From 8a837cdeefb22f84a36a0e5a42813a2f80a71c19 Mon Sep 17 00:00:00 2001
From: Peter Hormanns <peter.hormanns@jalin.de>
Date: Fri, 19 Mar 2021 19:18:31 +0100
Subject: [PATCH] check password complexity in backend

---
 hsarback/.classpath                           |   2 +-
 ...OT.jar => hsadmin-util-4.0.4-SNAPSHOT.jar} | Bin 10465 -> 10991 bytes
 .../hsadmin/mods/user/UnixUserModuleImpl.java |   8 +++++++-
 3 files changed, 8 insertions(+), 2 deletions(-)
 rename hsarback/lib/{hsadmin-util-4.0.3-SNAPSHOT.jar => hsadmin-util-4.0.4-SNAPSHOT.jar} (65%)

diff --git a/hsarback/.classpath b/hsarback/.classpath
index a3b02bc..0b07c1a 100644
--- a/hsarback/.classpath
+++ b/hsarback/.classpath
@@ -37,6 +37,6 @@
 	<classpathentry kind="lib" path="lib/org.apache.bval.bundle-0.5.jar"/>
 	<classpathentry kind="lib" path="lib/serp-1.15.1.jar"/>
 	<classpathentry kind="lib" path="lib/xbean-asm6-shaded-4.8.jar"/>
-	<classpathentry kind="lib" path="lib/hsadmin-util-4.0.3-SNAPSHOT.jar"/>
+	<classpathentry kind="lib" path="lib/hsadmin-util-4.0.4-SNAPSHOT.jar"/>
 	<classpathentry kind="output" path="bin"/>
 </classpath>
diff --git a/hsarback/lib/hsadmin-util-4.0.3-SNAPSHOT.jar b/hsarback/lib/hsadmin-util-4.0.4-SNAPSHOT.jar
similarity index 65%
rename from hsarback/lib/hsadmin-util-4.0.3-SNAPSHOT.jar
rename to hsarback/lib/hsadmin-util-4.0.4-SNAPSHOT.jar
index 8c60531e0c954e5d5353665db62eda6a4a9d2992..cde4b6a13fc3594312c8a5eb7de48e2b5b8e5c21 100644
GIT binary patch
delta 2150
zcmZXV3pmsJAIE3r(!VXn%w=iV7-NcImWotE{<(~mNJ;L-&eCNowRW68%ZadZi6~PR
zB9};qzw5H*5^^d0TT=ATQO1c>a<<>|Kb@!N|9hVA^ZI_@-|zeRKF|02{k=bvz8`2X
zA5Ue-KR}AFIWHj-hE;Bo!|ob@flUAw%oO0Glq>;yC~Z-&Hc{y}Fwofw`KqENSEvP-
z7DJbnK_DkJ5C{k2bFpZSKZ8NHK1M&9kdQ_T@*Afhz9Ankn40L};(6L*SnQpf(HjHz
zZq}oQ#(VXe=4NH-YSyS)!n546QP=XkN^_iD7g}SZB13NHMN7Z%ZS!tRCAkm(RTo8>
z`Mq#)uCP{04qTPZRJADSwNt?!P|?jv0VG+*1d|g@M5VroNRG%Ix&kTIOAEE)LXu1L
za$cn)R4mMja}kc)g9?HOJx{E!n6==o@2c~PT_W2OX1SB9-N{eyAt?TkKKIw{tj0vn
