Search in sources :

Example 6 with ForgottenPasswordBean

use of password.pwm.http.bean.ForgottenPasswordBean in project pwm by pwm-project.

the class ForgottenPasswordServlet method processCheckAttributes.

@ActionHandler(action = "checkAttributes")
private ProcessStatus processCheckAttributes(final PwmRequest pwmRequest) throws ChaiUnavailableException, IOException, ServletException, PwmUnrecoverableException {
    // final SessionStateBean ssBean = pwmRequest.getPwmSession().getSessionStateBean();
    final ForgottenPasswordBean forgottenPasswordBean = forgottenPasswordBean(pwmRequest);
    if (forgottenPasswordBean.isBogusUser()) {
        final FormConfiguration formConfiguration = forgottenPasswordBean.getAttributeForm().iterator().next();
        // add a bit of jitter to pretend like we're checking a data source
        JavaHelper.pause(300 + PwmRandom.getInstance().nextInt(700));
        if (forgottenPasswordBean.getUserSearchValues() != null) {
            final List<FormConfiguration> formConfigurations = pwmRequest.getConfig().readSettingAsForm(PwmSetting.FORGOTTEN_PASSWORD_SEARCH_FORM);
            final Map<FormConfiguration, String> formMap = FormUtility.asFormConfigurationMap(formConfigurations, forgottenPasswordBean.getUserSearchValues());
            pwmRequest.getPwmApplication().getIntruderManager().convenience().markAttributes(formMap, pwmRequest.getPwmSession());
        }
        final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_INCORRECT_RESPONSE, "incorrect value for attribute '" + formConfiguration.getName() + "'", new String[] { formConfiguration.getLabel(pwmRequest.getLocale()) });
        forgottenPasswordBean.getProgress().setInProgressVerificationMethod(IdentityVerificationMethod.ATTRIBUTES);
        setLastError(pwmRequest, errorInformation);
        return ProcessStatus.Continue;
    }
    if (forgottenPasswordBean.getUserIdentity() == null) {
        return ProcessStatus.Continue;
    }
    final UserIdentity userIdentity = forgottenPasswordBean.getUserIdentity();
    try {
        // check attributes
        final ChaiUser theUser = pwmRequest.getPwmApplication().getProxiedChaiUser(userIdentity);
        final Locale userLocale = pwmRequest.getLocale();
        final List<FormConfiguration> requiredAttributesForm = forgottenPasswordBean.getAttributeForm();
        if (requiredAttributesForm.isEmpty()) {
            return ProcessStatus.Continue;
        }
        final Map<FormConfiguration, String> formValues = FormUtility.readFormValuesFromRequest(pwmRequest, requiredAttributesForm, userLocale);
        for (final Map.Entry<FormConfiguration, String> entry : formValues.entrySet()) {
            final FormConfiguration formConfiguration = entry.getKey();
            final String attrName = formConfiguration.getName();
            try {
                if (theUser.compareStringAttribute(attrName, entry.getValue())) {
                    LOGGER.trace(pwmRequest, "successful validation of ldap attribute value for '" + attrName + "'");
                } else {
                    throw new PwmDataValidationException(new ErrorInformation(PwmError.ERROR_INCORRECT_RESPONSE, "incorrect value for '" + attrName + "'", new String[] { formConfiguration.getLabel(pwmRequest.getLocale()) }));
                }
            } catch (ChaiOperationException e) {
                LOGGER.error(pwmRequest, "error during param validation of '" + attrName + "', error: " + e.getMessage());
                throw new PwmDataValidationException(new ErrorInformation(PwmError.ERROR_INCORRECT_RESPONSE, "ldap error testing value for '" + attrName + "'", new String[] { formConfiguration.getLabel(pwmRequest.getLocale()) }));
            }
        }
        forgottenPasswordBean.getProgress().getSatisfiedMethods().add(IdentityVerificationMethod.ATTRIBUTES);
    } catch (PwmDataValidationException e) {
        handleUserVerificationBadAttempt(pwmRequest, forgottenPasswordBean, new ErrorInformation(PwmError.ERROR_INCORRECT_RESPONSE, e.getErrorInformation().toDebugStr()));
    }
    return ProcessStatus.Continue;
}
Also used : Locale(java.util.Locale) UserIdentity(password.pwm.bean.UserIdentity) ErrorInformation(password.pwm.error.ErrorInformation) PwmDataValidationException(password.pwm.error.PwmDataValidationException) ChaiUser(com.novell.ldapchai.ChaiUser) FormConfiguration(password.pwm.config.value.data.FormConfiguration) ChaiOperationException(com.novell.ldapchai.exception.ChaiOperationException) ForgottenPasswordBean(password.pwm.http.bean.ForgottenPasswordBean) Map(java.util.Map) LinkedHashMap(java.util.LinkedHashMap)

Example 7 with ForgottenPasswordBean

use of password.pwm.http.bean.ForgottenPasswordBean in project pwm by pwm-project.

the class ForgottenPasswordServlet method processOAuthReturn.

