forked from opensearch-project/security
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add support for PBKDF2 for password hashing & add support for configu…
…ring BCrypt and PBKDF2 (opensearch-project#4524) Signed-off-by: Dan Cecoi <[email protected]> Co-authored-by: Dan Cecoi <[email protected]>
- Loading branch information
1 parent
be92bb6
commit 8d29b11
Showing
31 changed files
with
1,715 additions
and
169 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
92 changes: 92 additions & 0 deletions
92
src/integrationTest/java/org/opensearch/security/hash/BCryptCustomConfigHashingTests.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,92 @@ | ||
/* | ||
* SPDX-License-Identifier: Apache-2.0 | ||
* | ||
* The OpenSearch Contributors require contributions made to | ||
* this file be licensed under the Apache-2.0 license or a | ||
* compatible open source license. | ||
* | ||
* Modifications Copyright OpenSearch Contributors. See | ||
* GitHub history for details. | ||
*/ | ||
|
||
package org.opensearch.security.hash; | ||
|
||
import java.util.List; | ||
import java.util.Map; | ||
|
||
import org.apache.http.HttpStatus; | ||
import org.awaitility.Awaitility; | ||
import org.junit.BeforeClass; | ||
import org.junit.Test; | ||
|
||
import org.opensearch.security.support.ConfigConstants; | ||
import org.opensearch.test.framework.TestSecurityConfig; | ||
import org.opensearch.test.framework.cluster.ClusterManager; | ||
import org.opensearch.test.framework.cluster.LocalCluster; | ||
import org.opensearch.test.framework.cluster.TestRestClient; | ||
|
||
import static org.hamcrest.Matchers.equalTo; | ||
import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL; | ||
import static org.opensearch.test.framework.TestSecurityConfig.Role.ALL_ACCESS; | ||
|
||
public class BCryptCustomConfigHashingTests extends HashingTests { | ||
|
||
private static LocalCluster cluster; | ||
|
||
private static String minor; | ||
|
||
private static int rounds; | ||
|
||
@BeforeClass | ||
public static void startCluster() { | ||
minor = randomFrom(List.of("A", "B", "Y")); | ||
rounds = randomIntBetween(4, 10); | ||
|
||
TestSecurityConfig.User ADMIN_USER = new TestSecurityConfig.User("admin").roles(ALL_ACCESS) | ||
.hash(generateBCryptHash("secret", minor, rounds)); | ||
cluster = new LocalCluster.Builder().clusterManager(ClusterManager.SINGLENODE) | ||
.authc(AUTHC_HTTPBASIC_INTERNAL) | ||
.users(ADMIN_USER) | ||
.anonymousAuth(false) | ||
.nodeSettings( | ||
Map.of( | ||
ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED, | ||
List.of("user_" + ADMIN_USER.getName() + "__" + ALL_ACCESS.getName()), | ||
ConfigConstants.SECURITY_PASSWORD_HASHING_ALGORITHM, | ||
ConfigConstants.BCRYPT, | ||
ConfigConstants.SECURITY_PASSWORD_HASHING_BCRYPT_MINOR, | ||
minor, | ||
ConfigConstants.SECURITY_PASSWORD_HASHING_BCRYPT_ROUNDS, | ||
rounds | ||
) | ||
) | ||
.build(); | ||
cluster.before(); | ||
|
||
try (TestRestClient client = cluster.getRestClient(ADMIN_USER.getName(), "secret")) { | ||
Awaitility.await() | ||
.alias("Load default configuration") | ||
.until(() -> client.securityHealth().getTextFromJsonBody("/status"), equalTo("UP")); | ||
} | ||
} | ||
|
||
@Test | ||
public void shouldAuthenticateWithCorrectPassword() { | ||
String hash = generateBCryptHash(PASSWORD, minor, rounds); | ||
createUserWithHashedPassword(cluster, "user_2", hash); | ||
testPasswordAuth(cluster, "user_2", PASSWORD, HttpStatus.SC_OK); | ||
|
||
createUserWithPlainTextPassword(cluster, "user_3", PASSWORD); | ||
testPasswordAuth(cluster, "user_3", PASSWORD, HttpStatus.SC_OK); | ||
} | ||
|
||
@Test | ||
