Example 96 with PwmApplication
use of password.pwm.PwmApplication in project pwm by pwm-project.
the class ForgottenPasswordServlet method executeResetPassword.
private void executeResetPassword(final PwmRequest pwmRequest) throws ChaiUnavailableException, IOException, ServletException, PwmUnrecoverableException {
final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
final PwmSession pwmSession = pwmRequest.getPwmSession();
final ForgottenPasswordBean forgottenPasswordBean = forgottenPasswordBean(pwmRequest);
if (!forgottenPasswordBean.getProgress().isAllPassed()) {
return;
}
final UserIdentity userIdentity = forgottenPasswordBean.getUserIdentity();
final ChaiUser theUser = pwmApplication.getProxiedChaiUser(userIdentity);
try {
// try unlocking user
theUser.unlockPassword();
LOGGER.trace(pwmSession, "unlock account succeeded");
} catch (ChaiOperationException e) {
final String errorMsg = "unable to unlock user " + theUser.getEntryDN() + " error: " + e.getMessage();
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_UNLOCK_FAILURE, errorMsg);
LOGGER.error(pwmSession, errorInformation.toDebugStr());
}
try {
final SessionAuthenticator sessionAuthenticator = new SessionAuthenticator(pwmApplication, pwmSession, PwmAuthenticationSource.FORGOTTEN_PASSWORD);
sessionAuthenticator.authUserWithUnknownPassword(userIdentity, AuthenticationType.AUTH_FROM_PUBLIC_MODULE);
pwmSession.getLoginInfoBean().getAuthFlags().add(AuthenticationType.AUTH_FROM_PUBLIC_MODULE);
LOGGER.info(pwmSession, "user successfully supplied password recovery responses, forward to change password page: " + theUser.getEntryDN());
// mark the event log
pwmApplication.getAuditManager().submit(AuditEvent.RECOVER_PASSWORD, pwmSession.getUserInfo(), pwmSession);
// add the post-forgotten password actions
addPostChangeAction(pwmRequest, userIdentity);
// mark user as requiring a new password.
pwmSession.getLoginInfoBean().getLoginFlags().add(LoginInfoBean.LoginFlag.forcePwChange);
// redirect user to change password screen.
pwmRequest.sendRedirect(PwmServletDefinition.PublicChangePassword.servletUrlName());
} catch (PwmUnrecoverableException e) {
LOGGER.warn(pwmSession, "unexpected error authenticating during forgotten password recovery process user: " + e.getMessage());
pwmRequest.respondWithError(e.getErrorInformation());
} finally {
clearForgottenPasswordBean(pwmRequest);
}
}
Also used :
ErrorInformation(password.pwm.error.ErrorInformation)
PwmApplication(password.pwm.PwmApplication)
ChaiUser(com.novell.ldapchai.ChaiUser)
SessionAuthenticator(password.pwm.ldap.auth.SessionAuthenticator)
UserIdentity(password.pwm.bean.UserIdentity)
PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException)
ChaiOperationException(com.novell.ldapchai.exception.ChaiOperationException)
PwmSession(password.pwm.http.PwmSession)
ForgottenPasswordBean(password.pwm.http.bean.ForgottenPasswordBean)
Example 97 with PwmApplication
use of password.pwm.PwmApplication in project pwm by pwm-project.
the class ForgottenPasswordServlet method processSearch.
