redback-policy/src/main/java/org/apache/archiva/redback/policy/DefaultUserSecurityPolicy.java - archiva-redback-core - Git at Google

 package org.apache.archiva.redback.policy;

 /*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  * http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
  * under the License.
  */

 import org.apache.archiva.redback.configuration.UserConfiguration;
 import org.apache.archiva.redback.configuration.UserConfigurationKeys;
 import org.apache.archiva.redback.users.User;
 import org.apache.archiva.redback.policy.rules.MustHavePasswordRule;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.context.ApplicationContext;
 import org.springframework.stereotype.Service;

 import javax.annotation.PostConstruct;
 import javax.inject.Inject;
 import javax.inject.Named;
 import java.util.ArrayList;
 import java.util.Calendar;
 import java.util.Date;
 import java.util.List;

 /**
  * User Security Policy.
  *
  * @author <a href="mailto:joakim@erdfelt.com">Joakim Erdfelt</a>
  */
 @Service("userSecurityPolicy")
 public class DefaultUserSecurityPolicy
     implements UserSecurityPolicy
 {
     private static final String ENABLEMENT_KEY = "UserSecurityPolicy" + ":ENABLED";

     private Logger log = LoggerFactory.getLogger( getClass() );

     private PasswordRule defaultPasswordRule = new MustHavePasswordRule();

     @Inject
     @Named(value = "userConfiguration#default")
     private UserConfiguration config;

     @Inject
     @Named(value = "passwordEncoder#sha256")
     private PasswordEncoder passwordEncoder;

     @Inject
     @Named(value = "userValidationSettings")
     private UserValidationSettings userValidationSettings;

     @Inject
     @Named(value = "cookieSettings#rememberMe")
     private CookieSettings rememberMeCookieSettings;

     @Inject
     @Named(value = "cookieSettings#signon")
     private CookieSettings signonCookieSettings;

     // TODO use something more generic to be able to do change about container
     @Inject
     private ApplicationContext applicationContext;

     /**
      * The List of {@link PasswordRule} objects.
      */
     @Inject
     private List<PasswordRule> rules = new ArrayList<PasswordRule>( 0 );

     private int previousPasswordsCount;

     private int loginAttemptCount;

     private int passwordExpirationDays;

     private boolean passwordExpirationEnabled;

     private List<String> unlockableAccounts;


     // ---------------------------------------
     //  Component lifecycle
     // ---------------------------------------
     // TODO move this to constructor
     @SuppressWarnings("unchecked")
     @PostConstruct
     public void initialize()
     {
         configurePolicy();

         configureEncoder();

         // In some configurations, rules can be unset.
         if ( rules == null )
         {
             // Set rules to prevent downstream NPE.
             rules = new ArrayList<PasswordRule>( 1 );
         }

         if ( rules.isEmpty() )
         {
             // there should be at least one rule
             addPasswordRule( defaultPasswordRule );
         }
     }

     private void configureEncoder()
     {
         String encoder = config.getString( UserConfigurationKeys.PASSWORD_ENCODER );

         if ( encoder != null )
         {
             this.passwordEncoder = applicationContext.getBean( "passwordEncoder#" + encoder, PasswordEncoder.class );
         }
     }

     private void configurePolicy()
     {
         this.previousPasswordsCount = config.getInt( UserConfigurationKeys.PASSWORD_RETENTION_COUNT );
         this.loginAttemptCount = config.getInt( UserConfigurationKeys.LOGIN_ATTEMPT_COUNT );
         this.passwordExpirationEnabled = config.getBoolean( UserConfigurationKeys.PASSWORD_EXPIRATION_ENABLED );
         this.passwordExpirationDays = config.getInt( UserConfigurationKeys.PASSWORD_EXPIRATION );
         this.unlockableAccounts = config.getList( UserConfigurationKeys.UNLOCKABLE_ACCOUNTS );
     }


     public String getId()
     {
         return "Default User Security Policy";
     }

     public int getPreviousPasswordsCount()
     {
         return previousPasswordsCount;
     }

     public List<String> getUnlockableAccounts()
     {
         if ( unlockableAccounts == null )
         {
             unlockableAccounts = new ArrayList<String>( 0 );
         }
         return unlockableAccounts;
     }

     /**
      * Sets a list of accounts which should never be locked by security policy
      *
      * @param unlockableAccounts
      */
     public void setUnlockableAccounts( List<String> unlockableAccounts )
     {
         this.unlockableAccounts = unlockableAccounts;
     }

