Example 1 with AuditRecord
use of password.pwm.svc.event.AuditRecord in project pwm by pwm-project.
the class LDAPAuthenticationRequest method authenticateUserImpl.
private AuthenticationResult authenticateUserImpl(final PasswordData password) throws ChaiUnavailableException, PwmUnrecoverableException, PwmOperationalException {
if (startTime == null) {
startTime = new Date();
}
log(PwmLogLevel.DEBUG, "preparing to authenticate user using authenticationType=" + this.requestedAuthType + " using strategy " + this.strategy);
final StatisticsManager statisticsManager = pwmApplication.getStatisticsManager();
final IntruderManager intruderManager = pwmApplication.getIntruderManager();
intruderManager.convenience().checkUserIdentity(userIdentity);
intruderManager.check(RecordType.ADDRESS, sessionLabel.getSrcAddress());
// verify user is not account disabled
AuthenticationUtility.checkIfUserEligibleToAuthentication(pwmApplication, userIdentity);
boolean allowBindAsUser = true;
if (strategy == AuthenticationStrategy.ADMIN_PROXY) {
allowBindAsUser = false;
}
if (allowBindAsUser) {
try {
testCredentials(userIdentity, password);
} catch (PwmOperationalException e) {
boolean permitAuthDespiteError = false;
final DirectoryVendor vendor = pwmApplication.getProxyChaiProvider(userIdentity.getLdapProfileID()).getDirectoryVendor();
if (PwmError.PASSWORD_NEW_PASSWORD_REQUIRED == e.getError()) {
if (vendor == DirectoryVendor.ACTIVE_DIRECTORY) {
if (pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.AD_ALLOW_AUTH_REQUIRE_NEW_PWD)) {
log(PwmLogLevel.INFO, "auth bind failed, but will allow login due to 'must change password on next login AD error', error: " + e.getErrorInformation().toDebugStr());
allowBindAsUser = false;
permitAuthDespiteError = true;
}
} else if (vendor == DirectoryVendor.ORACLE_DS) {
if (pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.ORACLE_DS_ALLOW_AUTH_REQUIRE_NEW_PWD)) {
log(PwmLogLevel.INFO, "auth bind failed, but will allow login due to 'pwdReset' user attribute, error: " + e.getErrorInformation().toDebugStr());
allowBindAsUser = false;
permitAuthDespiteError = true;
}
}
} else if (PwmError.PASSWORD_EXPIRED == e.getError()) {
// handle ad case where password is expired
if (vendor == DirectoryVendor.ACTIVE_DIRECTORY) {
if (pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.AD_ALLOW_AUTH_REQUIRE_NEW_PWD)) {
if (!pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.AD_ALLOW_AUTH_EXPIRED)) {
throw e;
}
log(PwmLogLevel.INFO, "auth bind failed, but will allow login due to 'password expired AD error', error: " + e.getErrorInformation().toDebugStr());
allowBindAsUser = false;
permitAuthDespiteError = true;
}
}
}
if (!permitAuthDespiteError) {
// auth failed, presumably due to wrong password.
statisticsManager.incrementValue(Statistic.AUTHENTICATION_FAILURES);
throw e;
}
}
}
statisticsManager.incrementValue(Statistic.AUTHENTICATIONS);
statisticsManager.updateEps(EpsStatistic.AUTHENTICATION, 1);
statisticsManager.updateAverageValue(Statistic.AVG_AUTHENTICATION_TIME, TimeDuration.fromCurrent(startTime).getTotalMilliseconds());
final AuthenticationType returnAuthType;
if (!allowBindAsUser) {
returnAuthType = AuthenticationType.AUTH_BIND_INHIBIT;
} else {
if (requestedAuthType == null) {
returnAuthType = AuthenticationType.AUTHENTICATED;
} else {
if (requestedAuthType == AuthenticationType.AUTH_WITHOUT_PASSWORD) {
returnAuthType = AuthenticationType.AUTHENTICATED;
} else if (requestedAuthType == AuthenticationType.AUTH_FROM_PUBLIC_MODULE) {
returnAuthType = AuthenticationType.AUTH_FROM_PUBLIC_MODULE;
