All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.cloudfoundry.identity.uaa.account.UaaResetPasswordService Maven / Gradle / Ivy

/*******************************************************************************
 *     Cloud Foundry
 *     Copyright (c) [2009-2016] Pivotal Software, Inc. All Rights Reserved.
 *
 *     This product is licensed to you under the Apache License, Version 2.0 (the "License").
 *     You may not use this product except in compliance with the License.
 *
 *     This product includes a number of subcomponents with
 *     separate copyright notices and license terms. Your use of these
 *     subcomponents is subject to the terms and conditions of the
 *     subcomponent's license, as noted in the LICENSE file.
 *******************************************************************************/
package org.cloudfoundry.identity.uaa.account;

import org.cloudfoundry.identity.uaa.account.event.PasswordChangeEvent;
import org.cloudfoundry.identity.uaa.account.event.PasswordChangeFailureEvent;
import org.cloudfoundry.identity.uaa.account.event.ResetPasswordRequestEvent;
import org.cloudfoundry.identity.uaa.authentication.InvalidCodeException;
import org.cloudfoundry.identity.uaa.authentication.UaaAuthentication;
import org.cloudfoundry.identity.uaa.authentication.UaaPrincipal;
import org.cloudfoundry.identity.uaa.codestore.ExpiringCode;
import org.cloudfoundry.identity.uaa.codestore.ExpiringCodeStore;
import org.cloudfoundry.identity.uaa.constants.OriginKeys;
import org.cloudfoundry.identity.uaa.error.UaaException;
import org.cloudfoundry.identity.uaa.scim.ScimUser;
import org.cloudfoundry.identity.uaa.scim.ScimUserProvisioning;
import org.cloudfoundry.identity.uaa.scim.endpoints.PasswordChange;
import org.cloudfoundry.identity.uaa.scim.exception.InvalidPasswordException;
import org.cloudfoundry.identity.uaa.scim.validate.PasswordValidator;
import org.cloudfoundry.identity.uaa.user.UaaUser;
import org.cloudfoundry.identity.uaa.util.JsonUtils;
import org.cloudfoundry.identity.uaa.util.UaaUrlUtils;
import org.cloudfoundry.identity.uaa.zone.ClientServicesExtension;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ApplicationEventPublisherAware;
import org.springframework.core.io.support.ResourcePropertySource;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.NoSuchClientException;

import java.sql.Timestamp;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Set;

import static java.util.Collections.emptyList;
import static org.springframework.http.HttpStatus.UNPROCESSABLE_ENTITY;
import static org.springframework.util.StringUtils.isEmpty;

public class UaaResetPasswordService implements ResetPasswordService, ApplicationEventPublisherAware {

    public static final int PASSWORD_RESET_LIFETIME = 30 * 60 * 1000;
    public static final String FORGOT_PASSWORD_INTENT_PREFIX = "forgot_password_for_id:";

    private final ScimUserProvisioning scimUserProvisioning;
    private final ExpiringCodeStore expiringCodeStore;
    private final PasswordValidator passwordValidator;
    private final ClientServicesExtension clientDetailsService;
    private ResourcePropertySource resourcePropertySource;
    private ApplicationEventPublisher publisher;

    public UaaResetPasswordService(ScimUserProvisioning scimUserProvisioning,
                                   ExpiringCodeStore expiringCodeStore,
                                   PasswordValidator passwordValidator,
                                   ClientServicesExtension clientDetailsService,
                                   ResourcePropertySource resourcePropertySource) {
        this.scimUserProvisioning = scimUserProvisioning;
        this.expiringCodeStore = expiringCodeStore;
        this.passwordValidator = passwordValidator;
        this.clientDetailsService = clientDetailsService;
        this.resourcePropertySource = resourcePropertySource;
    }

    @Override
    public ResetPasswordResponse resetPassword(ExpiringCode code, String newPassword) {
        passwordValidator.validate(newPassword);
        return changePasswordCodeAuthenticated(code, newPassword);
    }

    @Override
    public void resetUserPassword(String userId, String password) {
        if (scimUserProvisioning.checkPasswordMatches(userId, password, IdentityZoneHolder.get().getId())) {
            throw new InvalidPasswordException(resourcePropertySource.getProperty("force_password_change.same_as_old").toString(), UNPROCESSABLE_ENTITY);
        }
        passwordValidator.validate(password);
        ScimUser user = scimUserProvisioning.retrieve(userId, IdentityZoneHolder.get().getId());
        UaaUser uaaUser = getUaaUser(user);
        Authentication authentication = constructAuthentication(uaaUser);
        updatePasswordAndPublishEvent(scimUserProvisioning, uaaUser, authentication, password);
    }

    private ResetPasswordResponse changePasswordCodeAuthenticated(ExpiringCode expiringCode, String newPassword) {
        String userId;
        String userName;
        Date passwordLastModified;
        String clientId;
        String redirectUri;
        PasswordChange change;
        try {
            change = JsonUtils.readValue(expiringCode.getData(), PasswordChange.class);
        } catch (JsonUtils.JsonUtilException x) {
            throw new InvalidCodeException("invalid_code", "Sorry, your reset password link is no longer valid. Please request a new one", 422);
        }
        userId = change.getUserId();
        userName = change.getUsername();
        passwordLastModified = change.getPasswordModifiedTime();
        clientId = change.getClientId();
        redirectUri = change.getRedirectUri();

