[Backport 2.x] Add support for PBKDF2 for password hashing & add supp…

…ort for configuring BCrypt and PBKDF2 (opensearch-project#4551) Signed-off-by: Dan Cecoi <[email protected]> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Dan Cecoi <[email protected]>
nibix · Jul 11, 2024 · 6f4b59d · 6f4b59d
1 parent ed67676
commit 6f4b59d
Show file tree

Hide file tree

Showing 31 changed files with 1,715 additions and 169 deletions.
diff --git a/src/integrationTest/java/org/opensearch/security/api/AbstractApiIntegrationTest.java b/src/integrationTest/java/org/opensearch/security/api/AbstractApiIntegrationTest.java
@@ -30,14 +30,16 @@
 
 import org.opensearch.common.CheckedConsumer;
 import org.opensearch.common.CheckedSupplier;
+import org.opensearch.common.settings.Settings;
 import org.opensearch.common.xcontent.XContentFactory;
 import org.opensearch.core.xcontent.ToXContent;
 import org.opensearch.core.xcontent.ToXContentObject;
 import org.opensearch.security.ConfigurationFiles;
 import org.opensearch.security.dlic.rest.api.Endpoint;
-import org.opensearch.security.hasher.BCryptPasswordHasher;
 import org.opensearch.security.hasher.PasswordHasher;
+import org.opensearch.security.hasher.PasswordHasherFactory;
 import org.opensearch.security.securityconf.impl.CType;
+import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.test.framework.TestSecurityConfig;
 import org.opensearch.test.framework.certificate.CertificateData;
 import org.opensearch.test.framework.cluster.ClusterManager;
@@ -78,6 +80,10 @@ public abstract class AbstractApiIntegrationTest extends RandomizedTest {
 
     public static final ToXContentObject EMPTY_BODY = (builder, params) -> builder.startObject().endObject();
 
+    public static final PasswordHasher passwordHasher = PasswordHasherFactory.createPasswordHasher(
+        Settings.builder().put(ConfigConstants.SECURITY_PASSWORD_HASHING_ALGORITHM, ConfigConstants.BCRYPT).build()
+    );
+
     public static Path configurationFolder;
 
     public static ImmutableMap.Builder<String, Object> clusterSettings = ImmutableMap.builder();
@@ -86,8 +92,6 @@ public abstract class AbstractApiIntegrationTest extends RandomizedTest {
 
     public static LocalCluster localCluster;
 
-    public static PasswordHasher passwordHasher = new BCryptPasswordHasher();
-
     @BeforeClass
     public static void startCluster() throws IOException {
         configurationFolder = ConfigurationFiles.createConfigurationDirectory();

diff --git a/...integrationTest/java/org/opensearch/security/api/InternalUsersRestApiIntegrationTest.java b/...integrationTest/java/org/opensearch/security/api/InternalUsersRestApiIntegrationTest.java
@@ -32,8 +32,6 @@
 import org.opensearch.core.xcontent.ToXContentObject;
 import org.opensearch.security.DefaultObjectMapper;
 import org.opensearch.security.dlic.rest.api.Endpoint;
-import org.opensearch.security.hasher.BCryptPasswordHasher;
-import org.opensearch.security.hasher.PasswordHasher;
 import org.opensearch.test.framework.TestSecurityConfig;
 import org.opensearch.test.framework.cluster.TestRestClient;
 import org.opensearch.test.framework.cluster.TestRestClient.HttpResponse;
@@ -59,8 +57,6 @@ public class InternalUsersRestApiIntegrationTest extends AbstractConfigEntityApi
 
     private final static String SOME_ROLE = "some-role";
 
-    private final PasswordHasher passwordHasher = new BCryptPasswordHasher();
-
     static {
         testSecurityConfig.withRestAdminUser(REST_API_ADMIN_INTERNAL_USERS_ONLY, restAdminPermission(Endpoint.INTERNALUSERS))
             .user(new TestSecurityConfig.User(SERVICE_ACCOUNT_USER).attr("service", "true").attr("enabled", "true"))

