Example 31 with PwmOperationalException

Use of password.pwm.error.PwmOperationalException in project pwm by pwm-project.

The class SessionFilter, method checkUrlAgainstWhitelist.

private static void checkUrlAgainstWhitelist(final PwmApplication pwmApplication, final SessionLabel sessionLabel, final String inputURL) throws PwmOperationalException {
    LOGGER.trace(sessionLabel, "beginning test of requested redirect URL: " + inputURL);
    if (inputURL == null || inputURL.isEmpty()) {
        return;
    }
    final URI inputURI;
    try {
        inputURI = URI.create(inputURL);
    } catch (IllegalArgumentException e) {
        LOGGER.error(sessionLabel, "unable to parse requested redirect url '" + inputURL + "', error: " + e.getMessage());
        // don't echo the input URI back in the error response
        final String errorMsg = "unable to parse url: " + e.getMessage();
        throw new PwmOperationalException(new ErrorInformation(PwmError.ERROR_REDIRECT_ILLEGAL, errorMsg));
    }
    {
        // check to make sure we weren't handed a non-http uri; scheme comparison is case-insensitive for both http and https
        final String scheme = inputURI.getScheme();
        if (scheme != null && !scheme.isEmpty() && !"http".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(scheme)) {
            final String errorMsg = "unsupported url scheme";
            throw new PwmOperationalException(new ErrorInformation(PwmError.ERROR_REDIRECT_ILLEGAL, errorMsg));
        }
    }
    if (inputURI.getHost() != null && !inputURI.getHost().isEmpty()) {
        // disallow localhost uri
        try {
            final InetAddress inetAddress = InetAddress.getByName(inputURI.getHost());
            if (inetAddress.isLoopbackAddress()) {
                final String errorMsg = "redirect to loopback host is not permitted";
                throw new PwmOperationalException(new ErrorInformation(PwmError.ERROR_REDIRECT_ILLEGAL, errorMsg));
            }
        } catch (UnknownHostException e) {
            // host does not resolve; the whitelist test below still has to pass
        }
    }
    // rebuild a normalized scheme://host:port/path string (query and fragment dropped) for the whitelist test
    final StringBuilder sb = new StringBuilder();
    if (inputURI.getScheme() != null) {
        sb.append(inputURI.getScheme());
        sb.append("://");
    }
    if (inputURI.getHost() != null) {
        sb.append(inputURI.getHost());
    }
    if (inputURI.getPort() != -1) {
        sb.append(":");
        sb.append(inputURI.getPort());
    }
    if (inputURI.getPath() != null) {
        sb.append(inputURI.getPath());
    }
    final String testURI = sb.toString();
    LOGGER.trace(sessionLabel, "preparing to whitelist test parsed and decoded URL: " + testURI);
    final String regexPrefix = "regex:";
    final List<String> whiteList = pwmApplication.getConfig().readSettingAsStringArray(PwmSetting.SECURITY_REDIRECT_WHITELIST);
    for (final String loopFragment : whiteList) {
        if (loopFragment.startsWith(regexPrefix)) {
            try {
                final String strPattern = loopFragment.substring(regexPrefix.length());
                final Pattern pattern = Pattern.compile(strPattern);
                if (pattern.matcher(testURI).matches()) {
                    LOGGER.debug(sessionLabel, "positive URL match for regex pattern: " + strPattern);
                    return;
                } else {
                    LOGGER.trace(sessionLabel, "negative URL match for regex pattern: " + strPattern);
                }
            } catch (Exception e) {
                LOGGER.error(sessionLabel, "error while testing URL match for regex pattern: '" + loopFragment + "', error: " + e.getMessage());
            }
        } else {
            // plain (non-regex) entries are matched as a prefix of the normalized URL
            if (testURI.startsWith(loopFragment)) {
                LOGGER.debug(sessionLabel, "positive URL match for pattern: " + loopFragment);
                return;
            } else {
                LOGGER.trace(sessionLabel, "negative URL match for pattern: " + loopFragment);
            }
        }
    }
    final String errorMsg = testURI + " is not a match for any configured redirect whitelist, see setting: " + PwmSetting.SECURITY_REDIRECT_WHITELIST.toMenuLocationDebug(null, PwmConstants.DEFAULT_LOCALE);
    throw new PwmOperationalException(new ErrorInformation(PwmError.ERROR_REDIRECT_ILLEGAL, errorMsg));
}

