Skip to content

Commit

Permalink
Add support for PBKDF2 for password hashing & add support for configu…
Browse files Browse the repository at this point in the history
…ring BCrypt and PBKDF2 (opensearch-project#4524)

Signed-off-by: Dan Cecoi <[email protected]>
Co-authored-by: Dan Cecoi <[email protected]>
  • Loading branch information
dancristiancecoi and Dan Cecoi authored Jul 11, 2024
1 parent be92bb6 commit 8d29b11
Show file tree
Hide file tree
Showing 31 changed files with 1,715 additions and 169 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -30,14 +30,16 @@

import org.opensearch.common.CheckedConsumer;
import org.opensearch.common.CheckedSupplier;
import org.opensearch.common.settings.Settings;
import org.opensearch.common.xcontent.XContentFactory;
import org.opensearch.core.xcontent.ToXContent;
import org.opensearch.core.xcontent.ToXContentObject;
import org.opensearch.security.ConfigurationFiles;
import org.opensearch.security.dlic.rest.api.Endpoint;
import org.opensearch.security.hasher.BCryptPasswordHasher;
import org.opensearch.security.hasher.PasswordHasher;
import org.opensearch.security.hasher.PasswordHasherFactory;
import org.opensearch.security.securityconf.impl.CType;
import org.opensearch.security.support.ConfigConstants;
import org.opensearch.test.framework.TestSecurityConfig;
import org.opensearch.test.framework.certificate.CertificateData;
import org.opensearch.test.framework.cluster.ClusterManager;
Expand Down Expand Up @@ -78,6 +80,10 @@ public abstract class AbstractApiIntegrationTest extends RandomizedTest {

public static final ToXContentObject EMPTY_BODY = (builder, params) -> builder.startObject().endObject();

public static final PasswordHasher passwordHasher = PasswordHasherFactory.createPasswordHasher(
Settings.builder().put(ConfigConstants.SECURITY_PASSWORD_HASHING_ALGORITHM, ConfigConstants.BCRYPT).build()
);

public static Path configurationFolder;

public static ImmutableMap.Builder<String, Object> clusterSettings = ImmutableMap.builder();
Expand All @@ -86,8 +92,6 @@ public abstract class AbstractApiIntegrationTest extends RandomizedTest {

public static LocalCluster localCluster;

public static PasswordHasher passwordHasher = new BCryptPasswordHasher();

@BeforeClass
public static void startCluster() throws IOException {
configurationFolder = ConfigurationFiles.createConfigurationDirectory();
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -32,8 +32,6 @@
import org.opensearch.core.xcontent.ToXContentObject;
import org.opensearch.security.DefaultObjectMapper;
import org.opensearch.security.dlic.rest.api.Endpoint;
import org.opensearch.security.hasher.BCryptPasswordHasher;
import org.opensearch.security.hasher.PasswordHasher;
import org.opensearch.test.framework.TestSecurityConfig;
import org.opensearch.test.framework.cluster.TestRestClient;
import org.opensearch.test.framework.cluster.TestRestClient.HttpResponse;
Expand All @@ -59,8 +57,6 @@ public class InternalUsersRestApiIntegrationTest extends AbstractConfigEntityApi

private final static String SOME_ROLE = "some-role";

private final PasswordHasher passwordHasher = new BCryptPasswordHasher();

static {
testSecurityConfig.withRestAdminUser(REST_API_ADMIN_INTERNAL_USERS_ONLY, restAdminPermission(Endpoint.INTERNALUSERS))
.user(new TestSecurityConfig.User(SERVICE_ACCOUNT_USER).attr("service", "true").attr("enabled", "true"))
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,92 @@
/*
* SPDX-License-Identifier: Apache-2.0
*
* The OpenSearch Contributors require contributions made to
* this file be licensed under the Apache-2.0 license or a
* compatible open source license.
*
* Modifications Copyright OpenSearch Contributors. See
* GitHub history for details.
*/

package org.opensearch.security.hash;

import java.util.List;
import java.util.Map;

import org.apache.http.HttpStatus;
import org.awaitility.Awaitility;
import org.junit.BeforeClass;
import org.junit.Test;

import org.opensearch.security.support.ConfigConstants;
import org.opensearch.test.framework.TestSecurityConfig;
import org.opensearch.test.framework.cluster.ClusterManager;
import org.opensearch.test.framework.cluster.LocalCluster;
import org.opensearch.test.framework.cluster.TestRestClient;

import static org.hamcrest.Matchers.equalTo;
import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL;
import static org.opensearch.test.framework.TestSecurityConfig.Role.ALL_ACCESS;

public class BCryptCustomConfigHashingTests extends HashingTests {

private static LocalCluster cluster;

private static String minor;

private static int rounds;

