EDIT

        return initializeUser(user);

    }

    @Override

    public User findByEmailAddress(String emailAddress) {

        Query query = getSession().createQuery("select user from User user where user.emailAddress = :emailAddress");

        query.setParameter("emailAddress", emailAddress);

        User user = (User)query.uniqueResult(); // emailAddress to be unique, see https://dev.e-taxonomy.eu/redmine/issues/7276

        return initializeUser(user);

    public long countByUsername(String queryString, MatchMode matchmode, List<Criterion> criterion) {

    public User initializeUser(User user) {

        if(user != null) {

            getSession().refresh(user); // make sure the user is always up to date

            Hibernate.initialize(user.getPerson());

            Hibernate.initialize(user.getGrantedAuthorities());

            for(Group group : user.getGroups()) {

                Hibernate.initialize(group.getGrantedAuthorities());

            }

        }

        return user;

    }

    /**

     * Find the user having the supplied email address

     * @param emailAddress

     * @return The user or null

     */

    public User findByEmailAddress(String emailAddress);

    <dependency>

        <groupId>com.google.guava</groupId>

        <artifactId>guava</artifactId>

    </dependency>

    <dependency>

        <groupId>org.apache.commons</groupId>

        <artifactId>commons-text</artifactId>

    </dependency>

/**

* Copyright (C) 2021 EDIT

* European Distributed Institute of Taxonomy

* http://www.e-taxonomy.eu

*

* The contents of this file are subject to the Mozilla Public License Version 1.1

* See LICENSE.TXT at the top of this package for the full license terms.

*/

package eu.etaxonomy.cdm.api.config;

import org.springframework.context.annotation.ComponentScan;

import org.springframework.context.annotation.ComponentScans;

import org.springframework.context.annotation.Configuration;

import org.springframework.scheduling.annotation.EnableAsync;

/**

 * This is to replace the xml configuration in src/main/resources/eu/etaxonomy/cdm/services.xml

 *

 * @author a.kohlbecker

 * @since Nov 5, 2021

 */

@Configuration

@ComponentScans({

    @ComponentScan(basePackages = {

            "eu.etaxonomy.cdm.api.security",

            "eu.etaxonomy.cdm.api.service.security"

            })

})

@EnableAsync // required for eu.etaxonomy.cdm.api.service.security.PasswordResetService @Async

public class AppConfiguration {

}

}

/**

* Copyright (C) 2021 EDIT

* European Distributed Institute of Taxonomy

* http://www.e-taxonomy.eu

*

* The contents of this file are subject to the Mozilla Public License Version 1.1

* See LICENSE.TXT at the top of this package for the full license terms.

*/

package eu.etaxonomy.cdm.api.security;

import java.util.Optional;

import eu.etaxonomy.cdm.model.permission.User;

/**

 * @author a.kohlbecker

 * @since Nov 3, 2021

 */

public interface IPasswordResetTokenStore {

    public static final int TOKEN_LIFETIME_MINUTES_DEFAULT = 60 * 6;

    public PasswordResetRequest create(User user);

    /**

     * Removes the corresponding <code>PasswordResetRequest</code> from the

     * store

     *

     * @param token

     *            The token string

     * @return true if the token to be remove has existed, otherwise false

     */

    public boolean remove(String token);

    /**

     * Checks is the supplied token exists and has not expired.

     *

     * @param token

     *            The token string

     * @return true if the token is valid

     */

    public boolean isEligibleToken(String token);

    /**

     * Returns the corresponding <code>PasswordResetRequest</code> if it exists

     * and is not expired.

     *

     * @param token

     *            The token string

     * @return the valid <code>PasswordResetRequest</code> or an empty

     *         <code>Optional</code>

     */

    public Optional<PasswordResetRequest> findResetRequest(String token);

    public void setTokenLifetimeMinutes(int tokenLifetimeMinutes);

}

package eu.etaxonomy.cdm.api.security;

import java.util.Calendar;

import java.util.Date;

/**

 * @author a.kohlbecker

 * @since Oct 26, 2021

 */

public class PasswordResetRequest {

    private String token;

    private String userName;

    private String userEmail;

    private Date expiryDate;

