diff --git a/server/src/com/mirth/connect/model/PasswordRequirements.java b/server/src/com/mirth/connect/model/PasswordRequirements.java index 38751c2c8..6df8e4ed3 100644 --- a/server/src/com/mirth/connect/model/PasswordRequirements.java +++ b/server/src/com/mirth/connect/model/PasswordRequirements.java @@ -31,14 +31,40 @@ public class PasswordRequirements implements Serializable { private int reuseLimit; private boolean allowUsernameEnumeration; + /** + * No-arg constructor — hardened defaults bundled with issue #125 (SEC-04). + * + *

Previously every integer field defaulted to {@code 0}, which left + * operators who never explicitly configured a password policy with + * no enforcement at all (zero-length passwords, no retry limit, + * no lockout). The hardened defaults below match the OWASP Authentication + * Cheat Sheet baseline: + *

+ * Operators who relied on the old all-zero defaults to bypass policy can + * still call setters explicitly to restore that posture. + */ public PasswordRequirements() { - this.minLength = 0; - this.minUpper = 0; - this.minLower = 0; - this.minNumeric = 0; + this.minLength = 8; + this.minUpper = 1; + this.minLower = 1; + this.minNumeric = 1; this.minSpecial = 0; - this.retryLimit = 0; - this.lockoutPeriod = 0; + this.retryLimit = 5; + this.lockoutPeriod = 1; this.expiration = 0; this.gracePeriod = 0; this.reusePeriod = 0; diff --git a/server/src/com/mirth/connect/server/controllers/DefaultUserController.java b/server/src/com/mirth/connect/server/controllers/DefaultUserController.java index a79d3f2a5..98abc8560 100644 --- a/server/src/com/mirth/connect/server/controllers/DefaultUserController.java +++ b/server/src/com/mirth/connect/server/controllers/DefaultUserController.java @@ -44,6 +44,49 @@ public class DefaultUserController extends UserController { public static final String VACUUM_LOCK_PERSON_STATEMENT_ID = "User.vacuumPersonTable"; public static final String VACUUM_LOCK_PREFERENCES_STATEMENT_ID = "User.vacuumPersonPreferencesTable"; private static final String INCORRECT_CREDENTIALS_MESSAGE = "Incorrect username or password."; + + /** + * Pre-computed PBKDF2WithHmacSHA256 hash used to equalize wall-clock cost + * between the known-user and unknown-user authentication paths, mitigating + * username enumeration via response-time side-channel (CWE-208). + * + *

Without this constant, an unauthenticated attacker can distinguish + * valid usernames from invalid ones by measuring login latency: the valid + * path runs PBKDF2 (~100ms at 600,000 iterations) while the invalid path + * returns immediately. See OWASP Authentication Cheat Sheet and the + * Spring Security CVE-2025-22234 disclosure for the canonical fix + * pattern. + * + *

Generation parameters (byte-equivalent to the production + * {@link com.mirth.commons.encryption.Digester} default): + *

+ * + *

Residual risk: Operators who override {@code digest.iterations} + * to a non-default value retain a smaller-but-non-zero residual timing + * delta. Disclosed in PR #125 body. Dynamic computation at server startup + * is a documented follow-up. + * + *