@BeforeClass
public static void startCluster() {
minor = randomFrom(List.of("A", "B", "Y"));
rounds = randomIntBetween(4, 10);

TestSecurityConfig.User ADMIN_USER = new TestSecurityConfig.User("admin").roles(ALL_ACCESS)
.hash(generateBCryptHash("secret", minor, rounds));
cluster = new LocalCluster.Builder().clusterManager(ClusterManager.SINGLENODE)
.authc(AUTHC_HTTPBASIC_INTERNAL)
.users(ADMIN_USER)
.anonymousAuth(false)
.nodeSettings(
Map.of(
ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED,
List.of("user_" + ADMIN_USER.getName() + "__" + ALL_ACCESS.getName()),
ConfigConstants.SECURITY_PASSWORD_HASHING_ALGORITHM,
ConfigConstants.BCRYPT,
ConfigConstants.SECURITY_PASSWORD_HASHING_BCRYPT_MINOR,
minor,
ConfigConstants.SECURITY_PASSWORD_HASHING_BCRYPT_ROUNDS,
rounds
)
)
.build();
cluster.before();

try (TestRestClient client = cluster.getRestClient(ADMIN_USER.getName(), "secret")) {
Awaitility.await()
.alias("Load default configuration")
.until(() -> client.securityHealth().getTextFromJsonBody("/status"), equalTo("UP"));
}
}

@Test
public void shouldAuthenticateWithCorrectPassword() {
String hash = generateBCryptHash(PASSWORD, minor, rounds);
createUserWithHashedPassword(cluster, "user_2", hash);
testPasswordAuth(cluster, "user_2", PASSWORD, HttpStatus.SC_OK);

createUserWithPlainTextPassword(cluster, "user_3", PASSWORD);
testPasswordAuth(cluster, "user_3", PASSWORD, HttpStatus.SC_OK);
}

@Test
public void shouldNotAuthenticateWithIncorrectPassword() {
String hash = generateBCryptHash(PASSWORD, minor, rounds);
createUserWithHashedPassword(cluster, "user_4", hash);
testPasswordAuth(cluster, "user_4", "wrong_password", HttpStatus.SC_UNAUTHORIZED);

createUserWithPlainTextPassword(cluster, "user_5", PASSWORD);
testPasswordAuth(cluster, "user_5", "wrong_password", HttpStatus.SC_UNAUTHORIZED);
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,70 @@
/*
* SPDX-License-Identifier: Apache-2.0
*
* The OpenSearch Contributors require contributions made to
* this file be licensed under the Apache-2.0 license or a
* compatible open source license.
*
* Modifications Copyright OpenSearch Contributors. See
* GitHub history for details.
*/

package org.opensearch.security.hash;

import java.util.List;
import java.util.Map;

import org.apache.http.HttpStatus;
import org.junit.ClassRule;
import org.junit.Test;

import org.opensearch.security.support.ConfigConstants;
import org.opensearch.test.framework.TestSecurityConfig;
import org.opensearch.test.framework.cluster.ClusterManager;
import org.opensearch.test.framework.cluster.LocalCluster;

import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL;
import static org.opensearch.test.framework.TestSecurityConfig.Role.ALL_ACCESS;

public class BCryptDefaultConfigHashingTests extends HashingTests {

private static final TestSecurityConfig.User ADMIN_USER = new TestSecurityConfig.User("admin").roles(ALL_ACCESS);

@ClassRule
public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.SINGLENODE)
.authc(AUTHC_HTTPBASIC_INTERNAL)
.users(ADMIN_USER)
.anonymousAuth(false)
.nodeSettings(
Map.of(ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED, List.of("user_" + ADMIN_USER.getName() + "__" + ALL_ACCESS.getName()))
)
.build();