Example 32 with PwmOperationalException

Use of password.pwm.error.PwmOperationalException in project pwm by pwm-project.

The class DeleteAccountServlet, method handleDeleteRequest.

@ActionHandler(action = "delete")
private ProcessStatus handleDeleteRequest(final PwmRequest pwmRequest) throws ServletException, IOException, PwmUnrecoverableException, ChaiUnavailableException {
    final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
    final DeleteAccountProfile deleteAccountProfile = getProfile(pwmRequest);
    final UserIdentity userIdentity = pwmRequest.getUserInfoIfLoggedIn();
    {
        // execute configured actions
        final List<ActionConfiguration> actions = deleteAccountProfile.readSettingAsAction(PwmSetting.DELETE_ACCOUNT_ACTIONS);
        if (actions != null && !actions.isEmpty()) {
            LOGGER.debug(pwmRequest, "executing configured actions to user " + userIdentity);
            final ActionExecutor actionExecutor = new ActionExecutor.ActionExecutorSettings(pwmApplication, userIdentity)
                    .setExpandPwmMacros(true)
                    .setMacroMachine(pwmRequest.getPwmSession().getSessionManager().getMacroMachine(pwmApplication))
                    .createActionExecutor();
            try {
                actionExecutor.executeActions(actions, pwmRequest.getSessionLabel());
            } catch (PwmOperationalException e) {
                LOGGER.error("error during user delete action execution: " + e.getMessage());
                throw new PwmUnrecoverableException(e.getErrorInformation(), e.getCause());
            }
        }
    }
    // send notification
    sendProfileUpdateEmailNotice(pwmRequest);
    // mark the event log
    pwmApplication.getAuditManager().submit(AuditEvent.DELETE_ACCOUNT, pwmRequest.getPwmSession().getUserInfo(), pwmRequest.getPwmSession());
    final String nextUrl = deleteAccountProfile.readSettingAsString(PwmSetting.DELETE_ACCOUNT_NEXT_URL);
    if (nextUrl != null && !nextUrl.isEmpty()) {
        final MacroMachine macroMachine = pwmRequest.getPwmSession().getSessionManager().getMacroMachine(pwmApplication);
        final String macroedUrl = macroMachine.expandMacros(nextUrl);
        LOGGER.debug(pwmRequest, "setting forward url to post-delete next url: " + macroedUrl);
        pwmRequest.getPwmSession().getSessionStateBean().setForwardURL(macroedUrl);
    }
    // perform ldap entry delete.
    if (deleteAccountProfile.readSettingAsBoolean(PwmSetting.DELETE_ACCOUNT_DELETE_USER_ENTRY)) {
        final ChaiUser chaiUser = pwmApplication.getProxiedChaiUser(pwmRequest.getUserInfoIfLoggedIn());
        try {
            chaiUser.getChaiProvider().deleteEntry(chaiUser.getEntryDN());
        } catch (ChaiException e) {
            final PwmUnrecoverableException pwmException = PwmUnrecoverableException.fromChaiException(e);
            LOGGER.error("error during user delete", pwmException);
            throw pwmException;
        }
    }
    // clear the delete bean
    pwmApplication.getSessionStateService().clearBean(pwmRequest, DeleteAccountBean.class);
    // delete finished, so logout and redirect.
    pwmRequest.getPwmSession().unauthenticateUser(pwmRequest);
    pwmRequest.sendRedirectToContinue();
    return ProcessStatus.Halt;
}

Example 33 with PwmOperationalException

Use of password.pwm.error.PwmOperationalException in project pwm by pwm-project.

