dancristiancecoi
diff --git a/‎build.gradle
+2 b/‎build.gradle
+2
diff --git a/‎plugin-security.policy
+3 b/‎plugin-security.policy
+3
diff --git a/‎src/integrationTest/java/org/opensearch/security/api/AccountRestApiIntegrationTest.java
+7-2 b/‎src/integrationTest/java/org/opensearch/security/api/AccountRestApiIntegrationTest.java
+7-2
diff --git a/‎src/integrationTest/java/org/opensearch/test/framework/TestSecurityConfig.java
+11-10 b/‎src/integrationTest/java/org/opensearch/test/framework/TestSecurityConfig.java
+11-10
diff --git a/‎src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
+134 b/‎src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
+134
diff --git a/‎src/main/java/org/opensearch/security/dlic/rest/api/AccountApiAction.java
+9-5 b/‎src/main/java/org/opensearch/security/dlic/rest/api/AccountApiAction.java
+9-5
diff --git a/‎src/main/java/org/opensearch/security/dlic/rest/api/InternalUsersApiAction.java
+7-2 b/‎src/main/java/org/opensearch/security/dlic/rest/api/InternalUsersApiAction.java
+7-2
@@ -581,6 +581,8 @@ dependencies {
     implementation 'org.ldaptive:ldaptive:1.2.3'
     implementation 'com.nimbusds:nimbus-jose-jwt:9.37.3'
 
+    implementation 'com.password4j:password4j:1.7.3'
+
     //JWT
     implementation "io.jsonwebtoken:jjwt-api:${jjwt_version}"
     implementation "io.jsonwebtoken:jjwt-impl:${jjwt_version}"
 
@@ -77,6 +77,9 @@ grant {
   //Enable this permission to debug unauthorized de-serialization attempt
   //permission java.io.SerializablePermission "enableSubstitution";
 
+ 
+  permission java.io.FilePermission "/psw4j.properties","read";
+
 };
 
 grant codeBase "${codebase.netty-common}" {
 
@@ -13,14 +13,17 @@
 import org.junit.Test;
 
 import org.opensearch.core.xcontent.ToXContentObject;
+import org.opensearch.security.hash.PasswordHash;
+import org.opensearch.security.hash.PasswordHashImpl;
 import org.opensearch.test.framework.TestSecurityConfig;
 import org.opensearch.test.framework.cluster.TestRestClient;
 
+import java.nio.CharBuffer;
+
 import static org.apache.commons.lang3.RandomStringUtils.randomAlphabetic;
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.not;
-import static org.opensearch.security.dlic.rest.support.Utils.hash;
 
 public class AccountRestApiIntegrationTest extends AbstractApiIntegrationTest {
 
@@ -106,11 +109,13 @@ private void verifyWrongPayload(final TestRestClient client) throws Exception {
 
     private void verifyPasswordCanBeChanged() throws Exception {
         final var newPassword = randomAlphabetic(10);
+        final PasswordHash passwordService = new PasswordHashImpl();
         withUser(
             TEST_USER,
             TEST_USER_PASSWORD,
             client -> ok(
-                () -> client.putJson(accountPath(), changePasswordWithHashPayload(TEST_USER_PASSWORD, hash(newPassword.toCharArray())))
+                () -> client.putJson(accountPath(), changePasswordWithHashPayload(TEST_USER_PASSWORD,
+                        passwordService.hash(CharBuffer.wrap(newPassword.toCharArray()))))
             )
         );
         withUser(
 
@@ -31,7 +31,8 @@
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.nio.ByteBuffer;
-import java.security.SecureRandom;
+import java.nio.CharBuffer;
+
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
@@ -46,7 +47,6 @@
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
-import org.bouncycastle.crypto.generators.OpenBSDBCrypt;
 
 import org.opensearch.action.admin.indices.create.CreateIndexRequest;
 import org.opensearch.action.index.IndexRequest;
@@ -57,6 +57,8 @@
 import org.opensearch.core.common.bytes.BytesReference;
 import org.opensearch.core.xcontent.ToXContentObject;
 import org.opensearch.core.xcontent.XContentBuilder;
+import org.opensearch.security.hash.PasswordHash;
+import org.opensearch.security.hash.PasswordHashImpl;
 import org.opensearch.security.securityconf.impl.CType;
 import org.opensearch.test.framework.cluster.OpenSearchClientProvider.UserCredentialsHolder;
 
