fix: add support for sha256 and sha512 in htpasswd #3497
Conversation
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #3497 +/- ##
==========================================
- Coverage 91.71% 91.66% -0.06%
==========================================
Files 185 185
Lines 25674 25736 +62
==========================================
+ Hits 23547 23590 +43
- Misses 1374 1386 +12
- Partials 753 760 +7 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
Pull Request Overview
This PR adds support for SHA-256 and SHA-512 password hashing algorithms to htpasswd authentication, particularly to support FIPS-140 compliance where bcrypt is not approved. The implementation adds dual-path authentication that uses bcrypt for existing hashes (but warns when FIPS-140 is enabled) and supports crypt-SHA hashes as FIPS-140 compliant alternatives.
- Adds
github.com/GehirnInc/cryptandgithub.com/tg123/go-htpasswddependencies for SHA-256/512 support - Implements SHA-256 and SHA-512 credential generation functions
- Updates authentication logic to detect hash types and use appropriate verification method with FIPS-140 awareness
Reviewed Changes
Copilot reviewed 8 out of 9 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| test/blackbox/helpers_zot.bash | Adds additional test user credentials for authentication testing |
| test/blackbox/fips140_authn.bats | New test suite for FIPS-140 authentication scenarios using regclient |
| pkg/test/image-utils/upload_test.go | Renames function calls to use GetBcryptCredString for clarity |
| pkg/test/common/fs_test.go | Updates test to use renamed GetBcryptCredString function |
| pkg/test/common/fs.go | Adds SHA-256/512 credential generation functions and renames bcrypt function |
| pkg/api/htpasswd_test.go | Updates all test cases to use renamed GetBcryptCredString function |
| pkg/api/htpasswd.go | Implements hash type detection and dual-path authentication with FIPS-140 support |
| go.sum | Adds checksums for new crypt and go-htpasswd dependencies |
| go.mod | Declares new dependencies for SHA-based password hashing |
Comments suppressed due to low confidence (1)
pkg/api/htpasswd.go:24
- The comment states that HTPasswd 'Currently supports only bcrypt hashes', but the code now supports SHA-256 and SHA-512 hashes as well. This documentation should be updated to reflect the new capabilities.
// HTPasswd user auth store
//
// Currently supports only bcrypt hashes.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull Request Overview
Copilot reviewed 21 out of 22 changed files in this pull request and generated 8 comments.
Comments suppressed due to low confidence (2)
pkg/api/htpasswd.go:23
- The comment states that only bcrypt hashes are supported, but the code now also supports SHA-256 and SHA-512 hashes. Update this comment to reflect the current functionality.
// Currently supports only bcrypt hashes.
pkg/api/htpasswd.go:128
- This statement is unreachable.
return false, present
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
rchincha
force-pushed
the
issue-3495
branch
13 times, most recently
from
5b11a41 to
3d3c18d
Compare
There was a problem hiding this comment.
Pull Request Overview
Copilot reviewed 24 out of 25 changed files in this pull request and generated 6 comments.
Comments suppressed due to low confidence (1)
pkg/api/controller_test.go:735
- The variable
testStringis undefined in this scope. It should use an element from thesingleCredtestsslice. Based on the loop structure, this should likely iterate oversingleCredtestsusingfor _, testString := range singleCredtests {or reference a specific test string from the slice.
htpasswdPath := test.MakeHtpasswdFileFromString(testString)
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
rchincha
force-pushed
the
issue-3495
branch
4 times, most recently
from
8664860 to
01a3f15
Compare
andaaron
left a comment
andaaron
left a comment
There was a problem hiding this comment.
Please resolve the copilot reviews if they are done.
There was a problem hiding this comment.
Pull Request Overview
Copilot reviewed 24 out of 25 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
rchincha
force-pushed
the
issue-3495
branch
2 times, most recently
from
a0540c8 to
bc34f19
Compare
There was a problem hiding this comment.
Pull Request Overview
Copilot reviewed 24 out of 25 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
rchincha
force-pushed
the
issue-3495
branch
2 times, most recently
from
05f8050 to
5eb6d8a
Compare
There was a problem hiding this comment.
Pull Request Overview
Copilot reviewed 24 out of 25 changed files in this pull request and generated 1 comment.
Comments suppressed due to low confidence (1)
pkg/api/htpasswd.go:23
- The comment states 'Currently supports only bcrypt hashes' but the implementation now supports bcrypt, SHA-256, and SHA-512 hashes. This documentation should be updated to reflect the new capabilities.
// HTPasswd user auth store
//
// Currently supports only bcrypt hashes.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull Request Overview
Copilot reviewed 24 out of 25 changed files in this pull request and generated 4 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
rchincha
force-pushed
the
issue-3495
branch
2 times, most recently
from
c08b846 to
4a70b81
Compare
There was a problem hiding this comment.
Pull Request Overview
Copilot reviewed 25 out of 26 changed files in this pull request and generated no new comments.
Comments suppressed due to low confidence (1)
pkg/api/htpasswd.go:23
- The comment states that HTPasswd 'Currently supports only bcrypt hashes', but the code now also supports SHA256 and SHA512 hashes. Update the comment to reflect the expanded support: 'Supports bcrypt, SHA256, and SHA512 hashes.'
// HTPasswd user auth store
//
// Currently supports only bcrypt hashes.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull Request Overview
Copilot reviewed 25 out of 26 changed files in this pull request and generated 5 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Fixes issue project-zot#3495 We currently support only bcrypt htpasswd hashes, however bcrypt is not FIPS-140 approved since it uses Blowfish. This PR adds support for sha256 and sha512 formats and enforces that bcrypt be disabled when fips140 mode is enabled. Signed-off-by: Ramkumar Chinchani <[email protected]>
Fixes issue #3495
What type of PR is this?
Which issue does this PR fix:
What does this PR do / Why do we need it:
If an issue # is not available please add repro steps and logs showing the issue:
Testing done on this change:
Automation added to e2e:
Will this break upgrades or downgrades?
Does this PR introduce any user-facing change?:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.