
Example 1 with UserPermission

Use of password.pwm.config.value.data.UserPermission in project pwm by pwm-project: class LDAPStatusChecker, method checkUserPermissionValues.

// Health check: validate every configured USER_PERMISSION setting (non-profiled categories only).
private static List<HealthRecord> checkUserPermissionValues(final PwmApplication pwmApplication) {
    final List<HealthRecord> returnList = new ArrayList<>();
    final Configuration config = pwmApplication.getConfig();
    for (final PwmSetting pwmSetting : PwmSetting.values()) {
        // only visible settings whose value is a list of UserPermission entries
        if (!pwmSetting.isHidden() && pwmSetting.getSyntax() == PwmSettingSyntax.USER_PERMISSION) {
            if (!pwmSetting.getCategory().hasProfiles()) {
                final List<UserPermission> userPermissions = config.readSettingAsUserPermission(pwmSetting);
                for (final UserPermission userPermission : userPermissions) {
                    try {
                        returnList.addAll(checkUserPermission(pwmApplication, userPermission, pwmSetting));
                    } catch (PwmUnrecoverableException e) {
                        // a broken permission entry is logged; it does not abort the whole health check
                        LOGGER.error("error checking configured permission settings: " + e.getMessage());
                    }
                }
            }
        }
    }
    return returnList;
}
Also used:
import java.util.ArrayList;
import com.novell.ldapchai.provider.ChaiConfiguration;
import password.pwm.config.Configuration;
import password.pwm.config.PwmSetting;
import password.pwm.config.value.data.UserPermission;
import password.pwm.error.PwmUnrecoverableException;

Example 2 with UserPermission

Use of password.pwm.config.value.data.UserPermission in project pwm by pwm-project: class SessionManager, method checkPermission.

// Returns true only if the authenticated session user matches the UserPermission list
// configured for the given Permission. The LDAP result is cached per session.
public boolean checkPermission(final PwmApplication pwmApplication, final Permission permission) throws PwmUnrecoverableException {
    final boolean devDebugMode = pwmApplication.getConfig().isDevDebugMode();
    if (devDebugMode) {
        LOGGER.trace(pwmSession.getLabel(), String.format("entering checkPermission(%s, %s, %s)", permission, pwmSession, pwmApplication));
    }
    // deny by default: an unauthenticated session never holds a permission
    if (!pwmSession.isAuthenticated()) {
        if (devDebugMode) {
            LOGGER.trace(pwmSession.getLabel(), "user is not authenticated, returning false for permission check");
        }
        return false;
    }
    Permission.PermissionStatus status = pwmSession.getUserSessionDataCacheBean().getPermission(permission);
    if (status == Permission.PermissionStatus.UNCHECKED) {
        if (devDebugMode) {
            LOGGER.debug(pwmSession.getLabel(), String.format("checking permission %s for user %s", permission.toString(), pwmSession.getUserInfo().getUserIdentity().toDelimitedKey()));
        }
        // each Permission maps to a USER_PERMISSION-syntax setting; evaluate it against LDAP once
        final PwmSetting setting = permission.getPwmSetting();
        final List<UserPermission> userPermission = pwmApplication.getConfig().readSettingAsUserPermission(setting);
        final boolean result = LdapPermissionTester.testUserPermissions(pwmApplication, pwmSession.getLabel(), pwmSession.getUserInfo().getUserIdentity(), userPermission);
        status = result ? Permission.PermissionStatus.GRANTED : Permission.PermissionStatus.DENIED;
        // cache the outcome so later checks in this session skip the LDAP round trip
        pwmSession.getUserSessionDataCacheBean().setPermission(permission, status);
        LOGGER.debug(pwmSession.getLabel(), String.format("permission %s for user %s is %s", permission.toString(), pwmSession.getUserInfo().getUserIdentity().toDelimitedKey(), status.toString()));
    }
    return status == Permission.PermissionStatus.GRANTED;
}
Also used:
import password.pwm.Permission;
import password.pwm.config.PwmSetting;
import password.pwm.config.value.data.UserPermission;

Example 3 with UserPermission

Use of password.pwm.config.value.data.UserPermission in project pwm by pwm-project: class CrService, method determineChallengeProfileForUser.

