[perf] changed the default realm cache hasher

Changed form `bcrypt5` to `bcrypt4`. Also added more bcrypt hash algorithms to choose from when configuring it (added `bcrypt4`, `bcrypt6`, `bcrypt8` and `bcrypt9`)

Original commit: elastic/x-pack-elasticsearch@64bc26cafe

src/main/java/org/elasticsearch/shield/authc/support/CachingUsernamePasswordRealm.java

@@ -31,7 +31,7 @@ public abstract class CachingUsernamePasswordRealm extends UsernamePasswordRealm
 
     protected CachingUsernamePasswordRealm(String type, RealmConfig config) {
         super(type, config);
-        hasher = Hasher.resolve(config.settings().get(CACHE_HASH_ALGO_SETTING, null), Hasher.BCRYPT5);
+        hasher = Hasher.resolve(config.settings().get(CACHE_HASH_ALGO_SETTING, null), Hasher.BCRYPT4);
         TimeValue ttl = config.settings().getAsTime(CACHE_TTL_SETTING, DEFAULT_TTL);
         if (ttl.millis() > 0) {
             cache = CacheBuilder.newBuilder()

src/main/java/org/elasticsearch/shield/authc/support/Hasher.java

@@ -78,6 +78,23 @@ public enum Hasher {
         }
     },
 
+    BCRYPT4() {
+        @Override
+        public char[] hash(SecuredString text) {
+            String salt = org.elasticsearch.shield.authc.support.BCrypt.gensalt(4);
+            return BCrypt.hashpw(text, salt).toCharArray();
+        }
+
+        @Override
+        public boolean verify(SecuredString text, char[] hash) {
+            String hashStr = new String(hash);
+            if (!hashStr.startsWith(BCRYPT_PREFIX)) {
+                return false;
+            }
+            return BCrypt.checkpw(text, hashStr);
+        }
+    },
+
     BCRYPT5() {
         @Override
         public char[] hash(SecuredString text) {
@@ -95,6 +112,23 @@ public enum Hasher {
         }
     },
 
+    BCRYPT6() {
+        @Override
+        public char[] hash(SecuredString text) {
+            String salt = org.elasticsearch.shield.authc.support.BCrypt.gensalt(6);
+            return BCrypt.hashpw(text, salt).toCharArray();
+        }
+
+        @Override
+        public boolean verify(SecuredString text, char[] hash) {
+            String hashStr = new String(hash);
+            if (!hashStr.startsWith(BCRYPT_PREFIX)) {
+                return false;
+            }
+            return BCrypt.checkpw(text, hashStr);
+        }
+    },
+
     BCRYPT7() {
         @Override
         public char[] hash(SecuredString text) {
@@ -112,6 +146,40 @@ public enum Hasher {
         }
     },
 
+    BCRYPT8() {
+        @Override
+        public char[] hash(SecuredString text) {
+            String salt = org.elasticsearch.shield.authc.support.BCrypt.gensalt(8);
+            return BCrypt.hashpw(text, salt).toCharArray();
+        }
+
+        @Override
+        public boolean verify(SecuredString text, char[] hash) {
+            String hashStr = new String(hash);
+            if (!hashStr.startsWith(BCRYPT_PREFIX)) {
+                return false;
+            }
+            return BCrypt.checkpw(text, hashStr);
+        }
+    },
+
+    BCRYPT9() {
+        @Override
+        public char[] hash(SecuredString text) {
+            String salt = org.elasticsearch.shield.authc.support.BCrypt.gensalt(9);
+            return BCrypt.hashpw(text, salt).toCharArray();
+        }
+
+        @Override
+        public boolean verify(SecuredString text, char[] hash) {
+            String hashStr = new String(hash);
+            if (!hashStr.startsWith(BCRYPT_PREFIX)) {
+                return false;
+            }
+            return BCrypt.checkpw(text, hashStr);
+        }
+    },
+
     MD5() {
         @Override
         public char[] hash(SecuredString text) {
@@ -195,8 +263,12 @@ public enum Hasher {
         switch (name.toLowerCase(Locale.ROOT)) {
             case "htpasswd"     : return HTPASSWD;
             case "bcrypt"       : return BCRYPT;
+            case "bcrypt4"      : return BCRYPT4;
             case "bcrypt5"      : return BCRYPT5;
+            case "bcrypt6"      : return BCRYPT6;
             case "bcrypt7"      : return BCRYPT7;
+            case "bcrypt8"      : return BCRYPT8;
+            case "bcrypt9"      : return BCRYPT9;
             case "sha1"         : return SHA1;
             case "sha2"         : return SHA2;
             case "md5"          : return MD5;

src/test/java/org/elasticsearch/shield/authc/support/CachingUsernamePasswordRealmTests.java