@@ -451,7 +453,7 @@ public Object getAttribute(String attributeName) {
         public XContentBuilder toXContent(XContentBuilder xContentBuilder, Params params) throws IOException {
             xContentBuilder.startObject();
 
-            xContentBuilder.field("hash", hash(password.toCharArray()));
+            xContentBuilder.field("hash", hash(password));
 
             Set<String> roleNames = getRoleNames();
 
@@ -933,13 +935,12 @@ public void updateInternalUsersConfiguration(Client client, List<User> users) {
         updateConfigInIndex(client, CType.INTERNALUSERS, userMap);
     }
 
-    static String hash(final char[] clearTextPassword) {
-        final byte[] salt = new byte[16];
-        new SecureRandom().nextBytes(salt);
-        final String hash = OpenBSDBCrypt.generate((Objects.requireNonNull(clearTextPassword)), salt, 12);
-        Arrays.fill(salt, (byte) 0);
-        Arrays.fill(clearTextPassword, '\0');
-        return hash;
+    static String hash(final String clearTextPassword) {
+        PasswordHash passwordService = new PasswordHashImpl();
+        return passwordService.hash((
+                Objects.requireNonNull(
+                        CharBuffer.wrap(clearTextPassword.toCharArray())
+                )));
     }
 
     private void writeEmptyConfigToIndex(Client client, CType configType) {
 
@@ -1916,6 +1916,140 @@ public List<Setting<?>> getSettings() {
             );
         }
 