     /**
      * Sets the count of previous passwords that should be tracked.
      *
      * @param count the count of previous passwords to track.
      */
     public void setPreviousPasswordsCount( int count )
     {
         this.previousPasswordsCount = count;
     }

     public int getLoginAttemptCount()
     {
         return loginAttemptCount;
     }

     public void setLoginAttemptCount( int count )
     {
         this.loginAttemptCount = count;
     }

     /**
      * Get the password encoder to be used for password operations
      *
      * @return the encoder
      */
     public PasswordEncoder getPasswordEncoder()
     {
         return passwordEncoder;
     }

     public boolean isEnabled()
     {
         Boolean bool = (Boolean) PolicyContext.getContext().get( ENABLEMENT_KEY );
         return bool == null || bool.booleanValue();
     }

     public void setEnabled( boolean enabled )
     {
         PolicyContext.getContext().put( ENABLEMENT_KEY, Boolean.valueOf( enabled ) );
     }

     /**
      * Add a Specific Rule to the Password Rules List.
      *
      * @param rule the rule to add.
      */
     public void addPasswordRule( PasswordRule rule )
     {
         // TODO: check for duplicates? if so, check should only be based on Rule class name.

         rule.setUserSecurityPolicy( this );
         this.rules.add( rule );
     }

     /**
      * Get the Password Rules List.
      *
      * @return the list of {@link PasswordRule} objects.
      */
     public List<PasswordRule> getPasswordRules()
     {
         return this.rules;
     }

     /**
      * Set the Password Rules List.
      *
      * @param rules the list of {@link PasswordRule} objects.
      */
     public void setPasswordRules( List<PasswordRule> rules )
     {
         this.rules.clear();

         if ( rules == null )
         {
             return;
         }

         // Intentionally iterating to ensure policy settings in provided rules.

         for ( PasswordRule rule : rules )
         {
             addPasswordRule( rule );
         }
     }

     public void extensionPasswordExpiration( User user )
         throws MustChangePasswordException
     {
         if ( passwordExpirationEnabled && !getUnlockableAccounts().contains( user.getUsername() ) )
         {
             Calendar expirationDate = Calendar.getInstance();
             expirationDate.setTime( user.getLastPasswordChange() );
             expirationDate.add( Calendar.DAY_OF_MONTH, passwordExpirationDays );
             Calendar now = Calendar.getInstance();

             if ( now.after( expirationDate ) )
             {
                 log.info( "User '{}' flagged for password expiry (expired on: {})", user.getUsername(),
                           expirationDate );
                 user.setPasswordChangeRequired( true );
                 throw new MustChangePasswordException( "Password Expired, You must change your password.", user );
             }
         }
     }

     public void extensionExcessiveLoginAttempts( User user )
         throws AccountLockedException
     {
         if ( !getUnlockableAccounts().contains( user.getUsername() ) )
         {
             int attempt = user.getCountFailedLoginAttempts();
             attempt++;
             user.setCountFailedLoginAttempts( attempt );

             if ( attempt >= loginAttemptCount )
             {
                 log.info( "User '{}' locked due to excessive login attempts: {}", user.getUsername(), attempt );
                 user.setLocked( true );
                 throw new AccountLockedException( "Account " + user.getUsername() + " is locked.", user );
             }
         }
     }

     public void extensionChangePassword( User user )
         throws PasswordRuleViolationException
     {
         extensionChangePassword( user, false );
     }

     public void extensionChangePassword( User user, boolean passwordChangeRequired )
         throws PasswordRuleViolationException
     {
         validatePassword( user );

         // set the current encoded password.
         user.setEncodedPassword( passwordEncoder.encodePassword( user.getPassword() ) );
         user.setPassword( null );

         // push new password onto list of previous password.
         List<String> previousPasswords = new ArrayList<String>( 1 );
         previousPasswords.add( user.getEncodedPassword() );

         if ( !user.getPreviousEncodedPasswords().isEmpty() )
         {
             int oldCount = Math.min( previousPasswordsCount - 1, user.getPreviousEncodedPasswords().size() );
             //modified sublist start index as the previous value results to nothing being added to the list.
             List<String> sublist = user.getPreviousEncodedPasswords().subList( 0, oldCount );
             previousPasswords.addAll( sublist );
         }

         user.setPreviousEncodedPasswords( previousPasswords );
         user.setPasswordChangeRequired( passwordChangeRequired );

