Fix validation of username and password in CreateTokenRequest (elastic/x-pack-elasticsearch#2145)

This change fixes the validation of the the username and password field in the CreateTokenRequest and adds a unit test to validate the fix. relates elastic/x-pack-elasticsearch#2127 Original commit: elastic/x-pack-elasticsearch@b870683d39
2017-08-02 07:58:54 -06:00 · 2017-08-02 07:58:54 -06:00 · 573f365b56
parent 7795d70414
commit 573f365b56
2 changed files with 50 additions and 2 deletions
--- a/plugin/src/main/java/org/elasticsearch/xpack/security/action/token/CreateTokenRequest.java
+++ b/plugin/src/main/java/org/elasticsearch/xpack/security/action/token/CreateTokenRequest.java
@ -45,10 +45,10 @@ public final class CreateTokenRequest extends ActionRequest {
        if ("password".equals(grantType) == false) {
            validationException = addValidationError("only [password] grant_type is supported", validationException);
        }
-        if (Strings.isNullOrEmpty("username")) {
+        if (Strings.isNullOrEmpty(username)) {
            validationException = addValidationError("username is missing", validationException);
        }
-        if (Strings.isNullOrEmpty("password")) {
+        if (password == null || password.getChars() == null || password.getChars().length == 0) {
            validationException = addValidationError("password is missing", validationException);
        }

--- a/plugin/src/test/java/org/elasticsearch/xpack/security/action/token/CreateTokenRequestTests.java
+++ b/plugin/src/test/java/org/elasticsearch/xpack/security/action/token/CreateTokenRequestTests.java
@ -0,0 +1,48 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.security.action.token;
+
+import org.elasticsearch.action.ActionRequestValidationException;
+import org.elasticsearch.common.settings.SecureString;
+import org.elasticsearch.test.ESTestCase;
+
+import static org.hamcrest.Matchers.hasItem;
+
+public class CreateTokenRequestTests extends ESTestCase {
+
+    public void testRequestValidation() throws Exception {
+        CreateTokenRequest request = new CreateTokenRequest();
+        ActionRequestValidationException ve = request.validate();
+        assertNotNull(ve);
+        assertEquals(3, ve.validationErrors().size());
+
+        request.setGrantType("password");
+        ve = request.validate();
+        assertNotNull(ve);
+        assertEquals(2, ve.validationErrors().size());
+        assertThat(ve.validationErrors(), hasItem("username is missing"));
+        assertThat(ve.validationErrors(), hasItem("password is missing"));
+
+        request.setUsername(randomBoolean() ? null : "");
+        request.setPassword(randomBoolean() ? null : new SecureString(new char[] {}));
+
+        ve = request.validate();
+        assertNotNull(ve);
+        assertEquals(2, ve.validationErrors().size());
+        assertThat(ve.validationErrors(), hasItem("username is missing"));
+        assertThat(ve.validationErrors(), hasItem("password is missing"));
+
+        request.setUsername(randomAlphaOfLengthBetween(1, 256));
+        ve = request.validate();
+        assertNotNull(ve);
+        assertEquals(1, ve.validationErrors().size());
+        assertThat(ve.validationErrors(), hasItem("password is missing"));
+
+        request.setPassword(new SecureString(randomAlphaOfLengthBetween(1, 256).toCharArray()));
+        ve = request.validate();
+        assertNull(ve);
+    }
+}