From 5260f31c57cb8ede6c55bd5216cb8694d0b749df Mon Sep 17 00:00:00 2001
From: Carlos Ruiz
Date: Fri, 14 Dec 2018 14:10:10 +0100
Subject: [PATCH] IDEMPIERE-2558 don't allow use old password when change password / fix daysReuse=0 means this feature is not used / do not save password history if not configured / warning on log when saving plain passwords
---
 .../org/compiere/model/MPasswordHistory.java | 9 +++--
 .../src/org/compiere/model/MUser.java | 35 +++++++++----------
 2 files changed, 23 insertions(+), 21 deletions(-)
diff --git a/org.adempiere.base/src/org/compiere/model/MPasswordHistory.java b/org.adempiere.base/src/org/compiere/model/MPasswordHistory.java
index f32e93cdb5..e257a3ca42 100644
--- a/org.adempiere.base/src/org/compiere/model/MPasswordHistory.java
+++ b/org.adempiere.base/src/org/compiere/model/MPasswordHistory.java
@@ -1,18 +1,18 @@
 package org.compiere.model;
 import java.sql.ResultSet;
+import java.util.ArrayList;
 import java.util.List;
 import java.util.Properties;
 import org.compiere.util.Env;
 public class MPasswordHistory extends X_AD_Password_History {
-
 /**
 *
 */
- private static final long serialVersionUID = 3480028808276906947L;
-
+ private static final long serialVersionUID = 8602148028134601856L;
+
 public MPasswordHistory(Properties ctx, int AD_Password_History_ID, String trxName) {
 super(ctx, AD_Password_History_ID, trxName);
@@ -35,6 +35,9 @@ public class MPasswordHistory extends X_AD_Password_History {
 * @return
 */
 public static List getPasswordHistoryForCheck (int daysReuse, int userId){
+ if (daysReuse <= 0) {
+ return new ArrayList();
+ }
 StringBuilder whereClause = new StringBuilder()
 .append("SYSDATE-")
 .append(daysReuse)
diff --git a/org.adempiere.base/src/org/compiere/model/MUser.java b/org.adempiere.base/src/org/compiere/model/MUser.java
index 05ce2ac997..21555e5d8e 100644
--- a/org.adempiere.base/src/org/compiere/model/MUser.java
+++ b/org.adempiere.base/src/org/compiere/model/MUser.java
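Review bot: The early `return new ArrayList();` added to getPasswordHistoryForCheck in MPasswordHistory.java is undocumented, and the Javadoc directly above it still ends in an empty `@return`. Suggest filling it in, e.g. `@return history entries from the last daysReuse days; an empty list when daysReuse <= 0 (reuse check disabled)`. The MUser.java hunk at -907,14 also removes the fallback that added the current password when this list came back empty, so pwdrule.validate now receives an empty history in that case. If changing to the same password should still be rejected, that comparison would have to be made in the caller, and a test for it would be worth adding. The method body continues outside the hunk.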
@@ -907,14 +907,6 @@ public class MUser extends X_AD_User
 MPasswordRule pwdrule = MPasswordRule.getRules(getCtx(), get_TrxName());
 if (pwdrule != null){
 List passwordHistorys = MPasswordHistory.getPasswordHistoryForCheck(pwdrule.getDays_Reuse_Password(), this.getAD_User_ID());
- // for long time user don't use this system, because all password in history table is out of check range. but we will want new password must difference latest password
- if (passwordHistorys.size() == 0 && !this.is_new() && this.get_ValueOld(MUser.COLUMNNAME_Password) != null){
- Object oldSalt = this.get_ValueOld(MUser.COLUMNNAME_Salt);
- Object oldPassword = this.get_ValueOld(MUser.COLUMNNAME_Password);
-
- MPasswordHistory latestPassword = new MPasswordHistory(oldSalt == null?null:oldSalt.toString(), oldPassword == null?null:oldPassword.toString());
- passwordHistorys.add(latestPassword);
- }
 pwdrule.validate((getLDAPUser() != null ? getLDAPUser() : getName()), getPassword(), passwordHistorys);
 }
 setDatePasswordChanged(new Timestamp(new Date().getTime()));
@@ -1055,17 +1047,24 @@ public class MUser extends X_AD_User
 @Override
 protected boolean afterSave(boolean newRecord, boolean success) {
 if (getPassword() != null && getPassword().length() > 0 && (newRecord || is_ValueChanged("Password"))) {
- MPasswordHistory passwordHistory = new MPasswordHistory(this.getCtx(), 0, this.get_TrxName());
- passwordHistory.setSalt(this.getSalt());
- passwordHistory.setPassword(this.getPassword());
- // http://wiki.idempiere.org/en/System_user
- if (!this.is_new() && this.getAD_User_ID() == 0){
- passwordHistory.set_Value(MPasswordHistory.COLUMNNAME_AD_User_ID, 0);
- }else{
- passwordHistory.setAD_User_ID(this.getAD_User_ID());
+ MPasswordRule pwdrule = MPasswordRule.getRules(getCtx(), get_TrxName());
+ if (pwdrule != null && pwdrule.getDays_Reuse_Password() > 0) {
+ boolean hash_password = MSysConfig.getBooleanValue(MSysConfig.USER_PASSWORD_HASH, false);
+ if (! hash_password) {
+ log.severe("Saving password history: it is strongly encouraged to save password history just when using hashed passwords - WARNING! table AD_Password_History is possibly keeping plain passwords");
+ }
+ MPasswordHistory passwordHistory = new MPasswordHistory(this.getCtx(), 0, this.get_TrxName());
+ passwordHistory.setSalt(this.getSalt());
+ passwordHistory.setPassword(this.getPassword());
+ // http://wiki.idempiere.org/en/System_user
+ if (!this.is_new() && this.getAD_User_ID() == 0){
+ passwordHistory.set_Value(MPasswordHistory.COLUMNNAME_AD_User_ID, 0);
+ }else{
+ passwordHistory.setAD_User_ID(this.getAD_User_ID());
+ }
+ passwordHistory.setDatePasswordChanged(this.getUpdated());
+ passwordHistory.saveEx();
 }
- passwordHistory.setDatePasswordChanged(this.getUpdated());
- passwordHistory.saveEx();
 }
 return super.afterSave(newRecord, success);
 }
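Review bot: In afterSave the history row is still written when USER_PASSWORD_HASH is false, so the new `log.severe` call only reports that another plaintext copy of the password is going into AD_Password_History; it does not prevent it. Those rows are kept separately from AD_User, so earlier plaintext passwords presumably stay readable there after the user has changed them. Consider skipping the history write when hashing is off, e.g. `if (!hash_password) { log.severe(...); return super.afterSave(newRecord, success); }`. If the history must be kept in that configuration, a comment above the check should say so and state that the table then needs the same access restrictions as the password column itself. The message also fires on every password save, so a one-time or startup-time check may be easier for operators to act on.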