use of password.pwm.util.macro.MacroMachine in project pwm by pwm-project.
the class LDAPAuthenticationRequest method authenticateUserImpl.
private AuthenticationResult authenticateUserImpl(final PasswordData password) throws ChaiUnavailableException, PwmUnrecoverableException, PwmOperationalException {
if (startTime == null) {
startTime = new Date();
}
log(PwmLogLevel.DEBUG, "preparing to authenticate user using authenticationType=" + this.requestedAuthType + " using strategy " + this.strategy);
final StatisticsManager statisticsManager = pwmApplication.getStatisticsManager();
final IntruderManager intruderManager = pwmApplication.getIntruderManager();
intruderManager.convenience().checkUserIdentity(userIdentity);
intruderManager.check(RecordType.ADDRESS, sessionLabel.getSrcAddress());
// verify user is not account disabled
AuthenticationUtility.checkIfUserEligibleToAuthentication(pwmApplication, userIdentity);
boolean allowBindAsUser = true;
if (strategy == AuthenticationStrategy.ADMIN_PROXY) {
allowBindAsUser = false;
}
if (allowBindAsUser) {
try {
testCredentials(userIdentity, password);
} catch (PwmOperationalException e) {
boolean permitAuthDespiteError = false;
final DirectoryVendor vendor = pwmApplication.getProxyChaiProvider(userIdentity.getLdapProfileID()).getDirectoryVendor();
if (PwmError.PASSWORD_NEW_PASSWORD_REQUIRED == e.getError()) {
if (vendor == DirectoryVendor.ACTIVE_DIRECTORY) {
if (pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.AD_ALLOW_AUTH_REQUIRE_NEW_PWD)) {
log(PwmLogLevel.INFO, "auth bind failed, but will allow login due to 'must change password on next login AD error', error: " + e.getErrorInformation().toDebugStr());
allowBindAsUser = false;
permitAuthDespiteError = true;
}
} else if (vendor == DirectoryVendor.ORACLE_DS) {
if (pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.ORACLE_DS_ALLOW_AUTH_REQUIRE_NEW_PWD)) {
log(PwmLogLevel.INFO, "auth bind failed, but will allow login due to 'pwdReset' user attribute, error: " + e.getErrorInformation().toDebugStr());
allowBindAsUser = false;
permitAuthDespiteError = true;
}
}
} else if (PwmError.PASSWORD_EXPIRED == e.getError()) {
// handle ad case where password is expired
if (vendor == DirectoryVendor.ACTIVE_DIRECTORY) {
if (pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.AD_ALLOW_AUTH_REQUIRE_NEW_PWD)) {
if (!pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.AD_ALLOW_AUTH_EXPIRED)) {
throw e;
}
log(PwmLogLevel.INFO, "auth bind failed, but will allow login due to 'password expired AD error', error: " + e.getErrorInformation().toDebugStr());
allowBindAsUser = false;
permitAuthDespiteError = true;
}
}
}
if (!permitAuthDespiteError) {
// auth failed, presumably due to wrong password.
statisticsManager.incrementValue(Statistic.AUTHENTICATION_FAILURES);
throw e;
}
}
}
statisticsManager.incrementValue(Statistic.AUTHENTICATIONS);
statisticsManager.updateEps(EpsStatistic.AUTHENTICATION, 1);
statisticsManager.updateAverageValue(Statistic.AVG_AUTHENTICATION_TIME, TimeDuration.fromCurrent(startTime).getTotalMilliseconds());
final AuthenticationType returnAuthType;
if (!allowBindAsUser) {
returnAuthType = AuthenticationType.AUTH_BIND_INHIBIT;
} else {
if (requestedAuthType == null) {
returnAuthType = AuthenticationType.AUTHENTICATED;
} else {
if (requestedAuthType == AuthenticationType.AUTH_WITHOUT_PASSWORD) {
returnAuthType = AuthenticationType.AUTHENTICATED;
} else if (requestedAuthType == AuthenticationType.AUTH_FROM_PUBLIC_MODULE) {
returnAuthType = AuthenticationType.AUTH_FROM_PUBLIC_MODULE;
} else {
returnAuthType = requestedAuthType;
}
}
}
final boolean useProxy = determineIfLdapProxyNeeded(returnAuthType, password);
final ChaiProvider returnProvider = useProxy ? makeProxyProvider() : userProvider;
final AuthenticationResult authenticationResult = new AuthenticationResult(returnProvider, returnAuthType, password);
final StringBuilder debugMsg = new StringBuilder();
debugMsg.append("successful ldap authentication for ").append(userIdentity);
debugMsg.append(" (").append(TimeDuration.fromCurrent(startTime).asCompactString()).append(")");
debugMsg.append(" type: ").append(returnAuthType).append(", using strategy ").append(strategy);
debugMsg.append(", using proxy connection: ").append(useProxy);
debugMsg.append(", returning bind dn: ").append(returnProvider == null ? "none" : returnProvider.getChaiConfiguration().getSetting(ChaiSetting.BIND_DN));
log(PwmLogLevel.INFO, debugMsg);
final MacroMachine macroMachine = MacroMachine.forUser(pwmApplication, PwmConstants.DEFAULT_LOCALE, sessionLabel, userIdentity);
final AuditRecord auditRecord = new AuditRecordFactory(pwmApplication, macroMachine).createUserAuditRecord(AuditEvent.AUTHENTICATE, this.userIdentity, makeAuditLogMessage(returnAuthType), sessionLabel.getSrcAddress(), sessionLabel.getSrcHostname());
pwmApplication.getAuditManager().submit(auditRecord);
pwmApplication.getSessionTrackService().addRecentLogin(userIdentity);
return authenticationResult;
}
use of password.pwm.util.macro.MacroMachine in project pwm by pwm-project.
the class SyslogAuditService method convertAuditRecordToCEFMessage.
private String convertAuditRecordToCEFMessage(final AuditRecord auditRecord, final Configuration configuration) throws PwmUnrecoverableException {
final Map<String, Object> auditRecordMap = JsonUtil.deserializeMap(JsonUtil.serialize(auditRecord));
final String separator = "|";
final String headerSeverity = configuration.readAppProperty(AppProperty.AUDIT_SYSLOG_CEF_HEADER_SEVERITY);
final String headerProduct = configuration.readAppProperty(AppProperty.AUDIT_SYSLOG_CEF_HEADER_PRODUCT);
final String headerVendor = configuration.readAppProperty(AppProperty.AUDIT_SYSLOG_CEF_HEADER_VENDOR);
final MacroMachine macroMachine = MacroMachine.forNonUserSpecific(pwmApplication, SessionLabel.SYSTEM_LABEL);
final String auditFieldName = LocaleHelper.getLocalizedMessage(PwmConstants.DEFAULT_LOCALE, auditRecord.getEventCode().getMessage(), configuration);
final StringBuilder cefOutput = new StringBuilder();
// cef declaration:version prefix
cefOutput.append("CEF:0");
// Device Vendor
cefOutput.append(separator);
cefOutput.append(macroMachine.expandMacros(headerVendor));
// Device Product
cefOutput.append(separator);
cefOutput.append(macroMachine.expandMacros(headerProduct));
// Device Version
cefOutput.append(separator);
cefOutput.append(PwmConstants.SERVLET_VERSION);
// Device Event Class ID
cefOutput.append(separator);
cefOutput.append(auditRecord.getEventCode());
// field name
cefOutput.append(separator);
cefOutput.append(auditFieldName);
// severity
cefOutput.append(separator);
cefOutput.append(macroMachine.expandMacros(headerSeverity));
boolean extensionAdded = false;
for (final Map.Entry<String, String> entry : syslogCefExtensions.entrySet()) {
final Object value = auditRecordMap.get(entry.getKey());
if (value != null) {
if (!extensionAdded) {
cefOutput.append(separator);
extensionAdded = true;
} else {
cefOutput.append(" ");
}
cefOutput.append(entry.getValue());
cefOutput.append("=");
cefOutput.append(escapeCEFValue(value.toString()));
}
}
return cefOutput.toString();
}
use of password.pwm.util.macro.MacroMachine in project pwm by pwm-project.
the class ActionExecutor method executeLdapAction.