@ActionHandler(action = "oauthReturn")
private ProcessStatus processOAuthReturn(final PwmRequest pwmRequest) throws IOException, ServletException, PwmUnrecoverableException, ChaiUnavailableException {
    final ForgottenPasswordBean forgottenPasswordBean = forgottenPasswordBean(pwmRequest);
    if (forgottenPasswordBean.getProgress().getInProgressVerificationMethod() != IdentityVerificationMethod.OAUTH) {
        LOGGER.debug(pwmRequest, "oauth return detected, however current session did not issue an oauth request; will restart forgotten password sequence");
        pwmRequest.getPwmApplication().getSessionStateService().clearBean(pwmRequest, ForgottenPasswordBean.class);
        pwmRequest.sendRedirect(PwmServletDefinition.ForgottenPassword);
        return ProcessStatus.Halt;
    }
    if (forgottenPasswordBean.getUserIdentity() == null) {
        LOGGER.debug(pwmRequest, "oauth return detected, however current session does not have a user identity stored; will restart forgotten password sequence");
        pwmRequest.getPwmApplication().getSessionStateService().clearBean(pwmRequest, ForgottenPasswordBean.class);
        pwmRequest.sendRedirect(PwmServletDefinition.ForgottenPassword);
        return ProcessStatus.Halt;
    }
    final String encryptedResult = pwmRequest.readParameterAsString(PwmConstants.PARAM_RECOVERY_OAUTH_RESULT, PwmHttpRequestWrapper.Flag.BypassValidation);
    final OAuthForgottenPasswordResults results = pwmRequest.getPwmApplication().getSecureService().decryptObject(encryptedResult, OAuthForgottenPasswordResults.class);
    LOGGER.trace(pwmRequest, "received ");
    final String userDNfromOAuth = results.getUsername();
    if (userDNfromOAuth == null || userDNfromOAuth.isEmpty()) {
        final String errorMsg = "oauth server coderesolver endpoint did not return a username value";
        final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_OAUTH_ERROR, errorMsg);
        throw new PwmUnrecoverableException(errorInformation);
    }
    final UserIdentity oauthUserIdentity;
    {
        final UserSearchEngine userSearchEngine = pwmRequest.getPwmApplication().getUserSearchEngine();
        try {
            oauthUserIdentity = userSearchEngine.resolveUsername(userDNfromOAuth, null, null, pwmRequest.getSessionLabel());
        } catch (PwmOperationalException e) {
            final String errorMsg = "unexpected error searching for oauth supplied username in ldap; error: " + e.getMessage();
            final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_OAUTH_ERROR, errorMsg);
            throw new PwmUnrecoverableException(errorInformation);
        }
    }
    final boolean userMatch;
    {
        final UserIdentity userIdentityInBean = forgottenPasswordBean.getUserIdentity();
        userMatch = userIdentityInBean != null && userIdentityInBean.equals(oauthUserIdentity);
    }
    if (userMatch) {
        forgottenPasswordBean.getProgress().getSatisfiedMethods().add(IdentityVerificationMethod.OAUTH);
    } else {
        final String errorMsg = "oauth server username does not match previously identified user";
        final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_OAUTH_ERROR, errorMsg);
        throw new PwmUnrecoverableException(errorInformation);
    }
    return ProcessStatus.Continue;
}
Also used : ErrorInformation(password.pwm.error.ErrorInformation) UserIdentity(password.pwm.bean.UserIdentity) UserSearchEngine(password.pwm.ldap.search.UserSearchEngine) OAuthForgottenPasswordResults(password.pwm.http.servlet.oauth.OAuthForgottenPasswordResults) PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException) ForgottenPasswordBean(password.pwm.http.bean.ForgottenPasswordBean) PwmOperationalException(password.pwm.error.PwmOperationalException)

Example 8 with ForgottenPasswordBean

use of password.pwm.http.bean.ForgottenPasswordBean in project pwm by pwm-project.

the class ForgottenPasswordServlet method processCheckResponses.

