001    /**
002     * Copyright (c) 2000-present Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.security.pwd;
016    
017    import com.liferay.portal.UserPasswordException;
018    import com.liferay.portal.kernel.exception.PortalException;
019    import com.liferay.portal.kernel.security.RandomUtil;
020    import com.liferay.portal.kernel.security.SecureRandom;
021    import com.liferay.portal.kernel.util.ArrayUtil;
022    import com.liferay.portal.kernel.util.PwdGenerator;
023    import com.liferay.portal.kernel.util.StringBundler;
024    import com.liferay.portal.kernel.util.Validator;
025    import com.liferay.portal.kernel.words.WordsUtil;
026    import com.liferay.portal.model.PasswordPolicy;
027    import com.liferay.portal.model.User;
028    import com.liferay.portal.service.PasswordTrackerLocalServiceUtil;
029    import com.liferay.portal.service.UserLocalServiceUtil;
030    import com.liferay.portal.util.PropsValues;
031    
032    import java.util.Arrays;
033    import java.util.Date;
034    import java.util.Random;
035    
036    /**
037     * @author Scott Lee
038     * @author Mika Koivisto
039     */
040    public class PasswordPolicyToolkit extends BasicToolkit {
041    
042            public PasswordPolicyToolkit() {
043                    _lowerCaseCharsetArray = getSortedCharArray(
044                            PropsValues.PASSWORDS_PASSWORDPOLICYTOOLKIT_CHARSET_LOWERCASE);
045                    _numbersCharsetArray = getSortedCharArray(
046                            PropsValues.PASSWORDS_PASSWORDPOLICYTOOLKIT_CHARSET_NUMBERS);
047                    _symbolsCharsetArray = getSortedCharArray(
048                            PropsValues.PASSWORDS_PASSWORDPOLICYTOOLKIT_CHARSET_SYMBOLS);
049                    _upperCaseCharsetArray = getSortedCharArray(
050                            PropsValues.PASSWORDS_PASSWORDPOLICYTOOLKIT_CHARSET_UPPERCASE);
051    
052                    _alphanumericCharsetArray = ArrayUtil.append(
053                            _lowerCaseCharsetArray, _upperCaseCharsetArray,
054                            _numbersCharsetArray);
055    
056                    Arrays.sort(_alphanumericCharsetArray);
057    
058                    StringBundler sb = new StringBundler(4);
059    
060                    sb.append(
061                            PropsValues.PASSWORDS_PASSWORDPOLICYTOOLKIT_CHARSET_LOWERCASE);
062                    sb.append(PropsValues.PASSWORDS_PASSWORDPOLICYTOOLKIT_CHARSET_NUMBERS);
063                    sb.append(PropsValues.PASSWORDS_PASSWORDPOLICYTOOLKIT_CHARSET_SYMBOLS);
064                    sb.append(
065                            PropsValues.PASSWORDS_PASSWORDPOLICYTOOLKIT_CHARSET_UPPERCASE);
066    
067                    _completeCharset = sb.toString();
068            }
069    
070            @Override
071            public String generate(PasswordPolicy passwordPolicy) {
072                    if (PropsValues.PASSWORDS_PASSWORDPOLICYTOOLKIT_GENERATOR.equals(
073                                    "static")) {
074    
075                            return generateStatic(passwordPolicy);
076                    }
077                    else {
078                            return generateDynamic(passwordPolicy);
079                    }
080            }
081    
082            @Override
083            public void validate(
084                            long userId, String password1, String password2,
085                            PasswordPolicy passwordPolicy)
086                    throws PortalException {
087    
088                    if (passwordPolicy.isCheckSyntax()) {
089                            if (!passwordPolicy.isAllowDictionaryWords() &&
090                                    WordsUtil.isDictionaryWord(password1)) {
091    
092                                    throw new UserPasswordException.MustNotContainDictionaryWords(
093                                            userId, WordsUtil.getDictionaryList());
094                            }
095    
096                            if (password1.length() < passwordPolicy.getMinLength()) {
097                                    throw new UserPasswordException.MustBeLonger(
098                                            userId, passwordPolicy.getMinLength());
099                            }
100    
101                            if ((getUsageCount(password1, _alphanumericCharsetArray) <
102                                            passwordPolicy.getMinAlphanumeric()) ||
103                                    (getUsageCount(password1, _lowerCaseCharsetArray) <
104                                            passwordPolicy.getMinLowerCase()) ||
105                                    (getUsageCount(password1, _numbersCharsetArray) <
106                                            passwordPolicy.getMinNumbers()) ||
107                                    (getUsageCount(password1, _symbolsCharsetArray) <
108                                            passwordPolicy.getMinSymbols()) ||
109                                    (getUsageCount(password1, _upperCaseCharsetArray) <
110                                            passwordPolicy.getMinUpperCase())) {
111    
112                                    throw new UserPasswordException.MustNotBeTrivial(userId);
113                            }
114    
115                            String regex = passwordPolicy.getRegex();
116    
117                            if (Validator.isNotNull(regex) && !password1.matches(regex)) {
118                                    throw new UserPasswordException.MustComplyWithRegex(
119                                            userId, regex);
120                            }
121                    }
122    
123                    if (!passwordPolicy.isChangeable() && (userId != 0)) {
124                            throw new UserPasswordException.MustNotBeChanged(userId);
125                    }
126    
127                    if (userId == 0) {
128                            return;
129                    }
130    
131                    User user = UserLocalServiceUtil.getUserById(userId);
132    
133                    Date passwordModfiedDate = user.getPasswordModifiedDate();
134    
135                    if (passwordModfiedDate != null) {
