Search in sources :

Example 1 with ResetPasswordServiceImpl

use of org.alfresco.repo.security.authentication.ResetPasswordServiceImpl in project alfresco-remote-api by Alfresco.

the class TestPeople method testResetPassword.

/**
 * Tests reset password.
 * <p>POST:</p>
 * <ul>
 * <li> {@literal <host>:<port>/alfresco/api/<networkId>/public/alfresco/versions/1/people/<userId>/request-password-reset} </li>
 * <li> {@literal <host>:<port>/alfresco/api/<networkId>/public/alfresco/versions/1/people/<userId>/reset-password} </li>
 * </ul>
 */
@Test
public void testResetPassword() throws Exception {
    // As Admin, create a user
    setRequestContext(account1.getId(), account1Admin, "admin");
    Person person = new Person();
    person.setUserName("john.doe@" + account1.getId());
    person.setFirstName("John");
    person.setLastName("Doe");
    person.setEmail("john.doe@alfresco.com");
    person.setEnabled(true);
    person.setEmailNotificationsEnabled(true);
    person.setPassword("password");
    people.create(person);
    // un-authenticated API
    setRequestContext(account1.getId(), null, null);
    // Just try to login, to test the new created user credential
    LoginTicket loginRequest = new LoginTicket();
    loginRequest.setUserId(person.getUserName());
    loginRequest.setPassword(person.getPassword());
    // Authenticate and create a ticket
    HttpResponse response = post("tickets", RestApiUtil.toJsonAsString(loginRequest), null, null, "authentication", 201);
    LoginTicketResponse loginResponse = RestApiUtil.parseRestApiEntry(response.getJsonResponse(), LoginTicketResponse.class);
    assertNotNull(loginResponse.getId());
    assertNotNull(loginResponse.getUserId());
    /**
     * Reset Password
     */
    // First make the service to send a synchronous email
    ResetPasswordServiceImpl passwordService = applicationContext.getBean("resetPasswordService", ResetPasswordServiceImpl.class);
    passwordService.setSendEmailAsynchronously(false);
    // Get the 'mail' bean in a test mode.
    EmailUtil emailUtil = new EmailUtil(applicationContext);
    try {
        // Un-authenticated API
        setRequestContext(account1.getId(), null, null);
        // Reset email (just in case other tests didn't clean up...)
        emailUtil.reset();
        // Request reset password
        Client client = new Client().setClient("share");
        post(getRequestResetPasswordUrl(person.getUserName()), RestApiUtil.toJsonAsString(client), 202);
        assertEquals("A reset password email should have been sent.", 1, emailUtil.getSentCount());
        MimeMessage msg = emailUtil.getLastEmail();
        assertNotNull("There should be an email.", msg);
        assertEquals("Should've been only one email recipient.", 1, msg.getAllRecipients().length);
        // Check the recipient is the person who requested the reset password
        assertEquals(person.getEmail(), msg.getAllRecipients()[0].toString());
        // There should be a subject
        assertNotNull("There should be a subject.", msg.getSubject());
        // Check the reset password url.
        String resetPasswordUrl = (String) emailUtil.getLastEmailTemplateModelValue("reset_password_url");
        assertNotNull("Wrong email is sent.", resetPasswordUrl);
        // Get the workflow id and key
        org.alfresco.util.Pair<String, String> pair = getWorkflowIdAndKeyFromUrl(resetPasswordUrl);
        assertNotNull("Workflow Id can't be null.", pair.getFirst());
        assertNotNull("Workflow Key can't be null.", pair.getSecond());
        // Reset the email helper, to get rid of the request reset password email
        emailUtil.reset();
        // Un-authenticated APIs as we are still using the 'setRequestContext(account1.getId(), null, null)' set above.
        // Reset the password
        PasswordReset passwordReset = new PasswordReset().setPassword("changed").setId(pair.getFirst()).setKey(pair.getSecond());
