Formal support for "password_hash" in Put User

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/user/PutUserRequestBuilder.java

@@ -80,7 +80,12 @@ public PutUserRequestBuilder email(String email) {
         return this;
     }
 
-    public PutUserRequestBuilder passwordHash(char[] passwordHash) {
+    public PutUserRequestBuilder passwordHash(char[] passwordHash, Hasher configuredHasher) {
+        final Hasher resolvedHasher = Hasher.resolveFromHash(passwordHash);
+        if (resolvedHasher.equals(configuredHasher) == false) {
+            throw new IllegalArgumentException("Provided password hash uses [" + resolvedHasher
+                + "] but the configured hashing algorithm is [" + configuredHasher + "]");
+        }
         request.passwordHash(passwordHash);
         return this;
     }
@@ -120,7 +125,7 @@ public PutUserRequestBuilder source(String username, BytesReference source, XCon
                 } else if (User.Fields.PASSWORD_HASH.match(currentFieldName, parser.getDeprecationHandler())) {
                     if (token == XContentParser.Token.VALUE_STRING) {
                         char[] passwordChars = parser.text().toCharArray();
-                        passwordHash(passwordChars);
+                        passwordHash(passwordChars, hasher);
                     } else {
                         throw new ElasticsearchParseException(
                                 "expected field [{}] to be of type string, but found [{}] instead", currentFieldName, token);
@@ -176,5 +181,4 @@ public PutUserRequestBuilder source(String username, BytesReference source, XCon
             return this;
         }
     }
-
 }

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/user/PutUserRequestBuilderTests.java

@@ -8,6 +8,7 @@
 import org.elasticsearch.ElasticsearchParseException;
 import org.elasticsearch.client.Client;
 import org.elasticsearch.common.bytes.BytesArray;
+import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.xcontent.XContentType;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.xpack.core.security.action.user.PutUserRequest;
@@ -19,6 +20,7 @@
 
 import static org.hamcrest.Matchers.arrayContaining;
 import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.nullValue;
 import static org.mockito.Mockito.mock;
@@ -135,4 +137,51 @@ public void testWithEnabled() throws IOException {
             builder.source("kibana4", new BytesArray(json.getBytes(StandardCharsets.UTF_8)), XContentType.JSON, Hasher.BCRYPT).request();
         assertFalse(request.enabled());
     }
+
+    public void testWithValidPasswordHash() throws IOException {
+        final Hasher hasher = Hasher.BCRYPT4; // this is the fastest hasher we officially support
+        final char[] hash = hasher.hash(new SecureString("secret".toCharArray()));
+        final String json = "{\n" +
+            "    \"password_hash\": \"" + new String(hash) + "\"," +
+            "    \"roles\": []\n" +
+            "}";
+
+        PutUserRequestBuilder requestBuilder = new PutUserRequestBuilder(mock(Client.class));
+        PutUserRequest request = requestBuilder.source("hash_user",
+            new BytesArray(json.getBytes(StandardCharsets.UTF_8)), XContentType.JSON, hasher).request();
+        assertThat(request.passwordHash(), equalTo(hash));
+        assertThat(request.username(), equalTo("hash_user"));
+    }
+
+    public void testWithMismatchedPasswordHash() throws IOException {
+        final Hasher systemHasher = Hasher.BCRYPT8;
+        final Hasher userHasher = Hasher.BCRYPT4; // this is the fastest hasher we officially support
+        final char[] hash = userHasher.hash(new SecureString("secret".toCharArray()));
+        final String json = "{\n" +
+            "    \"password_hash\": \"" + new String(hash) + "\"," +
+            "    \"roles\": []\n" +
+            "}";
+
+        PutUserRequestBuilder builder = new PutUserRequestBuilder(mock(Client.class));
+        final IllegalArgumentException ex = expectThrows(IllegalArgumentException.class, () -> {
+            builder.source("hash_user", new BytesArray(json.getBytes(StandardCharsets.UTF_8)), XContentType.JSON, systemHasher).request();
+        });
+        assertThat(ex.getMessage(), containsString(userHasher.name()));
+        assertThat(ex.getMessage(), containsString(systemHasher.name()));
+    }
+
+    public void testWithPasswordHashThatsNotReallyAHash() throws IOException {
+        final Hasher systemHasher = Hasher.PBKDF2;
+        final String json = "{\n" +
+            "    \"password_hash\": \"not-a-hash\"," +
+            "    \"roles\": []\n" +
+            "}";
+
+        PutUserRequestBuilder builder = new PutUserRequestBuilder(mock(Client.class));
+        final IllegalArgumentException ex = expectThrows(IllegalArgumentException.class, () -> {
+            builder.source("hash_user", new BytesArray(json.getBytes(StandardCharsets.UTF_8)), XContentType.JSON, systemHasher).request();
+        });
+        assertThat(ex.getMessage(), containsString(Hasher.NOOP.name()));
+        assertThat(ex.getMessage(), containsString(systemHasher.name()));
+    }
 }

x-pack/plugin/src/test/resources/rest-api-spec/test/users/10_basic.yml

@@ -13,6 +13,10 @@ teardown:
       xpack.security.delete_user:
         username: "joe"
         ignore: 404
+  - do:
+      xpack.security.delete_user:
+        username: "bob"
+        ignore: 404
 
 ---
 "Test put user api":
@@ -101,3 +105,47 @@ teardown:
                 "key2" : "val2"
               }
             }
+---
+"Test put user with password hash":
+
+  # Mostly this chain of put_user , search index, set value is to work around the fact that the
+  # rest tests treat anything with a leading "$" as a stashed value, and bcrypt passwords start with "$"
+  # But it has the nice side effect of automatically adjusting to any changes in the default hasher for
+  # the ES cluster
+  - do:
+      xpack.security.put_user:
+        username: "bob"
+        body:  >
+          {
+            "password" : "correct horse battery staple",
+            "roles" : [ ]
+          }
+
+  - do:
+      get:
+        index: .security
+        type: doc
+        id: user-bob
+  - set: { _source.password: "hash" }
+
+  - do:
+      xpack.security.put_user:
+        username: "joe"
+        body:  >
+            {
+              "password_hash" : "$hash",
+              "roles" : [ "superuser" ]
+            }
+
+  # base64("joe:correct horse battery staple") = "am9lOmNvcnJlY3QgaG9yc2UgYmF0dGVyeSBzdGFwbGU="
+  - do:
+      headers:
+        Authorization: "Basic am9lOmNvcnJlY3QgaG9yc2UgYmF0dGVyeSBzdGFwbGU="
+      xpack.security.authenticate: {}
+  - match: { username: "joe" }
+
+  - do:
+      catch: unauthorized
+      headers:
+        Authorization: "Basic am9lOnMza3JpdA=="
+      xpack.security.authenticate: {}