+
+        //todo: What is Property.Filtered?
+        //todo: Do we want these properties to be Final?
+        settings.add(
+                Setting.simpleString(
+                        ConfigConstants.SECURITY_PASSWORD_HASHING_ALGORITHM,
+                        ConfigConstants.SECURITY_PASSWORD_HASHING_ALGORITHM_DEFAULT,
+                        Property.NodeScope,
+                        Property.Filtered,
+                        Property.Final
+                )
+        );
+
+        settings.add(Setting.intSetting(
+                ConfigConstants.SECURITY_PASSWORD_HASHING_PBKDF2_ITERATIONS,
+                ConfigConstants.SECURITY_PASSWORD_HASHING_PBKDF2_ITERATIONS_DEFAULT,
+                Property.NodeScope,
+                Property.Filtered,
+                Property.Final
+        ));
+
+        settings.add(Setting.intSetting(
+                ConfigConstants.SECURITY_PASSWORD_HASHING_PBKDF2_LENGTH,
+                ConfigConstants.SECURITY_PASSWORD_HASHING_PBKDF2_LENGTH_DEFAULT,
+                Property.NodeScope,
+                Property.Filtered,
+                Property.Final
+        ));
+
+        settings.add(Setting.simpleString(
+                ConfigConstants.SECURITY_PASSWORD_HASHING_PBKDF2_ALGORITHM,
+                ConfigConstants.SECURITY_PASSWORD_HASHING_PBKDF2_ALGORITHM_DEFAULT,
+                Property.NodeScope,
+                Property.Filtered,
+                Property.Final
+        ));
+
+        settings.add(Setting.intSetting(
+                ConfigConstants.SECURITY_PASSWORD_HASHING_SCRYPT_WORK_FACTOR,
+                ConfigConstants.SECURITY_PASSWORD_HASHING_SCRYPT_WORK_FACTOR_DEFAULT,
+                Property.NodeScope,
+                Property.Filtered,
+                Property.Final
+        ));
+
+        settings.add(Setting.intSetting(
+                ConfigConstants.SECURITY_PASSWORD_HASHING_SCRYPT_RESOURCES,
+                ConfigConstants.SECURITY_PASSWORD_HASHING_SCRYPT_RESOURCES_DEFAULT,
+                Property.NodeScope,
+                Property.Filtered,
+                Property.Final
+        ));
+
+        settings.add(Setting.intSetting(
+                ConfigConstants.SECURITY_PASSWORD_HASHING_SCRYPT_PARALLELIZATION,
+                ConfigConstants.SECURITY_PASSWORD_HASHING_SCRYPT_PARALLELIZATION_DEFAULT,
+                Property.NodeScope,
+                Property.Filtered,
+                Property.Final
+        ));
+
+        settings.add(Setting.intSetting(
+                ConfigConstants.SECURITY_PASSWORD_HASHING_SCRYPT_DERIVED_KEY_LENGTH,
+                ConfigConstants.SECURITY_PASSWORD_HASHING_SCRYPT_DERIVED_KEY_LENGTH_DEFAULT,
+                Property.NodeScope,
+                Property.Filtered,
+                Property.Final
+        ));
+
+        settings.add(Setting.intSetting(
+                ConfigConstants.SECURITY_PASSWORD_HASHING_ARGON2_MEMORY,
+                ConfigConstants.SECURITY_PASSWORD_HASHING_ARGON2_MEMORY_DEFAULT,
+                Property.NodeScope,
+                Property.Filtered,
+                Property.Final
+        ));
+
+        settings.add(Setting.intSetting(
+                ConfigConstants.SECURITY_PASSWORD_HASHING_ARGON2_ITERATIONS,
+                ConfigConstants.SECURITY_PASSWORD_HASHING_ARGON2_ITERATIONS_DEFAULT,
+                Property.NodeScope,
+                Property.Filtered,
+                Property.Final
+        ));
+
+        settings.add(Setting.intSetting(
+                ConfigConstants.SECURITY_PASSWORD_HASHING_ARGON2_LENGTH,
+                ConfigConstants.SECURITY_PASSWORD_HASHING_ARGON2_LENGTH_DEFAULT,
+                Property.NodeScope,
+                Property.Filtered,
+                Property.Final
+        ));
+
+        settings.add(Setting.intSetting(
+                ConfigConstants.SECURITY_PASSWORD_HASHING_ARGON2_PARALLELISM,
+                ConfigConstants.SECURITY_PASSWORD_HASHING_ARGON2_PARALLELISM_DEFAULT,
+                Property.NodeScope,
+                Property.Filtered,
+                Property.Final
+        ));
+
+        settings.add(Setting.simpleString(
+                ConfigConstants.SECURITY_PASSWORD_HASHING_ARGON2_TYPE,
+                ConfigConstants.SECURITY_PASSWORD_HASHING_ARGON2_TYPE_DEFAULT,
+                Property.NodeScope,
+                Property.Filtered,
+                Property.Final
+        ));
+
+        settings.add(Setting.intSetting(
+                ConfigConstants.SECURITY_PASSWORD_HASHING_ARGON2_VERSION,
+                ConfigConstants.SECURITY_PASSWORD_HASHING_ARGON2_VERSION_DEFAULT,
+                Property.NodeScope,
+                Property.Filtered,
+                Property.Final
+        ));
+
+
+        settings.add(Setting.intSetting(
+                ConfigConstants.SECURITY_PASSWORD_HASHING_BCRYPT_ROUNDS,
+                ConfigConstants.SECURITY_PASSWORD_HASHING_BCRYPT_ROUNDS_DEFAULT,
+                Property.NodeScope,
+                Property.Filtered,
+                Property.Final
+        ));
+
+        settings.add(Setting.simpleString(
+                ConfigConstants.SECURITY_PASSWORD_HASHING_BCRYPT_MINOR,
+                ConfigConstants.SECURITY_PASSWORD_HASHING_BCRYPT_MINOR_DEFAULT,
+                Property.NodeScope,
+                Property.Filtered,
+                Property.Final
+        ));
+
         return settings;
     }
 
 
@@ -11,6 +11,7 @@
 
 package org.opensearch.security.dlic.rest.api;
 
+import java.nio.CharBuffer;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -19,8 +20,6 @@
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
 import org.apache.commons.lang3.tuple.Triple;
-import org.bouncycastle.crypto.generators.OpenBSDBCrypt;
-
 import org.opensearch.cluster.service.ClusterService;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.core.common.Strings;
@@ -32,6 +31,8 @@
 import org.opensearch.security.dlic.rest.validation.RequestContentValidator;
 import org.opensearch.security.dlic.rest.validation.RequestContentValidator.DataType;
 import org.opensearch.security.dlic.rest.validation.ValidationResult;
+import org.opensearch.security.hash.PasswordHash;
+import org.opensearch.security.hash.PasswordHashImpl;
 import org.opensearch.security.securityconf.Hashed;
 import org.opensearch.security.securityconf.impl.CType;
 import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration;
@@ -44,13 +45,15 @@
 import static org.opensearch.security.dlic.rest.api.Responses.ok;
 import static org.opensearch.security.dlic.rest.api.Responses.response;
 import static org.opensearch.security.dlic.rest.support.Utils.addRoutesPrefix;
-import static org.opensearch.security.dlic.rest.support.Utils.hash;
 
