Definitely fix password storage (MID-5336)

This fixes password validation broken in previous commit.
Evolveum · May 10, 2019 · 1dc8a58 · 1dc8a58
1 parent 6db9305
commit 1dc8a58
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 10 deletions.
diff --git a/...min-gui/src/main/java/com/evolveum/midpoint/gui/api/component/password/PasswordPanel.java b/...min-gui/src/main/java/com/evolveum/midpoint/gui/api/component/password/PasswordPanel.java
@@ -97,29 +97,28 @@ public boolean isVisible() {
 		inputContainer.setOutputMarkupId(true);
 		add(inputContainer);
 
-	    final PasswordTextField password1 = new PasswordTextField(ID_PASSWORD_ONE, new PasswordModel(model));
+	    final PasswordTextField password1 = new SecureModelPasswordTextField(ID_PASSWORD_ONE, new PasswordModel(model));
         password1.setRequired(false);
         password1.setOutputMarkupId(true);
         password1.add(new EmptyOnBlurAjaxFormUpdatingBehaviour());
         inputContainer.add(password1);
 
-        final PasswordTextField password2 = new PasswordTextField(ID_PASSWORD_TWO, new PasswordModel(Model.of(new ProtectedStringType())));
+        final PasswordTextField password2 = new SecureModelPasswordTextField(ID_PASSWORD_TWO, new PasswordModel(Model.of(new ProtectedStringType())));
         password2.setRequired(false);
         password2.setOutputMarkupId(true);
-        password2.add(new EmptyOnBlurAjaxFormUpdatingBehaviour());
         inputContainer.add(password2);
 
         password1.add(new AjaxFormComponentUpdatingBehavior("change") {
 			@Override
 			protected void onUpdate(AjaxRequestTarget target) {
-				boolean required = !StringUtils.isEmpty(password1.getModel().getObject());
+				boolean required = !StringUtils.isEmpty(password1.getModelObject());
 				password2.setRequired(required);
                 //fix of MID-2463
 //				target.add(password2);
 //				target.appendJavaScript("$(\"#"+ password2.getMarkupId() +"\").focus()");
 			}
 		});
-        password2.add(new PasswordValidator(password1, password2));
+        password2.add(new PasswordValidator(password1));
 
         final WebMarkupContainer linkContainer = new WebMarkupContainer(ID_LINK_CONTAINER) {
 			@Override
@@ -221,17 +220,15 @@ public FormComponent getBaseFormComponent() {
     private static class PasswordValidator implements IValidator<String> {
 
         private PasswordTextField p1;
-        private PasswordTextField p2;
 
-        private PasswordValidator(@NotNull PasswordTextField p1, @NotNull PasswordTextField p2) {
+        private PasswordValidator(@NotNull PasswordTextField p1) {
             this.p1 = p1;
-            this.p2 = p2;
         }
 
         @Override
         public void validate(IValidatable<String> validatable) {
             String s1 = p1.getModelObject();
-            String s2 = p2.getModelObject();
+            String s2 = validatable.getValue();
 
             if (StringUtils.isEmpty(s1) && StringUtils.isEmpty(s2)) {
                 return;

diff --git a/...n/java/com/evolveum/midpoint/gui/api/component/password/SecureModelPasswordTextField.java b/...n/java/com/evolveum/midpoint/gui/api/component/password/SecureModelPasswordTextField.java
@@ -0,0 +1,40 @@
+/*
+ * Copyright (c) 2010-2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.evolveum.midpoint.gui.api.component.password;
+
+import org.apache.wicket.markup.html.form.PasswordTextField;
+import org.apache.wicket.model.IModel;
+
+/**
+ * PasswordTextField that assumes its underlying model is secure enough to be serialized.
+ *
+ * Therefore we can disable "reset password" security feature and - when detaching - clear only our input.
+ * The model is preserved, because it's considered secure enough.
+ */
+public class SecureModelPasswordTextField extends PasswordTextField {
+
+	public SecureModelPasswordTextField(String id, IModel<String> model) {
+		super(id, model);
+		setResetPassword(false);
+	}
+
+	@Override
+	protected void onDetach() {
+		clearInput();
+		super.onDetach();
+	}
+}
diff --git a/...-gui/src/main/java/com/evolveum/midpoint/web/page/self/component/ChangePasswordPanel.java b/...-gui/src/main/java/com/evolveum/midpoint/web/page/self/component/ChangePasswordPanel.java
@@ -226,7 +226,7 @@ protected void onEvent(final AjaxRequestTarget target) {
 
 					@Override
                 	public boolean isEnabled() {
-                		return passwordAccountDto.getCssClass() != NO_CAPABILITY_ICON_CSS;
+                		return !passwordAccountDto.getCssClass().equals(NO_CAPABILITY_ICON_CSS);
                 	}
                 });
             }