@Test
public void shouldAuthenticateWithCorrectPassword() {
String hash = generateBCryptHash(
PASSWORD,
ConfigConstants.SECURITY_PASSWORD_HASHING_BCRYPT_MINOR_DEFAULT,
ConfigConstants.SECURITY_PASSWORD_HASHING_BCRYPT_ROUNDS_DEFAULT
);
createUserWithHashedPassword(cluster, "user_2", hash);
testPasswordAuth(cluster, "user_2", PASSWORD, HttpStatus.SC_OK);

createUserWithPlainTextPassword(cluster, "user_3", PASSWORD);
testPasswordAuth(cluster, "user_3", PASSWORD, HttpStatus.SC_OK);
}

@Test
public void shouldNotAuthenticateWithIncorrectPassword() {
String hash = generateBCryptHash(
PASSWORD,
ConfigConstants.SECURITY_PASSWORD_HASHING_BCRYPT_MINOR_DEFAULT,
ConfigConstants.SECURITY_PASSWORD_HASHING_BCRYPT_ROUNDS_DEFAULT
);
createUserWithHashedPassword(cluster, "user_4", hash);
testPasswordAuth(cluster, "user_4", "wrong_password", HttpStatus.SC_UNAUTHORIZED);

createUserWithPlainTextPassword(cluster, "user_5", PASSWORD);
testPasswordAuth(cluster, "user_5", "wrong_password", HttpStatus.SC_UNAUTHORIZED);
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,81 @@
/*
* SPDX-License-Identifier: Apache-2.0
*
* The OpenSearch Contributors require contributions made to
* this file be licensed under the Apache-2.0 license or a
* compatible open source license.
*
* Modifications Copyright OpenSearch Contributors. See
* GitHub history for details.
*/

package org.opensearch.security.hash;

import java.nio.CharBuffer;

import com.carrotsearch.randomizedtesting.RandomizedTest;
import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
import org.apache.http.HttpStatus;
import org.junit.runner.RunWith;

import org.opensearch.test.framework.TestSecurityConfig;
import org.opensearch.test.framework.cluster.LocalCluster;
import org.opensearch.test.framework.cluster.TestRestClient;

import com.password4j.BcryptFunction;
import com.password4j.CompressedPBKDF2Function;
import com.password4j.Password;
import com.password4j.types.Bcrypt;

import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.equalTo;
import static org.opensearch.test.framework.TestSecurityConfig.Role.ALL_ACCESS;

@RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class)
@ThreadLeakScope(ThreadLeakScope.Scope.NONE)
public class HashingTests extends RandomizedTest {

private static final TestSecurityConfig.User ADMIN_USER = new TestSecurityConfig.User("admin").roles(ALL_ACCESS);

static final String PASSWORD = "top$ecret1234!";

public void createUserWithPlainTextPassword(LocalCluster cluster, String username, String password) {
try (TestRestClient client = cluster.getRestClient(ADMIN_USER)) {
TestRestClient.HttpResponse httpResponse = client.putJson(
"_plugins/_security/api/internalusers/" + username,
String.format("{\"password\": \"%s\",\"opendistro_security_roles\": []}", password)
);
assertThat(httpResponse.getStatusCode(), equalTo(HttpStatus.SC_CREATED));
}
}

public void createUserWithHashedPassword(LocalCluster cluster, String username, String hashedPassword) {
try (TestRestClient client = cluster.getRestClient(ADMIN_USER)) {
TestRestClient.HttpResponse httpResponse = client.putJson(
"_plugins/_security/api/internalusers/" + username,
String.format("{\"hash\": \"%s\",\"opendistro_security_roles\": []}", hashedPassword)
);
assertThat(httpResponse.getStatusCode(), equalTo(HttpStatus.SC_CREATED));
}
}

public void testPasswordAuth(LocalCluster cluster, String username, String password, int expectedStatusCode) {
try (TestRestClient client = cluster.getRestClient(username, password)) {
TestRestClient.HttpResponse response = client.getAuthInfo();
response.assertStatusCode(expectedStatusCode);
}
}

public static String generateBCryptHash(String password, String minor, int rounds) {
return Password.hash(CharBuffer.wrap(password.toCharArray()))
.with(BcryptFunction.getInstance(Bcrypt.valueOf(minor), rounds))
.getResult();
}

public static String generatePBKDF2Hash(String password, String algorithm, int iterations, int length) {
return Password.hash(CharBuffer.wrap(password.toCharArray()))
.with(CompressedPBKDF2Function.getInstance(algorithm, iterations, length))
.getResult();
}

