use of password.pwm.error.PwmUnrecoverableException in project pwm by pwm-project.
the class UserInfoReader method isRequiresUpdateProfile.
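/**
 * Determines whether the user must be sent through the update-profile module.
 *
 * <p>Returns {@code false} when the module is disabled, when no update-profile
 * profile is resolved for the user, or when forced setup is off for that profile.
 * Otherwise the profile's form fields are populated from LDAP and validated;
 * a validation failure means the profile has to be updated.</p>
 *
 * @return {@code true} only when the stored attribute values fail form validation
 * @throws PwmUnrecoverableException declared by the overridden method; failures raised
 *         while reading or validating the form values are logged here and not rethrown
 */
@Override
public boolean isRequiresUpdateProfile() throws PwmUnrecoverableException {
    final Configuration configuration = pwmApplication.getConfig();

    if (!configuration.readSettingAsBoolean(PwmSetting.UPDATE_PROFILE_ENABLE)) {
        LOGGER.debug(sessionLabel, "checkProfiles: " + userIdentity.toString() + " profile module is not enabled");
        return false;
    }

    // Resolve the update-profile profile assigned to this user, if any.
    final Map<ProfileType, String> profileIDs = selfCachedReference.getProfileIDs();
    final UpdateProfileProfile updateProfileProfile = profileIDs.containsKey(ProfileType.UpdateAttributes)
            ? configuration.getUpdateAttributesProfile().get(profileIDs.get(ProfileType.UpdateAttributes))
            : null;
    if (updateProfileProfile == null) {
        return false;
    }

    if (!updateProfileProfile.readSettingAsBoolean(PwmSetting.UPDATE_PROFILE_FORCE_SETUP)) {
        LOGGER.debug(sessionLabel, "checkProfiles: " + userIdentity.toString() + " profile force setup is not enabled");
        return false;
    }

    final List<FormConfiguration> updateFormFields = updateProfileProfile.readSettingAsForm(PwmSetting.UPDATE_PROFILE_FORM);
    try {
        final Map<FormConfiguration, List<String>> valueMap = FormUtility.populateFormMapFromLdap(updateFormFields, sessionLabel, selfCachedReference, FormUtility.Flag.ReturnEmptyValues);
        final Map<FormConfiguration, String> singleValueMap = FormUtility.multiValueMapToSingleValue(valueMap);
        FormUtility.validateFormValues(configuration, singleValueMap, locale);
        LOGGER.debug(sessionLabel, "checkProfile: " + userIdentity + " has value for attributes, update profile will not be required");
        return false;
    } catch (PwmDataValidationException e) {
        LOGGER.debug(sessionLabel, "checkProfile: " + userIdentity + " does not have good attributes (" + e.getMessage() + "), update profile will be required");
        return true;
    } catch (PwmUnrecoverableException e) {
        // Report through the application logger (with the session label) instead of
        // printStackTrace(), so the failure lands in the same audited log stream as
        // the other outcomes of this check.
        // NOTE(review): the original fail-open result is kept -- an error while reading
        // the attributes means the forced update is skipped. Confirm that is the
        // intended policy, or rethrow since the method already declares the exception.
        LOGGER.error(sessionLabel, "checkProfile: unable to evaluate update profile requirement for " + userIdentity + ": " + e.getMessage());
        return false;
    }
}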
use of password.pwm.error.PwmUnrecoverableException in project pwm by pwm-project.
the class UserInfoReader method getPasswordStatus.
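/**
 * Builds the password status for the user: policy violation, expired,
 * pre-expired and warn-period flags.
 *
 * <p>The policy check only runs when the policy enables {@code EnforceAtLogin}
 * and the current password is available. Expiration flags are derived from the
 * directory's expired indicator and, when present, the password expiration time
 * compared against the configured pre-expire and warn intervals (seconds).</p>
 *
 * @return the assembled {@link PasswordStatus}
 * @throws PwmUnrecoverableException when the directory is unavailable
 */
@Override
public PasswordStatus getPasswordStatus() throws PwmUnrecoverableException {
    final Configuration config = pwmApplication.getConfig();
    final PasswordStatus.PasswordStatusBuilder passwordStatusBuilder = PasswordStatus.builder();
    final String userDN = chaiUser.getEntryDN();
    final PwmPasswordPolicy passwordPolicy = selfCachedReference.getPasswordPolicy();
    final long startTime = System.currentTimeMillis();
    LOGGER.trace(sessionLabel, "beginning password status check process for " + userDN);

    // check if password meets existing policy.
    if (passwordPolicy.getRuleHelper().readBooleanValue(PwmPasswordRule.EnforceAtLogin) && currentPassword != null) {
        try {
            final PwmPasswordRuleValidator passwordRuleValidator = new PwmPasswordRuleValidator(pwmApplication, passwordPolicy);
            passwordRuleValidator.testPassword(currentPassword, null, selfCachedReference, chaiUser);
        } catch (PwmDataValidationException | PwmUnrecoverableException e) {
            // Any failure to validate, including an unrecoverable error, marks the
            // password as violating policy (the check fails closed).
            LOGGER.debug(sessionLabel, "user " + userDN + " password does not conform to current password policy (" + e.getMessage() + "), marking as requiring change.");
            passwordStatusBuilder.violatesPolicy(true);
        } catch (ChaiUnavailableException e) {
            throw PwmUnrecoverableException.fromChaiException(e);
        }
    }

    boolean ldapPasswordExpired = false;
    try {
        ldapPasswordExpired = chaiUser.isPasswordExpired();
        if (ldapPasswordExpired) {
            LOGGER.trace(sessionLabel, "password for " + userDN + " appears to be expired");
        } else {
            LOGGER.trace(sessionLabel, "password for " + userDN + " does not appear to be expired");
        }
    } catch (ChaiOperationException e) {
        // An operation error leaves the flag at false; only the log records the failure.
        LOGGER.info(sessionLabel, "error reading LDAP attributes for " + userDN + " while reading isPasswordExpired(): " + e.getMessage());
    } catch (ChaiUnavailableException e) {
        throw PwmUnrecoverableException.fromChaiException(e);
    }

    final Instant ldapPasswordExpirationTime = selfCachedReference.getPasswordExpirationTime();
    if (ldapPasswordExpirationTime != null) {
        // Computed once so the logged interval and the compared interval are the same value.
        final TimeDuration diff = TimeDuration.fromCurrent(ldapPasswordExpirationTime);
        final long diffMs = diff.getTotalMilliseconds();
        LOGGER.trace(sessionLabel, "read password expiration time: " + JavaHelper.toIsoDate(ldapPasswordExpirationTime) + ", " + diff.asCompactString() + " from now");

        // now check to see if the user's expire time is within the 'preExpireTime' setting.
        final long preExpireMs = config.readSettingAsLong(PwmSetting.PASSWORD_EXPIRE_PRE_TIME) * 1000;
        boolean preExpired = false;
        if (diffMs > 0 && diffMs < preExpireMs) {
            LOGGER.debug(sessionLabel, "user " + userDN + " password will expire within " + diff.asCompactString() + ", marking as pre-expired");
            preExpired = true;
        } else if (ldapPasswordExpired) {
            preExpired = true;
            LOGGER.debug(sessionLabel, "user " + userDN + " password is expired, marking as pre-expired.");
        }

        // now check to see if the user's expire time is within the 'preWarnTime' setting.
        // don't check if the 'preWarnTime' setting is zero or less than the expirePreTime
        final long preWarnMs = config.readSettingAsLong(PwmSetting.PASSWORD_EXPIRE_WARN_TIME) * 1000;
        final boolean warnCheckEnabled = preWarnMs != 0 && preWarnMs >= preExpireMs;
        if (!ldapPasswordExpired && !preExpired && warnCheckEnabled && diffMs > 0 && diffMs < preWarnMs) {
            LOGGER.debug(sessionLabel, "user " + userDN + " password will expire within " + diff.asCompactString() + ", marking as within warn period");
            passwordStatusBuilder.warnPeriod(true);
        }

        passwordStatusBuilder.preExpired(preExpired);
    }

    // Set the expired flag before logging so the logged builder state is the final one.
    passwordStatusBuilder.expired(ldapPasswordExpired);
    LOGGER.debug(sessionLabel, "completed user password status check for " + userDN + " " + passwordStatusBuilder + " (" + TimeDuration.fromCurrent(startTime).asCompactString() + ")");
    return passwordStatusBuilder.build();
}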
use of password.pwm.error.PwmUnrecoverableException in project pwm by pwm-project.
the class ActionExecutor method executeLdapAction.
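/**
 * Applies one configured LDAP attribute action to the target user.
 *
 * <p>The target is the {@code ChaiUser} supplied in the executor settings, or,
 * when none is supplied, the user obtained via
 * {@code pwmApplication.getProxiedChaiUser} for the configured identity. When
 * macro expansion is enabled, both the attribute name and the attribute value
 * are expanded before the write.</p>
 *
 * @param sessionLabel label passed through to the write operation
 * @param actionConfiguration supplies the attribute name, value and LDAP method
 * @throws ChaiUnavailableException declared; raised by the directory layer
 * @throws PwmOperationalException declared; raised by the write operation
 * @throws PwmUnrecoverableException when no target user can be determined, or
 *         macro expansion is requested without a macro machine
 */
private void executeLdapAction(final SessionLabel sessionLabel, final ActionConfiguration actionConfiguration) throws ChaiUnavailableException, PwmOperationalException, PwmUnrecoverableException {
    String attributeName = actionConfiguration.getAttributeName();
    String attributeValue = actionConfiguration.getAttributeValue();

    final ChaiUser theUser;
    if (settings.getChaiUser() != null) {
        theUser = settings.getChaiUser();
    } else if (settings.getUserIdentity() == null) {
        // Message corrected: the original text read "lap action".
        final String errorMsg = "attempt to execute ldap action but neither chaiUser nor userIdentity is specified";
        throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_UNKNOWN, errorMsg));
    } else {
        theUser = pwmApplication.getProxiedChaiUser(settings.getUserIdentity());
    }

    if (settings.isExpandPwmMacros()) {
        final MacroMachine macroMachine = settings.getMacroMachine();
        if (macroMachine == null) {
            throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_UNKNOWN, "executor specified macro expansion but did not supply macro machine"));
        }
        // NOTE(review): the expanded text is handed to the directory write unchanged;
        // confirm that macro inputs cannot steer the attribute name to an unintended attribute.
        attributeName = macroMachine.expandMacros(attributeName);
        attributeValue = macroMachine.expandMacros(attributeValue);
    }

    writeLdapAttribute(sessionLabel, theUser, attributeName, attributeValue, actionConfiguration.getLdapMethod(), settings.getMacroMachine());
}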
use of password.pwm.error.PwmUnrecoverableException in project pwm by pwm-project.
the class CrService method checkIfResponseConfigNeeded.
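/**
 * Decides whether the user must be forced to set up challenge responses.
 *
 * <p>Returns {@code false} when challenge setup or forced setup is disabled,
 * when the user fails either permission query, or when the challenge set is
 * missing or empty. Returns {@code true} when NMAS-stored responses are
 * configured to be ignored, or when the user has no stored responses.</p>
 *
 * @param pwmApplication application context supplying the configuration
 * @param pwmSession session label used for logging and permission tests
 * @param userIdentity the user being evaluated
 * @param challengeSet the user's challenge set; may be {@code null}
 * @param responseInfoBean the user's stored response info; may be {@code null}
 * @return {@code true} when the user needs to configure responses
 * @throws ChaiUnavailableException declared; raised by the directory layer
 * @throws PwmUnrecoverableException declared; raised by the permission tests
 */
public boolean checkIfResponseConfigNeeded(final PwmApplication pwmApplication, final SessionLabel pwmSession, final UserIdentity userIdentity, final ChallengeSet challengeSet, final ResponseInfoBean responseInfoBean) throws ChaiUnavailableException, PwmUnrecoverableException {
    LOGGER.trace(pwmSession, "beginning check to determine if responses need to be configured for user");

    final Configuration config = pwmApplication.getConfig();

    if (!config.readSettingAsBoolean(PwmSetting.CHALLENGE_ENABLE)) {
        LOGGER.debug(pwmSession, "checkIfResponseConfigNeeded: response setup is disabled, so user is not required to setup responses");
        return false;
    }

    if (!config.readSettingAsBoolean(PwmSetting.CHALLENGE_FORCE_SETUP)) {
        LOGGER.debug(pwmSession, "checkIfResponseConfigNeeded: force response setup is disabled, so user is not required to setup responses");
        return false;
    }

    if (!LdapPermissionTester.testUserPermissions(pwmApplication, pwmSession, userIdentity, config.readSettingAsUserPermission(PwmSetting.QUERY_MATCH_SETUP_RESPONSE))) {
        LOGGER.debug(pwmSession, "checkIfResponseConfigNeeded: " + userIdentity + " does not have permission to setup responses");
        return false;
    }

    if (!LdapPermissionTester.testUserPermissions(pwmApplication, pwmSession, userIdentity, config.readSettingAsUserPermission(PwmSetting.QUERY_MATCH_CHECK_RESPONSES))) {
        LOGGER.debug(pwmSession, "checkIfResponseConfigNeeded: " + userIdentity + " is not eligible for checkIfResponseConfigNeeded due to query match");
        return false;
    }

    // check to be sure there are actually challenges in the challenge set
    if (challengeSet == null || challengeSet.getChallenges().isEmpty()) {
        LOGGER.debug(pwmSession, "checkIfResponseConfigNeeded: no challenge sets configured for user " + userIdentity);
        return false;
    }

    // ignore NMAS based CR set if so configured
    if (responseInfoBean != null && responseInfoBean.getDataStorageMethod() == DataStorageMethod.NMAS) {
        final boolean ignoreNmasCr = Boolean.parseBoolean(config.readAppProperty(AppProperty.NMAS_IGNORE_NMASCR_DURING_FORCECHECK));
        if (ignoreNmasCr) {
            LOGGER.debug(pwmSession, "checkIfResponseConfigNeeded: app property " + AppProperty.NMAS_IGNORE_NMASCR_DURING_FORCECHECK.getKey() + "=true and user's responses are in " + responseInfoBean.getDataStorageMethod() + " format, so forcing setup of new responses.");
            return true;
        }
    }

    // check if responses exist; a plain branch replaces the original
    // throw-and-catch of a generic Exception and emits the same log text.
    if (responseInfoBean == null) {
        LOGGER.debug(pwmSession, "checkIfResponseConfigNeeded: " + userIdentity + " does not have good responses: no responses configured");
        return true;
    }

    // NOTE(review): the check that stored responses meet the challenge set policy
    // (usersResponses.meetsChallengeSetRequirements(challengeSet)) is commented out in
    // this version, so the mere presence of stored responses is treated as sufficient.
    // Responses saved under an older or weaker challenge set are not re-evaluated here.
    LOGGER.debug(pwmSession, "checkIfResponseConfigNeeded: " + userIdentity + " has good responses");
    return false;
}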
use of password.pwm.error.PwmUnrecoverableException in project pwm by pwm-project.
the class CrService method determineChallengeProfileForUser.
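/**
 * Selects the challenge profile ID that applies to the user.
 *
 * <p>Profiles are tested in the order returned by the configuration; the first
 * one whose user permissions match the user is returned. Profiles with no user
 * permissions configured are skipped.</p>
 *
 * @param pwmApplication application context supplying the configuration
 * @param sessionLabel label used for logging and permission tests
 * @param userIdentity the user being evaluated
 * @param locale locale used when loading each challenge profile
 * @return the ID of the first matching challenge profile
 * @throws PwmUnrecoverableException with {@code ERROR_NO_PROFILE_ASSIGNED} when no
 *         profile is configured or none matches
 */
protected static String determineChallengeProfileForUser(final PwmApplication pwmApplication, final SessionLabel sessionLabel, final UserIdentity userIdentity, final Locale locale) throws PwmUnrecoverableException {
    final List<String> profiles = pwmApplication.getConfig().getChallengeProfileIDs();
    if (profiles.isEmpty()) {
        throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_NO_PROFILE_ASSIGNED, "no challenge profile is configured"));
    }

    for (final String profile : profiles) {
        final ChallengeProfile loopPolicy = pwmApplication.getConfig().getChallengeProfile(profile, locale);
        final List<UserPermission> queryMatch = loopPolicy.getUserPermissions();
        if (queryMatch == null || queryMatch.isEmpty()) {
            continue;
        }

        LOGGER.debug(sessionLabel, "testing challenge profiles '" + profile + "'");
        try {
            if (LdapPermissionTester.testUserPermissions(pwmApplication, sessionLabel, userIdentity, queryMatch)) {
                return profile;
            }
        } catch (PwmUnrecoverableException e) {
            // Message corrected: the original text named a "password policy profile".
            // NOTE(review): a failed permission test is only logged and the next profile
            // is tried, so a directory error can lead to a later profile being selected
            // for the user. Confirm this fallback is acceptable for challenge policy.
            LOGGER.error(sessionLabel, "unexpected error while testing challenge profile '" + profile + "', error: " + e.getMessage());
        }
    }

    throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_NO_PROFILE_ASSIGNED, "no challenge profile is assigned"));
}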