Enforce password policy in HashPassword

Author: minhpham1810

ground-control/internal/auth/password.go

@@ -8,9 +8,21 @@ import (
 	"github.com/container-registry/harbor-satellite/ground-control/pkg/crypto"
 )
 
+type PasswordPolicyError struct {
+	Err error
+}
+
+func (e *PasswordPolicyError) Error() string { return e.Err.Error() }
+func (e *PasswordPolicyError) Unwrap() error { return e.Err }
+
 // HashPassword creates an Argon2id hash of the password.
 func HashPassword(password string) (string, error) {
-	return crypto.HashSecret(password)
+    policy := LoadPolicyFromEnv()
+    if err := policy.Validate(password); err != nil {
+        return "", &PasswordPolicyError{Err: err}
+    }
+
+    return crypto.HashSecret(password)
 }
 
 // VerifyPassword compares a password against an Argon2id hash.

ground-control/internal/auth/password_test.go

@@ -7,7 +7,7 @@ import (
 )
 
 func TestVerifyPassword(t *testing.T) {
-	password := "test-password-123"
+	password := "Test-password-123"
 	hash, err := HashPassword(password)
 	require.NoError(t, err)
 
@@ -61,28 +61,41 @@ func TestHashPassword(t *testing.T) {
 	tests := []struct {
 		name     string
 		password string
+		wantErr  bool
 	}{
 		{
 			name:     "normal password",
 			password: "MySecurePassword123!",
+			wantErr:  false,
 		},
 		{
 			name:     "empty password",
 			password: "",
+			wantErr:  true,
 		},
 		{
+			// Make it long AND policy-compliant (upper/lower/number) so if it fails,
+			// it's likely due to max length, not missing character classes.
+			// NOTE: if this ends up under 128 chars in your policy, it will pass.
 			name:     "long password",
-			password: "a very long password that exceeds typical password length requirements for testing purposes",
+			password: "A1" + "this-is-a-very-long-password-used-for-testing-length-behavior-and-it-has-lowercase-too",
+			wantErr:  false, // flip to true if you change this to exceed policy MaxLength
 		},
 		{
 			name:     "special characters",
-			password: "p@$$w0rd!#%&*()[]{}",
+			password: "Test@#$%^&*123",
+			wantErr:  false,
 		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			hash, err := HashPassword(tt.password)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+
 			require.NoError(t, err)
 			require.NotEmpty(t, hash)
 			require.Contains(t, hash, "$argon2id$")
@@ -95,7 +108,7 @@ func TestHashPassword(t *testing.T) {
 }
 
 func TestHashPassword_UniqueHashes(t *testing.T) {
-	password := "same-password"
+	password := "SamePassword1!"
 	hash1, err := HashPassword(password)
 	require.NoError(t, err)
 

ground-control/internal/server/bootstrap.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"log"
 	"os"
+	"errors"
 
 	"github.com/container-registry/harbor-satellite/ground-control/internal/auth"
 	"github.com/container-registry/harbor-satellite/ground-control/internal/database"
@@ -29,15 +30,16 @@ func (s *Server) BootstrapSystemAdmin(ctx context.Context) error {
 		return fmt.Errorf("ADMIN_PASSWORD environment variable is required for initial setup")
 	}
 
-	if err := s.passwordPolicy.Validate(password); err != nil {
-		return fmt.Errorf("ADMIN_PASSWORD invalid: %w", err)
-	}
-
 	hash, err := auth.HashPassword(password)
 	if err != nil {
+		var pe *auth.PasswordPolicyError
+		if errors.As(err, &pe) {
+			return fmt.Errorf("ADMIN_PASSWORD invalid: %w", pe)
+		}
 		return fmt.Errorf("failed to hash admin password: %w", err)
 	}
 
+
 	_, err = s.dbQueries.CreateUser(ctx, database.CreateUserParams{
 		Username:     systemAdminUsername,
 		PasswordHash: hash,

ground-control/internal/server/user_handlers.go

@@ -57,17 +57,19 @@ func (s *Server) createUserHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if err := s.passwordPolicy.Validate(req.Password); err != nil {
-		WriteJSONError(w, err.Error(), http.StatusBadRequest)
-		return
-	}
-
 	hash, err := auth.HashPassword(req.Password)
 	if err != nil {
+		var pe *auth.PasswordPolicyError
+		if errors.As(err, &pe) {
+			WriteJSONError(w, pe.Error(), http.StatusBadRequest)
+			return
+		}
+
 		WriteJSONError(w, "Internal server error", http.StatusInternalServerError)
 		return
 	}
 
+
 	user, err := s.dbQueries.CreateUser(r.Context(), database.CreateUserParams{
 		Username:     req.Username,
 		PasswordHash: hash,
@@ -201,11 +203,19 @@ func (s *Server) changeOwnPasswordHandler(w http.ResponseWriter, r *http.Request
 		return
 	}
 
-	if err := s.passwordPolicy.Validate(req.NewPassword); err != nil {
-		WriteJSONError(w, err.Error(), http.StatusBadRequest)
+	hash, err := auth.HashPassword(req.NewPassword)
+	if err != nil {
+		var pe *auth.PasswordPolicyError
+		if errors.As(err, &pe) {
+			WriteJSONError(w, pe.Error(), http.StatusBadRequest)
+			return
+		}
+
+		WriteJSONError(w, "Internal server error", http.StatusInternalServerError)
 		return
 	}
 
+
 	// Verify current password
 	user, err := s.dbQueries.GetUserByUsername(r.Context(), currentUser.Username)
 	if err != nil {
@@ -219,11 +229,7 @@ func (s *Server) changeOwnPasswordHandler(w http.ResponseWriter, r *http.Request
 		return
 	}
 
-	hash, err := auth.HashPassword(req.NewPassword)
-	if err != nil {
-		WriteJSONError(w, "Internal server error", http.StatusInternalServerError)
-		return
-	}
+
 
 	if err := s.dbQueries.UpdateUserPassword(r.Context(), database.UpdateUserPasswordParams{
 		Username:     currentUser.Username,
@@ -253,11 +259,19 @@ func (s *Server) changeUserPasswordHandler(w http.ResponseWriter, r *http.Reques
 		return
 	}
 
-	if err := s.passwordPolicy.Validate(req.NewPassword); err != nil {
-		WriteJSONError(w, err.Error(), http.StatusBadRequest)
+	hash, err := auth.HashPassword(req.NewPassword)
+	if err != nil {
+		var pe *auth.PasswordPolicyError
+		if errors.As(err, &pe) {
+			WriteJSONError(w, pe.Error(), http.StatusBadRequest)
+			return
+		}
+
+		WriteJSONError(w, "Internal server error", http.StatusInternalServerError)
 		return
 	}
 
+
 	// Check if user exists
 	user, err := s.dbQueries.GetUserByUsername(r.Context(), username)
 	if err != nil {
@@ -269,11 +283,6 @@ func (s *Server) changeUserPasswordHandler(w http.ResponseWriter, r *http.Reques
 		return
 	}
 
-	hash, err := auth.HashPassword(req.NewPassword)
-	if err != nil {
-		WriteJSONError(w, "Internal server error", http.StatusInternalServerError)
-		return
-	}
 
 	if err := s.dbQueries.UpdateUserPassword(r.Context(), database.UpdateUserPasswordParams{
 		Username:     username,