}
Original file line number Diff line number Diff line change
@@ -0,0 +1,97 @@
/*
* SPDX-License-Identifier: Apache-2.0
*
* The OpenSearch Contributors require contributions made to
* this file be licensed under the Apache-2.0 license or a
* compatible open source license.
*
* Modifications Copyright OpenSearch Contributors. See
* GitHub history for details.
*/

package org.opensearch.security.hash;

import java.util.List;
import java.util.Map;

import org.apache.http.HttpStatus;
import org.awaitility.Awaitility;
import org.junit.BeforeClass;
import org.junit.Test;

import org.opensearch.security.support.ConfigConstants;
import org.opensearch.test.framework.TestSecurityConfig;
import org.opensearch.test.framework.cluster.ClusterManager;
import org.opensearch.test.framework.cluster.LocalCluster;
import org.opensearch.test.framework.cluster.TestRestClient;

import static org.hamcrest.Matchers.equalTo;
import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL;
import static org.opensearch.test.framework.TestSecurityConfig.Role.ALL_ACCESS;

public class PBKDF2CustomConfigHashingTests extends HashingTests {

public static LocalCluster cluster;

private static final String PASSWORD = "top$ecret1234!";

private static String function;
private static int iterations, length;

@BeforeClass
public static void startCluster() {

function = randomFrom(List.of("SHA224", "SHA256", "SHA384", "SHA512"));
iterations = randomFrom(List.of(32000, 64000, 128000, 256000));
length = randomFrom(List.of(128, 256, 512));

TestSecurityConfig.User ADMIN_USER = new TestSecurityConfig.User("admin").roles(ALL_ACCESS)
.hash(generatePBKDF2Hash("secret", function, iterations, length));
cluster = new LocalCluster.Builder().clusterManager(ClusterManager.SINGLENODE)
.authc(AUTHC_HTTPBASIC_INTERNAL)
.users(ADMIN_USER)
.anonymousAuth(false)
.nodeSettings(
Map.of(
ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED,
List.of("user_" + ADMIN_USER.getName() + "__" + ALL_ACCESS.getName()),
ConfigConstants.SECURITY_PASSWORD_HASHING_ALGORITHM,
ConfigConstants.PBKDF2,
ConfigConstants.SECURITY_PASSWORD_HASHING_PBKDF2_FUNCTION,
function,
ConfigConstants.SECURITY_PASSWORD_HASHING_PBKDF2_ITERATIONS,
iterations,
ConfigConstants.SECURITY_PASSWORD_HASHING_PBKDF2_LENGTH,
length
)
)
.build();
cluster.before();

try (TestRestClient client = cluster.getRestClient(ADMIN_USER.getName(), "secret")) {
Awaitility.await()
.alias("Load default configuration")
.until(() -> client.securityHealth().getTextFromJsonBody("/status"), equalTo("UP"));
}
}

@Test
public void shouldAuthenticateWithCorrectPassword() {
String hash = generatePBKDF2Hash(PASSWORD, function, iterations, length);
createUserWithHashedPassword(cluster, "user_1", hash);
testPasswordAuth(cluster, "user_1", PASSWORD, HttpStatus.SC_OK);

createUserWithPlainTextPassword(cluster, "user_2", PASSWORD);
testPasswordAuth(cluster, "user_2", PASSWORD, HttpStatus.SC_OK);
}

@Test
public void shouldNotAuthenticateWithIncorrectPassword() {
String hash = generatePBKDF2Hash(PASSWORD, function, iterations, length);
createUserWithHashedPassword(cluster, "user_3", hash);
testPasswordAuth(cluster, "user_3", "wrong_password", HttpStatus.SC_UNAUTHORIZED);

createUserWithPlainTextPassword(cluster, "user_4", PASSWORD);
testPasswordAuth(cluster, "user_4", "wrong_password", HttpStatus.SC_UNAUTHORIZED);
}
}
Loading

0 comments on commit 8d29b11

Please sign in to comment.