Example 36 with PwmUnrecoverableException

Use of password.pwm.error.PwmUnrecoverableException in project pwm by pwm-project.

Class UserInfoReader, method isRequiresUpdateProfile.

@Override
public boolean isRequiresUpdateProfile() throws PwmUnrecoverableException {
    final Configuration configuration = pwmApplication.getConfig();
    if (!pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.UPDATE_PROFILE_ENABLE)) {
        LOGGER.debug(sessionLabel, "checkProfiles: " + userIdentity.toString() + " profile module is not enabled");
        return false;
    }
    UpdateProfileProfile updateProfileProfile = null;
    final Map<ProfileType, String> profileIDs = selfCachedReference.getProfileIDs();
    if (profileIDs.containsKey(ProfileType.UpdateAttributes)) {
        updateProfileProfile = configuration.getUpdateAttributesProfile().get(profileIDs.get(ProfileType.UpdateAttributes));
    }
    if (updateProfileProfile == null) {
        return false;
    }
    if (!updateProfileProfile.readSettingAsBoolean(PwmSetting.UPDATE_PROFILE_FORCE_SETUP)) {
        LOGGER.debug(sessionLabel, "checkProfiles: " + userIdentity.toString() + " profile force setup is not enabled");
        return false;
    }
    final List<FormConfiguration> updateFormFields = updateProfileProfile.readSettingAsForm(PwmSetting.UPDATE_PROFILE_FORM);
    try {
        final Map<FormConfiguration, List<String>> valueMap = FormUtility.populateFormMapFromLdap(updateFormFields, sessionLabel, selfCachedReference, FormUtility.Flag.ReturnEmptyValues);
        final Map<FormConfiguration, String> singleValueMap = FormUtility.multiValueMapToSingleValue(valueMap);
        FormUtility.validateFormValues(configuration, singleValueMap, locale);
        LOGGER.debug(sessionLabel, "checkProfile: " + userIdentity + " has value for attributes, update profile will not be required");
        return false;
    } catch (PwmDataValidationException e) {
        LOGGER.debug(sessionLabel, "checkProfile: " + userIdentity + " does not have good attributes (" + e.getMessage() + "), update profile will be required");
        return true;
    } catch (PwmUnrecoverableException e) {
        e.printStackTrace();
    }
    return false;
}
Also used: PwmDataValidationException (password.pwm.error.PwmDataValidationException), ProfileType (password.pwm.config.profile.ProfileType), FormConfiguration (password.pwm.config.value.data.FormConfiguration), Configuration (password.pwm.config.Configuration), UpdateProfileProfile (password.pwm.config.profile.UpdateProfileProfile), List (java.util.List), PwmUnrecoverableException (password.pwm.error.PwmUnrecoverableException)

Example 37 with PwmUnrecoverableException

Use of password.pwm.error.PwmUnrecoverableException in project pwm by pwm-project.

Class UserInfoReader, method getPasswordStatus.

