Search in sources :

Example 1 with PasswordPolicy

use of org.apache.syncope.core.persistence.api.entity.policy.PasswordPolicy in project syncope by apache.

the class PasswordGeneratorTest method issueSYNCOPE678.

@Test
public void issueSYNCOPE678() {
    String password = null;
    try {
        password = passwordGenerator.generate(Collections.<PasswordPolicy>emptyList());
    } catch (InvalidPasswordRuleConf e) {
        fail(e.getMessage());
    }
    assertNotNull(password);
    DefaultPasswordRuleConf pwdRuleConf1 = createBaseDefaultPasswordRuleConf();
    pwdRuleConf1.setMinLength(0);
    TestImplementation passwordRule1 = new TestImplementation();
    passwordRule1.setBody(POJOHelper.serialize(pwdRuleConf1));
    TestPasswordPolicy policy1 = new TestPasswordPolicy();
    password = null;
    try {
        password = passwordGenerator.generate(Collections.<PasswordPolicy>singletonList(policy1));
    } catch (InvalidPasswordRuleConf e) {
        fail(e.getMessage());
    }
    assertNotNull(password);
}
Also used : DefaultPasswordRuleConf(org.apache.syncope.common.lib.policy.DefaultPasswordRuleConf) InvalidPasswordRuleConf(org.apache.syncope.core.provisioning.api.utils.policy.InvalidPasswordRuleConf) PasswordPolicy(org.apache.syncope.core.persistence.api.entity.policy.PasswordPolicy) Test(org.junit.jupiter.api.Test)

Example 2 with PasswordPolicy

use of org.apache.syncope.core.persistence.api.entity.policy.PasswordPolicy in project syncope by apache.

the class PasswordGeneratorTest method startWithDigitAndWithAlpha.

@Test
public void startWithDigitAndWithAlpha() throws InvalidPasswordRuleConf {
    DefaultPasswordRuleConf pwdRuleConf1 = createBaseDefaultPasswordRuleConf();
    pwdRuleConf1.setMustStartWithDigit(true);
    TestImplementation passwordRule1 = new TestImplementation();
    passwordRule1.setBody(POJOHelper.serialize(pwdRuleConf1));
    TestPasswordPolicy policy1 = new TestPasswordPolicy();
    policy1.add(passwordRule1);
    DefaultPasswordRuleConf pwdRuleConf2 = createBaseDefaultPasswordRuleConf();
    pwdRuleConf2.setMustEndWithAlpha(true);
    TestImplementation passwordRule2 = new TestImplementation();
    passwordRule2.setBody(POJOHelper.serialize(pwdRuleConf2));
    TestPasswordPolicy policy2 = new TestPasswordPolicy();
    policy2.add(passwordRule2);
    List<PasswordPolicy> policies = new ArrayList<>();
    policies.add(policy1);
    policies.add(policy2);
    String generatedPassword = passwordGenerator.generate(policies);
    assertTrue(Character.isDigit(generatedPassword.charAt(0)));
    assertTrue(Character.isLetter(generatedPassword.charAt(generatedPassword.length() - 1)));
}
Also used : DefaultPasswordRuleConf(org.apache.syncope.common.lib.policy.DefaultPasswordRuleConf) PasswordPolicy(org.apache.syncope.core.persistence.api.entity.policy.PasswordPolicy) ArrayList(java.util.ArrayList) Test(org.junit.jupiter.api.Test)

Example 3 with PasswordPolicy

use of org.apache.syncope.core.persistence.api.entity.policy.PasswordPolicy in project syncope by apache.

the class JPAUserDAO method enforcePolicies.

