java source code of InternalUsersApiAction

deprecated-security-advanced-modules-master
- NOTICE.txt
- .github
  - workflows
    - ci.yml
- src
  - main
    - java
      - com
        amazon
        dlic
        util
        SettingsBasedSSLConfigurator.java
        auth
        ldap
        backend
        LDAPAuthenticationBackend.java
        LDAPAuthorizationBackend.java
        LdapUser.java
        util
        ConfigConstants.java
        Utils.java
        LdapHelper.java
        ldap2
        LDAPConnectionFactoryFactory.java
        LDAPAuthorizationBackend2.java
        LDAPAuthenticationBackend2.java
        PrivilegedProvider.java
        LDAPUserSearcher.java
        MakeJava9Happy.java
        http
        jwt
        oidc
        json
        OpenIdProviderConfiguration.java
        keybyoidc
        KeySetProvider.java
        SelfRefreshingKeySet.java
        KeyProvider.java
        HTTPJwtKeyByOpenIdConnectAuthenticator.java
        BadCredentialsException.java
        JwtVerifier.java
        KeySetRetriever.java
        AuthenticatorUnavailableException.java
        HTTPJwtAuthenticator.java
        AbstractHTTPJwtAuthenticator.java
        kerberos
        util
        KrbConstants.java
        JaasKrbUtil.java
        HTTPSpnegoAuthenticator.java
        saml
        SamlConfigException.java
        HTTPSamlAuthenticator.java
        SamlFilesystemMetadataResolver.java
        SamlHTTPMetadataResolver.java
        SamlNameIdFormat.java
        AuthTokenProcessorHandler.java
        Saml2SettingsProvider.java
        opendistroforelasticsearch
        security
        compliance
        FieldReadCallback.java
        ComplianceIndexingOperationListenerImpl.java
        configuration
        DlsFlsFilterLeafReader.java
        MaskedField.java
        PrivilegesInterceptorImpl.java
        DlsFlsValveImpl.java
        DlsQueryParser.java
        OpenDistroSecurityFlsDlsIndexSearcherWrapper.java
        dlic
        rest
        api
        RolesApiAction.java
        ActionGroupsApiAction.java
        InternalUsersApiAction.java
        RestApiPrivilegesEvaluator.java
        PermissionsInfoAction.java
        Endpoint.java
        OpenDistroSecurityConfigAction.java
        PatchableResourceApiAction.java
        RolesMappingApiAction.java
        OpenDistroSecurityRestApiActions.java
        FlushCacheApiAction.java
        AuthTokenProcessorAction.java
        AbstractApiAction.java
        TenantsApiAction.java
        support
        Utils.java
        validation
        NoOpValidator.java
        RolesValidator.java
        TenantValidator.java
        AbstractConfigurationValidator.java
        ActionGroupValidator.java
        SecurityConfigValidator.java
        RolesMappingValidator.java
        InternalUsersValidator.java
        auditlog
        impl
        AuditLogImpl.java
        RequestResolver.java
        AuditMessage.java
        AbstractAuditLog.java
        sink
        KafkaSink.java
        Log4JSink.java
        ExternalESSink.java
        SinkProvider.java
        WebhookSink.java
        NoopSink.java
        InternalESSink.java
        DebugSink.java
        AuditLogSink.java
        routing
        AsyncStoragePool.java
        AuditMessageRouter.java
        httpclient
        HttpClient.java
  - test
    - resources
      - ldap
        base.ldif
        roles_mapping.yml
        root-ca.pem
        kirk.key.pem
        internal_users.yml
        roles.yml
        base2.ldif
        spock.crtfull.pem
        chain-ca.pem
        truststore.jks
        action_groups.yml
        node-0.key.pem
        node-0-keystore.jks
        spock.crt.pem
        test1.yml
        kirk-keystore.jks
        config_ldap2.yml
        spock-keystore.jks
        node-0.crt.pem
        spock.key.pem
        roles_tenants.yml
        config.yml
      - jwt
        truststore.jks
        node-0-keystore.jks
        kirk-keystore.jks
        spock-keystore.jks
      - restapi
        roles_captains_tenants_malformed.json
        roles_mapping.yml
        actiongroup_not_parseable.json
        rolesmapping_users_picard_single_wrong_datatype.json
        kirk.key.pem
