diff --git a/src/main/java/org/opensearch/security/user/UserService.java b/src/main/java/org/opensearch/security/user/UserService.java index 67170a2453..7c1c643739 100644 --- a/src/main/java/org/opensearch/security/user/UserService.java +++ b/src/main/java/org/opensearch/security/user/UserService.java @@ -12,7 +12,7 @@ package org.opensearch.security.user; import java.io.IOException; -import java.nio.charset.Charset; +import java.nio.charset.StandardCharsets; import java.util.Base64; import java.util.Collections; import java.util.List; @@ -111,7 +111,6 @@ protected final SecurityDynamicConfiguration load(final CType config, boolean */ public SecurityDynamicConfiguration createOrUpdateAccount(ObjectNode contentAsNode) throws IOException { - SecurityJsonNode securityJsonNode = new SecurityJsonNode(contentAsNode); final SecurityDynamicConfiguration internalUsersConfiguration = load(getUserConfigName(), false); @@ -121,7 +120,8 @@ public SecurityDynamicConfiguration createOrUpdateAccount(ObjectNode contentA throw new UserServiceException(NO_ACCOUNT_NAME_MESSAGE); } - if (!securityJsonNode.get("attributes").get("owner").isNull() && !securityJsonNode.get("attributes").get("owner").asString().equals(accountName)) { // If this is a service account + if (!securityJsonNode.get("attributes").get("isService").isNull() && securityJsonNode.get("attributes").get("isService").asString().equalsIgnoreCase("true")) + { // If this is a service account verifyServiceAccount(securityJsonNode, accountName); String password = generatePassword(); contentAsNode.put("hash", hash(password.toCharArray())); 
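Review bot: In the `@@ -121,7 +120,8 @@` hunk the service-account branch is now selected only by a caller-supplied `attributes.isService` string. A create or update request that omits the attribute therefore takes the regular-account path and never reaches `verifyServiceAccount`. Whether an existing service account can be turned into a password-bearing account this way is not visible here, so it should be confirmed and covered by a test. The node is also looked up twice and the opening brace has moved to its own line, unlike the rest of the method. Reading it once with a constant-first comparison is tidier and does not depend on `asString()` being non-null: `final SecurityJsonNode isService = securityJsonNode.get("attributes").get("isService");` then `if (!isService.isNull() && "true".equalsIgnoreCase(isService.asString())) {`. The body of `createOrUpdateAccount` continues outside the hunk.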
@@ -146,6 +146,10 @@ public SecurityDynamicConfiguration createOrUpdateAccount(ObjectNode contentA contentAsNode.remove("password"); } + if (!securityJsonNode.get("attributes").get("isEnabled").isNull()) { + contentAsNode.put("isEnabled", securityJsonNode.get("isEnabled").asString()); + } + final boolean userExisted = internalUsersConfiguration.exists(accountName); // sanity checks, hash is mandatory for newly created users @@ -238,7 +242,7 @@ public String generateAuthToken(String accountName) throws IOException { saveAndUpdateConfigs(getUserConfigName().toString(), client, CType.INTERNALUSERS, internalUsersConfiguration); - authToken = Base64.getUrlEncoder().encodeToString((accountName + ":" + plainTextPassword).getBytes(Charset.forName("UTF-8"))); + authToken = Base64.getUrlEncoder().encodeToString((accountName + ":" + plainTextPassword).getBytes(StandardCharsets.UTF_8)); return authToken; } catch (JsonProcessingException ex) { diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/UserApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/UserApiTest.java index a22e37856e..9818226b09 100644 --- a/src/test/java/org/opensearch/security/dlic/rest/api/UserApiTest.java +++ b/src/test/java/org/opensearch/security/dlic/rest/api/UserApiTest.java 
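Review bot: In the `@@ -146,6 +146,10 @@` hunk the guard tests `attributes.isEnabled`, but the value written comes from the top-level `securityJsonNode.get("isEnabled")`. A body that sets the flag only under `attributes`, as the UserApiTest fixtures do, stores whatever `asString()` yields for a missing node rather than the requested value. For a flag intended to disable an account, that means a requested `"false"` may never be persisted. Read the node that was checked: `contentAsNode.put("isEnabled", securityJsonNode.get("attributes").get("isEnabled").asString());`. The string is also copied without checking that it is `true` or `false`; whether later validation rejects other values is not visible in this hunk, and `createOrUpdateAccount` continues outside it.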
@@ -45,28 +45,28 @@ protected String getEndpointPrefix() { private static final String ENABLED_SERVICE_ACCOUNT_BODY = "{" - + " \"attributes\": { \"owner\": \"test_owner\", " + + " \"attributes\": { \"isService\": \"true\", " + "\"isEnabled\": \"true\"}" + " }\n"; private static final String DISABLED_SERVICE_ACCOUNT_BODY = "{" - + " \"attributes\": { \"owner\": \"test_owner\", " + + " \"attributes\": { \"isService\": \"true\", " + "\"isEnabled\": \"false\"}" + " }\n"; private static final String ENABLED_NOT_SERVICE_ACCOUNT_BODY = "{" - + " \"attributes\": { \"owner\": \"user_is_owner_1\", " + + " \"attributes\": { \"isService\": \"false\", " + "\"isEnabled\": \"true\"}" + " }\n"; private static final String PASSWORD_SERVICE = "{ \"password\" : \"test\"," - + " \"attributes\": { \"owner\": \"test_owner\", " + + " \"attributes\": { \"isService\": \"true\", " + "\"isEnabled\": \"true\"}" + " }\n"; private static final String HASH_SERVICE = "{ \"owner\" : \"test_owner\"," - + " \"attributes\": { \"owner\": \"test_owner\", " + + " \"attributes\": { \"isService\": \"true\", " + "\"isEnabled\": \"true\"}" + " }\n"; private static final String PASSWORD_HASH_SERVICE = "{ \"password\" : \"test\", \"hash\" : \"123\"," - + " \"attributes\": { \"owner\": \"test_owner\", " + + " \"attributes\": { \"isService\": \"true\", " + "\"isEnabled\": \"true\"}" + " }\n"; 
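Review bot: `HASH_SERVICE` still begins with a top-level `\"owner\" : \"test_owner\"` key and carries no `hash` field, so a test using it to show that a service account may not supply a hash would not be sending one. Now that `owner` no longer drives the service-account decision, the leftover key looks unintended. If the constant is meant to mirror `PASSWORD_HASH_SERVICE`, its first line should read `"{ \"hash\" : \"123\","`. The usages of these constants are outside the hunk, so confirm against the tests that reference them. No fixture here omits `isService` or places `isEnabled` at the top level, which are the two request shapes the new UserService code treats differently.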
@@ -87,7 +87,7 @@ public void testSecurityRoles() throws Exception { .executeGetRequest(ENDPOINT + "/" + CType.INTERNALUSERS.toLCString()); Assert.assertEquals(response.getBody(), HttpStatus.SC_OK, response.getStatusCode()); Settings settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); - Assert.assertEquals(133, settings.size()); + Assert.assertEquals(171, settings.size()); response = rh.executePatchRequest(ENDPOINT + "/internalusers", "[{ \"op\": \"add\", \"path\": \"/newuser\", \"value\": {\"password\": \"newuser\", \"opendistro_security_roles\": [\"opendistro_security_all_access\"] } }]", new Header[0]); Assert.assertEquals(response.getBody(), HttpStatus.SC_OK, response.getStatusCode()); @@ -137,7 +137,7 @@ public void testUserApi() throws Exception { HttpResponse response = rh.executeGetRequest(ENDPOINT + "/" + CType.INTERNALUSERS.toLCString()); Assert.assertEquals(response.getBody(), HttpStatus.SC_OK, response.getStatusCode()); Settings settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); - Assert.assertEquals(133, settings.size()); + Assert.assertEquals(171, settings.size()); verifyGet(); verifyPut(); verifyPatch(true); @@ -152,7 +152,7 @@ private void verifyGet(final Header... header) throws Exception { HttpResponse response = rh.executeGetRequest(ENDPOINT + "/internalusers/admin", header); Assert.assertEquals(response.getBody(), HttpStatus.SC_OK, response.getStatusCode()); Settings settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); - Assert.assertEquals(7, settings.size()); + Assert.assertEquals(9, settings.size()); // hash must be filtered Assert.assertEquals("", settings.get("admin.hash")); 
@@ -538,7 +538,7 @@ public void testUserApiWithRestAdminPermissions() throws Exception { HttpResponse response = rh.executeGetRequest(ENDPOINT + "/" + CType.INTERNALUSERS.toLCString(), restApiAdminHeader); Assert.assertEquals(response.getBody(), HttpStatus.SC_OK, response.getStatusCode()); Settings settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); - Assert.assertEquals(133, settings.size()); + Assert.assertEquals(171, settings.size()); verifyGet(restApiAdminHeader); verifyPut(restApiAdminHeader); verifyPatch(false, restApiAdminHeader); @@ -556,7 +556,7 @@ public void testUserApiWithRestInternalUsersAdminPermissions() throws Exception HttpResponse response = rh.executeGetRequest(ENDPOINT + "/" + CType.INTERNALUSERS.toLCString(), restApiInternalUsersAdminHeader); Assert.assertEquals(response.getBody(), HttpStatus.SC_OK, response.getStatusCode()); Settings settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); - Assert.assertEquals(133, settings.size()); + Assert.assertEquals(171, settings.size()); verifyGet(restApiInternalUsersAdminHeader); verifyPut(restApiInternalUsersAdminHeader); verifyPatch(false, restApiInternalUsersAdminHeader); @@ -585,7 +585,7 @@ public void testPasswordRules() throws Exception { .executeGetRequest("_plugins/_security/api/" + CType.INTERNALUSERS.toLCString()); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); Settings settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); - Assert.assertEquals(133, settings.size()); + Assert.assertEquals(171, settings.size()); addUserWithPassword("tooshoort", "", HttpStatus.SC_BAD_REQUEST); addUserWithPassword("tooshoort", "123", HttpStatus.SC_BAD_REQUEST); 
@@ -665,7 +665,7 @@ public void testUserApiWithDots() throws Exception { .executeGetRequest(ENDPOINT + "/" + CType.INTERNALUSERS.toLCString()); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); Settings settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build(); - Assert.assertEquals(133, settings.size()); + Assert.assertEquals(171, settings.size()); addUserWithPassword(".my.dotuser0", "$2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m", HttpStatus.SC_CREATED);