Regeneration: Must be regenerated if + * {@code EncryptionSettings.DEFAULT_DIGEST_ITERATIONS} changes. The hash + * is validated at boot indirectly by + * {@code AuthorizeUserTimingTest#dummyHashIsConsumableWithoutThrowing}, + * which asserts {@code digester.matches(...)} returns false without + * throwing — guards against malformed base64 / wrong salt-size pitfalls. + */ + private static final String DUMMY_HASH = "L5+whfGBNpMMKJgAWt/jWIUPX8jnOCy5CzQomGpdNu/3hTQRWNp/yg=="; + private Logger logger = LogManager.getLogger(this.getClass()); private ExtensionController extensionController = null; @@ -297,8 +340,13 @@ public LoginStatus authorizeUser(String username, String plainPassword, String s // Retrieve the matching User User validUser = getUser(null, username); + // Hoisted above the if/else so both branches share a single Digester + // reference. The unknown-user path consumes the same PBKDF2 work as + // the known-user path to defeat username enumeration via timing + // (CWE-208 — see DUMMY_HASH javadoc and AuthorizeUserTimingTest). + Digester digester = ControllerFactory.getFactory().createConfigurationController().getDigester(); + if (validUser != null) { - Digester digester = ControllerFactory.getFactory().createConfigurationController().getDigester(); loginRequirementsChecker = new LoginRequirementsChecker(validUser); if (loginRequirementsChecker.isUserLockedOut()) { if (passwordRequirements.getAllowUsernameEnumeration()) { @@ -323,6 +371,12 @@ public LoginStatus authorizeUser(String username, String plainPassword, String s authorized = digester.matches(plainPassword, credentials.getPassword()); } } + } else { + // Timing equalization (CWE-208): run the same PBKDF2 work for + // unknown usernames so attackers cannot distinguish "user does + // not exist" from "wrong password" via response-time analysis. + // The boolean result is intentionally discarded. + digester.matches(plainPassword, DUMMY_HASH); } LoginStatus loginStatus = null; diff --git a/server/src/com/mirth/connect/server/util/PasswordRequirementsChecker.java b/server/src/com/mirth/connect/server/util/PasswordRequirementsChecker.java index 51139ed9c..d094526d5 100644 --- a/server/src/com/mirth/connect/server/util/PasswordRequirementsChecker.java +++ b/server/src/com/mirth/connect/server/util/PasswordRequirementsChecker.java @@ -76,20 +76,24 @@ public static PasswordRequirementsChecker getInstance() { } public PasswordRequirements loadPasswordRequirements(PropertiesConfiguration securityProperties) { + // Start with the hardened no-arg defaults from PasswordRequirements + // (issue #125 SEC-04). Then read each property using the hardened + // value as the fallback default, so absent keys retain the secure + // baseline instead of collapsing to zero. See WR-01 in 01-REVIEW.md. PasswordRequirements passwordRequirements = new PasswordRequirements(); - passwordRequirements.setMinLength(securityProperties.getInt(PASSWORD_MINLENGTH, 0)); - passwordRequirements.setMinUpper(securityProperties.getInt(PASSWORD_MIN_UPPER, 0)); - passwordRequirements.setMinLower(securityProperties.getInt(PASSWORD_MIN_LOWER, 0)); - passwordRequirements.setMinNumeric(securityProperties.getInt(PASSWORD_MIN_NUMERIC, 0)); - passwordRequirements.setMinSpecial(securityProperties.getInt(PASSWORD_MIN_SPECIAL, 0)); - passwordRequirements.setExpiration(securityProperties.getInt(PASSWORD_EXPIRATION, 0)); - passwordRequirements.setGracePeriod(securityProperties.getInt(PASSWORD_GRACE_PERIOD, 0)); - passwordRequirements.setRetryLimit(securityProperties.getInt(PASSWORD_RETRY_LIMIT, 0)); - passwordRequirements.setLockoutPeriod(securityProperties.getInt(PASSWORD_LOCKOUT_PERIOD, 0)); - passwordRequirements.setReusePeriod(securityProperties.getInt(PASSWORD_REUSE_PERIOD, 