Validating for password length when FIPS is enabled

src/main/java/jenkins/security/plugins/ldap/LDAPConfiguration.java

@@ -152,6 +152,11 @@ public LDAPConfiguration(@NonNull String server, String rootDN, boolean inhibitI
         if(FIPS140.useCompliantAlgorithms() && !validateServerUrlIsSecure(server)){
             throw new IllegalArgumentException(Messages.LDAPConfiguration_InsecureServer(server));
         }
+        String managerPassword = Secret.toString(managerPasswordSecret);
+        if(StringUtils.isNotBlank(managerPassword) && !"undefined".equals(managerPassword) &&
+                FIPS140.useCompliantAlgorithms() && StringUtils.length(managerPassword) < 14) {
+            throw new IllegalArgumentException(Messages.LDAPConfiguration_passwordTooShortFIPS());
+        }
         this.server = server.trim();
         this.managerDN = fixEmpty(managerDN);
         this.managerPasswordSecret = managerPasswordSecret;
@@ -481,6 +486,14 @@ public FormValidation doCheckServer(@QueryParameter String value, @QueryParamete
             }
         }
 
+        @POST
+        public FormValidation doCheckManagerPasswordSecret(@QueryParameter String managerPasswordSecret) {
+            if(FIPS140.useCompliantAlgorithms() && StringUtils.length(managerPasswordSecret) < 14) {
+                return FormValidation.error(Messages.LDAPConfiguration_passwordTooShortFIPS());
+            }
+            return FormValidation.ok();
+        }
+
         private void forceClose(Context ctx){
             if(ctx==null){
                 return;

src/main/resources/jenkins/security/plugins/ldap/Messages.properties

@@ -66,4 +66,5 @@ UserDetails.Inactive=The user "{0}" is inactive until {1}.
 UserDetails.Expired=The user "{0}" is expired since {1}.
 UserDetails.CredentialsExpired=The user "{0}" has expired credentials.
 UserDetails.Locked=The user "{0}" is locked and must be unlocked by an administrator.
-LDAPConfiguration.InsecureServer=LDAP server URL is not secure: {0}.
+LDAPConfiguration.InsecureServer=LDAP server URL is not secure: {0}.
+LDAPConfiguration.passwordTooShortFIPS=Password is too short (< 14 characters)

src/test/java/hudson/security/LDAPEmbeddedFIPSTest.java

@@ -24,6 +24,7 @@
 
 package hudson.security;
 
+import hudson.util.FormValidation;
 import io.jenkins.plugins.casc.misc.ConfiguredWithCode;
 import jenkins.model.Jenkins;
 import hudson.tasks.MailAddressResolver;
@@ -35,6 +36,7 @@
 import jenkins.security.plugins.ldap.*;
 import org.junit.BeforeClass;
 import org.junit.ClassRule;
+import org.junit.rules.ExpectedException;
 import org.jvnet.hudson.test.FlagRule;
 import org.springframework.security.ldap.userdetails.LdapUserDetails;
 import org.junit.Rule;
@@ -65,6 +67,8 @@ public class LDAPEmbeddedFIPSTest {
     public RuleChain chain = RuleChain.outerRule(ads).around(r);
     @Rule
     public LoggerRule log = new LoggerRule();
+    @Rule
+    public ExpectedException thrown = ExpectedException.none();
 
     @ClassRule
     public static FlagRule<String> fipsSystemPropertyRule =
@@ -123,4 +127,32 @@ public void checkServerTrusted(X509Certificate[] certs, String authType) {
             e.printStackTrace();
         }
     }
+
+    @Test
+    public void testPasswordCheck() {
+        //Test when password is null
+        LDAPConfiguration configuration = new LDAPConfiguration("ldaps://ldap.example.com", "dc=example,dc=com", true, null, null);
+        assertNotNull(configuration);
+
+        // Test with a short password
+        thrown.expect(IllegalArgumentException.class);
+        thrown.expectMessage("Password is too short");
+        configuration = new LDAPConfiguration("ldaps://ldap.example.com", "dc=example,dc=com", true, null, Secret.fromString("shortString"));
+
+        //Test with a strong password
+        configuration = new LDAPConfiguration("ldaps://ldap.example.com", "dc=example,dc=com", true, null, Secret.fromString("ThisIsVeryStrongPassword"));
+        assertNotNull(configuration);
+    }
+
+    @Test
+    public void testPasswordCheckOnCheckServer(){
+        // Test with a short password
+        FormValidation shortPasswordValidation = new LDAPConfiguration.LDAPConfigurationDescriptor().doCheckManagerPasswordSecret("short");
+        assertEquals(FormValidation.Kind.ERROR, shortPasswordValidation.kind);
+        assertThat(shortPasswordValidation.getMessage(), containsString("Password is too short"));
+
+        // Test with a strong password but server validation fails hence checking for 'Unknown host'
+        FormValidation strongPasswordValidation = new LDAPConfiguration.LDAPConfigurationDescriptor().doCheckManagerPasswordSecret("ThisIsVeryStrongPassword");
+        assertEquals(FormValidation.Kind.OK, strongPasswordValidation.kind);
+    }
 }

src/test/java/jenkins/security/plugins/ldap/CasCFIPSTest.java

@@ -24,7 +24,7 @@ public class CasCFIPSTest {
 
     @Rule
     public RuleChain chain = RuleChain.outerRule(new EnvironmentVariables()
-            .set("LDAP_PASSWORD", "SECRET"))
+            .set("LDAP_PASSWORD", "SECRET_Password_123"))
             .around(new JenkinsConfiguredWithCodeRule());
 
     @Test
@@ -36,7 +36,7 @@ public void configure_ldap() {
         assertTrue(securityRealm.getGroupIdStrategy() instanceof IdStrategy.CaseSensitive);
         final LDAPConfiguration configuration = securityRealm.getConfigurations().get(0);
         assertEquals("ldaps://ldap.acme.com", configuration.getServer());
-        assertEquals("SECRET", configuration.getManagerPassword());
+        assertEquals("SECRET_Password_123", configuration.getManagerPassword());
         assertEquals("manager", configuration.getManagerDN());
         assertEquals("(&(objectCategory=User)(sAMAccountName={0}))", configuration.getUserSearch());
         assertEquals("(&(cn={0})(objectclass=group))", configuration.getGroupSearchFilter());