use of password.pwm.config.profile.ForgottenPasswordProfile in project pwm by pwm-project.
the class ForgottenPasswordServlet method processResendToken.
@ActionHandler(action = "resendToken")
private ProcessStatus processResendToken(final PwmRequest pwmRequest) throws PwmUnrecoverableException, IOException {
final ForgottenPasswordBean forgottenPasswordBean = forgottenPasswordBean(pwmRequest);
{
final ForgottenPasswordProfile forgottenPasswordProfile = ForgottenPasswordUtil.forgottenPasswordProfile(pwmRequest.getPwmApplication(), forgottenPasswordBean);
final boolean resendEnabled = forgottenPasswordProfile.readSettingAsBoolean(PwmSetting.TOKEN_RESEND_ENABLE);
if (!resendEnabled) {
final String errorMsg = "token resend is not enabled";
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_SERVICE_NOT_AVAILABLE, errorMsg);
throw new PwmUnrecoverableException(errorInformation);
}
}
if (!forgottenPasswordBean.getProgress().isTokenSent()) {
final String errorMsg = "attempt to resend token, but initial token has not yet been sent";
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_SERVICE_NOT_AVAILABLE, errorMsg);
throw new PwmUnrecoverableException(errorInformation);
}
{
LOGGER.trace(pwmRequest, "preparing to send a new token to user");
final long delayTime = Long.parseLong(pwmRequest.getConfig().readAppProperty(AppProperty.TOKEN_RESEND_DELAY_MS));
JavaHelper.pause(delayTime);
}
{
final UserInfo userInfo = ForgottenPasswordUtil.readUserInfo(pwmRequest, forgottenPasswordBean);
final TokenDestinationItem tokenDestinationItem = forgottenPasswordBean.getProgress().getTokenDestination();
ForgottenPasswordUtil.initializeAndSendToken(pwmRequest, userInfo, tokenDestinationItem);
}
final RestResultBean restResultBean = RestResultBean.forSuccessMessage(pwmRequest, Message.Success_TokenResend);
pwmRequest.outputJsonResult(restResultBean);
return ProcessStatus.Halt;
}
use of password.pwm.config.profile.ForgottenPasswordProfile in project pwm by pwm-project.
the class ForgottenPasswordServlet method forwardUserBasedOnRecoveryMethod.
private void forwardUserBasedOnRecoveryMethod(final PwmRequest pwmRequest, final IdentityVerificationMethod method) throws ServletException, PwmUnrecoverableException, IOException {
LOGGER.debug(pwmRequest, "attempting to forward request to handle verification method " + method.toString());
final ForgottenPasswordBean forgottenPasswordBean = forgottenPasswordBean(pwmRequest);
ForgottenPasswordUtil.verifyRequirementsForAuthMethod(pwmRequest, forgottenPasswordBean, method);
switch(method) {
case PREVIOUS_AUTH:
{
throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_UNKNOWN, "previous authentication is required, but user has not previously authenticated"));
}
case ATTRIBUTES:
{
pwmRequest.addFormInfoToRequestAttr(forgottenPasswordBean.getAttributeForm(), Collections.emptyMap(), false, false);
pwmRequest.forwardToJsp(JspUrl.RECOVER_PASSWORD_ATTRIBUTES);
}
break;
case CHALLENGE_RESPONSES:
{
pwmRequest.setAttribute(PwmRequestAttribute.ForgottenPasswordChallengeSet, forgottenPasswordBean.getPresentableChallengeSet());
pwmRequest.forwardToJsp(JspUrl.RECOVER_PASSWORD_RESPONSES);
}
break;
case OTP:
{