@ActionHandler(action = "checkResponses")
private ProcessStatus processCheckResponses(final PwmRequest pwmRequest) throws ChaiUnavailableException, IOException, ServletException, PwmUnrecoverableException {
    final ForgottenPasswordBean forgottenPasswordBean = forgottenPasswordBean(pwmRequest);
    if (forgottenPasswordBean.getUserIdentity() == null) {
        return ProcessStatus.Continue;
    }
    final UserIdentity userIdentity = forgottenPasswordBean.getUserIdentity();
    final ResponseSet responseSet = ForgottenPasswordUtil.readResponseSet(pwmRequest, forgottenPasswordBean);
    if (responseSet == null) {
        final String errorMsg = "attempt to check responses, but responses are not loaded into session bean";
        final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_UNKNOWN, errorMsg);
        throw new PwmUnrecoverableException(errorInformation);
    }
    try {
        // read the supplied responses from the user
        final Map<Challenge, String> crMap = ForgottenPasswordUtil.readResponsesFromHttpRequest(pwmRequest, forgottenPasswordBean.getPresentableChallengeSet());
        final boolean responsesPassed;
        try {
            responsesPassed = responseSet.test(crMap);
        } catch (ChaiUnavailableException e) {
            if (e.getCause() instanceof PwmUnrecoverableException) {
                throw (PwmUnrecoverableException) e.getCause();
            }
            throw e;
        }
        // special case for nmas, clear out existing challenges and input fields.
        if (!responsesPassed && responseSet instanceof NMASCrOperator.NMASCRResponseSet) {
            forgottenPasswordBean.setPresentableChallengeSet(responseSet.getPresentableChallengeSet());
        }
        if (responsesPassed) {
            LOGGER.debug(pwmRequest, "user '" + userIdentity + "' has supplied correct responses");
        } else {
            final String errorMsg = "incorrect response to one or more challenges";
            final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_INCORRECT_RESPONSE, errorMsg);
            handleUserVerificationBadAttempt(pwmRequest, forgottenPasswordBean, errorInformation);
            return ProcessStatus.Continue;
        }
    } catch (ChaiValidationException e) {
        LOGGER.debug(pwmRequest, "chai validation error checking user responses: " + e.getMessage());
        final ErrorInformation errorInformation = new ErrorInformation(PwmError.forChaiError(e.getErrorCode()));
        handleUserVerificationBadAttempt(pwmRequest, forgottenPasswordBean, errorInformation);
        return ProcessStatus.Continue;
    }
    forgottenPasswordBean.getProgress().getSatisfiedMethods().add(IdentityVerificationMethod.CHALLENGE_RESPONSES);
    return ProcessStatus.Continue;
}
Also used : ChaiUnavailableException(com.novell.ldapchai.exception.ChaiUnavailableException) UserIdentity(password.pwm.bean.UserIdentity) ResponseSet(com.novell.ldapchai.cr.ResponseSet) PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException) Challenge(com.novell.ldapchai.cr.Challenge) ErrorInformation(password.pwm.error.ErrorInformation) ChaiValidationException(com.novell.ldapchai.exception.ChaiValidationException) NMASCrOperator(password.pwm.util.operations.cr.NMASCrOperator) ForgottenPasswordBean(password.pwm.http.bean.ForgottenPasswordBean)

Example 9 with ForgottenPasswordBean

use of password.pwm.http.bean.ForgottenPasswordBean in project pwm by pwm-project.

the class ForgottenPasswordServlet method forwardToEnterTokenJsp.

private static void forwardToEnterTokenJsp(final PwmRequest pwmRequest) throws ServletException, PwmUnrecoverableException, IOException {
    final ForgottenPasswordBean forgottenPasswordBean = forgottenPasswordBean(pwmRequest);
    final ForgottenPasswordProfile forgottenPasswordProfile = ForgottenPasswordUtil.forgottenPasswordProfile(pwmRequest.getPwmApplication(), forgottenPasswordBean);
    final List<TokenDestinationItem> destItems = ForgottenPasswordUtil.figureAvailableTokenDestinations(pwmRequest, forgottenPasswordBean);
    ResetAction goBackAction = null;
    final boolean autoSelect = Boolean.parseBoolean(pwmRequest.getConfig().readAppProperty(AppProperty.FORGOTTEN_PASSWORD_TOKEN_AUTO_SELECT_DEST));
    if (destItems.size() > 1 || !autoSelect) {
        goBackAction = ResetAction.clearTokenDestination;
    } else if (ForgottenPasswordUtil.hasOtherMethodChoices(forgottenPasswordBean, IdentityVerificationMethod.TOKEN)) {
        goBackAction = ResetAction.clearActionChoice;
    }
    if (goBackAction != null) {
        pwmRequest.setAttribute(PwmRequestAttribute.GoBackAction, goBackAction);
    }
    {
        final boolean resendEnabled = forgottenPasswordProfile.readSettingAsBoolean(PwmSetting.TOKEN_RESEND_ENABLE);
        pwmRequest.setAttribute(PwmRequestAttribute.ForgottenPasswordResendTokenEnabled, resendEnabled);
    }
    pwmRequest.forwardToJsp(JspUrl.RECOVER_PASSWORD_ENTER_TOKEN);
}
Also used : ForgottenPasswordProfile(password.pwm.config.profile.ForgottenPasswordProfile) ForgottenPasswordBean(password.pwm.http.bean.ForgottenPasswordBean) TokenDestinationItem(password.pwm.bean.TokenDestinationItem)

