From 57997d2c3c0c2ccfdf6db58a17384d87f658d4bd Mon Sep 17 00:00:00 2001
From: Yoshani
Date: Mon, 21 Oct 2024 18:49:48 +0530
Subject: [PATCH] handle username existence to prevent enumeration

---
.../recovery/IdentityRecoveryConstants.java | 1 +
.../connector/SelfRegistrationConfigImpl.java | 16 ++++++++++++++++
.../SelfRegistrationConfigImplTest.java | 8 ++++++++
3 files changed, 25 insertions(+)

diff --git a/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/IdentityRecoveryConstants.java b/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/IdentityRecoveryConstants.java
index 1b4faf3df7..4900306ca3 100644
--- a/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/IdentityRecoveryConstants.java
+++ b/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/IdentityRecoveryConstants.java
@@ -598,6 +598,7 @@ public static class ConnectorConfig {
"UseNumbersInOTP";
public static final String SELF_REGISTRATION_OTP_LENGTH = "SelfRegistration.OTP.OTPLength";
public static final String SEND_CONFIRMATION_NOTIFICATION = "SelfRegistration.SendConfirmationOnCreation";
+ public static final String HANDLE_EXISTING_USERNAME = "SelfRegistration.HandleExistingUsername";
public static final String SIGN_UP_NOTIFICATION_INTERNALLY_MANAGE = "SelfRegistration.Notification" + ".InternallyManage";
public static final String SELF_REGISTRATION_RE_CAPTCHA = "SelfRegistration.ReCaptcha";
diff --git a/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/connector/SelfRegistrationConfigImpl.java b/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/connector/SelfRegistrationConfigImpl.java
index e889530ec9..c1021243dd 100644
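Review bot: The added constant `HANDLE_EXISTING_USERNAME` carries no comment, so a reader of `ConnectorConfig` cannot tell that it is the switch behind the enumeration hardening named in the commit title, nor which flow it applies to. A one-line comment above it would close that gap, e.g. `// Self-registration: when "true", an attempt to register an already-taken username is meant to be handled like a new one so the response does not reveal whether the account exists.` The wording is taken from the connector description elsewhere in this patch; nothing in the patch itself reads the constant, so the actual behaviour has to be confirmed against the code that consumes it. The enclosing class `ConnectorConfig` begins before this hunk.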
--- a/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/connector/SelfRegistrationConfigImpl.java
+++ b/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/connector/SelfRegistrationConfigImpl.java
@@ -99,6 +99,8 @@ public Map getPropertyNameMapping() {
"OTP length");
nameMapping.put(IdentityRecoveryConstants.ConnectorConfig.SEND_CONFIRMATION_NOTIFICATION,
"Enable Account Confirmation On Creation");
+ nameMapping.put(IdentityRecoveryConstants.ConnectorConfig.HANDLE_EXISTING_USERNAME,
+ "Handle existing user name");
nameMapping.put(IdentityRecoveryConstants.ConnectorConfig.SIGN_UP_NOTIFICATION_INTERNALLY_MANAGE,
"Manage notifications sending internally");
nameMapping.put(IdentityRecoveryConstants.ConnectorConfig.SELF_REGISTRATION_RE_CAPTCHA, "Prompt reCaptcha");
@@ -144,6 +146,8 @@ public Map getPropertyDescriptionMapping() {
"Length of the OTP for SMS and e-mail verifications. OTP length must be 4-10.");
descriptionMapping.put(IdentityRecoveryConstants.ConnectorConfig.SEND_CONFIRMATION_NOTIFICATION,
"Enable user account confirmation when the user account is not locked on creation");
+ descriptionMapping.put(IdentityRecoveryConstants.ConnectorConfig.HANDLE_EXISTING_USERNAME,
+ "Adopt the same behavior for both existing and non-existing users in the system.");
descriptionMapping.put(IdentityRecoveryConstants.ConnectorConfig.SIGN_UP_NOTIFICATION_INTERNALLY_MANAGE,
"Disable if the client application handles notification sending");
descriptionMapping.put(IdentityRecoveryConstants.ConnectorConfig.SELF_REGISTRATION_RE_CAPTCHA,
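Review bot: The admin-facing description added in the second hunk, "Adopt the same behavior for both existing and non-existing users in the system.", does not say which behavior is meant or why an operator would want it, so the person deciding whether to enable this security control gets no hint that it exists to stop username enumeration. Something like `"Handle self-registration requests for an already existing username the same way as for a new one, so the response does not disclose whether the account exists."` states the purpose and the risk of leaving it off; the display name `"Handle existing user name"` in the first hunk could likewise name the flow, e.g. `"Prevent username enumeration on self registration"`. The test class in this patch asserts the same literal strings, so its expectations would need the matching change. Both enclosing methods end after their hunks.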
@@ -184,6 +188,7 @@ public String[] getPropertyNames() {
properties.add(IdentityRecoveryConstants.ConnectorConfig.SELF_REGISTRATION_USE_NUMBERS_IN_OTP);
properties.add(IdentityRecoveryConstants.ConnectorConfig.SELF_REGISTRATION_OTP_LENGTH);
properties.add(IdentityRecoveryConstants.ConnectorConfig.SEND_CONFIRMATION_NOTIFICATION);
+ properties.add(IdentityRecoveryConstants.ConnectorConfig.HANDLE_EXISTING_USERNAME);
properties.add(IdentityRecoveryConstants.ConnectorConfig.SIGN_UP_NOTIFICATION_INTERNALLY_MANAGE);
properties.add(IdentityRecoveryConstants.ConnectorConfig.SELF_REGISTRATION_RE_CAPTCHA);
properties.add(IdentityRecoveryConstants.ConnectorConfig.SELF_REGISTRATION_VERIFICATION_CODE_EXPIRY_TIME);
@@ -210,6 +215,7 @@ public Properties getDefaultPropertyValues(String tenantDomain) throws IdentityG
String useNumbersInOTP = StringUtils.EMPTY;
String otpLength = "6";
String enableSendNotificationOnCreation = "false";
+ String handleExistingUsername = "false";
String enableNotificationInternallyManage = "true";
String enableSelfRegistrationReCaptcha = "true";
String verificationCodeExpiryTime = "1440";
@@ -237,6 +243,8 @@ public Properties getDefaultPropertyValues(String tenantDomain) throws IdentityG
IdentityRecoveryConstants.ConnectorConfig.SELF_REGISTRATION_OTP_LENGTH);
String sendNotificationOnCreationProperty = IdentityUtil.getProperty(
IdentityRecoveryConstants.ConnectorConfig.SEND_CONFIRMATION_NOTIFICATION);
+ String handleExistingUsernameProperty = IdentityUtil.getProperty(
+ IdentityRecoveryConstants.ConnectorConfig.HANDLE_EXISTING_USERNAME);
String notificationInternallyMangedProperty = IdentityUtil.getProperty(
IdentityRecoveryConstants.ConnectorConfig.SIGN_UP_NOTIFICATION_INTERNALLY_MANAGE);
String reCaptchaProperty = IdentityUtil.getProperty(
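Review bot: The default `String handleExistingUsername = "false";` in the second hunk means the enumeration-safe behaviour this commit introduces is off in every deployment that does not explicitly opt in, which is the opposite of secure-by-default for a control whose only purpose is to stop information disclosure. If the default is deliberately `"false"` to keep existing self-registration responses unchanged for current installations, a comment on that line should say so, e.g. `// Defaults to "false" to preserve existing self-registration responses; enable to stop username enumeration.`; otherwise consider `"true"` (the test file's `testHandleExistingUsername` would follow). Either way the choice deserves a mention in the commit description. `getDefaultPropertyValues` starts and ends outside these hunks.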
@@ -282,6 +290,9 @@ public Properties getDefaultPropertyValues(String tenantDomain) throws IdentityG
if (StringUtils.isNotEmpty(sendNotificationOnCreationProperty)) {
enableSendNotificationOnCreation = sendNotificationOnCreationProperty;
}
+ if (StringUtils.isNotEmpty(handleExistingUsernameProperty)) {
+ handleExistingUsername = handleExistingUsernameProperty;
+ }
if (StringUtils.isNotEmpty(notificationInternallyMangedProperty)) {
enableNotificationInternallyManage = notificationInternallyMangedProperty;
}
@@ -329,6 +340,8 @@ public Properties getDefaultPropertyValues(String tenantDomain) throws IdentityG
otpLength);
defaultProperties.put(IdentityRecoveryConstants.ConnectorConfig.SEND_CONFIRMATION_NOTIFICATION,
enableSendNotificationOnCreation);
+ defaultProperties.put(IdentityRecoveryConstants.ConnectorConfig.HANDLE_EXISTING_USERNAME,
+ handleExistingUsername);
defaultProperties.put(IdentityRecoveryConstants.ConnectorConfig.SIGN_UP_NOTIFICATION_INTERNALLY_MANAGE,
enableNotificationInternallyManage);
defaultProperties.put(IdentityRecoveryConstants.ConnectorConfig.SELF_REGISTRATION_RE_CAPTCHA,
@@ -399,6 +412,9 @@ public Map getMetaData() {
meta.put(IdentityRecoveryConstants.ConnectorConfig.SEND_CONFIRMATION_NOTIFICATION,
getPropertyObject(IdentityMgtConstants.DataTypes.BOOLEAN.getValue()));
+ meta.put(IdentityRecoveryConstants.ConnectorConfig.HANDLE_EXISTING_USERNAME,
+ getPropertyObject(IdentityMgtConstants.DataTypes.BOOLEAN.getValue()));
+
meta.put(IdentityRecoveryConstants.ConnectorConfig.SIGN_UP_NOTIFICATION_INTERNALLY_MANAGE,
getPropertyObject(IdentityMgtConstants.DataTypes.BOOLEAN.getValue()));
diff --git a/components/org.wso2.carbon.identity.recovery/src/test/java/org/wso2/carbon/identity/recovery/connector/SelfRegistrationConfigImplTest.java b/components/org.wso2.carbon.identity.recovery/src/test/java/org/wso2/carbon/identity/recovery/connector/SelfRegistrationConfigImplTest.java
index 7465a1681a..2265901bff 100644
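Review bot: Nothing in this patch reads `HANDLE_EXISTING_USERNAME` once these hunks have stored it in the defaults and declared it BOOLEAN in `getMetaData`, so as committed the toggle is plumbing with no effect on self-registration, while the commit title promises that enumeration is prevented. If the enforcement lives in a separate commit or component, the commit description should name it so a reviewer can check the two agree on the property key `"SelfRegistration.HandleExistingUsername"` and on the `"true"`/`"false"` string values written here; if it does not exist yet, this change should not be described as preventing enumeration. A smaller point in the first hunk: the raw deployment value is copied through unchanged, so a misspelt value such as `"ture"` would presumably be treated as false by a `Boolean.parseBoolean` consumer and silently leave the protection off, which is worth a `// value is passed through verbatim; consumers must treat anything but "true" as disabled` note (this matches the sibling properties, so it is a remark rather than a defect of this patch). `getDefaultPropertyValues` and `getMetaData` both extend beyond these hunks.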
--- a/components/org.wso2.carbon.identity.recovery/src/test/java/org/wso2/carbon/identity/recovery/connector/SelfRegistrationConfigImplTest.java
+++ b/components/org.wso2.carbon.identity.recovery/src/test/java/org/wso2/carbon/identity/recovery/connector/SelfRegistrationConfigImplTest.java
@@ -108,6 +108,8 @@ public void testGetPropertyNameMapping() {
"OTP length");
nameMappingExpected.put(IdentityRecoveryConstants.ConnectorConfig.SEND_CONFIRMATION_NOTIFICATION,
"Enable Account Confirmation On Creation");
+ nameMappingExpected.put(IdentityRecoveryConstants.ConnectorConfig.HANDLE_EXISTING_USERNAME,
+ "Handle existing user name");
nameMappingExpected.put(IdentityRecoveryConstants.ConnectorConfig.SIGN_UP_NOTIFICATION_INTERNALLY_MANAGE,
"Manage notifications sending internally");
nameMappingExpected.put(IdentityRecoveryConstants.ConnectorConfig.SELF_REGISTRATION_RE_CAPTCHA, "Prompt reCaptcha");
@@ -155,6 +157,8 @@ public void testGetPropertyDescriptionMapping() {
"Length of the OTP for SMS and e-mail verifications. OTP length must be 4-10.");
descriptionMappingExpected.put(IdentityRecoveryConstants.ConnectorConfig.SEND_CONFIRMATION_NOTIFICATION,
"Enable user account confirmation when the user account is not locked on creation");
+ descriptionMappingExpected.put(IdentityRecoveryConstants.ConnectorConfig.HANDLE_EXISTING_USERNAME,
+ "Adopt the same behavior for both existing and non-existing users in the system.");
descriptionMappingExpected.put(IdentityRecoveryConstants.ConnectorConfig.SIGN_UP_NOTIFICATION_INTERNALLY_MANAGE,
"Disable if the client application handles notification sending");
descriptionMappingExpected.put(IdentityRecoveryConstants.ConnectorConfig.SELF_REGISTRATION_RE_CAPTCHA,
@@ -198,6 +202,7 @@ public void testGetPropertyNames() {
propertiesExpected.add(IdentityRecoveryConstants.ConnectorConfig.SELF_REGISTRATION_USE_NUMBERS_IN_OTP);
propertiesExpected.add(IdentityRecoveryConstants.ConnectorConfig.SELF_REGISTRATION_OTP_LENGTH);
propertiesExpected.add(IdentityRecoveryConstants.ConnectorConfig.SEND_CONFIRMATION_NOTIFICATION);
+ propertiesExpected.add(IdentityRecoveryConstants.ConnectorConfig.HANDLE_EXISTING_USERNAME);
propertiesExpected.add(IdentityRecoveryConstants.ConnectorConfig.SIGN_UP_NOTIFICATION_INTERNALLY_MANAGE);
propertiesExpected.add(IdentityRecoveryConstants.ConnectorConfig.SELF_REGISTRATION_RE_CAPTCHA);
propertiesExpected
@@ -231,6 +236,7 @@ public void testGetDefaultPropertyValues() throws IdentityGovernanceException {
String testUseNumbersInOTP = StringUtils.EMPTY;
String testOtpLength = "6";
String testEnableSendNotificationOnCreation = "false";
+ String testHandleExistingUsername = "false";
String testEnableNotificationInternallyManage = "true";
String testEnableSelfRegistrationReCaptcha = "true";
String testVerificationCodeExpiryTime = "1440";
@@ -258,6 +264,8 @@ public void testGetDefaultPropertyValues() throws IdentityGovernanceException {
testOtpLength);
propertiesExpected.put(IdentityRecoveryConstants.ConnectorConfig.SEND_CONFIRMATION_NOTIFICATION,
testEnableSendNotificationOnCreation);
+ propertiesExpected.put(IdentityRecoveryConstants.ConnectorConfig.HANDLE_EXISTING_USERNAME,
+ testHandleExistingUsername);
propertiesExpected.put(IdentityRecoveryConstants.ConnectorConfig.SIGN_UP_NOTIFICATION_INTERNALLY_MANAGE,
testEnableNotificationInternallyManage);
propertiesExpected.put(IdentityRecoveryConstants.ConnectorConfig.SELF_REGISTRATION_RE_CAPTCHA,
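Review bot: The only value these hunks pin for the new property is the built-in default `"false"` in `testGetDefaultPropertyValues`, so the one path that matters for the security control, a deployment setting `SelfRegistration.HandleExistingUsername` to `"true"` and `getDefaultPropertyValues` reporting it, is not exercised at all. If this test class already stubs `IdentityUtil.getProperty` for the sibling properties (it cannot be seen in this hunk), add the analogous case returning `"true"` for `HANDLE_EXISTING_USERNAME` and assert that the returned `Properties` carries `"true"`; if it does not, a short comment such as `// TODO: cover the configured-override path for HandleExistingUsername` at least records the gap. `testGetDefaultPropertyValues` continues beyond this hunk.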