} else {
returnAuthType = requestedAuthType;
}
}
}
final boolean useProxy = determineIfLdapProxyNeeded(returnAuthType, password);
final ChaiProvider returnProvider = useProxy ? makeProxyProvider() : userProvider;
final AuthenticationResult authenticationResult = new AuthenticationResult(returnProvider, returnAuthType, password);
final StringBuilder debugMsg = new StringBuilder();
debugMsg.append("successful ldap authentication for ").append(userIdentity);
debugMsg.append(" (").append(TimeDuration.fromCurrent(startTime).asCompactString()).append(")");
debugMsg.append(" type: ").append(returnAuthType).append(", using strategy ").append(strategy);
debugMsg.append(", using proxy connection: ").append(useProxy);
debugMsg.append(", returning bind dn: ").append(returnProvider == null ? "none" : returnProvider.getChaiConfiguration().getSetting(ChaiSetting.BIND_DN));
log(PwmLogLevel.INFO, debugMsg);
final MacroMachine macroMachine = MacroMachine.forUser(pwmApplication, PwmConstants.DEFAULT_LOCALE, sessionLabel, userIdentity);
final AuditRecord auditRecord = new AuditRecordFactory(pwmApplication, macroMachine).createUserAuditRecord(AuditEvent.AUTHENTICATE, this.userIdentity, makeAuditLogMessage(returnAuthType), sessionLabel.getSrcAddress(), sessionLabel.getSrcHostname());
pwmApplication.getAuditManager().submit(auditRecord);
pwmApplication.getSessionTrackService().addRecentLogin(userIdentity);
return authenticationResult;
}
Also used :
Date(java.util.Date)
PwmOperationalException(password.pwm.error.PwmOperationalException)
AuditRecordFactory(password.pwm.svc.event.AuditRecordFactory)
StatisticsManager(password.pwm.svc.stats.StatisticsManager)
ChaiProvider(com.novell.ldapchai.provider.ChaiProvider)
MacroMachine(password.pwm.util.macro.MacroMachine)
DirectoryVendor(com.novell.ldapchai.provider.DirectoryVendor)
IntruderManager(password.pwm.svc.intruder.IntruderManager)
AuditRecord(password.pwm.svc.event.AuditRecord)
Example 2 with AuditRecord
use of password.pwm.svc.event.AuditRecord in project pwm by pwm-project.
the class PwmLogger method doLogEvent.
private void doLogEvent(final PwmLogEvent logEvent) {
pushMessageToLog4j(logEvent);
try {
if (!localDBDisabled && localDBLogger != null && minimumDbLogLevel != null) {
if (logEvent.getLevel().compareTo(minimumDbLogLevel) >= 0) {
localDBLogger.writeEvent(logEvent);
}
}
if (logEvent.getLevel() == PwmLogLevel.FATAL) {
if (!logEvent.getMessage().contains("5039")) {
final Map<String, String> messageInfo = new HashMap<>();
messageInfo.put("level", logEvent.getLevel() == null ? "null" : logEvent.getLevel().toString());
messageInfo.put("actor", logEvent.getActor());
messageInfo.put("source", logEvent.getSource());
messageInfo.put("topic", logEvent.getTopic());
messageInfo.put("errorMessage", logEvent.getMessage());
final String messageInfoStr = JsonUtil.serializeMap(messageInfo);
final AuditRecord auditRecord = new AuditRecordFactory(pwmApplication).createSystemAuditRecord(AuditEvent.FATAL_EVENT, messageInfoStr);
pwmApplication.getAuditManager().submit(auditRecord);
}
}
} catch (Exception e2) {
// nothing can be done about it now;
}
}
Also used :
AuditRecordFactory(password.pwm.svc.event.AuditRecordFactory)
HashMap(java.util.HashMap)
AuditRecord(password.pwm.svc.event.AuditRecord)
IOException(java.io.IOException)
PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException)
Example 3 with AuditRecord
use of password.pwm.svc.event.AuditRecord in project pwm by pwm-project.
the class ForgottenPasswordUtil method doActionSendNewPassword.
