use of org.wso2.carbon.identity.governance.IdentityGovernanceException in project identity-governance by wso2-extensions.
The class PasswordRecoveryReCaptchaConnector, method preValidate.
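@Override
public CaptchaPreValidationResponse preValidate(ServletRequest servletRequest, ServletResponse servletResponse)
        throws CaptchaException {

    CaptchaPreValidationResponse preValidationResponse = new CaptchaPreValidationResponse();

    // Tenant-wide "forgot password" reCaptcha: when it is on, every password-recovery entry point
    // requires a captcha regardless of the per-user failure counting further down.
    boolean forgotPasswordRecaptchaEnabled =
            checkReCaptchaEnabledForForgotPassoword(servletRequest, FORGOT_PASSWORD_RECAPTCHA_ENABLE);
    String pathUrl = ((HttpServletRequest) servletRequest).getRequestURI();
    if (forgotPasswordRecaptchaEnabled
            && (CaptchaUtil.isPathAvailable(pathUrl, ACCOUNT_SECURITY_QUESTION_URL)
            || CaptchaUtil.isPathAvailable(pathUrl, ACCOUNT_SECURITY_QUESTIONS_URL)
            || CaptchaUtil.isPathAvailable(pathUrl, RECOVER_PASSWORD_URL))) {
        preValidationResponse.setCaptchaValidationRequired(true);
    }

    // Handle recover with Email option: no per-user failure counting, the decision above is final.
    if (pathUrl.equals(RECOVER_PASSWORD_URL)) {
        return preValidationResponse;
    }

    // Handle recover with security questions option. The request body may be consumed below, so the
    // wrapper is handed back in the response for the downstream servlet to read from.
    HttpServletRequest httpServletRequestWrapper;
    try {
        httpServletRequestWrapper = new CaptchaHttpServletRequestWrapper((HttpServletRequest) servletRequest);
        preValidationResponse.setWrappedHttpServletRequest(httpServletRequestWrapper);
    } catch (IOException e) {
        log.error("Error occurred while wrapping ServletRequest.", e);
        return preValidationResponse;
    }

    // NOTE: every early return from here on leaves the failure-count based captcha unenforced
    // (fail-open); only the tenant-wide flag set above survives an error on this path.
    String path = httpServletRequestWrapper.getRequestURI();
    User user = new User();
    boolean initializationFlow = false;
    if (CaptchaUtil.isPathAvailable(path, ACCOUNT_SECURITY_QUESTION_URL)
            || CaptchaUtil.isPathAvailable(path, ACCOUNT_SECURITY_QUESTIONS_URL)) {
        // Initiation request: the user is identified purely by untrusted request parameters.
        user.setUserName(servletRequest.getParameter("username"));
        if (StringUtils.isNotBlank(servletRequest.getParameter("realm"))) {
            user.setUserStoreDomain(servletRequest.getParameter("realm"));
        } else {
            user.setUserStoreDomain(IdentityUtil.getPrimaryDomainName());
        }
        user.setTenantDomain(servletRequest.getParameter("tenant-domain"));
        initializationFlow = true;
    } else {
        // Answer-validation request: the user is resolved from the recovery "key" in the JSON body.
        String recoveryKey;
        try (InputStream in = httpServletRequestWrapper.getInputStream()) {
            // Explicit charset: the single-argument IOUtils.toString() uses the platform default.
            JsonObject requestObject = new JsonParser().parse(IOUtils.toString(in, "UTF-8")).getAsJsonObject();
            if (!requestObject.has("key") || !requestObject.get("key").isJsonPrimitive()) {
                // Invalid request: no usable recovery key to resolve the user with.
                return preValidationResponse;
            }
            recoveryKey = requestObject.get("key").getAsString();
        } catch (IOException | RuntimeException e) {
            // Gson signals malformed or non-object bodies with unchecked exceptions
            // (JsonSyntaxException, IllegalStateException); a bad client body must not surface
            // as a server error from this filter. The key itself is never logged.
            if (log.isDebugEnabled()) {
                log.debug("Unable to read the security-question recovery request body.", e);
            }
            return preValidationResponse;
        }
        UserRecoveryDataStore userRecoveryDataStore = JDBCRecoveryDataStore.getInstance();
        try {
            UserRecoveryData userRecoveryData = userRecoveryDataStore.load(recoveryKey);
            if (userRecoveryData != null) {
                user = userRecoveryData.getUser();
            }
        } catch (IdentityRecoveryException e) {
            if (log.isDebugEnabled()) {
                log.debug("Unable to load recovery data for the supplied recovery key.", e);
            }
            return preValidationResponse;
        }
    }

    if (StringUtils.isBlank(user.getUserName())) {
        // Invalid Request
        return preValidationResponse;
    }
    if (StringUtils.isBlank(user.getTenantDomain())) {
        user.setTenantDomain(MultitenantConstants.SUPER_TENANT_DOMAIN_NAME);
    }

    Property[] connectorConfigs;
    try {
        connectorConfigs = identityGovernanceService.getConfiguration(
                new String[] { RECOVERY_QUESTION_PASSWORD_RECAPTCHA_ENABLE,
                        RECOVERY_QUESTION_PASSWORD_RECAPTCHA_MAX_FAILED_ATTEMPTS },
                user.getTenantDomain());
    } catch (IdentityGovernanceException e) {
        throw new CaptchaServerException("Unable to retrieve connector configs.", e);
    }
    // Match by property name rather than array position.
    String connectorEnabled = null;
    String maxAttemptsStr = null;
    for (Property connectorConfig : connectorConfigs) {
        if (RECOVERY_QUESTION_PASSWORD_RECAPTCHA_ENABLE.equals(connectorConfig.getName())) {
            connectorEnabled = connectorConfig.getValue();
        } else if (RECOVERY_QUESTION_PASSWORD_RECAPTCHA_MAX_FAILED_ATTEMPTS.equals(connectorConfig.getName())) {
            maxAttemptsStr = connectorConfig.getValue();
        }
    }
    if (!Boolean.parseBoolean(connectorEnabled)) {
        return preValidationResponse;
    }

    String invalidConfigMessage = "Invalid configuration found in the PasswordRecoveryReCaptchaConnector for the tenant - "
            + user.getTenantDomain();
    if (StringUtils.isBlank(maxAttemptsStr) || !NumberUtils.isNumber(maxAttemptsStr)) {
        log.warn(invalidConfigMessage);
        return preValidationResponse;
    }
    int maxFailedAttempts;
    try {
        maxFailedAttempts = Integer.parseInt(maxAttemptsStr);
    } catch (NumberFormatException e) {
        // isNumber() also accepts decimals and hex literals that parseInt() rejects.
        log.warn(invalidConfigMessage);
        return preValidationResponse;
    }

    int tenantId;
    try {
        tenantId = IdentityTenantUtil.getTenantId(user.getTenantDomain());
    } catch (Exception e) {
        // Invalid tenant (user-supplied on the initiation flow).
        if (log.isDebugEnabled()) {
            log.debug("Unable to resolve the tenant id for the recovery request.", e);
        }
        return preValidationResponse;
    }

    try {
        // Locked accounts are left to the account-lock handling; no captcha decision is made for them.
        if (CaptchaDataHolder.getInstance().getAccountLockService()
                .isAccountLocked(user.getUserName(), user.getTenantDomain(), user.getUserStoreDomain())) {
            return preValidationResponse;
        }
    } catch (AccountLockServiceException e) {
        if (log.isDebugEnabled()) {
            log.debug("Error while validating if account is locked for user: " + user.getUserName()
                    + " of user " + "store domain: " + user.getUserStoreDomain()
                    + " and tenant domain: " + user.getTenantDomain(), e);
        }
        return preValidationResponse;
    }

    Map<String, String> claimValues =
            CaptchaUtil.getClaimValues(user, tenantId, new String[] { FAIL_ATTEMPTS_CLAIM });
    if (claimValues == null || claimValues.isEmpty()) {
        // Invalid user
        return preValidationResponse;
    }
    // toInt() yields 0 for a missing or non-integer claim value instead of throwing.
    int currentFailedAttempts = NumberUtils.toInt(claimValues.get(FAIL_ATTEMPTS_CLAIM), 0);

    HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
    if (currentFailedAttempts > maxFailedAttempts) {
        if (initializationFlow) {
            // Tell the initiating client that the captcha widget has to be rendered for the next step.
            httpServletResponse.setHeader("reCaptcha", "true");
            httpServletResponse.setHeader("reCaptchaKey", CaptchaDataHolder.getInstance().getReCaptchaSiteKey());
            httpServletResponse.setHeader("reCaptchaAPI", CaptchaDataHolder.getInstance().getReCaptchaAPIUrl());
        } else {
            // Answer submission past the limit: a valid captcha response is now mandatory.
            preValidationResponse.setCaptchaValidationRequired(true);
            preValidationResponse.setMaxFailedLimitReached(true);
            addPostValidationData(servletRequest);
        }
    } else if (currentFailedAttempts == maxFailedAttempts && !initializationFlow) {
        // Exactly at the limit: not enforced yet, but post-validation data is recorded
        // (presumably so the counter is updated after this attempt — see addPostValidationData).
        addPostValidationData(servletRequest);
    }
    return preValidationResponse;
}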
use of org.wso2.carbon.identity.governance.IdentityGovernanceException in project identity-governance by wso2-extensions.
The class SSOLoginReCaptchaConfig, method canHandle.
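@Override
public boolean canHandle(ServletRequest servletRequest, ServletResponse servletResponse) throws CaptchaException {

    // Cheap, parameter-only checks first so that unrelated requests never touch the
    // authentication-context cache or the governance configuration.
    String username = servletRequest.getParameter("username");
    if (StringUtils.isBlank(username)) {
        return false;
    }
    String currentPath = ((HttpServletRequest) servletRequest).getRequestURI();
    if (StringUtils.isBlank(currentPath) || !CaptchaUtil.isPathAvailable(currentPath, SECURED_DESTINATIONS)) {
        return false;
    }
    for (String attribute : CONNECTOR_IDENTIFIER_ATTRIBUTE.split(",")) {
        if (servletRequest.getParameter(attribute) == null) {
            return false;
        }
    }

    // The login attempt must belong to a live authentication context.
    String sessionDataKey = servletRequest.getParameter(FrameworkUtils.SESSION_DATA_KEY);
    if (sessionDataKey == null) {
        return false;
    }
    AuthenticationContext context = FrameworkUtils.getAuthenticationContextFromCache(sessionDataKey);
    if (context == null) {
        return false;
    }
    String tenantDomain = getTenant(context, username);
    if (StringUtils.isBlank(tenantDomain)) {
        return false;
    }

    // Handle the request when either "always enable" or "enable" is set for the tenant.
    String enableAlwaysProperty = CONNECTOR_NAME + ReCaptchaConnectorPropertySuffixes.ENABLE_ALWAYS;
    String enableProperty = CONNECTOR_NAME + ReCaptchaConnectorPropertySuffixes.ENABLE;
    Property[] connectorConfigs;
    try {
        connectorConfigs = identityGovernanceService.getConfiguration(
                new String[] { enableAlwaysProperty, enableProperty }, tenantDomain);
    } catch (IdentityGovernanceException e) {
        // Can happen due to invalid user/ invalid tenant/ invalid configuration.
        if (log.isDebugEnabled()) {
            log.debug("Unable to load connector configuration.", e);
        }
        return false;
    }
    if (ArrayUtils.isEmpty(connectorConfigs)) {
        return false;
    }
    // Match by property name instead of array index, so this does not silently depend on the
    // service returning the properties in request order.
    boolean enabled = false;
    for (Property connectorConfig : connectorConfigs) {
        if (enableAlwaysProperty.equals(connectorConfig.getName())
                || enableProperty.equals(connectorConfig.getName())) {
            enabled |= Boolean.parseBoolean(connectorConfig.getValue());
        }
    }
    return enabled;
}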
use of org.wso2.carbon.identity.governance.IdentityGovernanceException in project identity-governance by wso2-extensions.
The class RecoveryUtil, method checkCaptchaEnabledResidentIdpConfiguration.
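/**
 * Return enable status of provided account recovery ReCaptcha by checking the corresponding resident Idp
 * configurations.
 *
 * @param tenantDomain tenant domain name, default is carbon-super
 * @param recoveryType Account recovery type. i.e username-recovery or password-recovery
 * @return true when the reCaptcha connector property for the given recovery type is enabled; false when it
 *         is disabled, absent, or {@code recoveryType} is not one of the known recovery types
 */
public static boolean checkCaptchaEnabledResidentIdpConfiguration(String tenantDomain, String recoveryType) {

    if (StringUtils.isBlank(tenantDomain)) {
        tenantDomain = org.wso2.carbon.utils.multitenancy.MultitenantConstants.SUPER_TENANT_DOMAIN_NAME;
    } else if (!RecoveryUtil.isValidTenantDomain(tenantDomain)) {
        RecoveryUtil.handleBadRequest(String.format("Invalid tenant domain : %s", tenantDomain),
                IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_INVALID_TENANT.getCode());
    }

    String recoveryReCaptchaType;
    if (Constants.USERNAME_RECOVERY.equals(recoveryType)) {
        recoveryReCaptchaType = IdentityRecoveryConstants.ConnectorConfig.USERNAME_RECOVERY_RECAPTCHA_ENABLE;
    } else if (Constants.PASSWORD_RECOVERY.equals(recoveryType)) {
        recoveryReCaptchaType = IdentityRecoveryConstants.ConnectorConfig.PASSWORD_RECOVERY_RECAPTCHA_ENABLE;
    } else {
        // Unknown recovery type: there is no property to look up, so do not hand a null property
        // name to the governance service. The value is deliberately not echoed into the log.
        LOG.warn("reCaptcha configuration lookup requested for an unsupported recovery type.");
        return false;
    }

    IdentityGovernanceService identityGovernanceService = RecoveryUtil.getIdentityGovernanceService();
    org.wso2.carbon.identity.application.common.model.Property[] connectorConfigs =
            new org.wso2.carbon.identity.application.common.model.Property[0];
    try {
        connectorConfigs = identityGovernanceService.getConfiguration(new String[] { recoveryReCaptchaType },
                tenantDomain);
    } catch (IdentityGovernanceException e) {
        LOG.error(String.format("Error while retrieving resident Idp configurations for tenant %s. ",
                tenantDomain), e);
        // NOTE(review): a governance-service failure is a server-side error, yet it is reported via
        // handleBadRequest with the internal-server-error message as the code; confirm this maps to the
        // intended HTTP status. Should handleBadRequest return normally, the empty array yields false.
        RecoveryUtil.handleBadRequest(String.format(
                "Error while retrieving resident Idp configurations for tenant %s. ", tenantDomain),
                Constants.STATUS_INTERNAL_SERVER_ERROR_MESSAGE_DEFAULT);
    }

    // Last matching property wins, which is what the callers have always observed.
    String enable = null;
    for (org.wso2.carbon.identity.application.common.model.Property connectorConfig : connectorConfigs) {
        if (recoveryReCaptchaType.equals(connectorConfig.getName())) {
            enable = connectorConfig.getValue();
        }
    }
    return Boolean.parseBoolean(enable);
}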
use of org.wso2.carbon.identity.governance.IdentityGovernanceException in project identity-governance by wso2-extensions.
The class SelfRegistrationConfigImpl, method getDefaultPropertyValues.
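@Override
public Properties getDefaultPropertyValues(String tenantDomain) throws IdentityGovernanceException {

    // Built-in defaults, each overridable through the identity.xml property of the same name. The
    // security-relevant switches start in the restrictive position: self sign-up off, account lock on
    // creation on, reCaptcha on, auto-login off.
    Map<String, String> defaultProperties = new HashMap<>();
    putWithDefault(defaultProperties, IdentityRecoveryConstants.ConnectorConfig.ENABLE_SELF_SIGNUP, "false");
    putWithDefault(defaultProperties, IdentityRecoveryConstants.ConnectorConfig.ACCOUNT_LOCK_ON_CREATION, "true");
    putWithDefault(defaultProperties, IdentityRecoveryConstants.ConnectorConfig.SEND_CONFIRMATION_NOTIFICATION,
            "false");
    putWithDefault(defaultProperties,
            IdentityRecoveryConstants.ConnectorConfig.SIGN_UP_NOTIFICATION_INTERNALLY_MANAGE, "true");
    putWithDefault(defaultProperties, IdentityRecoveryConstants.ConnectorConfig.SELF_REGISTRATION_RE_CAPTCHA,
            "true");
    // Expiry values are minutes as far as the names suggest; the unit is not enforced here.
    putWithDefault(defaultProperties,
            IdentityRecoveryConstants.ConnectorConfig.SELF_REGISTRATION_VERIFICATION_CODE_EXPIRY_TIME, "1440");
    putWithDefault(defaultProperties,
            IdentityRecoveryConstants.ConnectorConfig.SELF_REGISTRATION_SMSOTP_VERIFICATION_CODE_EXPIRY_TIME, "1");
    putWithDefault(defaultProperties, IdentityRecoveryConstants.ConnectorConfig.SELF_REGISTRATION_AUTO_LOGIN,
            "false");
    putWithDefault(defaultProperties,
            IdentityRecoveryConstants.ConnectorConfig.SELF_REGISTRATION_AUTO_LOGIN_ALIAS_NAME, "wso2carbon");
    // Presumably the allow-list for post-registration callback URLs; a permissive override weakens it.
    putWithDefault(defaultProperties, IdentityRecoveryConstants.ConnectorConfig.SELF_REGISTRATION_CALLBACK_REGEX,
            IdentityRecoveryConstants.DEFAULT_CALLBACK_REGEX);
    putWithDefault(defaultProperties,
            IdentityRecoveryConstants.ConnectorConfig.SELF_REGISTRATION_NOTIFY_ACCOUNT_CONFIRMATION, "false");
    putWithDefault(defaultProperties,
            IdentityRecoveryConstants.ConnectorConfig.RESEND_CONFIRMATION_RECAPTCHA_ENABLE, "false");

    // The consent-purpose list URL carries the callback as a query parameter, hence the encoding.
    try {
        defaultProperties.put(LIST_PURPOSE_PROPERTY_KEY,
                consentListURL + "&callback=" + URLEncoder.encode(CALLBACK_URL, StandardCharsets.UTF_8.name()));
    } catch (UnsupportedEncodingException e) {
        throw new IdentityGovernanceException("Error while encoding callback url: " + CALLBACK_URL, e);
    }

    Properties properties = new Properties();
    properties.putAll(defaultProperties);
    return properties;
}

/**
 * Stores {@code defaultValue} under {@code key} in {@code target}, unless identity.xml supplies a
 * non-blank value for the same key, in which case the configured value wins. A whitespace-only
 * configured value is treated as unset rather than propagated as a broken setting.
 */
private static void putWithDefault(Map<String, String> target, String key, String defaultValue) {

    String configured = IdentityUtil.getProperty(key);
    target.put(key, StringUtils.isNotBlank(configured) ? configured : defaultValue);
}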
use of org.wso2.carbon.identity.governance.IdentityGovernanceException in project identity-governance by wso2-extensions.
The class UserEmailVerificationConfigImpl, method getDefaultPropertyValues.
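@Override
public Properties getDefaultPropertyValues(String tenantDomain) throws IdentityGovernanceException {

    // Built-in defaults, each overridable through the identity.xml property of the same name.
    // Email verification starts disabled; account lock on creation starts enabled.
    Map<String, String> defaultProperties = new HashMap<>();
    putWithDefault(defaultProperties, IdentityRecoveryConstants.ConnectorConfig.ENABLE_EMAIL_VERIFICATION, "false");
    putWithDefault(defaultProperties, IdentityRecoveryConstants.ConnectorConfig.EMAIL_VERIFICATION_EXPIRY_TIME,
            "1440");
    putWithDefault(defaultProperties, IdentityRecoveryConstants.ConnectorConfig.ASK_PASSWORD_EXPIRY_TIME, "1440");
    putWithDefault(defaultProperties, IdentityRecoveryConstants.ConnectorConfig.EMAIL_ACCOUNT_LOCK_ON_CREATION,
            "true");
    putWithDefault(defaultProperties,
            IdentityRecoveryConstants.ConnectorConfig.EMAIL_VERIFICATION_NOTIFICATION_INTERNALLY_MANAGE, "true");
    // A class name; presumably loaded reflectively elsewhere, so an override is trusted admin configuration.
    putWithDefault(defaultProperties, IdentityRecoveryConstants.ConnectorConfig.ASK_PASSWORD_TEMP_PASSWORD_GENERATOR,
            "org.wso2.carbon.user.mgt.common.DefaultPasswordGenerator");

    // The consent-purpose list URL carries the callback as a query parameter, hence the encoding.
    try {
        defaultProperties.put(LIST_PURPOSE_PROPERTY_KEY,
                CONSENT_LIST_URL + "&callback=" + URLEncoder.encode(CALLBACK_URL, StandardCharsets.UTF_8.name()));
    } catch (UnsupportedEncodingException e) {
        throw new IdentityGovernanceException("Error while url encoding callback url: " + CALLBACK_URL, e);
    }

    Properties properties = new Properties();
    properties.putAll(defaultProperties);
    return properties;
}

/**
 * Stores {@code defaultValue} under {@code key} in {@code target}, unless identity.xml supplies a
 * non-blank value for the same key, in which case the configured value wins. Blank handling is
 * uniform for every property here (the generator class name was already treated this way).
 */
private static void putWithDefault(Map<String, String> target, String key, String defaultValue) {

    String configured = IdentityUtil.getProperty(key);
    target.put(key, StringUtils.isNotBlank(configured) ? configured : defaultValue);
}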