EDIT

public abstract class AbstractRequestTokenStore<T extends AbstractRequestToken>  implements IAbstractRequestTokenStore<T> {

        AccountCreationRequest token = new AccountCreationRequest(user.getUsername(), user.getPassword(), user.getEmailAddress(), randomToken, tokenLifetimeMinutes);

/**

* Copyright (C) 2021 EDIT

* European Distributed Institute of Taxonomy

* http://www.e-taxonomy.eu

*

* The contents of this file are subject to the Mozilla Public License Version 1.1

* See LICENSE.TXT at the top of this package for the full license terms.

*/

package eu.etaxonomy.cdm.api.security;

import java.util.Optional;

import eu.etaxonomy.cdm.model.permission.User;

/**

 * @author a.kohlbecker

 * @since Nov 3, 2021

 */

public interface IAbstractRequestTokenStore<T extends AbstractRequestToken> {

    public static final int TOKEN_LIFETIME_MINUTES_DEFAULT = 60 * 6;

    public T create(User user);

    /**

     * Removes the corresponding <code>AbstractRequestToken</code> from the

     * store

     *

     * @param token

     *            The token string

     * @return true if the token to be remove has existed, otherwise false

     */

    public boolean remove(String token);

    /**

     * Checks is the supplied token exists and has not expired.

     *

     * @param token

     *            The token string

     * @return true if the token is valid

     */

    public boolean isEligibleToken(String token);

    /**

     * Returns the corresponding <code>AbstractRequestToken</code> if it exists

     * and is not expired.

     *

     * @param token

     *            The token string

     * @return the valid <code>AbstractRequestToken</code> or an empty

     *         <code>Optional</code>

     */

    public Optional<T> findResetRequest(String token);

    public void setTokenLifetimeMinutes(int tokenLifetimeMinutes);

    public T createNewToken(User user, String randomToken, int tokenLifetimeMinutes);

}

/**

* Copyright (C) 2021 EDIT

* European Distributed Institute of Taxonomy

* http://www.e-taxonomy.eu

*

* The contents of this file are subject to the Mozilla Public License Version 1.1

* See LICENSE.TXT at the top of this package for the full license terms.

*/

package eu.etaxonomy.cdm.api.service.security;

import java.util.HashMap;

import java.util.Map;

import java.util.Optional;

import javax.mail.internet.AddressException;

import javax.mail.internet.InternetAddress;

import org.apache.log4j.Logger;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.beans.factory.annotation.Qualifier;

import org.springframework.dao.DataAccessException;

import org.springframework.mail.MailException;

import org.springframework.scheduling.annotation.Async;

import org.springframework.scheduling.annotation.AsyncResult;

import org.springframework.stereotype.Service;

import org.springframework.transaction.annotation.Transactional;

import org.springframework.util.concurrent.ListenableFuture;

import eu.etaxonomy.cdm.api.security.AbstractRequestToken;

import eu.etaxonomy.cdm.api.security.AccountCreationRequest;

import eu.etaxonomy.cdm.api.security.IAbstractRequestTokenStore;

import eu.etaxonomy.cdm.api.security.PasswordResetRequest;

import eu.etaxonomy.cdm.model.permission.User;

/**

 * @author a.kohlbecker

 * @since Oct 26, 2021

 */

@Service

@Transactional(readOnly = true)

public class AccountRegistrationService extends AccountSelfManagementService implements IAccountRegistrationService {

    private static Logger logger = Logger.getLogger(PasswordResetRequest.class);

    @Autowired

    @Qualifier("accountCreationRequestTokenStore")

    private IAbstractRequestTokenStore<AccountCreationRequest> accountRegistrationTokenStore;

    @Override

    @Async

    public ListenableFuture<Boolean> emailAccountRegistrationRequest(String emailAddress,

            String userName, String password, String accountCreationRequestFormUrlTemplate) throws MailException, AddressException {

        if(logger.isTraceEnabled()) {

            logger.trace("emailAccountRegistrationConfirmation() trying to aquire from rate limiter [rate: " + emailResetToken_rateLimiter.getRate() + ", timeout: " + getRateLimiterTimeout().toMillis() + "ms]");

