/**
 * Returns {@code true} if the hash of the specified {@code password} equals the
 * given hashed password.
 * <p>
 * Note: the {@code char[]} is copied into an immutable {@link String} before
 * delegating to the {@code String} overload, so the password text lingers in
 * memory until garbage collected and cannot be wiped by the caller.
 *
 * @param hashedPassword Password hash.
 * @param password The password to compare.
 * @return If the hash created from the specified {@code password} equals
 * the given {@code hashedPassword} string.
 */
public static boolean isSame(@Nullable String hashedPassword, @NotNull char[] password) {
    String plainText = new String(password);
    return isSame(hashedPassword, plainText);
}
/**
 * Returns {@code true} if the hash of the specified {@code password} equals the
 * given hashed password.
 * <p>
 * Note: the {@code char[]} is copied into an immutable {@link String} before
 * delegating to the {@code String} overload, so the password text lingers in
 * memory until garbage collected and cannot be wiped by the caller.
 *
 * @param hashedPassword Password hash.
 * @param password The password to compare.
 * @return If the hash created from the specified {@code password} equals
 * the given {@code hashedPassword} string.
 */
public static boolean isSame(@Nullable String hashedPassword, @Nonnull char[] password) {
    String plainText = new String(password);
    return isSame(hashedPassword, plainText);
}
/**
 * Rejects a password change when the new password is {@code null} or when it
 * hashes to the same value as the password currently stored for {@code user}.
 *
 * @param user The user whose password is about to change.
 * @param newPassword The candidate new password; may be {@code null}.
 * @param root The root used to look up the stored password hash.
 * @param namePathMapper Not used by this check.
 * @throws ConstraintViolationException if the new password is {@code null} or
 *         identical to the current one.
 * @throws RepositoryException propagated from reading the stored hash.
 */
@Override
public void onPasswordChange(@Nonnull User user, String newPassword, @Nonnull Root root, @Nonnull NamePathMapper namePathMapper) throws RepositoryException {
    if (newPassword == null) {
        throw new ConstraintViolationException("Expected a new password that is not null.");
    }
    // Only the hash of the current password is available, so the candidate is
    // checked by hashing it and comparing against that stored value.
    String currentHash = getPasswordHash(root, user);
    boolean reusesCurrentPassword = PasswordUtil.isSame(currentHash, newPassword);
    if (reusesCurrentPassword) {
        throw new ConstraintViolationException("New password is identical to the old password.");
    }
}
/**
 * Rejects a password change when the new password is {@code null} or when it
 * hashes to the same value as the password currently stored for {@code user}.
 *
 * @param user The user whose password is about to change.
 * @param newPassword The candidate new password; may be {@code null}.
 * @param root The root used to look up the stored password hash.
 * @param namePathMapper Not used by this check.
 * @throws ConstraintViolationException if the new password is {@code null} or
 *         identical to the current one.
 * @throws RepositoryException propagated from reading the stored hash.
 */
@Override
public void onPasswordChange(@NotNull User user, String newPassword, @NotNull Root root, @NotNull NamePathMapper namePathMapper) throws RepositoryException {
    if (newPassword == null) {
        throw new ConstraintViolationException("Expected a new password that is not null.");
    }
    // Only the hash of the current password is available, so the candidate is
    // checked by hashing it and comparing against that stored value.
    String currentHash = getPasswordHash(root, user);
    boolean reusesCurrentPassword = PasswordUtil.isSame(currentHash, newPassword);
    if (reusesCurrentPassword) {
        throw new ConstraintViolationException("New password is identical to the old password.");
    }
}
/**
 * Changes this user's password after verifying that {@code oldPassword}
 * matches the currently stored password hash.
 *
 * @param password The new password, handed to {@code changePassword(String)}.
 * @param oldPassword The current password; must match the stored hash.
 * @throws RepositoryException if {@code oldPassword} does not match the stored
 *         hash, or if the delegated change fails.
 */
@Override
public void changePassword(String password, String oldPassword) throws RepositoryException {
    // Prove knowledge of the current password before anything is written.
    String storedHash = getPasswordHash();
    boolean oldPasswordMatches = PasswordUtil.isSame(storedHash, oldPassword);
    if (!oldPasswordMatches) {
        throw new RepositoryException("Failed to change password: Old password does not match.");
    }
    changePassword(password);
}
/**
 * Changes this user's password after verifying that {@code oldPassword}
 * matches the currently stored password hash.
 *
 * @param password The new password, handed to {@code changePassword(String)}.
 * @param oldPassword The current password; must match the stored hash.
 * @throws RepositoryException if {@code oldPassword} does not match the stored
 *         hash, or if the delegated change fails.
 */
@Override
public void changePassword(String password, String oldPassword) throws RepositoryException {
    // Prove knowledge of the current password before anything is written.
    String storedHash = getPasswordHash();
    boolean oldPasswordMatches = PasswordUtil.isSame(storedHash, oldPassword);
    if (!oldPasswordMatches) {
        throw new RepositoryException("Failed to change password: Old password does not match.");
    }
    changePassword(password);
}
/**
 * Changes this user's password after verifying that {@code oldPassword}
 * matches the currently stored password hash.
 *
 * @param password The new password, handed to {@code changePassword(String)}.
 * @param oldPassword The current password; must match the stored hash.
 * @throws RepositoryException if {@code oldPassword} does not match the stored
 *         hash, or if the delegated change fails.
 */
@Override
public void changePassword(String password, String oldPassword) throws RepositoryException {
    // Prove knowledge of the current password before anything is written.
    String storedHash = getPasswordHash();
    boolean oldPasswordMatches = PasswordUtil.isSame(storedHash, oldPassword);
    if (!oldPasswordMatches) {
        throw new RepositoryException("Failed to change password: Old password does not match.");
    }
    changePassword(password);
}
/**
 * A stored hash whose algorithm prefix names an unknown algorithm must never
 * be reported as matching, even when the rest of the hash is valid.
 */
@Test
public void testIsSameNoSuchAlgorithmException() throws Exception {
    String validHash = PasswordUtil.buildPasswordHash("pw");
    // Keep everything after the closing brace of the prefix, swap only the algorithm name.
    int prefixEnd = validHash.indexOf('}') + 1;
    String unknownAlgorithmHash = "{invalidAlgorithm}" + validHash.substring(prefixEnd);
    assertFalse(PasswordUtil.isSame(unknownAlgorithmHash, "pw"));
}
/** An empty stored hash must not match any password. */
@Test
public void testIsSameEmptyHash() {
    String emptyHash = "";
    assertFalse(PasswordUtil.isSame(emptyHash, "pw"));
}
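/**
 * A legacy-format hash ({@code {algorithm}digest}, no salt, no iteration
 * count) built directly from the digest must still be accepted by
 * {@link PasswordUtil#isSame}. The assumption skips the case where the
 * default algorithm is PBKDF2.
 */
@Test
public void testBuildPasswordHashNoSaltNoIterations() throws Exception {
    assumeFalse(PasswordUtil.DEFAULT_ALGORITHM.startsWith(PasswordUtil.PBKDF2_PREFIX));
    // Use the charset constant instead of a name lookup: identical bytes, but no
    // checked UnsupportedEncodingException to declare.
    byte[] pwBytes = "pw".getBytes(java.nio.charset.StandardCharsets.UTF_8);
    String jr2Hash = "{" + PasswordUtil.DEFAULT_ALGORITHM + "}" + Text.digest(PasswordUtil.DEFAULT_ALGORITHM, pwBytes);
    assertTrue(PasswordUtil.isSame(jr2Hash, "pw"));
}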
/** A hash built with a salt size of zero must still verify against its password. */
@Test
public void testBuildPasswordHashNoSalt() throws Exception {
    int noSalt = 0;
    String unsaltedHash = PasswordUtil.buildPasswordHash("pw", PasswordUtil.DEFAULT_ALGORITHM, noSalt, PasswordUtil.DEFAULT_ITERATIONS);
    assertTrue(PasswordUtil.isSame(unsaltedHash, "pw"));
}
/** A hash built with a single iteration must still verify against its password. */
@Test
public void testBuildPasswordHashNoIterations() throws Exception {
    int singleIteration = 1;
    String hash = PasswordUtil.buildPasswordHash("pw", PasswordUtil.DEFAULT_ALGORITHM, PasswordUtil.DEFAULT_SALT_SIZE, singleIteration);
    assertTrue(PasswordUtil.isSame(hash, "pw"));
}
/** The hash of the empty password must match the empty password. */
@Test
public void testIsSameEmpty() throws Exception {
    String emptyPassword = "";
    String hashOfEmpty = PasswordUtil.buildPasswordHash(emptyPassword);
    assertTrue(PasswordUtil.isSame(hashOfEmpty, emptyPassword));
}
/** A {@code null} password must never match a real hash. */
@Test
public void testIsSameNullPw() throws Exception {
    String hash = PasswordUtil.buildPasswordHash("pw");
    // Typed local selects the String overload, as the explicit cast did.
    String absentPassword = null;
    assertFalse(PasswordUtil.isSame(hash, absentPassword));
}
/** The empty password must not match the hash of a non-empty password. */
@Test
public void testIsSameEmptyPw() throws Exception {
    String hash = PasswordUtil.buildPasswordHash("pw");
    String emptyPassword = "";
    assertFalse(PasswordUtil.isSame(hash, emptyPassword));
}
/** A hash built from explicit salt-size and iteration parameters must verify against its password. */
@Test
public void testBuildPasswordWithConfig() throws Exception {
    int saltSize = 13;
    int iterations = 13;
    ConfigurationParameters config = ConfigurationParameters.of(
            UserConstants.PARAM_PASSWORD_SALT_SIZE, saltSize,
            UserConstants.PARAM_PASSWORD_HASH_ITERATIONS, iterations);
    String configuredHash = PasswordUtil.buildPasswordHash("pw", config);
    assertTrue(PasswordUtil.isSame(configuredHash, "pw"));
}
/**
 * A freshly created user exposes {@link CredentialsImpl} carrying its id and a
 * password hash that verifies against the password it was created with.
 */
@Test
public void testGetCredentials() throws Exception {
    // The user id doubles as the password here.
    user = userMgr.createUser(uid, uid);
    root.commit();
    Credentials credentials = user.getCredentials();
    assertTrue(credentials instanceof CredentialsImpl);
    CredentialsImpl credentialsImpl = (CredentialsImpl) credentials;
    assertEquals(uid, credentialsImpl.getUserId());
    assertTrue(PasswordUtil.isSame(credentialsImpl.getPasswordHash(), uid));
}
/**
 * Authenticating with a wrong expired password must fail, and must neither
 * replace the stored password nor touch the last-modified marker.
 */
@Test
public void testChangeWithWrongPw() throws Exception {
    try {
        authenticate("wrongPw", "newPw");
        fail("Authentication with wrong expired password should fail and should not reset pw.");
    } catch (LoginException expected) {
        // expected: the wrong old password is rejected
    } finally {
        Tree userTree = root.getTree(getTestUser().getPath());
        String storedHash = userTree.getProperty(UserConstants.REP_PASSWORD).getValue(Type.STRING);
        assertTrue(PasswordUtil.isSame(storedHash, userId));
        long lastModified = userTree.getChild(UserConstants.REP_PWD).getProperty(UserConstants.REP_PASSWORD_LAST_MODIFIED).getValue(Type.LONG).longValue();
        assertEquals(0, lastModified);
    }
}
/** After a successful change the new password must be visible to a separate session. */
@Test
public void testPasswordChangePersisted() throws Exception {
    authenticate(userId, "newPw");
    // Read through a fresh root from another login so the check reflects persisted
    // state rather than this session's transient changes.
    Root freshRoot = login(getAdminCredentials()).getLatestRoot();
    Tree userTree = freshRoot.getTree(getTestUser().getPath());
    String storedHash = userTree.getProperty(UserConstants.REP_PASSWORD).getValue(Type.STRING);
    assertTrue(PasswordUtil.isSame(storedHash, "newPw"));
}
/**
 * Creating a user with an already hashed password string must store a hash
 * (never plain text), and that stored hash must verify against the supplied
 * string, i.e. the pre-hashed value is treated as the password text.
 */
@Test
public void testPasswordValidationActionOnCreate() throws Exception {
    String preHashed = PasswordUtil.buildPasswordHash("DWkej32H");
    user = getUserManager(root).createUser("testuser", preHashed);
    root.commit();
    Tree userTree = root.getTree(user.getPath());
    String storedValue = userTree.getProperty(UserConstants.REP_PASSWORD).getValue(Type.STRING);
    assertFalse(PasswordUtil.isPlainTextPassword(storedValue));
    assertTrue(PasswordUtil.isSame(storedValue, preHashed));
}