136                            Date now = new Date();
137    
138                            long passwordModificationElapsedTime =
139                                    now.getTime() - passwordModfiedDate.getTime();
140    
141                            long minAge = passwordPolicy.getMinAge() * 1000;
142    
143                            if ((passwordModificationElapsedTime < minAge) &&
144                                    !user.getPasswordReset()) {
145    
146                                    throw new UserPasswordException.MustNotBeChangedYet(
147                                            userId, new Date(passwordModfiedDate.getTime() + minAge));
148                            }
149                    }
150    
151                    if (PasswordTrackerLocalServiceUtil.isSameAsCurrentPassword(
152                                    userId, password1)) {
153    
154                            throw new UserPasswordException.MustNotBeEqualToCurrent(userId);
155                    }
156                    else if (!PasswordTrackerLocalServiceUtil.isValidPassword(
157                                            userId, password1)) {
158    
159                            throw new UserPasswordException.MustNotBeRecentlyUsed(userId);
160                    }
161            }
162    
163            protected String generateDynamic(PasswordPolicy passwordPolicy) {
164                    int alphanumericActualMinLength =
165                            passwordPolicy.getMinLowerCase() + passwordPolicy.getMinNumbers() +
166                                    passwordPolicy.getMinUpperCase();
167    
168                    int alphanumericMinLength = Math.max(
169                            passwordPolicy.getMinAlphanumeric(), alphanumericActualMinLength);
170                    int passwordMinLength = Math.max(
171                            passwordPolicy.getMinLength(),
172                            alphanumericMinLength + passwordPolicy.getMinSymbols());
173    
174                    StringBundler sb = new StringBundler(6);
175    
176                    if (passwordPolicy.getMinLowerCase() > 0) {
177                            sb.append(
178                                    getRandomString(
179                                            passwordPolicy.getMinLowerCase(), _lowerCaseCharsetArray));
180                    }
181    
182                    if (passwordPolicy.getMinNumbers() > 0) {
183                            sb.append(
184                                    getRandomString(
185                                            passwordPolicy.getMinNumbers(), _numbersCharsetArray));
186                    }
187    
188                    if (passwordPolicy.getMinSymbols() > 0) {
189                            sb.append(
190                                    getRandomString(
191                                            passwordPolicy.getMinSymbols(), _symbolsCharsetArray));
192                    }
193    
194                    if (passwordPolicy.getMinUpperCase() > 0) {
195                            sb.append(
196                                    getRandomString(
197                                            passwordPolicy.getMinUpperCase(), _upperCaseCharsetArray));
198                    }
199    
200                    if (alphanumericMinLength > alphanumericActualMinLength) {
201                            int count = alphanumericMinLength - alphanumericActualMinLength;
202    
203                            sb.append(getRandomString(count, _alphanumericCharsetArray));
204                    }
205    
206                    if (passwordMinLength >
207                                    (alphanumericMinLength + passwordPolicy.getMinSymbols())) {
208    
209                            int count =
210                                    passwordMinLength -
211                                            (alphanumericMinLength + passwordPolicy.getMinSymbols());
212    
213                            sb.append(PwdGenerator.getPassword(_completeCharset, count));
214                    }
215    
216                    if (sb.index() == 0) {
217                            sb.append(
218                                    PwdGenerator.getPassword(
219                                            _completeCharset,
220                                            PropsValues.PASSWORDS_DEFAULT_POLICY_MIN_LENGTH));
221                    }
222    
223                    return RandomUtil.shuffle(new SecureRandom(), sb.toString());
224            }
225    
226            protected String generateStatic(PasswordPolicy passwordPolicy) {
227                    return PropsValues.PASSWORDS_PASSWORDPOLICYTOOLKIT_STATIC;
228            }
229    
230            protected String getRandomString(int count, char[] chars) {
231                    Random random = new SecureRandom();
232    
233                    StringBundler sb = new StringBundler(count);
234    
235                    for (int i = 0; i < count; i++) {
236                            int index = random.nextInt(chars.length);
237    
238                            sb.append(chars[index]);
239                    }
240    
241                    return sb.toString();
242            }
243    
244            protected char[] getSortedCharArray(String s) {
245                    char[] chars = s.toCharArray();
246    
247                    Arrays.sort(chars);
248    
249                    return chars;
250            }
251    
252            protected int getUsageCount(String s, char[] chars) {
253                    int count = 0;
254    
255                    for (int i = 0; i < s.length(); i++) {
256                            if (Arrays.binarySearch(chars, s.charAt(i)) >= 0) {
257                                    count++;
258                            }
259                    }
260    
261                    return count;
262            }
263    
264            private char[] _alphanumericCharsetArray;
265            private String _completeCharset;
266            private char[] _lowerCaseCharsetArray;
267            private char[] _numbersCharsetArray;
268            private char[] _symbolsCharsetArray;
269            private char[] _upperCaseCharsetArray;
270    
271    }