store hashed basic http credentials

Author: sscarduzio

CHANGELOG.md

@@ -4,8 +4,9 @@
 
 
 ## Unreleased
-
-> 2016-09-06 :new: v1.10.0: SSL support   
+> 2016-09-06 :new: v1.10.0: 
+* SSL support: prevent basic HTTP Auth credential sniffing.
+* ```auth_key_sha1``` store hashed basic HTTP auth credentials in configuration file. 
 
 ## Released
 

src/main/java/org/elasticsearch/plugin/readonlyrest/acl/blocks/Block.java

@@ -72,6 +72,10 @@ public Block(Settings s, ESLogger logger) {
       conditionsToCheck.add(new ActionsRule(s));
     } catch (RuleNotConfiguredException e) {
     }
+    try {
+      conditionsToCheck.add(new AuthKeySha1Rule(s));
+    } catch (RuleNotConfiguredException e) {
+    }
   }
 
   public String getName() {

src/main/java/org/elasticsearch/plugin/readonlyrest/acl/blocks/rules/impl/AuthKeyRule.java

@@ -18,7 +18,7 @@
 public class AuthKeyRule extends Rule {
   private final static ESLogger logger = Loggers.getLogger(AuthKeyRule.class);
 
-  private String authKey;
+  protected String authKey;
 
   public AuthKeyRule(Settings s) throws RuleNotConfiguredException {
     super(s);
@@ -30,7 +30,6 @@ public AuthKeyRule(Settings s) throws RuleNotConfiguredException {
     else {
       throw new RuleNotConfiguredException();
     }
-
   }
 
   // Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
@@ -65,6 +64,10 @@ public RuleExitResult match(RequestContext rc) {
       return NO_MATCH;
     }
 
-    return authKey.equals(authHeader) ? MATCH : NO_MATCH;
+    return checkEqual(authHeader) ? MATCH : NO_MATCH;
+  }
+
+  protected boolean checkEqual(String provided) {
+    return authKey.equals(provided);
   }
-}
+}

src/main/java/org/elasticsearch/plugin/readonlyrest/acl/blocks/rules/impl/AuthKeySha1Rule.java

@@ -0,0 +1,40 @@
+package org.elasticsearch.plugin.readonlyrest.acl.blocks.rules.impl;
+
+import com.google.common.base.Charsets;
+import com.google.common.hash.Hashing;
+import org.elasticsearch.ElasticsearchParseException;
+import org.elasticsearch.common.Base64;
+import org.elasticsearch.common.logging.ESLogger;
+import org.elasticsearch.common.logging.Loggers;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.plugin.readonlyrest.acl.blocks.rules.RuleNotConfiguredException;
+
+import java.io.IOException;
+
+/**
+ * Created by sscarduzio on 13/02/2016.
+ */
+public class AuthKeySha1Rule extends AuthKeyRule {
+
+  private final static ESLogger logger = Loggers.getLogger(AuthKeySha1Rule.class);
+
+  public AuthKeySha1Rule(Settings s) throws RuleNotConfiguredException {
+    super(s);
+    try {
+      authKey = new String(Base64.decode(authKey),Charsets.UTF_8);
+    } catch (IOException e) {
+      throw new ElasticsearchParseException("cannot parse configuration for: " + this.KEY);
+    }
+  }
+
+  @Override
+  protected boolean checkEqual(String provided) {
+    try {
+      String decodedProvided = new String(Base64.decode(provided), Charsets.UTF_8);
+      String shaProvided = Hashing.sha1().hashString(decodedProvided, Charsets.UTF_8).toString();
+      return authKey.equals(shaProvided);
+    } catch (IOException e) {
+      return false;
+    }
+  }
+}

src/test/java/org/elasticsearch/rest/action/readonlyrest/acl/test/ACLTest.java

@@ -171,6 +171,15 @@ public final void testHttpBasicAuth() throws Throwable {
     assertTrue(res.getBlock().getPolicy() == Block.Policy.ALLOW);
     assertEquals(res.getBlock().getName(), "2");
   }
+  @Test
+  public final void testSHA1HttpBasicAuth() throws Throwable {
+    String secret64 = Base64.encodeBytes("sha1configured:p455wd".getBytes(Charsets.UTF_8));
+    RequestContext rc = mockReq("/index1/_search?q=item.getName():fishingpole&size=200", "1.1.1.1", "", "Basic " + secret64, 0, Method.DELETE, null, null, null);
+    BlockExitResult res = acl.check(rc);
+    assertTrue(res.isMatch());
+    assertTrue(res.getBlock().getPolicy() == Block.Policy.ALLOW);
+    assertEquals(res.getBlock().getName(), "15");
+  }
 
   @Test
   public final void testXforwardedForHeader() throws Throwable {

src/test/test_rules.yml

@@ -99,5 +99,6 @@ readonlyrest:
       hosts: [1.1.1.2]
       indices: ["i1", "i2", "i3"]
 
-
-
+    - name: 15
+      type: allow
+      auth_key_sha1: a5aa590854b3806350b345ea154a52e3391aed32 #sha1configured:p455wd