@ActionHandler(action = "search")
private ProcessStatus processSearch(final PwmRequest pwmRequest) throws ChaiUnavailableException, PwmUnrecoverableException, IOException, ServletException {
final PwmSession pwmSession = pwmRequest.getPwmSession();
final Locale userLocale = pwmRequest.getLocale();
final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
final String contextParam = pwmRequest.readParameterAsString(PwmConstants.PARAM_CONTEXT);
final String ldapProfile = pwmRequest.readParameterAsString(PwmConstants.PARAM_LDAP_PROFILE);
final boolean bogusUserModeEnabled = pwmRequest.getConfig().readSettingAsBoolean(PwmSetting.RECOVERY_BOGUS_USER_ENABLE);
// clear the bean
clearForgottenPasswordBean(pwmRequest);
if (CaptchaUtility.captchaEnabledForRequest(pwmRequest)) {
if (!CaptchaUtility.verifyReCaptcha(pwmRequest)) {
final ErrorInformation errorInfo = new ErrorInformation(PwmError.ERROR_BAD_CAPTCHA_RESPONSE);
LOGGER.debug(pwmRequest, errorInfo);
setLastError(pwmRequest, errorInfo);
return ProcessStatus.Continue;
}
}
final List<FormConfiguration> forgottenPasswordForm = pwmApplication.getConfig().readSettingAsForm(PwmSetting.FORGOTTEN_PASSWORD_SEARCH_FORM);
Map<FormConfiguration, String> formValues = new LinkedHashMap<>();
try {
// read the values from the request
formValues = FormUtility.readFormValuesFromRequest(pwmRequest, forgottenPasswordForm, userLocale);
// check for intruder search values
pwmApplication.getIntruderManager().convenience().checkAttributes(formValues);
// see if the values meet the configured form requirements.
FormUtility.validateFormValues(pwmRequest.getConfig(), formValues, userLocale);
final String searchFilter;
{
final String configuredSearchFilter = pwmApplication.getConfig().readSettingAsString(PwmSetting.FORGOTTEN_PASSWORD_SEARCH_FILTER);
if (configuredSearchFilter == null || configuredSearchFilter.isEmpty()) {
searchFilter = FormUtility.ldapSearchFilterForForm(pwmApplication, forgottenPasswordForm);
LOGGER.trace(pwmSession, "auto generated ldap search filter: " + searchFilter);
} else {
searchFilter = configuredSearchFilter;
}
}
// convert the username field to an identity
final UserIdentity userIdentity;
{
final UserSearchEngine userSearchEngine = pwmApplication.getUserSearchEngine();
final SearchConfiguration searchConfiguration = SearchConfiguration.builder().filter(searchFilter).formValues(formValues).contexts(Collections.singletonList(contextParam)).ldapProfile(ldapProfile).build();
userIdentity = userSearchEngine.performSingleUserSearch(searchConfiguration, pwmRequest.getSessionLabel());
}
if (userIdentity == null) {
throw new PwmOperationalException(new ErrorInformation(PwmError.ERROR_CANT_MATCH_USER));
}
AuthenticationUtility.checkIfUserEligibleToAuthentication(pwmApplication, userIdentity);
final ForgottenPasswordBean forgottenPasswordBean = forgottenPasswordBean(pwmRequest);
ForgottenPasswordUtil.initForgottenPasswordBean(pwmRequest, userIdentity, forgottenPasswordBean);
// clear intruder search values
pwmApplication.getIntruderManager().convenience().clearAttributes(formValues);
return ProcessStatus.Continue;
} catch (PwmOperationalException e) {
if (e.getError() != PwmError.ERROR_CANT_MATCH_USER || !bogusUserModeEnabled) {
final ErrorInformation errorInfo = new ErrorInformation(PwmError.ERROR_RESPONSES_NORESPONSES, e.getErrorInformation().getDetailedErrorMsg(), e.getErrorInformation().getFieldValues());
pwmApplication.getStatisticsManager().incrementValue(Statistic.RECOVERY_FAILURES);
pwmApplication.getIntruderManager().convenience().markAddressAndSession(pwmSession);
pwmApplication.getIntruderManager().convenience().markAttributes(formValues, pwmSession);
LOGGER.debug(pwmSession, errorInfo.toDebugStr());
setLastError(pwmRequest, errorInfo);
return ProcessStatus.Continue;
}
}
if (bogusUserModeEnabled) {
ForgottenPasswordUtil.initBogusForgottenPasswordBean(pwmRequest);
forgottenPasswordBean(pwmRequest).setUserSearchValues(FormUtility.asStringMap(formValues));
}
return ProcessStatus.Continue;
}
Also used :
Locale(java.util.Locale)
PwmApplication(password.pwm.PwmApplication)
UserIdentity(password.pwm.bean.UserIdentity)
UserSearchEngine(password.pwm.ldap.search.UserSearchEngine)
SearchConfiguration(password.pwm.ldap.search.SearchConfiguration)
LinkedHashMap(java.util.LinkedHashMap)
PwmOperationalException(password.pwm.error.PwmOperationalException)
ErrorInformation(password.pwm.error.ErrorInformation)
FormConfiguration(password.pwm.config.value.data.FormConfiguration)
PwmSession(password.pwm.http.PwmSession)
ForgottenPasswordBean(password.pwm.http.bean.ForgottenPasswordBean)
Example 98 with PwmApplication
use of password.pwm.PwmApplication in project pwm by pwm-project.
