Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve rule-based password expiry validation. #846

Merged
merged 4 commits into from
Aug 29, 2024
Merged

Improve rule-based password expiry validation. #846

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
1e0c46f
Add validations
PasinduYeshan Aug 26, 2024
647de32
Refactor
PasinduYeshan Aug 26, 2024
494ce44
Retrieve roles assigned through groups.
PasinduYeshan Aug 27, 2024
8649ee5
Refactor logic
PasinduYeshan Aug 27, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions ...main/java/org/wso2/carbon/identity/password/expiry/constants/PasswordPolicyConstants.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,7 @@ public class PasswordPolicyConstants {
public static final String CONFIRMATION_QUERY_PARAM = "&confirmation=";
public static final String PASSWORD_EXPIRED_QUERY_PARAMS = "&passwordExpired=true";
public static final String PASSWORD_EXPIRY_RULES_PREFIX = "passwordExpiry.rule";
public static final Integer MAX_PASSWORD_EXPIRY_RULE_VALUES = 5;

public enum ErrorMessages {
ERROR_WHILE_GETTING_USER_STORE_DOMAIN("80001",
Expand Down
16 changes: 15 additions & 1 deletion ...iry/src/main/java/org/wso2/carbon/identity/password/expiry/models/PasswordExpiryRule.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@
package org.wso2.carbon.identity.password.expiry.models;

import org.apache.commons.lang.StringUtils;
import org.wso2.carbon.identity.password.expiry.constants.PasswordPolicyConstants;

import java.util.ArrayList;
import java.util.List;
Expand All @@ -40,7 +41,7 @@ public PasswordExpiryRule(String rule) throws IllegalArgumentException{
try {
// Rule format: "priority,expiryDays,attribute,operator,value1,value2, ...".
// At least 5 parts are required in the rule definition.
int ruleSectionLength = 4;
int ruleSectionLength = 5;

String[] ruleSections = rule.split(RULE_SPLIT_REGEX);
if (ruleSections.length < ruleSectionLength) {
Expand All @@ -49,6 +50,15 @@ public PasswordExpiryRule(String rule) throws IllegalArgumentException{

this.priority = Integer.parseInt(ruleSections[0].trim());
this.expiryDays = Integer.parseInt(ruleSections[1].trim());

if (this.priority <= 0) {
throw new IllegalArgumentException("Invalid rule format: priority should be positive.");
}
// Expiry days can be 0 in skip password expiry scenarios.
if (this.expiryDays < 0) {
throw new IllegalArgumentException("Invalid rule format: expiry days should be positive.");
}

this.attribute = PasswordExpiryRuleAttributeEnum.fromString(ruleSections[2].trim());
this.operator = PasswordExpiryRuleOperatorEnum.fromString(ruleSections[3].trim());

Expand All @@ -66,6 +76,10 @@ public PasswordExpiryRule(String rule) throws IllegalArgumentException{
if (this.values.isEmpty()) {
throw new IllegalArgumentException("Invalid rule format: no valid values provided.");
}
if (this.values.size() > PasswordPolicyConstants.MAX_PASSWORD_EXPIRY_RULE_VALUES) {
throw new IllegalArgumentException("Invalid rule format: number of values exceeds the maximum limit of "
+ PasswordPolicyConstants.MAX_PASSWORD_EXPIRY_RULE_VALUES + ".");
}
} catch (NumberFormatException e) {
throw new IllegalArgumentException("Invalid rule format: " + e.getMessage());
}
Expand Down
81 changes: 62 additions & 19 deletions ...piry/src/main/java/org/wso2/carbon/identity/password/expiry/util/PasswordPolicyUtils.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -250,25 +250,23 @@ private static Set<String> getUserAttributes(PasswordExpiryRuleAttributeEnum att
throws PostAuthenticationFailedException {

