Example 6 with AuditRecordFactory
use of password.pwm.svc.event.AuditRecordFactory in project pwm by pwm-project.
the class HelpdeskServlet method restVerifyVerificationTokenRequest.
@ActionHandler(action = "verifyVerificationToken")
private ProcessStatus restVerifyVerificationTokenRequest(final PwmRequest pwmRequest) throws IOException, PwmUnrecoverableException, ServletException {
final Instant startTime = Instant.now();
final HelpdeskVerificationRequestBean helpdeskVerificationRequestBean = JsonUtil.deserialize(pwmRequest.readRequestBodyAsString(), HelpdeskVerificationRequestBean.class);
final String token = helpdeskVerificationRequestBean.getCode();
final SecureService secureService = pwmRequest.getPwmApplication().getSecureService();
final HelpdeskVerificationRequestBean.TokenData tokenData = secureService.decryptObject(helpdeskVerificationRequestBean.getTokenData(), HelpdeskVerificationRequestBean.TokenData.class);
final UserIdentity userIdentity = UserIdentity.fromKey(helpdeskVerificationRequestBean.getUserKey(), pwmRequest.getPwmApplication());
if (tokenData == null || tokenData.getIssueDate() == null || tokenData.getToken() == null || tokenData.getToken().isEmpty()) {
final String errorMsg = "token data is corrupted";
throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_TOKEN_INCORRECT, errorMsg));
}
final TimeDuration maxTokenAge = new TimeDuration(Long.parseLong(pwmRequest.getConfig().readAppProperty(AppProperty.HELPDESK_TOKEN_MAX_AGE)) * 1000);
final Date maxTokenAgeTimestamp = new Date(System.currentTimeMillis() - maxTokenAge.getTotalMilliseconds());
if (tokenData.getIssueDate().before(maxTokenAgeTimestamp)) {
final String errorMsg = "token is older than maximum issue time (" + maxTokenAge.asCompactString() + ")";
throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_TOKEN_EXPIRED, errorMsg));
}
final boolean passed = tokenData.getToken().equals(token);
final HelpdeskVerificationStateBean verificationStateBean = HelpdeskVerificationStateBean.fromClientString(pwmRequest, helpdeskVerificationRequestBean.getVerificationState());
if (passed) {
final PwmSession pwmSession = pwmRequest.getPwmSession();
final HelpdeskAuditRecord auditRecord = new AuditRecordFactory(pwmRequest).createHelpdeskAuditRecord(AuditEvent.HELPDESK_VERIFY_TOKEN, pwmSession.getUserInfo().getUserIdentity(), null, userIdentity, pwmSession.getSessionStateBean().getSrcAddress(), pwmSession.getSessionStateBean().getSrcHostname());
pwmRequest.getPwmApplication().getAuditManager().submit(auditRecord);
verificationStateBean.addRecord(userIdentity, IdentityVerificationMethod.TOKEN);
} else {
final PwmSession pwmSession = pwmRequest.getPwmSession();
final HelpdeskAuditRecord auditRecord = new AuditRecordFactory(pwmRequest).createHelpdeskAuditRecord(AuditEvent.HELPDESK_VERIFY_TOKEN_INCORRECT, pwmSession.getUserInfo().getUserIdentity(), null, userIdentity, pwmSession.getSessionStateBean().getSrcAddress(), pwmSession.getSessionStateBean().getSrcHostname());
pwmRequest.getPwmApplication().getAuditManager().submit(auditRecord);
}
// add a delay to prevent continuous checks
final long delayMs = Long.parseLong(pwmRequest.getConfig().readAppProperty(AppProperty.HELPDESK_VERIFICATION_INVALID_DELAY_MS));
while (TimeDuration.fromCurrent(startTime).isShorterThan(delayMs)) {
JavaHelper.pause(100);
}
final HelpdeskVerificationResponseBean responseBean = new HelpdeskVerificationResponseBean(passed, verificationStateBean.toClientString(pwmRequest.getPwmApplication()));
final RestResultBean restResultBean = RestResultBean.withData(responseBean);
pwmRequest.outputJsonResult(restResultBean);
return ProcessStatus.Halt;
}
Also used :
SecureService(password.pwm.util.secure.SecureService)
Instant(java.time.Instant)
UserIdentity(password.pwm.bean.UserIdentity)
PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException)
Date(java.util.Date)
HelpdeskAuditRecord(password.pwm.svc.event.HelpdeskAuditRecord)
ErrorInformation(password.pwm.error.ErrorInformation)
AuditRecordFactory(password.pwm.svc.event.AuditRecordFactory)
TimeDuration(password.pwm.util.java.TimeDuration)
PwmSession(password.pwm.http.PwmSession)
RestResultBean(password.pwm.ws.server.RestResultBean)
Example 7 with AuditRecordFactory
use of password.pwm.svc.event.AuditRecordFactory in project pwm by pwm-project.