the class ForgottenPasswordServlet method executeUnlock.
private void executeUnlock(final PwmRequest pwmRequest) throws IOException, ServletException, ChaiUnavailableException, PwmUnrecoverableException {
final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
final PwmSession pwmSession = pwmRequest.getPwmSession();
final ForgottenPasswordBean forgottenPasswordBean = forgottenPasswordBean(pwmRequest);
final UserIdentity userIdentity = forgottenPasswordBean.getUserIdentity();
try {
final ChaiUser theUser = pwmApplication.getProxiedChaiUser(userIdentity);
theUser.unlockPassword();
// mark the event log
final UserInfo userInfoBean = ForgottenPasswordUtil.readUserInfo(pwmRequest, forgottenPasswordBean);
pwmApplication.getAuditManager().submit(AuditEvent.UNLOCK_PASSWORD, userInfoBean, pwmSession);
ForgottenPasswordUtil.sendUnlockNoticeEmail(pwmRequest, forgottenPasswordBean);
pwmRequest.getPwmResponse().forwardToSuccessPage(Message.Success_UnlockAccount);
} catch (ChaiOperationException e) {
final String errorMsg = "unable to unlock user " + userIdentity + " error: " + e.getMessage();
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_UNLOCK_FAILURE, errorMsg);
LOGGER.error(pwmSession, errorInformation.toDebugStr());
pwmRequest.respondWithError(errorInformation, true);
} finally {
clearForgottenPasswordBean(pwmRequest);
}
}
Also used :
ErrorInformation(password.pwm.error.ErrorInformation)
PwmApplication(password.pwm.PwmApplication)
ChaiUser(com.novell.ldapchai.ChaiUser)
UserIdentity(password.pwm.bean.UserIdentity)
UserInfo(password.pwm.ldap.UserInfo)
ChaiOperationException(com.novell.ldapchai.exception.ChaiOperationException)
PwmSession(password.pwm.http.PwmSession)
ForgottenPasswordBean(password.pwm.http.bean.ForgottenPasswordBean)
Example 99 with PwmApplication
use of password.pwm.PwmApplication in project pwm by pwm-project.
the class ForgottenPasswordServlet method preProcessCheck.
@Override
public ProcessStatus preProcessCheck(final PwmRequest pwmRequest) throws PwmUnrecoverableException, IOException, ServletException {
final PwmSession pwmSession = pwmRequest.getPwmSession();
final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
final Configuration config = pwmApplication.getConfig();
final ForgottenPasswordBean forgottenPasswordBean = forgottenPasswordBean(pwmRequest);
if (!config.readSettingAsBoolean(PwmSetting.FORGOTTEN_PASSWORD_ENABLE)) {
pwmRequest.respondWithError(PwmError.ERROR_SERVICE_NOT_AVAILABLE.toInfo());
return ProcessStatus.Halt;
}
if (pwmSession.isAuthenticated()) {
pwmRequest.respondWithError(PwmError.ERROR_USERAUTHENTICATED.toInfo());
return ProcessStatus.Halt;
}
if (forgottenPasswordBean.getUserIdentity() != null) {
pwmApplication.getIntruderManager().convenience().checkUserIdentity(forgottenPasswordBean.getUserIdentity());
}
checkForLocaleSwitch(pwmRequest, forgottenPasswordBean);
final ProcessAction action = this.readProcessAction(pwmRequest);
// convert a url command like /public/newuser/12321321 to redirect with a process action.
