#28: update - check credentialsExpired during login

admin-tools-security/admin-tools-security-dbuser/README.md

@@ -2,12 +2,12 @@
 > Integrates Spring Security and overrides the menu to use admintool.*.securityRoles to check if menu entries could be shown
 
 ## Features
-* `simple user view`: a view where you can manage user states, passwords and roles and add new users(since 1.1.5)
+* `database user view`: a view where you can manage user states, passwords and roles and add new users(since 1.2.0)
 
 ![Preview image](doc/screen_userview_org.png?raw=true "AdminTool User-View UI")
 
 ## Introduced with
-* admin-tools-core:1.1.7
+* admin-tools-core:1.2.0
 
 ## Requirements, Dependencies
 * spring-framework (core, security, spring-data, spring-mvc)
@@ -16,17 +16,17 @@
 
 
 ## Usage
-Until version 1.1.7 the following dependencies must be used. 
+Until version 1.2.0 the following dependencies must be used. 
 ```xml
 <dependency>
 	<groupId>de.chandre.admin-tools</groupId>
 	<artifactId>admin-tools-core</artifactId>
-	<version>1.1.7</version>
+	<version>1.2.0</version>
 </dependency>
 <dependency>
 	<groupId>de.chandre.admin-tools.security</groupId>
 	<artifactId>admin-tools-security-dbuser</artifactId>
-	<version>1.1.7</version>
+	<version>1.2.0</version>
 </dependency>
 ```
 
@@ -99,7 +99,7 @@ public class SecurityBeans {
 ```
 
 ### Security-Config
-This is just an example configuration, role names depending on your own!
+This is just an example configuration, role names for your own modules depending on your own!
 
 ```java
 @EnableWebSecurity

admin-tools-security/admin-tools-security-dbuser/src/main/java/de/chandre/admintool/security/dbuser/ATSecDBAdminUserCreator.java

@@ -12,8 +12,10 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.util.CollectionUtils;
 
 import de.chandre.admintool.core.sec.ATInitRole;
+import de.chandre.admintool.core.ui.ATError;
 import de.chandre.admintool.security.dbuser.domain.ATRole;
 import de.chandre.admintool.security.dbuser.domain.ATUser;
 import de.chandre.admintool.security.dbuser.domain.ATUserGroup;
@@ -59,12 +61,11 @@ public void createOrUpdateAdminUserAndGroup(String username, String password, St
 		if (StringUtils.isEmpty(username)) {
 			LOGGER.info("set admin username to: admin");
 			username = "admin";
-		} else {
-			user = userDetailsService.getUser(username);
 		}
+		user = userDetailsService.getUser(username);
 		if (null == user && StringUtils.isEmpty(password)) {
 			LOGGER.info("set admin password to: admin");
-			username = "admin";
+			password = "admin";
 		}
 		if (null == user && null == locale) locale = Locale.getDefault();
 		if (null == user && null == timeZone) timeZone = TimeZone.getDefault();
@@ -94,11 +95,15 @@ public void createOrUpdateAdminUserAndGroup(String username, String password, St
 		}
 
 		LOGGER.info("addRolesIfNotExists");
-		roleService.addRolesIfNotExists(new HashSet<>(roles.getRoles()));
-		Set<String> allAccessMgmtRoleNames = roles.getRoles().stream().map(ATInitRole::getNamePrefixed).collect(Collectors.toSet());
-
+		Set<ATError> errors = roleService.addRolesIfNotExists(new HashSet<>(roles.getRoles()));
+		if (!CollectionUtils.isEmpty(errors)) {
+			for (ATError atError : errors) {
+				LOGGER.error(atError.getKey() + ": " + atError.getMessage());
+			}
+		}
 		List<ATRole> assignableRoles = null;
 		if (onlyAccessManagementRoles) {
+			Set<String> allAccessMgmtRoleNames = roles.getRoles().stream().map(ATInitRole::getNamePrefixed).collect(Collectors.toSet());
 			assignableRoles = roleRepository.findByNameIn(allAccessMgmtRoleNames);
 		} else {
 			assignableRoles = roleRepository.findAll();
@@ -113,21 +118,30 @@ public void createOrUpdateAdminUserAndGroup(String username, String password, St
 