public void shouldNotAuthenticateWithIncorrectPassword() { | ||
String hash = generateBCryptHash(PASSWORD, minor, rounds); | ||
createUserWithHashedPassword(cluster, "user_4", hash); | ||
testPasswordAuth(cluster, "user_4", "wrong_password", HttpStatus.SC_UNAUTHORIZED); | ||
|
||
createUserWithPlainTextPassword(cluster, "user_5", PASSWORD); | ||
testPasswordAuth(cluster, "user_5", "wrong_password", HttpStatus.SC_UNAUTHORIZED); | ||
} | ||
} |
70 changes: 70 additions & 0 deletions
70
src/integrationTest/java/org/opensearch/security/hash/BCryptDefaultConfigHashingTests.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,70 @@ | ||
/* | ||
* SPDX-License-Identifier: Apache-2.0 | ||
* | ||
* The OpenSearch Contributors require contributions made to | ||
* this file be licensed under the Apache-2.0 license or a | ||
* compatible open source license. | ||
* | ||
* Modifications Copyright OpenSearch Contributors. See | ||
* GitHub history for details. | ||
*/ | ||
|
||
package org.opensearch.security.hash; | ||
|
||
import java.util.List; | ||
import java.util.Map; | ||
|
||
import org.apache.http.HttpStatus; | ||
import org.junit.ClassRule; | ||
import org.junit.Test; | ||
|
||
import org.opensearch.security.support.ConfigConstants; | ||
import org.opensearch.test.framework.TestSecurityConfig; | ||
import org.opensearch.test.framework.cluster.ClusterManager; | ||
import org.opensearch.test.framework.cluster.LocalCluster; | ||
|
||
import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL; | ||
import static org.opensearch.test.framework.TestSecurityConfig.Role.ALL_ACCESS; | ||
|
||
public class BCryptDefaultConfigHashingTests extends HashingTests { | ||
|
||
private static final TestSecurityConfig.User ADMIN_USER = new TestSecurityConfig.User("admin").roles(ALL_ACCESS); | ||
|
||
@ClassRule | ||
public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.SINGLENODE) | ||
.authc(AUTHC_HTTPBASIC_INTERNAL) | ||
.users(ADMIN_USER) | ||
.anonymousAuth(false) | ||
.nodeSettings( | ||
Map.of(ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED, List.of("user_" + ADMIN_USER.getName() + "__" + ALL_ACCESS.getName())) | ||
) | ||
.build(); | ||
|
||
@Test | ||
public void shouldAuthenticateWithCorrectPassword() { | ||
String hash = generateBCryptHash( | ||
PASSWORD, | ||
ConfigConstants.SECURITY_PASSWORD_HASHING_BCRYPT_MINOR_DEFAULT, | ||
ConfigConstants.SECURITY_PASSWORD_HASHING_BCRYPT_ROUNDS_DEFAULT | ||
); | ||
createUserWithHashedPassword(cluster, "user_2", hash); | ||
testPasswordAuth(cluster, "user_2", PASSWORD, HttpStatus.SC_OK); | ||
|
||
createUserWithPlainTextPassword(cluster, "user_3", PASSWORD); | ||
testPasswordAuth(cluster, "user_3", PASSWORD, HttpStatus.SC_OK); | ||
} | ||
|
||
@Test | ||
public void shouldNotAuthenticateWithIncorrectPassword() { | ||
String hash = generateBCryptHash( | ||
PASSWORD, | ||
ConfigConstants.SECURITY_PASSWORD_HASHING_BCRYPT_MINOR_DEFAULT, | ||
ConfigConstants.SECURITY_PASSWORD_HASHING_BCRYPT_ROUNDS_DEFAULT | ||
); | ||
createUserWithHashedPassword(cluster, "user_4", hash); | ||
testPasswordAuth(cluster, "user_4", "wrong_password", HttpStatus.SC_UNAUTHORIZED); | ||
|
||
createUserWithPlainTextPassword(cluster, "user_5", PASSWORD); | ||
testPasswordAuth(cluster, "user_5", "wrong_password", HttpStatus.SC_UNAUTHORIZED); | ||
} | ||
} |
81 changes: 81 additions & 0 deletions
81
src/integrationTest/java/org/opensearch/security/hash/HashingTests.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,81 @@ | ||
/* | ||
* SPDX-License-Identifier: Apache-2.0 | ||
* | ||
* The OpenSearch Contributors require contributions made to | ||
