Search in sources :

Example 1 with MustChangePasswordException

use of org.apache.archiva.redback.policy.MustChangePasswordException in project archiva by apache.

the class ArchivaDavResourceFactory method isAuthorized.

protected boolean isAuthorized(DavServletRequest request, String repositoryId) throws DavException {
    try {
        AuthenticationResult result = httpAuth.getAuthenticationResult(request, null);
        SecuritySession securitySession = httpAuth.getSecuritySession(request.getSession(true));
        return // 
        servletAuth.isAuthenticated(request, result) && // 
        servletAuth.isAuthorized(// 
        request, // 
        securitySession, // 
        repositoryId, WebdavMethodUtil.getMethodPermission(request.getMethod()));
    } catch (AuthenticationException e) {
        // safety check for MRM-911
        String guest = UserManager.GUEST_USERNAME;
        try {
            if (servletAuth.isAuthorized(guest, ((ArchivaDavResourceLocator) request.getRequestLocator()).getRepositoryId(), WebdavMethodUtil.getMethodPermission(request.getMethod()))) {
                return true;
            }
        } catch (UnauthorizedException ae) {
            throw new UnauthorizedDavException(repositoryId, "You are not authenticated and authorized to access any repository.");
        }
        throw new UnauthorizedDavException(repositoryId, "You are not authenticated");
    } catch (MustChangePasswordException e) {
        throw new UnauthorizedDavException(repositoryId, "You must change your password.");
    } catch (AccountLockedException e) {
        throw new UnauthorizedDavException(repositoryId, "User account is locked.");
    } catch (AuthorizationException e) {
        throw new DavException(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Fatal Authorization Subsystem Error.");
    } catch (UnauthorizedException e) {
        throw new UnauthorizedDavException(repositoryId, e.getMessage());
    }
}
Also used : MustChangePasswordException(org.apache.archiva.redback.policy.MustChangePasswordException) AccountLockedException(org.apache.archiva.redback.policy.AccountLockedException) AuthenticationException(org.apache.archiva.redback.authentication.AuthenticationException) AuthorizationException(org.apache.archiva.redback.authorization.AuthorizationException) DavException(org.apache.jackrabbit.webdav.DavException) SecuritySession(org.apache.archiva.redback.system.SecuritySession) UnauthorizedException(org.apache.archiva.redback.authorization.UnauthorizedException) AuthenticationResult(org.apache.archiva.redback.authentication.AuthenticationResult)

Example 2 with MustChangePasswordException

use of org.apache.archiva.redback.policy.MustChangePasswordException in project archiva by apache.

the class ArchivaDavSessionProvider method attachSession.

@Override
public boolean attachSession(WebdavRequest request) throws DavException {
    final String repositoryId = RepositoryPathUtil.getRepositoryName(removeContextPath(request));
    try {
        AuthenticationResult result = httpAuth.getAuthenticationResult(request, null);
        // Create a dav session
        request.setDavSession(new ArchivaDavSession());
        return servletAuth.isAuthenticated(request, result);
    } catch (AuthenticationException e) {
        // safety check for MRM-911
        String guest = UserManager.GUEST_USERNAME;
        try {
            if (servletAuth.isAuthorized(guest, ((ArchivaDavResourceLocator) request.getRequestLocator()).getRepositoryId(), WebdavMethodUtil.getMethodPermission(request.getMethod()))) {
                request.setDavSession(new ArchivaDavSession());
                return true;
            }
        } catch (UnauthorizedException ae) {
            throw new UnauthorizedDavException(repositoryId, "You are not authenticated and authorized to access any repository.");
        }
        throw new UnauthorizedDavException(repositoryId, "You are not authenticated.");
    } catch (MustChangePasswordException e) {
        throw new UnauthorizedDavException(repositoryId, "You must change your password.");
    } catch (AccountLockedException e) {
        throw new UnauthorizedDavException(repositoryId, "User account is locked.");
    }
}
Also used : MustChangePasswordException(org.apache.archiva.redback.policy.MustChangePasswordException) AccountLockedException(org.apache.archiva.redback.policy.AccountLockedException) AuthenticationException(org.apache.archiva.redback.authentication.AuthenticationException) UnauthorizedException(org.apache.archiva.redback.authorization.UnauthorizedException) AuthenticationResult(org.apache.archiva.redback.authentication.AuthenticationResult)

Example 3 with MustChangePasswordException

use of org.apache.archiva.redback.policy.MustChangePasswordException in project archiva by apache.

the class ArchivaUserManagerAuthenticator method authenticate.

