Example 1 with PasswordData
use of password.pwm.util.PasswordData in project pwm by pwm-project.
the class LDAPStatusChecker method doLdapTestUserCheck.
@SuppressWarnings("checkstyle:MethodLength")
public List<HealthRecord> doLdapTestUserCheck(final Configuration config, final LdapProfile ldapProfile, final PwmApplication pwmApplication) {
String testUserDN = ldapProfile.readSettingAsString(PwmSetting.LDAP_TEST_USER_DN);
String proxyUserDN = ldapProfile.readSettingAsString(PwmSetting.LDAP_PROXY_USER_DN);
final PasswordData proxyUserPW = ldapProfile.readSettingAsPassword(PwmSetting.LDAP_PROXY_USER_PASSWORD);
final List<HealthRecord> returnRecords = new ArrayList<>();
if (testUserDN == null || testUserDN.length() < 1) {
return returnRecords;
}
try {
testUserDN = ldapProfile.readCanonicalDN(pwmApplication, testUserDN);
proxyUserDN = ldapProfile.readCanonicalDN(pwmApplication, proxyUserDN);
} catch (PwmUnrecoverableException e) {
final String msgString = e.getMessage();
LOGGER.trace(SessionLabel.HEALTH_SESSION_LABEL, "unexpected error while testing test user (during object creation): message=" + msgString + " debug info: " + JavaHelper.readHostileExceptionMessage(e));
returnRecords.add(HealthRecord.forMessage(HealthMessage.LDAP_TestUserUnexpected, PwmSetting.LDAP_TEST_USER_DN.toMenuLocationDebug(ldapProfile.getIdentifier(), PwmConstants.DEFAULT_LOCALE), msgString));
return returnRecords;
}
if (proxyUserDN.equalsIgnoreCase(testUserDN)) {
returnRecords.add(HealthRecord.forMessage(HealthMessage.LDAP_ProxyTestSameUser, PwmSetting.LDAP_TEST_USER_DN.toMenuLocationDebug(ldapProfile.getIdentifier(), PwmConstants.DEFAULT_LOCALE), PwmSetting.LDAP_PROXY_USER_DN.toMenuLocationDebug(ldapProfile.getIdentifier(), PwmConstants.DEFAULT_LOCALE)));
return returnRecords;
}
ChaiUser theUser = null;
ChaiProvider chaiProvider = null;
try {
try {
chaiProvider = LdapOperationsHelper.createChaiProvider(pwmApplication, SessionLabel.HEALTH_SESSION_LABEL, ldapProfile, config, proxyUserDN, proxyUserPW);
theUser = chaiProvider.getEntryFactory().newChaiUser(testUserDN);
} catch (ChaiUnavailableException e) {
returnRecords.add(HealthRecord.forMessage(HealthMessage.LDAP_TestUserUnavailable, PwmSetting.LDAP_TEST_USER_DN.toMenuLocationDebug(ldapProfile.getIdentifier(), PwmConstants.DEFAULT_LOCALE), e.getMessage()));
return returnRecords;
} catch (Throwable e) {
final String msgString = e.getMessage();
LOGGER.trace(SessionLabel.HEALTH_SESSION_LABEL, "unexpected error while testing test user (during object creation): message=" + msgString + " debug info: " + JavaHelper.readHostileExceptionMessage(e));
returnRecords.add(HealthRecord.forMessage(HealthMessage.LDAP_TestUserUnexpected, PwmSetting.LDAP_TEST_USER_DN.toMenuLocationDebug(ldapProfile.getIdentifier(), PwmConstants.DEFAULT_LOCALE), msgString));
return returnRecords;
}
try {
theUser.readObjectClass();
} catch (ChaiException e) {
returnRecords.add(HealthRecord.forMessage(HealthMessage.LDAP_TestUserError, PwmSetting.LDAP_TEST_USER_DN.toMenuLocationDebug(ldapProfile.getIdentifier(), PwmConstants.DEFAULT_LOCALE), e.getMessage()));
return returnRecords;
}
LOGGER.trace(SessionLabel.HEALTH_SESSION_LABEL, "beginning process to check ldap test user password read/write operations for profile " + ldapProfile.getIdentifier());
try {
final boolean readPwdEnabled = pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.EDIRECTORY_READ_USER_PWD) && theUser.getChaiProvider().getDirectoryVendor() == DirectoryVendor.EDIRECTORY;
if (readPwdEnabled) {
try {
theUser.readPassword();
} catch (Exception e) {
LOGGER.debug(SessionLabel.HEALTH_SESSION_LABEL, "error reading user password from directory " + e.getMessage());
returnRecords.add(HealthRecord.forMessage(HealthMessage.LDAP_TestUserReadPwError, PwmSetting.EDIRECTORY_READ_USER_PWD.toMenuLocationDebug(null, PwmConstants.DEFAULT_LOCALE), PwmSetting.LDAP_TEST_USER_DN.toMenuLocationDebug(ldapProfile.getIdentifier(), PwmConstants.DEFAULT_LOCALE), e.getMessage()));
return returnRecords;
}
} else {
final Locale locale = PwmConstants.DEFAULT_LOCALE;
final UserIdentity userIdentity = new UserIdentity(testUserDN, ldapProfile.getIdentifier());
