feat: 新增密码策略-密码重复使用规则

continew-org · May 16, 2024 · 3994142 · 3994142
1 parent 79d0101
commit 3994142
Show file tree

Hide file tree

Showing 15 changed files with 276 additions and 16 deletions.
diff --git a/...dmin-system/src/main/java/top/continew/admin/system/mapper/UserPasswordHistoryMapper.java b/...dmin-system/src/main/java/top/continew/admin/system/mapper/UserPasswordHistoryMapper.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (c) 2022-present Charles7c Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http:https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package top.continew.admin.system.mapper;
+
+import org.apache.ibatis.annotations.Param;
+import top.continew.starter.data.mybatis.plus.base.BaseMapper;
+import top.continew.admin.system.model.entity.UserPasswordHistoryDO;
+
+/**
+ * 用户历史密码 Mapper
+ *
+ * @author Charles7c
+ * @since 2024/5/16 21:58
+ */
+public interface UserPasswordHistoryMapper extends BaseMapper<UserPasswordHistoryDO> {
+
+ /**
+ * 删除过期历史密码
+ *
+ * @param userId 用户 ID
+ * @param count 保留 N 个历史
+ */
+ void deleteExpired(@Param("userId") Long userId, @Param("count") int count);
+}
diff --git a/continew-admin-system/src/main/java/top/continew/admin/system/model/entity/FileDO.java b/continew-admin-system/src/main/java/top/continew/admin/system/model/entity/FileDO.java
@@ -17,8 +17,6 @@
 package top.continew.admin.system.model.entity;
 
 import cn.hutool.core.util.StrUtil;
-import com.baomidou.mybatisplus.annotation.IdType;
-import com.baomidou.mybatisplus.annotation.TableId;
 import com.baomidou.mybatisplus.annotation.TableName;
 import lombok.Data;
 import org.dromara.x.file.storage.core.FileInfo;
@@ -43,9 +41,6 @@ public class FileDO extends BaseDO {
  @Serial
  private static final long serialVersionUID = 1L;
 
- @TableId(type = IdType.ASSIGN_ID)
- private Long id;
-
  /**
  * 名称
  */

diff --git a/...in-system/src/main/java/top/continew/admin/system/model/entity/UserPasswordHistoryDO.java b/...in-system/src/main/java/top/continew/admin/system/model/entity/UserPasswordHistoryDO.java
@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 2022-present Charles7c Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http:https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package top.continew.admin.system.model.entity;
+
+import com.baomidou.mybatisplus.annotation.*;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+
+import java.io.Serial;
+import java.io.Serializable;
+import java.time.LocalDateTime;
+
+/**
+ * 用户历史密码实体
+ *
+ * @author Charles7c
+ * @since 2024/5/16 21:58
+ */
+@Data
+@NoArgsConstructor
+@TableName("sys_user_password_history")
+public class UserPasswordHistoryDO implements Serializable {
+
+ @Serial
+ private static final long serialVersionUID = 1L;
+
+ /**
+ * ID
+ */
+ @TableId(type = IdType.ASSIGN_ID)
+ private Long id;
+
+ /**
+ * 用户 ID
+ */
+ private Long userId;
+
+ /**
+ * 密码
+ */
+ private String password;
+
+ /**
+ * 创建时间
+ */
+ @TableField(fill = FieldFill.INSERT)
+ private LocalDateTime createTime;
+
+ public UserPasswordHistoryDO(Long userId, String password) {
+ this.userId = userId;
+ this.password = password;
+ }
+}
diff --git a/continew-admin-system/src/main/java/top/continew/admin/system/service/RoleDeptService.java b/continew-admin-system/src/main/java/top/continew/admin/system/service/RoleDeptService.java
@@ -31,7 +31,7 @@ public interface RoleDeptService {
  *
  * @param deptIds 部门 ID 列表
  * @param roleId 角色 ID
- * @return true：成功；false：无变更/失败
+ * @return 是否新增成功（true：成功；false：无变更/失败）
  */
  boolean add(List<Long> deptIds, Long roleId);
 

diff --git a/continew-admin-system/src/main/java/top/continew/admin/system/service/RoleMenuService.java b/continew-admin-system/src/main/java/top/continew/admin/system/service/RoleMenuService.java
@@ -31,7 +31,7 @@ public interface RoleMenuService {
  *
  * @param menuIds 菜单 ID 列表
  * @param roleId 角色 ID
- * @return true：成功；false：无变更/失败
+ * @return 是否新增成功（true：成功；false：无变更/失败）
  */
  boolean add(List<Long> menuIds, Long roleId);
 

