feat(core.identity): Added new method for verify password against the identity name (#5949)

* Added new method for verify password against the identity name

* Fixed copyright

* Fixed copyright

* Reverted

* Fixed since tag location

* Update kura/org.eclipse.kura.api/src/main/java/org/eclipse/kura/identity/PasswordStrengthVerificationService.java

Co-authored-by: Matteo Maiero <[email protected]>

* Added empty check

* checkstyle fix

* Password is not stored as string in validateNewPassword

* Added ignore case to the new validator

* Update kura/org.eclipse.kura.core.identity/src/main/java/org/eclipse/kura/core/identity/PasswordStrengthVerificationServiceImpl.java

Co-authored-by: Matteo Maiero <[email protected]>

* Update kura/test/org.eclipse.kura.core.identity.test/src/main/java/org/eclipse/kura/core/identity/test/PasswordStrengthVerificationServiceImplTest.java

Co-authored-by: Matteo Maiero <[email protected]>

* Removed requireNoWhitespaceCharacters
Added null check on validateNewPassword

* Fixed Typo

Signed-off-by: MMaiero <[email protected]>

* Additional typo fix

Signed-off-by: MMaiero <[email protected]>

---------

Signed-off-by: MMaiero <[email protected]>
Co-authored-by: Matteo Maiero <[email protected]>

Author: salvatore-coppola

kura/org.eclipse.kura.api/src/main/java/org/eclipse/kura/identity/PasswordStrengthVerificationService.java

@@ -1,12 +1,12 @@
 /*******************************************************************************
- * Copyright (c) 2024 Eurotech and/or its affiliates and others
- * 
+ * Copyright (c) 2024, 2025 Eurotech and/or its affiliates and others
+ *
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
- * 
+ *
  * SPDX-License-Identifier: EPL-2.0
- * 
+ *
  * Contributors:
  *  Eurotech
  ******************************************************************************/
@@ -29,19 +29,39 @@ public interface PasswordStrengthVerificationService {
      * Checks whether the provided password satisfies the password strength
      * requirements currently configured on the system.
      * 
-     * @param password the password to be verified.
-     * @throws KuraException if the password does not satisfy the current password
-     *                       strength requirements.
+     * @param password
+     *            the password to be verified.
+     * @throws KuraException
+     *             if the password does not satisfy the current password
+     *             strength requirements.
      */
     public void checkPasswordStrength(final char[] password) throws KuraException;
 
+    /**
+     * Similar to {@link #checkPasswordStrength(char[])} checks whether
+     * the provided password satisfies the password strength requirements currently configured
+     * on the system and in addition verifies that the password
+     * does not match the identityName ignoring the characters case.
+     * 
+     * @param identityName
+     *            the name of the identity
+     * @param password
+     *            the password to be verified.
+     * @since 3.0
+     * @throws KuraException
+     *             if the password does not satisfy the current password
+     *             strength requirements.
+     */
+    public void checkPasswordStrength(String identityName, final char[] password) throws KuraException;
+
     /**
      * Returns the password strength requirements that the framework should enforce
      * for new passwords.
      * 
      * @return the password strength requirements.
-     * @throws KuraException if a failure occurs while retrieving the password
-     *                       strength requirements.
+     * @throws KuraException
+     *             if a failure occurs while retrieving the password
+     *             strength requirements.
      */
     public PasswordStrengthRequirements getPasswordStrengthRequirements() throws KuraException;
 }

kura/org.eclipse.kura.core.identity/src/main/java/org/eclipse/kura/core/identity/IdentityServiceImpl.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2024 Eurotech and/or its affiliates and others
+ * Copyright (c) 2024, 2025 Eurotech and/or its affiliates and others
  *
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
@@ -441,7 +441,8 @@ private void validatePasswordConfiguration(final IdentityConfiguration identityC
 
         if (newPassword.isPresent()) {
 
-            ValidationUtil.validateNewPassword(newPassword.get(), passwordStrengthVerificationService);
+            ValidationUtil.validateNewPassword(identityConfiguration.getName(), newPassword.get(),
+                    passwordStrengthVerificationService);
 
         } else if (!this.userAdminHelper.getUser(identityConfiguration.getName())
                 .filter(u -> u.getCredentials().get(PASSWORD_PROPERTY) != null).isPresent()) {

kura/org.eclipse.kura.core.identity/src/main/java/org/eclipse/kura/core/identity/PasswordStrengthVerificationServiceImpl.java

@@ -57,14 +57,31 @@ public PasswordStrengthRequirements getPasswordStrengthRequirements() {
 
     @Override
     public void checkPasswordStrength(char[] password) throws KuraException {
-        final PasswordStrengthRequirements currentRequirements = getPasswordStrengthRequirements();
+        List<Validator<String>> validators = buildValidators(null);
+        checkPasswordStrength(password, validators);
+    }
+
+    @Override
+    public void checkPasswordStrength(String identityName, char[] password) throws KuraException {
+        List<Validator<String>> validators = buildValidators(identityName);
+        checkPasswordStrength(password, validators);
+    }
 