private void executeLdapAction(final SessionLabel sessionLabel, final ActionConfiguration actionConfiguration) throws ChaiUnavailableException, PwmOperationalException, PwmUnrecoverableException {
String attributeName = actionConfiguration.getAttributeName();
String attributeValue = actionConfiguration.getAttributeValue();
final ChaiUser theUser;
if (settings.getChaiUser() != null) {
theUser = settings.getChaiUser();
} else {
if (settings.getUserIdentity() == null) {
final String errorMsg = "attempt to execute lap action but neither chaiUser or userIdentity is specified";
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_UNKNOWN, errorMsg);
throw new PwmUnrecoverableException(errorInformation);
}
theUser = pwmApplication.getProxiedChaiUser(settings.getUserIdentity());
}
if (settings.isExpandPwmMacros()) {
if (settings.getMacroMachine() == null) {
throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_UNKNOWN, "executor specified macro expansion but did not supply macro machine"));
}
final MacroMachine macroMachine = settings.getMacroMachine();
attributeName = macroMachine.expandMacros(attributeName);
attributeValue = macroMachine.expandMacros(attributeValue);
}
writeLdapAttribute(sessionLabel, theUser, attributeName, attributeValue, actionConfiguration.getLdapMethod(), settings.getMacroMachine());
}
use of password.pwm.util.macro.MacroMachine in project pwm by pwm-project.
the class PasswordUtility method helpdeskSetUserPassword.
public static void helpdeskSetUserPassword(final PwmSession pwmSession, final ChaiUser chaiUser, final UserInfo userInfo, final PwmApplication pwmApplication, final PasswordData newPassword) throws ChaiUnavailableException, PwmUnrecoverableException, PwmOperationalException {
final SessionLabel sessionLabel = pwmSession.getLabel();
final UserIdentity userIdentity = userInfo.getUserIdentity();
if (!pwmSession.isAuthenticated()) {
final String errorMsg = "attempt to helpdeskSetUserPassword, but user is not authenticated";
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_UNAUTHORIZED, errorMsg);
throw new PwmOperationalException(errorInformation);
}
final HelpdeskProfile helpdeskProfile = pwmSession.getSessionManager().getHelpdeskProfile(pwmApplication);
if (helpdeskProfile == null) {
final String errorMsg = "attempt to helpdeskSetUserPassword, but user does not have helpdesk permission";
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_UNAUTHORIZED, errorMsg);
throw new PwmOperationalException(errorInformation);
}
setPassword(pwmApplication, pwmSession.getLabel(), chaiUser.getChaiProvider(), userInfo, null, newPassword);
// create a proxy user object for pwm to update/read the user.
final ChaiUser proxiedUser = pwmApplication.getProxiedChaiUser(userIdentity);
// mark the event log
{
final HelpdeskAuditRecord auditRecord = new AuditRecordFactory(pwmApplication, pwmSession).createHelpdeskAuditRecord(AuditEvent.HELPDESK_SET_PASSWORD, pwmSession.getUserInfo().getUserIdentity(), null, userIdentity, pwmSession.getSessionStateBean().getSrcAddress(), pwmSession.getSessionStateBean().getSrcHostname());
pwmApplication.getAuditManager().submit(auditRecord);
}
// update statistics
pwmApplication.getStatisticsManager().incrementValue(Statistic.HELPDESK_PASSWORD_SET);
