(syncope) branch 3_0_X updated: [SYNCOPE-1937] fixes password history length management (#1256)

ilgrosso Fri, 05 Dec 2025 22:34:00 -0800

This is an automated email from the ASF dual-hosted git repository.

ilgrosso pushed a commit to branch 3_0_X
in repository https://gitbox.apache.org/repos/asf/syncope.git



The following commit(s) were added to refs/heads/3_0_X by this push:
     new 6266099fac [SYNCOPE-1937] fixes password history length management 
(#1256)
6266099fac is described below

commit 6266099faceed419a4d1c5f77bf6adbe272924ef
Author: Andrea Patricelli <[email protected]>
AuthorDate: Sat Dec 6 07:20:56 2025 +0100

    [SYNCOPE-1937] fixes password history length management (#1256)
---
 .../core/persistence/jpa/entity/user/JPAUser.java  |  3 +-
 .../core/persistence/jpa/inner/UserTest.java       | 43 ++++++++++++++++++++++
 2 files changed, 44 insertions(+), 2 deletions(-)

diff --git 
a/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/entity/user/JPAUser.java
 
b/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/entity/user/JPAUser.java
index 1efba4d64b..30ed932ab1 100644
--- 
a/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/entity/user/JPAUser.java
+++ 
b/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/entity/user/JPAUser.java
@@ -330,8 +330,7 @@ public class JPAUser
     @Override
     public void removeOldestEntriesFromPasswordHistory(final int n) {
         List<String> ph = getPasswordHistory();
-        ph.subList(n, ph.size());
-        passwordHistory = POJOHelper.serialize(ph);
+        passwordHistory = POJOHelper.serialize(ph.subList(Math.min(n, 
ph.size()), ph.size()));
     }
 
     @Override
diff --git 
a/core/persistence-jpa/src/test/java/org/apache/syncope/core/persistence/jpa/inner/UserTest.java
 
b/core/persistence-jpa/src/test/java/org/apache/syncope/core/persistence/jpa/inner/UserTest.java
index 9fc2e5e759..679982362f 100644
--- 
a/core/persistence-jpa/src/test/java/org/apache/syncope/core/persistence/jpa/inner/UserTest.java
+++ 
b/core/persistence-jpa/src/test/java/org/apache/syncope/core/persistence/jpa/inner/UserTest.java
@@ -18,6 +18,7 @@
  */
 package org.apache.syncope.core.persistence.jpa.inner;
 
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
@@ -25,10 +26,15 @@ import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
 import java.time.OffsetDateTime;
 import java.time.temporal.ChronoUnit;
 import java.util.List;
 import java.util.Optional;
+import javax.crypto.BadPaddingException;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
 import org.apache.syncope.common.lib.types.CipherAlgorithm;
 import org.apache.syncope.core.persistence.api.dao.DerSchemaDAO;
 import org.apache.syncope.core.persistence.api.dao.ExternalResourceDAO;
@@ -301,4 +307,41 @@ public class UserTest extends AbstractTest {
         assertNotNull(actual.getSecurityAnswer());
         assertTrue(Encryptor.getInstance().verify(securityAnswer, 
CipherAlgorithm.SSHA256, actual.getSecurityAnswer()));
     }
+
+    @Test
+    public void issueSYNCOPE1937()
+            throws NoSuchPaddingException, IllegalBlockSizeException, 
NoSuchAlgorithmException, BadPaddingException,
+            InvalidKeyException {
+        User user = entityFactory.newEntity(User.class);
+        user.setUsername("username");
+        user.setRealm(realmDAO.getRoot());
+        user.setCreator("admin");
+        user.setCreationDate(OffsetDateTime.now());
+
+        user.setCipherAlgorithm(CipherAlgorithm.SHA1);
+        user.setPassword("password123");
+
+        User actual = userDAO.save(user);
+
+        assertEquals(0, user.getPasswordHistory().size());
+
+        // add some other password to history
+        
user.addToPasswordHistory(encryptorManager.getInstance().encode("Password123!", 
CipherAlgorithm.SHA1));
+        
user.addToPasswordHistory(encryptorManager.getInstance().encode("Password124!", 
CipherAlgorithm.SHA1));
+        
user.addToPasswordHistory(encryptorManager.getInstance().encode("Password125!", 
CipherAlgorithm.SHA1));
+        
user.addToPasswordHistory(encryptorManager.getInstance().encode("Password126!", 
CipherAlgorithm.SHA1));
+        
user.addToPasswordHistory(encryptorManager.getInstance().encode("Password127!", 
CipherAlgorithm.SHA1));
+
+        assertEquals(5, user.getPasswordHistory().size());
+
+        // keep only the last three passwords into history
+        user.removeOldestEntriesFromPasswordHistory(2);
+
+        assertEquals(3, user.getPasswordHistory().size());
+
+        // try with an exceeding number
+        assertDoesNotThrow(() -> 
user.removeOldestEntriesFromPasswordHistory(user.getPasswordHistory().size() + 
5));
+
+        assertNotNull(actual);
+    }
 }

(syncope) branch 3_0_X updated: [SYNCOPE-1937] fixes password history length management (#1256)

Reply via email to