use of password.pwm.config.profile.ForgottenPasswordProfile in project pwm by pwm-project.
the class PasswordUtility method helpdeskSetUserPassword.
public static void helpdeskSetUserPassword(final PwmSession pwmSession, final ChaiUser chaiUser, final UserInfo userInfo, final PwmApplication pwmApplication, final PasswordData newPassword) throws ChaiUnavailableException, PwmUnrecoverableException, PwmOperationalException {
final SessionLabel sessionLabel = pwmSession.getLabel();
final UserIdentity userIdentity = userInfo.getUserIdentity();
if (!pwmSession.isAuthenticated()) {
final String errorMsg = "attempt to helpdeskSetUserPassword, but user is not authenticated";
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_UNAUTHORIZED, errorMsg);
throw new PwmOperationalException(errorInformation);
}
final HelpdeskProfile helpdeskProfile = pwmSession.getSessionManager().getHelpdeskProfile(pwmApplication);
if (helpdeskProfile == null) {
final String errorMsg = "attempt to helpdeskSetUserPassword, but user does not have helpdesk permission";
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_UNAUTHORIZED, errorMsg);
throw new PwmOperationalException(errorInformation);
}
setPassword(pwmApplication, pwmSession.getLabel(), chaiUser.getChaiProvider(), userInfo, null, newPassword);
// create a proxy user object for pwm to update/read the user.
final ChaiUser proxiedUser = pwmApplication.getProxiedChaiUser(userIdentity);
// mark the event log
{
final HelpdeskAuditRecord auditRecord = new AuditRecordFactory(pwmApplication, pwmSession).createHelpdeskAuditRecord(AuditEvent.HELPDESK_SET_PASSWORD, pwmSession.getUserInfo().getUserIdentity(), null, userIdentity, pwmSession.getSessionStateBean().getSrcAddress(), pwmSession.getSessionStateBean().getSrcHostname());
pwmApplication.getAuditManager().submit(auditRecord);
}
// update statistics
pwmApplication.getStatisticsManager().incrementValue(Statistic.HELPDESK_PASSWORD_SET);
{
// execute configured actions
LOGGER.debug(sessionLabel, "executing changepassword and helpdesk post password change writeAttributes to user " + userIdentity);
final List<ActionConfiguration> actions = new ArrayList<>();
actions.addAll(pwmApplication.getConfig().readSettingAsAction(PwmSetting.CHANGE_PASSWORD_WRITE_ATTRIBUTES));
actions.addAll(helpdeskProfile.readSettingAsAction(PwmSetting.HELPDESK_POST_SET_PASSWORD_WRITE_ATTRIBUTES));
if (!actions.isEmpty()) {
final LoginInfoBean loginInfoBean = new LoginInfoBean();
loginInfoBean.setUserCurrentPassword(newPassword);
final MacroMachine macroMachine = MacroMachine.forUser(pwmApplication, sessionLabel, userInfo, loginInfoBean);
final ActionExecutor actionExecutor = new ActionExecutor.ActionExecutorSettings(pwmApplication, userIdentity).setMacroMachine(macroMachine).setExpandPwmMacros(true).createActionExecutor();
actionExecutor.executeActions(actions, pwmSession.getLabel());
}
}
final HelpdeskClearResponseMode settingClearResponses = HelpdeskClearResponseMode.valueOf(helpdeskProfile.readSettingAsString(PwmSetting.HELPDESK_CLEAR_RESPONSES));
if (settingClearResponses == HelpdeskClearResponseMode.yes) {
final String userGUID = LdapOperationsHelper.readLdapGuidValue(pwmApplication, sessionLabel, userIdentity, false);
pwmApplication.getCrService().clearResponses(pwmSession.getLabel(), userIdentity, proxiedUser, userGUID);
// mark the event log