        }

        if (emailResetToken_rateLimiter.tryAcquire(getRateLimiterTimeout())) {

            logger.trace("emailAccountRegistrationConfirmation() allowed by rate limiter");

            try {

                emailAddressValidAndUnused(emailAddress);

                User user = User.NewInstance(userName, password);

                user.setEmailAddress(emailAddress);

                AbstractRequestToken resetRequest = accountRegistrationTokenStore.create(user);

                String passwordRequestFormUrl = String.format(accountCreationRequestFormUrlTemplate, resetRequest.getToken());

                Map<String, String> additionalValues = new HashMap<>();

                additionalValues.put("linkUrl", passwordRequestFormUrl);

                sendEmail(user.getEmailAddress(), user.getUsername(),

                        UserAccountEmailTemplates.REGISTRATION_REQUEST_EMAIL_SUBJECT_TEMPLATE,

                        UserAccountEmailTemplates.REGISTRATION_REQUEST_EMAIL_BODY_TEMPLATE, additionalValues);

                logger.info("An account creartion request has been send to "

                        + user.getEmailAddress());

                return new AsyncResult<Boolean>(true);

            } catch (MailException e) {

                throw e;

            }

        } else {

            logger.trace("blocked by rate limiter");

            return new AsyncResult<Boolean>(false);

        }

    }

    @Override

    @Async

    @Transactional(readOnly = false)

    public ListenableFuture<Boolean> createUserAccount(String token, String givenName, String familyName, String prefix)

            throws MailException, AccountSelfManagementException, AddressException {

        if (resetPassword_rateLimiter.tryAcquire(getRateLimiterTimeout())) {

            Optional<AccountCreationRequest> creationRequest = accountRegistrationTokenStore.findResetRequest(token);

            if (creationRequest.isPresent()) {

                try {

                    // check again if the email address is still unused

                    emailAddressValidAndUnused(creationRequest.get().getUserEmail());

                    User newUser = User.NewInstance(creationRequest.get().getUserName(), creationRequest.get().getEncryptedPassword());

                    userDao.saveOrUpdate(newUser);

                    accountRegistrationTokenStore.remove(token);

                    sendEmail(creationRequest.get().getUserEmail(), creationRequest.get().getUserName(),

                            UserAccountEmailTemplates.REGISTRATION_SUCCESS_EMAIL_SUBJECT_TEMPLATE,

                            UserAccountEmailTemplates.REGISTRATION_SUCCESS_EMAIL_BODY_TEMPLATE, null);

                    return new AsyncResult<Boolean>(true);

                } catch (DataAccessException e) {

                    String message = "Failed to create a new user [userName: " + creationRequest.get().getUserName() + ", email: " + creationRequest.get().getUserEmail() + "]";

                    logger.error(message, e);

                    throw new AccountSelfManagementException(message);

                }

            } else {

                throw new AccountSelfManagementException("Invalid account creation token");

            }

        }

        return new AsyncResult<Boolean>(false);

    }

    /**

     * Throws exceptions in case of any problems, returns silently in case

     * everything is OK.

     *

     * @param userNameOrEmail

     * @throws AddressException

     *             in case the <code>emailAddress</code> is invalid

     * @throws EmailAddressAlreadyInUseException

     *             in case the <code>emailAddress</code> is in use

     */

    protected void emailAddressValidAndUnused(String emailAddress)

            throws AddressException, EmailAddressAlreadyInUseException {

        InternetAddress emailAddr = new InternetAddress(emailAddress);

        emailAddr.validate();

        if (userDao.findByEmailAddress(emailAddr.toString()) != null) {

            throw new EmailAddressAlreadyInUseException("Email address is already in use");

        }

    }

}

/**

* Copyright (C) 2021 EDIT

* European Distributed Institute of Taxonomy

* http://www.e-taxonomy.eu

*

* The contents of this file are subject to the Mozilla Public License Version 1.1

* See LICENSE.TXT at the top of this package for the full license terms.

*/

package eu.etaxonomy.cdm.api.service.security;

/**

 * @author a.kohlbecker

 * @since Nov 3, 2021

 */

public class AccountSelfManagementException extends Exception {

    private static final long serialVersionUID = -2154469325094431262L;

    public AccountSelfManagementException(String message, Throwable cause) {

        super(message, cause);

    }

    public AccountSelfManagementException(String message) {

        super(message);

    }

}

/**

* Copyright (C) 2021 EDIT

* European Distributed Institute of Taxonomy

* http://www.e-taxonomy.eu

*

* The contents of this file are subject to the Mozilla Public License Version 1.1

* See LICENSE.TXT at the top of this package for the full license terms.

