Use of password.pwm.util.PasswordData in the project pwm by pwm-project.
From the class ChangePasswordServlet, method processFormAction.
/**
 * Handles the "form" action of the change-password flow.
 *
 * <p>Step one: when the change-password bean requires the current password and the login
 * bean holds one, the submitted {@code currentPassword} parameter is compared with the
 * password kept in the login bean. Step two: the values for the configured
 * {@code PASSWORD_REQUIRE_FORM} are read from the request and validated against LDAP.
 * Failures are reported through {@code setLastError}; every path returns
 * {@code ProcessStatus.Continue}.
 *
 * <p>Security notes:
 * <ul>
 *   <li>The current-password check is skipped when the login bean holds no password, even
 *       if the bean says the current password is required. NOTE(review): confirm this is
 *       intended for logins that do not retain a password.</li>
 *   <li>The comparison is case-insensitive unless the user's policy sets the
 *       {@code CaseSensitive} rule to true.</li>
 *   <li>NOTE(review): whether {@code PasswordData.equals}/{@code equalsIgnoreCase} compare
 *       in constant time is not visible from this method.</li>
 *   <li>A wrong current password marks only the user identity with the intruder manager;
 *       a form validation failure marks the address/session and the user identity.</li>
 * </ul>
 *
 * @param pwmRequest the request being processed
 * @return always {@code ProcessStatus.Continue}
 */
@ActionHandler(action = "form")
ProcessStatus processFormAction(final PwmRequest pwmRequest) throws ServletException, PwmUnrecoverableException, IOException, ChaiUnavailableException {
    final ChangePasswordBean changePasswordBean = pwmRequest.getPwmApplication().getSessionStateService().getBean(pwmRequest, ChangePasswordBean.class);
    final LocalSessionStateBean sessionStateBean = pwmRequest.getPwmSession().getSessionStateBean();
    final UserInfo userInfo = pwmRequest.getPwmSession().getUserInfo();
    final LoginInfoBean loginInfoBean = pwmRequest.getPwmSession().getLoginInfoBean();
    final PasswordData submittedPassword = pwmRequest.readParameterAsPassword("currentPassword");

    // Verify the current password only when it is required AND the session still holds one.
    final boolean verifyCurrentPassword = changePasswordBean.isCurrentPasswordRequired()
            && loginInfoBean.getUserCurrentPassword() != null;
    if (verifyCurrentPassword) {
        if (submittedPassword == null) {
            // The log line names the failure only; no password value is written.
            LOGGER.debug(pwmRequest, "failed password validation check: currentPassword value is missing");
            setLastError(pwmRequest, new ErrorInformation(PwmError.ERROR_MISSING_PARAMETER));
            return ProcessStatus.Continue;
        }

        final boolean caseSensitive = Boolean.parseBoolean(userInfo.getPasswordPolicy().getValue(PwmPasswordRule.CaseSensitive));
        final PasswordData sessionPassword = loginInfoBean.getUserCurrentPassword();
        final boolean matches;
        if (caseSensitive) {
            matches = sessionPassword.equals(submittedPassword);
        } else {
            matches = sessionPassword.equalsIgnoreCase(submittedPassword);
        }

        if (matches) {
            changePasswordBean.setCurrentPasswordPassed(true);
        } else {
            // Count the bad guess against the user identity before reporting the error.
            pwmRequest.getPwmApplication().getIntruderManager().convenience().markUserIdentity(userInfo.getUserIdentity(), pwmRequest.getSessionLabel());
            LOGGER.debug(pwmRequest, "failed password validation check: currentPassword value is incorrect");
            setLastError(pwmRequest, new ErrorInformation(PwmError.ERROR_BAD_CURRENT_PASSWORD));
            return ProcessStatus.Continue;
        }
    }

    final List<FormConfiguration> requiredForm = pwmRequest.getConfig().readSettingAsForm(PwmSetting.PASSWORD_REQUIRE_FORM);
    try {
        // Read the submitted form values and check them against the directory.
        final Map<FormConfiguration, String> submittedValues = FormUtility.readFormValuesFromRequest(pwmRequest, requiredForm, sessionStateBean.getLocale());
        ChangePasswordServletUtil.validateParamsAgainstLDAP(submittedValues, pwmRequest.getPwmSession(), pwmRequest.getPwmSession().getSessionManager().getActor(pwmRequest.getPwmApplication()));
        changePasswordBean.setFormPassed(true);
    } catch (PwmOperationalException e) {
        // A failed form validation counts against the address/session and the user identity.
        pwmRequest.getPwmApplication().getIntruderManager().convenience().markAddressAndSession(pwmRequest.getPwmSession());
        pwmRequest.getPwmApplication().getIntruderManager().convenience().markUserIdentity(userInfo.getUserIdentity(), pwmRequest.getSessionLabel());
        final ErrorInformation errorInformation = e.getErrorInformation();
        LOGGER.debug(pwmRequest, errorInformation);
        setLastError(pwmRequest, errorInformation);
    }
    return ProcessStatus.Continue;
}
Use of password.pwm.util.PasswordData in the project pwm by pwm-project.
From the class LoginServlet, method handleLoginRequest.
/**
 * Authenticates a login-form submission.
 *
 * <p>Order of checks: required parameters, then the captcha (when enabled for the
 * request), then authentication through a {@code SessionAuthenticator}. In
 * {@code passwordOnly} mode the identity already held by the session is authenticated
 * with the submitted password; otherwise the user is searched for by username, context
 * and LDAP profile. After a successful authentication the session is flagged so that its
 * id is recycled, as a defence against session fixation.
 *
 * <p>NOTE(review): the raw password is already a {@code String} in {@code valueMap}, so
 * wrapping it in {@code PasswordData} does not remove that copy from memory.
 *
 * @param pwmRequest   the request being processed
 * @param valueMap     submitted form values keyed by parameter name
 * @param passwordOnly true when only the password is expected and the username is not required
 * @throws PwmOperationalException if the username (unless {@code passwordOnly}) or the
 *         password is missing or empty, or the captcha response is rejected
 */
private void handleLoginRequest(final PwmRequest pwmRequest, final Map<String, String> valueMap, final boolean passwordOnly) throws PwmOperationalException, ChaiUnavailableException, PwmUnrecoverableException, IOException, ServletException {
    final String username = valueMap.get(PwmConstants.PARAM_USERNAME);
    final String rawPassword = valueMap.get(PwmConstants.PARAM_PASSWORD);
    final PasswordData password;
    if (rawPassword == null || rawPassword.length() == 0) {
        // An absent or empty password is treated as missing below.
        password = null;
    } else {
        password = new PasswordData(rawPassword);
    }
    final String context = valueMap.get(PwmConstants.PARAM_CONTEXT);
    final String ldapProfile = valueMap.get(PwmConstants.PARAM_LDAP_PROFILE);
    final String captchaResponse = valueMap.get("g-recaptcha-response");

    final boolean usernameMissing = username == null || username.isEmpty();
    if (usernameMissing && !passwordOnly) {
        throw new PwmOperationalException(new ErrorInformation(PwmError.ERROR_MISSING_PARAMETER, "missing username parameter"));
    }

    if (password == null) {
        throw new PwmOperationalException(new ErrorInformation(PwmError.ERROR_MISSING_PARAMETER, "missing password parameter"));
    }

    // The captcha is verified before any credential reaches the authenticator.
    if (CaptchaUtility.captchaEnabledForRequest(pwmRequest) && !CaptchaUtility.verifyReCaptcha(pwmRequest, captchaResponse)) {
        throw new PwmOperationalException(new ErrorInformation(PwmError.ERROR_BAD_CAPTCHA_RESPONSE, "captcha incorrect"));
    }

    final SessionAuthenticator authenticator = new SessionAuthenticator(pwmRequest.getPwmApplication(), pwmRequest.getPwmSession(), PwmAuthenticationSource.LOGIN_FORM);
    if (!passwordOnly) {
        authenticator.searchAndAuthenticateUser(username, password, context, ldapProfile);
    } else {
        // Re-authenticate the identity the session already holds.
        final UserIdentity sessionIdentity = pwmRequest.getPwmSession().getUserInfo().getUserIdentity();
        authenticator.authenticateUser(sessionIdentity, password);
    }

    // Reaching this point means authentication did not throw, i.e. the login succeeded.
    // Flag the session id for recycling so that a pre-login session id cannot be reused
    // (session fixation).
    pwmRequest.getPwmSession().getSessionStateBean().setSessionIdRecycleNeeded(true);
}
Use of password.pwm.util.PasswordData in the project pwm by pwm-project.
From the class RestRandomPasswordServer, method doOperation.
/**
 * Generates a random password for a REST request and returns it in a {@code JsonOutput}.
 *
 * <p>The default password policy is used when the input is flagged "no user" or carries
 * no username; otherwise the policy of the user resolved from the requested username is
 * used.
 *
 * <p>Security notes:
 * <ul>
 *   <li>The generated password leaves this method as a plain string in
 *       {@code JsonOutput.password}.</li>
 *   <li>NOTE(review): any permission check on the requested username presumably happens
 *       inside {@code RestUtility.resolveRequestedUsername}; it is not visible here.</li>
 *   <li>NOTE(review): the counter incremented is {@code REST_SETPASSWORD} although this
 *       operation only generates a password; confirm that this is the intended
 *       statistic.</li>
 * </ul>
 *
 * @param restRequest the REST request context
 * @param jsonInput   the parsed request body
 * @return the output object carrying the generated password
 * @throws PwmUnrecoverableException declared by this method; the visible code does not throw it directly
 */
private static JsonOutput doOperation(final RestRequest restRequest, final JsonInput jsonInput) throws PwmUnrecoverableException {
    final boolean useDefaultPolicy = jsonInput.isNoUser() || StringUtil.isEmpty(jsonInput.getUsername());

    final PwmPasswordPolicy policy;
    if (!useDefaultPolicy) {
        final TargetUserIdentity target = RestUtility.resolveRequestedUsername(restRequest, jsonInput.getUsername());
        policy = PasswordUtility.readPasswordPolicyForUser(restRequest.getPwmApplication(), restRequest.getSessionLabel(), target.getUserIdentity(), target.getChaiUser(), restRequest.getLocale());
    } else {
        policy = PwmPasswordPolicy.defaultPolicy();
    }

    final RandomPasswordGenerator.RandomGeneratorConfig generatorConfig = jsonInputToRandomConfig(jsonInput, policy);
    final PasswordData generated = RandomPasswordGenerator.createRandomPassword(restRequest.getSessionLabel(), generatorConfig, restRequest.getPwmApplication());

    final JsonOutput result = new JsonOutput();
    result.password = generated.getStringValue();
    StatisticsManager.incrementStat(restRequest.getPwmApplication(), Statistic.REST_SETPASSWORD);
    return result;
}
Use of password.pwm.util.PasswordData in the project pwm by pwm-project.
From the class NamedSecretValue, method toXmlValues.
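/**
 * Serializes the named secrets to XML elements, encrypting each secret with {@code key}.
 *
 * <p>When there are no values, a single empty element named {@code valueElementName} is
 * returned. Otherwise one {@code "value"} element is produced per secret, holding the
 * name, the encrypted secret and one usage element per usage; {@code valueElementName}
 * is not used on that path. Only the name and the usages are written in clear text.
 *
 * @param valueElementName element name used for the empty placeholder element
 * @param key              security key passed to {@code SecureEngine.encryptToString}
 * @return an unmodifiable list of elements (a singleton list when there are no values)
 * @throws RuntimeException if encrypting or building any element fails; the original
 *         exception is attached as the cause
 */
public List<Element> toXmlValues(final String valueElementName, final PwmSecurityKey key) {
    if (values == null) {
        return Collections.singletonList(new Element(valueElementName));
    }

    final List<Element> valuesElement = new ArrayList<>();
    try {
        for (final Map.Entry<String, NamedSecretData> entry : values.entrySet()) {
            final String name = entry.getKey();
            final NamedSecretData secretData = entry.getValue();
            final PasswordData passwordData = secretData.getPassword();
            // The secret is encrypted before it is placed in the element text.
            final String encodedValue = SecureEngine.encryptToString(passwordData.getStringValue(), key, PwmBlockAlgorithm.CONFIG);

            final Element nameElement = new Element(ELEMENT_NAME);
            nameElement.setText(name);
            final Element encodedValueElement = new Element(ELEMENT_PASSWORD);
            encodedValueElement.setText(encodedValue);

            final Element newValueElement = new Element("value");
            newValueElement.addContent(nameElement);
            newValueElement.addContent(encodedValueElement);
            // Use the entry already in hand rather than looking the name up in the map again.
            for (final String usage : secretData.getUsage()) {
                final Element usageElement = new Element(ELEMENT_USAGE);
                usageElement.setText(usage);
                newValueElement.addContent(usageElement);
            }
            valuesElement.add(newValueElement);
        }
    } catch (Exception e) {
        // Keep the cause: the message alone gives no stack trace and reads ": null" for
        // exceptions without a message (for example a NullPointerException).
        throw new RuntimeException("missing required AES and SHA1 libraries, or other crypto fault: " + e.getMessage(), e);
    }
    return Collections.unmodifiableList(valuesElement);
}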
Use of password.pwm.util.PasswordData in the project pwm by pwm-project.
From the class NamedSecretValue, method factory.
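/**
 * Creates the factory that builds {@code NamedSecretValue} instances from their JSON or
 * XML stored form.
 *
 * @return a new {@code StoredValue.StoredValueFactory} for named secrets
 */
public static StoredValue.StoredValueFactory factory() {
    return new StoredValue.StoredValueFactory() {
        /**
         * Builds a value from a JSON map of name to {@code NamedSecretData}.
         *
         * @param value the JSON text
         * @return the value, backed by a {@code LinkedHashMap} copy of the deserialized map
         * @throws IllegalStateException if deserialization or copying fails; the original
         *         exception is attached as the cause
         */
        public NamedSecretValue fromJson(final String value) {
            try {
                final Map<String, NamedSecretData> values = JsonUtil.deserialize(value, new TypeToken<Map<String, NamedSecretData>>() {
                }.getType());
                final Map<String, NamedSecretData> linkedValues = new LinkedHashMap<>(values);
                return new NamedSecretValue(linkedValues);
            } catch (Exception e) {
                // Chain the cause so the underlying parse failure is not lost.
                throw new IllegalStateException("NamedPasswordValue can not be json de-serialized: " + e.getMessage(), e);
            }
        }

        /**
         * Builds a value from the {@code "value"} children of a setting element,
         * decrypting each stored secret with {@code key}.
         *
         * <p>A child that lacks the name element or the password element is skipped
         * without an error.
         *
         * @param settingElement the setting's XML element
         * @param key            security key passed to {@code SecureEngine.decryptStringValue}
         * @return the value holding every decodable named secret, in document order
         * @throws PwmOperationalException with {@code CONFIG_FORMAT_ERROR} if reading or
         *         decrypting any entry fails
         */
        public NamedSecretValue fromXmlElement(final Element settingElement, final PwmSecurityKey key) throws PwmOperationalException, PwmUnrecoverableException {
            final Map<String, NamedSecretData> values = new LinkedHashMap<>();
            final List<Element> valueElements = settingElement.getChildren("value");
            try {
                if (valueElements != null) {
                    for (final Element value : valueElements) {
                        final Element nameElement = value.getChild(ELEMENT_NAME);
                        final Element passwordElement = value.getChild(ELEMENT_PASSWORD);
                        if (nameElement == null || passwordElement == null) {
                            // Incomplete entry: skipped silently.
                            continue;
                        }

                        final String name = nameElement.getText();
                        final String encodedValue = passwordElement.getText();
                        final PasswordData passwordData = new PasswordData(SecureEngine.decryptStringValue(encodedValue, key, PwmBlockAlgorithm.CONFIG));

                        final List<String> strUsages = new ArrayList<>();
                        final List<Element> usages = value.getChildren(ELEMENT_USAGE);
                        if (usages != null) {
                            for (final Element usageElement : usages) {
                                strUsages.add(usageElement.getText());
                            }
                        }
                        values.put(name, new NamedSecretData(passwordData, Collections.unmodifiableList(strUsages)));
                    }
                }
            } catch (Exception e) {
                // NOTE(review): only the message of the original exception survives here;
                // whether ErrorInformation or PwmOperationalException can carry a cause is
                // not visible from this method.
                final String errorMsg = "unable to decode encrypted password value for setting: " + e.getMessage();
                final ErrorInformation errorInfo = new ErrorInformation(PwmError.CONFIG_FORMAT_ERROR, errorMsg);
                throw new PwmOperationalException(errorInfo);
            }
            return new NamedSecretValue(values);
        }
    };
}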