0)); - passwordRequirements.setReuseLimit(securityProperties.getInt(PASSWORD_REUSE_LIMIT, 0)); - passwordRequirements.setAllowUsernameEnumeration(securityProperties.getBoolean(PASSWORD_ALLOW_USERNAME_ENUMERATION, false)); + passwordRequirements.setMinLength(securityProperties.getInt(PASSWORD_MINLENGTH, passwordRequirements.getMinLength())); + passwordRequirements.setMinUpper(securityProperties.getInt(PASSWORD_MIN_UPPER, passwordRequirements.getMinUpper())); + passwordRequirements.setMinLower(securityProperties.getInt(PASSWORD_MIN_LOWER, passwordRequirements.getMinLower())); + passwordRequirements.setMinNumeric(securityProperties.getInt(PASSWORD_MIN_NUMERIC, passwordRequirements.getMinNumeric())); + passwordRequirements.setMinSpecial(securityProperties.getInt(PASSWORD_MIN_SPECIAL, passwordRequirements.getMinSpecial())); + passwordRequirements.setExpiration(securityProperties.getInt(PASSWORD_EXPIRATION, passwordRequirements.getExpiration())); + passwordRequirements.setGracePeriod(securityProperties.getInt(PASSWORD_GRACE_PERIOD, passwordRequirements.getGracePeriod())); + passwordRequirements.setRetryLimit(securityProperties.getInt(PASSWORD_RETRY_LIMIT, passwordRequirements.getRetryLimit())); + passwordRequirements.setLockoutPeriod(securityProperties.getInt(PASSWORD_LOCKOUT_PERIOD, passwordRequirements.getLockoutPeriod())); + passwordRequirements.setReusePeriod(securityProperties.getInt(PASSWORD_REUSE_PERIOD, passwordRequirements.getReusePeriod())); + passwordRequirements.setReuseLimit(securityProperties.getInt(PASSWORD_REUSE_LIMIT, passwordRequirements.getReuseLimit())); + passwordRequirements.setAllowUsernameEnumeration(securityProperties.getBoolean(PASSWORD_ALLOW_USERNAME_ENUMERATION, passwordRequirements.getAllowUsernameEnumeration())); return passwordRequirements; } diff --git a/server/test/com/mirth/connect/server/controllers/AuthorizeUserTimingTest.java b/server/test/com/mirth/connect/server/controllers/AuthorizeUserTimingTest.java new file mode 100644 index 000000000..fde1d0245 --- /dev/null +++ b/server/test/com/mirth/connect/server/controllers/AuthorizeUserTimingTest.java @@ -0,0 +1,328 @@ +/* + * + * Copyright (c) Innovar Healthcare. All rights reserved. + * + * https://www.innovarhealthcare.com + * + * The software in this package is published under the terms of the MPL license a copy of which has + * been included with this distribution in the LICENSE.txt file. + */ + +package com.mirth.connect.server.controllers; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertTrue; +import static org.mockito.ArgumentMatchers.any; +import static org.mockito.ArgumentMatchers.anyString; +import static org.mockito.ArgumentMatchers.eq; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.mockStatic; +import static org.mockito.Mockito.when; + +import java.lang.reflect.Field; + +import org.apache.ibatis.session.SqlSessionManager; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.junit.Before; +import org.junit.Test; +import org.junit.experimental.categories.Category; + +import com.mirth.commons.encryption.Digester; +import com.mirth.commons.encryption.Output; +import com.mirth.connect.client.core.ControllerException; +import com.mirth.connect.model.Credentials; +import com.mirth.connect.model.EncryptionSettings; +import com.mirth.connect.model.LoginStatus; +import com.mirth.connect.model.PasswordRequirements; +import com.mirth.connect.model.User; +import com.mirth.connect.plugins.AuthorizationPlugin; +import com.mirth.connect.server.util.SqlConfig; +import com.mirth.connect.server.util.StatementLock; +import com.mirth.connect.test.SlowTest; + +/** + * Regression test for issue #125 (SEC-04): username enumeration via timing (CWE-208) + * and message (CWE-204). + * + *

