From 8c78fe711486a3f722879d8f7cf89632daf793e0 Mon Sep 17 00:00:00 2001 From: Tal Levy Date: Fri, 29 Jun 2018 09:30:54 -0700 Subject: [PATCH] Introduce a Hashing Processor (#31087) It is useful to have a processor similar to logstash-filter-fingerprint in Elasticsearch. A processor that leverages a variety of hashing algorithms to create cryptographically-secure one-way hashes of values in documents. This processor introduces a pbkdf2hmac hashing scheme to fields in documents for indexing --- x-pack/plugin/build.gradle | 1 + .../xpack/security/Security.java | 10 +- .../xpack/security/ingest/HashProcessor.java | 200 ++++++++++++++++++ .../ingest/HashProcessorFactoryTests.java | 136 ++++++++++++ .../security/ingest/HashProcessorTests.java | 130 ++++++++++++ .../test/hash_processor/10_basic.yml | 51 +++++ 6 files changed, 527 insertions(+), 1 deletion(-) create mode 100644 x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/ingest/HashProcessor.java create mode 100644 x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/ingest/HashProcessorFactoryTests.java create mode 100644 x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/ingest/HashProcessorTests.java create mode 100644 x-pack/plugin/src/test/resources/rest-api-spec/test/hash_processor/10_basic.yml diff --git a/x-pack/plugin/build.gradle b/x-pack/plugin/build.gradle index 3de63d76204..919663c57cb 100644 --- a/x-pack/plugin/build.gradle +++ b/x-pack/plugin/build.gradle @@ -151,6 +151,7 @@ integTestCluster { setting 'xpack.license.self_generated.type', 'trial' keystoreSetting 'bootstrap.password', 'x-pack-test-password' keystoreSetting 'xpack.security.transport.ssl.keystore.secure_password', 'keypass' + keystoreSetting 'xpack.security.ingest.hash.processor.key', 'hmackey' distribution = 'zip' // this is important since we use the reindex module in ML setupCommand 'setupTestUser', 'bin/elasticsearch-users', 'useradd', 'x_pack_rest_user', '-p', 'x-pack-test-password', '-r', 'superuser' diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java index e1ade053a38..5b4f8cbbdef 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java @@ -173,6 +173,7 @@ import org.elasticsearch.xpack.security.authz.SecuritySearchOperationListener; import org.elasticsearch.xpack.security.authz.accesscontrol.OptOutQueryCache; import org.elasticsearch.xpack.security.authz.store.CompositeRolesStore; import org.elasticsearch.xpack.security.authz.store.NativeRolesStore; +import org.elasticsearch.xpack.security.ingest.HashProcessor; import org.elasticsearch.xpack.security.ingest.SetSecurityUserProcessor; import org.elasticsearch.xpack.security.rest.SecurityRestFilter; import org.elasticsearch.xpack.security.rest.action.RestAuthenticateAction; @@ -573,6 +574,10 @@ public class Security extends Plugin implements ActionPlugin, IngestPlugin, Netw // hide settings settingsList.add(Setting.listSetting(SecurityField.setting("hide_settings"), Collections.emptyList(), Function.identity(), Property.NodeScope, Property.Filtered)); + + // ingest processor settings + settingsList.add(HashProcessor.HMAC_KEY_SETTING); + return settingsList; } @@ -716,7 +721,10 @@ public class Security extends Plugin implements ActionPlugin, IngestPlugin, Netw @Override public Map getProcessors(Processor.Parameters parameters) { - return Collections.singletonMap(SetSecurityUserProcessor.TYPE, new SetSecurityUserProcessor.Factory(parameters.threadContext)); + Map processors = new HashMap<>(); + processors.put(SetSecurityUserProcessor.TYPE, new SetSecurityUserProcessor.Factory(parameters.threadContext)); + processors.put(HashProcessor.TYPE, new HashProcessor.Factory(parameters.env.settings())); + return processors; } diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/ingest/HashProcessor.