Examples with IdentityVerificationMethod password.pwm.config.option.IdentityVerificationMethod used on opensource projects

Example 1 with IdentityVerificationMethod

use of password.pwm.config.option.IdentityVerificationMethod in project pwm by pwm-project.

the class ForgottenPasswordUtil method calculateRecoveryFlags.

static ForgottenPasswordBean.RecoveryFlags calculateRecoveryFlags(final PwmApplication pwmApplication, final String forgottenPasswordProfileID) {
    final Configuration config = pwmApplication.getConfig();
    final ForgottenPasswordProfile forgottenPasswordProfile = config.getForgottenPasswordProfiles().get(forgottenPasswordProfileID);
    final Set<IdentityVerificationMethod> requiredRecoveryVerificationMethods = forgottenPasswordProfile.requiredRecoveryAuthenticationMethods();
    final Set<IdentityVerificationMethod> optionalRecoveryVerificationMethods = forgottenPasswordProfile.optionalRecoveryAuthenticationMethods();
    final int minimumOptionalRecoveryAuthMethods = forgottenPasswordProfile.getMinOptionalRequired();
    final boolean allowWhenLdapIntruderLocked = forgottenPasswordProfile.readSettingAsBoolean(PwmSetting.RECOVERY_ALLOW_WHEN_LOCKED);
    return new ForgottenPasswordBean.RecoveryFlags(allowWhenLdapIntruderLocked, requiredRecoveryVerificationMethods, optionalRecoveryVerificationMethods, minimumOptionalRecoveryAuthMethods);
}

Example 2 with IdentityVerificationMethod

use of password.pwm.config.option.IdentityVerificationMethod in project pwm by pwm-project.

the class VerificationMethodValue method toDebugString.

@Override
public String toDebugString(final Locale locale) {
    if (value == null) {
        return "No Verification Methods";
    }
    final StringBuilder out = new StringBuilder();
    final List<String> optionals = new ArrayList<>();
    final List<String> required = new ArrayList<>();
    for (final IdentityVerificationMethod method : value.getMethodSettings().keySet()) {
        switch(value.getMethodSettings().get(method).getEnabledState()) {
            case optional:
                optionals.add(method.getLabel(null, locale));
                break;
            case required:
                required.add(method.getLabel(null, locale));
                break;
            default:
                // continue processing
                break;
        }
        method.getLabel(null, locale);
    }
    out.append("optional methods: ").append(optionals.isEmpty() ? LocaleHelper.getLocalizedMessage(locale, Display.Value_NotApplicable, null) : JsonUtil.serializeCollection(optionals));
    out.append(", required methods: ").append(required.isEmpty() ? LocaleHelper.getLocalizedMessage(locale, Display.Value_NotApplicable, null) : JsonUtil.serializeCollection(required));
    if (value.getMinOptionalRequired() > 0) {
        out.append(",  minimum optional methods required: ").append(value.getMinOptionalRequired());
    }
    return out.toString();
}

Example 3 with IdentityVerificationMethod

use of password.pwm.config.option.IdentityVerificationMethod in project pwm by pwm-project.

the class AbstractProfile method readVerificationMethods.

Set<IdentityVerificationMethod> readVerificationMethods(final PwmSetting pwmSetting, final VerificationMethodValue.EnabledState enabledState) {
    final Set<IdentityVerificationMethod> result = new LinkedHashSet<>();
    final StoredValue configValue = storedValueMap.get(pwmSetting);
    final VerificationMethodValue.VerificationMethodSettings verificationMethodSettings = (VerificationMethodValue.VerificationMethodSettings) configValue.toNativeObject();
    for (final IdentityVerificationMethod recoveryVerificationMethods : IdentityVerificationMethod.availableValues()) {
        if (verificationMethodSettings.getMethodSettings().containsKey(recoveryVerificationMethods)) {
            if (verificationMethodSettings.getMethodSettings().get(recoveryVerificationMethods).getEnabledState() == enabledState) {
                result.add(recoveryVerificationMethods);
            }
        }
    }
    return result;
}

Example 4 with IdentityVerificationMethod

use of password.pwm.config.option.IdentityVerificationMethod in project pwm by pwm-project.

the class ForgottenPasswordServlet method processVerificationChoice.