pwmRequest.setAttribute(PwmRequestAttribute.ForgottenPasswordOtpRecord, ForgottenPasswordUtil.readUserInfo(pwmRequest, forgottenPasswordBean).getOtpUserRecord());
pwmRequest.forwardToJsp(JspUrl.RECOVER_PASSWORD_ENTER_OTP);
}
break;
case TOKEN:
{
final ForgottenPasswordBean.Progress progress = forgottenPasswordBean.getProgress();
final List<TokenDestinationItem> tokenDestinations = ForgottenPasswordUtil.figureAvailableTokenDestinations(pwmRequest, forgottenPasswordBean);
if (progress.getTokenDestination() == null) {
final boolean autoSelect = Boolean.parseBoolean(pwmRequest.getConfig().readAppProperty(AppProperty.FORGOTTEN_PASSWORD_TOKEN_AUTO_SELECT_DEST));
if (autoSelect && tokenDestinations.size() == 1) {
final TokenDestinationItem singleItem = tokenDestinations.iterator().next();
progress.setTokenDestination(singleItem);
}
}
if (progress.getTokenDestination() == null) {
forwardToTokenChoiceJsp(pwmRequest);
return;
}
if (!progress.isTokenSent()) {
final UserInfo userInfo = ForgottenPasswordUtil.readUserInfo(pwmRequest, forgottenPasswordBean);
ForgottenPasswordUtil.initializeAndSendToken(pwmRequest, userInfo, progress.getTokenDestination());
progress.setTokenSent(true);
}
if (!progress.getSatisfiedMethods().contains(IdentityVerificationMethod.TOKEN)) {
forwardToEnterTokenJsp(pwmRequest);
return;
}
}
break;
case REMOTE_RESPONSES:
{
final UserInfo userInfo = ForgottenPasswordUtil.readUserInfo(pwmRequest, forgottenPasswordBean);
final VerificationMethodSystem remoteMethod;
if (forgottenPasswordBean.getProgress().getRemoteRecoveryMethod() == null) {
remoteMethod = new RemoteVerificationMethod();
remoteMethod.init(pwmRequest.getPwmApplication(), userInfo, pwmRequest.getSessionLabel(), pwmRequest.getLocale());
forgottenPasswordBean.getProgress().setRemoteRecoveryMethod(remoteMethod);
} else {
remoteMethod = forgottenPasswordBean.getProgress().getRemoteRecoveryMethod();
}
final List<VerificationMethodSystem.UserPrompt> prompts = remoteMethod.getCurrentPrompts();
final String displayInstructions = remoteMethod.getCurrentDisplayInstructions();
pwmRequest.setAttribute(PwmRequestAttribute.ForgottenPasswordPrompts, new ArrayList<>(prompts));
pwmRequest.setAttribute(PwmRequestAttribute.ForgottenPasswordInstructions, displayInstructions);
pwmRequest.forwardToJsp(JspUrl.RECOVER_PASSWORD_REMOTE);
}
break;
case OAUTH:
forgottenPasswordBean.getProgress().setInProgressVerificationMethod(IdentityVerificationMethod.OAUTH);
final ForgottenPasswordProfile forgottenPasswordProfile = ForgottenPasswordUtil.forgottenPasswordProfile(pwmRequest.getPwmApplication(), forgottenPasswordBean);
final OAuthSettings oAuthSettings = OAuthSettings.forForgottenPassword(forgottenPasswordProfile);
final OAuthMachine oAuthMachine = new OAuthMachine(oAuthSettings);
pwmRequest.getPwmApplication().getSessionStateService().saveSessionBeans(pwmRequest);
final UserIdentity userIdentity = forgottenPasswordBean.getUserIdentity();
oAuthMachine.redirectUserToOAuthServer(pwmRequest, null, userIdentity, forgottenPasswordProfile.getIdentifier());
break;
default:
throw new UnsupportedOperationException("unexpected method during forward: " + method.toString());
}
}
use of password.pwm.config.profile.ForgottenPasswordProfile in project pwm by pwm-project.
the class ForgottenPasswordServlet method nextStep.
