directory-commits mailing list archives

From kayyag...@apache.org
Subject svn commit: r1550894 - in /directory/apacheds/trunk: interceptors/authn/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java server-integ/src/test/java/org/apache/directory/server/ppolicy/PasswordPolicyIT.java
Date Sat, 14 Dec 2013 07:33:01 GMT
Author: kayyagari
Date: Sat Dec 14 07:33:00 2013
New Revision: 1550894

URL: http://svn.apache.org/r1550894
Log:
applied patch from Lucas Theisen for DIRSERVER-1932 with slight modifications

Modified:
    directory/apacheds/trunk/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java
    directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/ppolicy/PasswordPolicyIT.java

Modified: directory/apacheds/trunk/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java?rev=1550894&r1=1550893&r2=1550894&view=diff
==============================================================================
--- directory/apacheds/trunk/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java
(original)
+++ directory/apacheds/trunk/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java
Sat Dec 14 07:33:00 2013
@@ -1370,6 +1370,12 @@ public class AuthenticationInterceptor e
             return false;
         }
 
+        // see sections 7.8 and 7.2 of the ppolicy draft
+        if ( policyConfig.isPwdMustChange() && pwdResetSet.contains( userEntry.getDn().getNormName()
) ) 
+        {
+            return false;
+        }
+        
         Attribute pwdChangedTimeAt = userEntry.get( AT_PWD_CHANGED_TIME );
 
         if ( pwdChangedTimeAt != null )
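Review bot: The pwdMinAge waiver added here trusts membership in `pwdResetSet` rather than the entry's own pwdReset attribute, which is what section 7.2 of the draft keys on. If that set is process-local state (it looks that way, but its declaration is outside the hunk), it can disagree with the stored entry after a restart or on a replica, and a DN that is never removed from it would keep bypassing the too-young check. I would either also test the attribute on `userEntry` or state the invariant above the condition, e.g. `// pwdMinAge is waived only while an admin reset is pending; pwdResetSet must be cleared as soon as the user changes the password`. The enclosing method starts and ends outside this hunk, so where the set is populated and cleared could not be checked here.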

Modified: directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/ppolicy/PasswordPolicyIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/ppolicy/PasswordPolicyIT.java?rev=1550894&r1=1550893&r2=1550894&view=diff
==============================================================================
--- directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/ppolicy/PasswordPolicyIT.java
(original)
+++ directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/ppolicy/PasswordPolicyIT.java
Sat Dec 14 07:33:00 2013
@@ -40,6 +40,7 @@ import static org.junit.Assert.fail;
 import org.apache.directory.api.ldap.codec.api.LdapApiService;
 import org.apache.directory.api.ldap.codec.api.LdapApiServiceFactory;
 import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicy;
+import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyErrorEnum;
 import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyImpl;
 import org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyDecorator;
 import org.apache.directory.api.ldap.model.constants.LdapSecurityConstants;
@@ -1251,4 +1252,90 @@ public class PasswordPolicyIT extends Ab
         userConnection.close();
         adminConnection.close();
     }
+    
+    
+    /**
+    * According to the <a href=
+    * "http://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-7.8"
+    * >rfc</a>:
+    * <pre>
+    * <b>7.8 Password Too Young Check</b>
+    * 
+    *   If the Section 7.2 check returned true then this check will return
+    *   false, to allow the password to be changed.
+    *   ...
+    * </pre>
+    * <pre>
+    * <b>7.2 Password Must be Changed Now Check</b>
+    * 
+    *   A status of true is returned to indicate that the password must be
+    *   changed if all of these conditions are met:
+    *   
+    *   o  The pwdMustChange attribute is set to TRUE.
+    *   o  The pwdReset attribute is set to TRUE.
+    *   
+    *   Otherwise a status of false is returned.
+    * </pre>
+    * 
+    * Therefore, if the admin sets the password, the user should be allowed
+    * to change it even if pwdMinAge has not expired.
+    */
+   @Test
+   public void testPwdMinAgeWithMustChange() throws Exception
+   {
+       policyConfig.setPwdMustChange( true );
+       policyConfig.setPwdMinAge( 1 );
+
+       LdapConnection adminConnection = getAdminNetworkConnection( getLdapServer() );
+
+       Dn userDn = new Dn( "cn=userMinAgeMustChange,ou=system" );
+       Entry userEntry = new DefaultEntry(
+           userDn.toString(),
+           "ObjectClass: top",
+           "ObjectClass: person",
+           "cn: userMinAgeMustChange",
+           "sn: userMinAgeMustChange_sn",
+           "userPassword: 12345" );
+       adminConnection.add( userEntry );
+
+       LdapConnection userConnection = new LdapNetworkConnection( "localhost", getLdapServer().getPort()
);
+       BindRequest bindRequest = new BindRequestImpl();
+       bindRequest.setDn( userDn );
+       bindRequest.setCredentials( "12345" );
+       bindRequest.addControl( PP_REQ_CTRL );
+       // successful bind but must require pwd reset as was set by admin
+       BindResponse bindResponse = userConnection.bind( bindRequest );
+       assertEquals( ResultCodeEnum.SUCCESS, bindResponse.getLdapResult().getResultCode()
);
+       assertEquals( PasswordPolicyErrorEnum.CHANGE_AFTER_RESET, 
+           getPwdRespCtrl( bindResponse ).getResponse().getPasswordPolicyError() );
+
+       ModifyRequest modifyRequest = new ModifyRequestImpl();
+       modifyRequest.setName( userDn );
+       modifyRequest.replace( "userPassword", "123456" );
+       modifyRequest.addControl( PP_REQ_CTRL );
+       // succeed because admin previously set password
+       ModifyResponse modifyResponse = userConnection.modify( modifyRequest );
+       assertEquals( ResultCodeEnum.SUCCESS, modifyResponse.getLdapResult().getResultCode()
);
+
+       modifyRequest = new ModifyRequestImpl();
+       modifyRequest.setName( userDn );
+       modifyRequest.replace( "userPassword", "1234567" );
+       modifyRequest.addControl( PP_REQ_CTRL );
+       // fail cause password is too young
+       modifyResponse = userConnection.modify( modifyRequest );
+       assertEquals( ResultCodeEnum.CONSTRAINT_VIOLATION, 
+           modifyResponse.getLdapResult().getResultCode() );
+       assertEquals( PasswordPolicyErrorEnum.PASSWORD_TOO_YOUNG, 
+           getPwdRespCtrl( modifyResponse ).getResponse().getPasswordPolicyError() );
+
+       // Wait for the pwdMinAge delay to be over
+       Thread.sleep( 1000 );
+
+       // Now, we should be able to modify the password
+       modifyResponse = userConnection.modify( modifyRequest );
+       assertEquals( ResultCodeEnum.SUCCESS, modifyResponse.getLdapResult().getResultCode()
);
+
+       userConnection.close();
+       adminConnection.close();
+   }    
 }
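Review bot: With `setPwdMinAge( 1 )` and `Thread.sleep( 1000 )`, both the PASSWORD_TOO_YOUNG assertion and the final SUCCESS assertion in `testPwdMinAgeWithMustChange` depend on wall-clock timing. A slow host can take more than a second between the two modifies, and a sleep of exactly the minimum age leaves no margin if pwdChangedTime is compared at second granularity. A larger minimum age with a sleep slightly above it, for example `policyConfig.setPwdMinAge( 2 );` and `Thread.sleep( 2500 );`, would make the test stable. The two connections are also closed only on the success path, so a failed assertion leaks them; `try { ... } finally { userConnection.close(); adminConnection.close(); }` around the body avoids that. A companion case with `setPwdMustChange( false )` would confirm that an admin-set password alone does not waive pwdMinAge.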