if (action == null) {
if (pwmRequest.convertURLtokenCommand(PwmServletDefinition.ForgottenPassword, ForgottenPasswordAction.enterCode)) {
return ProcessStatus.Halt;
}
}
return ProcessStatus.Continue;
}
Also used :
PwmApplication(password.pwm.PwmApplication)
FormConfiguration(password.pwm.config.value.data.FormConfiguration)
SearchConfiguration(password.pwm.ldap.search.SearchConfiguration)
ActionConfiguration(password.pwm.config.value.data.ActionConfiguration)
Configuration(password.pwm.config.Configuration)
PwmSession(password.pwm.http.PwmSession)
ForgottenPasswordBean(password.pwm.http.bean.ForgottenPasswordBean)
Example 100 with PwmApplication
use of password.pwm.PwmApplication in project pwm by pwm-project.
the class ForgottenPasswordServlet method nextStep.
@Override
@SuppressWarnings("checkstyle:MethodLength")
protected void nextStep(final PwmRequest pwmRequest) throws IOException, ServletException, PwmUnrecoverableException, ChaiUnavailableException {
final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
final Configuration config = pwmRequest.getConfig();
final ForgottenPasswordBean forgottenPasswordBean = forgottenPasswordBean(pwmRequest);
final ForgottenPasswordBean.RecoveryFlags recoveryFlags = forgottenPasswordBean.getRecoveryFlags();
final ForgottenPasswordBean.Progress progress = forgottenPasswordBean.getProgress();
// check for identified user;
if (forgottenPasswordBean.getUserIdentity() == null && !forgottenPasswordBean.isBogusUser()) {
pwmRequest.addFormInfoToRequestAttr(PwmSetting.FORGOTTEN_PASSWORD_SEARCH_FORM, false, false);
pwmRequest.forwardToJsp(JspUrl.RECOVER_PASSWORD_SEARCH);
return;
}
final ForgottenPasswordProfile forgottenPasswordProfile = ForgottenPasswordUtil.forgottenPasswordProfile(pwmRequest.getPwmApplication(), forgottenPasswordBean);
{
final Map<String, ForgottenPasswordProfile> profileIDList = pwmRequest.getConfig().getForgottenPasswordProfiles();
final String profileDebugMsg = forgottenPasswordProfile != null && profileIDList != null && profileIDList.size() > 1 ? " profile=" + forgottenPasswordProfile.getIdentifier() + ", " : "";
LOGGER.trace(pwmRequest, "entering forgotten password progress engine: " + profileDebugMsg + "flags=" + JsonUtil.serialize(recoveryFlags) + ", " + "progress=" + JsonUtil.serialize(progress));
}
if (forgottenPasswordProfile == null) {
throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_NO_PROFILE_ASSIGNED));
}
// check for previous authentication
if (recoveryFlags.getRequiredAuthMethods().contains(IdentityVerificationMethod.PREVIOUS_AUTH) || recoveryFlags.getOptionalAuthMethods().contains(IdentityVerificationMethod.PREVIOUS_AUTH)) {
if (!progress.getSatisfiedMethods().contains(IdentityVerificationMethod.PREVIOUS_AUTH)) {
final UserIdentity userIdentity = forgottenPasswordBean.getUserIdentity();
final String userGuid = LdapOperationsHelper.readLdapGuidValue(pwmApplication, pwmRequest.getSessionLabel(), userIdentity, true);
if (ForgottenPasswordUtil.checkAuthRecord(pwmRequest, userGuid)) {
LOGGER.debug(pwmRequest, "marking " + IdentityVerificationMethod.PREVIOUS_AUTH + " method as satisfied");
progress.getSatisfiedMethods().add(IdentityVerificationMethod.PREVIOUS_AUTH);
}
}
}
// dispatch required auth methods.