the class HelpdeskServlet method processExecuteActionRequest.
@ActionHandler(action = "executeAction")
private ProcessStatus processExecuteActionRequest(final PwmRequest pwmRequest) throws ChaiUnavailableException, PwmUnrecoverableException, IOException, ServletException {
final HelpdeskProfile helpdeskProfile = getHelpdeskProfile(pwmRequest);
final String userKey = pwmRequest.readBodyAsJsonStringMap(PwmHttpRequestWrapper.Flag.BypassValidation).get(PwmConstants.PARAM_USERKEY);
if (userKey == null || userKey.length() < 1) {
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_MISSING_PARAMETER, PwmConstants.PARAM_USERKEY + " parameter is missing");
setLastError(pwmRequest, errorInformation);
pwmRequest.respondWithError(errorInformation, false);
return ProcessStatus.Halt;
}
final UserIdentity userIdentity = UserIdentity.fromKey(userKey, pwmRequest.getPwmApplication());
LOGGER.debug(pwmRequest, "received executeAction request for user " + userIdentity.toString());
final List<ActionConfiguration> actionConfigurations = helpdeskProfile.readSettingAsAction(PwmSetting.HELPDESK_ACTIONS);
final String requestedName = pwmRequest.readParameterAsString("name");
ActionConfiguration action = null;
for (final ActionConfiguration loopAction : actionConfigurations) {
if (requestedName != null && requestedName.equals(loopAction.getName())) {
action = loopAction;
break;
}
}
if (action == null) {
final String errorMsg = "request to execute unknown action: " + requestedName;
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_UNKNOWN, errorMsg);
LOGGER.debug(pwmRequest, errorInformation.toDebugStr());
final RestResultBean restResultBean = RestResultBean.fromError(errorInformation, pwmRequest);
pwmRequest.outputJsonResult(restResultBean);
return ProcessStatus.Halt;
}
// check if user should be seen by actor
HelpdeskServletUtil.checkIfUserIdentityViewable(pwmRequest, helpdeskProfile, userIdentity);
final boolean useProxy = helpdeskProfile.readSettingAsBoolean(PwmSetting.HELPDESK_USE_PROXY);
try {
final PwmSession pwmSession = pwmRequest.getPwmSession();
final ChaiUser chaiUser = useProxy ? pwmRequest.getPwmApplication().getProxiedChaiUser(userIdentity) : pwmRequest.getPwmSession().getSessionManager().getActor(pwmRequest.getPwmApplication(), userIdentity);
final MacroMachine macroMachine = MacroMachine.forUser(pwmRequest, userIdentity);
final ActionExecutor actionExecutor = new ActionExecutor.ActionExecutorSettings(pwmRequest.getPwmApplication(), chaiUser).setExpandPwmMacros(true).setMacroMachine(macroMachine).createActionExecutor();
actionExecutor.executeAction(action, pwmRequest.getSessionLabel());
// mark the event log
{
final HelpdeskAuditRecord auditRecord = new AuditRecordFactory(pwmRequest).createHelpdeskAuditRecord(AuditEvent.HELPDESK_ACTION, pwmSession.getUserInfo().getUserIdentity(), action.getName(), userIdentity, pwmSession.getSessionStateBean().getSrcAddress(), pwmSession.getSessionStateBean().getSrcHostname());
pwmRequest.getPwmApplication().getAuditManager().submit(auditRecord);
}
final RestResultBean restResultBean = RestResultBean.forSuccessMessage(pwmRequest.getLocale(), pwmRequest.getConfig(), Message.Success_Action, action.getName());
pwmRequest.outputJsonResult(restResultBean);
return ProcessStatus.Halt;
} catch (PwmOperationalException e) {
