From 3b5dfa5ca9d6fe5fbdde8387c947650d7e2a3c3e Mon Sep 17 00:00:00 2001
From: Enrico Vianello
Date: Fri, 27 Sep 2024 19:03:27 +0200
Subject: [PATCH] Fix expected password length to 8 chars at least (#849)

It was wrongly set to 9 while users were prompted to insert at least 8 chars
---
 .../java/it/infn/mw/iam/util/RegexUtil.java | 2 +-
 .../directives/password.directive.js | 2 +-
 .../iam/js/directive/password.directive.js | 2 +-
 .../account/password/PasswordUpdateTests.java | 23 +++++++++++++++++++
 4 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/util/RegexUtil.java b/iam-login-service/src/main/java/it/infn/mw/iam/util/RegexUtil.java
index 9e09d040e..12ef03cea 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/util/RegexUtil.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/util/RegexUtil.java
@@ -22,7 +22,7 @@ private RegexUtil() {}
 // Regex matches password with at least one lowercase letter, one uppercase
 // letter, one number, one symbol and minimum length of 8 characters
 public static final String PASSWORD_REGEX =
- "^(?=.*[\\p{Lower}])(?=.*[\\p{Upper}])(?=.*[\\p{Digit}])(?=.*[\\p{Punct}]).{8,}([^\\r\\t\\v\\f\\n]+)$";
+ "^(?=.*[\\p{Lower}])(?=.*[\\p{Upper}])(?=.*[\\p{Digit}])(?=.*[\\p{Punct}]).{7,}([^\\r\\t\\v\\f\\n]+)$";
 public static final String PASSWORD_REGEX_MESSAGE_ERROR =
 "The password must include at least one uppercase letter, one lowercase letter, one number, one symbol (e.g., @$!%*?&) and must contain at least 8 characters for greater security.";
 }
diff --git a/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/directives/password.directive.js b/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/directives/password.directive.js
index efb613b00..1734fe6c7 100644
--- a/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/directives/password.directive.js
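Review bot: The new server pattern still applies the control-character exclusion only to the tail of the password: `.{7,}` consumes the first seven or more characters and Java's `.` matches `\t`, `\u000B` and `\f` (only line terminators are excluded), so `Aa1!\t\t\tx` satisfies `PASSWORD_REGEX` even though the trailing `[^\\r\\t\\v\\f\\n]+` reads as if those characters were banned. The literal `7` under a comment that says 8 is also exactly the off-by-one trap this commit is fixing. If those characters are meant to be rejected anywhere — presumably, given the trailing group — make the tail `[^\\r\\t\\v\\f\\n]{8,}$`, i.e. `"^(?=.*[\\p{Lower}])(?=.*[\\p{Upper}])(?=.*[\\p{Digit}])(?=.*[\\p{Punct}])[^\\r\\t\\v\\f\\n]{8,}$"`, so the minimum appears literally as 8 and the exclusion covers every position. Worth a comment too that `\p{Punct}` is the ASCII set `!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~` unless the pattern is compiled with `UNICODE_CHARACTER_CLASS`, so non-ASCII symbols do not count toward the symbol requirement.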
+++ b/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/directives/password.directive.js
@@ -18,7 +18,7 @@ angular.module('dashboardApp').directive('strongPassword', function () {
 require: 'ngModel',
 link: function (scope, element, attrs, ngModel) {
 ngModel.$parsers.unshift(function (viewValue) {
- var passwordStrengthRegex = /^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[(!"#$%&'()*+,-./:;<=>?@[\]\^ `{|}~)])([^\r\t\v\f\n]+).{8,}$/;
+ var passwordStrengthRegex = /^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[(!"#$%&'()*+,-./:;<=>?@[\]\^ `{|}~)])([^\r\t\v\f\n]+).{7,}$/;
 var isStrong = passwordStrengthRegex.test(viewValue);
 ngModel.$setValidity('strongPassword', isStrong);
diff --git a/iam-login-service/src/main/webapp/resources/iam/js/directive/password.directive.js b/iam-login-service/src/main/webapp/resources/iam/js/directive/password.directive.js
index b949da8a8..68963b429 100644
--- a/iam-login-service/src/main/webapp/resources/iam/js/directive/password.directive.js
+++ b/iam-login-service/src/main/webapp/resources/iam/js/directive/password.directive.js
@@ -18,7 +18,7 @@ angular.module('passwordResetApp').directive('strongPassword', function () {
 require: 'ngModel',
 link: function (scope, element, attrs, ngModel) {
 ngModel.$parsers.unshift(function (viewValue) {
- var passwordStrengthRegex = /^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[!"#$%&'()*+,-./:;<=>?@[\]\^ `{|}~]).{8,}([^\r\t\v\f\n]+)$/;
+ var passwordStrengthRegex = /^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[!"#$%&'()*+,-./:;<=>?@[\]\^ `{|}~]).{7,}([^\r\t\v\f\n]+)$/;
 var isStrong = passwordStrengthRegex.test(viewValue);
 ngModel.$setValidity('strongPassword', isStrong);
 return viewValue;
diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/api/account/password/PasswordUpdateTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/api/account/password/PasswordUpdateTests.java
index 7a5227358..00a941bed 100644
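Review bot: In the dashboard directive the exclusion of control characters covers only the leading run: `([^\r\t\v\f\n]+)` comes before `.{7,}`, and without the `s` flag JavaScript's `.` matches `\t`, `\v` and `\f` (only `\n`, `\r`, `\u2028` and `\u2029` are excluded), so `x\t\t\tAa1!` is reported as strong. Writing the tail as `[^\r\t\v\f\n]{8,}$` makes the literal minimum the 8 that users are prompted for and applies the exclusion to every character, which also removes the `.{N,}` plus `+` arithmetic that produced the off-by-one here. The symbol class also diverges from the server's `\p{Punct}` in RegexUtil from this same patch: it contains a space and lacks `_`, so a password whose only symbol is `_` is accepted by the server but flagged weak here, while one whose only symbol is a space passes this check and is then rejected by the backend. The enclosing `link` function and directive definition start before the hunk and continue after it.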
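Review bot: The password-reset directive keeps the `.{7,}([^\r\t\v\f\n]+)$` shape, so as on the server only the trailing character is checked against the control-character exclusion — JavaScript's `.` matches `\t`, `\v` and `\f` — and `Aa1!\t\t\tx` is reported as strong. This hunk is the third hand-maintained copy of the policy (the dashboard directive orders the same atoms differently and the Java side uses `\p{Punct}`), which is how an 8-versus-9 discrepancy can creep in unnoticed; I would write the tail as `[^\r\t\v\f\n]{8,}$` in both directives so the literal matches the prompt, and add `// Keep in sync with RegexUtil.PASSWORD_REGEX on the server, which is the authoritative check` above the regex. Note that the symbol class here lacks `_` and contains a space, unlike Java's `\p{Punct}`, so client and server can disagree on a password whose only symbol is one of those. The `link` function and directive definition begin before this hunk and continue after it.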
--- a/iam-login-service/src/test/java/it/infn/mw/iam/test/api/account/password/PasswordUpdateTests.java
+++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/api/account/password/PasswordUpdateTests.java
@@ -137,6 +137,29 @@ public void testUpdatePassword() {
 .getAccessToken();
 }
+ @Test
+ public void testUpdatePasswordWithMinLength() {
+
+ String currentPassword = "password";
+ String newPassword = "S3crP@ss";
+
+ String accessToken = passwordTokenGetter().port(iamPort)
+ .username(testUser.getUserName())
+ .password(currentPassword)
+ .getAccessToken();
+
+ doPost(accessToken, currentPassword, newPassword).statusCode(HttpStatus.OK.value());
+
+ passwordTokenGetter().port(iamPort)
+ .username(testUser.getUserName())
+ .password(newPassword)
+ .getAccessToken();
+
+ currentPassword = newPassword;
+ newPassword = "T0S#ort";
+ doPost(accessToken, currentPassword, newPassword).statusCode(HttpStatus.BAD_REQUEST.value());
+ }
+
 @Test
 public void testUpdatePasswordFullAuthenticationRequired() {
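Review bot: In `testUpdatePasswordWithMinLength` the 7-character `T0S#ort` does satisfy every character-class requirement, so length is the only reason for the rejection, but the second `doPost` asserts nothing beyond a 400 and therefore cannot distinguish the regex rejection from any other bad-request outcome of that call. If `doPost` returns a RestAssured `ValidatableResponse`, as the `.statusCode(...)` chain suggests, add `.body(containsString("at least 8 characters"))` so the assertion is tied to `PASSWORD_REGEX_MESSAGE_ERROR`. That call also reuses `accessToken`, which was issued against the old `"password"`, so the check depends on that token surviving the password change; obtaining a fresh token with `newPassword` before the second update keeps the two checks independent. The test further leaves the account's password set to `S3crP@ss`, so unless the fixture resets `testUser` between tests (not visible here) sibling tests that authenticate with `"password"` will break. The trailing context opens `testUpdatePasswordFullAuthenticationRequired`, whose body lies outside the hunk.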