for (final IdentityVerificationMethod method : recoveryFlags.getRequiredAuthMethods()) {
if (!progress.getSatisfiedMethods().contains(method)) {
forwardUserBasedOnRecoveryMethod(pwmRequest, method);
return;
}
}
// redirect if an verification method is in progress
if (progress.getInProgressVerificationMethod() != null) {
if (progress.getSatisfiedMethods().contains(progress.getInProgressVerificationMethod())) {
progress.setInProgressVerificationMethod(null);
} else {
pwmRequest.setAttribute(PwmRequestAttribute.ForgottenPasswordOptionalPageView, "true");
forwardUserBasedOnRecoveryMethod(pwmRequest, progress.getInProgressVerificationMethod());
return;
}
}
// check if more optional methods required
if (recoveryFlags.getMinimumOptionalAuthMethods() > 0) {
final Set<IdentityVerificationMethod> satisfiedOptionalMethods = ForgottenPasswordUtil.figureSatisfiedOptionalAuthMethods(recoveryFlags, progress);
if (satisfiedOptionalMethods.size() < recoveryFlags.getMinimumOptionalAuthMethods()) {
final Set<IdentityVerificationMethod> remainingAvailableOptionalMethods = ForgottenPasswordUtil.figureRemainingAvailableOptionalAuthMethods(pwmRequest, forgottenPasswordBean);
if (remainingAvailableOptionalMethods.isEmpty()) {
final String errorMsg = "additional optional verification methods are needed, however all available optional verification methods have been satisfied by user";
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_RECOVERY_SEQUENCE_INCOMPLETE, errorMsg);
LOGGER.error(pwmRequest, errorInformation);
pwmRequest.respondWithError(errorInformation);
return;
} else {
if (remainingAvailableOptionalMethods.size() == 1) {
final IdentityVerificationMethod remainingMethod = remainingAvailableOptionalMethods.iterator().next();
LOGGER.debug(pwmRequest, "only 1 remaining available optional verification method, will redirect to " + remainingMethod.toString());
forwardUserBasedOnRecoveryMethod(pwmRequest, remainingMethod);
progress.setInProgressVerificationMethod(remainingMethod);
return;
}
}
processVerificationChoice(pwmRequest);
return;
}
}
if (progress.getSatisfiedMethods().isEmpty()) {
final String errorMsg = "forgotten password recovery sequence completed, but user has not actually satisfied any verification methods";
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_RECOVERY_SEQUENCE_INCOMPLETE, errorMsg);
LOGGER.error(pwmRequest, errorInformation);
clearForgottenPasswordBean(pwmRequest);
throw new PwmUnrecoverableException(errorInformation);
}
{
final int satisfiedMethods = progress.getSatisfiedMethods().size();
final int totalMethodsNeeded = recoveryFlags.getRequiredAuthMethods().size() + recoveryFlags.getMinimumOptionalAuthMethods();
if (satisfiedMethods < totalMethodsNeeded) {
final String errorMsg = "forgotten password recovery sequence completed " + satisfiedMethods + " methods, " + " but policy requires a total of " + totalMethodsNeeded + " methods";
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_RECOVERY_SEQUENCE_INCOMPLETE, errorMsg);
LOGGER.error(pwmRequest, errorInformation);
clearForgottenPasswordBean(pwmRequest);
throw new PwmUnrecoverableException(errorInformation);
}
}
if (!forgottenPasswordBean.getProgress().isAllPassed()) {
forgottenPasswordBean.getProgress().setAllPassed(true);
StatisticsManager.incrementStat(pwmRequest, Statistic.RECOVERY_SUCCESSES);
}
final UserInfo userInfo = ForgottenPasswordUtil.readUserInfo(pwmRequest, forgottenPasswordBean);
if (userInfo == null) {
throw PwmUnrecoverableException.newException(PwmError.ERROR_UNKNOWN, "unable to load userInfo while processing forgotten password controller");
}
// check if user's pw is within min lifetime window