        ScimUser user = scimUserProvisioning.retrieve(userId, IdentityZoneHolder.get().getId());
        UaaUser uaaUser = getUaaUser(user);
        Authentication authentication = constructAuthentication(uaaUser);
        try {
            if (scimUserProvisioning.checkPasswordMatches(userId, newPassword, IdentityZoneHolder.get().getId())) {
                throw new InvalidPasswordException("Your new password cannot be the same as the old password.", UNPROCESSABLE_ENTITY);
            }
            if (isUserModified(user, userName, passwordLastModified)) {
                throw new UaaException("Invalid password reset request.");
            }
            if (!user.isVerified()) {
                scimUserProvisioning.verifyUser(userId, -1, IdentityZoneHolder.get().getId());
            }

            updatePasswordAndPublishEvent(scimUserProvisioning, uaaUser, authentication, newPassword);

            String redirectLocation = "home";
            if (!isEmpty(clientId) && !isEmpty(redirectUri)) {
                try {
                    ClientDetails clientDetails = clientDetailsService.loadClientByClientId(clientId, IdentityZoneHolder.get().getId());
                    Set redirectUris = clientDetails.getRegisteredRedirectUri() == null ? Collections.emptySet() :
                        clientDetails.getRegisteredRedirectUri();
                    String matchingRedirectUri = UaaUrlUtils.findMatchingRedirectUri(redirectUris, redirectUri, redirectLocation);
                    if (matchingRedirectUri != null) {
                        redirectLocation = matchingRedirectUri;
                    }
                } catch (NoSuchClientException nsce) {}
            }
            return new ResetPasswordResponse(user, redirectLocation, clientId);
        } catch (Exception e) {

            publish(new PasswordChangeFailureEvent(e.getMessage(), uaaUser, authentication));
            throw e;
        }
    }

    @Override
    public ForgotPasswordInfo forgotPassword(String username, String clientId, String redirectUri) {
        String jsonUsername = JsonUtils.writeValueAsString(username);
        List results = scimUserProvisioning.query("userName eq " + jsonUsername + " and origin eq \"" + OriginKeys.UAA + "\"", IdentityZoneHolder.get().getId());
        if (results.isEmpty()) {
            results = scimUserProvisioning.query("userName eq " + jsonUsername, IdentityZoneHolder.get().getId());
            if (results.isEmpty()) {
                throw new NotFoundException();
            } else {
                throw new ConflictException(results.get(0).getId(), results.get(0).getPrimaryEmail());
            }
        }
        ScimUser scimUser = results.get(0);

        PasswordChange change = new PasswordChange(scimUser.getId(), scimUser.getUserName(), scimUser.getPasswordLastModified(), clientId, redirectUri);
        String intent = FORGOT_PASSWORD_INTENT_PREFIX+scimUser.getId();
        expiringCodeStore.expireByIntent(intent, IdentityZoneHolder.get().getId());
        ExpiringCode code = expiringCodeStore.generateCode(JsonUtils.writeValueAsString(change), new Timestamp(System.currentTimeMillis() + PASSWORD_RESET_LIFETIME), intent, IdentityZoneHolder.get().getId());

        String email = scimUser.getPrimaryEmail();
        if (email == null) {
            email = scimUser.getUserName();
        }

        publish(new ResetPasswordRequestEvent(username, email, code.getCode(), SecurityContextHolder.getContext().getAuthentication()));
        return new ForgotPasswordInfo(scimUser.getId(), email, code);
    }

    private boolean isUserModified(ScimUser user, String userName, Date passwordLastModified) {
        boolean modified = false;
        if (userName != null) {
            modified = !(userName.equals(user.getUserName()));
        }
        if (passwordLastModified != null && (!modified)) {
            modified = user.getPasswordLastModified().getTime() != passwordLastModified.getTime();
        }
        return modified;
    }

    private UaaUser getUaaUser(ScimUser scimUser) {
        Date today = new Date();
        return new UaaUser(scimUser.getId(), scimUser.getUserName(), "N/A", scimUser.getPrimaryEmail(), null,
            scimUser.getGivenName(),
            scimUser.getFamilyName(), today, today,
            scimUser.getOrigin(), scimUser.getExternalId(), scimUser.isVerified(), scimUser.getZoneId(), scimUser.getSalt(),
            scimUser.getPasswordLastModified());
    }

    @Override
    public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
        this.publisher = applicationEventPublisher;
    }

    protected void publish(ApplicationEvent event) {
        if (publisher!=null) {
            publisher.publishEvent(event);
        }
    }

    private UaaAuthentication constructAuthentication(UaaUser uaaUser) {
        return new UaaAuthentication(new UaaPrincipal(uaaUser), emptyList(), null);
    }

    private void updatePasswordAndPublishEvent(ScimUserProvisioning scimUserProvisioning, UaaUser uaaUser, Authentication authentication, String newPassword){
        scimUserProvisioning.changePassword(uaaUser.getId(), null, newPassword, IdentityZoneHolder.get().getId());
        scimUserProvisioning.updatePasswordChangeRequired(uaaUser.getId(), false, IdentityZoneHolder.get().getId());
        publish(new PasswordChangeEvent("Password changed", uaaUser, authentication));
    }
}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy