use of org.alfresco.repo.security.authentication.ResetPasswordServiceImpl in project alfresco-remote-api by Alfresco.
the class TestPeople method testResetPassword.
/**
* Tests reset password.
* <p>POST:</p>
* <ul>
* <li> {@literal <host>:<port>/alfresco/api/<networkId>/public/alfresco/versions/1/people/<userId>/request-password-reset} </li>
* <li> {@literal <host>:<port>/alfresco/api/<networkId>/public/alfresco/versions/1/people/<userId>/reset-password} </li>
* </ul>
*/
@Test
public void testResetPassword() throws Exception {
// As Admin, create a user
setRequestContext(account1.getId(), account1Admin, "admin");
Person person = new Person();
person.setUserName("john.doe@" + account1.getId());
person.setFirstName("John");
person.setLastName("Doe");
person.setEmail("john.doe@alfresco.com");
person.setEnabled(true);
person.setEmailNotificationsEnabled(true);
person.setPassword("password");
people.create(person);
// un-authenticated API
setRequestContext(account1.getId(), null, null);
// Just try to login, to test the new created user credential
LoginTicket loginRequest = new LoginTicket();
loginRequest.setUserId(person.getUserName());
loginRequest.setPassword(person.getPassword());
// Authenticate and create a ticket
HttpResponse response = post("tickets", RestApiUtil.toJsonAsString(loginRequest), null, null, "authentication", 201);
LoginTicketResponse loginResponse = RestApiUtil.parseRestApiEntry(response.getJsonResponse(), LoginTicketResponse.class);
assertNotNull(loginResponse.getId());
assertNotNull(loginResponse.getUserId());
/**
* Reset Password
*/
// First make the service to send a synchronous email
ResetPasswordServiceImpl passwordService = applicationContext.getBean("resetPasswordService", ResetPasswordServiceImpl.class);
passwordService.setSendEmailAsynchronously(false);
// Get the 'mail' bean in a test mode.
EmailUtil emailUtil = new EmailUtil(applicationContext);
try {
// Un-authenticated API
setRequestContext(account1.getId(), null, null);
// Reset email (just in case other tests didn't clean up...)
emailUtil.reset();
// Request reset password
Client client = new Client().setClient("share");
post(getRequestResetPasswordUrl(person.getUserName()), RestApiUtil.toJsonAsString(client), 202);
assertEquals("A reset password email should have been sent.", 1, emailUtil.getSentCount());
MimeMessage msg = emailUtil.getLastEmail();
assertNotNull("There should be an email.", msg);
assertEquals("Should've been only one email recipient.", 1, msg.getAllRecipients().length);
// Check the recipient is the person who requested the reset password
assertEquals(person.getEmail(), msg.getAllRecipients()[0].toString());
// There should be a subject
assertNotNull("There should be a subject.", msg.getSubject());
// Check the reset password url.
String resetPasswordUrl = (String) emailUtil.getLastEmailTemplateModelValue("reset_password_url");
assertNotNull("Wrong email is sent.", resetPasswordUrl);
// Get the workflow id and key
org.alfresco.util.Pair<String, String> pair = getWorkflowIdAndKeyFromUrl(resetPasswordUrl);
assertNotNull("Workflow Id can't be null.", pair.getFirst());
assertNotNull("Workflow Key can't be null.", pair.getSecond());
// Reset the email helper, to get rid of the request reset password email
emailUtil.reset();
// Un-authenticated APIs as we are still using the 'setRequestContext(account1.getId(), null, null)' set above.