@Override
public PasswordStatus getPasswordStatus() throws PwmUnrecoverableException {
    final Configuration config = pwmApplication.getConfig();
    final PasswordStatus.PasswordStatusBuilder passwordStatusBuilder = PasswordStatus.builder();
    final String userDN = chaiUser.getEntryDN();
    final PwmPasswordPolicy passwordPolicy = selfCachedReference.getPasswordPolicy();
    final long startTime = System.currentTimeMillis();
    LOGGER.trace(sessionLabel, "beginning password status check process for " + userDN);
    // check if password meets existing policy.
    if (passwordPolicy.getRuleHelper().readBooleanValue(PwmPasswordRule.EnforceAtLogin)) {
        if (currentPassword != null) {
            try {
                final PwmPasswordRuleValidator passwordRuleValidator = new PwmPasswordRuleValidator(pwmApplication, passwordPolicy);
                passwordRuleValidator.testPassword(currentPassword, null, selfCachedReference, chaiUser);
            } catch (PwmDataValidationException | PwmUnrecoverableException e) {
                LOGGER.debug(sessionLabel, "user " + userDN + " password does not conform to current password policy (" + e.getMessage() + "), marking as requiring change.");
                passwordStatusBuilder.violatesPolicy(true);
            } catch (ChaiUnavailableException e) {
                throw PwmUnrecoverableException.fromChaiException(e);
            }
        }
    }
    boolean ldapPasswordExpired = false;
    try {
        ldapPasswordExpired = chaiUser.isPasswordExpired();
        if (ldapPasswordExpired) {
            LOGGER.trace(sessionLabel, "password for " + userDN + " appears to be expired");
        } else {
            LOGGER.trace(sessionLabel, "password for " + userDN + " does not appear to be expired");
        }
    } catch (ChaiOperationException e) {
        LOGGER.info(sessionLabel, "error reading LDAP attributes for " + userDN + " while reading isPasswordExpired(): " + e.getMessage());
    } catch (ChaiUnavailableException e) {
        throw PwmUnrecoverableException.fromChaiException(e);
    }
    final Instant ldapPasswordExpirationTime = selfCachedReference.getPasswordExpirationTime();
    boolean preExpired = false;
    if (ldapPasswordExpirationTime != null) {
        final TimeDuration expirationInterval = TimeDuration.fromCurrent(ldapPasswordExpirationTime);
        LOGGER.trace(sessionLabel, "read password expiration time: " + JavaHelper.toIsoDate(ldapPasswordExpirationTime) + ", " + expirationInterval.asCompactString() + " from now");
        final TimeDuration diff = TimeDuration.fromCurrent(ldapPasswordExpirationTime);
        // now check to see if the user's expire time is within the 'preExpireTime' setting.
        final long preExpireMs = config.readSettingAsLong(PwmSetting.PASSWORD_EXPIRE_PRE_TIME) * 1000;
        if (diff.getTotalMilliseconds() > 0 && diff.getTotalMilliseconds() < preExpireMs) {
            LOGGER.debug(sessionLabel, "user " + userDN + " password will expire within " + diff.asCompactString() + ", marking as pre-expired");
            preExpired = true;
        } else if (ldapPasswordExpired) {
            preExpired = true;
            LOGGER.debug(sessionLabel, "user " + userDN + " password is expired, marking as pre-expired.");
        }
        // now check to see if the user's expire time is within the 'preWarnTime' setting.
        final long preWarnMs = config.readSettingAsLong(PwmSetting.PASSWORD_EXPIRE_WARN_TIME) * 1000;
        // don't check if the 'preWarnTime' setting is zero or less than the expirePreTime
        if (!ldapPasswordExpired && !preExpired) {
            if (!(preWarnMs == 0 || preWarnMs < preExpireMs)) {
                if (diff.getTotalMilliseconds() > 0 && diff.getTotalMilliseconds() < preWarnMs) {
                    LOGGER.debug(sessionLabel, "user " + userDN + " password will expire within " + diff.asCompactString() + ", marking as within warn period");
                    passwordStatusBuilder.warnPeriod(true);
                }
            }
        }
        passwordStatusBuilder.preExpired(preExpired);
    }
    LOGGER.debug(sessionLabel, "completed user password status check for " + userDN + " " + passwordStatusBuilder + " (" + TimeDuration.fromCurrent(startTime).asCompactString() + ")");
    passwordStatusBuilder.expired(ldapPasswordExpired);
    return passwordStatusBuilder.build();
}
Also used: ChaiUnavailableException (com.novell.ldapchai.exception.ChaiUnavailableException), FormConfiguration (password.pwm.config.value.data.FormConfiguration), Configuration (password.pwm.config.Configuration), Instant (java.time.Instant), PwmUnrecoverableException (password.pwm.error.PwmUnrecoverableException), PwmPasswordRuleValidator (password.pwm.util.PwmPasswordRuleValidator), PwmDataValidationException (password.pwm.error.PwmDataValidationException), PwmPasswordPolicy (password.pwm.config.profile.PwmPasswordPolicy), PasswordStatus (password.pwm.bean.PasswordStatus), TimeDuration (password.pwm.util.java.TimeDuration), ChaiOperationException (com.novell.ldapchai.exception.ChaiOperationException)

Example 38 with PwmUnrecoverableException

Use of password.pwm.error.PwmUnrecoverableException in project pwm by pwm-project.

