Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make hashed token ids url safe #42651

Merged
merged 5 commits into from
May 30, 2019
Merged

Make hashed token ids url safe #42651

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
ba959cf
Make hashed token ids url safe
jaymode May 28, 2019
0c5fe32
Adjust expected length of hashed refresh tokens
jkakavas May 29, 2019
9bda4bb
Merge branch 'master' into urlencoded_token_doc_id
jaymode May 29, 2019
02c6a43
mute bwc tests until change is backported
jaymode May 30, 2019
d9fe763
use right version in skip
jaymode May 30, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions ...plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/support/Hasher.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -360,14 +360,14 @@ public boolean verify(SecureString text, char[] hash) {
public char[] hash(SecureString text) {
MessageDigest md = MessageDigests.sha256();
md.update(CharArrays.toUtf8Bytes(text.getChars()));
return Base64.getEncoder().encodeToString(md.digest()).toCharArray();
return Base64.getUrlEncoder().withoutPadding().encodeToString(md.digest()).toCharArray();
}

@Override
public boolean verify(SecureString text, char[] hash) {
MessageDigest md = MessageDigests.sha256();
md.update(CharArrays.toUtf8Bytes(text.getChars()));
return CharArrays.constantTimeEquals(Base64.getEncoder().encodeToString(md.digest()).toCharArray(), hash);
return CharArrays.constantTimeEquals(Base64.getUrlEncoder().withoutPadding().encodeToString(md.digest()).toCharArray(), hash);
}
},

Expand Down
12 changes: 9 additions & 3 deletions ...ugin/security/src/test/java/org/elasticsearch/xpack/security/authc/TokenServiceTests.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,14 +53,17 @@
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.core.watcher.watch.ClockMock;
import org.elasticsearch.xpack.security.support.SecurityIndexManager;
import org.junit.After;
import org.elasticsearch.xpack.security.test.SecurityMocks;
import org.hamcrest.Matchers;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;

import javax.crypto.SecretKey;
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.time.Clock;
import java.time.Instant;
Expand All @@ -70,8 +73,6 @@
import java.util.HashMap;
import java.util.Map;

import javax.crypto.SecretKey;

import static java.time.Clock.systemUTC;
import static org.elasticsearch.repositories.ESBlobStoreTestCase.randomBytes;
import static org.elasticsearch.test.ClusterServiceUtils.setState;
Expand Down Expand Up @@ -722,6 +723,11 @@ public void testCannotValidateTokenIfLicenseDoesNotAllowTokens() throws Exceptio
assertThat(authToken, Matchers.nullValue());
}

public void testHashedTokenIsUrlSafe() {
final String hashedId = TokenService.hashTokenString(UUIDs.randomBase64UUID());
assertEquals(hashedId, URLEncoder.encode(hashedId, StandardCharsets.UTF_8));
}

private TokenService createTokenService(Settings settings, Clock clock) throws GeneralSecurityException {
return new TokenService(settings, clock, client, licenseState, securityMainIndex, securityTokensIndex, clusterService);
}
Expand Down