Log password requirement details in demo environment (opensearch-proj…

…ect#4071) Signed-off-by: Cameron Durham <u64.cam@gmail.com>
dlin2028 · May 1, 2024 · 57adb29 · 57adb29
1 parent 4a7270c
commit 57adb29
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 7 deletions.
diff --git a/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java b/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java
@@ -76,6 +76,7 @@ public class SecuritySettingsConfigurer {
         ".plugins-flow-framework-templates",
         ".plugins-flow-framework-state"
     );
+    static final Integer DEFAULT_PASSWORD_MIN_LENGTH = 8;
     static String ADMIN_PASSWORD = "";
     static String ADMIN_USERNAME = "admin";
 
@@ -131,7 +132,7 @@ void updateAdminPassword() {
             final PasswordValidator passwordValidator = PasswordValidator.of(
                 Settings.builder()
                     .put(SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX, "(?=.*[A-Z])(?=.*[^a-zA-Z\\\\d])(?=.*[0-9])(?=.*[a-z]).{8,}")
-                    .put(SECURITY_RESTAPI_PASSWORD_MIN_LENGTH, 8)
+                    .put(SECURITY_RESTAPI_PASSWORD_MIN_LENGTH, DEFAULT_PASSWORD_MIN_LENGTH)
                     .build()
             );
 
@@ -142,11 +143,19 @@ void updateAdminPassword() {
             }
 
             // If script execution environment is set to demo, validate custom password, else if set to test, skip validation
-            if (shouldValidatePassword
-                && !ADMIN_PASSWORD.isEmpty()
-                && passwordValidator.validate(ADMIN_USERNAME, ADMIN_PASSWORD) != RequestContentValidator.ValidationError.NONE) {
-                System.out.println("Password " + ADMIN_PASSWORD + " is weak. Please re-try with a stronger password.");
-                System.exit(-1);
+            if (shouldValidatePassword && !ADMIN_PASSWORD.isEmpty()) {
+                RequestContentValidator.ValidationError response = passwordValidator.validate(ADMIN_USERNAME, ADMIN_PASSWORD);
+                if (!RequestContentValidator.ValidationError.NONE.equals(response)) {
+                    System.out.println(
+                        String.format(
+                            "Password %s failed validation: \"%s\". Please re-try with a minimum %d character password and must contain at least one uppercase letter, one lowercase letter, one digit, and one special character that is strong. Password strength can be tested here: https://lowe.github.io/tryzxcvbn",
+                            ADMIN_PASSWORD,
+                            response.message(),
+                            DEFAULT_PASSWORD_MIN_LENGTH
+                        )
+                    );
+                    System.exit(-1);
+                }
             }
 
             // if ADMIN_PASSWORD is still an empty string, it implies no custom password was provided. We exit the setup.

diff --git a/src/test/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurerTests.java b/src/test/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurerTests.java
@@ -37,6 +37,9 @@
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.is;
+import static org.opensearch.security.dlic.rest.validation.RequestContentValidator.ValidationError.INVALID_PASSWORD_INVALID_REGEX;
+import static org.opensearch.security.dlic.rest.validation.RequestContentValidator.ValidationError.INVALID_PASSWORD_TOO_SHORT;
+import static org.opensearch.security.tools.democonfig.SecuritySettingsConfigurer.DEFAULT_PASSWORD_MIN_LENGTH;
 import static org.opensearch.security.tools.democonfig.SecuritySettingsConfigurer.REST_ENABLED_ROLES;
 import static org.opensearch.security.tools.democonfig.SecuritySettingsConfigurer.SYSTEM_INDICES;
 import static org.opensearch.security.tools.democonfig.SecuritySettingsConfigurer.isKeyPresentInYMLFile;
@@ -55,6 +58,9 @@ public class SecuritySettingsConfigurerTests {
 
     private final String adminPasswordKey = ConfigConstants.OPENSEARCH_INITIAL_ADMIN_PASSWORD;
 
+    private static final String PASSWORD_VALIDATION_FAILURE_MESSAGE =
+        "Password %s failed validation: \"%s\". Please re-try with a minimum %d character password and must contain at least one uppercase letter, one lowercase letter, one digit, and one special character that is strong. Password strength can be tested here: https://lowe.github.io/tryzxcvbn";
+
     private static SecuritySettingsConfigurer securitySettingsConfigurer;
 
     private static Installer installer;
@@ -125,7 +131,32 @@ public void testUpdateAdminPasswordWithWeakPassword() throws NoSuchFieldExceptio
             System.setSecurityManager(null);
         }
 
-        verifyStdOutContainsString("Password weakpassword is weak. Please re-try with a stronger password.");
+        verifyStdOutContainsString(
+            String.format(
+                PASSWORD_VALIDATION_FAILURE_MESSAGE,
+                "weakpassword",
+                INVALID_PASSWORD_INVALID_REGEX.message(),
+                DEFAULT_PASSWORD_MIN_LENGTH
+            )
+        );
+    }
+
+    @Test
+    public void testUpdateAdminPasswordWithShortPassword() throws NoSuchFieldException, IllegalAccessException {
+
+        setEnv(adminPasswordKey, "short");
+        try {
+            System.setSecurityManager(new NoExitSecurityManager());
+            securitySettingsConfigurer.updateAdminPassword();
+        } catch (SecurityException e) {
+            assertThat(e.getMessage(), equalTo("System.exit(-1) blocked to allow print statement testing."));
+        } finally {
+            System.setSecurityManager(null);
+        }
+
+        verifyStdOutContainsString(
+            String.format(PASSWORD_VALIDATION_FAILURE_MESSAGE, "short", INVALID_PASSWORD_TOO_SHORT.message(), DEFAULT_PASSWORD_MIN_LENGTH)
+        );
     }
 
     @Test