Class ActionExecutor, method executeLdapAction.

private void executeLdapAction(final SessionLabel sessionLabel, final ActionConfiguration actionConfiguration) throws ChaiUnavailableException, PwmOperationalException, PwmUnrecoverableException {
    String attributeName = actionConfiguration.getAttributeName();
    String attributeValue = actionConfiguration.getAttributeValue();
    final ChaiUser theUser;
    if (settings.getChaiUser() != null) {
        theUser = settings.getChaiUser();
    } else {
        if (settings.getUserIdentity() == null) {
            final String errorMsg = "attempt to execute lap action but neither chaiUser or userIdentity is specified";
            final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_UNKNOWN, errorMsg);
            throw new PwmUnrecoverableException(errorInformation);
        }
        theUser = pwmApplication.getProxiedChaiUser(settings.getUserIdentity());
    }
    if (settings.isExpandPwmMacros()) {
        if (settings.getMacroMachine() == null) {
            throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_UNKNOWN, "executor specified macro expansion but did not supply macro machine"));
        }
        final MacroMachine macroMachine = settings.getMacroMachine();
        attributeName = macroMachine.expandMacros(attributeName);
        attributeValue = macroMachine.expandMacros(attributeValue);
    }
    writeLdapAttribute(sessionLabel, theUser, attributeName, attributeValue, actionConfiguration.getLdapMethod(), settings.getMacroMachine());
}
Also used: ErrorInformation (password.pwm.error.ErrorInformation), ChaiUser (com.novell.ldapchai.ChaiUser), MacroMachine (password.pwm.util.macro.MacroMachine), PwmUnrecoverableException (password.pwm.error.PwmUnrecoverableException)

Example 39 with PwmUnrecoverableException

Use of password.pwm.error.PwmUnrecoverableException in project pwm by pwm-project.

Class CrService, method checkIfResponseConfigNeeded.