@@ -23,7 +23,7 @@ public class CachingUsernamePasswordRealmTests extends ElasticsearchTestCase {
     @Test
     public void testSettings() throws Exception {
 
-        String hashAlgo = randomFrom("bcrypt", "bcrypt5", "bcrypt7", "sha1", "sha2", "md5", "clear_text", "noop");
+        String hashAlgo = randomFrom("bcrypt", "bcrypt4", "bcrypt5", "bcrypt6", "bcrypt7", "bcrypt8", "bcrypt9", "sha1", "sha2", "md5", "clear_text", "noop");
         int maxUsers = randomIntBetween(10, 100);
         TimeValue ttl = TimeValue.timeValueMinutes(randomIntBetween(10, 20));
         Settings settings = ImmutableSettings.builder()

src/test/java/org/elasticsearch/shield/authc/support/HasherTests.java

@@ -39,18 +39,14 @@ public class HasherTests extends ElasticsearchTestCase {
     }
 
     @Test
-    public void testBcrypt_SelfGenerated() throws Exception {
+    public void testBcryptFamily_SelfGenerated() throws Exception {
         testHasherSelfGenerated(Hasher.BCRYPT);
-    }
+        testHasherSelfGenerated(Hasher.BCRYPT4);
-
-    @Test
-    public void testBcrypt5_SelfGenerated() throws Exception {
         testHasherSelfGenerated(Hasher.BCRYPT5);
-    }
+        testHasherSelfGenerated(Hasher.BCRYPT6);
-
-    @Test
-    public void testBcrypt7_SelfGenerated() throws Exception {
         testHasherSelfGenerated(Hasher.BCRYPT7);
+        testHasherSelfGenerated(Hasher.BCRYPT8);
+        testHasherSelfGenerated(Hasher.BCRYPT9);
     }
 
     @Test
@@ -68,11 +64,6 @@ public class HasherTests extends ElasticsearchTestCase {
         testHasherSelfGenerated(Hasher.SHA2);
     }
 
-    public void testHasherSelfGenerated(Hasher hasher) throws Exception {
-        SecuredString passwd = SecuredStringTests.build("test123");
-        assertTrue(hasher.verify(passwd, hasher.hash(passwd)));
-    }
-
     @Test
     public void testNoop_SelfGenerated() throws Exception {
         testHasherSelfGenerated(Hasher.NOOP);
@@ -82,8 +73,12 @@ public class HasherTests extends ElasticsearchTestCase {
     public void testResolve() throws Exception {
         assertThat(Hasher.resolve("htpasswd"), sameInstance(Hasher.HTPASSWD));
         assertThat(Hasher.resolve("bcrypt"), sameInstance(Hasher.BCRYPT));
+        assertThat(Hasher.resolve("bcrypt4"), sameInstance(Hasher.BCRYPT4));
         assertThat(Hasher.resolve("bcrypt5"), sameInstance(Hasher.BCRYPT5));
+        assertThat(Hasher.resolve("bcrypt6"), sameInstance(Hasher.BCRYPT6));
         assertThat(Hasher.resolve("bcrypt7"), sameInstance(Hasher.BCRYPT7));
+        assertThat(Hasher.resolve("bcrypt8"), sameInstance(Hasher.BCRYPT8));
+        assertThat(Hasher.resolve("bcrypt9"), sameInstance(Hasher.BCRYPT9));
         assertThat(Hasher.resolve("sha1"), sameInstance(Hasher.SHA1));
         assertThat(Hasher.resolve("sha2"), sameInstance(Hasher.SHA2));
         assertThat(Hasher.resolve("md5"), sameInstance(Hasher.MD5));
@@ -98,4 +93,9 @@ public class HasherTests extends ElasticsearchTestCase {
         Hasher hasher = randomFrom(Hasher.values());
         assertThat(Hasher.resolve("unknown_hasher", hasher), sameInstance(hasher));
     }
+
+    private static void testHasherSelfGenerated(Hasher hasher) throws Exception {
+        SecuredString passwd = SecuredStringTests.build("test123");
+        assertTrue(hasher.verify(passwd, hasher.hash(passwd)));
+    }
 }