diff --git a/...in-system/src/main/java/top/continew/admin/system/service/UserPasswordHistoryService.java b/...in-system/src/main/java/top/continew/admin/system/service/UserPasswordHistoryService.java
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2022-present Charles7c Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http:https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package top.continew.admin.system.service;
+
+/**
+ * 用户历史密码业务接口
+ *
+ * @author Charles7c
+ * @since 2024/5/16 21:58
+ */
+public interface UserPasswordHistoryService {
+
+ /**
+ * 新增
+ *
+ * @param userId 用户 ID
+ * @param password 密码
+ * @param count 保留 N 个历史
+ */
+ void add(Long userId, String password, int count);
+
+ /**
+ * 密码是否为重复使用
+ *
+ * @param userId 用户 ID
+ * @param password 密码
+ * @param count 最近 N 次
+ * @return 是否为重复使用
+ */
+ boolean isPasswordReused(Long userId, String password, int count);
+}
diff --git a/continew-admin-system/src/main/java/top/continew/admin/system/service/UserRoleService.java b/continew-admin-system/src/main/java/top/continew/admin/system/service/UserRoleService.java
@@ -31,7 +31,7 @@ public interface UserRoleService {
  *
  * @param roleIds 角色 ID 列表
  * @param userId 用户 ID
- * @return true：成功；false：无变更/失败
+ * @return 是否新增成功（true：成功；false：无变更/失败）
  */
  boolean add(List<Long> roleIds, Long userId);
 
@@ -54,7 +54,7 @@ public interface UserRoleService {
  * 根据角色 ID 判断是否已被用户关联
  *
  * @param roleIds 角色 ID 列表
- * @return true：已关联；false：未关联
+ * @return 是否已关联（true：已关联；false：未关联）
  */
  boolean isRoleIdExists(List<Long> roleIds);
 }
diff --git a/continew-admin-system/src/main/java/top/continew/admin/system/service/UserService.java b/continew-admin-system/src/main/java/top/continew/admin/system/service/UserService.java
@@ -145,5 +145,5 @@ public interface UserService extends BaseService<UserResp, UserDetailResp, UserQ
  * @param pwdResetTime 上次重置密码时间
  * @return 是否过期
  */
- Boolean isPasswordExpired(LocalDateTime pwdResetTime);
+ boolean isPasswordExpired(LocalDateTime pwdResetTime);
 }
diff --git a/.../src/main/java/top/continew/admin/system/service/impl/UserPasswordHistoryServiceImpl.java b/.../src/main/java/top/continew/admin/system/service/impl/UserPasswordHistoryServiceImpl.java
@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 2022-present Charles7c Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http:https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package top.continew.admin.system.service.impl;
+
+import cn.hutool.core.collection.CollUtil;
+import lombok.RequiredArgsConstructor;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
+import top.continew.admin.system.mapper.UserPasswordHistoryMapper;
+import top.continew.admin.system.model.entity.UserPasswordHistoryDO;
+import top.continew.admin.system.service.UserPasswordHistoryService;
+
+import java.util.List;
+
+/**
+ * 用户历史密码业务实现
+ *
+ * @author Charles7c
+ * @since 2024/5/16 21:58
+ */
+@Service
+@RequiredArgsConstructor
+public class UserPasswordHistoryServiceImpl implements UserPasswordHistoryService {
+
+ private final UserPasswordHistoryMapper baseMapper;
+ private final PasswordEncoder passwordEncoder;
+
+ @Override
+ @Transactional(rollbackFor = Exception.class)
+ public void add(Long userId, String password, int count) {
+ baseMapper.insert(new UserPasswordHistoryDO(userId, password));
+ // 删除过期历史密码
+ baseMapper.deleteExpired(userId, count);
+ }
+
+ @Override
+ public boolean isPasswordReused(Long userId, String password, int count) {
+ // 查询近 N 个历史密码
+ List<UserPasswordHistoryDO> list = baseMapper.lambdaQuery()
+ .select(UserPasswordHistoryDO::getPassword)
+ .eq(UserPasswordHistoryDO::getUserId, userId)
+ .orderByDesc(UserPasswordHistoryDO::getCreateTime)
+ .last("LIMIT %s".formatted(count))
+ .list();
+ if (CollUtil.isEmpty(list)) {
+ return false;
+ }
+ // 校验是否重复使用历史密码
+ List<String> passwordList = list.stream().map(UserPasswordHistoryDO::getPassword).toList();
+ return passwordList.stream().anyMatch(p -> passwordEncoder.matches(password, p));
+ }
+}
diff --git a/...ew-admin-system/src/main/java/top/continew/admin/system/service/impl/UserServiceImpl.java b/...ew-admin-system/src/main/java/top/continew/admin/system/service/impl/UserServiceImpl.java
@@ -88,6 +88,7 @@ public class UserServiceImpl extends BaseServiceImpl<UserMapper, UserDO, UserRes
  private final FileStorageService fileStorageService;
  private final PasswordEncoder passwordEncoder;
  private final OptionService optionService;
+ private final UserPasswordHistoryService userPasswordHistoryService;
  @Resource
  private DeptService deptService;
  @Value("${avatar.support-suffix}")
@@ -192,6 +193,7 @@ public void updateBasicInfo(UserBasicInfoUpdateReq req, Long id) {
  }
 
