Examples with AuditRecordFactory password.pwm.svc.event.AuditRecordFactory used on opensource projects

Example 1 with AuditRecordFactory

use of password.pwm.svc.event.AuditRecordFactory in project pwm by pwm-project.

the class LDAPAuthenticationRequest method authenticateUserImpl.

private AuthenticationResult authenticateUserImpl(final PasswordData password) throws ChaiUnavailableException, PwmUnrecoverableException, PwmOperationalException {
    if (startTime == null) {
        startTime = new Date();
    }
    log(PwmLogLevel.DEBUG, "preparing to authenticate user using authenticationType=" + this.requestedAuthType + " using strategy " + this.strategy);
    final StatisticsManager statisticsManager = pwmApplication.getStatisticsManager();
    final IntruderManager intruderManager = pwmApplication.getIntruderManager();
    intruderManager.convenience().checkUserIdentity(userIdentity);
    intruderManager.check(RecordType.ADDRESS, sessionLabel.getSrcAddress());
    // verify user is not account disabled
    AuthenticationUtility.checkIfUserEligibleToAuthentication(pwmApplication, userIdentity);
    boolean allowBindAsUser = true;
    if (strategy == AuthenticationStrategy.ADMIN_PROXY) {
        allowBindAsUser = false;
    }
    if (allowBindAsUser) {
        try {
            testCredentials(userIdentity, password);
        } catch (PwmOperationalException e) {
            boolean permitAuthDespiteError = false;
            final DirectoryVendor vendor = pwmApplication.getProxyChaiProvider(userIdentity.getLdapProfileID()).getDirectoryVendor();
            if (PwmError.PASSWORD_NEW_PASSWORD_REQUIRED == e.getError()) {
                if (vendor == DirectoryVendor.ACTIVE_DIRECTORY) {
                    if (pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.AD_ALLOW_AUTH_REQUIRE_NEW_PWD)) {
                        log(PwmLogLevel.INFO, "auth bind failed, but will allow login due to 'must change password on next login AD error', error: " + e.getErrorInformation().toDebugStr());
                        allowBindAsUser = false;
                        permitAuthDespiteError = true;
                    }
                } else if (vendor == DirectoryVendor.ORACLE_DS) {
                    if (pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.ORACLE_DS_ALLOW_AUTH_REQUIRE_NEW_PWD)) {
                        log(PwmLogLevel.INFO, "auth bind failed, but will allow login due to 'pwdReset' user attribute, error: " + e.getErrorInformation().toDebugStr());
                        allowBindAsUser = false;
                        permitAuthDespiteError = true;
                    }
                }
            } else if (PwmError.PASSWORD_EXPIRED == e.getError()) {
                // handle ad case where password is expired
                if (vendor == DirectoryVendor.ACTIVE_DIRECTORY) {
                    if (pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.AD_ALLOW_AUTH_REQUIRE_NEW_PWD)) {
                        if (!pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.AD_ALLOW_AUTH_EXPIRED)) {
                            throw e;
                        }
                        log(PwmLogLevel.INFO, "auth bind failed, but will allow login due to 'password expired AD error', error: " + e.getErrorInformation().toDebugStr());
                        allowBindAsUser = false;
                        permitAuthDespiteError = true;
                    }
                }
            }
            if (!permitAuthDespiteError) {
                // auth failed, presumably due to wrong password.
                statisticsManager.incrementValue(Statistic.AUTHENTICATION_FAILURES);
                throw e;
            }
        }
    }
    statisticsManager.incrementValue(Statistic.AUTHENTICATIONS);
    statisticsManager.updateEps(EpsStatistic.AUTHENTICATION, 1);
    statisticsManager.updateAverageValue(Statistic.AVG_AUTHENTICATION_TIME, TimeDuration.fromCurrent(startTime).getTotalMilliseconds());
    final AuthenticationType returnAuthType;
    if (!allowBindAsUser) {
        returnAuthType = AuthenticationType.AUTH_BIND_INHIBIT;
    } else {
        if (requestedAuthType == null) {
            returnAuthType = AuthenticationType.AUTHENTICATED;
        } else {
            if (requestedAuthType == AuthenticationType.AUTH_WITHOUT_PASSWORD) {
                returnAuthType = AuthenticationType.AUTHENTICATED;
            } else if (requestedAuthType == AuthenticationType.AUTH_FROM_PUBLIC_MODULE) {
                returnAuthType = AuthenticationType.AUTH_FROM_PUBLIC_MODULE;
            } else {
                returnAuthType = requestedAuthType;
            }
        }
    }
    final boolean useProxy = determineIfLdapProxyNeeded(returnAuthType, password);
    final ChaiProvider returnProvider = useProxy ? makeProxyProvider() : userProvider;
    final AuthenticationResult authenticationResult = new AuthenticationResult(returnProvider, returnAuthType, password);
    final StringBuilder debugMsg = new StringBuilder();
    debugMsg.append("successful ldap authentication for ").append(userIdentity);
    debugMsg.append(" (").append(TimeDuration.fromCurrent(startTime).asCompactString()).append(")");
    debugMsg.append(" type: ").append(returnAuthType).append(", using strategy ").append(strategy);
    debugMsg.append(", using proxy connection: ").append(useProxy);
    debugMsg.append(", returning bind dn: ").append(returnProvider == null ? "none" : returnProvider.getChaiConfiguration().getSetting(ChaiSetting.BIND_DN));
    log(PwmLogLevel.INFO, debugMsg);
    final MacroMachine macroMachine = MacroMachine.forUser(pwmApplication, PwmConstants.DEFAULT_LOCALE, sessionLabel, userIdentity);
    final AuditRecord auditRecord = new AuditRecordFactory(pwmApplication, macroMachine).createUserAuditRecord(AuditEvent.AUTHENTICATE, this.userIdentity, makeAuditLogMessage(returnAuthType), sessionLabel.getSrcAddress(), sessionLabel.getSrcHostname());
    pwmApplication.getAuditManager().submit(auditRecord);
    pwmApplication.getSessionTrackService().addRecentLogin(userIdentity);
    return authenticationResult;
}

