Search in sources :

Example 6 with PwmOperationalException

use of password.pwm.error.PwmOperationalException in project pwm by pwm-project.

the class LDAPAuthenticationRequest method authenticateUserImpl.

private AuthenticationResult authenticateUserImpl(final PasswordData password) throws ChaiUnavailableException, PwmUnrecoverableException, PwmOperationalException {
    if (startTime == null) {
        startTime = new Date();
    }
    log(PwmLogLevel.DEBUG, "preparing to authenticate user using authenticationType=" + this.requestedAuthType + " using strategy " + this.strategy);
    final StatisticsManager statisticsManager = pwmApplication.getStatisticsManager();
    final IntruderManager intruderManager = pwmApplication.getIntruderManager();
    intruderManager.convenience().checkUserIdentity(userIdentity);
    intruderManager.check(RecordType.ADDRESS, sessionLabel.getSrcAddress());
    // verify user is not account disabled
    AuthenticationUtility.checkIfUserEligibleToAuthentication(pwmApplication, userIdentity);
    boolean allowBindAsUser = true;
    if (strategy == AuthenticationStrategy.ADMIN_PROXY) {
        allowBindAsUser = false;
    }
    if (allowBindAsUser) {
        try {
            testCredentials(userIdentity, password);
        } catch (PwmOperationalException e) {
            boolean permitAuthDespiteError = false;
            final DirectoryVendor vendor = pwmApplication.getProxyChaiProvider(userIdentity.getLdapProfileID()).getDirectoryVendor();
            if (PwmError.PASSWORD_NEW_PASSWORD_REQUIRED == e.getError()) {
                if (vendor == DirectoryVendor.ACTIVE_DIRECTORY) {
                    if (pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.AD_ALLOW_AUTH_REQUIRE_NEW_PWD)) {
                        log(PwmLogLevel.INFO, "auth bind failed, but will allow login due to 'must change password on next login AD error', error: " + e.getErrorInformation().toDebugStr());
                        allowBindAsUser = false;
                        permitAuthDespiteError = true;
                    }
                } else if (vendor == DirectoryVendor.ORACLE_DS) {
                    if (pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.ORACLE_DS_ALLOW_AUTH_REQUIRE_NEW_PWD)) {
                        log(PwmLogLevel.INFO, "auth bind failed, but will allow login due to 'pwdReset' user attribute, error: " + e.getErrorInformation().toDebugStr());
                        allowBindAsUser = false;
                        permitAuthDespiteError = true;
                    }
                }
            } else if (PwmError.PASSWORD_EXPIRED == e.getError()) {
                // handle ad case where password is expired
                if (vendor == DirectoryVendor.ACTIVE_DIRECTORY) {
                    if (pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.AD_ALLOW_AUTH_REQUIRE_NEW_PWD)) {
                        if (!pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.AD_ALLOW_AUTH_EXPIRED)) {
                            throw e;
                        }
                        log(PwmLogLevel.INFO, "auth bind failed, but will allow login due to 'password expired AD error', error: " + e.getErrorInformation().toDebugStr());
                        allowBindAsUser = false;
                        permitAuthDespiteError = true;
                    }
                }
            }
            if (!permitAuthDespiteError) {
                // auth failed, presumably due to wrong password.
                statisticsManager.incrementValue(Statistic.AUTHENTICATION_FAILURES);
                throw e;
            }
        }
    }
    statisticsManager.incrementValue(Statistic.AUTHENTICATIONS);
    statisticsManager.updateEps(EpsStatistic.AUTHENTICATION, 1);
    statisticsManager.updateAverageValue(Statistic.AVG_AUTHENTICATION_TIME, TimeDuration.fromCurrent(startTime).getTotalMilliseconds());
    final AuthenticationType returnAuthType;
    if (!allowBindAsUser) {
        returnAuthType = AuthenticationType.AUTH_BIND_INHIBIT;
    } else {
        if (requestedAuthType == null) {
            returnAuthType = AuthenticationType.AUTHENTICATED;
        } else {
            if (requestedAuthType == AuthenticationType.AUTH_WITHOUT_PASSWORD) {
                returnAuthType = AuthenticationType.AUTHENTICATED;
            } else if (requestedAuthType == AuthenticationType.AUTH_FROM_PUBLIC_MODULE) {
                returnAuthType = AuthenticationType.AUTH_FROM_PUBLIC_MODULE;
            } else {
                returnAuthType = requestedAuthType;
            }
        }
    }
    final boolean useProxy = determineIfLdapProxyNeeded(returnAuthType, password);
    final ChaiProvider returnProvider = useProxy ? makeProxyProvider() : userProvider;
    final AuthenticationResult authenticationResult = new AuthenticationResult(returnProvider, returnAuthType, password);
    final StringBuilder debugMsg = new StringBuilder();
    debugMsg.append("successful ldap authentication for ").append(userIdentity);
    debugMsg.append(" (").append(TimeDuration.fromCurrent(startTime).asCompactString()).append(")");
    debugMsg.append(" type: ").append(returnAuthType).append(", using strategy ").append(strategy);
    debugMsg.append(", using proxy connection: ").append(useProxy);
    debugMsg.append(", returning bind dn: ").append(returnProvider == null ? "none" : returnProvider.getChaiConfiguration().getSetting(ChaiSetting.BIND_DN));
    log(PwmLogLevel.INFO, debugMsg);
    final MacroMachine macroMachine = MacroMachine.forUser(pwmApplication, PwmConstants.DEFAULT_LOCALE, sessionLabel, userIdentity);
    final AuditRecord auditRecord = new AuditRecordFactory(pwmApplication, macroMachine).createUserAuditRecord(AuditEvent.AUTHENTICATE, this.userIdentity, makeAuditLogMessage(returnAuthType), sessionLabel.getSrcAddress(), sessionLabel.getSrcHostname());
    pwmApplication.getAuditManager().submit(auditRecord);
    pwmApplication.getSessionTrackService().addRecentLogin(userIdentity);
    return authenticationResult;
}
Also used : Date(java.util.Date) PwmOperationalException(password.pwm.error.PwmOperationalException) AuditRecordFactory(password.pwm.svc.event.AuditRecordFactory) StatisticsManager(password.pwm.svc.stats.StatisticsManager) ChaiProvider(com.novell.ldapchai.provider.ChaiProvider) MacroMachine(password.pwm.util.macro.MacroMachine) DirectoryVendor(com.novell.ldapchai.provider.DirectoryVendor) IntruderManager(password.pwm.svc.intruder.IntruderManager) AuditRecord(password.pwm.svc.event.AuditRecord)

