1   /*
2    * Copyright (c) 2002-2025, City of Paris
3    * All rights reserved.
4    *
5    * Redistribution and use in source and binary forms, with or without
6    * modification, are permitted provided that the following conditions
7    * are met:
8    *
9    *  1. Redistributions of source code must retain the above copyright notice
10   *     and the following disclaimer.
11   *
12   *  2. Redistributions in binary form must reproduce the above copyright notice
13   *     and the following disclaimer in the documentation and/or other materials
14   *     provided with the distribution.
15   *
16   *  3. Neither the name of 'Mairie de Paris' nor 'Lutece' nor the names of its
17   *     contributors may be used to endorse or promote products derived from
18   *     this software without specific prior written permission.
19   *
20   * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21   * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22   * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23   * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
24   * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25   * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26   * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27   * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28   * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29   * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30   * POSSIBILITY OF SUCH DAMAGE.
31   *
32   * License 1.0
33   */
34  package fr.paris.lutece.portal.web.user;
35  
36  import java.security.SecureRandom;
37  import java.util.Date;
38  import java.util.List;
39  import java.util.Locale;
40  
41  import org.springframework.beans.factory.config.AutowireCapableBeanFactory;
42  import org.springframework.context.ApplicationContext;
43  import org.springframework.mock.web.MockHttpServletRequest;
44  
45  import fr.paris.lutece.portal.business.user.AdminUserDAO;
46  import fr.paris.lutece.portal.business.user.AdminUserHome;
47  import fr.paris.lutece.portal.business.user.PasswordUpdateMode;
48  import fr.paris.lutece.portal.business.user.authentication.LuteceDefaultAdminAuthentication;
49  import fr.paris.lutece.portal.business.user.authentication.LuteceDefaultAdminUser;
50  import fr.paris.lutece.portal.service.admin.AccessDeniedException;
51  import fr.paris.lutece.portal.service.admin.AdminUserService;
52  import fr.paris.lutece.portal.service.i18n.I18nService;
53  import fr.paris.lutece.portal.service.message.AdminMessage;
54  import fr.paris.lutece.portal.service.message.AdminMessageService;
55  import fr.paris.lutece.portal.service.security.SecurityTokenService;
56  import fr.paris.lutece.portal.service.spring.SpringContextService;
57  import fr.paris.lutece.portal.service.util.AppException;
58  import fr.paris.lutece.portal.web.constants.Messages;
59  import fr.paris.lutece.portal.web.constants.Parameters;
60  import fr.paris.lutece.test.LuteceTestCase;
61  import fr.paris.lutece.util.password.IPassword;
62  import fr.paris.lutece.util.password.IPasswordFactory;
63  
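/**
 * Tests of {@link AdminLoginJspBean}: the login action (CSRF token handling, disabled or
 * unknown accounts), the forgot-password action and the password-reset action.
 * <p>
 * Every test runs against a {@link LuteceDefaultAdminUser} inserted in {@link #setUp()} with
 * the clear-text password {@link #PASSWORD}; the user and its password history are deleted
 * again in {@link #tearDown()}, so the tests leave no account behind.
 */
public class AdminLoginJspBeanTest extends LuteceTestCase
{
    /** Password submitted by the reset tests; must differ from {@link #PASSWORD}. */
    private static final String NEW_PASSWORD = "password";
    /** Clear-text password of the user inserted in {@link #setUp()}. */
    private static final String PASSWORD = "Pa55word!";
    /** Action the login form's CSRF token is bound to. */
    private static final String LOGIN_TOKEN_ACTION = "admin/admin_login.html";
    /** Request parameter carrying the reset token timestamp, in milliseconds since the epoch. */
    private static final String PARAMETER_TS = "ts";
    /** Request parameter carrying the password reset token. */
    private static final String PARAMETER_TOKEN = "token";
    /** i18n key of the message displayed when a reset e-mail was sent. */
    private static final String MESSAGE_FORGOT_PASSWORD_SUCCESS = "portal.admin.message.admin_forgot_password.sendingSuccess";
    /** Admin user inserted in {@link #setUp()} and removed in {@link #tearDown()}. */
    private LuteceDefaultAdminUser user;

    @Override
    public void setUp( ) throws Exception
    {
        super.setUp( );

        // The reset tests tell "password unchanged" from "password changed" by checking which
        // of the two clear-text values matches, so they must not be equal.
        assertFalse( PASSWORD.equals( NEW_PASSWORD ) );

        // Random access code so that a leftover user from an aborted run cannot collide.
        String randomUsername = "user" + new SecureRandom( ).nextLong( );
        IPasswordFactory passwordFactory = SpringContextService.getBean( IPasswordFactory.BEAN_NAME );

        user = new LuteceDefaultAdminUser( randomUsername, new LuteceDefaultAdminAuthentication( ) );
        user.setPassword( passwordFactory.getPasswordFromCleartext( PASSWORD ) );
        user.setFirstName( randomUsername );
        user.setLastName( randomUsername );
        user.setEmail( randomUsername + "@lutece.fr" );
        getAdminUserDAO( ).insert( user );
    }

    @Override
    public void tearDown( ) throws Exception
    {
        // Remove the password history as well: the reset tests add entries to it.
        AdminUserHome.remove( user.getUserId( ) );
        AdminUserHome.removeAllPasswordHistoryForUser( user.getUserId( ) );
        super.tearDown( );
    }

    // ------------------------------------------------------------------ login

    /**
     * Builds a login request that carries a valid CSRF token plus the given credentials.
     *
     * @param accessCode the access code, or {@code null} to omit the field
     * @param password the password, or {@code null} to omit the field
     * @return the request
     */
    private MockHttpServletRequest newLoginRequest( String accessCode, String password )
    {
        MockHttpServletRequest request = new MockHttpServletRequest( );
        request.addParameter( SecurityTokenService.PARAMETER_TOKEN, SecurityTokenService.getInstance( ).getToken( request, LOGIN_TOKEN_ACTION ) );
        if ( accessCode != null )
        {
            request.addParameter( Parameters.ACCESS_CODE, accessCode );
        }
        if ( password != null )
        {
            request.addParameter( Parameters.PASSWORD, password );
        }
        return request;
    }

    /**
     * Submits the request to {@code doLogin} and checks the French text of the message
     * stored on the request against the given i18n key.
     *
     * @param bean the bean under test
     * @param request the login request
     * @param messageKey the expected message key
     * @throws Exception if {@code doLogin} throws
     */
    private void assertLoginMessage( AdminLoginJspBean bean, MockHttpServletRequest request, String messageKey ) throws Exception
    {
        bean.doLogin( request );
        AdminMessage message = AdminMessageService.getMessage( request );
        assertNotNull( message );
        assertEquals( I18nService.getLocalizedString( messageKey, Locale.FRENCH ), message.getText( Locale.FRENCH ) );
    }

    /**
     * Submits the request to {@code doLogin} and checks that it is refused with an
     * {@link AccessDeniedException}.
     *
     * @param bean the bean under test
     * @param request the login request
     * @throws Exception if {@code doLogin} throws anything other than the expected exception
     */
    private void assertLoginDenied( AdminLoginJspBean bean, MockHttpServletRequest request ) throws Exception
    {
        try
        {
            bean.doLogin( request );
            fail( "Should have thrown" );
        }
        catch( AccessDeniedException expected )
        {
            // expected: the request is rejected outright
        }
    }

    public void testDoLogin( ) throws Exception
    {
        AdminLoginJspBean bean = new AdminLoginJspBean( );

        // No credentials at all.
        assertLoginMessage( bean, newLoginRequest( null, null ), Messages.MESSAGE_AUTH_FAILURE );
        // Access code without password.
        assertLoginMessage( bean, newLoginRequest( "admin", null ), Messages.MESSAGE_AUTH_FAILURE );
        // Access code and password of the default admin account: the answer is the
        // must-change-password message rather than an authentication failure.
        assertLoginMessage( bean, newLoginRequest( "admin", "adminadmin" ), Messages.MESSAGE_USER_MUST_CHANGE_PASSWORD );
    }

    public void testDoLoginNoCSRFToken( ) throws Exception
    {
        AdminLoginJspBean bean = new AdminLoginJspBean( );
        // Credentials only; the CSRF token parameter is deliberately absent.
        MockHttpServletRequest request = new MockHttpServletRequest( );
        request.addParameter( Parameters.ACCESS_CODE, "admin" );
        request.addParameter( Parameters.PASSWORD, "adminadmin" );
        assertLoginDenied( bean, request );
    }

    public void testDoLoginBadCSRFToken( ) throws Exception
    {
        AdminLoginJspBean bean = new AdminLoginJspBean( );
        MockHttpServletRequest request = new MockHttpServletRequest( );
        // A token that differs from the one issued for this request by a single trailing character.
        String validToken = SecurityTokenService.getInstance( ).getToken( request, LOGIN_TOKEN_ACTION );
        request.addParameter( SecurityTokenService.PARAMETER_TOKEN, validToken + "b" );
        request.addParameter( Parameters.ACCESS_CODE, "admin" );
        request.addParameter( Parameters.PASSWORD, "adminadmin" );
        assertLoginDenied( bean, request );
    }

    public void testDoLoginDisabledLuteceUser( ) throws Exception
    {
        assertLoginMessage( new AdminLoginJspBean( ), newLoginRequest( "lutece", "adminadmin" ), Messages.MESSAGE_AUTH_FAILURE );
    }

    public void testDoLoginDisabledRedacUser( ) throws Exception
    {
        assertLoginMessage( new AdminLoginJspBean( ), newLoginRequest( "redac", "adminadmin" ), Messages.MESSAGE_AUTH_FAILURE );
    }

    public void testDoLoginDisabledValidUser( ) throws Exception
    {
        assertLoginMessage( new AdminLoginJspBean( ), newLoginRequest( "valid", "adminadmin" ), Messages.MESSAGE_AUTH_FAILURE );
    }

    // ------------------------------------------------------------ persistence

    /**
     * Creates an {@link AdminUserDAO} with its dependencies autowired from the Spring context.
     *
     * @return the DAO
     */
    private AdminUserDAO getAdminUserDAO( )
    {
        AdminUserDAO adminUserDAO = new AdminUserDAO( );
        ApplicationContext context = SpringContextService.getContext( );
        AutowireCapableBeanFactory beanFactory = context.getAutowireCapableBeanFactory( );
        beanFactory.autowireBean( adminUserDAO );
        return adminUserDAO;
    }

    /**
     * Reloads the test user from the database.
     *
     * @return the stored user, never {@code null}
     */
    private LuteceDefaultAdminUser loadStoredUser( )
    {
        LuteceDefaultAdminUser storedUser = getAdminUserDAO( ).loadDefaultAdminUser( user.getUserId( ) );
        assertNotNull( storedUser );
        return storedUser;
    }

    /**
     * Checks that the password stored for the test user matches the given clear-text value.
     *
     * @param cleartext the expected clear-text password
     */
    private void assertStoredPasswordIs( String cleartext )
    {
        assertTrue( loadStoredUser( ).getPassword( ).check( cleartext ) );
    }

    // -------------------------------------------------------- forgot password

    public void testDoForgotPasswordNoParam( ) throws Exception
    {
        AdminLoginJspBean bean = new AdminLoginJspBean( );
        MockHttpServletRequest request = new MockHttpServletRequest( );
        bean.doForgotPassword( request );
        AdminMessage message = AdminMessageService.getMessage( request );
        assertNotNull( message );
        assertEquals( I18nService.getLocalizedString( Messages.MANDATORY_FIELDS, Locale.FRENCH ), message.getText( Locale.FRENCH ) );
    }

    public void testDoForgotPasswordDoesNotExist( ) throws Exception
    {
        AdminLoginJspBean bean = new AdminLoginJspBean( );

        MockHttpServletRequest request = new MockHttpServletRequest( );
        request.addParameter( Parameters.ACCESS_CODE, "DOES_NOT_EXIST" );
        // An unknown access code is answered with a redirect to the message page; the message
        // itself is not checked here.
        String url = bean.doForgotPassword( request );
        assertTrue( url != null && url.endsWith( "AdminMessage.jsp" ) );
    }

    public void testDoForgotPasswordNoEmail( ) throws Exception
    {
        // A user without e-mail address cannot be sent a reset link.
        user.setEmail( null );
        getAdminUserDAO( ).store( user );

        AdminLoginJspBean bean = new AdminLoginJspBean( );

        MockHttpServletRequest request = new MockHttpServletRequest( );
        request.addParameter( Parameters.ACCESS_CODE, user.getAccessCode( ) );
        String url = bean.doForgotPassword( request );
        assertTrue( url != null && url.endsWith( "AdminMessage.jsp" ) );
    }

    public void testDoForgotPassword( ) throws Exception
    {
        AdminLoginJspBean bean = new AdminLoginJspBean( );

        MockHttpServletRequest request = new MockHttpServletRequest( );
        request.addParameter( Parameters.ACCESS_CODE, user.getAccessCode( ) );
        bean.doForgotPassword( request );
        AdminMessage message = AdminMessageService.getMessage( request );
        assertNotNull( message );
        assertEquals( I18nService.getLocalizedString( MESSAGE_FORGOT_PASSWORD_SUCCESS, Locale.FRENCH ), message.getText( Locale.FRENCH ) );
        // Requesting a reset link must not touch the stored password.
        assertStoredPasswordIs( PASSWORD );
    }

    // --------------------------------------------------------- reset password

    /**
     * Builds a reset-password request for the test user carrying a reset token issued for the
     * given timestamp.
     * <p>
     * The token is generated against the request itself so that, when
     * {@code DSKEY_LOCK_RESET_TOKEN_TO_SESSION} is enabled, it is bound to this request's
     * session (see {@link #testDoResetPasswordSessionLockDifferentSessions()}). The new
     * password fields are left unset; see {@link #setNewPassword}.
     *
     * @param method the HTTP method
     * @param timestamp the timestamp the token is issued for
     * @return the request
     */
    private MockHttpServletRequest newResetPasswordRequest( String method, Date timestamp )
    {
        MockHttpServletRequest request = new MockHttpServletRequest( );
        request.setMethod( method );
        request.setParameter( Parameters.USER_ID, Integer.toString( user.getUserId( ) ) );
        String token = AdminUserService.getUserPasswordResetToken( user, timestamp, request );
        request.setParameter( PARAMETER_TS, Long.toString( timestamp.getTime( ) ) );
        request.setParameter( PARAMETER_TOKEN, token );
        return request;
    }

    /**
     * Sets the new password and its confirmation on a reset request.
     *
     * @param request the request
     * @param newPassword the new password, or {@code null} to omit the field
     * @param confirmation the confirmation, or {@code null} to omit the field
     */
    private void setNewPassword( MockHttpServletRequest request, String newPassword, String confirmation )
    {
        if ( newPassword != null )
        {
            request.setParameter( Parameters.NEW_PASSWORD, newPassword );
        }
        if ( confirmation != null )
        {
            request.setParameter( Parameters.CONFIRM_NEW_PASSWORD, confirmation );
        }
    }

    /**
     * Submits the request to {@code doResetPassword} on a fresh bean and checks that a
     * result is returned.
     *
     * @param request the reset request
     */
    private void doResetPassword( MockHttpServletRequest request )
    {
        String res = new AdminLoginJspBean( ).doResetPassword( request );
        assertNotNull( res );
    }

    /**
     * Checks that the message stored on the request is a stop (error) message.
     *
     * @param request the request
     */
    private void assertStopMessage( MockHttpServletRequest request )
    {
        AdminMessage message = AdminMessageService.getMessage( request );
        assertNotNull( message );
        assertEquals( AdminMessage.TYPE_STOP, message.getType( ) );
    }

    /**
     * Checks that the message stored on the request is the "mandatory fields" message.
     *
     * @param request the request
     */
    private void assertMandatoryFieldsMessage( MockHttpServletRequest request )
    {
        AdminMessage message = AdminMessageService.getMessage( request );
        assertNotNull( message );
        assertEquals( I18nService.getLocalizedString( Messages.MANDATORY_FIELDS, Locale.FRENCH ), message.getText( Locale.FRENCH ) );
    }

    /**
     * Sets the "lock reset token to session" security parameter.
     *
     * @param locked the new value
     * @return the previous value, to be passed back to {@link #restoreSessionLock(boolean)}
     */
    private boolean setSessionLock( boolean locked )
    {
        boolean previous = AdminUserService.getBooleanSecurityParameter( AdminUserService.DSKEY_LOCK_RESET_TOKEN_TO_SESSION );
        AdminUserService.updateSecurityParameter( AdminUserService.DSKEY_LOCK_RESET_TOKEN_TO_SESSION, Boolean.toString( locked ) );
        return previous;
    }

    /**
     * Restores the "lock reset token to session" security parameter.
     *
     * @param previousSessionLockParam the value returned by {@link #setSessionLock(boolean)}
     */
    private void restoreSessionLock( boolean previousSessionLockParam )
    {
        AdminUserService.updateSecurityParameter( AdminUserService.DSKEY_LOCK_RESET_TOKEN_TO_SESSION, Boolean.toString( previousSessionLockParam ) );
    }

    public void testDoResetPasswordNoSessionLock( )
    {
        boolean previousSessionLockParam = setSessionLock( false );

        try
        {
            doResetPasswordTest( );
        }
        finally
        {
            restoreSessionLock( previousSessionLockParam );
        }
    }

    public void testDoResetPasswordSessionLock( )
    {
        boolean previousSessionLockParam = setSessionLock( true );

        try
        {
            doResetPasswordTest( );
        }
        finally
        {
            restoreSessionLock( previousSessionLockParam );
        }
    }

    /**
     * Happy path of the reset: a valid token and matching passwords replace the stored
     * password and record the new one in the password history.
     */
    private void doResetPasswordTest( )
    {
        MockHttpServletRequest request = newResetPasswordRequest( "POST", new Date( ) );
        setNewPassword( request, NEW_PASSWORD, NEW_PASSWORD );

        doResetPassword( request );
        AdminMessage message = AdminMessageService.getMessage( request );
        assertNotNull( message );
        assertEquals( AdminMessage.TYPE_INFO, message.getType( ) );

        LuteceDefaultAdminUser storedUser = loadStoredUser( );
        assertFalse( storedUser.getPassword( ).check( PASSWORD ) );
        assertTrue( storedUser.getPassword( ).check( NEW_PASSWORD ) );

        List<IPassword> passwordHistory = AdminUserHome.selectUserPasswordHistory( user.getUserId( ) );
        boolean found = false;
        for ( IPassword password : passwordHistory )
        {
            if ( password.check( NEW_PASSWORD ) )
            {
                found = true;
                break;
            }
        }
        assertTrue( found );
    }

    public void testDoResetPasswordSessionLockDifferentSessions( )
    {
        boolean previousSessionLockParam = setSessionLock( true );

        try
        {
            MockHttpServletRequest request = newResetPasswordRequest( "POST", new Date( ) );
            // The token was issued for the previous session id; with the lock enabled it must
            // not be usable from another session.
            request.changeSessionId( );
            setNewPassword( request, NEW_PASSWORD, NEW_PASSWORD );

            doResetPassword( request );
            assertStopMessage( request );
            assertStoredPasswordIs( PASSWORD );
        }
        finally
        {
            restoreSessionLock( previousSessionLockParam );
        }
    }

    public void testDoResetPasswordShortPassword( )
    {
        MockHttpServletRequest request = newResetPasswordRequest( "POST", new Date( ) );
        String newPassword = "p";
        setNewPassword( request, newPassword, newPassword );

        doResetPassword( request );
        assertStopMessage( request );
        assertStoredPasswordIs( PASSWORD );
    }

    public void testDoResetPasswordChangedPassword( )
    {
        MockHttpServletRequest request = newResetPasswordRequest( "POST", new Date( ) );
        setNewPassword( request, NEW_PASSWORD, NEW_PASSWORD );

        // Change the stored password after the token was issued: the token must then be refused.
        IPasswordFactory passwordFactory = SpringContextService.getBean( IPasswordFactory.BEAN_NAME );
        final String changedPassword = PASSWORD + "_changed";
        assertFalse( PASSWORD.equals( changedPassword ) );
        assertFalse( NEW_PASSWORD.equals( changedPassword ) );
        user.setPassword( passwordFactory.getPasswordFromCleartext( changedPassword ) );
        getAdminUserDAO( ).store( user, PasswordUpdateMode.UPDATE );

        doResetPassword( request );
        assertStopMessage( request );
        assertStoredPasswordIs( changedPassword );
    }

    public void testDoResetPasswordExpiredToken( )
    {
        // Shift the timestamp by the configured validity (presumably in minutes, given the
        // 1000 * 60 factor) plus one millisecond so the token falls outside its window.
        long validityMillis = 1000L * 60 * AdminUserService.getIntegerSecurityParameter( AdminUserService.DSKEY_RESET_TOKEN_VALIDITY );
        Date timestamp = new Date( new Date( ).getTime( ) + 1 + validityMillis );
        MockHttpServletRequest request = newResetPasswordRequest( "POST", timestamp );
        setNewPassword( request, NEW_PASSWORD, NEW_PASSWORD );

        doResetPassword( request );
        assertStopMessage( request );
        assertStoredPasswordIs( PASSWORD );
    }

    public void testDoResetPasswordNonexistentUser( )
    {
        MockHttpServletRequest request = new MockHttpServletRequest( );
        request.setMethod( "POST" );
        request.setParameter( Parameters.USER_ID, Integer.toString( Integer.MAX_VALUE ) );
        Date timestamp = new Date( );
        // Built through AdminUserHome since there is no user object for this id; the session id
        // is only bound into the token when the session lock is enabled.
        String token = AdminUserHome.getUserPasswordResetToken( Integer.MAX_VALUE, timestamp,
                AdminUserService.getBooleanSecurityParameter( AdminUserService.DSKEY_LOCK_RESET_TOKEN_TO_SESSION ) ? request.getSession( ).getId( ) : null );
        request.setParameter( PARAMETER_TS, Long.toString( timestamp.getTime( ) ) );
        request.setParameter( PARAMETER_TOKEN, token );
        setNewPassword( request, NEW_PASSWORD, NEW_PASSWORD );

        doResetPassword( request );
        assertStopMessage( request );
    }

    public void testDoResetPasswordBadToken( )
    {
        MockHttpServletRequest request = newResetPasswordRequest( "POST", new Date( ) );
        // Alter a single character of the issued token.
        char [ ] tokenCharacters = request.getParameter( PARAMETER_TOKEN ).toCharArray( );
        tokenCharacters [0] += 1;
        request.setParameter( PARAMETER_TOKEN, new String( tokenCharacters ) );
        setNewPassword( request, NEW_PASSWORD, NEW_PASSWORD );

        doResetPassword( request );
        assertStopMessage( request );
        assertStoredPasswordIs( PASSWORD );
    }

    public void testDoResetPasswordDifferentPasswords( )
    {
        MockHttpServletRequest request = newResetPasswordRequest( "POST", new Date( ) );
        setNewPassword( request, NEW_PASSWORD, NEW_PASSWORD + "diff" );

        doResetPassword( request );
        assertStopMessage( request );
        assertStoredPasswordIs( PASSWORD );
    }

    public void testDoResetPasswordNoNewPassword( )
    {
        MockHttpServletRequest request = newResetPasswordRequest( "POST", new Date( ) );
        setNewPassword( request, null, NEW_PASSWORD );

        doResetPassword( request );
        assertMandatoryFieldsMessage( request );
        assertStoredPasswordIs( PASSWORD );
    }

    public void testDoResetPasswordNoConfirmPassword( )
    {
        MockHttpServletRequest request = newResetPasswordRequest( "POST", new Date( ) );
        setNewPassword( request, NEW_PASSWORD, null );

        doResetPassword( request );
        assertMandatoryFieldsMessage( request );
        assertStoredPasswordIs( PASSWORD );
    }

    public void testDoResetPasswordGET( )
    {
        MockHttpServletRequest request = newResetPasswordRequest( "GET", new Date( ) );
        setNewPassword( request, NEW_PASSWORD, NEW_PASSWORD );

        try
        {
            new AdminLoginJspBean( ).doResetPassword( request );
            fail( "should have thrown" );
        }
        catch( AppException expected )
        {
            // expected: a state-changing reset is only accepted over POST
        }
        assertStoredPasswordIs( PASSWORD );
    }

    public void testDoResetPasswordNoTimestamp( )
    {
        MockHttpServletRequest request = newResetPasswordRequest( "POST", new Date( ) );
        request.removeParameter( PARAMETER_TS );
        setNewPassword( request, NEW_PASSWORD, NEW_PASSWORD );

        doResetPassword( request );
        assertMandatoryFieldsMessage( request );
        assertStoredPasswordIs( PASSWORD );
    }

    public void testDoResetPasswordNoUserId( )
    {
        MockHttpServletRequest request = newResetPasswordRequest( "POST", new Date( ) );
        request.removeParameter( Parameters.USER_ID );
        setNewPassword( request, NEW_PASSWORD, NEW_PASSWORD );

        doResetPassword( request );
        assertMandatoryFieldsMessage( request );
        assertStoredPasswordIs( PASSWORD );
    }

    public void testDoResetPasswordNoToken( )
    {
        // Built by hand: no token is issued at all for this request.
        MockHttpServletRequest request = new MockHttpServletRequest( );
        request.setMethod( "POST" );
        request.setParameter( Parameters.USER_ID, Integer.toString( user.getUserId( ) ) );
        request.setParameter( PARAMETER_TS, Long.toString( new Date( ).getTime( ) ) );
        setNewPassword( request, NEW_PASSWORD, NEW_PASSWORD );

        doResetPassword( request );
        assertMandatoryFieldsMessage( request );
        assertStoredPasswordIs( PASSWORD );
    }

    public void testGetResetPasswordNoRequestParameters( )
    {
        AdminLoginJspBean bean = new AdminLoginJspBean( );
        MockHttpServletRequest request = new MockHttpServletRequest( );

        // Only checks that rendering the reset page without any parameter does not throw;
        // the previous tautological assertTrue( "...", true ) verified nothing.
        bean.getResetPassword( request );
    }
}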
655 }