*/

package eu.etaxonomy.cdm.api.service.security;

import java.time.Duration;

import java.util.Map;

import org.apache.commons.collections4.map.HashedMap;

import org.apache.commons.text.StringSubstitutor;

import org.apache.log4j.Logger;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.core.env.Environment;

import org.springframework.mail.MailException;

import org.springframework.mail.SimpleMailMessage;

import org.springframework.mail.javamail.JavaMailSender;

import com.google.common.util.concurrent.RateLimiter;

import eu.etaxonomy.cdm.api.config.CdmConfigurationKeys;

import eu.etaxonomy.cdm.api.config.SendEmailConfigurer;

import eu.etaxonomy.cdm.api.security.PasswordResetRequest;

import eu.etaxonomy.cdm.api.service.IUserService;

import eu.etaxonomy.cdm.persistence.dao.permission.IUserDao;

/**

 * @author a.kohlbecker

 * @since Nov 18, 2021

 */

public abstract class AccountSelfManagementService implements IRateLimitedService {

    protected static Logger logger = Logger.getLogger(PasswordResetRequest.class);

    public static final int RATE_LIMTER_TIMEOUT_SECONDS = 2;

    public static final double PERMITS_PER_SECOND = 0.3;

    @Autowired

    protected IUserDao userDao;

    @Autowired

    protected IUserService userService;

    @Autowired

    protected JavaMailSender emailSender;

    @Autowired

    protected Environment env;

    private Duration rateLimiterTimeout = null;

    protected RateLimiter emailResetToken_rateLimiter = RateLimiter.create(PERMITS_PER_SECOND);

    protected RateLimiter resetPassword_rateLimiter = RateLimiter.create(PERMITS_PER_SECOND);

    /**

     * Uses the {@link StringSubstitutor} as simple template engine.

     * Below named values are automatically resolved, more can be added via the

     * <code>valuesMap</code> parameter.

     *

     * @param userEmail

     *  The TO-address

     * @param userName

     *  Used to set the value for <code>${userName}</code>

     * @param subjectTemplate

     *  A {@link StringSubstitutor} template for the email subject

     * @param bodyTemplate

     *  A {@link StringSubstitutor} template for the email body

     * @param additionalValuesMap

     *  Additional named values for to be replaced in the template strings.

     */

    public void sendEmail(String userEmail, String userName, String subjectTemplate, String bodyTemplate, Map<String, String> additionalValuesMap) throws MailException {

        String from = env.getProperty(SendEmailConfigurer.FROM_ADDRESS);

        String dataSourceBeanId = env.getProperty(CdmConfigurationKeys.CDM_DATA_SOURCE_ID);

        String supportEmailAddress = env.getProperty(CdmConfigurationKeys.MAIL_ADDRESS_SUPPORT);

        if(additionalValuesMap == null) {

            additionalValuesMap = new HashedMap<>();

        }

        if(supportEmailAddress != null) {

            additionalValuesMap.put("supportEmailAddress", supportEmailAddress);

        }

        additionalValuesMap.put("userName", userName);

        additionalValuesMap.put("dataBase", dataSourceBeanId);

        StringSubstitutor substitutor = new StringSubstitutor(additionalValuesMap);

        // TODO use MimeMessages for better email layout?

        // TODO user Thymeleaf instead for HTML support?

        SimpleMailMessage message = new SimpleMailMessage();

        message.setFrom(from);

        message.setTo(userEmail);

        message.setSubject(substitutor.replace(subjectTemplate));

        message.setText(substitutor.replace(bodyTemplate));

        emailSender.send(message);

    }

    @Override

    public Duration getRateLimiterTimeout() {

        if(rateLimiterTimeout == null) {

            rateLimiterTimeout = Duration.ofSeconds(RATE_LIMTER_TIMEOUT_SECONDS);

        }

        return rateLimiterTimeout;

    }

    @Override

    public void setRateLimiterTimeout(Duration timeout) {

        this.rateLimiterTimeout = timeout;

    }

    @Override

    public void setRate(double rate) {

        resetPassword_rateLimiter.setRate(rate);

        emailResetToken_rateLimiter.setRate(rate);

    }

}

/**

* Copyright (C) 2021 EDIT

* European Distributed Institute of Taxonomy

* http://www.e-taxonomy.eu

*

* The contents of this file are subject to the Mozilla Public License Version 1.1

* See LICENSE.TXT at the top of this package for the full license terms.

