[WIP]security: move logic in security/password.go to `security/pass…

…word/`

WIP

This commit is to host the password logic in a separate package,
`security/password/`.

Release note: None

pkg/ccl/serverccl/BUILD.bazel

@@ -29,6 +29,7 @@ go_test(
         "//pkg/kv/kvserver/liveness/livenesspb",
         "//pkg/roachpb",
         "//pkg/security",
+        "//pkg/security/password",
         "//pkg/security/securitytest",
         "//pkg/server",
         "//pkg/server/serverpb",

pkg/ccl/serverccl/role_authentication_test.go

@@ -16,6 +16,7 @@ import (
 
 	"github.com/cockroachdb/cockroach/pkg/base"
 	"github.com/cockroachdb/cockroach/pkg/security"
+	"github.com/cockroachdb/cockroach/pkg/security/password"
 	"github.com/cockroachdb/cockroach/pkg/server"
 	"github.com/cockroachdb/cockroach/pkg/sql"
 	"github.com/cockroachdb/cockroach/pkg/testutils/serverutils"
@@ -154,7 +155,7 @@ func TestVerifyPassword(t *testing.T) {
 				validDBConsole = false
 			}
 			if exists && (canLoginSQL || canLoginDBConsole) {
-				var hashedPassword security.PasswordHash
+				var hashedPassword password.PasswordHash
 				expired, hashedPassword, err = pwRetrieveFn(ctx)
 				if err != nil {
 					t.Errorf(
@@ -165,7 +166,7 @@ func TestVerifyPassword(t *testing.T) {
 					)
 				}
 
-				pwCompare, err := security.CompareHashAndCleartextPassword(ctx, hashedPassword, tc.password)
+				pwCompare, err := password.CompareHashAndCleartextPassword(ctx, hashedPassword, tc.password)
 				if err != nil {
 					t.Error(err)
 					valid = false

pkg/security/BUILD.bazel

@@ -23,6 +23,7 @@ go_library(
     visibility = ["//visibility:public"],
     deps = [
         "//pkg/clusterversion",
+        "//pkg/security/password",
         "//pkg/server/telemetry",
         "//pkg/settings",
         "//pkg/settings/cluster",
@@ -33,7 +34,6 @@ go_library(
         "//pkg/util/log",
         "//pkg/util/log/eventpb",
         "//pkg/util/metric",
-        "//pkg/util/quotapool",
         "//pkg/util/randutil",
         "//pkg/util/stop",
         "//pkg/util/syncutil",
@@ -43,11 +43,8 @@ go_library(
         "@com_github_cockroachdb_errors//:errors",
         "@com_github_cockroachdb_errors//oserror",
         "@com_github_cockroachdb_redact//:redact",
-        "@com_github_xdg_go_scram//:scram",
-        "@com_github_xdg_go_stringprep//:stringprep",
         "@org_golang_x_crypto//bcrypt",
         "@org_golang_x_crypto//ocsp",
-        "@org_golang_x_crypto//pbkdf2",
         "@org_golang_x_sync//errgroup",
     ],
 )
@@ -76,6 +73,7 @@ go_test(
         "//pkg/base",
         "//pkg/roachpb",
         "//pkg/rpc",
+        "//pkg/security/password",
         "//pkg/security/securitytest",
         "//pkg/server",
         "//pkg/settings/cluster",

pkg/security/auth.go

@@ -17,6 +17,7 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/cockroachdb/cockroach/pkg/security/password"
 	"github.com/cockroachdb/cockroach/pkg/util/syncutil"
 	"github.com/cockroachdb/errors"
 )
@@ -159,7 +160,7 @@ func IsTenantCertificate(cert *x509.Certificate) bool {
 // UserAuthPasswordHook builds an authentication hook based on the security
 // mode, password, and its potentially matching hash.
 func UserAuthPasswordHook(
-	insecureMode bool, password string, hashedPassword PasswordHash,
+	insecureMode bool, passwordStr string, hashedPassword password.PasswordHash,
 ) UserAuthHook {
 	return func(ctx context.Context, systemIdentity SQLUsername, clientConnection bool) error {
 		if systemIdentity.Undefined() {
@@ -175,10 +176,10 @@ func UserAuthPasswordHook(
 		}
 
 		// If the requested user has an empty password, disallow authentication.
-		if len(password) == 0 {
+		if len(passwordStr) == 0 {
 			return NewErrPasswordUserAuthFailed(systemIdentity)
 		}
-		ok, err := CompareHashAndCleartextPassword(ctx, hashedPassword, password)
+		ok, err := password.CompareHashAndCleartextPassword(ctx, hashedPassword, passwordStr)
 		if err != nil {
 			return err
 		}