Fix RealmInteg test failures
As part of the changes in elastic#31234, the password verification logic
determines the algorithm used for hashing the password from the
format of the stored password hash itself. Thus, it is generally
possible to validate a password even if its associated stored hash
was not created with the same algorithm as the one currently set
in the settings.
At the same time, we introduced a check for incoming client change
password requests to make sure that the request's password is hashed
with the same algorithm that is configured to be used in the node
settings.
In the spirit of randomizing the algorithms used, the
{@code SecurityClient} used in the {@code NativeRealmIntegTests} and
{@code ReservedRealmIntegTests} would send all requests dealing with
user passwords by randomly selecting a hashing algorithm each time.
This meant that some change password requests were using a different
password hashing algorithm than the one used for the node and the
request would fail.
This commit changes this behavior in the two aforementioned Integ
tests to use the same password hashing algorithm for the node and the
clients, no matter what the request is.

Resolves elastic#31670
jkakavas committed Jul 16, 2018
1 parent f77559c commit 60b1f57
Showing 1 changed file with 20 additions and 1 deletion.
Expand Up @@ -8,13 +8,16 @@
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.test.NativeRealmIntegTestCase;
import org.elasticsearch.xpack.core.security.action.user.ChangePasswordResponse;
import org.elasticsearch.xpack.core.security.authc.support.Hasher;
import org.elasticsearch.xpack.core.security.client.SecurityClient;
import org.elasticsearch.xpack.core.security.user.BeatsSystemUser;
import org.elasticsearch.xpack.core.security.user.ElasticUser;
import org.elasticsearch.xpack.core.security.user.KibanaUser;
import org.elasticsearch.xpack.core.security.user.LogstashSystemUser;
import org.junit.BeforeClass;

import java.util.Arrays;

Expand All @@ -29,6 +32,22 @@
*/
public class ReservedRealmIntegTests extends NativeRealmIntegTestCase {

private static Hasher hasher;

@BeforeClass
public static void setHasher() {
hasher = getFastStoredHashAlgoForTests();
}

@Override
public Settings nodeSettings(int nodeOrdinal) {
Settings settings = Settings.builder()
.put(super.nodeSettings(nodeOrdinal))
.put("xpack.security.authc.password_hashing.algorithm", hasher.name())
.build();
return settings;
}

public void testAuthenticate() {
for (String username : Arrays.asList(ElasticUser.NAME, KibanaUser.NAME, LogstashSystemUser.NAME, BeatsSystemUser.NAME)) {
ClusterHealthResponse response = client()
Expand Down Expand Up @@ -76,7 +95,7 @@ public void testChangingPassword() {
}

ChangePasswordResponse response = securityClient()
.prepareChangePassword(username, Arrays.copyOf(newPassword, newPassword.length), getFastStoredHashAlgoForTests())
.prepareChangePassword(username, Arrays.copyOf(newPassword, newPassword.length), hasher)
.get();
assertThat(response, notNullValue());
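Review bot: With `hasher` now shared by the node settings and the `prepareChangePassword` call in `testChangingPassword`, this test no longer sends a change-password request hashed with an algorithm other than the configured one, so the server-side rejection described in the commit message is not exercised here. That check is a security control and was previously hit only by accident; unless it is covered elsewhere, consider a dedicated negative test that picks a hasher different from `hasher` and asserts that the request is rejected. A short comment on the field, such as `// must match the node's password_hashing.algorithm, otherwise change-password requests are rejected`, would also explain why the algorithm is fixed per class instead of randomized per request. In `nodeSettings`, the setting key is a string literal; if a settings constant for it is in scope for this test, referencing it would keep the test from drifting from the production key. The body of `testChangingPassword` starts and ends outside the visible hunk.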