final HelpdeskAuditRecord auditRecord = new AuditRecordFactory(pwmApplication, pwmSession).createHelpdeskAuditRecord(AuditEvent.HELPDESK_CLEAR_RESPONSES, pwmSession.getUserInfo().getUserIdentity(), null, userIdentity, pwmSession.getSessionStateBean().getSrcAddress(), pwmSession.getSessionStateBean().getSrcHostname());
pwmApplication.getAuditManager().submit(auditRecord);
}
// send email notification
sendChangePasswordHelpdeskEmailNotice(pwmSession, pwmApplication, userInfo);
// expire if so configured
if (helpdeskProfile.readSettingAsBoolean(PwmSetting.HELPDESK_FORCE_PW_EXPIRATION)) {
LOGGER.trace(pwmSession, "preparing to expire password for user " + userIdentity.toDisplayString());
try {
proxiedUser.expirePassword();
} catch (ChaiOperationException e) {
LOGGER.warn(pwmSession, "error while forcing password expiration for user " + userIdentity.toDisplayString() + ", error: " + e.getMessage());
}
}
// send password
final boolean sendPassword = helpdeskProfile.readSettingAsBoolean(PwmSetting.HELPDESK_SEND_PASSWORD);
if (sendPassword) {
final MessageSendMethod messageSendMethod;
{
final String profileID = ProfileUtility.discoverProfileIDforUser(pwmApplication, sessionLabel, userIdentity, ProfileType.ForgottenPassword);
final ForgottenPasswordProfile forgottenPasswordProfile = pwmApplication.getConfig().getForgottenPasswordProfiles().get(profileID);
messageSendMethod = forgottenPasswordProfile.readSettingAsEnum(PwmSetting.RECOVERY_SENDNEWPW_METHOD, MessageSendMethod.class);
}
PasswordUtility.sendNewPassword(userInfo, pwmApplication, newPassword, pwmSession.getSessionStateBean().getLocale(), messageSendMethod);
}
}
use of password.pwm.config.profile.ForgottenPasswordProfile in project pwm by pwm-project.
the class ForgottenPasswordUtil method doActionSendNewPassword.
static void doActionSendNewPassword(final PwmRequest pwmRequest) throws ChaiUnavailableException, IOException, ServletException, PwmUnrecoverableException {
final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
final ForgottenPasswordBean forgottenPasswordBean = ForgottenPasswordServlet.forgottenPasswordBean(pwmRequest);
final ForgottenPasswordProfile forgottenPasswordProfile = forgottenPasswordProfile(pwmRequest.getPwmApplication(), forgottenPasswordBean);
final RecoveryAction recoveryAction = ForgottenPasswordUtil.getRecoveryAction(pwmApplication.getConfig(), forgottenPasswordBean);
LOGGER.trace(pwmRequest, "beginning process to send new password to user");
if (!forgottenPasswordBean.getProgress().isAllPassed()) {
return;
}
final UserIdentity userIdentity = forgottenPasswordBean.getUserIdentity();
final ChaiUser theUser = pwmRequest.getPwmApplication().getProxiedChaiUser(userIdentity);
try {
// try unlocking user
theUser.unlockPassword();
LOGGER.trace(pwmRequest, "unlock account succeeded");
} catch (ChaiOperationException e) {
final String errorMsg = "unable to unlock user " + theUser.getEntryDN() + " error: " + e.getMessage();
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_UNLOCK_FAILURE, errorMsg);
LOGGER.error(pwmRequest.getPwmSession(), errorInformation.toDebugStr());
pwmRequest.respondWithError(errorInformation);
return;
}
try {
final UserInfo userInfo = UserInfoFactory.newUserInfoUsingProxy(pwmApplication, pwmRequest.getSessionLabel(), userIdentity, pwmRequest.getLocale());
LOGGER.info(pwmRequest, "user successfully supplied password recovery responses, emailing new password to: " + theUser.getEntryDN());
// add post change actions
ForgottenPasswordServlet.addPostChangeAction(pwmRequest, userIdentity);
// create new password
final PasswordData newPassword = RandomPasswordGenerator.createRandomPassword(pwmRequest.getSessionLabel(), userInfo.getPasswordPolicy(), pwmApplication);