Verifies three behaviours required by the locked plan: + *

    + *
  1. {@code DUMMY_HASH} is a valid PBKDF2 base64 hash — calling + * {@code digester.matches(plain, DUMMY_HASH)} returns {@code false} without + * throwing. Guards against pitfall: malformed base64 / wrong salt size + * causes 500 instead of 401.
    2. + *
  2. The fail message for known-bad-password and unknown-user paths is byte-equal + * to the canonical {@code INCORRECT_CREDENTIALS_MESSAGE}.
    3. + *
  3. The wall-clock mean delta between known-username login and unknown-username + * login is {@code <= 20ms} across 50 samples per side. Discards the first 5 + * samples per side as JIT warmup.
    4. + *
+ * + *

The timing-parity test bears {@code @Category(SlowTest.class)} because the + * full 50-sample run performs ~100 PBKDF2-at-600000-iter operations and runs + * in ~10s on a typical CI runner. + */ +public class AuthorizeUserTimingTest { + + private static final Logger logger = LogManager.getLogger(AuthorizeUserTimingTest.class); + private static final String INCORRECT_CREDENTIALS_MESSAGE = "Incorrect username or password."; + private static final String CORRECT_PASSWORD = "correctpassword"; + private static final String WRONG_PASSWORD = "wrongpassword"; + private static final String VALID_USERNAME = "validuser"; + private static final String UNKNOWN_USERNAME = "nonexistentuser"; + + private Digester productionLikeDigester; + private String hashedCorrectPassword; + + @Before + public void setUp() throws Exception { + // Build a Digester configured identically to production: + // PBKDF2WithHmacSHA256, 600000 iter, BouncyCastle, PBE, 256-bit key, + // 8-byte salt, BASE64 output. Matches DigesterTest#createDigester. + productionLikeDigester = new Digester(); + productionLikeDigester.setProvider(new BouncyCastleProvider()); + productionLikeDigester.setAlgorithm("PBKDF2WithHmacSHA256"); + productionLikeDigester.setIterations(EncryptionSettings.DEFAULT_DIGEST_ITERATIONS); + productionLikeDigester.setUsePBE(true); + productionLikeDigester.setKeySizeBits(256); + productionLikeDigester.setSaltSizeBytes(8); + productionLikeDigester.setFormat(Output.BASE64); + + // Pre-compute the hash of the "correct" password the validuser path will + // succeed against. Done once in @Before so the test itself does not pay + // the 100ms PBKDF2 cost on every sample. + hashedCorrectPassword = productionLikeDigester.digest(CORRECT_PASSWORD); + assertNotNull("Digester.digest must return a non-null hash for setup", hashedCorrectPassword); + } + + /** + * Reflective access to the private static {@code DUMMY_HASH} constant on + * {@link DefaultUserController}. We do NOT add a public accessor to + * production code; reflection keeps the constant private. + */ + private static String readDummyHashConstant() throws Exception { + Field f = DefaultUserController.class.getDeclaredField("DUMMY_HASH"); + f.setAccessible(true); + return (String) f.get(null); + } + + // ===== Test 1: DUMMY_HASH safety ===== + + /** + * The DUMMY_HASH constant must be a base64-encoded byte array of length + * (saltSizeBytes + derived-key-bytes). If the constant is malformed, + * {@code digester.matches(...)} throws {@code EncryptionException} wrapping + * {@code ArrayIndexOutOfBoundsException} (see Digester.matches → doMatches + * → Base64.decodeBase64). That would make every unknown-user login a 500 + * instead of a 401. This test guards against that pitfall. + */ + @Test + public void dummyHashIsConsumableWithoutThrowing() throws Exception { + String dummyHash = readDummyHashConstant(); + assertNotNull("DUMMY_HASH must be declared on DefaultUserController", dummyHash); + assertFalse("DUMMY_HASH must not be empty", dummyHash.isEmpty()); + + // Must return false (random plaintext does not match the dummy hash) + // and must NOT throw. + boolean matched = productionLikeDigester.matches("any-plaintext-attacker-might-submit", dummyHash); + assertFalse("digester.matches with random plaintext against DUMMY_HASH must return false", matched); + } + + // ===== Test 2: message identity (CWE-204) ===== + + /** + * The error message returned for a known username with a wrong password must + * be byte-equal to the message returned for an unknown username. Both must + * be exactly {@code INCORRECT_CREDENTIALS_MESSAGE}. + */ + @Test + public void messageIdenticalForKnownBadPasswordAndUnknownUser() throws Exception { + DefaultUserController controller = newControllerWithMockedDeps(); + + String knownMessage = invokeAuthorizeAndGetMessage(controller, VALID_USERNAME, WRONG_PASSWORD); + String unknownMessage = invokeAuthorizeAndGetMessage(controller, UNKNOWN_USERNAME, WRONG_PASSWORD); + + assertEquals("Known-bad-password message must be the canonical generic message", + INCORRECT_CREDENTIALS_MESSAGE, knownMessage); + assertEquals("Unknown-user message must be the canonical generic message", + INCORRECT_CREDENTIALS_MESSAGE, unknownMessage); + assertEquals("Known-bad-password and unknown-user messages must be byte-equal", + knownMessage, unknownMessage); + } + + // ===== Test 3: timing parity (CWE-208) ===== + + /** + * Measures wall-clock {@code authorizeUser} latency for 50 samples each of + * known and unknown usernames, discards the first 5 per side as JIT warmup, + * and asserts the absolute mean delta is at most 20ms. This number matches + * ROADMAP Success Criterion 4 verbatim and CONTEXT.md §#125. + * + *

