use of org.wso2.carbon.identity.recovery.bean.ChallengeQuestionResponse in project identity-governance by wso2-extensions.
the class SecurityQuestionApiServiceImpl method securityQuestionGet.
@Override
public Response securityQuestionGet(String username, String realm, String tenantDomain) {
if (IdentityUtil.threadLocalProperties.get().get(Constants.TENANT_NAME_FROM_CONTEXT) != null) {
tenantDomain = (String) IdentityUtil.threadLocalProperties.get().get(Constants.TENANT_NAME_FROM_CONTEXT);
}
User user = new User();
user.setUserName(username);
if (StringUtils.isNotBlank(realm)) {
user.setUserStoreDomain(realm);
} else {
user.setUserStoreDomain(UserStoreConfigConstants.PRIMARY);
}
if (StringUtils.isBlank(tenantDomain)) {
user.setTenantDomain(MultitenantConstants.SUPER_TENANT_DOMAIN_NAME);
} else {
user.setTenantDomain(tenantDomain);
}
int tenantId = IdentityTenantUtil.getTenantId(user.getTenantDomain());
if (StringUtils.isBlank(realm)) {
String[] userList = RecoveryUtil.getUserList(tenantId, username);
if (ArrayUtils.isEmpty(userList)) {
String msg = "Unable to find an user with username: " + username + " in the system.";
LOG.error(msg);
} else if (userList.length == 1) {
user.setUserStoreDomain(IdentityUtil.extractDomainFromName(userList[0]));
} else {
String msg = "There are multiple users with username: " + username + " in the system, " + "please send the correct user-store domain along with the username.";
LOG.error(msg);
RecoveryUtil.handleBadRequest(msg, Constants.ERROR_CODE_MULTIPLE_USERS_MATCHING);
}
}
InitiateQuestionResponseDTO initiateQuestionResponseDTO = null;
SecurityQuestionPasswordRecoveryManager securityQuestionBasedPwdRecoveryManager = RecoveryUtil.getSecurityQuestionBasedPwdRecoveryManager();
try {
ChallengeQuestionResponse challengeQuestionResponse = securityQuestionBasedPwdRecoveryManager.initiateUserChallengeQuestion(user);
initiateQuestionResponseDTO = RecoveryUtil.getInitiateQuestionResponseDTO(challengeQuestionResponse);
} catch (IdentityRecoveryClientException e) {
if (LOG.isDebugEnabled()) {
LOG.debug("Client Error while initiating password recovery flow using security questions ", e);
}
if (IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_CHALLENGE_QUESTION_NOT_FOUND.getCode().equals(e.getErrorCode())) {
return Response.noContent().build();
}
RecoveryUtil.handleBadRequest(e.getMessage(), e.getErrorCode());
} catch (IdentityRecoveryException e) {
RecoveryUtil.handleInternalServerError(Constants.SERVER_ERROR, e.getErrorCode(), LOG, e);
} catch (Throwable throwable) {
RecoveryUtil.handleInternalServerError(Constants.SERVER_ERROR, IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_UNEXPECTED.getCode(), LOG, throwable);
}
return Response.accepted(initiateQuestionResponseDTO).build();
}
use of org.wso2.carbon.identity.recovery.bean.ChallengeQuestionResponse in project identity-governance by wso2-extensions.
the class ValidateAnswerApiServiceImpl method validateAnswerPost.
@Override
public Response validateAnswerPost(AnswerVerificationRequestDTO answerVerificationRequest) {
SecurityQuestionPasswordRecoveryManager securityQuestionBasedPwdRecoveryManager = RecoveryUtil.getSecurityQuestionBasedPwdRecoveryManager();
ChallengeQuestionResponse challengeQuestion = null;
try {
challengeQuestion = securityQuestionBasedPwdRecoveryManager.validateUserChallengeQuestions(RecoveryUtil.getUserChallengeAnswers(answerVerificationRequest.getAnswers()), answerVerificationRequest.getKey(), RecoveryUtil.getProperties(answerVerificationRequest.getProperties()));
} catch (IdentityRecoveryClientException e) {
if (LOG.isDebugEnabled()) {
LOG.debug("Client Error while verifying challenge answers in recovery flow", e);
}
if (IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_INVALID_ANSWER_FOR_SECURITY_QUESTION.getCode().equals(e.getErrorCode())) {
RetryErrorDTO errorDTO = new RetryErrorDTO();
errorDTO.setCode(e.getErrorCode());
errorDTO.setMessage(e.getMessage());
errorDTO.setDescription(e.getMessage());
errorDTO.setKey(answerVerificationRequest.getKey());
return Response.status(Response.Status.PRECONDITION_FAILED).entity(errorDTO).build();
}
RecoveryUtil.handleBadRequest(e.getMessage(), e.getErrorCode());
} catch (IdentityRecoveryException e) {
RecoveryUtil.handleInternalServerError(Constants.SERVER_ERROR, e.getErrorCode(), LOG, e);
} catch (Throwable throwable) {
RecoveryUtil.handleInternalServerError(Constants.SERVER_ERROR, IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_UNEXPECTED.getCode(), LOG, throwable);
}
return Response.ok(RecoveryUtil.getInitiateQuestionResponseDTO(challengeQuestion)).build();
}
use of org.wso2.carbon.identity.recovery.bean.ChallengeQuestionResponse in project identity-governance by wso2-extensions.
the class SecurityQuestionPasswordRecoveryManager method validateUserChallengeQuestions.
public ChallengeQuestionResponse validateUserChallengeQuestions(UserChallengeAnswer[] userChallengeAnswer, String code, org.wso2.carbon.identity.recovery.model.Property[] properties) throws IdentityRecoveryException {
UserRecoveryDataStore userRecoveryDataStore = JDBCRecoveryDataStore.getInstance();
UserRecoveryData userRecoveryData = userRecoveryDataStore.load(code);
// if return data from load, it means the code is validated. Otherwise it returns exceptions.
User user = userRecoveryData.getUser();
validateFunctionalityForUser(user);
try {
boolean isRecoveryEnable = Boolean.parseBoolean(Utils.getRecoveryConfigs(IdentityRecoveryConstants.ConnectorConfig.QUESTION_BASED_PW_RECOVERY, userRecoveryData.getUser().getTenantDomain()));
if (!isRecoveryEnable) {
throw Utils.handleClientException(IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_QUESTION_BASED_RECOVERY_NOT_ENABLE, null);
}
verifyUserExists(user);
if (Utils.isAccountDisabled(user)) {
throw Utils.handleClientException(IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_DISABLED_ACCOUNT, user.getUserName());
} else if (Utils.isAccountLocked(user)) {
throw Utils.handleClientException(IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_LOCKED_ACCOUNT, user.getUserName());
}
if (userChallengeAnswer == null) {
String error = "Challenge answers cannot be found for user: " + userRecoveryData.getUser();
throw Utils.handleClientException(IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_CHALLENGE_QUESTION_NOT_FOUND, error);
}
String challengeQuestionSeparator = IdentityUtil.getProperty(IdentityRecoveryConstants.ConnectorConfig.QUESTION_CHALLENGE_SEPARATOR);
