Pull request #97: [EDELIVERY-13367] SA report

Merge in EDELIVERY/smp from bugfix/EDELIVERY-13367-sa-domismp-it3-3.2-client-side-validation-bypass to development * commit '5e37eb4d': [EDELIVERY-13367] SA report

Pull request #97: [EDELIVERY-13367] SA report
e3a6d8c2 · Joze RIHTARSIC · b662bca7 · 5e37eb4d · e3a6d8c2 · e3a6d8c2
Commit e3a6d8c2 authored 10 months ago by Joze RIHTARSIC
--- a/smp-angular/src/app/common/dialogs/password-change-dialog/password-change-dialog.component.ts
+++ b/smp-angular/src/app/common/dialogs/password-change-dialog/password-change-dialog.component.ts
@@ -47,7 +47,7 @@ export class PasswordChangeDialogComponent {
    let currentPasswdFormControl: UntypedFormControl = new UntypedFormControl({value: null, readonly: false},
      this.securityService.getCurrentUser().casAuthenticated && this.adminUser ? null : [Validators.required]);
    let newPasswdFormControl: UntypedFormControl = new UntypedFormControl({value: null, readonly: false},
-      [Validators.required, Validators.pattern(this.passwordValidationRegExp), equal(currentPasswdFormControl, false)]);
+      [Validators.required, Validators.pattern(this.passwordValidationRegExp)]);
    let confirmNewPasswdFormControl: UntypedFormControl = new UntypedFormControl({value: null, readonly: false},
      [Validators.required, equal(newPasswdFormControl, true)]);


--- a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/config/enums/SMPPropertyEnum.java
+++ b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/config/enums/SMPPropertyEnum.java
@@ -154,7 +154,7 @@ public enum SMPPropertyEnum {
            "Password minimum complexity rules!",
            OPTIONAL, NOT_ENCRYPTED, NO_RESTART_NEEDED, REGEXP),

-    PASSWORD_POLICY_MESSAGE("smp.passwordPolicy.validationMessage", "Minimum length: 16 characters;Maximum length: 32 characters;At least one letter in lowercase;At least one letter in uppercase;At least one digit;At least one special character",
+    PASSWORD_POLICY_MESSAGE("smp.passwordPolicy.validationMessage", "Minimum length: 16 characters;Maximum length: 32 characters;At least one letter in lowercase;At least one letter in uppercase;At least one digit;At least one special character;Must not be same as existing password",
            "The error message shown to the user in case the password does not follow the regex put in the domibus.passwordPolicy.pattern property",
            OPTIONAL, NOT_ENCRYPTED, NO_RESTART_NEEDED, STRING),
    PASSWORD_POLICY_VALID_DAYS("smp.passwordPolicy.validDays", "90", "Number of days password is valid",

--- a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ui/UIUserService.java
+++ b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ui/UIUserService.java
@@ -246,6 +246,15 @@ public class UIUserService extends UIServiceBase<DBUser, UserRO> {
                CredentialType.USERNAME_PASSWORD,
                CredentialTargetType.UI));

+        // check if new password is the same as the old one
+        // but allow admin to overwrite it
+        if (!adminUpdate
+                && StringUtils.isNotBlank(dbCredential.getValue())
+                && BCrypt.checkpw(password, dbCredential.getValue())) {
+            LOG.info(SMPLogger.SECURITY_MARKER, "Change/set password failed because 'new' password match the old password for user: [{}]", userID);
+            throw new SMPRuntimeException(ErrorCode.INVALID_REQUEST, "PasswordChange", configurationService.getPasswordPolicyValidationMessage());
+        }
+
        dbCredential.setValue(BCryptPasswordHash.hashPassword(password));
        OffsetDateTime currentTime = OffsetDateTime.now();
        dbCredential.setChangedOn(currentTime);

--- a/smp-server-library/src/test/java/eu/europa/ec/edelivery/smp/services/ui/UIUserServiceIntegrationTest.java
+++ b/smp-server-library/src/test/java/eu/europa/ec/edelivery/smp/services/ui/UIUserServiceIntegrationTest.java
@@ -250,6 +250,24 @@ class UIUserServiceIntegrationTest extends AbstractJunit5BaseDao {
        testInstance.updateUserPassword(authorizedUserId, userToUpdateId, authorizedPassword, newPassword);
    }

+    @Test
+    void testUpdateUserPasswordFaileSame() {
+        DBUser user = TestDBUtils.createDBUserByUsername(UUID.randomUUID().toString());
+        DBCredential credential = TestDBUtils.createDBCredentialForUser(user, null, null, null);
+        credential.setValue(BCrypt.hashpw("TTTTtttt1111$$$$$", BCrypt.gensalt()));
+        userDao.persistFlushDetach(user);
+        credentialDao.persistFlushDetach(credential);
+
+        long authorizedUserId = user.getId();
+        long userToUpdateId = user.getId();
+        String authorizedPassword = "TTTTtttt1111$$$$$";
+        String newPassword = "TTTTtttt1111$$$$$";
+
+        SMPRuntimeException result = assertThrows(SMPRuntimeException.class,
+                () -> testInstance.updateUserPassword(authorizedUserId, userToUpdateId, authorizedPassword, newPassword));
+        MatcherAssert.assertThat(result.getMessage(), CoreMatchers.containsString("Must not be same as existing password"));
+    }
+
    @Test
    void testUpdateUserPasswordByAdminUserNotExists() {
        // system admin