Username validation for special characters

[rutuja-amazon]

Add username validation:

• Username should not include special characters

[shikharj05]

Thank you for the change. Can you add tests as well?

[rutuja-amazon]

Added unit tests.

[cwperks]

@rutuja-amazon Should I add any backport labels to this PR?

[cliu123]

Is this test case specifically related to this fix? If yes, why isn't it also HttpStatus.SC_BAD_REQUEST.

[rutuja-amazon]

Yes, we need to updated all test cases that use special characters in username to now fail at creation

[cliu123]

Agreed. Then shouldn't this PUT request with special characters in username get HttpStatus.SC_BAD_REQUEST, which would be consistent with the fix?

[rutuja-amazon]

Sounds good, updated to HttpStatus.SC_BAD_REQUEST.

[shikharj05]

I think . should be allowed

[rutuja-amazon]

Permitted .. Do we also allow @ in username?

[DarshitChanpura]

@ shouldn't be allowed and only one . should be allowed. Thoughts? @cwperks @peternied @davidlago

[rutuja-amazon]

Do we also allow -, _ and @ along with .? Please suggest.
In the current fix I have permitted the four special characters above.

[codecov-commenter]

Codecov Report

Merging #2277 (3e552a9) into main (7cad5e4) will increase coverage by 0.01%.
The diff coverage is 100.00%.

@@             Coverage Diff              @@
##               main    #2277      +/-   ##
============================================
+ Coverage     61.05%   61.07%   +0.01%     
  Complexity     3270     3270              
============================================
  Files           259      260       +1     
  Lines         18337    18369      +32     
  Branches       3248     3251       +3     
============================================
+ Hits          11196    11219      +23     
- Misses         5555     5563       +8     
- Partials       1586     1587       +1     

Impacted Files	Coverage Δ
...security/dlic/rest/api/InternalUsersApiAction.java	83.78% <100.00%> (+1.43%)	⬆️
...ecurity/configuration/ConfigurationRepository.java	72.13% <0.00%> (-2.19%)	⬇️
.../dlic/auth/ldap2/LDAPConnectionFactoryFactory.java	57.46% <0.00%> (-1.50%)	⬇️
...iance/ComplianceIndexingOperationListenerImpl.java	61.76% <0.00%> (-1.48%)	⬇️
...arch/security/ssl/OpenSearchSecuritySSLPlugin.java	78.82% <0.00%> (-1.29%)	⬇️
...ensearch/security/ssl/DefaultSecurityKeyStore.java	67.28% <0.00%> (-0.55%)	⬇️
...amazon/dlic/util/SettingsBasedSSLConfigurator.java	62.30% <0.00%> (ø)
...opensearch/security/auditlog/sink/WebhookSink.java	76.74% <0.00%> (ø)
...opensearch/security/ssl/util/SSLRequestHelper.java	65.71% <0.00%> (ø)
...ensearch/security/ssl/util/SSLConfigConstants.java	77.77% <0.00%> (ø)
... and 4 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[peternied]

This change impacts forward combability as username might have been viable in older versions of OpenSearch that will no longer work.

[peternied]

Username should not include special characters

Why not, are there bugs associated with these characters?

[rutuja-amazon]

permitting special characters results in security risk & vulnerabilities.

[peternied]

Thanks for looking out for issues of this nature, could you be more specific as to the risks associated with individual characters? I am reticent to limit these usernames without cause.

If there is an issue please follow our reporting process [1] also quoted below.

Reporting a Vulnerability

If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

[1] https://github.com/opensearch-project/security/security/policy

[peternied]

Added more details on the main thread #2277 (comment)

[rutuja-amazon]

Requesting addition of backport labels @cwperks

[DarshitChanpura]

@rutuja-amazon which branches would you like this change to be backported to?

[peternied]

@rutuja-amazon Since this is change is based on a LOW security finding we should discuss everything in the public on this pull request. Pulling in the context from our internal threads:

Bug

Repro

Create two users through the dashboards create internal user:

• username: hello password: world:a_great_day
• username: hello:world password: a_great_day

Attempt to logging to login via basic auth into both accounts
curl -k -s https://hello:world:a_great_day@localhost:9200/_plugins/_security/api/account | jq
curl -k -s https://hello:world:a_great_day@localhost:9200/_plugins/_security/api/account | jq (Both are the same!)

You cannot login as the user hello:world.

Additional details

Note; this is expected as the username cannot contain a colon [1].

As per CVSS rating (3.1), it's been categorized as LOW risk.

[1] https://stackoverflow.com/questions/11612854/http-https-basic-authentication-colon-in-username

For the moment, lets block only the colon character.

[peternied]

@rutuja-amazon I've created rutuja-amazon#1, if you merge that pull request into this change we can get this issue fixed, what do you think?

[rutuja-amazon]

@rutuja-amazon I've created rutuja-amazon#1, if you merge that pull request into this change we can get this issue fixed, what do you think?

Issue is with other special characters as well, as discussed offline

[peternied]

I've created an issue to track the set of special characters that should be included or not, and at this time the only exclusion that seems justified is colon :. Please feel free to discuss on the issue, but as this pull request stands its too restrictive without justification for me approve and merge.

• Block user create with certain characters/strings #2309

[rutuja-amazon]

Updated PR to only allow : for this use-case. Requesting merging this PR with backported labels.

[cwperks]

The changes look good to me, once the code hygiene check is fixed I will approve this PR.

[peternied]

The changes look good to me, once the code hygiene check is fixed I will approve this PR.

I'll take care of this to help get this merged more quickly...

[peternied]

Note; CI / build-artifact-names (pull_request) will fail because this hasn't merged the latest from main, and I'm am attempting to avoid rebasing these changes.

[peternied]

Failing CI check is known fixed in main, merging!

[opensearch-trigger-bot]

The backport to 1.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-1.x 1.x
# Navigate to the new working tree
cd .worktrees/backport-1.x
# Create a new branch
git switch --create backport/backport-2277-to-1.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 efbc48b405ff6ff372c4821aa15c53fc50a409a3
# Push it to GitHub
git push --set-upstream origin backport/backport-2277-to-1.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-1.x

Then, create a pull request where the base branch is 1.x and the compare/head branch is backport/backport-2277-to-1.x.

[opensearch-trigger-bot]

The backport to 1.3 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-1.3 1.3
# Navigate to the new working tree
cd .worktrees/backport-1.3
# Create a new branch
git switch --create backport/backport-2277-to-1.3
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 efbc48b405ff6ff372c4821aa15c53fc50a409a3
# Push it to GitHub
git push --set-upstream origin backport/backport-2277-to-1.3
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-1.3

Then, create a pull request where the base branch is 1.3 and the compare/head branch is backport/backport-2277-to-1.3.