Use of password.pwm.svc.intruder.IntruderManager in project pwm by pwm-project: class LDAPAuthenticationRequest, method authenticateUserImpl.
/**
 * Authenticates {@code userIdentity} against LDAP and builds the {@link AuthenticationResult}.
 *
 * <p>The sequence is: intruder checks for the user and for the request's source address, the
 * account-eligibility check, a bind attempt with the supplied password (skipped entirely for the
 * {@code ADMIN_PROXY} strategy), success statistics, the effective authentication type, the
 * provider to hand back, an audit record and the recent-login bookkeeping. The intruder checks
 * precede any directory bind, so a locked-out user or address never reaches the credential test.
 *
 * <p>A refused bind is tolerated only for the vendor-specific "must change password" /
 * "password expired" conditions below, and only when the matching setting allows it; the
 * result is then {@code AUTH_BIND_INHIBIT} rather than a session bound as the user. Every
 * other bind failure increments {@code AUTHENTICATION_FAILURES} and propagates.
 *
 * @param password the credential to test; it is also carried into the returned result
 * @return the provider to use for the session, the effective authentication type and the password
 * @throws ChaiUnavailableException propagated from the directory calls in the sequence above
 * @throws PwmUnrecoverableException propagated from the checks, provider and audit calls in the sequence above
 * @throws PwmOperationalException when the bind fails and no tolerated vendor condition applies
 */
private AuthenticationResult authenticateUserImpl(final PasswordData password) throws ChaiUnavailableException, PwmUnrecoverableException, PwmOperationalException {
    // Only start the clock if the caller has not already done so; it feeds the timing statistic
    // and the success log line below.
    if (startTime == null) {
        startTime = new Date();
    }

    log(PwmLogLevel.DEBUG, "preparing to authenticate user using authenticationType=" + this.requestedAuthType + " using strategy " + this.strategy);

    final StatisticsManager statisticsManager = pwmApplication.getStatisticsManager();
    final IntruderManager intruderManager = pwmApplication.getIntruderManager();

    // Lock-out checks come first: the user identity, then the request's source address.
    // NOTE(review): neither manager is null-checked here (postAuthenticationSequence checks the
    // statistics manager; postFailureSequence and checkIntruderCount check the intruder manager).
    // A null intruder manager fails this request with an NPE rather than skipping the check —
    // confirm getIntruderManager() cannot return null once the application is running.
    intruderManager.convenience().checkUserIdentity(userIdentity);
    intruderManager.check(RecordType.ADDRESS, sessionLabel.getSrcAddress());

    // verify user is not account disabled
    AuthenticationUtility.checkIfUserEligibleToAuthentication(pwmApplication, userIdentity);

    // ADMIN_PROXY never binds as the user; every other strategy tests the password.
    boolean allowBindAsUser = true;
    if (strategy == AuthenticationStrategy.ADMIN_PROXY) {
        allowBindAsUser = false;
    }

    if (allowBindAsUser) {
        try {
            testCredentials(userIdentity, password);
        } catch (PwmOperationalException e) {
            // A refused bind is tolerated only for the vendor conditions below, and only when the
            // corresponding setting allows it. In that case allowBindAsUser is cleared as well, so
            // the session continues without a user bind (AUTH_BIND_INHIBIT further down).
            boolean permitAuthDespiteError = false;
            final DirectoryVendor vendor = pwmApplication.getProxyChaiProvider(userIdentity.getLdapProfileID()).getDirectoryVendor();
            if (PwmError.PASSWORD_NEW_PASSWORD_REQUIRED == e.getError()) {
                if (vendor == DirectoryVendor.ACTIVE_DIRECTORY) {
                    if (pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.AD_ALLOW_AUTH_REQUIRE_NEW_PWD)) {
                        log(PwmLogLevel.INFO, "auth bind failed, but will allow login due to 'must change password on next login AD error', error: " + e.getErrorInformation().toDebugStr());
                        allowBindAsUser = false;
                        permitAuthDespiteError = true;
                    }
                } else if (vendor == DirectoryVendor.ORACLE_DS) {
                    if (pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.ORACLE_DS_ALLOW_AUTH_REQUIRE_NEW_PWD)) {
                        log(PwmLogLevel.INFO, "auth bind failed, but will allow login due to 'pwdReset' user attribute, error: " + e.getErrorInformation().toDebugStr());
                        allowBindAsUser = false;
                        permitAuthDespiteError = true;
                    }
                }
            } else if (PwmError.PASSWORD_EXPIRED == e.getError()) {
                // handle ad case where password is expired: both AD_ALLOW_AUTH_REQUIRE_NEW_PWD and
                // AD_ALLOW_AUTH_EXPIRED must be enabled; with only the first one set the original
                // exception is rethrown unchanged (and without the failure statistic below).
                if (vendor == DirectoryVendor.ACTIVE_DIRECTORY) {
                    if (pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.AD_ALLOW_AUTH_REQUIRE_NEW_PWD)) {
                        if (!pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.AD_ALLOW_AUTH_EXPIRED)) {
                            throw e;
                        }
                        log(PwmLogLevel.INFO, "auth bind failed, but will allow login due to 'password expired AD error', error: " + e.getErrorInformation().toDebugStr());
                        allowBindAsUser = false;
                        permitAuthDespiteError = true;
                    }
                }
            }
            if (!permitAuthDespiteError) {
                // auth failed, presumably due to wrong password.
                statisticsManager.incrementValue(Statistic.AUTHENTICATION_FAILURES);
                throw e;
            }
        }
    }

    // From here on the authentication counts as successful.
    statisticsManager.incrementValue(Statistic.AUTHENTICATIONS);
    statisticsManager.updateEps(EpsStatistic.AUTHENTICATION, 1);
    statisticsManager.updateAverageValue(Statistic.AVG_AUTHENTICATION_TIME, TimeDuration.fromCurrent(startTime).getTotalMilliseconds());

    // Effective type: a tolerated bind failure (or ADMIN_PROXY) yields AUTH_BIND_INHIBIT; otherwise the
    // requested type is kept, except that null and AUTH_WITHOUT_PASSWORD both become AUTHENTICATED.
    final AuthenticationType returnAuthType;
    if (!allowBindAsUser) {
        returnAuthType = AuthenticationType.AUTH_BIND_INHIBIT;
    } else {
        if (requestedAuthType == null) {
            returnAuthType = AuthenticationType.AUTHENTICATED;
        } else {
            if (requestedAuthType == AuthenticationType.AUTH_WITHOUT_PASSWORD) {
                returnAuthType = AuthenticationType.AUTHENTICATED;
            } else if (requestedAuthType == AuthenticationType.AUTH_FROM_PUBLIC_MODULE) {
                returnAuthType = AuthenticationType.AUTH_FROM_PUBLIC_MODULE;
            } else {
                returnAuthType = requestedAuthType;
            }
        }
    }

    // The provider handed to the session is either a fresh proxy connection or the user's own bind.
    final boolean useProxy = determineIfLdapProxyNeeded(returnAuthType, password);
    final ChaiProvider returnProvider = useProxy ? makeProxyProvider() : userProvider;
    final AuthenticationResult authenticationResult = new AuthenticationResult(returnProvider, returnAuthType, password);

    final StringBuilder debugMsg = new StringBuilder();
    debugMsg.append("successful ldap authentication for ").append(userIdentity);
    debugMsg.append(" (").append(TimeDuration.fromCurrent(startTime).asCompactString()).append(")");
    debugMsg.append(" type: ").append(returnAuthType).append(", using strategy ").append(strategy);
    debugMsg.append(", using proxy connection: ").append(useProxy);
    // returnProvider may be null; the log line says "none" in that case instead of dereferencing it.
    debugMsg.append(", returning bind dn: ").append(returnProvider == null ? "none" : returnProvider.getChaiConfiguration().getSetting(ChaiSetting.BIND_DN));
    log(PwmLogLevel.INFO, debugMsg);

    // Audit trail for the successful authentication, then the recent-login record.
    final MacroMachine macroMachine = MacroMachine.forUser(pwmApplication, PwmConstants.DEFAULT_LOCALE, sessionLabel, userIdentity);
    final AuditRecord auditRecord = new AuditRecordFactory(pwmApplication, macroMachine).createUserAuditRecord(AuditEvent.AUTHENTICATE, this.userIdentity, makeAuditLogMessage(returnAuthType), sessionLabel.getSrcAddress(), sessionLabel.getSrcHostname());
    pwmApplication.getAuditManager().submit(auditRecord);
    pwmApplication.getSessionTrackService().addRecentLogin(userIdentity);

    return authenticationResult;
}
Use of password.pwm.svc.intruder.IntruderManager in project pwm by pwm-project: class SessionAuthenticator, method postAuthenticationSequence.
/**
 * Binds a successful {@link AuthenticationResult} to the current session.
 *
 * <p>Marks the login bean authenticated, installs the result's provider on the session manager,
 * builds and stores the {@link UserInfo} (with the profile's proxy provider for
 * {@code AUTH_BIND_INHIBIT}, with the user's password otherwise), records auth time, type and
 * source plus the password itself, clears the intruder records for the username, identity,
 * source address and session, updates the expiry-related authentication statistics, and drops
 * the session's cached permissions.
 *
 * <p>Statement order matters: {@code pwmSession.setUserInfo(...)} must run before the intruder
 * clear and the statistics, both of which read {@code pwmSession.getUserInfo()}.
 *
 * @param userIdentity the identity that authenticated
 * @param authenticationResult provider, authentication type and password produced by the authentication
 * @throws PwmUnrecoverableException propagated from the calls above
 * @throws ChaiUnavailableException propagated from the calls above
 */
private void postAuthenticationSequence(final UserIdentity userIdentity, final AuthenticationResult authenticationResult) throws PwmUnrecoverableException, ChaiUnavailableException {
    final IntruderManager intruderManager = pwmApplication.getIntruderManager();
    final LocalSessionStateBean ssBean = pwmSession.getSessionStateBean();
    // NOTE(review): later statements re-fetch pwmSession.getLoginInfoBean() instead of reusing this
    // local; presumably the same bean — verify before consolidating.
    final LoginInfoBean loginInfoBean = pwmSession.getLoginInfoBean();

    // auth succeed
    loginInfoBean.setAuthenticated(true);
    loginInfoBean.setUserIdentity(userIdentity);

    // update the session connection
    pwmSession.getSessionManager().setChaiProvider(authenticationResult.getUserProvider());

    // update the actor user info bean
    {
        final UserInfo userInfoBean;
        if (authenticationResult.getAuthenticationType() == AuthenticationType.AUTH_BIND_INHIBIT) {
            // no bind as the user was possible, so the user info is built with the profile's proxy provider
            userInfoBean = UserInfoFactory.newUserInfo(pwmApplication, pwmSession.getLabel(), ssBean.getLocale(), userIdentity, pwmApplication.getProxyChaiProvider(userIdentity.getLdapProfileID()));
        } else {
            userInfoBean = UserInfoFactory.newUserInfoUsingProxy(pwmApplication, pwmSession.getLabel(), userIdentity, ssBean.getLocale(), authenticationResult.getUserPassword());
        }
        pwmSession.setUserInfo(userInfoBean);
    }

    // mark the auth time
    pwmSession.getLoginInfoBean().setAuthTime(Instant.now());

    // update the resulting authType
    pwmSession.getLoginInfoBean().setType(authenticationResult.getAuthenticationType());
    pwmSession.getLoginInfoBean().setAuthSource(authenticationSource);

    // save the password in the login bean
    // NOTE(review): the user's password stays in the session for its whole lifetime; presumably
    // needed for later operations performed as the user — verify against the consumers of
    // getUserCurrentPassword() before changing this.
    final PasswordData userPassword = authenticationResult.getUserPassword();
    pwmSession.getLoginInfoBean().setUserCurrentPassword(userPassword);

    // notify the intruder manager with a successful login: reset the counters for the username,
    // the identity, and the source address / session
    intruderManager.clear(RecordType.USERNAME, pwmSession.getUserInfo().getUsername());
    intruderManager.convenience().clearUserIdentity(userIdentity);
    intruderManager.convenience().clearAddressAndSession(pwmSession);

    // Statistics are optional here (null-checked), unlike in the authentication itself.
    if (pwmApplication.getStatisticsManager() != null) {
        final StatisticsManager statisticsManager = pwmApplication.getStatisticsManager();
        if (pwmSession.getUserInfo().getPasswordStatus().isWarnPeriod()) {
            statisticsManager.incrementValue(Statistic.AUTHENTICATION_EXPIRED_WARNING);
        } else if (pwmSession.getUserInfo().getPasswordStatus().isPreExpired()) {
            statisticsManager.incrementValue(Statistic.AUTHENTICATION_PRE_EXPIRED);
        } else if (pwmSession.getUserInfo().getPasswordStatus().isExpired()) {
            statisticsManager.incrementValue(Statistic.AUTHENTICATION_EXPIRED);
        }
    }

    // clear permission cache - needs rechecking after login
    LOGGER.debug(pwmSession, "clearing permission cache");
    pwmSession.getUserSessionDataCacheBean().clearPermissions();
}
Use of password.pwm.svc.intruder.IntruderManager in project pwm by pwm-project: class SessionAuthenticator, method postFailureSequence.
/**
 * Records a failed authentication attempt with the intruder manager.
 *
 * <p>The failure is always logged. When an intruder manager is available, the source address
 * and session are marked, and so are the username and the resolved identity when the caller
 * supplied them.
 *
 * @param exception the failure being recorded; only its message is logged
 * @param username the login name that was attempted, or {@code null} if not known
 * @param userIdentity the resolved identity, or {@code null} if resolution did not get that far
 * @throws PwmUnrecoverableException propagated from the intruder manager
 */
private void postFailureSequence(final PwmOperationalException exception, final String username, final UserIdentity userIdentity) throws PwmUnrecoverableException {
    LOGGER.error(sessionLabel, "ldap error during search: " + exception.getMessage());

    final IntruderManager intruders = pwmApplication.getIntruderManager();
    if (intruders == null) {
        // nothing to record against; the failure is still logged above
        return;
    }

    intruders.convenience().markAddressAndSession(pwmSession);

    if (username != null) {
        intruders.mark(RecordType.USERNAME, username, pwmSession.getLabel());
    }

    if (userIdentity != null) {
        intruders.convenience().markUserIdentity(userIdentity, sessionLabel);
    }
}
Use of password.pwm.svc.intruder.IntruderManager in project pwm by pwm-project: class CaptchaUtility, method checkIntruderCount.
/**
 * Decides whether the intruder counters are high enough to require a captcha.
 *
 * <p>A trigger setting of 0 requires the captcha unconditionally. Otherwise the session's own
 * attempt counter is consulted first, and only then the intruder service's count for the
 * request's network endpoint. When the intruder service is absent or not {@code OPEN} the
 * network-level count is not consulted and the method answers {@code false} (unless the session
 * counter already answered {@code true}).
 *
 * @param pwmRequest the request whose session and network endpoint are examined
 * @return {@code true} if a captcha should be required for this request
 */
private static boolean checkIntruderCount(final PwmRequest pwmRequest) {
    final long triggerCount = pwmRequest.getConfig().readSettingAsLong(PwmSetting.CAPTCHA_INTRUDER_COUNT_TRIGGER);
    if (triggerCount == 0) {
        // zero means "always require"
        return true;
    }

    final int sessionAttempts = pwmRequest.getPwmSession().getSessionStateBean().getIntruderAttempts();
    final boolean sessionOverLimit = sessionAttempts >= triggerCount;
    if (sessionOverLimit) {
        LOGGER.debug(pwmRequest, "session intruder attempt count '" + sessionAttempts + "', therefore captcha will be required");
        return true;
    }

    final IntruderManager intruders = pwmRequest.getPwmApplication().getIntruderManager();
    final boolean intruderServiceUsable = intruders != null && intruders.status() == PwmService.STATUS.OPEN;
    if (!intruderServiceUsable) {
        // the network-level count cannot be read; only the session counter above applies
        return false;
    }

    final int networkAttempts = intruders.countForNetworkEndpointInRequest(pwmRequest);
    final boolean networkOverLimit = networkAttempts >= triggerCount;
    if (networkOverLimit) {
        LOGGER.debug(pwmRequest, "network intruder attempt count '" + networkAttempts + "', therefore captcha will be required");
    }
    return networkOverLimit;
}
Use of password.pwm.svc.intruder.IntruderManager in project pwm by pwm-project: class HelpdeskServlet, method restUnlockIntruder.
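/**
 * Helpdesk action that clears the intruder lock-out and the directory password lock of a
 * target user identified by the {@code userKey} request parameter.
 *
 * <p>Flow: resolve the helpdesk profile, reject a missing {@code userKey}, resolve the identity,
 * reject the request when the profile does not enable unlock, clear the target's pwm intruder
 * records, then resolve the directory user, send the unlock notice, unlock the password and
 * write a helpdesk audit record. Directory errors are mapped to a {@link PwmError} and returned
 * to the caller.
 *
 * <p>Changes from the previous revision: the Chai error code is mapped once per catch block
 * instead of twice, and the warn message on {@link ChaiOperationException} no longer doubles
 * the closing quote around the user and names the operation (unlock) correctly, so the log
 * trail reflects what was actually attempted.
 *
 * @param pwmRequest the current request
 * @return always {@link ProcessStatus#Halt}; the response has been written
 * @throws PwmUnrecoverableException propagated from profile, identity and directory-user resolution
 * @throws ChaiUnavailableException if the directory cannot be reached
 * @throws IOException if writing the response fails
 * @throws ServletException propagated from the request handling
 */
@ActionHandler(action = "unlockIntruder")
private ProcessStatus restUnlockIntruder(final PwmRequest pwmRequest) throws PwmUnrecoverableException, ChaiUnavailableException, IOException, ServletException {
    final HelpdeskProfile helpdeskProfile = getHelpdeskProfile(pwmRequest);

    final String userKey = pwmRequest.readParameterAsString(PwmConstants.PARAM_USERKEY, PwmHttpRequestWrapper.Flag.BypassValidation);
    if (userKey.isEmpty()) {
        final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_MISSING_PARAMETER, "userKey parameter is missing");
        pwmRequest.respondWithError(errorInformation, false);
        return ProcessStatus.Halt;
    }

    final UserIdentity userIdentity = UserIdentity.fromKey(userKey, pwmRequest.getPwmApplication());

    // Profile-level authorization: the unlock feature must be enabled for this helpdesk profile.
    if (!helpdeskProfile.readSettingAsBoolean(PwmSetting.HELPDESK_ENABLE_UNLOCK)) {
        final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_UNAUTHORIZED, "password unlock request, but helpdesk unlock is not enabled");
        LOGGER.error(pwmRequest, errorInformation);
        pwmRequest.respondWithError(errorInformation);
        return ProcessStatus.Halt;
    }

    // clear pwm intruder setting.
    // NOTE(review): this runs before getChaiUser(); if that call is where the profile's target-user
    // scope is enforced, the intruder reset is applied to any resolvable userKey and is not covered
    // by the audit record written below (which only follows a successful directory unlock) — confirm.
    {
        final IntruderManager intruderManager = pwmRequest.getPwmApplication().getIntruderManager();
        intruderManager.convenience().clearUserIdentity(userIdentity);
    }

    try {
        final ChaiUser chaiUser = getChaiUser(pwmRequest, helpdeskProfile, userIdentity);

        // send notice email
        HelpdeskServletUtil.sendUnlockNoticeEmail(pwmRequest, helpdeskProfile, userIdentity, chaiUser);

        chaiUser.unlockPassword();
        {
            // mark the event log
            final HelpdeskAuditRecord auditRecord = new AuditRecordFactory(pwmRequest).createHelpdeskAuditRecord(AuditEvent.HELPDESK_UNLOCK_PASSWORD, pwmRequest.getPwmSession().getUserInfo().getUserIdentity(), null, userIdentity, pwmRequest.getSessionLabel().getSrcAddress(), pwmRequest.getSessionLabel().getSrcHostname());
            pwmRequest.getPwmApplication().getAuditManager().submit(auditRecord);
        }
    } catch (ChaiPasswordPolicyException e) {
        // an unmapped policy error is reported as a generic validation failure
        final PwmError mappedError = PwmError.forChaiError(e.getErrorCode());
        pwmRequest.respondWithError(new ErrorInformation(mappedError == null ? PwmError.PASSWORD_UNKNOWN_VALIDATION : mappedError));
        LOGGER.trace(pwmRequest, "ChaiPasswordPolicyException was thrown while unlocking password: " + e.toString());
        return ProcessStatus.Halt;
    } catch (ChaiOperationException e) {
        // map the Chai code once; an unmapped code becomes ERROR_UNKNOWN
        final PwmError mappedError = PwmError.forChaiError(e.getErrorCode());
        final PwmError returnMsg = mappedError == null ? PwmError.ERROR_UNKNOWN : mappedError;
        final ErrorInformation error = new ErrorInformation(returnMsg, e.getMessage());
        pwmRequest.respondWithError(error);
        LOGGER.warn(pwmRequest, "error unlocking password for user '" + userIdentity.toDisplayString() + "' " + error.toDebugStr() + ", " + e.getMessage());
        return ProcessStatus.Halt;
    }

    final RestResultBean restResultBean = RestResultBean.forSuccessMessage(pwmRequest, Message.Success_Unknown);
    pwmRequest.outputJsonResult(restResultBean);
    return ProcessStatus.Halt;
}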