001    /**
002     * Copyright (c) 2000-2013 Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.security.pwd;
016    
017    import com.liferay.portal.UserPasswordException;
018    import com.liferay.portal.kernel.exception.PortalException;
019    import com.liferay.portal.kernel.exception.SystemException;
020    import com.liferay.portal.kernel.security.RandomUtil;
021    import com.liferay.portal.kernel.security.SecureRandom;
022    import com.liferay.portal.kernel.util.ArrayUtil;
023    import com.liferay.portal.kernel.util.StringBundler;
024    import com.liferay.portal.kernel.util.Validator;
025    import com.liferay.portal.model.PasswordPolicy;
026    import com.liferay.portal.model.User;
027    import com.liferay.portal.service.PasswordTrackerLocalServiceUtil;
028    import com.liferay.portal.service.UserLocalServiceUtil;
029    import com.liferay.portal.util.PropsValues;
030    import com.liferay.portal.words.WordsUtil;
031    import com.liferay.util.PwdGenerator;
032    
033    import java.util.Arrays;
034    import java.util.Date;
035    import java.util.Random;
036    
037    /**
038     * @author Scott Lee
039     * @author Mika Koivisto
040     */
041    public class PasswordPolicyToolkit extends BasicToolkit {
042    
043            public PasswordPolicyToolkit() {
044                    _lowerCaseCharsetArray = getSortedCharArray(
045                            PropsValues.PASSWORDS_PASSWORDPOLICYTOOLKIT_CHARSET_LOWERCASE);
046                    _numbersCharsetArray = getSortedCharArray(
047                            PropsValues.PASSWORDS_PASSWORDPOLICYTOOLKIT_CHARSET_NUMBERS);
048                    _symbolsCharsetArray = getSortedCharArray(
049                            PropsValues.PASSWORDS_PASSWORDPOLICYTOOLKIT_CHARSET_SYMBOLS);
050                    _upperCaseCharsetArray = getSortedCharArray(
051                            PropsValues.PASSWORDS_PASSWORDPOLICYTOOLKIT_CHARSET_UPPERCASE);
052    
053                    _alphanumericCharsetArray = ArrayUtil.append(
054                            _lowerCaseCharsetArray, _upperCaseCharsetArray,
055                            _numbersCharsetArray);
056    
057                    Arrays.sort(_alphanumericCharsetArray);
058    
059                    StringBundler sb = new StringBundler(4);
060    
061                    sb.append(
062                            PropsValues.PASSWORDS_PASSWORDPOLICYTOOLKIT_CHARSET_LOWERCASE);
063                    sb.append(PropsValues.PASSWORDS_PASSWORDPOLICYTOOLKIT_CHARSET_NUMBERS);
064                    sb.append(PropsValues.PASSWORDS_PASSWORDPOLICYTOOLKIT_CHARSET_SYMBOLS);
065                    sb.append(
066                            PropsValues.PASSWORDS_PASSWORDPOLICYTOOLKIT_CHARSET_UPPERCASE);
067    
068                    _completeCharset = sb.toString();
069            }
070    
071            @Override
072            public String generate(PasswordPolicy passwordPolicy) {
073                    if (PropsValues.PASSWORDS_PASSWORDPOLICYTOOLKIT_GENERATOR.equals(
074                                    "static")) {
075    
076                            return generateStatic(passwordPolicy);
077                    }
078                    else {
079                            return generateDynamic(passwordPolicy);
080                    }
081            }
082    
083            @Override
084            public void validate(
085                            long userId, String password1, String password2,
086                            PasswordPolicy passwordPolicy)
087                    throws PortalException, SystemException {
088    
089                    if (passwordPolicy.isCheckSyntax()) {
090                            if (!passwordPolicy.isAllowDictionaryWords() &&
091                                    WordsUtil.isDictionaryWord(password1)) {
092    
093                                    throw new UserPasswordException(
094                                            UserPasswordException.PASSWORD_CONTAINS_TRIVIAL_WORDS);
095                            }
096    
097                            if (password1.length() < passwordPolicy.getMinLength()) {
098                                    throw new UserPasswordException(
099                                            UserPasswordException.PASSWORD_LENGTH);
100                            }
101    
102                            if ((getUsageCount(password1, _alphanumericCharsetArray) <
103                                            passwordPolicy.getMinAlphanumeric()) ||
104                                    (getUsageCount(password1, _lowerCaseCharsetArray) <
105                                            passwordPolicy.getMinLowerCase()) ||
106                                    (getUsageCount(password1, _numbersCharsetArray) <
107                                            passwordPolicy.getMinNumbers()) ||
108                                    (getUsageCount(password1, _symbolsCharsetArray) <
109                                            passwordPolicy.getMinSymbols()) ||
110                                    (getUsageCount(password1, _upperCaseCharsetArray) <
111                                            passwordPolicy.getMinUpperCase())) {
112    
113                                    throw new UserPasswordException(
114                                            UserPasswordException.PASSWORD_TOO_TRIVIAL);
115                            }
116    
117                            if (Validator.isNotNull(passwordPolicy.getRegex()) &&
118                                    !password1.matches(passwordPolicy.getRegex())) {
119    
120                                    throw new UserPasswordException(
121                                            UserPasswordException.PASSWORD_INVALID);
122                            }
123                    }
124    
125                    if (!passwordPolicy.isChangeable() && (userId != 0)) {
126                            throw new UserPasswordException(
127                                    UserPasswordException.PASSWORD_NOT_CHANGEABLE);
128                    }
129    
130                    if (userId == 0) {
131                            return;
132                    }
133    
134                    User user = UserLocalServiceUtil.getUserById(userId);
135    
136                    Date passwordModfiedDate = user.getPasswordModifiedDate();
137    
