Replace Bouncy Castle Blake2bDigest in MaskedField

Fix Blake2b generation by passing salt correctly Fix typo in comment Signed-off-by: Terry Quigley <[email protected]>
terryquigleysas · Apr 18, 2024 · 5a212f5 · 5a212f5
1 parent 9a85f23
commit 5a212f5
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 17 deletions.
diff --git a/build.gradle b/build.gradle
@@ -580,6 +580,7 @@ dependencies {
     implementation "org.bouncycastle:bcprov-jdk18on:${versions.bouncycastle}"
     implementation 'org.ldaptive:ldaptive:1.2.3'
     implementation 'com.nimbusds:nimbus-jose-jwt:9.37.3'
+    implementation 'com.rfksystems:blake2b:2.0.0'
 
     //JWT
     implementation "io.jsonwebtoken:jjwt-api:${jjwt_version}"

diff --git a/src/main/java/org/opensearch/security/configuration/MaskedField.java b/src/main/java/org/opensearch/security/configuration/MaskedField.java
@@ -21,9 +21,10 @@
 
 import com.google.common.base.Splitter;
 import org.apache.lucene.util.BytesRef;
-import org.bouncycastle.crypto.digests.Blake2bDigest;
 import org.bouncycastle.util.encoders.Hex;
 
+import com.rfksystems.blake2b.Blake2b;
+
 public class MaskedField {
 
     private final String name;
@@ -164,10 +165,10 @@ private String customHash(String in) {
     }
 
     private byte[] blake2bHash(byte[] in) {
-        final Blake2bDigest hash = new Blake2bDigest(null, 32, null, defaultSalt);
+        final Blake2b hash = new Blake2b(null, 32, defaultSalt, null);
         hash.update(in, 0, in.length);
         final byte[] out = new byte[hash.getDigestSize()];
-        hash.doFinal(out, 0);
+        hash.digest(out, 0);
         return Hex.encode(out);
     }
 

diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/FieldMaskedTest.java b/src/test/java/org/opensearch/security/dlic/dlsfls/FieldMaskedTest.java
@@ -151,9 +151,9 @@ public void testMaskedAggregationsRace() throws Exception {
         Assert.assertTrue(res.getBody().contains("200.100"));
         Assert.assertTrue(res.getBody().contains("\"doc_count\" : 30"));
         Assert.assertTrue(res.getBody().contains("\"doc_count\" : 1"));
-        Assert.assertFalse(res.getBody().contains("e1623afebfa505884e249a478640ec98094d19a72ac7a89dd0097e28955bb5ae"));
-        Assert.assertFalse(res.getBody().contains("26a8671e57fefc13504f8c61ced67ac98338261ace1e5bf462038b2f2caae16e"));
-        Assert.assertFalse(res.getBody().contains("87873bdb698e5f0f60e0b02b76dad1ec11b2787c628edbc95b7ff0e82274b140"));
+        Assert.assertFalse(res.getBody().contains("4805f3596e68104d71b922124a61c701798180d5511a21586d9d8d58a1fc593f"));
+        Assert.assertFalse(res.getBody().contains("cf2061910587994e02f446d59d61d2dbabc5a3a8aea2fa05d08ffe2a12ee8bc8"));
+        Assert.assertFalse(res.getBody().contains("0e3f99018654fda6757601e88d4317f1649efae79126eb62c3f8c15105ba47ac"));
 
         Assert.assertEquals(
             HttpStatus.SC_OK,
@@ -164,9 +164,9 @@ public void testMaskedAggregationsRace() throws Exception {
         Assert.assertTrue(res.getBody().contains("\"doc_count\" : 1"));
         Assert.assertFalse(res.getBody().contains("100.100"));
         Assert.assertFalse(res.getBody().contains("200.100"));
-        Assert.assertTrue(res.getBody().contains("e1623afebfa505884e249a478640ec98094d19a72ac7a89dd0097e28955bb5ae"));
-        Assert.assertTrue(res.getBody().contains("26a8671e57fefc13504f8c61ced67ac98338261ace1e5bf462038b2f2caae16e"));
-        Assert.assertTrue(res.getBody().contains("87873bdb698e5f0f60e0b02b76dad1ec11b2787c628edbc95b7ff0e82274b140"));
+        Assert.assertTrue(res.getBody().contains("4805f3596e68104d71b922124a61c701798180d5511a21586d9d8d58a1fc593f"));
+        Assert.assertTrue(res.getBody().contains("cf2061910587994e02f446d59d61d2dbabc5a3a8aea2fa05d08ffe2a12ee8bc8"));
+        Assert.assertTrue(res.getBody().contains("0e3f99018654fda6757601e88d4317f1649efae79126eb62c3f8c15105ba47ac"));
 