@Override
public AuthenticationResult authenticate(AuthenticationDataSource ds) throws AuthenticationException, AccountLockedException, MustChangePasswordException {
    boolean authenticationSuccess = false;
    String username = null;
    Exception resultException = null;
    PasswordBasedAuthenticationDataSource source = (PasswordBasedAuthenticationDataSource) ds;
    List<AuthenticationFailureCause> authnResultErrors = new ArrayList<>();
    for (UserManager userManager : userManagers) {
        try {
            log.debug("Authenticate: {} with userManager: {}", source, userManager.getId());
            User user = userManager.findUser(source.getUsername());
            username = user.getUsername();
            if (user.isLocked()) {
                // throw new AccountLockedException( "Account " + source.getUsername() + " is locked.", user );
                AccountLockedException e = new AccountLockedException("Account " + source.getUsername() + " is locked.", user);
                log.warn("{}", e.getMessage());
                resultException = e;
                authnResultErrors.add(new AuthenticationFailureCause(AuthenticationConstants.AUTHN_LOCKED_USER_EXCEPTION, e.getMessage()));
            }
            if (user.isPasswordChangeRequired() && source.isEnforcePasswordChange()) {
                // throw new MustChangePasswordException( "Password expired.", user );
                MustChangePasswordException e = new MustChangePasswordException("Password expired.", user);
                log.warn("{}", e.getMessage());
                resultException = e;
                authnResultErrors.add(new AuthenticationFailureCause(AuthenticationConstants.AUTHN_MUST_CHANGE_PASSWORD_EXCEPTION, e.getMessage()));
            }
            PasswordEncoder encoder = securityPolicy.getPasswordEncoder();
            log.debug("PasswordEncoder: {}", encoder.getClass().getName());
            boolean isPasswordValid = encoder.isPasswordValid(user.getEncodedPassword(), source.getPassword());
            if (isPasswordValid) {
                log.debug("User {} provided a valid password", source.getUsername());
                try {
                    securityPolicy.extensionPasswordExpiration(user);
                    authenticationSuccess = true;
                    // REDBACK-151 do not make unnessesary updates to the user object
                    if (user.getCountFailedLoginAttempts() > 0) {
                        user.setCountFailedLoginAttempts(0);
                        if (!userManager.isReadOnly()) {
                            userManager.updateUser(user);
                        }
                    }
                    return new AuthenticationResult(true, source.getUsername(), null);
                } catch (MustChangePasswordException e) {
                    user.setPasswordChangeRequired(true);
                    // throw e;
                    resultException = e;
                    authnResultErrors.add(new AuthenticationFailureCause(AuthenticationConstants.AUTHN_MUST_CHANGE_PASSWORD_EXCEPTION, e.getMessage()).user(user));
                }
            } else {
                log.warn("Password is Invalid for user {} and userManager '{}'.", source.getUsername(), userManager.getId());
                authnResultErrors.add(new AuthenticationFailureCause(AuthenticationConstants.AUTHN_NO_SUCH_USER, "Password is Invalid for user " + source.getUsername() + ".").user(user));
                try {
                    securityPolicy.extensionExcessiveLoginAttempts(user);
                } finally {
                    if (!userManager.isReadOnly()) {
                        userManager.updateUser(user);
                    }
                }
            // return new AuthenticationResult( false, source.getUsername(), null, authnResultExceptionsMap );
            }
        } catch (UserNotFoundException e) {
            log.warn("Login for user {} and userManager {} failed. user not found.", source.getUsername(), userManager.getId());
            resultException = e;
            authnResultErrors.add(new AuthenticationFailureCause(AuthenticationConstants.AUTHN_NO_SUCH_USER, "Login for user " + source.getUsername() + " failed. user not found."));
        } catch (Exception e) {
            log.warn("Login for user {} and userManager {} failed, message: {}", source.getUsername(), userManager.getId(), e.getMessage());
            e.printStackTrace();
            resultException = e;
            authnResultErrors.add(new AuthenticationFailureCause(AuthenticationConstants.AUTHN_RUNTIME_EXCEPTION, "Login for user " + source.getUsername() + " failed, message: " + e.getMessage()));
        }
    }
    return new AuthenticationResult(authenticationSuccess, username, resultException, authnResultErrors);
}
Also used : UserNotFoundException(org.apache.archiva.redback.users.UserNotFoundException) AccountLockedException(org.apache.archiva.redback.policy.AccountLockedException) User(org.apache.archiva.redback.users.User) PasswordEncoder(org.apache.archiva.redback.policy.PasswordEncoder) ArrayList(java.util.ArrayList) RepositoryAdminException(org.apache.archiva.admin.model.RepositoryAdminException) AuthenticationException(org.apache.archiva.redback.authentication.AuthenticationException) UserNotFoundException(org.apache.archiva.redback.users.UserNotFoundException) AccountLockedException(org.apache.archiva.redback.policy.AccountLockedException) MustChangePasswordException(org.apache.archiva.redback.policy.MustChangePasswordException) AuthenticationResult(org.apache.archiva.redback.authentication.AuthenticationResult) MustChangePasswordException(org.apache.archiva.redback.policy.MustChangePasswordException) AuthenticationFailureCause(org.apache.archiva.redback.authentication.AuthenticationFailureCause) UserManager(org.apache.archiva.redback.users.UserManager) PasswordBasedAuthenticationDataSource(org.apache.archiva.redback.authentication.PasswordBasedAuthenticationDataSource)