@Override
@SuppressWarnings("checkstyle:MethodLength")
protected void nextStep(final PwmRequest pwmRequest) throws IOException, ServletException, PwmUnrecoverableException, ChaiUnavailableException {
final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
final Configuration config = pwmRequest.getConfig();
final ForgottenPasswordBean forgottenPasswordBean = forgottenPasswordBean(pwmRequest);
final ForgottenPasswordBean.RecoveryFlags recoveryFlags = forgottenPasswordBean.getRecoveryFlags();
final ForgottenPasswordBean.Progress progress = forgottenPasswordBean.getProgress();
// check for identified user;
if (forgottenPasswordBean.getUserIdentity() == null && !forgottenPasswordBean.isBogusUser()) {
pwmRequest.addFormInfoToRequestAttr(PwmSetting.FORGOTTEN_PASSWORD_SEARCH_FORM, false, false);
pwmRequest.forwardToJsp(JspUrl.RECOVER_PASSWORD_SEARCH);
return;
}
final ForgottenPasswordProfile forgottenPasswordProfile = ForgottenPasswordUtil.forgottenPasswordProfile(pwmRequest.getPwmApplication(), forgottenPasswordBean);
{
final Map<String, ForgottenPasswordProfile> profileIDList = pwmRequest.getConfig().getForgottenPasswordProfiles();
final String profileDebugMsg = forgottenPasswordProfile != null && profileIDList != null && profileIDList.size() > 1 ? " profile=" + forgottenPasswordProfile.getIdentifier() + ", " : "";
LOGGER.trace(pwmRequest, "entering forgotten password progress engine: " + profileDebugMsg + "flags=" + JsonUtil.serialize(recoveryFlags) + ", " + "progress=" + JsonUtil.serialize(progress));
}
if (forgottenPasswordProfile == null) {
throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_NO_PROFILE_ASSIGNED));
}
// check for previous authentication
if (recoveryFlags.getRequiredAuthMethods().contains(IdentityVerificationMethod.PREVIOUS_AUTH) || recoveryFlags.getOptionalAuthMethods().contains(IdentityVerificationMethod.PREVIOUS_AUTH)) {
if (!progress.getSatisfiedMethods().contains(IdentityVerificationMethod.PREVIOUS_AUTH)) {
final UserIdentity userIdentity = forgottenPasswordBean.getUserIdentity();
final String userGuid = LdapOperationsHelper.readLdapGuidValue(pwmApplication, pwmRequest.getSessionLabel(), userIdentity, true);
if (ForgottenPasswordUtil.checkAuthRecord(pwmRequest, userGuid)) {
LOGGER.debug(pwmRequest, "marking " + IdentityVerificationMethod.PREVIOUS_AUTH + " method as satisfied");
progress.getSatisfiedMethods().add(IdentityVerificationMethod.PREVIOUS_AUTH);
}
}
}
// dispatch required auth methods.
for (final IdentityVerificationMethod method : recoveryFlags.getRequiredAuthMethods()) {
if (!progress.getSatisfiedMethods().contains(method)) {
forwardUserBasedOnRecoveryMethod(pwmRequest, method);
return;
}
}
// redirect if an verification method is in progress
if (progress.getInProgressVerificationMethod() != null) {
if (progress.getSatisfiedMethods().contains(progress.getInProgressVerificationMethod())) {
progress.setInProgressVerificationMethod(null);
} else {
pwmRequest.setAttribute(PwmRequestAttribute.ForgottenPasswordOptionalPageView, "true");
forwardUserBasedOnRecoveryMethod(pwmRequest, progress.getInProgressVerificationMethod());
return;
}
}
// check if more optional methods required
if (recoveryFlags.getMinimumOptionalAuthMethods() > 0) {
final Set<IdentityVerificationMethod> satisfiedOptionalMethods = ForgottenPasswordUtil.figureSatisfiedOptionalAuthMethods(recoveryFlags, progress);
if (satisfiedOptionalMethods.size() < recoveryFlags.getMinimumOptionalAuthMethods()) {
final Set<IdentityVerificationMethod> remainingAvailableOptionalMethods = ForgottenPasswordUtil.figureRemainingAvailableOptionalAuthMethods(pwmRequest, forgottenPasswordBean);
if (remainingAvailableOptionalMethods.isEmpty()) {
final String errorMsg = "additional optional verification methods are needed, however all available optional verification methods have been satisfied by user";