        rolesmapping_backendroles_captains_list.json
        rolesmapping_all_access.json
        roles_field_masks_valid.json
        rolesmapping_hosts_single_wrong_datatype.json
        roles_captains_different_content.json
        securityconfig.json
        roles_multiple_2.json
        security_config.json
        rolesmapping_not_parseable.json
        roles_invalid_keys.json
        internal_users.yml
        roles.yml
        invalid_config.json
        roles_captains_no_tenants.json
        rolesmapping_hosts_list.json
        rolesmapping_users_picard_list.json
        roles_starfleet.json
        roles_complete_invalid.json
        users_wrong_datatypes2.json
        actiongroup_read.json
        truststore.jks
        users_wrong_datatypes.json
        simple_role.json
        actiongroup_readonly.json
        action_groups.yml
        node-0-keystore.jks
        users_wrong_datatypes3.json
        rolesmapping_backendroles_captains_single_wrong_datatype.json
        users_key_not_quoted.json
        rolesmapping_backendroles_captains_single.json
        roles_field_masks_invalid.json
        actiongroup_crud.json
        rolesmapping_hosts_single.json
        roles_multiple.json
        kirk-keystore.jks
        roles_captains.json
        rolesmapping_all_noaccess.json
        spock-keystore.jks
        roles_not_parseable.json
        rolesmapping_users_picard_single.json
        roles_captains_tenants2.json
        roles_captains_tenants.json
        roles_wrong_datatype.json
        roles_tenants.yml
        config.yml
        rolesmapping_invalid_keys.json
      - auditlog
        spock.all.pem
        roles_mapping.yml
        root-ca.pem
        mapping4.json
        kirk.key.pem
        truststore_fail.jks
        data2.json
        mapping3.json
        roles_2_tenants.yml
        data3.json
        node-0-keystore.p12
        kirk.all.pem
        internal_users.yml
        roles.yml
        signing-ca.pem
        data1.json
        spock.crtfull.pem
        mapping1.json
        kirk.crt.pem
        chain-ca.pem
        truststore.jks
        action_groups.yml
        node-0.key.pem
        messageasjson.json
        node-0-keystore.jks
        roles_2.yml
        endpoints
        configuration_wrong_endpoint_names.yml
        sink
        configuration_all_variants.yml
        configuration_kafka.yml
        configuration_no_multiple_endpoints.yml
        configuration_no_default.yml
        configuration_tls.yml
        routing
        configuration_wrong_endpoint_names.yml
        configuration_valid.yml
        configuration_wrong_endpoint_types.yml
        routing.yml
        configuration_no_default.yml
        fallback.yml
        configuration_wrong_categories.yml
        perftest.yml
        spock.crt.pem
        kirk-keystore.jks
        spock-keystore.p12
        spock-keystore.jks
        node-0.crt.pem
        data1mod.json
        kirk-keystore.p12
        spock.key.pem
        mapping2.json
        roles_tenants.yml
        config.yml
        kirk.crtfull.pem
      - log4j2-test.properties
      - cache
        roles_mapping.yml
        internal_users.yml
        roles.yml
        truststore.jks
        action_groups.yml
        node-0-keystore.jks
        kirk-keystore.jks
        spock-keystore.jks
        roles_tenants.yml
        config.yml
      - sslConfigurator
        jks
        node1-keystore.jks
        truststore.jks
        other-root-ca.jks
        other-root-ca.pem
        pem
        spock.key
        node-wrong-hostname-keystore.jks
        root-ca.pem
        node1-keystore.jks
        kirk.pem
        kirk.key
        signing-ca.pem
        node-wrong-hostname.key
        truststore.jks
        node1.pem
        wrong-kirk.key
        wrong-kirk.pem
        spock.pem
        other-root-ca.pem
        node1.key
        node-wrong-hostname.pem
      - multitenancy
        roles_mapping.yml
        config_basic_auth.yml
        internal_users.yml
        roles.yml
        truststore.jks
        action_groups.yml
        node-0-keystore.jks
        kirk-keystore.jks
        spock-keystore.jks
        config_nodnfof.yml
        roles_tenants.yml
        config.yml
      - saml
        kirk-keystore.jks
