Pull request #122: [EDELIVERY-13839] Fix user password reset - same passsword must not be allowed

Merge in EDELIVERY/smp from bugfix/EDELIVERY-13839-user-management-password-same-password to development * commit '2e83d0d6': [EDELIVERY-13860] Fix DNS tool identifier validation to use default identifier settings.

Pull request #122: [EDELIVERY-13839] Fix user password reset - same passsword must not be allowed
23cd5bbb · Joze RIHTARSIC · 86e9dbdd · 2e83d0d6 · 23cd5bbb
Commit 23cd5bbb authored 7 months ago by Joze RIHTARSIC
--- a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/CredentialService.java
+++ b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/CredentialService.java
@@ -373,6 +373,12 @@ public class CredentialService {

        Pattern pattern = configurationService.getPasswordPolicyRexExp();
        if (pattern != null && !pattern.matcher(newPassword).matches()) {
+            LOG.info(SMPLogger.SECURITY_MARKER, "Change/set password failed because it does not match password policy!: [{}]", username);
+            throw new SMPRuntimeException(ErrorCode.INVALID_REQUEST, "PasswordChange", configurationService.getPasswordPolicyValidationMessage());
+        }
+
+        if (StringUtils.isNotBlank(dbCredential.getValue()) && BCrypt.checkpw(newPassword, dbCredential.getValue())) {
+            LOG.info(SMPLogger.SECURITY_MARKER, "Change/set password failed because 'new' password match the old password for user: [{}]", username);
            throw new SMPRuntimeException(ErrorCode.INVALID_REQUEST, "PasswordChange", configurationService.getPasswordPolicyValidationMessage());
        }