*/

package eu.etaxonomy.cdm.api.service.security;

import org.springframework.security.core.userdetails.UsernameNotFoundException;

/**

 * To be thrown an email address is already bound to an account an can nor be

 * used to create a new user account.

 *

 * @author a.kohlbecker

 * @since Nov 4, 2021

 */

public class EmailAddressAlreadyInUseException extends UsernameNotFoundException {

    private static final long serialVersionUID = 1572067792460999503L;

    public EmailAddressAlreadyInUseException(String msg) {

        super(msg);

    }

}

/**

* Copyright (C) 2021 EDIT

* European Distributed Institute of Taxonomy

* http://www.e-taxonomy.eu

*

* The contents of this file are subject to the Mozilla Public License Version 1.1

* See LICENSE.TXT at the top of this package for the full license terms.

*/

package eu.etaxonomy.cdm.api.service.security;

import javax.mail.internet.AddressException;

import org.springframework.mail.MailException;

import org.springframework.util.concurrent.ListenableFuture;

import eu.etaxonomy.cdm.api.security.AccountCreationRequest;

/**

 * @author a.kohlbecker

 * @since Nov 18, 2021

 */

public interface IAccountRegistrationService extends IRateLimitedService {

    public static final int RATE_LIMTER_TIMEOUT_SECONDS = 2;

    public static final double PERMITS_PER_SECOND = 0.3;

    /**

     * Create a {@link AccountCreationRequest} token and send it to the user via

     * email.

     *

     * <ul>

     * <li>Hides internal processing time differences by sending the email

     * asynchronously</li>

     * <li>Access to the method is rate limited, see {@link #RATE_LIMIT}</li>

     * </ul>

     *

     * @param emailAddress

     *            The email address to send the account creation request to

     * @param accountCreationRequestFormUrlTemplate

     *            A template string for {@code String.format()} for the URL to

     *            the form in which the user can create a new user account. The

     *            template string must contain one string placeholder {@code %s}

     *            for the request token string.

     * @return A <code>Future</code> for a <code>Boolean</code> flag. The

     *         boolean value will be <code>false</code> in case the max access

     *         rate for this method has been exceeded and a time out has

     *         occurred. Internal error states that may expose sensitive

     *         information are intentionally hidden this way (see above link to

     *         the Forgot_Password_Cheat_Sheet).

     * @throws MailException

     *             in case sending the email has failed

     * @throws AddressException

     *             in case the <code>emailAddress</code> in not valid

     */

    ListenableFuture<Boolean> emailAccountRegistrationRequest(String emailAddress, String userName, String password,

            String passwordRequestFormUrlTemplate) throws MailException, AddressException;

    /**

     *

     * @param token

     *            the token string

     * @param givenName

     *            The new password to set - <b>required</b>

     * @param familyName

     *            The family name - optional, can be left empty

     * @param prefix

     *            The family name - optional, can be left empty

     * @return A <code>Future</code> for a <code>Boolean</code> flag. The

     *         boolean value will be <code>false</code> in case the max access

     *         rate for this method has been exceeded and a time out has

     *         occurred.

     * @throws AccountSelfManagementException

     *             in case an invalid token has been used

     * @throws MailException

     *             in case sending the email has failed

     * @throws AddressException

     *             in case the <code>emailAddress</code> stored in the

     *             {@link AccountCreationRequest} identified by the

     *             <code>token</code> not valid

     */

    ListenableFuture<Boolean> createUserAccount(String token, String givenName, String familyName, String prefix)

            throws MailException, AccountSelfManagementException, AddressException;

}

public interface IPasswordResetService extends IRateLimitedService {

    * @throws AccountSelfManagementException

    ListenableFuture<Boolean> resetPassword(String token, String newPassword) throws AccountSelfManagementException;

/**

* Copyright (C) 2021 EDIT

* European Distributed Institute of Taxonomy

* http://www.e-taxonomy.eu

*

* The contents of this file are subject to the Mozilla Public License Version 1.1

* See LICENSE.TXT at the top of this package for the full license terms.