// Walks the configured challenge profiles in order and returns the ID of the first one
// whose UserPermission list matches the user; a profile with no permissions is skipped.
protected static String determineChallengeProfileForUser(final PwmApplication pwmApplication, final SessionLabel sessionLabel, final UserIdentity userIdentity, final Locale locale) throws PwmUnrecoverableException {
    final List<String> profiles = pwmApplication.getConfig().getChallengeProfileIDs();
    if (profiles.isEmpty()) {
        throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_NO_PROFILE_ASSIGNED, "no challenge profile is configured"));
    }
    for (final String profile : profiles) {
        final ChallengeProfile loopPolicy = pwmApplication.getConfig().getChallengeProfile(profile, locale);
        final List<UserPermission> queryMatch = loopPolicy.getUserPermissions();
        if (queryMatch != null && !queryMatch.isEmpty()) {
            LOGGER.debug(sessionLabel, "testing challenge profile '" + profile + "'");
            try {
                final boolean match = LdapPermissionTester.testUserPermissions(pwmApplication, sessionLabel, userIdentity, queryMatch);
                if (match) {
                    return profile;
                }
            } catch (PwmUnrecoverableException e) {
                // an LDAP error for one profile is logged and the next profile is tried
                LOGGER.error(sessionLabel, "unexpected error while testing challenge profile '" + profile + "', error: " + e.getMessage());
            }
        }
    }
    throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_NO_PROFILE_ASSIGNED, "no challenge profile is assigned"));
}
Also used:
import password.pwm.config.profile.ChallengeProfile;
import password.pwm.config.value.data.UserPermission;
import password.pwm.error.ErrorInformation;
import password.pwm.error.PwmUnrecoverableException;

Example 4 with UserPermission

Use of password.pwm.config.value.data.UserPermission in project pwm by pwm-project: class PasswordUtility, method determineConfiguredPolicyProfileForUser.

// Walks the configured password policy profiles in order and returns the first one
// whose UserPermission list matches the user.
public static PwmPasswordPolicy determineConfiguredPolicyProfileForUser(final PwmApplication pwmApplication, final SessionLabel pwmSession, final UserIdentity userIdentity, final Locale locale) throws PwmUnrecoverableException {
    final List<String> profiles = pwmApplication.getConfig().getPasswordProfileIDs();
    if (profiles.isEmpty()) {
        throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_NO_PROFILE_ASSIGNED, "no password profiles are configured"));
    }
    for (final String profile : profiles) {
        final PwmPasswordPolicy loopPolicy = pwmApplication.getConfig().getPasswordPolicy(profile, locale);
        final List<UserPermission> userPermissions = loopPolicy.getUserPermissions();
        LOGGER.debug(pwmSession, "testing password policy profile '" + profile + "'");
        try {
            final boolean match = LdapPermissionTester.testUserPermissions(pwmApplication, pwmSession, userIdentity, userPermissions);
            if (match) {
                return loopPolicy;
            }
        } catch (PwmUnrecoverableException e) {
            // an LDAP error for one profile is logged and the next profile is tried
            LOGGER.error(pwmSession, "unexpected error while testing password policy profile '" + profile + "', error: " + e.getMessage());
        }
    }
    throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_NO_PROFILE_ASSIGNED, "no password profile is assigned"));
}
Also used:
import password.pwm.config.profile.PwmPasswordPolicy;
import password.pwm.config.value.data.UserPermission;
import password.pwm.error.ErrorInformation;
import password.pwm.error.PwmUnrecoverableException;

Example 5 with UserPermission

Use of password.pwm.config.value.data.UserPermission in project pwm by pwm-project: class ActivateUserServlet, method handleActivateRequest.