 /**
  * Rest API action to fetch or update account details of the signed-in user.
  * Currently this action serves GET and PUT request for /_opendistro/_security/api/account endpoint
  */
 public class AccountApiAction extends AbstractApiAction {
+
+    private final PasswordHash passwordService;
+
     private static final List<Route> routes = addRoutesPrefix(
         ImmutableList.of(new Route(Method.GET, "/account"), new Route(Method.PUT, "/account"))
     );
@@ -62,6 +65,7 @@ public AccountApiAction(
     ) {
         super(Endpoint.ACCOUNT, clusterService, threadPool, securityApiDependencies);
         this.requestHandlersBuilder.configureRequestHandlers(this::accountApiRequestHandlers);
+        this.passwordService = new PasswordHashImpl(securityApiDependencies.settings());
     }
 
     @Override
@@ -132,7 +136,7 @@ ValidationResult<SecurityConfiguration> validCurrentPassword(final SecurityConfi
         final var currentPassword = content.get("current_password").asText();
         final var internalUserEntry = (Hashed) securityConfiguration.configuration().getCEntry(username);
         final var currentHash = internalUserEntry.getHash();
-        if (currentHash == null || !OpenBSDBCrypt.checkPassword(currentHash, currentPassword.toCharArray())) {
+        if (currentHash == null || !passwordService.check(CharBuffer.wrap(currentPassword.toCharArray()), currentHash)) {
             return ValidationResult.error(RestStatus.BAD_REQUEST, badRequestMessage("Could not validate your current password."));
         }
         return ValidationResult.success(securityConfiguration);
@@ -148,7 +152,7 @@ ValidationResult<SecurityConfiguration> updatePassword(final SecurityConfigurati
         if (Strings.isNullOrEmpty(password)) {
             hash = securityJsonNode.get("hash").asString();
         } else {
-            hash = hash(password.toCharArray());
+            hash =  this.passwordService.hash(CharBuffer.wrap(password.toCharArray()));
         }
         if (Strings.isNullOrEmpty(hash)) {
             return ValidationResult.error(
 
@@ -12,6 +12,7 @@
 package org.opensearch.security.dlic.rest.api;
 
 import java.io.IOException;
+import java.nio.CharBuffer;
 import java.util.List;
 import java.util.Map;
 
@@ -31,6 +32,8 @@
 import org.opensearch.security.dlic.rest.validation.RequestContentValidator;
 import org.opensearch.security.dlic.rest.validation.RequestContentValidator.DataType;
 import org.opensearch.security.dlic.rest.validation.ValidationResult;
+import org.opensearch.security.hash.PasswordHash;
+import org.opensearch.security.hash.PasswordHashImpl;
 import org.opensearch.security.securityconf.Hashed;
 import org.opensearch.security.securityconf.impl.CType;
 import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration;
@@ -47,7 +50,6 @@
 import static org.opensearch.security.dlic.rest.api.Responses.payload;
 import static org.opensearch.security.dlic.rest.api.Responses.response;
 import static org.opensearch.security.dlic.rest.support.Utils.addRoutesPrefix;
-import static org.opensearch.security.dlic.rest.support.Utils.hash;
 
 public class InternalUsersApiAction extends AbstractApiAction {
 
@@ -57,6 +59,8 @@ protected void consumeParameters(final RestRequest request) {
         request.param("filterBy");
     }
 
+    private final PasswordHash passwordService;
+
     static final List<String> RESTRICTED_FROM_USERNAME = ImmutableList.of(
         ":" // Not allowed in basic auth, see https://stackoverflow.com/a/33391003/533057
     );
@@ -92,6 +96,7 @@ public InternalUsersApiAction(
         super(Endpoint.INTERNALUSERS, clusterService, threadPool, securityApiDependencies);
         this.userService = userService;
         this.requestHandlersBuilder.configureRequestHandlers(this::internalUsersApiRequestHandlers);
+        this.passwordService = new PasswordHashImpl(securityApiDependencies.settings());
     }
 
     @Override
@@ -268,7 +273,7 @@ private ValidationResult<SecurityConfiguration> generateHashForPassword(final Se
                 if (content.has("password")) {
                     final var plainTextPassword = content.get("password").asText();
                     content.remove("password");
-                    content.put("hash", hash(plainTextPassword.toCharArray()));
+                    content.put("hash", passwordService.hash(CharBuffer.wrap(plainTextPassword.toCharArray())));
                 }
                 return ValidationResult.success(securityConfiguration);
             }