*/

package eu.etaxonomy.cdm.api.service.security;

import java.time.Duration;

/**

 * @author a.kohlbecker

 * @since Nov 18, 2021

 */

public interface IRateLimitedService {

    /**

     * Requests to the service methods should be rate limited.

     * This method allows to set the timeout when waiting for a

     * free execution slot. {@link #RATE_LIMTER_TIMEOUT_SECONDS}

     * is the default

     */

    void setRateLimiterTimeout(Duration timeout);

    /**

     * see {@link #setRateLimiterTimeout(Duration)}

     *

     * @return the currently used timeout

     */

    Duration getRateLimiterTimeout();

    /**

     * Requests to the service methods should be rate limited.

     * This method allows to override the default rate

     * {@link #PERMITS_PER_SECOND}

     */

    public void setRate(double rate);

}

import org.springframework.beans.factory.annotation.Qualifier;

import eu.etaxonomy.cdm.api.security.IAbstractRequestTokenStore;

public class PasswordResetService extends AccountSelfManagementService implements IPasswordResetService {

    @Qualifier("passwordResetTokenStore")

    IAbstractRequestTokenStore<PasswordResetRequest> passwordResetTokenStore;

                        UserAccountEmailTemplates.RESET_REQUEST_EMAIL_SUBJECT_TEMPLATE,

                        UserAccountEmailTemplates.REGISTRATION_REQUEST_EMAIL_BODY_TEMPLATE, additionalValues);

    *

    * @param token

    *            the token string

    * @param newPassword

    *            The new password to set

    * @return A <code>Future</code> for a <code>Boolean</code> flag. The

    *         boolean value will be <code>false</code> in case the max access

    *         rate for this method has been exceeded and a time out has

    *         occurred.

    * @throws AccountSelfManagementException

    *             in case an invalid token has been used

    * @throws MailException

    *             in case sending the email has failed

    */

   @Override

   @Async

   public ListenableFuture<Boolean> resetPassword(String token, String newPassword) throws AccountSelfManagementException, MailException {

       if (resetPassword_rateLimiter.tryAcquire(getRateLimiterTimeout())) {

           Optional<PasswordResetRequest> resetRequest = passwordResetTokenStore.findResetRequest(token);

           if (resetRequest.isPresent()) {

               try {

                   UserDetails user = userService.loadUserByUsername(resetRequest.get().getUserName());

                   Assert.isAssignable(user.getClass(), User.class);

                   userService.encodeUserPassword((User)user, newPassword);

                   userDao.saveOrUpdate((User)user);

                   passwordResetTokenStore.remove(token);

                   sendEmail(resetRequest.get().getUserEmail(), resetRequest.get().getUserName(),

                           UserAccountEmailTemplates.RESET_SUCCESS_EMAIL_SUBJECT_TEMPLATE,

                           UserAccountEmailTemplates.RESET_SUCCESS_EMAIL_BODY_TEMPLATE, null);

                   return new AsyncResult<Boolean>(true);

               } catch (DataAccessException | IllegalArgumentException | UsernameNotFoundException e) {

                   logger.error("Failed to change password of User " + resetRequest.get().getUserName(), e);

                   sendEmail(resetRequest.get().getUserEmail(), resetRequest.get().getUserName(),

                           UserAccountEmailTemplates.RESET_FAILED_EMAIL_SUBJECT_TEMPLATE,

                           UserAccountEmailTemplates.RESET_FAILED_EMAIL_BODY_TEMPLATE, null);

               }

           } else {

               throw new AccountSelfManagementException("Invalid password reset token");

           }

       }

       return new AsyncResult<Boolean>(false);

   }

/**

* Copyright (C) 2021 EDIT

* European Distributed Institute of Taxonomy

* http://www.e-taxonomy.eu

*

* The contents of this file are subject to the Mozilla Public License Version 1.1

* See LICENSE.TXT at the top of this package for the full license terms.

