Manage security question for reset password on syncope (apereo#7378)

alberto-bogi · alberto bogi · mmoayyed · web-flow · commit 2f68b70957a9 · 2025-08-11T20:33:52.000+04:00
Co-authored-by: alberto bogi &lt;alberto.bogi@tirasa.net&gt;
Co-authored-by: Misagh Moayyed &lt;mm1844@gmail.com&gt;
diff --git a/ci/tests/puppeteer/scenarios/pm-reset-password-syncope/script.js b/ci/tests/puppeteer/scenarios/pm-reset-password-syncope/script.js
@@ -51,6 +51,12 @@ const cas = require("../../cas.js");
     await cas.goto(page, link);
     await cas.sleep(2000);
 
+    await cas.assertInnerText(page, "#content h2", "Answer Security Questions");
+
+    await cas.type(page, "#q0", "Rome", true);
+    await cas.pressEnter(page);
+    await cas.waitForNavigation(page);
+    await cas.sleep(2000);
     await cas.assertInnerText(page, "#pwdmain h3", `Hello, ${username}. You must change your password.`);
 
     newPassword = await cas.randomWord();
diff --git a/ci/tests/puppeteer/scenarios/pm-reset-password-syncope/script.json b/ci/tests/puppeteer/scenarios/pm-reset-password-syncope/script.json
@@ -27,7 +27,6 @@
     "--cas.authn.pm.reset.mail.text=${url}",
     "--cas.authn.pm.reset.mail.subject=Reset",
     "--cas.authn.pm.reset.mail.attribute-name=mail",
-    "--cas.authn.pm.reset.security-questions-enabled=false",
 
     "--cas.authn.pm.syncope.basic-auth-username=admin",
     "--cas.authn.pm.syncope.basic-auth-password=password",
diff --git a/ci/tests/syncope/docker-compose.yml b/ci/tests/syncope/docker-compose.yml
@@ -10,7 +10,7 @@ services:
   syncope:
     depends_on:
       - db
-    image: apache/syncope:4.0.0
+    image: apache/syncope:4.1.0-SNAPSHOT
     ports:
       - "18080:8080"
     restart: always
@@ -31,7 +31,7 @@ services:
   syncope-console:
     depends_on:
       - syncope
-    image: apache/syncope-console:4.0.0
+    image: apache/syncope-console:4.1.0-SNAPSHOT
     ports:
       - "28080:8080"
     restart: always
diff --git a/ci/tests/syncope/run-syncope-server.sh b/ci/tests/syncope/run-syncope-server.sh
@@ -261,6 +261,8 @@ for i in {0..4}; do
     "username": '\""syncopepasschange${suffix}\""',
     "password": "Sync0pe",
     "mustChangePassword": true,
+    "securityQuestion": "'"${SECURITY_QUESTION_KEY}"'",
+    "securityAnswer": "Rome",
     "plainAttrs": [
       {
         "schema": "email",
diff --git a/core/cas-server-core-util-api/src/main/java/org/apereo/cas/util/http/HttpRequestUtils.java b/core/cas-server-core-util-api/src/main/java/org/apereo/cas/util/http/HttpRequestUtils.java
@@ -52,11 +52,17 @@ public class HttpRequestUtils {
         result.setHeaders(response.getHeaders());
         result.setLocale(ObjectUtils.getIfNull(response.getLocale(), Locale.getDefault()));
         result.setVersion(ObjectUtils.getIfNull(response.getVersion(), HttpVersion.HTTP_1_1));
-        val output = new ByteArrayOutputStream();
-        response.getEntity().writeTo(output);
-        val contentTypeHeader = response.getFirstHeader(HttpHeaders.CONTENT_TYPE);
-        val contentType = contentTypeHeader != null ? contentTypeHeader.getValue() : ContentType.APPLICATION_JSON.getMimeType();
-        result.setEntity(new ByteArrayEntity(output.toByteArray(), ContentType.parseLenient(contentType)));
+
+        val entity = response.getEntity();
+        if (entity != null) {
+            try (val output = new ByteArrayOutputStream()) {
+                entity.writeTo(output);
+                val contentTypeHeader = response.getFirstHeader(HttpHeaders.CONTENT_TYPE);
+                val contentType = contentTypeHeader != null ? contentTypeHeader.getValue() : ContentType.APPLICATION_JSON.getMimeType();
+                result.setEntity(new ByteArrayEntity(output.toByteArray(), ContentType.parseLenient(contentType)));
+            }
+        }
+
         return result;
     };
     