-        ValidatorOptions validatorOptions = new ValidatorOptions(currentRequirements.getPasswordMinimumLength(),
-                currentRequirements.digitsRequired(), currentRequirements.bothCasesRequired(),
+    private List<Validator<String>> buildValidators(String identityName) {
+        PasswordStrengthRequirements currentRequirements = getPasswordStrengthRequirements();
+        ValidatorOptions validatorOptions = new ValidatorOptions(currentRequirements.getPasswordMinimumLength(), //
+                currentRequirements.digitsRequired(), //
+                currentRequirements.bothCasesRequired(), //
                 currentRequirements.specialCharactersRequired());
 
-        final List<Validator<String>> validators = PasswordStrengthValidators.fromConfig(validatorOptions);
+        List<Validator<String>> validators = new ArrayList<>(PasswordStrengthValidators.fromConfig(validatorOptions));
+        if (identityName != null && !identityName.trim().isEmpty()) {
+            validators.add(PasswordStrengthValidators.requireDifferentNameAndPassword(identityName));
+        }
+        return validators;
+    }
 
+    private void checkPasswordStrength(char[] password, List<Validator<String>> validators) throws KuraException {
         final List<String> errors = new ArrayList<>();
 
         for (final Validator<String> validator : validators) {

kura/org.eclipse.kura.core.identity/src/main/java/org/eclipse/kura/core/identity/ValidationUtil.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2024 Eurotech and/or its affiliates and others
+ * Copyright (c) 2024, 2025 Eurotech and/or its affiliates and others
  *
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
@@ -33,19 +33,30 @@ private ValidationUtil() {
 
     public static void validateNewPassword(final char[] password,
             final PasswordStrengthVerificationService passwordStrengthVerificationService) throws KuraException {
-        if (password.length == 0) {
+        if (password == null || password.length == 0) {
             throw new KuraException(KuraErrorCode.INVALID_PARAMETER, "New password cannot be empty");
         }
 
-        final String asString = new String(password);
+        requireMaximumLength(NEW_PASSWORD, password, 255);
 
-        requireMaximumLength(NEW_PASSWORD, asString, 255);
-
-        requireNoWhitespaceCharacters(NEW_PASSWORD, asString);
+        requireNoWhitespaceCharacters(NEW_PASSWORD, password);
 
         passwordStrengthVerificationService.checkPasswordStrength(password);
     }
 
+    public static void validateNewPassword(String identityName, final char[] password,
+            final PasswordStrengthVerificationService passwordStrengthVerificationService) throws KuraException {
+        if (password == null || password.length == 0) {
+            throw new KuraException(KuraErrorCode.INVALID_PARAMETER, "New password cannot be empty");
+        }
+
+        requireMaximumLength(NEW_PASSWORD, password, 255);
+
+        requireNoWhitespaceCharacters(NEW_PASSWORD, password);
+
+        passwordStrengthVerificationService.checkPasswordStrength(identityName, password);
+    }
+
     public static void validateNewIdentityName(final String identityName) throws KuraException {
         requireMinimumLength(IDENTITY_NAME, identityName, 3);
 
@@ -79,10 +90,18 @@ private static void requireMaximumLength(final String parameterName, final Strin
         }
     }
 
-    private static void requireNoWhitespaceCharacters(final String parameterName, final String value)
+    private static void requireMaximumLength(final String parameterName, final char[] value, final int length)
+            throws KuraException {
+        if (value.length > length) {
+            throw new KuraException(KuraErrorCode.INVALID_PARAMETER,
+                    parameterName + " must be at most " + length + " characters long");
+        }
+    }
+
+    private static void requireNoWhitespaceCharacters(final String parameterName, final char[] value)
             throws KuraException {
-        for (int i = 0; i < value.length(); i++) {
-            if (Character.isWhitespace(value.codePointAt(i))) {
+        for (int i = 0; i < value.length; i++) {
+            if (Character.isWhitespace(value[i])) {
                 throw new KuraException(KuraErrorCode.INVALID_PARAMETER,
                         parameterName + " cannot contain whitespace characters");
             }

kura/org.eclipse.kura.util/src/main/java/org/eclipse/kura/util/validation/PasswordStrengthValidators.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2023 Eurotech and/or its affiliates and others
+ * Copyright (c) 2023, 2025 Eurotech and/or its affiliates and others
  *
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
@@ -80,6 +80,12 @@ private static Validator<String> containsBothCases(final Messages messages) {
         };
     }
 
