opensearch-project · DarshitChanpura · Jul 11, 2024 · Jul 2, 2024 · Jul 2, 2024 · Jul 2, 2024
@@ -30,14 +30,16 @@
 
 import org.opensearch.common.CheckedConsumer;
 import org.opensearch.common.CheckedSupplier;
+import org.opensearch.common.settings.Settings;
 import org.opensearch.common.xcontent.XContentFactory;
 import org.opensearch.core.xcontent.ToXContent;
 import org.opensearch.core.xcontent.ToXContentObject;
 import org.opensearch.security.ConfigurationFiles;
 import org.opensearch.security.dlic.rest.api.Endpoint;
-import org.opensearch.security.hasher.BCryptPasswordHasher;
 import org.opensearch.security.hasher.PasswordHasher;
+import org.opensearch.security.hasher.PasswordHasherFactory;
 import org.opensearch.security.securityconf.impl.CType;
+import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.test.framework.TestSecurityConfig;
 import org.opensearch.test.framework.certificate.CertificateData;
 import org.opensearch.test.framework.cluster.ClusterManager;
@@ -85,7 +87,9 @@ public abstract class AbstractApiIntegrationTest extends RandomizedTest {
 
     public static LocalCluster localCluster;
 
-    public static PasswordHasher passwordHasher = new BCryptPasswordHasher();
+    public static PasswordHasher passwordHasher = PasswordHasherFactory.createPasswordHasher(
+        Settings.builder().put(ConfigConstants.SECURITY_PASSWORD_HASHING_ALGORITHM, ConfigConstants.BCRYPT).build()
+    );
 
     @BeforeClass
     public static void startCluster() throws IOException {

@@ -27,13 +27,15 @@
 import org.junit.Assert;
 import org.junit.Test;
 
+import org.opensearch.common.settings.Settings;
 import org.opensearch.common.xcontent.XContentType;
 import org.opensearch.core.common.Strings;
 import org.opensearch.core.xcontent.ToXContentObject;
 import org.opensearch.security.DefaultObjectMapper;
 import org.opensearch.security.dlic.rest.api.Endpoint;
-import org.opensearch.security.hasher.BCryptPasswordHasher;
 import org.opensearch.security.hasher.PasswordHasher;
+import org.opensearch.security.hasher.PasswordHasherFactory;
+import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.test.framework.TestSecurityConfig;
 import org.opensearch.test.framework.cluster.TestRestClient;
 import org.opensearch.test.framework.cluster.TestRestClient.HttpResponse;
@@ -59,8 +61,9 @@ public class InternalUsersRestApiIntegrationTest extends AbstractConfigEntityApi
 
     private final static String SOME_ROLE = "some-role";
 
-    private final PasswordHasher passwordHasher = new BCryptPasswordHasher();
-
+    private final PasswordHasher passwordHasher = PasswordHasherFactory.createPasswordHasher(
+        Settings.builder().put(ConfigConstants.SECURITY_PASSWORD_HASHING_ALGORITHM, ConfigConstants.BCRYPT).build()
+    );
     static {
         testSecurityConfig.withRestAdminUser(REST_API_ADMIN_INTERNAL_USERS_ONLY, restAdminPermission(Endpoint.INTERNALUSERS))
             .user(new TestSecurityConfig.User(SERVICE_ACCOUNT_USER).attr("service", "true").attr("enabled", "true"))

