UY-1150 fix for wrong credential reset code expiration maths, add tests

Author: golbi

engine-api/src/main/java/pl/edu/icm/unity/engine/api/authn/EntityWithCredential.java

@@ -14,6 +14,16 @@ public class EntityWithCredential
 	private String credentialValue;
 	private long entityId;
 
+	public EntityWithCredential()
+	{
+	}
+
+	public EntityWithCredential(String credentialName, String credentialValue, long entityId)
+	{
+		this.credentialName = credentialName;
+		this.credentialValue = credentialValue;
+		this.entityId = entityId;
+	}
 	public String getCredentialName()
 	{
 		return credentialName;

std-plugins/src/main/java/pl/edu/icm/unity/stdext/credential/CredentialResetBase.java

@@ -4,6 +4,8 @@
  */
 package pl.edu.icm.unity.stdext.credential;
 
+import java.time.Duration;
+import java.time.LocalDateTime;
 import java.util.HashMap;
 import java.util.Locale;
 import java.util.Map;
@@ -39,7 +41,8 @@ public abstract class CredentialResetBase implements CredentialReset
 	private static final Logger log = Log.getLogger(Log.U_SERVER_AUTHN, CredentialResetBase.class);
 	protected static final int MAX_ANSWER_ATTEMPTS = 2;
 	private static final int MAX_RESENDS = 3;
-	private static final long MAX_CODE_VALIDITY = 30*3600;
+	public static final Duration DEFAULT_MAX_CODE_VALIDITY = Duration.ofMinutes(30);
+	private Duration maxCodeValidity;
 
 	private NotificationProducer notificationProducer;
 	private IdentityResolver identityResolver;
@@ -52,7 +55,7 @@ public abstract class CredentialResetBase implements CredentialReset
 	private ObjectNode completeCredentialConfiguration;
 
 	private String codeSent;
-	private long codeValidityEnd;
+	private LocalDateTime codeValidityEnd;
 	private int dynamicAnswerAttempts = 0;
 	private int codeSendingAttempts = 0;
 	private AuthenticationSubject requestedSubject;
@@ -62,14 +65,16 @@ public CredentialResetBase(NotificationProducer notificationProducer,
 			LocalCredentialVerificator localVerificator,
 			CredentialHelper credentialHelper,
 			String credentialId, 
-			ObjectNode completeCredentialConfiguration)
+			ObjectNode completeCredentialConfiguration,
+			Duration maxCodeValidity)
 	{
 		this.notificationProducer = notificationProducer;
 		this.credentialHelper = credentialHelper;
 		this.identityResolver = identityResolver;
 		this.credentialId = credentialId;
 		this.localCredentialHandler = localVerificator;
 		this.completeCredentialConfiguration = completeCredentialConfiguration;
+		this.maxCodeValidity = maxCodeValidity;
 	}
 
 	public void setSubject(AuthenticationSubject subject, String[] idTypes)
@@ -135,7 +140,7 @@ private void createCode(boolean onlyNumberCode)
 		{
 			codeSent = CodeGenerator.generateNumberCode(codeLen);
 		}
-		codeValidityEnd = System.currentTimeMillis() + MAX_CODE_VALIDITY;
+		codeValidityEnd = LocalDateTime.now().plus(maxCodeValidity);
 	}
 
 	protected abstract int getCodeLength();
@@ -161,13 +166,18 @@ public void sendCode(String msgTemplate, boolean onlyNumberCode) throws EngineEx
 				msgTemplate, params, locale, username, true);
 	}
 
+	public String getSentCode()
+	{
+		return codeSent;
+	}
+	
 	@Override
 	public void verifyDynamicData(String answer) throws WrongArgumentException, TooManyAttempts
 	{
 		if (dynamicAnswerAttempts >= MAX_ANSWER_ATTEMPTS)
 			throw new TooManyAttempts();
 		dynamicAnswerAttempts++;
-		if (System.currentTimeMillis() > codeValidityEnd)
+		if (LocalDateTime.now().isAfter(codeValidityEnd))
 			throw new TooManyAttempts();
 		if (codeSent == null || !codeSent.equals(answer))
 			throw new WrongArgumentException("The code is invalid");

std-plugins/src/main/java/pl/edu/icm/unity/stdext/credential/pass/PasswordCredentialResetImpl.java