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/ingest/HashProcessor.java new file mode 100644 index 00000000000..fa49b843847 --- /dev/null +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/ingest/HashProcessor.java @@ -0,0 +1,200 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ +package org.elasticsearch.xpack.security.ingest; + +import org.elasticsearch.ElasticsearchException; +import org.elasticsearch.common.Nullable; +import org.elasticsearch.common.Strings; +import org.elasticsearch.common.collect.Tuple; +import org.elasticsearch.common.settings.SecureSetting; +import org.elasticsearch.common.settings.SecureString; +import org.elasticsearch.common.settings.Setting; +import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.ingest.AbstractProcessor; +import org.elasticsearch.ingest.ConfigurationUtils; +import org.elasticsearch.ingest.IngestDocument; +import org.elasticsearch.ingest.Processor; +import org.elasticsearch.xpack.core.security.SecurityField; + +import javax.crypto.Mac; +import javax.crypto.SecretKeyFactory; +import javax.crypto.spec.PBEKeySpec; +import javax.crypto.spec.SecretKeySpec; +import java.nio.charset.StandardCharsets; +import java.security.InvalidKeyException; +import java.security.NoSuchAlgorithmException; +import java.security.spec.InvalidKeySpecException; +import java.util.Arrays; +import java.util.Base64; +import java.util.HashMap; +import java.util.List; +import java.util.Locale; +import java.util.Map; +import java.util.Objects; +import java.util.stream.Collectors; + +import static org.elasticsearch.ingest.ConfigurationUtils.newConfigurationException; + +/** + * A processor that hashes the contents of a field (or fields) using various hashing algorithms + */ +public final class HashProcessor extends AbstractProcessor { + public static final String TYPE = "hash"; + public static final Setting.AffixSetting HMAC_KEY_SETTING = SecureSetting + .affixKeySetting(SecurityField.setting("ingest." + TYPE) + ".", "key", + (key) -> SecureSetting.secureString(key, null)); + + private final List fields; + private final String targetField; + private final Method method; + private final Mac mac; + private final byte[] salt; + private final boolean ignoreMissing; + + HashProcessor(String tag, List fields, String targetField, byte[] salt, Method method, @Nullable Mac mac, + boolean ignoreMissing) { + super(tag); + this.fields = fields; + this.targetField = targetField; + this.method = method; + this.mac = mac; + this.salt = salt; + this.ignoreMissing = ignoreMissing; + } + + List getFields() { + return fields; + } + + String getTargetField() { + return targetField; + } + + byte[] getSalt() { + return salt; + } + + @Override + public void execute(IngestDocument document) { + Map hashedFieldValues = fields.stream().map(f -> { + String value = document.getFieldValue(f, String.class, ignoreMissing); + if (value == null && ignoreMissing) { + return new Tuple(null, null); + } + try { + return new Tuple<>(f, method.hash(mac, salt, value)); + } catch (Exception e) { + throw new IllegalArgumentException("field[" + f + "] could not be hashed", e); + } + }).filter(tuple -> Objects.nonNull(tuple.v1())).collect(Collectors.toMap(Tuple::v1, Tuple::v2)); + if (fields.size() == 1) { + document.setFieldValue(targetField, hashedFieldValues.values().iterator().next()); + } else { + document.setFieldValue(targetField, hashedFieldValues); + } + } + + @Override + public String getType() { + return TYPE; + } + + public static final class Factory implements Processor.Factory { + + private final Settings settings; + private final Map secureKeys; + + public Factory(Settings settings) { + this.settings = settings; + this.secureKeys = new HashMap<>(); + HMAC_KEY_SETTING.getAllConcreteSettings(settings).forEach(k -> { + secureKeys.put(k.getKey(), k.get(settings)); + }); + } + + private static Mac createMac(Method method, SecureString password, byte[] salt, int iterations) { + try { + SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2With" + method.getAlgorithm()); + PBEKeySpec keySpec = new PBEKeySpec(password.getChars(), salt, iterations, 128); + byte[] pbkdf2 = secretKeyFactory.generateSecret(keySpec).getEncoded(); + Mac mac = Mac.getInstance(method.getAlgorithm()); + mac.init(new SecretKeySpec(pbkdf2, method.getAlgorithm())); + return mac; + } catch (NoSuchAlgorithmException | InvalidKeySpecException | InvalidKeyException e) { + throw new IllegalArgumentException("invalid settings", e); + } + } + + @Override + public HashProcessor create(Map registry, String processorTag, Map config) { + boolean ignoreMissing = ConfigurationUtils.readBooleanProperty(TYPE, processorTag, config, "ignore_missing", false); + List fields = ConfigurationUtils.readList(TYPE, processorTag, config, "fields"); + if (fields.isEmpty()) { + throw ConfigurationUtils.newConfigurationException(TYPE, processorTag, "fields", "must specify at least one field"); + } else if (fields.stream().anyMatch(Strings::isNullOrEmpty)) { + throw ConfigurationUtils.newConfigurationException(TYPE, processorTag, "fields", + "a field-name entry is either empty or null"); + } + String targetField = ConfigurationUtils.readStringProperty(TYPE, processorTag, config, "target_field"); + String keySettingName = ConfigurationUtils.readStringProperty(TYPE, processorTag, config, "key_setting"); + SecureString key = secureKeys.get(keySettingName); + if (key == null) { + throw ConfigurationUtils.newConfigurationException(TYPE, processorTag, "key_setting", + "key [" + keySettingName + "] must match [xpack.security.ingest.hash.*.key]. It is not set"); + } + String saltString = ConfigurationUtils.readStringProperty(TYPE, processorTag, config, "salt"); + byte[] salt = saltString.getBytes(StandardCharsets.UTF_8); + String methodProperty = ConfigurationUtils.readStringProperty(TYPE, processorTag, config, "method", "SHA256"); + Method method = Method.fromString(processorTag, "method", methodProperty); + int iterations = ConfigurationUtils.readIntProperty(TYPE, processorTag, config, "iterations", 5); + Mac mac = createMac(method, key, salt, iterations); + return new HashProcessor(processorTag, fields, targetField, salt, method, mac, ignoreMissing); + } + } + + enum Method { + SHA1("HmacSHA1"), + SHA256("HmacSHA256"), + SHA384("HmacSHA384"), + SHA512("HmacSHA512"); + + private final String algorithm; + + Method(String algorithm) { + this.algorithm = algorithm; + } + + public String getAlgorithm() { + return algorithm; + } + + @Override + public String toString() { + return name().toLowerCase(Locale.ROOT); + } + + public String hash(Mac mac, byte[] salt, String input) { + try { + byte[] encrypted = mac.doFinal(input.getBytes(StandardCharsets.UTF_8)); + byte[] messageWithSalt = new byte[salt.length + encrypted.length]; + System.arraycopy(salt, 0, messageWithSalt, 0, salt.length); + System.arraycopy(encrypted, 0, messageWithSalt, salt.length, encrypted.length); + return Base64.getEncoder().encodeToString(messageWithSalt); + } catch (IllegalStateException e) { + throw new ElasticsearchException("error hashing data", e); + } + } + + public static Method fromString(String processorTag, String propertyName, String type) { + try { + return Method.valueOf(type.toUpperCase(Locale.ROOT)); + } catch(IllegalArgumentException e) { + throw newConfigurationException(TYPE, processorTag, propertyName, "type [" + type + + "] not supported, cannot convert field. Valid hash methods: " + Arrays.toString(Method.values())); + } + } + } +} diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/ingest/HashProcessorFactoryTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/ingest/HashProcessorFactoryTests.java new file mode 100644 index 00000000000..e9dda488e72 --- /dev/null +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/ingest/HashProcessorFactoryTests.java @@ -0,0 +1,136 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ +package org.elasticsearch.xpack.security.ingest; + +import org.elasticsearch.ElasticsearchException; +import org.elasticsearch.common.settings.MockSecureSettings; +import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.test.ESTestCase; + +import java.nio.charset.StandardCharsets; +import java.util.Collections; +import java.util.HashMap; +import java.util.Map; + +import static org.hamcrest.Matchers.equalTo; + +public class HashProcessorFactoryTests extends ESTestCase { + + public void testProcessor() { + MockSecureSettings mockSecureSettings = new MockSecureSettings(); + mockSecureSettings.setString("xpack.security.ingest.hash.processor.key", "my_key"); + Settings settings = Settings.builder().setSecureSettings(mockSecureSettings).build(); + HashProcessor.Factory factory = new HashProcessor.Factory(settings); + Map config = new HashMap<>(); + config.put("fields", Collections.singletonList("_field")); + config.put("target_field", "_target"); + config.put("salt", "_salt"); + config.put("key_setting", "xpack.security.ingest.hash.processor.key"); + for (HashProcessor.Method