Task #609
closed
Password 'validTill' is not set on identity creation
100%
Description
The title speaks for itself.
Only password reset updates the value of IdmPassword#validTill.
Updated by Jan Helbich almost 7 years ago
On identity creation, passwords must inherit maximal expiration date from standard IdM policy for password generation.
If there are multiple policies, lexicographically first will be chosen (other ideas welcome).
Updated by Jan Helbich almost 7 years ago
- Status changed from In Progress to Needs feedback
- Assignee changed from Jan Helbich to Radek Tomiška
Fixed in branch jhelbich/passwd-validtill-609, Vitek / Radek, can you do code review, please?
While reading through the source of IdM's password policy implementation, I suggest we rewrite the fields of IdmPasswordPolicy entity from primitives to objects. That would make a new task, though.
Updated by Radek Tomiška almost 7 years ago
- Status changed from Needs feedback to In Progress
- Assignee changed from Radek Tomiška to Jan Helbich
- % Done changed from 0 to 90
I did test and review, works smoothly when identity is created, thx.
I am not sure about the place, where password age is set now. See IdentityPasswordValidateProcessor from core and acc module. This is really confusing. Acc IdentityPasswordValidateProcessor sets password age into PasswordChangeDto (but form validate policy) and DefaultIdmPasswordService.save method works with this bellow your code. But i think you chosed better place to do it - this will work every time. I'll talk about it with Onřej later.
We need to set max password age, when password is changed too.
Code looks nice, i found just some minors:
- comparator could be used to prevent the second search (https://github.com/bcvsolutions/CzechIdMng/blob/develop/Realization/backend/core/core-impl/src/main/java/eu/bcvsolutions/idm/core/model/service/impl/DefaultIdmIdentityContractService.java#L300)
- abbreviation is used in findPasswordCreationPolicy method
- integration tests are nice. TestHelper could be used for preparing test identities (maybe method for password policy could be added to testHelper too)
I agree with you - IdmPasswordPolicy entity should use objects, now even optional fields have value, i overlooked it in review :/ I think about backward compatibility issues, if we change it.
Updated by Ondřej Kopr almost 7 years ago
- Assignee changed from Jan Helbich to Ondřej Kopr
Updated by Ondřej Kopr almost 7 years ago
- Status changed from In Progress to Needs feedback
- Assignee changed from Ondřej Kopr to Radek Tomiška
I just add few changes for HH fix:
- HH logic's for fill valid till attribute moved to procesor for persist password - IdentityPasswordProcessor,
- change password policy for get valid till from type generate to validate,
- remove redundant code for get valid till, now exists only one place for fill valid till: method savePassword in IdentityPasswordProcessor in core module,
- update documentation https://wiki.czechidm.com/7.3/dev/security/password-policies#standard_policy_for_validation,
- change FE: password policy detail basic + advanced,
- in FE component TextField add except for zero,
- transform all int to Integer in IdmPasswordPolicy -> solved many null pointer.
On all project is necessary to resave all password policies and remove zero values.
Commit (jhelbich branch): https://github.com/bcvsolutions/CzechIdMng/commit/8109cc059751d559ebb4b4e140bb89c0dc93d2e4
Please Radek could you make a review and try to change password for user?
Updated by Ondřej Kopr almost 7 years ago
I made a quick test of a public password change - it works.
Updated by Radek Tomiška almost 7 years ago
- Status changed from Needs feedback to Closed
- Assignee changed from Radek Tomiška to Ondřej Kopr
- % Done changed from 90 to 100
I did test and review, it looks nice and it works, thx!
I merged branch into develop.