Refactor: Make sure PasswordChangeEndpoint,

ChangePasswordController and ChangePasswordService do not use
ResetPassword's controllers.

[#95916214] https://www.pivotaltracker.com/story/show/95916214

Signed-off-by: Xuebin He <xuebin.he@emc.com>

login/src/main/java/org/cloudfoundry/identity/uaa/login/ChangePasswordService.java

@@ -13,5 +13,5 @@
 package org.cloudfoundry.identity.uaa.login;
 
 public interface ChangePasswordService {
-    public Void changePassword(String username, String currentPassword, String newPassword);
+    void changePassword(String username, String currentPassword, String newPassword);
 }

login/src/main/java/org/cloudfoundry/identity/uaa/login/UaaChangePasswordService.java

@@ -12,31 +12,79 @@
  *******************************************************************************/
 package org.cloudfoundry.identity.uaa.login;
 
-import org.cloudfoundry.identity.uaa.scim.endpoints.PasswordResetEndpoints;
-import org.springframework.http.ResponseEntity;
+import org.cloudfoundry.identity.uaa.password.event.PasswordChangeEvent;
+import org.cloudfoundry.identity.uaa.password.event.PasswordChangeFailureEvent;
+import org.cloudfoundry.identity.uaa.scim.ScimUser;
+import org.cloudfoundry.identity.uaa.scim.ScimUserProvisioning;
+import org.cloudfoundry.identity.uaa.scim.exception.InvalidPasswordException;
+import org.cloudfoundry.identity.uaa.scim.exception.ScimResourceNotFoundException;
+import org.cloudfoundry.identity.uaa.scim.validate.PasswordValidator;
+import org.cloudfoundry.identity.uaa.user.UaaUser;
+import org.springframework.context.ApplicationEvent;
+import org.springframework.context.ApplicationEventPublisher;
+import org.springframework.context.ApplicationEventPublisherAware;
 import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.core.context.SecurityContextHolder;
 
-import java.util.Map;
+import java.util.Date;
+import java.util.List;
 
-public class UaaChangePasswordService implements ChangePasswordService {
+public class UaaChangePasswordService implements ChangePasswordService, ApplicationEventPublisherAware {
 
-    private final PasswordResetEndpoints passwordResetEndpoints;
+    private final ScimUserProvisioning scimUserProvisioning;
+    private final PasswordValidator passwordValidator;
+    private ApplicationEventPublisher publisher;
 
-    public UaaChangePasswordService(PasswordResetEndpoints passwordResetEndpoints) {
-        this.passwordResetEndpoints= passwordResetEndpoints;
+    public UaaChangePasswordService(ScimUserProvisioning scimUserProvisioning, PasswordValidator passwordValidator) {
+        this.scimUserProvisioning = scimUserProvisioning;
+        this.passwordValidator = passwordValidator;
     }
 
     @Override
-    public Void changePassword(String username, String currentPassword, String newPassword) {
-        PasswordResetEndpoints.PasswordChange change = new PasswordResetEndpoints.PasswordChange();
-        change.setUsername(username);
-        change.setCurrentPassword(currentPassword);
-        change.setNewPassword(newPassword);
-        ResponseEntity<Map<String,String>> response = passwordResetEndpoints.changePassword(change);
-        if (! response.getStatusCode().is2xxSuccessful()) {
-            //throw an error
+    public void changePassword(String username, String currentPassword, String newPassword) {
+        if (username == null || currentPassword == null) {
             throw new BadCredentialsException(username);
         }
-        return null;
+        passwordValidator.validate(newPassword);
+        changePasswordUsernamePasswordAuthenticated(username, currentPassword, newPassword);
+    }
+
+    private void changePasswordUsernamePasswordAuthenticated(String username, String currentPassword, String newPassword) {
+        List<ScimUser> results = scimUserProvisioning.query("userName eq \"" + username + "\"");
+        if (results.isEmpty()) {
+            throw new ScimResourceNotFoundException("User not found");
+        }
+        ScimUser user = results.get(0);
+        UaaUser uaaUser = getUaaUser(user);
+        try {
+            if (scimUserProvisioning.checkPasswordMatches(user.getId(), newPassword)) {
+                throw new InvalidPasswordException("Your new password cannot be the same as the old password");
+            }
+            scimUserProvisioning.changePassword(user.getId(), currentPassword, newPassword);
+            publish(new PasswordChangeEvent("Password changed", uaaUser, SecurityContextHolder.getContext().getAuthentication()));
+        } catch (Exception e) {
+            publish(new PasswordChangeFailureEvent(e.getMessage(), uaaUser, SecurityContextHolder.getContext().getAuthentication()));
+            throw e;
+        }
+    }
+
+    private UaaUser getUaaUser(ScimUser scimUser) {
+        Date today = new Date();
+        return new UaaUser(scimUser.getId(), scimUser.getUserName(), "N/A", scimUser.getPrimaryEmail(), null,
+            scimUser.getGivenName(),
+            scimUser.getFamilyName(), today, today,
+            scimUser.getOrigin(), scimUser.getExternalId(), scimUser.isVerified(), scimUser.getZoneId(), scimUser.getSalt(),
+            scimUser.getPasswordLastModified());
+    }
+
+    @Override
+    public void setApplicationEventPublisher(ApplicationEventPublisher publisher) {
+        this.publisher = publisher;
+    }
+
+    protected void publish(ApplicationEvent event) {
+        if (publisher!=null) {
+            publisher.publishEvent(event);
+        }
     }
 }

