Moved ValidatedPassword to Java

Author: andsel

logstash-core/lib/logstash/settings.rb

@@ -436,51 +436,51 @@ def validate(value)
     java_import org.logstash.settings.StringSetting
 
     java_import org.logstash.settings.NullableStringSetting
-
     java_import org.logstash.settings.PasswordSetting
+    ValidatedPassword = org.logstash.settings.ValidatedPasswordSetting
 
-    class ValidatedPassword < Setting::PasswordSetting
-      def initialize(name, value, password_policies)
-        @password_policies = password_policies
-        super(name, value, true)
-      end
-
-      def coerce(password)
-        if password && !password.kind_of?(::LogStash::Util::Password)
-          raise(ArgumentError, "Setting `#{name}` could not coerce LogStash::Util::Password value to password")
-        end
-
-        policies = build_password_policies
-        validatedResult = LogStash::Util::PasswordValidator.new(policies).validate(password.value)
-        if validatedResult.length() > 0
-          if @password_policies.fetch(:mode).eql?("WARN")
-            logger.warn("Password #{validatedResult}.")
-          else
-            raise(ArgumentError, "Password #{validatedResult}.")
-          end
-        end
-        password
-      end
-
-      def build_password_policies
-        policies = {}
-        policies[Util::PasswordPolicyType::EMPTY_STRING] = Util::PasswordPolicyParam.new
-        policies[Util::PasswordPolicyType::LENGTH] = Util::PasswordPolicyParam.new("MINIMUM_LENGTH", @password_policies.dig(:length, :minimum).to_s)
-        if @password_policies.dig(:include, :upper).eql?("REQUIRED")
-          policies[Util::PasswordPolicyType::UPPER_CASE] = Util::PasswordPolicyParam.new
-        end
-        if @password_policies.dig(:include, :lower).eql?("REQUIRED")
-          policies[Util::PasswordPolicyType::LOWER_CASE] = Util::PasswordPolicyParam.new
-        end
-        if @password_policies.dig(:include, :digit).eql?("REQUIRED")
-          policies[Util::PasswordPolicyType::DIGIT] = Util::PasswordPolicyParam.new
-        end
-        if @password_policies.dig(:include, :symbol).eql?("REQUIRED")
-          policies[Util::PasswordPolicyType::SYMBOL] = Util::PasswordPolicyParam.new
-        end
-        policies
-      end
-    end
+    # class ValidatedPassword < Setting::PasswordSetting
+    #   def initialize(name, value, password_policies)
+    #     @password_policies = password_policies
+    #     super(name, value, true)
+    #   end
+    #
+    #   def coerce(password)
+    #     if password && !password.kind_of?(::LogStash::Util::Password)
+    #       raise(ArgumentError, "Setting `#{name}` could not coerce LogStash::Util::Password value to password")
+    #     end
+    #
+    #     policies = build_password_policies
+    #     validatedResult = LogStash::Util::PasswordValidator.new(policies).validate(password.value)
+    #     if validatedResult.length() > 0
+    #       if @password_policies.fetch(:mode).eql?("WARN")
+    #         logger.warn("Password #{validatedResult}.")
+    #       else
+    #         raise(ArgumentError, "Password #{validatedResult}.")
+    #       end
+    #     end
+    #     password
+    #   end
+    #
+    #   def build_password_policies
+    #     policies = {}
+    #     policies[Util::PasswordPolicyType::EMPTY_STRING] = Util::PasswordPolicyParam.new
+    #     policies[Util::PasswordPolicyType::LENGTH] = Util::PasswordPolicyParam.new("MINIMUM_LENGTH", @password_policies.dig(:length, :minimum).to_s)
+    #     if @password_policies.dig(:include, :upper).eql?("REQUIRED")
+    #       policies[Util::PasswordPolicyType::UPPER_CASE] = Util::PasswordPolicyParam.new
+    #     end
+    #     if @password_policies.dig(:include, :lower).eql?("REQUIRED")
+    #       policies[Util::PasswordPolicyType::LOWER_CASE] = Util::PasswordPolicyParam.new
+    #     end
+    #     if @password_policies.dig(:include, :digit).eql?("REQUIRED")
+    #       policies[Util::PasswordPolicyType::DIGIT] = Util::PasswordPolicyParam.new
+    #     end
+    #     if @password_policies.dig(:include, :symbol).eql?("REQUIRED")
+    #       policies[Util::PasswordPolicyType::SYMBOL] = Util::PasswordPolicyParam.new
+    #     end
+    #     policies
+    #   end
+    # end
 