*/

package eu.etaxonomy.cdm.api.service.security;

/**

 * @author a.kohlbecker

 * @since Nov 11, 2021

 */

public class UserAccountEmailTemplates {

    public static final String RESET_REQUEST_EMAIL_SUBJECT_TEMPLATE = "Your password reset request for ${userName}";

    public static final String RESET_REQUEST_EMAIL_BODY_TEMPLATE = "You are receiving this email because a password reset was requested for your account at the ${dataBase}"

            + " data base. If this was not initiated by you, please ignore this message."

            + "\n\nPlease click ${linkUrl} to reset your password";

    public static final String RESET_SUCCESS_EMAIL_SUBJECT_TEMPLATE = "Your password for ${userName} has been changed";

    public static final String RESET_SUCCESS_EMAIL_BODY_TEMPLATE = "The password of your account (${userName}) at the ${dataBase} data base has just been changed."

            + "\n\nIf this was not initiated by you, please contact the administrator (${supportEmailAddress}) as soon as possible.";

    public static final String RESET_FAILED_EMAIL_SUBJECT_TEMPLATE = "Changing your password for ${userName} has failed";

    public static final String RESET_FAILED_EMAIL_BODY_TEMPLATE = "The attempt to change the password of your account at the ${dataBase} data base has failed."

            + "\n\nIf this was not initiated by you, please contact the administrator (${supportEmailAddress}) as soon as possible.";

    public static final String REGISTRATION_REQUEST_EMAIL_SUBJECT_TEMPLATE = "Your requested for new user account at ${dataBase}";

    public static final String REGISTRATION_REQUEST_EMAIL_BODY_TEMPLATE = "You are receiving this email because you requested for a new account at the ${dataBase}"

            + " data base. If this was not initiated by you, please ignore this message."

            + "\n\nPlease click ${linkUrl} to start creating your user account.";

    public static final String REGISTRATION_SUCCESS_EMAIL_SUBJECT_TEMPLATE = "The new user account (${userName}) has been changed";

    public static final String REGISTRATION_SUCCESS_EMAIL_BODY_TEMPLATE = "Your account (${userName}) at the ${dataBase} data base has just been created."

            + "\n\nIf this was not initiated by you, please contact the administrator (${supportEmailAddress}).";

}

import org.springframework.beans.factory.annotation.Qualifier;

    @Qualifier("passwordResetTokenStore")

    private IAbstractRequestTokenStore passwordResetTokenStore;

        passwordResetTokenStore.setTokenLifetimeMinutes(IAbstractRequestTokenStore.TOKEN_LIFETIME_MINUTES_DEFAULT);

/**

* Copyright (C) 2021 EDIT

* European Distributed Institute of Taxonomy

* http://www.e-taxonomy.eu

*

* The contents of this file are subject to the Mozilla Public License Version 1.1

* See LICENSE.TXT at the top of this package for the full license terms.

*/

package eu.etaxonomy.cdm.api.service.security;

import static org.junit.Assert.assertEquals;

import static org.junit.Assert.assertNotNull;

import static org.junit.Assert.assertTrue;

import java.io.FileNotFoundException;

import java.time.Duration;

import java.util.concurrent.CountDownLatch;

import java.util.regex.Matcher;

import java.util.regex.Pattern;

import javax.mail.internet.AddressException;

import javax.mail.internet.MimeMessage;

import org.apache.log4j.Level;

import org.apache.log4j.Logger;

import org.junit.After;

import org.junit.Before;

import org.junit.Test;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.core.env.Environment;

import org.springframework.mail.javamail.JavaMailSender;

import org.springframework.util.concurrent.ListenableFuture;

import org.subethamail.wiser.Wiser;

import org.subethamail.wiser.WiserMessage;

import org.unitils.dbunit.annotation.DataSet;

import org.unitils.spring.annotation.SpringBeanByName;

import org.unitils.spring.annotation.SpringBeanByType;

import eu.etaxonomy.cdm.api.security.AbstractRequestTokenStore;

import eu.etaxonomy.cdm.api.security.AccountCreationRequest;

import eu.etaxonomy.cdm.api.security.IAbstractRequestTokenStore;

import eu.etaxonomy.cdm.api.security.PasswordResetRequest;

import eu.etaxonomy.cdm.api.service.IUserService;

import eu.etaxonomy.cdm.test.unitils.CleanSweepInsertLoadStrategy;

public class AccountRegistrationServiceTest extends eu.etaxonomy.cdm.test.integration.CdmTransactionalIntegrationTest {

    private static final double maxRequestRate = 4.0;