Example 4 with MustChangePasswordException

use of org.apache.archiva.redback.policy.MustChangePasswordException in project archiva by apache.

the class RssFeedServlet method doGet.

@Override
public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
    String repoId = null;
    String groupId = null;
    String artifactId = null;
    String url = StringUtils.removeEnd(req.getRequestURL().toString(), "/");
    if (StringUtils.countMatches(StringUtils.substringAfter(url, "feeds/"), "/") > 0) {
        artifactId = StringUtils.substringAfterLast(url, "/");
        groupId = StringUtils.substringBeforeLast(StringUtils.substringAfter(url, "feeds/"), "/");
        groupId = StringUtils.replaceChars(groupId, '/', '.');
    } else if (StringUtils.countMatches(StringUtils.substringAfter(url, "feeds/"), "/") == 0) {
        // we receive feeds?babla=ded which is not correct
        if (StringUtils.countMatches(url, "feeds?") > 0) {
            res.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid request url.");
            return;
        }
        repoId = StringUtils.substringAfterLast(url, "/");
    } else {
        res.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid request url.");
        return;
    }
    RssFeedProcessor processor = null;
    try {
        Map<String, String> map = new HashMap<>();
        SyndFeed feed = null;
        if (isAllowed(req, repoId, groupId, artifactId)) {
            if (repoId != null) {
                // new artifacts in repo feed request
                processor = newArtifactsprocessor;
                map.put(RssFeedProcessor.KEY_REPO_ID, repoId);
            } else if ((groupId != null) && (artifactId != null)) {
                // TODO: this only works for guest - we could pass in the list of repos
                // new versions of artifact feed request
                processor = newVersionsprocessor;
                map.put(RssFeedProcessor.KEY_GROUP_ID, groupId);
                map.put(RssFeedProcessor.KEY_ARTIFACT_ID, artifactId);
            }
        } else {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED, USER_NOT_AUTHORIZED);
            return;
        }
        RepositorySession repositorySession = repositorySessionFactory.createSession();
        try {
            feed = processor.process(map, repositorySession.getRepository());
        } finally {
            repositorySession.close();
        }
        if (feed == null) {
            res.sendError(HttpServletResponse.SC_NO_CONTENT, "No information available.");
            return;
        }
        res.setContentType(MIME_TYPE);
        if (repoId != null) {
            feed.setLink(req.getRequestURL().toString());
        } else if ((groupId != null) && (artifactId != null)) {
            feed.setLink(req.getRequestURL().toString());
        }
        SyndFeedOutput output = new SyndFeedOutput();
        output.output(feed, res.getWriter());
    } catch (UserNotFoundException unfe) {
        log.debug(COULD_NOT_AUTHENTICATE_USER, unfe);
        res.sendError(HttpServletResponse.SC_UNAUTHORIZED, COULD_NOT_AUTHENTICATE_USER);
    } catch (AccountLockedException acce) {
        res.sendError(HttpServletResponse.SC_UNAUTHORIZED, COULD_NOT_AUTHENTICATE_USER);