@ActionHandler(action = "verificationChoice")
private ProcessStatus processVerificationChoice(final PwmRequest pwmRequest) throws PwmUnrecoverableException, ServletException, IOException {
    final ForgottenPasswordBean forgottenPasswordBean = forgottenPasswordBean(pwmRequest);
    final String requestedChoiceStr = pwmRequest.readParameterAsString("choice");
    final LinkedHashSet<IdentityVerificationMethod> remainingAvailableOptionalMethods = new LinkedHashSet<>(ForgottenPasswordUtil.figureRemainingAvailableOptionalAuthMethods(pwmRequest, forgottenPasswordBean));
    pwmRequest.setAttribute(PwmRequestAttribute.AvailableAuthMethods, remainingAvailableOptionalMethods);
    IdentityVerificationMethod requestedChoice = null;
    if (requestedChoiceStr != null && !requestedChoiceStr.isEmpty()) {
        try {
            requestedChoice = IdentityVerificationMethod.valueOf(requestedChoiceStr);
        } catch (IllegalArgumentException e) {
            final String errorMsg = "unknown verification method requested";
            final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_MISSING_PARAMETER, errorMsg);
            setLastError(pwmRequest, errorInformation);
            pwmRequest.forwardToJsp(JspUrl.RECOVER_PASSWORD_METHOD_CHOICE);
            return ProcessStatus.Halt;
        }
    }
    if (remainingAvailableOptionalMethods.contains(requestedChoice)) {
        forgottenPasswordBean.getProgress().setInProgressVerificationMethod(requestedChoice);
        pwmRequest.setAttribute(PwmRequestAttribute.ForgottenPasswordOptionalPageView, "true");
        forwardUserBasedOnRecoveryMethod(pwmRequest, requestedChoice);
        return ProcessStatus.Continue;
    } else if (requestedChoice != null) {
        final String errorMsg = "requested verification method is not available at this time";
        final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_MISSING_PARAMETER, errorMsg);
        setLastError(pwmRequest, errorInformation);
    }
    pwmRequest.forwardToJsp(JspUrl.RECOVER_PASSWORD_METHOD_CHOICE);
    return ProcessStatus.Halt;
}

Example 5 with IdentityVerificationMethod

use of password.pwm.config.option.IdentityVerificationMethod in project pwm by pwm-project.

the class ForgottenPasswordServlet method nextStep.