    /**

     * @param user

     * @param expireInMinutes

     */

    protected PasswordResetRequest(String userName, String userEmail, String token, int expireInMinutes) {

        super();

        this.userName = userName;

        this.userEmail = userEmail;

        this.token = token;

        this.setExpiryDate(expireInMinutes);

    }

    public String getToken() {

        return token;

    }

    public String getUserName() {

        return userName;

    }

    public Date getExpiryDate() {

        return expiryDate;

    }

    protected void setExpiryDate(int minutes){

        Calendar now = Calendar.getInstance();

        now.add(Calendar.MINUTE, minutes);

        this.expiryDate = now.getTime();

    }

    public boolean isExpired() {

        return new Date().after(this.expiryDate);

    }

    public String getUserEmail() {

        return userEmail;

    }

}

/**

* Copyright (C) 2021 EDIT

* European Distributed Institute of Taxonomy

* http://www.e-taxonomy.eu

*

* The contents of this file are subject to the Mozilla Public License Version 1.1

* See LICENSE.TXT at the top of this package for the full license terms.

*/

package eu.etaxonomy.cdm.api.security;

import java.security.SecureRandom;

import java.util.Base64;

import java.util.Base64.Encoder;

import java.util.Date;

import java.util.HashMap;

import java.util.List;

import java.util.Map;

import java.util.Optional;

import java.util.stream.Collectors;

import org.apache.log4j.Logger;

import org.springframework.stereotype.Component;

import eu.etaxonomy.cdm.model.permission.User;

/**

 * @author a.kohlbecker

 * @since Nov 3, 2021

 */

@Component

public class PasswordResetTokenStore implements IPasswordResetTokenStore {

    public  static final int TOKEN_LENGTH = 50;

    private static Logger logger = Logger.getLogger(PasswordResetTokenStore.class);

    private Map<String, PasswordResetRequest> tokenList = new HashMap<>();

    private Integer tokenLifetimeMinutes = null;

    @Override

    public PasswordResetRequest create(User user) {

        clearExpiredTokens();

        assert user != null;

        assert !user.getEmailAddress().isEmpty();

        PasswordResetRequest token = new PasswordResetRequest(user.getUsername(), user.getEmailAddress(), generateRandomToken(), getTokenLifetimeMinutes());

        tokenList.put(token.getToken(), token);

        return token;

    }

    private String generateRandomToken() {

        SecureRandom random = new SecureRandom();

        byte bytes[] = new byte[TOKEN_LENGTH];

        random.nextBytes(bytes);

        Encoder encoder = Base64.getUrlEncoder().withoutPadding();

        String token = encoder.encodeToString(bytes);

        return token;

    }

    @Override

    public Optional<PasswordResetRequest> findResetRequest(String token) {

        clearExpiredTokens();

        PasswordResetRequest resetRequest = tokenList.get(token);

        if(isEligibleResetRequest(resetRequest)) {

            return Optional.of(resetRequest);

        }

        return Optional.empty();

    }

    @Override

    public boolean isEligibleToken(String token) {

        clearExpiredTokens();

        PasswordResetRequest resetRequest = tokenList.get(token);

        return isEligibleResetRequest(resetRequest);

    }

    private boolean isEligibleResetRequest(PasswordResetRequest resetRequest) {

        if(resetRequest == null) {

            logger.error("PasswordResetRequest must not be null");

            return false;

        }

        if(resetRequest.getExpiryDate().before(new Date())) {

            tokenList.remove(resetRequest.getToken());

            logger.info("Token is expired, and has been deleted now.");

            return false;

        }

        return true;

    }

    /**

     * To be called periodically to remove expired tokens.