 	private void createOrUpdateUser(ATUser user, String username, String password, String firstName, String lastName, 
 			Locale locale, TimeZone timeZone, Set<ATUserGroup> userGroupAd) {
+		boolean newUser = null == user;
 		if (null == user) {
 			LOGGER.info("creating user: " + username);
 			user = new ATUser(username, password);
 			user.setAccountExpiredSince(LocalDateTime.now());
 		} else {
 			LOGGER.info("updating user: " + username);
 		}
-		user.setFirstName(firstName);
-		user.setLastName(lastName);
-		user.setLocale(locale);
-		user.setTimeZone(timeZone);
+		if (null != firstName) {
+			user.setFirstName(firstName);
+		}
+		if (null != lastName) {
+			user.setLastName(lastName);
+		}
+		if (null != locale) {
+			user.setLocale(locale);
+		}
+		if (null != timeZone) {
+			user.setTimeZone(timeZone);
+		}
 		for (ATUserGroup atUserGroup : userGroupAd) {
 			user.getUserGroups().add(atUserGroup);
 		}
-		user = userDetailsService.saveUser(user, true);
+		user = userDetailsService.saveUser(user, newUser);
 	}
 
 	private ATUserGroup createOrUpdateGroup(String groupName, String displayName, String desc, boolean active, List<ATRole> roles) {

admin-tools-security/admin-tools-security-dbuser/src/main/java/de/chandre/admintool/security/dbuser/AdminToolSecDBProperties.java

@@ -136,9 +136,11 @@ public static class Users {
 		private boolean directPasswordChangeAllowed = true;
 		private boolean directPasswordChangeInProfileAllowed = true;
 
-		private String passwordHashPeriod = "P7D";
+		private String passwordHashPeriodStr = "P7D";
 
-		private String maxPasswordAge= "";
+		private String maxLoginAttemptPeriodStr = "P7D";
+
+		private String maxPasswordAgePeriodStr = "P3M";
 
 		public List<String> getAvailableLocales() {
 			return availableLocales;
@@ -194,13 +196,33 @@ public boolean isDirectPasswordChangeInProfileAllowed() {
 		public void setDirectPasswordChangeInProfileAllowed(boolean directPasswordChangeInProfileAllowed) {
 			this.directPasswordChangeInProfileAllowed = directPasswordChangeInProfileAllowed;
 		}
-		public void setPasswordHashPeriod(String passwordHashPeriod) {
-			this.passwordHashPeriod = passwordHashPeriod;
+		public String getPasswordHashPeriodStr() {
+			return passwordHashPeriodStr;
+		}
+		public void setPasswordHashPeriodStr(String passwordHashPeriodStr) {
+			this.passwordHashPeriodStr = passwordHashPeriodStr;
+		}
+		public String getMaxLoginAttemptPeriodStr() {
+			return maxLoginAttemptPeriodStr;
+		}
+		public void setMaxLoginAttemptPeriodStr(String maxLoginAttemptPeriodStr) {
+			this.maxLoginAttemptPeriodStr = maxLoginAttemptPeriodStr;
+		}
+		public String getMaxPasswordAgePeriodStr() {
+			return maxPasswordAgePeriodStr;
+		}
+		public void setMaxPasswordAgePeriodStr(String maxPasswordAgePeriodStr) {
+			this.maxPasswordAgePeriodStr = maxPasswordAgePeriodStr;
 		}
 		public Period getPasswordHashPeriod() {
-			return Period.parse(passwordHashPeriod);
+			return null != this.passwordHashPeriodStr ? Period.parse(this.passwordHashPeriodStr) : null;
+		}
+		public Period getMaxLoginAttemptPeriod() {
+			return null != this.maxLoginAttemptPeriodStr ? Period.parse(this.maxLoginAttemptPeriodStr) : null;
+		}
+		public Period getMaxPasswordAgePeriod() {
+			return null != this.maxPasswordAgePeriodStr ? Period.parse(this.maxPasswordAgePeriodStr) : null;
 		}
-
 		@Override
 		public String toString() {
 			StringBuilder builder = new StringBuilder();
@@ -209,7 +231,9 @@ public String toString() {
 					.append(", lastName=").append(lastName).append(", email=").append(email).append(", phone=")
 					.append(phone).append(", directPasswordChangeAllowed=").append(directPasswordChangeAllowed)
 					.append(", directPasswordChangeInProfileAllowed=").append(directPasswordChangeInProfileAllowed)
-					.append(", passwordHashPeriod=").append(passwordHashPeriod).append("]");
+					.append(", passwordHashPeriodStr=").append(passwordHashPeriodStr)
+					.append(", maxLoginAttemptPeriodStr=").append(maxLoginAttemptPeriodStr)
+					.append(", maxPasswordAgePeriodStr=").append(maxPasswordAgePeriodStr).append("]");
 			return builder.toString();
 		}
 	}
@@ -329,7 +353,7 @@ public static class Validations {
 		private Pattern pattern;
 
 		@PostConstruct
-		private void init() {
+		public void init() {
 			if(minLength > 0 && minLength > maxLength) {
 				throw new IllegalArgumentException("The minLength of validation config should be smaller than or equals to maxLegth!");
 			}

admin-tools-security/admin-tools-security-dbuser/src/main/java/de/chandre/admintool/security/dbuser/domain/ATUser.java