         // Update timestamp for password change.
         user.setLastPasswordChange( new Date() );
     }

     public void validatePassword( User user )
         throws PasswordRuleViolationException
     {
         if ( isEnabled() )
         {
             PasswordRuleViolations violations = new PasswordRuleViolations();

             for ( PasswordRule rule : this.rules )
             {
                 if ( rule.isEnabled() )
                 {
                     if ( rule.requiresSecurityPolicy() )
                     {
                         rule.setUserSecurityPolicy( this );
                     }

                     rule.testPassword( violations, user );
                 }
             }

             if ( violations.hasViolations() )
             {
                 PasswordRuleViolationException exception = new PasswordRuleViolationException();
                 exception.setViolations( violations );
                 throw exception;
             }
         }

         // If you got this far, then ensure that the password is never null.
         if ( user.getPassword() == null )
         {
             user.setPassword( "" );
         }
     }

     public int getPasswordExpirationDays()
     {
         return passwordExpirationDays;
     }

     public void setPasswordExpirationDays( int passwordExpiry )
     {
         this.passwordExpirationDays = passwordExpiry;
     }

     public UserValidationSettings getUserValidationSettings()
     {
         return userValidationSettings;
     }

     public void setUserValidationSettings( UserValidationSettings settings )
     {
         this.userValidationSettings = settings;
     }

     public CookieSettings getRememberMeCookieSettings()
     {
         return rememberMeCookieSettings;
     }

     public CookieSettings getSignonCookieSettings()
     {
         return signonCookieSettings;
     }

     public UserConfiguration getConfig()
     {
         return config;
     }

     public void setConfig( UserConfiguration config )
     {
         this.config = config;
     }


     public void setPasswordEncoder( PasswordEncoder passwordEncoder )
     {
         this.passwordEncoder = passwordEncoder;
     }

     public void setRememberMeCookieSettings( CookieSettings rememberMeCookieSettings )
     {
         this.rememberMeCookieSettings = rememberMeCookieSettings;
     }

     public void setSignonCookieSettings( CookieSettings signonCookieSettings )
     {
         this.signonCookieSettings = signonCookieSettings;
     }

     public void setRules( List<PasswordRule> rules )
     {
         this.rules = rules;
     }

     public void setDefaultPasswordRule( PasswordRule defaultPasswordRule )
     {
         this.defaultPasswordRule = defaultPasswordRule;
     }
 }
	package org.apache.archiva.redback.policy;

	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*/

	import org.apache.archiva.redback.configuration.UserConfiguration;
	import org.apache.archiva.redback.configuration.UserConfigurationKeys;
	import org.apache.archiva.redback.users.User;
	import org.apache.archiva.redback.policy.rules.MustHavePasswordRule;
	import org.slf4j.Logger;
	import org.slf4j.LoggerFactory;
	import org.springframework.context.ApplicationContext;
	import org.springframework.stereotype.Service;

	import javax.annotation.PostConstruct;
	import javax.inject.Inject;
	import javax.inject.Named;
	import java.util.ArrayList;
	import java.util.Calendar;
	import java.util.Date;
	import java.util.List;

	/**
	* User Security Policy.
	*
	* @author <a href="mailto:joakim@erdfelt.com">Joakim Erdfelt</a>
	*/
	@Service("userSecurityPolicy")
	public class DefaultUserSecurityPolicy
	implements UserSecurityPolicy
	{
	private static final String ENABLEMENT_KEY = "UserSecurityPolicy" + ":ENABLED";

	private Logger log = LoggerFactory.getLogger( getClass() );

	private PasswordRule defaultPasswordRule = new MustHavePasswordRule();

	@Inject
	@Named(value = "userConfiguration#default")
	private UserConfiguration config;

	@Inject
	@Named(value = "passwordEncoder#sha256")
	private PasswordEncoder passwordEncoder;

	@Inject
	@Named(value = "userValidationSettings")
	private UserValidationSettings userValidationSettings;

	@Inject
	@Named(value = "cookieSettings#rememberMe")
	private CookieSettings rememberMeCookieSettings;

	@Inject
	@Named(value = "cookieSettings#signon")
	private CookieSettings signonCookieSettings;

	// TODO use something more generic to be able to do change about container
	@Inject
	private ApplicationContext applicationContext;

	/**
	* The List of {@link PasswordRule} objects.
	*/
	@Inject
	private List<PasswordRule> rules = new ArrayList<PasswordRule>( 0 );

	private int previousPasswordsCount;

	private int loginAttemptCount;

	private int passwordExpirationDays;

	private boolean passwordExpirationEnabled;

	private List<String> unlockableAccounts;