     *

     * @return the number of expired tokens that have been cleared

     */

    private int clearExpiredTokens() {

        Date now = new Date();

        List<String> expiredTokens = tokenList.values().stream().filter(t -> t.getExpiryDate().before(now)).map(t -> t.getToken()).collect(Collectors.toList());

        expiredTokens.stream().forEach(tstr -> tokenList.remove(tstr));

        return expiredTokens.size();

    }

    /**

     * Removes the token from the store

     *

     * @param token

     * @return true if the token to be remove has existed, otherwise false

     */

    @Override

    public boolean remove(String token) {

        clearExpiredTokens();

        return tokenList.remove(token) != null;

    }

    public int getTokenLifetimeMinutes() {

        return this.tokenLifetimeMinutes != null ? this.tokenLifetimeMinutes : TOKEN_LIFETIME_MINUTES_DEFAULT;

    }

    @Override

    public void setTokenLifetimeMinutes(int tokenLifetimeMinutes) {

        this.tokenLifetimeMinutes = tokenLifetimeMinutes;

    }

}

/**

* Copyright (C) 2021 EDIT

* European Distributed Institute of Taxonomy

* http://www.e-taxonomy.eu

*

* The contents of this file are subject to the Mozilla Public License Version 1.1

* See LICENSE.TXT at the top of this package for the full license terms.

*/

package eu.etaxonomy.cdm.api.service.security;

import org.springframework.security.core.userdetails.UsernameNotFoundException;

/**

 * To be thrown when a user can not be found using the email address.

 *

 * @author a.kohlbecker

 * @since Nov 4, 2021

 */

public class EmailAddressNotFoundException extends UsernameNotFoundException {

    private static final long serialVersionUID = 1572067792460999503L;

    public EmailAddressNotFoundException(String msg) {

        super(msg);

    }

}

/**

* Copyright (C) 2021 EDIT

* European Distributed Institute of Taxonomy

* http://www.e-taxonomy.eu

*

* The contents of this file are subject to the Mozilla Public License Version 1.1

* See LICENSE.TXT at the top of this package for the full license terms.

*/

package eu.etaxonomy.cdm.api.service.security;

import org.springframework.util.concurrent.ListenableFuture;

/**

 * @author a.kohlbecker

 * @since Nov 8, 2021

 */

public interface IPasswordResetService {

    /**

     * Create a request token and send it to the user via email.

     *

     * Must conform to the recommendations of <a href=

     * "https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html">

     * https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html</a>

     *

     * <ul>

     * <li>Hides internal processing time differences by sending the email

     * asynchronously</li>

     * <li>Access to the method is rate limited, see {@link #RATE_LIMIT}</li>

     * </ul>

     *

     * @param userNameOrEmail

     *            The user name or email address of the user requesting for a

     *            password reset.

     * @param passwordRequestFormUrlTemplate

     *            A template string for {@code String.format()} for the URL to

     *            the request form in which the user can enter the new password.

     *            The template string must contain one string placeholder

     *            {@code %s} for the request token string.

     * @return A <code>Future</code> for a <code>Boolean</code> flag. The

     *         boolean value will be <code>false</code> in case the max access

     *         rate for this method has been exceeded and a time out has

     *         occurred. Other internal error states are intentionally hidden to

     *         avoid leaking of information on the existence of users (see above

     *         link to the Forgot_Password_Cheat_Sheet).

     */

    ListenableFuture<Boolean> emailResetToken(String userNameOrEmail, String passwordRequestFormUrlTemplate);

    /**

     *

     * @param token

     *            the token string

     * @param newPassword

     *            The new password to set

     * @return A <code>Future</code> for a <code>Boolean</code> flag. The

     *         boolean value will be <code>false</code> in case the max access

     *         rate for this method has been exceeded and a time out has

     *         occurred. Other internal error states are intentionally hidden to

     *         avoid leaking of information on the existence of users (see above

     *         link to the Forgot_Password_Cheat_Sheet).

     * @throws PasswordResetException

     */

    ListenableFuture<Boolean> resetPassword(String token, String newPassword) throws PasswordResetException;

}

/**

* Copyright (C) 2021 EDIT

* European Distributed Institute of Taxonomy

* http://www.e-taxonomy.eu

*

* The contents of this file are subject to the Mozilla Public License Version 1.1

* See LICENSE.TXT at the top of this package for the full license terms.

*/

package eu.etaxonomy.cdm.api.service.security;

/**

 * @author a.kohlbecker

 * @since Nov 3, 2021

 */

public class PasswordResetException extends Exception {

    private static final long serialVersionUID = -2154469325094431262L;

    public PasswordResetException(String message, Throwable cause) {

        super(message, cause);

    }

    public PasswordResetException(String message) {

        super(message);

    }

}

/**

* Copyright (C) 2021 EDIT

* European Distributed Institute of Taxonomy

* http://www.e-taxonomy.eu

*

* The contents of this file are subject to the Mozilla Public License Version 1.1

* See LICENSE.TXT at the top of this package for the full license terms.