@@ -4,6 +4,7 @@
  */
 package pl.edu.icm.unity.stdext.credential.pass;
 
+import java.time.Duration;
 import java.util.List;
 
 import com.fasterxml.jackson.databind.node.ObjectNode;
@@ -38,13 +39,27 @@ public PasswordCredentialResetImpl(NotificationProducer notificationProducer,
 			CredentialHelper credentialHelper, String credentialId,
 			ObjectNode completeCredentialConfiguration,
 			PasswordCredentialResetSettings settings,
-			PasswordEngine passwordEngine)
+			PasswordEngine passwordEngine,
+			Duration maxCodeValidity)
 	{
 		super(notificationProducer, identityResolver, localVerificator, credentialHelper,
-				credentialId, completeCredentialConfiguration);
+				credentialId, completeCredentialConfiguration, maxCodeValidity);
 		this.settings = settings;
 		this.passwordEngine = passwordEngine;
 	}
+	
+	public PasswordCredentialResetImpl(NotificationProducer notificationProducer,
+			IdentityResolver identityResolver,
+			LocalCredentialVerificator localVerificator,
+			CredentialHelper credentialHelper, String credentialId,
+			ObjectNode completeCredentialConfiguration,
+			PasswordCredentialResetSettings settings,
+			PasswordEngine passwordEngine)
+	{
+		this(notificationProducer, identityResolver, localVerificator, credentialHelper, credentialId, 
+				completeCredentialConfiguration, settings, passwordEngine, 
+				CredentialResetBase.DEFAULT_MAX_CODE_VALIDITY);
+	}
 
 	@Override
 	protected String getCredentialSettings()

std-plugins/src/main/java/pl/edu/icm/unity/stdext/credential/sms/SMSCredentialResetImpl.java

@@ -4,6 +4,8 @@
  */
 package pl.edu.icm.unity.stdext.credential.sms;
 
+import java.time.Duration;
+
 import com.fasterxml.jackson.databind.node.ObjectNode;
 
 import pl.edu.icm.unity.Constants;
@@ -30,11 +32,26 @@ public SMSCredentialResetImpl(NotificationProducer notificationProducer,
 			CredentialHelper credentialHelper,
 			String credentialId, 
 			ObjectNode completeCredentialConfiguration,
-			SMSCredentialRecoverySettings settings)
+			SMSCredentialRecoverySettings settings,
+			Duration maxCodeValidity)
 	{
-		super(notificationProducer, identityResolver, localVerificator, credentialHelper, credentialId, completeCredentialConfiguration);
+		super(notificationProducer, identityResolver, localVerificator, credentialHelper, credentialId, 
+				completeCredentialConfiguration, maxCodeValidity);
 		this.settings = settings;
 	}
+
+	public SMSCredentialResetImpl(NotificationProducer notificationProducer,
+			IdentityResolver identityResolver,
+			LocalCredentialVerificator localVerificator,
+			CredentialHelper credentialHelper,
+			String credentialId, 
+			ObjectNode completeCredentialConfiguration,
+			SMSCredentialRecoverySettings settings)
+	{
+		this(notificationProducer, identityResolver, localVerificator, credentialHelper, credentialId, 
+				completeCredentialConfiguration, settings, CredentialResetBase.DEFAULT_MAX_CODE_VALIDITY);
+	}
+
 
 	@Override
 	protected String getCredentialSettings()

std-plugins/src/test/java/pl/edu/icm/unity/stdext/credential/pass/PasswordCredentialResetImplTest.java

