Fix TransportChangePasswordActionTests

testIncorrectPasswordHashingAlgorithm is based on the assumption that the algorithm selected for the change password request is different than the one selected for the NativeUsersStore. pbkdf2_10000 is the same as pbkdf2 since 10000 is the default cost factor for pbkdf2 and thus should not be used as an option for the passwordHashingSettings. Also make sure that the same algorithm is used for settings and change password requests in other tests for consistency, even if we expect to not reach the code where the algorithm is checked for now. Resolves #31696 Reverts 1c4f480
elastic · Jul 2, 2018 · a7eaa40 · a7eaa40
1 parent 2971dd5
commit a7eaa40
Showing 1 changed file with 13 additions and 8 deletions.
diff --git a/...java/org/elasticsearch/xpack/security/action/user/TransportChangePasswordActionTests.java b/...java/org/elasticsearch/xpack/security/action/user/TransportChangePasswordActionTests.java
@@ -47,18 +47,21 @@
 public class TransportChangePasswordActionTests extends ESTestCase {
 
     public void testAnonymousUser() {
+        final String hashingAlgorithm = randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9");
         Settings settings = Settings.builder().put(AnonymousUser.ROLES_SETTING.getKey(), "superuser").build();
         AnonymousUser anonymousUser = new AnonymousUser(settings);
         NativeUsersStore usersStore = mock(NativeUsersStore.class);
-        TransportService transportService = new TransportService(Settings.EMPTY, null, null, TransportService.NOOP_TRANSPORT_INTERCEPTOR,
+        Settings passwordHashingSettings = Settings.builder().
+            put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), hashingAlgorithm).build();
+        TransportService transportService = new TransportService(passwordHashingSettings, null, null, TransportService.NOOP_TRANSPORT_INTERCEPTOR,
                 x -> null, null, Collections.emptySet());
         TransportChangePasswordAction action = new TransportChangePasswordAction(settings, transportService,
             mock(ActionFilters.class), usersStore);
 
         ChangePasswordRequest request = new ChangePasswordRequest();
+        // Request will fail before the request hashing algorithm is checked, but we use the same algorithm as in settings for consistency
         request.username(anonymousUser.principal());
-        request.passwordHash(Hasher.resolve(
-            randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9")).hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING));
+        request.passwordHash(Hasher.resolve(hashingAlgorithm).hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING));
 
         final AtomicReference<Throwable> throwableRef = new AtomicReference<>();
         final AtomicReference<ChangePasswordResponse> responseRef = new AtomicReference<>();
@@ -81,16 +84,19 @@ public void onFailure(Exception e) {
     }
 
     public void testInternalUsers() {
+        final String hashingAlgorithm = randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9");
         NativeUsersStore usersStore = mock(NativeUsersStore.class);
-        TransportService transportService = new TransportService(Settings.EMPTY, null, null, TransportService.NOOP_TRANSPORT_INTERCEPTOR,
+        Settings passwordHashingSettings = Settings.builder().
+            put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), hashingAlgorithm).build();
+        TransportService transportService = new TransportService(passwordHashingSettings, null, null, TransportService.NOOP_TRANSPORT_INTERCEPTOR,
                 x -> null, null, Collections.emptySet());
         TransportChangePasswordAction action = new TransportChangePasswordAction(Settings.EMPTY, transportService,
             mock(ActionFilters.class), usersStore);
 
         ChangePasswordRequest request = new ChangePasswordRequest();
         request.username(randomFrom(SystemUser.INSTANCE.principal(), XPackUser.INSTANCE.principal()));
-        request.passwordHash(Hasher.resolve(
-            randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt", "bcrypt9")).hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING));
+        // Request will fail before the request hashing algorithm is checked, but we use the same algorithm as in settings for consistency
+        request.passwordHash(Hasher.resolve(hashingAlgorithm).hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING));
 
         final AtomicReference<Throwable> throwableRef = new AtomicReference<>();
         final AtomicReference<ChangePasswordResponse> responseRef = new AtomicReference<>();
@@ -153,7 +159,6 @@ public void onFailure(Exception e) {
         verify(usersStore, times(1)).changePassword(eq(request), any(ActionListener.class));
     }
 
-    @AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/31696")
     public void testIncorrectPasswordHashingAlgorithm() {
         final User user = randomFrom(new ElasticUser(true), new KibanaUser(true), new User("joe"));
         final Hasher hasher = Hasher.resolve(randomFrom("pbkdf2", "pbkdf2_1000", "bcrypt9", "bcrypt5"));
@@ -166,7 +171,7 @@ public void testIncorrectPasswordHashingAlgorithm() {
         TransportService transportService = new TransportService(Settings.EMPTY, null, null, TransportService.NOOP_TRANSPORT_INTERCEPTOR,
             x -> null, null, Collections.emptySet());
         Settings passwordHashingSettings = Settings.builder().put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(),
-            randomFrom("pbkdf2_50000", "pbkdf2_10000", "bcrypt11", "bcrypt8", "bcrypt")).build();
+            randomFrom("pbkdf2_50000", "pbkdf2_100000", "bcrypt11", "bcrypt8", "bcrypt")).build();
         TransportChangePasswordAction action = new TransportChangePasswordAction(passwordHashingSettings, transportService,
             mock(ActionFilters.class), usersStore);
         action.doExecute(mock(Task.class), request, new ActionListener<ChangePasswordResponse>() {