allow periods in esusers usernames and role names

This change allows periods in the usernames and role names in the esusers realm. Closes elastic/elasticsearch#905 Original commit: elastic/x-pack-elasticsearch@64b4f02ee5
2015-06-12 13:57:24 -04:00 · 2015-06-12 13:57:24 -04:00 · 95ad77a778
parent 9a97b046d5
commit 95ad77a778
6 changed files with 55 additions and 5 deletions
--- a/src/main/java/org/elasticsearch/shield/support/Validation.java
+++ b/src/main/java/org/elasticsearch/shield/support/Validation.java
@ -12,7 +12,7 @@ import java.util.regex.Pattern;
 */
 public final class Validation {

-    private static final Pattern COMMON_NAME_PATTERN = Pattern.compile("[a-zA-Z_][a-zA-Z0-9_@\\-\\$]{0,29}");
+    private static final Pattern COMMON_NAME_PATTERN = Pattern.compile("[a-zA-Z_][a-zA-Z0-9_@\\-\\$\\.]{0,29}");

    public static final class ESUsers {

@ -24,7 +24,7 @@ public final class Validation {
                    new Error("A valid username must be at least 1 character and no longer than 30 characters. " +
                            "It must begin with a letter (`a-z` or `A-Z`) or an underscore (`_`). Subsequent " +
                            "characters can be letters, underscores (`_`), digits (`0-9`) or any of the following " +
-                            "symbols `@`, `-` or `$`");
+                            "symbols `@`, `-`, `.` or `$`");
        }

        public static Error validatePassword(char[] password) {
@ -43,7 +43,7 @@ public final class Validation {
                    new Error("A valid role name must be at least 1 character and no longer than 30 characters. " +
                            "It must begin with a letter (`a-z` or `A-Z`) or an underscore (`_`). Subsequent " +
                            "characters can be letters, underscores (`_`), digits (`0-9`) or any of the following " +
-                            "symbols `@`, `-` or `$`");
+                            "symbols `@`, `-`, `.` or `$`");
        }
    }

--- a/src/test/java/org/elasticsearch/shield/authc/esusers/FileUserRolesStoreTests.java
+++ b/src/test/java/org/elasticsearch/shield/authc/esusers/FileUserRolesStoreTests.java
@ -170,7 +170,7 @@ public class FileUserRolesStoreTests extends ElasticsearchTestCase {
        Path path = getDataPath("users_roles");
        Map<String, String[]> usersRoles = FileUserRolesStore.parseFile(path, null);
        assertThat(usersRoles, notNullValue());
-        assertThat(usersRoles.size(), is(3));
+        assertThat(usersRoles.size(), is(4));
        assertThat(usersRoles.get("user1"), notNullValue());
        assertThat(usersRoles.get("user1").length, is(3));
        assertThat(usersRoles.get("user1"), arrayContaining("role1", "role2", "role3"));
@ -180,6 +180,8 @@ public class FileUserRolesStoreTests extends ElasticsearchTestCase {
        assertThat(usersRoles.get("user3"), notNullValue());
        assertThat(usersRoles.get("user3").length, is(1));
        assertThat(usersRoles.get("user3"), arrayContaining("role3"));
+        assertThat(usersRoles.get("period.user").length, is(1));
+        assertThat(usersRoles.get("period.user"), arrayContaining("role4"));
    }

    @Test
--- a/src/test/java/org/elasticsearch/shield/authc/esusers/tool/ESUsersToolTests.java
+++ b/src/test/java/org/elasticsearch/shield/authc/esusers/tool/ESUsersToolTests.java
@ -846,6 +846,41 @@ public class ESUsersToolTests extends CliToolTestCase {
        assertThat(loggingTerminal.getTerminalOutput(), hasItem(allOf(containsString("admin"), containsString("-"))));
    }