final RecoveryMinLifetimeOption minLifetimeOption = forgottenPasswordProfile.readSettingAsEnum(PwmSetting.RECOVERY_MINIMUM_PASSWORD_LIFETIME_OPTIONS, RecoveryMinLifetimeOption.class);
if (minLifetimeOption == RecoveryMinLifetimeOption.NONE || (!userInfo.isPasswordLocked() && minLifetimeOption == RecoveryMinLifetimeOption.UNLOCKONLY)) {
if (userInfo.isWithinPasswordMinimumLifetime()) {
PasswordUtility.throwPasswordTooSoonException(userInfo, pwmRequest.getSessionLabel());
}
}
final boolean disallowAllButUnlock = minLifetimeOption == RecoveryMinLifetimeOption.UNLOCKONLY && userInfo.isPasswordLocked();
LOGGER.trace(pwmRequest, "all recovery checks passed, proceeding to configured recovery action");
final RecoveryAction recoveryAction = ForgottenPasswordUtil.getRecoveryAction(config, forgottenPasswordBean);
if (recoveryAction == RecoveryAction.SENDNEWPW || recoveryAction == RecoveryAction.SENDNEWPW_AND_EXPIRE) {
if (disallowAllButUnlock) {
PasswordUtility.throwPasswordTooSoonException(userInfo, pwmRequest.getSessionLabel());
}
ForgottenPasswordUtil.doActionSendNewPassword(pwmRequest);
return;
}
if (forgottenPasswordProfile.readSettingAsBoolean(PwmSetting.RECOVERY_ALLOW_UNLOCK)) {
final PasswordStatus passwordStatus = userInfo.getPasswordStatus();
if (!passwordStatus.isExpired() && !passwordStatus.isPreExpired()) {
if (userInfo.isPasswordLocked()) {
pwmRequest.setAttribute(PwmRequestAttribute.ForgottenPasswordInhibitPasswordReset, Boolean.TRUE);
pwmRequest.forwardToJsp(JspUrl.RECOVER_PASSWORD_ACTION_CHOICE);
return;
}
}
}
this.executeResetPassword(pwmRequest);
}
Also used :
ForgottenPasswordProfile(password.pwm.config.profile.ForgottenPasswordProfile)
IdentityVerificationMethod(password.pwm.config.option.IdentityVerificationMethod)
PwmApplication(password.pwm.PwmApplication)
FormConfiguration(password.pwm.config.value.data.FormConfiguration)
SearchConfiguration(password.pwm.ldap.search.SearchConfiguration)
ActionConfiguration(password.pwm.config.value.data.ActionConfiguration)
Configuration(password.pwm.config.Configuration)
UserIdentity(password.pwm.bean.UserIdentity)
PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException)
UserInfo(password.pwm.ldap.UserInfo)
RecoveryMinLifetimeOption(password.pwm.config.option.RecoveryMinLifetimeOption)
ErrorInformation(password.pwm.error.ErrorInformation)
RecoveryAction(password.pwm.config.option.RecoveryAction)
PasswordStatus(password.pwm.bean.PasswordStatus)
ForgottenPasswordBean(password.pwm.http.bean.ForgottenPasswordBean)
Map(java.util.Map)
LinkedHashMap(java.util.LinkedHashMap)
Aggregations
PwmApplication (password.pwm.PwmApplication)120
PwmSession (password.pwm.http.PwmSession)55
ErrorInformation (password.pwm.error.ErrorInformation)54
PwmUnrecoverableException (password.pwm.error.PwmUnrecoverableException)49
PwmOperationalException (password.pwm.error.PwmOperationalException)36
Configuration (password.pwm.config.Configuration)33
UserIdentity (password.pwm.bean.UserIdentity)27
FormConfiguration (password.pwm.config.value.data.FormConfiguration)25
PwmException (password.pwm.error.PwmException)25
IOException (java.io.IOException)22
ServletException (javax.servlet.ServletException)18
UserInfo (password.pwm.ldap.UserInfo)18
ChaiUnavailableException (com.novell.ldapchai.exception.ChaiUnavailableException)17
ChaiUser (com.novell.ldapchai.ChaiUser)16
Locale (java.util.Locale)13
ActionConfiguration (password.pwm.config.value.data.ActionConfiguration)13
SearchConfiguration (password.pwm.ldap.search.SearchConfiguration)13
MacroMachine (password.pwm.util.macro.MacroMachine)12
ChaiOperationException (com.novell.ldapchai.exception.ChaiOperationException)11
Instant (java.time.Instant)10
