
Example 56 with ChaiUnavailableException

use of com.novell.ldapchai.exception.ChaiUnavailableException in project pwm by pwm-project.

the class OtpService method validateToken.

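/**
 * Checks a user-supplied OTP value against the user's stored OTP record.
 *
 * <p>The TOTP value is checked first. If it does not match and {@code allowRecoveryCodes}
 * is set, the input is compared against the user's recovery codes (both the raw stored
 * value and the result of {@link #doRecoveryHash}). A matching recovery code is marked as
 * used and the record is written back before {@code true} is returned.
 *
 * @param sessionLabel       label used for log output
 * @param userIdentity       the user whose record is being checked
 * @param otpUserRecord      the stored OTP record (secret, type, recovery codes)
 * @param userInput          the value supplied by the user; {@code null}/empty never validates
 * @param allowRecoveryCodes whether recovery codes are accepted when the TOTP check fails
 * @return {@code true} if the input matched the current TOTP value or an unused recovery code
 * @throws PwmOperationalException   if the input matched a recovery code that was already used
 * @throws PwmUnrecoverableException if the updated record could not be written back
 */
public boolean validateToken(final SessionLabel sessionLabel, final UserIdentity userIdentity, final OTPUserRecord otpUserRecord, final String userInput, final boolean allowRecoveryCodes) throws PwmOperationalException, PwmUnrecoverableException {
    // An absent or empty token can never be a valid TOTP value or recovery code.
    if (userInput == null || userInput.isEmpty()) {
        return false;
    }
    boolean otpCorrect = false;
    try {
        final Base32 base32 = new Base32();
        final byte[] rawSecret = base32.decode(otpUserRecord.getSecret());
        final Mac mac = Mac.getInstance("HMACSHA1");
        mac.init(new SecretKeySpec(rawSecret, ""));
        final PasscodeGenerator generator = new PasscodeGenerator(mac, settings.getOtpTokenLength(), settings.getTotpIntervalSeconds());
        switch (otpUserRecord.getType()) {
            case TOTP:
                otpCorrect = generator.verifyTimeoutCode(userInput, settings.getTotpPastIntervals(), settings.getTotpFutureIntervals());
                break;
            default:
                throw new UnsupportedOperationException("OTP type not supported: " + otpUserRecord.getType());
        }
    } catch (Exception e) {
        // Deliberately best-effort: any failure here (undecodable secret, unsupported type, ...)
        // is treated as "TOTP did not match" so the recovery-code path below can still run.
        LOGGER.error(sessionLabel, "error checking otp secret: " + e.getMessage());
    }
    if (!otpCorrect && allowRecoveryCodes && otpUserRecord.getRecoveryCodes() != null && otpUserRecord.getRecoveryInfo() != null) {
        final OTPUserRecord.RecoveryInfo recoveryInfo = otpUserRecord.getRecoveryInfo();
        final String userHashedInput = doRecoveryHash(userInput, recoveryInfo);
        for (final OTPUserRecord.RecoveryCode code : otpUserRecord.getRecoveryCodes()) {
            // NOTE(review): the raw input is compared with the stored value as well as its hash,
            // presumably for records whose recovery codes were stored unhashed - confirm this is
            // still required, since it means the stored value itself is accepted as a code.
            if (recoveryCodeMatches(code.getHashCode(), userInput) || recoveryCodeMatches(code.getHashCode(), userHashedInput)) {
                if (code.isUsed()) {
                    throw new PwmOperationalException(PwmError.ERROR_OTP_RECOVERY_USED, "recovery code has been previously used");
                }
                // Mark the code as consumed and persist that before reporting success, so a
                // successfully used code cannot be presented again.
                code.setUsed(true);
                try {
                    pwmApplication.getOtpService().writeOTPUserConfiguration(null, userIdentity, otpUserRecord);
                } catch (ChaiUnavailableException e) {
                    throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_WRITING_OTP_SECRET, e.getMessage()));
                }
                otpCorrect = true;
            }
        }
    }
    return otpCorrect;
}

/**
 * Compares a stored recovery-code value with a candidate without short-circuiting on the
 * first differing byte; {@code null} on either side never matches.
 *
 * @param stored    the value held in the user's record
 * @param candidate the value derived from the user's input
 * @return {@code true} if both are non-null and byte-for-byte equal
 */
private static boolean recoveryCodeMatches(final String stored, final String candidate) {
    if (stored == null || candidate == null) {
        return false;
    }
    return java.security.MessageDigest.isEqual(
            stored.getBytes(java.nio.charset.StandardCharsets.UTF_8),
            candidate.getBytes(java.nio.charset.StandardCharsets.UTF_8));
}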

Example 57 with ChaiUnavailableException

use of com.novell.ldapchai.exception.ChaiUnavailableException in project pwm by pwm-project.

the class LdapOtpOperator method clearOtpUserConfiguration.

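/**
 * Removes the user's stored OTP secret from the configured LDAP attribute.
 *
 * <p>When {@code pwmSession} is supplied the delete is performed as the session's actor,
 * otherwise through the application's proxied connection.
 *
 * @param pwmSession   the acting session, or {@code null} to use the proxy user
 * @param userIdentity the user whose OTP secret is cleared
 * @param userGuid     not used by this (LDAP) storage backend
 * @throws PwmUnrecoverableException if the storage attribute is not configured, the directory
 *                                   is unavailable, or the delete fails
 */
@Override
public void clearOtpUserConfiguration(final PwmSession pwmSession, final UserIdentity userIdentity, final String userGuid) throws PwmUnrecoverableException {
    final Configuration config = pwmApplication.getConfig();
    final LdapProfile ldapProfile = config.getLdapProfiles().get(userIdentity.getLdapProfileID());
    final String ldapStorageAttribute = ldapProfile.readSettingAsString(PwmSetting.OTP_SECRET_LDAP_ATTRIBUTE);
    if (ldapStorageAttribute == null || ldapStorageAttribute.isEmpty()) {
        final String errorMsg = "ldap storage attribute is not configured, unable to clear OTP secret";
        throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_INVALID_CONFIG, errorMsg));
    }
    try {
        final ChaiUser theUser = pwmSession == null
                ? pwmApplication.getProxiedChaiUser(userIdentity)
                : pwmSession.getSessionManager().getActor(pwmApplication, userIdentity);
        theUser.deleteAttribute(ldapStorageAttribute, null);
        LOGGER.info("cleared OTP secret for user to chai-ldap format");
    } catch (ChaiOperationException e) {
        final String errorMsg = e.getErrorCode() == ChaiError.NO_ACCESS
                ? "permission error clearing OTP secret to ldap attribute '" + ldapStorageAttribute + "', user does not appear to have correct permissions to clear OTP secret: " + e.getMessage()
                : "error clearing OTP secret to ldap attribute '" + ldapStorageAttribute + "': " + e.getMessage();
        final PwmUnrecoverableException pwmOE = new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_WRITING_OTP_SECRET, errorMsg));
        pwmOE.initCause(e);
        throw pwmOE;
    } catch (ChaiUnavailableException e) {
        // Keep the directory exception as the cause so the failure is diagnosable, matching the
        // ChaiOperationException branch above.
        final PwmUnrecoverableException pwmOE = new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_DIRECTORY_UNAVAILABLE, e.getMessage()));
        pwmOE.initCause(e);
        throw pwmOE;
    }
}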

Example 58 with ChaiUnavailableException

use of com.novell.ldapchai.exception.ChaiUnavailableException in project pwm by pwm-project.

the class LdapOtpOperator method readOtpUserConfiguration.

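/**
 * Reads the user's OTP secret from the configured LDAP attribute and instantiates the
 * corresponding {@link OTPUserRecord}.
 *
 * <p>If {@link PwmSetting#OTP_SECRET_ENCRYPT} is enabled the raw attribute value is passed
 * through {@link #decryptAttributeValue} before being decomposed.
 *
 * @param userIdentity the user whose OTP record is read
 * @param userGUID     not used by this (LDAP) storage backend
 * @return the stored record, or {@code null} if the attribute holds no value
 * @throws PwmUnrecoverableException if the storage attribute is not configured, the directory
 *                                   is unavailable, or the value cannot be read or decoded
 */
@Override
public OTPUserRecord readOtpUserConfiguration(final UserIdentity userIdentity, final String userGUID) throws PwmUnrecoverableException {
    final Configuration config = getPwmApplication().getConfig();
    final LdapProfile ldapProfile = config.getLdapProfiles().get(userIdentity.getLdapProfileID());
    final String ldapStorageAttribute = ldapProfile.readSettingAsString(PwmSetting.OTP_SECRET_LDAP_ATTRIBUTE);
    if (ldapStorageAttribute == null || ldapStorageAttribute.isEmpty()) {
        final String errorMsg = "ldap storage attribute is not configured, unable to read OTP secret";
        throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_INVALID_CONFIG, errorMsg));
    }
    try {
        final ChaiUser theUser = pwmApplication.getProxiedChaiUser(userIdentity);
        String value = theUser.readStringAttribute(ldapStorageAttribute);
        if (config.readSettingAsBoolean(PwmSetting.OTP_SECRET_ENCRYPT)) {
            value = decryptAttributeValue(value);
        }
        // An absent attribute value means no OTP record exists for this user.
        return value == null ? null : decomposeOtpAttribute(value);
    } catch (ChaiUnavailableException e) {
        // Directory outages get their own error code (as in clearOtpUserConfiguration) rather
        // than ERROR_UNKNOWN, and the original exception is kept as the cause.
        final String errorMsg = "unexpected LDAP error reading OTP secret: " + e.getMessage();
        final PwmUnrecoverableException pwmUE = new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_DIRECTORY_UNAVAILABLE, errorMsg));
        pwmUE.initCause(e);
        throw pwmUE;
    } catch (ChaiOperationException e) {
        final String errorMsg = "unexpected LDAP error reading OTP secret: " + e.getMessage();
        final PwmUnrecoverableException pwmUE = new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_UNKNOWN, errorMsg));
        pwmUE.initCause(e);
        throw pwmUE;
    } catch (PwmOperationalException e) {
        final String errorMsg = "unexpected error reading OTP secret: " + e.getMessage();
        final PwmUnrecoverableException pwmUE = new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_UNKNOWN, errorMsg));
        pwmUE.initCause(e);
        throw pwmUE;
    }
}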

Example 59 with ChaiUnavailableException

use of com.novell.ldapchai.exception.ChaiUnavailableException in project pwm by pwm-project.

the class RestVerifyOtpServer method doSetOtpDataJson.

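/**
 * REST handler: verifies a one-time-password token for the requested (or calling) user.
 *
 * <p>The token and username are accepted either in the JSON body or as the {@code token}
 * and {@code username} request parameters. Recovery codes are not accepted by this endpoint.
 *
 * @param restRequest the incoming request
 * @return a success result whose data is {@code true} if the token verified and {@code false}
 *         otherwise (including when the user has no OTP record), or an error result if the
 *         OTP record could not be read or verified
 * @throws IOException               if the request body cannot be read
 * @throws PwmUnrecoverableException if the directory is unavailable or the user cannot be resolved
 */
@RestMethodHandler(method = HttpMethod.POST, consumes = HttpContentType.json, produces = HttpContentType.json)
public RestResultBean doSetOtpDataJson(final RestRequest restRequest) throws IOException, PwmUnrecoverableException {
    final RestVerifyOtpServer.JsonPutOtpInput jsonInput = readOtpInput(restRequest);
    final TargetUserIdentity targetUserIdentity = RestUtility.resolveRequestedUsername(restRequest, jsonInput.getUsername());
    try {
        final OtpService otpService = restRequest.getPwmApplication().getOtpService();
        final OTPUserRecord otpUserRecord = otpService.readOTPUserConfiguration(restRequest.getSessionLabel(), targetUserIdentity.getUserIdentity());
        // A user without an OTP record cannot verify; recovery codes are deliberately not
        // accepted here (last argument is false).
        final boolean verified = otpUserRecord != null && otpService.validateToken(restRequest.getSessionLabel(), targetUserIdentity.getUserIdentity(), otpUserRecord, jsonInput.getToken(), false);
        StatisticsManager.incrementStat(restRequest.getPwmApplication(), Statistic.REST_VERIFYOTP);
        return RestResultBean.forSuccessMessage(verified, restRequest, Message.Success_Unknown);
    } catch (ChaiUnavailableException e) {
        throw PwmUnrecoverableException.fromChaiException(e);
    } catch (PwmOperationalException e) {
        // Only the OTP read/verify calls are inside the try; the JSON input was already parsed.
        final String errorMsg = "unexpected error verifying otp token: " + e.getMessage();
        final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_UNKNOWN, errorMsg);
        return RestResultBean.fromError(restRequest, errorInformation);
    }
}

/**
 * Builds the request input from the JSON body (which may be absent) merged with the
 * {@code token} and {@code username} request parameters.
 *
 * @param restRequest the incoming request
 * @return the merged input
 * @throws IOException               if the request body cannot be read
 * @throws PwmUnrecoverableException if the body or parameters cannot be processed
 */
private static RestVerifyOtpServer.JsonPutOtpInput readOtpInput(final RestRequest restRequest) throws IOException, PwmUnrecoverableException {
    final RestVerifyOtpServer.JsonPutOtpInput jsonBody = RestUtility.deserializeJsonBody(restRequest, RestVerifyOtpServer.JsonPutOtpInput.class, RestUtility.Flag.AllowNullReturn);
    final String token = RestUtility.readValueFromJsonAndParam(jsonBody == null ? null : jsonBody.getToken(), restRequest.readParameterAsString("token"), "token");
    final String username = RestUtility.readValueFromJsonAndParam(jsonBody == null ? null : jsonBody.getUsername(), restRequest.readParameterAsString("username"), "username");
    return new RestVerifyOtpServer.JsonPutOtpInput(token, username);
}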

Example 60 with ChaiUnavailableException

use of com.novell.ldapchai.exception.ChaiUnavailableException in project pwm by pwm-project.

the class RestVerifyResponsesServer method doSetChallengeDataJson.

/**
 * REST handler: tests the supplied challenge/response answers against the user's stored
 * response set and reports whether they match.
 *
 * @param restRequest the incoming request (JSON body with username and responses; the
 *                    username may also be given as the {@code username} parameter)
 * @return a success result whose data is {@code true} when the responses verified
 * @throws IOException               if the request body cannot be read
 * @throws PwmUnrecoverableException if the directory is unavailable or the user cannot be resolved
 */
@RestMethodHandler(method = HttpMethod.POST, consumes = HttpContentType.json, produces = HttpContentType.json)
public RestResultBean doSetChallengeDataJson(final RestRequest restRequest) throws IOException, PwmUnrecoverableException {
    final Instant begin = Instant.now();
    final JsonPutChallengesInput input = RestUtility.deserializeJsonBody(restRequest, JsonPutChallengesInput.class);
    final String bodyUsername = input.getUsername();
    final String paramUsername = restRequest.readParameterAsString("username", PwmHttpRequestWrapper.Flag.BypassValidation);
    final String requestedUsername = RestUtility.readValueFromJsonAndParam(bodyUsername, paramUsername, "username");
    final TargetUserIdentity target = RestUtility.resolveRequestedUsername(restRequest, requestedUsername);
    final String targetDescription = target.isSelf() ? "self" : target.getUserIdentity().toDisplayString();
    LOGGER.debug(restRequest.getSessionLabel(), "beginning /verifyresponses REST service against " + targetDescription);
    try {
        final ResponseSet stored = restRequest.getPwmApplication().getCrService().readUserResponseSet(restRequest.getSessionLabel(), target.getUserIdentity(), target.getChaiUser());
        final boolean verified = stored.test(input.toCrMap());
        final RestResultBean result = RestResultBean.forSuccessMessage(verified, restRequest, Message.Success_Unknown);
        final String elapsed = TimeDuration.fromCurrent(begin).asCompactString();
        LOGGER.debug(restRequest.getSessionLabel(), "completed /verifyresponses REST service in " + elapsed + ", response: " + JsonUtil.serialize(result));
        return result;
    } catch (ChaiUnavailableException e) {
        throw PwmUnrecoverableException.fromChaiException(e);
    }
}
