adding test for MID-9504: password notification for hashed password

Evolveum · Apr 29, 2024 · 6c8b2cb · 6c8b2cb
1 parent 2fce482
commit 6c8b2cb
Show file tree

Hide file tree

Showing 3 changed files with 139 additions and 0 deletions.
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestNotifications.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestNotifications.java
@@ -21,6 +21,13 @@
 import java.util.*;
 import javax.xml.datatype.XMLGregorianCalendar;
 
+import com.evolveum.midpoint.model.api.ModelExecuteOptions;
+import com.evolveum.midpoint.prism.path.ItemPath;
+
+import com.evolveum.midpoint.repo.api.RepoAddOptions;
+import com.evolveum.prism.xml.ns._public.types_3.EncryptedDataType;
+import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
+
 import com.sun.net.httpserver.HttpExchange;
 import com.sun.net.httpserver.HttpHandler;
 import com.sun.net.httpserver.HttpServer;
@@ -73,6 +80,7 @@ public class TestNotifications extends AbstractInitializedModelIntegrationTest {
     private static final TestObject<RoleType> ROLE_WEBMAIL = TestObject.file(TEST_DIR, "role-webmail.xml", "ba0d281a-b0e0-4d3a-ade0-513f53454c27");
 
     private static final TestObject<TaskType> TASK_HR_IMPORT = TestObject.file(TEST_DIR, "task-hr-import.xml", "b5ee6532-b779-4bee-b713-d394346170f7");
+    private static final TestObject<TaskType> SECURITY_POLICY_HASH_PASSWORD = TestObject.file(TEST_DIR, "security-policy-hash-password.xml", "00000000-0000-0000-0000-000000000120");
 
     private static final DummyTestResource RESOURCE_HR = new DummyTestResource(TEST_DIR, "resource-hr.xml", "bb9b9bca-5d47-446a-83ed-6c5411ac219f", "hr");
     private static final DummyTestResource RESOURCE_WEBMAIL = new DummyTestResource(TEST_DIR, "resource-webmail.xml", "657fce5e-9d7a-4bab-b475-157ca586f73a", "webmail");
@@ -91,6 +99,7 @@ public void initSystem(Task initTask, OperationResult initResult) throws Excepti
         repoAdd(ROLE_DUMMY, initResult);
         repoAdd(ROLE_WEBMAIL, initResult);
         repoAdd(TASK_HR_IMPORT, initResult);
+        repoAdd(SECURITY_POLICY_HASH_PASSWORD, RepoAddOptions.createOverwrite(), initResult);
 
         initDummyResource(RESOURCE_HR, initTask, initResult);
         initDummyResource(RESOURCE_WEBMAIL, initTask, initResult);
@@ -939,6 +948,55 @@ public void test510ModifyUserAssignAccountInMaintenance() throws Exception {
         assertTrue("Wrong message body:\n" + actual, actual.contains(expected));
     }
 
+    /**
+     * Change user password, when store method is hash (MID-9504)
+     */
+    @Test
+    public void test600ModifyHashStoredPassword() throws Exception {
+        given();
+        Task task = taskManager.createTaskInstance(TestNotifications.class.getName() + ".test600ModifyHashStoredPassword");
+        task.setChannel(SchemaConstants.CHANNEL_USER_URI);
+        OperationResult result = task.getResult();
+        preTestCleanup(AssignmentPolicyEnforcementType.POSITIVE);
+
+        when();
+        ProtectedStringType passEncrypt = protector.encryptString("dummyPassword");
+        passEncrypt.setClearValue(null);
+        ObjectDelta<UserType> userDelta = createModifyUserAddDelta(
+                USER_BARBOSSA_OID,
+                ItemPath.create(UserType.F_CREDENTIALS, CredentialsType.F_PASSWORD, PasswordType.F_VALUE),
+                passEncrypt);
+        executeChanges(userDelta, new ModelExecuteOptions().reconcile(false), task, result);
+
+        then();
+        result.computeStatus();
+        TestUtil.assertSuccess(result);
+
+        PrismObject<UserType> userBarbarosa = modelService.getObject(UserType.class, USER_BARBOSSA_OID, null, task, result);
+        UserType userBarbarosaType = userBarbarosa.asObjectable();
+        assertTrue("Password isn't save as hash", userBarbarosaType.getCredentials().getPassword().getValue().isHashed());
+
+        notificationManager.setDisabled(true);
+
+        // Check notifications
+        displayDumpable("Dummy transport messages", dummyTransport);
+
+        checkDummyTransportMessages("accountPasswordNotifier", 0);
+        checkDummyTransportMessages("userPasswordNotifier", 1);
+        checkDummyTransportMessages("simpleAccountNotifier-SUCCESS", 0);
+        checkDummyTransportMessages("simpleAccountNotifier-FAILURE", 0);
+        checkDummyTransportMessages("simpleAccountNotifier-IN-PROGRESS", 0);
+        checkDummyTransportMessages("simpleAccountNotifier-ADD-SUCCESS", 0);
+        checkDummyTransportMessages("simpleUserNotifier", 1);
+        checkDummyTransportMessages("simpleUserNotifier-ADD", 0);
+
+        List<Message> pwdMessages = dummyTransport.getMessages("dummy:userPasswordNotifier");
+        Message pwdMessage = pwdMessages.get(0); // number of messages was already checked
+        assertEquals("Invalid list of recipients", singletonList("recipient@evolveum.com"), pwdMessage.getTo());
+        assertThat(pwdMessage.getBody()) // there can be subscription footer
+                .startsWith("Password: dummyPassword");
+    }
+
     @SuppressWarnings("Duplicates")
     private void preTestCleanup(AssignmentPolicyEnforcementType enforcementPolicy) throws ObjectNotFoundException, SchemaException, ObjectAlreadyExistsException {
         assumeAssignmentPolicy(enforcementPolicy);