*/

package eu.etaxonomy.cdm.api.service.security;

import java.time.Duration;

import java.util.HashMap;

import java.util.Map;

import java.util.Optional;

import javax.mail.internet.AddressException;

import javax.mail.internet.InternetAddress;

import org.apache.commons.collections4.map.HashedMap;

import org.apache.commons.text.StringSubstitutor;

import org.apache.log4j.Logger;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.core.env.Environment;

import org.springframework.dao.DataAccessException;

import org.springframework.mail.SimpleMailMessage;

import org.springframework.mail.javamail.JavaMailSender;

import org.springframework.scheduling.annotation.Async;

import org.springframework.scheduling.annotation.AsyncResult;

import org.springframework.security.core.userdetails.UsernameNotFoundException;

import org.springframework.stereotype.Service;

import org.springframework.transaction.annotation.Transactional;

import org.springframework.util.concurrent.ListenableFuture;

import com.google.common.util.concurrent.RateLimiter;

import eu.etaxonomy.cdm.api.config.CdmConfigurationKeys;

import eu.etaxonomy.cdm.api.config.SendEmailConfigurer;

import eu.etaxonomy.cdm.api.security.IPasswordResetTokenStore;

import eu.etaxonomy.cdm.api.security.PasswordResetRequest;

import eu.etaxonomy.cdm.api.service.IUserService;

import eu.etaxonomy.cdm.model.permission.User;

import eu.etaxonomy.cdm.persistence.dao.permission.IUserDao;

/**

 * @author a.kohlbecker

 * @since Oct 26, 2021

 */

@Service

@Transactional(readOnly = true)

public class PasswordResetService implements IPasswordResetService {

    private static final int RATE_LIMTER_TIMEOUT_SECONDS = 2;

    private static final double PERMITS_PER_SECOND = 0.3;

    private static Logger logger = Logger.getLogger(PasswordResetRequest.class);

    @Autowired

    private IUserDao userDao;

    @Autowired

    private IUserService userService;

    @Autowired

    private IPasswordResetTokenStore passwordResetTokenStore;

    @Autowired

    private JavaMailSender emailSender;

    @Autowired

    Environment env;

    RateLimiter emailResetToken_rateLimiter = RateLimiter.create(PERMITS_PER_SECOND);

    RateLimiter resetPassword_rateLimiter = RateLimiter.create(PERMITS_PER_SECOND);

    public static final String RESET_REQUEST_EMAIL_SUBJECT_TEMPLATE = "Your password reset request for ${userName}";

    public static final String RESET_REQUEST_EMAIL_BODY_TEMPLATE = "You are receiving this email because a password reset was requested for your account at the ${dataBase}"

            + " data base. If this was not initiated by you, please ignore this message."

            + ".\n Please click ${linkUrl} to reset your password";

    public static final String RESET_SUCCESS_EMAIL_SUBJECT_TEMPLATE = "Your password for ${userName} has been changed";

    public static final String RESET_SUCCESS_EMAIL_BODY_TEMPLATE = "The password of your account at the ${dataBase} data base has just been changed."

            + "If this was not initiated by you, please contact the adminitrator as soon as possible.";

    public static final String RESET_FAILED_EMAIL_SUBJECT_TEMPLATE = "Changing your password for ${userName} has failed";

    public static final String RESET_FAILED_EMAIL_BODY_TEMPLATE = "The attempt to change the password of your account at the ${dataBase} data base has failed."

            + "If this was not initiated by you, please contact the adminitrator as soon as possible.";

    /**

     * Create a request token and send it to the user via email.

     *

     * Must conform to the recommendations of <a href=

     * "https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html">

     * https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html</a>

     *

     * <ul>

     * <li>Hides internal processing time differences by sending the email

     * asynchronously</li>

     * <li>Access to the method is rate limited, see {@link #RATE_LIMIT}</li>

     * </ul>

     *

     * @param userNameOrEmail

     *            The user name or email address of the user requesting for a

     *            password reset.