diff --git a/src/integrationTest/java/org/opensearch/security/hash/BCryptCustomConfigHashingTests.java b/src/integrationTest/java/org/opensearch/security/hash/BCryptCustomConfigHashingTests.java
@@ -0,0 +1,92 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.hash;
+
+import java.util.List;
+import java.util.Map;
+
+import org.apache.http.HttpStatus;
+import org.awaitility.Awaitility;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import org.opensearch.security.support.ConfigConstants;
+import org.opensearch.test.framework.TestSecurityConfig;
+import org.opensearch.test.framework.cluster.ClusterManager;
+import org.opensearch.test.framework.cluster.LocalCluster;
+import org.opensearch.test.framework.cluster.TestRestClient;
+
+import static org.hamcrest.Matchers.equalTo;
+import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL;
+import static org.opensearch.test.framework.TestSecurityConfig.Role.ALL_ACCESS;
+
+public class BCryptCustomConfigHashingTests extends HashingTests {
+
+    private static LocalCluster cluster;
+
+    private static String minor;
+
+    private static int rounds;
+
+    @BeforeClass
+    public static void startCluster() {
+        minor = randomFrom(List.of("A", "B", "Y"));
+        rounds = randomIntBetween(4, 10);
+
+        TestSecurityConfig.User ADMIN_USER = new TestSecurityConfig.User("admin").roles(ALL_ACCESS)
+            .hash(generateBCryptHash("secret", minor, rounds));
+        cluster = new LocalCluster.Builder().clusterManager(ClusterManager.SINGLENODE)
+            .authc(AUTHC_HTTPBASIC_INTERNAL)
+            .users(ADMIN_USER)
+            .anonymousAuth(false)
+            .nodeSettings(
+                Map.of(
+                    ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED,
+                    List.of("user_" + ADMIN_USER.getName() + "__" + ALL_ACCESS.getName()),
+                    ConfigConstants.SECURITY_PASSWORD_HASHING_ALGORITHM,
+                    ConfigConstants.BCRYPT,
+                    ConfigConstants.SECURITY_PASSWORD_HASHING_BCRYPT_MINOR,
+                    minor,
+                    ConfigConstants.SECURITY_PASSWORD_HASHING_BCRYPT_ROUNDS,
+                    rounds
+                )
+            )
+            .build();
+        cluster.before();
+
+        try (TestRestClient client = cluster.getRestClient(ADMIN_USER.getName(), "secret")) {
+            Awaitility.await()
+                .alias("Load default configuration")
+                .until(() -> client.securityHealth().getTextFromJsonBody("/status"), equalTo("UP"));
+        }
+    }
+
+    @Test
+    public void shouldAuthenticateWithCorrectPassword() {
+        String hash = generateBCryptHash(PASSWORD, minor, rounds);
+        createUserWithHashedPassword(cluster, "user_2", hash);
+        testPasswordAuth(cluster, "user_2", PASSWORD, HttpStatus.SC_OK);
+
+        createUserWithPlainTextPassword(cluster, "user_3", PASSWORD);
+        testPasswordAuth(cluster, "user_3", PASSWORD, HttpStatus.SC_OK);
+    }
+
+    @Test
+    public void shouldNotAuthenticateWithIncorrectPassword() {
+        String hash = generateBCryptHash(PASSWORD, minor, rounds);
+        createUserWithHashedPassword(cluster, "user_4", hash);
+        testPasswordAuth(cluster, "user_4", "wrong_password", HttpStatus.SC_UNAUTHORIZED);
+
+        createUserWithPlainTextPassword(cluster, "user_5", PASSWORD);
+        testPasswordAuth(cluster, "user_5", "wrong_password", HttpStatus.SC_UNAUTHORIZED);
+    }
+}
diff --git a/src/integrationTest/java/org/opensearch/security/hash/BCryptDefaultConfigHashingTests.java b/src/integrationTest/java/org/opensearch/security/hash/BCryptDefaultConfigHashingTests.java
@@ -0,0 +1,70 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.hash;
+
+import java.util.List;
+import java.util.Map;
+
+import org.apache.http.HttpStatus;
+import org.junit.ClassRule;
+import org.junit.Test;
+
+import org.opensearch.security.support.ConfigConstants;
+import org.opensearch.test.framework.TestSecurityConfig;
+import org.opensearch.test.framework.cluster.ClusterManager;
+import org.opensearch.test.framework.cluster.LocalCluster;
+
+import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL;
+import static org.opensearch.test.framework.TestSecurityConfig.Role.ALL_ACCESS;
+
+public class BCryptDefaultConfigHashingTests extends HashingTests {
+
+    private static final TestSecurityConfig.User ADMIN_USER = new TestSecurityConfig.User("admin").roles(ALL_ACCESS);