Example 7 with PwmOperationalException

use of password.pwm.error.PwmOperationalException in project pwm by pwm-project.

the class LDAPAuthenticationRequest method authUsingUnknownPw.

@Override
public AuthenticationResult authUsingUnknownPw() throws ChaiUnavailableException, PwmUnrecoverableException {
    initialize();
    log(PwmLogLevel.TRACE, "beginning authentication using unknown password procedure");
    PasswordData userPassword = null;
    final boolean configAlwaysUseProxy = pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.AD_USE_PROXY_FOR_FORGOTTEN);
    if (configAlwaysUseProxy) {
        strategy = AuthenticationStrategy.ADMIN_PROXY;
    } else {
        userPassword = learnUserPassword();
        if (userPassword != null) {
            strategy = AuthenticationStrategy.READ_THEN_BIND;
        } else {
            userPassword = setTempUserPassword();
            if (userPassword != null) {
                strategy = AuthenticationStrategy.WRITE_THEN_BIND;
            }
        }
        if (userPassword == null) {
            throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_UNKNOWN, "no available unknown-pw authentication method"));
        }
    }
    try {
        return authenticateUserImpl(userPassword);
    } catch (PwmOperationalException e) {
        if (strategy == AuthenticationStrategy.READ_THEN_BIND) {
            final String errorStr = "unable to authenticate with password read from directory, check proxy rights, ldap logs; error: " + e.getMessage();
            throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_BAD_SESSION_PASSWORD, errorStr));
        } else if (strategy == AuthenticationStrategy.WRITE_THEN_BIND) {
            final String errorStr = "unable to authenticate with temporary password, check proxy rights, ldap logs; error: " + e.getMessage();
            throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_BAD_SESSION_PASSWORD, errorStr));
        }
        throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_UNKNOWN, "unable to authenticate via authWithUnknownPw method: " + e.getMessage()));
    }
}
Also used : ErrorInformation(password.pwm.error.ErrorInformation) PasswordData(password.pwm.util.PasswordData) PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException) PwmOperationalException(password.pwm.error.PwmOperationalException)