     * @param passwordRequestFormUrlTemplate

     *            A template string for {@code String.format()} for the URL to

     *            the request form in which the user can enter the new password.

     *            The template string must contain one string placeholder

     *            {@code %s} for the request token string.

     * @return A <code>Future</code> for a <code>Boolean</code> flag. The

     *         boolean value will be <code>false</code> in case the max access

     *         rate for this method has been exceeded and a time out has

     *         occurred. Other internal error states are intentionally hidden to

     *         avoid leaking of information on the existence of users (see above

     *         link to the Forgot_Password_Cheat_Sheet).

     */

    @Override

    @Async

    public ListenableFuture<Boolean> emailResetToken(String userNameOrEmail, String passwordRequestFormUrlTemplate) {

        if (emailResetToken_rateLimiter.tryAcquire(Duration.ofSeconds(RATE_LIMTER_TIMEOUT_SECONDS))) {

            try {

                User user = findUser(userNameOrEmail);

                PasswordResetRequest resetRequest = passwordResetTokenStore.create(user);

                String passwordRequestFormUrl = String.format(passwordRequestFormUrlTemplate, resetRequest.getToken());

                Map<String, String> additionalValues = new HashMap<>();

                additionalValues.put("linkUrl", passwordRequestFormUrl);

                sendEmail(user.getEmailAddress(), user.getUsername(), RESET_REQUEST_EMAIL_SUBJECT_TEMPLATE, RESET_REQUEST_EMAIL_BODY_TEMPLATE,

                        additionalValues);

                logger.info("Password reset request for  " + userNameOrEmail + " has been send");

            } catch (UsernameNotFoundException e) {

                logger.warn("Password reset request for unknown user, cause: " + e.getMessage());

            }

            return new AsyncResult<Boolean>(true);

        } else {

            return new AsyncResult<Boolean>(false);

        }

    }

    /**

     * Uses the {@link StringSubstitutor} as simple template engine.

     * Below named values are automatically resoved, more can be added via the

     * <code>valuesMap</code> parameter.

     *

     * @param userEmail

     *  The TO-address

     * @param userName

     *  Used to set the value for <code>${userName}</code>

     * @param subjectTemplate

     *  A {@link StringSubstitutor} template for the email subject

     * @param bodyTemplate

     *  A {@link StringSubstitutor} template for the email body

     * @param additionalValuesMap

     *  Additional named values for to be replaced in the template strings.

     */

    public void sendEmail(String userEmail, String userName, String subjectTemplate, String bodyTemplate, Map<String, String> additionalValuesMap) {

        String from = env.getProperty(SendEmailConfigurer.FROM_ADDRESS);

        String dataSourceBeanId = env.getProperty(CdmConfigurationKeys.CDM_DATA_SOURCE_ID);

        if(additionalValuesMap == null) {

            additionalValuesMap = new HashedMap<>();

        }

        additionalValuesMap.put("userName", userName);

        additionalValuesMap.put("dataBase", dataSourceBeanId);

        StringSubstitutor substitutor = new StringSubstitutor(additionalValuesMap);

        // TODO use MimeMessages for better email layout?

        // TODO user Thymeleaf instead for HTML support?

        SimpleMailMessage message = new SimpleMailMessage();

        message.setFrom(from);

        message.setTo(userEmail);

        message.setSubject(substitutor.replace(subjectTemplate));

        message.setText(substitutor.replace(bodyTemplate));

        emailSender.send(message);

    }

    /**

     *

     * @param userNameOrEmail

     * @return

     */

    protected User findUser(String userNameOrEmail) throws UsernameNotFoundException, EmailAddressNotFoundException {

        User user;

        try {

            InternetAddress emailAddr = new InternetAddress(userNameOrEmail);

            emailAddr.validate();

            user = userDao.findByEmailAddress(userNameOrEmail);

            if (user == null) {

                throw new EmailAddressNotFoundException(

                        "No user with the email address'" + userNameOrEmail + "' found.");

            }

        } catch (AddressException ex) {

            user = userDao.findUserByUsername(userNameOrEmail);

            if (user == null) {

                throw new UsernameNotFoundException("No user with the user name: '" + userNameOrEmail + "' found.");

            }

        }

        return user;

    }

    /**

     *

     * @param token

     *            the token string

     * @param newPassword

     *            The new password to set

     * @return A <code>Future</code> for a <code>Boolean</code> flag. The

     *         boolean value will be <code>false</code> in case the max access

     *         rate for this method has been exceeded and a time out has

     *         occurred. Other internal error states are intentionally hidden to

     *         avoid leaking of information on the existence of users (see above

     *         link to the Forgot_Password_Cheat_Sheet).

