[SYNCOPE-1937] fixes password history length management (#1256)

andrea-patricelli · web-flow · commit ad823fe39377 · 2025-12-06T07:20:56.000+01:00
diff --git a/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/entity/user/JPAUser.java b/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/entity/user/JPAUser.java
@@ -334,8 +334,7 @@ public void addToPasswordHistory(final String password) {
     @Override
     public void removeOldestEntriesFromPasswordHistory(final int n) {
         List<String> ph = getPasswordHistory();
-        ph.subList(n, ph.size());
-        passwordHistory = POJOHelper.serialize(ph);
+        passwordHistory = POJOHelper.serialize(ph.subList(Math.min(n, ph.size()), ph.size()));
     }
 
     @Override
diff --git a/core/persistence-jpa/src/test/java/org/apache/syncope/core/persistence/jpa/inner/UserTest.java b/core/persistence-jpa/src/test/java/org/apache/syncope/core/persistence/jpa/inner/UserTest.java
@@ -18,15 +18,21 @@
  */
 package org.apache.syncope.core.persistence.jpa.inner;
 
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
 import java.time.OffsetDateTime;
 import java.util.List;
+import javax.crypto.BadPaddingException;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
 import org.apache.syncope.common.lib.types.CipherAlgorithm;
 import org.apache.syncope.core.persistence.api.EncryptorManager;
 import org.apache.syncope.core.persistence.api.dao.DerSchemaDAO;
@@ -253,4 +259,41 @@ public void issueSYNCOPE1666() {
         assertTrue(encryptorManager.getInstance().
                 verify(securityAnswer, CipherAlgorithm.SSHA256, actual.getSecurityAnswer()));
     }
+
+    @Test
+    public void issueSYNCOPE1937()
+            throws NoSuchPaddingException, IllegalBlockSizeException, NoSuchAlgorithmException, BadPaddingException,
+            InvalidKeyException {
+        User user = entityFactory.newEntity(User.class);
+        user.setUsername("username");
+        user.setRealm(realmDAO.getRoot());
+        user.setCreator("admin");
+        user.setCreationDate(OffsetDateTime.now());
+
+        user.setCipherAlgorithm(CipherAlgorithm.SHA1);
+        user.setPassword("password123");
+
+        User actual = userDAO.save(user);
+
+        assertEquals(0, user.getPasswordHistory().size());
+
+        // add some other password to history
+        user.addToPasswordHistory(encryptorManager.getInstance().encode("Password123!", CipherAlgorithm.SHA1));
+        user.addToPasswordHistory(encryptorManager.getInstance().encode("Password124!", CipherAlgorithm.SHA1));
+        user.addToPasswordHistory(encryptorManager.getInstance().encode("Password125!", CipherAlgorithm.SHA1));
+        user.addToPasswordHistory(encryptorManager.getInstance().encode("Password126!", CipherAlgorithm.SHA1));
+        user.addToPasswordHistory(encryptorManager.getInstance().encode("Password127!", CipherAlgorithm.SHA1));
+
+        assertEquals(5, user.getPasswordHistory().size());
+
+        // keep only the last three passwords into history
+        user.removeOldestEntriesFromPasswordHistory(2);
+
+        assertEquals(3, user.getPasswordHistory().size());
+
+        // try with an exceeding number
+        assertDoesNotThrow(() -> user.removeOldestEntriesFromPasswordHistory(user.getPasswordHistory().size() + 5));
+
+        assertNotNull(actual);
+    }
 }
diff --git a/core/persistence-neo4j/src/main/java/org/apache/syncope/core/persistence/neo4j/entity/user/Neo4jUser.java b/core/persistence-neo4j/src/main/java/org/apache/syncope/core/persistence/neo4j/entity/user/Neo4jUser.java
@@ -291,8 +291,7 @@ public void addToPasswordHistory(final String password) {
     @Override
     public void removeOldestEntriesFromPasswordHistory(final int n) {
         List<String> ph = getPasswordHistory();
-        ph.subList(n, ph.size());
-        passwordHistory = POJOHelper.serialize(ph);
+        passwordHistory = POJOHelper.serialize(ph.subList(Math.min(n, ph.size()), ph.size()));
     }
 
