fix the hardcode password in IT (#1853) (#1856)

* rename the fake credential in IT Signed-off-by: Xun Zhang <xunzh@amazon.com> * create random password for IT Signed-off-by: Xun Zhang <xunzh@amazon.com> --------- Signed-off-by: Xun Zhang <xunzh@amazon.com> (cherry picked from commit 94d2f51) Co-authored-by: Xun Zhang <xunzh@amazon.com>
opensearch-project · Jan 12, 2024 · 4f14cb9 · 4f14cb9
1 parent 388fa33
commit 4f14cb9
Show file tree

Hide file tree

Showing 2 changed files with 90 additions and 39 deletions.
diff --git a/plugin/src/test/java/org/opensearch/ml/rest/MLModelGroupRestIT.java b/plugin/src/test/java/org/opensearch/ml/rest/MLModelGroupRestIT.java
@@ -7,6 +7,8 @@
 
 package org.opensearch.ml.rest;
 
+import static org.opensearch.ml.rest.SecureMLRestIT.generatePassword;
+
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -67,7 +69,6 @@ public class MLModelGroupRestIT extends MLCommonsRestTestCase {
     public ExpectedException exceptionRule = ExpectedException.none();
 
     private String modelGroupId;
-    private String password = "IntegTest@MLModelGroupRestIT123";
 
     public void disableModelAccessControl(boolean isSecurityEnabled) throws IOException {
         Response response = TestHelper
@@ -101,38 +102,54 @@ public void setup() throws IOException {
         }
         createSearchRole(indexSearchAccessRole, "*");
 
-        createUser(mlNoAccessUser, password, ImmutableList.of(opensearchBackendRole));
-        mlNoAccessClient = new SecureRestClientBuilder(getClusterHosts().toArray(new HttpHost[0]), isHttps(), mlNoAccessUser, password)
-            .setSocketTimeout(60000)
-            .build();
-
-        createUser(mlReadOnlyUser, password, ImmutableList.of(opensearchBackendRole));
-        mlReadOnlyClient = new SecureRestClientBuilder(getClusterHosts().toArray(new HttpHost[0]), isHttps(), mlReadOnlyUser, password)
-            .setSocketTimeout(60000)
-            .build();
-
-        createUser(mlFullAccessUser, password, new ArrayList<>(Arrays.asList(opensearchBackendRole)));
-        mlFullAccessClient = new SecureRestClientBuilder(getClusterHosts().toArray(new HttpHost[0]), isHttps(), mlFullAccessUser, password)
-            .setSocketTimeout(60000)
-            .build();
-
-        createUser(user1, password, ImmutableList.of("IT", "HR"));
-        user1Client = new SecureRestClientBuilder(getClusterHosts().toArray(new HttpHost[0]), isHttps(), user1, password)
+        String mlNoAccessUserPw = generatePassword(mlNoAccessUser);
+        createUser(mlNoAccessUser, mlNoAccessUserPw, ImmutableList.of(opensearchBackendRole));
+        mlNoAccessClient = new SecureRestClientBuilder(
+            getClusterHosts().toArray(new HttpHost[0]),
+            isHttps(),
+            mlNoAccessUser,
+            mlNoAccessUserPw
+        ).setSocketTimeout(60000).build();
+
+        String mlReadOnlyUserPw = generatePassword(mlReadOnlyUser);
+        createUser(mlReadOnlyUser, mlReadOnlyUserPw, ImmutableList.of(opensearchBackendRole));
+        mlReadOnlyClient = new SecureRestClientBuilder(
+            getClusterHosts().toArray(new HttpHost[0]),
+            isHttps(),
+            mlReadOnlyUser,
+            mlReadOnlyUserPw
+        ).setSocketTimeout(60000).build();
+
+        String mlFullAccessUserPw = generatePassword(mlFullAccessUser);
+        createUser(mlFullAccessUser, mlFullAccessUserPw, new ArrayList<>(Arrays.asList(opensearchBackendRole)));
+        mlFullAccessClient = new SecureRestClientBuilder(
+            getClusterHosts().toArray(new HttpHost[0]),
+            isHttps(),
+            mlFullAccessUser,
+            mlFullAccessUserPw
+        ).setSocketTimeout(60000).build();
+
+        String user1Pw = generatePassword(user1);
+        createUser(user1, user1Pw, ImmutableList.of("IT", "HR"));
+        user1Client = new SecureRestClientBuilder(getClusterHosts().toArray(new HttpHost[0]), isHttps(), user1, user1Pw)
             .setSocketTimeout(60000)
             .build();
 
-        createUser(user2, password, ImmutableList.of("IT"));
-        user2Client = new SecureRestClientBuilder(getClusterHosts().toArray(new HttpHost[0]), isHttps(), user2, password)
+        String user2Pw = generatePassword(user2);
+        createUser(user2, user2Pw, ImmutableList.of("IT"));
+        user2Client = new SecureRestClientBuilder(getClusterHosts().toArray(new HttpHost[0]), isHttps(), user2, user2Pw)
             .setSocketTimeout(60000)
             .build();
 
-        createUser(user3, password, ImmutableList.of("Finance"));
-        user3Client = new SecureRestClientBuilder(getClusterHosts().toArray(new HttpHost[0]), isHttps(), user3, password)
+        String user3Pw = generatePassword(user3);
+        createUser(user3, user3Pw, ImmutableList.of("Finance"));
+        user3Client = new SecureRestClientBuilder(getClusterHosts().toArray(new HttpHost[0]), isHttps(), user3, user3Pw)
             .setSocketTimeout(60000)
             .build();
 