     * @throws PasswordResetException

     */

    @Override

    @Async

    public ListenableFuture<Boolean> resetPassword(String token, String newPassword) throws PasswordResetException {

        if (resetPassword_rateLimiter.tryAcquire(Duration.ofSeconds(RATE_LIMTER_TIMEOUT_SECONDS))) {

            Optional<PasswordResetRequest> resetRequest = passwordResetTokenStore.findResetRequest(token);

            if (resetRequest.isPresent()) {

                try {

                    userService.changePasswordForUser(resetRequest.get().getUserName(), newPassword);

                    sendEmail(resetRequest.get().getUserEmail(), resetRequest.get().getUserName(), RESET_SUCCESS_EMAIL_SUBJECT_TEMPLATE, RESET_SUCCESS_EMAIL_BODY_TEMPLATE, null);

                    return new AsyncResult<Boolean>(true);

                } catch (DataAccessException | UsernameNotFoundException e) {

                    logger.error("Failed to change password of User " + resetRequest.get().getUserName(), e);

                    sendEmail(resetRequest.get().getUserEmail(), resetRequest.get().getUserName(), RESET_FAILED_EMAIL_SUBJECT_TEMPLATE, RESET_FAILED_EMAIL_BODY_TEMPLATE, null);

                }

            } else {

                throw new PasswordResetException("Invalid password reset token");

            }

        }

        return new AsyncResult<Boolean>(false);

    }

}

/**

* Copyright (C) 2021 EDIT

* European Distributed Institute of Taxonomy

* http://www.e-taxonomy.eu

*

* The contents of this file are subject to the Mozilla Public License Version 1.1

* See LICENSE.TXT at the top of this package for the full license terms.

*/

package eu.etaxonomy.cdm.api.security;

import static org.junit.Assert.assertEquals;

import static org.junit.Assert.assertFalse;

import static org.junit.Assert.assertTrue;

import java.io.FileNotFoundException;

import java.util.Optional;

import org.junit.Before;

import org.junit.Test;

import org.unitils.database.annotations.Transactional;

import org.unitils.database.util.TransactionMode;

import org.unitils.spring.annotation.SpringBeanByType;

import eu.etaxonomy.cdm.model.permission.User;

import eu.etaxonomy.cdm.test.integration.CdmTransactionalIntegrationTest;

/**

 * @author a.kohlbecker

 * @since Nov 5, 2021

 */

@Transactional(TransactionMode.DISABLED)

public class PasswordResetTokenStoreTest extends CdmTransactionalIntegrationTest {

    private static final String USER_EMAIL = "dummy@cybertaxonomy.test";

    private static final String USER_PWD = "dummy123";

    private static final String USER_NAME = "dummy";

    @SpringBeanByType

    private IPasswordResetTokenStore passwordResetTokenStore;

    private User testUser;

    @Before

    public void reset() {

        passwordResetTokenStore.setTokenLifetimeMinutes(IPasswordResetTokenStore.TOKEN_LIFETIME_MINUTES_DEFAULT);

        testUser = User.NewInstance(USER_NAME, USER_PWD);

        testUser.setEmailAddress(USER_EMAIL);

    }

    @Test

    public void testTokenStillValid() {

        String token = passwordResetTokenStore.create(testUser).getToken();

        assertTrue(passwordResetTokenStore.isEligibleToken(token));

        Optional<PasswordResetRequest> resetRequest = passwordResetTokenStore.findResetRequest(token);

        assertTrue(resetRequest.isPresent());

        assertEquals(USER_NAME, resetRequest.get().getUserName());

        assertEquals(USER_EMAIL, resetRequest.get().getUserEmail());

        assertEquals(token, resetRequest.get().getToken());