Example 2 with AuditRecordFactory

use of password.pwm.svc.event.AuditRecordFactory in project pwm by pwm-project.

the class PasswordUtility method helpdeskSetUserPassword.

public static void helpdeskSetUserPassword(final PwmSession pwmSession, final ChaiUser chaiUser, final UserInfo userInfo, final PwmApplication pwmApplication, final PasswordData newPassword) throws ChaiUnavailableException, PwmUnrecoverableException, PwmOperationalException {
    final SessionLabel sessionLabel = pwmSession.getLabel();
    final UserIdentity userIdentity = userInfo.getUserIdentity();
    if (!pwmSession.isAuthenticated()) {
        final String errorMsg = "attempt to helpdeskSetUserPassword, but user is not authenticated";
        final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_UNAUTHORIZED, errorMsg);
        throw new PwmOperationalException(errorInformation);
    }
    final HelpdeskProfile helpdeskProfile = pwmSession.getSessionManager().getHelpdeskProfile(pwmApplication);
    if (helpdeskProfile == null) {
        final String errorMsg = "attempt to helpdeskSetUserPassword, but user does not have helpdesk permission";
        final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_UNAUTHORIZED, errorMsg);
        throw new PwmOperationalException(errorInformation);
    }
    setPassword(pwmApplication, pwmSession.getLabel(), chaiUser.getChaiProvider(), userInfo, null, newPassword);
    // create a proxy user object for pwm to update/read the user.
    final ChaiUser proxiedUser = pwmApplication.getProxiedChaiUser(userIdentity);
    // mark the event log
    {
        final HelpdeskAuditRecord auditRecord = new AuditRecordFactory(pwmApplication, pwmSession).createHelpdeskAuditRecord(AuditEvent.HELPDESK_SET_PASSWORD, pwmSession.getUserInfo().getUserIdentity(), null, userIdentity, pwmSession.getSessionStateBean().getSrcAddress(), pwmSession.getSessionStateBean().getSrcHostname());
        pwmApplication.getAuditManager().submit(auditRecord);
    }
    // update statistics
    pwmApplication.getStatisticsManager().incrementValue(Statistic.HELPDESK_PASSWORD_SET);
    {
        // execute configured actions
        LOGGER.debug(sessionLabel, "executing changepassword and helpdesk post password change writeAttributes to user " + userIdentity);
        final List<ActionConfiguration> actions = new ArrayList<>();
        actions.addAll(pwmApplication.getConfig().readSettingAsAction(PwmSetting.CHANGE_PASSWORD_WRITE_ATTRIBUTES));
        actions.addAll(helpdeskProfile.readSettingAsAction(PwmSetting.HELPDESK_POST_SET_PASSWORD_WRITE_ATTRIBUTES));
        if (!actions.isEmpty()) {
            final LoginInfoBean loginInfoBean = new LoginInfoBean();
            loginInfoBean.setUserCurrentPassword(newPassword);
            final MacroMachine macroMachine = MacroMachine.forUser(pwmApplication, sessionLabel, userInfo, loginInfoBean);
            final ActionExecutor actionExecutor = new ActionExecutor.ActionExecutorSettings(pwmApplication, userIdentity).setMacroMachine(macroMachine).setExpandPwmMacros(true).createActionExecutor();
            actionExecutor.executeActions(actions, pwmSession.getLabel());
        }
    }
    final HelpdeskClearResponseMode settingClearResponses = HelpdeskClearResponseMode.valueOf(helpdeskProfile.readSettingAsString(PwmSetting.HELPDESK_CLEAR_RESPONSES));
    if (settingClearResponses == HelpdeskClearResponseMode.yes) {
        final String userGUID = LdapOperationsHelper.readLdapGuidValue(pwmApplication, sessionLabel, userIdentity, false);