The class GuestRegistrationServlet, method handleUpdateRequest.

protected void handleUpdateRequest(final PwmRequest pwmRequest, final GuestRegistrationBean guestRegistrationBean) throws ServletException, ChaiUnavailableException, IOException, PwmUnrecoverableException {
    // Fetch the session state bean.
    final PwmSession pwmSession = pwmRequest.getPwmSession();
    final LocalSessionStateBean ssBean = pwmSession.getSessionStateBean();
    final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
    final Configuration config = pwmApplication.getConfig();
    final List<FormConfiguration> formItems = pwmApplication.getConfig().readSettingAsForm(PwmSetting.GUEST_UPDATE_FORM);
    final String expirationAttribute = config.readSettingAsString(PwmSetting.GUEST_EXPIRATION_ATTRIBUTE);
    try {
        // read the values from the request
        final Map<FormConfiguration, String> formValues = FormUtility.readFormValuesFromRequest(pwmRequest, formItems, pwmRequest.getLocale());
        // see if the values meet form requirements.
        FormUtility.validateFormValues(config, formValues, ssBean.getLocale());
        // read current values from user.
        final ChaiUser theGuest = pwmSession.getSessionManager().getActor(pwmApplication, guestRegistrationBean.getUpdateUserIdentity());
        // check unique fields against ldap
        FormUtility.validateFormValueUniqueness(pwmApplication, formValues, ssBean.getLocale(), Collections.singletonList(guestRegistrationBean.getUpdateUserIdentity()));
        final Instant expirationDate = readExpirationFromRequest(pwmRequest);
        // Update user attributes
        LdapOperationsHelper.writeFormValuesToLdap(pwmApplication, pwmSession.getSessionManager().getMacroMachine(pwmApplication), theGuest, formValues, false);
        // Write expirationDate
        if (expirationDate != null) {
            theGuest.writeDateAttribute(expirationAttribute, expirationDate);
        }
        // send email.
        final UserInfo guestUserInfoBean = UserInfoFactory.newUserInfo(pwmApplication, pwmRequest.getSessionLabel(), pwmRequest.getLocale(), guestRegistrationBean.getUpdateUserIdentity(), theGuest.getChaiProvider());
        this.sendUpdateGuestEmailConfirmation(pwmRequest, guestUserInfoBean);
        pwmApplication.getStatisticsManager().incrementValue(Statistic.UPDATED_GUESTS);
        // everything good so forward to confirmation page.
        pwmRequest.getPwmResponse().forwardToSuccessPage(Message.Success_UpdateGuest);
        return;
    } catch (PwmOperationalException e) {
        LOGGER.error(pwmSession, e.getErrorInformation().toDebugStr());
        setLastError(pwmRequest, e.getErrorInformation());
    } catch (ChaiOperationException e) {
        final ErrorInformation info = new ErrorInformation(PwmError.ERROR_UNKNOWN, "unexpected error writing to ldap: " + e.getMessage());
        LOGGER.error(pwmSession, info);
        setLastError(pwmRequest, info);
    }
    this.forwardToUpdateJSP(pwmRequest, guestRegistrationBean);
}

Example 34 with PwmOperationalException

Use of password.pwm.error.PwmOperationalException in project pwm by pwm-project.

The class ChangePasswordServlet, method processFormAction.