    Logger logger = Logger.getLogger(AccountRegistrationServiceTest.class);

    private static final int rateLimiterTimeout = 200;

    private static final String userName = "pwdResetTestUser";

    private static final String userPWD = "super_SECURE_123";

    private static final String userEmail = "pwdResetTestUser@cybertaxonomy.test";

    private static String base64UrlSaveCharClass = "[a-zA-Z0-9\\-_]";

    private static final String requestFormUrlTemplate = "http://cybertaxonomy.test/passwordReset?userName={%s}&sessID=f8d8sf8dsf";

    @SpringBeanByType

    private IUserService userService;

    @SpringBeanByType

    private IAccountRegistrationService accountRegistrationService;

    @SpringBeanByName

    private IAbstractRequestTokenStore<AccountCreationRequest> accountCreationRequestTokenStore;

    @SpringBeanByType

    private JavaMailSender emailSender;

    @Autowired

    private Environment env;

    private Wiser wiser = null;

    private CountDownLatch createRequestTokenSendSignal;

    private CountDownLatch accountCreatedSignal;

    Throwable assyncError = null;

    @Before

    public void startEmailServer() {

        // Integer smtpPort = env.getProperty(SendEmailConfigurer.PORT, Integer.class);

        wiser = new Wiser();

        wiser.setPort(2500); // must be the same as configured for SendEmailConfigurer.PORT

        wiser.start();

        logger.debug("Wiser email server started");

    }

    @Before

    public void accountRegistrationService() throws InterruptedException {

        logger.setLevel(Level.DEBUG);

        Logger.getLogger(PasswordResetRequest.class).setLevel(Level.TRACE);

        // speed up testing

        accountRegistrationService.setRateLimiterTimeout(Duration.ofMillis(rateLimiterTimeout));

        accountRegistrationService.setRate(maxRequestRate);

        // pause long enough to avoid conflicts

        long sleepTime = Math.round(1000 / maxRequestRate) + rateLimiterTimeout;

        Thread.sleep(sleepTime);

    }

    @Before

    public void resetAsyncVars() {

        assyncError = null;

        createRequestTokenSendSignal = null;

        accountCreatedSignal = null;

    }

    @After

    public void stopEmailServer() {

        wiser.stop();

    }

    @Test

    @DataSet(loadStrategy = CleanSweepInsertLoadStrategy.class, value="/eu/etaxonomy/cdm/database/ClearDBDataSet.xml")

    public void testSuccessfulEmailReset() throws Throwable {

        logger.debug("testSuccessfulEmailReset() ...");

        // printDataSet(System.err, "UserAccount");

        createRequestTokenSendSignal = new CountDownLatch(1);

        accountCreatedSignal = new CountDownLatch(1);

        ListenableFuture<Boolean> emailResetFuture = accountRegistrationService.emailAccountRegistrationRequest(userEmail, userName, userPWD, requestFormUrlTemplate);

        emailResetFuture.addCallback(

                requestSuccessVal -> {

                    createRequestTokenSendSignal.countDown();

                }, futureException -> {

                    assyncError = futureException;

                    createRequestTokenSendSignal.countDown();

                });

        // -- wait for passwordResetService.emailResetToken() to complete

        createRequestTokenSendSignal.await();

        if(assyncError != null) {

            throw assyncError;

        }

        assertNotNull(emailResetFuture.get());

        assertEquals(1, wiser.getMessages().size());

        // -- read email message

        WiserMessage requestMessage = wiser.getMessages().get(0);

        MimeMessage requestMimeMessage = requestMessage.getMimeMessage();

        assertTrue(requestMimeMessage.getSubject()

                .matches(UserAccountEmailTemplates.REGISTRATION_REQUEST_EMAIL_SUBJECT_TEMPLATE.replace("${dataBase}", ".*"))

                );

        String messageContent = requestMimeMessage.getContent().toString();

        // -- extract token

        Pattern pattern = Pattern.compile("=\\{(" + base64UrlSaveCharClass + "+)\\}");