138                    if (passwordModfiedDate != null) {
139                            Date now = new Date();
140    
141                            long passwordModificationElapsedTime =
142                                    now.getTime() - passwordModfiedDate.getTime();
143    
144                            long minAge = passwordPolicy.getMinAge() * 1000;
145    
146                            if ((passwordModificationElapsedTime < minAge) &&
147                                    !user.getPasswordReset()) {
148    
149                                    throw new UserPasswordException(
150                                            UserPasswordException.PASSWORD_TOO_YOUNG);
151                            }
152                    }
153    
154                    if (PasswordTrackerLocalServiceUtil.isSameAsCurrentPassword(
155                                    userId, password1)) {
156    
157                            throw new UserPasswordException(
158                                    UserPasswordException.PASSWORD_SAME_AS_CURRENT);
159                    }
160                    else if (!PasswordTrackerLocalServiceUtil.isValidPassword(
161                                            userId, password1)) {
162    
163                            throw new UserPasswordException(
164                                    UserPasswordException.PASSWORD_ALREADY_USED);
165                    }
166            }
167    
168            protected String generateDynamic(PasswordPolicy passwordPolicy) {
169                    int alphanumericActualMinLength =
170                            passwordPolicy.getMinLowerCase() + passwordPolicy.getMinNumbers() +
171                                    passwordPolicy.getMinUpperCase();
172    
173                    int alphanumericMinLength = Math.max(
174                            passwordPolicy.getMinAlphanumeric(), alphanumericActualMinLength);
175                    int passwordMinLength = Math.max(
176                            passwordPolicy.getMinLength(),
177                            alphanumericMinLength + passwordPolicy.getMinSymbols());
178    
179                    StringBundler sb = new StringBundler(6);
180    
181                    if (passwordPolicy.getMinLowerCase() > 0) {
182                            sb.append(
183                                    getRandomString(
184                                            passwordPolicy.getMinLowerCase(), _lowerCaseCharsetArray));
185                    }
186    
187                    if (passwordPolicy.getMinNumbers() > 0) {
188                            sb.append(
189                                    getRandomString(
190                                            passwordPolicy.getMinNumbers(), _numbersCharsetArray));
191                    }
192    
193                    if (passwordPolicy.getMinSymbols() > 0) {
194                            sb.append(
195                                    getRandomString(
196                                            passwordPolicy.getMinSymbols(), _symbolsCharsetArray));
197                    }
198    
199                    if (passwordPolicy.getMinUpperCase() > 0) {
200                            sb.append(
201                                    getRandomString(
202                                            passwordPolicy.getMinUpperCase(), _upperCaseCharsetArray));
203                    }
204    
205                    if (alphanumericMinLength > alphanumericActualMinLength) {
206                            int count = alphanumericMinLength - alphanumericActualMinLength;
207    
208                            sb.append(getRandomString(count, _alphanumericCharsetArray));
209                    }
210    
211                    if (passwordMinLength >
212                                    (alphanumericMinLength + passwordPolicy.getMinSymbols())) {
213    
214                            int count =
215                                    passwordMinLength -
216                                            (alphanumericMinLength + passwordPolicy.getMinSymbols());
217    
218                            sb.append(PwdGenerator.getPassword(_completeCharset, count));
219                    }
220    
221                    if (sb.index() == 0) {
222                            sb.append(
223                                    PwdGenerator.getPassword(
224                                            _completeCharset,
225                                            PropsValues.PASSWORDS_DEFAULT_POLICY_MIN_LENGTH));
226                    }
227    
228                    return RandomUtil.shuffle(new SecureRandom(), sb.toString());
229            }
230    
231            protected String generateStatic(PasswordPolicy passwordPolicy) {
232                    return PropsValues.PASSWORDS_PASSWORDPOLICYTOOLKIT_STATIC;
233            }
234    
235            protected String getRandomString(int count, char[] chars) {
236                    Random random = new SecureRandom();
237    
238                    StringBundler sb = new StringBundler(count);
239    
240                    for (int i = 0; i < count; i++) {
241                            int index = random.nextInt(chars.length);
242    
243                            sb.append(chars[index]);
244                    }
245    
246                    return sb.toString();
247            }
248    
249            protected char[] getSortedCharArray(String s) {
250                    char[] chars = s.toCharArray();
251    
252                    Arrays.sort(chars);
253    
254                    return chars;
255            }
256    
257            protected int getUsageCount(String s, char[] chars) {
258                    int count = 0;
259    
260                    for (int i = 0; i < s.length(); i++) {
261                            if (Arrays.binarySearch(chars, s.charAt(i)) >= 0) {
262                                    count++;
263                            }
264                    }
265    
266                    return count;
267            }
268    
269            private char[] _alphanumericCharsetArray;
270            private String _completeCharset;
271            private char[] _lowerCaseCharsetArray;
272            private char[] _numbersCharsetArray;
273            private char[] _symbolsCharsetArray;
274            private char[] _upperCaseCharsetArray;
275    
276    }