final PwmPasswordPolicy passwordPolicy = PasswordUtility.readPasswordPolicyForUser(pwmApplication, null, userIdentity, theUser, locale);
boolean doPasswordChange = true;
final int minLifetimeSeconds = passwordPolicy.getRuleHelper().readIntValue(PwmPasswordRule.MinimumLifetime);
if (minLifetimeSeconds > 0) {
final Instant pwdLastModified = PasswordUtility.determinePwdLastModified(pwmApplication, SessionLabel.HEALTH_SESSION_LABEL, userIdentity);
final PasswordStatus passwordStatus;
{
final UserInfo userInfo = UserInfoFactory.newUserInfo(pwmApplication, SessionLabel.HEALTH_SESSION_LABEL, locale, userIdentity, chaiProvider);
passwordStatus = userInfo.getPasswordStatus();
}
{
final boolean withinMinLifetime = PasswordUtility.isPasswordWithinMinimumLifetimeImpl(theUser, SessionLabel.HEALTH_SESSION_LABEL, passwordPolicy, pwdLastModified, passwordStatus);
if (withinMinLifetime) {
LOGGER.trace(SessionLabel.HEALTH_SESSION_LABEL, "skipping test user password set due to password being within minimum lifetime");
doPasswordChange = false;
}
}
}
if (doPasswordChange) {
final PasswordData newPassword = RandomPasswordGenerator.createRandomPassword(null, passwordPolicy, pwmApplication);
try {
theUser.setPassword(newPassword.getStringValue());
LOGGER.debug(SessionLabel.HEALTH_SESSION_LABEL, "set random password on test user " + userIdentity.toDisplayString());
} catch (ChaiException e) {
returnRecords.add(HealthRecord.forMessage(HealthMessage.LDAP_TestUserWritePwError, PwmSetting.LDAP_TEST_USER_DN.toMenuLocationDebug(ldapProfile.getIdentifier(), PwmConstants.DEFAULT_LOCALE), e.getMessage()));
return returnRecords;
}
}
}
} catch (Exception e) {
final String msg = "error setting test user password: " + JavaHelper.readHostileExceptionMessage(e);
LOGGER.error(SessionLabel.HEALTH_SESSION_LABEL, msg, e);
returnRecords.add(HealthRecord.forMessage(HealthMessage.LDAP_TestUserUnexpected, PwmSetting.LDAP_TEST_USER_DN.toMenuLocationDebug(ldapProfile.getIdentifier(), PwmConstants.DEFAULT_LOCALE), msg));
return returnRecords;
}
try {
final UserIdentity userIdentity = new UserIdentity(theUser.getEntryDN(), ldapProfile.getIdentifier());
final UserInfo userInfo = UserInfoFactory.newUserInfo(pwmApplication, SessionLabel.HEALTH_SESSION_LABEL, PwmConstants.DEFAULT_LOCALE, userIdentity, chaiProvider);
userInfo.getPasswordStatus();
userInfo.getAccountExpirationTime();
userInfo.getResponseInfoBean();
userInfo.getPasswordPolicy();
userInfo.getChallengeProfile();
userInfo.getProfileIDs();
userInfo.getOtpUserRecord();
userInfo.getUserGuid();
userInfo.getUsername();
userInfo.getUserEmailAddress();
userInfo.getUserSmsNumber();
} catch (PwmUnrecoverableException e) {
returnRecords.add(new HealthRecord(HealthStatus.WARN, makeLdapTopic(ldapProfile, config), "unable to read test user data: " + e.getMessage()));
return returnRecords;
}
} finally {
if (chaiProvider != null) {
try {
chaiProvider.close();
} catch (Exception e) {
// ignore
}
}
}
returnRecords.add(HealthRecord.forMessage(HealthMessage.LDAP_TestUserOK, ldapProfile.getDisplayName(PwmConstants.DEFAULT_LOCALE)));
return returnRecords;
}
Also used :
Locale(java.util.Locale)
ChaiUnavailableException(com.novell.ldapchai.exception.ChaiUnavailableException)
UserIdentity(password.pwm.bean.UserIdentity)
Instant(java.time.Instant)
ArrayList(java.util.ArrayList)
PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException)
UserInfo(password.pwm.ldap.UserInfo)
PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException)
ChaiException(com.novell.ldapchai.exception.ChaiException)
ChaiUnavailableException(com.novell.ldapchai.exception.ChaiUnavailableException)
MalformedURLException(java.net.MalformedURLException)
UnknownHostException(java.net.UnknownHostException)
ChaiUser(com.novell.ldapchai.ChaiUser)
ChaiProvider(com.novell.ldapchai.provider.ChaiProvider)
PasswordData(password.pwm.util.PasswordData)
PwmPasswordPolicy(password.pwm.config.profile.PwmPasswordPolicy)
PasswordStatus(password.pwm.bean.PasswordStatus)
ChaiException(com.novell.ldapchai.exception.ChaiException)
Example 2 with PasswordData
use of password.pwm.util.PasswordData in project pwm by pwm-project.