static void doActionSendNewPassword(final PwmRequest pwmRequest) throws ChaiUnavailableException, IOException, ServletException, PwmUnrecoverableException {
final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
final ForgottenPasswordBean forgottenPasswordBean = ForgottenPasswordServlet.forgottenPasswordBean(pwmRequest);
final ForgottenPasswordProfile forgottenPasswordProfile = forgottenPasswordProfile(pwmRequest.getPwmApplication(), forgottenPasswordBean);
final RecoveryAction recoveryAction = ForgottenPasswordUtil.getRecoveryAction(pwmApplication.getConfig(), forgottenPasswordBean);
LOGGER.trace(pwmRequest, "beginning process to send new password to user");
if (!forgottenPasswordBean.getProgress().isAllPassed()) {
return;
}
final UserIdentity userIdentity = forgottenPasswordBean.getUserIdentity();
final ChaiUser theUser = pwmRequest.getPwmApplication().getProxiedChaiUser(userIdentity);
try {
// try unlocking user
theUser.unlockPassword();
LOGGER.trace(pwmRequest, "unlock account succeeded");
} catch (ChaiOperationException e) {
final String errorMsg = "unable to unlock user " + theUser.getEntryDN() + " error: " + e.getMessage();
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_UNLOCK_FAILURE, errorMsg);
LOGGER.error(pwmRequest.getPwmSession(), errorInformation.toDebugStr());
pwmRequest.respondWithError(errorInformation);
return;
}
try {
final UserInfo userInfo = UserInfoFactory.newUserInfoUsingProxy(pwmApplication, pwmRequest.getSessionLabel(), userIdentity, pwmRequest.getLocale());
LOGGER.info(pwmRequest, "user successfully supplied password recovery responses, emailing new password to: " + theUser.getEntryDN());
// add post change actions
ForgottenPasswordServlet.addPostChangeAction(pwmRequest, userIdentity);
// create new password
final PasswordData newPassword = RandomPasswordGenerator.createRandomPassword(pwmRequest.getSessionLabel(), userInfo.getPasswordPolicy(), pwmApplication);
LOGGER.trace(pwmRequest, "generated random password value based on password policy for " + userIdentity.toDisplayString());
// set the password
try {
theUser.setPassword(newPassword.getStringValue());
LOGGER.trace(pwmRequest, "set user " + userIdentity.toDisplayString() + " password to system generated random value");
} catch (ChaiException e) {
throw PwmUnrecoverableException.fromChaiException(e);
}
if (recoveryAction == RecoveryAction.SENDNEWPW_AND_EXPIRE) {
LOGGER.debug(pwmRequest, "marking user " + userIdentity.toDisplayString() + " password as expired");
theUser.expirePassword();
}
// mark the event log
{
final AuditRecord auditRecord = new AuditRecordFactory(pwmApplication).createUserAuditRecord(AuditEvent.RECOVER_PASSWORD, userIdentity, pwmRequest.getSessionLabel());
pwmApplication.getAuditManager().submit(auditRecord);
}
final MessageSendMethod messageSendMethod = forgottenPasswordProfile.readSettingAsEnum(PwmSetting.RECOVERY_SENDNEWPW_METHOD, MessageSendMethod.class);
// send email or SMS
final String toAddress = PasswordUtility.sendNewPassword(userInfo, pwmApplication, newPassword, pwmRequest.getLocale(), messageSendMethod);
pwmRequest.getPwmResponse().forwardToSuccessPage(Message.Success_PasswordSend, toAddress);
} catch (PwmException e) {
LOGGER.warn(pwmRequest, "unexpected error setting new password during recovery process for user: " + e.getMessage());
pwmRequest.respondWithError(e.getErrorInformation());
} catch (ChaiOperationException e) {
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_UNKNOWN, "unexpected ldap error while processing recovery action " + recoveryAction + ", error: " + e.getMessage());
LOGGER.warn(pwmRequest, errorInformation.toDebugStr());
pwmRequest.respondWithError(errorInformation);
} finally {
ForgottenPasswordServlet.clearForgottenPasswordBean(pwmRequest);
// the user should not be authenticated, this is a safety method
pwmRequest.getPwmSession().unauthenticateUser(pwmRequest);
// the password set flag should not have been set, this is a safety method
pwmRequest.getPwmSession().getSessionStateBean().setPasswordModified(false);
}
}
Also used :
ForgottenPasswordProfile(password.pwm.config.profile.ForgottenPasswordProfile)
PwmApplication(password.pwm.PwmApplication)
UserIdentity(password.pwm.bean.UserIdentity)
UserInfo(password.pwm.ldap.UserInfo)
MessageSendMethod(password.pwm.config.option.MessageSendMethod)
PwmException(password.pwm.error.PwmException)
ErrorInformation(password.pwm.error.ErrorInformation)
AuditRecordFactory(password.pwm.svc.event.AuditRecordFactory)
ChaiUser(com.novell.ldapchai.ChaiUser)
RecoveryAction(password.pwm.config.option.RecoveryAction)
PasswordData(password.pwm.util.PasswordData)
ChaiOperationException(com.novell.ldapchai.exception.ChaiOperationException)
AuditRecord(password.pwm.svc.event.AuditRecord)
ForgottenPasswordBean(password.pwm.http.bean.ForgottenPasswordBean)
ChaiException(com.novell.ldapchai.exception.ChaiException)
Example 4 with AuditRecord
use of password.pwm.svc.event.AuditRecord in project pwm by pwm-project.
the class ActivateUserServlet method handleAgreeRequest.