    }

    @Test

    public void testTokenExpired() {

        passwordResetTokenStore.setTokenLifetimeMinutes(-10);

        String token = passwordResetTokenStore.create(testUser).getToken();

        assertFalse(passwordResetTokenStore.isEligibleToken(token));

        Optional<PasswordResetRequest> resetRequest = passwordResetTokenStore.findResetRequest(token);

        assertTrue(!resetRequest.isPresent());

    }

    @Test

    public void testTokenUnknown() {

        String unknownToken = "un-known-token";

        assertFalse(passwordResetTokenStore.isEligibleToken(unknownToken));

        Optional<PasswordResetRequest> resetRequest = passwordResetTokenStore.findResetRequest(unknownToken);

        assertTrue(!resetRequest.isPresent());

    }

    @Test

    public void testTokenNull() {

        String nullToken = null;

        assertFalse(passwordResetTokenStore.isEligibleToken(nullToken));

        Optional<PasswordResetRequest> resetRequest = passwordResetTokenStore.findResetRequest(nullToken);

        assertTrue(!resetRequest.isPresent());

    }

    @Test

    public void testTokenRemove() {

        String token = passwordResetTokenStore.create(testUser).getToken();

        assertTrue(passwordResetTokenStore.isEligibleToken(token));

        Optional<PasswordResetRequest> resetRequest = passwordResetTokenStore.findResetRequest(token);

        assertTrue(resetRequest.isPresent());

        passwordResetTokenStore.remove(token);

        resetRequest = passwordResetTokenStore.findResetRequest(token);

        assertFalse("Expecing false since the token has been removed", resetRequest.isPresent());

    }

    @Override

    public void createTestDataSet() throws FileNotFoundException {

        // NO DATA NEEDED

    }

}

/**

* Copyright (C) 2021 EDIT

* European Distributed Institute of Taxonomy

* http://www.e-taxonomy.eu

*

* The contents of this file are subject to the Mozilla Public License Version 1.1

* See LICENSE.TXT at the top of this package for the full license terms.

*/

package eu.etaxonomy.cdm.api.service.security;

import static org.junit.Assert.assertEquals;

import static org.junit.Assert.assertNotNull;

import static org.junit.Assert.assertTrue;

import java.io.FileNotFoundException;

import java.util.concurrent.CountDownLatch;

import java.util.regex.Matcher;

import java.util.regex.Pattern;

import javax.mail.internet.MimeMessage;

import org.junit.After;

import org.junit.Before;

import org.junit.Test;

import org.springframework.mail.javamail.JavaMailSender;

import org.springframework.util.concurrent.ListenableFuture;

import org.subethamail.wiser.Wiser;

import org.subethamail.wiser.WiserMessage;

import org.unitils.dbunit.annotation.DataSet;

import org.unitils.spring.annotation.SpringBeanByType;

import eu.etaxonomy.cdm.api.security.IPasswordResetTokenStore;

import eu.etaxonomy.cdm.api.security.PasswordResetTokenStore;

import eu.etaxonomy.cdm.api.service.IUserService;

import eu.etaxonomy.cdm.model.permission.User;

import eu.etaxonomy.cdm.test.unitils.CleanSweepInsertLoadStrategy;

/**

 * @author a.kohlbecker

 * @since Nov 8, 2021

 */

public class PasswordResetServiceTest extends eu.etaxonomy.cdm.test.integration.CdmTransactionalIntegrationTest {

    private static final String userName = "pwdResetTestUser";

    private static final String userPWD = "super_SECURE_123";

    private static final String newPWD = "NEW_123_new_456";

    private static final String userEmail = "pwdResetTestUser@cybertaxonomy.test";

    private static String base64UrlSaveCharClass = "[a-zA-Z0-9\\-_]";

    private static final String requestFormUrlTemplate = "http://cybertaxonomy.test/passwordReset?userName={%s}&sessID=f8d8sf8dsf";

    @SpringBeanByType

    private IUserService userService;

    @SpringBeanByType

    private IPasswordResetService passwordResetService;

    @SpringBeanByType

    private IPasswordResetTokenStore passwordResetTokenStore;