Marked {@code @Category(SlowTest.class)} — full run is ~10s. + */ + @Test + @Category(SlowTest.class) + public void meanResponseDeltaUnder20msOver50Samples() throws Exception { + DefaultUserController controller = newControllerWithMockedDeps(); + + final int samples = 50; + final int warmupDiscard = 5; + long sumKnownNanos = 0L; + long sumUnknownNanos = 0L; + + for (int i = 0; i < samples; i++) { + long known = timedAuthorizeNanos(controller, VALID_USERNAME, WRONG_PASSWORD); + long unknown = timedAuthorizeNanos(controller, UNKNOWN_USERNAME, WRONG_PASSWORD); + if (i >= warmupDiscard) { + sumKnownNanos += known; + sumUnknownNanos += unknown; + } + } + + long effective = samples - warmupDiscard; + double meanKnownMs = (sumKnownNanos / (double) effective) / 1_000_000.0; + double meanUnknownMs = (sumUnknownNanos / (double) effective) / 1_000_000.0; + double deltaMs = Math.abs(meanKnownMs - meanUnknownMs); + + logger.info(String.format( + "AuthorizeUserTimingTest samples=%d (effective=%d) meanKnown=%.2fms meanUnknown=%.2fms delta=%.2fms", + samples, effective, meanKnownMs, meanUnknownMs, deltaMs)); + + assertTrue(String.format( + "Mean response-time delta must be <= 20ms (was %.2fms; mean known=%.2fms, mean unknown=%.2fms)", + deltaMs, meanKnownMs, meanUnknownMs), + deltaMs <= 20.0); + } + + // ===== Test plumbing ===== + + private long timedAuthorizeNanos(DefaultUserController controller, String user, String pw) { + long start = System.nanoTime(); + try { + controller.authorizeUser(user, pw, "http://localhost/test"); + } catch (Exception e) { + // Treat ControllerException as a timing sample too — production + // would still consume the same PBKDF2 work in the error path. + } + return System.nanoTime() - start; + } + + private String invokeAuthorizeAndGetMessage(DefaultUserController controller, String user, String pw) + throws ControllerException { + LoginStatus status = controller.authorizeUser(user, pw, "http://localhost/test"); + assertNotNull("authorizeUser must return a LoginStatus", status); + return status.getMessage(); + } + + /** + * Builds a DefaultUserController whose required collaborators (SqlConfig, + * StatementLock, ControllerFactory) are stubbed to drive the validuser / + * unknownuser paths deterministically. The stubs are installed in a + * try-with-resources elsewhere; here we wire them onto the current call + * scope by entering a mockStatic block that lives for the duration of the + * surrounding @Test method via the controller instance retaining no + * static-mock references. + * + *