        post(getResetPasswordUrl(person.getUserName()), RestApiUtil.toJsonAsString(passwordReset), 202);
        assertEquals("A reset password confirmation email should have been sent.", 1, emailUtil.getSentCount());
        msg = emailUtil.getLastEmail();
        assertNotNull("There should be an email.", msg);
        assertEquals("Should've been only one email recipient.", 1, msg.getAllRecipients().length);
        assertEquals(person.getEmail(), msg.getAllRecipients()[0].toString());
        // There should be a subject
        assertNotNull("There should be a subject.", msg.getSubject());
        // Try to login with old credential
        post("tickets", RestApiUtil.toJsonAsString(loginRequest), null, null, "authentication", 403);
        // Set the new password
        loginRequest.setPassword(passwordReset.getPassword());
        response = post("tickets", RestApiUtil.toJsonAsString(loginRequest), null, null, "authentication", 201);
        loginResponse = RestApiUtil.parseRestApiEntry(response.getJsonResponse(), LoginTicketResponse.class);
        assertNotNull(loginResponse.getId());
        assertNotNull(loginResponse.getUserId());
        /*
             * Negative tests
             */
        // First, reset the email helper
        emailUtil.reset();
        // Try reset with the used workflow
        // Note: we still return 202 response for security reasons
        passwordReset.setPassword("changedAgain");
        post(getResetPasswordUrl(person.getUserName()), RestApiUtil.toJsonAsString(passwordReset), 202);
        assertEquals("No email should have been sent.", 0, emailUtil.getSentCount());
        // Request reset password - Invalid user (user does not exist)
        post(getRequestResetPasswordUrl(System.currentTimeMillis() + "noUser"), RestApiUtil.toJsonAsString(client), 202);
        assertEquals("No email should have been sent.", 0, emailUtil.getSentCount());
        // As Admin disable the user
        setRequestContext(account1.getId(), account1Admin, "admin");
        Map<String, String> params = Collections.singletonMap("fields", "enabled");
        Person updatedPerson = people.update(person.getUserName(), qjson("{`enabled`:" + false + "}"), params, 200);
        assertFalse(updatedPerson.isEnabled());
        // Un-authenticated API
        setRequestContext(account1.getId(), null, null);
        // Request reset password - Invalid user (user is disabled)
        post(getRequestResetPasswordUrl(person.getUserName()), RestApiUtil.toJsonAsString(client), 202);
        assertEquals("No email should have been sent.", 0, emailUtil.getSentCount());
        // Client is not specified
        client = new Client();
        post(getRequestResetPasswordUrl(person.getUserName()), RestApiUtil.toJsonAsString(client), 400);
        // Reset password
        // First, reset the email helper and enable the user
        emailUtil.reset();
        // As Admin enable the user
        setRequestContext(account1.getId(), account1Admin, "admin");
        params = Collections.singletonMap("fields", "enabled");
        updatedPerson = people.update(person.getUserName(), qjson("{`enabled`:" + true + "}"), params, 200);
        assertTrue(updatedPerson.isEnabled());
        // Un-authenticated API
        setRequestContext(account1.getId(), null, null);
        client = new Client().setClient("share");
        post(getRequestResetPasswordUrl(person.getUserName()), RestApiUtil.toJsonAsString(client), 202);
        assertEquals("A reset password email should have been sent.", 1, emailUtil.getSentCount());
        resetPasswordUrl = (String) emailUtil.getLastEmailTemplateModelValue("reset_password_url");
        // Check the reset password url.
        assertNotNull("Wrong email is sent.", resetPasswordUrl);
        // Get the workflow id and key