@Transactional(readOnly = true)
@Override
public Pair<Boolean, Boolean> enforcePolicies(final User user) {
    // ------------------------------
    // Verify password policies
    // ------------------------------
    LOG.debug("Password Policy enforcement");
    try {
        int maxPPSpecHistory = 0;
        for (PasswordPolicy policy : getPasswordPolicies(user)) {
            if (user.getPassword() == null && !policy.isAllowNullPassword()) {
                throw new PasswordPolicyException("Password mandatory");
            }
            for (Implementation impl : policy.getRules()) {
                Optional<PasswordRule> rule = ImplementationManager.buildPasswordRule(impl);
                if (rule.isPresent()) {
                    rule.get().enforce(user);
                }
            }
            if (user.verifyPasswordHistory(user.getClearPassword(), policy.getHistoryLength())) {
                throw new PasswordPolicyException("Password value was used in the past: not allowed");
            }
            if (policy.getHistoryLength() > maxPPSpecHistory) {
                maxPPSpecHistory = policy.getHistoryLength();
            }
        }
        // update user's password history with encrypted password
        if (maxPPSpecHistory > 0 && user.getPassword() != null && !user.getPasswordHistory().contains(user.getPassword())) {
            user.getPasswordHistory().add(user.getPassword());
        }
        // keep only the last maxPPSpecHistory items in user's password history
        if (maxPPSpecHistory < user.getPasswordHistory().size()) {
            for (int i = 0; i < user.getPasswordHistory().size() - maxPPSpecHistory; i++) {
                user.getPasswordHistory().remove(i);
            }
        }
    } catch (Exception e) {
        LOG.error("Invalid password for {}", user, e);
        throw new InvalidEntityException(User.class, EntityViolationType.InvalidPassword, e.getMessage());
    } finally {
        // password has been validated, let's remove its clear version
        user.removeClearPassword();
    }
    // ------------------------------
    // Verify account policies
    // ------------------------------
    LOG.debug("Account Policy enforcement");
    boolean suspend = false;
    boolean propagateSuspension = false;
    try {
        if (user.getUsername() == null) {
            throw new AccountPolicyException("Null username");
        }
        if (adminUser.equals(user.getUsername()) || anonymousUser.equals(user.getUsername())) {
            throw new AccountPolicyException("Not allowed: " + user.getUsername());
        }
        if (!USERNAME_PATTERN.matcher(user.getUsername()).matches()) {
            throw new AccountPolicyException("Character(s) not allowed");
        }
        for (AccountPolicy policy : getAccountPolicies(user)) {
            for (Implementation impl : policy.getRules()) {
                Optional<AccountRule> rule = ImplementationManager.buildAccountRule(impl);
                if (rule.isPresent()) {
                    rule.get().enforce(user);
                }
            }
            suspend |= user.getFailedLogins() != null && policy.getMaxAuthenticationAttempts() > 0 && user.getFailedLogins() > policy.getMaxAuthenticationAttempts() && !user.isSuspended();
            propagateSuspension |= policy.isPropagateSuspension();
        }
    } catch (Exception e) {
        LOG.error("Invalid username for {}", user, e);
        throw new InvalidEntityException(User.class, EntityViolationType.InvalidUsername, e.getMessage());
    }
    return ImmutablePair.of(suspend, propagateSuspension);
}
Also used : PasswordRule(org.apache.syncope.core.persistence.api.dao.PasswordRule) AccountRule(org.apache.syncope.core.persistence.api.dao.AccountRule) JPAUser(org.apache.syncope.core.persistence.jpa.entity.user.JPAUser) User(org.apache.syncope.core.persistence.api.entity.user.User) AccountPolicyException(org.apache.syncope.core.provisioning.api.utils.policy.AccountPolicyException) Implementation(org.apache.syncope.core.persistence.api.entity.Implementation) NoResultException(javax.persistence.NoResultException) AccountPolicyException(org.apache.syncope.core.provisioning.api.utils.policy.AccountPolicyException) PasswordPolicyException(org.apache.syncope.core.provisioning.api.utils.policy.PasswordPolicyException) DelegatedAdministrationException(org.apache.syncope.core.spring.security.DelegatedAdministrationException) InvalidEntityException(org.apache.syncope.core.persistence.api.attrvalue.validation.InvalidEntityException) InvalidEntityException(org.apache.syncope.core.persistence.api.attrvalue.validation.InvalidEntityException) AccountPolicy(org.apache.syncope.core.persistence.api.entity.policy.AccountPolicy) PasswordPolicyException(org.apache.syncope.core.provisioning.api.utils.policy.PasswordPolicyException) PasswordPolicy(org.apache.syncope.core.persistence.api.entity.policy.PasswordPolicy) Transactional(org.springframework.transaction.annotation.Transactional)

Example 4 with PasswordPolicy

use of org.apache.syncope.core.persistence.api.entity.policy.PasswordPolicy in project syncope by apache.

the class JPARealmDAO method findSamePolicyChildren.

private <T extends Policy> List<Realm> findSamePolicyChildren(final Realm realm, final T policy) {
    List<Realm> result = new ArrayList<>();
    for (Realm child : findChildren(realm)) {
        if ((policy instanceof AccountPolicy && child.getAccountPolicy() == null || policy.equals(child.getAccountPolicy())) || (policy instanceof PasswordPolicy && child.getPasswordPolicy() == null || policy.equals(child.getPasswordPolicy()))) {
            result.add(child);
            result.addAll(findSamePolicyChildren(child, policy));
        }
    }
    return result;
}
Also used : AccountPolicy(org.apache.syncope.core.persistence.api.entity.policy.AccountPolicy) ArrayList(java.util.ArrayList) PasswordPolicy(org.apache.syncope.core.persistence.api.entity.policy.PasswordPolicy) Realm(org.apache.syncope.core.persistence.api.entity.Realm) JPARealm(org.apache.syncope.core.persistence.jpa.entity.JPARealm)

Example 5 with PasswordPolicy

use of org.apache.syncope.core.persistence.api.entity.policy.PasswordPolicy in project syncope by apache.

the class PolicyDataBinderImpl method getPolicy.