        pwmApplication.getCrService().clearResponses(pwmSession.getLabel(), userIdentity, proxiedUser, userGUID);
        // mark the event log
        final HelpdeskAuditRecord auditRecord = new AuditRecordFactory(pwmApplication, pwmSession).createHelpdeskAuditRecord(AuditEvent.HELPDESK_CLEAR_RESPONSES, pwmSession.getUserInfo().getUserIdentity(), null, userIdentity, pwmSession.getSessionStateBean().getSrcAddress(), pwmSession.getSessionStateBean().getSrcHostname());
        pwmApplication.getAuditManager().submit(auditRecord);
    }
    // send email notification
    sendChangePasswordHelpdeskEmailNotice(pwmSession, pwmApplication, userInfo);
    // expire if so configured
    if (helpdeskProfile.readSettingAsBoolean(PwmSetting.HELPDESK_FORCE_PW_EXPIRATION)) {
        LOGGER.trace(pwmSession, "preparing to expire password for user " + userIdentity.toDisplayString());
        try {
            proxiedUser.expirePassword();
        } catch (ChaiOperationException e) {
            LOGGER.warn(pwmSession, "error while forcing password expiration for user " + userIdentity.toDisplayString() + ", error: " + e.getMessage());
        }
    }
    // send password
    final boolean sendPassword = helpdeskProfile.readSettingAsBoolean(PwmSetting.HELPDESK_SEND_PASSWORD);
    if (sendPassword) {
        final MessageSendMethod messageSendMethod;
        {
            final String profileID = ProfileUtility.discoverProfileIDforUser(pwmApplication, sessionLabel, userIdentity, ProfileType.ForgottenPassword);
            final ForgottenPasswordProfile forgottenPasswordProfile = pwmApplication.getConfig().getForgottenPasswordProfiles().get(profileID);
            messageSendMethod = forgottenPasswordProfile.readSettingAsEnum(PwmSetting.RECOVERY_SENDNEWPW_METHOD, MessageSendMethod.class);
        }
        PasswordUtility.sendNewPassword(userInfo, pwmApplication, newPassword, pwmSession.getSessionStateBean().getLocale(), messageSendMethod);
    }
}

Example 3 with AuditRecordFactory

use of password.pwm.svc.event.AuditRecordFactory in project pwm by pwm-project.

the class PwmLogger method doLogEvent.

private void doLogEvent(final PwmLogEvent logEvent) {
    pushMessageToLog4j(logEvent);
    try {
        if (!localDBDisabled && localDBLogger != null && minimumDbLogLevel != null) {
            if (logEvent.getLevel().compareTo(minimumDbLogLevel) >= 0) {
                localDBLogger.writeEvent(logEvent);
            }
        }
        if (logEvent.getLevel() == PwmLogLevel.FATAL) {
            if (!logEvent.getMessage().contains("5039")) {
                final Map<String, String> messageInfo = new HashMap<>();
                messageInfo.put("level", logEvent.getLevel() == null ? "null" : logEvent.getLevel().toString());
                messageInfo.put("actor", logEvent.getActor());
                messageInfo.put("source", logEvent.getSource());
                messageInfo.put("topic", logEvent.getTopic());
                messageInfo.put("errorMessage", logEvent.getMessage());
                final String messageInfoStr = JsonUtil.serializeMap(messageInfo);
                final AuditRecord auditRecord = new AuditRecordFactory(pwmApplication).createSystemAuditRecord(AuditEvent.FATAL_EVENT, messageInfoStr);
                pwmApplication.getAuditManager().submit(auditRecord);
            }
        }
    } catch (Exception e2) {
    // nothing can be done about it now;
    }
}