@@ -0,0 +1,115 @@
+/*
+ * Copyright (c) 2021 Bixbit - Krzysztof Benedyczak. All rights reserved.
+ * See LICENCE.txt file for licensing information.
+ */
+package pl.edu.icm.unity.stdext.credential.pass;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.catchThrowable;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import java.time.Duration;
+
+import org.junit.Test;
+
+import pl.edu.icm.unity.engine.api.authn.AuthenticationSubject;
+import pl.edu.icm.unity.engine.api.authn.EntityWithCredential;
+import pl.edu.icm.unity.engine.api.identity.IdentityResolver;
+import pl.edu.icm.unity.engine.api.notification.NotificationProducer;
+import pl.edu.icm.unity.exceptions.EngineException;
+import pl.edu.icm.unity.exceptions.IllegalGroupValueException;
+import pl.edu.icm.unity.exceptions.IllegalIdentityValueException;
+import pl.edu.icm.unity.exceptions.IllegalTypeException;
+import pl.edu.icm.unity.exceptions.TooManyAttempts;
+import pl.edu.icm.unity.exceptions.WrongArgumentException;
+
+public class PasswordCredentialResetImplTest
+{
+	private AuthenticationSubject subject = AuthenticationSubject.identityBased("identity");
+	private NotificationProducer notificationProducer;
+	private IdentityResolver identityResolver;
+
+	@Test
+	public void shouldAcceptCorrectCode() throws EngineException
+	{
+		initMocks();
+		PasswordCredentialResetImpl resetImpl = new PasswordCredentialResetImpl(notificationProducer, 
+				identityResolver, 
+				null, 
+				null, 
+				"credentialId", 
+				null, 
+				mock(PasswordCredentialResetSettings.class), 
+				null); 
+		resetImpl.setSubject(subject);
+		resetImpl.sendCode("msgTemplate", false);
+		
+		String sentCode = resetImpl.getSentCode();
+		assertThat(sentCode).isNotNull();
+		
+		resetImpl.verifyDynamicData(sentCode);
+	}
+	
+	@Test
+	public void shouldNotAcceptIncorrectCode() throws EngineException
+	{
+		initMocks();
+		PasswordCredentialResetImpl resetImpl = new PasswordCredentialResetImpl(notificationProducer, 
+				identityResolver, 
+				null, 
+				null, 
+				"credentialId", 
+				null, 
+				mock(PasswordCredentialResetSettings.class), 
+				null); 
+		resetImpl.setSubject(subject);
+		resetImpl.sendCode("msgTemplate", false);
+		
+		String sentCode = resetImpl.getSentCode();
+		assertThat(sentCode).isNotNull();
+		
+		Throwable error = catchThrowable(() -> resetImpl.verifyDynamicData(sentCode + "foo"));
+		
+		assertThat(error).isNotNull().isInstanceOf(WrongArgumentException.class);
+	}
+
+	@Test
+	public void shouldNotAcceptExpiredCode() throws EngineException, InterruptedException
+	{
+		initMocks();
+		PasswordCredentialResetImpl resetImpl = new PasswordCredentialResetImpl(notificationProducer, 
+				identityResolver, 
+				null, 
+				null, 
+				"credentialId", 
+				null, 
+				mock(PasswordCredentialResetSettings.class), 
+				null, 
+				Duration.ofMillis(10)); 
+		resetImpl.setSubject(subject);
+		resetImpl.sendCode("msgTemplate", false);
+		
+		String sentCode = resetImpl.getSentCode();
+		assertThat(sentCode).isNotNull();
+		
+		Thread.sleep(11);
+		
+		Throwable error = catchThrowable(() -> resetImpl.verifyDynamicData(sentCode));
+		
+		assertThat(error).isNotNull().isInstanceOf(TooManyAttempts.class);
+	}
+
+	private void initMocks() throws IllegalIdentityValueException, IllegalTypeException, IllegalGroupValueException,
+			EngineException
+	{
+		notificationProducer = mock(NotificationProducer.class);
+		identityResolver = mock(IdentityResolver.class);
+		when(identityResolver.resolveSubject(eq(subject), any(), eq("credentialId"))).thenReturn(
+				new EntityWithCredential("credentialId", "credVal", 123));
+	}
+
+}
+