add password complexity check before submitting during reset password flow
Project: http://git-wip-us.apache.org/repos/asf/usergrid/repo Commit: http://git-wip-us.apache.org/repos/asf/usergrid/commit/70de6fde Tree: http://git-wip-us.apache.org/repos/asf/usergrid/tree/70de6fde Diff: http://git-wip-us.apache.org/repos/asf/usergrid/diff/70de6fde Branch: refs/heads/master Commit: 70de6fde4438bd4ba750806e5b4a23cd9aa07d9b Parents: 459163b Author: Mike Dunker <[email protected]> Authored: Thu Aug 17 11:02:36 2017 -0700 Committer: Mike Dunker <[email protected]> Committed: Thu Aug 17 11:02:36 2017 -0700 ---------------------------------------------------------------------- .../usergrid/rest/applications/users/UserResource.java | 9 +++++++++ .../usergrid/rest/management/users/UserResource.java | 9 +++++++++ .../org/apache/usergrid/management/ManagementService.java | 10 +++++----- .../management/cassandra/ManagementServiceImpl.java | 10 ++++++++++ 4 files changed, 33 insertions(+), 5 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/usergrid/blob/70de6fde/stack/rest/src/main/java/org/apache/usergrid/rest/applications/users/UserResource.java ---------------------------------------------------------------------- diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/applications/users/UserResource.java b/stack/rest/src/main/java/org/apache/usergrid/rest/applications/users/UserResource.java index 5435f7e..3e4542d 100644 --- a/stack/rest/src/main/java/org/apache/usergrid/rest/applications/users/UserResource.java +++ b/stack/rest/src/main/java/org/apache/usergrid/rest/applications/users/UserResource.java @@ -17,6 +17,7 @@ package org.apache.usergrid.rest.applications.users; +import java.util.Collection; import java.util.Map; import java.util.UUID; 
@@ -465,6 +466,14 @@ public class UserResource extends ServiceResource { if ( ( password1 != null ) || ( password2 != null ) ) { if ( management.checkPasswordResetTokenForAppUser( getApplicationId(), getUserUuid(), token ) ) { if ( ( password1 != null ) && password1.equals( password2 ) ) { + // validate password + Collection<String> violations = management.passwordPolicyCheck(password1, false); + if (violations.size() > 0) { + // password not valid + errorMsg = management.getPasswordDescription(false); + return handleViewable("resetpw_set_form", this, getOrganizationName()); + } + management.setAppUserPassword( getApplicationId(), getUser().getUuid(), password1 ); management.revokeAccessTokenForAppUser( token ); return handleViewable( "resetpw_set_success", this, getOrganizationName() ); http://git-wip-us.apache.org/repos/asf/usergrid/blob/70de6fde/stack/rest/src/main/java/org/apache/usergrid/rest/management/users/UserResource.java ---------------------------------------------------------------------- diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/management/users/UserResource.java b/stack/rest/src/main/java/org/apache/usergrid/rest/management/users/UserResource.java index b747aa4..1f80bc1 100644 --- a/stack/rest/src/main/java/org/apache/usergrid/rest/management/users/UserResource.java +++ b/stack/rest/src/main/java/org/apache/usergrid/rest/management/users/UserResource.java @@ -43,6 +43,7 @@ import javax.ws.rs.*; import javax.ws.rs.core.Context; import javax.ws.rs.core.MediaType; import javax.ws.rs.core.UriInfo; +import java.util.Collection; import java.util.Map; import java.util.UUID; 
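Review bot: The policy check is enforced only in this form handler, directly in front of `management.setAppUserPassword(...)`; any other caller of `setAppUserPassword` (for example a JSON password endpoint, if one exists — not visible in this diff) would still store an unchecked password. Moving the check inside `setAppUserPassword` itself, or into one shared helper that both resources call, would make it impossible to bypass and would remove the block that is duplicated in the management resource. Minor style point: `if (violations.size() > 0)` reads more idiomatically as `if (!violations.isEmpty())`. The enclosing handler method starts and ends outside this hunk.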
@@ -297,6 +298,14 @@ public class UserResource extends AbstractContextResource { if ( ( password1 != null ) || ( password2 != null ) ) { if ( management.checkPasswordResetTokenForAdminUser( user.getUuid(), tokenInfo ) ) { if ( ( password1 != null ) && password1.equals( password2 ) ) { + // validate password + Collection<String> violations = management.passwordPolicyCheck(password1, true); + if (violations.size() > 0) { + // password not valid + errorMsg = management.getPasswordDescription(true); + return handleViewable( "resetpw_set_form", this, organizationId ); + } + management.setAdminUserPassword( user.getUuid(), password1 ); management.revokeAccessTokenForAdminUser( user.getUuid(), token ); loginEndpoint = properties.getProperty("usergrid.viewable.loginEndpoint"); http://git-wip-us.apache.org/repos/asf/usergrid/blob/70de6fde/stack/services/src/main/java/org/apache/usergrid/management/ManagementService.java ---------------------------------------------------------------------- diff --git a/stack/services/src/main/java/org/apache/usergrid/management/ManagementService.java b/stack/services/src/main/java/org/apache/usergrid/management/ManagementService.java index 2b88b07..8b840d6 100644 --- a/stack/services/src/main/java/org/apache/usergrid/management/ManagementService.java +++ b/stack/services/src/main/java/org/apache/usergrid/management/ManagementService.java @@ -17,11 +17,7 @@ package org.apache.usergrid.management; -import java.util.List; -import java.util.Map; -import java.util.Properties; -import java.util.Set; -import java.util.UUID; +import java.util.*; import org.apache.usergrid.persistence.CredentialsInfo; import org.apache.usergrid.persistence.Entity; 
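Review bot: The `violations` collection returned by `passwordPolicyCheck` is computed and then discarded in favour of `getPasswordDescription(true)`, so the user is shown the whole policy rather than the rule that was broken; if the violation strings are intended to be user-facing (inferred from the type only — not visible here), `errorMsg = String.join(" ", violations);` would report exactly what failed. Apart from the `isAdminUser` flag this block is identical to the one added in the application-user resource, which suggests the check belongs one layer down in `setAdminUserPassword` rather than in each form handler. `if (!violations.isEmpty())` is the idiomatic emptiness test. The enclosing handler method starts and ends outside this hunk.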
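Review bot: The five explicit `java.util` imports in ManagementService.java are collapsed into `import java.util.*;`, whereas the two resource files in this same commit add `import java.util.Collection;` explicitly. Keeping the existing explicit imports and adding `import java.util.Collection;` to them is consistent with the rest of the change and avoids the ambiguity a wildcard introduces when a same-named class later appears in another imported package.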
@@ -372,6 +368,10 @@ public interface ManagementService { Observable<Id> deleteAllEntities(final UUID applicationId,final int limit); + Collection<String> passwordPolicyCheck(String password, boolean isAdminUser); + + String getPasswordDescription(boolean isAdminUser); + // DO NOT REMOVE BELOW METHODS, THEY ARE HERE TO ALLOW EXTERNAL CLASSES TO OVERRIDE AND HOOK INTO POST PROCESSING void createOrganizationPostProcessing( final OrganizationInfo orgInfo, http://git-wip-us.apache.org/repos/asf/usergrid/blob/70de6fde/stack/services/src/main/java/org/apache/usergrid/management/cassandra/ManagementServiceImpl.java ---------------------------------------------------------------------- diff --git a/stack/services/src/main/java/org/apache/usergrid/management/cassandra/ManagementServiceImpl.java b/stack/services/src/main/java/org/apache/usergrid/management/cassandra/ManagementServiceImpl.java index 2ba9bde..89375fd 100644 --- a/stack/services/src/main/java/org/apache/usergrid/management/cassandra/ManagementServiceImpl.java +++ b/stack/services/src/main/java/org/apache/usergrid/management/cassandra/ManagementServiceImpl.java @@ -3412,6 +3412,16 @@ public class ManagementServiceImpl implements ManagementService { return service.deleteAllEntities(CpNamingUtils.getApplicationScope(applicationId),limit); } + @Override + public Collection<String> passwordPolicyCheck(String password, boolean isAdminUser) { + return passwordPolicy.policyCheck(password, isAdminUser); + } + + @Override + public String getPasswordDescription(boolean isAdminUser) { + return passwordPolicy.getDescription(isAdminUser); + } + private String getProperty(String key) { String obj = properties.getProperty(key); if(StringUtils.isEmpty(obj))
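Review bot: The new interface methods `passwordPolicyCheck` and `getPasswordDescription` are added to the public `ManagementService` contract without Javadoc, so implementers cannot tell whether an empty collection or `null` signals an acceptable password, or what `isAdminUser` selects. Suggest `/** Checks {@code password} against the policy for admin ({@code true}) or application ({@code false}) users; returns the violated-rule messages, empty (never null) when the password is acceptable. */` on the first, and `/** Human-readable description of the password policy for admin or application users, suitable for showing on a form. */` on the second. The callers added in this diff invoke `size()` on the result, so the non-null return should be stated here and honoured by implementations.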
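Review bot: Both overrides delegate to a `passwordPolicy` field that is declared outside this hunk; if that collaborator is injected and can be left unset (presumably wired like the other dependencies of this class — not visible here), the reset flow will fail with a `NullPointerException` at the first policy check rather than at startup, so failing fast at the injection point with `Objects.requireNonNull(passwordPolicy, "passwordPolicy")` is worth considering. The resource callers in this commit call `size()` on the returned collection, so if `policyCheck` may return `null` this is the place to normalise it: `Collection<String> v = passwordPolicy.policyCheck(password, isAdminUser); return v == null ? Collections.emptyList() : v;` (both helpers are in `java.util`, which this file may need to import). A one-line Javadoc on each override, e.g. `/** Delegates to the configured password policy. */`, would also help readers who only see the implementation.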
