Revert "Add support for passwordExpiryTime in user claims on request" #894

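--- a/components/org.wso2.carbon.identity.password.expiry/pom.xml
+++ b/components/org.wso2.carbon.identity.password.expiry/pom.xml
@@ -89,11 +89,6 @@
 <artifactId>mockito-inline</artifactId>
 <scope>test</scope>
 </dependency>
-<dependency>
-<groupId>org.wso2.carbon.identity.framework</groupId>
-<artifactId>org.wso2.carbon.identity.testutil</artifactId>
-<scope>test</scope>
-</dependency>
 <dependency>
 <groupId>org.wso2.carbon.identity.organization.management.core</groupId>
 <artifactId>org.wso2.carbon.identity.organization.management.service</artifactId>
@@ -154,9 +149,6 @@
 org.wso2.carbon.user.core; version="${carbon.kernel.package.import.version.range}",
 org.wso2.carbon.user.core.util; version="${carbon.kernel.package.import.version.range}",
 org.wso2.carbon.user.core.common; version="${carbon.kernel.package.import.version.range}",
-org.wso2.carbon.user.core.listener; version="${carbon.kernel.package.import.version.range}",
-org.wso2.carbon.user.core.model; version="${carbon.kernel.package.import.version.range}",
-org.wso2.carbon.context; version="${carbon.kernel.package.import.version.range}",
 org.wso2.carbon.user.api.*; version="${carbon.user.api.imp.pkg.version.range}",
 org.wso2.carbon.identity.application.common.model.*;
 version="${carbon.identity.framework.imp.pkg.version.range}",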
Expand Up @@ -28,7 +28,6 @@ public class PasswordPolicyConstants {
"http://wso2.org/claims/identity/lastPasswordUpdateTime";
public static final String LAST_CREDENTIAL_UPDATE_TIMESTAMP_CLAIM_NON_IDENTITY =
"http://wso2.org/claims/lastPasswordChangedTimestamp";
public static final String PASSWORD_EXPIRY_TIME_CLAIM = "http://wso2.org/claims/identity/passwordExpiryTime";
public static final String PASSWORD_RESET_PAGE = "/accountrecoveryendpoint/password-recovery-confirm.jsp";
public static final String PASSWORD_CHANGE_EVENT_HANDLER_NAME = "enforcePasswordResetEventHandler";
public static final String ENFORCE_PASSWORD_RESET_HANDLER = "EnforcePasswordResetHandler";
Expand Down Expand Up @@ -58,7 +57,6 @@ public class PasswordPolicyConstants {
public static final String AUTHENTICATION_STATUS = "authenticationStatus";
public static final String BASIC_AUTHENTICATOR = "BasicAuthenticator";
public static final String FALSE = "false";
public static final String TRUE = "true";
public static final String CONFIRMATION_QUERY_PARAM = "&confirmation=";
public static final String PASSWORD_EXPIRED_QUERY_PARAMS = "&passwordExpired=true";
public static final String PASSWORD_EXPIRED_MSG_QUERY_PARAM = "&passwordExpiredMsg=";
Expand Up @@ -35,10 +35,8 @@
import org.wso2.carbon.identity.event.handler.AbstractEventHandler;
import org.wso2.carbon.identity.governance.IdentityGovernanceService;
import org.wso2.carbon.identity.governance.common.IdentityConnectorConfig;
import org.wso2.carbon.identity.password.expiry.listener.PasswordExpiryEventListener;
import org.wso2.carbon.identity.password.expiry.services.ExpiredPasswordIdentificationService;
import org.wso2.carbon.identity.password.expiry.services.impl.ExpiredPasswordIdentificationServiceImpl;
import org.wso2.carbon.user.core.listener.UserOperationEventListener;
import org.wso2.carbon.user.core.service.RealmService;
import org.wso2.carbon.identity.role.v2.mgt.core.RoleManagementService;

Expand All @@ -58,10 +56,6 @@ public class EnforcePasswordResetComponent {
protected void activate(ComponentContext context) {

try {
// Register the listener to capture user operations.
PasswordExpiryEventListener listener = new PasswordExpiryEventListener();
context.getBundleContext().registerService(UserOperationEventListener.class, listener, null);

EnforcePasswordResetAuthenticationHandler enforcePasswordResetAuthenticationHandler =
new EnforcePasswordResetAuthenticationHandler();
BundleContext bundleContext = context.getBundleContext();

This file was deleted.

Expand Up @@ -48,13 +48,11 @@
import org.wso2.carbon.user.core.util.UserCoreUtil;
import org.wso2.carbon.utils.multitenancy.MultitenantConstants;
import org.wso2.carbon.user.core.common.Group;
import org.wso2.carbon.identity.password.expiry.exceptions.ExpiredPasswordIdentificationException;

import java.util.ArrayList;
import java.util.EnumMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;

Expand Down Expand Up @@ -161,8 +159,6 @@ public static boolean isPasswordExpired(String tenantDomain, String tenantAwareU
throws PostAuthenticationFailedException {

try {
if (!isPasswordExpiryEnabled(tenantDomain)) return false;

UserRealm userRealm = getUserRealm(tenantDomain);
UserStoreManager userStoreManager = getUserStoreManager(userRealm);
String userId = ((AbstractUserStoreManager) userStoreManager).getUserIDFromUserName(tenantAwareUsername);
Expand All @@ -180,8 +176,11 @@ public static boolean isPasswordExpired(String tenantDomain, String tenantAwareU
skipIfNoApplicableRules);
}

List<PasswordExpiryRule> filteredRules =
filterApplicableExpiryRules(passwordExpiryRules, skipIfNoApplicableRules);
// If the default behavior is to skip the password expiry, rules with skip logic are not necessary.
List<PasswordExpiryRule> filteredRules = passwordExpiryRules.stream()
.filter(rule -> !skipIfNoApplicableRules ||
!PasswordExpiryRuleOperatorEnum.NE.equals(rule.getOperator()))
.collect(Collectors.toList());

Map<PasswordExpiryRuleAttributeEnum, Set<String>> fetchedUserAttributes =
new EnumMap<>(PasswordExpiryRuleAttributeEnum.class);
Expand All @@ -194,7 +193,7 @@ public static boolean isPasswordExpired(String tenantDomain, String tenantAwareU
}
int expiryDays =
rule.getExpiryDays() > 0 ? rule.getExpiryDays() : getPasswordExpiryInDays(tenantDomain);
return daysDifference >= expiryDays || StringUtils.isBlank(lastPasswordUpdatedTime);
return daysDifference >= expiryDays || lastPasswordUpdatedTime == null;
}
}
// Apply default password expiry policy if no specific rule applies.
Expand Down Expand Up @@ -293,137 +292,7 @@ private static boolean isPasswordExpiredUnderDefaultPolicy(String tenantDomain,
throws PostAuthenticationFailedException {

if (skipIfNoApplicableRules) return false;
return StringUtils.isBlank(lastPasswordUpdatedTime) || daysDifference >= getPasswordExpiryInDays(tenantDomain);
}

/**
* This method returns password expiry time for the given user.
*
* @param tenantDomain The tenant domain.
* @param tenantAwareUsername The tenant aware username.
* @return Optional containing the password expiry time in milliseconds, or empty if not applicable.
* @throws ExpiredPasswordIdentificationException If an error occurred while getting the password expiry time.
*/
public static Optional<Long> getUserPasswordExpiryTime(String tenantDomain, String tenantAwareUsername)
throws ExpiredPasswordIdentificationException {

return getUserPasswordExpiryTime(tenantDomain, tenantAwareUsername, null,
null, null, null);
}

/**
* This method returns password expiry time for the given user.
*
* @param tenantDomain The tenant domain.
* @param tenantAwareUsername The tenant aware username.
* @param isPasswordExpiryEnabled Whether password expiry is enabled.
* @param isSkipIfNoApplicableRulesEnabled Whether skip if no applicable rules config is enabled.
* @param passwordExpiryRules Password expiry rules.
* @param defaultPasswordExpiryInDays Default password expiry in days.
* @return Optional containing the password expiry time in milliseconds, or empty if not applicable.
* @throws ExpiredPasswordIdentificationException If an error occurred while getting the password expiry time.
*/
public static Optional<Long> getUserPasswordExpiryTime(String tenantDomain,
String tenantAwareUsername,
Boolean isPasswordExpiryEnabled,
Boolean isSkipIfNoApplicableRulesEnabled,
List<PasswordExpiryRule> passwordExpiryRules,
Integer defaultPasswordExpiryInDays)
throws ExpiredPasswordIdentificationException {

try {
if (isPasswordExpiryEnabled == null) {
isPasswordExpiryEnabled = isPasswordExpiryEnabled(tenantDomain);
}
// If the password expiry is not enabled, password expiry time is not applicable.
if (!isPasswordExpiryEnabled) return Optional.empty();

if (isSkipIfNoApplicableRulesEnabled == null) {
isSkipIfNoApplicableRulesEnabled = isSkipIfNoApplicableRulesEnabled(tenantDomain);
}
if (defaultPasswordExpiryInDays == null) {
defaultPasswordExpiryInDays = getPasswordExpiryInDays(tenantDomain);
}
if (passwordExpiryRules == null) {
passwordExpiryRules = getPasswordExpiryRules(tenantDomain);
}

UserRealm userRealm = getUserRealm(tenantDomain);
UserStoreManager userStoreManager = getUserStoreManager(userRealm);
String userId = ((AbstractUserStoreManager) userStoreManager).getUserIDFromUserName(tenantAwareUsername);
String lastPasswordUpdatedTime =
getLastPasswordUpdatedTime(tenantAwareUsername, userStoreManager, userRealm);

long lastPasswordUpdatedTimeInMillis = 0L;
boolean isLastPasswordUpdatedTimeBlank = StringUtils.isBlank(lastPasswordUpdatedTime);
if (!isLastPasswordUpdatedTimeBlank) {
lastPasswordUpdatedTimeInMillis = getLastPasswordUpdatedTimeInMillis(lastPasswordUpdatedTime);
}

// If no rules are defined, use the default expiry time if "skipIfNoApplicableRules" is disabled.
if (CollectionUtils.isEmpty(passwordExpiryRules)) {
if (isSkipIfNoApplicableRulesEnabled) return Optional.empty();
// If lastPasswordUpdatedTime is blank, set expiry time to now.
if (isLastPasswordUpdatedTimeBlank) {
return Optional.of(System.currentTimeMillis());
}
return Optional.of(
lastPasswordUpdatedTimeInMillis + getDaysTimeInMillis(defaultPasswordExpiryInDays));
}

Map<PasswordExpiryRuleAttributeEnum, Set<String>> userAttributes =
new EnumMap<>(PasswordExpiryRuleAttributeEnum.class);

List<PasswordExpiryRule> filteredRules =
filterApplicableExpiryRules(passwordExpiryRules, isSkipIfNoApplicableRulesEnabled);
for (PasswordExpiryRule rule : filteredRules) {
if (isRuleApplicable(rule, userAttributes, tenantDomain, userId, userStoreManager)) {
// Skip the rule if the operator is not equals.
if (PasswordExpiryRuleOperatorEnum.NE.equals(rule.getOperator())) {
return Optional.empty();
}
if (isLastPasswordUpdatedTimeBlank) {
return Optional.of(System.currentTimeMillis());
}
int expiryDays =
rule.getExpiryDays() > 0 ? rule.getExpiryDays() : getPasswordExpiryInDays(tenantDomain);
return Optional.of(lastPasswordUpdatedTimeInMillis + getDaysTimeInMillis(expiryDays));
}
}

if (isSkipIfNoApplicableRulesEnabled) return Optional.empty();
if (isLastPasswordUpdatedTimeBlank) {
return Optional.of(System.currentTimeMillis());
}
return Optional.of(
lastPasswordUpdatedTimeInMillis + getDaysTimeInMillis(defaultPasswordExpiryInDays));
} catch (UserStoreException | PostAuthenticationFailedException e) {
throw new ExpiredPasswordIdentificationException(PasswordPolicyConstants.ErrorMessages.
ERROR_WHILE_GETTING_USER_STORE_DOMAIN.getCode(),
PasswordPolicyConstants.ErrorMessages.ERROR_WHILE_GETTING_USER_STORE_DOMAIN.getMessage());
}
}

private static List<PasswordExpiryRule> filterApplicableExpiryRules(List<PasswordExpiryRule> passwordExpiryRules,
boolean skipIfNoApplicableRules) {

if (!skipIfNoApplicableRules) {
return passwordExpiryRules;
}
// If the default behavior is to skip the password expiry, rules with skip logic are not required.
return passwordExpiryRules.stream().filter(
rule -> !PasswordExpiryRuleOperatorEnum.NE.equals(rule.getOperator())).collect(Collectors.toList());
}

/**
* This method returns the time in milliseconds for the given number of days.
*
* @param days The number of days.
* @return The time in milliseconds.
*/
private static long getDaysTimeInMillis(int days) {

return (long) days * 24 * 60 * 60 * 1000;
return lastPasswordUpdatedTime == null || daysDifference >= getPasswordExpiryInDays(tenantDomain);
}

/**
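Review bot: The new side of `isPasswordExpired` at `return daysDifference >= expiryDays || lastPasswordUpdatedTime == null;` and of `isPasswordExpiredUnderDefaultPolicy` at `return lastPasswordUpdatedTime == null || daysDifference >= getPasswordExpiryInDays(tenantDomain);` treats only a null last-update timestamp as "never updated", whereas the removed lines used `StringUtils.isBlank(lastPasswordUpdatedTime)`; an empty or whitespace claim value now falls through to the `daysDifference` comparison, and whether that fails open or closed depends on how `daysDifference` is derived from a blank value outside these hunks. That null-to-blank hardening looks independent of the passwordExpiryTime claim feature this PR reverts, so consider keeping `StringUtils.isBlank(lastPasswordUpdatedTime)` in both places. The dropped `if (!isPasswordExpiryEnabled(tenantDomain)) return false;` guard at the top of `isPasswordExpired` is in the same position: unless every caller checks the connector config itself (the callers are not on this page), expiry is now evaluated even when the feature is disabled. Both enclosing methods start and end outside their hunks.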