+
+    @ClassRule
+    public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.SINGLENODE)
+        .authc(AUTHC_HTTPBASIC_INTERNAL)
+        .users(ADMIN_USER)
+        .anonymousAuth(false)
+        .nodeSettings(
+            Map.of(ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED, List.of("user_" + ADMIN_USER.getName() + "__" + ALL_ACCESS.getName()))
+        )
+        .build();
+
+    @Test
+    public void shouldAuthenticateWithCorrectPassword() {
+        String hash = generateBCryptHash(
+            PASSWORD,
+            ConfigConstants.SECURITY_PASSWORD_HASHING_BCRYPT_MINOR_DEFAULT,
+            ConfigConstants.SECURITY_PASSWORD_HASHING_BCRYPT_ROUNDS_DEFAULT
+        );
+        createUserWithHashedPassword(cluster, "user_2", hash);
+        testPasswordAuth(cluster, "user_2", PASSWORD, HttpStatus.SC_OK);
+
+        createUserWithPlainTextPassword(cluster, "user_3", PASSWORD);
+        testPasswordAuth(cluster, "user_3", PASSWORD, HttpStatus.SC_OK);
+    }
+
+    @Test
+    public void shouldNotAuthenticateWithIncorrectPassword() {
+        String hash = generateBCryptHash(
+            PASSWORD,
+            ConfigConstants.SECURITY_PASSWORD_HASHING_BCRYPT_MINOR_DEFAULT,
+            ConfigConstants.SECURITY_PASSWORD_HASHING_BCRYPT_ROUNDS_DEFAULT
+        );
+        createUserWithHashedPassword(cluster, "user_4", hash);
+        testPasswordAuth(cluster, "user_4", "wrong_password", HttpStatus.SC_UNAUTHORIZED);
+
+        createUserWithPlainTextPassword(cluster, "user_5", PASSWORD);
+        testPasswordAuth(cluster, "user_5", "wrong_password", HttpStatus.SC_UNAUTHORIZED);
+    }
+}
diff --git a/src/integrationTest/java/org/opensearch/security/hash/HashingTests.java b/src/integrationTest/java/org/opensearch/security/hash/HashingTests.java
@@ -0,0 +1,81 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.hash;
+
+import java.nio.CharBuffer;
+
+import com.carrotsearch.randomizedtesting.RandomizedTest;
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import org.apache.http.HttpStatus;
+import org.junit.runner.RunWith;
+
+import org.opensearch.test.framework.TestSecurityConfig;
+import org.opensearch.test.framework.cluster.LocalCluster;
+import org.opensearch.test.framework.cluster.TestRestClient;
+
+import com.password4j.BcryptFunction;
+import com.password4j.CompressedPBKDF2Function;
+import com.password4j.Password;
+import com.password4j.types.Bcrypt;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.equalTo;
+import static org.opensearch.test.framework.TestSecurityConfig.Role.ALL_ACCESS;
+
+@RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class)
+@ThreadLeakScope(ThreadLeakScope.Scope.NONE)
+public class HashingTests extends RandomizedTest {
+
+    private static final TestSecurityConfig.User ADMIN_USER = new TestSecurityConfig.User("admin").roles(ALL_ACCESS);
+
+    static final String PASSWORD = "top$ecret1234!";
+
+    public void createUserWithPlainTextPassword(LocalCluster cluster, String username, String password) {
+        try (TestRestClient client = cluster.getRestClient(ADMIN_USER)) {
+            TestRestClient.HttpResponse httpResponse = client.putJson(
+                "_plugins/_security/api/internalusers/" + username,
+                String.format("{\"password\": \"%s\",\"opendistro_security_roles\": []}", password)
+            );
+            assertThat(httpResponse.getStatusCode(), equalTo(HttpStatus.SC_CREATED));
+        }
+    }
+
+    public void createUserWithHashedPassword(LocalCluster cluster, String username, String hashedPassword) {
+        try (TestRestClient client = cluster.getRestClient(ADMIN_USER)) {
+            TestRestClient.HttpResponse httpResponse = client.putJson(
+                "_plugins/_security/api/internalusers/" + username,
+                String.format("{\"hash\": \"%s\",\"opendistro_security_roles\": []}", hashedPassword)
+            );
+            assertThat(httpResponse.getStatusCode(), equalTo(HttpStatus.SC_CREATED));
+        }
+    }
+
+    public void testPasswordAuth(LocalCluster cluster, String username, String password, int expectedStatusCode) {
+        try (TestRestClient client = cluster.getRestClient(username, password)) {
+            TestRestClient.HttpResponse response = client.getAuthInfo();
+            response.assertStatusCode(expectedStatusCode);
+        }
+    }
+
