Search in sources :

Example 76 with PwmUnrecoverableException

use of password.pwm.error.PwmUnrecoverableException in project pwm by pwm-project.

the class ForgottenPasswordServlet method processOAuthReturn.

@ActionHandler(action = "oauthReturn")
private ProcessStatus processOAuthReturn(final PwmRequest pwmRequest) throws IOException, ServletException, PwmUnrecoverableException, ChaiUnavailableException {
    final ForgottenPasswordBean forgottenPasswordBean = forgottenPasswordBean(pwmRequest);
    if (forgottenPasswordBean.getProgress().getInProgressVerificationMethod() != IdentityVerificationMethod.OAUTH) {
        LOGGER.debug(pwmRequest, "oauth return detected, however current session did not issue an oauth request; will restart forgotten password sequence");
        pwmRequest.getPwmApplication().getSessionStateService().clearBean(pwmRequest, ForgottenPasswordBean.class);
        pwmRequest.sendRedirect(PwmServletDefinition.ForgottenPassword);
        return ProcessStatus.Halt;
    }
    if (forgottenPasswordBean.getUserIdentity() == null) {
        LOGGER.debug(pwmRequest, "oauth return detected, however current session does not have a user identity stored; will restart forgotten password sequence");
        pwmRequest.getPwmApplication().getSessionStateService().clearBean(pwmRequest, ForgottenPasswordBean.class);
        pwmRequest.sendRedirect(PwmServletDefinition.ForgottenPassword);
        return ProcessStatus.Halt;
    }
    final String encryptedResult = pwmRequest.readParameterAsString(PwmConstants.PARAM_RECOVERY_OAUTH_RESULT, PwmHttpRequestWrapper.Flag.BypassValidation);
    final OAuthForgottenPasswordResults results = pwmRequest.getPwmApplication().getSecureService().decryptObject(encryptedResult, OAuthForgottenPasswordResults.class);
    LOGGER.trace(pwmRequest, "received ");
    final String userDNfromOAuth = results.getUsername();
    if (userDNfromOAuth == null || userDNfromOAuth.isEmpty()) {
        final String errorMsg = "oauth server coderesolver endpoint did not return a username value";
        final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_OAUTH_ERROR, errorMsg);
        throw new PwmUnrecoverableException(errorInformation);
    }
    final UserIdentity oauthUserIdentity;
    {
        final UserSearchEngine userSearchEngine = pwmRequest.getPwmApplication().getUserSearchEngine();
        try {
            oauthUserIdentity = userSearchEngine.resolveUsername(userDNfromOAuth, null, null, pwmRequest.getSessionLabel());
        } catch (PwmOperationalException e) {
            final String errorMsg = "unexpected error searching for oauth supplied username in ldap; error: " + e.getMessage();
            final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_OAUTH_ERROR, errorMsg);
            throw new PwmUnrecoverableException(errorInformation);
        }
    }
    final boolean userMatch;
    {
        final UserIdentity userIdentityInBean = forgottenPasswordBean.getUserIdentity();
        userMatch = userIdentityInBean != null && userIdentityInBean.equals(oauthUserIdentity);
    }
    if (userMatch) {
        forgottenPasswordBean.getProgress().getSatisfiedMethods().add(IdentityVerificationMethod.OAUTH);
    } else {
        final String errorMsg = "oauth server username does not match previously identified user";
        final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_OAUTH_ERROR, errorMsg);
        throw new PwmUnrecoverableException(errorInformation);
    }
    return ProcessStatus.Continue;
}
Also used : ErrorInformation(password.pwm.error.ErrorInformation) UserIdentity(password.pwm.bean.UserIdentity) UserSearchEngine(password.pwm.ldap.search.UserSearchEngine) OAuthForgottenPasswordResults(password.pwm.http.servlet.oauth.OAuthForgottenPasswordResults) PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException) ForgottenPasswordBean(password.pwm.http.bean.ForgottenPasswordBean) PwmOperationalException(password.pwm.error.PwmOperationalException)

Example 77 with PwmUnrecoverableException

use of password.pwm.error.PwmUnrecoverableException in project pwm by pwm-project.

the class ForgottenPasswordServlet method processCheckResponses.

