Update admin

pom.xml

@@ -254,8 +254,8 @@
         -->
         <maven.compiler.argument.target>${maven.compiler.target}</maven.compiler.argument.target>
         <maven.compiler.argument.source>${maven.compiler.source}</maven.compiler.argument.source>
-        <aerogear.security.version>1.2.0</aerogear.security.version>
-        <aerogear.security.picketlink.version>1.1.1</aerogear.security.picketlink.version>
+        <aerogear.security.version>1.2.3-SNAPSHOT</aerogear.security.version>
+        <aerogear.security.picketlink.version>1.1.2-SNAPSHOT</aerogear.security.picketlink.version>
 
     </properties>
 

src/main/java/org/jboss/aerogear/connectivity/rest/security/AdminEndpoint.java

@@ -0,0 +1,65 @@
+/**
+ * JBoss, Home of Professional Open Source
+ * Copyright Red Hat, Inc., and individual contributors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * 	http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.jboss.aerogear.connectivity.rest.security;
+
+import org.jboss.aerogear.connectivity.users.Developer;
+import org.jboss.aerogear.security.authz.IdentityManagement;
+import org.jboss.aerogear.security.authz.Secure;
+import org.picketlink.Identity;
+import org.picketlink.idm.IdentityManagementException;
+import org.picketlink.idm.IdentityManager;
+
+import javax.ejb.Stateless;
+import javax.inject.Inject;
+import javax.ws.rs.Consumes;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+
+@Stateless
+@Path("/admin")
+public class AdminEndpoint {
+
+    @Inject
+    private IdentityManagement configuration;
+    @Inject
+    private IdentityManager identityManager;
+
+    @Inject
+    private Identity identity;
+
+    @POST
+    @Path("/enroll")
+    @Consumes(MediaType.APPLICATION_JSON)
+    @Produces(MediaType.APPLICATION_JSON)
+    @Secure("admin")
+    public Response enroll(final Developer developer) {
+        try {
+            configuration.create(developer, developer.getPassword());
+            configuration.grant(developer.getRole()).to(developer.getLoginName());
+
+        } catch (IdentityManagementException ime) {
+            return Response.status(Response.Status.BAD_REQUEST).entity("Credential not available").build();
+        }
+
+        return Response.ok(developer).build();
+
+    }
+}

src/main/java/org/jboss/aerogear/connectivity/rest/security/AuthenticationEndpoint.java

@@ -17,14 +17,10 @@
 package org.jboss.aerogear.connectivity.rest.security;
 
 import org.jboss.aerogear.connectivity.users.Developer;
-import org.jboss.aerogear.connectivity.users.UserRoles;
 import org.jboss.aerogear.security.auth.AuthenticationManager;
 import org.jboss.aerogear.security.authz.IdentityManagement;
-import org.jboss.aerogear.security.authz.Secure;
 import org.jboss.aerogear.security.exception.AeroGearSecurityException;
-import org.picketlink.idm.IdentityManagementException;
-import org.picketlink.idm.IdentityManager;
-import org.picketlink.idm.credential.Password;
+import org.jboss.aerogear.security.picketlink.auth.CredentialMatcher;
 import org.picketlink.idm.model.SimpleUser;
 
 import javax.ejb.Stateless;
@@ -45,48 +41,17 @@ public class AuthenticationEndpoint {
     @Inject
     private AuthenticationManager authenticationManager;
     @Inject
-    private IdentityManagement configuration;
+    private CredentialMatcher credential;
     @Inject
-    private IdentityManager identityManager;
-
-    private static final String DEFAULT_PASSWORD = "123";
-
-    @POST
-    @Path("/enroll")
-    @Consumes(MediaType.APPLICATION_JSON)
-    @Produces(MediaType.APPLICATION_JSON)
-    @Secure("admin")
-    public Response enroll(final Developer developer) {
-        // creating a user and granting rights:
-        try {
-            configuration.create(developer, developer.getPassword());
-            configuration.grant("developer").to(developer.getLoginName());
-
-        } catch (IdentityManagementException ime) {
-            return Response.status(Status.BAD_REQUEST).entity("username not available").build();
-        }
-
-        return Response.ok(developer).build();
-
-    }
+    private IdentityManagement configuration;
 
     @POST
     @Path("/login")
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     public Response login(final Developer developer) {
 
-        try {
-            authenticationManager.login(developer, developer.getPassword());
-        } catch (AeroGearSecurityException agse) {
-            return Response.status(Status.UNAUTHORIZED).build();
-        }
-
-        // See if the password is still the default. If it is we need them to change it
-        // Only Temporary until we get scripts in. see https://issues.jboss.org/browse/AGPUSH-107
-        if(developer.getPassword().equals(DEFAULT_PASSWORD)) {
-            return Response.status(Status.FORBIDDEN).build();
-        }
+        authenticationManager.login(developer, developer.getPassword());
 
         return Response.ok().build();
     }
@@ -102,28 +67,13 @@ public Response logout() {
         return Response.ok().build();
     }
 