Example 4 with AuditRecordFactory

use of password.pwm.svc.event.AuditRecordFactory in project pwm by pwm-project.

the class ForgottenPasswordUtil method doActionSendNewPassword.

static void doActionSendNewPassword(final PwmRequest pwmRequest) throws ChaiUnavailableException, IOException, ServletException, PwmUnrecoverableException {
    final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
    final ForgottenPasswordBean forgottenPasswordBean = ForgottenPasswordServlet.forgottenPasswordBean(pwmRequest);
    final ForgottenPasswordProfile forgottenPasswordProfile = forgottenPasswordProfile(pwmRequest.getPwmApplication(), forgottenPasswordBean);
    final RecoveryAction recoveryAction = ForgottenPasswordUtil.getRecoveryAction(pwmApplication.getConfig(), forgottenPasswordBean);
    LOGGER.trace(pwmRequest, "beginning process to send new password to user");
    if (!forgottenPasswordBean.getProgress().isAllPassed()) {
        return;
    }
    final UserIdentity userIdentity = forgottenPasswordBean.getUserIdentity();
    final ChaiUser theUser = pwmRequest.getPwmApplication().getProxiedChaiUser(userIdentity);
    try {
        // try unlocking user
        theUser.unlockPassword();
        LOGGER.trace(pwmRequest, "unlock account succeeded");
    } catch (ChaiOperationException e) {
        final String errorMsg = "unable to unlock user " + theUser.getEntryDN() + " error: " + e.getMessage();
        final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_UNLOCK_FAILURE, errorMsg);
        LOGGER.error(pwmRequest.getPwmSession(), errorInformation.toDebugStr());
        pwmRequest.respondWithError(errorInformation);
        return;
    }
    try {
        final UserInfo userInfo = UserInfoFactory.newUserInfoUsingProxy(pwmApplication, pwmRequest.getSessionLabel(), userIdentity, pwmRequest.getLocale());
        LOGGER.info(pwmRequest, "user successfully supplied password recovery responses, emailing new password to: " + theUser.getEntryDN());
        // add post change actions
        ForgottenPasswordServlet.addPostChangeAction(pwmRequest, userIdentity);
        // create new password
        final PasswordData newPassword = RandomPasswordGenerator.createRandomPassword(pwmRequest.getSessionLabel(), userInfo.getPasswordPolicy(), pwmApplication);
        LOGGER.trace(pwmRequest, "generated random password value based on password policy for " + userIdentity.toDisplayString());
        // set the password
        try {
            theUser.setPassword(newPassword.getStringValue());
            LOGGER.trace(pwmRequest, "set user " + userIdentity.toDisplayString() + " password to system generated random value");
        } catch (ChaiException e) {
            throw PwmUnrecoverableException.fromChaiException(e);
        }
        if (recoveryAction == RecoveryAction.SENDNEWPW_AND_EXPIRE) {
            LOGGER.debug(pwmRequest, "marking user " + userIdentity.toDisplayString() + " password as expired");
            theUser.expirePassword();
        }
        // mark the event log
        {
            final AuditRecord auditRecord = new AuditRecordFactory(pwmApplication).createUserAuditRecord(AuditEvent.RECOVER_PASSWORD, userIdentity, pwmRequest.getSessionLabel());
            pwmApplication.getAuditManager().submit(auditRecord);
        }
        final MessageSendMethod messageSendMethod = forgottenPasswordProfile.readSettingAsEnum(PwmSetting.RECOVERY_SENDNEWPW_METHOD, MessageSendMethod.class);
        // send email or SMS
        final String toAddress = PasswordUtility.sendNewPassword(userInfo, pwmApplication, newPassword, pwmRequest.getLocale(), messageSendMethod);
        pwmRequest.getPwmResponse().forwardToSuccessPage(Message.Success_PasswordSend, toAddress);
    } catch (PwmException e) {
        LOGGER.warn(pwmRequest, "unexpected error setting new password during recovery process for user: " + e.getMessage());
        pwmRequest.respondWithError(e.getErrorInformation());
    } catch (ChaiOperationException e) {
        final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_UNKNOWN, "unexpected ldap error while processing recovery action " + recoveryAction + ", error: " + e.getMessage());
        LOGGER.warn(pwmRequest, errorInformation.toDebugStr());
        pwmRequest.respondWithError(errorInformation);
    } finally {
        ForgottenPasswordServlet.clearForgottenPasswordBean(pwmRequest);
        // the user should not be authenticated, this is a safety method
        pwmRequest.getPwmSession().unauthenticateUser(pwmRequest);
        // the password set flag should not have been set, this is a safety method
        pwmRequest.getPwmSession().getSessionStateBean().setPasswordModified(false);
    }
}