diff --git a/model/model-intest/src/test/resources/notifications/security-policy-hash-password.xml b/model/model-intest/src/test/resources/notifications/security-policy-hash-password.xml
@@ -0,0 +1,74 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2014-2018 Evolveum and contributors
+  ~
+  ~ This work is dual-licensed under the Apache License 2.0
+  ~ and European Union Public License. See LICENSE file for details.
+  -->
+
+<securityPolicy oid="00000000-0000-0000-0000-000000000120"
+    xmlns='http://midpoint.evolveum.com/xml/ns/public/common/common-3'>
+    <name>Default Security Policy</name>
+    <authentication>
+        <modules>
+            <loginForm id="1">
+                <identifier>loginForm</identifier>
+            </loginForm>
+            <httpBasic id="2">
+                <identifier>httpBasic</identifier>
+            </httpBasic>
+        </modules>
+        <sequence id="3">
+            <identifier>admin-gui-default</identifier>
+            <displayName>Default gui sequence</displayName>
+            <channel>
+                <default>true</default>
+                <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
+                <urlSuffix>gui-default</urlSuffix>
+            </channel>
+            <module id="6">
+                <identifier>loginForm</identifier>
+                <order>1</order>
+                <necessity>sufficient</necessity>
+            </module>
+        </sequence>
+        <sequence id="4">
+            <identifier>rest-default</identifier>
+            <channel>
+                <default>true</default>
+                <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#rest</channelId>
+                <urlSuffix>rest-default</urlSuffix>
+            </channel>
+            <module id="7">
+                <identifier>httpBasic</identifier>
+                <order>1</order>
+                <necessity>sufficient</necessity>
+            </module>
+        </sequence>
+        <sequence id="5">
+            <identifier>actuator-default</identifier>
+            <channel>
+                <default>true</default>
+                <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#actuator</channelId>
+                <urlSuffix>actuator-default</urlSuffix>
+            </channel>
+            <module id="8">
+                <identifier>httpBasic</identifier>
+                <order>1</order>
+                <necessity>sufficient</necessity>
+            </module>
+        </sequence>
+        <ignoredLocalPath>/actuator/health</ignoredLocalPath>
+    </authentication>
+    <credentials>
+        <password>
+            <minOccurs>0</minOccurs>
+            <lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
+            <lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
+            <lockoutDuration>PT15M</lockoutDuration>
+            <storageMethod>
+                <storageType>hashing</storageType>
+            </storageMethod>
+        </password>
+    </credentials>
+</securityPolicy>
diff --git a/model/model-intest/src/test/resources/notifications/system-configuration.xml b/model/model-intest/src/test/resources/notifications/system-configuration.xml
@@ -12,6 +12,7 @@
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
 
     <name>SystemConfiguration</name>
+    <globalSecurityPolicyRef oid="00000000-0000-0000-0000-000000000120"/>
     <logging>
         <rootLoggerAppender>File Appender</rootLoggerAppender>
         <rootLoggerLevel>INFO</rootLoggerLevel>
@@ -49,6 +50,12 @@
                 <recipientExpression>
                     <value>recipient@evolveum.com</value>
                 </recipientExpression>
+                <bodyExpression>
+                    <script>
+                        <language>http://midpoint.evolveum.com/xml/ns/public/expression/language#velocity</language>
+                        <code>Password: $event.focusPassword</code>
+                    </script>
+                </bodyExpression>
                 <transport>dummy:userPasswordNotifier</transport>
             </userPasswordNotifier>
         </handler>