method : HashProcessor.Method.values()) { + config.put("method", method.toString()); + HashProcessor processor = factory.create(null, "_tag", new HashMap<>(config)); + assertThat(processor.getFields(), equalTo(Collections.singletonList("_field"))); + assertThat(processor.getTargetField(), equalTo("_target")); + assertArrayEquals(processor.getSalt(), "_salt".getBytes(StandardCharsets.UTF_8)); + } + } + + public void testProcessorNoFields() { + MockSecureSettings mockSecureSettings = new MockSecureSettings(); + mockSecureSettings.setString("xpack.security.ingest.hash.processor.key", "my_key"); + Settings settings = Settings.builder().setSecureSettings(mockSecureSettings).build(); + HashProcessor.Factory factory = new HashProcessor.Factory(settings); + Map config = new HashMap<>(); + config.put("target_field", "_target"); + config.put("salt", "_salt"); + config.put("key_setting", "xpack.security.ingest.hash.processor.key"); + config.put("method", HashProcessor.Method.SHA1.toString()); + ElasticsearchException e = expectThrows(ElasticsearchException.class, + () -> factory.create(null, "_tag", config)); + assertThat(e.getMessage(), equalTo("[fields] required property is missing")); + } + + public void testProcessorNoTargetField() { + MockSecureSettings mockSecureSettings = new MockSecureSettings(); + mockSecureSettings.setString("xpack.security.ingest.hash.processor.key", "my_key"); + Settings settings = Settings.builder().setSecureSettings(mockSecureSettings).build(); + HashProcessor.Factory factory = new HashProcessor.Factory(settings); + Map config = new HashMap<>(); + config.put("fields", Collections.singletonList("_field")); + config.put("salt", "_salt"); + config.put("key_setting", "xpack.security.ingest.hash.processor.key"); + config.put("method", HashProcessor.Method.SHA1.toString()); + ElasticsearchException e = expectThrows(ElasticsearchException.class, + () -> factory.create(null, "_tag", config)); + assertThat(e.getMessage(), equalTo("[target_field] required property is missing")); + } + + public void testProcessorFieldsIsEmpty() { + MockSecureSettings mockSecureSettings = new MockSecureSettings(); + mockSecureSettings.setString("xpack.security.ingest.hash.processor.key", "my_key"); + Settings settings = Settings.builder().setSecureSettings(mockSecureSettings).build(); + HashProcessor.Factory factory = new HashProcessor.Factory(settings); + Map config = new HashMap<>(); + config.put("fields", Collections.singletonList(randomBoolean() ? "" : null)); + config.put("salt", "_salt"); + config.put("target_field", "_target"); + config.put("key_setting", "xpack.security.ingest.hash.processor.key"); + config.put("method", HashProcessor.Method.SHA1.toString()); + ElasticsearchException e = expectThrows(ElasticsearchException.class, + () -> factory.create(null, "_tag", config)); + assertThat(e.getMessage(), equalTo("[fields] a field-name entry is either empty or null")); + } + + public void testProcessorMissingSalt() { + MockSecureSettings mockSecureSettings = new MockSecureSettings(); + mockSecureSettings.setString("xpack.security.ingest.hash.processor.key", "my_key"); + Settings settings = Settings.builder().setSecureSettings(mockSecureSettings).build(); + HashProcessor.Factory factory = new HashProcessor.Factory(settings); + Map config = new HashMap<>(); + config.put("fields", Collections.singletonList("_field")); + config.put("target_field", "_target"); + config.put("key_setting", "xpack.security.ingest.hash.processor.key"); + ElasticsearchException e = expectThrows(ElasticsearchException.class, + () -> factory.create(null, "_tag", config)); + assertThat(e.getMessage(), equalTo("[salt] required property is missing")); + } + + public void testProcessorInvalidMethod() { + MockSecureSettings mockSecureSettings = new MockSecureSettings(); + mockSecureSettings.setString("xpack.security.ingest.hash.processor.key", "my_key"); + Settings settings = Settings.builder().setSecureSettings(mockSecureSettings).build(); + HashProcessor.Factory factory = new HashProcessor.Factory(settings); + Map config = new HashMap<>(); + config.put("fields", Collections.singletonList("_field")); + config.put("salt", "_salt"); + config.put("target_field", "_target"); + config.put("key_setting", "xpack.security.ingest.hash.processor.key"); + config.put("method", "invalid"); + ElasticsearchException