
Example 16 with ErrorInformation

use of password.pwm.error.ErrorInformation in project pwm by pwm-project.

The class LDAPAuthenticationRequest, method testCredentials.

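/**
 * Verifies the supplied credentials by performing an LDAP BIND as the user.
 *
 * <p>A provider is created with the user's DN and password and a read of the
 * objectClass attribute is issued to force the bind. On success the provider is
 * left in {@code userProvider}; on any failure it is closed and the field is
 * cleared so a provider from a failed bind can never be reused.
 *
 * @param userIdentity the user to bind as; its DN must be present
 * @param password     the password to bind with
 * @throws PwmOperationalException   with {@code ERROR_WRONGPASSWORD} when the DN or
 *                                   password is missing, or when the bind fails with an
 *                                   error that does not map to a more specific {@link PwmError}
 * @throws PwmUnrecoverableException with {@code ERROR_INTRUDER_LDAP} when the directory
 *                                   reports an intruder lockout for the account
 * @throws ChaiUnavailableException  if the directory cannot be reached
 */
private void testCredentials(final UserIdentity userIdentity, final PasswordData password) throws ChaiUnavailableException, PwmUnrecoverableException, PwmOperationalException {
    log(PwmLogLevel.TRACE, "beginning testCredentials process");
    if (userIdentity == null || userIdentity.getUserDN() == null || userIdentity.getUserDN().isEmpty()) {
        final String errorMsg = "attempt to authenticate with null userDN";
        log(PwmLogLevel.DEBUG, errorMsg);
        throw new PwmOperationalException(new ErrorInformation(PwmError.ERROR_WRONGPASSWORD, errorMsg));
    }
    if (password == null) {
        final String errorMsg = "attempt to authenticate with null password";
        log(PwmLogLevel.DEBUG, errorMsg);
        throw new PwmOperationalException(new ErrorInformation(PwmError.ERROR_WRONGPASSWORD, errorMsg));
    }
    // try authenticating the user using a normal ldap BIND operation.
    log(PwmLogLevel.TRACE, "attempting authentication using ldap BIND");
    boolean bindSucceeded = false;
    try {
        // read a provider using the user's DN and password.
        userProvider = LdapOperationsHelper.createChaiProvider(pwmApplication, sessionLabel, userIdentity.getLdapProfile(pwmApplication.getConfig()), pwmApplication.getConfig(), userIdentity.getUserDN(), password);
        // issue a read operation to trigger a bind.
        userProvider.readStringAttribute(userIdentity.getUserDN(), ChaiConstant.ATTR_LDAP_OBJECTCLASS);
        bindSucceeded = true;
    } catch (ChaiException e) {
        // An intruder lockout is an account state, not a wrong password: raise it as
        // unrecoverable so the session is marked locked out instead of retried.
        if (e.getErrorCode() == ChaiError.INTRUDER_LOCKOUT) {
            final String errorMsg = "intruder lockout detected for user " + userIdentity + " marking session as locked out: " + e.getMessage();
            final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_INTRUDER_LDAP, errorMsg);
            log(PwmLogLevel.WARN, errorInformation.toDebugStr());
            throw new PwmUnrecoverableException(errorInformation);
        }
        // Map the directory error onto a PwmError where one exists; anything unmapped
        // (or explicitly unknown) is reported as a plain wrong password.
        final PwmError pwmError = PwmError.forChaiError(e.getErrorCode());
        final ErrorInformation errorInformation = (pwmError != null && PwmError.ERROR_UNKNOWN != pwmError)
                ? new ErrorInformation(pwmError, e.getMessage())
                : new ErrorInformation(PwmError.ERROR_WRONGPASSWORD, "ldap error during password check: " + e.getMessage());
        log(PwmLogLevel.DEBUG, errorInformation.toDebugStr());
        throw new PwmOperationalException(errorInformation);
    } finally {
        if (!bindSucceeded && userProvider != null) {
            try {
                userProvider.close();
            } catch (Throwable e) {
                // Throwable on purpose: a failure while closing must not replace the
                // authentication error already propagating out of the catch block.
                log(PwmLogLevel.ERROR, "unexpected error closing invalid ldap connection after failed login attempt: " + e.getMessage());
            } finally {
                // Drop the reference even when close() failed: the provider belongs to a
                // failed bind and must not be reachable for later operations.
                userProvider = null;
            }
        }
    }
}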
Also used : ErrorInformation(password.pwm.error.ErrorInformation) PwmError(password.pwm.error.PwmError) PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException) ChaiException(com.novell.ldapchai.exception.ChaiException) PwmOperationalException(password.pwm.error.PwmOperationalException)

Example 17 with ErrorInformation

use of password.pwm.error.ErrorInformation in project pwm by pwm-project.

The class LDAPAuthenticationRequest, method setTempUserPassword.

/**
 * Writes a temporary random password to the user's account so a later BIND can be
 * performed with a value this process knows.
 *
 * <p>This is only attempted when {@code AD_USE_PROXY_FOR_FORGOTTEN} is off and the
 * request originated from a public module; in every other case {@code null} is
 * returned and the caller falls back to another strategy. The random value is
 * generated against the user's own password policy and is never written to the log.
 *
 * @return the random password that was written, or {@code null} if nothing was changed
 * @throws PwmUnrecoverableException with {@code ERROR_BAD_SESSION_PASSWORD} if the directory
 *                                   rejects the password write
 * @throws ImpossiblePasswordPolicyException if no password can satisfy the user's policy
 * @throws ChaiUnavailableException  if the directory cannot be reached
 */
private PasswordData setTempUserPassword() throws ChaiUnavailableException, ImpossiblePasswordPolicyException, PwmUnrecoverableException {
    final boolean configAlwaysUseProxy = pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.AD_USE_PROXY_FOR_FORGOTTEN);
    final ChaiProvider chaiProvider = pwmApplication.getProxyChaiProvider(userIdentity.getLdapProfileID());
    final ChaiUser chaiUser = chaiProvider.getEntryFactory().newChaiUser(userIdentity.getUserDN());
    // try setting a random password on the account to authenticate.
    if (configAlwaysUseProxy || requestedAuthType != AuthenticationType.AUTH_FROM_PUBLIC_MODULE) {
        return null;
    }
    log(PwmLogLevel.DEBUG, "attempting to set temporary random password");
    final PwmPasswordPolicy passwordPolicy = PasswordUtility.readPasswordPolicyForUser(pwmApplication, sessionLabel, userIdentity, chaiUser, PwmConstants.DEFAULT_LOCALE);
    // create random password for user
    final RandomPasswordGenerator.RandomGeneratorConfig generatorConfig = RandomPasswordGenerator.RandomGeneratorConfig.builder()
            .seedlistPhrases(RandomPasswordGenerator.DEFAULT_SEED_PHRASES)
            .passwordPolicy(passwordPolicy)
            .build();
    final PasswordData randomPassword = RandomPasswordGenerator.createRandomPassword(sessionLabel, generatorConfig, pwmApplication);
    try {
        final String preChangeAllowTime = oraclePreTemporaryPwHandler(chaiProvider, chaiUser);
        // write the random password for the user.
        chaiUser.setPassword(randomPassword.getStringValue());
        oraclePostTemporaryPwHandler(chaiProvider, chaiUser, preChangeAllowTime);
        log(PwmLogLevel.INFO, "user " + userIdentity + " password has been set to random value to use for user authentication");
    } catch (ChaiOperationException e) {
        final String errorStr = "error setting random password for user " + userIdentity + " " + e.getMessage();
        log(PwmLogLevel.ERROR, errorStr);
        throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_BAD_SESSION_PASSWORD, errorStr));
    }
    return randomPassword;
}
Also used : ErrorInformation(password.pwm.error.ErrorInformation) ChaiProvider(com.novell.ldapchai.provider.ChaiProvider) ChaiUser(com.novell.ldapchai.ChaiUser) PasswordData(password.pwm.util.PasswordData) PwmPasswordPolicy(password.pwm.config.profile.PwmPasswordPolicy) RandomPasswordGenerator(password.pwm.util.RandomPasswordGenerator) PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException) ChaiOperationException(com.novell.ldapchai.exception.ChaiOperationException)

Example 18 with ErrorInformation

use of password.pwm.error.ErrorInformation in project pwm by pwm-project.

The class LDAPAuthenticationRequest, method oraclePreTemporaryPwHandler.

/**
 * Oracle DS special case run before a temporary password is written: reads the
 * entry's passwordAllowChangeTime attribute and, when the forgotten-password flow is
 * not permitted to change a password inside its minimum lifetime, refuses the change
 * while that time is still in the future.
 *
 * <p>Does nothing unless {@code ORACLE_DS_ENABLE_MANIP_ALLOWCHANGETIME} is on and the
 * user's provider reports an Oracle DS vendor.
 *
 * @param chaiProvider provider used to read the attribute
 * @param chaiUser     the user entry being changed
 * @return the raw passwordAllowChangeTime value read from the directory (handed back to
 *         the post handler), or {@code null} when the special case does not apply
 * @throws PwmUnrecoverableException with {@code PASSWORD_TOO_SOON} if the change is not yet permitted
 * @throws ChaiOperationException    if the attribute read fails
 * @throws ChaiUnavailableException  if the directory cannot be reached
 */
private String oraclePreTemporaryPwHandler(final ChaiProvider chaiProvider, final ChaiUser chaiUser) throws PwmUnrecoverableException, ChaiUnavailableException, ChaiOperationException {
    final boolean manipulationEnabled = pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.ORACLE_DS_ENABLE_MANIP_ALLOWCHANGETIME);
    if (!manipulationEnabled || chaiUser.getChaiProvider().getDirectoryVendor() != DirectoryVendor.ORACLE_DS) {
        return null;
    }
    // oracle DS special case: passwordAllowChangeTime handler
    final String allowChangeTime = chaiProvider.readStringAttribute(chaiUser.getEntryDN(), ORACLE_ATTR_PW_ALLOW_CHG_TIME);
    log(PwmLogLevel.TRACE, "read OracleDS value of passwordAllowChangeTime value=" + allowChangeTime);
    final boolean hasValue = allowChangeTime != null && !allowChangeTime.isEmpty();
    if (hasValue) {
        final Instant notBefore = OracleDSEntries.convertZuluToDate(allowChangeTime);
        final boolean enforceFromForgotten = !ForgottenPasswordUtil.permitPwChangeDuringMinLifetime(pwmApplication, sessionLabel, userIdentity);
        // only consult the clock when the minimum-lifetime rule actually applies
        if (enforceFromForgotten && Instant.now().isBefore(notBefore)) {
            final String errorMsg = "change not permitted until " + JavaHelper.toIsoDate(notBefore);
            throw new PwmUnrecoverableException(new ErrorInformation(PwmError.PASSWORD_TOO_SOON, errorMsg));
        }
    }
    return allowChangeTime;
}
Also used : ErrorInformation(password.pwm.error.ErrorInformation) Instant(java.time.Instant) PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException)

Example 19 with ErrorInformation

use of password.pwm.error.ErrorInformation in project pwm by pwm-project.

The class LDAPAuthenticationRequest, method authUsingUnknownPw.

/**
 * Authenticates the user without the caller knowing the user's password.
 *
 * <p>Selects a strategy and records it in {@code strategy}: when
 * {@code AD_USE_PROXY_FOR_FORGOTTEN} is on, the admin proxy is used and no user
 * password is passed to {@code authenticateUserImpl}; otherwise the password is first
 * read from the directory ({@code READ_THEN_BIND}) and, failing that, a temporary one is
 * written ({@code WRITE_THEN_BIND}). A failed BIND under either of the latter two is
 * reported as {@code ERROR_BAD_SESSION_PASSWORD} with a hint to check proxy rights.
 *
 * @return the result of the underlying authentication
 * @throws PwmUnrecoverableException with {@code ERROR_UNKNOWN} when no strategy is
 *                                   available, or when the BIND fails under the proxy strategy
 * @throws ChaiUnavailableException  if the directory cannot be reached
 */
@Override
public AuthenticationResult authUsingUnknownPw() throws ChaiUnavailableException, PwmUnrecoverableException {
    initialize();
    log(PwmLogLevel.TRACE, "beginning authentication using unknown password procedure");
    PasswordData userPassword = null;
    final boolean configAlwaysUseProxy = pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.AD_USE_PROXY_FOR_FORGOTTEN);
    if (configAlwaysUseProxy) {
        strategy = AuthenticationStrategy.ADMIN_PROXY;
    } else {
        userPassword = learnUserPassword();
        if (userPassword != null) {
            strategy = AuthenticationStrategy.READ_THEN_BIND;
        } else {
            userPassword = setTempUserPassword();
            if (userPassword == null) {
                throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_UNKNOWN, "no available unknown-pw authentication method"));
            }
            strategy = AuthenticationStrategy.WRITE_THEN_BIND;
        }
    }
    try {
        return authenticateUserImpl(userPassword);
    } catch (PwmOperationalException e) {
        // the two bind-based strategies share an error code and differ only in wording
        final String messagePrefix;
        if (strategy == AuthenticationStrategy.READ_THEN_BIND) {
            messagePrefix = "unable to authenticate with password read from directory, check proxy rights, ldap logs; error: ";
        } else if (strategy == AuthenticationStrategy.WRITE_THEN_BIND) {
            messagePrefix = "unable to authenticate with temporary password, check proxy rights, ldap logs; error: ";
        } else {
            throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_UNKNOWN, "unable to authenticate via authWithUnknownPw method: " + e.getMessage()));
        }
        throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_BAD_SESSION_PASSWORD, messagePrefix + e.getMessage()));
    }
}
Also used : ErrorInformation(password.pwm.error.ErrorInformation) PasswordData(password.pwm.util.PasswordData) PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException) PwmOperationalException(password.pwm.error.PwmOperationalException)

Example 20 with ErrorInformation

use of password.pwm.error.ErrorInformation in project pwm by pwm-project.

The class SessionAuthenticator, method searchAndAuthenticateUser.

/**
 * Resolves a username to a directory identity and authenticates it with the given password.
 *
 * <p>The intruder manager is consulted for the username before any directory lookup.
 * On failure, {@code postFailureSequence} runs first; then, if the error type is listed
 * in the {@code SECURITY_LOGIN_HIDDEN_ERROR_TYPES} app property and detailed error
 * messages are not currently permitted, the error is replaced by a generic
 * {@code ERROR_WRONGPASSWORD} — presumably so the login response does not reveal which
 * specific condition was hit. Otherwise the original exception is rethrown unchanged.
 *
 * @param username    the username to resolve
 * @param password    the password to authenticate with
 * @param context     the search context passed to the user search engine
 * @param ldapProfile the LDAP profile passed to the user search engine
 * @throws PwmOperationalException   the authentication error, possibly masked as {@code ERROR_WRONGPASSWORD}
 * @throws PwmUnrecoverableException if authentication fails unrecoverably
 * @throws ChaiUnavailableException  if the directory cannot be reached
 */
public void searchAndAuthenticateUser(final String username, final PasswordData password, final String context, final String ldapProfile) throws ChaiUnavailableException, PwmUnrecoverableException, PwmOperationalException {
    // intruder check on the username happens before the directory is touched
    pwmApplication.getIntruderManager().check(RecordType.USERNAME, username);
    UserIdentity userIdentity = null;
    try {
        final UserSearchEngine userSearchEngine = pwmApplication.getUserSearchEngine();
        userIdentity = userSearchEngine.resolveUsername(username, context, ldapProfile, sessionLabel);
        final AuthenticationRequest authEngine = LDAPAuthenticationRequest.createLDAPAuthenticationRequest(pwmApplication, sessionLabel, userIdentity, AuthenticationType.AUTHENTICATED, authenticationSource);
        postAuthenticationSequence(userIdentity, authEngine.authenticateUser(password));
    } catch (PwmOperationalException e) {
        postFailureSequence(e, username, userIdentity);
        final boolean hiddenErrorType = readHiddenErrorTypes().contains(e.getError());
        if (hiddenErrorType && !pwmApplication.determineIfDetailErrorMsgShown()) {
            // mask the real error type behind a generic wrong-password response
            final ErrorInformation maskedError = new ErrorInformation(PwmError.ERROR_WRONGPASSWORD);
            LOGGER.debug(pwmSession, "converting error from ldap " + e.getError() + " to " + PwmError.ERROR_WRONGPASSWORD + " due to app property " + AppProperty.SECURITY_LOGIN_HIDDEN_ERROR_TYPES.getKey());
            throw new PwmOperationalException(maskedError);
        }
        if (hiddenErrorType) {
            LOGGER.debug(pwmSession, "allowing error " + e.getError() + " to be returned though it is configured as a hidden type; " + "app is currently permitting detailed error messages");
        }
        throw e;
    }
}
Also used : ErrorInformation(password.pwm.error.ErrorInformation) UserIdentity(password.pwm.bean.UserIdentity) UserSearchEngine(password.pwm.ldap.search.UserSearchEngine) PwmOperationalException(password.pwm.error.PwmOperationalException)

Aggregations

ErrorInformation (password.pwm.error.ErrorInformation)325 PwmUnrecoverableException (password.pwm.error.PwmUnrecoverableException)216 PwmOperationalException (password.pwm.error.PwmOperationalException)125 PwmException (password.pwm.error.PwmException)67 UserIdentity (password.pwm.bean.UserIdentity)62 IOException (java.io.IOException)58 PwmApplication (password.pwm.PwmApplication)54 ChaiUnavailableException (com.novell.ldapchai.exception.ChaiUnavailableException)53 ChaiUser (com.novell.ldapchai.ChaiUser)38 PwmSession (password.pwm.http.PwmSession)38 LinkedHashMap (java.util.LinkedHashMap)35 Configuration (password.pwm.config.Configuration)33 ChaiOperationException (com.novell.ldapchai.exception.ChaiOperationException)32 Map (java.util.Map)32 Instant (java.time.Instant)30 ArrayList (java.util.ArrayList)30 FormConfiguration (password.pwm.config.value.data.FormConfiguration)29 ServletException (javax.servlet.ServletException)28 RestResultBean (password.pwm.ws.server.RestResultBean)26 UserInfo (password.pwm.ldap.UserInfo)23