{
// execute configured actions
LOGGER.debug(sessionLabel, "executing changepassword and helpdesk post password change writeAttributes to user " + userIdentity);
final List<ActionConfiguration> actions = new ArrayList<>();
actions.addAll(pwmApplication.getConfig().readSettingAsAction(PwmSetting.CHANGE_PASSWORD_WRITE_ATTRIBUTES));
actions.addAll(helpdeskProfile.readSettingAsAction(PwmSetting.HELPDESK_POST_SET_PASSWORD_WRITE_ATTRIBUTES));
if (!actions.isEmpty()) {
final LoginInfoBean loginInfoBean = new LoginInfoBean();
loginInfoBean.setUserCurrentPassword(newPassword);
final MacroMachine macroMachine = MacroMachine.forUser(pwmApplication, sessionLabel, userInfo, loginInfoBean);
final ActionExecutor actionExecutor = new ActionExecutor.ActionExecutorSettings(pwmApplication, userIdentity).setMacroMachine(macroMachine).setExpandPwmMacros(true).createActionExecutor();
actionExecutor.executeActions(actions, pwmSession.getLabel());
}
}
final HelpdeskClearResponseMode settingClearResponses = HelpdeskClearResponseMode.valueOf(helpdeskProfile.readSettingAsString(PwmSetting.HELPDESK_CLEAR_RESPONSES));
if (settingClearResponses == HelpdeskClearResponseMode.yes) {
final String userGUID = LdapOperationsHelper.readLdapGuidValue(pwmApplication, sessionLabel, userIdentity, false);
pwmApplication.getCrService().clearResponses(pwmSession.getLabel(), userIdentity, proxiedUser, userGUID);
// mark the event log
final HelpdeskAuditRecord auditRecord = new AuditRecordFactory(pwmApplication, pwmSession).createHelpdeskAuditRecord(AuditEvent.HELPDESK_CLEAR_RESPONSES, pwmSession.getUserInfo().getUserIdentity(), null, userIdentity, pwmSession.getSessionStateBean().getSrcAddress(), pwmSession.getSessionStateBean().getSrcHostname());
pwmApplication.getAuditManager().submit(auditRecord);
}
// send email notification
sendChangePasswordHelpdeskEmailNotice(pwmSession, pwmApplication, userInfo);
// expire if so configured
if (helpdeskProfile.readSettingAsBoolean(PwmSetting.HELPDESK_FORCE_PW_EXPIRATION)) {
LOGGER.trace(pwmSession, "preparing to expire password for user " + userIdentity.toDisplayString());
try {
proxiedUser.expirePassword();
} catch (ChaiOperationException e) {
LOGGER.warn(pwmSession, "error while forcing password expiration for user " + userIdentity.toDisplayString() + ", error: " + e.getMessage());
}
}
// send password
final boolean sendPassword = helpdeskProfile.readSettingAsBoolean(PwmSetting.HELPDESK_SEND_PASSWORD);
if (sendPassword) {
final MessageSendMethod messageSendMethod;
{
final String profileID = ProfileUtility.discoverProfileIDforUser(pwmApplication, sessionLabel, userIdentity, ProfileType.ForgottenPassword);
final ForgottenPasswordProfile forgottenPasswordProfile = pwmApplication.getConfig().getForgottenPasswordProfiles().get(profileID);
messageSendMethod = forgottenPasswordProfile.readSettingAsEnum(PwmSetting.RECOVERY_SENDNEWPW_METHOD, MessageSendMethod.class);
}
PasswordUtility.sendNewPassword(userInfo, pwmApplication, newPassword, pwmSession.getSessionStateBean().getLocale(), messageSendMethod);
}
}
use of password.pwm.util.macro.MacroMachine in project pwm by pwm-project.
the class HelpdeskDetailInfoBean method makeHelpdeskDetailInfo.
