Description
Currently, in ground-control/internal/auth/password_test.go, passwords are hashed directly using HashPassword() without validating them against the rules defined in ground-control/internal/auth/policy.go.
Example: https://github.com/container-registry/harbor-satellite/blob/main/ground-control/internal/auth/password_test.go
```go
package auth

import (
	"testing"

	"github.com/stretchr/testify/require"
)

func TestVerifyPassword(t *testing.T) {
	// The password is passed straight to HashPassword(); nothing checks it
	// against the rules in policy.go first.
	password := "test-password-123"
	hash, err := HashPassword(password)
	require.NoError(t, err)
	tests := []struct {
		name     string
		password string
		hash     string
		want     bool
	}{} // table cases omitted in this excerpt
}
```
However, in other parts of the codebase, password validation and hashing are handled as two separate steps. For example, in bootstrap.go:
https://github.com/container-registry/harbor-satellite/blob/main/ground-control/internal/server/bootstrap.go#L32
```go
// Every caller has to remember to run the policy check before hashing.
if err := s.passwordPolicy.Validate(password); err != nil {
	return fmt.Errorf("ADMIN_PASSWORD invalid: %w", err)
}
hash, err := auth.HashPassword(password)
```
A similar pattern is also repeated in user_handlers.go:
https://github.com/container-registry/harbor-satellite/blob/main/ground-control/internal/server/user_handlers.go#L60
and in token.go:
https://github.com/container-registry/harbor-satellite/blob/main/internal/token/token.go
Instead of validating the password policy separately before calling HashPassword(), we can integrate Validate() inside HashPassword(). This would ensure policy enforcement is consistent everywhere and reduce repeated validation logic across the codebase.