     # The CoercibleString allows user to enter any value which coerces to a String.
     # For example for true/false booleans; if the possible_strings are ["foo", "true", "false"]

logstash-core/spec/logstash/settings_spec.rb

@@ -284,14 +284,14 @@
       it "raises an error when supplied value is not LogStash::Util::Password" do
         expect {
           LogStash::Setting::ValidatedPassword.new("test.validated.password", "testPassword", password_policies)
-        }.to raise_error(ArgumentError, a_string_including("Setting `test.validated.password` could not coerce LogStash::Util::Password value to password"))
+        }.to raise_error(IllegalArgumentException, a_string_including("Setting `test.validated.password` could not coerce LogStash::Util::Password value to password"))
       end
 
       it "fails on validation" do
         password = LogStash::Util::Password.new("Password!")
         expect {
           LogStash::Setting::ValidatedPassword.new("test.validated.password", password, password_policies)
-        }.to raise_error(ArgumentError, a_string_including("Password must contain at least one digit between 0 and 9."))
+        }.to raise_error(IllegalArgumentException, a_string_including("Password must contain at least one digit between 0 and 9."))
       end
 
       it "validates the password successfully" do

logstash-core/src/main/java/org/logstash/settings/ValidatedPasswordSetting.java

@@ -0,0 +1,127 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *	http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.logstash.settings;
+
+import co.elastic.logstash.api.Password;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.jruby.RubySymbol;
+import org.logstash.RubyUtil;
+import org.logstash.secret.password.PasswordPolicyParam;
+import org.logstash.secret.password.PasswordPolicyType;
+import org.logstash.secret.password.PasswordValidator;
+
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+public class ValidatedPasswordSetting extends PasswordSetting {
+
+    private static final Logger LOGGER = LogManager.getLogger(ValidatedPasswordSetting.class);
+
+    private final Map<String, Object> passwordPolicies;
+
+    @SuppressWarnings("this-escape")
+    public ValidatedPasswordSetting(String name, Object defaultValue, Map<Object, Object> passwordPolicies) {
+        super(name, defaultValue, false); // this super doesn't call validate and coerce
+
+        this.passwordPolicies = convertKeyRubyLabelsToStrings(passwordPolicies);
+        Password coercedDefault = coerce(defaultValue);
+        validate(coercedDefault);
+        this.defaultValue = coercedDefault;
+    }
+
+    @SuppressWarnings("unchecked")
+    private Map<String, Object> convertKeyRubyLabelsToStrings(Map<Object, Object> passwordPolicies) {
+        Map<String, Object> result = new HashMap<>();
+        for (Map.Entry<Object, Object> entry : passwordPolicies.entrySet()) {
+            final String transformedKey = entry.getKey().toString();;
+            Object value = entry.getValue();
+            if (value instanceof Map) {
+                value = convertKeyRubyLabelsToStrings((Map<Object, Object>) value);
+            }
+            // TODO handle lists if needed ?
+            // TODO what if the value is a RubySymbol ?
+            result.put(transformedKey, value);
+        }
+        return result;
+    }
+
+    @Override
+    public Password coerce(Object password) {
+        if (password != null && !(password instanceof Password)) {
+            throw new IllegalArgumentException("Setting `" + getName() + "` could not coerce LogStash::Util::Password value to password");
+        }
+        LOGGER.info("Password policies: {}", passwordPolicies);
+        System.out.printf("Password policies: %s%n", passwordPolicies);
+        Map<PasswordPolicyType, PasswordPolicyParam> policies = buildPasswordPolicies();
+        String validatedResult = new PasswordValidator(policies).validate(((Password) password).getValue());
+
+        if (!validatedResult.isEmpty()) {
+            if ("WARN".equals(passwordPolicies.get("mode"))) {
+                LOGGER.warn("Password {}.", validatedResult);
+            } else {
+                throw new IllegalArgumentException("Password "+ validatedResult + ".");
+            }
+        }
+        return (Password) password;
+    }
+
+    private Map<PasswordPolicyType, PasswordPolicyParam> buildPasswordPolicies() {
+        Map<PasswordPolicyType, PasswordPolicyParam> policies = new HashMap<>();
+
+        policies.put(PasswordPolicyType.EMPTY_STRING, new PasswordPolicyParam());
+        Object minLengthPolicyValue = dig(passwordPolicies, "length", "minimum");
+
+        // in Ruby "nil.to_s" is "", so we do the same here
+        policies.put(PasswordPolicyType.LENGTH, new PasswordPolicyParam("MINIMUM_LENGTH",
+                minLengthPolicyValue != null? minLengthPolicyValue.toString() : ""));
+
+        if ("REQUIRED".equals(dig(passwordPolicies, "include", "upper"))) {
+            policies.put(PasswordPolicyType.UPPER_CASE, new PasswordPolicyParam());
+        }
+        if ("REQUIRED".equals(dig(passwordPolicies, "include", "lower"))) {
+            policies.put(PasswordPolicyType.LOWER_CASE, new PasswordPolicyParam());
+        }
+        if ("REQUIRED".equals(dig(passwordPolicies, "include", "digit"))) {
+            policies.put(PasswordPolicyType.DIGIT, new PasswordPolicyParam());
+        }
+        if ("REQUIRED".equals(dig(passwordPolicies, "include", "symbol"))) {
+            policies.put(PasswordPolicyType.SYMBOL, new PasswordPolicyParam());
+        }
+        return policies;
+    }
+
+    private static Object dig(Map<String, Object> map, String... path) {
+        Object current = map;
+        for (String key : path) {
+            if (!(current instanceof Map)) {
+                return null;
+            }
+            current = ((Map<?, ?>) current).get(key);
+            if (current == null) {
+                return null;
+            }
+        }
+        return current;
+    }
+
+
+}