LOGGER.trace(pwmRequest, "generated random password value based on password policy for " + userIdentity.toDisplayString());
// set the password
try {
theUser.setPassword(newPassword.getStringValue());
LOGGER.trace(pwmRequest, "set user " + userIdentity.toDisplayString() + " password to system generated random value");
} catch (ChaiException e) {
throw PwmUnrecoverableException.fromChaiException(e);
}
if (recoveryAction == RecoveryAction.SENDNEWPW_AND_EXPIRE) {
LOGGER.debug(pwmRequest, "marking user " + userIdentity.toDisplayString() + " password as expired");
theUser.expirePassword();
}
// mark the event log
{
final AuditRecord auditRecord = new AuditRecordFactory(pwmApplication).createUserAuditRecord(AuditEvent.RECOVER_PASSWORD, userIdentity, pwmRequest.getSessionLabel());
pwmApplication.getAuditManager().submit(auditRecord);
}
final MessageSendMethod messageSendMethod = forgottenPasswordProfile.readSettingAsEnum(PwmSetting.RECOVERY_SENDNEWPW_METHOD, MessageSendMethod.class);
// send email or SMS
final String toAddress = PasswordUtility.sendNewPassword(userInfo, pwmApplication, newPassword, pwmRequest.getLocale(), messageSendMethod);
pwmRequest.getPwmResponse().forwardToSuccessPage(Message.Success_PasswordSend, toAddress);
} catch (PwmException e) {
LOGGER.warn(pwmRequest, "unexpected error setting new password during recovery process for user: " + e.getMessage());
pwmRequest.respondWithError(e.getErrorInformation());
} catch (ChaiOperationException e) {
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_UNKNOWN, "unexpected ldap error while processing recovery action " + recoveryAction + ", error: " + e.getMessage());
LOGGER.warn(pwmRequest, errorInformation.toDebugStr());
pwmRequest.respondWithError(errorInformation);
} finally {
ForgottenPasswordServlet.clearForgottenPasswordBean(pwmRequest);
// the user should not be authenticated, this is a safety method
pwmRequest.getPwmSession().unauthenticateUser(pwmRequest);
// the password set flag should not have been set, this is a safety method
pwmRequest.getPwmSession().getSessionStateBean().setPasswordModified(false);
}
}
use of password.pwm.config.profile.ForgottenPasswordProfile in project pwm by pwm-project.
the class ForgottenPasswordUtil method calculateRecoveryFlags.
static ForgottenPasswordBean.RecoveryFlags calculateRecoveryFlags(final PwmApplication pwmApplication, final String forgottenPasswordProfileID) {
final Configuration config = pwmApplication.getConfig();
final ForgottenPasswordProfile forgottenPasswordProfile = config.getForgottenPasswordProfiles().get(forgottenPasswordProfileID);
final Set<IdentityVerificationMethod> requiredRecoveryVerificationMethods = forgottenPasswordProfile.requiredRecoveryAuthenticationMethods();
final Set<IdentityVerificationMethod> optionalRecoveryVerificationMethods = forgottenPasswordProfile.optionalRecoveryAuthenticationMethods();
final int minimumOptionalRecoveryAuthMethods = forgottenPasswordProfile.getMinOptionalRequired();
final boolean allowWhenLdapIntruderLocked = forgottenPasswordProfile.readSettingAsBoolean(PwmSetting.RECOVERY_ALLOW_WHEN_LOCKED);
return new ForgottenPasswordBean.RecoveryFlags(allowWhenLdapIntruderLocked, requiredRecoveryVerificationMethods, optionalRecoveryVerificationMethods, minimumOptionalRecoveryAuthMethods);
}
use of password.pwm.config.profile.ForgottenPasswordProfile in project pwm by pwm-project.
the class ForgottenPasswordServlet method forwardToEnterTokenJsp.
