Search in sources :

Example 61 with ErrorInformation

use of password.pwm.error.ErrorInformation in project pwm by pwm-project.

the class UserIdentity method toObfuscatedKey.

public String toObfuscatedKey(final PwmApplication pwmApplication) throws PwmUnrecoverableException {
    // use local cache first.
    if (!StringUtil.isEmpty(obfuscatedValue)) {
        return obfuscatedValue;
    }
    // check app cache.  This is used primarily so that keys are static over some meaningful lifetime, allowing browser caching based on keys.
    final CacheService cacheService = pwmApplication.getCacheService();
    final CacheKey cacheKey = CacheKey.makeCacheKey(this.getClass(), null, "userKey" + "|" + this.toDelimitedKey());
    final String cachedValue = cacheService.get(cacheKey);
    if (!StringUtil.isEmpty(cachedValue)) {
        obfuscatedValue = cachedValue;
        return cachedValue;
    }
    // generate key
    try {
        final String jsonValue = JsonUtil.serialize(this);
        final String localValue = CRYPO_HEADER + pwmApplication.getSecureService().encryptToString(jsonValue);
        this.obfuscatedValue = localValue;
        cacheService.put(cacheKey, CachePolicy.makePolicyWithExpiration(TimeDuration.DAY), localValue);
        return localValue;
    } catch (Exception e) {
        throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_UNKNOWN, "unexpected error making obfuscated user key: " + e.getMessage()));
    }
}
Also used : ErrorInformation(password.pwm.error.ErrorInformation) PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException) CacheKey(password.pwm.svc.cache.CacheKey) ChaiException(com.novell.ldapchai.exception.ChaiException) PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException) CacheService(password.pwm.svc.cache.CacheService)

Example 62 with ErrorInformation

use of password.pwm.error.ErrorInformation in project pwm by pwm-project.

the class UserIdentity method fromDelimitedKey.

public static UserIdentity fromDelimitedKey(final String key) throws PwmUnrecoverableException {
    if (key == null || key.length() < 1) {
        return null;
    }
    final StringTokenizer st = new StringTokenizer(key, DELIM_SEPARATOR);
    if (st.countTokens() < 2) {
        throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_UNKNOWN, "not enough tokens while parsing delimited identity key"));
    } else if (st.countTokens() > 2) {
        throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_UNKNOWN, "too many string tokens while parsing delimited identity key"));
    }
    final String profileID = st.nextToken();
    final String userDN = st.nextToken();
    return new UserIdentity(userDN, profileID);
}
Also used : ErrorInformation(password.pwm.error.ErrorInformation) StringTokenizer(java.util.StringTokenizer) PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException)

Example 63 with ErrorInformation

use of password.pwm.error.ErrorInformation in project pwm by pwm-project.

the class ForgottenPasswordUtil method doActionSendNewPassword.