    @SpringBeanByType

    private JavaMailSender emailSender;

    private Wiser wiser = null;

    CountDownLatch resetTokenSendSignal;

    CountDownLatch passwordChangedSignal;

    Throwable assyncError = null;

    @Before

    public void startEmailServer() {

        wiser = new Wiser();

        wiser.setPort(2500); // Default is 25

        wiser.start();

    }

    @Before

    public void createUser() {

        User user = User.NewInstance(userName, userPWD);

        user.setEmailAddress(userEmail);

        userService.save(user);

        commitAndStartNewTransaction();

        // printDataSet(System.err, "User");

    }

    @After

    public void removeUser() {

        userService.deleteUser(userName);

        userService.getSession().flush();

        commitAndStartNewTransaction();

    }

    @After

    public void stopEmailServer() {

        wiser.stop();

    }

    @Test

    @DataSet(loadStrategy = CleanSweepInsertLoadStrategy.class, value="/eu/etaxonomy/cdm/database/ClearDBDataSet.xml")

    public void testSuccessfulEmailReset() throws Throwable {

        // printDataSet(System.err, "UserAccount");

        resetTokenSendSignal = new CountDownLatch(1);

        passwordChangedSignal = new CountDownLatch(1);

        ListenableFuture<Boolean> emailResetFuture = passwordResetService.emailResetToken(userName, requestFormUrlTemplate);

        emailResetFuture.addCallback(

                requestSuccessVal -> {

                    resetTokenSendSignal.countDown();

                }, futureException -> {

                    assyncError = futureException;

                    resetTokenSendSignal.countDown();

                });

        // -- wait for passwordResetService.emailResetToken() to complete

        resetTokenSendSignal.await();

        if(assyncError != null) {

            throw assyncError;

        }

        assertNotNull(emailResetFuture.get());

        assertEquals(1, wiser.getMessages().size());

        // -- read email message

        WiserMessage requestMessage = wiser.getMessages().get(0);

        MimeMessage requestMimeMessage = requestMessage.getMimeMessage();

        assertEquals(PasswordResetService.RESET_REQUEST_EMAIL_SUBJECT_TEMPLATE.replace("${userName}", userName), requestMimeMessage.getSubject());

        String messageContent = requestMimeMessage.getContent().toString();

        // -- extract token

        Pattern pattern = Pattern.compile("=\\{(" + base64UrlSaveCharClass + "+)\\}");

        Matcher m = pattern.matcher(messageContent);

        assertTrue(m.find());

        assertEquals(PasswordResetTokenStore.TOKEN_LENGTH + 17, m.group(1).length());

        // -- change password

        ListenableFuture<Boolean> resetPasswordFuture = passwordResetService.resetPassword( m.group(1), newPWD);

        resetPasswordFuture.addCallback(requestSuccessVal -> {

            passwordChangedSignal.countDown();

        }, futureException -> {

            assyncError =  futureException;

            passwordChangedSignal.countDown();

        });

        // -- wait for passwordResetService.resetPassword to complete

        passwordChangedSignal.await();

        assertTrue(resetPasswordFuture.get());

        assertEquals(2, wiser.getMessages().size());

        WiserMessage successMessage = wiser.getMessages().get(1);

        MimeMessage successMimeMessage = successMessage.getMimeMessage();

        assertEquals(PasswordResetService.RESET_SUCCESS_EMAIL_SUBJECT_TEMPLATE.replace("${userName}", userName), successMimeMessage.getSubject());

    }

    @Override

    public void createTestDataSet() throws FileNotFoundException {

        // not needed

    }

}

mail.int-test-server: wiser

# ===========================================================

# in production environmens this propery is set in cdm-remote

# however it is not set in cdm-service and needs to be set 

# for the PasswordResetServiceTest

#

# explitely different name than for the unitils database

# to make this property better findable

cdm.dataSource.id: cdm-tests-db

        <!-- Email functionality (used in cdmlib-services) -->

      <dependency>

        <!-- only needed for PasswordResetService, may be replaced by Thymeleaf -->

        <groupId>org.apache.commons</groupId>

        <artifactId>commons-text</artifactId>

        <version>1.9</version>

    </dependency>