if (StringUtils.isEmpty(challengeQuestionSeparator)) {
challengeQuestionSeparator = IdentityRecoveryConstants.DEFAULT_CHALLENGE_QUESTION_SEPARATOR;
}
if (RecoverySteps.VALIDATE_CHALLENGE_QUESTION.equals(userRecoveryData.getRecoveryStep())) {
if (userChallengeAnswer.length > 1) {
throw Utils.handleClientException(IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_MULTIPLE_QUESTION_NOT_ALLOWED, null);
}
ChallengeQuestionManager challengeQuestionManager = ChallengeQuestionManager.getInstance();
boolean verified = challengeQuestionManager.verifyUserChallengeAnswer(userRecoveryData.getUser(), userChallengeAnswer[0]);
if (verified) {
boolean resetFailedLoginCount = false;
userRecoveryDataStore.invalidate(code);
String remainingSetIds = userRecoveryData.getRemainingSetIds();
ChallengeQuestionResponse challengeQuestionResponse = new ChallengeQuestionResponse();
String secretKey = UUIDGenerator.generateUUID();
challengeQuestionResponse.setCode(secretKey);
UserRecoveryData recoveryData = new UserRecoveryData(userRecoveryData.getUser(), secretKey, RecoveryScenarios.QUESTION_BASED_PWD_RECOVERY);
if (StringUtils.isNotBlank(remainingSetIds)) {
String[] ids = remainingSetIds.split(challengeQuestionSeparator);
ChallengeQuestion challengeQuestion = challengeQuestionManager.getUserChallengeQuestion(userRecoveryData.getUser(), ids[0]);
challengeQuestionResponse.setQuestion(challengeQuestion);
recoveryData.setRecoveryStep(RecoverySteps.VALIDATE_CHALLENGE_QUESTION);
challengeQuestionResponse.setStatus(IdentityRecoveryConstants.RECOVERY_STATUS_INCOMPLETE);
if (ids.length > 1) {
for (int i = 1; i < ids.length; i++) {
if (i == 1) {
remainingSetIds = ids[1];
} else {
remainingSetIds = remainingSetIds + challengeQuestionSeparator + ids[i];
}
}
recoveryData.setRemainingSetIds(remainingSetIds);
}
} else {
resetFailedLoginCount = true;
recoveryData.setRecoveryStep(RecoverySteps.UPDATE_PASSWORD);
challengeQuestionResponse.setStatus(IdentityRecoveryConstants.RECOVERY_STATUS_COMPLETE);
}
userRecoveryDataStore.store(recoveryData);
// Reset password recovery failed attempts
if (isPerUserFunctionalityLockingEnabled) {
resetRecoveryPasswordProperties(userRecoveryData.getUser(), resetFailedLoginCount);
} else {
resetRecoveryPasswordFailedAttempts(userRecoveryData.getUser(), resetFailedLoginCount);
}
return challengeQuestionResponse;
} else {
throw Utils.handleClientException(IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_INVALID_ANSWER_FOR_SECURITY_QUESTION, null);
}
} else if (RecoverySteps.VALIDATE_ALL_CHALLENGE_QUESTION.equals(userRecoveryData.getRecoveryStep())) {
String allChallengeQuestions = userRecoveryData.getRemainingSetIds();
if (StringUtils.isNotBlank(allChallengeQuestions)) {
String[] requestedQuestions = allChallengeQuestions.split(challengeQuestionSeparator);
if (requestedQuestions.length != userChallengeAnswer.length) {
throw Utils.handleClientException(IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_NEED_TO_ANSWER_TO_REQUESTED_QUESTIONS, null);
}
validateQuestion(requestedQuestions, userChallengeAnswer);
// Validate whether user answered all the requested questions
} else {
String error = "Could not find requested challenge questions for user: " + userRecoveryData.getUser();
throw Utils.handleClientException(IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_CHALLENGE_QUESTION_NOT_FOUND, error);
}
ChallengeQuestionManager challengeQuestionManager = ChallengeQuestionManager.getInstance();
for (int i = 0; i < userChallengeAnswer.length; i++) {