        Matcher m = pattern.matcher(messageContent);

        assertTrue(m.find());

        assertEquals(AbstractRequestTokenStore.TOKEN_LENGTH + 17, m.group(1).length());

        // -- change password

        ListenableFuture<Boolean> createAccountFuture = accountRegistrationService.createUserAccount(m.group(1), "Testor", "Nutzer", "Dr.");

        createAccountFuture.addCallback(requestSuccessVal -> {

            accountCreatedSignal.countDown();

        }, futureException -> {

            assyncError =  futureException;

            accountCreatedSignal.countDown();

        });

        // -- wait for passwordResetService.resetPassword to complete

        accountCreatedSignal.await();

        assertTrue(createAccountFuture.get());

        assertEquals(2, wiser.getMessages().size());

        WiserMessage successMessage = wiser.getMessages().get(1);

        MimeMessage successMimeMessage = successMessage.getMimeMessage();

        assertEquals(UserAccountEmailTemplates.REGISTRATION_SUCCESS_EMAIL_SUBJECT_TEMPLATE.replace("${userName}", userName), successMimeMessage.getSubject());

    }

    @Test

    @DataSet(loadStrategy = CleanSweepInsertLoadStrategy.class, value="/eu/etaxonomy/cdm/database/ClearDBDataSet.xml")

    public void emailResetToken_ivalidEmailAddress() throws Throwable {

        logger.debug("emailResetToken_ivalidEmailAddress() ...");

        createRequestTokenSendSignal = new CountDownLatch(1);

        accountRegistrationService.setRateLimiterTimeout(Duration.ofMillis(1)); // as should as possible to allow the fist call to be successful (with 1ns the fist call fails!)

        ListenableFuture<Boolean> emailResetFuture = accountRegistrationService.emailAccountRegistrationRequest("not-a-valid-email@#address#", userName, userPWD, requestFormUrlTemplate);

        emailResetFuture.addCallback(

                requestSuccessVal -> {

                    createRequestTokenSendSignal.countDown();

                }, futureException -> {

                    assyncError = futureException;

                    createRequestTokenSendSignal.countDown();

                });

        // -- wait for passwordResetService.emailResetToken() to complete

        createRequestTokenSendSignal.await();

        assertNotNull(assyncError);

        assertEquals(AddressException.class, assyncError.getClass());

    }

    @Test

    @DataSet(loadStrategy = CleanSweepInsertLoadStrategy.class, value="/eu/etaxonomy/cdm/database/ClearDBDataSet.xml")

    public void testInvalidToken() throws Throwable {

        logger.debug("testInvalidToken() ...");

        accountCreatedSignal = new CountDownLatch(1);

        // -- change password

        ListenableFuture<Boolean> resetPasswordFuture = accountRegistrationService.createUserAccount("IUER9843URIO--INVALID-TOKEN--UWEUR89EUWWEOIR", userName, null, null);

        resetPasswordFuture.addCallback(requestSuccessVal -> {

            accountCreatedSignal.countDown();

        }, futureException -> {

            assyncError =  futureException;

            accountCreatedSignal.countDown();

        });

        // -- wait for passwordResetService.resetPassword to complete

        accountCreatedSignal.await();

        assertNotNull(assyncError);

        assertEquals(AccountSelfManagementException.class, assyncError.getClass());

        assertEquals(0, wiser.getMessages().size());

    }

    @Override

    public void createTestDataSet() throws FileNotFoundException {

        // not needed

    }

}

import org.unitils.spring.annotation.SpringBeanByName;

import eu.etaxonomy.cdm.api.security.IAbstractRequestTokenStore;

    @SpringBeanByName

    private IAbstractRequestTokenStore<PasswordResetRequest> passwordResetTokenStore;

        assertEquals(UserAccountEmailTemplates.RESET_REQUEST_EMAIL_SUBJECT_TEMPLATE.replace("${userName}", userName), requestMimeMessage.getSubject());

        assertEquals(UserAccountEmailTemplates.RESET_SUCCESS_EMAIL_SUBJECT_TEMPLATE.replace("${userName}", userName), successMimeMessage.getSubject());

        assertEquals(AccountSelfManagementException.class, assyncError.getClass());