DefaultUserInfo empty password hash (elastic#64018)

Use an empty char array in place of the hash of the empty string
for defaultEnabledReservedUser, defaultDisabledReservedUser and
bootstrapUserInfo ReservedUserInfo objects, when the password is
empty. In these cases, the hasEmptyPassword property is set to
true and so the actual password hash is not ever checked or
verified in ReservedRealm#doAuthenticate so this change has no
functional effect on existing logic. If anything, it is more
consistent with the logic in NativeUsersStore#setReservedUserEnabled
when the user document didn't already exist.
Even if there is / will be code that attempts to verify the hash,
this would still work as intended as Hasher#resolve would resolve
the NOOP Hasher from the empty string and its verify method would
compare the char arrays.

The reason for this change is that when in FIPS 140 approved only
mode, the security provider's implementation of PBKDF2 might
forbid operations when the password is smaller than 112 bits so
the existing implementation would cause elasticsearch to fail.

Author: jkakavas

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/NativeUsersStore.java

@@ -36,7 +36,6 @@
 import org.elasticsearch.index.query.QueryBuilder;
 import org.elasticsearch.index.query.QueryBuilders;
 import org.elasticsearch.search.SearchHit;
-import org.elasticsearch.xpack.core.XPackSettings;
 import org.elasticsearch.xpack.core.security.ScrollHelper;
 import org.elasticsearch.xpack.core.security.action.realm.ClearRealmCacheRequest;
 import org.elasticsearch.xpack.core.security.action.realm.ClearRealmCacheResponse;
@@ -83,19 +82,13 @@ public class NativeUsersStore {
 
     private final Settings settings;
     private final Client client;
-    private final ReservedUserInfo disabledDefaultUserInfo;
-    private final ReservedUserInfo enabledDefaultUserInfo;
 
     private final SecurityIndexManager securityIndex;
 
     public NativeUsersStore(Settings settings, Client client, SecurityIndexManager securityIndex) {
         this.settings = settings;
         this.client = client;
         this.securityIndex = securityIndex;
-        final char[] emptyPasswordHash = Hasher.resolve(XPackSettings.PASSWORD_HASHING_ALGORITHM.get(settings)).
-            hash(new SecureString("".toCharArray()));
-        this.disabledDefaultUserInfo = new ReservedUserInfo(emptyPasswordHash, false, true);
-        this.enabledDefaultUserInfo = new ReservedUserInfo(emptyPasswordHash, true, true);
     }
 
     /**
@@ -540,9 +533,10 @@ public void onResponse(GetResponse getResponse) {
                                         } else if (enabled == null) {
                                             listener.onFailure(new IllegalStateException("enabled must not be null!"));
                                         } else if (password.isEmpty()) {
-                                            listener.onResponse((enabled ? enabledDefaultUserInfo : disabledDefaultUserInfo).deepClone());
+                                            listener.onResponse(enabled ? ReservedUserInfo.defaultEnabledUserInfo()
+                                                : ReservedUserInfo.defaultDisabledUserInfo());
                                         } else {
-                                            listener.onResponse(new ReservedUserInfo(password.toCharArray(), enabled, false));
+                                            listener.onResponse(new ReservedUserInfo(password.toCharArray(), enabled));
                                         }
                                     } else {
                                         listener.onResponse(null);
@@ -596,7 +590,7 @@ public void onResponse(SearchResponse searchResponse) {
                                     listener.onFailure(new IllegalStateException("enabled must not be null!"));
                                     return;
                                 } else {
-                                    userInfos.put(username, new ReservedUserInfo(password.toCharArray(), enabled, false));
+                                    userInfos.put(username, new ReservedUserInfo(password.toCharArray(), enabled));
                                 }
                             }
                             listener.onResponse(userInfos);
@@ -683,22 +677,32 @@ static final class ReservedUserInfo {
 
         public final char[] passwordHash;
         public final boolean enabled;
-        public final boolean hasEmptyPassword;
         private final Hasher hasher;
 
-        ReservedUserInfo(char[] passwordHash, boolean enabled, boolean hasEmptyPassword) {
+        ReservedUserInfo(char[] passwordHash, boolean enabled) {
             this.passwordHash = passwordHash;
             this.enabled = enabled;
-            this.hasEmptyPassword = hasEmptyPassword;
             this.hasher = Hasher.resolveFromHash(this.passwordHash);
         }
 
         ReservedUserInfo deepClone() {
-            return new ReservedUserInfo(Arrays.copyOf(passwordHash, passwordHash.length), enabled, hasEmptyPassword);
+            return new ReservedUserInfo(Arrays.copyOf(passwordHash, passwordHash.length), enabled);
+        }
+
+        boolean hasEmptyPassword() {
+            return passwordHash.length == 0;
         }
 
         boolean verifyPassword(SecureString data) {
             return hasher.verify(data, this.passwordHash);
         }
+
+        static ReservedUserInfo defaultEnabledUserInfo() {
+            return new ReservedUserInfo(new char[0], true);
+        }
+
+        static ReservedUserInfo defaultDisabledUserInfo() {
+            return new ReservedUserInfo(new char[0], false);
+        }
     }
 }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealm.java