* this file be licensed under the Apache-2.0 license or a | ||
* compatible open source license. | ||
* | ||
* Modifications Copyright OpenSearch Contributors. See | ||
* GitHub history for details. | ||
*/ | ||
|
||
package org.opensearch.security.hash; | ||
|
||
import java.nio.CharBuffer; | ||
|
||
import com.carrotsearch.randomizedtesting.RandomizedTest; | ||
import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope; | ||
import org.apache.http.HttpStatus; | ||
import org.junit.runner.RunWith; | ||
|
||
import org.opensearch.test.framework.TestSecurityConfig; | ||
import org.opensearch.test.framework.cluster.LocalCluster; | ||
import org.opensearch.test.framework.cluster.TestRestClient; | ||
|
||
import com.password4j.BcryptFunction; | ||
import com.password4j.CompressedPBKDF2Function; | ||
import com.password4j.Password; | ||
import com.password4j.types.Bcrypt; | ||
|
||
import static org.hamcrest.MatcherAssert.assertThat; | ||
import static org.hamcrest.Matchers.equalTo; | ||
import static org.opensearch.test.framework.TestSecurityConfig.Role.ALL_ACCESS; | ||
|
||
@RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class) | ||
@ThreadLeakScope(ThreadLeakScope.Scope.NONE) | ||
public class HashingTests extends RandomizedTest { | ||
|
||
private static final TestSecurityConfig.User ADMIN_USER = new TestSecurityConfig.User("admin").roles(ALL_ACCESS); | ||
|
||
static final String PASSWORD = "top$ecret1234!"; | ||
|
||
public void createUserWithPlainTextPassword(LocalCluster cluster, String username, String password) { | ||
try (TestRestClient client = cluster.getRestClient(ADMIN_USER)) { | ||
TestRestClient.HttpResponse httpResponse = client.putJson( | ||
"_plugins/_security/api/internalusers/" + username, | ||
String.format("{\"password\": \"%s\",\"opendistro_security_roles\": []}", password) | ||
); | ||
assertThat(httpResponse.getStatusCode(), equalTo(HttpStatus.SC_CREATED)); | ||
} | ||
} | ||
|
||
public void createUserWithHashedPassword(LocalCluster cluster, String username, String hashedPassword) { | ||
try (TestRestClient client = cluster.getRestClient(ADMIN_USER)) { | ||
TestRestClient.HttpResponse httpResponse = client.putJson( | ||
"_plugins/_security/api/internalusers/" + username, | ||
String.format("{\"hash\": \"%s\",\"opendistro_security_roles\": []}", hashedPassword) | ||
); | ||
assertThat(httpResponse.getStatusCode(), equalTo(HttpStatus.SC_CREATED)); | ||
} | ||
} | ||
|
||
public void testPasswordAuth(LocalCluster cluster, String username, String password, int expectedStatusCode) { | ||
try (TestRestClient client = cluster.getRestClient(username, password)) { | ||
TestRestClient.HttpResponse response = client.getAuthInfo(); | ||
response.assertStatusCode(expectedStatusCode); | ||
} | ||
} | ||
|
||
public static String generateBCryptHash(String password, String minor, int rounds) { | ||
return Password.hash(CharBuffer.wrap(password.toCharArray())) | ||
.with(BcryptFunction.getInstance(Bcrypt.valueOf(minor), rounds)) | ||
.getResult(); | ||
} | ||
|
||
public static String generatePBKDF2Hash(String password, String algorithm, int iterations, int length) { | ||
return Password.hash(CharBuffer.wrap(password.toCharArray())) | ||
.with(CompressedPBKDF2Function.getInstance(algorithm, iterations, length)) | ||
.getResult(); | ||
} | ||
|
||
} |
97 changes: 97 additions & 0 deletions
97
src/integrationTest/java/org/opensearch/security/hash/PBKDF2CustomConfigHashingTests.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,97 @@ | ||
/* | ||
* SPDX-License-Identifier: Apache-2.0 | ||
* | ||
* The OpenSearch Contributors require contributions made to | ||