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_RECOVERY_SEQUENCE_INCOMPLETE, errorMsg);
LOGGER.error(pwmRequest, errorInformation);
pwmRequest.respondWithError(errorInformation);
return;
} else {
if (remainingAvailableOptionalMethods.size() == 1) {
final IdentityVerificationMethod remainingMethod = remainingAvailableOptionalMethods.iterator().next();
LOGGER.debug(pwmRequest, "only 1 remaining available optional verification method, will redirect to " + remainingMethod.toString());
forwardUserBasedOnRecoveryMethod(pwmRequest, remainingMethod);
progress.setInProgressVerificationMethod(remainingMethod);
return;
}
}
processVerificationChoice(pwmRequest);
return;
}
}
if (progress.getSatisfiedMethods().isEmpty()) {
final String errorMsg = "forgotten password recovery sequence completed, but user has not actually satisfied any verification methods";
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_RECOVERY_SEQUENCE_INCOMPLETE, errorMsg);
LOGGER.error(pwmRequest, errorInformation);
clearForgottenPasswordBean(pwmRequest);
throw new PwmUnrecoverableException(errorInformation);
}
{
final int satisfiedMethods = progress.getSatisfiedMethods().size();
final int totalMethodsNeeded = recoveryFlags.getRequiredAuthMethods().size() + recoveryFlags.getMinimumOptionalAuthMethods();
if (satisfiedMethods < totalMethodsNeeded) {
final String errorMsg = "forgotten password recovery sequence completed " + satisfiedMethods + " methods, " + " but policy requires a total of " + totalMethodsNeeded + " methods";
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_RECOVERY_SEQUENCE_INCOMPLETE, errorMsg);
LOGGER.error(pwmRequest, errorInformation);
clearForgottenPasswordBean(pwmRequest);
throw new PwmUnrecoverableException(errorInformation);
}
}
if (!forgottenPasswordBean.getProgress().isAllPassed()) {
forgottenPasswordBean.getProgress().setAllPassed(true);
StatisticsManager.incrementStat(pwmRequest, Statistic.RECOVERY_SUCCESSES);
}
final UserInfo userInfo = ForgottenPasswordUtil.readUserInfo(pwmRequest, forgottenPasswordBean);
if (userInfo == null) {
throw PwmUnrecoverableException.newException(PwmError.ERROR_UNKNOWN, "unable to load userInfo while processing forgotten password controller");
}
// check if user's pw is within min lifetime window
final RecoveryMinLifetimeOption minLifetimeOption = forgottenPasswordProfile.readSettingAsEnum(PwmSetting.RECOVERY_MINIMUM_PASSWORD_LIFETIME_OPTIONS, RecoveryMinLifetimeOption.class);
if (minLifetimeOption == RecoveryMinLifetimeOption.NONE || (!userInfo.isPasswordLocked() && minLifetimeOption == RecoveryMinLifetimeOption.UNLOCKONLY)) {
if (userInfo.isWithinPasswordMinimumLifetime()) {
PasswordUtility.throwPasswordTooSoonException(userInfo, pwmRequest.getSessionLabel());
}
}
final boolean disallowAllButUnlock = minLifetimeOption == RecoveryMinLifetimeOption.UNLOCKONLY && userInfo.isPasswordLocked();
LOGGER.trace(pwmRequest, "all recovery checks passed, proceeding to configured recovery action");
final RecoveryAction recoveryAction = ForgottenPasswordUtil.getRecoveryAction(config, forgottenPasswordBean);
if (recoveryAction == RecoveryAction.SENDNEWPW || recoveryAction == RecoveryAction.SENDNEWPW_AND_EXPIRE) {
if (disallowAllButUnlock) {
PasswordUtility.throwPasswordTooSoonException(userInfo, pwmRequest.getSessionLabel());
}
ForgottenPasswordUtil.doActionSendNewPassword(pwmRequest);
return;
}
if (forgottenPasswordProfile.readSettingAsBoolean(PwmSetting.RECOVERY_ALLOW_UNLOCK)) {
final PasswordStatus passwordStatus = userInfo.getPasswordStatus();
if (!passwordStatus.isExpired() && !passwordStatus.isPreExpired()) {
if (userInfo.isPasswordLocked()) {
pwmRequest.setAttribute(PwmRequestAttribute.ForgottenPasswordInhibitPasswordReset, Boolean.TRUE);
pwmRequest.forwardToJsp(JspUrl.RECOVER_PASSWORD_ACTION_CHOICE);
return;
}
}
}
this.executeResetPassword(pwmRequest);
}
use of password.pwm.config.profile.ForgottenPasswordProfile in project pwm by pwm-project.