@@ -244,7 +244,10 @@ public Locale getLocaleAsLocale() {
 	}
 
 	public void setLocale(Locale locale) {
-		this.locale = locale.toString();
+		if (null != locale) {
+			this.locale = locale.toString();
+		}
+		locale = null;
 	}
 
 	public void setLocale(String locale) {
@@ -266,7 +269,10 @@ public void setTimeZone(String timeZone) {
 	}
 
 	public void setTimeZone(TimeZone timeZone) {
-		this.timeZone = timeZone.getID();
+		if (null != timeZone) {
+			this.timeZone = timeZone.getID();
+		}
+		this.timeZone = null;
 	}
 
 	public void setTimeZone(ZoneId zoneId) {

admin-tools-security/admin-tools-security-dbuser/src/main/java/de/chandre/admintool/security/dbuser/service/AdminToolSecDBRoleServiceImpl.java

@@ -112,8 +112,10 @@ public Set<ATError> updateRole(AccessRelationTO accessRelationTO) {
 		ATRole role = getRole(StringUtils.trimToNull(accessRelationTO.getName()));
 		if (null == role) {
 			errors = new HashSet<>();
-			errors.add(new ATError(Constants.MSG_KEY_PREFIX + "role.notFound", 
-					validator.getMessageWithSuffix("notFound", null, "No user foud"), "name"));
+			errors.add(new ATError(Constants.MSG_KEY_PREFIX + "role.notFound",
+					validator.getMessageWithSuffix("notFound", new Object[] { accessRelationTO.getName() },
+							"No role found with name: " + accessRelationTO.getName()),
+					"name"));
 			return errors;
 		}
 		if (LOGGER.isDebugEnabled()) {
@@ -130,8 +132,10 @@ public Set<ATError> updateRole(AccessRelationTO accessRelationTO) {
 				saveRole(role);
 			} catch (Exception e) {
 				LOGGER.debug(e.getMessage(), e);
-				errors.add(new ATError(Constants.MSG_KEY_PREFIX + "role.save", 
-						validator.getMessageWithSuffix("save", null, "Exception during save"), "generic"));
+				errors.add(new ATError(Constants.MSG_KEY_PREFIX + "role.save",
+						validator.getMessageWithSuffix("save", new Object[] { accessRelationTO.getName() },
+								"Exception saving role: " + accessRelationTO.getName()),
+						"generic"));
 			}
 
 		}
@@ -144,7 +148,15 @@ public Set<ATError> addRole(String name, String displayName, String description,
 		role.setDisplayName(displayName);
 		role.setDescription(description);
 		role.setActive(active);
-		return addRole(role);
+		try {
+			return addRole(role);
+		} catch (Exception e) {
+			LOGGER.debug(e.getMessage(), e);
+			Set<ATError> errors = new HashSet<>();
+			errors.add(new ATError(Constants.MSG_KEY_PREFIX + "role.save", 
+					validator.getMessageWithSuffix("save", new Object[] {name}, "Exception saving role: " +name), "generic"));
+			return errors;
+		}
 	}
 
 	public Set<ATError> addRole(ATRole role) {

admin-tools-security/admin-tools-security-dbuser/src/main/java/de/chandre/admintool/security/dbuser/service/AdminToolSecDBUserDetailsService.java

@@ -6,6 +6,8 @@
 import de.chandre.admintool.core.ui.ATError;
 import de.chandre.admintool.security.commons.auth.AdminToolUserDetailsService;
 import de.chandre.admintool.security.commons.auth.UserTO;
+import de.chandre.admintool.security.dbuser.AdminToolSecDBProperties;
+import de.chandre.admintool.security.dbuser.AdminToolSecDBProperties.Users;
 import de.chandre.admintool.security.dbuser.Constants.CommunicationProcess;
 import de.chandre.admintool.security.dbuser.domain.ATUser;
 import de.chandre.admintool.security.dbuser.service.comm.SendException;
@@ -84,6 +86,19 @@ public interface AdminToolSecDBUserDetailsService extends AdminToolUserDetailsSe
 	 */
 	void resetPassword(String username, String password);
 
+	/**
+	 * returns all users assigned to userGroupName
+	 * @param userGroupId
+	 * @return
+	 */
 	List<ATUser> getUsersByUserGroupName(String userGroupId);
 
+	/**
+	 * checks if last password change ins older than now minus {@link Users#getPasswordHashPeriod()}.
+	 * set credentials expired to user if check results in true
+	 * @param user
+	 * @return
+	 */
+	ATUser checkIfPasswordExpired(ATUser user);
+
 }