e = expectThrows(ElasticsearchException.class, + () -> factory.create(null, "_tag", config)); + assertThat(e.getMessage(), equalTo("[method] type [invalid] not supported, cannot convert field. " + + "Valid hash methods: [sha1, sha256, sha384, sha512]")); + } + + public void testProcessorInvalidOrMissingKeySetting() { + Settings settings = Settings.builder().setSecureSettings(new MockSecureSettings()).build(); + HashProcessor.Factory factory = new HashProcessor.Factory(settings); + Map config = new HashMap<>(); + config.put("fields", Collections.singletonList("_field")); + config.put("salt", "_salt"); + config.put("target_field", "_target"); + config.put("key_setting", "invalid"); + config.put("method", HashProcessor.Method.SHA1.toString()); + ElasticsearchException e = expectThrows(ElasticsearchException.class, + () -> factory.create(null, "_tag", new HashMap<>(config))); + assertThat(e.getMessage(), + equalTo("[key_setting] key [invalid] must match [xpack.security.ingest.hash.*.key]. It is not set")); + config.remove("key_setting"); + ElasticsearchException ex = expectThrows(ElasticsearchException.class, + () -> factory.create(null, "_tag", config)); + assertThat(ex.getMessage(), equalTo("[key_setting] required property is missing")); + } +} diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/ingest/HashProcessorTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/ingest/HashProcessorTests.java new file mode 100644 index 00000000000..b3890600592 --- /dev/null +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/ingest/HashProcessorTests.java @@ -0,0 +1,130 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ +package org.elasticsearch.xpack.security.ingest; + +import org.elasticsearch.ingest.IngestDocument; +import org.elasticsearch.test.ESTestCase; +import org.elasticsearch.xpack.security.ingest.HashProcessor.Method; + +import javax.crypto.Mac; +import javax.crypto.SecretKeyFactory; +import javax.crypto.spec.PBEKeySpec; +import javax.crypto.spec.SecretKeySpec; +import java.nio.charset.StandardCharsets; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Base64; +import java.util.Collections; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import static org.hamcrest.Matchers.equalTo; + +public class HashProcessorTests extends ESTestCase { + + @SuppressWarnings("unchecked") + public void testIgnoreMissing() throws Exception { + Method method = randomFrom(Method.values()); + Mac mac = createMac(method); + Map fields = new HashMap<>(); + fields.put("one", "foo"); + HashProcessor processor = new HashProcessor("_tag", Arrays.asList("one", "two"), + "target", "_salt".getBytes(StandardCharsets.UTF_8), Method.SHA1, mac, true); + IngestDocument ingestDocument = new IngestDocument(fields, new HashMap<>()); + processor.execute(ingestDocument); + Map target = ingestDocument.getFieldValue("target", Map.class); + assertThat(target.size(), equalTo(1)); + assertNotNull(target.get("one")); + + HashProcessor failProcessor = new HashProcessor("_tag", Arrays.asList("one", "two"), + "target", "_salt".getBytes(StandardCharsets.UTF_8), Method.SHA1, mac, false); + IllegalArgumentException exception = expectThrows(IllegalArgumentException.class, () -> failProcessor.execute(ingestDocument)); + assertThat(exception.getMessage(), equalTo("field [two] not present as part of path [two]")); + } + + public void testStaticKeyAndSalt() throws Exception { + byte[] salt = "_salt".getBytes(StandardCharsets.UTF_8); + SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1"); + PBEKeySpec keySpec = new PBEKeySpec("hmackey".toCharArray(), salt, 5, 128); + byte[] pbkdf2 = secretKeyFactory.generateSecret(keySpec).getEncoded(); + Mac mac = Mac.getInstance(Method.SHA1.getAlgorithm()); + mac.init(new SecretKeySpec(pbkdf2, Method.SHA1.getAlgorithm())); + Map fields = new HashMap<>(); + fields.put("field", "0123456789"); + HashProcessor processor = new HashProcessor("_tag", Collections.singletonList("field"), + "target", salt, Method.SHA1, mac, false); + IngestDocument ingestDocument = new IngestDocument(fields, new