zd1mN+J2I)+4ikLM<#exb6n*x5_}FoRRDIhKqoA^Y#+d&I>0|MIe<WIts?%`|^NiQL
z3)v09PI}rtoSM~ca7<fy065rm{Qk5-{%m$jScOwv$=<?f$L?fC_X^h+R(2}*#)p;;
z0=uxo{c&1EKzX>XWB%Oc?RNimIG#Qk|60Oj{D#_HNG#7@5vo|S^6k6EYLXa`!RG>2
zUVZ3(Hr@B7xRSoEGbY7`+O<cVTZq!D58BMWOpw}f-tE5`^C?+B;C%jKci<eaw)BnF
zsMS-40*3>U-S$Tr&$uq_^zNqGje669g90Q~SA<yQ2i>Nvr;p_8&+MDIp>?rlbbeo~
zBpY$Mp_b*hX-^kB>_ovXZ^YBB5k5mq-6L<!kM4iDu$Jxma;!QxZ{b1RMl+GMaC`xj
z6Bs5DbIySqyhjclxE%1_j$W#j^(i9f@QG-=BP8IYVM6X`wUKDM1=2SHvl`sL@-Zb_
z|7*ukMRn^(ez?bU&^e3oau$78O!}L6$nZR75?7XI_1Uqbth09JRoX+Hk%E&2;vH|D
zCr6hlKkL~%B6Pf<Z|Lws@G3knw7M*n*ig2J&vNh<3^=k1Wif9%S)m+B_HO8vx>A-9
zUHCY<jbwen8==a{un=@8>6gP-NZwKY{hoJ7N-Wd|pDyOQ91Y|Vv%np)qJhk9&1!GR
zxZ=1Z>-MS}m$$Tw@T5zFp9NV5C|7O518B*Z|B72T4VC5^y1OlD>W>Tt4nCvk4)Y^<
zoI5Lq6E9g!(PxbI37j0C$nM5r@2D0TS8gbG;t7vA@9FHDozb<f{8)Kw*uJr`9u}<X
z9^*Z*0v@>PPe;q7r#qfL-u)p9n}PMn+bgl7>fmV6S;L;iFEF$Q-o~j47uEN&ugh$q
zPUwCn%;ALyS@TIr**NG|p6?9v>W;Jt&Q<1hxXHq^-4VNzTiiGS20BtEEfooq+EP==
zA{m6_NNr3|{g4vNI6kb?c{ss|kXn$TF`s%Q_Fa!BFNfFUdYMOj62TVq9G$<{>8D1M
zG`WO^qf3XjzfE*nsfh?~xp8dy9$h~IT$yg8VYuMUN}Ukr8$Sx(p<cVDS>%VrJ#hVo
zW?;VQ{*^Q8AVqdWK<`6<?AQb!Qvy=ui`F6_$h4PLfX=Lbm5Q=Flla%scz_c0R)A_o
zZt!w>+60yFL1!v~K(FM9L*(x?A#zx8^fc;DuZ}I6+Zw7|n!CKBG-%-_Ob~Zya4&&Z
zUY#>U3w5i1dPO?b>A`pT<pKLtWRsJ?v~fQ!WNA9<*5E{M`pC59CE^*?i&0+B;TePL
zUc`}DTvtTjZT_`~5A~S0a>6f4*!!Ab9qKKNk+Y>eQAQ=z{<gv}O2t2egE^LzyFLr(
zsd#*{zTgmaS#-n9BqdUI!qrw}d`>xT;=+S?_%<QgtC*JQyqK%J)j&cthWi<)$D`7B
z-Pb9)axlff%O@aHYa-ThtdSHA|NY4O(_c#GxGxh(y?Y9hw7E=SGVRq{fu@BUMdw;u
zQdsKxyw0kWt`Lv;qJnqYXpWlSL2GKin0oy}8s>G~)LnSy+A05`x`_qWz3r13Nw19#
z&Q1q@Dhtt_yOYtrq<kG}5;vA)g<G`~kW)WfJiL80p8xD;rt4ZIvNZ{I=HBxM>HTU&
z$cq^$d^A|!eU|fac&tZ<-Ji!?9w{u;D1*aRVTPZ_>DsWSS2<IKGk9{~x4J_jDPahV
z-nOZF*H2SRXLic|K>dC7^6R9kqwDLB^T{TG^i!4+i0!WkD1j@M^gojf9cp`Szq?J`
zD$cNMHgBnGC5jwOX`2O(Hl`$^_hxd7`BlqmA(lw6X@r=o=!_Bwk9#KZo&<bf&y!mF
z0b)OK0Jf9>RbQIdm;{4-Je9x*<?od(3u6a7GZMxbARA*1ungk>a0=rD&=~6iFbw+>
zz)`H%h965CpJ?g^Or0}DfulCatDG+X5){gBHiZImk6bp=R>)aqCPoVHm)!ieGI@cO