the class StoredConfigurationImpl method initNewRandomSecurityKey.
public void initNewRandomSecurityKey() throws PwmUnrecoverableException {
if (!isDefaultValue(PwmSetting.PWM_SECURITY_KEY)) {
return;
}
writeSetting(PwmSetting.PWM_SECURITY_KEY, new PasswordValue(new PasswordData(PwmRandom.getInstance().alphaNumericString(1024))), null);
LOGGER.debug("initialized new random security key");
}
Also used :
PasswordValue(password.pwm.config.value.PasswordValue)
PasswordData(password.pwm.util.PasswordData)
Example 3 with PasswordData
use of password.pwm.util.PasswordData in project pwm by pwm-project.
the class ConfigurationChecker method passwordStrengthChecks.
private List<HealthRecord> passwordStrengthChecks(final Configuration config, final Locale locale) {
final List<HealthRecord> records = new ArrayList<>();
for (final PwmSetting setting : PwmSetting.values()) {
if (setting.getSyntax() == PwmSettingSyntax.PASSWORD) {
if (!setting.getCategory().hasProfiles()) {
if (!config.isDefaultValue(setting)) {
try {
final PasswordData passwordValue = config.readSettingAsPassword(setting);
final int strength = PasswordUtility.judgePasswordStrength(config, passwordValue.getStringValue());
if (strength < 50) {
records.add(HealthRecord.forMessage(HealthMessage.Config_WeakPassword, setting.toMenuLocationDebug(null, locale), String.valueOf(strength)));
}
} catch (Exception e) {
LOGGER.error(SessionLabel.HEALTH_SESSION_LABEL, "error while inspecting setting " + setting.toMenuLocationDebug(null, locale) + ", error: " + e.getMessage());
}
}
}
}
}
for (final LdapProfile profile : config.getLdapProfiles().values()) {
final PwmSetting setting = PwmSetting.LDAP_PROXY_USER_PASSWORD;
try {
final PasswordData passwordValue = profile.readSettingAsPassword(setting);
final int strength = PasswordUtility.judgePasswordStrength(config, passwordValue == null ? null : passwordValue.getStringValue());
if (strength < 50) {
records.add(HealthRecord.forMessage(HealthMessage.Config_WeakPassword, setting.toMenuLocationDebug(profile.getIdentifier(), locale), String.valueOf(strength)));
}
} catch (PwmException e) {
LOGGER.error(SessionLabel.HEALTH_SESSION_LABEL, "error while inspecting setting " + setting.toMenuLocationDebug(profile.getIdentifier(), locale) + ", error: " + e.getMessage());
}
}
return records;
}
Also used :
PwmSetting(password.pwm.config.PwmSetting)
PwmException(password.pwm.error.PwmException)
PasswordData(password.pwm.util.PasswordData)
ArrayList(java.util.ArrayList)
LdapProfile(password.pwm.config.profile.LdapProfile)
URISyntaxException(java.net.URISyntaxException)
PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException)
PwmException(password.pwm.error.PwmException)
Example 4 with PasswordData
use of password.pwm.util.PasswordData in project pwm by pwm-project.
the class LdapOperationsHelper method openProxyChaiProvider.
static ChaiProvider openProxyChaiProvider(final ChaiProviderFactory chaiProviderFactory, final SessionLabel sessionLabel, final LdapProfile ldapProfile, final Configuration config, final StatisticsManager statisticsManager) throws PwmUnrecoverableException {
LOGGER.trace(sessionLabel, "opening new ldap proxy connection");
final String proxyDN = ldapProfile.readSettingAsString(PwmSetting.LDAP_PROXY_USER_DN);
final PasswordData proxyPW = ldapProfile.readSettingAsPassword(PwmSetting.LDAP_PROXY_USER_PASSWORD);
try {
return createChaiProvider(chaiProviderFactory, sessionLabel, ldapProfile, config, proxyDN, proxyPW);
} catch (ChaiUnavailableException e) {
if (statisticsManager != null) {
statisticsManager.incrementValue(Statistic.LDAP_UNAVAILABLE_COUNT);
}
final StringBuilder errorMsg = new StringBuilder();
errorMsg.append("error connecting as proxy user: ");
final PwmError pwmError = PwmError.forChaiError(e.getErrorCode());
if (pwmError != null && pwmError != PwmError.ERROR_UNKNOWN) {
errorMsg.append(new ErrorInformation(pwmError, e.getMessage()).toDebugStr());
} else {
errorMsg.append(e.getMessage());
}
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_DIRECTORY_UNAVAILABLE, errorMsg.toString());
LOGGER.fatal(sessionLabel, "check ldap proxy settings: " + errorInformation.toDebugStr());
throw new PwmUnrecoverableException(errorInformation);
}
}
Also used :
ErrorInformation(password.pwm.error.ErrorInformation)
ChaiUnavailableException(com.novell.ldapchai.exception.ChaiUnavailableException)
PasswordData(password.pwm.util.PasswordData)
PwmError(password.pwm.error.PwmError)
PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException)
Example 5 with PasswordData
use of password.pwm.util.PasswordData in project pwm by pwm-project.
the class LdapOperationsHelper method readLdapPassword.
public static PasswordData readLdapPassword(final PwmApplication pwmApplication, final SessionLabel sessionLabel, final UserIdentity userIdentity) throws ChaiUnavailableException, PwmUnrecoverableException {
if (userIdentity == null || userIdentity.getUserDN() == null || userIdentity.getUserDN().length() < 1) {
throw new NullPointerException("invalid user (null)");
}
final ChaiProvider chaiProvider = pwmApplication.getProxyChaiProvider(userIdentity.getLdapProfileID());
final ChaiUser chaiUser = chaiProvider.getEntryFactory().newChaiUser(userIdentity.getUserDN());
// use chai (nmas) to retrieve user password
if (pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.EDIRECTORY_READ_USER_PWD)) {
String currentPass = null;
try {
final String readPassword = chaiUser.readPassword();
if (readPassword != null && readPassword.length() > 0) {
currentPass = readPassword;
LOGGER.debug(sessionLabel, "successfully retrieved user's current password from ldap, now conducting standard authentication");
}
} catch (Exception e) {
LOGGER.debug(sessionLabel, "unable to retrieve user password from ldap: " + e.getMessage());
}
// actually do the authentication since we have user pw.
if (currentPass != null && currentPass.length() > 0) {
return new PasswordData(currentPass);
}
} else {
LOGGER.trace(sessionLabel, "skipping attempt to read user password, option disabled");
}
return null;
}
Also used :
ChaiProvider(com.novell.ldapchai.provider.ChaiProvider)
ChaiUser(com.novell.ldapchai.ChaiUser)
PasswordData(password.pwm.util.PasswordData)
PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException)
PwmOperationalException(password.pwm.error.PwmOperationalException)
ChaiUnavailableException(com.novell.ldapchai.exception.ChaiUnavailableException)
ChaiOperationException(com.novell.ldapchai.exception.ChaiOperationException)
IOException(java.io.IOException)
Aggregations
PasswordData (password.pwm.util.PasswordData)44
ErrorInformation (password.pwm.error.ErrorInformation)20
PwmUnrecoverableException (password.pwm.error.PwmUnrecoverableException)17
PwmOperationalException (password.pwm.error.PwmOperationalException)12
ChaiUser (com.novell.ldapchai.ChaiUser)10
UserInfo (password.pwm.ldap.UserInfo)10
ChaiProvider (com.novell.ldapchai.provider.ChaiProvider)8
ArrayList (java.util.ArrayList)8
UserIdentity (password.pwm.bean.UserIdentity)7
PwmException (password.pwm.error.PwmException)7
PwmPasswordPolicy (password.pwm.config.profile.PwmPasswordPolicy)6
ChaiOperationException (com.novell.ldapchai.exception.ChaiOperationException)5
LinkedHashMap (java.util.LinkedHashMap)5
ChaiException (com.novell.ldapchai.exception.ChaiException)4
ChaiUnavailableException (com.novell.ldapchai.exception.ChaiUnavailableException)4
Locale (java.util.Locale)4
Map (java.util.Map)4
FormConfiguration (password.pwm.config.value.data.FormConfiguration)4
RandomPasswordGenerator (password.pwm.util.RandomPasswordGenerator)4
PwmSecurityKey (password.pwm.util.secure.PwmSecurityKey)4
