From 4c2fbcf4c3481b944db28705dc3d346aada6a97a Mon Sep 17 00:00:00 2001
From: Jason Tedor
Date: Wed, 25 Jul 2018 20:57:03 -0400
Subject: [PATCH] Only enforce password hashing check if FIPS enabled (#32383)

This commit modifies the FIPS password hashing algorithm check to only be executed if FIPS mode is enabled.
---
 ...asswordHashingAlgorithmBootstrapCheck.java | 18 +++----
 ...rdHashingAlgorithmBootstrapCheckTests.java | 54 ++++++++++++++-----
 2 files changed, 49 insertions(+), 23 deletions(-)

diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/FIPS140PasswordHashingAlgorithmBootstrapCheck.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/FIPS140PasswordHashingAlgorithmBootstrapCheck.java
index 7f6d799cf5a8e..57e12a211a38d 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/FIPS140PasswordHashingAlgorithmBootstrapCheck.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/FIPS140PasswordHashingAlgorithmBootstrapCheck.java
@@ -16,7 +16,7 @@ public class FIPS140PasswordHashingAlgorithmBootstrapCheck implements BootstrapC
 private final boolean fipsModeEnabled;
- FIPS140PasswordHashingAlgorithmBootstrapCheck(Settings settings) {
+ FIPS140PasswordHashingAlgorithmBootstrapCheck(final Settings settings) {
 this.fipsModeEnabled = Security.FIPS_MODE_ENABLED.get(settings);
 }
@@ -27,17 +27,15 @@ public class FIPS140PasswordHashingAlgorithmBootstrapCheck implements BootstrapC
 * @return the result of the bootstrap check
 */
 @Override
- public BootstrapCheckResult check(BootstrapContext context) {
- final String selectedAlgorithm = XPackSettings.PASSWORD_HASHING_ALGORITHM.get(context.settings);
- if (selectedAlgorithm.toLowerCase(Locale.ROOT).startsWith("pbkdf2") == false) {
- return BootstrapCheckResult.failure("Only PBKDF2 is allowed for password hashing in a FIPS-140 JVM. Please set the " +
- "appropriate value for [ " + XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey() + " ] setting.");
+ public BootstrapCheckResult check(final BootstrapContext context) {
+ if (fipsModeEnabled) {
+ final String selectedAlgorithm = XPackSettings.PASSWORD_HASHING_ALGORITHM.get(context.settings);
+ if (selectedAlgorithm.toLowerCase(Locale.ROOT).startsWith("pbkdf2") == false) {
+ return BootstrapCheckResult.failure("Only PBKDF2 is allowed for password hashing in a FIPS-140 JVM. Please set the " +
+ "appropriate value for [ " + XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey() + " ] setting.");
+ }
 }
 return BootstrapCheckResult.success();
 }
- @Override
- public boolean alwaysEnforce() {
- return fipsModeEnabled;
- }
 }
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/FIPS140PasswordHashingAlgorithmBootstrapCheckTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/FIPS140PasswordHashingAlgorithmBootstrapCheckTests.java
index 310a6e241e057..b424986876aa4 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/FIPS140PasswordHashingAlgorithmBootstrapCheckTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/FIPS140PasswordHashingAlgorithmBootstrapCheckTests.java
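Review bot: Removing the `alwaysEnforce()` override at the end of the `FIPS140PasswordHashingAlgorithmBootstrapCheck.java` hunk weakens the FIPS case as well as fixing the non-FIPS one. The override returned `fipsModeEnabled`, so a FIPS-enabled node always had this check enforced. Assuming the inherited `BootstrapCheck.alwaysEnforce()` default is false, a FIPS-enabled node on which bootstrap checks are not enforced can now start with a non-PBKDF2 password hash. The new `if (fipsModeEnabled)` guard already makes `check` a no-op outside FIPS mode, so the override can be kept as it was: `@Override public boolean alwaysEnforce() { return fipsModeEnabled; }`. The Javadoc of `check` begins outside the hunk; it should state that success is returned whenever FIPS mode is disabled.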
@@ -3,32 +3,60 @@
 * or more contributor license agreements. Licensed under the Elastic License;
 * you may not use this file except in compliance with the Elastic License.
 */
+
 package org.elasticsearch.xpack.security;
+import org.elasticsearch.bootstrap.BootstrapCheck;
 import org.elasticsearch.bootstrap.BootstrapContext;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.xpack.core.XPackSettings;
+import java.util.Arrays;
+
+import static org.hamcrest.Matchers.equalTo;
+
 public class FIPS140PasswordHashingAlgorithmBootstrapCheckTests extends ESTestCase {
 public void testPBKDF2AlgorithmIsAllowed() {
- Settings settings = Settings.builder().put("xpack.security.fips_mode.enabled", "true").build();
+ {
+ final Settings settings = Settings.builder()
+ .put(Security.FIPS_MODE_ENABLED.getKey(), true)
+ .put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), "PBKDF2_10000")
+ .build();
+ final BootstrapCheck.BootstrapCheckResult result =
+ new FIPS140PasswordHashingAlgorithmBootstrapCheck(settings).check(new BootstrapContext(settings, null));
+ assertFalse(result.isFailure());
+ }
- settings = Settings.builder().put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), "PBKDF2_10000").build();
- assertFalse(new FIPS140PasswordHashingAlgorithmBootstrapCheck(settings).check(new BootstrapContext(settings, null)).isFailure());
-
- settings = Settings.builder().put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), "PBKDF2").build();
- assertFalse(new FIPS140PasswordHashingAlgorithmBootstrapCheck(settings).check(new BootstrapContext(settings, null)).isFailure());
+ {
+ final Settings settings = Settings.builder()
+ .put(Security.FIPS_MODE_ENABLED.getKey(), true)
+ .put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), "PBKDF2")
+ .build();
+ final BootstrapCheck.BootstrapCheckResult result =
+ new FIPS140PasswordHashingAlgorithmBootstrapCheck(settings).check(new BootstrapContext(settings, null));
+ assertFalse(result.isFailure());
+ }
 }
- public void testBCRYPTAlgorithmIsNotAllowed() {
- Settings settings = Settings.builder().put("xpack.security.fips_mode.enabled", "true").build();
- assertTrue(new FIPS140PasswordHashingAlgorithmBootstrapCheck(settings).check(new BootstrapContext(settings, null)).isFailure());
- settings = Settings.builder().put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), "BCRYPT").build();
- assertTrue(new FIPS140PasswordHashingAlgorithmBootstrapCheck(settings).check(new BootstrapContext(settings, null)).isFailure());
+ public void testBCRYPTAlgorithmDependsOnFipsMode() {
+ for (final Boolean fipsModeEnabled : Arrays.asList(true, false)) {
+ for (final String passwordHashingAlgorithm : Arrays.asList(null, "BCRYPT", "BCRYPT11")) {
+ runBCRYPTTest(fipsModeEnabled, passwordHashingAlgorithm);
+ }
+ }
+ }
- settings = Settings.builder().put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), "BCRYPT11").build();
- assertTrue(new FIPS140PasswordHashingAlgorithmBootstrapCheck(settings).check(new BootstrapContext(settings, null)).isFailure());
+ private void runBCRYPTTest(final boolean fipsModeEnabled, final String passwordHashingAlgorithm) {
+ final Settings.Builder builder = Settings.builder().put(Security.FIPS_MODE_ENABLED.getKey(), fipsModeEnabled);
+ if (passwordHashingAlgorithm != null) {
+ builder.put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), passwordHashingAlgorithm);
+ }
+ final Settings settings = builder.build();
+ final BootstrapCheck.BootstrapCheckResult result =
+ new FIPS140PasswordHashingAlgorithmBootstrapCheck(settings).check(new BootstrapContext(settings, null));
+ assertThat(result.isFailure(), equalTo(fipsModeEnabled));
 }
+
 }
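Review bot: In `testBCRYPTAlgorithmDependsOnFipsMode` the `null` entry of `Arrays.asList(null, "BCRYPT", "BCRYPT11")` is undocumented, although `runBCRYPTTest` treats it as "leave the setting unset". That case therefore expects a failure in FIPS mode only while the default of `XPackSettings.PASSWORD_HASHING_ALGORITHM` is a non-PBKDF2 algorithm, which the test never states. A comment above the list would make the dependency explicit, for example `// null: setting left unset, so the default hashing algorithm is what gets checked`. The failure cases also assert only `isFailure()`; checking that the message contains `XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey()` would pin the operator-facing text that tells an admin which setting to change.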