@ActionHandler(action = "checkResponses")
private ProcessStatus processCheckResponses(final PwmRequest pwmRequest) throws ChaiUnavailableException, IOException, ServletException, PwmUnrecoverableException {
    final ForgottenPasswordBean forgottenPasswordBean = forgottenPasswordBean(pwmRequest);
    if (forgottenPasswordBean.getUserIdentity() == null) {
        return ProcessStatus.Continue;
    }
    final UserIdentity userIdentity = forgottenPasswordBean.getUserIdentity();
    final ResponseSet responseSet = ForgottenPasswordUtil.readResponseSet(pwmRequest, forgottenPasswordBean);
    if (responseSet == null) {
        final String errorMsg = "attempt to check responses, but responses are not loaded into session bean";
        final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_UNKNOWN, errorMsg);
        throw new PwmUnrecoverableException(errorInformation);
    }
    try {
        // read the supplied responses from the user
        final Map<Challenge, String> crMap = ForgottenPasswordUtil.readResponsesFromHttpRequest(pwmRequest, forgottenPasswordBean.getPresentableChallengeSet());
        final boolean responsesPassed;
        try {
            responsesPassed = responseSet.test(crMap);
        } catch (ChaiUnavailableException e) {
            if (e.getCause() instanceof PwmUnrecoverableException) {
                throw (PwmUnrecoverableException) e.getCause();
            }
            throw e;
        }
        // special case for nmas, clear out existing challenges and input fields.
        if (!responsesPassed && responseSet instanceof NMASCrOperator.NMASCRResponseSet) {
            forgottenPasswordBean.setPresentableChallengeSet(responseSet.getPresentableChallengeSet());
        }
        if (responsesPassed) {
            LOGGER.debug(pwmRequest, "user '" + userIdentity + "' has supplied correct responses");
        } else {
            final String errorMsg = "incorrect response to one or more challenges";
            final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_INCORRECT_RESPONSE, errorMsg);
            handleUserVerificationBadAttempt(pwmRequest, forgottenPasswordBean, errorInformation);
            return ProcessStatus.Continue;
        }
    } catch (ChaiValidationException e) {
        LOGGER.debug(pwmRequest, "chai validation error checking user responses: " + e.getMessage());
        final ErrorInformation errorInformation = new ErrorInformation(PwmError.forChaiError(e.getErrorCode()));
        handleUserVerificationBadAttempt(pwmRequest, forgottenPasswordBean, errorInformation);
        return ProcessStatus.Continue;
    }
    forgottenPasswordBean.getProgress().getSatisfiedMethods().add(IdentityVerificationMethod.CHALLENGE_RESPONSES);
    return ProcessStatus.Continue;
}
Also used : ChaiUnavailableException(com.novell.ldapchai.exception.ChaiUnavailableException) UserIdentity(password.pwm.bean.UserIdentity) ResponseSet(com.novell.ldapchai.cr.ResponseSet) PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException) Challenge(com.novell.ldapchai.cr.Challenge) ErrorInformation(password.pwm.error.ErrorInformation) ChaiValidationException(com.novell.ldapchai.exception.ChaiValidationException) NMASCrOperator(password.pwm.util.operations.cr.NMASCrOperator) ForgottenPasswordBean(password.pwm.http.bean.ForgottenPasswordBean)

Example 78 with PwmUnrecoverableException

use of password.pwm.error.PwmUnrecoverableException in project pwm by pwm-project.

the class GuestRegistrationServlet method handleSearchRequest.