static HelpdeskDetailInfoBean makeHelpdeskDetailInfo(final PwmRequest pwmRequest, final HelpdeskProfile helpdeskProfile, final UserIdentity userIdentity) throws PwmUnrecoverableException, ChaiUnavailableException {
final HelpdeskDetailInfoBeanBuilder builder = HelpdeskDetailInfoBean.builder();
final Instant startTime = Instant.now();
LOGGER.trace(pwmRequest, "beginning to assemble detail data report for user " + userIdentity);
final Locale actorLocale = pwmRequest.getLocale();
final ChaiUser theUser = HelpdeskServlet.getChaiUser(pwmRequest, helpdeskProfile, userIdentity);
if (!theUser.exists()) {
return null;
}
final UserInfo userInfo = UserInfoFactory.newUserInfo(pwmRequest.getPwmApplication(), pwmRequest.getSessionLabel(), actorLocale, userIdentity, theUser.getChaiProvider());
final MacroMachine macroMachine = MacroMachine.forUser(pwmRequest.getPwmApplication(), pwmRequest.getSessionLabel(), userInfo, null);
try {
final List<AccountInformationBean.ActivityRecord> userHistory = AccountInformationBean.makeAuditInfo(pwmRequest.getPwmApplication(), pwmRequest.getSessionLabel(), userInfo, pwmRequest.getLocale());
builder.userHistory(userHistory);
} catch (Exception e) {
LOGGER.error(pwmRequest, "unexpected error reading userHistory for user '" + userIdentity + "', " + e.getMessage());
}
builder.userKey(userIdentity.toObfuscatedKey(pwmRequest.getPwmApplication()));
builder.profileData(getProfileData(helpdeskProfile, userInfo, pwmRequest.getSessionLabel(), pwmRequest.getLocale()));
builder.passwordPolicyRules(makePasswordPolicyRules(userInfo, pwmRequest.getLocale(), pwmRequest.getConfig()));
{
final List<String> requirementLines = PasswordRequirementsTag.getPasswordRequirementsStrings(userInfo.getPasswordPolicy(), pwmRequest.getConfig(), pwmRequest.getLocale(), macroMachine);
builder.passwordRequirements(Collections.unmodifiableList(requirementLines));
}
if ((userInfo.getPasswordPolicy() != null) && (userInfo.getPasswordPolicy().getChaiPasswordPolicy() != null) && (userInfo.getPasswordPolicy().getChaiPasswordPolicy().getPolicyEntry() != null) && (userInfo.getPasswordPolicy().getChaiPasswordPolicy().getPolicyEntry().getEntryDN() != null)) {
builder.passwordPolicyDN(userInfo.getPasswordPolicy().getChaiPasswordPolicy().getPolicyEntry().getEntryDN());
} else {
builder.passwordPolicyDN(LocaleHelper.getLocalizedMessage(Display.Value_NotApplicable, pwmRequest));
}
if ((userInfo.getPasswordPolicy() != null) && userInfo.getPasswordPolicy().getIdentifier() != null) {
builder.passwordPolicyID(userInfo.getPasswordPolicy().getIdentifier());
} else {
builder.passwordPolicyID(LocaleHelper.getLocalizedMessage(Display.Value_NotApplicable, pwmRequest));
}
{
final ResponseInfoBean responseInfoBean = userInfo.getResponseInfoBean();
if (responseInfoBean != null && responseInfoBean.getHelpdeskCrMap() != null) {
final List<DisplayElement> responseDisplay = new ArrayList<>();
int counter = 0;
for (final Map.Entry<Challenge, String> entry : responseInfoBean.getHelpdeskCrMap().entrySet()) {
counter++;
responseDisplay.add(new DisplayElement("item_" + counter, DisplayElement.Type.string, entry.getKey().getChallengeText(), entry.getValue()));
}
builder.helpdeskResponses = responseDisplay;
}
}
builder.userDisplayName(HelpdeskCardInfoBean.figureDisplayName(helpdeskProfile, macroMachine));
final TimeDuration timeDuration = TimeDuration.fromCurrent(startTime);
{
final Set<ViewStatusFields> viewStatusFields = helpdeskProfile.readSettingAsOptionList(PwmSetting.HELPDESK_VIEW_STATUS_VALUES, ViewStatusFields.class);
builder.statusData(ViewableUserInfoDisplayReader.makeDisplayData(viewStatusFields, pwmRequest.getConfig(), userInfo, null, pwmRequest.getLocale()));
}
{
final Set<HelpdeskDetailInfoBean.StandardButton> visibleButtons = determineVisibleButtons(helpdeskProfile);
builder.visibleButtons(visibleButtons);
builder.enabledButtons(determineEnabledButtons(visibleButtons, userInfo));
builder.customButtons(determineCustomButtons(helpdeskProfile));
}
final HelpdeskDetailInfoBean helpdeskDetailInfoBean = builder.build();
if (pwmRequest.getConfig().isDevDebugMode()) {
LOGGER.trace(pwmRequest, "completed assembly of detail data report for user " + userIdentity + " in " + timeDuration.asCompactString() + ", contents: " + JsonUtil.serialize(helpdeskDetailInfoBean));
}
return builder.build();
}
Aggregations