        spock-keystore.jks
      - dlsfls
        roles_983.yml
        flsquery2.json
        roles_mapping.yml
        masked_field_mapping.json
        internal_users.yml
        roles.yml
        flsquery.json
        roles_983_tenants.yml
        truststore.jks
        action_groups.yml
        node-0-keystore.jks
        logs_bulk_data.json
        doc1.json
        kirk-keystore.jks
        roles_ccs2.yml
        spock-keystore.jks
        roles_ccs2_tenants.yml
        scenarios.txt
        roles_tenants.yml
        config.yml
    - java
      - com
        amazon
        dlic
        auth
        ldap
        LdapBackendTestNewStyleConfig.java
        LdapBackendTest.java
        srv
        LdapServer.java
        EmbeddedLDAPServer.java
        UtilsTest.java
        LdapBackendTestClientCert.java
        LdapBackendIntegTest.java
        ldap2
        LdapBackendIntegTest2.java
        LdapBackendTestClientCert2.java
        LdapBackendTestOldStyleConfig2.java
        LdapBackendTestNewStyleConfig2.java
        http
        jwt
        HTTPJwtAuthenticatorTest.java
        keybyoidc
        CxfTestTools.java
        HTTPJwtKeyByOpenIdConnectAuthenticatorTest.java
        TestJwts.java
        KeySetRetrieverTest.java
        TestJwk.java
        SingleKeyHTTPJwtKeyByOpenIdConnectAuthenticatorTest.java
        MockIpdServer.java
        SelfRefreshingKeySetTest.java
        saml
        HTTPSamlAuthenticatorTest.java
        MockSamlIdpServer.java
        opendistroforelasticsearch
        security
        dlic
        rest
        api
        IndexMissingTest.java
        RolesMappingApiTest.java
        ActionGroupsApiTest.java
        GetConfigurationApiTest.java
        UserApiTest.java
        OpenDistroSecurityApiAccessTest.java
        RolesApiTest.java
        RoleBasedAccessTest.java
        AbstractRestApiUnitTest.java
        FlushCacheApiTest.java
        SecurityConfigApiTest.java
        dlsfls
        FlsDlsTestMulti.java
        FlsPerfTest.java
        DlsTest.java
        FieldMaskedTest.java
        DlsScrollTest.java
        FlsDlsTestForbiddenField.java
        DlsDateMathTest.java
        FlsTest.java
        Fls983Test.java
        FlsFieldsTest.java
        FlsFieldsWcTest.java
        MFlsTest.java
        IndexPatternTest.java
        DlsFlsCrossClusterSearchTest.java
        CustomFieldMaskedTest.java
        CustomFieldMaskedComplexMappingTest.java
        FlsExistsFieldsTest.java
        DlsNestedTest.java
        DateMathTest.java
        DlsPropsReplaceTest.java
        FlsDlsTestAB.java
        AbstractDlsFlsTest.java
        auditlog
        impl
        DelegateTest.java
        DisabledCategoriesTest.java
        IgnoreAuditUsersTest.java
        AuditlogTest.java
        TracingTests.java
        compliance
        RestApiComplianceAuditlogTest.java
        ComplianceAuditlogTest.java
        integration
        TestAuditlogImpl.java
        BasicAuditlogTest.java
        SSLAuditlogTest.java
        sink
        KafkaSinkTest.java
        WebhookAuditLogTest.java
        MockWebhookAuditLog.java
        SinkProviderTest.java
        SinkProviderTLSTest.java
        AbstractAuditlogiUnitTest.java
        helper
        RetrySink.java
        FailingSink.java
        MockRestRequest.java
        TestHttpHandler.java
        ErroneousHttpHandler.java
        LoggingSink.java
        SlowSink.java
        MyOwnAuditLog.java
        MockAuditMessageFactory.java
        AuditLogTestSuite.java
        routing
        FallbackTest.java
        RoutingConfigurationTest.java
        ThreadPoolSettingsTest.java
        PerfTest.java
        RouterTest.java
        util
        FakeRestRequest.java
        SettingsBasedSSLConfiguratorTest.java
        httpclient
        HttpClientTest.java
        cache
        DummyAuthorizer.java
        DummyHTTPAuthenticator.java
        DummyAuthenticationBackend.java
        CachingTest.java
        multitenancy
        test
        MultitenancyTests.java
- output.txt
- pom.xml
- LICENSE
- CONTRIBUTING.md
- opendistro-elasticsearch-security-advanced-modules.release-notes
- THIRD-PARTY.txt
- README.md
- CODE_OF_CONDUCT.md
- .gitignore

