Return-Path: X-Original-To: apmail-jackrabbit-oak-commits-archive@minotaur.apache.org Delivered-To: apmail-jackrabbit-oak-commits-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id AB00C10615 for ; Wed, 4 Sep 2013 09:52:46 +0000 (UTC) Received: (qmail 63501 invoked by uid 500); 4 Sep 2013 09:52:45 -0000 Delivered-To: apmail-jackrabbit-oak-commits-archive@jackrabbit.apache.org Received: (qmail 63484 invoked by uid 500); 4 Sep 2013 09:52:45 -0000 Mailing-List: contact oak-commits-help@jackrabbit.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: oak-dev@jackrabbit.apache.org Delivered-To: mailing list oak-commits@jackrabbit.apache.org Received: (qmail 63476 invoked by uid 99); 4 Sep 2013 09:52:45 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 04 Sep 2013 09:52:45 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 04 Sep 2013 09:52:41 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 8F0F0238899C; Wed, 4 Sep 2013 09:52:20 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1519963 - in /jackrabbit/oak/trunk/oak-core/src: main/java/org/apache/jackrabbit/oak/spi/security/user/action/PasswordChangeAction.java test/java/org/apache/jackrabbit/oak/spi/security/user/action/PasswordChangeActionTest.java Date: Wed, 04 Sep 2013 09:52:20 -0000 To: oak-commits@jackrabbit.apache.org 
From: angela@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20130904095220.8F0F0238899C@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: angela Date: Wed Sep 4 09:52:20 2013 New Revision: 1519963 URL: http://svn.apache.org/r1519963 Log: OAK-50: user mgt - add PasswordChangeAction Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/PasswordChangeAction.java - copied, changed from r1519606, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/PasswordValidationAction.java jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/user/action/PasswordChangeActionTest.java Copied: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/PasswordChangeAction.java (from r1519606, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/PasswordValidationAction.java) URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/PasswordChangeAction.java?p2=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/PasswordChangeAction.java&p1=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/PasswordValidationAction.java&r1=1519606&r2=1519963&rev=1519963&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/PasswordValidationAction.java (original) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/PasswordChangeAction.java Wed Sep 4 09:52:20 2013 
@@ -16,10 +16,8 @@
 */
 package org.apache.jackrabbit.oak.spi.security.user.action;
 
-import java.util.regex.Pattern;
-import java.util.regex.PatternSyntaxException;
+import javax.annotation.CheckForNull;
 import javax.annotation.Nonnull;
-import javax.annotation.Nullable;
 import javax.jcr.RepositoryException;
 import javax.jcr.nodetype.ConstraintViolationException;
 
@@ -28,84 +26,41 @@ import org.apache.jackrabbit.oak.api.Roo
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
 import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
 import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
+import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
 import org.apache.jackrabbit.oak.spi.security.user.util.PasswordUtil;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
+import org.apache.jackrabbit.oak.util.TreeUtil;
 
 /**
- * {@code PasswordValidationAction} provides a simple password validation
- * mechanism with the following configurable option:
+ * {@code PasswordChangeAction} asserts that the upon
+ * {@link #onPasswordChange(org.apache.jackrabbit.api.security.user.User, String,
+ * org.apache.jackrabbit.oak.api.Root, org.apache.jackrabbit.oak.namepath.NamePathMapper)}
+ * a different, non-null password is specified.
- *
    - *
  • constraint: a regular expression that can be compiled - * to a {@link java.util.regex.Pattern} defining validation rules for a password.
  • - *
- * - *

The password validation is executed on user creation and upon password - * change. It throws a {@code ConstraintViolationException} if the password - * validation fails.

- * - * @see org.apache.jackrabbit.api.security.user.UserManager#createUser(String, String) * @see org.apache.jackrabbit.api.security.user.User#changePassword(String) * @see org.apache.jackrabbit.api.security.user.User#changePassword(String, String) */ -public class PasswordValidationAction extends AbstractAuthorizableAction { - - private static final Logger log = LoggerFactory.getLogger(PasswordValidationAction.class); - - public static final String CONSTRAINT = "constraint"; +public class PasswordChangeAction extends AbstractAuthorizableAction { - private Pattern pattern; - - //-----------------------------------------< AbstractAuthorizableAction >--- @Override protected void init(SecurityProvider securityProvider, ConfigurationParameters config) { - String constraint = config.getNullableConfigValue(CONSTRAINT, (String) null); - if (constraint != null) { - setConstraint(constraint); - } + // nothing to do } //-------------------------------------------------< AuthorizableAction >--- @Override - public void onCreate(User user, String password, Root root, NamePathMapper namePathMapper) throws RepositoryException { - validatePassword(password, false); - } - - @Override public void onPasswordChange(User user, String newPassword, Root root, NamePathMapper namePathMapper) throws RepositoryException { - validatePassword(newPassword, true); - } - - //------------------------------------------------------< Configuration >--- - /** - * Set the password constraint. - * - * @param constraint A regular expression that can be used to validate a new password. 
- */ - public void setConstraint(@Nonnull String constraint) { - try { - pattern = Pattern.compile(constraint); - } catch (PatternSyntaxException e) { - log.warn("Invalid password constraint: ", e.getMessage()); + if (newPassword == null) { + throw new ConstraintViolationException("Expected a new password that is not null."); + } + String pwHash = getPasswordHash(root, user); + if (PasswordUtil.isSame(pwHash, newPassword)) { + throw new ConstraintViolationException("New password is identical to the old password."); } } //------------------------------------------------------------< private >--- - /** - * Validate the specified password. - * - * @param password The password to be validated - * @param forceMatch If true the specified password is always validated; - * otherwise only if it is a plain text password. - * @throws RepositoryException If the specified password is too short or - * doesn't match the specified password pattern. - */ - private void validatePassword(@Nullable String password, boolean forceMatch) throws RepositoryException { - if (password != null && (forceMatch || PasswordUtil.isPlainTextPassword(password))) { - if (pattern != null && !pattern.matcher(password).matches()) { - throw new ConstraintViolationException("Password violates password constraint (" + pattern.pattern() + ")."); - } - } + @CheckForNull + private String getPasswordHash(@Nonnull Root root, @Nonnull User user) throws RepositoryException { + return TreeUtil.getString(root.getTree(user.getPath()), UserConstants.REP_PASSWORD); } } \ No newline at end of file Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/user/action/PasswordChangeActionTest.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/user/action/PasswordChangeActionTest.java?rev=1519963&view=auto ============================================================================== --- 
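Review bot: In the new `onPasswordChange` body, `getPasswordHash` is annotated `@CheckForNull`, so a user stored without a `UserConstants.REP_PASSWORD` value (the `testUserWithoutPassword` case in the same commit) makes the hunk pass a null first argument to `PasswordUtil.isSame(pwHash, newPassword)`, and nothing in the code says why that is acceptable; the hunk depends on `isSame` reporting "not the same" for a null stored hash. A one-line comment before the call would pin that contract: `// no stored hash (user created without a password): nothing to compare against, isSame must return false`. The new class Javadoc reads "asserts that the upon ... a different, non-null password is specified", which is garbled; "asserts that upon ... a different, non-null password is specified" reads correctly, and it should add that only the currently stored hash is compared, so the action does not prevent reuse of any earlier password. Whether a caller can hand in an already-hashed string here, which `PasswordUtil.isSame` would compare as plain text, cannot be judged from this hunk and is worth a sentence in the Javadoc once confirmed.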
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/user/action/PasswordChangeActionTest.java (added) +++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/user/action/PasswordChangeActionTest.java Wed Sep 4 09:52:20 2013 
@@ -0,0 +1,75 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.user.action;
+
+import java.util.UUID;
+import javax.jcr.nodetype.ConstraintViolationException;
+
+import org.apache.jackrabbit.api.security.user.User;
+import org.apache.jackrabbit.oak.AbstractSecurityTest;
+import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
+import org.junit.Before;
+import org.junit.Test;
+
+import static org.junit.Assert.fail;
+
+public class PasswordChangeActionTest extends AbstractSecurityTest {
+
+ private PasswordChangeAction pwChangeAction;
+
+ @Before
+ public void before() throws Exception {
+ super.before();
+ pwChangeAction = new PasswordChangeAction();
+ pwChangeAction.init(getSecurityProvider(), ConfigurationParameters.EMPTY);
+ }
+
+ @Test
+ public void testNullPassword() throws Exception {
+ try {
+ pwChangeAction.onPasswordChange(getTestUser(), null, root, getNamePathMapper());
+ fail("ConstraintViolationException expected.");
+ } catch (ConstraintViolationException e) {
+ // success
+ }
+ }
+
+ @Test
+ public void testSamePassword() throws Exception {
+ try {
+ User user = getTestUser();
+ String pw = user.getID();
+ pwChangeAction.onPasswordChange(user, pw, root, getNamePathMapper());
+ fail("ConstraintViolationException expected.");
+ } catch (ConstraintViolationException e) {
+ // success
+ }
+ }
+
+ @Test
+ public void testPasswordChange() throws Exception {
+ pwChangeAction.onPasswordChange(getTestUser(), "changedPassword", root, getNamePathMapper());
+ }
+
+ @Test
+ public void testUserWithoutPassword() throws Exception {
+ String uid = "testUser" + UUID.randomUUID();
+ User user = getUserManager(root).createUser(uid, null);
+
+ pwChangeAction.onPasswordChange(user, "changedPassword", root, getNamePathMapper());
+ }
+}
\ No newline at end of file
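Review bot: `testSamePassword` passes `user.getID()` as the password that must be rejected, which only reaches the identical-password branch if the `getTestUser()` fixture creates that user with its ID as its password; that dependency on the base class is implicit and deserves a comment on the `String pw = user.getID();` line such as `// presumably AbstractSecurityTest creates the test user with its ID as password — confirm against the base class`. `testPasswordChange` and `testUserWithoutPassword` contain no assertion and succeed merely by not throwing; a one-line comment in each stating that the absence of a `ConstraintViolationException` is the expected outcome would make that intent explicit to a reader looking for an assert.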