@Override
@SuppressWarnings("checkstyle:MethodLength")
protected void nextStep(final PwmRequest pwmRequest) throws IOException, ServletException, PwmUnrecoverableException, ChaiUnavailableException {
    final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
    final Configuration config = pwmRequest.getConfig();
    final ForgottenPasswordBean forgottenPasswordBean = forgottenPasswordBean(pwmRequest);
    final ForgottenPasswordBean.RecoveryFlags recoveryFlags = forgottenPasswordBean.getRecoveryFlags();
    final ForgottenPasswordBean.Progress progress = forgottenPasswordBean.getProgress();
    // check for identified user;
    if (forgottenPasswordBean.getUserIdentity() == null && !forgottenPasswordBean.isBogusUser()) {
        pwmRequest.addFormInfoToRequestAttr(PwmSetting.FORGOTTEN_PASSWORD_SEARCH_FORM, false, false);
        pwmRequest.forwardToJsp(JspUrl.RECOVER_PASSWORD_SEARCH);
        return;
    }
    final ForgottenPasswordProfile forgottenPasswordProfile = ForgottenPasswordUtil.forgottenPasswordProfile(pwmRequest.getPwmApplication(), forgottenPasswordBean);
    {
        final Map<String, ForgottenPasswordProfile> profileIDList = pwmRequest.getConfig().getForgottenPasswordProfiles();
        final String profileDebugMsg = forgottenPasswordProfile != null && profileIDList != null && profileIDList.size() > 1 ? " profile=" + forgottenPasswordProfile.getIdentifier() + ", " : "";
        LOGGER.trace(pwmRequest, "entering forgotten password progress engine: " + profileDebugMsg + "flags=" + JsonUtil.serialize(recoveryFlags) + ", " + "progress=" + JsonUtil.serialize(progress));
    }
    if (forgottenPasswordProfile == null) {
        throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_NO_PROFILE_ASSIGNED));
    }
    // check for previous authentication
    if (recoveryFlags.getRequiredAuthMethods().contains(IdentityVerificationMethod.PREVIOUS_AUTH) || recoveryFlags.getOptionalAuthMethods().contains(IdentityVerificationMethod.PREVIOUS_AUTH)) {
        if (!progress.getSatisfiedMethods().contains(IdentityVerificationMethod.PREVIOUS_AUTH)) {
            final UserIdentity userIdentity = forgottenPasswordBean.getUserIdentity();
            final String userGuid = LdapOperationsHelper.readLdapGuidValue(pwmApplication, pwmRequest.getSessionLabel(), userIdentity, true);
            if (ForgottenPasswordUtil.checkAuthRecord(pwmRequest, userGuid)) {
                LOGGER.debug(pwmRequest, "marking " + IdentityVerificationMethod.PREVIOUS_AUTH + " method as satisfied");
                progress.getSatisfiedMethods().add(IdentityVerificationMethod.PREVIOUS_AUTH);
            }
        }
    }
    // dispatch required auth methods.
    for (final IdentityVerificationMethod method : recoveryFlags.getRequiredAuthMethods()) {
        if (!progress.getSatisfiedMethods().contains(method)) {
            forwardUserBasedOnRecoveryMethod(pwmRequest, method);
            return;
        }
    }
    // redirect if an verification method is in progress
    if (progress.getInProgressVerificationMethod() != null) {
        if (progress.getSatisfiedMethods().contains(progress.getInProgressVerificationMethod())) {
            progress.setInProgressVerificationMethod(null);
        } else {
            pwmRequest.setAttribute(PwmRequestAttribute.ForgottenPasswordOptionalPageView, "true");
            forwardUserBasedOnRecoveryMethod(pwmRequest, progress.getInProgressVerificationMethod());
            return;
        }
    }
    // check if more optional methods required
    if (recoveryFlags.getMinimumOptionalAuthMethods() > 0) {
        final Set<IdentityVerificationMethod> satisfiedOptionalMethods = ForgottenPasswordUtil.figureSatisfiedOptionalAuthMethods(recoveryFlags, progress);
        if (satisfiedOptionalMethods.size() < recoveryFlags.getMinimumOptionalAuthMethods()) {
            final Set<IdentityVerificationMethod> remainingAvailableOptionalMethods = ForgottenPasswordUtil.figureRemainingAvailableOptionalAuthMethods(pwmRequest, forgottenPasswordBean);
            if (remainingAvailableOptionalMethods.isEmpty()) {
                final String errorMsg = "additional optional verification methods are needed, however all available optional verification methods have been satisfied by user";
                final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_RECOVERY_SEQUENCE_INCOMPLETE, errorMsg);