+    public static Validator<String> requireDifferentNameAndPassword(final String identityName) {
+
+        return new PredicateValidator(v -> !v.equalsIgnoreCase(identityName),
+                new DefaultMessages().pwdNotEqualsUsername());
+    }
+
     public interface Messages {
 
         public String pwdStrengthDigitsRequired();
@@ -89,6 +95,8 @@ public interface Messages {
         public String pwdStrengthBothCasesRequired();
 
         public String pwdStrengthMinLength(final int value);
+
+        public String pwdNotEqualsUsername();
     }
 
     private static class DefaultMessages implements Messages {
@@ -112,6 +120,11 @@ public String pwdStrengthBothCasesRequired() {
         public String pwdStrengthMinLength(final int value) {
             return "Password length must be at least " + value + " characters";
         }
+
+        @Override
+        public String pwdNotEqualsUsername() {
+            return "The identity name cannot be the same as the password";
+        }
     }
 
 }

kura/test/org.eclipse.kura.core.identity.test/src/main/java/org/eclipse/kura/core/identity/test/IdentityServiceImplTest.java

@@ -348,7 +348,7 @@ public void shouldRemoveUserPassword() {
     @Test
     public void shouldSetNeedPasswordChange() {
         givenUserAdminUsers("kura.user.foo");
-        givenPasswordStrenghtVerificationOptions("new.password.min.length", 8, "new.password.require.digits", false,
+        givenPasswordStrengthVerificationOptions("new.password.min.length", 8, "new.password.require.digits", false,
                 "new.password.require.special.characters", false, "new.password.require.both.cases", false);
 
         whenIdentityConfigurationIsUpdated(new IdentityConfiguration("foo", singletonList(
@@ -363,7 +363,7 @@ public void shouldSetNeedPasswordChange() {
     public void shouldUnsetNeedPasswordChange() {
         givenUserAdminUsers("kura.user.foo");
         givenUserAdminProperty("kura.user.foo", "kura.need.password.change", "true");
-        givenPasswordStrenghtVerificationOptions("new.password.min.length", 8, "new.password.require.digits", false,
+        givenPasswordStrengthVerificationOptions("new.password.min.length", 8, "new.password.require.digits", false,
                 "new.password.require.special.characters", false, "new.password.require.both.cases", false);
 
         whenIdentityConfigurationIsUpdated(new IdentityConfiguration("foo", singletonList(
@@ -507,10 +507,20 @@ public void shouldNotAllowPasswordContainingTab() {
         thenExceptionIsThrown(KuraException.class);
     }
 
+    @Test
+    public void shouldNotAllowPasswordEqualsToIdentityName() {
+        givenUserAdminUsers("kura.user.foo");
+
+        whenIdentityConfigurationIsUpdated(new IdentityConfiguration("foo", singletonList(
+                new PasswordConfiguration(false, true, Optional.of("foo".toCharArray()), Optional.empty()))));
+
+        thenExceptionIsThrown(KuraException.class);
+    }
+
     @Test
     public void shouldAllow255CharsPassword() {
         givenUserAdminUsers("kura.user.foo");
-        givenPasswordStrenghtVerificationOptions("new.password.min.length", 8, "new.password.require.digits", false,
+        givenPasswordStrengthVerificationOptions("new.password.min.length", 8, "new.password.require.digits", false,
                 "new.password.require.special.characters", false, "new.password.require.both.cases", false);
 
         whenIdentityConfigurationIsUpdated(new IdentityConfiguration("foo", singletonList(
@@ -522,7 +532,7 @@ public void shouldAllow255CharsPassword() {
     @Test
     public void shouldNotAllowTooLongPassword() {
         givenUserAdminUsers("kura.user.foo");
-        givenPasswordStrenghtVerificationOptions("new.password.min.length", 8, "new.password.require.digits", false,
+        givenPasswordStrengthVerificationOptions("new.password.min.length", 8, "new.password.require.digits", false,
                 "new.password.require.special.characters", false, "new.password.require.both.cases", false);
 
         whenIdentityConfigurationIsUpdated(new IdentityConfiguration("foo", singletonList(
@@ -533,7 +543,7 @@ public void shouldNotAllowTooLongPassword() {
 
     @Test
     public void shouldNotAllowPasswordNotSatisfyingPasswordStrengthRequirements() {
-        givenPasswordStrenghtVerificationOptions("new.password.min.length", 3, "new.password.require.digits", false,
+        givenPasswordStrengthVerificationOptions("new.password.min.length", 3, "new.password.require.digits", false,
                 "new.password.require.special.characters", false, "new.password.require.both.cases", false);
         givenUserAdminUsers("kura.user.foo");
 

kura/test/org.eclipse.kura.core.identity.test/src/main/java/org/eclipse/kura/core/identity/test/IdentityServiceTestBase.java

@@ -31,7 +31,7 @@ public abstract class IdentityServiceTestBase {
 
     private final ConfigurationService configurationService;
 
-    protected void givenPasswordStrenghtVerificationOptions(final Object... values) {
+    protected void givenPasswordStrengthVerificationOptions(final Object... values) {
 
         final Iterator<Object> iter = Arrays.asList(values).iterator();