protected void handleSearchRequest(final PwmRequest pwmRequest, final GuestRegistrationBean guestRegistrationBean) throws ServletException, ChaiUnavailableException, IOException, PwmUnrecoverableException {
    LOGGER.trace(pwmRequest, "Enter: handleSearchRequest(...)");
    final PwmSession pwmSession = pwmRequest.getPwmSession();
    final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
    final ChaiProvider chaiProvider = pwmSession.getSessionManager().getChaiProvider();
    final Configuration config = pwmApplication.getConfig();
    final String adminDnAttribute = config.readSettingAsString(PwmSetting.GUEST_ADMIN_ATTRIBUTE);
    final Boolean origAdminOnly = config.readSettingAsBoolean(PwmSetting.GUEST_EDIT_ORIG_ADMIN_ONLY);
    final String usernameParam = pwmRequest.readParameterAsString("username");
    final GuestRegistrationBean guBean = pwmApplication.getSessionStateService().getBean(pwmRequest, GuestRegistrationBean.class);
    final SearchConfiguration searchConfiguration = SearchConfiguration.builder().chaiProvider(chaiProvider).contexts(Collections.singletonList(config.readSettingAsString(PwmSetting.GUEST_CONTEXT))).enableContextValidation(false).username(usernameParam).build();
    final UserSearchEngine userSearchEngine = pwmApplication.getUserSearchEngine();
    try {
        final UserIdentity theGuest = userSearchEngine.performSingleUserSearch(searchConfiguration, pwmSession.getLabel());
        final FormMap formProps = guBean.getFormValues();
        try {
            final List<FormConfiguration> guestUpdateForm = config.readSettingAsForm(PwmSetting.GUEST_UPDATE_FORM);
            final Set<String> involvedAttrs = new HashSet<>();
            for (final FormConfiguration formItem : guestUpdateForm) {
                if (!formItem.getName().equalsIgnoreCase(HTTP_PARAM_EXPIRATION_DATE)) {
                    involvedAttrs.add(formItem.getName());
                }
            }
            final UserInfo guestUserInfo = UserInfoFactory.newUserInfo(pwmApplication, pwmSession.getLabel(), pwmRequest.getLocale(), theGuest, pwmSession.getSessionManager().getChaiProvider());
            final Map<String, String> userAttrValues = guestUserInfo.readStringAttributes(involvedAttrs);
            if (origAdminOnly && adminDnAttribute != null && adminDnAttribute.length() > 0) {
                final String origAdminDn = userAttrValues.get(adminDnAttribute);
                if (origAdminDn != null && origAdminDn.length() > 0) {
                    if (!pwmSession.getUserInfo().getUserIdentity().getUserDN().equalsIgnoreCase(origAdminDn)) {
                        final ErrorInformation info = new ErrorInformation(PwmError.ERROR_ORIG_ADMIN_ONLY);
                        setLastError(pwmRequest, info);
                        LOGGER.warn(pwmSession, info);
                        this.forwardToJSP(pwmRequest, guestRegistrationBean);
                    }
                }
            }
            final String expirationAttribute = config.readSettingAsString(PwmSetting.GUEST_EXPIRATION_ATTRIBUTE);
            if (expirationAttribute != null && expirationAttribute.length() > 0) {
                final Instant expiration = guestUserInfo.readDateAttribute(expirationAttribute);
                if (expiration != null) {
                    guBean.setUpdateUserExpirationDate(expiration);
                }
            }
            for (final FormConfiguration formItem : guestUpdateForm) {
                final String key = formItem.getName();
                final String value = userAttrValues.get(key);
                if (value != null) {
                    formProps.put(key, value);
                }
            }
            guBean.setUpdateUserIdentity(theGuest);
            this.forwardToUpdateJSP(pwmRequest, guestRegistrationBean);
            return;
        } catch (PwmUnrecoverableException e) {
            LOGGER.warn(pwmSession, "error reading current attributes for user: " + e.getMessage());
        }
    } catch (PwmOperationalException e) {
        final ErrorInformation error = e.getErrorInformation();
        setLastError(pwmRequest, error);
        this.forwardToJSP(pwmRequest, guestRegistrationBean);
        return;
    }
    this.forwardToJSP(pwmRequest, guestRegistrationBean);
}
Also used : PwmApplication(password.pwm.PwmApplication) FormConfiguration(password.pwm.config.value.data.FormConfiguration) SearchConfiguration(password.pwm.ldap.search.SearchConfiguration) ActionConfiguration(password.pwm.config.value.data.ActionConfiguration) Configuration(password.pwm.config.Configuration) UserSearchEngine(password.pwm.ldap.search.UserSearchEngine) UserIdentity(password.pwm.bean.UserIdentity) Instant(java.time.Instant) SearchConfiguration(password.pwm.ldap.search.SearchConfiguration) UserInfo(password.pwm.ldap.UserInfo) PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException) FormMap(password.pwm.util.FormMap) PwmOperationalException(password.pwm.error.PwmOperationalException) ErrorInformation(password.pwm.error.ErrorInformation) ChaiProvider(com.novell.ldapchai.provider.ChaiProvider) FormConfiguration(password.pwm.config.value.data.FormConfiguration) PwmSession(password.pwm.http.PwmSession) GuestRegistrationBean(password.pwm.http.bean.GuestRegistrationBean) HashSet(java.util.HashSet)

Example 79 with PwmUnrecoverableException

use of password.pwm.error.PwmUnrecoverableException in project pwm by pwm-project.

the class SetupResponsesServlet method preProcessCheck.

