From 0cbd611820358cfb047c2d5ebe345dd46a2ac444 Mon Sep 17 00:00:00 2001
From: Bartosz Leper
Date: Thu, 11 Apr 2024 15:00:06 +0200
Subject: [PATCH] Lower bcrypt cost when testing (#40254) (#40397)

* Lower bcrypt cost when testing
* Review
---
 lib/auth/assist/assistv1/test/service_test.go | 2 +-
 lib/auth/auth_test.go | 2 +-
 .../discoveryconfigv1/service_test.go | 2 +-
 lib/auth/helpers.go | 2 +-
 .../integration/integrationv1/service_test.go | 2 +-
 lib/auth/kubewaitingcontainer/service_test.go | 2 +-
 lib/auth/okta/service_test.go | 2 +-
 lib/auth/userloginstate/service_test.go | 2 +-
 .../userpreferencesv1/service_test.go | 2 +-
 lib/authz/permissions_test.go | 2 +-
 lib/cache/cache_test.go | 14 ++++++-----
 lib/services/local/resource_test.go | 4 ++--
 lib/services/local/services_test.go | 2 +-
 lib/services/local/session_test.go | 8 +++----
 lib/services/local/users.go | 24 +++++++++++++++----
 lib/services/local/users_test.go | 2 +-
 16 files changed, 46 insertions(+), 28 deletions(-)

diff --git a/lib/auth/assist/assistv1/test/service_test.go b/lib/auth/assist/assistv1/test/service_test.go
index 3fda580cd204b..c5293ed882daf 100644
--- a/lib/auth/assist/assistv1/test/service_test.go
+++ b/lib/auth/assist/assistv1/test/service_test.go
@@ -277,7 +277,7 @@ func initSvc(t *testing.T) (map[string]context.Context, *assistv1.Service) {
 require.NoError(t, err)
 trustSvc := local.NewCAService(backend)
 roleSvc := local.NewAccessService(backend)
- userSvc := local.NewIdentityService(backend)
+ userSvc := local.NewTestIdentityService(backend)
 require.NoError(t, clusterConfigSvc.SetAuthPreference(ctx, types.DefaultAuthPreference()))
 require.NoError(t, clusterConfigSvc.SetClusterAuditConfig(ctx, types.DefaultClusterAuditConfig()))
diff --git a/lib/auth/auth_test.go b/lib/auth/auth_test.go
index 5dafa65db2dbd..25c5d3fdb3b6a 100644
--- a/lib/auth/auth_test.go
+++ b/lib/auth/auth_test.go
@@ -2989,7 +2989,7 @@ func newTestServices(t *testing.T) Services {
 Trust: local.NewCAService(bk),
 PresenceInternal: local.NewPresenceService(bk),
 Provisioner: local.NewProvisioningService(bk),
- Identity: local.NewIdentityService(bk),
+ Identity: local.NewTestIdentityService(bk),
 Access: local.NewAccessService(bk),
 DynamicAccessExt: local.NewDynamicAccessService(bk),
 ClusterConfiguration: configService,
diff --git a/lib/auth/discoveryconfig/discoveryconfigv1/service_test.go b/lib/auth/discoveryconfig/discoveryconfigv1/service_test.go
index 46aad2bd92bc7..731a3b17275d4 100644
--- a/lib/auth/discoveryconfig/discoveryconfigv1/service_test.go
+++ b/lib/auth/discoveryconfig/discoveryconfigv1/service_test.go
@@ -490,7 +490,7 @@ func initSvc(t *testing.T, clusterName string) (context.Context, localClient, *S
 trustSvc := local.NewCAService(backend)
 roleSvc := local.NewAccessService(backend)
- userSvc := local.NewIdentityService(backend)
+ userSvc := local.NewTestIdentityService(backend)
 clusterConfigSvc, err := local.NewClusterConfigurationService(backend)
 require.NoError(t, err)
diff --git a/lib/auth/helpers.go b/lib/auth/helpers.go
index fc041f1d720c0..e9ad203a2a0f1 100644
--- a/lib/auth/helpers.go
+++ b/lib/auth/helpers.go
@@ -269,7 +269,7 @@ func NewTestAuthServer(cfg TestAuthServerConfig) (*TestAuthServer, error) {
 }
 access := local.NewAccessService(srv.Backend)
- identity := local.NewIdentityService(srv.Backend)
+ identity := local.NewTestIdentityService(srv.Backend)
 emitter, err := events.NewCheckingEmitter(events.CheckingEmitterConfig{
 Inner: srv.AuditLog,
diff --git a/lib/auth/integration/integrationv1/service_test.go b/lib/auth/integration/integrationv1/service_test.go
index 2357f7f3310e9..028f9561e41f0 100644
--- a/lib/auth/integration/integrationv1/service_test.go
+++ b/lib/auth/integration/integrationv1/service_test.go
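Review bot: `NewTestAuthServer` in lib/auth/helpers.go is compiled into non-test builds, so after the helpers.go hunk any caller running outside `go test` hits the `testing.Testing()` panic inside `local.NewTestIdentityService` at runtime rather than failing at build time. If a dev tool or non-test binary constructs a `TestAuthServer`, it now crashes on startup; the callers are not visible here, so this is worth confirming before merge. At minimum the doc comment on `NewTestAuthServer` should say `// NewTestAuthServer must only be called from tests: its identity service hashes passwords with bcrypt.MinCost and panics outside go test.` `NewTestAuthServer`'s body starts and continues outside the hunk.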
@@ -331,7 +331,7 @@ func initSvc(t *testing.T, ca types.CertAuthority, clusterName string, proxyPubl
 require.NoError(t, err)
 trustSvc := local.NewCAService(backend)
 roleSvc := local.NewAccessService(backend)
- userSvc := local.NewIdentityService(backend)
+ userSvc := local.NewTestIdentityService(backend)
 require.NoError(t, clusterConfigSvc.SetAuthPreference(ctx, types.DefaultAuthPreference()))
 require.NoError(t, clusterConfigSvc.SetClusterAuditConfig(ctx, types.DefaultClusterAuditConfig()))
diff --git a/lib/auth/kubewaitingcontainer/service_test.go b/lib/auth/kubewaitingcontainer/service_test.go
index ca3ab86abf3ba..26e0af4711af7 100644
--- a/lib/auth/kubewaitingcontainer/service_test.go
+++ b/lib/auth/kubewaitingcontainer/service_test.go
@@ -354,7 +354,7 @@ func initSvc(t *testing.T, authorizerFn func(t *testing.T, client localClient) a
 require.NoError(t, err)
 roleSvc := local.NewAccessService(backend)
- userSvc := local.NewIdentityService(backend)
+ userSvc := local.NewTestIdentityService(backend)
 clusterSrv, err := local.NewClusterConfigurationService(backend)
 require.NoError(t, err)
 caSrv := local.NewCAService(backend)
diff --git a/lib/auth/okta/service_test.go b/lib/auth/okta/service_test.go
index 65c0871336ad9..7492a1e3a79a0 100644
--- a/lib/auth/okta/service_test.go
+++ b/lib/auth/okta/service_test.go
@@ -169,7 +169,7 @@ func initSvc(t *testing.T, kind string) (context.Context, *Service) {
 require.NoError(t, err)
 trustSvc := local.NewCAService(backend)
 roleSvc := local.NewAccessService(backend)
- userSvc := local.NewIdentityService(backend)
+ userSvc := local.NewTestIdentityService(backend)
 require.NoError(t, clusterConfigSvc.SetAuthPreference(ctx, types.DefaultAuthPreference()))
 require.NoError(t, clusterConfigSvc.SetClusterAuditConfig(ctx, types.DefaultClusterAuditConfig()))
diff --git a/lib/auth/userloginstate/service_test.go b/lib/auth/userloginstate/service_test.go
index 69e82d5d2b15e..30bde262efc9c 100644
--- a/lib/auth/userloginstate/service_test.go
+++ b/lib/auth/userloginstate/service_test.go
@@ -203,7 +203,7 @@ func initSvc(t *testing.T) (userContext context.Context, noAccessContext context
 require.NoError(t, err)
 trustSvc := local.NewCAService(backend)
 roleSvc := local.NewAccessService(backend)
- userSvc := local.NewIdentityService(backend)
+ userSvc := local.NewTestIdentityService(backend)
 require.NoError(t, clusterConfigSvc.SetAuthPreference(ctx, types.DefaultAuthPreference()))
 require.NoError(t, clusterConfigSvc.SetClusterAuditConfig(ctx, types.DefaultClusterAuditConfig()))
diff --git a/lib/auth/userpreferences/userpreferencesv1/service_test.go b/lib/auth/userpreferences/userpreferencesv1/service_test.go
index 9e2fac7c2d86b..0c95ae89781a4 100644
--- a/lib/auth/userpreferences/userpreferencesv1/service_test.go
+++ b/lib/auth/userpreferences/userpreferencesv1/service_test.go
@@ -161,7 +161,7 @@ func initSvc(t *testing.T) (map[string]context.Context, *Service) {
 require.NoError(t, err)
 trustSvc := local.NewCAService(backend)
 roleSvc := local.NewAccessService(backend)
- userSvc := local.NewIdentityService(backend)
+ userSvc := local.NewTestIdentityService(backend)
 require.NoError(t, clusterConfigSvc.SetAuthPreference(ctx, types.DefaultAuthPreference()))
 require.NoError(t, clusterConfigSvc.SetClusterAuditConfig(ctx, types.DefaultClusterAuditConfig()))
diff --git a/lib/authz/permissions_test.go b/lib/authz/permissions_test.go
index 42c69f9c622bd..df4a42cf7e50f 100644
--- a/lib/authz/permissions_test.go
+++ b/lib/authz/permissions_test.go
@@ -764,7 +764,7 @@ func newTestResources(t *testing.T) (*testClient, *services.LockWatcher, Authori
 require.NoError(t, err)
 caSvc := local.NewCAService(backend)
 accessSvc := local.NewAccessService(backend)
- identitySvc := local.NewIdentityService(backend)
+ identitySvc := local.NewTestIdentityService(backend)
 eventsSvc := local.NewEventsService(backend)
 client := &testClient{
diff --git a/lib/cache/cache_test.go b/lib/cache/cache_test.go
index 7ed47f7532395..8de5fbb69c103 100644
--- a/lib/cache/cache_test.go
+++ b/lib/cache/cache_test.go
@@ -224,19 +224,21 @@ func newPackWithoutCache(dir string, opts ...packOption) (*testPack, error) {
 return nil, trace.Wrap(err)
 }
+ idService := local.NewTestIdentityService(p.backend)
+
 p.trustS = local.NewCAService(p.backend)
 p.clusterConfigS = clusterConfig
 p.provisionerS = local.NewProvisioningService(p.backend)
 p.eventsS = newProxyEvents(local.NewEventsService(p.backend), cfg.ignoreKinds)
 p.presenceS = local.NewPresenceService(p.backend)
- p.usersS = local.NewIdentityService(p.backend)
+ p.usersS = idService
 p.accessS = local.NewAccessService(p.backend)
 p.dynamicAccessS = local.NewDynamicAccessService(p.backend)
- p.appSessionS = local.NewIdentityService(p.backend)
- p.webSessionS = local.NewIdentityService(p.backend).WebSessions()
- p.snowflakeSessionS = local.NewIdentityService(p.backend)
- p.samlIdPSessionsS = local.NewIdentityService(p.backend)
- p.webTokenS = local.NewIdentityService(p.backend).WebTokens()
+ p.appSessionS = idService
+ p.webSessionS = idService.WebSessions()
+ p.snowflakeSessionS = idService
+ p.samlIdPSessionsS = idService
+ p.webTokenS = idService.WebTokens()
 p.restrictions = local.NewRestrictionsService(p.backend)
 p.apps = local.NewAppService(p.backend)
 p.kubernetes = local.NewKubernetesService(p.backend)
diff --git a/lib/services/local/resource_test.go b/lib/services/local/resource_test.go
index d3fc1608cf953..ac9b1bfadb63c 100644
--- a/lib/services/local/resource_test.go
+++ b/lib/services/local/resource_test.go
@@ -83,7 +83,7 @@ func runUserResourceTest(
 require.NoError(t, err)
 // Check that dynamically created item is compatible with service
- s := NewIdentityService(tt.bk)
+ s := NewTestIdentityService(tt.bk)
 b, err := s.GetUser("bob", withSecrets)
 require.NoError(t, err)
 require.Equal(t, services.UsersEquals(bob, b), true, "dynamically inserted user does not match")
@@ -194,7 +194,7 @@ func TestGithubConnectorResource(t *testing.T) {
 err := CreateResources(ctx, tt.bk, connector)
 require.NoError(t, err)
- s := NewIdentityService(tt.bk)
+ s := NewTestIdentityService(tt.bk)
 _, err = s.GetGithubConnector(ctx, "github", true)
 require.NoError(t, err)
 }
diff --git a/lib/services/local/services_test.go b/lib/services/local/services_test.go
index cdd9bb6860e80..64530e21310a9 100644
--- a/lib/services/local/services_test.go
+++ b/lib/services/local/services_test.go
@@ -62,7 +62,7 @@ func setupServicesContext(ctx context.Context, t *testing.T) *servicesContext {
 CAS: NewCAService(tt.bk),
 PresenceS: presenceService,
 ProvisioningS: NewProvisioningService(tt.bk),
- WebS: NewIdentityService(tt.bk),
+ WebS: NewTestIdentityService(tt.bk),
 Access: NewAccessService(tt.bk),
 EventsS: eventsService,
 ChangesC: make(chan interface{}),
diff --git a/lib/services/local/session_test.go b/lib/services/local/session_test.go
index 3f321945b969d..93e6606bc15fa 100644
--- a/lib/services/local/session_test.go
+++ b/lib/services/local/session_test.go
@@ -38,7 +38,7 @@ func TestDeleteUserAppSessions(t *testing.T) {
 })
 require.NoError(t, err)
- identity := NewIdentityService(backend)
+ identity := NewTestIdentityService(backend)
 users := []string{"alice", "bob"}
 ctx := context.Background()
@@ -90,7 +90,7 @@ func TestListAppSessions(t *testing.T) {
 })
 require.NoError(t, err)
- identity := NewIdentityService(backend)
+ identity := NewTestIdentityService(backend)
 users := []string{"alice", "bob"}
 ctx := context.Background()
@@ -177,7 +177,7 @@ func TestDeleteUserSAMLIdPSessions(t *testing.T) {
 })
 require.NoError(t, err)
- identity := NewIdentityService(backend)
+ identity := NewTestIdentityService(backend)
 users := []string{"alice", "bob"}
 ctx := context.Background()
@@ -229,7 +229,7 @@ func TestListSAMLIdPSessions(t *testing.T) {
 })
 require.NoError(t, err)
- identity := NewIdentityService(backend)
+ identity := NewTestIdentityService(backend)
 users := []string{"alice", "bob"}
 ctx := context.Background()
diff --git a/lib/services/local/users.go b/lib/services/local/users.go
index 67ae3236d656f..0b6f92e9ee50d 100644
--- a/lib/services/local/users.go
+++ b/lib/services/local/users.go
@@ -25,6 +25,7 @@ import (
 "encoding/json"
 "sort"
 "sync"
+ "testing"
 "time"
 "github.com/gogo/protobuf/jsonpb"
@@ -54,17 +55,32 @@ var GlobalSessionDataMaxEntries = 5000 // arbitrary
 // user accounts as well
 type IdentityService struct {
 backend.Backend
- log logrus.FieldLogger
+ log logrus.FieldLogger
+ bcryptCost int
 }
 // NewIdentityService returns a new instance of IdentityService object
 func NewIdentityService(backend backend.Backend) *IdentityService {
 return &IdentityService{
- Backend: backend,
- log: logrus.WithField(trace.Component, "identity"),
+ Backend: backend,
+ log: logrus.WithField(trace.Component, "identity"),
+ bcryptCost: bcrypt.DefaultCost,
 }
 }
+// NewTestIdentityService returns a new instance of IdentityService object to be
+// used in tests. It will use weaker cryptography to minimize the time it takes
+// to perform flakiness tests and decrease the probability of timeouts.
+func NewTestIdentityService(backend backend.Backend) *IdentityService {
+ if !testing.Testing() {
+ // Don't allow using weak cryptography in production.
+ panic("Attempted to create a test identity service outside of a test")
+ }
+ s := NewIdentityService(backend)
+ s.bcryptCost = bcrypt.MinCost
+ return s
+}
+
 // DeleteAllUsers deletes all users
 func (s *IdentityService) DeleteAllUsers() error {
 startKey := backend.ExactKey(webPrefix, usersPrefix)
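Review bot: The new `bcryptCost` field is undocumented and its zero value is 0, so an `IdentityService` built as a struct literal instead of through `NewIdentityService` would pass cost 0 to `utils.BcryptFromPassword` in the UpsertPassword hunk that follows, and whether that wrapper falls back to a safe default is not visible here. I'd document the field as `// bcryptCost is the bcrypt work factor for stored password hashes; only NewTestIdentityService lowers it below bcrypt.DefaultCost.` and, in UpsertPassword, compute `cost := s.bcryptCost` / `if cost == 0 { cost = bcrypt.DefaultCost }` and pass `cost` to `utils.BcryptFromPassword`. The `NewTestIdentityService` doc comment says "weaker cryptography", which understates the consequence: hashes written through it use `bcrypt.MinCost` and must never reach a persistent backend, so say that explicitly and state that the constructor panics when `testing.Testing()` reports false. `testing.Testing()` exists only from Go 1.21 and this import compiles `testing` into the production build of package local, which is worth calling out if the module's go directive is older or a linter forbids that import; UpsertPassword's body starts and continues outside its hunk.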
@@ -591,7 +607,7 @@ func (s *IdentityService) UpsertPassword(user string, password []byte) error {
 if err != nil {
 return trace.Wrap(err)
 }
- hash, err := utils.BcryptFromPassword(password, bcrypt.DefaultCost)
+ hash, err := utils.BcryptFromPassword(password, s.bcryptCost)
 if err != nil {
 return trace.Wrap(err)
 }
diff --git a/lib/services/local/users_test.go b/lib/services/local/users_test.go
index e7769634b29d7..8e55e8ea01f4a 100644
--- a/lib/services/local/users_test.go
+++ b/lib/services/local/users_test.go
@@ -48,7 +48,7 @@ func newIdentityService(t *testing.T, clock clockwork.Clock) *local.IdentityServ
 Clock: clockwork.NewFakeClock(),
 })
 require.NoError(t, err)
- return local.NewIdentityService(backend)
+ return local.NewTestIdentityService(backend)
 }
 func TestRecoveryCodesCRUD(t *testing.T) {