	// ---------------------------------------
	// Component lifecycle
	// ---------------------------------------
	// TODO move this to constructor
	@SuppressWarnings("unchecked")
	@PostConstruct
	public void initialize()
	{
	configurePolicy();

	configureEncoder();

	// In some configurations, rules can be unset.
	if ( rules == null )
	{
	// Set rules to prevent downstream NPE.
	rules = new ArrayList<PasswordRule>( 1 );
	}

	if ( rules.isEmpty() )
	{
	// there should be at least one rule
	addPasswordRule( defaultPasswordRule );
	}
	}

	private void configureEncoder()
	{
	String encoder = config.getString( UserConfigurationKeys.PASSWORD_ENCODER );

	if ( encoder != null )
	{
	this.passwordEncoder = applicationContext.getBean( "passwordEncoder#" + encoder, PasswordEncoder.class );
	}
	}

	private void configurePolicy()
	{
	this.previousPasswordsCount = config.getInt( UserConfigurationKeys.PASSWORD_RETENTION_COUNT );
	this.loginAttemptCount = config.getInt( UserConfigurationKeys.LOGIN_ATTEMPT_COUNT );
	this.passwordExpirationEnabled = config.getBoolean( UserConfigurationKeys.PASSWORD_EXPIRATION_ENABLED );
	this.passwordExpirationDays = config.getInt( UserConfigurationKeys.PASSWORD_EXPIRATION );
	this.unlockableAccounts = config.getList( UserConfigurationKeys.UNLOCKABLE_ACCOUNTS );
	}


	public String getId()
	{
	return "Default User Security Policy";
	}

	public int getPreviousPasswordsCount()
	{
	return previousPasswordsCount;
	}

	public List<String> getUnlockableAccounts()
	{
	if ( unlockableAccounts == null )
	{
	unlockableAccounts = new ArrayList<String>( 0 );
	}
	return unlockableAccounts;
	}

	/**
	* Sets a list of accounts which should never be locked by security policy
	*
	* @param unlockableAccounts
	*/
	public void setUnlockableAccounts( List<String> unlockableAccounts )
	{
	this.unlockableAccounts = unlockableAccounts;
	}

	/**
	* Sets the count of previous passwords that should be tracked.
	*
	* @param count the count of previous passwords to track.
	*/
	public void setPreviousPasswordsCount( int count )
	{
	this.previousPasswordsCount = count;
	}

	public int getLoginAttemptCount()
	{
	return loginAttemptCount;
	}

	public void setLoginAttemptCount( int count )
	{
	this.loginAttemptCount = count;
	}

	/**
	* Get the password encoder to be used for password operations
	*
	* @return the encoder
	*/
	public PasswordEncoder getPasswordEncoder()
	{
	return passwordEncoder;
	}

	public boolean isEnabled()
	{
	Boolean bool = (Boolean) PolicyContext.getContext().get( ENABLEMENT_KEY );
	return bool == null \|\| bool.booleanValue();
	}

	public void setEnabled( boolean enabled )
	{
	PolicyContext.getContext().put( ENABLEMENT_KEY, Boolean.valueOf( enabled ) );
	}

	/**
	* Add a Specific Rule to the Password Rules List.
	*
	* @param rule the rule to add.
	*/
	public void addPasswordRule( PasswordRule rule )
	{
	// TODO: check for duplicates? if so, check should only be based on Rule class name.

	rule.setUserSecurityPolicy( this );
	this.rules.add( rule );
	}

	/**
	* Get the Password Rules List.
	*
	* @return the list of {@link PasswordRule} objects.
	*/
	public List<PasswordRule> getPasswordRules()
	{
	return this.rules;
	}

	/**
	* Set the Password Rules List.
	*
	* @param rules the list of {@link PasswordRule} objects.
	*/
	public void setPasswordRules( List<PasswordRule> rules )
	{
	this.rules.clear();

	if ( rules == null )
	{
	return;
	}

	// Intentionally iterating to ensure policy settings in provided rules.

