Exemplo n.º 1
0
  @Test
  public void passwordResetWithoutSecurityQuestion() {
    // 0. disable security question for password reset
    configurationService.set(attrTO("passwordReset.securityQuestion", "false"));

    // 1. create an user with security question and answer
    UserTO user = UserITCase.getUniqueSampleTO("*****@*****.**");
    createUser(user);

    // 2. verify that new user is able to authenticate
    SyncopeClient authClient = clientFactory.create(user.getUsername(), "password123");
    UserTO read = authClient.self().getValue();
    assertNotNull(read);

    // 3. request password reset (as anonymous) with no security answer
    SyncopeClient anonClient = clientFactory.create();
    anonClient.getService(UserSelfService.class).requestPasswordReset(user.getUsername(), null);

    // 4. get token (normally sent via e-mail, now reading as admin)
    String token = userService.read(read.getKey()).getToken();
    assertNotNull(token);

    // 5. confirm password reset
    try {
      anonClient
          .getService(UserSelfService.class)
          .confirmPasswordReset("WRONG TOKEN", "newPassword");
      fail();
    } catch (SyncopeClientException e) {
      assertEquals(ClientExceptionType.NotFound, e.getType());
      assertTrue(e.getMessage().contains("WRONG TOKEN"));
    }
    anonClient.getService(UserSelfService.class).confirmPasswordReset(token, "newPassword123");

    // 6. verify that password was reset and token removed
    authClient = clientFactory.create(user.getUsername(), "newPassword123");
    read = authClient.self().getValue();
    assertNotNull(read);
    assertNull(read.getToken());

    // 7. re-enable security question for password reset
    configurationService.set(attrTO("passwordReset.securityQuestion", "true"));
  }
Exemplo n.º 2
0
  @Test
  public void passwordReset() {
    // 0. ensure that password request DOES require security question
    configurationService.set(attrTO("passwordReset.securityQuestion", "true"));

    // 1. create an user with security question and answer
    UserTO user = UserITCase.getUniqueSampleTO("*****@*****.**");
    user.setSecurityQuestion("887028ea-66fc-41e7-b397-620d7ea6dfbb");
    user.setSecurityAnswer("Rossi");
    user.getResources().add(RESOURCE_NAME_TESTDB);
    createUser(user);

    // verify propagation (including password) on external db
    JdbcTemplate jdbcTemplate = new JdbcTemplate(testDataSource);
    String pwdOnResource =
        jdbcTemplate.queryForObject(
            "SELECT password FROM test WHERE id=?", String.class, user.getUsername());
    assertTrue(StringUtils.isNotBlank(pwdOnResource));

    // 2. verify that new user is able to authenticate
    SyncopeClient authClient = clientFactory.create(user.getUsername(), "password123");
    UserTO read = authClient.self().getValue();
    assertNotNull(read);

    // 3. request password reset (as anonymous) providing the expected security answer
    SyncopeClient anonClient = clientFactory.create();
    try {
      anonClient
          .getService(UserSelfService.class)
          .requestPasswordReset(user.getUsername(), "WRONG");
      fail();
    } catch (SyncopeClientException e) {
      assertEquals(ClientExceptionType.InvalidSecurityAnswer, e.getType());
    }
    anonClient.getService(UserSelfService.class).requestPasswordReset(user.getUsername(), "Rossi");

    // 4. get token (normally sent via e-mail, now reading as admin)
    String token = userService.read(read.getKey()).getToken();
    assertNotNull(token);

    // 5. confirm password reset
    try {
      anonClient
          .getService(UserSelfService.class)
          .confirmPasswordReset("WRONG TOKEN", "newPassword");
      fail();
    } catch (SyncopeClientException e) {
      assertEquals(ClientExceptionType.NotFound, e.getType());
      assertTrue(e.getMessage().contains("WRONG TOKEN"));
    }
    anonClient.getService(UserSelfService.class).confirmPasswordReset(token, "newPassword123");

    // 6. verify that password was reset and token removed
    authClient = clientFactory.create(user.getUsername(), "newPassword123");
    read = authClient.self().getValue();
    assertNotNull(read);
    assertNull(read.getToken());

    // 7. verify that password was changed on external resource
    String newPwdOnResource =
        jdbcTemplate.queryForObject(
            "SELECT password FROM test WHERE id=?", String.class, user.getUsername());
    assertTrue(StringUtils.isNotBlank(newPwdOnResource));
    assertNotEquals(pwdOnResource, newPwdOnResource);
  }