static void doActionSendNewPassword(final PwmRequest pwmRequest) throws ChaiUnavailableException, IOException, ServletException, PwmUnrecoverableException {
    final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
    final ForgottenPasswordBean forgottenPasswordBean = ForgottenPasswordServlet.forgottenPasswordBean(pwmRequest);
    final ForgottenPasswordProfile forgottenPasswordProfile = forgottenPasswordProfile(pwmRequest.getPwmApplication(), forgottenPasswordBean);
    final RecoveryAction recoveryAction = ForgottenPasswordUtil.getRecoveryAction(pwmApplication.getConfig(), forgottenPasswordBean);
    LOGGER.trace(pwmRequest, "beginning process to send new password to user");
    if (!forgottenPasswordBean.getProgress().isAllPassed()) {
        return;
    }
    final UserIdentity userIdentity = forgottenPasswordBean.getUserIdentity();
    final ChaiUser theUser = pwmRequest.getPwmApplication().getProxiedChaiUser(userIdentity);
    try {
        // try unlocking user
        theUser.unlockPassword();
        LOGGER.trace(pwmRequest, "unlock account succeeded");
    } catch (ChaiOperationException e) {
        final String errorMsg = "unable to unlock user " + theUser.getEntryDN() + " error: " + e.getMessage();
        final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_UNLOCK_FAILURE, errorMsg);
        LOGGER.error(pwmRequest.getPwmSession(), errorInformation.toDebugStr());
        pwmRequest.respondWithError(errorInformation);
        return;
    }
    try {
        final UserInfo userInfo = UserInfoFactory.newUserInfoUsingProxy(pwmApplication, pwmRequest.getSessionLabel(), userIdentity, pwmRequest.getLocale());
        LOGGER.info(pwmRequest, "user successfully supplied password recovery responses, emailing new password to: " + theUser.getEntryDN());
        // add post change actions
        ForgottenPasswordServlet.addPostChangeAction(pwmRequest, userIdentity);
        // create new password
        final PasswordData newPassword = RandomPasswordGenerator.createRandomPassword(pwmRequest.getSessionLabel(), userInfo.getPasswordPolicy(), pwmApplication);
        LOGGER.trace(pwmRequest, "generated random password value based on password policy for " + userIdentity.toDisplayString());
        // set the password
        try {
            theUser.setPassword(newPassword.getStringValue());
            LOGGER.trace(pwmRequest, "set user " + userIdentity.toDisplayString() + " password to system generated random value");
        } catch (ChaiException e) {
            throw PwmUnrecoverableException.fromChaiException(e);
        }
        if (recoveryAction == RecoveryAction.SENDNEWPW_AND_EXPIRE) {
            LOGGER.debug(pwmRequest, "marking user " + userIdentity.toDisplayString() + " password as expired");
            theUser.expirePassword();
        }
        // mark the event log
        {
            final AuditRecord auditRecord = new AuditRecordFactory(pwmApplication).createUserAuditRecord(AuditEvent.RECOVER_PASSWORD, userIdentity, pwmRequest.getSessionLabel());
            pwmApplication.getAuditManager().submit(auditRecord);
        }
        final MessageSendMethod messageSendMethod = forgottenPasswordProfile.readSettingAsEnum(PwmSetting.RECOVERY_SENDNEWPW_METHOD, MessageSendMethod.class);
        // send email or SMS
        final String toAddress = PasswordUtility.sendNewPassword(userInfo, pwmApplication, newPassword, pwmRequest.getLocale(), messageSendMethod);
        pwmRequest.getPwmResponse().forwardToSuccessPage(Message.Success_PasswordSend, toAddress);
    } catch (PwmException e) {
        LOGGER.warn(pwmRequest, "unexpected error setting new password during recovery process for user: " + e.getMessage());
        pwmRequest.respondWithError(e.getErrorInformation());
    } catch (ChaiOperationException e) {
        final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_UNKNOWN, "unexpected ldap error while processing recovery action " + recoveryAction + ", error: " + e.getMessage());
        LOGGER.warn(pwmRequest, errorInformation.toDebugStr());
        pwmRequest.respondWithError(errorInformation);
    } finally {
        ForgottenPasswordServlet.clearForgottenPasswordBean(pwmRequest);
        // the user should not be authenticated, this is a safety method
        pwmRequest.getPwmSession().unauthenticateUser(pwmRequest);
        // the password set flag should not have been set, this is a safety method
        pwmRequest.getPwmSession().getSessionStateBean().setPasswordModified(false);
    }
}
Also used : ForgottenPasswordProfile(password.pwm.config.profile.ForgottenPasswordProfile) PwmApplication(password.pwm.PwmApplication) UserIdentity(password.pwm.bean.UserIdentity) UserInfo(password.pwm.ldap.UserInfo) MessageSendMethod(password.pwm.config.option.MessageSendMethod) PwmException(password.pwm.error.PwmException) ErrorInformation(password.pwm.error.ErrorInformation) AuditRecordFactory(password.pwm.svc.event.AuditRecordFactory) ChaiUser(com.novell.ldapchai.ChaiUser) RecoveryAction(password.pwm.config.option.RecoveryAction) PasswordData(password.pwm.util.PasswordData) ChaiOperationException(com.novell.ldapchai.exception.ChaiOperationException) AuditRecord(password.pwm.svc.event.AuditRecord) ForgottenPasswordBean(password.pwm.http.bean.ForgottenPasswordBean) ChaiException(com.novell.ldapchai.exception.ChaiException)

Example 64 with ErrorInformation

use of password.pwm.error.ErrorInformation in project pwm by pwm-project.

the class ForgottenPasswordUtil method verifyRequirementsForAuthMethod.