@SuppressWarnings("unchecked")
private <T extends Policy> T getPolicy(final T policy, final PolicyTO policyTO) {
    T result = policy;
    if (policyTO instanceof PasswordPolicyTO) {
        if (result == null) {
            result = (T) entityFactory.newEntity(PasswordPolicy.class);
        }
        PasswordPolicy passwordPolicy = PasswordPolicy.class.cast(result);
        PasswordPolicyTO passwordPolicyTO = PasswordPolicyTO.class.cast(policyTO);
        passwordPolicy.setAllowNullPassword(passwordPolicyTO.isAllowNullPassword());
        passwordPolicy.setHistoryLength(passwordPolicyTO.getHistoryLength());
        passwordPolicyTO.getRules().forEach(ruleKey -> {
            Implementation rule = implementationDAO.find(ruleKey);
            if (rule == null) {
                LOG.debug("Invalid " + Implementation.class.getSimpleName() + " {}, ignoring...", ruleKey);
            } else {
                passwordPolicy.add(rule);
            }
        });
        // remove all implementations not contained in the TO
        passwordPolicy.getRules().removeIf(implementation -> !passwordPolicyTO.getRules().contains(implementation.getKey()));
    } else if (policyTO instanceof AccountPolicyTO) {
        if (result == null) {
            result = (T) entityFactory.newEntity(AccountPolicy.class);
        }
        AccountPolicy accountPolicy = AccountPolicy.class.cast(result);
        AccountPolicyTO accountPolicyTO = AccountPolicyTO.class.cast(policyTO);
        accountPolicy.setMaxAuthenticationAttempts(accountPolicyTO.getMaxAuthenticationAttempts());
        accountPolicy.setPropagateSuspension(accountPolicyTO.isPropagateSuspension());
        accountPolicyTO.getRules().forEach(ruleKey -> {
            Implementation rule = implementationDAO.find(ruleKey);
            if (rule == null) {
                LOG.debug("Invalid " + Implementation.class.getSimpleName() + " {}, ignoring...", ruleKey);
            } else {
                accountPolicy.add(rule);
            }
        });
        // remove all implementations not contained in the TO
        accountPolicy.getRules().removeIf(implementation -> !accountPolicyTO.getRules().contains(implementation.getKey()));
        accountPolicy.getResources().clear();
        accountPolicyTO.getPassthroughResources().forEach(resourceName -> {
            ExternalResource resource = resourceDAO.find(resourceName);
            if (resource == null) {
                LOG.debug("Ignoring invalid resource {} ", resourceName);
            } else {
                accountPolicy.add(resource);
            }
        });
    } else if (policyTO instanceof PullPolicyTO) {
        if (result == null) {
            result = (T) entityFactory.newEntity(PullPolicy.class);
        }
        PullPolicy pullPolicy = PullPolicy.class.cast(result);
        PullPolicyTO pullPolicyTO = PullPolicyTO.class.cast(policyTO);
        pullPolicy.setConflictResolutionAction(pullPolicyTO.getConflictResolutionAction());
        pullPolicyTO.getCorrelationRules().forEach((type, impl) -> {
            AnyType anyType = anyTypeDAO.find(type);
            if (anyType == null) {
                LOG.debug("Invalid AnyType {} specified, ignoring...", type);
            } else {
                CorrelationRule correlationRule = pullPolicy.getCorrelationRule(anyType).orElse(null);
                if (correlationRule == null) {
                    correlationRule = entityFactory.newEntity(CorrelationRule.class);
                    correlationRule.setAnyType(anyType);
                    correlationRule.setPullPolicy(pullPolicy);
                    pullPolicy.add(correlationRule);
                }
                Implementation rule = implementationDAO.find(impl);
                if (rule == null) {
                    throw new NotFoundException("Implementation " + type);
                }
                correlationRule.setImplementation(rule);
            }
        });
        // remove all rules not contained in the TO
        pullPolicy.getCorrelationRules().removeIf(anyFilter -> !pullPolicyTO.getCorrelationRules().containsKey(anyFilter.getAnyType().getKey()));
    }
    if (result != null) {
        result.setDescription(policyTO.getDescription());
    }
    return result;
}
Also used : PullPolicy(org.apache.syncope.core.persistence.api.entity.policy.PullPolicy) Realm(org.apache.syncope.core.persistence.api.entity.Realm) LoggerFactory(org.slf4j.LoggerFactory) AnyType(org.apache.syncope.core.persistence.api.entity.AnyType) Autowired(org.springframework.beans.factory.annotation.Autowired) Entity(org.apache.syncope.core.persistence.api.entity.Entity) PolicyDataBinder(org.apache.syncope.core.provisioning.api.data.PolicyDataBinder) PasswordPolicy(org.apache.syncope.core.persistence.api.entity.policy.PasswordPolicy) RealmDAO(org.apache.syncope.core.persistence.api.dao.RealmDAO) ImplementationDAO(org.apache.syncope.core.persistence.api.dao.ImplementationDAO) PolicyTO(org.apache.syncope.common.lib.policy.PolicyTO) PasswordPolicyTO(org.apache.syncope.common.lib.policy.PasswordPolicyTO) Logger(org.slf4j.Logger) Policy(org.apache.syncope.core.persistence.api.entity.policy.Policy) Implementation(org.apache.syncope.core.persistence.api.entity.Implementation) Collectors(java.util.stream.Collectors) AnyTypeDAO(org.apache.syncope.core.persistence.api.dao.AnyTypeDAO) NotFoundException(org.apache.syncope.core.persistence.api.dao.NotFoundException) EntityFactory(org.apache.syncope.core.persistence.api.entity.EntityFactory) ExternalResource(org.apache.syncope.core.persistence.api.entity.resource.ExternalResource) AccountPolicy(org.apache.syncope.core.persistence.api.entity.policy.AccountPolicy) Component(org.springframework.stereotype.Component) CorrelationRule(org.apache.syncope.core.persistence.api.entity.policy.CorrelationRule) AccountPolicyTO(org.apache.syncope.common.lib.policy.AccountPolicyTO) PullPolicyTO(org.apache.syncope.common.lib.policy.PullPolicyTO) ExternalResourceDAO(org.apache.syncope.core.persistence.api.dao.ExternalResourceDAO) PullPolicyTO(org.apache.syncope.common.lib.policy.PullPolicyTO) NotFoundException(org.apache.syncope.core.persistence.api.dao.NotFoundException) AccountPolicyTO(org.apache.syncope.common.lib.policy.AccountPolicyTO) ExternalResource(org.apache.syncope.core.persistence.api.entity.resource.ExternalResource) Implementation(org.apache.syncope.core.persistence.api.entity.Implementation) AccountPolicy(org.apache.syncope.core.persistence.api.entity.policy.AccountPolicy) PasswordPolicy(org.apache.syncope.core.persistence.api.entity.policy.PasswordPolicy) PullPolicy(org.apache.syncope.core.persistence.api.entity.policy.PullPolicy) CorrelationRule(org.apache.syncope.core.persistence.api.entity.policy.CorrelationRule) AnyType(org.apache.syncope.core.persistence.api.entity.AnyType) PasswordPolicyTO(org.apache.syncope.common.lib.policy.PasswordPolicyTO)