Example 10 with ForgottenPasswordBean

use of password.pwm.http.bean.ForgottenPasswordBean in project pwm by pwm-project.

the class ForgottenPasswordServlet method executeResetPassword.

private void executeResetPassword(final PwmRequest pwmRequest) throws ChaiUnavailableException, IOException, ServletException, PwmUnrecoverableException {
    final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
    final PwmSession pwmSession = pwmRequest.getPwmSession();
    final ForgottenPasswordBean forgottenPasswordBean = forgottenPasswordBean(pwmRequest);
    if (!forgottenPasswordBean.getProgress().isAllPassed()) {
        return;
    }
    final UserIdentity userIdentity = forgottenPasswordBean.getUserIdentity();
    final ChaiUser theUser = pwmApplication.getProxiedChaiUser(userIdentity);
    try {
        // try unlocking user
        theUser.unlockPassword();
        LOGGER.trace(pwmSession, "unlock account succeeded");
    } catch (ChaiOperationException e) {
        final String errorMsg = "unable to unlock user " + theUser.getEntryDN() + " error: " + e.getMessage();
        final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_UNLOCK_FAILURE, errorMsg);
        LOGGER.error(pwmSession, errorInformation.toDebugStr());
    }
    try {
        final SessionAuthenticator sessionAuthenticator = new SessionAuthenticator(pwmApplication, pwmSession, PwmAuthenticationSource.FORGOTTEN_PASSWORD);
        sessionAuthenticator.authUserWithUnknownPassword(userIdentity, AuthenticationType.AUTH_FROM_PUBLIC_MODULE);
        pwmSession.getLoginInfoBean().getAuthFlags().add(AuthenticationType.AUTH_FROM_PUBLIC_MODULE);
        LOGGER.info(pwmSession, "user successfully supplied password recovery responses, forward to change password page: " + theUser.getEntryDN());
        // mark the event log
        pwmApplication.getAuditManager().submit(AuditEvent.RECOVER_PASSWORD, pwmSession.getUserInfo(), pwmSession);
        // add the post-forgotten password actions
        addPostChangeAction(pwmRequest, userIdentity);
        // mark user as requiring a new password.
        pwmSession.getLoginInfoBean().getLoginFlags().add(LoginInfoBean.LoginFlag.forcePwChange);
        // redirect user to change password screen.
        pwmRequest.sendRedirect(PwmServletDefinition.PublicChangePassword.servletUrlName());
    } catch (PwmUnrecoverableException e) {
        LOGGER.warn(pwmSession, "unexpected error authenticating during forgotten password recovery process user: " + e.getMessage());
        pwmRequest.respondWithError(e.getErrorInformation());
    } finally {
        clearForgottenPasswordBean(pwmRequest);
    }
}
Also used : ErrorInformation(password.pwm.error.ErrorInformation) PwmApplication(password.pwm.PwmApplication) ChaiUser(com.novell.ldapchai.ChaiUser) SessionAuthenticator(password.pwm.ldap.auth.SessionAuthenticator) UserIdentity(password.pwm.bean.UserIdentity) PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException) ChaiOperationException(com.novell.ldapchai.exception.ChaiOperationException) PwmSession(password.pwm.http.PwmSession) ForgottenPasswordBean(password.pwm.http.bean.ForgottenPasswordBean)

Aggregations

ForgottenPasswordBean (password.pwm.http.bean.ForgottenPasswordBean)22 ErrorInformation (password.pwm.error.ErrorInformation)15 UserIdentity (password.pwm.bean.UserIdentity)9 PwmUnrecoverableException (password.pwm.error.PwmUnrecoverableException)9 UserInfo (password.pwm.ldap.UserInfo)8 PwmApplication (password.pwm.PwmApplication)7 ForgottenPasswordProfile (password.pwm.config.profile.ForgottenPasswordProfile)7 FormConfiguration (password.pwm.config.value.data.FormConfiguration)6 ChaiUser (com.novell.ldapchai.ChaiUser)5 ChaiOperationException (com.novell.ldapchai.exception.ChaiOperationException)5 TokenDestinationItem (password.pwm.bean.TokenDestinationItem)5 LinkedHashMap (java.util.LinkedHashMap)4 IdentityVerificationMethod (password.pwm.config.option.IdentityVerificationMethod)4 PwmOperationalException (password.pwm.error.PwmOperationalException)4 PwmSession (password.pwm.http.PwmSession)4 Locale (java.util.Locale)3 Map (java.util.Map)3 SearchConfiguration (password.pwm.ldap.search.SearchConfiguration)3 Challenge (com.novell.ldapchai.cr.Challenge)2 ChallengeSet (com.novell.ldapchai.cr.ChallengeSet)2