HashMap<>()); + processor.execute(ingestDocument); + assertThat(ingestDocument.getFieldValue("target", String.class), equalTo("X3NhbHQMW0oHJGEEE9obGcGv5tGd7HFyDw==")); + } + + public void testProcessorSingleField() throws Exception { + List fields = Collections.singletonList(randomAlphaOfLength(6)); + Map docFields = new HashMap<>(); + for (String field : fields) { + docFields.put(field, randomAlphaOfLengthBetween(2, 10)); + } + + String targetField = randomAlphaOfLength(6); + Method method = randomFrom(Method.values()); + Mac mac = createMac(method); + byte[] salt = randomByteArrayOfLength(5); + HashProcessor processor = new HashProcessor("_tag", fields, targetField, salt, method, mac, false); + IngestDocument ingestDocument = new IngestDocument(docFields, new HashMap<>()); + processor.execute(ingestDocument); + + String targetFieldValue = ingestDocument.getFieldValue(targetField, String.class); + Object expectedTargetFieldValue = method.hash(mac, salt, ingestDocument.getFieldValue(fields.get(0), String.class)); + assertThat(targetFieldValue, equalTo(expectedTargetFieldValue)); + byte[] bytes = Base64.getDecoder().decode(targetFieldValue); + byte[] actualSaltPrefix = new byte[salt.length]; + System.arraycopy(bytes, 0, actualSaltPrefix, 0, salt.length); + assertArrayEquals(salt, actualSaltPrefix); + } + + @SuppressWarnings("unchecked") + public void testProcessorMultipleFields() throws Exception { + List fields = new ArrayList<>(); + for (int i = 0; i < randomIntBetween(2, 10); i++) { + fields.add(randomAlphaOfLength(5 + i)); + } + Map docFields = new HashMap<>(); + for (String field : fields) { + docFields.put(field, randomAlphaOfLengthBetween(2, 10)); + } + + String targetField = randomAlphaOfLength(6); + Method method = randomFrom(Method.values()); + Mac mac = createMac(method); + byte[] salt = randomByteArrayOfLength(5); + HashProcessor processor = new HashProcessor("_tag", fields, targetField, salt, method, mac, false); + IngestDocument ingestDocument = new IngestDocument(docFields, new HashMap<>()); + processor.execute(ingestDocument); + + Map targetFieldMap = ingestDocument.getFieldValue(targetField, Map.class); + for (Map.Entry entry : targetFieldMap.entrySet()) { + Object expectedTargetFieldValue = method.hash(mac, salt, ingestDocument.getFieldValue(entry.getKey(), String.class)); + assertThat(entry.getValue(), equalTo(expectedTargetFieldValue)); + byte[] bytes = Base64.getDecoder().decode(entry.getValue()); + byte[] actualSaltPrefix = new byte[salt.length]; + System.arraycopy(bytes, 0, actualSaltPrefix, 0, salt.length); + assertArrayEquals(salt, actualSaltPrefix); + } + } + + private Mac createMac(Method method) throws Exception { + char[] password = randomAlphaOfLengthBetween(1, 10).toCharArray(); + byte[] salt = randomAlphaOfLength(5).getBytes(StandardCharsets.UTF_8); + int iterations = randomIntBetween(1, 10); + SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2With" + method.getAlgorithm()); + PBEKeySpec keySpec = new PBEKeySpec(password, salt, iterations, 128); + byte[] pbkdf2 = secretKeyFactory.generateSecret(keySpec).getEncoded(); + Mac mac = Mac.getInstance(method.getAlgorithm()); + mac.init(new SecretKeySpec(pbkdf2, method.getAlgorithm())); + return mac; + } +} diff --git a/x-pack/plugin/src/test/resources/rest-api-spec/test/hash_processor/10_basic.yml b/x-pack/plugin/src/test/resources/rest-api-spec/test/hash_processor/10_basic.yml new file mode 100644 index 00000000000..ee84e02d2f4 --- /dev/null +++ b/x-pack/plugin/src/test/resources/rest-api-spec/test/hash_processor/10_basic.yml @@ -0,0 +1,51 @@ +--- +teardown: + - do: + ingest.delete_pipeline: + id: "my_pipeline" + ignore: 404 + +--- +"Test Hash Processor": + + - do: + cluster.health: + wait_for_status: yellow + - do: + ingest.put_pipeline: + id: "my_pipeline" + body: > + { + "processors": [ + { + "hash" : { + "fields" : ["user_ssid"], + "target_field" : "anonymized", + "salt": "_salt", + "iterations": 5, + "method": "sha1", + "key_setting": "xpack.security.ingest.hash.processor.key" + } + } + ] + } + - match: { acknowledged: true } + + - do: + index: + index: test + type: test + id: 1 + pipeline: "my_pipeline" + body: > + { + "user_ssid": "0123456789" + } + + - do: + get: + index: test + type: test + id: 1 + - match: { _source.anonymized: "X3NhbHQMW0oHJGEEE9obGcGv5tGd7HFyDw==" } +