the class OAuthConsumerServlet method makeOAuthSettings.
private static OAuthSettings makeOAuthSettings(final PwmRequest pwmRequest, final OAuthState oAuthState) throws IOException, ServletException, PwmUnrecoverableException {
final OAuthUseCase oAuthUseCase = oAuthState.getUseCase();
switch(oAuthUseCase) {
case Authentication:
return OAuthSettings.forSSOAuthentication(pwmRequest.getConfig());
case ForgottenPassword:
final String profileId = oAuthState.getForgottenProfileId();
final ForgottenPasswordProfile profile = pwmRequest.getConfig().getForgottenPasswordProfiles().get(profileId);
return OAuthSettings.forForgottenPassword(profile);
default:
JavaHelper.unhandledSwitchStatement(oAuthUseCase);
}
final String errorMsg = "unable to calculate oauth settings for incoming request state";
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_OAUTH_ERROR, errorMsg);
LOGGER.error(pwmRequest, errorMsg);
throw new PwmUnrecoverableException(errorInformation);
}
use of password.pwm.config.profile.ForgottenPasswordProfile in project pwm by pwm-project.
the class ForgottenPasswordUtil method figureAvailableTokenDestinations.
static List<TokenDestinationItem> figureAvailableTokenDestinations(final PwmRequest pwmRequest, final ForgottenPasswordBean forgottenPasswordBean) throws PwmUnrecoverableException {
{
@SuppressWarnings("unchecked") final List<TokenDestinationItem> cachedItems = (List<TokenDestinationItem>) pwmRequest.getHttpServletRequest().getAttribute(PwmConstants.REQUEST_ATTR_FORGOTTEN_PW_AVAIL_TOKEN_DEST_CACHE);
if (cachedItems != null) {
return cachedItems;
}
}
final String profileID = forgottenPasswordBean.getForgottenPasswordProfileID();
final ForgottenPasswordProfile forgottenPasswordProfile = pwmRequest.getConfig().getForgottenPasswordProfiles().get(profileID);
final MessageSendMethod tokenSendMethod = forgottenPasswordProfile.readSettingAsEnum(PwmSetting.RECOVERY_TOKEN_SEND_METHOD, MessageSendMethod.class);
final UserInfo userInfo = ForgottenPasswordUtil.readUserInfo(pwmRequest, forgottenPasswordBean);
final List<TokenDestinationItem> items = TokenUtil.figureAvailableTokenDestinations(pwmRequest.getPwmApplication(), pwmRequest.getSessionLabel(), pwmRequest.getLocale(), userInfo, tokenSendMethod);
final List<TokenDestinationItem> finalList = Collections.unmodifiableList(items);
pwmRequest.getHttpServletRequest().setAttribute(PwmConstants.REQUEST_ATTR_FORGOTTEN_PW_AVAIL_TOKEN_DEST_CACHE, finalList);
return finalList;
}
Aggregations