shield: put user should validate password length
This changes the put user request builder to validate password length when a password is provided. The validation is the same as what we use in the file based realm. Closes elastic/elasticsearch#1800 Original commit: elastic/x-pack-elasticsearch@fde1d6c685
This commit is contained in:
parent
4a8c944f24
commit
929e179150
elasticsearch/x-pack/shield/src
main/java/org/elasticsearch/shield/action/user
test/java/org/elasticsearch/shield/authc/esnative
|
@ -11,12 +11,14 @@ import org.elasticsearch.client.ElasticsearchClient;
|
||||||
import org.elasticsearch.common.Nullable;
|
import org.elasticsearch.common.Nullable;
|
||||||
import org.elasticsearch.common.ParseFieldMatcher;
|
import org.elasticsearch.common.ParseFieldMatcher;
|
||||||
import org.elasticsearch.common.Strings;
|
import org.elasticsearch.common.Strings;
|
||||||
|
import org.elasticsearch.common.ValidationException;
|
||||||
import org.elasticsearch.common.bytes.BytesReference;
|
import org.elasticsearch.common.bytes.BytesReference;
|
||||||
import org.elasticsearch.common.xcontent.XContentHelper;
|
import org.elasticsearch.common.xcontent.XContentHelper;
|
||||||
import org.elasticsearch.common.xcontent.XContentParser;
|
import org.elasticsearch.common.xcontent.XContentParser;
|
||||||
import org.elasticsearch.shield.User;
|
import org.elasticsearch.shield.User;
|
||||||
import org.elasticsearch.shield.authc.support.Hasher;
|
import org.elasticsearch.shield.authc.support.Hasher;
|
||||||
import org.elasticsearch.shield.authc.support.SecuredString;
|
import org.elasticsearch.shield.authc.support.SecuredString;
|
||||||
|
import org.elasticsearch.shield.support.Validation;
|
||||||
import org.elasticsearch.xpack.common.xcontent.XContentUtils;
|
import org.elasticsearch.xpack.common.xcontent.XContentUtils;
|
||||||
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
|
@ -46,7 +48,17 @@ public class PutUserRequestBuilder extends ActionRequestBuilder<PutUserRequest,
|
||||||
}
|
}
|
||||||
|
|
||||||
public PutUserRequestBuilder password(@Nullable char[] password) {
|
public PutUserRequestBuilder password(@Nullable char[] password) {
|
||||||
request.passwordHash(password == null ? null : hasher.hash(new SecuredString(password)));
|
if (password != null) {
|
||||||
|
Validation.Error error = Validation.ESUsers.validatePassword(password);
|
||||||
|
if (error != null) {
|
||||||
|
ValidationException validationException = new ValidationException();
|
||||||
|
validationException.addValidationError(error.toString());
|
||||||
|
throw validationException;
|
||||||
|
}
|
||||||
|
request.passwordHash(hasher.hash(new SecuredString(password)));
|
||||||
|
} else {
|
||||||
|
request.passwordHash(null);
|
||||||
|
}
|
||||||
return this;
|
return this;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -10,6 +10,7 @@ import org.elasticsearch.ElasticsearchSecurityException;
|
||||||
import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse;
|
import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse;
|
||||||
import org.elasticsearch.action.search.SearchResponse;
|
import org.elasticsearch.action.search.SearchResponse;
|
||||||
import org.elasticsearch.common.Strings;
|
import org.elasticsearch.common.Strings;
|
||||||
|
import org.elasticsearch.common.ValidationException;
|
||||||
import org.elasticsearch.common.bytes.BytesArray;
|
import org.elasticsearch.common.bytes.BytesArray;
|
||||||
import org.elasticsearch.rest.RestStatus;
|
import org.elasticsearch.rest.RestStatus;
|
||||||
import org.elasticsearch.shield.ShieldTemplateService;
|
import org.elasticsearch.shield.ShieldTemplateService;
|
||||||
|
@ -386,4 +387,14 @@ public class ESNativeTests extends NativeRealmIntegTestCase {
|
||||||
.admin().cluster().prepareHealth().get();
|
.admin().cluster().prepareHealth().get();
|
||||||
assertFalse(response.isTimedOut());
|
assertFalse(response.isTimedOut());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public void testCannotCreateUserWithShortPassword() throws Exception {
|
||||||
|
SecurityClient client = securityClient();
|
||||||
|
try {
|
||||||
|
client.preparePutUser("joe", randomAsciiOfLengthBetween(0, 5).toCharArray(), "admin_role").get();
|
||||||
|
fail("cannot create a user without a password < 6 characters");
|
||||||
|
} catch (ValidationException v) {
|
||||||
|
assertThat(v.getMessage().contains("password"), is(true));
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue