Only Reset Password code data should deserialize to PasswordChange

mbhave · mbhave · commit 66132926f1ba · 2016-05-02T17:04:17.000-07:00
Signed-off-by: Madhura Bhave &lt;mbhave@pivotal.io&gt;
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/account/UaaResetPasswordService.java b/server/src/main/java/org/cloudfoundry/identity/uaa/account/UaaResetPasswordService.java
@@ -79,20 +79,22 @@ private ResetPasswordResponse changePasswordCodeAuthenticated(String code, Strin
             throw new InvalidCodeException("invalid_code", "Sorry, your reset password link is no longer valid. Please request a new one", 422);
         }
         String userId;
-        String userName = null;
-        Date passwordLastModified = null;
-        String clientId = null;
-        String redirectUri = null;
+        String userName;
+        Date passwordLastModified;
+        String clientId;
+        String redirectUri;
+        PasswordChange change;
         try {
-            PasswordChange change = JsonUtils.readValue(expiringCode.getData(), PasswordChange.class);
-            userId = change.getUserId();
-            userName = change.getUsername();
-            passwordLastModified = change.getPasswordModifiedTime();
-            clientId = change.getClientId();
-            redirectUri = change.getRedirectUri();
+            change = JsonUtils.readValue(expiringCode.getData(), PasswordChange.class);
         } catch (JsonUtils.JsonUtilException x) {
-            userId = expiringCode.getData();
+            throw new InvalidCodeException("invalid_code", "Sorry, your reset password link is no longer valid. Please request a new one", 422);
         }
+        userId = change.getUserId();
+        userName = change.getUsername();
+        passwordLastModified = change.getPasswordModifiedTime();
+        clientId = change.getClientId();
+        redirectUri = change.getRedirectUri();
+
         ScimUser user = scimUserProvisioning.retrieve(userId);
         try {
             if (isUserModified(user, expiringCode.getExpiresAt(), userName, passwordLastModified)) {
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/scim/endpoints/PasswordChange.java b/server/src/main/java/org/cloudfoundry/identity/uaa/scim/endpoints/PasswordChange.java
@@ -1,11 +1,9 @@
 package org.cloudfoundry.identity.uaa.scim.endpoints;
 
-import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 
 import java.util.Date;
 
-@JsonIgnoreProperties(ignoreUnknown = true)
 public class PasswordChange {
     public PasswordChange() {}
 
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/login/UaaResetPasswordServiceTests.java b/server/src/test/java/org/cloudfoundry/identity/uaa/login/UaaResetPasswordServiceTests.java
@@ -121,7 +121,7 @@ public void forgotPassword_PublishesResetPasswordRequestEvent() throws Exception
         ArgumentCaptor<ResetPasswordRequestEvent> captor = ArgumentCaptor.forClass(ResetPasswordRequestEvent.class);
         verify(publisher).publishEvent(captor.capture());
         ResetPasswordRequestEvent event = captor.getValue();
-        assertThat((String) event.getSource(), equalTo("user@example.com"));
+        assertThat(event.getSource(), equalTo("user@example.com"));
         assertThat(event.getCode(), equalTo("code"));
         assertThat(event.getAuthentication(), sameInstance(authentication));
     }
@@ -185,7 +185,7 @@ public void resetPassword_InvalidPasswordException_NewPasswordSameAsOld() {
         user.setMeta(new ScimMeta(new Date(), new Date(), 0));
         user.setPrimaryEmail("foo@example.com");
         ExpiringCode expiringCode = new ExpiringCode("good_code",
-            new Timestamp(System.currentTimeMillis() + UaaResetPasswordService.PASSWORD_RESET_LIFETIME), "user-id", null);
+            new Timestamp(System.currentTimeMillis() + UaaResetPasswordService.PASSWORD_RESET_LIFETIME), "{\"user_id\":\"user-id\",\"username\":\"username\",\"passwordModifiedTime\":null,\"client_id\":\"\",\"redirect_uri\":\"\"}", null);
         when(codeStore.retrieveCode("good_code")).thenReturn(expiringCode);
         when(scimUserProvisioning.retrieve("user-id")).thenReturn(user);
         when(scimUserProvisioning.checkPasswordMatches("user-id", "Passwo3dAsOld"))
@@ -202,6 +202,22 @@ public void resetPassword_InvalidPasswordException_NewPasswordSameAsOld() {
         }
     }
 