diff --git a/support/cas-server-support-pm-webflow/src/test/java/org/apereo/cas/pm/web/flow/actions/PasswordChangeActionTests.java b/support/cas-server-support-pm-webflow/src/test/java/org/apereo/cas/pm/web/flow/actions/PasswordChangeActionTests.java
@@ -120,5 +120,4 @@ void verifyCurrentPasswordWrong() throws Throwable {
         PasswordManagementWebflowUtils.putPasswordResetUsername(context, changeReq.getUsername());
         assertEquals(CasWebflowConstants.TRANSITION_ID_ERROR, passwordChangeAction.execute(context).getId());
     }
-
 }
diff --git a/support/cas-server-support-syncope-authentication/src/main/java/org/apereo/cas/syncope/pm/SyncopePasswordManagementService.java b/support/cas-server-support-syncope-authentication/src/main/java/org/apereo/cas/syncope/pm/SyncopePasswordManagementService.java
@@ -18,7 +18,9 @@
 import lombok.val;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.Strings;
+import org.apache.commons.lang3.tuple.Pair;
 import org.apache.hc.core5.http.HttpEntityContainer;
+import org.apache.hc.core5.http.HttpResponse;
 import org.apache.hc.core5.http.HttpStatus;
 import org.apache.hc.core5.http.io.entity.EntityUtils;
 import org.springframework.http.HttpHeaders;
@@ -196,6 +198,33 @@ public boolean unlockAccount(final Credential credential) throws Throwable {
         return false;
     }
 
+    @Override
+    public boolean isAnswerValidForSecurityQuestion(final PasswordManagementQuery query, final String question, final String knownAnswer, final String givenAnswer) {
+        HttpResponse response = null;
+        try {
+            val userSecurityAnswerUrl = Strings.CI.appendIfMissing(SpringExpressionLanguageValueResolver.getInstance()
+                .resolve(casProperties.getAuthn().getPm().getSyncope().getUrl()),
+            "/rest/users/verifySecurityAnswer");
+
+            LOGGER.debug("Check security answer validity for user [{}]", query.getUsername());
+            val exec = HttpExecutionRequest.builder().method(HttpMethod.POST).url(userSecurityAnswerUrl)
+                .basicAuthUsername(casProperties.getAuthn().getPm().getSyncope().getBasicAuthUsername())
+                .basicAuthPassword(casProperties.getAuthn().getPm().getSyncope().getBasicAuthPassword())
+                .headers(Map.of(
+                    SyncopeUtils.SYNCOPE_HEADER_DOMAIN, casProperties.getAuthn().getPm().getSyncope().getDomain(),
+                    HttpHeaders.ACCEPT, MediaType.APPLICATION_JSON_VALUE,
+                    HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE))
+                .parameters(Map.of("username", query.getUsername()))
+                .entity(givenAnswer)
+                .maximumRetryAttempts(casProperties.getAuthn().getSyncope().getMaxRetryAttempts())
+                .build();
+            response = Objects.requireNonNull(HttpUtils.execute(exec));
+            return org.springframework.http.HttpStatus.resolve(response.getCode()).is2xxSuccessful();
+        } finally {
+            HttpUtils.close(response);
+        }
+    }
+
     protected String fetchSyncopeUserKey(final String username) {
         val query = PasswordManagementQuery.builder().username(username).build();
         return searchUser(query)

Original file line number	Diff line number	Diff line change
`@@ -261,6 +261,8 @@ for i in {0..4}; do`
`261`	`261`	`"username": '\""syncopepasschange${suffix}\""',`
`262`	`262`	`"password": "Sync0pe",`
`263`	`263`	`"mustChangePassword": true,`
	`264`	`+ "securityQuestion": "'"${SECURITY_QUESTION_KEY}"'",`
	`265`	`+ "securityAnswer": "Rome",`
`264`	`266`	`"plainAttrs": [`
`265`	`267`	`{`
`266`	`268`	`"schema": "email",`
Original file line number	Diff line number	Diff line change
`@@ -120,5 +120,4 @@ void verifyCurrentPasswordWrong() throws Throwable {`
`120`	`120`	`PasswordManagementWebflowUtils.putPasswordResetUsername(context, changeReq.getUsername());`
`121`	`121`	`assertEquals(CasWebflowConstants.TRANSITION_ID_ERROR, passwordChangeAction.execute(context).getId());`
`122`	`122`	`}`
`123`		`-`
`124`	`123`	`}`