@ActionHandler(action = "form")
ProcessStatus processFormAction(final PwmRequest pwmRequest) throws ServletException, PwmUnrecoverableException, IOException, ChaiUnavailableException {
    final ChangePasswordBean cpb = pwmRequest.getPwmApplication().getSessionStateService().getBean(pwmRequest, ChangePasswordBean.class);
    final LocalSessionStateBean ssBean = pwmRequest.getPwmSession().getSessionStateBean();
    final UserInfo userInfo = pwmRequest.getPwmSession().getUserInfo();
    final LoginInfoBean loginBean = pwmRequest.getPwmSession().getLoginInfoBean();
    final PasswordData currentPassword = pwmRequest.readParameterAsPassword("currentPassword");
    // check the current password
    if (cpb.isCurrentPasswordRequired() && loginBean.getUserCurrentPassword() != null) {
        if (currentPassword == null) {
            LOGGER.debug(pwmRequest, "failed password validation check: currentPassword value is missing");
            setLastError(pwmRequest, new ErrorInformation(PwmError.ERROR_MISSING_PARAMETER));
            return ProcessStatus.Continue;
        }
        final boolean passed;
        {
            final boolean caseSensitive = Boolean.parseBoolean(userInfo.getPasswordPolicy().getValue(PwmPasswordRule.CaseSensitive));
            final PasswordData storedPassword = loginBean.getUserCurrentPassword();
            passed = caseSensitive ? storedPassword.equals(currentPassword) : storedPassword.equalsIgnoreCase(currentPassword);
        }
        if (!passed) {
            pwmRequest.getPwmApplication().getIntruderManager().convenience().markUserIdentity(userInfo.getUserIdentity(), pwmRequest.getSessionLabel());
            LOGGER.debug(pwmRequest, "failed password validation check: currentPassword value is incorrect");
            setLastError(pwmRequest, new ErrorInformation(PwmError.ERROR_BAD_CURRENT_PASSWORD));
            return ProcessStatus.Continue;
        }
        cpb.setCurrentPasswordPassed(true);
    }
    final List<FormConfiguration> formItem = pwmRequest.getConfig().readSettingAsForm(PwmSetting.PASSWORD_REQUIRE_FORM);
    try {
        // read the values from the request
        final Map<FormConfiguration, String> formValues = FormUtility.readFormValuesFromRequest(pwmRequest, formItem, ssBean.getLocale());
        ChangePasswordServletUtil.validateParamsAgainstLDAP(formValues, pwmRequest.getPwmSession(), pwmRequest.getPwmSession().getSessionManager().getActor(pwmRequest.getPwmApplication()));
        cpb.setFormPassed(true);
    } catch (PwmOperationalException e) {
        pwmRequest.getPwmApplication().getIntruderManager().convenience().markAddressAndSession(pwmRequest.getPwmSession());
        pwmRequest.getPwmApplication().getIntruderManager().convenience().markUserIdentity(userInfo.getUserIdentity(), pwmRequest.getSessionLabel());
        LOGGER.debug(pwmRequest, e.getErrorInformation());
        setLastError(pwmRequest, e.getErrorInformation());
        return ProcessStatus.Continue;
    }
    return ProcessStatus.Continue;
}

Example 35 with PwmOperationalException

Use of password.pwm.error.PwmOperationalException in project pwm by pwm-project.

The class ForgottenUsernameServlet, method handleSearchRequest.

