Use of password.pwm.config.value.data.UserPermission in project pwm by pwm-project:
the class LDAPStatusChecker, method checkUserPermissionValues.
/**
 * Health check over every configured user-permission setting.
 *
 * <p>Iterates all {@code PwmSetting}s, keeps those that are not hidden and
 * have the {@code USER_PERMISSION} syntax, skips settings whose category is
 * profiled, and runs {@code checkUserPermission} on each configured
 * {@code UserPermission}. A failure while checking one permission is logged
 * and the remaining permissions are still checked.
 *
 * @param pwmApplication the running application, used for its configuration
 * @return the collected health records (empty when nothing was flagged)
 */
private static List<HealthRecord> checkUserPermissionValues(final PwmApplication pwmApplication) {
    final Configuration config = pwmApplication.getConfig();
    final List<HealthRecord> records = new ArrayList<>();

    for (final PwmSetting setting : PwmSetting.values()) {
        final boolean visiblePermissionSetting =
                !setting.isHidden() && setting.getSyntax() == PwmSettingSyntax.USER_PERMISSION;
        if (!visiblePermissionSetting) {
            continue;
        }
        // profiled categories are not read through this path
        if (setting.getCategory().hasProfiles()) {
            continue;
        }

        for (final UserPermission permission : config.readSettingAsUserPermission(setting)) {
            try {
                records.addAll(checkUserPermission(pwmApplication, permission, setting));
            } catch (PwmUnrecoverableException e) {
                // best-effort: one bad permission must not hide the results for the others
                LOGGER.error("error checking configured permission settings:" + e.getMessage());
            }
        }
    }

    return records;
}
Use of password.pwm.config.value.data.UserPermission in project pwm by pwm-project:
the class SessionManager, method checkPermission.
/**
 * Decides whether the user bound to this session holds {@code permission}.
 *
 * <p>Unauthenticated sessions are always denied. Otherwise the answer is
 * taken from the session's data-cache bean; only when the bean reports
 * {@code UNCHECKED} is the configured user-permission list for the
 * permission's setting evaluated against LDAP, and that result is then
 * stored back in the bean. NOTE(review): because the result is cached per
 * session, a later configuration change is not reflected until that cache
 * entry is reset — confirm the cache lifecycle.
 *
 * @param pwmApplication the running application (configuration, LDAP access)
 * @param permission     the permission to test
 * @return {@code true} only when the resolved status is {@code GRANTED}
 * @throws PwmUnrecoverableException if the LDAP permission test fails
 */
public boolean checkPermission(final PwmApplication pwmApplication, final Permission permission) throws PwmUnrecoverableException {
    final boolean devDebugMode = pwmApplication.getConfig().isDevDebugMode();
    if (devDebugMode) {
        LOGGER.trace(pwmSession.getLabel(), String.format("entering checkPermission(%s, %s, %s)", permission, pwmSession, pwmApplication));
    }

    // anonymous sessions never hold any permission
    if (!pwmSession.isAuthenticated()) {
        if (devDebugMode) {
            LOGGER.trace(pwmSession.getLabel(), "user is not authenticated, returning false for permission check");
        }
        return false;
    }

    final Permission.PermissionStatus cached = pwmSession.getUserSessionDataCacheBean().getPermission(permission);
    if (cached != Permission.PermissionStatus.UNCHECKED) {
        return cached == Permission.PermissionStatus.GRANTED;
    }

    // first time this permission is asked for in this session: evaluate and remember
    final String userKey = pwmSession.getUserInfo().getUserIdentity().toDelimitedKey();
    if (devDebugMode) {
        LOGGER.debug(pwmSession.getLabel(), String.format("checking permission %s for user %s", permission.toString(), userKey));
    }
    final List<UserPermission> configuredPermissions =
            pwmApplication.getConfig().readSettingAsUserPermission(permission.getPwmSetting());
    final boolean granted = LdapPermissionTester.testUserPermissions(
            pwmApplication, pwmSession.getLabel(), pwmSession.getUserInfo().getUserIdentity(), configuredPermissions);
    final Permission.PermissionStatus resolved = granted
            ? Permission.PermissionStatus.GRANTED
            : Permission.PermissionStatus.DENIED;
    pwmSession.getUserSessionDataCacheBean().setPermission(permission, resolved);
    LOGGER.debug(pwmSession.getLabel(), String.format("permission %s for user %s is %s", permission.toString(), userKey, resolved.toString()));

    return resolved == Permission.PermissionStatus.GRANTED;
}
Use of password.pwm.config.value.data.UserPermission in project pwm by pwm-project:
the class CrService, method determineChallengeProfileForUser.
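/**
 * Resolves the ID of the challenge profile that applies to {@code userIdentity}.
 *
 * <p>Profiles are tried in the order returned by
 * {@code getChallengeProfileIDs()}; the first profile whose user-permission
 * list matches the user is returned. A profile with a {@code null} or empty
 * permission list is skipped. An LDAP error while testing one profile is
 * logged and the next profile is tried.
 *
 * @param pwmApplication the running application
 * @param sessionLabel   label used for log correlation
 * @param userIdentity   the user to match
 * @param locale         locale used when loading each profile
 * @return the matching challenge profile ID
 * @throws PwmUnrecoverableException with {@code ERROR_NO_PROFILE_ASSIGNED} when
 *         no profile is configured or none matches the user
 */
protected static String determineChallengeProfileForUser(final PwmApplication pwmApplication, final SessionLabel sessionLabel, final UserIdentity userIdentity, final Locale locale) throws PwmUnrecoverableException {
    final List<String> profiles = pwmApplication.getConfig().getChallengeProfileIDs();
    if (profiles.isEmpty()) {
        throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_NO_PROFILE_ASSIGNED, "no challenge profile is configured"));
    }

    for (final String profile : profiles) {
        final ChallengeProfile loopPolicy = pwmApplication.getConfig().getChallengeProfile(profile, locale);
        final List<UserPermission> queryMatch = loopPolicy.getUserPermissions();
        if (queryMatch == null || queryMatch.isEmpty()) {
            continue;
        }

        LOGGER.debug(sessionLabel, "testing challenge profiles '" + profile + "'");
        try {
            if (LdapPermissionTester.testUserPermissions(pwmApplication, sessionLabel, userIdentity, queryMatch)) {
                return profile;
            }
        } catch (PwmUnrecoverableException e) {
            // keep trying the remaining profiles; the message names the challenge profile
            // (it previously said "password policy profile", a copy of the password-policy lookup)
            LOGGER.error(sessionLabel, "unexpected error while testing challenge profile '" + profile + "', error: " + e.getMessage());
        }
    }

    throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_NO_PROFILE_ASSIGNED, "no challenge profile is assigned"));
}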
Use of password.pwm.config.value.data.UserPermission in project pwm by pwm-project:
the class PasswordUtility, method determineConfiguredPolicyProfileForUser.
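/**
 * Resolves the configured password policy profile that applies to {@code userIdentity}.
 *
 * <p>Profiles are tried in the order returned by
 * {@code getPasswordProfileIDs()}; the first profile whose user-permission
 * list matches the user is returned. An LDAP error while testing one profile
 * is logged and the next profile is tried. NOTE(review): unlike the
 * challenge-profile lookup, a profile whose permission list is {@code null}
 * or empty is passed straight to the permission tester — confirm how the
 * tester treats that case.
 *
 * @param pwmApplication the running application
 * @param pwmSession     label used for log correlation
 * @param userIdentity   the user to match
 * @param locale         locale used when loading each profile
 * @return the matching password policy
 * @throws PwmUnrecoverableException with {@code ERROR_NO_PROFILE_ASSIGNED} when
 *         no profile is configured or none matches the user
 */
public static PwmPasswordPolicy determineConfiguredPolicyProfileForUser(final PwmApplication pwmApplication, final SessionLabel pwmSession, final UserIdentity userIdentity, final Locale locale) throws PwmUnrecoverableException {
    final List<String> profiles = pwmApplication.getConfig().getPasswordProfileIDs();
    if (profiles.isEmpty()) {
        throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_NO_PROFILE_ASSIGNED, "no password profiles are configured"));
    }

    for (final String profile : profiles) {
        final PwmPasswordPolicy loopPolicy = pwmApplication.getConfig().getPasswordPolicy(profile, locale);
        final List<UserPermission> userPermissions = loopPolicy.getUserPermissions();
        LOGGER.debug(pwmSession, "testing password policy profile '" + profile + "'");
        try {
            if (LdapPermissionTester.testUserPermissions(pwmApplication, pwmSession, userIdentity, userPermissions)) {
                return loopPolicy;
            }
        } catch (PwmUnrecoverableException e) {
            // keep trying the remaining profiles
            LOGGER.error(pwmSession, "unexpected error while testing password policy profile '" + profile + "', error: " + e.getMessage());
        }
    }

    // message previously said "no challenge profile is configured", copied from the challenge lookup
    throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_NO_PROFILE_ASSIGNED, "no password profile is assigned"));
}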
Use of password.pwm.config.value.data.UserPermission in project pwm by pwm-project:
the class ActivateUserServlet, method handleActivateRequest.
/**
 * Handles the "activate" action of the user-activation flow.
 *
 * <p>Order of operations: verify the captcha when it is enabled for the
 * request; clear any {@code ActivateUserBean} left over from an earlier
 * attempt; read and validate the activation form; look up exactly one LDAP
 * user from the submitted context, profile, filter and form values; verify
 * the submitted values against that user; and finally require the user to
 * match the {@code ACTIVATE_USER_QUERY_MATCH} permission list. Only after all
 * of that is the identity stored in a fresh bean marked as form-validated.
 *
 * <p>Failure handling: a user outside the permission list is recorded with
 * the intruder manager (identity plus address/session) and the request fails
 * with {@code ERROR_ACTIVATE_NO_PERMISSION}. A {@code PwmOperationalException}
 * from any step is recorded against the submitted attributes and the
 * address/session, surfaced via {@code setLastError}, and the handler still
 * returns {@code Continue}. Other exceptions propagate.
 *
 * @param pwmRequest the current request
 * @return {@code ProcessStatus.Continue} in every non-throwing path
 * @throws PwmUnrecoverableException on captcha failure, permission mismatch,
 *         or an unrecoverable error in any called step
 */
@ActionHandler(action = "activate")
public ProcessStatus handleActivateRequest(final PwmRequest pwmRequest) throws PwmUnrecoverableException, ChaiUnavailableException, IOException, ServletException {
    final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
    final PwmSession pwmSession = pwmRequest.getPwmSession();
    final Configuration config = pwmApplication.getConfig();
    final LocalSessionStateBean ssBean = pwmSession.getSessionStateBean();

    // captcha gate runs before the form or the directory is touched
    if (CaptchaUtility.captchaEnabledForRequest(pwmRequest) && !CaptchaUtility.verifyReCaptcha(pwmRequest)) {
        throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_BAD_CAPTCHA_RESPONSE));
    }

    // drop state from any previous attempt so a stale "validated" bean cannot outlive a failed run
    pwmApplication.getSessionStateService().clearBean(pwmRequest, ActivateUserBean.class);

    final List<FormConfiguration> activationForm = config.readSettingAsForm(PwmSetting.ACTIVATE_USER_FORM);
    // starts empty so the catch block can still mark attributes if reading the form itself fails
    Map<FormConfiguration, String> formValues = new HashMap<>();
    try {
        formValues = FormUtility.readFormValuesFromRequest(pwmRequest, activationForm, ssBean.getLocale());
        pwmApplication.getIntruderManager().convenience().checkAttributes(formValues);

        final String contextParam = pwmRequest.readParameterAsString(PwmConstants.PARAM_CONTEXT);
        final String ldapProfile = pwmRequest.readParameterAsString(PwmConstants.PARAM_LDAP_PROFILE);

        FormUtility.validateFormValues(config, formValues, ssBean.getLocale());
        final String searchFilter = ActivateUserUtils.figureLdapSearchFilter(pwmRequest);

        // resolve the single LDAP user described by the request
        final SearchConfiguration searchConfiguration = SearchConfiguration.builder()
                .contexts(Collections.singletonList(contextParam))
                .filter(searchFilter)
                .formValues(formValues)
                .ldapProfile(ldapProfile)
                .build();
        final UserIdentity userIdentity = pwmApplication.getUserSearchEngine()
                .performSingleUserSearch(searchConfiguration, pwmRequest.getSessionLabel());

        ActivateUserUtils.validateParamsAgainstLDAP(pwmRequest, formValues, userIdentity);

        // the user must fall inside the configured activation scope
        final List<UserPermission> allowedUsers = config.readSettingAsUserPermission(PwmSetting.ACTIVATE_USER_QUERY_MATCH);
        final boolean permitted = LdapPermissionTester.testUserPermissions(pwmApplication, pwmSession.getLabel(), userIdentity, allowedUsers);
        if (!permitted) {
            final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_ACTIVATE_NO_PERMISSION,
                    "user " + userIdentity + " attempted activation, but does not match query string");
            // count the attempt against both the identity and the address/session before failing
            pwmApplication.getIntruderManager().convenience().markUserIdentity(userIdentity, pwmSession);
            pwmApplication.getIntruderManager().convenience().markAddressAndSession(pwmSession);
            throw new PwmUnrecoverableException(errorInformation);
        }

        final ActivateUserBean activateUserBean = pwmApplication.getSessionStateService().getBean(pwmRequest, ActivateUserBean.class);
        activateUserBean.setUserIdentity(userIdentity);
        activateUserBean.setFormValidated(true);
        pwmApplication.getIntruderManager().convenience().clearAttributes(formValues);
        pwmApplication.getIntruderManager().convenience().clearAddressAndSession(pwmSession);
    } catch (PwmOperationalException e) {
        // operational failures are counted as intruder activity and shown on the page, not propagated
        pwmApplication.getIntruderManager().convenience().markAttributes(formValues, pwmSession);
        pwmApplication.getIntruderManager().convenience().markAddressAndSession(pwmSession);
        setLastError(pwmRequest, e.getErrorInformation());
        LOGGER.debug(pwmSession.getLabel(), e.getErrorInformation().toDebugStr());
    }

    return ProcessStatus.Continue;
}