Removing wrong code from AuthenticationEvaluatorImpl, extending Authe…
…nticationEvaluator tests.
semancik committed Oct 27, 2016
1 parent c8db2ad commit 9788950
Showing 2 changed files with 144 additions and 124 deletions.
@@ -91,12 +91,6 @@ public UsernamePasswordAuthenticationToken authenticateUserPassword(ConnectionEn
passwordCredentialsPolicy = credentialsPolicyType.getPassword();
}
}

// Activated - e.g. registration was finished
if (!isActivated(credentials, passwordCredentialsPolicy)) {
recordAuthenticationFailure(principal, connEnv, "no authorizations");
throw new DisabledException("web.security.provider.access.denied");
}

// Lockout
if (isLockedOut(passwordType, passwordCredentialsPolicy)) {
@@ -320,10 +314,6 @@ private String getPassword(ConnectionEnvironment connEnv, @NotNull MidPointPrinc
return decryptedPassword;
}

private boolean isActivated(CredentialsType credentialsType, AbstractCredentialPolicyType credentialsPolicy) {
return !isOverFailedLockoutAttempts(credentialsType.getPassword(), credentialsPolicy) && isActivated(credentialsType.getNonce());
}

private boolean isLockedOut(AbstractCredentialType credentialsType, AbstractCredentialPolicyType credentialsPolicy) {
return isOverFailedLockoutAttempts(credentialsType, credentialsPolicy) && !isLockoutExpired(credentialsType, credentialsPolicy);
}
@@ -337,12 +327,7 @@ private boolean isOverFailedLockoutAttempts(int failedLogins, AbstractCredential
return credentialsPolicy != null && credentialsPolicy.getLockoutMaxFailedAttempts() != null &&
credentialsPolicy.getLockoutMaxFailedAttempts() > 0 && failedLogins >= credentialsPolicy.getLockoutMaxFailedAttempts();
}

private boolean isActivated(NonceType nonce) {
return nonce == null;
}



private boolean isLockoutExpired(AbstractCredentialType credentialsType, AbstractCredentialPolicyType credentialsPolicy) {
Duration lockoutDuration = credentialsPolicy.getLockoutDuration();
if (lockoutDuration == null) {
@@ -54,8 +54,11 @@
import com.evolveum.midpoint.test.util.MidPointAsserts;
import com.evolveum.midpoint.test.util.MidPointTestConstants;
import com.evolveum.midpoint.test.util.TestUtil;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
@@ -718,31 +721,7 @@ public void test150PasswordLoginDisabledGoodPassword() throws Exception {
OperationResult result = task.getResult();
modifyUserReplace(USER_JACK_OID, ACTIVATION_ADMINISTRATIVE_STATUS_PATH, task, result, ActivationStatusType.DISABLED);

ConnectionEnvironment connEnv = createConnectionEnvironment();
XMLGregorianCalendar startTs = clock.currentTimeXMLGregorianCalendar();

// WHEN
TestUtil.displayWhen(TEST_NAME);
try {

authenticationEvaluator.authenticateUserPassword(connEnv, USER_JACK_USERNAME, USER_JACK_PASSWORD);

AssertJUnit.fail("Unexpected success");
} catch (DisabledException e) {
// This is expected

// THEN
TestUtil.displayThen(TEST_NAME);
display("expected exception", e);

// this is important. The exception should give no indication whether the password is
// good or bad
assertDisabledException(e, USER_JACK_USERNAME);
}

PrismObject<UserType> userAfter = getUser(USER_JACK_OID);
display("user after", userAfter);
assertFailedLogins(userAfter, 0);
loginJackGoodPasswordExpectDenied(TEST_NAME, task, result);
}

@Test
@@ -755,22 +734,7 @@ public void test152PasswordLoginEnabledGoodPassword() throws Exception {
OperationResult result = task.getResult();
modifyUserReplace(USER_JACK_OID, ACTIVATION_ADMINISTRATIVE_STATUS_PATH, task, result, ActivationStatusType.ENABLED);

ConnectionEnvironment connEnv = createConnectionEnvironment();
XMLGregorianCalendar startTs = clock.currentTimeXMLGregorianCalendar();

// WHEN
TestUtil.displayWhen(TEST_NAME);
Authentication authentication = authenticationEvaluator.authenticateUserPassword(connEnv, USER_JACK_USERNAME, USER_JACK_PASSWORD);

// THEN
TestUtil.displayThen(TEST_NAME);
XMLGregorianCalendar endTs = clock.currentTimeXMLGregorianCalendar();
assertGoodPasswordAuthentication(authentication, USER_JACK_USERNAME);

PrismObject<UserType> userAfter = getUser(USER_JACK_OID);
display("user after", userAfter);
assertFailedLogins(userAfter, 0);
assertLastSuccessfulLogin(userAfter, startTs, endTs);
loginJackGoodPasswordExpectSuccess(TEST_NAME, task, result);
}

@Test
@@ -789,31 +753,7 @@ public void test154PasswordLoginNotValidYetGoodPassword() throws Exception {
modifyUserReplace(USER_JACK_OID, ACTIVATION_VALID_FROM_PATH, task, result, validFrom);
modifyUserReplace(USER_JACK_OID, ACTIVATION_VALID_TO_PATH, task, result, validTo);

ConnectionEnvironment connEnv = createConnectionEnvironment();
XMLGregorianCalendar startTs = clock.currentTimeXMLGregorianCalendar();

// WHEN
TestUtil.displayWhen(TEST_NAME);
try {

authenticationEvaluator.authenticateUserPassword(connEnv, USER_JACK_USERNAME, USER_JACK_PASSWORD);

AssertJUnit.fail("Unexpected success");
} catch (DisabledException e) {
// This is expected

// THEN
TestUtil.displayThen(TEST_NAME);
display("expected exception", e);

// this is important. The exception should give no indication whether the password is
// good or bad
assertDisabledException(e, USER_JACK_USERNAME);
}

PrismObject<UserType> userAfter = getUser(USER_JACK_OID);
display("user after", userAfter);
assertFailedLogins(userAfter, 0);
loginJackGoodPasswordExpectDenied(TEST_NAME, task, result);
}

@Test
@@ -827,23 +767,7 @@ public void test155PasswordLoginValidGoodPassword() throws Exception {
Task task = createTask(TestAuthenticationEvaluator.class.getName() + "." + TEST_NAME);
OperationResult result = task.getResult();

display("now", clock.currentTimeXMLGregorianCalendar());
ConnectionEnvironment connEnv = createConnectionEnvironment();
XMLGregorianCalendar startTs = clock.currentTimeXMLGregorianCalendar();

// WHEN
TestUtil.displayWhen(TEST_NAME);
Authentication authentication = authenticationEvaluator.authenticateUserPassword(connEnv, USER_JACK_USERNAME, USER_JACK_PASSWORD);

// THEN
TestUtil.displayThen(TEST_NAME);
XMLGregorianCalendar endTs = clock.currentTimeXMLGregorianCalendar();
assertGoodPasswordAuthentication(authentication, USER_JACK_USERNAME);

PrismObject<UserType> userAfter = getUser(USER_JACK_OID);
display("user after", userAfter);
assertFailedLogins(userAfter, 0);
assertLastSuccessfulLogin(userAfter, startTs, endTs);
loginJackGoodPasswordExpectSuccess(TEST_NAME, task, result);
}

@Test
@@ -856,33 +780,96 @@ public void test156PasswordLoginNotValidAnyLongerGoodPassword() throws Exception

Task task = createTask(TestAuthenticationEvaluator.class.getName() + "." + TEST_NAME);
OperationResult result = task.getResult();

loginJackGoodPasswordExpectDenied(TEST_NAME, task, result);
}

@Test
public void test159PasswordLoginNoLongerValidEnabledGoodPassword() throws Exception {
final String TEST_NAME = "test159PasswordLoginNoLongerValidEnabledGoodPassword";
TestUtil.displayTestTile(TEST_NAME);

// GIVEN
Task task = createTask(TestAuthenticationEvaluator.class.getName() + "." + TEST_NAME);
OperationResult result = task.getResult();
modifyUserReplace(USER_JACK_OID, ACTIVATION_ADMINISTRATIVE_STATUS_PATH, task, result, ActivationStatusType.ENABLED);

loginJackGoodPasswordExpectSuccess(TEST_NAME, task, result);
}

@Test
public void test160PasswordLoginLifecycleActiveGoodPassword() throws Exception {
final String TEST_NAME = "test160PasswordLoginLifecycleActiveGoodPassword";
TestUtil.displayTestTile(TEST_NAME);

// GIVEN
Task task = createTask(TestAuthenticationEvaluator.class.getName() + "." + TEST_NAME);
OperationResult result = task.getResult();

modifyUserReplace(USER_JACK_OID, UserType.F_LIFECYCLE_STATE, task, result,
SchemaConstants.LIFECYCLE_ACTIVE);

loginJackGoodPasswordExpectSuccess(TEST_NAME, task, result);
}

@Test
public void test162PasswordLoginLifecycleDraftGoodPassword() throws Exception {
final String TEST_NAME = "test162PasswordLoginLifecycleDraftGoodPassword";
TestUtil.displayTestTile(TEST_NAME);

// GIVEN
Task task = createTask(TestAuthenticationEvaluator.class.getName() + "." + TEST_NAME);
OperationResult result = task.getResult();

modifyUserReplace(USER_JACK_OID, UserType.F_LIFECYCLE_STATE, task, result,
SchemaConstants.LIFECYCLE_DRAFT);

loginJackGoodPasswordExpectDenied(TEST_NAME, task, result);
}

@Test
public void test164PasswordLoginLifecycleDeprecatedGoodPassword() throws Exception {
final String TEST_NAME = "test164PasswordLoginLifecycleDeprecatedGoodPassword";
TestUtil.displayTestTile(TEST_NAME);

// GIVEN
Task task = createTask(TestAuthenticationEvaluator.class.getName() + "." + TEST_NAME);
OperationResult result = task.getResult();

modifyUserReplace(USER_JACK_OID, UserType.F_LIFECYCLE_STATE, task, result,
SchemaConstants.LIFECYCLE_DEPRECATED);

loginJackGoodPasswordExpectSuccess(TEST_NAME, task, result);
}

@Test
public void test166PasswordLoginLifecycleProposedGoodPassword() throws Exception {
final String TEST_NAME = "test166PasswordLoginLifecycleProposedGoodPassword";
TestUtil.displayTestTile(TEST_NAME);

// GIVEN
Task task = createTask(TestAuthenticationEvaluator.class.getName() + "." + TEST_NAME);
OperationResult result = task.getResult();

modifyUserReplace(USER_JACK_OID, UserType.F_LIFECYCLE_STATE, task, result,
SchemaConstants.LIFECYCLE_PROPOSED);

display("now", clock.currentTimeXMLGregorianCalendar());
ConnectionEnvironment connEnv = createConnectionEnvironment();
XMLGregorianCalendar startTs = clock.currentTimeXMLGregorianCalendar();

// WHEN
TestUtil.displayWhen(TEST_NAME);
try {

authenticationEvaluator.authenticateUserPassword(connEnv, USER_JACK_USERNAME, USER_JACK_PASSWORD);

AssertJUnit.fail("Unexpected success");
} catch (DisabledException e) {
// This is expected

// THEN
TestUtil.displayThen(TEST_NAME);
display("expected exception", e);

// this is important. The exception should give no indication whether the password is
// good or bad
assertDisabledException(e, USER_JACK_USERNAME);
}
loginJackGoodPasswordExpectDenied(TEST_NAME, task, result);
}

@Test
public void test168PasswordLoginLifecycleArchivedGoodPassword() throws Exception {
final String TEST_NAME = "test168PasswordLoginLifecycleArchivedGoodPassword";
TestUtil.displayTestTile(TEST_NAME);

PrismObject<UserType> userAfter = getUser(USER_JACK_OID);
display("user after", userAfter);
assertFailedLogins(userAfter, 0);
// GIVEN
Task task = createTask(TestAuthenticationEvaluator.class.getName() + "." + TEST_NAME);
OperationResult result = task.getResult();

modifyUserReplace(USER_JACK_OID, UserType.F_LIFECYCLE_STATE, task, result,
SchemaConstants.LIFECYCLE_ARCHIVED);

loginJackGoodPasswordExpectDenied(TEST_NAME, task, result);
}

@Test
@@ -1119,5 +1106,53 @@ private void assertPrincipalJack(MidPointPrincipal principal) {
assertNotNull("No user in principal",user);
assertEquals("Bad name in user in principal", USER_JACK_USERNAME, user.getName().getOrig());
}

private void loginJackGoodPasswordExpectSuccess(final String TEST_NAME, Task task, OperationResult result) throws ObjectNotFoundException, SchemaException, SecurityViolationException, CommunicationException, ConfigurationException {
display("now", clock.currentTimeXMLGregorianCalendar());
ConnectionEnvironment connEnv = createConnectionEnvironment();
XMLGregorianCalendar startTs = clock.currentTimeXMLGregorianCalendar();

// WHEN
TestUtil.displayWhen(TEST_NAME);
Authentication authentication = authenticationEvaluator.authenticateUserPassword(connEnv, USER_JACK_USERNAME, USER_JACK_PASSWORD);

// THEN
TestUtil.displayThen(TEST_NAME);
XMLGregorianCalendar endTs = clock.currentTimeXMLGregorianCalendar();
assertGoodPasswordAuthentication(authentication, USER_JACK_USERNAME);

PrismObject<UserType> userAfter = getUser(USER_JACK_OID);
display("user after", userAfter);
assertFailedLogins(userAfter, 0);
assertLastSuccessfulLogin(userAfter, startTs, endTs);
}

private void loginJackGoodPasswordExpectDenied(final String TEST_NAME, Task task, OperationResult result) throws ObjectNotFoundException, SchemaException, SecurityViolationException, CommunicationException, ConfigurationException {
display("now", clock.currentTimeXMLGregorianCalendar());
ConnectionEnvironment connEnv = createConnectionEnvironment();
XMLGregorianCalendar startTs = clock.currentTimeXMLGregorianCalendar();

// WHEN
TestUtil.displayWhen(TEST_NAME);
try {

authenticationEvaluator.authenticateUserPassword(connEnv, USER_JACK_USERNAME, USER_JACK_PASSWORD);

AssertJUnit.fail("Unexpected success");
} catch (DisabledException e) {
// This is expected

// THEN
TestUtil.displayThen(TEST_NAME);
display("expected exception", e);

// this is important. The exception should give no indication whether the password is
// good or bad
assertDisabledException(e, USER_JACK_USERNAME);
}

PrismObject<UserType> userAfter = getUser(USER_JACK_OID);
display("user after", userAfter);
assertFailedLogins(userAfter, 0);
}
}
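Review bot: Among the tests added in this section (test159 through test168) and the two new helpers, none covers an account that still has a nonce credential set, which is the one case the removed `isActivated(credentialsType.getNonce())` gate in AuthenticationEvaluatorImpl turned into a DisabledException. Tests outside the visible hunks may already cover it, but if not, a test that sets a nonce on jack and pins the intended outcome (success or denial) would keep that decision from changing silently. In `loginJackGoodPasswordExpectDenied` the local `startTs` is never read and can be dropped, and neither helper uses its `task` or `result` parameter in the visible body. A one-line comment above the final assertion of the denied helper, such as `// A denial for a disabled account must not be counted as a failed password attempt`, would record why `assertFailedLogins(userAfter, 0)` is checked there.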
