use of password.pwm.config.Configuration in project pwm by pwm-project.
the class IdleTimeoutCalculator method idleTimeoutForRequest.
/**
 * Selects the idle timeout that applies to a request, based on its URL.
 *
 * <p>Resource URLs get the idle timeout of {@code figureMaxSessionTimeout}. For the
 * helpdesk, people-search, config-editor and config-guide servlets a module-specific
 * value is returned when the module's precondition holds and the configured value is
 * greater than zero. Every other case, including a module value of zero or less,
 * falls back to {@code PwmSetting.IDLE_TIMEOUT_SECONDS}.
 *
 * <p>A module value replaces the general one, so it decides how long an unattended
 * helpdesk or configuration-editor session stays usable.
 *
 * @param pwmURL parsed URL of the current request
 * @param pwmApplication application whose configuration is read
 * @param pwmSession session used for the helpdesk profile and permission lookups
 * @return the idle timeout for the request
 * @throws PwmUnrecoverableException propagated from the lookups made here; inside the
 *         config-editor branch it is caught and logged instead
 */
public static TimeDuration idleTimeoutForRequest(final PwmURL pwmURL, final PwmApplication pwmApplication, final PwmSession pwmSession) throws PwmUnrecoverableException {
    if (pwmURL.isResourceURL()) {
        return figureMaxSessionTimeout(pwmApplication, pwmSession).getIdleTimeout();
    }

    final Configuration config = pwmApplication.getConfig();

    // Helpdesk: the timeout comes from the helpdesk profile resolved for this session.
    if (pwmURL.isPwmServletURL(PwmServletDefinition.Helpdesk)
            && config.readSettingAsBoolean(PwmSetting.HELPDESK_ENABLE)) {
        final HelpdeskProfile profile = pwmSession.getSessionManager().getHelpdeskProfile(pwmApplication);
        if (profile != null) {
            final long seconds = profile.readSettingAsLong(PwmSetting.HELPDESK_IDLE_TIMEOUT_SECONDS);
            if (seconds > 0) {
                return new TimeDuration(seconds, TimeUnit.SECONDS);
            }
        }
    }

    // People search: the module timeout is only considered for private URLs.
    final boolean peopleSearchServlet = pwmURL.isPwmServletURL(PwmServletDefinition.PrivatePeopleSearch)
            || pwmURL.isPwmServletURL(PwmServletDefinition.PublicPeopleSearch);
    if (peopleSearchServlet
            && pwmURL.isPrivateUrl()
            && config.readSettingAsBoolean(PwmSetting.PEOPLE_SEARCH_ENABLE)) {
        final long seconds = config.readSettingAsLong(PwmSetting.PEOPLE_SEARCH_IDLE_TIMEOUT_SECONDS);
        if (seconds > 0) {
            return new TimeDuration(seconds, TimeUnit.SECONDS);
        }
    }

    // Config editor: the dedicated timeout is applied only when the session holds PWMADMIN.
    // A failed permission check is logged and the request falls through to the later rules.
    if (pwmURL.isPwmServletURL(PwmServletDefinition.ConfigEditor)) {
        try {
            if (pwmSession.getSessionManager().checkPermission(pwmApplication, Permission.PWMADMIN)) {
                // NOTE(review): Long.parseLong is unguarded here; a non-numeric app property
                // value surfaces as NumberFormatException rather than a fallback.
                final long seconds = Long.parseLong(config.readAppProperty(AppProperty.CONFIG_EDITOR_IDLE_TIMEOUT));
                if (seconds > 0) {
                    return new TimeDuration(seconds, TimeUnit.SECONDS);
                }
            }
        } catch (PwmUnrecoverableException e) {
            LOGGER.error(pwmSession, "error while figuring max idle timeout for session: " + e.getMessage());
        }
    }

    // Config guide: only while the application is in NEW mode.
    if (pwmURL.isPwmServletURL(PwmServletDefinition.ConfigGuide)
            && pwmApplication.getApplicationMode() == PwmApplicationMode.NEW) {
        final long seconds = Long.parseLong(config.readAppProperty(AppProperty.CONFIG_GUIDE_IDLE_TIMEOUT));
        if (seconds > 0) {
            return new TimeDuration(seconds, TimeUnit.SECONDS);
        }
    }

    // No module-specific rule matched: use the general idle timeout.
    return new TimeDuration(config.readSettingAsLong(PwmSetting.IDLE_TIMEOUT_SECONDS), TimeUnit.SECONDS);
}
use of password.pwm.config.Configuration in project pwm by pwm-project.
the class RequestInitializationFilter method addStaticResponseHeaders.
/**
 * Writes the response headers that do not depend on the individual request.
 *
 * <p>All switches are read from the configuration before the first header is set.
 * {@code Cache-Control} is always written; every other header is conditional on its
 * app property or setting.
 *
 * @param pwmApplication application supplying configuration, instance id and macro context
 * @param resp response that receives the headers
 * @throws PwmUnrecoverableException propagated from the calls made here
 */
public static void addStaticResponseHeaders(final PwmApplication pwmApplication, final HttpServletResponse resp) throws PwmUnrecoverableException {
    final Configuration config = pwmApplication.getConfig();

    final String serverTemplate = config.readAppProperty(AppProperty.HTTP_HEADER_SERVER);
    final boolean sendInstance = Boolean.parseBoolean(config.readAppProperty(AppProperty.HTTP_HEADER_SEND_XINSTANCE));
    final boolean sendVersion = Boolean.parseBoolean(config.readAppProperty(AppProperty.HTTP_HEADER_SEND_XVERSION));
    final boolean sendNoSniff = Boolean.parseBoolean(config.readAppProperty(AppProperty.HTTP_HEADER_SEND_XCONTENTTYPEOPTIONS));
    final boolean sendXssProtection = Boolean.parseBoolean(config.readAppProperty(AppProperty.HTTP_HEADER_SEND_XXSSPROTECTION));
    final boolean denyFraming = config.readSettingAsBoolean(PwmSetting.SECURITY_PREVENT_FRAMING);
    final boolean sendAmb = Boolean.parseBoolean(config.readAppProperty(AppProperty.HTTP_HEADER_SEND_XAMB));

    final String noise = makeNoiseHeader(config);
    if (noise != null) {
        resp.setHeader(HttpHeader.XNoise.getHttpName(), noise);
    }

    // The version and instance headers identify the deployment to every client, so
    // each is emitted only when its app property is enabled.
    if (sendVersion) {
        resp.setHeader(HttpHeader.XVersion.getHttpName(), PwmConstants.SERVLET_VERSION);
    }

    // "nosniff" tells the browser not to guess a content type other than the declared one.
    if (sendNoSniff) {
        resp.setHeader(HttpHeader.XContentTypeOptions.getHttpName(), "nosniff");
    }

    // Legacy XSS-filter header; it is not a substitute for output encoding.
    if (sendXssProtection) {
        resp.setHeader(HttpHeader.XXSSProtection.getHttpName(), "1");
    }

    if (sendInstance) {
        resp.setHeader(HttpHeader.XInstance.getHttpName(), String.valueOf(pwmApplication.getInstanceID()));
    }

    // The Server header value is a configured template; macros are expanded without user context.
    if (serverTemplate != null && !serverTemplate.isEmpty()) {
        final MacroMachine macroMachine = MacroMachine.forNonUserSpecific(pwmApplication, null);
        resp.setHeader(HttpHeader.Server.getHttpName(), macroMachine.expandMacros(serverTemplate));
    }

    // DENY forbids rendering the response inside any frame (anti-clickjacking).
    if (denyFraming) {
        resp.setHeader(HttpHeader.XFrameOptions.getHttpName(), "DENY");
    }

    if (sendAmb) {
        final int pick = PwmRandom.getInstance().nextInt(PwmConstants.X_AMB_HEADER.size());
        resp.setHeader(HttpHeader.XAmb.getHttpName(), PwmConstants.X_AMB_HEADER.get(pick));
    }

    // Unconditional: responses must not be stored by the browser or by intermediaries.
    resp.setHeader(HttpHeader.Cache_Control.getHttpName(), "no-cache, no-store, must-revalidate, proxy-revalidate");
}
use of password.pwm.config.Configuration in project pwm by pwm-project.
the class ConfigurationChecker method doHealthCheck.
/**
 * Runs the configuration health checks for the application.
 *
 * <p>Adds a record when the application is in CONFIGURATION mode, a WARN record for
 * each new-user profile whose password policy cannot be read, and then the records
 * of the configuration-only {@code doHealthCheck(config, locale)} overload.
 *
 * @param pwmApplication application to inspect
 * @return the collected records; an empty list when no configuration is available
 */
public List<HealthRecord> doHealthCheck(final PwmApplication pwmApplication) {
    if (pwmApplication.getConfig() == null) {
        return Collections.emptyList();
    }

    final Configuration config = pwmApplication.getConfig();
    final List<HealthRecord> findings = new ArrayList<>();

    if (PwmApplicationMode.CONFIGURATION == pwmApplication.getApplicationMode()) {
        findings.add(HealthRecord.forMessage(HealthMessage.Config_ConfigMode));
    }

    if (config.readSettingAsBoolean(PwmSetting.NEWUSER_ENABLE)) {
        for (final NewUserProfile profile : config.getNewUserProfiles().values()) {
            try {
                // The returned policy is discarded; the call is made only to see whether it fails.
                profile.getNewUserPasswordPolicy(pwmApplication, PwmConstants.DEFAULT_LOCALE);
            } catch (PwmUnrecoverableException e) {
                final HealthRecord warning = new HealthRecord(HealthStatus.WARN, HealthTopic.Configuration, e.getMessage());
                findings.add(warning);
            }
        }
    }

    final List<HealthRecord> configFindings = doHealthCheck(config, PwmConstants.DEFAULT_LOCALE);
    findings.addAll(configFindings);
    return findings;
}
use of password.pwm.config.Configuration in project pwm by pwm-project.
the class UserInfoReader method isRequiresUpdateProfile.
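/**
 * Reports whether this user must complete the update-profile module.
 *
 * <p>Returns {@code true} only when the module is enabled, an update-attributes
 * profile is assigned to the user, that profile has force-setup enabled, and the
 * user's directory values fail validation against the profile form.
 *
 * @return {@code true} if the user's stored attributes fail form validation and a
 *         forced update applies; {@code false} in every other case
 * @throws PwmUnrecoverableException declared by the interface; an unrecoverable error
 *         raised while reading or validating the attributes is logged here, not rethrown
 */
@Override
public boolean isRequiresUpdateProfile() throws PwmUnrecoverableException {
    final Configuration configuration = pwmApplication.getConfig();

    if (!configuration.readSettingAsBoolean(PwmSetting.UPDATE_PROFILE_ENABLE)) {
        LOGGER.debug(sessionLabel, "checkProfiles: " + userIdentity.toString() + " profile module is not enabled");
        return false;
    }

    UpdateProfileProfile updateProfileProfile = null;
    final Map<ProfileType, String> profileIDs = selfCachedReference.getProfileIDs();
    if (profileIDs.containsKey(ProfileType.UpdateAttributes)) {
        updateProfileProfile = configuration.getUpdateAttributesProfile().get(profileIDs.get(ProfileType.UpdateAttributes));
    }

    // No profile assigned to this user: nothing can be forced.
    if (updateProfileProfile == null) {
        return false;
    }

    if (!updateProfileProfile.readSettingAsBoolean(PwmSetting.UPDATE_PROFILE_FORCE_SETUP)) {
        LOGGER.debug(sessionLabel, "checkProfiles: " + userIdentity.toString() + " profile force setup is not enabled");
        return false;
    }

    final List<FormConfiguration> updateFormFields = updateProfileProfile.readSettingAsForm(PwmSetting.UPDATE_PROFILE_FORM);

    try {
        // Empty values are requested as well, so that missing attributes reach validation.
        final Map<FormConfiguration, List<String>> valueMap = FormUtility.populateFormMapFromLdap(updateFormFields, sessionLabel, selfCachedReference, FormUtility.Flag.ReturnEmptyValues);
        final Map<FormConfiguration, String> singleValueMap = FormUtility.multiValueMapToSingleValue(valueMap);
        FormUtility.validateFormValues(configuration, singleValueMap, locale);
        LOGGER.debug(sessionLabel, "checkProfile: " + userIdentity + " has value for attributes, update profile will not be required");
        return false;
    } catch (PwmDataValidationException e) {
        LOGGER.debug(sessionLabel, "checkProfile: " + userIdentity + " does not have good attributes (" + e.getMessage() + "), update profile will be required");
        return true;
    } catch (PwmUnrecoverableException e) {
        // Log through the application logger instead of printStackTrace(), so the failure
        // is recorded with the session label like the other messages of this method.
        // NOTE(review): the method still answers "not required" when the check itself
        // fails, so a forced profile update is skipped on error. Confirm that this
        // fail-open result is intended before changing it; callers may rely on it.
        LOGGER.error(sessionLabel, "checkProfile: error while checking profile attributes for " + userIdentity + ": " + e.getMessage());
    }

    return false;
}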
use of password.pwm.config.Configuration in project pwm by pwm-project.
the class UserInfoReader method getPasswordStatus.
/**
 * Builds the password status for this user: policy violation, expired, pre-expired
 * and warn-period flags.
 *
 * <p>The flags come from three sources: a policy test of {@code currentPassword}
 * (only when the policy has EnforceAtLogin set and a current password is held), the
 * directory's own expired indication, and the cached password expiration time
 * compared with the pre-expire and warn settings.
 *
 * @return the assembled {@code PasswordStatus}
 * @throws PwmUnrecoverableException when the directory is unavailable
 *         ({@code ChaiUnavailableException} is converted), or from the other calls made here
 */
@Override
public PasswordStatus getPasswordStatus() throws PwmUnrecoverableException {
    final Configuration config = pwmApplication.getConfig();
    final PasswordStatus.PasswordStatusBuilder passwordStatusBuilder = PasswordStatus.builder();
    final String userDN = chaiUser.getEntryDN();
    final PwmPasswordPolicy passwordPolicy = selfCachedReference.getPasswordPolicy();
    // Start time is used only for the elapsed-time figure in the final debug message.
    final long startTime = System.currentTimeMillis();
    LOGGER.trace(sessionLabel, "beginning password status check process for " + userDN);
    // check if password meets existing policy.
    if (passwordPolicy.getRuleHelper().readBooleanValue(PwmPasswordRule.EnforceAtLogin)) {
        // Without a current password in hand the policy test is skipped entirely.
        if (currentPassword != null) {
            try {
                final PwmPasswordRuleValidator passwordRuleValidator = new PwmPasswordRuleValidator(pwmApplication, passwordPolicy);
                passwordRuleValidator.testPassword(currentPassword, null, selfCachedReference, chaiUser);
            } catch (PwmDataValidationException | PwmUnrecoverableException e) {
                // NOTE(review): an unrecoverable error inside the validator is handled the same
                // way as a validation failure, so it also marks the password as violating
                // policy - confirm this is intended.
                LOGGER.debug(sessionLabel, "user " + userDN + " password does not conform to current password policy (" + e.getMessage() + "), marking as requiring change.");
                passwordStatusBuilder.violatesPolicy(true);
            } catch (ChaiUnavailableException e) {
                throw PwmUnrecoverableException.fromChaiException(e);
            }
        }
    }
    boolean ldapPasswordExpired = false;
    try {
        ldapPasswordExpired = chaiUser.isPasswordExpired();
        if (ldapPasswordExpired) {
            LOGGER.trace(sessionLabel, "password for " + userDN + " appears to be expired");
        } else {
            LOGGER.trace(sessionLabel, "password for " + userDN + " does not appear to be expired");
        }
    } catch (ChaiOperationException e) {
        // The read error is only logged; ldapPasswordExpired keeps its initial value of
        // false, so the password is reported as not expired in this case.
        LOGGER.info(sessionLabel, "error reading LDAP attributes for " + userDN + " while reading isPasswordExpired(): " + e.getMessage());
    } catch (ChaiUnavailableException e) {
        throw PwmUnrecoverableException.fromChaiException(e);
    }
    final Instant ldapPasswordExpirationTime = selfCachedReference.getPasswordExpirationTime();
    boolean preExpired = false;
    // Everything in this block, including the preExpired(...) call on the builder, runs
    // only when an expiration time is available.
    if (ldapPasswordExpirationTime != null) {
        // expirationInterval feeds the trace message; diff (computed by the same call) is
        // used for the comparisons below.
        final TimeDuration expirationInterval = TimeDuration.fromCurrent(ldapPasswordExpirationTime);
        LOGGER.trace(sessionLabel, "read password expiration time: " + JavaHelper.toIsoDate(ldapPasswordExpirationTime) + ", " + expirationInterval.asCompactString() + " from now");
        final TimeDuration diff = TimeDuration.fromCurrent(ldapPasswordExpirationTime);
        // now check to see if the user's expire time is within the 'preExpireTime' setting.
        // The setting is multiplied by 1000 to compare against milliseconds
        // (presumably configured in seconds - TODO confirm).
        final long preExpireMs = config.readSettingAsLong(PwmSetting.PASSWORD_EXPIRE_PRE_TIME) * 1000;
        // NOTE(review): whether fromCurrent() yields a signed or an absolute duration is not
        // visible here; if absolute, an expiration time in the past inside the window would
        // also satisfy this test - confirm.
        if (diff.getTotalMilliseconds() > 0 && diff.getTotalMilliseconds() < preExpireMs) {
            LOGGER.debug(sessionLabel, "user " + userDN + " password will expire within " + diff.asCompactString() + ", marking as pre-expired");
            preExpired = true;
        } else if (ldapPasswordExpired) {
            // A password the directory already reports as expired is also flagged pre-expired.
            preExpired = true;
            LOGGER.debug(sessionLabel, "user " + userDN + " password is expired, marking as pre-expired.");
        }
        // now check to see if the user's expire time is within the 'preWarnTime' setting.
        final long preWarnMs = config.readSettingAsLong(PwmSetting.PASSWORD_EXPIRE_WARN_TIME) * 1000;
        // don't check if the 'preWarnTime' setting is zero or less than the expirePreTime
        if (!ldapPasswordExpired && !preExpired) {
            if (!(preWarnMs == 0 || preWarnMs < preExpireMs)) {
                if (diff.getTotalMilliseconds() > 0 && diff.getTotalMilliseconds() < preWarnMs) {
                    LOGGER.debug(sessionLabel, "user " + userDN + " password will expire within " + diff.asCompactString() + ", marking as within warn period");
                    passwordStatusBuilder.warnPeriod(true);
                }
            }
        }
        passwordStatusBuilder.preExpired(preExpired);
    }
    // The summary is logged before expired(...) is applied to the builder, so the builder
    // text in this message does not yet include that flag.
    LOGGER.debug(sessionLabel, "completed user password status check for " + userDN + " " + passwordStatusBuilder + " (" + TimeDuration.fromCurrent(startTime).asCompactString() + ")");
    passwordStatusBuilder.expired(ldapPasswordExpired);
    return passwordStatusBuilder.build();
}