// Reset the password
PasswordReset passwordReset = new PasswordReset().setPassword("changed").setId(pair.getFirst()).setKey(pair.getSecond());
post(getResetPasswordUrl(person.getUserName()), RestApiUtil.toJsonAsString(passwordReset), 202);
assertEquals("A reset password confirmation email should have been sent.", 1, emailUtil.getSentCount());
msg = emailUtil.getLastEmail();
assertNotNull("There should be an email.", msg);
assertEquals("Should've been only one email recipient.", 1, msg.getAllRecipients().length);
assertEquals(person.getEmail(), msg.getAllRecipients()[0].toString());
// There should be a subject
assertNotNull("There should be a subject.", msg.getSubject());
// Try to login with old credential
post("tickets", RestApiUtil.toJsonAsString(loginRequest), null, null, "authentication", 403);
// Set the new password
loginRequest.setPassword(passwordReset.getPassword());
response = post("tickets", RestApiUtil.toJsonAsString(loginRequest), null, null, "authentication", 201);
loginResponse = RestApiUtil.parseRestApiEntry(response.getJsonResponse(), LoginTicketResponse.class);
assertNotNull(loginResponse.getId());
assertNotNull(loginResponse.getUserId());
/*
* Negative tests
*/
// First, reset the email helper
emailUtil.reset();
// Try reset with the used workflow
// Note: we still return 202 response for security reasons
passwordReset.setPassword("changedAgain");
post(getResetPasswordUrl(person.getUserName()), RestApiUtil.toJsonAsString(passwordReset), 202);
assertEquals("No email should have been sent.", 0, emailUtil.getSentCount());
// Request reset password - Invalid user (user does not exist)
post(getRequestResetPasswordUrl(System.currentTimeMillis() + "noUser"), RestApiUtil.toJsonAsString(client), 202);
assertEquals("No email should have been sent.", 0, emailUtil.getSentCount());
// As Admin disable the user
setRequestContext(account1.getId(), account1Admin, "admin");
Map<String, String> params = Collections.singletonMap("fields", "enabled");
Person updatedPerson = people.update(person.getUserName(), qjson("{`enabled`:" + false + "}"), params, 200);
assertFalse(updatedPerson.isEnabled());
// Un-authenticated API
setRequestContext(account1.getId(), null, null);
// Request reset password - Invalid user (user is disabled)
post(getRequestResetPasswordUrl(person.getUserName()), RestApiUtil.toJsonAsString(client), 202);
assertEquals("No email should have been sent.", 0, emailUtil.getSentCount());
// Client is not specified
client = new Client();
post(getRequestResetPasswordUrl(person.getUserName()), RestApiUtil.toJsonAsString(client), 400);
// Reset password
// First, reset the email helper and enable the user
emailUtil.reset();
// As Admin enable the user
setRequestContext(account1.getId(), account1Admin, "admin");
params = Collections.singletonMap("fields", "enabled");
updatedPerson = people.update(person.getUserName(), qjson("{`enabled`:" + true + "}"), params, 200);
assertTrue(updatedPerson.isEnabled());
// Un-authenticated API
setRequestContext(account1.getId(), null, null);
client = new Client().setClient("share");
post(getRequestResetPasswordUrl(person.getUserName()), RestApiUtil.toJsonAsString(client), 202);
assertEquals("A reset password email should have been sent.", 1, emailUtil.getSentCount());
resetPasswordUrl = (String) emailUtil.getLastEmailTemplateModelValue("reset_password_url");
// Check the reset password url.
assertNotNull("Wrong email is sent.", resetPasswordUrl);
// Get the workflow id and key
pair = getWorkflowIdAndKeyFromUrl(resetPasswordUrl);
assertNotNull("Workflow Id can't be null.", pair.getFirst());
assertNotNull("Workflow Key can't be null.", pair.getSecond());
// Reset the email helper, to get rid of the request reset password email
emailUtil.reset();
// Invalid request - password is not provided
PasswordReset passwordResetInvalid = new PasswordReset().setId(pair.getFirst()).setKey(pair.getSecond());
post(getResetPasswordUrl(person.getUserName()), RestApiUtil.toJsonAsString(passwordResetInvalid), 400);
// Invalid request - workflow id is not provided
passwordResetInvalid.setPassword("changedAgain").setId(null);
post(getResetPasswordUrl(person.getUserName()), RestApiUtil.toJsonAsString(passwordResetInvalid), 400);
// Invalid request - workflow key is not provided
passwordResetInvalid.setId(pair.getFirst()).setKey(null);
post(getResetPasswordUrl(person.getUserName()), RestApiUtil.toJsonAsString(passwordResetInvalid), 400);
// Invalid request - Invalid workflow id
// Note: we still return 202 response for security reasons
passwordResetInvalid = new PasswordReset().setPassword("changedAgain").setId(// Invalid Id
"activiti$" + System.currentTimeMillis()).setKey(pair.getSecond());
post(getResetPasswordUrl(person.getUserName()), RestApiUtil.toJsonAsString(passwordResetInvalid), 202);
assertEquals("No email should have been sent.", 0, emailUtil.getSentCount());
// Invalid request - Invalid workflow key
// Note: we still return 202 response for security reasons
passwordResetInvalid = new PasswordReset().setPassword("changedAgain").setId(pair.getFirst()).setKey(// Invalid Key
GUID.generate());
post(getResetPasswordUrl(person.getUserName()), RestApiUtil.toJsonAsString(passwordResetInvalid), 202);
assertEquals("No email should have been sent.", 0, emailUtil.getSentCount());
// Invalid request (not the same user) - The given user id 'user1' does not match the person's user id who requested the password reset.
// Note: we still return 202 response for security reasons
passwordResetInvalid = new PasswordReset().setPassword("changedAgain").setId(pair.getFirst()).setKey(pair.getSecond());
post(getResetPasswordUrl(user1), RestApiUtil.toJsonAsString(passwordResetInvalid), 202);
assertEquals("No email should have been sent.", 0, emailUtil.getSentCount());
} finally {
passwordService.setSendEmailAsynchronously(true);
emailUtil.reset();
}
}
Aggregations