vt-middleware / passay

Password policy enforcement for Java.
http://www.passay.org

CharacterCharacteristicsRule not passing "invalid" flag from sub rules #31

Closed wheeler7 closed 8 years ago

wheeler7 commented 8 years ago

Hi,

I'm using passay library:

  <dependency>
      <groupId>org.passay</groupId>
      <artifactId>passay</artifactId>
      <version>1.1.0</version>
  </dependency>

I've got a problem with CharacterCharacteristicsRule. When one of the sub rules aggregated by CharacterCharacteristicsRule finds the given password to be invalid, the RuleResult returned by CharacterCharacteristicsRule still has its "valid" flag set to true.

The case is that when I define four CharacterRule classes:

Then I'm adding them to CharacterCharacteristicsRule and I set up that at least 3 characteristics should be met.

Assuming that password would be "1Abc!xyz" then three characteristics are met but CharacterRule for digits is not met.

Looking at code of method validate() in CharacterCharacteristicsRule class:

    final RuleResult result = new RuleResult(true);
    for (CharacterRule rule : rules) {
      final RuleResult rr = rule.validate(passwordData);
      if (!rr.isValid()) {
        if (reportRuleFailures) {
          result.getDetails().addAll(rr.getDetails());
        }
      } else {
        successCount++;
      }
    }

You can see that when a sub rule is not valid, the details are aggregated into the result object, but the "valid" flag of the result object is not updated to false. So finally I'm receiving a RuleResult object with the "valid" flag set to true and no items on the "details" list, because they are not aggregated in the validate() method of the PasswordValidator class.

Best regards

dfish3r commented 8 years ago

If you look at the next few lines, you'll see that the aggregated result is set to false if the numCharacteristics property has not been met.

If you still believe we have a bug, please attach a unit test that demonstrates. Thanks.

wheeler7 commented 8 years ago

Hi dfish3r, thank you for your reply, and I'm sorry because I think I have misunderstood the idea of CharacterCharacteristicsRule, treating it as a container that will check if all sub rules are valid and yet some characteristic. Sorry and thank you.

Best regards
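
The N-of-M behaviour discussed in this thread, as an added example that is not part of the original thread and is not Passay's own code. It assumes Passay 1.1.0 on the classpath; the class name `CharacteristicsDemo` and the four sub rule definitions (in particular the two-digit minimum) are assumptions, since the reporter's definitions are not shown. The last case goes one step beyond the thread and shows how to make a sub rule mandatory by listing it beside the group.

```java
import java.util.Arrays;
import org.passay.CharacterCharacteristicsRule;
import org.passay.CharacterRule;
import org.passay.EnglishCharacterData;
import org.passay.PasswordData;
import org.passay.PasswordValidator;
import org.passay.Rule;
import org.passay.RuleResult;
import org.passay.RuleResultDetail;

public class CharacteristicsDemo {

  // Assumed sub rules; the thread does not show the reporter's definitions.
  static CharacterCharacteristicsRule threeOfFour() {
    CharacterCharacteristicsRule group = new CharacterCharacteristicsRule();
    group.getRules().add(new CharacterRule(EnglishCharacterData.UpperCase, 1));
    group.getRules().add(new CharacterRule(EnglishCharacterData.LowerCase, 1));
    group.getRules().add(new CharacterRule(EnglishCharacterData.Special, 1));
    group.getRules().add(new CharacterRule(EnglishCharacterData.Digit, 2)); // assumed minimum
    group.setNumberOfCharacteristics(3); // any 3 of the 4 sub rules must pass
    return group;
  }

  // Prints the overall flag and the error codes carried in the result details.
  static void report(String label, RuleResult result) {
    StringBuilder codes = new StringBuilder();
    for (RuleResultDetail d : result.getDetails()) {
      codes.append(d.getErrorCode()).append(' ');
    }
    System.out.println(label + ": valid=" + result.isValid()
        + " codes=[" + codes.toString().trim() + "]");
  }

  public static void main(String[] args) {
    CharacterCharacteristicsRule group = threeOfFour();

    // Three sub rules pass and the digit rule fails: the group still reports valid.
    report("group, 1Abc!xyz", group.validate(new PasswordData("1Abc!xyz")));

    // Only the lower-case sub rule passes: 1 < 3, so the group reports invalid.
    report("group, abcdefgh", group.validate(new PasswordData("abcdefgh")));

    // If digits are mandatory, list that rule beside the group so it is not optional.
    PasswordValidator strict = new PasswordValidator(Arrays.<Rule>asList(
        group, new CharacterRule(EnglishCharacterData.Digit, 2)));
    report("strict, 1Abc!xyz", strict.validate(new PasswordData("1Abc!xyz")));
  }
}
```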