Example 8 with PwmOperationalException

use of password.pwm.error.PwmOperationalException in project pwm by pwm-project.

the class SessionAuthenticator method authUserWithUnknownPassword.

public void authUserWithUnknownPassword(final String username, final AuthenticationType requestedAuthType) throws ImpossiblePasswordPolicyException, PwmUnrecoverableException, PwmOperationalException {
    pwmApplication.getIntruderManager().check(RecordType.USERNAME, username);
    UserIdentity userIdentity = null;
    try {
        final UserSearchEngine userSearchEngine = pwmApplication.getUserSearchEngine();
        userIdentity = userSearchEngine.resolveUsername(username, null, null, sessionLabel);
        final AuthenticationRequest authEngine = LDAPAuthenticationRequest.createLDAPAuthenticationRequest(pwmApplication, sessionLabel, userIdentity, requestedAuthType, authenticationSource);
        final AuthenticationResult authResult = authEngine.authUsingUnknownPw();
        postAuthenticationSequence(userIdentity, authResult);
    } catch (ChaiUnavailableException e) {
        throw PwmUnrecoverableException.fromChaiException(e);
    } catch (PwmOperationalException e) {
        postFailureSequence(e, username, userIdentity);
        throw e;
    }
}
Also used : ChaiUnavailableException(com.novell.ldapchai.exception.ChaiUnavailableException) UserIdentity(password.pwm.bean.UserIdentity) UserSearchEngine(password.pwm.ldap.search.UserSearchEngine) PwmOperationalException(password.pwm.error.PwmOperationalException)

Example 9 with PwmOperationalException

use of password.pwm.error.PwmOperationalException in project pwm by pwm-project.

the class SessionAuthenticator method searchAndAuthenticateUser.

public void searchAndAuthenticateUser(final String username, final PasswordData password, final String context, final String ldapProfile) throws ChaiUnavailableException, PwmUnrecoverableException, PwmOperationalException {
    pwmApplication.getIntruderManager().check(RecordType.USERNAME, username);
    UserIdentity userIdentity = null;
    try {
        final UserSearchEngine userSearchEngine = pwmApplication.getUserSearchEngine();
        userIdentity = userSearchEngine.resolveUsername(username, context, ldapProfile, sessionLabel);
        final AuthenticationRequest authEngine = LDAPAuthenticationRequest.createLDAPAuthenticationRequest(pwmApplication, sessionLabel, userIdentity, AuthenticationType.AUTHENTICATED, authenticationSource);
        final AuthenticationResult authResult = authEngine.authenticateUser(password);
        postAuthenticationSequence(userIdentity, authResult);
    } catch (PwmOperationalException e) {
        postFailureSequence(e, username, userIdentity);
        if (readHiddenErrorTypes().contains(e.getError())) {
            if (pwmApplication.determineIfDetailErrorMsgShown()) {
                LOGGER.debug(pwmSession, "allowing error " + e.getError() + " to be returned though it is configured as a hidden type; " + "app is currently permitting detailed error messages");
            } else {
                final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_WRONGPASSWORD);
                LOGGER.debug(pwmSession, "converting error from ldap " + e.getError() + " to " + PwmError.ERROR_WRONGPASSWORD + " due to app property " + AppProperty.SECURITY_LOGIN_HIDDEN_ERROR_TYPES.getKey());
                throw new PwmOperationalException(errorInformation);
            }
        }
        throw e;
    }
}
Also used : ErrorInformation(password.pwm.error.ErrorInformation) UserIdentity(password.pwm.bean.UserIdentity) UserSearchEngine(password.pwm.ldap.search.UserSearchEngine) PwmOperationalException(password.pwm.error.PwmOperationalException)