+    @Test
+    public void resetPassword_InvalidCodeData() {
+        ExpiringCode expiringCode = new ExpiringCode("good_code",
+                new Timestamp(System.currentTimeMillis() + UaaResetPasswordService.PASSWORD_RESET_LIFETIME), "user-id", null);
+        when(codeStore.retrieveCode("good_code")).thenReturn(expiringCode);
+        SecurityContext securityContext = mock(SecurityContext.class);
+        when(securityContext.getAuthentication()).thenReturn(new MockAuthentication());
+        SecurityContextHolder.setContext(securityContext);
+        try {
+            emailResetPasswordService.resetPassword("good_code", "password");
+            fail();
+        } catch (InvalidCodeException e) {
+            assertEquals("Sorry, your reset password link is no longer valid. Please request a new one", e.getMessage());
+        }
+    }
+
     @Test
     public void resetPassword_WithInvalidClientId() {
         setupResetPassword("invalid_client", "redirect.example.com");
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/scim/endpoints/PasswordResetEndpointTest.java b/server/src/test/java/org/cloudfoundry/identity/uaa/scim/endpoints/PasswordResetEndpointTest.java
@@ -237,7 +237,8 @@ public void testCreatingAPasswordResetWithAUsernameContainingSpecialCharacters()
     @Test
     public void testChangingAPasswordWithAValidCode() throws Exception {
         when(expiringCodeStore.retrieveCode("secret_code"))
-                .thenReturn(new ExpiringCode("secret_code", new Timestamp(System.currentTimeMillis() + UaaResetPasswordService.PASSWORD_RESET_LIFETIME), "eyedee", null));
+                .thenReturn(new ExpiringCode("secret_code", new Timestamp(System.currentTimeMillis() + UaaResetPasswordService.PASSWORD_RESET_LIFETIME),
+                        "{\"user_id\":\"eyedee\",\"username\":\"user@example.com\",\"passwordModifiedTime\":null,\"client_id\":\"\",\"redirect_uri\":\"\"}", null));
 
         ScimUser scimUser = new ScimUser("eyedee", "user@example.com", "User", "Man");
         scimUser.setMeta(new ScimMeta(new Date(System.currentTimeMillis() - (1000 * 60 * 60 * 24)), new Date(System.currentTimeMillis() - (1000 * 60 * 60 * 24)), 0));
@@ -281,7 +282,9 @@ public void changing_password_with_invalid_code() throws Exception {
     @Test
     public void testChangingAPasswordForUnverifiedUser() throws Exception {
         when(expiringCodeStore.retrieveCode("secret_code"))
-            .thenReturn(new ExpiringCode("secret_code", new Timestamp(System.currentTimeMillis() + UaaResetPasswordService.PASSWORD_RESET_LIFETIME), "eyedee", null));
+            .thenReturn(new ExpiringCode("secret_code", new Timestamp(System.currentTimeMillis() + UaaResetPasswordService.PASSWORD_RESET_LIFETIME),
+                    "{\"user_id\":\"eyedee\",\"username\":\"user@example.com\",\"passwordModifiedTime\":null,\"client_id\":\"\",\"redirect_uri\":\"\"}",
+                    null));
 