@ActionHandler(action = "agree")
public ProcessStatus handleAgreeRequest(final PwmRequest pwmRequest) throws ServletException, IOException, PwmUnrecoverableException, ChaiUnavailableException {
LOGGER.debug(pwmRequest, "user accepted agreement");
final ActivateUserBean activateUserBean = activateUserBean(pwmRequest);
if (!activateUserBean.isAgreementPassed()) {
activateUserBean.setAgreementPassed(true);
final AuditRecord auditRecord = new AuditRecordFactory(pwmRequest).createUserAuditRecord(AuditEvent.AGREEMENT_PASSED, pwmRequest.getUserInfoIfLoggedIn(), pwmRequest.getSessionLabel(), "ActivateUser");
pwmRequest.getPwmApplication().getAuditManager().submit(auditRecord);
}
return ProcessStatus.Continue;
}
Also used :
AuditRecordFactory(password.pwm.svc.event.AuditRecordFactory)
AuditRecord(password.pwm.svc.event.AuditRecord)
ActivateUserBean(password.pwm.http.bean.ActivateUserBean)
Example 5 with AuditRecord
use of password.pwm.svc.event.AuditRecord in project pwm by pwm-project.
the class AdminServlet method restAuditDataHandler.
@ActionHandler(action = "auditData")
private ProcessStatus restAuditDataHandler(final PwmRequest pwmRequest) throws PwmUnrecoverableException, IOException {
final Instant startTime = Instant.now();
final TimeDuration maxSearchTime = new TimeDuration(10, TimeUnit.SECONDS);
final int max = readMaxParameter(pwmRequest, 100, 10 * 1000);
final AuditEvent.Type auditDataType = AuditEvent.Type.valueOf(pwmRequest.readParameterAsString("type", AuditEvent.Type.USER.name()));
final ArrayList<AuditRecord> records = new ArrayList<>();
final Iterator<AuditRecord> iterator = pwmRequest.getPwmApplication().getAuditManager().readVault();
while (iterator.hasNext() && records.size() < max && TimeDuration.fromCurrent(startTime).isShorterThan(maxSearchTime)) {
final AuditRecord loopRecord = iterator.next();
if (auditDataType == loopRecord.getType()) {
records.add(loopRecord);
}
}
final HashMap<String, Object> resultData = new HashMap<>(Collections.singletonMap("records", records));
final RestResultBean restResultBean = RestResultBean.withData(resultData);
LOGGER.debug(pwmRequest.getPwmSession(), "output " + records.size() + " audit records.");
pwmRequest.outputJsonResult(restResultBean);
return ProcessStatus.Halt;
}
Also used :
HashMap(java.util.HashMap)
LinkedHashMap(java.util.LinkedHashMap)
Instant(java.time.Instant)
ArrayList(java.util.ArrayList)
TimeDuration(password.pwm.util.java.TimeDuration)
AuditEvent(password.pwm.svc.event.AuditEvent)
AuditRecord(password.pwm.svc.event.AuditRecord)
RestResultBean(password.pwm.ws.server.RestResultBean)
Aggregations
AuditRecord (password.pwm.svc.event.AuditRecord)11
AuditRecordFactory (password.pwm.svc.event.AuditRecordFactory)10
ErrorInformation (password.pwm.error.ErrorInformation)3
PwmException (password.pwm.error.PwmException)3
PwmOperationalException (password.pwm.error.PwmOperationalException)3
IOException (java.io.IOException)2
HashMap (java.util.HashMap)2
PwmApplication (password.pwm.PwmApplication)2
PwmUnrecoverableException (password.pwm.error.PwmUnrecoverableException)2
ChaiUser (com.novell.ldapchai.ChaiUser)1
ChaiException (com.novell.ldapchai.exception.ChaiException)1
ChaiOperationException (com.novell.ldapchai.exception.ChaiOperationException)1
ChaiUnavailableException (com.novell.ldapchai.exception.ChaiUnavailableException)1
ChaiProvider (com.novell.ldapchai.provider.ChaiProvider)1
DirectoryVendor (com.novell.ldapchai.provider.DirectoryVendor)1
Instant (java.time.Instant)1
ArrayList (java.util.ArrayList)1
Date (java.util.Date)1
LinkedHashMap (java.util.LinkedHashMap)1
List (java.util.List)1