login/src/main/resources/login-ui.xml

@@ -436,7 +436,8 @@
     </bean>
 
     <bean id="changePasswordService" class="org.cloudfoundry.identity.uaa.login.UaaChangePasswordService">
-        <constructor-arg ref="passwordResetEndpoints"/>
+        <constructor-arg ref="scimUserProvisioning"/>
+        <constructor-arg ref="uaaPasswordValidator"/>
     </bean>
 
     <bean id="changePasswordController" class="org.cloudfoundry.identity.uaa.login.ChangePasswordController">

login/src/test/java/org/cloudfoundry/identity/uaa/login/ChangePasswordControllerTest.java

@@ -1,6 +1,6 @@
 /*******************************************************************************
  *     Cloud Foundry
- *     Copyright (c) [2009-2014] Pivotal Software, Inc. All Rights Reserved.
+ *     Copyright (c) [2009-2015] Pivotal Software, Inc. All Rights Reserved.
  *
  *     This product is licensed to you under the Apache License, Version 2.0 (the "License").
  *     You may not use this product except in compliance with the License.
@@ -18,7 +18,6 @@
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
-import org.mockito.Mockito;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -31,7 +30,8 @@
 import java.util.Arrays;
 
 import static com.google.common.collect.Lists.newArrayList;
-import static org.mockito.Mockito.when;
+import static org.mockito.Mockito.*;
+import static org.mockito.Mockito.doThrow;
 import static org.springframework.http.MediaType.APPLICATION_FORM_URLENCODED;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
@@ -47,7 +47,7 @@ public class ChangePasswordControllerTest extends TestClassNullifier {
     @Before
     public void setUp() throws Exception {
         SecurityContextHolder.clearContext();
-        changePasswordService = Mockito.mock(ChangePasswordService.class);
+        changePasswordService = mock(ChangePasswordService.class);
         ChangePasswordController controller = new ChangePasswordController(changePasswordService);
 
         InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
@@ -57,6 +57,14 @@ public void setUp() throws Exception {
                 .standaloneSetup(controller)
                 .setViewResolvers(viewResolver)
                 .build();
+
+        Authentication authentication = new UsernamePasswordAuthenticationToken(
+            "bob",
+            "secret",
+            Arrays.asList(UaaAuthority.UAA_USER)
+        );
+
+        SecurityContextHolder.getContext().setAuthentication(authentication);
     }
 
     @After
@@ -65,88 +73,71 @@ public void tearDown() {
     }
 
     @Test
-    public void testChangePasswordPage() throws Exception {
+    public void changePasswordPage_RendersChangePasswordPage() throws Exception {
         mockMvc.perform(get("/change_password"))
                 .andExpect(status().isOk())
                 .andExpect(view().name("change_password"));
     }
 
     @Test
-    public void testChangePassword() throws Exception {
-        setupSecurityContext();
-
-        MockHttpServletRequestBuilder post = post("/change_password.do")
-                .contentType(APPLICATION_FORM_URLENCODED)
-                .param("current_password", "secret")
-                .param("new_password", "new secret")
-                .param("confirm_password", "new secret");
-
+    public void changePassword_Returns302Found_SuccessfullyChangedPassword() throws Exception {
+        MockHttpServletRequestBuilder post = createRequest("secret", "new secret", "new secret");
         mockMvc.perform(post)
                 .andExpect(status().isFound())
                 .andExpect(redirectedUrl("profile"));
 