boolean verified = challengeQuestionManager.verifyUserChallengeAnswer(userRecoveryData.getUser(), userChallengeAnswer[i]);
if (!verified) {
// handleAnswerVerificationFail(userRecoveryData.getUser());
throw Utils.handleClientException(IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_INVALID_ANSWER_FOR_SECURITY_QUESTION, null);
}
}
// Reset password recovery failed attempts
if (isPerUserFunctionalityLockingEnabled) {
resetRecoveryPasswordProperties(userRecoveryData.getUser(), true);
} else {
resetRecoveryPasswordFailedAttempts(userRecoveryData.getUser(), true);
}
userRecoveryDataStore.invalidate(code);
ChallengeQuestionResponse challengeQuestionResponse = new ChallengeQuestionResponse();
String secretKey = UUIDGenerator.generateUUID();
challengeQuestionResponse.setCode(secretKey);
challengeQuestionResponse.setStatus(IdentityRecoveryConstants.RECOVERY_STATUS_COMPLETE);
UserRecoveryData recoveryData = new UserRecoveryData(userRecoveryData.getUser(), secretKey, RecoveryScenarios.QUESTION_BASED_PWD_RECOVERY);
recoveryData.setRecoveryStep(RecoverySteps.UPDATE_PASSWORD);
userRecoveryDataStore.store(recoveryData);
return challengeQuestionResponse;
} else {
throw Utils.handleClientException(IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_INVALID_CODE, null);
}
} catch (IdentityRecoveryClientException e) {
if (isPerUserFunctionalityLockingEnabled) {
handleAnswerVerificationFailInFunctionalityLockMode(userRecoveryData.getUser());
throw e;
}
handleAnswerVerificationFail(userRecoveryData.getUser());
throw e;
}
}
use of org.wso2.carbon.identity.recovery.bean.ChallengeQuestionResponse in project identity-governance by wso2-extensions.
the class SecurityQuestionPasswordRecoveryManager method initiateUserChallengeQuestion.
public ChallengeQuestionResponse initiateUserChallengeQuestion(User user) throws IdentityRecoveryException {
Utils.validateEmailUsername(user.getUserName());
if (StringUtils.isBlank(user.getTenantDomain())) {
user.setTenantDomain(MultitenantConstants.SUPER_TENANT_DOMAIN_NAME);
log.info("initiateUserChallengeQuestion :Tenant domain is not in the request. set to default for user : " + user.getUserName());
}
if (StringUtils.isBlank(user.getUserStoreDomain())) {
user.setUserStoreDomain(IdentityUtil.getPrimaryDomainName());
log.info("initiateUserChallengeQuestion :User store domain is not in the request. set to default for user" + " : " + user.getUserName());
}
boolean isNotificationInternallyManaged = Boolean.parseBoolean(Utils.getRecoveryConfigs(IdentityRecoveryConstants.ConnectorConfig.NOTIFICATION_INTERNALLY_MANAGE, user.getTenantDomain()));
boolean isRecoveryEnable = Boolean.parseBoolean(Utils.getRecoveryConfigs(IdentityRecoveryConstants.ConnectorConfig.QUESTION_BASED_PW_RECOVERY, user.getTenantDomain()));
if (!isRecoveryEnable) {
throw Utils.handleClientException(IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_QUESTION_BASED_RECOVERY_NOT_ENABLE, null);
}
verifyUserExists(user);
validateFunctionalityForUser(user);
UserRecoveryDataStore userRecoveryDataStore = JDBCRecoveryDataStore.getInstance();
userRecoveryDataStore.invalidate(user);
String challengeQuestionSeparator = IdentityUtil.getProperty(IdentityRecoveryConstants.ConnectorConfig.QUESTION_CHALLENGE_SEPARATOR);
if (StringUtils.isEmpty(challengeQuestionSeparator)) {
challengeQuestionSeparator = IdentityRecoveryConstants.DEFAULT_CHALLENGE_QUESTION_SEPARATOR;
}
if (Utils.isAccountDisabled(user)) {