z$(yyJ(*Ex&;jSX&>n!-OX4-(2YlZ?Z>c}N?{v$IjKpK}zb0}aF4IB!1{{$QgTx87O
zi!%g<G4f%LF+aq}m@mXZjTA@x*9Hn&eIICo*4EaU$QN2${e3v<p#S@oz8gTG60V=Z
gVE=>R`z6X3vgK{-4+eXz++fRZGdECO!zyO}1Z^y)>;M1&

delta 1652
zcmaDK`Y@0;z?+$civa|hdW$CVsxUVKDU(^uAl^keF!f0dL`{}v)CSX@j0PZja}DEe
zCNRT_<qxY6P$bCqVXxl{Mh1r4%nS_b43h&i<m*H7^K<l)a}tY-dxLZRuQ&+QeOp&v
zTi9yN()x=@y<@NNO0~M?3?&xlODi}%7Ty1L>+HrQTc+<ja9_x`&qcVt!Tyv*wM;_D
zmsxL&H(#Dvx$S(;{{KHd@g6X?DJ<Y!$IHH5_Rhgr;qNjM1*Tg}?p)unBJt!AX5rI3
zXZM}>{Me+sKJKJT+9D5QHvNtz`{#GR2vDt?k#<R+Tl9B+{rQ;W73){Kh@O{R6<6JV
z@P>!-Ndw6hF8lQOcN^Uny*ooG*iovh!av39y}RS$8{w9RAMJlxcG*O2ncMrGuzANN
zm+dVpQ0Qxs?_To!y~s?jswtUk+dsYtIp-IZw(w5StaU%LkB8RBo-l0m<m-E_CRbFE
zVZ2A;{q5=hI`-&<%6Lx7|Mn`p#(LoeHy=);=Pw=z9`9;9E*19Bc*{R+w#>qxSMztV
z8|g?)J8o^ZvUr{H;hyb(!x`TiO`pALIhWMAW#1RtJ}cc3BxEa`CAs8y6!Y7CufK1N
ze*KE2t<PNVxYRtS`$Y{0uhus!ulKS$J8^@f^?V)W=+|?a=1vH9oV>w~C(O|G#Cf3t
z=F2I$XC6FTvBUM|uZ{K#FU^ox@T>4d$<2ntht_hhTN}9Rx9G9o!B=`1Uv2S;y2kJ=
zJ;YD%RqU$;p1PZ4)UHOCFi01RtWGGaxL~O>p>)Ne1^>(CzWKw_6bA!1eU$QTWdSpE
zg>Nx}7?Zg~KZEE^V&7T862GL^gBg?8C~AQf+*Gsz(_%{Qg8smi_4bL<jETUM^$3`<
zj3)=E7}r<i=JW<#^gCoAQros(Vb6NmN6d<)o%~Y14jvAVvvb!kPRX9WjrmXY?y}_B
zddIfUt3Lm7@AD^<oK`CvSnqr?)1>@z^VXw6kLS#DP>KpDV^~tswSBhfK3Bu8<&P&W
z*VA{4dHMXa<lN`;Duj<4|JfJ!c8<~Vi4%?mom?<Ua-+$<UG+gdQ462gAM@2}lUx+T
z!+-RI@WjKHQ*4xWKANz%(Jas5Q8df<tiH)vp<?H49yai`eTwloGKH;acH85C+@tEL
z*A~tao*I_IQZCh3_R43L`|jz#-@eP-tp4MQU$LP01D6DuPaC{sYNseYKCvRmxMG4&
zq2lEyrT-;#IsQ!!t`&MzpP;4h!X_2DDtN<59?Q1{*$yK6WJRv(Znt@t>u({VVCivf
z$4;?*S~uLPb(U_p>)^iE<8_(-=|J<dH)YQ5(%iKyF>msbrouxX)`=b1%WJja-VJw&
zrt_ylPMA(LX_Z;RyT5Ifd9f?wmb5#2O_z%|t#YlcuWf&5Hrr+Kf*((JJg(I06SLP1
z|G1soRDq?R{f$7(?!9pVM*r9lQ4cB*;(1pT6i@b0iK^#2sljU0EyANK!gF@5kIx#O
z9??0m&LTZLJv=)vb${~awh7J&4*F`;B^+F2{Q1kI&)q>gg}S|rE(=ZeZU_n}ynAWV
z8JTsPt}J?V=8sLZur0G~^4$dc;|&S?{{{3I0=yZSM3~{lSP-~8gA$w|da{D55~yUG
z?5b)HPFU@#dSH5osu`I6sA>(S_0=4}bdg#Cn0~6}$A?<9O?Fgw2TOIUOEX3C082UX
z$@|qMz(TixLV|)|AwCTy1(3$yGiD!L1$4njAl3sp1qzllz7ql}v;phu*N|p<A`Ike