-        Mockito.verify(changePasswordService).changePassword("bob", "secret", "new secret");
+        verify(changePasswordService).changePassword("bob", "secret", "new secret");
     }
 
     @Test
-    public void testChangePasswordValidation() throws Exception {
-        setupSecurityContext();
-
-        MockHttpServletRequestBuilder post = post("/change_password.do")
-                .contentType(APPLICATION_FORM_URLENCODED)
-                .param("current_password", "secret")
-                .param("new_password", "new secret")
-                .param("confirm_password", "newsecret");
-
+    public void changePassword_ConfirmationPasswordDoesNotMatch() throws Exception {
+        MockHttpServletRequestBuilder post = createRequest("secret", "new secret", "newsecret");
         mockMvc.perform(post)
                 .andExpect(status().isUnprocessableEntity())
                 .andExpect(view().name("change_password"))
                 .andExpect(model().attribute("message_code", "form_error"));
 
-        Mockito.verifyZeroInteractions(changePasswordService);
+        verifyZeroInteractions(changePasswordService);
     }
 
     @Test
-    public void testPasswordPolicyViolationIsReported() throws Exception {
-        setupSecurityContext();
-        MockHttpServletRequestBuilder post = post("/change_password.do")
-                .contentType(APPLICATION_FORM_URLENCODED)
-                .param("current_password", "secret")
-                .param("new_password", "new secret")
-                .param("confirm_password", "new secret");
-
-        when(changePasswordService.changePassword("bob", "secret", "new secret")).thenThrow(new InvalidPasswordException(newArrayList("Msg 2b", "Msg 1b")));
+    public void changePassword_PasswordPolicyViolationReported() throws Exception {
+        doThrow(new InvalidPasswordException(newArrayList("Msg 2b", "Msg 1b"))).when(changePasswordService).changePassword("bob", "secret", "new secret");
+
+        MockHttpServletRequestBuilder post = createRequest("secret", "new secret", "new secret");
         mockMvc.perform(post)
                 .andExpect(status().isUnprocessableEntity())
                 .andExpect(view().name("change_password"))
                 .andExpect(model().attribute("message", "Msg 1b Msg 2b"));
     }
 
     @Test
-    public void testChangePasswordWrongPassword() throws Exception {
-        setupSecurityContext();
-
-        Mockito.doThrow(new RestClientException("401 Unauthorized")).when(changePasswordService).changePassword("bob", "wrong", "new secret");
-
-        MockHttpServletRequestBuilder post = post("/change_password.do")
-                .contentType(APPLICATION_FORM_URLENCODED)
-                .param("current_password", "wrong")
-                .param("new_password", "new secret")
-                .param("confirm_password", "new secret");
+    public void changePassword_Returns401Unauthorized_WrongCurrentPassword() throws Exception {
+        doThrow(new RestClientException("401 Unauthorized")).when(changePasswordService).changePassword("bob", "wrong", "new secret");
 
+        MockHttpServletRequestBuilder post = createRequest("wrong", "new secret", "new secret");
         mockMvc.perform(post)
                 .andExpect(status().isUnprocessableEntity())
                 .andExpect(view().name("change_password"))
                 .andExpect(model().attribute("message_code", "unauthorized"));
     }
 
-    private void setupSecurityContext() {
-        Authentication authentication = new UsernamePasswordAuthenticationToken(
-                        "bob",
-                        "secret",
-                        Arrays.asList(UaaAuthority.UAA_USER)
-        );
+    @Test
+    public void changePassword_PasswordNoveltyViolationReported_NewPasswordSameAsCurrentPassword() throws Exception {
+        doThrow(new InvalidPasswordException("Your new password cannot be the same as the old password.")).when(changePasswordService).changePassword("bob", "secret", "new secret");
 
-        SecurityContextHolder.getContext().setAuthentication(authentication);
+        MockHttpServletRequestBuilder post = createRequest("secret", "new secret", "new secret");
+        mockMvc.perform(post)
+            .andExpect(status().isUnprocessableEntity())
+            .andExpect(view().name("change_password"))
+            .andExpect(model().attribute("message", "Your new password cannot be the same as the old password."));
+    }
+
+    private MockHttpServletRequestBuilder createRequest(String currentPassword, String newPassword, String confirmPassword) {
+        return post("/change_password.do")
+            .contentType(APPLICATION_FORM_URLENCODED)
+            .param("current_password", currentPassword)
+            .param("new_password", newPassword)
+            .param("confirm_password", confirmPassword);
     }
 }