
Example 16 with PasswordData

use of password.pwm.util.PasswordData in project pwm by pwm-project.

the class ChangePasswordServlet method processFormAction.

/**
 * Handles the "form" action of the change-password flow.
 *
 * <p>Two checks run in order. First, when the change-password bean requires the current
 * password and the login bean holds one for this session, the submitted
 * {@code currentPassword} parameter is compared against that session-held value. Second,
 * the configured {@code PASSWORD_REQUIRE_FORM} fields are read from the request and
 * validated through {@code ChangePasswordServletUtil.validateParamsAgainstLDAP}.
 * Each check records its outcome on the bean; a failed check sets the request's last error
 * and marks the intruder manager.
 *
 * <p>NOTE(review): if the current password is required but the login bean has none stored,
 * the comparison is skipped and {@code setCurrentPasswordPassed(true)} is never called here.
 * Confirm that the later steps of the flow refuse to proceed in that state.
 *
 * @param pwmRequest the request being processed
 * @return always {@code ProcessStatus.Continue}; failures are reported through the last-error
 *         slot of the request rather than through the return value
 */
@ActionHandler(action = "form")
ProcessStatus processFormAction(final PwmRequest pwmRequest) throws ServletException, PwmUnrecoverableException, IOException, ChaiUnavailableException {
    final ChangePasswordBean changePasswordBean = pwmRequest.getPwmApplication().getSessionStateService().getBean(pwmRequest, ChangePasswordBean.class);
    final LocalSessionStateBean sessionStateBean = pwmRequest.getPwmSession().getSessionStateBean();
    final UserInfo userInfo = pwmRequest.getPwmSession().getUserInfo();
    final LoginInfoBean loginInfoBean = pwmRequest.getPwmSession().getLoginInfoBean();
    final PasswordData suppliedPassword = pwmRequest.readParameterAsPassword("currentPassword");

    // Step 1: verify the current password, but only when it is both required and available.
    final boolean mustVerifyCurrentPassword = changePasswordBean.isCurrentPasswordRequired()
            && loginInfoBean.getUserCurrentPassword() != null;
    if (mustVerifyCurrentPassword) {
        if (suppliedPassword == null) {
            LOGGER.debug(pwmRequest, "failed password validation check: currentPassword value is missing");
            setLastError(pwmRequest, new ErrorInformation(PwmError.ERROR_MISSING_PARAMETER));
            return ProcessStatus.Continue;
        }

        // The password policy decides whether the comparison ignores case.
        final boolean caseSensitive = Boolean.parseBoolean(userInfo.getPasswordPolicy().getValue(PwmPasswordRule.CaseSensitive));
        final PasswordData sessionPassword = loginInfoBean.getUserCurrentPassword();
        // NOTE(review): whether PasswordData.equals/equalsIgnoreCase compare in constant time
        // is not visible here; confirm in PasswordData.
        final boolean matches;
        if (caseSensitive) {
            matches = sessionPassword.equals(suppliedPassword);
        } else {
            matches = sessionPassword.equalsIgnoreCase(suppliedPassword);
        }

        if (!matches) {
            // A wrong current password is recorded against the user identity with the intruder manager.
            pwmRequest.getPwmApplication().getIntruderManager().convenience().markUserIdentity(userInfo.getUserIdentity(), pwmRequest.getSessionLabel());
            LOGGER.debug(pwmRequest, "failed password validation check: currentPassword value is incorrect");
            setLastError(pwmRequest, new ErrorInformation(PwmError.ERROR_BAD_CURRENT_PASSWORD));
            return ProcessStatus.Continue;
        }
        changePasswordBean.setCurrentPasswordPassed(true);
    }

    // Step 2: read the required form fields and validate them.
    final List<FormConfiguration> requiredFormItems = pwmRequest.getConfig().readSettingAsForm(PwmSetting.PASSWORD_REQUIRE_FORM);
    try {
        final Map<FormConfiguration, String> submittedValues = FormUtility.readFormValuesFromRequest(pwmRequest, requiredFormItems, sessionStateBean.getLocale());
        ChangePasswordServletUtil.validateParamsAgainstLDAP(submittedValues, pwmRequest.getPwmSession(), pwmRequest.getPwmSession().getSessionManager().getActor(pwmRequest.getPwmApplication()));
        changePasswordBean.setFormPassed(true);
    } catch (PwmOperationalException e) {
        // A failed form validation marks both the address/session and the user identity.
        pwmRequest.getPwmApplication().getIntruderManager().convenience().markAddressAndSession(pwmRequest.getPwmSession());
        pwmRequest.getPwmApplication().getIntruderManager().convenience().markUserIdentity(userInfo.getUserIdentity(), pwmRequest.getSessionLabel());
        LOGGER.debug(pwmRequest, e.getErrorInformation());
        setLastError(pwmRequest, e.getErrorInformation());
    }
    return ProcessStatus.Continue;
}
Also used : ChangePasswordBean(password.pwm.http.bean.ChangePasswordBean) ErrorInformation(password.pwm.error.ErrorInformation) LoginInfoBean(password.pwm.bean.LoginInfoBean) PasswordData(password.pwm.util.PasswordData) LocalSessionStateBean(password.pwm.bean.LocalSessionStateBean) UserInfo(password.pwm.ldap.UserInfo) FormConfiguration(password.pwm.config.value.data.FormConfiguration) PwmOperationalException(password.pwm.error.PwmOperationalException)

Example 17 with PasswordData

use of password.pwm.util.PasswordData in project pwm by pwm-project.

the class LoginServlet method handleLoginRequest.

/**
 * Processes a submitted login form.
 *
 * <p>The order of operations is: validate that the required parameters are present, verify the
 * captcha when one is enabled for the request, then authenticate. No authentication attempt is
 * made until the captcha check has passed. On success the session id is flagged for recycling.
 *
 * <p>NOTE(review): the password arrives as a {@code String} inside {@code valueMap}, so a
 * plaintext copy exists outside of {@code PasswordData} for as long as that map is reachable.
 *
 * @param pwmRequest   the request being processed
 * @param valueMap     submitted form values keyed by parameter name
 * @param passwordOnly when {@code true}, the username is not required and the user identity
 *                     already attached to the session is authenticated with the password
 * @throws PwmOperationalException if the username (when required) or password is missing, or
 *                                 the captcha response is rejected
 */
private void handleLoginRequest(final PwmRequest pwmRequest, final Map<String, String> valueMap, final boolean passwordOnly) throws PwmOperationalException, ChaiUnavailableException, PwmUnrecoverableException, IOException, ServletException {
    final String username = valueMap.get(PwmConstants.PARAM_USERNAME);
    final String rawPassword = valueMap.get(PwmConstants.PARAM_PASSWORD);

    // An absent or empty password is treated as "no password supplied".
    final PasswordData password;
    if (rawPassword == null || rawPassword.isEmpty()) {
        password = null;
    } else {
        password = new PasswordData(rawPassword);
    }

    final String context = valueMap.get(PwmConstants.PARAM_CONTEXT);
    final String ldapProfile = valueMap.get(PwmConstants.PARAM_LDAP_PROFILE);
    final String captchaToken = valueMap.get("g-recaptcha-response");

    final boolean usernameMissing = username == null || username.isEmpty();
    if (usernameMissing && !passwordOnly) {
        throw new PwmOperationalException(new ErrorInformation(PwmError.ERROR_MISSING_PARAMETER, "missing username parameter"));
    }
    if (password == null) {
        throw new PwmOperationalException(new ErrorInformation(PwmError.ERROR_MISSING_PARAMETER, "missing password parameter"));
    }

    // The captcha gate sits in front of every authentication attempt made from this form.
    if (CaptchaUtility.captchaEnabledForRequest(pwmRequest) && !CaptchaUtility.verifyReCaptcha(pwmRequest, captchaToken)) {
        throw new PwmOperationalException(new ErrorInformation(PwmError.ERROR_BAD_CAPTCHA_RESPONSE, "captcha incorrect"));
    }

    final SessionAuthenticator authenticator = new SessionAuthenticator(pwmRequest.getPwmApplication(), pwmRequest.getPwmSession(), PwmAuthenticationSource.LOGIN_FORM);
    if (!passwordOnly) {
        authenticator.searchAndAuthenticateUser(username, password, context, ldapProfile);
    } else {
        // Password-only mode re-authenticates the identity the session already carries.
        final UserIdentity sessionIdentity = pwmRequest.getPwmSession().getUserInfo().getUserIdentity();
        authenticator.authenticateUser(sessionIdentity, password);
    }

    // Reaching this point means no authentication exception was thrown, i.e. login succeeded.
    // Request a new session id so that an id known before login cannot be reused afterwards
    // (session fixation defence).
    pwmRequest.getPwmSession().getSessionStateBean().setSessionIdRecycleNeeded(true);
}
Also used : ErrorInformation(password.pwm.error.ErrorInformation) SessionAuthenticator(password.pwm.ldap.auth.SessionAuthenticator) PasswordData(password.pwm.util.PasswordData) UserIdentity(password.pwm.bean.UserIdentity) PwmOperationalException(password.pwm.error.PwmOperationalException)

Example 18 with PasswordData

use of password.pwm.util.PasswordData in project pwm by pwm-project.

the class RestRandomPasswordServer method doOperation.

/**
 * Generates a random password for the REST random-password endpoint.
 *
 * <p>When the request names a user (and does not set the no-user flag), that user's password
 * policy is resolved and used to shape the generator configuration; otherwise the default
 * policy is used. The generated password is returned in plaintext in the JSON output.
 *
 * @param restRequest the REST request being served
 * @param jsonInput   the parsed request body
 * @return a {@code JsonOutput} whose {@code password} field holds the generated value
 * @throws PwmUnrecoverableException propagated from username resolution, policy lookup or
 *                                   password generation
 */
private static JsonOutput doOperation(final RestRequest restRequest, final JsonInput jsonInput) throws PwmUnrecoverableException {
    final PwmPasswordPolicy policy;
    if (!jsonInput.isNoUser() && !StringUtil.isEmpty(jsonInput.getUsername())) {
        // A target user was named: generate against that user's effective policy.
        final TargetUserIdentity target = RestUtility.resolveRequestedUsername(restRequest, jsonInput.getUsername());
        policy = PasswordUtility.readPasswordPolicyForUser(restRequest.getPwmApplication(), restRequest.getSessionLabel(), target.getUserIdentity(), target.getChaiUser(), restRequest.getLocale());
    } else {
        policy = PwmPasswordPolicy.defaultPolicy();
    }

    final RandomPasswordGenerator.RandomGeneratorConfig generatorConfig = jsonInputToRandomConfig(jsonInput, policy);
    final PasswordData generated = RandomPasswordGenerator.createRandomPassword(restRequest.getSessionLabel(), generatorConfig, restRequest.getPwmApplication());

    final JsonOutput result = new JsonOutput();
    // The plaintext value leaves PasswordData here; it is the payload of the response.
    result.password = generated.getStringValue();

    // NOTE(review): this increments REST_SETPASSWORD although no password is set by this
    // operation; confirm that this is the intended statistic for the random-password endpoint.
    StatisticsManager.incrementStat(restRequest.getPwmApplication(), Statistic.REST_SETPASSWORD);
    return result;
}
Also used : PasswordData(password.pwm.util.PasswordData) PwmPasswordPolicy(password.pwm.config.profile.PwmPasswordPolicy) RandomPasswordGenerator(password.pwm.util.RandomPasswordGenerator)

Example 19 with PasswordData

use of password.pwm.util.PasswordData in project pwm by pwm-project.

the class NamedSecretValue method toXmlValues.

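/**
 * Serializes the named secrets to XML, encrypting every password with the supplied key.
 *
 * <p>Each entry becomes a {@code <value>} element containing the secret's name, its password
 * encrypted via {@code SecureEngine.encryptToString} with {@code PwmBlockAlgorithm.CONFIG},
 * and one usage element per usage string. Only the encrypted form of the password is written
 * to the returned elements.
 *
 * <p>NOTE(review): {@code valueElementName} is used only for the empty placeholder returned
 * when there are no values; populated entries always use the literal element name
 * {@code "value"}. Confirm that this asymmetry is intended.
 *
 * @param valueElementName element name used for the single empty element returned when this
 *                         value holds no secrets
 * @param key              key used to encrypt each password
 * @return an unmodifiable list of elements, one per named secret, or a singleton list holding
 *         one empty element when {@code values} is {@code null}
 * @throws RuntimeException if any entry fails to encrypt or serialize; the underlying
 *                          exception is attached as the cause
 */
public List<Element> toXmlValues(final String valueElementName, final PwmSecurityKey key) {
    if (values == null) {
        final Element valueElement = new Element(valueElementName);
        return Collections.singletonList(valueElement);
    }
    final List<Element> valuesElement = new ArrayList<>();
    try {
        for (final Map.Entry<String, NamedSecretData> entry : values.entrySet()) {
            final String name = entry.getKey();
            // Use the entry's value directly instead of looking the name up in the map again.
            final NamedSecretData secretData = entry.getValue();
            final PasswordData passwordData = secretData.getPassword();
            // The plaintext exists only as the argument to the encrypt call; it is never
            // written to an element.
            final String encodedValue = SecureEngine.encryptToString(passwordData.getStringValue(), key, PwmBlockAlgorithm.CONFIG);
            final Element newValueElement = new Element("value");
            final Element nameElement = new Element(ELEMENT_NAME);
            nameElement.setText(name);
            final Element encodedValueElement = new Element(ELEMENT_PASSWORD);
            encodedValueElement.setText(encodedValue);
            newValueElement.addContent(nameElement);
            newValueElement.addContent(encodedValueElement);
            for (final String usage : secretData.getUsage()) {
                final Element usageElement = new Element(ELEMENT_USAGE);
                usageElement.setText(usage);
                newValueElement.addContent(usageElement);
            }
            valuesElement.add(newValueElement);
        }
    } catch (Exception e) {
        // The catch is broad, so non-crypto failures (for example a null entry) also land here.
        // Attaching the cause keeps the real failure diagnosable; the message text is unchanged.
        throw new RuntimeException("missing required AES and SHA1 libraries, or other crypto fault: " + e.getMessage(), e);
    }
    return Collections.unmodifiableList(valuesElement);
}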
Also used : NamedSecretData(password.pwm.config.value.data.NamedSecretData) PasswordData(password.pwm.util.PasswordData) Element(org.jdom2.Element) ArrayList(java.util.ArrayList) LinkedHashMap(java.util.LinkedHashMap) Map(java.util.Map) PwmOperationalException(password.pwm.error.PwmOperationalException) PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException)

Example 20 with PasswordData

use of password.pwm.util.PasswordData in project pwm by pwm-project.

the class NamedSecretValue method factory.

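/**
 * Creates the factory that rebuilds a {@code NamedSecretValue} from its JSON or XML form.
 *
 * <p>The JSON path deserializes a map of name to {@code NamedSecretData} directly. The XML
 * path decrypts each stored password with the supplied key using
 * {@code PwmBlockAlgorithm.CONFIG} and wraps it in {@code PasswordData}.
 *
 * @return a new factory instance
 */
public static StoredValue.StoredValueFactory factory() {
    return new StoredValue.StoredValueFactory() {

        /**
         * Rebuilds the value from JSON.
         *
         * @param value JSON text holding a map of secret name to secret data
         * @return the reconstructed value, with entries copied into a {@code LinkedHashMap}
         * @throws IllegalStateException if deserialization or copying fails; the underlying
         *                               exception is attached as the cause
         */
        public NamedSecretValue fromJson(final String value) {
            try {
                final Map<String, NamedSecretData> values = JsonUtil.deserialize(value, new TypeToken<Map<String, NamedSecretData>>() {
                }.getType());
                final Map<String, NamedSecretData> linkedValues = new LinkedHashMap<>(values);
                return new NamedSecretValue(linkedValues);
            } catch (Exception e) {
                // Keep the original failure as the cause so it is not reduced to its message.
                throw new IllegalStateException("NamedPasswordValue can not be json de-serialized: " + e.getMessage(), e);
            }
        }

        /**
         * Rebuilds the value from its XML setting element, decrypting each password.
         *
         * <p>A {@code value} child that lacks either the name or the password element is
         * skipped without any error or log entry.
         *
         * @param settingElement the setting element whose {@code value} children are read
         * @param key            key used to decrypt each stored password
         * @return the reconstructed value; empty when no usable children are present
         * @throws PwmOperationalException with {@code CONFIG_FORMAT_ERROR} if any entry fails
         *                                 to decrypt or parse
         */
        public NamedSecretValue fromXmlElement(final Element settingElement, final PwmSecurityKey key) throws PwmOperationalException, PwmUnrecoverableException {
            final Map<String, NamedSecretData> values = new LinkedHashMap<>();
            final List<Element> valueElements = settingElement.getChildren("value");
            try {
                if (valueElements != null) {
                    for (final Element value : valueElements) {
                        final Element nameElement = value.getChild(ELEMENT_NAME);
                        final Element passwordElement = value.getChild(ELEMENT_PASSWORD);
                        if (nameElement == null || passwordElement == null) {
                            // Incomplete entry: ignored, exactly as before.
                            continue;
                        }
                        final String name = nameElement.getText();
                        final String encodedValue = passwordElement.getText();
                        final PasswordData passwordData = new PasswordData(SecureEngine.decryptStringValue(encodedValue, key, PwmBlockAlgorithm.CONFIG));
                        final List<Element> usages = value.getChildren(ELEMENT_USAGE);
                        final List<String> strUsages = new ArrayList<>();
                        if (usages != null) {
                            for (final Element usageElement : usages) {
                                strUsages.add(usageElement.getText());
                            }
                        }
                        values.put(name, new NamedSecretData(passwordData, Collections.unmodifiableList(strUsages)));
                    }
                }
            } catch (Exception e) {
                // NOTE(review): only the message of the underlying failure is carried forward.
                // Attach the cause as well if ErrorInformation or PwmOperationalException
                // offers a way to do so.
                final String errorMsg = "unable to decode encrypted password value for setting: " + e.getMessage();
                final ErrorInformation errorInfo = new ErrorInformation(PwmError.CONFIG_FORMAT_ERROR, errorMsg);
                throw new PwmOperationalException(errorInfo);
            }
            return new NamedSecretValue(values);
        }
    };
}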
Also used : Element(org.jdom2.Element) ArrayList(java.util.ArrayList) PwmOperationalException(password.pwm.error.PwmOperationalException) PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException) LinkedHashMap(java.util.LinkedHashMap) PwmOperationalException(password.pwm.error.PwmOperationalException) PwmSecurityKey(password.pwm.util.secure.PwmSecurityKey) ErrorInformation(password.pwm.error.ErrorInformation) NamedSecretData(password.pwm.config.value.data.NamedSecretData) PasswordData(password.pwm.util.PasswordData) TypeToken(com.google.gson.reflect.TypeToken)

Aggregations

PasswordData (password.pwm.util.PasswordData)44 ErrorInformation (password.pwm.error.ErrorInformation)20 PwmUnrecoverableException (password.pwm.error.PwmUnrecoverableException)17 PwmOperationalException (password.pwm.error.PwmOperationalException)12 ChaiUser (com.novell.ldapchai.ChaiUser)10 UserInfo (password.pwm.ldap.UserInfo)10 ChaiProvider (com.novell.ldapchai.provider.ChaiProvider)8 ArrayList (java.util.ArrayList)8 UserIdentity (password.pwm.bean.UserIdentity)7 PwmException (password.pwm.error.PwmException)7 PwmPasswordPolicy (password.pwm.config.profile.PwmPasswordPolicy)6 ChaiOperationException (com.novell.ldapchai.exception.ChaiOperationException)5 LinkedHashMap (java.util.LinkedHashMap)5 ChaiException (com.novell.ldapchai.exception.ChaiException)4 ChaiUnavailableException (com.novell.ldapchai.exception.ChaiUnavailableException)4 Locale (java.util.Locale)4 Map (java.util.Map)4 FormConfiguration (password.pwm.config.value.data.FormConfiguration)4 RandomPasswordGenerator (password.pwm.util.RandomPasswordGenerator)4 PwmSecurityKey (password.pwm.util.secure.PwmSecurityKey)4