if (!fetchedUserAttributes.containsKey(attribute)) {
try {
switch (attribute) {
case ROLES:
List<RoleBasicInfo> userRoles = getUserRoles(tenantDomain, userId);
Set<String> userRoleIds = userRoles.stream().map(RoleBasicInfo::getId).collect(Collectors.toSet());
fetchedUserAttributes.put(PasswordExpiryRuleAttributeEnum.ROLES, userRoleIds);
break;
case GROUPS:
List<Group> userGroups =
((AbstractUserStoreManager) userStoreManager).getGroupListOfUser(userId,
null, null);
Set<String> userGroupIds = userGroups.stream().map(Group::getGroupID).collect(Collectors.toSet());
fetchedUserAttributes.put(PasswordExpiryRuleAttributeEnum.GROUPS, userGroupIds);
break;
}
} catch (UserStoreException e) {
throw new PostAuthenticationFailedException(PasswordPolicyConstants.ErrorMessages.
ERROR_WHILE_RETRIEVING_USER_GROUPS.getCode(),
PasswordPolicyConstants.ErrorMessages.ERROR_WHILE_RETRIEVING_USER_GROUPS.getMessage());
switch (attribute) {
case ROLES:
// Fetch roles assigned to user via groups.
Set<String> userGroupIds = getUserGroupIds(userId, userStoreManager);
List<String> roleIdsOfGroups = getRoleIdsOfGroups(new ArrayList<>(userGroupIds), tenantDomain);
fetchedUserAttributes.put(PasswordExpiryRuleAttributeEnum.GROUPS, userGroupIds);

List<RoleBasicInfo> userRoles = getUserRoles(tenantDomain, userId);
Set<String> userRoleIds =
userRoles.stream().map(RoleBasicInfo::getId).collect(Collectors.toSet());
userRoleIds.addAll(roleIdsOfGroups);
fetchedUserAttributes.put(PasswordExpiryRuleAttributeEnum.ROLES, userRoleIds);
break;
case GROUPS:
Set<String> groupIds = getUserGroupIds(userId, userStoreManager);
PasinduYeshan marked this conversation as resolved.
Show resolved Hide resolved
fetchedUserAttributes.put(PasswordExpiryRuleAttributeEnum.GROUPS, groupIds);
break;
}
}
return fetchedUserAttributes.get(attribute);
Expand Down Expand Up @@ -314,6 +312,51 @@ public static List<RoleBasicInfo> getUserRoles(String tenantDomain, String userI
}
}

/**
* Get the group IDs of the given user.
*
* @param userId The user ID.
* @param userStoreManager The user store manager.
* @return The group IDs of the user.
* @throws PostAuthenticationFailedException If an error occurs while getting the group IDs of the user.
*/
private static Set<String> getUserGroupIds(String userId, UserStoreManager userStoreManager)
throws PostAuthenticationFailedException {

try {
List<Group> userGroups =
((AbstractUserStoreManager) userStoreManager).getGroupListOfUser(userId,
null, null);
return userGroups.stream().map(Group::getGroupID).collect(Collectors.toSet());
} catch (UserStoreException e) {
throw new PostAuthenticationFailedException(PasswordPolicyConstants.ErrorMessages.
ERROR_WHILE_RETRIEVING_USER_GROUPS.getCode(),
PasswordPolicyConstants.ErrorMessages.ERROR_WHILE_RETRIEVING_USER_GROUPS.getMessage());
}
}

/**
* Get the role IDs of the given groups.
*
* @param groupIds The group IDs.
* @param tenantDomain The tenant domain.
* @return The role IDs of the groups.
* @throws PostAuthenticationFailedException If an error occurs while getting the role IDs of the groups.
*/
private static List<String> getRoleIdsOfGroups(List<String> groupIds, String tenantDomain)
throws PostAuthenticationFailedException {

try {
RoleManagementService roleManagementService = EnforcePasswordResetComponentDataHolder.getInstance()
.getRoleManagementService();
return roleManagementService.getRoleIdListOfGroups(groupIds, tenantDomain);
} catch (IdentityRoleManagementException e) {
throw new PostAuthenticationFailedException(PasswordPolicyConstants.ErrorMessages.
ERROR_WHILE_RETRIEVING_USER_ROLES.getCode(),
PasswordPolicyConstants.ErrorMessages.ERROR_WHILE_RETRIEVING_USER_ROLES.getMessage());
}
}

/**
* This method retrieves the last password updated time in milliseconds.
*
Expand Down
Loading