fix: check password complexity policy and respect changeRequired on password change (#7884)

* fix: check password complexity policy on password change and respect require_change

* pass changeRequired where available and add tests

* fix requested changes

---------

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
Livio Spring
2024-05-02 11:50:13 +02:00
committed by GitHub
parent 8cc12e869a
commit 43da9225be
11 changed files with 509 additions and 199 deletions


@@ -2014,8 +2014,8 @@ func TestCommandSide_ChangeUserHuman(t *testing.T) {
orgID: "org1",
human: &ChangeHuman{
Password: &Password{
Password: gu.Ptr("password2"),
OldPassword: gu.Ptr("password"),
Password: "password2",
OldPassword: "password",
ChangeRequired: true,
},
},
@@ -2061,8 +2061,8 @@ func TestCommandSide_ChangeUserHuman(t *testing.T) {
orgID: "org1",
human: &ChangeHuman{
Password: &Password{
Password: gu.Ptr("password2"),
OldPassword: gu.Ptr("password"),
Password: "password2",
OldPassword: "password",
ChangeRequired: true,
},
},
@@ -2085,7 +2085,7 @@ func TestCommandSide_ChangeUserHuman(t *testing.T) {
orgID: "org1",
human: &ChangeHuman{
Password: &Password{
OldPassword: gu.Ptr("password"),
OldPassword: "password",
ChangeRequired: true,
},
},
@@ -2119,7 +2119,7 @@ func TestCommandSide_ChangeUserHuman(t *testing.T) {
orgID: "org1",
human: &ChangeHuman{
Password: &Password{
Password: gu.Ptr("password2"),
Password: "password2",
ChangeRequired: true,
},
},
@@ -2173,7 +2173,7 @@ func TestCommandSide_ChangeUserHuman(t *testing.T) {
orgID: "org1",
human: &ChangeHuman{
Password: &Password{
Password: gu.Ptr("password2"),
Password: "password2",
ChangeRequired: true,
},
},
@@ -2229,8 +2229,8 @@ func TestCommandSide_ChangeUserHuman(t *testing.T) {
orgID: "org1",
human: &ChangeHuman{
Password: &Password{
Password: gu.Ptr("password2"),
OldPassword: gu.Ptr("password"),
Password: "password2",
OldPassword: "password",
ChangeRequired: true,
},
},
@@ -2266,8 +2266,8 @@ func TestCommandSide_ChangeUserHuman(t *testing.T) {
orgID: "org1",
human: &ChangeHuman{
Password: &Password{
Password: gu.Ptr("password2"),
OldPassword: gu.Ptr("wrong"),
Password: "password2",
OldPassword: "wrong",
ChangeRequired: true,
},
},
@@ -2336,8 +2336,8 @@ func TestCommandSide_ChangeUserHuman(t *testing.T) {
orgID: "org1",
human: &ChangeHuman{
Password: &Password{
Password: gu.Ptr("password2"),
PasswordCode: gu.Ptr("code"),
Password: "password2",
PasswordCode: "code",
ChangeRequired: true,
},
},
@@ -2389,8 +2389,8 @@ func TestCommandSide_ChangeUserHuman(t *testing.T) {
orgID: "org1",
human: &ChangeHuman{
Password: &Password{
Password: gu.Ptr("password2"),
PasswordCode: gu.Ptr("wrong"),
Password: "password2",
PasswordCode: "wrong",
ChangeRequired: true,
},
},
@@ -2403,7 +2403,7 @@ func TestCommandSide_ChangeUserHuman(t *testing.T) {
},
},
{
name: "change human password encoded, password code, ok",
name: "change human password, password code, not matching policy",
fields: fields{
eventstore: expectEventstore(
expectFilter(
@@ -2436,9 +2436,58 @@ func TestCommandSide_ChangeUserHuman(t *testing.T) {
org.NewPasswordComplexityPolicyAddedEvent(context.Background(),
&user.NewAggregate("user1", "org1").Aggregate,
1,
false,
false,
false,
true,
true,
true,
true,
),
),
),
),
checkPermission: newMockPermissionCheckAllowed(),
userPasswordHasher: mockPasswordHasher("x"),
},
args: args{
ctx: context.Background(),
orgID: "org1",
human: &ChangeHuman{
Password: &Password{
Password: "password2",
PasswordCode: "code",
ChangeRequired: true,
},
},
codeAlg: crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
},
res: res{
err: zerrors.IsErrorInvalidArgument,
},
},
{
name: "change human password encoded, password code, ok",
fields: fields{
eventstore: expectEventstore(
expectFilter(
eventFromEventPusher(
newAddHumanEvent("$plain$x$password", true, true, "", language.English),
),
eventFromEventPusher(
user.NewHumanInitializedCheckSucceededEvent(context.Background(),
&userAgg.Aggregate,
),
),
eventFromEventPusherWithCreationDateNow(
user.NewHumanPasswordCodeAddedEventV2(context.Background(),
&userAgg.Aggregate,
&crypto.CryptoValue{
CryptoType: crypto.TypeEncryption,
Algorithm: "enc",
KeyID: "id",
Crypted: []byte("code"),
},
time.Hour*1,
domain.NotificationTypeEmail,
"",
false,
),
),
@@ -2460,8 +2509,8 @@ func TestCommandSide_ChangeUserHuman(t *testing.T) {
orgID: "org1",
human: &ChangeHuman{
Password: &Password{
EncodedPasswordHash: gu.Ptr("$plain$x$password2"),
PasswordCode: gu.Ptr("code"),
EncodedPasswordHash: "$plain$x$password2",
PasswordCode: "code",
ChangeRequired: true,
},
},
@@ -2533,9 +2582,9 @@ func TestCommandSide_ChangeUserHuman(t *testing.T) {
orgID: "org1",
human: &ChangeHuman{
Password: &Password{
Password: gu.Ptr("passwordnotused"),
EncodedPasswordHash: gu.Ptr("$plain$x$password2"),
PasswordCode: gu.Ptr("code"),
Password: "passwordnotused",
EncodedPasswordHash: "$plain$x$password2",
PasswordCode: "code",
ChangeRequired: true,
},
},
@@ -2557,6 +2606,7 @@ func TestCommandSide_ChangeUserHuman(t *testing.T) {
userPasswordHasher: tt.fields.userPasswordHasher,
newEncryptedCode: tt.fields.newCode,
checkPermission: tt.fields.checkPermission,
userEncryption: tt.args.codeAlg,
}
err := r.ChangeUserHuman(tt.args.ctx, tt.args.human, tt.args.codeAlg)
if tt.res.err == nil {