honeymoose/OpenSearch
1
0
Fork 0
mirror of https://github.com/honeymoose/OpenSearch.git synced 2025-02-24 13:55:57 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix TransportChangePasswordActionTests

Browse Source 
testIncorrectPasswordHashingAlgorithm is based on the assumption
that the algorithm selected for the change password request is
different than the one selected for the NativeUsersStore.
pbkdf2_10000 is the same as pbkdf2 since 10000 is the default cost
factor for pbkdf2 and thus should not be used as an option for the
passwordHashingSettings.

Also make sure that the same algorithm is used for settings and
change password requests in other tests for consistency, even if
we expect to not reach the code where the algorithm is checked for
now.

Resolves #31696
Reverts 1c4f480794f2465c78e8e29645956f16971eeead
This commit is contained in:
Ioannis Kakavas 2018-07-02 10:38:40 +03:00
parent 2971dd56ca
commit a7eaa409e8
1 changed files with 13 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportChangePasswordActionTests.java
View File

@ -47,18 +47,21 @@ import static org.mockito.Mockito.verifyZeroInteractions;
public class TransportChangePasswordActionTests extends ESTestCase {
public void testAnonymousUser() {
final String hashingAlgorithm = randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9");
Settings settings = Settings.builder().put(AnonymousUser.ROLES_SETTING.getKey(), "superuser").build();
AnonymousUser anonymousUser = new AnonymousUser(settings);
NativeUsersStore usersStore = mock(NativeUsersStore.class);
TransportService transportService = new TransportService(Settings.EMPTY, null, null, TransportService.NOOP_TRANSPORT_INTERCEPTOR,
Settings passwordHashingSettings = Settings.builder().
put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), hashingAlgorithm).build();
TransportService transportService = new TransportService(passwordHashingSettings, null, null, TransportService.NOOP_TRANSPORT_INTERCEPTOR,
x -> null, null, Collections.emptySet());
TransportChangePasswordAction action = new TransportChangePasswordAction(settings, transportService,
mock(ActionFilters.class), usersStore);
ChangePasswordRequest request = new ChangePasswordRequest();
// Request will fail before the request hashing algorithm is checked, but we use the same algorithm as in settings for consistency
request.username(anonymousUser.principal());
request.passwordHash(Hasher.resolve(
randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9")).hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING));
request.passwordHash(Hasher.resolve(hashingAlgorithm).hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING));
final AtomicReference<Throwable> throwableRef = new AtomicReference<>();
final AtomicReference<ChangePasswordResponse> responseRef = new AtomicReference<>();
@ -81,16 +84,19 @@ public class TransportChangePasswordActionTests extends ESTestCase {
}
public void testInternalUsers() {
final String hashingAlgorithm = randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9");
NativeUsersStore usersStore = mock(NativeUsersStore.class);
TransportService transportService = new TransportService(Settings.EMPTY, null, null, TransportService.NOOP_TRANSPORT_INTERCEPTOR,
Settings passwordHashingSettings = Settings.builder().
put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), hashingAlgorithm).build();
TransportService transportService = new TransportService(passwordHashingSettings, null, null, TransportService.NOOP_TRANSPORT_INTERCEPTOR,
x -> null, null, Collections.emptySet());
TransportChangePasswordAction action = new TransportChangePasswordAction(Settings.EMPTY, transportService,
mock(ActionFilters.class), usersStore);
ChangePasswordRequest request = new ChangePasswordRequest();
request.username(randomFrom(SystemUser.INSTANCE.principal(), XPackUser.INSTANCE.principal()));
request.passwordHash(Hasher.resolve(
randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9")).hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING));
// Request will fail before the request hashing algorithm is checked, but we use the same algorithm as in settings for consistency
request.passwordHash(Hasher.resolve(hashingAlgorithm).hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING));
final AtomicReference<Throwable> throwableRef = new AtomicReference<>();
final AtomicReference<ChangePasswordResponse> responseRef = new AtomicReference<>();
@ -153,7 +159,6 @@ public class TransportChangePasswordActionTests extends ESTestCase {
verify(usersStore, times(1)).changePassword(eq(request), any(ActionListener.class));
}
@AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/31696")
public void testIncorrectPasswordHashingAlgorithm() {
final User user = randomFrom(new ElasticUser(true), new KibanaUser(true), new User("joe"));
final Hasher hasher = Hasher.resolve(randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt9", "bcrypt5"));
@ -166,7 +171,7 @@ public class TransportChangePasswordActionTests extends ESTestCase {
TransportService transportService = new TransportService(Settings.EMPTY, null, null, TransportService.NOOP_TRANSPORT_INTERCEPTOR,
x -> null, null, Collections.emptySet());
Settings passwordHashingSettings = Settings.builder().put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(),
randomFrom("pbkdf2_50000", "pbkdf2_10000", "bcrypt11", "bcrypt8", "bcrypt")).build();
randomFrom("pbkdf2_50000", "pbkdf2_100000", "bcrypt11", "bcrypt8", "bcrypt")).build();
TransportChangePasswordAction action = new TransportChangePasswordAction(passwordHashingSettings, transportService,
mock(ActionFilters.class), usersStore);
action.doExecute(mock(Task.class), request, new ActionListener<ChangePasswordResponse>() {