+    public static String generateBCryptHash(String password, String minor, int rounds) {
+        return Password.hash(CharBuffer.wrap(password.toCharArray()))
+            .with(BcryptFunction.getInstance(Bcrypt.valueOf(minor), rounds))
+            .getResult();
+    }
+
+    public static String generatePBKDF2Hash(String password, String algorithm, int iterations, int length) {
+        return Password.hash(CharBuffer.wrap(password.toCharArray()))
+            .with(CompressedPBKDF2Function.getInstance(algorithm, iterations, length))
+            .getResult();
+    }
+
+}
diff --git a/src/integrationTest/java/org/opensearch/security/hash/PBKDF2CustomConfigHashingTests.java b/src/integrationTest/java/org/opensearch/security/hash/PBKDF2CustomConfigHashingTests.java
@@ -0,0 +1,97 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.hash;
+
+import java.util.List;
+import java.util.Map;
+
+import org.apache.http.HttpStatus;
+import org.awaitility.Awaitility;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import org.opensearch.security.support.ConfigConstants;
+import org.opensearch.test.framework.TestSecurityConfig;
+import org.opensearch.test.framework.cluster.ClusterManager;
+import org.opensearch.test.framework.cluster.LocalCluster;
+import org.opensearch.test.framework.cluster.TestRestClient;
+
+import static org.hamcrest.Matchers.equalTo;
+import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL;
+import static org.opensearch.test.framework.TestSecurityConfig.Role.ALL_ACCESS;
+
+public class PBKDF2CustomConfigHashingTests extends HashingTests {
+
+    public static LocalCluster cluster;
+
+    private static final String PASSWORD = "top$ecret1234!";
+
+    private static String function;
+    private static int iterations, length;
+
+    @BeforeClass
+    public static void startCluster() {
+
+        function = randomFrom(List.of("SHA224", "SHA256", "SHA384", "SHA512"));
+        iterations = randomFrom(List.of(32000, 64000, 128000, 256000));
+        length = randomFrom(List.of(128, 256, 512));
+
+        TestSecurityConfig.User ADMIN_USER = new TestSecurityConfig.User("admin").roles(ALL_ACCESS)
+            .hash(generatePBKDF2Hash("secret", function, iterations, length));
+        cluster = new LocalCluster.Builder().clusterManager(ClusterManager.SINGLENODE)
+            .authc(AUTHC_HTTPBASIC_INTERNAL)
+            .users(ADMIN_USER)
+            .anonymousAuth(false)
+            .nodeSettings(
+                Map.of(
+                    ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED,
+                    List.of("user_" + ADMIN_USER.getName() + "__" + ALL_ACCESS.getName()),
+                    ConfigConstants.SECURITY_PASSWORD_HASHING_ALGORITHM,
+                    ConfigConstants.PBKDF2,
+                    ConfigConstants.SECURITY_PASSWORD_HASHING_PBKDF2_FUNCTION,
+                    function,
+                    ConfigConstants.SECURITY_PASSWORD_HASHING_PBKDF2_ITERATIONS,
+                    iterations,
+                    ConfigConstants.SECURITY_PASSWORD_HASHING_PBKDF2_LENGTH,
+                    length
+                )
+            )
+            .build();
+        cluster.before();
+
+        try (TestRestClient client = cluster.getRestClient(ADMIN_USER.getName(), "secret")) {
+            Awaitility.await()
+                .alias("Load default configuration")
+                .until(() -> client.securityHealth().getTextFromJsonBody("/status"), equalTo("UP"));
+        }
+    }
+
+    @Test
+    public void shouldAuthenticateWithCorrectPassword() {
+        String hash = generatePBKDF2Hash(PASSWORD, function, iterations, length);
+        createUserWithHashedPassword(cluster, "user_1", hash);
+        testPasswordAuth(cluster, "user_1", PASSWORD, HttpStatus.SC_OK);
+
+        createUserWithPlainTextPassword(cluster, "user_2", PASSWORD);
+        testPasswordAuth(cluster, "user_2", PASSWORD, HttpStatus.SC_OK);
+    }
+
+    @Test
+    public void shouldNotAuthenticateWithIncorrectPassword() {
+        String hash = generatePBKDF2Hash(PASSWORD, function, iterations, length);
+        createUserWithHashedPassword(cluster, "user_3", hash);
+        testPasswordAuth(cluster, "user_3", "wrong_password", HttpStatus.SC_UNAUTHORIZED);
+
+        createUserWithPlainTextPassword(cluster, "user_4", PASSWORD);
+        testPasswordAuth(cluster, "user_4", "wrong_password", HttpStatus.SC_UNAUTHORIZED);
+    }
+}