From 573f365b56beeadc86814964088f306d0fc2dc2b Mon Sep 17 00:00:00 2001 From: Jay Modi Date: Wed, 2 Aug 2017 07:58:54 -0600 Subject: [PATCH] Fix validation of username and password in CreateTokenRequest (elastic/x-pack-elasticsearch#2145) This change fixes the validation of the the username and password field in the CreateTokenRequest and adds a unit test to validate the fix. relates elastic/x-pack-elasticsearch#2127 Original commit: elastic/x-pack-elasticsearch@b870683d39446b66184bcd6ee057dea6651ef6a1
---
 .../action/token/CreateTokenRequest.java | 4 +- .../action/token/CreateTokenRequestTests.java | 48 +++++++++++++++++++ 2 files changed, 50 insertions(+), 2 deletions(-) create mode 100644 plugin/src/test/java/org/elasticsearch/xpack/security/action/token/CreateTokenRequestTests.java
diff --git a/plugin/src/main/java/org/elasticsearch/xpack/security/action/token/CreateTokenRequest.java b/plugin/src/main/java/org/elasticsearch/xpack/security/action/token/CreateTokenRequest.java
index 45bf6e10077..ddb36ce55ca 100644
--- a/plugin/src/main/java/org/elasticsearch/xpack/security/action/token/CreateTokenRequest.java
+++ b/plugin/src/main/java/org/elasticsearch/xpack/security/action/token/CreateTokenRequest.java
@@ -45,10 +45,10 @@ public final class CreateTokenRequest extends ActionRequest {
 if ("password".equals(grantType) == false) {
 validationException = addValidationError("only [password] grant_type is supported", validationException);
 }
- if (Strings.isNullOrEmpty("username")) {
+ if (Strings.isNullOrEmpty(username)) {
 validationException = addValidationError("username is missing", validationException);
 }
- if (Strings.isNullOrEmpty("password")) {
+ if (password == null || password.getChars() == null || password.getChars().length == 0) {
 validationException = addValidationError("password is missing", validationException);
 }
 
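Review bot: The new password condition reads the secret's backing array twice through `getChars()` only to test for emptiness, and its middle branch `password.getChars() == null` looks unreachable if `getChars()` throws once the SecureString has been closed (I believe it does, but please confirm). If SecureString's `CharSequence` view is usable here, `if (password == null || password.length() == 0) {` expresses the same check without handling the raw chars. A short comment above the two checks, such as `// check the fields, not literals: a non-empty literal never fails, so requests without credentials passed validation`, would record why the old form was wrong. validate() begins and ends outside this hunk, so how the error is returned cannot be checked from here.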
diff --git a/plugin/src/test/java/org/elasticsearch/xpack/security/action/token/CreateTokenRequestTests.java b/plugin/src/test/java/org/elasticsearch/xpack/security/action/token/CreateTokenRequestTests.java
new file mode 100644
index 00000000000..d44bcf34bf2
--- /dev/null
+++ b/plugin/src/test/java/org/elasticsearch/xpack/security/action/token/CreateTokenRequestTests.java
@@ -0,0 +1,48 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.security.action.token;
+
+import org.elasticsearch.action.ActionRequestValidationException;
+import org.elasticsearch.common.settings.SecureString;
+import org.elasticsearch.test.ESTestCase;
+
+import static org.hamcrest.Matchers.hasItem;
+
+public class CreateTokenRequestTests extends ESTestCase {
+
+ public void testRequestValidation() throws Exception {
+ CreateTokenRequest request = new CreateTokenRequest();
+ ActionRequestValidationException ve = request.validate();
+ assertNotNull(ve);
+ assertEquals(3, ve.validationErrors().size());
+
+ request.setGrantType("password");
+ ve = request.validate();
+ assertNotNull(ve);
+ assertEquals(2, ve.validationErrors().size());
+ assertThat(ve.validationErrors(), hasItem("username is missing"));
+ assertThat(ve.validationErrors(), hasItem("password is missing"));
+
+ request.setUsername(randomBoolean() ? null : "");
+ request.setPassword(randomBoolean() ? null : new SecureString(new char[] {}));
+
+ ve = request.validate();
+ assertNotNull(ve);
+ assertEquals(2, ve.validationErrors().size());
+ assertThat(ve.validationErrors(), hasItem("username is missing"));
+ assertThat(ve.validationErrors(), hasItem("password is missing"));
+
+ request.setUsername(randomAlphaOfLengthBetween(1, 256));
+ ve = request.validate();
+ assertNotNull(ve);
+ assertEquals(1, ve.validationErrors().size());
+ assertThat(ve.validationErrors(), hasItem("password is missing"));
+
+ request.setPassword(new SecureString(randomAlphaOfLengthBetween(1, 256).toCharArray()));
+ ve = request.validate();
+ assertNull(ve);
+ }
+}
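Review bot: The null and empty cases for username and password are picked with `randomBoolean()`, so a single run exercises only one of the four combinations and a regression in, say, the zero-length `SecureString` branch can pass on some seeds. Iterating both values explicitly, e.g. `for (String u : new String[] { null, "" })` with a matching loop over `null` and `new SecureString(new char[] {})`, makes the coverage deterministic. The first block asserts only the count of 3; adding `assertThat(ve.validationErrors(), hasItem("only [password] grant_type is supported"));` would pin the grant_type message as well. There is also no case with a valid password and a missing username, which is the other half of the check being fixed.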