/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 *  Licensed under the Apache License, Version 2.0 (the "License").
 *  You may not use this file except in compliance with the License.
 *  A copy of the License is located at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 *  or in the "license" file accompanying this file. This file is distributed
 *  on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 *  express or implied. See the License for the specific language governing
 *  permissions and limitations under the License.
 */

package com.amazon.opendistroforelasticsearch.security.dlic.rest.api;

import java.io.IOException;
import java.nio.file.Path;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Objects;

import com.amazon.opendistroforelasticsearch.security.DefaultObjectMapper;
import org.bouncycastle.crypto.generators.OpenBSDBCrypt;
import org.elasticsearch.action.index.IndexResponse;
import org.elasticsearch.client.Client;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.xcontent.XContentBuilder;
import org.elasticsearch.rest.RestChannel;
import org.elasticsearch.rest.RestController;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestRequest.Method;
import org.elasticsearch.threadpool.ThreadPool;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.node.ObjectNode;
import com.fasterxml.jackson.databind.node.TextNode;
import com.amazon.opendistroforelasticsearch.security.auditlog.AuditLog;
import com.amazon.opendistroforelasticsearch.security.configuration.AdminDNs;
import com.amazon.opendistroforelasticsearch.security.configuration.ConfigurationRepository;
import com.amazon.opendistroforelasticsearch.security.dlic.rest.validation.AbstractConfigurationValidator;
import com.amazon.opendistroforelasticsearch.security.dlic.rest.validation.InternalUsersValidator;
import com.amazon.opendistroforelasticsearch.security.privileges.PrivilegesEvaluator;
import com.amazon.opendistroforelasticsearch.security.securityconf.Hashed;
import com.amazon.opendistroforelasticsearch.security.securityconf.impl.CType;
import com.amazon.opendistroforelasticsearch.security.securityconf.impl.SecurityDynamicConfiguration;
import com.amazon.opendistroforelasticsearch.security.ssl.transport.PrincipalExtractor;
import com.amazon.opendistroforelasticsearch.security.support.SecurityJsonNode;

public class InternalUsersApiAction extends PatchableResourceApiAction {

    @Inject
    public InternalUsersApiAction(final Settings settings, final Path configPath, final RestController controller,
            final Client client, final AdminDNs adminDNs, final ConfigurationRepository cl,
            final ClusterService cs, final PrincipalExtractor principalExtractor, final PrivilegesEvaluator evaluator,
            ThreadPool threadPool, AuditLog auditLog) {
        super(settings, configPath, controller, client, adminDNs, cl, cs, principalExtractor, evaluator, threadPool,
                auditLog);

        // legacy mapping for backwards compatibility
        // TODO: remove in next version
        controller.registerHandler(Method.GET, "/_opendistro/_security/api/user/{name}", this);
        controller.registerHandler(Method.GET, "/_opendistro/_security/api/user/", this);
        controller.registerHandler(Method.DELETE, "/_opendistro/_security/api/user/{name}", this);
        controller.registerHandler(Method.PUT, "/_opendistro/_security/api/user/{name}", this);

        // corrected mapping, introduced in Open Distro Security
        controller.registerHandler(Method.GET, "/_opendistro/_security/api/internalusers/{name}", this);
        controller.registerHandler(Method.GET, "/_opendistro/_security/api/internalusers/", this);
        controller.registerHandler(Method.DELETE, "/_opendistro/_security/api/internalusers/{name}", this);
        controller.registerHandler(Method.PUT, "/_opendistro/_security/api/internalusers/{name}", this);
        controller.registerHandler(Method.PATCH, "/_opendistro/_security/api/internalusers/", this);
        controller.registerHandler(Method.PATCH, "/_opendistro/_security/api/internalusers/{name}", this);

    }

    @Override
    protected Endpoint getEndpoint() {
        return Endpoint.INTERNALUSERS;
    }

    @Override
    protected void handlePut(RestChannel channel, final RestRequest request, final Client client, final JsonNode content) throws IOException {

        final String username = request.param("name");

        if (username == null || username.length() == 0) {
            badRequestResponse(channel, "No " + getResourceName() + " specified.");
            return;
        }

        // TODO it might be sensible to consolidate this with the overridden method in
        // order to minimize duplicated logic

        final SecurityDynamicConfiguration<?> configuration = load(getConfigName(), false);

        if (isHidden(configuration, username)) {
            forbidden(channel, "Resource '" + username + "' is not available.");
            return;
        }