throw Utils.handleClientException(IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_DISABLED_ACCOUNT, user.getUserName());
} else if (Utils.isAccountLocked(user)) {
throw Utils.handleClientException(IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_LOCKED_ACCOUNT, user.getUserName());
}
boolean isNotificationSendWhenInitiatingPWRecovery = Boolean.parseBoolean(Utils.getRecoveryConfigs(IdentityRecoveryConstants.ConnectorConfig.NOTIFICATION_SEND_RECOVERY_SECURITY_START, user.getTenantDomain()));
if (isNotificationInternallyManaged && isNotificationSendWhenInitiatingPWRecovery) {
try {
triggerNotification(user, IdentityRecoveryConstants.NOTIFICATION_TYPE_PASSWORD_RESET_INITIATE, null);
} catch (Exception e) {
log.warn("Error while sending password reset initiating notification to user :" + user.getUserName());
}
}
int minNoOfQuestionsToAnswer = Integer.parseInt(Utils.getRecoveryConfigs(IdentityRecoveryConstants.ConnectorConfig.QUESTION_MIN_NO_ANSWER, user.getTenantDomain()));
ChallengeQuestionManager challengeQuestionManager = ChallengeQuestionManager.getInstance();
String[] ids = challengeQuestionManager.getUserChallengeQuestionIds(user);
if (ids == null || ids.length == 0) {
throw Utils.handleClientException(IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_CHALLENGE_QUESTION_NOT_FOUND, user.getUserName());
}
if (ids.length > minNoOfQuestionsToAnswer) {
ids = getRandomQuestionIds(ids, minNoOfQuestionsToAnswer);
}
String metaData = null;
for (int i = 1; i < ids.length; i++) {
if (i == 1) {
metaData = ids[1];
} else {
metaData = metaData + challengeQuestionSeparator + ids[i];
}
}
ChallengeQuestion userChallengeQuestion = challengeQuestionManager.getUserChallengeQuestion(user, ids[0]);
ChallengeQuestionResponse challengeQuestionResponse = new ChallengeQuestionResponse(userChallengeQuestion);
String secretKey = UUIDGenerator.generateUUID();
UserRecoveryData recoveryData = new UserRecoveryData(user, secretKey, RecoveryScenarios.QUESTION_BASED_PWD_RECOVERY, RecoverySteps.VALIDATE_CHALLENGE_QUESTION);
recoveryData.setRemainingSetIds(metaData);
challengeQuestionResponse.setCode(secretKey);
if (ids.length > 1) {
challengeQuestionResponse.setStatus(IdentityRecoveryConstants.RECOVERY_STATUS_INCOMPLETE);
}
userRecoveryDataStore.store(recoveryData);
return challengeQuestionResponse;
}
use of org.wso2.carbon.identity.recovery.bean.ChallengeQuestionResponse in project identity-governance by wso2-extensions.
the class RecoveryUtil method getInitiateQuestionResponseDTO.
public static InitiateQuestionResponseDTO getInitiateQuestionResponseDTO(ChallengeQuestionResponse challengeQuestionResponse) {
InitiateQuestionResponseDTO initiateQuestionResponseDTO = new InitiateQuestionResponseDTO();
QuestionDTO questionDTO = new QuestionDTO();
if (challengeQuestionResponse.getQuestion() != null) {
questionDTO.setQuestion(challengeQuestionResponse.getQuestion().getQuestion());
questionDTO.setQuestionSetId(challengeQuestionResponse.getQuestion().getQuestionSetId());
initiateQuestionResponseDTO.setQuestion(questionDTO);
}
initiateQuestionResponseDTO.setKey(challengeQuestionResponse.getCode());
LinkDTO linkDTO = new LinkDTO();
if (IdentityRecoveryConstants.RECOVERY_STATUS_COMPLETE.equals(challengeQuestionResponse.getStatus())) {
linkDTO.setRel("set-password");
linkDTO.setUri("/api/identity/recovery/v0.9");
} else {
linkDTO.setRel("validate-answer");
linkDTO.setUri("/api/identity/recovery/v0.9");
}
initiateQuestionResponseDTO.setLink(linkDTO);
return initiateQuestionResponseDTO;
}
Aggregations