static void verifyRequirementsForAuthMethod(final PwmRequest pwmRequest, final ForgottenPasswordBean forgottenPasswordBean, final IdentityVerificationMethod recoveryVerificationMethods) throws PwmUnrecoverableException {
    switch(recoveryVerificationMethods) {
        case TOKEN:
            {
                ForgottenPasswordUtil.figureAvailableTokenDestinations(pwmRequest, forgottenPasswordBean);
            }
            break;
        case ATTRIBUTES:
            {
                final List<FormConfiguration> formConfiguration = forgottenPasswordBean.getAttributeForm();
                if (formConfiguration == null || formConfiguration.isEmpty()) {
                    final String errorMsg = "user is required to complete LDAP attribute check, yet there are no LDAP attribute form items configured";
                    final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_INVALID_CONFIG, errorMsg);
                    throw new PwmUnrecoverableException(errorInformation);
                }
            }
            break;
        case OTP:
            {
                final UserInfo userInfo = ForgottenPasswordUtil.readUserInfo(pwmRequest, forgottenPasswordBean);
                if (userInfo.getOtpUserRecord() == null) {
                    final String errorMsg = "could not find a one time password configuration for " + userInfo.getUserIdentity();
                    final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_NO_OTP_CONFIGURATION, errorMsg);
                    throw new PwmUnrecoverableException(errorInformation);
                }
            }
            break;
        case CHALLENGE_RESPONSES:
            {
                final UserInfo userInfo = ForgottenPasswordUtil.readUserInfo(pwmRequest, forgottenPasswordBean);
                final ResponseSet responseSet = ForgottenPasswordUtil.readResponseSet(pwmRequest, forgottenPasswordBean);
                if (responseSet == null) {
                    final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_RESPONSES_NORESPONSES);
                    throw new PwmUnrecoverableException(errorInformation);
                }
                final ChallengeSet challengeSet = userInfo.getChallengeProfile().getChallengeSet();
                try {
                    if (responseSet.meetsChallengeSetRequirements(challengeSet)) {
                        if (challengeSet.getRequiredChallenges().isEmpty() && (challengeSet.getMinRandomRequired() <= 0)) {
                            final String errorMsg = "configured challenge set policy for " + userInfo.getUserIdentity().toString() + " is empty, user not qualified to recover password";
                            final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_NO_CHALLENGES, errorMsg);
                            throw new PwmUnrecoverableException(errorInformation);
                        }
                    }
                } catch (ChaiValidationException e) {
                    final String errorMsg = "stored response set for user '" + userInfo.getUserIdentity() + "' do not meet current challenge set requirements: " + e.getLocalizedMessage();
                    final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_RESPONSES_NORESPONSES, errorMsg);
                    throw new PwmUnrecoverableException(errorInformation);
                }
            }
            break;
        default:
            // continue, assume no data requirements for method.
            break;
    }
}
Also used : ErrorInformation(password.pwm.error.ErrorInformation) ChallengeSet(com.novell.ldapchai.cr.ChallengeSet) ChaiValidationException(com.novell.ldapchai.exception.ChaiValidationException) ResponseSet(com.novell.ldapchai.cr.ResponseSet) List(java.util.List) ArrayList(java.util.ArrayList) PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException) UserInfo(password.pwm.ldap.UserInfo)

Example 65 with ErrorInformation

use of password.pwm.error.ErrorInformation in project pwm by pwm-project.

the class ForgottenPasswordUtil method figureAttributeForm.

static List<FormConfiguration> figureAttributeForm(final ForgottenPasswordProfile forgottenPasswordProfile, final ForgottenPasswordBean forgottenPasswordBean, final PwmRequest pwmRequest, final UserIdentity userIdentity) throws ChaiUnavailableException, PwmOperationalException, PwmUnrecoverableException {
    final List<FormConfiguration> requiredAttributesForm = forgottenPasswordProfile.readSettingAsForm(PwmSetting.RECOVERY_ATTRIBUTE_FORM);
    if (requiredAttributesForm.isEmpty()) {
        return requiredAttributesForm;
    }
    final UserInfo userInfo = readUserInfo(pwmRequest, forgottenPasswordBean);
    final List<FormConfiguration> returnList = new ArrayList<>();
    for (final FormConfiguration formItem : requiredAttributesForm) {
        if (formItem.isRequired()) {
            returnList.add(formItem);
        } else {
            try {
                final String currentValue = userInfo.readStringAttribute(formItem.getName());
                if (currentValue != null && currentValue.length() > 0) {
                    returnList.add(formItem);
                } else {
                    LOGGER.trace(pwmRequest, "excluding optional required attribute(" + formItem.getName() + "), user has no value");
                }
            } catch (PwmUnrecoverableException e) {
                throw new PwmOperationalException(new ErrorInformation(PwmError.ERROR_NO_CHALLENGES, "unexpected error reading value for attribute " + formItem.getName()));
            }
        }
    }
    if (returnList.isEmpty()) {
        throw new PwmOperationalException(new ErrorInformation(PwmError.ERROR_NO_CHALLENGES, "user has no values for any optional attribute"));
    }
    return returnList;
}
Also used : ErrorInformation(password.pwm.error.ErrorInformation) ArrayList(java.util.ArrayList) FormConfiguration(password.pwm.config.value.data.FormConfiguration) UserInfo(password.pwm.ldap.UserInfo) PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException) PwmOperationalException(password.pwm.error.PwmOperationalException)

Aggregations

ErrorInformation (password.pwm.error.ErrorInformation)325 PwmUnrecoverableException (password.pwm.error.PwmUnrecoverableException)216 PwmOperationalException (password.pwm.error.PwmOperationalException)125 PwmException (password.pwm.error.PwmException)67 UserIdentity (password.pwm.bean.UserIdentity)62 IOException (java.io.IOException)58 PwmApplication (password.pwm.PwmApplication)54 ChaiUnavailableException (com.novell.ldapchai.exception.ChaiUnavailableException)53 ChaiUser (com.novell.ldapchai.ChaiUser)38 PwmSession (password.pwm.http.PwmSession)38 LinkedHashMap (java.util.LinkedHashMap)35 Configuration (password.pwm.config.Configuration)33 ChaiOperationException (com.novell.ldapchai.exception.ChaiOperationException)32 Map (java.util.Map)32 Instant (java.time.Instant)30 ArrayList (java.util.ArrayList)30 FormConfiguration (password.pwm.config.value.data.FormConfiguration)29 ServletException (javax.servlet.ServletException)28 RestResultBean (password.pwm.ws.server.RestResultBean)26 UserInfo (password.pwm.ldap.UserInfo)23