-    // Temporary. see https://issues.jboss.org/browse/AGPUSH-107
     @PUT
     @Path("/update")
-    @Secure("user")
-    public Response updateUserPasswordAndRole(final Developer developer){
-
-        //Check to make sure that the user doesn't just re-enter the default password again
-        if( developer.getPassword().equals(DEFAULT_PASSWORD) ) {
-            return Response.status(Status.FORBIDDEN).build();
-        }
+    public Response updateUserPasswordAndRole(final Developer developer) {
 
-        SimpleUser user = (SimpleUser)this.configuration.findByUsername(developer.getLoginName());
-        this.identityManager.updateCredential(user, new Password(developer.getPassword()));
+        SimpleUser simpleUser = (SimpleUser) configuration.findByUsername(developer.getLoginName());
+        configuration.reset(simpleUser, developer.getPassword(), developer.getNewPassword());
 
-        //Update the role so they can access all "developer" endpoints
-        this.configuration.grant(UserRoles.DEVELOPER.getRoleName()).to(user.getLoginName());
-
-        // remove the temporary "user" role since they no longer need it
-        // This will then make this endpoint unreachable, which is better for security
-        // with this temporary fix
-        this.identityManager.revokeRole(user, this.identityManager.getRole(UserRoles.USER.getRoleName()));
         return Response.ok().build();
     }
-
 }

src/main/java/org/jboss/aerogear/connectivity/users/Developer.java

@@ -34,6 +34,9 @@ public class Developer extends SimpleUser {
     private Long id = null;
 
     private String password;
+    private String newPassword;
+
+    private String role;
 
     public void setId(Long id) {
         this.id = id;
@@ -47,6 +50,22 @@ public void setPassword(String password) {
         this.password = password;
     }
 
+    public String getNewPassword() {
+        return newPassword;
+    }
+
+    public void setNewPassword(String newPassword) {
+        this.newPassword = newPassword;
+    }
+
+    public String getRole() {
+        return role;
+    }
+
+    public void setRole(String role) {
+        this.role = role;
+    }
+
     @Override
     public boolean equals(Object that) {
         if (this == that) {

src/main/java/org/jboss/aerogear/connectivity/users/PicketLinkDefaultUsers.java

@@ -26,6 +26,10 @@
 import javax.ejb.Singleton;
 import javax.ejb.Startup;
 import javax.inject.Inject;
+import java.util.Calendar;
+import java.util.Date;
+
+import static org.jboss.aerogear.connectivity.users.UserRoles.*;
 
 @Singleton
 @Startup
@@ -44,7 +48,6 @@ public class PicketLinkDefaultUsers {
     @PostConstruct
     public void create() {
 
-        // developers!! developers!! developers!! developers!!
         User adminUser = identityManager.getUser("admin");
 
         // We only create the Admin, if there is none:
@@ -53,22 +56,20 @@ public void create() {
             Developer admin = new Developer();
             admin.setLoginName("admin");
 
-            /*
-             * Note: Password will be encoded in SHA-512 with SecureRandom-1024 salt
-             * See http://lists.jboss.org/pipermail/security-dev/2013-January/000650.html for more information
-             */
             this.identityManager.add(admin);
-            this.identityManager.updateCredential(admin, new Password("123"));
+            this.identityManager.updateCredential(admin, new Password("123"), new Date(), expirationDate());
 
-            /**
-             * Only give them a role of "User" since they will be technically logged in when we ask for a
-             * password change and we don't want them to access stuff until they change the password.
-             *
-             * Once the password is changed,  a role of "developer" will be added.
-             */
-            Role roleDeveloper = new SimpleRole(UserRoles.USER.getRoleName());
+            Role roleDeveloper = new SimpleRole(UserRoles.DEVELOPER);
             this.identityManager.add(roleDeveloper);
             identityManager.grantRole(admin, roleDeveloper);
+
         }
     }
+
+    //Expiration date of the password
+    private Date expirationDate() {
+        Calendar expirationDate = Calendar.getInstance();
+        expirationDate.add(Calendar.HOUR, -1);
+        return expirationDate.getTime();
+    }
 }

src/main/java/org/jboss/aerogear/connectivity/users/UserRoles.java

@@ -19,26 +19,15 @@
 /**
  * A type-safe identifier for the user role types.
  */
-public enum UserRoles {
+public class UserRoles {
     /**
      * The type identifier for a user role.
      */
-    USER("user"),
+    public static final String USER = "user";
 
     /**
      * The type identifier for a developer.
      */
-    DEVELOPER("developer");
+    public static final String DEVELOPER = "developer";
 
-    private final String roleName;
-
-    private UserRoles(String roleName) {
-        this.roleName = roleName;
-    }
-    /**
-     * Returns the actual role
-     */
-    public String getRoleName() {
-        return roleName;
-    }
 }