From be2a4753d04b9c7efa0a2e5444c7de73fd1e5ee0 Mon Sep 17 00:00:00 2001
From: Chris Ridd <chris.ridd@forgerock.com>
Date: Wed, 19 Dec 2012 16:14:49 +0000
Subject: [PATCH] Fix OPENDJ-665 Attribute Value Password Validator should implement check-substrings

---
 opends/src/server/org/opends/server/extensions/AttributeValuePasswordValidator.java |   49 ++++++++++++++++++++++++++++++++++++++++++++++++-
 1 files changed, 48 insertions(+), 1 deletions(-)

diff --git a/opends/src/server/org/opends/server/extensions/AttributeValuePasswordValidator.java b/opends/src/server/org/opends/server/extensions/AttributeValuePasswordValidator.java
index 425a289..7f5f852 100644
--- a/opends/src/server/org/opends/server/extensions/AttributeValuePasswordValidator.java
+++ b/opends/src/server/org/opends/server/extensions/AttributeValuePasswordValidator.java
@@ -23,6 +23,7 @@
  *
  *
  *      Copyright 2008 Sun Microsystems, Inc.
+ *      Portions Copyright 2012 ForgeRock, AS.
  */
 package org.opends.server.extensions;
 import org.opends.messages.Message;
@@ -96,6 +97,39 @@
 
 
   /**
+   * Search for substrings of the password in an Attribute. The search is
+   * case-insensitive.
+   *
+   * @param password the password
+   * @param minSubstringLength the minimum substring length to check
+   * @param a the attribute to search
+   * @return true if an attribute value matches a substring of the password,
+   * false otherwise.
+   */
+  private boolean containsSubstring(String password, int minSubstringLength,
+      Attribute a)
+  {
+    final int passwordLength = password.length();
+
+    for (int i = 0; i < passwordLength; i++)
+    {
+      for (int j = i + minSubstringLength; j <= passwordLength; j++)
+      {
+        Attribute substring = Attributes.create(a.getAttributeType(),
+            password.substring(i, j));
+        for (AttributeValue val : a)
+        {
+          if (substring.contains(val))
+            return true;
+        }
+      }
+    }
+    return false;
+  }
+
+
+
+  /**
    * {@inheritDoc}
    */
   @Override()
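Review bot: The Javadoc on `containsSubstring` says the search is case-insensitive, but nothing in the method folds case. The comparison is delegated to `substring.contains(val)` on an Attribute built with `a.getAttributeType()`, so case handling presumably follows that attribute type's matching rule and may be case-sensitive for some types. I would reword the summary to `Checks whether any value of the attribute equals a substring of the password, using the attribute type's own matching semantics.`, which also makes the direction of the match explicit. Separately, the loops build one Attribute per candidate substring, roughly n²/2 allocations per attribute for a password of length n, which is worth a comment or a length cap because this runs on the password-change path. The inner `if (substring.contains(val))` should also take braces to match the rest of the file.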
@@ -113,6 +147,17 @@
     String password = newPassword.toString();
     String reversed = new StringBuilder(password).reverse().toString();
 
+    // Check to see if we should verify the whole password or the substrings.
+    int minSubstringLength = password.length();
+    if (config.isCheckSubstrings())
+    {
+      // We apply the minimal substring length only if the provided value
+      // is smaller then the actual password length
+      if (config.getMinSubstringLength() < password.length())
+      {
+        minSubstringLength = config.getMinSubstringLength();
+      }
+    }
 
     // If we should check a specific set of attributes, then do that now.
     // Otherwise, check all user attributes.
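Review bot: `config.getMinSubstringLength()` is copied into `minSubstringLength` with only an upper-bound comparison against `password.length()`, so a zero or negative value would reach `containsSubstring` unchecked. There, zero yields empty substrings and a negative value makes `password.substring(i, j)` throw because `j` starts below `i`. The configuration definition may already enforce a minimum, but that is not visible in this patch, so a local clamp is cheap insurance: `minSubstringLength = Math.max(1, config.getMinSubstringLength());` inside the existing `if`. The comment above it should read "smaller than", not "smaller then". The enclosing method starts and ends outside this hunk.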
@@ -136,7 +181,9 @@
       for (Attribute a : attrList)
       {
         if (a.contains(vf) ||
-            (config.isTestReversedPassword() && a.contains(vr)))
+            (config.isTestReversedPassword() && a.contains(vr)) ||
+            (config.isCheckSubstrings() &&
+                containsSubstring(password, minSubstringLength, a)))
         {
 
           invalidReason.append(ERR_ATTRVALUE_VALIDATOR_PASSWORD_IN_ENTRY.get());
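Review bot: The new substring test is applied only to `password`, so the reversed form is never checked for substrings even when `config.isTestReversedPassword()` is enabled. With both options on, a password that embeds a reversed attribute value with extra characters around it is still accepted, while the whole-value check two lines above does cover `vr`. The `reversed` string is already computed earlier in the method, so the condition could become `(config.isCheckSubstrings() && (containsSubstring(password, minSubstringLength, a) || (config.isTestReversedPassword() && containsSubstring(reversed, minSubstringLength, a))))`. If leaving reversed substrings out is deliberate, a comment here should say so. The enclosing loop and method continue outside this hunk.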

--
Gitblit v1.10.0