// Handles the "activate" form post: captcha, form validation, LDAP user lookup,
// then the ACTIVATE_USER_QUERY_MATCH permission check before the user is marked as validated.
@ActionHandler(action = "activate")
public ProcessStatus handleActivateRequest(final PwmRequest pwmRequest) throws PwmUnrecoverableException, ChaiUnavailableException, IOException, ServletException {
    final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
    final PwmSession pwmSession = pwmRequest.getPwmSession();
    final Configuration config = pwmApplication.getConfig();
    final LocalSessionStateBean ssBean = pwmSession.getSessionStateBean();
    if (CaptchaUtility.captchaEnabledForRequest(pwmRequest)) {
        if (!CaptchaUtility.verifyReCaptcha(pwmRequest)) {
            final ErrorInformation errorInfo = new ErrorInformation(PwmError.ERROR_BAD_CAPTCHA_RESPONSE);
            throw new PwmUnrecoverableException(errorInfo);
        }
    }
    pwmApplication.getSessionStateService().clearBean(pwmRequest, ActivateUserBean.class);
    final List<FormConfiguration> configuredActivationForm = config.readSettingAsForm(PwmSetting.ACTIVATE_USER_FORM);
    Map<FormConfiguration, String> formValues = new HashMap<>();
    try {
        // read the values from the request
        formValues = FormUtility.readFormValuesFromRequest(pwmRequest, configuredActivationForm, ssBean.getLocale());
        // check for intruders (rate limiting keyed on the submitted attribute values)
        pwmApplication.getIntruderManager().convenience().checkAttributes(formValues);
        // read the context attr
        final String contextParam = pwmRequest.readParameterAsString(PwmConstants.PARAM_CONTEXT);
        // read the profile attr
        final String ldapProfile = pwmRequest.readParameterAsString(PwmConstants.PARAM_LDAP_PROFILE);
        // see if the values meet the configured form requirements.
        FormUtility.validateFormValues(config, formValues, ssBean.getLocale());
        final String searchFilter = ActivateUserUtils.figureLdapSearchFilter(pwmRequest);
        // read an ldap user object based on the params; exactly one match is required
        final UserIdentity userIdentity;
        {
            final UserSearchEngine userSearchEngine = pwmApplication.getUserSearchEngine();
            final SearchConfiguration searchConfiguration = SearchConfiguration.builder()
                    .contexts(Collections.singletonList(contextParam))
                    .filter(searchFilter)
                    .formValues(formValues)
                    .ldapProfile(ldapProfile)
                    .build();
            userIdentity = userSearchEngine.performSingleUserSearch(searchConfiguration, pwmRequest.getSessionLabel());
        }
        ActivateUserUtils.validateParamsAgainstLDAP(pwmRequest, formValues, userIdentity);
        // the located user must also match the configured activation permission list
        final List<UserPermission> userPermissions = config.readSettingAsUserPermission(PwmSetting.ACTIVATE_USER_QUERY_MATCH);
        if (!LdapPermissionTester.testUserPermissions(pwmApplication, pwmSession.getLabel(), userIdentity, userPermissions)) {
            final String errorMsg = "user " + userIdentity + " attempted activation, but does not match query string";
            final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_ACTIVATE_NO_PERMISSION, errorMsg);
            // count the failed attempt against both the user and the client address/session
            pwmApplication.getIntruderManager().convenience().markUserIdentity(userIdentity, pwmSession);
            pwmApplication.getIntruderManager().convenience().markAddressAndSession(pwmSession);
            throw new PwmUnrecoverableException(errorInformation);
        }
        final ActivateUserBean activateUserBean = pwmApplication.getSessionStateService().getBean(pwmRequest, ActivateUserBean.class);
        activateUserBean.setUserIdentity(userIdentity);
        activateUserBean.setFormValidated(true);
        // success: reset the intruder counters for these attributes and this client
        pwmApplication.getIntruderManager().convenience().clearAttributes(formValues);
        pwmApplication.getIntruderManager().convenience().clearAddressAndSession(pwmSession);
    } catch (PwmOperationalException e) {
        // any operational failure (bad form values, no/too many LDAP matches) is recorded as an intruder attempt
        pwmApplication.getIntruderManager().convenience().markAttributes(formValues, pwmSession);
        pwmApplication.getIntruderManager().convenience().markAddressAndSession(pwmSession);
        setLastError(pwmRequest, e.getErrorInformation());
        LOGGER.debug(pwmSession.getLabel(), e.getErrorInformation().toDebugStr());
    }
    return ProcessStatus.Continue;
}
Also used:
import java.util.HashMap;
import password.pwm.PwmApplication;
import password.pwm.bean.LocalSessionStateBean;
import password.pwm.bean.UserIdentity;
import password.pwm.config.Configuration;
import password.pwm.config.value.data.FormConfiguration;
import password.pwm.config.value.data.UserPermission;
import password.pwm.error.ErrorInformation;
import password.pwm.error.PwmOperationalException;
import password.pwm.error.PwmUnrecoverableException;
import password.pwm.http.PwmSession;
import password.pwm.http.bean.ActivateUserBean;
import password.pwm.ldap.search.SearchConfiguration;
import password.pwm.ldap.search.UserSearchEngine;