        pair = getWorkflowIdAndKeyFromUrl(resetPasswordUrl);
        assertNotNull("Workflow Id can't be null.", pair.getFirst());
        assertNotNull("Workflow Key can't be null.", pair.getSecond());
        // Reset the email helper, to get rid of the request reset password email
        emailUtil.reset();
        // Invalid request - password is not provided
        PasswordReset passwordResetInvalid = new PasswordReset().setId(pair.getFirst()).setKey(pair.getSecond());
        post(getResetPasswordUrl(person.getUserName()), RestApiUtil.toJsonAsString(passwordResetInvalid), 400);
        // Invalid request - workflow id is not provided
        passwordResetInvalid.setPassword("changedAgain").setId(null);
        post(getResetPasswordUrl(person.getUserName()), RestApiUtil.toJsonAsString(passwordResetInvalid), 400);
        // Invalid request - workflow key is not provided
        passwordResetInvalid.setId(pair.getFirst()).setKey(null);
        post(getResetPasswordUrl(person.getUserName()), RestApiUtil.toJsonAsString(passwordResetInvalid), 400);
        // Invalid request - Invalid workflow id
        // Note: we still return 202 response for security reasons
        passwordResetInvalid = new PasswordReset().setPassword("changedAgain").setId(// Invalid Id
        "activiti$" + System.currentTimeMillis()).setKey(pair.getSecond());
        post(getResetPasswordUrl(person.getUserName()), RestApiUtil.toJsonAsString(passwordResetInvalid), 202);
        assertEquals("No email should have been sent.", 0, emailUtil.getSentCount());
        // Invalid request - Invalid workflow key
        // Note: we still return 202 response for security reasons
        passwordResetInvalid = new PasswordReset().setPassword("changedAgain").setId(pair.getFirst()).setKey(// Invalid Key
        GUID.generate());
        post(getResetPasswordUrl(person.getUserName()), RestApiUtil.toJsonAsString(passwordResetInvalid), 202);
        assertEquals("No email should have been sent.", 0, emailUtil.getSentCount());
        // Invalid request (not the same user) - The given user id 'user1' does not match the person's user id who requested the password reset.
        // Note: we still return 202 response for security reasons
        passwordResetInvalid = new PasswordReset().setPassword("changedAgain").setId(pair.getFirst()).setKey(pair.getSecond());
        post(getResetPasswordUrl(user1), RestApiUtil.toJsonAsString(passwordResetInvalid), 202);
        assertEquals("No email should have been sent.", 0, emailUtil.getSentCount());
    } finally {
        passwordService.setSendEmailAsynchronously(true);
        emailUtil.reset();
    }
}
Also used : HttpResponse(org.alfresco.rest.api.tests.client.HttpResponse) EmailUtil(org.alfresco.util.email.EmailUtil) ResetPasswordServiceImpl(org.alfresco.repo.security.authentication.ResetPasswordServiceImpl) LoginTicket(org.alfresco.rest.api.model.LoginTicket) LoginTicketResponse(org.alfresco.rest.api.model.LoginTicketResponse) MimeMessage(javax.mail.internet.MimeMessage) PasswordReset(org.alfresco.rest.api.model.PasswordReset) Client(org.alfresco.rest.api.model.Client) PublicApiClient(org.alfresco.rest.api.tests.client.PublicApiClient) Person(org.alfresco.rest.api.tests.client.data.Person) Test(org.junit.Test)

Aggregations

MimeMessage (javax.mail.internet.MimeMessage)1 ResetPasswordServiceImpl (org.alfresco.repo.security.authentication.ResetPasswordServiceImpl)1 Client (org.alfresco.rest.api.model.Client)1 LoginTicket (org.alfresco.rest.api.model.LoginTicket)1 LoginTicketResponse (org.alfresco.rest.api.model.LoginTicketResponse)1 PasswordReset (org.alfresco.rest.api.model.PasswordReset)1 HttpResponse (org.alfresco.rest.api.tests.client.HttpResponse)1 PublicApiClient (org.alfresco.rest.api.tests.client.PublicApiClient)1 Person (org.alfresco.rest.api.tests.client.data.Person)1 EmailUtil (org.alfresco.util.email.EmailUtil)1 Test (org.junit.Test)1