cloudfoundry · silvestre · Jan 18, 2023 · Jan 17, 2023
diff --git a/src/autoscaler/api/brokerserver/broker_server.go b/src/autoscaler/api/brokerserver/broker_server.go
@@ -75,6 +75,7 @@ func NewBrokerServer(logger lager.Logger, conf *config.Config, bindingdb db.Bind
 	var middleWareBrokerCredentials []MiddleWareBrokerCredentials
 
 	for _, brokerCredential := range conf.BrokerCredentials {
+		brokerCredential = restrictToMaxBcryptLength(logger, brokerCredential)
 		if string(brokerCredential.BrokerUsernameHash) == "" {
 			var err error
 			brokerCredential.BrokerUsernameHash, err = bcrypt.GenerateFromPassword([]byte(brokerCredential.BrokerUsername), bcrypt.MinCost) // use MinCost as the config already provided it as cleartext
@@ -153,6 +154,19 @@ func NewBrokerServer(logger lager.Logger, conf *config.Config, bindingdb db.Bind
 	return runner, nil
 }
 
+func restrictToMaxBcryptLength(logger lager.Logger, brokerCredential config.BrokerCredentialsConfig) config.BrokerCredentialsConfig {
+	if len(brokerCredential.BrokerUsername) > 72 {
+		logger.Error("warning-configured-username-too-long-using-only-first-72-characters", bcrypt.ErrPasswordTooLong, lager.Data{"username-length": len(brokerCredential.BrokerUsername)})
+		brokerCredential.BrokerUsername = brokerCredential.BrokerUsername[:72]
+	}
+	if len(brokerCredential.BrokerPassword) > 72 {
+		logger.Error("warning-configured-password-too-long-using-only-first-72-characters", bcrypt.ErrPasswordTooLong, lager.Data{"password-length": len(brokerCredential.BrokerPassword)})
+		brokerCredential.BrokerPassword = brokerCredential.BrokerPassword[:72]
+	}
+
+	return brokerCredential
+}
+
 func GetHealth(w http.ResponseWriter, _ *http.Request) {
 	handlers.WriteJSONResponse(w, http.StatusOK, []byte(`{"alive":"true"}`))
 }
diff --git a/src/autoscaler/healthendpoint/server.go b/src/autoscaler/healthendpoint/server.go
@@ -135,6 +135,10 @@ func getPasswordHashBytes(logger lager.Logger, passwordHash string, password str
 	var passwordHashByte []byte
 	var err error
 	if passwordHash == "" {
+		if len(password) > 72 {
+			logger.Error("warning-configured-password-too-long-using-only-first-72-characters", bcrypt.ErrPasswordTooLong, lager.Data{"password-length": len(password)})
+			password = password[:72]
+		}
 		passwordHashByte, err = bcrypt.GenerateFromPassword([]byte(password), bcrypt.MinCost) // use MinCost as the config already provided it as cleartext
 		if err != nil {
 			logger.Error("failed-new-server-password", err)
@@ -150,6 +154,10 @@ func getUserHashBytes(logger lager.Logger, usernameHash string, username string)
 	var usernameHashByte []byte
 	var err error
 	if usernameHash == "" {
+		if len(username) > 72 {
+			logger.Error("warning-configured-username-too-long-using-only-first-72-characters", bcrypt.ErrPasswordTooLong, lager.Data{"username-length": len(username)})
+			username = username[:72]
+		}
 		// when username and password are set for health check
 		usernameHashByte, err = bcrypt.GenerateFromPassword([]byte(username), bcrypt.MinCost) // use MinCost as the config already provided it as cleartext
 		if err != nil {

diff --git a/templates/app-autoscaler.yml b/templates/app-autoscaler.yml
@@ -706,11 +706,11 @@ variables:
 - name: service_broker_password
   type: password
   options:
-    length: 72
+    length: 128
 - name: service_broker_password_blue
   type: password
   options:
-    length: 72
+    length: 128
 - name: autoscaler_metricsforwarder_health_password
   type: password
 - name: autoscaler_metricsgateway_health_password