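/**
 * Verifies the self-service password reset flow while the security-question requirement is
 * switched off: an anonymous caller may request the reset with a {@code null} answer, a wrong
 * token is rejected with {@code NotFound}, the correct token sets the new password and the
 * token is cleared afterwards.
 *
 * <p>The configuration flag is restored in a {@code finally} block so that a failing assertion
 * cannot leave the instance running with the weaker (no security question) setting for the
 * tests that follow.
 */
@Test
public void passwordResetWithoutSecurityQuestion() {
    // 0. disable security question for password reset
    configurationService.set(attrTO("passwordReset.securityQuestion", "false"));
    try {
        // 1. create a user WITHOUT any security question / answer
        UserTO user = UserITCase.getUniqueSampleTO("*****@*****.**");
        createUser(user);

        // 2. verify that the new user is able to authenticate with the initial password
        SyncopeClient authClient = clientFactory.create(user.getUsername(), "password123");
        UserTO read = authClient.self().getValue();
        assertNotNull(read);

        // 3. request password reset (as anonymous) with no security answer
        SyncopeClient anonClient = clientFactory.create();
        anonClient.getService(UserSelfService.class).requestPasswordReset(user.getUsername(), null);

        // 4. get token (normally sent via e-mail, now reading as admin)
        String token = userService.read(read.getKey()).getToken();
        assertNotNull(token);

        // 5. confirm password reset: a wrong token must be refused before the real one is used
        try {
            anonClient
                    .getService(UserSelfService.class)
                    .confirmPasswordReset("WRONG TOKEN", "newPassword");
            fail();
        } catch (SyncopeClientException e) {
            assertEquals(ClientExceptionType.NotFound, e.getType());
            assertTrue(e.getMessage().contains("WRONG TOKEN"));
        }
        anonClient.getService(UserSelfService.class).confirmPasswordReset(token, "newPassword123");

        // 6. verify that the password was reset and the one-time token removed
        authClient = clientFactory.create(user.getUsername(), "newPassword123");
        read = authClient.self().getValue();
        assertNotNull(read);
        assertNull(read.getToken());
    } finally {
        // 7. re-enable security question for password reset, even when an assertion above
        // failed, so the relaxed setting does not leak into later tests
        configurationService.set(attrTO("passwordReset.securityQuestion", "true"));
    }
}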
/**
 * Exercises the complete self-service password reset flow with the security-question
 * requirement enabled and the user propagated to the test database resource: a wrong security
 * answer and a wrong token are both rejected, the correct token sets the new password, the
 * token is cleared, and the password stored on the external resource changes as well.
 */
@Test
public void passwordReset() {
    // 0. ensure that password request DOES require security question
    configurationService.set(attrTO("passwordReset.securityQuestion", "true"));

    // 1. create a user with security question and answer, propagated to the test DB resource
    UserTO newUser = UserITCase.getUniqueSampleTO("*****@*****.**");
    newUser.setSecurityQuestion("887028ea-66fc-41e7-b397-620d7ea6dfbb");
    newUser.setSecurityAnswer("Rossi");
    newUser.getResources().add(RESOURCE_NAME_TESTDB);
    createUser(newUser);

    String username = newUser.getUsername();

    // verify propagation (including password) on external db
    JdbcTemplate testDb = new JdbcTemplate(testDataSource);
    String initialDbPassword = testDb.queryForObject(
            "SELECT password FROM test WHERE id=?", String.class, username);
    assertTrue(StringUtils.isNotBlank(initialDbPassword));

    // 2. verify that the new user is able to authenticate
    SyncopeClient userClient = clientFactory.create(username, "password123");
    UserTO self = userClient.self().getValue();
    assertNotNull(self);

    // 3. request password reset (as anonymous): wrong answer first, then the expected one
    SyncopeClient anonymousClient = clientFactory.create();
    SyncopeClientException wrongAnswerFailure = null;
    try {
        anonymousClient
                .getService(UserSelfService.class)
                .requestPasswordReset(username, "WRONG");
        fail();
    } catch (SyncopeClientException e) {
        wrongAnswerFailure = e;
    }
    assertEquals(ClientExceptionType.InvalidSecurityAnswer, wrongAnswerFailure.getType());

    anonymousClient.getService(UserSelfService.class).requestPasswordReset(username, "Rossi");

    // 4. get token (normally sent via e-mail, now reading as admin)
    String resetToken = userService.read(self.getKey()).getToken();
    assertNotNull(resetToken);

    // 5. confirm password reset: wrong token first, then the real one
    SyncopeClientException wrongTokenFailure = null;
    try {
        anonymousClient
                .getService(UserSelfService.class)
                .confirmPasswordReset("WRONG TOKEN", "newPassword");
        fail();
    } catch (SyncopeClientException e) {
        wrongTokenFailure = e;
    }
    assertEquals(ClientExceptionType.NotFound, wrongTokenFailure.getType());
    assertTrue(wrongTokenFailure.getMessage().contains("WRONG TOKEN"));

    anonymousClient.getService(UserSelfService.class).confirmPasswordReset(resetToken, "newPassword123");

    // 6. verify that password was reset and token removed
    userClient = clientFactory.create(username, "newPassword123");
    self = userClient.self().getValue();
    assertNotNull(self);
    assertNull(self.getToken());

    // 7. verify that password was changed on external resource
    String updatedDbPassword = testDb.queryForObject(
            "SELECT password FROM test WHERE id=?", String.class, username);
    assertTrue(StringUtils.isNotBlank(updatedDbPassword));
    assertNotEquals(initialDbPassword, updatedDbPassword);
}