From d207161143eeab933d58961b34dbc7326388c722 Mon Sep 17 00:00:00 2001
From: Rutuja Surve <rutuja@amazon.com>
Date: Fri, 25 Nov 2022 15:38:29 +0530
Subject: [PATCH] username validation for special chars

Signed-off-by: Rutuja Surve <rutuja@amazon.com>
---
 .../dlic/rest/api/InternalUsersApiAction.java |  7 +++++++
 .../security/dlic/rest/api/UserApiTest.java   | 20 +++++++++++++++----
 2 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/InternalUsersApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/InternalUsersApiAction.java
index dbf1a0e800..50a2d35b32 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/InternalUsersApiAction.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/InternalUsersApiAction.java
@@ -14,6 +14,7 @@
 import java.io.IOException;
 import java.nio.file.Path;
 import java.util.List;
+import java.util.regex.Pattern;
 
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.node.ObjectNode;
@@ -93,6 +94,12 @@ protected void handlePut(RestChannel channel, final RestRequest request, final C
             return;
         }
 
+        Pattern usernamePattern = Pattern.compile("[$&+,:;=\\\\?@#|/'<>.^*()%!-]");
+        if (usernamePattern.matcher(username).find()) {
+            badRequestResponse(channel, "Username has special characters, not permitted.");
+            return;
+        }
+
         // TODO it might be sensible to consolidate this with the overridden method in
         // order to minimize duplicated logic
 
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/UserApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/UserApiTest.java
index 715c256cb7..5312eb7f17 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/UserApiTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/UserApiTest.java
@@ -133,6 +133,10 @@ public void testUserApi() throws Exception {
         response = rh.executePutRequest(ENDPOINT + "/internalusers/", "{\"hash\": \"123\"}", new Header[0]);
         Assert.assertEquals(HttpStatus.SC_METHOD_NOT_ALLOWED, response.getStatusCode());
 
+        // username has special characters
+        response = rh.executePutRequest(ENDPOINT + "/internalusers/n@ag:ilum", "{\"hash\": \"123\"}", new Header[0]);
+        Assert.assertEquals(HttpStatus.SC_METHOD_NOT_ALLOWED, response.getStatusCode());
+
         // Faulty JSON payload
         response = rh.executePutRequest(ENDPOINT + "/internalusers/nagilum", "{some: \"thing\" asd  other: \"thing\"}",
                 new Header[0]);
@@ -401,7 +405,8 @@ public void testUserApi() throws Exception {
         Assert.assertTrue(roles.contains("starfleet"));
         Assert.assertTrue(roles.contains("captains"));
 
-        addUserWithPassword("$1aAAAAAAAAC", "$1aAAAAAAAAC", HttpStatus.SC_CREATED);
+        addUserWithPassword("$1aAAAAAAAAC", "$1aAAAAAAAAC", HttpStatus.SC_BAD_REQUEST);
+        addUserWithPassword("1aAAAAAAAAC", "$1aAAAAAAAAC", HttpStatus.SC_CREATED);
         addUserWithPassword("abc", "abc", HttpStatus.SC_CREATED);
 
 
@@ -468,7 +473,7 @@ public void testPasswordRules() throws Exception {
         addUserWithPassword("$1aAAAAAAAac", "$1aAAAAAAAAC", HttpStatus.SC_BAD_REQUEST);
         addUserWithPassword(URLEncoder.encode("$1aAAAAAAAac%", "UTF-8"), "$1aAAAAAAAAC%", HttpStatus.SC_BAD_REQUEST);
         addUserWithPassword(URLEncoder.encode("$1aAAAAAAAac%!=\"/\\;:test&~@^", "UTF-8").replace("+", "%2B"), "$1aAAAAAAAac%!=\\\"/\\\\;:test&~@^", HttpStatus.SC_BAD_REQUEST);
-        addUserWithPassword(URLEncoder.encode("$1aAAAAAAAac%!=\"/\\;: test&", "UTF-8"), "$1aAAAAAAAac%!=\\\"/\\\\;: test&123", HttpStatus.SC_CREATED);
+        addUserWithPassword(URLEncoder.encode("$1aAAAAAAAac%!=\"/\\;: test&", "UTF-8"), "$1aAAAAAAAac%!=\\\"/\\\\;: test&123", HttpStatus.SC_BAD_REQUEST);
 
         response = rh.executeGetRequest(PLUGINS_PREFIX + "/api/internalusers/nothinghthere?pretty", new Header[0]);
         Assert.assertEquals(HttpStatus.SC_NOT_FOUND, response.getStatusCode());
@@ -514,16 +519,23 @@ public void testUserApiWithDots() throws Exception {
         Assert.assertEquals(56, settings.size());
 
         addUserWithPassword(".my.dotuser0", "$2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m",
-                HttpStatus.SC_CREATED);
+                HttpStatus.SC_BAD_REQUEST);
 
         addUserWithPassword(".my.dot.user0", "12345678",
+                HttpStatus.SC_BAD_REQUEST);
+
+        addUserWithPassword("mydotuser0", "12345678",
                 HttpStatus.SC_CREATED);
 
         addUserWithHash(".my.dotuser1", "$2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m",
+                HttpStatus.SC_BAD_REQUEST);
+
+
+        addUserWithHash("mydotuser1", "$2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m",
                 HttpStatus.SC_CREATED);
 
         addUserWithPassword(".my.dot.user2", "12345678",
-                HttpStatus.SC_CREATED);
+                HttpStatus.SC_BAD_REQUEST);
 
     }