public boolean checkIfResponseConfigNeeded(final PwmApplication pwmApplication, final SessionLabel pwmSession, final UserIdentity userIdentity, final ChallengeSet challengeSet, final ResponseInfoBean responseInfoBean) throws ChaiUnavailableException, PwmUnrecoverableException {
    LOGGER.trace(pwmSession, "beginning check to determine if responses need to be configured for user");
    final Configuration config = pwmApplication.getConfig();
    if (!config.readSettingAsBoolean(PwmSetting.CHALLENGE_ENABLE)) {
        LOGGER.debug(pwmSession, "checkIfResponseConfigNeeded: response setup is disabled, so user is not required to setup responses");
        return false;
    }
    if (!config.readSettingAsBoolean(PwmSetting.CHALLENGE_FORCE_SETUP)) {
        LOGGER.debug(pwmSession, "checkIfResponseConfigNeeded: force response setup is disabled, so user is not required to setup responses");
        return false;
    }
    if (!LdapPermissionTester.testUserPermissions(pwmApplication, pwmSession, userIdentity, config.readSettingAsUserPermission(PwmSetting.QUERY_MATCH_SETUP_RESPONSE))) {
        LOGGER.debug(pwmSession, "checkIfResponseConfigNeeded: " + userIdentity + " does not have permission to setup responses");
        return false;
    }
    if (!LdapPermissionTester.testUserPermissions(pwmApplication, pwmSession, userIdentity, config.readSettingAsUserPermission(PwmSetting.QUERY_MATCH_CHECK_RESPONSES))) {
        LOGGER.debug(pwmSession, "checkIfResponseConfigNeeded: " + userIdentity + " is not eligible for checkIfResponseConfigNeeded due to query match");
        return false;
    }
    // check to be sure there are actually challenges in the challenge set
    if (challengeSet == null || challengeSet.getChallenges().isEmpty()) {
        LOGGER.debug(pwmSession, "checkIfResponseConfigNeeded: no challenge sets configured for user " + userIdentity);
        return false;
    }
    // ignore NMAS based CR set if so configured
    if (responseInfoBean != null && (responseInfoBean.getDataStorageMethod() == DataStorageMethod.NMAS)) {
        final boolean ignoreNmasCr = Boolean.parseBoolean(pwmApplication.getConfig().readAppProperty(AppProperty.NMAS_IGNORE_NMASCR_DURING_FORCECHECK));
        if (ignoreNmasCr) {
            LOGGER.debug(pwmSession, "checkIfResponseConfigNeeded: app property " + AppProperty.NMAS_IGNORE_NMASCR_DURING_FORCECHECK.getKey() + "=true and user's responses are in " + responseInfoBean.getDataStorageMethod() + " format, so forcing setup of new responses.");
            return true;
        }
    }
    try {
        // check if responses exist
        if (responseInfoBean == null) {
            throw new Exception("no responses configured");
        }
        // check if responses meet the challenge set policy for the user
        // usersResponses.meetsChallengeSetRequirements(challengeSet);
        LOGGER.debug(pwmSession, "checkIfResponseConfigNeeded: " + userIdentity + " has good responses");
        return false;
    } catch (Exception e) {
        LOGGER.debug(pwmSession, "checkIfResponseConfigNeeded: " + userIdentity + " does not have good responses: " + e.getMessage());
        return true;
    }
}
Also used: Configuration (password.pwm.config.Configuration), PwmUnrecoverableException (password.pwm.error.PwmUnrecoverableException), PwmDataValidationException (password.pwm.error.PwmDataValidationException), ChaiValidationException (com.novell.ldapchai.exception.ChaiValidationException), ChaiException (com.novell.ldapchai.exception.ChaiException), PwmOperationalException (password.pwm.error.PwmOperationalException), ChaiUnavailableException (com.novell.ldapchai.exception.ChaiUnavailableException), PwmException (password.pwm.error.PwmException)

Example 40 with PwmUnrecoverableException

Use of password.pwm.error.PwmUnrecoverableException in project pwm by pwm-project.

Class CrService, method determineChallengeProfileForUser.

protected static String determineChallengeProfileForUser(final PwmApplication pwmApplication, final SessionLabel sessionLabel, final UserIdentity userIdentity, final Locale locale) throws PwmUnrecoverableException {
    final List<String> profiles = pwmApplication.getConfig().getChallengeProfileIDs();
    if (profiles.isEmpty()) {
        throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_NO_PROFILE_ASSIGNED, "no challenge profile is configured"));
    }
    for (final String profile : profiles) {
        final ChallengeProfile loopPolicy = pwmApplication.getConfig().getChallengeProfile(profile, locale);
        final List<UserPermission> queryMatch = loopPolicy.getUserPermissions();
        if (queryMatch != null && !queryMatch.isEmpty()) {
            LOGGER.debug(sessionLabel, "testing challenge profiles '" + profile + "'");
            try {
                final boolean match = LdapPermissionTester.testUserPermissions(pwmApplication, sessionLabel, userIdentity, queryMatch);
                if (match) {
                    return profile;
                }
            } catch (PwmUnrecoverableException e) {
                LOGGER.error(sessionLabel, "unexpected error while testing password policy profile '" + profile + "', error: " + e.getMessage());
            }
        }
    }
    throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_NO_PROFILE_ASSIGNED, "no challenge profile is assigned"));
}
Also used: ErrorInformation (password.pwm.error.ErrorInformation), ChallengeProfile (password.pwm.config.profile.ChallengeProfile), PwmUnrecoverableException (password.pwm.error.PwmUnrecoverableException), UserPermission (password.pwm.config.value.data.UserPermission)