public void handleSearchRequest(final PwmRequest pwmRequest) throws PwmUnrecoverableException, IOException, ServletException {
    final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
    final PwmSession pwmSession = pwmRequest.getPwmSession();
    final LocalSessionStateBean ssBean = pwmSession.getSessionStateBean();
    if (CaptchaUtility.captchaEnabledForRequest(pwmRequest)) {
        if (!CaptchaUtility.verifyReCaptcha(pwmRequest)) {
            final ErrorInformation errorInfo = new ErrorInformation(PwmError.ERROR_BAD_CAPTCHA_RESPONSE);
            LOGGER.debug(pwmRequest, errorInfo);
            setLastError(pwmRequest, errorInfo);
            forwardToFormJsp(pwmRequest);
            return;
        }
    }
    final String contextParam = pwmRequest.readParameterAsString(PwmConstants.PARAM_CONTEXT);
    final String ldapProfile = pwmRequest.readParameterAsString(PwmConstants.PARAM_LDAP_PROFILE);
    final List<FormConfiguration> forgottenUsernameForm = pwmApplication.getConfig().readSettingAsForm(PwmSetting.FORGOTTEN_USERNAME_FORM);
    // read the values from the request
    Map<FormConfiguration, String> formValues = new HashMap<>();
    try {
        formValues = FormUtility.readFormValuesFromRequest(pwmRequest, forgottenUsernameForm, ssBean.getLocale());
        // check for intruder search
        pwmApplication.getIntruderManager().convenience().checkAttributes(formValues);
        // see if the values meet the configured form requirements.
        FormUtility.validateFormValues(pwmRequest.getConfig(), formValues, ssBean.getLocale());
        final String searchFilter;
        {
            final String configuredSearchFilter = pwmApplication.getConfig().readSettingAsString(PwmSetting.FORGOTTEN_USERNAME_SEARCH_FILTER);
            if (configuredSearchFilter == null || configuredSearchFilter.isEmpty()) {
                searchFilter = FormUtility.ldapSearchFilterForForm(pwmApplication, forgottenUsernameForm);
                LOGGER.trace(pwmSession, "auto generated ldap search filter: " + searchFilter);
            } else {
                searchFilter = configuredSearchFilter;
            }
        }
        final UserIdentity userIdentity;
        {
            final UserSearchEngine userSearchEngine = pwmApplication.getUserSearchEngine();
            final SearchConfiguration searchConfiguration = SearchConfiguration.builder()
                    .filter(searchFilter)
                    .formValues(formValues)
                    .ldapProfile(ldapProfile)
                    .contexts(Collections.singletonList(contextParam))
                    .build();
            userIdentity = userSearchEngine.performSingleUserSearch(searchConfiguration, pwmSession.getLabel());
        }
        if (userIdentity == null) {
            pwmApplication.getIntruderManager().convenience().markAddressAndSession(pwmSession);
            pwmApplication.getStatisticsManager().incrementValue(Statistic.FORGOTTEN_USERNAME_FAILURES);
            setLastError(pwmRequest, PwmError.ERROR_CANT_MATCH_USER.toInfo());
            forwardToFormJsp(pwmRequest);
            return;
        }
        // make sure the user isn't locked.
        pwmApplication.getIntruderManager().convenience().checkUserIdentity(userIdentity);
        final UserInfo forgottenUserInfo = UserInfoFactory.newUserInfoUsingProxy(pwmApplication, pwmRequest.getSessionLabel(), userIdentity, pwmRequest.getLocale());
        // send username
        sendUsername(pwmApplication, pwmSession, forgottenUserInfo);
        pwmApplication.getIntruderManager().convenience().clearAddressAndSession(pwmSession);
        pwmApplication.getIntruderManager().convenience().clearAttributes(formValues);
        pwmApplication.getStatisticsManager().incrementValue(Statistic.FORGOTTEN_USERNAME_SUCCESSES);
        // redirect user to success page.
        forwardToCompletePage(pwmRequest, userIdentity);
        return;
    } catch (PwmOperationalException e) {
        // an unknown error from the search is reported to the user as a generic "can't match user" error
        final ErrorInformation errorInfo = e.getError() == PwmError.ERROR_UNKNOWN
                ? new ErrorInformation(PwmError.ERROR_CANT_MATCH_USER, e.getErrorInformation().getDetailedErrorMsg(), e.getErrorInformation().getFieldValues())
                : e.getErrorInformation();
        setLastError(pwmRequest, errorInfo);
        pwmApplication.getIntruderManager().convenience().markAddressAndSession(pwmSession);
        pwmApplication.getIntruderManager().convenience().markAttributes(formValues, pwmSession);
    }
    pwmApplication.getStatisticsManager().incrementValue(Statistic.FORGOTTEN_USERNAME_FAILURES);
    forwardToFormJsp(pwmRequest);
}