-        createUser(user4, password, ImmutableList.of());
-        user4Client = new SecureRestClientBuilder(getClusterHosts().toArray(new HttpHost[0]), isHttps(), user4, password)
+        String user4Pw = generatePassword(user4);
+        createUser(user4, user4Pw, ImmutableList.of());
+        user4Client = new SecureRestClientBuilder(getClusterHosts().toArray(new HttpHost[0]), isHttps(), user4, user4Pw)
             .setSocketTimeout(60000)
             .build();
 

diff --git a/plugin/src/test/java/org/opensearch/ml/rest/SecureMLRestIT.java b/plugin/src/test/java/org/opensearch/ml/rest/SecureMLRestIT.java
@@ -9,6 +9,7 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Map;
+import java.util.Random;
 
 import org.apache.http.HttpHeaders;
 import org.apache.http.HttpHost;
@@ -57,7 +58,27 @@ public class SecureMLRestIT extends MLCommonsRestTestCase {
     public ExpectedException exceptionRule = ExpectedException.none();
 
     private String modelGroupId;
-    private String password = "IntegTest@SecureMLRestIT123";
+
+    /**
+     * Create an unguessable password. Simple password are weak due to https://tinyurl.com/383em9zk
+     * @return a random password.
+     */
+    public static String generatePassword(String username) {
+        String characters = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_";
+
+        Random rng = new Random();
+
+        char[] password = new char[15];
+        for (int i = 0; i < 15; i++) {
+            char nextChar = characters.charAt(rng.nextInt(characters.length()));
+            while (username.indexOf(nextChar) > -1) {
+                nextChar = characters.charAt(rng.nextInt(characters.length()));
+            }
+            password[i] = nextChar;
+        }
+
+        return new String(password);
+    }
 
     @Before
     public void setup() throws IOException {
@@ -77,28 +98,41 @@ public void setup() throws IOException {
         }
         createSearchRole(indexSearchAccessRole, "*");
 
-        createUser(mlNoAccessUser, password, new ArrayList<>(Arrays.asList(opensearchBackendRole)));
-        mlNoAccessClient = new SecureRestClientBuilder(getClusterHosts().toArray(new HttpHost[0]), isHttps(), mlNoAccessUser, password)
-            .setSocketTimeout(60000)
-            .build();
+        String noAccessUserPw = generatePassword(mlNoAccessUser);
+        createUser(mlNoAccessUser, noAccessUserPw, new ArrayList<>(Arrays.asList(opensearchBackendRole)));
+        mlNoAccessClient = new SecureRestClientBuilder(
+            getClusterHosts().toArray(new HttpHost[0]),
+            isHttps(),
+            mlNoAccessUser,
+            noAccessUserPw
+        ).setSocketTimeout(60000).build();
 
-        createUser(mlReadOnlyUser, password, new ArrayList<>(Arrays.asList(opensearchBackendRole)));
-        mlReadOnlyClient = new SecureRestClientBuilder(getClusterHosts().toArray(new HttpHost[0]), isHttps(), mlReadOnlyUser, password)
-            .setSocketTimeout(60000)
-            .build();
+        String readOnlyUserPw = generatePassword(mlReadOnlyUser);
+        createUser(mlReadOnlyUser, readOnlyUserPw, new ArrayList<>(Arrays.asList(opensearchBackendRole)));
+        mlReadOnlyClient = new SecureRestClientBuilder(
+            getClusterHosts().toArray(new HttpHost[0]),
+            isHttps(),
+            mlReadOnlyUser,
+            readOnlyUserPw
+        ).setSocketTimeout(60000).build();
 
-        createUser(mlFullAccessNoIndexAccessUser, password, new ArrayList<>(Arrays.asList(opensearchBackendRole)));
+        String noIndexAccessUserPw = generatePassword(mlFullAccessNoIndexAccessUser);
+        createUser(mlFullAccessNoIndexAccessUser, noIndexAccessUserPw, new ArrayList<>(Arrays.asList(opensearchBackendRole)));
         mlFullAccessNoIndexAccessClient = new SecureRestClientBuilder(
             getClusterHosts().toArray(new HttpHost[0]),
             isHttps(),
             mlFullAccessNoIndexAccessUser,
-            password
+            noIndexAccessUserPw
         ).setSocketTimeout(60000).build();
 
-        createUser(mlFullAccessUser, password, new ArrayList<>(Arrays.asList(opensearchBackendRole)));
-        mlFullAccessClient = new SecureRestClientBuilder(getClusterHosts().toArray(new HttpHost[0]), isHttps(), mlFullAccessUser, password)
-            .setSocketTimeout(60000)
-            .build();
+        String fullAccessUserPw = generatePassword(mlFullAccessUser);
+        createUser(mlFullAccessUser, fullAccessUserPw, new ArrayList<>(Arrays.asList(opensearchBackendRole)));
+        mlFullAccessClient = new SecureRestClientBuilder(
+            getClusterHosts().toArray(new HttpHost[0]),
+            isHttps(),
+            mlFullAccessUser,
+            fullAccessUserPw
+        ).setSocketTimeout(60000).build();
 
         createRoleMapping("ml_read_access", new ArrayList<>(Arrays.asList(mlReadOnlyUser)));
         createRoleMapping("ml_full_access", new ArrayList<>(Arrays.asList(mlFullAccessNoIndexAccessUser, mlFullAccessUser)));