001    /**
002     * Copyright (c) 2000-2013 Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.security.pwd;
016    
017    import com.liferay.portal.UserPasswordException;
018    import com.liferay.portal.kernel.exception.PortalException;
019    import com.liferay.portal.kernel.exception.SystemException;
020    import com.liferay.portal.kernel.util.ArrayUtil;
021    import com.liferay.portal.kernel.util.Randomizer;
022    import com.liferay.portal.kernel.util.StringBundler;
023    import com.liferay.portal.kernel.util.Validator;
024    import com.liferay.portal.model.PasswordPolicy;
025    import com.liferay.portal.model.User;
026    import com.liferay.portal.service.PasswordTrackerLocalServiceUtil;
027    import com.liferay.portal.service.UserLocalServiceUtil;
028    import com.liferay.portal.util.PropsValues;
029    import com.liferay.portal.words.WordsUtil;
030    import com.liferay.util.PwdGenerator;
031    
032    import java.util.Arrays;
033    import java.util.Date;
034    
035    /**
036     * @author Scott Lee
037     * @author Mika Koivisto
038     */
039    public class PasswordPolicyToolkit extends BasicToolkit {
040    
041            public PasswordPolicyToolkit() {
042                    _lowerCaseCharsetArray = getSortedCharArray(
043                            PropsValues.PASSWORDS_PASSWORDPOLICYTOOLKIT_CHARSET_LOWERCASE);
044                    _numbersCharsetArray = getSortedCharArray(
045                            PropsValues.PASSWORDS_PASSWORDPOLICYTOOLKIT_CHARSET_NUMBERS);
046                    _symbolsCharsetArray = getSortedCharArray(
047                            PropsValues.PASSWORDS_PASSWORDPOLICYTOOLKIT_CHARSET_SYMBOLS);
048                    _upperCaseCharsetArray = getSortedCharArray(
049                            PropsValues.PASSWORDS_PASSWORDPOLICYTOOLKIT_CHARSET_UPPERCASE);
050    
051                    _alphanumericCharsetArray = ArrayUtil.append(
052                            _lowerCaseCharsetArray, _upperCaseCharsetArray,
053                            _numbersCharsetArray);
054    
055                    Arrays.sort(_alphanumericCharsetArray);
056    
057                    StringBundler sb = new StringBundler(4);
058    
059                    sb.append(
060                            PropsValues.PASSWORDS_PASSWORDPOLICYTOOLKIT_CHARSET_LOWERCASE);
061                    sb.append(PropsValues.PASSWORDS_PASSWORDPOLICYTOOLKIT_CHARSET_NUMBERS);
062                    sb.append(PropsValues.PASSWORDS_PASSWORDPOLICYTOOLKIT_CHARSET_SYMBOLS);
063                    sb.append(
064                            PropsValues.PASSWORDS_PASSWORDPOLICYTOOLKIT_CHARSET_UPPERCASE);
065    
066                    _completeCharset = sb.toString();
067            }
068    
069            @Override
070            public String generate(PasswordPolicy passwordPolicy) {
071                    if (PropsValues.PASSWORDS_PASSWORDPOLICYTOOLKIT_GENERATOR.equals(
072                                    "static")) {
073    
074                            return generateStatic(passwordPolicy);
075                    }
076                    else {
077                            return generateDynamic(passwordPolicy);
078                    }
079            }
080    
081            @Override
082            public void validate(
083                            long userId, String password1, String password2,
084                            PasswordPolicy passwordPolicy)
085                    throws PortalException, SystemException {
086    
087                    if (passwordPolicy.isCheckSyntax()) {
088                            if (!passwordPolicy.isAllowDictionaryWords() &&
089                                    WordsUtil.isDictionaryWord(password1)) {
090    
091                                    throw new UserPasswordException(
092                                            UserPasswordException.PASSWORD_CONTAINS_TRIVIAL_WORDS);
093                            }
094    
095                            if (password1.length() < passwordPolicy.getMinLength()) {
096                                    throw new UserPasswordException(
097                                            UserPasswordException.PASSWORD_LENGTH);
098                            }
099    
100                            if ((getUsageCount(password1, _alphanumericCharsetArray) <
101                                            passwordPolicy.getMinAlphanumeric()) ||
102                                    (getUsageCount(password1, _lowerCaseCharsetArray) <
103                                            passwordPolicy.getMinLowerCase()) ||
104                                    (getUsageCount(password1, _numbersCharsetArray) <
105                                            passwordPolicy.getMinNumbers()) ||
106                                    (getUsageCount(password1, _symbolsCharsetArray) <
107                                            passwordPolicy.getMinSymbols()) ||
108                                    (getUsageCount(password1, _upperCaseCharsetArray) <
109                                            passwordPolicy.getMinUpperCase())) {
110    
111                                    throw new UserPasswordException(
112                                            UserPasswordException.PASSWORD_TOO_TRIVIAL);
113                            }
114    
115                            if (Validator.isNotNull(passwordPolicy.getRegex()) &&
116                                    !password1.matches(passwordPolicy.getRegex())) {
117    
118                                    throw new UserPasswordException(
119                                            UserPasswordException.PASSWORD_INVALID);
120                            }
121                    }
122    
123                    if (!passwordPolicy.isChangeable()) {
124                            throw new UserPasswordException(
125                                    UserPasswordException.PASSWORD_NOT_CHANGEABLE);
126                    }
127    
128                    if (userId != 0) {
129                            User user = UserLocalServiceUtil.getUserById(userId);
130    
131                            Date passwordModfiedDate = user.getPasswordModifiedDate();
132    
133                            if (passwordModfiedDate != null) {
134    
135                                    // LEP-2961
136    
137                                    Date now = new Date();
