private void checkPasswordChangeIsAllowed(String userId, String oldPassword) {
if (securityContextAccessor.isClient()) {
// Trusted client (not acting on behalf of user)
return;
}
// Call is by or on behalf of end user
String currentUser = securityContextAccessor.getUserId();
if (securityContextAccessor.isAdmin()) {
// even an admin needs to provide the old value to change his
// password
if (userId.equals(currentUser) && !StringUtils.hasText(oldPassword)) {
throw new InvalidPasswordException("Previous password is required even for admin");
}
} else {
if (!userId.equals(currentUser)) {
logger.warn(
"User with id " + currentUser + " attempting to change password for user " + userId);
// TODO: This should be audited when we have non-authentication
// events in the log
throw new InvalidPasswordException("Not permitted to change another user's password");
}
// User is changing their own password, old password is required
if (!StringUtils.hasText(oldPassword)) {
throw new InvalidPasswordException("Previous password is required");
}
}
}
private SecurityContextAccessor mockSecurityContext(ScimUser user) {
SecurityContextAccessor sca = mock(SecurityContextAccessor.class);
String id = user.getId();
when(sca.getUserId()).thenReturn(id);
return sca;
}