* this file be licensed under the Apache-2.0 license or a | ||
* compatible open source license. | ||
* | ||
* Modifications Copyright OpenSearch Contributors. See | ||
* GitHub history for details. | ||
*/ | ||
|
||
package org.opensearch.security.hash; | ||
|
||
import java.util.List; | ||
import java.util.Map; | ||
|
||
import org.apache.http.HttpStatus; | ||
import org.awaitility.Awaitility; | ||
import org.junit.BeforeClass; | ||
import org.junit.Test; | ||
|
||
import org.opensearch.security.support.ConfigConstants; | ||
import org.opensearch.test.framework.TestSecurityConfig; | ||
import org.opensearch.test.framework.cluster.ClusterManager; | ||
import org.opensearch.test.framework.cluster.LocalCluster; | ||
import org.opensearch.test.framework.cluster.TestRestClient; | ||
|
||
import static org.hamcrest.Matchers.equalTo; | ||
import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL; | ||
import static org.opensearch.test.framework.TestSecurityConfig.Role.ALL_ACCESS; | ||
|
||
public class PBKDF2CustomConfigHashingTests extends HashingTests { | ||
|
||
public static LocalCluster cluster; | ||
|
||
private static final String PASSWORD = "top$ecret1234!"; | ||
|
||
private static String function; | ||
private static int iterations, length; | ||
|
||
@BeforeClass | ||
public static void startCluster() { | ||
|
||
function = randomFrom(List.of("SHA224", "SHA256", "SHA384", "SHA512")); | ||
iterations = randomFrom(List.of(32000, 64000, 128000, 256000)); | ||
length = randomFrom(List.of(128, 256, 512)); | ||
|
||
TestSecurityConfig.User ADMIN_USER = new TestSecurityConfig.User("admin").roles(ALL_ACCESS) | ||
.hash(generatePBKDF2Hash("secret", function, iterations, length)); | ||
cluster = new LocalCluster.Builder().clusterManager(ClusterManager.SINGLENODE) | ||
.authc(AUTHC_HTTPBASIC_INTERNAL) | ||
.users(ADMIN_USER) | ||
.anonymousAuth(false) | ||
.nodeSettings( | ||
Map.of( | ||
ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED, | ||
List.of("user_" + ADMIN_USER.getName() + "__" + ALL_ACCESS.getName()), | ||
ConfigConstants.SECURITY_PASSWORD_HASHING_ALGORITHM, | ||
ConfigConstants.PBKDF2, | ||
ConfigConstants.SECURITY_PASSWORD_HASHING_PBKDF2_FUNCTION, | ||
function, | ||
ConfigConstants.SECURITY_PASSWORD_HASHING_PBKDF2_ITERATIONS, | ||
iterations, | ||
ConfigConstants.SECURITY_PASSWORD_HASHING_PBKDF2_LENGTH, | ||
length | ||
) | ||
) | ||
.build(); | ||
cluster.before(); | ||
|
||
try (TestRestClient client = cluster.getRestClient(ADMIN_USER.getName(), "secret")) { | ||
Awaitility.await() | ||
.alias("Load default configuration") | ||
.until(() -> client.securityHealth().getTextFromJsonBody("/status"), equalTo("UP")); | ||
} | ||
} | ||
|
||
@Test | ||
public void shouldAuthenticateWithCorrectPassword() { | ||
String hash = generatePBKDF2Hash(PASSWORD, function, iterations, length); | ||
createUserWithHashedPassword(cluster, "user_1", hash); | ||
testPasswordAuth(cluster, "user_1", PASSWORD, HttpStatus.SC_OK); | ||
|
||
createUserWithPlainTextPassword(cluster, "user_2", PASSWORD); | ||
testPasswordAuth(cluster, "user_2", PASSWORD, HttpStatus.SC_OK); | ||
} | ||
|
||
@Test | ||
public void shouldNotAuthenticateWithIncorrectPassword() { | ||
String hash = generatePBKDF2Hash(PASSWORD, function, iterations, length); | ||
createUserWithHashedPassword(cluster, "user_3", hash); | ||
testPasswordAuth(cluster, "user_3", "wrong_password", HttpStatus.SC_UNAUTHORIZED); | ||
|
||
createUserWithPlainTextPassword(cluster, "user_4", PASSWORD); | ||
testPasswordAuth(cluster, "user_4", "wrong_password", HttpStatus.SC_UNAUTHORIZED); | ||
} | ||
} |
Oops, something went wrong.