Implementation note: each @Test that calls this helper installs the + * mockStatic blocks itself; this helper just builds the controller and + * arranges per-test stubs. See {@link #installMocks()}. + */ + private DefaultUserController newControllerWithMockedDeps() throws Exception { + // Install the static mocks. The mocks live as instance fields so the + // surrounding test method's lifecycle keeps them open until the + // @After teardown (implicitly, when the @Test method returns and the + // controller goes out of scope). For simplicity we install them once + // per test via this builder. + installMocks(); + return new DefaultUserController(); + } + + // mockStatic handles must remain open for the duration of the @Test — + // we keep them as instance fields and close them via try-with-resources + // inside each @Test would be ideal; for brevity here we leak them + // intentionally and rely on Mockito's test-isolation cleanup. + private org.mockito.MockedStatic sqlConfigStatic; + private org.mockito.MockedStatic statementLockStatic; + private org.mockito.MockedStatic controllerFactoryStatic; + + @org.junit.After + public void tearDown() { + if (sqlConfigStatic != null) sqlConfigStatic.close(); + if (statementLockStatic != null) statementLockStatic.close(); + if (controllerFactoryStatic != null) controllerFactoryStatic.close(); + } + + private void installMocks() throws Exception { + // StatementLock — readLock/readUnlock are no-ops in tests. + StatementLock mockLock = mock(StatementLock.class); + statementLockStatic = mockStatic(StatementLock.class); + statementLockStatic.when(() -> StatementLock.getInstance(anyString())).thenReturn(mockLock); + + // SqlConfig — selectOne dispatched on statement name. + SqlConfig mockSqlConfig = mock(SqlConfig.class); + SqlSessionManager mockSessionManager = mock(SqlSessionManager.class); + when(mockSqlConfig.getReadOnlySqlSessionManager()).thenReturn(mockSessionManager); + when(mockSqlConfig.getSqlSessionManager()).thenReturn(mockSessionManager); + + // User.getUser → known user for VALID_USERNAME, null for UNKNOWN_USERNAME. + when(mockSessionManager.selectOne(eq("User.getUser"), any())).thenAnswer(inv -> { + Object param = inv.getArgument(1); + if (param instanceof User) { + String requested = ((User) param).getUsername(); + if (VALID_USERNAME.equals(requested)) { + User u = new User(); + u.setId(42); + u.setUsername(VALID_USERNAME); + return u; + } + } + return null; + }); + + // User.getLatestUserCredentials → Credentials with the real PBKDF2 hash + // of CORRECT_PASSWORD for the known user. + Credentials creds = new Credentials(); + creds.setPassword(hashedCorrectPassword); + when(mockSessionManager.selectOne(eq("User.getLatestUserCredentials"), any())).thenReturn(creds); + + sqlConfigStatic = mockStatic(SqlConfig.class); + sqlConfigStatic.when(SqlConfig::getInstance).thenReturn(mockSqlConfig); + + // ControllerFactory — provides ExtensionController (auth plugin null) + // and ConfigurationController (digester + password requirements). + ConfigurationController mockConfigController = mock(ConfigurationController.class); + when(mockConfigController.getDigester()).thenReturn(productionLikeDigester); + PasswordRequirements pr = new PasswordRequirements(); + // Force allowUsernameEnumeration=false so we exercise the safe error path. + pr.setAllowUsernameEnumeration(false); + // Bypass the strike/lockout path so the wrong-password branch does NOT + // invoke LoginRequirementsChecker.incrementStrikes(); combined with the + // UserController stub below, this isolates the test from the hardened + // PasswordRequirements defaults (retryLimit=5, lockoutPeriod=5) added + // by issue #125. See CR-01 in 01-REVIEW.md. + pr.setRetryLimit(0); + pr.setLockoutPeriod(0); + when(mockConfigController.getPasswordRequirements()).thenReturn(pr); + + ExtensionController mockExtController = mock(ExtensionController.class); + when(mockExtController.getAuthorizationPlugin()).thenReturn((AuthorizationPlugin) null); + + // UserController stub — required so LoginRequirementsChecker's + // constructor (which calls ControllerFactory.getFactory().createUserController()) + // does not return null and subsequently NPE in any code path that + // dereferences userController. Belt-and-suspenders alongside + // retryLimit=0 above. + UserController mockUserController = mock(UserController.class); + + ControllerFactory mockFactory = mock(ControllerFactory.class); + when(mockFactory.createConfigurationController()).thenReturn(mockConfigController); + when(mockFactory.createExtensionController()).thenReturn(mockExtController); + when(mockFactory.createUserController()).thenReturn(mockUserController); + + controllerFactoryStatic = mockStatic(ControllerFactory.class); + controllerFactoryStatic.when(ControllerFactory::getFactory).thenReturn(mockFactory); + } +} diff --git a/server/test/com/mirth/connect/test/SlowTest.java b/server/test/com/mirth/connect/test/SlowTest.java new file mode 100644 index 000000000..d87e28bd3 --- /dev/null +++ b/server/test/com/mirth/connect/test/SlowTest.java @@ -0,0 +1,26 @@ +/* + * + * Copyright (c) Innovar Healthcare. All rights reserved. + * + * https://www.innovarhealthcare.com + * + * The software in this package is published under the terms of the MPL license a copy of which has + * been included with this distribution in the LICENSE.txt file. + */ + +package com.mirth.connect.test; + +/** + * JUnit {@link org.junit.experimental.categories.Category} marker for slow tests. + * + *

Apply via {@code @Category(SlowTest.class)} at the class or method level. + * Test classes / methods carrying this category may take noticeably longer than + * the typical unit test (e.g., the 50-sample PBKDF2 timing-parity assertion in + * {@link com.mirth.connect.server.controllers.AuthorizeUserTimingTest}). The + * default {@code ant test} target still runs them; future fast pre-commit hooks + * can exclude them via a {@code } category filter. + * + *

Intentionally empty — this is a marker interface only. + */ +public interface SlowTest { +}