private static void forwardToEnterTokenJsp(final PwmRequest pwmRequest) throws ServletException, PwmUnrecoverableException, IOException {
final ForgottenPasswordBean forgottenPasswordBean = forgottenPasswordBean(pwmRequest);
final ForgottenPasswordProfile forgottenPasswordProfile = ForgottenPasswordUtil.forgottenPasswordProfile(pwmRequest.getPwmApplication(), forgottenPasswordBean);
final List<TokenDestinationItem> destItems = ForgottenPasswordUtil.figureAvailableTokenDestinations(pwmRequest, forgottenPasswordBean);
ResetAction goBackAction = null;
final boolean autoSelect = Boolean.parseBoolean(pwmRequest.getConfig().readAppProperty(AppProperty.FORGOTTEN_PASSWORD_TOKEN_AUTO_SELECT_DEST));
if (destItems.size() > 1 || !autoSelect) {
goBackAction = ResetAction.clearTokenDestination;
} else if (ForgottenPasswordUtil.hasOtherMethodChoices(forgottenPasswordBean, IdentityVerificationMethod.TOKEN)) {
goBackAction = ResetAction.clearActionChoice;
}
if (goBackAction != null) {
pwmRequest.setAttribute(PwmRequestAttribute.GoBackAction, goBackAction);
}
{
final boolean resendEnabled = forgottenPasswordProfile.readSettingAsBoolean(PwmSetting.TOKEN_RESEND_ENABLE);
pwmRequest.setAttribute(PwmRequestAttribute.ForgottenPasswordResendTokenEnabled, resendEnabled);
}
pwmRequest.forwardToJsp(JspUrl.RECOVER_PASSWORD_ENTER_TOKEN);
}
use of password.pwm.config.profile.ForgottenPasswordProfile in project pwm by pwm-project.
the class ForgottenPasswordServlet method processActionChoice.
@ActionHandler(action = "actionChoice")
private ProcessStatus processActionChoice(final PwmRequest pwmRequest) throws PwmUnrecoverableException, ServletException, IOException, ChaiUnavailableException {
final ForgottenPasswordBean forgottenPasswordBean = forgottenPasswordBean(pwmRequest);
final ForgottenPasswordProfile forgottenPasswordProfile = ForgottenPasswordUtil.forgottenPasswordProfile(pwmRequest.getPwmApplication(), forgottenPasswordBean);
final boolean resendEnabled = forgottenPasswordProfile.readSettingAsBoolean(PwmSetting.TOKEN_RESEND_ENABLE);
if (resendEnabled) {
// clear token dest info in case we got here from a user 'go-back' request
forgottenPasswordBean.getProgress().clearTokenSentStatus();
}
final boolean disallowAllButUnlock;
{
final UserInfo userInfo = ForgottenPasswordUtil.readUserInfo(pwmRequest, forgottenPasswordBean);
final RecoveryMinLifetimeOption minLifetimeOption = forgottenPasswordProfile.readSettingAsEnum(PwmSetting.RECOVERY_MINIMUM_PASSWORD_LIFETIME_OPTIONS, RecoveryMinLifetimeOption.class);
disallowAllButUnlock = minLifetimeOption == RecoveryMinLifetimeOption.UNLOCKONLY && userInfo.isPasswordLocked();
}
if (forgottenPasswordBean.getProgress().isAllPassed()) {
final String choice = pwmRequest.readParameterAsString("choice");
final ActionChoice actionChoice = JavaHelper.readEnumFromString(ActionChoice.class, null, choice);
if (actionChoice != null) {
switch(actionChoice) {
case unlock:
this.executeUnlock(pwmRequest);
break;
case resetPassword:
if (disallowAllButUnlock) {
final UserInfo userInfo = ForgottenPasswordUtil.readUserInfo(pwmRequest, forgottenPasswordBean);
PasswordUtility.throwPasswordTooSoonException(userInfo, pwmRequest.getSessionLabel());
}
this.executeResetPassword(pwmRequest);
break;
default:
JavaHelper.unhandledSwitchStatement(actionChoice);
}
}
}
return ProcessStatus.Continue;
}
Aggregations