shield: put user should validate password length

This changes the put user request builder to validate the password length when
a password is provided. The validation is the same one used in the file-based
realm.

Closes elastic/elasticsearch#1800

Original commit: elastic/x-pack-elasticsearch@fde1d6c685
jaymode 2016-03-24 14:56:11 -04:00
parent 4a8c944f24
commit 929e179150
2 changed files with 24 additions and 1 deletions


@ -11,12 +11,14 @@ import org.elasticsearch.client.ElasticsearchClient;
import org.elasticsearch.common.Nullable; import org.elasticsearch.common.Nullable;
import org.elasticsearch.common.ParseFieldMatcher; import org.elasticsearch.common.ParseFieldMatcher;
import org.elasticsearch.common.Strings; import org.elasticsearch.common.Strings;
import org.elasticsearch.common.ValidationException;
import org.elasticsearch.common.bytes.BytesReference; import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.xcontent.XContentHelper; import org.elasticsearch.common.xcontent.XContentHelper;
import org.elasticsearch.common.xcontent.XContentParser; import org.elasticsearch.common.xcontent.XContentParser;
import org.elasticsearch.shield.User; import org.elasticsearch.shield.User;
import org.elasticsearch.shield.authc.support.Hasher; import org.elasticsearch.shield.authc.support.Hasher;
import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.shield.authc.support.SecuredString;
import org.elasticsearch.shield.support.Validation;
import org.elasticsearch.xpack.common.xcontent.XContentUtils; import org.elasticsearch.xpack.common.xcontent.XContentUtils;
import java.io.IOException; import java.io.IOException;
@ -46,7 +48,17 @@ public class PutUserRequestBuilder extends ActionRequestBuilder<PutUserRequest,
} }
public PutUserRequestBuilder password(@Nullable char[] password) { public PutUserRequestBuilder password(@Nullable char[] password) {
request.passwordHash(password == null ? null : hasher.hash(new SecuredString(password))); if (password != null) {
Validation.Error error = Validation.ESUsers.validatePassword(password);
if (error != null) {
ValidationException validationException = new ValidationException();
validationException.addValidationError(error.toString());
throw validationException;
}
request.passwordHash(hasher.hash(new SecuredString(password)));
} else {
request.passwordHash(null);
}
return this; return this;
} }
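Review bot: The length check in `password(char[])` runs only inside this builder, before hashing, so it covers only callers that go through this method; `request.passwordHash(...)` on the new lines accepts an already-hashed value, and a caller that sets the hash on the request directly would skip the minimum-length policy. Because the request appears to carry only the hash, the receiving side presumably cannot re-check the length, so this limit belongs in the method's documentation. I would add Javadoc to `password` stating that a non-null password is checked with `Validation.ESUsers.validatePassword`, that `@throws ValidationException` applies when the check fails, and that a null password passes a null hash to the request without validation. The class body continues outside the hunk, so whether every other entry point in this builder routes through `password(...)` is not visible here.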


@ -10,6 +10,7 @@ import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse; import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse;
import org.elasticsearch.action.search.SearchResponse; import org.elasticsearch.action.search.SearchResponse;
import org.elasticsearch.common.Strings; import org.elasticsearch.common.Strings;
import org.elasticsearch.common.ValidationException;
import org.elasticsearch.common.bytes.BytesArray; import org.elasticsearch.common.bytes.BytesArray;
import org.elasticsearch.rest.RestStatus; import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.shield.ShieldTemplateService; import org.elasticsearch.shield.ShieldTemplateService;
@ -386,4 +387,14 @@ public class ESNativeTests extends NativeRealmIntegTestCase {
.admin().cluster().prepareHealth().get(); .admin().cluster().prepareHealth().get();
assertFalse(response.isTimedOut()); assertFalse(response.isTimedOut());
} }
public void testCannotCreateUserWithShortPassword() throws Exception {
SecurityClient client = securityClient();
try {
client.preparePutUser("joe", randomAsciiOfLengthBetween(0, 5).toCharArray(), "admin_role").get();
fail("cannot create a user without a password < 6 characters");
} catch (ValidationException v) {
assertThat(v.getMessage().contains("password"), is(true));
}
}
} }
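Review bot: The `fail(...)` message in `testCannotCreateUserWithShortPassword` reads as a double negative ("cannot create a user without a password < 6 characters"), and it is the text someone sees when the length check regresses; `fail("expected a ValidationException for a password shorter than 6 characters");` states the failure directly. The assertion `v.getMessage().contains("password")` is loose as well, since it would pass for any validation error that mentions a password, so matching the length-specific part of the message would pin the behaviour more tightly. The test covers only lengths 0 to 5; a companion case that creates a user with a password at the minimum accepted length would catch an off-by-one at the boundary.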