LOGGER.error(pwmRequest, e.getErrorInformation().toDebugStr());
final RestResultBean restResultBean = RestResultBean.fromError(e.getErrorInformation(), pwmRequest);
pwmRequest.outputJsonResult(restResultBean);
return ProcessStatus.Halt;
}
}
Also used :
ActionExecutor(password.pwm.util.operations.ActionExecutor)
UserIdentity(password.pwm.bean.UserIdentity)
HelpdeskProfile(password.pwm.config.profile.HelpdeskProfile)
HelpdeskAuditRecord(password.pwm.svc.event.HelpdeskAuditRecord)
PwmOperationalException(password.pwm.error.PwmOperationalException)
ErrorInformation(password.pwm.error.ErrorInformation)
AuditRecordFactory(password.pwm.svc.event.AuditRecordFactory)
ChaiUser(com.novell.ldapchai.ChaiUser)
MacroMachine(password.pwm.util.macro.MacroMachine)
ActionConfiguration(password.pwm.config.value.data.ActionConfiguration)
PwmSession(password.pwm.http.PwmSession)
RestResultBean(password.pwm.ws.server.RestResultBean)
Example 8 with AuditRecordFactory
use of password.pwm.svc.event.AuditRecordFactory in project pwm by pwm-project.
the class HelpdeskServlet method restValidateOtpCodeRequest.
@ActionHandler(action = "validateOtpCode")
private ProcessStatus restValidateOtpCodeRequest(final PwmRequest pwmRequest) throws IOException, PwmUnrecoverableException, ServletException, ChaiUnavailableException {
final HelpdeskProfile helpdeskProfile = getHelpdeskProfile(pwmRequest);
final Instant startTime = Instant.now();
final HelpdeskVerificationRequestBean helpdeskVerificationRequestBean = JsonUtil.deserialize(pwmRequest.readRequestBodyAsString(), HelpdeskVerificationRequestBean.class);
final String userKey = helpdeskVerificationRequestBean.getUserKey();
if (userKey == null || userKey.isEmpty()) {
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_MISSING_PARAMETER, "userKey parameter is missing");
pwmRequest.respondWithError(errorInformation, false);
return ProcessStatus.Halt;
}
final UserIdentity userIdentity = UserIdentity.fromKey(userKey, pwmRequest.getPwmApplication());
if (!helpdeskProfile.readOptionalVerificationMethods().contains(IdentityVerificationMethod.OTP)) {
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_UNAUTHORIZED, "password otp verification request, but otp verify is not enabled");
LOGGER.error(pwmRequest, errorInformation);
pwmRequest.respondWithError(errorInformation);
return ProcessStatus.Halt;
}
final String code = helpdeskVerificationRequestBean.getCode();
final OTPUserRecord otpUserRecord = pwmRequest.getPwmApplication().getOtpService().readOTPUserConfiguration(pwmRequest.getSessionLabel(), userIdentity);
try {
final boolean passed = pwmRequest.getPwmApplication().getOtpService().validateToken(pwmRequest.getSessionLabel(), userIdentity, otpUserRecord, code, false);
final HelpdeskVerificationStateBean verificationStateBean = HelpdeskVerificationStateBean.fromClientString(pwmRequest, helpdeskVerificationRequestBean.getVerificationState());
if (passed) {
final PwmSession pwmSession = pwmRequest.getPwmSession();
final HelpdeskAuditRecord auditRecord = new AuditRecordFactory(pwmRequest).createHelpdeskAuditRecord(AuditEvent.HELPDESK_VERIFY_OTP, pwmSession.getUserInfo().getUserIdentity(), null, userIdentity, pwmSession.getSessionStateBean().getSrcAddress(), pwmSession.getSessionStateBean().getSrcHostname());
pwmRequest.getPwmApplication().getAuditManager().submit(auditRecord);
