[PM-12806] Enforce 5000 iteration minimum for prelogin (#11332)

* Enforce 5000 iteration minimum for prelogin * Fix tests * Add more extensive tests * Add loginstrategy prelogin downgrade test
2025-12-21 18:53:29 +00:00 · 2024-10-17 06:58:07 -07:00
parent 288b0cff2f
commit e8f0135d50
5 changed files with 212 additions and 18 deletions
--- a/libs/common/src/auth/services/kdf-config.service.spec.ts
+++ b/libs/common/src/auth/services/kdf-config.service.spec.ts
@@ -58,41 +58,120 @@ describe("KdfConfigService", () => {
    }
  });

-  it("validateKdfConfig(): should validate the PBKDF2 KDF config", () => {
+  it("validateKdfConfigForSetting(): should validate the PBKDF2 KDF config", () => {
    const kdfConfig: PBKDF2KdfConfig = new PBKDF2KdfConfig(600_000);
-    expect(() => kdfConfig.validateKdfConfig()).not.toThrow();
+    expect(() => kdfConfig.validateKdfConfigForSetting()).not.toThrow();
  });

-  it("validateKdfConfig(): should validate the Argon2id KDF config", () => {
+  it("validateKdfConfigForSetting(): should validate the Argon2id KDF config", () => {
    const kdfConfig: Argon2KdfConfig = new Argon2KdfConfig(3, 64, 4);
-    expect(() => kdfConfig.validateKdfConfig()).not.toThrow();
+    expect(() => kdfConfig.validateKdfConfigForSetting()).not.toThrow();
  });

-  it("validateKdfConfig(): should throw an error for invalid PBKDF2 iterations", () => {
-    const kdfConfig: PBKDF2KdfConfig = new PBKDF2KdfConfig(100);
-    expect(() => kdfConfig.validateKdfConfig()).toThrow(
+  it("validateKdfConfigForSetting(): should throw an error for invalid PBKDF2 iterations", () => {
+    const kdfConfig: PBKDF2KdfConfig = new PBKDF2KdfConfig(100000);
+    expect(() => kdfConfig.validateKdfConfigForSetting()).toThrow(
      `PBKDF2 iterations must be between ${PBKDF2KdfConfig.ITERATIONS.min} and ${PBKDF2KdfConfig.ITERATIONS.max}`,
    );
  });

-  it("validateKdfConfig(): should throw an error for invalid Argon2 iterations", () => {
+  it("validateKdfConfigForSetting(): should throw an error for invalid Argon2 iterations", () => {
    const kdfConfig: Argon2KdfConfig = new Argon2KdfConfig(11, 64, 4);
-    expect(() => kdfConfig.validateKdfConfig()).toThrow(
+    expect(() => kdfConfig.validateKdfConfigForSetting()).toThrow(
      `Argon2 iterations must be between ${Argon2KdfConfig.ITERATIONS.min} and ${Argon2KdfConfig.ITERATIONS.max}`,
    );
  });

-  it("validateKdfConfig(): should throw an error for invalid Argon2 memory", () => {
+  it("validateKdfConfigForSetting(): should throw an error for invalid Argon2 memory", () => {
    const kdfConfig: Argon2KdfConfig = new Argon2KdfConfig(3, 1025, 4);
-    expect(() => kdfConfig.validateKdfConfig()).toThrow(
+    expect(() => kdfConfig.validateKdfConfigForSetting()).toThrow(
      `Argon2 memory must be between ${Argon2KdfConfig.MEMORY.min}mb and ${Argon2KdfConfig.MEMORY.max}mb`,
    );
  });