    } catch (AuthenticationException authe) {
        log.debug(COULD_NOT_AUTHENTICATE_USER, authe);
        res.sendError(HttpServletResponse.SC_UNAUTHORIZED, COULD_NOT_AUTHENTICATE_USER);
    } catch (FeedException ex) {
        log.debug(COULD_NOT_GENERATE_FEED_ERROR, ex);
        res.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, COULD_NOT_GENERATE_FEED_ERROR);
    } catch (MustChangePasswordException e) {
        res.sendError(HttpServletResponse.SC_UNAUTHORIZED, COULD_NOT_AUTHENTICATE_USER);
    } catch (UnauthorizedException e) {
        log.debug(e.getMessage());
        if (repoId != null) {
            res.setHeader("WWW-Authenticate", "Basic realm=\"Repository Archiva Managed " + repoId + " Repository");
        } else {
            res.setHeader("WWW-Authenticate", "Basic realm=\"Artifact " + groupId + ":" + artifactId);
        }
        res.sendError(HttpServletResponse.SC_UNAUTHORIZED, USER_NOT_AUTHORIZED);
    }
}
Also used : UserNotFoundException(org.apache.archiva.redback.users.UserNotFoundException) AccountLockedException(org.apache.archiva.redback.policy.AccountLockedException) HashMap(java.util.HashMap) AuthenticationException(org.apache.archiva.redback.authentication.AuthenticationException) FeedException(com.sun.syndication.io.FeedException) SyndFeedOutput(com.sun.syndication.io.SyndFeedOutput) RepositorySession(org.apache.archiva.metadata.repository.RepositorySession) MustChangePasswordException(org.apache.archiva.redback.policy.MustChangePasswordException) SyndFeed(com.sun.syndication.feed.synd.SyndFeed) RssFeedProcessor(org.apache.archiva.rss.processor.RssFeedProcessor) UnauthorizedException(org.apache.archiva.redback.authorization.UnauthorizedException)

Aggregations

AuthenticationException (org.apache.archiva.redback.authentication.AuthenticationException)4 AccountLockedException (org.apache.archiva.redback.policy.AccountLockedException)4 MustChangePasswordException (org.apache.archiva.redback.policy.MustChangePasswordException)4 AuthenticationResult (org.apache.archiva.redback.authentication.AuthenticationResult)3 UnauthorizedException (org.apache.archiva.redback.authorization.UnauthorizedException)3 UserNotFoundException (org.apache.archiva.redback.users.UserNotFoundException)2 SyndFeed (com.sun.syndication.feed.synd.SyndFeed)1 FeedException (com.sun.syndication.io.FeedException)1 SyndFeedOutput (com.sun.syndication.io.SyndFeedOutput)1 ArrayList (java.util.ArrayList)1 HashMap (java.util.HashMap)1 RepositoryAdminException (org.apache.archiva.admin.model.RepositoryAdminException)1 RepositorySession (org.apache.archiva.metadata.repository.RepositorySession)1 AuthenticationFailureCause (org.apache.archiva.redback.authentication.AuthenticationFailureCause)1 PasswordBasedAuthenticationDataSource (org.apache.archiva.redback.authentication.PasswordBasedAuthenticationDataSource)1 AuthorizationException (org.apache.archiva.redback.authorization.AuthorizationException)1 PasswordEncoder (org.apache.archiva.redback.policy.PasswordEncoder)1 SecuritySession (org.apache.archiva.redback.system.SecuritySession)1 User (org.apache.archiva.redback.users.User)1 UserManager (org.apache.archiva.redback.users.UserManager)1