                LOGGER.error(pwmRequest, errorInformation);
                pwmRequest.respondWithError(errorInformation);
                return;
            } else {
                if (remainingAvailableOptionalMethods.size() == 1) {
                    final IdentityVerificationMethod remainingMethod = remainingAvailableOptionalMethods.iterator().next();
                    LOGGER.debug(pwmRequest, "only 1 remaining available optional verification method, will redirect to " + remainingMethod.toString());
                    forwardUserBasedOnRecoveryMethod(pwmRequest, remainingMethod);
                    progress.setInProgressVerificationMethod(remainingMethod);
                    return;
                }
            }
            processVerificationChoice(pwmRequest);
            return;
        }
    }
    if (progress.getSatisfiedMethods().isEmpty()) {
        final String errorMsg = "forgotten password recovery sequence completed, but user has not actually satisfied any verification methods";
        final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_RECOVERY_SEQUENCE_INCOMPLETE, errorMsg);
        LOGGER.error(pwmRequest, errorInformation);
        clearForgottenPasswordBean(pwmRequest);
        throw new PwmUnrecoverableException(errorInformation);
    }
    {
        final int satisfiedMethods = progress.getSatisfiedMethods().size();
        final int totalMethodsNeeded = recoveryFlags.getRequiredAuthMethods().size() + recoveryFlags.getMinimumOptionalAuthMethods();
        if (satisfiedMethods < totalMethodsNeeded) {
            final String errorMsg = "forgotten password recovery sequence completed " + satisfiedMethods + " methods, " + " but policy requires a total of " + totalMethodsNeeded + " methods";
            final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_RECOVERY_SEQUENCE_INCOMPLETE, errorMsg);
            LOGGER.error(pwmRequest, errorInformation);
            clearForgottenPasswordBean(pwmRequest);
            throw new PwmUnrecoverableException(errorInformation);
        }
    }
    if (!forgottenPasswordBean.getProgress().isAllPassed()) {
        forgottenPasswordBean.getProgress().setAllPassed(true);
        StatisticsManager.incrementStat(pwmRequest, Statistic.RECOVERY_SUCCESSES);
    }
    final UserInfo userInfo = ForgottenPasswordUtil.readUserInfo(pwmRequest, forgottenPasswordBean);
    if (userInfo == null) {
        throw PwmUnrecoverableException.newException(PwmError.ERROR_UNKNOWN, "unable to load userInfo while processing forgotten password controller");
    }
    // check if user's pw is within min lifetime window
    final RecoveryMinLifetimeOption minLifetimeOption = forgottenPasswordProfile.readSettingAsEnum(PwmSetting.RECOVERY_MINIMUM_PASSWORD_LIFETIME_OPTIONS, RecoveryMinLifetimeOption.class);
    if (minLifetimeOption == RecoveryMinLifetimeOption.NONE || (!userInfo.isPasswordLocked() && minLifetimeOption == RecoveryMinLifetimeOption.UNLOCKONLY)) {
        if (userInfo.isWithinPasswordMinimumLifetime()) {
            PasswordUtility.throwPasswordTooSoonException(userInfo, pwmRequest.getSessionLabel());
        }
    }
    final boolean disallowAllButUnlock = minLifetimeOption == RecoveryMinLifetimeOption.UNLOCKONLY && userInfo.isPasswordLocked();
    LOGGER.trace(pwmRequest, "all recovery checks passed, proceeding to configured recovery action");
    final RecoveryAction recoveryAction = ForgottenPasswordUtil.getRecoveryAction(config, forgottenPasswordBean);
    if (recoveryAction == RecoveryAction.SENDNEWPW || recoveryAction == RecoveryAction.SENDNEWPW_AND_EXPIRE) {
        if (disallowAllButUnlock) {
            PasswordUtility.throwPasswordTooSoonException(userInfo, pwmRequest.getSessionLabel());
        }
        ForgottenPasswordUtil.doActionSendNewPassword(pwmRequest);
        return;
    }
    if (forgottenPasswordProfile.readSettingAsBoolean(PwmSetting.RECOVERY_ALLOW_UNLOCK)) {
        final PasswordStatus passwordStatus = userInfo.getPasswordStatus();
        if (!passwordStatus.isExpired() && !passwordStatus.isPreExpired()) {
            if (userInfo.isPasswordLocked()) {
                pwmRequest.setAttribute(PwmRequestAttribute.ForgottenPasswordInhibitPasswordReset, Boolean.TRUE);
                pwmRequest.forwardToJsp(JspUrl.RECOVER_PASSWORD_ACTION_CHOICE);
                return;
            }
        }
    }
    this.executeResetPassword(pwmRequest);
}