  @Override
+ @Transactional(rollbackFor = Exception.class)
  public void updatePassword(String oldPassword, String newPassword, Long id) {
  CheckUtils.throwIfEqual(newPassword, oldPassword, "新密码不能与当前密码相同");
  UserDO user = super.getById(id);
@@ -200,16 +202,17 @@ public void updatePassword(String oldPassword, String newPassword, Long id) {
  CheckUtils.throwIf(!passwordEncoder.matches(oldPassword, password), "当前密码错误");
  }
  // 校验密码合法性
- this.checkPassword(newPassword, user);
+ int passwordReusePolicy = this.checkPassword(newPassword, user);
  // 更新密码和密码重置时间
  user.setPassword(newPassword);
  user.setPwdResetTime(LocalDateTime.now());
  baseMapper.updateById(user);
- onlineUserService.cleanByUserId(user.getId());
+ // 保存历史密码
+ userPasswordHistoryService.add(id, password, passwordReusePolicy);
  }
 
  @Override
- public Boolean isPasswordExpired(LocalDateTime pwdResetTime) {
+ public boolean isPasswordExpired(LocalDateTime pwdResetTime) {
  // 永久有效
  int passwordExpirationDays = optionService.getValueByCode2Int(PASSWORD_EXPIRATION_DAYS.name());
  if (passwordExpirationDays <= SysConstants.NO) {
@@ -343,7 +346,7 @@ protected void afterAdd(UserReq req, UserDO user) {
  * @param password 密码
  * @param user 用户信息
  */
- private void checkPassword(String password, UserDO user) {
+ private int checkPassword(String password, UserDO user) {
  // 密码最小长度
  int passwordMinLength = optionService.getValueByCode2Int(PASSWORD_MIN_LENGTH.name());
  ValidationUtils.throwIf(StrUtil.length(password) < passwordMinLength, PASSWORD_MIN_LENGTH.getDescription()
@@ -362,6 +365,12 @@ private void checkPassword(String password, UserDO user) {
  int passwordContainSpecialChar = optionService.getValueByCode2Int(PASSWORD_CONTAIN_SPECIAL_CHARACTERS.name());
  ValidationUtils.throwIf(passwordContainSpecialChar == SysConstants.YES && !ReUtil
  .isMatch(RegexConstants.SPECIAL_CHARACTER, password), PASSWORD_CONTAIN_SPECIAL_CHARACTERS.getDescription());
+ // 密码重复使用规则
+ int passwordReusePolicy = optionService.getValueByCode2Int(PASSWORD_REUSE_POLICY.name());
+ ValidationUtils.throwIf(userPasswordHistoryService.isPasswordReused(user
+ .getId(), password, passwordReusePolicy), PASSWORD_REUSE_POLICY.getDescription()
+ .formatted(passwordReusePolicy));
+ return passwordReusePolicy;
  }
 
