security: move logic in security/password.go to security/password/

This commit is to host the password logic in a separate package,
`security/password/`.

Release note: None

go.mod

@@ -140,6 +140,7 @@ require (
 	github.com/stretchr/testify v1.7.0
 	github.com/twpayne/go-geom v1.4.1
 	github.com/wadey/gocovmerge v0.0.0-20160331181800-b5bfa59ec0ad
+	github.com/xdg-go/pbkdf2 v1.0.0
 	github.com/xdg-go/scram v1.0.2
 	github.com/xdg-go/stringprep v1.0.2
 	github.com/zabawaba99/go-gitignore v0.0.0-20200117185801-39e6bddfb292
@@ -316,7 +317,6 @@ require (
 	github.com/twitchtv/twirp v8.1.0+incompatible // indirect
 	github.com/twpayne/go-kml v1.5.2 // indirect
 	github.com/urfave/cli/v2 v2.3.0 // indirect
-	github.com/xdg-go/pbkdf2 v1.0.0 // indirect
 	github.com/yusufpapurcu/wmi v1.2.2 // indirect
 	go.mongodb.org/mongo-driver v1.5.1 // indirect
 	go.opencensus.io v0.23.0 // indirect

pkg/BUILD.bazel

@@ -188,6 +188,7 @@ ALL_TESTS = [
     "//pkg/rpc/nodedialer:nodedialer_test",
     "//pkg/rpc:rpc_test",
     "//pkg/security/certmgr:certmgr_test",
+    "//pkg/security/password:password_test",
     "//pkg/security/sessionrevival:sessionrevival_test",
     "//pkg/security:security_test",
     "//pkg/server/debug/goroutineui:goroutineui_test",

pkg/ccl/serverccl/BUILD.bazel

@@ -29,6 +29,7 @@ go_test(
         "//pkg/kv/kvserver/liveness/livenesspb",
         "//pkg/roachpb",
         "//pkg/security",
+        "//pkg/security/password",
         "//pkg/security/securitytest",
         "//pkg/server",
         "//pkg/server/serverpb",

pkg/ccl/serverccl/role_authentication_test.go

@@ -16,6 +16,7 @@ import (
 
 	"github.com/cockroachdb/cockroach/pkg/base"
 	"github.com/cockroachdb/cockroach/pkg/security"
+	"github.com/cockroachdb/cockroach/pkg/security/password"
 	"github.com/cockroachdb/cockroach/pkg/server"
 	"github.com/cockroachdb/cockroach/pkg/sql"
 	"github.com/cockroachdb/cockroach/pkg/testutils/serverutils"
@@ -154,7 +155,7 @@ func TestVerifyPassword(t *testing.T) {
 				validDBConsole = false
 			}
 			if exists && (canLoginSQL || canLoginDBConsole) {
-				var hashedPassword security.PasswordHash
+				var hashedPassword password.PasswordHash
 				expired, hashedPassword, err = pwRetrieveFn(ctx)
 				if err != nil {
 					t.Errorf(
@@ -165,7 +166,7 @@ func TestVerifyPassword(t *testing.T) {
 					)
 				}
 
-				pwCompare, err := security.CompareHashAndCleartextPassword(ctx, hashedPassword, tc.password)
+				pwCompare, err := password.CompareHashAndCleartextPassword(ctx, hashedPassword, tc.password)
 				if err != nil {
 					t.Error(err)
 					valid = false

pkg/security/BUILD.bazel

@@ -23,6 +23,7 @@ go_library(
     visibility = ["//visibility:public"],
     deps = [
         "//pkg/clusterversion",
+        "//pkg/security/password",
         "//pkg/server/telemetry",
         "//pkg/settings",
         "//pkg/settings/cluster",
@@ -33,7 +34,6 @@ go_library(
         "//pkg/util/log",
         "//pkg/util/log/eventpb",
         "//pkg/util/metric",
-        "//pkg/util/quotapool",
         "//pkg/util/randutil",
         "//pkg/util/stop",
         "//pkg/util/syncutil",
@@ -43,11 +43,8 @@ go_library(
         "@com_github_cockroachdb_errors//:errors",
         "@com_github_cockroachdb_errors//oserror",
         "@com_github_cockroachdb_redact//:redact",
-        "@com_github_xdg_go_scram//:scram",
-        "@com_github_xdg_go_stringprep//:stringprep",
         "@org_golang_x_crypto//bcrypt",
         "@org_golang_x_crypto//ocsp",
-        "@org_golang_x_crypto//pbkdf2",
         "@org_golang_x_sync//errgroup",
     ],
 )
@@ -65,7 +62,6 @@ go_test(
         "certs_test.go",
         "join_token_test.go",
         "main_test.go",
-        "password_test.go",
         "permission_check_test.go",
         "tls_test.go",
         "username_test.go",
@@ -78,7 +74,6 @@ go_test(
         "//pkg/rpc",
         "//pkg/security/securitytest",
         "//pkg/server",
-        "//pkg/settings/cluster",
         "//pkg/testutils",
         "//pkg/testutils/serverutils",
         "//pkg/util/envutil",
@@ -89,7 +84,6 @@ go_test(
         "//pkg/util/uuid",
         "@com_github_cockroachdb_errors//:errors",
         "@com_github_stretchr_testify//require",
-        "@org_golang_x_crypto//bcrypt",
         "@org_golang_x_exp//rand",
     ] + select({
         "@io_bazel_rules_go//go/platform:aix": [

pkg/security/auth.go

@@ -17,6 +17,7 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/cockroachdb/cockroach/pkg/security/password"
 	"github.com/cockroachdb/cockroach/pkg/util/syncutil"
 	"github.com/cockroachdb/errors"
 )
@@ -159,7 +160,7 @@ func IsTenantCertificate(cert *x509.Certificate) bool {
 // UserAuthPasswordHook builds an authentication hook based on the security
 // mode, password, and its potentially matching hash.
 func UserAuthPasswordHook(
-	insecureMode bool, password string, hashedPassword PasswordHash,
+	insecureMode bool, passwordStr string, hashedPassword password.PasswordHash,
 ) UserAuthHook {
 	return func(ctx context.Context, systemIdentity SQLUsername, clientConnection bool) error {
 		if systemIdentity.Undefined() {
@@ -175,10 +176,10 @@ func UserAuthPasswordHook(
 		}
 
 		// If the requested user has an empty password, disallow authentication.
-		if len(password) == 0 {
+		if len(passwordStr) == 0 {
 			return NewErrPasswordUserAuthFailed(systemIdentity)
 		}
-		ok, err := CompareHashAndCleartextPassword(ctx, hashedPassword, password)
+		ok, err := password.CompareHashAndCleartextPassword(ctx, hashedPassword, passwordStr)
 		if err != nil {
 			return err
 		}