@Override
public ProcessStatus preProcessCheck(final PwmRequest pwmRequest) throws PwmUnrecoverableException, IOException, ServletException {
    final PwmSession pwmSession = pwmRequest.getPwmSession();
    final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
    final SetupResponsesBean setupResponsesBean = getSetupResponseBean(pwmRequest);
    if (!pwmSession.isAuthenticated()) {
        pwmRequest.respondWithError(PwmError.ERROR_AUTHENTICATION_REQUIRED.toInfo());
        return ProcessStatus.Halt;
    }
    if (pwmSession.getLoginInfoBean().getType() == AuthenticationType.AUTH_WITHOUT_PASSWORD) {
        throw new PwmUnrecoverableException(PwmError.ERROR_PASSWORD_REQUIRED);
    }
    if (!pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.CHALLENGE_ENABLE)) {
        throw new PwmUnrecoverableException(PwmError.ERROR_SERVICE_NOT_AVAILABLE);
    }
    // check to see if the user is permitted to setup responses
    if (!pwmSession.getSessionManager().checkPermission(pwmApplication, Permission.SETUP_RESPONSE)) {
        throw new PwmUnrecoverableException(PwmError.ERROR_UNAUTHORIZED);
    }
    // check if the locale has changed since first seen.
    if (pwmSession.getSessionStateBean().getLocale() != pwmApplication.getSessionStateService().getBean(pwmRequest, SetupResponsesBean.class).getUserLocale()) {
        pwmRequest.getPwmApplication().getSessionStateService().clearBean(pwmRequest, SetupResponsesBean.class);
        pwmApplication.getSessionStateService().getBean(pwmRequest, SetupResponsesBean.class).setUserLocale(pwmSession.getSessionStateBean().getLocale());
    }
    initializeBean(pwmRequest, setupResponsesBean);
    // check to see if the user has any challenges assigned
    final UserInfo uiBean = pwmSession.getUserInfo();
    if (setupResponsesBean.getResponseData().getChallengeSet() == null || setupResponsesBean.getResponseData().getChallengeSet().getChallenges().isEmpty()) {
        final String errorMsg = "no challenge sets configured for user " + uiBean.getUserIdentity();
        final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_NO_CHALLENGES, errorMsg);
        LOGGER.debug(pwmSession, errorInformation);
        throw new PwmUnrecoverableException(errorInformation);
    }
    return ProcessStatus.Continue;
}
Also used : ErrorInformation(password.pwm.error.ErrorInformation) PwmApplication(password.pwm.PwmApplication) SetupResponsesBean(password.pwm.http.bean.SetupResponsesBean) PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException) UserInfo(password.pwm.ldap.UserInfo) PwmSession(password.pwm.http.PwmSession)

Example 80 with PwmUnrecoverableException

use of password.pwm.error.PwmUnrecoverableException in project pwm by pwm-project.

the class AccountInformationBean method makeAuditInfo.

public static List<ActivityRecord> makeAuditInfo(final PwmApplication pwmApplication, final SessionLabel sessionLabel, final UserInfo userInfo, final Locale locale) {
    if (!pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.ACCOUNT_INFORMATION_HISTORY)) {
        return Collections.emptyList();
    }
    final List<UserAuditRecord> auditRecords = new ArrayList<>();
    try {
        auditRecords.addAll(pwmApplication.getAuditManager().readUserHistory(userInfo));
    } catch (PwmUnrecoverableException e) {
        LOGGER.debug(sessionLabel, "error reading audit data for user: " + e.getMessage());
    }
    final List<ActivityRecord> returnData = new ArrayList<>();
    for (final UserAuditRecord userAuditRecord : auditRecords) {
        returnData.add(new ActivityRecord(userAuditRecord.getTimestamp(), userAuditRecord.getEventCode().getLocalizedString(pwmApplication.getConfig(), locale)));
    }
    return Collections.unmodifiableList(returnData);
}
Also used : UserAuditRecord(password.pwm.svc.event.UserAuditRecord) ArrayList(java.util.ArrayList) PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException)

Aggregations

PwmUnrecoverableException (password.pwm.error.PwmUnrecoverableException)282 ErrorInformation (password.pwm.error.ErrorInformation)201 PwmOperationalException (password.pwm.error.PwmOperationalException)85 ChaiUnavailableException (com.novell.ldapchai.exception.ChaiUnavailableException)75 IOException (java.io.IOException)72 PwmException (password.pwm.error.PwmException)69 PwmApplication (password.pwm.PwmApplication)48 UserIdentity (password.pwm.bean.UserIdentity)48 Configuration (password.pwm.config.Configuration)43 ServletException (javax.servlet.ServletException)38 LinkedHashMap (java.util.LinkedHashMap)37 Instant (java.time.Instant)35 ArrayList (java.util.ArrayList)31 PwmSession (password.pwm.http.PwmSession)30 Map (java.util.Map)28 ChaiUser (com.novell.ldapchai.ChaiUser)26 ChaiOperationException (com.novell.ldapchai.exception.ChaiOperationException)25 FormConfiguration (password.pwm.config.value.data.FormConfiguration)24 HashMap (java.util.HashMap)23 ChaiException (com.novell.ldapchai.exception.ChaiException)22