  /**

diff --git a/continew-admin-system/src/main/resources/mapper/UserPasswordHistoryMapper.xml b/continew-admin-system/src/main/resources/mapper/UserPasswordHistoryMapper.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http:https://mybatis.org/dtd/mybatis-3-mapper.dtd" >
+<mapper namespace="top.continew.admin.system.mapper.UserPasswordHistoryMapper">
+ <delete id="deleteExpired">
+ DELETE FROM sys_user_password_history
+ WHERE id NOT IN (
+ SELECT * FROM (
+ SELECT id
+ FROM sys_user_password_history
+ WHERE user_id = #{userId}
+ ORDER BY create_time DESC
+ LIMIT #{count}
+ ) t1
+ )
+ </delete>
+</mapper>
diff --git a/continew-admin-webapi/src/main/resources/db/changelog/mysql/continew-admin_data.sql b/continew-admin-webapi/src/main/resources/db/changelog/mysql/continew-admin_data.sql
@@ -121,7 +121,7 @@ VALUES
 ('密码有效期（天）', 'PASSWORD_EXPIRATION_DAYS', NULL, '0', '取值范围为 0-999（0 表示永久有效）。', NULL, NULL),
 ('密码重复使用规则', 'PASSWORD_REUSE_POLICY', NULL, '5', '不允许使用最近 N 次密码，取值范围为 3-32。', NULL, NULL),
 ('密码最小长度', 'PASSWORD_MIN_LENGTH', NULL, '8', '取值范围为 8-32。', NULL, NULL),
-('密码是否允许包含正反序账号名', 'PASSWORD_ALLOW_CONTAIN_USERNAME', NULL, '0', '', NULL, NULL),
+('密码是否允许包含正反序账号名', 'PASSWORD_ALLOW_CONTAIN_USERNAME', NULL, '1', '', NULL, NULL),
 ('密码是否必须包含特殊字符', 'PASSWORD_CONTAIN_SPECIAL_CHARACTERS', NULL, '0', '', NULL, NULL);
 
 -- 初始化默认字典

diff --git a/continew-admin-webapi/src/main/resources/db/changelog/mysql/continew-admin_table.sql b/continew-admin-webapi/src/main/resources/db/changelog/mysql/continew-admin_table.sql
@@ -95,6 +95,15 @@ CREATE TABLE IF NOT EXISTS `sys_user` (
  INDEX `idx_update_user`(`update_user`) USING BTREE
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COMMENT='用户表';
 
+CREATE TABLE IF NOT EXISTS `sys_user_password_history` (
+ `id` bigint(20) NOT NULL COMMENT 'ID',
+ `user_id` bigint(20) NOT NULL COMMENT '用户ID',
+ `password` varchar(255) NOT NULL COMMENT '密码',
+ `create_time` datetime NOT NULL COMMENT '创建时间',
+ PRIMARY KEY (`id`) USING BTREE,
+ INDEX `idx_user_id`(`user_id`) USING BTREE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COMMENT='用户历史密码表';
+
 CREATE TABLE IF NOT EXISTS `sys_user_social` (
  `source` varchar(255) NOT NULL COMMENT '来源',
  `open_id` varchar(255) NOT NULL COMMENT '开放ID',

diff --git a/continew-admin-webapi/src/main/resources/db/changelog/postgresql/continew-admin_data.sql b/continew-admin-webapi/src/main/resources/db/changelog/postgresql/continew-admin_data.sql
@@ -121,7 +121,7 @@ VALUES
 ('密码有效期（天）', 'PASSWORD_EXPIRATION_DAYS', NULL, '0', '取值范围为 0-999（0 表示永久有效）。', NULL, NULL),
 ('密码重复使用规则', 'PASSWORD_REUSE_POLICY', NULL, '5', '不允许使用最近 N 次密码，取值范围为 3-32。', NULL, NULL),
 ('密码最小长度', 'PASSWORD_MIN_LENGTH', NULL, '8', '取值范围为 8-32。', NULL, NULL),
-('密码是否允许包含正反序账号名', 'PASSWORD_ALLOW_CONTAIN_USERNAME', NULL, '0', '', NULL, NULL),
+('密码是否允许包含正反序账号名', 'PASSWORD_ALLOW_CONTAIN_USERNAME', NULL, '1', '', NULL, NULL),
 ('密码是否必须包含特殊字符', 'PASSWORD_CONTAIN_SPECIAL_CHARACTERS', NULL, '0', '', NULL, NULL);
 
 -- 初始化默认字典