honeymoose
/
OpenSearch
mirror of https://github.com/honeymoose/OpenSearch.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

security: handle null values for full name and email 

This commit adds logic so that we properly handle null tokens for full name and
email.

Closes elastic/elasticsearch#1887

Original commit: elastic/x-pack-elasticsearch@e03188c29f
This commit is contained in:
jaymode 2016-04-02 18:01:46 -04:00
parent 917101f7a3
commit 4f7dad8da2
2 changed files with 118 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/user/PutUserRequestBuilder.java
View File

@ -111,14 +111,14 @@ public class PutUserRequestBuilder extends ActionRequestBuilder<PutUserRequest,
} else if (ParseFieldMatcher.STRICT.match(currentFieldName, User.Fields.FULL_NAME)) {
if (token == XContentParser.Token.VALUE_STRING) {
fullName(parser.text());
} else {
} else if (token != XContentParser.Token.VALUE_NULL) {
throw new ElasticsearchParseException(
"expected field [{}] to be of type string, but found [{}] instead", currentFieldName, token);
}
} else if (ParseFieldMatcher.STRICT.match(currentFieldName, User.Fields.EMAIL)) {
if (token == XContentParser.Token.VALUE_STRING) {
email(parser.text());
} else {
} else if (token != XContentParser.Token.VALUE_NULL) {
throw new ElasticsearchParseException(
"expected field [{}] to be of type string, but found [{}] instead", currentFieldName, token);
}

116
elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/action/user/PutUserRequestBuilderTests.java Normal file
View File

@ -0,0 +1,116 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.shield.action.user;
import org.elasticsearch.ElasticsearchParseException;
import org.elasticsearch.client.Client;
import org.elasticsearch.common.bytes.BytesArray;
import org.elasticsearch.test.ESTestCase;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import static org.hamcrest.Matchers.arrayContaining;
import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.is;
import static org.hamcrest.Matchers.nullValue;
import static org.mockito.Mockito.mock;
public class PutUserRequestBuilderTests extends ESTestCase {
public void testNullValuesForEmailAndFullName() throws IOException {
final String json = "{\n" +
" \"roles\": [\n" +
" \"kibana4\"\n" +
" ],\n" +
" \"full_name\": null,\n" +
" \"email\": null,\n" +
" \"metadata\": {}\n" +
"}";
PutUserRequestBuilder builder = new PutUserRequestBuilder(mock(Client.class));
builder.source("kibana4", new BytesArray(json.getBytes(StandardCharsets.UTF_8)));
PutUserRequest request = builder.request();
assertThat(request.username(), is("kibana4"));
assertThat(request.roles(), arrayContaining("kibana4"));
assertThat(request.fullName(), nullValue());
assertThat(request.email(), nullValue());
assertThat(request.metadata().isEmpty(), is(true));
}
public void testMissingEmailFullName() throws Exception {
final String json = "{\n" +
" \"roles\": [\n" +
" \"kibana4\"\n" +
" ],\n" +
" \"metadata\": {}\n" +
"}";
PutUserRequestBuilder builder = new PutUserRequestBuilder(mock(Client.class));
builder.source("kibana4", new BytesArray(json.getBytes(StandardCharsets.UTF_8)));
PutUserRequest request = builder.request();
assertThat(request.username(), is("kibana4"));
assertThat(request.roles(), arrayContaining("kibana4"));
assertThat(request.fullName(), nullValue());
assertThat(request.email(), nullValue());
assertThat(request.metadata().isEmpty(), is(true));
}
public void testWithFullNameAndEmail() throws IOException {
final String json = "{\n" +
" \"roles\": [\n" +
" \"kibana4\"\n" +
" ],\n" +
" \"full_name\": \"Kibana User\",\n" +
" \"email\": \"kibana@elastic.co\",\n" +
" \"metadata\": {}\n" +
"}";
PutUserRequestBuilder builder = new PutUserRequestBuilder(mock(Client.class));
builder.source("kibana4", new BytesArray(json.getBytes(StandardCharsets.UTF_8)));
PutUserRequest request = builder.request();
assertThat(request.username(), is("kibana4"));
assertThat(request.roles(), arrayContaining("kibana4"));
assertThat(request.fullName(), is("Kibana User"));
assertThat(request.email(), is("kibana@elastic.co"));
assertThat(request.metadata().isEmpty(), is(true));
}
public void testInvalidFullname() throws IOException {
final String json = "{\n" +
" \"roles\": [\n" +
" \"kibana4\"\n" +
" ],\n" +
" \"full_name\": [ \"Kibana User\" ],\n" +
" \"email\": \"kibana@elastic.co\",\n" +
" \"metadata\": {}\n" +
"}";
PutUserRequestBuilder builder = new PutUserRequestBuilder(mock(Client.class));
ElasticsearchParseException e = expectThrows(ElasticsearchParseException.class,
() -> builder.source("kibana4", new BytesArray(json.getBytes(StandardCharsets.UTF_8))));
assertThat(e.getMessage(), containsString("expected field [full_name] to be of type string"));
}
public void testInvalidEmail() throws IOException {
final String json = "{\n" +
" \"roles\": [\n" +
" \"kibana4\"\n" +
" ],\n" +
" \"full_name\": \"Kibana User\",\n" +
" \"email\": [ \"kibana@elastic.co\" ],\n" +
" \"metadata\": {}\n" +
"}";
PutUserRequestBuilder builder = new PutUserRequestBuilder(mock(Client.class));
ElasticsearchParseException e = expectThrows(ElasticsearchParseException.class,
() -> builder.source("kibana4", new BytesArray(json.getBytes(StandardCharsets.UTF_8))));
assertThat(e.getMessage(), containsString("expected field [email] to be of type string"));
}
}