use of password.pwm.util.secure.PwmSecurityKey in project pwm by pwm-project.
the class BooleanValue method factory.
public static StoredValueFactory factory() {
return new StoredValueFactory() {
public BooleanValue fromJson(final String value) {
return new BooleanValue(JsonUtil.deserialize(value, Boolean.class));
}
public BooleanValue fromXmlElement(final Element settingElement, final PwmSecurityKey input) {
final Element valueElement = settingElement.getChild("value");
final String value = valueElement.getText();
return new BooleanValue(Boolean.valueOf(value));
}
};
}
use of password.pwm.util.secure.PwmSecurityKey in project pwm by pwm-project.
the class ConfigAccessFilter method checkAuthentication.
@SuppressWarnings("checkstyle:MethodLength")
static ProcessStatus checkAuthentication(final PwmRequest pwmRequest, final ConfigManagerBean configManagerBean) throws IOException, PwmUnrecoverableException, ServletException {
final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
final PwmSession pwmSession = pwmRequest.getPwmSession();
final ConfigurationReader runningConfigReader = ContextManager.getContextManager(pwmRequest.getHttpServletRequest().getSession()).getConfigReader();
final StoredConfigurationImpl storedConfig = runningConfigReader.getStoredConfiguration();
boolean authRequired = false;
if (storedConfig.hasPassword()) {
authRequired = true;
}
if (PwmApplicationMode.RUNNING == pwmRequest.getPwmApplication().getApplicationMode()) {
if (!pwmRequest.isAuthenticated()) {
throw new PwmUnrecoverableException(PwmError.ERROR_AUTHENTICATION_REQUIRED);
}
if (!pwmRequest.getPwmSession().getSessionManager().checkPermission(pwmRequest.getPwmApplication(), Permission.PWMADMIN)) {
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_UNAUTHORIZED);
denyAndError(pwmRequest, errorInformation);
return ProcessStatus.Halt;
}
}
if (PwmApplicationMode.CONFIGURATION != pwmRequest.getPwmApplication().getApplicationMode()) {
authRequired = true;
}
if (!authRequired) {
return ProcessStatus.Continue;
}
if (!storedConfig.hasPassword()) {
final String errorMsg = "config file does not have a configuration password";
final ErrorInformation errorInformation = new ErrorInformation(PwmError.CONFIG_FORMAT_ERROR, errorMsg, new String[] { errorMsg });
return denyAndError(pwmRequest, errorInformation);
}
if (configManagerBean.isPasswordVerified()) {
return ProcessStatus.Continue;
}
String persistentLoginValue = null;
boolean persistentLoginAccepted = false;
boolean persistentLoginEnabled = false;
if (pwmRequest.getConfig().isDefaultValue(PwmSetting.PWM_SECURITY_KEY)) {
LOGGER.debug(pwmRequest, "security not available, persistent login not possible.");
} else {
persistentLoginEnabled = true;
final PwmSecurityKey securityKey = pwmRequest.getConfig().getSecurityKey();
if (PwmApplicationMode.RUNNING == pwmRequest.getPwmApplication().getApplicationMode()) {
persistentLoginValue = SecureEngine.hash(storedConfig.readConfigProperty(ConfigurationProperty.PASSWORD_HASH) + pwmSession.getUserInfo().getUserIdentity().toDelimitedKey(), PwmHashAlgorithm.SHA512);
} else {
persistentLoginValue = SecureEngine.hash(storedConfig.readConfigProperty(ConfigurationProperty.PASSWORD_HASH), PwmHashAlgorithm.SHA512);
}
{
final String cookieStr = pwmRequest.readCookie(PwmConstants.COOKIE_PERSISTENT_CONFIG_LOGIN);
if (securityKey != null && cookieStr != null && !cookieStr.isEmpty()) {
try {
final String jsonStr = pwmApplication.getSecureService().decryptStringValue(cookieStr);