@@ -66,9 +66,6 @@ public class ReservedRealm extends CachingUsernamePasswordRealm {
     private final boolean realmEnabled;
     private final boolean anonymousEnabled;
     private final SecurityIndexManager securityIndex;
-    private final Hasher reservedRealmHasher;
-    private final ReservedUserInfo disabledDefaultUserInfo;
-    private final ReservedUserInfo enabledDefaultUserInfo;
 
     private final DeprecationLogger deprecationLogger = DeprecationLogger.getLogger(logger.getName());
 
@@ -80,13 +77,10 @@ public ReservedRealm(Environment env, Settings settings, NativeUsersStore native
         this.anonymousUser = anonymousUser;
         this.anonymousEnabled = AnonymousUser.isAnonymousEnabled(settings);
         this.securityIndex = securityIndex;
-        this.reservedRealmHasher = Hasher.resolve(XPackSettings.PASSWORD_HASHING_ALGORITHM.get(settings));
-        final char[] emptyPasswordHash = reservedRealmHasher.hash(new SecureString("".toCharArray()));
-        disabledDefaultUserInfo = new ReservedUserInfo(emptyPasswordHash, false, true);
-        enabledDefaultUserInfo = new ReservedUserInfo(emptyPasswordHash, true, true);
-        final char[] hash = BOOTSTRAP_ELASTIC_PASSWORD.get(settings).length() == 0 ? emptyPasswordHash :
+        final Hasher reservedRealmHasher = Hasher.resolve(XPackSettings.PASSWORD_HASHING_ALGORITHM.get(settings));
+        final char[] hash = BOOTSTRAP_ELASTIC_PASSWORD.get(settings).length() == 0 ? new char[0] :
             reservedRealmHasher.hash(BOOTSTRAP_ELASTIC_PASSWORD.get(settings));
-        bootstrapUserInfo = new ReservedUserInfo(hash, true, hash == emptyPasswordHash);
+        bootstrapUserInfo = new ReservedUserInfo(hash, true);
     }
 
     @Override
@@ -100,7 +94,7 @@ protected void doAuthenticate(UsernamePasswordToken token, ActionListener<Authen
                 AuthenticationResult result;
                 if (userInfo != null) {
                     try {
-                        if (userInfo.hasEmptyPassword) {
+                        if (userInfo.hasEmptyPassword()) {
                             result = AuthenticationResult.terminate("failed to authenticate user [" + token.principal() + "]", null);
                         } else if (userInfo.verifyPassword(token.credentials())) {
                             final User user = getUser(token.principal(), userInfo);
@@ -110,8 +104,6 @@ protected void doAuthenticate(UsernamePasswordToken token, ActionListener<Authen
                             result = AuthenticationResult.terminate("failed to authenticate user [" + token.principal() + "]", null);
                         }
                     } finally {
-                        assert userInfo.passwordHash != disabledDefaultUserInfo.passwordHash : "default user info must be cloned";
-                        assert userInfo.passwordHash != enabledDefaultUserInfo.passwordHash : "default user info must be cloned";
                         assert userInfo.passwordHash != bootstrapUserInfo.passwordHash : "bootstrap user info must be cloned";
                         Arrays.fill(userInfo.passwordHash, (char) 0);
                     }
@@ -249,7 +241,7 @@ private ReservedUserInfo getDefaultUserInfo(String username) {
         if (ElasticUser.NAME.equals(username)) {
             return bootstrapUserInfo.deepClone();
         } else {
-            return enabledDefaultUserInfo.deepClone();
+            return ReservedUserInfo.defaultEnabledUserInfo();
         }
     }
 

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/NativeUsersStoreTests.java

@@ -128,7 +128,7 @@ public void testBlankPasswordInIndexImpliesDefaultPassword() throws Exception {
         actionRespond(GetRequest.class, new GetResponse(result));
 
         final NativeUsersStore.ReservedUserInfo userInfo = future.get();
-        assertThat(userInfo.hasEmptyPassword, equalTo(true));
+        assertThat(userInfo.hasEmptyPassword(), equalTo(true));
         assertThat(userInfo.enabled, equalTo(true));
         assertTrue(Hasher.verifyHash(new SecureString("".toCharArray()), userInfo.passwordHash));
     }
@@ -190,7 +190,7 @@ public void testVerifyNonExistentUser() throws Exception {
                 false,
                 null,
                 Collections.emptyMap(),
-                Collections.emptyMap());
+            Collections.emptyMap());
 
         actionRespond(GetRequest.class, new GetResponse(getResult));
 