         ScimUser scimUser = new ScimUser("eyedee", "user@example.com", "User", "Man");
         scimUser.setMeta(new ScimMeta(new Date(System.currentTimeMillis() - (1000 * 60 * 60 * 24)), new Date(System.currentTimeMillis() - (1000 * 60 * 60 * 24)), 0));
@@ -338,7 +341,9 @@ public void changePassword_Returns422UnprocessableEntity_NewPasswordSameAsOld()
         Mockito.reset(passwordValidator);
 
         when(expiringCodeStore.retrieveCode("emailed_code"))
-            .thenReturn(new ExpiringCode("emailed_code", new Timestamp(System.currentTimeMillis()+ UaaResetPasswordService.PASSWORD_RESET_LIFETIME), "eyedee", null));
+            .thenReturn(new ExpiringCode("emailed_code", new Timestamp(System.currentTimeMillis()+ UaaResetPasswordService.PASSWORD_RESET_LIFETIME),
+                    "{\"user_id\":\"eyedee\",\"username\":\"user@example.com\",\"passwordModifiedTime\":null,\"client_id\":\"\",\"redirect_uri\":\"\"}",
+                    null));
 
         ScimUser scimUser = new ScimUser("eyedee", "user@example.com", "User", "Man");
         scimUser.setMeta(new ScimMeta(new Date(System.currentTimeMillis()-(1000*60*60*24)), new Date(System.currentTimeMillis()-(1000*60*60*24)), 0));
diff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/login/ResetPasswordControllerMockMvcTests.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/login/ResetPasswordControllerMockMvcTests.java
@@ -239,7 +239,8 @@ public void testResettingAPasswordUsingTimestampForUserModification() throws Exc
         List<ScimUser> users = getWebApplicationContext().getBean(ScimUserProvisioning.class).query("username eq \"marissa\"");
         assertNotNull(users);
         assertEquals(1, users.size());
-        ExpiringCode code = codeStore.generateCode(users.get(0).getId(), new Timestamp(System.currentTimeMillis()+ UaaResetPasswordService.PASSWORD_RESET_LIFETIME), null);
+        PasswordChange passwordChange = new PasswordChange(users.get(0).getId(), users.get(0).getUserName(), null, null, null);
+        ExpiringCode code = codeStore.generateCode(JsonUtils.writeValueAsString(passwordChange), new Timestamp(System.currentTimeMillis()+ UaaResetPasswordService.PASSWORD_RESET_LIFETIME), null);
 
         MockHttpServletRequestBuilder post = createChangePasswordRequest(users.get(0), code,
             true, "newpassw0rD", "newpassw0rD");
@@ -266,11 +267,11 @@ public void resetPassword_ReturnsUnprocessableEntity_NewPasswordSameAsOld() thro
         assertNotNull(users);
         assertEquals(1, users.size());
         ScimUser user = users.get(0);
-
-        ExpiringCode code = codeStore.generateCode(user.getId(), new Timestamp(System.currentTimeMillis() + UaaResetPasswordService.PASSWORD_RESET_LIFETIME), null);
+        PasswordChange passwordChange = new PasswordChange(user.getId(), user.getUserName(), null, null, null);
+        ExpiringCode code = codeStore.generateCode(JsonUtils.writeValueAsString(passwordChange), new Timestamp(System.currentTimeMillis() + UaaResetPasswordService.PASSWORD_RESET_LIFETIME), null);
         getMockMvc().perform(createChangePasswordRequest(user, code, true, "d3faultPasswd", "d3faultPasswd"));
 
-        code = codeStore.generateCode(user.getId(), new Timestamp(System.currentTimeMillis() + UaaResetPasswordService.PASSWORD_RESET_LIFETIME), null);
+        code = codeStore.generateCode(JsonUtils.writeValueAsString(passwordChange), new Timestamp(System.currentTimeMillis() + UaaResetPasswordService.PASSWORD_RESET_LIFETIME), null);
         getMockMvc().perform(createChangePasswordRequest(user, code, true, "d3faultPasswd", "d3faultPasswd"))
             .andExpect(status().isUnprocessableEntity())
             .andExpect(view().name("forgot_password"))
