Skip to content

Commit

Permalink
Fix TransportChangePasswordActionTests
Browse files Browse the repository at this point in the history
testIncorrectPasswordHashingAlgorithm is based on the assumption
that the algorithm selected for the change password request is
different than the one selected for the NativeUsersStore.
pbkdf2_10000 is the same as pbkdf2 since 10000 is the default cost
factor for pbkdf2 and thus should not be used as an option for the
passwordHashingSettings.

Also make sure that the same algorithm is used for settings and
change password requests in other tests for consistency, even if
we expect to not reach the code where the algorithm is checked for
now.

Resolves elastic#31696
Reverts 1c4f480
  • Loading branch information
jkakavas committed Jul 2, 2018
1 parent 2971dd5 commit a7eaa40
Showing 1 changed file with 13 additions and 8 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -47,18 +47,21 @@
public class TransportChangePasswordActionTests extends ESTestCase {

public void testAnonymousUser() {
final String hashingAlgorithm = randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9");
Settings settings = Settings.builder().put(AnonymousUser.ROLES_SETTING.getKey(), "superuser").build();
AnonymousUser anonymousUser = new AnonymousUser(settings);
NativeUsersStore usersStore = mock(NativeUsersStore.class);
TransportService transportService = new TransportService(Settings.EMPTY, null, null, TransportService.NOOP_TRANSPORT_INTERCEPTOR,
Settings passwordHashingSettings = Settings.builder().
put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), hashingAlgorithm).build();
TransportService transportService = new TransportService(passwordHashingSettings, null, null, TransportService.NOOP_TRANSPORT_INTERCEPTOR,
x -> null, null, Collections.emptySet());
TransportChangePasswordAction action = new TransportChangePasswordAction(settings, transportService,
mock(ActionFilters.class), usersStore);

ChangePasswordRequest request = new ChangePasswordRequest();
// Request will fail before the request hashing algorithm is checked, but we use the same algorithm as in settings for consistency
request.username(anonymousUser.principal());
request.passwordHash(Hasher.resolve(
randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9")).hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING));
request.passwordHash(Hasher.resolve(hashingAlgorithm).hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING));

final AtomicReference<Throwable> throwableRef = new AtomicReference<>();
final AtomicReference<ChangePasswordResponse> responseRef = new AtomicReference<>();
Expand All @@ -81,16 +84,19 @@ public void onFailure(Exception e) {
}

public void testInternalUsers() {
final String hashingAlgorithm = randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9");
NativeUsersStore usersStore = mock(NativeUsersStore.class);
TransportService transportService = new TransportService(Settings.EMPTY, null, null, TransportService.NOOP_TRANSPORT_INTERCEPTOR,
Settings passwordHashingSettings = Settings.builder().
put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), hashingAlgorithm).build();
TransportService transportService = new TransportService(passwordHashingSettings, null, null, TransportService.NOOP_TRANSPORT_INTERCEPTOR,
x -> null, null, Collections.emptySet());
TransportChangePasswordAction action = new TransportChangePasswordAction(Settings.EMPTY, transportService,
mock(ActionFilters.class), usersStore);

ChangePasswordRequest request = new ChangePasswordRequest();
request.username(randomFrom(SystemUser.INSTANCE.principal(), XPackUser.INSTANCE.principal()));
request.passwordHash(Hasher.resolve(
randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9")).hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING));
// Request will fail before the request hashing algorithm is checked, but we use the same algorithm as in settings for consistency
request.passwordHash(Hasher.resolve(hashingAlgorithm).hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING));

final AtomicReference<Throwable> throwableRef = new AtomicReference<>();
final AtomicReference<ChangePasswordResponse> responseRef = new AtomicReference<>();
Expand Down Expand Up @@ -153,7 +159,6 @@ public void onFailure(Exception e) {
verify(usersStore, times(1)).changePassword(eq(request), any(ActionListener.class));
}

@AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/31696")
public void testIncorrectPasswordHashingAlgorithm() {
final User user = randomFrom(new ElasticUser(true), new KibanaUser(true), new User("joe"));
final Hasher hasher = Hasher.resolve(randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt9", "bcrypt5"));
Expand All @@ -166,7 +171,7 @@ public void testIncorrectPasswordHashingAlgorithm() {
TransportService transportService = new TransportService(Settings.EMPTY, null, null, TransportService.NOOP_TRANSPORT_INTERCEPTOR,
x -> null, null, Collections.emptySet());
Settings passwordHashingSettings = Settings.builder().put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(),
randomFrom("pbkdf2_50000", "pbkdf2_10000", "bcrypt11", "bcrypt8", "bcrypt")).build();
randomFrom("pbkdf2_50000", "pbkdf2_100000", "bcrypt11", "bcrypt8", "bcrypt")).build();
TransportChangePasswordAction action = new TransportChangePasswordAction(passwordHashingSettings, transportService,
mock(ActionFilters.class), usersStore);
action.doExecute(mock(Task.class), request, new ActionListener<ChangePasswordResponse>() {
Expand Down

0 comments on commit a7eaa40

Please sign in to comment.