+    @Test
+    public void testUseradd_UsernameWithPeriod() throws Exception {
+        Path userFile = createTempFile();
+        Path userRolesFile = createTempFile();
+        Settings settings = Settings.builder()
+                .put("shield.authc.realms.esusers.type", "esusers")
+                .put("shield.authc.realms.esusers.files.users", userFile)
+                .put("shield.authc.realms.esusers.files.users_roles", userRolesFile)
+                .put("path.home", createTempDir())
+                .build();
+
+        ESUsersTool tool = new ESUsersTool();
+        CliTool.Command command = tool.parse("useradd", args("john.doe -p changeme -r r1,r2,r3"));
+        assertThat(command, instanceOf(ESUsersTool.Useradd.class));
+        ESUsersTool.Useradd cmd = (ESUsersTool.Useradd) command;
+
+        CliTool.ExitStatus status = execute(cmd, settings);
+        assertThat(status, is(CliTool.ExitStatus.OK));
+
+        assertFileExists(userFile);
+        List<String> lines = Files.readAllLines(userFile, Charsets.UTF_8);
+        assertThat(lines.size(), is(1));
+        // we can't just hash again and compare the lines, as every time we hash a new salt is generated
+        // instead we'll just verify the generated hash against the correct password.
+        String line = lines.get(0);
+        assertThat(line, startsWith("john.doe:"));
+        String hash = line.substring("john.doe:".length());
+        assertThat(Hasher.BCRYPT.verify(SecuredStringTests.build("changeme"), hash.toCharArray()), is(true));
+
+        assertFileExists(userRolesFile);
+        lines = Files.readAllLines(userRolesFile, Charsets.UTF_8);
+        assertThat(lines, hasSize(3));
+        assertThat(lines, containsInAnyOrder("r1:john.doe", "r2:john.doe", "r3:john.doe"));
+    }
+
    private CliTool.ExitStatus execute(CliTool.Command cmd, Settings settings) throws Exception {
        Environment env = new Environment(settings);
        return cmd.execute(settings, env);
--- a/src/test/java/org/elasticsearch/shield/authz/store/FileRolesStoreTests.java
+++ b/src/test/java/org/elasticsearch/shield/authz/store/FileRolesStoreTests.java
@ -43,7 +43,7 @@ public class FileRolesStoreTests extends ElasticsearchTestCase {
        Path path = getDataPath("roles.yml");
        Map<String, Permission.Global.Role> roles = FileRolesStore.parseFile(path, Collections.<Permission.Global.Role>emptySet(), logger);
        assertThat(roles, notNullValue());
-        assertThat(roles.size(), is(4));
+        assertThat(roles.size(), is(5));

        Permission.Global.Role role = roles.get("role1");
        assertThat(role, notNullValue());
@ -69,6 +69,15 @@ public class FileRolesStoreTests extends ElasticsearchTestCase {
        assertThat(group.privilege(), notNullValue());
        assertThat(group.privilege(), is(Privilege.Index.CRUD));

+        role = roles.get("role1.ab");
+        assertThat(role, notNullValue());
+        assertThat(role.name(), equalTo("role1.ab"));
+        assertThat(role.cluster(), notNullValue());
+        assertThat(role.cluster().privilege(), is(Privilege.Cluster.ALL));
+        assertThat(role.indices(), notNullValue());
+        assertThat(role.indices().groups(), notNullValue());
+        assertThat(role.indices().groups().length, is(0));
+
        role = roles.get("role2");
        assertThat(role, notNullValue());
        assertThat(role.name(), equalTo("role2"));
--- a/src/test/resources/org/elasticsearch/shield/authc/esusers/users_roles
+++ b/src/test/resources/org/elasticsearch/shield/authc/esusers/users_roles
@ -2,5 +2,6 @@ role1:user1
 role2: user1,user2
 # this is a comment line
 role3: user1, user2 , user3
+role4: period.user
 # another comment line
 # and another one
--- a/src/test/resources/org/elasticsearch/shield/authz/store/roles.yml
+++ b/src/test/resources/org/elasticsearch/shield/authz/store/roles.yml
@ -4,6 +4,9 @@ role1:
    'idx1,idx2': READ
    idx3: crud

+role1.ab:
+  cluster: ALL
+
 role2:
  cluster: ALL, MONITOR