final PersistentLoginInfo persistentLoginInfo = JsonUtil.deserialize(jsonStr, PersistentLoginInfo.class);
if (persistentLoginInfo != null && persistentLoginValue != null) {
if (persistentLoginInfo.getExpireDate().isAfter(Instant.now())) {
if (persistentLoginValue.equals(persistentLoginInfo.getPassword())) {
persistentLoginAccepted = true;
LOGGER.debug(pwmRequest, "accepting persistent config login from cookie (expires " + JavaHelper.toIsoDate(persistentLoginInfo.getExpireDate()) + ")");
}
}
}
} catch (Exception e) {
LOGGER.error(pwmRequest, "error examining persistent config login cookie: " + e.getMessage());
}
if (!persistentLoginAccepted) {
pwmRequest.getPwmResponse().removeCookie(PwmConstants.COOKIE_PERSISTENT_CONFIG_LOGIN, null);
LOGGER.debug(pwmRequest, "removing non-working persistent config login cookie");
}
}
}
}
final String password = pwmRequest.readParameterAsString("password");
boolean passwordAccepted = false;
if (!persistentLoginAccepted) {
if (password != null && password.length() > 0) {
if (storedConfig.verifyPassword(password, pwmRequest.getConfig())) {
passwordAccepted = true;
LOGGER.trace(pwmRequest, "valid configuration password accepted");
updateLoginHistory(pwmRequest, pwmRequest.getUserInfoIfLoggedIn(), true);
} else {
LOGGER.trace(pwmRequest, "configuration password is not correct");
pwmApplication.getIntruderManager().convenience().markAddressAndSession(pwmSession);
pwmApplication.getIntruderManager().mark(RecordType.USERNAME, PwmConstants.CONFIGMANAGER_INTRUDER_USERNAME, pwmSession.getLabel());
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_PASSWORD_ONLY_BAD);
updateLoginHistory(pwmRequest, pwmRequest.getUserInfoIfLoggedIn(), false);
return denyAndError(pwmRequest, errorInformation);
}
}
}
if ((persistentLoginAccepted || passwordAccepted)) {
configManagerBean.setPasswordVerified(true);
pwmApplication.getIntruderManager().convenience().clearAddressAndSession(pwmSession);
pwmApplication.getIntruderManager().clear(RecordType.USERNAME, PwmConstants.CONFIGMANAGER_INTRUDER_USERNAME);
if (persistentLoginEnabled && !persistentLoginAccepted && "on".equals(pwmRequest.readParameterAsString("remember"))) {
final int persistentSeconds = figureMaxLoginSeconds(pwmRequest);
if (persistentSeconds > 0) {
final Instant expirationDate = Instant.ofEpochMilli(System.currentTimeMillis() + (persistentSeconds * 1000));
final PersistentLoginInfo persistentLoginInfo = new PersistentLoginInfo(expirationDate, persistentLoginValue);
final String jsonPersistentLoginInfo = JsonUtil.serialize(persistentLoginInfo);
final String cookieValue = pwmApplication.getSecureService().encryptToString(jsonPersistentLoginInfo);
pwmRequest.getPwmResponse().writeCookie(PwmConstants.COOKIE_PERSISTENT_CONFIG_LOGIN, cookieValue, persistentSeconds);
LOGGER.debug(pwmRequest, "set persistent config login cookie (expires " + JavaHelper.toIsoDate(expirationDate) + ")");
}
}
if (configManagerBean.getPrePasswordEntryUrl() != null) {
final String originalUrl = configManagerBean.getPrePasswordEntryUrl();
configManagerBean.setPrePasswordEntryUrl(null);
pwmRequest.getPwmResponse().sendRedirect(originalUrl);
return ProcessStatus.Halt;
}
return ProcessStatus.Continue;
}
if (configManagerBean.getPrePasswordEntryUrl() == null) {
configManagerBean.setPrePasswordEntryUrl(pwmRequest.getHttpServletRequest().getRequestURL().toString());
}
forwardToJsp(pwmRequest);
return ProcessStatus.Halt;
}
use of password.pwm.util.secure.PwmSecurityKey in project pwm by pwm-project.