         for (int i = 0; i < 10; i++) {
             Assert.assertEquals(
@@ -177,9 +177,9 @@ public void testMaskedAggregationsRace() throws Exception {
             Assert.assertTrue(res.getBody().contains("200.100"));
             Assert.assertTrue(res.getBody().contains("\"doc_count\" : 30"));
             Assert.assertTrue(res.getBody().contains("\"doc_count\" : 1"));
-            Assert.assertFalse(res.getBody().contains("e1623afebfa505884e249a478640ec98094d19a72ac7a89dd0097e28955bb5ae"));
-            Assert.assertFalse(res.getBody().contains("26a8671e57fefc13504f8c61ced67ac98338261ace1e5bf462038b2f2caae16e"));
-            Assert.assertFalse(res.getBody().contains("87873bdb698e5f0f60e0b02b76dad1ec11b2787c628edbc95b7ff0e82274b140"));
+            Assert.assertFalse(res.getBody().contains("4805f3596e68104d71b922124a61c701798180d5511a21586d9d8d58a1fc593f"));
+            Assert.assertFalse(res.getBody().contains("cf2061910587994e02f446d59d61d2dbabc5a3a8aea2fa05d08ffe2a12ee8bc8"));
+            Assert.assertFalse(res.getBody().contains("0e3f99018654fda6757601e88d4317f1649efae79126eb62c3f8c15105ba47ac"));
         }
 
     }
@@ -201,7 +201,7 @@ public void testMaskedSearch() throws Exception {
         Assert.assertTrue(res.getBody().contains("cust2"));
         Assert.assertTrue(res.getBody().contains("100.100.1.1"));
         Assert.assertTrue(res.getBody().contains("100.100.2.2"));
-        Assert.assertFalse(res.getBody().contains("87873bdb698e5f0f60e0b02b76dad1ec11b2787c628edbc95b7ff0e82274b140"));
+        Assert.assertFalse(res.getBody().contains("0e3f99018654fda6757601e88d4317f1649efae79126eb62c3f8c15105ba47ac"));
 
         Assert.assertEquals(
             HttpStatus.SC_OK,
@@ -213,7 +213,7 @@ public void testMaskedSearch() throws Exception {
         Assert.assertTrue(res.getBody().contains("cust2"));
         Assert.assertFalse(res.getBody().contains("100.100.1.1"));
         Assert.assertFalse(res.getBody().contains("100.100.2.2"));
-        Assert.assertTrue(res.getBody().contains("87873bdb698e5f0f60e0b02b76dad1ec11b2787c628edbc95b7ff0e82274b140"));
+        Assert.assertTrue(res.getBody().contains("0e3f99018654fda6757601e88d4317f1649efae79126eb62c3f8c15105ba47ac"));
 
     }
 
@@ -233,7 +233,7 @@ public void testMaskedGet() throws Exception {
         Assert.assertFalse(res.getBody().contains("cust2"));
         Assert.assertTrue(res.getBody().contains("100.100.1.1"));
         Assert.assertFalse(res.getBody().contains("100.100.2.2"));
-        Assert.assertFalse(res.getBody().contains("87873bdb698e5f0f60e0b02b76dad1ec11b2787c628edbc95b7ff0e82274b140"));
+        Assert.assertFalse(res.getBody().contains("0e3f99018654fda6757601e88d4317f1649efae79126eb62c3f8c15105ba47ac"));
 
         Assert.assertEquals(
             HttpStatus.SC_OK,
@@ -244,7 +244,7 @@ public void testMaskedGet() throws Exception {
         Assert.assertFalse(res.getBody().contains("cust2"));
         Assert.assertFalse(res.getBody().contains("100.100.1.1"));
         Assert.assertFalse(res.getBody().contains("100.100.2.2"));
-        Assert.assertTrue(res.getBody().contains("87873bdb698e5f0f60e0b02b76dad1ec11b2787c628edbc95b7ff0e82274b140"));
+        Assert.assertTrue(res.getBody().contains("0e3f99018654fda6757601e88d4317f1649efae79126eb62c3f8c15105ba47ac"));
     }
 
 }
diff --git a/src/test/java/org/opensearch/security/test/helper/rest/RestHelper.java b/src/test/java/org/opensearch/security/test/helper/rest/RestHelper.java
@@ -397,7 +397,7 @@ public static class HttpResponse {
         public HttpResponse(SimpleHttpResponse inner) throws IllegalStateException, IOException {
             super();
             this.inner = inner;
-            if (inner.getBody() == null) { // head request does not have a entity
+            if (inner.getBody() == null) { // head request does not have an entity
                 this.body = "";
             } else {
                 this.body = inner.getBodyText();