StatisticsManager.incrementStat(pwmRequest, Statistic.HELPDESK_VERIFY_OTP);
verificationStateBean.addRecord(userIdentity, IdentityVerificationMethod.OTP);
} else {
final PwmSession pwmSession = pwmRequest.getPwmSession();
final HelpdeskAuditRecord auditRecord = new AuditRecordFactory(pwmRequest).createHelpdeskAuditRecord(AuditEvent.HELPDESK_VERIFY_OTP_INCORRECT, pwmSession.getUserInfo().getUserIdentity(), null, userIdentity, pwmSession.getSessionStateBean().getSrcAddress(), pwmSession.getSessionStateBean().getSrcHostname());
pwmRequest.getPwmApplication().getAuditManager().submit(auditRecord);
}
// add a delay to prevent continuous checks
final long delayMs = Long.parseLong(pwmRequest.getConfig().readAppProperty(AppProperty.HELPDESK_VERIFICATION_INVALID_DELAY_MS));
while (TimeDuration.fromCurrent(startTime).isShorterThan(delayMs)) {
JavaHelper.pause(100);
}
final HelpdeskVerificationResponseBean responseBean = new HelpdeskVerificationResponseBean(passed, verificationStateBean.toClientString(pwmRequest.getPwmApplication()));
final RestResultBean restResultBean = RestResultBean.withData(responseBean);
pwmRequest.outputJsonResult(restResultBean);
} catch (PwmOperationalException e) {
pwmRequest.outputJsonResult(RestResultBean.fromError(e.getErrorInformation(), pwmRequest));
}
return ProcessStatus.Halt;
}
Also used :
Instant(java.time.Instant)
UserIdentity(password.pwm.bean.UserIdentity)
HelpdeskProfile(password.pwm.config.profile.HelpdeskProfile)
HelpdeskAuditRecord(password.pwm.svc.event.HelpdeskAuditRecord)
PwmOperationalException(password.pwm.error.PwmOperationalException)
ErrorInformation(password.pwm.error.ErrorInformation)
AuditRecordFactory(password.pwm.svc.event.AuditRecordFactory)
PwmSession(password.pwm.http.PwmSession)
OTPUserRecord(password.pwm.util.operations.otp.OTPUserRecord)
RestResultBean(password.pwm.ws.server.RestResultBean)
Example 9 with AuditRecordFactory
use of password.pwm.svc.event.AuditRecordFactory in project pwm by pwm-project.
the class HelpdeskServlet method restValidateAttributes.
@ActionHandler(action = "validateAttributes")
private ProcessStatus restValidateAttributes(final PwmRequest pwmRequest) throws IOException, PwmUnrecoverableException, ServletException {
final HelpdeskProfile helpdeskProfile = getHelpdeskProfile(pwmRequest);
final Instant startTime = Instant.now();
final String bodyString = pwmRequest.readRequestBodyAsString();
final HelpdeskVerificationRequestBean helpdeskVerificationRequestBean = JsonUtil.deserialize(bodyString, HelpdeskVerificationRequestBean.class);
final UserIdentity userIdentity = UserIdentity.fromKey(helpdeskVerificationRequestBean.getUserKey(), pwmRequest.getPwmApplication());
boolean passed = false;
{
final List<FormConfiguration> verificationForms = helpdeskProfile.readSettingAsForm(PwmSetting.HELPDESK_VERIFICATION_FORM);
if (verificationForms == null || verificationForms.isEmpty()) {
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_INVALID_CONFIG, "attempt to verify ldap attributes with no ldap verification attributes configured");
throw new PwmUnrecoverableException(errorInformation);
}
final Map<String, String> bodyMap = JsonUtil.deserializeStringMap(bodyString);
final ChaiUser chaiUser;
try {
chaiUser = getChaiUser(pwmRequest, helpdeskProfile, userIdentity);
} catch (ChaiUnavailableException e) {