	for ( PasswordRule rule : rules )
	{
	addPasswordRule( rule );
	}
	}

	public void extensionPasswordExpiration( User user )
	throws MustChangePasswordException
	{
	if ( passwordExpirationEnabled && !getUnlockableAccounts().contains( user.getUsername() ) )
	{
	Calendar expirationDate = Calendar.getInstance();
	expirationDate.setTime( user.getLastPasswordChange() );
	expirationDate.add( Calendar.DAY_OF_MONTH, passwordExpirationDays );
	Calendar now = Calendar.getInstance();

	if ( now.after( expirationDate ) )
	{
	log.info( "User '{}' flagged for password expiry (expired on: {})", user.getUsername(),
	expirationDate );
	user.setPasswordChangeRequired( true );
	throw new MustChangePasswordException( "Password Expired, You must change your password.", user );
	}
	}
	}

	public void extensionExcessiveLoginAttempts( User user )
	throws AccountLockedException
	{
	if ( !getUnlockableAccounts().contains( user.getUsername() ) )
	{
	int attempt = user.getCountFailedLoginAttempts();
	attempt++;
	user.setCountFailedLoginAttempts( attempt );

	if ( attempt >= loginAttemptCount )
	{
	log.info( "User '{}' locked due to excessive login attempts: {}", user.getUsername(), attempt );
	user.setLocked( true );
	throw new AccountLockedException( "Account " + user.getUsername() + " is locked.", user );
	}
	}
	}

	public void extensionChangePassword( User user )
	throws PasswordRuleViolationException
	{
	extensionChangePassword( user, false );
	}

	public void extensionChangePassword( User user, boolean passwordChangeRequired )
	throws PasswordRuleViolationException
	{
	validatePassword( user );

	// set the current encoded password.
	user.setEncodedPassword( passwordEncoder.encodePassword( user.getPassword() ) );
	user.setPassword( null );

	// push new password onto list of previous password.
	List<String> previousPasswords = new ArrayList<String>( 1 );
	previousPasswords.add( user.getEncodedPassword() );

	if ( !user.getPreviousEncodedPasswords().isEmpty() )
	{
	int oldCount = Math.min( previousPasswordsCount - 1, user.getPreviousEncodedPasswords().size() );
	//modified sublist start index as the previous value results to nothing being added to the list.
	List<String> sublist = user.getPreviousEncodedPasswords().subList( 0, oldCount );
	previousPasswords.addAll( sublist );
	}

	user.setPreviousEncodedPasswords( previousPasswords );
	user.setPasswordChangeRequired( passwordChangeRequired );

	// Update timestamp for password change.
	user.setLastPasswordChange( new Date() );
	}

	public void validatePassword( User user )
	throws PasswordRuleViolationException
	{
	if ( isEnabled() )
	{
	PasswordRuleViolations violations = new PasswordRuleViolations();

	for ( PasswordRule rule : this.rules )
	{
	if ( rule.isEnabled() )
	{
	if ( rule.requiresSecurityPolicy() )
	{
	rule.setUserSecurityPolicy( this );
	}

	rule.testPassword( violations, user );
	}
	}

	if ( violations.hasViolations() )
	{
	PasswordRuleViolationException exception = new PasswordRuleViolationException();
	exception.setViolations( violations );
	throw exception;
	}
	}

	// If you got this far, then ensure that the password is never null.
	if ( user.getPassword() == null )
	{
	user.setPassword( "" );
	}
	}

	public int getPasswordExpirationDays()
	{
	return passwordExpirationDays;
	}

	public void setPasswordExpirationDays( int passwordExpiry )
	{
	this.passwordExpirationDays = passwordExpiry;
	}

	public UserValidationSettings getUserValidationSettings()
	{
	return userValidationSettings;
	}

	public void setUserValidationSettings( UserValidationSettings settings )
	{
	this.userValidationSettings = settings;
	}

	public CookieSettings getRememberMeCookieSettings()
	{
	return rememberMeCookieSettings;
	}

	public CookieSettings getSignonCookieSettings()
	{
	return signonCookieSettings;
	}

	public UserConfiguration getConfig()
	{
	return config;
	}

	public void setConfig( UserConfiguration config )
	{
	this.config = config;
	}


	public void setPasswordEncoder( PasswordEncoder passwordEncoder )
	{
	this.passwordEncoder = passwordEncoder;
	}

	public void setRememberMeCookieSettings( CookieSettings rememberMeCookieSettings )
	{
	this.rememberMeCookieSettings = rememberMeCookieSettings;
	}

	public void setSignonCookieSettings( CookieSettings signonCookieSettings )
	{
	this.signonCookieSettings = signonCookieSettings;
	}

	public void setRules( List<PasswordRule> rules )
	{
	this.rules = rules;
	}

	public void setDefaultPasswordRule( PasswordRule defaultPasswordRule )
	{
	this.defaultPasswordRule = defaultPasswordRule;
	}
	}