honeymoose
/
OpenSearch
mirror of https://github.com/honeymoose/OpenSearch.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Only enforce password hashing check if FIPS enabled (#32383) 

This commit modifies the FIPS password hashing algorithm check to only
be executed if FIPS mode is enabled.
This commit is contained in:
Jason Tedor 2018-07-25 20:57:03 -04:00 committed by GitHub
parent a577fb3381
commit 467a60ba0c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 50 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/FIPS140PasswordHashingAlgorithmBootstrapCheck.java
View File

@ -16,7 +16,7 @@ public class FIPS140PasswordHashingAlgorithmBootstrapCheck implements BootstrapC
private final boolean fipsModeEnabled; private final boolean fipsModeEnabled;
FIPS140PasswordHashingAlgorithmBootstrapCheck(Settings settings) { FIPS140PasswordHashingAlgorithmBootstrapCheck(final Settings settings) {
this.fipsModeEnabled = Security.FIPS_MODE_ENABLED.get(settings); this.fipsModeEnabled = Security.FIPS_MODE_ENABLED.get(settings);
} }
@ -27,17 +27,15 @@ public class FIPS140PasswordHashingAlgorithmBootstrapCheck implements BootstrapC
* @return the result of the bootstrap check * @return the result of the bootstrap check
*/ */
@Override @Override
public BootstrapCheckResult check(BootstrapContext context) { public BootstrapCheckResult check(final BootstrapContext context) {
final String selectedAlgorithm = XPackSettings.PASSWORD_HASHING_ALGORITHM.get(context.settings); if (fipsModeEnabled) {
if (selectedAlgorithm.toLowerCase(Locale.ROOT).startsWith("pbkdf2") == false) { final String selectedAlgorithm = XPackSettings.PASSWORD_HASHING_ALGORITHM.get(context.settings);
return BootstrapCheckResult.failure("Only PBKDF2 is allowed for password hashing in a FIPS-140 JVM. Please set the " + if (selectedAlgorithm.toLowerCase(Locale.ROOT).startsWith("pbkdf2") == false) {
"appropriate value for [ " + XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey() + " ] setting."); return BootstrapCheckResult.failure("Only PBKDF2 is allowed for password hashing in a FIPS-140 JVM. Please set the " +
"appropriate value for [ " + XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey() + " ] setting.");
}
} }
return BootstrapCheckResult.success(); return BootstrapCheckResult.success();
} }
@Override
public boolean alwaysEnforce() {
return fipsModeEnabled;
}
} }

56
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/FIPS140PasswordHashingAlgorithmBootstrapCheckTests.java
View File

@ -3,32 +3,60 @@
* or more contributor license agreements. Licensed under the Elastic License; * or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License. * you may not use this file except in compliance with the Elastic License.
*/ */
package org.elasticsearch.xpack.security; package org.elasticsearch.xpack.security;
import org.elasticsearch.bootstrap.BootstrapCheck;
import org.elasticsearch.bootstrap.BootstrapContext; import org.elasticsearch.bootstrap.BootstrapContext;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.test.ESTestCase; import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.XPackSettings;
import java.util.Arrays;
import static org.hamcrest.Matchers.equalTo;
public class FIPS140PasswordHashingAlgorithmBootstrapCheckTests extends ESTestCase { public class FIPS140PasswordHashingAlgorithmBootstrapCheckTests extends ESTestCase {
public void testPBKDF2AlgorithmIsAllowed() { public void testPBKDF2AlgorithmIsAllowed() {
Settings settings = Settings.builder().put("xpack.security.fips_mode.enabled", "true").build(); {
final Settings settings = Settings.builder()
.put(Security.FIPS_MODE_ENABLED.getKey(), true)
.put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), "PBKDF2_10000")
.build();
final BootstrapCheck.BootstrapCheckResult result =
new FIPS140PasswordHashingAlgorithmBootstrapCheck(settings).check(new BootstrapContext(settings, null));
assertFalse(result.isFailure());
}
settings = Settings.builder().put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), "PBKDF2_10000").build(); {
assertFalse(new FIPS140PasswordHashingAlgorithmBootstrapCheck(settings).check(new BootstrapContext(settings, null)).isFailure()); final Settings settings = Settings.builder()
.put(Security.FIPS_MODE_ENABLED.getKey(), true)
settings = Settings.builder().put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), "PBKDF2").build(); .put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), "PBKDF2")
assertFalse(new FIPS140PasswordHashingAlgorithmBootstrapCheck(settings).check(new BootstrapContext(settings, null)).isFailure()); .build();
final BootstrapCheck.BootstrapCheckResult result =
new FIPS140PasswordHashingAlgorithmBootstrapCheck(settings).check(new BootstrapContext(settings, null));
assertFalse(result.isFailure());
}
} }
public void testBCRYPTAlgorithmIsNotAllowed() { public void testBCRYPTAlgorithmDependsOnFipsMode() {
Settings settings = Settings.builder().put("xpack.security.fips_mode.enabled", "true").build(); for (final Boolean fipsModeEnabled : Arrays.asList(true, false)) {
assertTrue(new FIPS140PasswordHashingAlgorithmBootstrapCheck(settings).check(new BootstrapContext(settings, null)).isFailure()); for (final String passwordHashingAlgorithm : Arrays.asList(null, "BCRYPT", "BCRYPT11")) {
settings = Settings.builder().put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), "BCRYPT").build(); runBCRYPTTest(fipsModeEnabled, passwordHashingAlgorithm);
assertTrue(new FIPS140PasswordHashingAlgorithmBootstrapCheck(settings).check(new BootstrapContext(settings, null)).isFailure()); }
}
settings = Settings.builder().put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), "BCRYPT11").build();
assertTrue(new FIPS140PasswordHashingAlgorithmBootstrapCheck(settings).check(new BootstrapContext(settings, null)).isFailure());
} }
private void runBCRYPTTest(final boolean fipsModeEnabled, final String passwordHashingAlgorithm) {
final Settings.Builder builder = Settings.builder().put(Security.FIPS_MODE_ENABLED.getKey(), fipsModeEnabled);
if (passwordHashingAlgorithm != null) {
builder.put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), passwordHashingAlgorithm);
}
final Settings settings = builder.build();
final BootstrapCheck.BootstrapCheckResult result =
new FIPS140PasswordHashingAlgorithmBootstrapCheck(settings).check(new BootstrapContext(settings, null));
assertThat(result.isFailure(), equalTo(fipsModeEnabled));
}
} }