the class NumericArrayValue method factory.
public static StoredValueFactory factory() {
return new StoredValueFactory() {
public NumericArrayValue fromJson(final String value) {
final long[] longArray = JsonUtil.deserialize(value, long[].class);
final List<Long> list = Arrays.stream(longArray).boxed().collect(Collectors.toList());
return new NumericArrayValue(list);
}
public NumericArrayValue fromXmlElement(final Element settingElement, final PwmSecurityKey input) {
final List<Long> returnList = new ArrayList<>();
final List<Element> valueElements = settingElement.getChildren("value");
for (final Element element : valueElements) {
final String strValue = element.getText();
final Long longValue = Long.parseLong(strValue);
returnList.add(longValue);
}
return new NumericArrayValue(returnList);
}
};
}
use of password.pwm.util.secure.PwmSecurityKey in project pwm by pwm-project.
the class OptionListValue method factory.
public static StoredValueFactory factory() {
return new StoredValueFactory() {
public OptionListValue fromJson(final String input) {
if (input == null) {
return new OptionListValue(Collections.<String>emptySet());
} else {
Set<String> srcList = JsonUtil.deserialize(input, new TypeToken<Set<String>>() {
});
srcList = srcList == null ? Collections.<String>emptySet() : srcList;
while (srcList.contains(null)) {
srcList.remove(null);
}
return new OptionListValue(Collections.unmodifiableSet(srcList));
}
}
public OptionListValue fromXmlElement(final Element settingElement, final PwmSecurityKey key) throws PwmOperationalException {
final List valueElements = settingElement.getChildren("value");
final Set<String> values = new TreeSet<>();
for (final Object loopValue : valueElements) {
final Element loopValueElement = (Element) loopValue;
final String value = loopValueElement.getText();
if (value != null && !value.trim().isEmpty()) {
values.add(value);
}
}
return new OptionListValue(values);
}
};
}
use of password.pwm.util.secure.PwmSecurityKey in project pwm by pwm-project.
the class PrivateKeyValue method factory.
public static StoredValue.StoredValueFactory factory() {
return new StoredValue.StoredValueFactory() {
public PrivateKeyValue fromXmlElement(final Element settingElement, final PwmSecurityKey key) {
if (settingElement != null && settingElement.getChild("value") != null) {
final Element valueElement = settingElement.getChild("value");
if (valueElement != null) {
final List<X509Certificate> certificates = new ArrayList<>();
for (final Element certificateElement : valueElement.getChildren(ELEMENT_NAME_CERTIFICATE)) {
try {
final String b64Text = certificateElement.getText();
final X509Certificate cert = X509Utils.certificateFromBase64(b64Text);
certificates.add(cert);
} catch (Exception e) {
LOGGER.error("error reading certificate: " + e.getMessage(), e);
}
}
PrivateKey privateKey = null;
try {
final Element keyElement = valueElement.getChild(ELEMENT_NAME_KEY);
final String encryptedText = keyElement.getText();
final String decryptedText = SecureEngine.decryptStringValue(encryptedText, key, PwmBlockAlgorithm.CONFIG);
final byte[] privateKeyBytes = StringUtil.base64Decode(decryptedText);
privateKey = KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(privateKeyBytes));
} catch (Exception e) {
LOGGER.error("error reading privateKey: " + e.getMessage(), e);
}
if (!certificates.isEmpty() && privateKey != null) {
final PrivateKeyCertificate privateKeyCertificate = new PrivateKeyCertificate(certificates, privateKey);
return new PrivateKeyValue(privateKeyCertificate);
}
}
}
return new PrivateKeyValue(null);
}
public X509CertificateValue fromJson(final String input) {
return new X509CertificateValue(new X509Certificate[0]);
}
};
}
Aggregations