-  it("validateKdfConfig(): should throw an error for invalid Argon2 parallelism", () => {
+  it("validateKdfConfigForSetting(): should throw an error for invalid Argon2 parallelism", () => {
    const kdfConfig: Argon2KdfConfig = new Argon2KdfConfig(3, 64, 17);
-    expect(() => kdfConfig.validateKdfConfig()).toThrow(
+    expect(() => kdfConfig.validateKdfConfigForSetting()).toThrow(
      `Argon2 parallelism must be between ${Argon2KdfConfig.PARALLELISM.min} and ${Argon2KdfConfig.PARALLELISM.max}`,
    );
  });
+
+  it("validateKdfConfigForPrelogin(): should validate the PBKDF2 KDF config", () => {
+    const kdfConfig: PBKDF2KdfConfig = new PBKDF2KdfConfig(600_000);
+    expect(() => kdfConfig.validateKdfConfigForPrelogin()).not.toThrow();
+  });
+
+  it("validateKdfConfigForPrelogin(): should validate the Argon2id KDF config", () => {
+    const kdfConfig: Argon2KdfConfig = new Argon2KdfConfig(3, 64, 4);
+    expect(() => kdfConfig.validateKdfConfigForPrelogin()).not.toThrow();
+  });
+
+  it("validateKdfConfigForPrelogin(): should throw an error for too low PBKDF2 iterations", () => {
+    const kdfConfig: PBKDF2KdfConfig = new PBKDF2KdfConfig(
+      PBKDF2KdfConfig.PRELOGIN_ITERATIONS.min - 1,
+    );
+    expect(() => kdfConfig.validateKdfConfigForPrelogin()).toThrow(
+      `PBKDF2 iterations must be between ${PBKDF2KdfConfig.PRELOGIN_ITERATIONS.min} and ${PBKDF2KdfConfig.PRELOGIN_ITERATIONS.max}`,
+    );
+  });
+
+  it("validateKdfConfigForPrelogin(): should throw an error for too high PBKDF2 iterations", () => {
+    const kdfConfig: PBKDF2KdfConfig = new PBKDF2KdfConfig(
+      PBKDF2KdfConfig.PRELOGIN_ITERATIONS.max + 1,
+    );
+    expect(() => kdfConfig.validateKdfConfigForPrelogin()).toThrow(
+      `PBKDF2 iterations must be between ${PBKDF2KdfConfig.PRELOGIN_ITERATIONS.min} and ${PBKDF2KdfConfig.PRELOGIN_ITERATIONS.max}`,
+    );
+  });
+
+  it("validateKdfConfigForPrelogin(): should throw an error for too low Argon2 iterations", () => {
+    const kdfConfig: Argon2KdfConfig = new Argon2KdfConfig(
+      Argon2KdfConfig.ITERATIONS.min - 1,
+      64,
+      4,
+    );
+    expect(() => kdfConfig.validateKdfConfigForPrelogin()).toThrow(
+      `Argon2 iterations must be between ${Argon2KdfConfig.ITERATIONS.min} and ${Argon2KdfConfig.ITERATIONS.max}`,
+    );
+  });
+
+  it("validateKdfConfigForPrelogin(): should throw an error for too high Argon2 iterations", () => {
+    const kdfConfig: Argon2KdfConfig = new Argon2KdfConfig(
+      Argon2KdfConfig.PRELOGIN_ITERATIONS.max + 1,
+      64,
+      4,
+    );
+    expect(() => kdfConfig.validateKdfConfigForPrelogin()).toThrow(
+      `Argon2 iterations must be between ${Argon2KdfConfig.ITERATIONS.min} and ${Argon2KdfConfig.ITERATIONS.max}`,
+    );
+  });
+
+  it("validateKdfConfigForPrelogin(): should throw an error for too low Argon2 memory", () => {
+    const kdfConfig: Argon2KdfConfig = new Argon2KdfConfig(
+      3,
+      Argon2KdfConfig.PRELOGIN_MEMORY.min - 1,
+      4,
+    );
+    expect(() => kdfConfig.validateKdfConfigForPrelogin()).toThrow(
+      `Argon2 memory must be between ${Argon2KdfConfig.PRELOGIN_MEMORY.min}mb and ${Argon2KdfConfig.PRELOGIN_MEMORY.max}mb`,
+    );
+  });
+
+  it("validateKdfConfigForPrelogin(): should throw an error for too high Argon2 memory", () => {
+    const kdfConfig: Argon2KdfConfig = new Argon2KdfConfig(
+      3,
+      Argon2KdfConfig.PRELOGIN_MEMORY.max + 1,
+      4,
+    );
+    expect(() => kdfConfig.validateKdfConfigForPrelogin()).toThrow(
+      `Argon2 memory must be between ${Argon2KdfConfig.PRELOGIN_MEMORY.min}mb and ${Argon2KdfConfig.PRELOGIN_MEMORY.max}mb`,
+    );
+  });
+
+  it("validateKdfConfigForPrelogin(): should throw an error for too high Argon2 parallelism", () => {
+    const kdfConfig: Argon2KdfConfig = new Argon2KdfConfig(3, 64, 17);
+    expect(() => kdfConfig.validateKdfConfigForPrelogin()).toThrow(
+      `Argon2 parallelism must be between ${Argon2KdfConfig.PRELOGIN_PARALLELISM.min} and ${Argon2KdfConfig.PRELOGIN_PARALLELISM.max}`,
+    );
+  });
 });