throw new PwmUnrecoverableException(PwmError.forChaiError(e.getErrorCode()));
}
int successCount = 0;
for (final FormConfiguration formConfiguration : verificationForms) {
final String name = formConfiguration.getName();
final String suppliedValue = bodyMap.get(name);
try {
if (chaiUser.compareStringAttribute(name, suppliedValue)) {
successCount++;
}
} catch (ChaiException e) {
LOGGER.error(pwmRequest, "error comparing ldap attribute during verification " + e.getMessage());
}
}
if (successCount == verificationForms.size()) {
passed = true;
}
}
final HelpdeskVerificationStateBean verificationStateBean = HelpdeskVerificationStateBean.fromClientString(pwmRequest, helpdeskVerificationRequestBean.getVerificationState());
if (passed) {
final PwmSession pwmSession = pwmRequest.getPwmSession();
final HelpdeskAuditRecord auditRecord = new AuditRecordFactory(pwmRequest).createHelpdeskAuditRecord(AuditEvent.HELPDESK_VERIFY_ATTRIBUTES, pwmSession.getUserInfo().getUserIdentity(), null, userIdentity, pwmSession.getSessionStateBean().getSrcAddress(), pwmSession.getSessionStateBean().getSrcHostname());
pwmRequest.getPwmApplication().getAuditManager().submit(auditRecord);
verificationStateBean.addRecord(userIdentity, IdentityVerificationMethod.ATTRIBUTES);
} else {
final PwmSession pwmSession = pwmRequest.getPwmSession();
final HelpdeskAuditRecord auditRecord = new AuditRecordFactory(pwmRequest).createHelpdeskAuditRecord(AuditEvent.HELPDESK_VERIFY_ATTRIBUTES_INCORRECT, pwmSession.getUserInfo().getUserIdentity(), null, userIdentity, pwmSession.getSessionStateBean().getSrcAddress(), pwmSession.getSessionStateBean().getSrcHostname());
pwmRequest.getPwmApplication().getAuditManager().submit(auditRecord);
}
// add a delay to prevent continuous checks
final long delayMs = Long.parseLong(pwmRequest.getConfig().readAppProperty(AppProperty.HELPDESK_VERIFICATION_INVALID_DELAY_MS));
while (TimeDuration.fromCurrent(startTime).isShorterThan(delayMs)) {
JavaHelper.pause(100);
}
final HelpdeskVerificationResponseBean responseBean = new HelpdeskVerificationResponseBean(passed, verificationStateBean.toClientString(pwmRequest.getPwmApplication()));
final RestResultBean restResultBean = RestResultBean.withData(responseBean);
pwmRequest.outputJsonResult(restResultBean);
return ProcessStatus.Halt;
}
Also used :
ChaiUnavailableException(com.novell.ldapchai.exception.ChaiUnavailableException)
Instant(java.time.Instant)
UserIdentity(password.pwm.bean.UserIdentity)
HelpdeskProfile(password.pwm.config.profile.HelpdeskProfile)
PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException)
HelpdeskAuditRecord(password.pwm.svc.event.HelpdeskAuditRecord)
ErrorInformation(password.pwm.error.ErrorInformation)
AuditRecordFactory(password.pwm.svc.event.AuditRecordFactory)
ChaiUser(com.novell.ldapchai.ChaiUser)
List(java.util.List)
ArrayList(java.util.ArrayList)
FormConfiguration(password.pwm.config.value.data.FormConfiguration)
ChaiException(com.novell.ldapchai.exception.ChaiException)
PwmSession(password.pwm.http.PwmSession)
Map(java.util.Map)
HashMap(java.util.HashMap)
RestResultBean(password.pwm.ws.server.RestResultBean)
Example 10 with AuditRecordFactory
use of password.pwm.svc.event.AuditRecordFactory in project pwm by pwm-project.
the class HelpdeskServlet method restClearOtpSecret.
