refactoring: moved password policy check before user info rest calls

application/src/main/java/org/thingsboard/server/service/security/auth/rest/RestAuthenticationProvider.java

@@ -36,11 +36,15 @@ import org.thingsboard.server.common.data.id.TenantId;
 import org.thingsboard.server.common.data.id.UserId;
 import org.thingsboard.server.common.data.security.Authority;
 import org.thingsboard.server.common.data.security.UserCredentials;
+import org.thingsboard.server.common.data.security.model.SecuritySettings;
+import org.thingsboard.server.common.data.security.model.UserPasswordPolicy;
 import org.thingsboard.server.dao.customer.CustomerService;
+import org.thingsboard.server.dao.exception.DataValidationException;
 import org.thingsboard.server.dao.user.UserService;
 import org.thingsboard.server.queue.util.TbCoreComponent;
 import org.thingsboard.server.service.security.auth.MfaAuthenticationToken;
 import org.thingsboard.server.service.security.auth.mfa.TwoFactorAuthService;
+import org.thingsboard.server.service.security.exception.UserPasswordNotValidException;
 import org.thingsboard.server.service.security.model.SecurityUser;
 import org.thingsboard.server.service.security.model.UserPrincipal;
 import org.thingsboard.server.service.security.system.SystemSecurityService;
@@ -83,6 +87,17 @@ public class RestAuthenticationProvider implements AuthenticationProvider {
         if (userPrincipal.getType() == UserPrincipal.Type.USER_NAME) {
             String username = userPrincipal.getValue();
             String password = (String) authentication.getCredentials();
+
+            SecuritySettings securitySettings = systemSecurityService.getSecuritySettings(null);
+            UserPasswordPolicy passwordPolicy = securitySettings.getPasswordPolicy();
+            if (Boolean.TRUE.equals(passwordPolicy.getForceUserToResetPasswordIfNotValid())) {
+                try {
+                    systemSecurityService.validatePasswordByPolicy(password, passwordPolicy);
+                } catch (DataValidationException e) {
+                    throw new UserPasswordNotValidException("The entered password violates our policies. If this is your real password, please reset it.");
+                }
+            }
+
             securityUser = authenticateByUsernameAndPassword(authentication, userPrincipal, username, password);
             if (twoFactorAuthService.isTwoFaEnabled(securityUser.getTenantId(), securityUser.getId())) {
                 return new MfaAuthenticationToken(securityUser);

application/src/main/java/org/thingsboard/server/service/security/exception/UserPasswordNotValidException.java

@@ -15,9 +15,9 @@
  */
 package org.thingsboard.server.service.security.exception;
 
-import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.authentication.AccountStatusException;
 
-public class UserPasswordNotValidException extends AuthenticationException {
+public class UserPasswordNotValidException extends AccountStatusException {
 
     public UserPasswordNotValidException(String msg) {
         super(msg);

application/src/main/java/org/thingsboard/server/service/security/system/DefaultSystemSecurityService.java

@@ -133,19 +133,9 @@ public class DefaultSystemSecurityService implements SystemSecurityService {
 
     @Override
     public void validateUserCredentials(TenantId tenantId, UserCredentials userCredentials, String username, String password) throws AuthenticationException {
-        SecuritySettings securitySettings = self.getSecuritySettings(tenantId);
-        UserPasswordPolicy passwordPolicy = securitySettings.getPasswordPolicy();
-
-        if (!tenantId.isSysTenantId() && Boolean.TRUE.equals(passwordPolicy.getForceUserToResetPasswordIfNotValid())) {
-            try {
-                validatePasswordByPolicy(password, passwordPolicy);
-            } catch (DataValidationException e) {
-                throw new UserPasswordNotValidException("The entered password violates our policies. If this is your real password, please reset it.");
-
-            }
-        }
         if (!encoder.matches(password, userCredentials.getPassword())) {
             int failedLoginAttempts = userService.increaseFailedLoginAttempts(tenantId, userCredentials.getUserId());
+            SecuritySettings securitySettings = self.getSecuritySettings(tenantId);
             if (securitySettings.getMaxFailedLoginAttempts() != null && securitySettings.getMaxFailedLoginAttempts() > 0) {
                 if (failedLoginAttempts > securitySettings.getMaxFailedLoginAttempts() && userCredentials.isEnabled()) {
                     lockAccount(userCredentials.getUserId(), username, securitySettings.getUserLockoutNotificationEmail(), securitySettings.getMaxFailedLoginAttempts());
@@ -161,6 +151,7 @@ public class DefaultSystemSecurityService implements SystemSecurityService {
 
         userService.resetFailedLoginAttempts(tenantId, userCredentials.getUserId());
 
+        SecuritySettings securitySettings = self.getSecuritySettings(tenantId);
         if (isPositiveInteger(securitySettings.getPasswordPolicy().getPasswordExpirationPeriodDays())) {
             if ((userCredentials.getCreatedTime()
                     + TimeUnit.DAYS.toMillis(securitySettings.getPasswordPolicy().getPasswordExpirationPeriodDays()))
@@ -227,7 +218,8 @@ public class DefaultSystemSecurityService implements SystemSecurityService {
         }
     }
 
-    private void validatePasswordByPolicy(String password, UserPasswordPolicy passwordPolicy) {
+    @Override
+    public void validatePasswordByPolicy(String password, UserPasswordPolicy passwordPolicy) {
         List<Rule> passwordRules = new ArrayList<>();
 
         Integer maximumLength = passwordPolicy.getMaximumLength();

application/src/main/java/org/thingsboard/server/service/security/system/SystemSecurityService.java

@@ -22,6 +22,7 @@ import org.thingsboard.server.common.data.id.CustomerId;
 import org.thingsboard.server.common.data.id.TenantId;
 import org.thingsboard.server.common.data.security.UserCredentials;
 import org.thingsboard.server.common.data.security.model.SecuritySettings;
+import org.thingsboard.server.common.data.security.model.UserPasswordPolicy;
 import org.thingsboard.server.common.data.security.model.mfa.PlatformTwoFaSettings;
 import org.thingsboard.server.dao.exception.DataValidationException;
 import org.thingsboard.server.service.security.model.SecurityUser;
@@ -34,6 +35,8 @@ public interface SystemSecurityService {
 
     SecuritySettings saveSecuritySettings(TenantId tenantId, SecuritySettings securitySettings);
 
+    void validatePasswordByPolicy(String password, UserPasswordPolicy passwordPolicy);
+
     void validateUserCredentials(TenantId tenantId, UserCredentials userCredentials, String username, String password) throws AuthenticationException;
 
     void validateTwoFaVerification(SecurityUser securityUser, boolean verificationSuccess, PlatformTwoFaSettings twoFaSettings);