@@ -0,0 +1,92 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.hash;
+
+import java.util.List;
+import java.util.Map;
+
+import org.apache.http.HttpStatus;
+import org.awaitility.Awaitility;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import org.opensearch.security.support.ConfigConstants;
+import org.opensearch.test.framework.TestSecurityConfig;
+import org.opensearch.test.framework.cluster.ClusterManager;
+import org.opensearch.test.framework.cluster.LocalCluster;
+import org.opensearch.test.framework.cluster.TestRestClient;
+
+import static org.hamcrest.Matchers.equalTo;
+import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL;
+import static org.opensearch.test.framework.TestSecurityConfig.Role.ALL_ACCESS;
+
+public class BCryptCustomConfigHashingTests extends HashingTests {
+
+    private static LocalCluster cluster;
+
+    private static String minor;
+
+    private static int rounds;
+
+    @BeforeClass
+    public static void startCluster() {
+        minor = randomFrom(List.of("A", "B", "Y"));
+        rounds = randomIntBetween(4, 10);
+
+        TestSecurityConfig.User ADMIN_USER = new TestSecurityConfig.User("admin").roles(ALL_ACCESS)
+            .hash(generateBCryptHash("secret", minor, rounds));
+        cluster = new LocalCluster.Builder().clusterManager(ClusterManager.SINGLENODE)
+            .authc(AUTHC_HTTPBASIC_INTERNAL)
+            .users(ADMIN_USER)
+            .anonymousAuth(false)
+            .nodeSettings(
+                Map.of(
+                    ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED,
+                    List.of("user_" + ADMIN_USER.getName() + "__" + ALL_ACCESS.getName()),
+                    ConfigConstants.SECURITY_PASSWORD_HASHING_ALGORITHM,
+                    ConfigConstants.BCRYPT,
+                    ConfigConstants.SECURITY_PASSWORD_HASHING_BCRYPT_MINOR,
+                    minor,
+                    ConfigConstants.SECURITY_PASSWORD_HASHING_BCRYPT_ROUNDS,
+                    rounds
+                )
+            )
+            .build();
+        cluster.before();
+
+        try (TestRestClient client = cluster.getRestClient(ADMIN_USER.getName(), "secret")) {
+            Awaitility.await()
+                .alias("Load default configuration")
+                .until(() -> client.securityHealth().getTextFromJsonBody("/status"), equalTo("UP"));
+        }
+    }
+
+    @Test
+    public void shouldAuthenticateWithCorrectPassword() {
+        String hash = generateBCryptHash(PASSWORD, minor, rounds);
+        createUserWithHashedPassword(cluster, "user_2", hash);
+        testPasswordAuth(cluster, "user_2", PASSWORD, HttpStatus.SC_OK);
+
+        createUserWithPlainTextPassword(cluster, "user_3", PASSWORD);
+        testPasswordAuth(cluster, "user_3", PASSWORD, HttpStatus.SC_OK);
+    }
+
+    @Test
+    public void shouldNotAuthenticateWithIncorrectPassword() {
+        String hash = generateBCryptHash(PASSWORD, minor, rounds);
+        createUserWithHashedPassword(cluster, "user_4", hash);
+        testPasswordAuth(cluster, "user_4", "wrong_password", HttpStatus.SC_UNAUTHORIZED);
+
+        createUserWithPlainTextPassword(cluster, "user_5", PASSWORD);
+        testPasswordAuth(cluster, "user_5", "wrong_password", HttpStatus.SC_UNAUTHORIZED);
+    }
+}
@@ -0,0 +1,70 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.hash;
+
+import java.util.List;
+import java.util.Map;
+
+import org.apache.http.HttpStatus;
+import org.junit.ClassRule;
+import org.junit.Test;
+
+import org.opensearch.security.support.ConfigConstants;
+import org.opensearch.test.framework.TestSecurityConfig;
+import org.opensearch.test.framework.cluster.ClusterManager;
+import org.opensearch.test.framework.cluster.LocalCluster;
+
+import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL;
+import static org.opensearch.test.framework.TestSecurityConfig.Role.ALL_ACCESS;
+
+public class BCryptDefaultConfigHashingTests extends HashingTests {
+
+    private static final TestSecurityConfig.User ADMIN_USER = new TestSecurityConfig.User("admin").roles(ALL_ACCESS);
+
+    @ClassRule
+    public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.SINGLENODE)
+        .authc(AUTHC_HTTPBASIC_INTERNAL)
+        .users(ADMIN_USER)
+        .anonymousAuth(false)
+        .nodeSettings(
+            Map.of(ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED, List.of("user_" + ADMIN_USER.getName() + "__" + ALL_ACCESS.getName()))