Example 10 with PwmOperationalException

use of password.pwm.error.PwmOperationalException in project pwm by pwm-project.

the class CrService method writeResponses.

public void writeResponses(final UserIdentity userIdentity, final ChaiUser theUser, final String userGUID, final ResponseInfoBean responseInfoBean) throws PwmOperationalException, ChaiUnavailableException, ChaiValidationException {
    int attempts = 0;
    int successes = 0;
    final Map<DataStorageMethod, String> errorMessages = new LinkedHashMap<>();
    final Configuration config = pwmApplication.getConfig();
    final List<DataStorageMethod> writeMethods = config.helper().getCrWritePreference();
    for (final DataStorageMethod loopWriteMethod : writeMethods) {
        try {
            attempts++;
            operatorMap.get(loopWriteMethod).writeResponses(userIdentity, theUser, userGUID, responseInfoBean);
            LOGGER.debug("saved responses using storage method " + loopWriteMethod + " for user " + theUser.getEntryDN());
            errorMessages.put(loopWriteMethod, "Success");
            successes++;
        } catch (PwmUnrecoverableException e) {
            final String errorMsg = "error saving responses via " + loopWriteMethod + ", error: " + e.getMessage();
            errorMessages.put(loopWriteMethod, errorMsg);
            LOGGER.error(errorMsg);
        }
    }
    if (attempts == 0) {
        final String errorMsg = "no response save methods are available or configured";
        final ErrorInformation errorInfo = new ErrorInformation(PwmError.ERROR_WRITING_RESPONSES, errorMsg);
        throw new PwmOperationalException(errorInfo);
    }
    if (attempts != successes) {
        final String errorMsg = "response storage only partially successful; attempts=" + attempts + ", successes=" + successes + ", detail=" + JsonUtil.serializeMap(errorMessages);
        final ErrorInformation errorInfo = new ErrorInformation(PwmError.ERROR_WRITING_RESPONSES, errorMsg);
        throw new PwmOperationalException(errorInfo);
    }
}
Also used : ErrorInformation(password.pwm.error.ErrorInformation) Configuration(password.pwm.config.Configuration) DataStorageMethod(password.pwm.config.option.DataStorageMethod) PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException) LinkedHashMap(java.util.LinkedHashMap) PwmOperationalException(password.pwm.error.PwmOperationalException)

Aggregations

PwmOperationalException (password.pwm.error.PwmOperationalException)134 ErrorInformation (password.pwm.error.ErrorInformation)104 PwmUnrecoverableException (password.pwm.error.PwmUnrecoverableException)57 UserIdentity (password.pwm.bean.UserIdentity)39 PwmApplication (password.pwm.PwmApplication)27 PwmSession (password.pwm.http.PwmSession)26 ChaiUser (com.novell.ldapchai.ChaiUser)20 Configuration (password.pwm.config.Configuration)19 ChaiUnavailableException (com.novell.ldapchai.exception.ChaiUnavailableException)17 UserSearchEngine (password.pwm.ldap.search.UserSearchEngine)17 FormConfiguration (password.pwm.config.value.data.FormConfiguration)16 PwmException (password.pwm.error.PwmException)16 ChaiOperationException (com.novell.ldapchai.exception.ChaiOperationException)15 SearchConfiguration (password.pwm.ldap.search.SearchConfiguration)14 Instant (java.time.Instant)13 LinkedHashMap (java.util.LinkedHashMap)13 MacroMachine (password.pwm.util.macro.MacroMachine)13 ArrayList (java.util.ArrayList)12 Map (java.util.Map)12 UserInfo (password.pwm.ldap.UserInfo)11