zOunKa1QvP;6uKt~HcCN;f3l7y4_Me*Q<`al{NxBtS+MCa(?GO5oFl;S|Nmb3$$=`0
zI`~3H2Svj#kOsZU0$Mx@7&#8Ekbz-Iql*Giq0!_#Eq-};90L_p0<jf}Lbb^cHT5Ug
QtME;}sU^VnQ3)go08yfxrT_o{

diff --git a/hsarback/src/de/hsadmin/mods/user/UnixUserModuleImpl.java b/hsarback/src/de/hsadmin/mods/user/UnixUserModuleImpl.java
index fa1e64a..45a1efe 100644
--- a/hsarback/src/de/hsadmin/mods/user/UnixUserModuleImpl.java
+++ b/hsarback/src/de/hsadmin/mods/user/UnixUserModuleImpl.java
@@ -11,6 +11,7 @@ import de.hsadmin.core.model.AbstractModuleImpl;
 import de.hsadmin.core.model.AuthorisationException;
 import de.hsadmin.core.model.Transaction;
 import de.hsadmin.core.util.HSAdminException;
+import de.hsadmin.core.util.PasswordTool;
 import de.hsadmin.hostsharing.BasePacType;
 import de.hsadmin.hostsharing.MultiOption;
 import de.hsadmin.mods.pac.Pac;
@@ -98,6 +99,7 @@ public class UnixUserModuleImpl extends AbstractModuleImpl {
 		if (passWord.indexOf(':') >= 0) {
 			throw new AuthorisationException(loginUser, "add", newUnixUser, "userId");
 		}
+		PasswordTool.checkPasswordComplexity(passWord);
 		Query qPac = em.createQuery("SELECT obj FROM Pacs obj WHERE obj.name = :pacName");
 		qPac.setParameter("pacName", userName.substring(0, 5));
 		Object singleResult = qPac.getSingleResult();
@@ -164,7 +166,11 @@ public class UnixUserModuleImpl extends AbstractModuleImpl {
 		if (!attachedUnixUser.getName().equals(detachedUnixUser.getName())) {
 			throw new AuthorisationException(loginUser, "update", detachedUnixUser, "name");
 		}
-		attachedUnixUser.setPassword(detachedUnixUser.getPassword());
+		final String passWord = detachedUnixUser.getPassword();
+		if (passWord != null && passWord.length() > 0) {
+			PasswordTool.checkPasswordComplexity(passWord);
+			attachedUnixUser.setPassword(passWord);
+		}
 		if (hasFullAccessOnPacOf(attachedUnixUser)) {
 			attachedUnixUser.setComment(detachedUnixUser.getComment());
 			attachedUnixUser.setHomedir(detachedUnixUser.getHomedir());