        // check if resource is writeable
        if (isReserved(configuration, username)) {
            forbidden(channel, "Resource '" + username + "' is read-only.");
            return;
        }

        final ObjectNode contentAsNode = (ObjectNode) content;
        final SecurityJsonNode securityJsonNode = new SecurityJsonNode(contentAsNode);

        // if password is set, it takes precedence over hash
        final String plainTextPassword = securityJsonNode.get("password").asString();
        final String origHash = securityJsonNode.get("hash").asString();
        if (plainTextPassword != null && plainTextPassword.length() > 0) {
            contentAsNode.remove("password");
            contentAsNode.put("hash", hash(plainTextPassword.toCharArray()));
        } else if(origHash != null && origHash.length() > 0) {
            contentAsNode.remove("password");
        } else if(plainTextPassword != null && plainTextPassword.isEmpty() && origHash == null) {
            contentAsNode.remove("password");
        }

        // check if user exists
        final SecurityDynamicConfiguration<?> internaluser = load(CType.INTERNALUSERS, false);

        final boolean userExisted = internaluser.exists(username);

        // when updating an existing user password hash can be blank, which means no
        // changes

        // sanity checks, hash is mandatory for newly created users
        if (!userExisted && securityJsonNode.get("hash").asString() == null) {
            badRequestResponse(channel, "Please specify either 'hash' or 'password' when creating a new internal user.");
            return;
        }

        // for existing users, hash is optional
        if (userExisted && securityJsonNode.get("hash").asString() == null) {
            // sanity check, this should usually not happen
            final String hash = ((Hashed)internaluser.getCEntry(username)).getHash();
            if (hash == null || hash.length() == 0) {
                internalErrorResponse(channel,
                        "Existing user " + username + " has no password, and no new password or hash was specified.");
                return;
            }
            contentAsNode.put("hash", hash);
        }

        internaluser.remove(username);

        // checks complete, create or update the user
        internaluser.putCObject(username, DefaultObjectMapper.readTree(contentAsNode, internaluser.getImplementingClass()));

        saveAnUpdateConfigs(client, request, CType.INTERNALUSERS, internaluser, new OnSucessActionListener<IndexResponse>(channel) {

            @Override
            public void onResponse(IndexResponse response) {
                if (userExisted) {
                    successResponse(channel, "'" + username + "' updated.");
                } else {
                    createdResponse(channel, "'" + username + "' created.");
                }

            }
        });



    }


    @Override
    protected void filter(SecurityDynamicConfiguration<?> builder) {
        super.filter(builder);
        // replace password hashes in addition. We must not remove them from the
        // Builder since this would remove users completely if they
        // do not have any addition properties like roles or attributes
        builder.clearHashes();
    }

    @Override
    protected AbstractConfigurationValidator postProcessApplyPatchResult(RestChannel channel, RestRequest request, JsonNode existingResourceAsJsonNode,
                                                                         JsonNode updatedResourceAsJsonNode, String resourceName) {
        AbstractConfigurationValidator retVal = null;
        JsonNode passwordNode = updatedResourceAsJsonNode.get("password");

        if (passwordNode != null) {
            String plainTextPassword = passwordNode.asText();
            try {
                XContentBuilder builder = channel.newBuilder();
                builder.startObject();
                builder.field("password", plainTextPassword);
                builder.endObject();
                retVal = getValidator(request, BytesReference.bytes(builder), resourceName);
            } catch (IOException e) {
                log.error(e);
            }

            ((ObjectNode) updatedResourceAsJsonNode).remove("password");
            ((ObjectNode) updatedResourceAsJsonNode).set("hash", new TextNode(hash(plainTextPassword.toCharArray())));
            return retVal;
        }

        return null;
    }

    public static String hash(final char[] clearTextPassword) {
        final byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        final String hash = OpenBSDBCrypt.generate((Objects.requireNonNull(clearTextPassword)), salt, 12);
        Arrays.fill(salt, (byte) 0);
        Arrays.fill(clearTextPassword, '\0');
        return hash;
    }

    @Override
    protected String getResourceName() {
        return "user";
    }

    @Override
    protected CType getConfigName() {
        return CType.INTERNALUSERS;
    }

    @Override
    protected AbstractConfigurationValidator getValidator(RestRequest request, BytesReference ref, Object... params) {
        return new InternalUsersValidator(request, ref, this.settings, params);
    }
}