+        )
+        .build();
+
+    @Test
+    public void shouldAuthenticateWithCorrectPassword() {
+        String hash = generateBCryptHash(
+            PASSWORD,
+            ConfigConstants.SECURITY_PASSWORD_HASHING_BCRYPT_MINOR_DEFAULT,
+            ConfigConstants.SECURITY_PASSWORD_HASHING_BCRYPT_ROUNDS_DEFAULT
+        );
+        createUserWithHashedPassword(cluster, "user_2", hash);
+        testPasswordAuth(cluster, "user_2", PASSWORD, HttpStatus.SC_OK);
+
+        createUserWithPlainTextPassword(cluster, "user_3", PASSWORD);
+        testPasswordAuth(cluster, "user_3", PASSWORD, HttpStatus.SC_OK);
+    }
+
+    @Test
+    public void shouldNotAuthenticateWithIncorrectPassword() {
+        String hash = generateBCryptHash(
+            PASSWORD,
+            ConfigConstants.SECURITY_PASSWORD_HASHING_BCRYPT_MINOR_DEFAULT,
+            ConfigConstants.SECURITY_PASSWORD_HASHING_BCRYPT_ROUNDS_DEFAULT
+        );
+        createUserWithHashedPassword(cluster, "user_4", hash);
+        testPasswordAuth(cluster, "user_4", "wrong_password", HttpStatus.SC_UNAUTHORIZED);
+
+        createUserWithPlainTextPassword(cluster, "user_5", PASSWORD);
+        testPasswordAuth(cluster, "user_5", "wrong_password", HttpStatus.SC_UNAUTHORIZED);
+    }
+}
@@ -0,0 +1,81 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.hash;
+
+import java.nio.CharBuffer;
+
+import com.carrotsearch.randomizedtesting.RandomizedTest;
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import org.apache.http.HttpStatus;
+import org.junit.runner.RunWith;
+
+import org.opensearch.test.framework.TestSecurityConfig;
+import org.opensearch.test.framework.cluster.LocalCluster;
+import org.opensearch.test.framework.cluster.TestRestClient;
+
+import com.password4j.BcryptFunction;
+import com.password4j.CompressedPBKDF2Function;
+import com.password4j.Password;
+import com.password4j.types.Bcrypt;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.equalTo;
+import static org.opensearch.test.framework.TestSecurityConfig.Role.ALL_ACCESS;
+
+@RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class)
+@ThreadLeakScope(ThreadLeakScope.Scope.NONE)
+public class HashingTests extends RandomizedTest {
+
+    private static final TestSecurityConfig.User ADMIN_USER = new TestSecurityConfig.User("admin").roles(ALL_ACCESS);
+
+    static final String PASSWORD = "top$ecret1234!";
+
+    public void createUserWithPlainTextPassword(LocalCluster cluster, String username, String password) {
+        try (TestRestClient client = cluster.getRestClient(ADMIN_USER)) {
+            TestRestClient.HttpResponse httpResponse = client.putJson(
+                "_plugins/_security/api/internalusers/" + username,
+                String.format("{\"password\": \"%s\",\"opendistro_security_roles\": []}", password)
+            );
+            assertThat(httpResponse.getStatusCode(), equalTo(HttpStatus.SC_CREATED));
+        }
+    }
+
+    public void createUserWithHashedPassword(LocalCluster cluster, String username, String hashedPassword) {
+        try (TestRestClient client = cluster.getRestClient(ADMIN_USER)) {
+            TestRestClient.HttpResponse httpResponse = client.putJson(
+                "_plugins/_security/api/internalusers/" + username,
+                String.format("{\"hash\": \"%s\",\"opendistro_security_roles\": []}", hashedPassword)
+            );
+            assertThat(httpResponse.getStatusCode(), equalTo(HttpStatus.SC_CREATED));
+        }
+    }
+
+    public void testPasswordAuth(LocalCluster cluster, String username, String password, int expectedStatusCode) {
+        try (TestRestClient client = cluster.getRestClient(username, password)) {
+            TestRestClient.HttpResponse response = client.getAuthInfo();
+            response.assertStatusCode(expectedStatusCode);
+        }
+    }
+
+    public static String generateBCryptHash(String password, String minor, int rounds) {
+        return Password.hash(CharBuffer.wrap(password.toCharArray()))
+            .with(BcryptFunction.getInstance(Bcrypt.valueOf(minor), rounds))
+            .getResult();
+    }
+
+    public static String generatePBKDF2Hash(String password, String algorithm, int iterations, int length) {
+        return Password.hash(CharBuffer.wrap(password.toCharArray()))
+            .with(CompressedPBKDF2Function.getInstance(algorithm, iterations, length))
+            .getResult();
+    }
+
+}