@@ -201,6 +201,17 @@ public void testVerifyNonExistentUser() throws Exception {
         assertThat(result.getMessage(), nullValue());
     }
 
+    public void testDefaultReservedUserInfoPasswordEmpty() {
+        NativeUsersStore.ReservedUserInfo disabledUserInfo = NativeUsersStore.ReservedUserInfo.defaultDisabledUserInfo();
+        NativeUsersStore.ReservedUserInfo enabledUserInfo = NativeUsersStore.ReservedUserInfo.defaultEnabledUserInfo();
+        NativeUsersStore.ReservedUserInfo constructedUserInfo =
+            new NativeUsersStore.ReservedUserInfo(Hasher.PBKDF2.hash(new SecureString(randomAlphaOfLength(14))), randomBoolean());
+
+        assertThat(disabledUserInfo.hasEmptyPassword(), equalTo(true));
+        assertThat(enabledUserInfo.hasEmptyPassword(), equalTo(true));
+        assertThat(constructedUserInfo.hasEmptyPassword(), equalTo(false));
+    }
+
     private <ARequest extends ActionRequest, AResponse extends ActionResponse> ARequest actionRespond(Class<ARequest> requestClass,
                                                                                                       AResponse response) {
         Tuple<ARequest, ActionListener<?>> tuple = findRequest(requestClass);
@@ -209,11 +220,11 @@ private <ARequest extends ActionRequest, AResponse extends ActionResponse> ARequ
     }
 
     private <ARequest extends ActionRequest> Tuple<ARequest, ActionListener<?>> findRequest(
-            Class<ARequest> requestClass) {
+        Class<ARequest> requestClass) {
         return this.requests.stream()
-                .filter(t -> requestClass.isInstance(t.v1()))
-                .map(t -> new Tuple<ARequest, ActionListener<?>>(requestClass.cast(t.v1()), t.v2()))
-                .findFirst().orElseThrow(() -> new RuntimeException("Cannot find request of type " + requestClass));
+            .filter(t -> requestClass.isInstance(t.v1()))
+            .map(t -> new Tuple<ARequest, ActionListener<?>>(requestClass.cast(t.v1()), t.v2()))
+            .findFirst().orElseThrow(() -> new RuntimeException("Cannot find request of type " + requestClass));
     }
 
     private void respondToGetUserRequest(String username, SecureString password, String[] roles) throws IOException {

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealmTests.java

@@ -143,7 +143,7 @@ private void verifySuccessfulAuthentication(boolean enabled) throws Exception {
         when(securityIndex.indexExists()).thenReturn(true);
         doAnswer((i) -> {
             ActionListener callback = (ActionListener) i.getArguments()[1];
-            callback.onResponse(new ReservedUserInfo(hasher.hash(newPassword), enabled, false));
+            callback.onResponse(new ReservedUserInfo(hasher.hash(newPassword), enabled));
             return null;
         }).when(usersStore).getReservedUserInfo(eq(principal), any(ActionListener.class));
 
@@ -155,7 +155,7 @@ private void verifySuccessfulAuthentication(boolean enabled) throws Exception {
         // the realm assumes it owns the hashed password so it fills it with 0's
         doAnswer((i) -> {
             ActionListener callback = (ActionListener) i.getArguments()[1];
-            callback.onResponse(new ReservedUserInfo(hasher.hash(newPassword), true, false));
+            callback.onResponse(new ReservedUserInfo(hasher.hash(newPassword), true));
             return null;
         }).when(usersStore).getReservedUserInfo(eq(principal), any(ActionListener.class));
 
@@ -317,7 +317,7 @@ public void testFailedAuthentication() throws Exception {
         // Mocked users store is initiated with default hashing algorithm
         final Hasher hasher = Hasher.resolve("bcrypt");
         char[] hash = hasher.hash(password);
-        ReservedUserInfo userInfo = new ReservedUserInfo(hash, true, false);
+        ReservedUserInfo userInfo = new ReservedUserInfo(hash, true);
         mockGetAllReservedUserInfo(usersStore, Collections.singletonMap("elastic", userInfo));
         final ReservedRealm reservedRealm = new ReservedRealm(mock(Environment.class), Settings.EMPTY, usersStore,
             new AnonymousUser(Settings.EMPTY), securityIndex, threadPool);
@@ -382,7 +382,7 @@ public void testBootstrapElasticPasswordFailsOnceElasticUserExists() throws Exce
         doAnswer((i) -> {
             ActionListener callback = (ActionListener) i.getArguments()[1];
             char[] hash = hasher.hash(password);
-            ReservedUserInfo userInfo = new ReservedUserInfo(hash, true, false);
+            ReservedUserInfo userInfo = new ReservedUserInfo(hash, true);
             callback.onResponse(userInfo);
             return null;
         }).when(usersStore).getReservedUserInfo(eq("elastic"), any(ActionListener.class));