138    
139                                    long passwordModificationElapsedTime =
140                                            now.getTime() - passwordModfiedDate.getTime();
141    
142                                    long userCreationElapsedTime =
143                                            now.getTime() - user.getCreateDate().getTime();
144    
145                                    long minAge = passwordPolicy.getMinAge() * 1000;
146    
147                                    if ((passwordModificationElapsedTime < minAge) &&
148                                            (userCreationElapsedTime > minAge)) {
149    
150                                            throw new UserPasswordException(
151                                                    UserPasswordException.PASSWORD_TOO_YOUNG);
152                                    }
153                            }
154    
155                            if (PasswordTrackerLocalServiceUtil.isSameAsCurrentPassword(
156                                            userId, password1)) {
157    
158                                    throw new UserPasswordException(
159                                            UserPasswordException.PASSWORD_SAME_AS_CURRENT);
160                            }
161                            else if (!PasswordTrackerLocalServiceUtil.isValidPassword(
162                                                    userId, password1)) {
163    
164                                    throw new UserPasswordException(
165                                            UserPasswordException.PASSWORD_ALREADY_USED);
166                            }
167                    }
168            }
169    
170            protected String generateDynamic(PasswordPolicy passwordPolicy) {
171                    int alphanumericMinLength = Math.max(
172                            passwordPolicy.getMinAlphanumeric(),
173                            passwordPolicy.getMinLowerCase() + passwordPolicy.getMinNumbers() +
174                                    passwordPolicy.getMinUpperCase());
175                    int passwordMinLength = Math.max(
176                            passwordPolicy.getMinLength(),
177                            alphanumericMinLength + passwordPolicy.getMinSymbols());
178    
179                    StringBundler sb = new StringBundler(passwordMinLength);
180    
181                    if (passwordPolicy.getMinLowerCase() > 0) {
182                            sb.append(
183                                    getRandomString(
184                                            passwordPolicy.getMinLowerCase(), _lowerCaseCharsetArray));
185                    }
186    
187                    if (passwordPolicy.getMinNumbers() > 0) {
188                            sb.append(
189                                    getRandomString(
190                                            passwordPolicy.getMinNumbers(), _numbersCharsetArray));
191                    }
192    
193                    if (passwordPolicy.getMinSymbols() > 0) {
194                            sb.append(
195                                    getRandomString(
196                                            passwordPolicy.getMinSymbols(), _symbolsCharsetArray));
197                    }
198    
199                    if (passwordPolicy.getMinUpperCase() > 0) {
200                            sb.append(
201                                    getRandomString(
202                                            passwordPolicy.getMinUpperCase(), _upperCaseCharsetArray));
203                    }
204    
205                    if (alphanumericMinLength > passwordPolicy.getMinAlphanumeric()) {
206                            int count =
207                                    alphanumericMinLength - passwordPolicy.getMinAlphanumeric();
208    
209                            sb.append(getRandomString(count, _alphanumericCharsetArray));
210                    }
211    
212                    if (passwordMinLength >
213                                    (alphanumericMinLength + passwordPolicy.getMinSymbols())) {
214    
215                            int count =
216                                    passwordMinLength -
217                                            (alphanumericMinLength + passwordPolicy.getMinSymbols());
218    
219                            sb.append(PwdGenerator.getSecurePassword(_completeCharset, count));
220                    }
221    
222                    Randomizer randomizer = Randomizer.getInstance();
223    
224                    return randomizer.randomize(sb.toString());
225            }
226    
227            protected String generateStatic(PasswordPolicy passwordPolicy) {
228                    return PropsValues.PASSWORDS_PASSWORDPOLICYTOOLKIT_STATIC;
229            }
230    
231            protected String getRandomString(int count, char[] chars) {
232                    StringBundler sb = new StringBundler(count);
233    
234                    Randomizer randomizer = Randomizer.getInstance();
235    
236                    for (int i = 0; i < count; i++) {
237                            int index = randomizer.nextInt(chars.length);
238    
239                            sb.append(chars[index]);
240                    }
241    
242                    return sb.toString();
243            }
244    
245            protected char[] getSortedCharArray(String s) {
246                    char[] chars = s.toCharArray();
247    
248                    Arrays.sort(chars);
249    
250                    return chars;
251            }
252    
253            protected int getUsageCount(String s, char[] chars) {
254                    int count = 0;
255    
256                    for (int i = 0; i < s.length(); i++) {
257                            if (Arrays.binarySearch(chars, s.charAt(i)) >= 0) {
258                                    count++;
259                            }
260                    }
261    
262                    return count;
263            }
264    
265            private char[] _alphanumericCharsetArray;
266            private String _completeCharset;
267            private char[] _lowerCaseCharsetArray;
268            private char[] _numbersCharsetArray;
269            private char[] _symbolsCharsetArray;
270            private char[] _upperCaseCharsetArray;
271    
272    }