Use of password.pwm.config.profile.SetupOtpProfile in project pwm by pwm-project.
Class UserInfoReader, method isRequiresOtpConfig.
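/**
 * Decides whether the current user must be sent through OTP setup.
 *
 * <p>Setup is required only when all of the following hold: a SetupOTP profile is
 * assigned to the user, that profile allows setup, its force policy is not
 * {@code SKIP}, the user has no stored OTP secret, and the policy is
 * {@code FORCE} or {@code FORCE_ALLOW_SKIP}.
 *
 * @return {@code true} if the user must complete OTP setup, {@code false} otherwise
 * @throws PwmUnrecoverableException if the profile assignment or OTP record cannot be read
 */
@Override
public boolean isRequiresOtpConfig() throws PwmUnrecoverableException {
    LOGGER.trace(sessionLabel, "checkOtp: beginning process to check if user OTP setup is required");

    // Resolve the SetupOTP profile assigned to this user. The presence check must use
    // the same key as the lookup (SetupOTPProfile): testing a different profile type
    // here silently skips the lookup whenever the two assignments differ, and the
    // method would then report that setup is not required.
    SetupOtpProfile setupOtpProfile = null;
    final Map<ProfileType, String> profileIDs = selfCachedReference.getProfileIDs();
    if (profileIDs.containsKey(ProfileType.SetupOTPProfile)) {
        setupOtpProfile = pwmApplication.getConfig().getSetupOTPProfiles().get(profileIDs.get(ProfileType.SetupOTPProfile));
    }
    if (setupOtpProfile == null) {
        LOGGER.trace(sessionLabel, "checkOtp: no otp setup profile assigned, user OTP setup is not required");
        return false;
    }

    if (!setupOtpProfile.readSettingAsBoolean(PwmSetting.OTP_ALLOW_SETUP)) {
        LOGGER.trace(sessionLabel, "checkOtp: OTP allow setup is not enabled");
        return false;
    }

    final ForceSetupPolicy policy = setupOtpProfile.readSettingAsEnum(PwmSetting.OTP_FORCE_SETUP, ForceSetupPolicy.class);
    if (policy == ForceSetupPolicy.SKIP) {
        LOGGER.trace(sessionLabel, "checkOtp: OTP force setup policy is set to SKIP, user OTP setup is not required");
        return false;
    }

    // A record counts as "stored" only if it actually carries a secret.
    final OTPUserRecord otpUserRecord = selfCachedReference.getOtpUserRecord();
    final boolean hasStoredOtp = otpUserRecord != null && otpUserRecord.getSecret() != null;
    if (hasStoredOtp) {
        LOGGER.trace(sessionLabel, "checkOtp: user has existing valid otp record, user OTP setup is not required");
        return false;
    }

    // hasStoredOtp is false at this point, so setup is required exactly when the policy forces it.
    LOGGER.debug(sessionLabel, "checkOtp: user does not have existing valid otp record, user OTP setup is required");
    return policy == ForceSetupPolicy.FORCE || policy == ForceSetupPolicy.FORCE_ALLOW_SKIP;
}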
Use of password.pwm.config.profile.SetupOtpProfile in project pwm by pwm-project.
Class SetupOtpServlet, method handleSkipRequest.
/**
 * Handles the "skip" action of the OTP setup page.
 *
 * <p>Skipping is always permitted when the page was not forced on the user. On a
 * forced page view it is permitted only when the profile's force policy is
 * {@code FORCE_ALLOW_SKIP}; under {@code FORCE} the request falls through and the
 * setup page is shown again.
 *
 * @param pwmRequest the current request
 * @return {@code Halt} after recording the skip and redirecting, {@code Continue} when skipping is not allowed
 * @throws PwmUnrecoverableException if the profile cannot be read
 * @throws IOException on redirect failure
 * @throws ServletException on servlet failure
 * @throws ChaiUnavailableException if the directory is unavailable
 */
@ActionHandler(action = "skip")
private ProcessStatus handleSkipRequest(final PwmRequest pwmRequest) throws PwmUnrecoverableException, IOException, ServletException, ChaiUnavailableException {
    final boolean skipPermitted;
    if (pwmRequest.isForcedPageView()) {
        // Forced view: only the FORCE_ALLOW_SKIP policy lets the user bypass setup.
        final SetupOtpProfile profile = getSetupOtpProfile(pwmRequest);
        final ForceSetupPolicy forcePolicy = profile.readSettingAsEnum(PwmSetting.OTP_FORCE_SETUP, ForceSetupPolicy.class);
        skipPermitted = forcePolicy == ForceSetupPolicy.FORCE_ALLOW_SKIP;
    } else {
        skipPermitted = true;
    }

    if (!skipPermitted) {
        return ProcessStatus.Continue;
    }

    // Record the skip on the login session so later checks honour it, then move on.
    pwmRequest.getPwmSession().getLoginInfoBean().getLoginFlags().add(LoginInfoBean.LoginFlag.skipOtp);
    pwmRequest.sendRedirectToContinue();
    return ProcessStatus.Halt;
}
Use of password.pwm.config.profile.SetupOtpProfile in project pwm by pwm-project.
Class SetupOtpServlet, method preProcessCheck.
/**
 * Runs the preconditions for every request to the OTP setup servlet.
 *
 * <p>The request is halted with an error response when no setup profile is assigned
 * or the profile does not allow setup, or when the secret cannot be stored. A session
 * authenticated without a password is rejected by exception rather than by an error
 * page. When all checks pass the setup bean is initialised for this request.
 *
 * @param pwmRequest the current request
 * @return {@code Continue} when processing may proceed, {@code Halt} after an error response was sent
 * @throws PwmUnrecoverableException if the session was authenticated without a password, or on read failure
 * @throws IOException on response failure
 * @throws ServletException on servlet failure
 */
@Override
public ProcessStatus preProcessCheck(final PwmRequest pwmRequest) throws PwmUnrecoverableException, IOException, ServletException {
    final PwmApplication application = pwmRequest.getPwmApplication();
    final PwmSession session = pwmRequest.getPwmSession();
    final Configuration configuration = application.getConfig();

    // Guard 1: a setup profile must be assigned and must permit setup.
    final SetupOtpProfile profile = getSetupOtpProfile(pwmRequest);
    final boolean setupEnabled = profile != null && profile.readSettingAsBoolean(PwmSetting.OTP_ALLOW_SETUP);
    if (!setupEnabled) {
        final ErrorInformation notAvailable = new ErrorInformation(PwmError.ERROR_SERVICE_NOT_AVAILABLE, "setup OTP is not enabled");
        LOGGER.error(pwmRequest, notAvailable);
        pwmRequest.respondWithError(notAvailable);
        return ProcessStatus.Halt;
    }

    // Guard 2: there must be somewhere to store the secret.
    if (!canSetupOtpSecret(configuration)) {
        LOGGER.error(session, "OTP Secret cannot be setup");
        pwmRequest.respondWithError(PwmError.ERROR_INVALID_CONFIG.toInfo());
        return ProcessStatus.Halt;
    }

    // Guard 3: enrolling a second factor requires a password-authenticated session.
    if (session.getLoginInfoBean().getType() == AuthenticationType.AUTH_WITHOUT_PASSWORD) {
        LOGGER.error(session, "OTP Secret requires a password login");
        throw new PwmUnrecoverableException(PwmError.ERROR_PASSWORD_REQUIRED);
    }

    initializeBean(pwmRequest, getSetupOtpBean(pwmRequest));
    return ProcessStatus.Continue;
}
Use of password.pwm.config.profile.SetupOtpProfile in project pwm by pwm-project.
Class SetupOtpServlet, method initializeBean.
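/**
 * Prepares the setup bean for the current request.
 *
 * <p>Does nothing when a pre-existing OTP record was already detected or a record is
 * already staged in the bean. Otherwise the user's stored OTP configuration is read:
 * if one exists the bean is marked accordingly, else a fresh record and its recovery
 * codes are generated and staged in the bean.
 *
 * @param pwmRequest the current request
 * @param otpBean the per-request setup state to populate
 * @throws PwmUnrecoverableException if the stored record cannot be read or a new one cannot be generated
 */
private void initializeBean(final PwmRequest pwmRequest, final SetupOtpBean otpBean) throws PwmUnrecoverableException {
    // has pre-existing, nothing to do.
    if (otpBean.isHasPreExistingOtp()) {
        return;
    }
    // a record is already staged in the bean from an earlier step; keep it.
    if (otpBean.getOtpUserRecord() == null) {
        // first time here: look for a stored record before generating one.
        if (userHasStoredOtpRecord(pwmRequest)) {
            otpBean.setHasPreExistingOtp(true);
            LOGGER.trace(pwmRequest.getPwmSession(), "user has existing otp record");
            return;
        }
        // make a new user record.
        createNewOtpRecord(pwmRequest, otpBean);
    }
}

/** Reads the user's stored OTP configuration and reports whether one exists. */
private boolean userHasStoredOtpRecord(final PwmRequest pwmRequest) throws PwmUnrecoverableException {
    final OtpService service = pwmRequest.getPwmApplication().getOtpService();
    final UserIdentity theUser = pwmRequest.getPwmSession().getUserInfo().getUserIdentity();
    try {
        return service.readOTPUserConfiguration(pwmRequest.getSessionLabel(), theUser) != null;
    } catch (ChaiUnavailableException e) {
        throw PwmUnrecoverableException.fromChaiException(e);
    }
}

/** Generates a new OTP record plus recovery codes and stages both in the bean. */
private void createNewOtpRecord(final PwmRequest pwmRequest, final SetupOtpBean otpBean) throws PwmUnrecoverableException {
    final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
    final PwmSession pwmSession = pwmRequest.getPwmSession();
    try {
        final Configuration config = pwmApplication.getConfig();
        final SetupOtpProfile setupOtpProfile = getSetupOtpProfile(pwmRequest);
        final String identifierConfigValue = setupOtpProfile.readSettingAsString(PwmSetting.OTP_SECRET_IDENTIFIER);
        final String identifier = pwmSession.getSessionManager().getMacroMachine(pwmApplication).expandMacros(identifierConfigValue);
        final OTPUserRecord otpUserRecord = new OTPUserRecord();
        final List<String> rawRecoveryCodes = pwmApplication.getOtpService().initializeUserRecord(setupOtpProfile, otpUserRecord, pwmRequest.getSessionLabel(), identifier);
        otpBean.setOtpUserRecord(otpUserRecord);
        otpBean.setRecoveryCodes(rawRecoveryCodes);
        LOGGER.trace(pwmSession, "generated new otp record");
        // The serialized record includes the newly generated secret, so this line is
        // emitted only when developer debug mode is explicitly enabled.
        if (config.isDevDebugMode()) {
            LOGGER.trace(pwmRequest, "newly generated otp record: " + JsonUtil.serialize(otpUserRecord));
        }
    } catch (PwmUnrecoverableException e) {
        // Already carries a specific error code; do not mask it as ERROR_UNKNOWN.
        throw e;
    } catch (Exception e) {
        final String errorMsg = "error setting up new OTP secret: " + e.getMessage();
        LOGGER.error(pwmSession, errorMsg);
        throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_UNKNOWN, errorMsg));
    }
}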