     @Override
diff --git a/core/persistence-neo4j/src/test/java/org/apache/syncope/core/persistence/neo4j/inner/UserTest.java b/core/persistence-neo4j/src/test/java/org/apache/syncope/core/persistence/neo4j/inner/UserTest.java
@@ -18,15 +18,21 @@
  */
 package org.apache.syncope.core.persistence.neo4j.inner;
 
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
 import java.time.OffsetDateTime;
 import java.util.List;
+import javax.crypto.BadPaddingException;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
 import org.apache.syncope.common.lib.types.CipherAlgorithm;
 import org.apache.syncope.core.persistence.api.EncryptorManager;
 import org.apache.syncope.core.persistence.api.dao.DerSchemaDAO;
@@ -253,4 +259,41 @@ public void issueSYNCOPE1666() {
         assertTrue(encryptorManager.getInstance().
                 verify(securityAnswer, CipherAlgorithm.SSHA256, actual.getSecurityAnswer()));
     }
+
+    @Test
+    public void issueSYNCOPE1937()
+            throws NoSuchPaddingException, IllegalBlockSizeException, NoSuchAlgorithmException, BadPaddingException,
+            InvalidKeyException {
+        User user = entityFactory.newEntity(User.class);
+        user.setUsername("username");
+        user.setRealm(realmDAO.getRoot());
+        user.setCreator("admin");
+        user.setCreationDate(OffsetDateTime.now());
+
+        user.setCipherAlgorithm(CipherAlgorithm.SHA1);
+        user.setPassword("password123");
+
+        User actual = userDAO.save(user);
+
+        assertEquals(0, user.getPasswordHistory().size());
+
+        // add some other password to history
+        user.addToPasswordHistory(encryptorManager.getInstance().encode("Password123!", CipherAlgorithm.SHA1));
+        user.addToPasswordHistory(encryptorManager.getInstance().encode("Password124!", CipherAlgorithm.SHA1));
+        user.addToPasswordHistory(encryptorManager.getInstance().encode("Password125!", CipherAlgorithm.SHA1));
+        user.addToPasswordHistory(encryptorManager.getInstance().encode("Password126!", CipherAlgorithm.SHA1));
+        user.addToPasswordHistory(encryptorManager.getInstance().encode("Password127!", CipherAlgorithm.SHA1));
+
+        assertEquals(5, user.getPasswordHistory().size());
+
+        // keep only the last three passwords into history
+        user.removeOldestEntriesFromPasswordHistory(2);
+
+        assertEquals(3, user.getPasswordHistory().size());
+
+        // try with an exceeding number
+        assertDoesNotThrow(() -> user.removeOldestEntriesFromPasswordHistory(user.getPasswordHistory().size() + 5));
+
+        assertNotNull(actual);
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -334,8 +334,7 @@ public void addToPasswordHistory(final String password) {`
`334`	`334`	`@Override`
`335`	`335`	`public void removeOldestEntriesFromPasswordHistory(final int n) {`
`336`	`336`	`List<String> ph = getPasswordHistory();`
`337`		`- ph.subList(n, ph.size());`
`338`		`- passwordHistory = POJOHelper.serialize(ph);`
	`337`	`+ passwordHistory = POJOHelper.serialize(ph.subList(Math.min(n, ph.size()), ph.size()));`
`339`	`338`	`}`
`340`	`339`
`341`	`340`	`@Override`
Original file line number	Diff line number	Diff line change
`@@ -291,8 +291,7 @@ public void addToPasswordHistory(final String password) {`
`291`	`291`	`@Override`
`292`	`292`	`public void removeOldestEntriesFromPasswordHistory(final int n) {`
`293`	`293`	`List<String> ph = getPasswordHistory();`
`294`		`- ph.subList(n, ph.size());`
`295`		`- passwordHistory = POJOHelper.serialize(ph);`
	`294`	`+ passwordHistory = POJOHelper.serialize(ph.subList(Math.min(n, ph.size()), ph.size()));`
`296`	`295`	`}`
`297`	`296`
`298`	`297`	`@Override`