Example 5 with AuditRecordFactory

use of password.pwm.svc.event.AuditRecordFactory in project pwm by pwm-project.

the class HelpdeskServlet method restClearResponsesHandler.

@ActionHandler(action = "clearResponses")
private ProcessStatus restClearResponsesHandler(final PwmRequest pwmRequest) throws IOException, PwmUnrecoverableException, ServletException, ChaiUnavailableException, PwmOperationalException {
    final UserIdentity userIdentity;
    try {
        userIdentity = readUserKeyRequestParameter(pwmRequest);
    } catch (PwmUnrecoverableException e) {
        pwmRequest.outputJsonResult(RestResultBean.fromError(e.getErrorInformation()));
        return ProcessStatus.Halt;
    }
    final HelpdeskProfile helpdeskProfile = pwmRequest.getPwmSession().getSessionManager().getHelpdeskProfile(pwmRequest.getPwmApplication());
    HelpdeskServletUtil.checkIfUserIdentityViewable(pwmRequest, helpdeskProfile, userIdentity);
    {
        final boolean buttonEnabled = helpdeskProfile.readSettingAsBoolean(PwmSetting.HELPDESK_CLEAR_RESPONSES_BUTTON);
        final HelpdeskClearResponseMode mode = helpdeskProfile.readSettingAsEnum(PwmSetting.HELPDESK_CLEAR_RESPONSES, HelpdeskClearResponseMode.class);
        if (!buttonEnabled && (mode == HelpdeskClearResponseMode.no)) {
            throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_SECURITY_VIOLATION, "setting " + PwmSetting.HELPDESK_CLEAR_RESPONSES_BUTTON.toMenuLocationDebug(helpdeskProfile.getIdentifier(), pwmRequest.getLocale()) + " must be enabled or setting " + PwmSetting.HELPDESK_CLEAR_RESPONSES.toMenuLocationDebug(helpdeskProfile.getIdentifier(), pwmRequest.getLocale()) + "must be set to yes or ask"));
        }
    }
    final ChaiUser chaiUser = getChaiUser(pwmRequest, helpdeskProfile, userIdentity);
    final String userGUID = LdapOperationsHelper.readLdapGuidValue(pwmRequest.getPwmApplication(), pwmRequest.getPwmSession().getLabel(), userIdentity, true);
    final CrService crService = pwmRequest.getPwmApplication().getCrService();
    crService.clearResponses(pwmRequest.getPwmSession().getLabel(), userIdentity, chaiUser, userGUID);
    // mark the event log
    {
        final HelpdeskAuditRecord auditRecord = new AuditRecordFactory(pwmRequest.getPwmApplication(), pwmRequest.getPwmSession()).createHelpdeskAuditRecord(AuditEvent.HELPDESK_CLEAR_RESPONSES, pwmRequest.getPwmSession().getUserInfo().getUserIdentity(), null, userIdentity, pwmRequest.getPwmSession().getSessionStateBean().getSrcAddress(), pwmRequest.getPwmSession().getSessionStateBean().getSrcHostname());
        pwmRequest.getPwmApplication().getAuditManager().submit(auditRecord);
    }
    final RestResultBean restResultBean = RestResultBean.forSuccessMessage(pwmRequest, Message.Success_Unknown);
    pwmRequest.outputJsonResult(restResultBean);
    return ProcessStatus.Halt;
}