Aggregations

PasswordPolicy (org.apache.syncope.core.persistence.api.entity.policy.PasswordPolicy)17 ArrayList (java.util.ArrayList)8 DefaultPasswordRuleConf (org.apache.syncope.common.lib.policy.DefaultPasswordRuleConf)7 AccountPolicy (org.apache.syncope.core.persistence.api.entity.policy.AccountPolicy)7 ExternalResource (org.apache.syncope.core.persistence.api.entity.resource.ExternalResource)7 Test (org.junit.jupiter.api.Test)7 Implementation (org.apache.syncope.core.persistence.api.entity.Implementation)6 Realm (org.apache.syncope.core.persistence.api.entity.Realm)6 SyncopeClientException (org.apache.syncope.common.lib.SyncopeClientException)3 Policy (org.apache.syncope.core.persistence.api.entity.policy.Policy)3 PullPolicy (org.apache.syncope.core.persistence.api.entity.policy.PullPolicy)3 InvalidPasswordRuleConf (org.apache.syncope.core.provisioning.api.utils.policy.InvalidPasswordRuleConf)3 List (java.util.List)2 StringUtils (org.apache.commons.lang3.StringUtils)2 AccountPolicyTO (org.apache.syncope.common.lib.policy.AccountPolicyTO)2 PasswordPolicyTO (org.apache.syncope.common.lib.policy.PasswordPolicyTO)2 PullPolicyTO (org.apache.syncope.common.lib.policy.PullPolicyTO)2 ExternalResourceDAO (org.apache.syncope.core.persistence.api.dao.ExternalResourceDAO)2 OrgUnit (org.apache.syncope.core.persistence.api.entity.resource.OrgUnit)2 Provision (org.apache.syncope.core.persistence.api.entity.resource.Provision)2