@ActionHandler(action = "clearOtpSecret")
private ProcessStatus restClearOtpSecret(final PwmRequest pwmRequest) throws ServletException, IOException, PwmUnrecoverableException, ChaiUnavailableException {
final HelpdeskProfile helpdeskProfile = getHelpdeskProfile(pwmRequest);
final Map<String, String> bodyMap = pwmRequest.readBodyAsJsonStringMap(PwmHttpRequestWrapper.Flag.BypassValidation);
final UserIdentity userIdentity = HelpdeskServletUtil.userIdentityFromMap(pwmRequest, bodyMap);
if (!helpdeskProfile.readSettingAsBoolean(PwmSetting.HELPDESK_CLEAR_OTP_BUTTON)) {
final String errorMsg = "clear otp request, but helpdesk clear otp button is not enabled";
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_SERVICE_NOT_AVAILABLE, errorMsg);
LOGGER.error(pwmRequest, errorMsg);
pwmRequest.respondWithError(errorInformation);
return ProcessStatus.Halt;
}
// clear pwm intruder setting.
pwmRequest.getPwmApplication().getIntruderManager().convenience().clearUserIdentity(userIdentity);
try {
final OtpService service = pwmRequest.getPwmApplication().getOtpService();
service.clearOTPUserConfiguration(pwmRequest.getPwmSession(), userIdentity);
{
// mark the event log
final HelpdeskAuditRecord auditRecord = new AuditRecordFactory(pwmRequest).createHelpdeskAuditRecord(AuditEvent.HELPDESK_CLEAR_OTP_SECRET, pwmRequest.getPwmSession().getUserInfo().getUserIdentity(), null, userIdentity, pwmRequest.getSessionLabel().getSrcAddress(), pwmRequest.getSessionLabel().getSrcHostname());
pwmRequest.getPwmApplication().getAuditManager().submit(auditRecord);
}
} catch (PwmOperationalException e) {
final PwmError returnMsg = e.getError();
final ErrorInformation error = new ErrorInformation(returnMsg, e.getMessage());
pwmRequest.respondWithError(error);
LOGGER.warn(pwmRequest, "error clearing OTP secret for user '" + userIdentity + "'' " + error.toDebugStr() + ", " + e.getMessage());
return ProcessStatus.Halt;
}
final RestResultBean restResultBean = RestResultBean.forSuccessMessage(pwmRequest, Message.Success_Unknown);
pwmRequest.outputJsonResult(restResultBean);
return ProcessStatus.Halt;
}
Also used :
ErrorInformation(password.pwm.error.ErrorInformation)
AuditRecordFactory(password.pwm.svc.event.AuditRecordFactory)
OtpService(password.pwm.util.operations.OtpService)
UserIdentity(password.pwm.bean.UserIdentity)
PwmError(password.pwm.error.PwmError)
HelpdeskProfile(password.pwm.config.profile.HelpdeskProfile)
HelpdeskAuditRecord(password.pwm.svc.event.HelpdeskAuditRecord)
PwmOperationalException(password.pwm.error.PwmOperationalException)
RestResultBean(password.pwm.ws.server.RestResultBean)
Aggregations
AuditRecordFactory (password.pwm.svc.event.AuditRecordFactory)24
ErrorInformation (password.pwm.error.ErrorInformation)14
UserIdentity (password.pwm.bean.UserIdentity)13
PwmUnrecoverableException (password.pwm.error.PwmUnrecoverableException)10
AuditRecord (password.pwm.svc.event.AuditRecord)10
HelpdeskAuditRecord (password.pwm.svc.event.HelpdeskAuditRecord)10
PwmOperationalException (password.pwm.error.PwmOperationalException)9
HelpdeskProfile (password.pwm.config.profile.HelpdeskProfile)8
RestResultBean (password.pwm.ws.server.RestResultBean)8
ChaiUser (com.novell.ldapchai.ChaiUser)7
PwmSession (password.pwm.http.PwmSession)7
PwmException (password.pwm.error.PwmException)6
PwmApplication (password.pwm.PwmApplication)5
ChaiOperationException (com.novell.ldapchai.exception.ChaiOperationException)4
ChaiUnavailableException (com.novell.ldapchai.exception.ChaiUnavailableException)4
IOException (java.io.IOException)4
Instant (java.time.Instant)4
HashMap (java.util.HashMap)3
List (java.util.List)3
Map (java.util.Map)3
