Search in sources :

Example 1 with PwmSecurityKey

use of password.pwm.util.secure.PwmSecurityKey in project pwm by pwm-project.

the class BooleanValue method factory.

public static StoredValueFactory factory() {
    return new StoredValueFactory() {

        public BooleanValue fromJson(final String value) {
            return new BooleanValue(JsonUtil.deserialize(value, Boolean.class));
        }

        public BooleanValue fromXmlElement(final Element settingElement, final PwmSecurityKey input) {
            final Element valueElement = settingElement.getChild("value");
            final String value = valueElement.getText();
            return new BooleanValue(Boolean.valueOf(value));
        }
    };
}
Also used : PwmSecurityKey(password.pwm.util.secure.PwmSecurityKey) Element(org.jdom2.Element)

Example 2 with PwmSecurityKey

use of password.pwm.util.secure.PwmSecurityKey in project pwm by pwm-project.

the class ConfigAccessFilter method checkAuthentication.

@SuppressWarnings("checkstyle:MethodLength")
static ProcessStatus checkAuthentication(final PwmRequest pwmRequest, final ConfigManagerBean configManagerBean) throws IOException, PwmUnrecoverableException, ServletException {
    final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
    final PwmSession pwmSession = pwmRequest.getPwmSession();
    final ConfigurationReader runningConfigReader = ContextManager.getContextManager(pwmRequest.getHttpServletRequest().getSession()).getConfigReader();
    final StoredConfigurationImpl storedConfig = runningConfigReader.getStoredConfiguration();
    boolean authRequired = false;
    if (storedConfig.hasPassword()) {
        authRequired = true;
    }
    if (PwmApplicationMode.RUNNING == pwmRequest.getPwmApplication().getApplicationMode()) {
        if (!pwmRequest.isAuthenticated()) {
            throw new PwmUnrecoverableException(PwmError.ERROR_AUTHENTICATION_REQUIRED);
        }
        if (!pwmRequest.getPwmSession().getSessionManager().checkPermission(pwmRequest.getPwmApplication(), Permission.PWMADMIN)) {
            final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_UNAUTHORIZED);
            denyAndError(pwmRequest, errorInformation);
            return ProcessStatus.Halt;
        }
    }
    if (PwmApplicationMode.CONFIGURATION != pwmRequest.getPwmApplication().getApplicationMode()) {
        authRequired = true;
    }
    if (!authRequired) {
        return ProcessStatus.Continue;
    }
    if (!storedConfig.hasPassword()) {
        final String errorMsg = "config file does not have a configuration password";
        final ErrorInformation errorInformation = new ErrorInformation(PwmError.CONFIG_FORMAT_ERROR, errorMsg, new String[] { errorMsg });
        return denyAndError(pwmRequest, errorInformation);
    }
    if (configManagerBean.isPasswordVerified()) {
        return ProcessStatus.Continue;
    }
    String persistentLoginValue = null;
    boolean persistentLoginAccepted = false;
    boolean persistentLoginEnabled = false;
    if (pwmRequest.getConfig().isDefaultValue(PwmSetting.PWM_SECURITY_KEY)) {
        LOGGER.debug(pwmRequest, "security not available, persistent login not possible.");
    } else {
        persistentLoginEnabled = true;
        final PwmSecurityKey securityKey = pwmRequest.getConfig().getSecurityKey();
        if (PwmApplicationMode.RUNNING == pwmRequest.getPwmApplication().getApplicationMode()) {
            persistentLoginValue = SecureEngine.hash(storedConfig.readConfigProperty(ConfigurationProperty.PASSWORD_HASH) + pwmSession.getUserInfo().getUserIdentity().toDelimitedKey(), PwmHashAlgorithm.SHA512);
        } else {
            persistentLoginValue = SecureEngine.hash(storedConfig.readConfigProperty(ConfigurationProperty.PASSWORD_HASH), PwmHashAlgorithm.SHA512);
        }
        {
            final String cookieStr = pwmRequest.readCookie(PwmConstants.COOKIE_PERSISTENT_CONFIG_LOGIN);
            if (securityKey != null && cookieStr != null && !cookieStr.isEmpty()) {
                try {
                    final String jsonStr = pwmApplication.getSecureService().decryptStringValue(cookieStr);
                    final PersistentLoginInfo persistentLoginInfo = JsonUtil.deserialize(jsonStr, PersistentLoginInfo.class);
                    if (persistentLoginInfo != null && persistentLoginValue != null) {
                        if (persistentLoginInfo.getExpireDate().isAfter(Instant.now())) {
                            if (persistentLoginValue.equals(persistentLoginInfo.getPassword())) {
                                persistentLoginAccepted = true;
                                LOGGER.debug(pwmRequest, "accepting persistent config login from cookie (expires " + JavaHelper.toIsoDate(persistentLoginInfo.getExpireDate()) + ")");
                            }
                        }
                    }
                } catch (Exception e) {
                    LOGGER.error(pwmRequest, "error examining persistent config login cookie: " + e.getMessage());
                }
                if (!persistentLoginAccepted) {
                    pwmRequest.getPwmResponse().removeCookie(PwmConstants.COOKIE_PERSISTENT_CONFIG_LOGIN, null);
                    LOGGER.debug(pwmRequest, "removing non-working persistent config login cookie");
                }
            }
        }
    }
    final String password = pwmRequest.readParameterAsString("password");
    boolean passwordAccepted = false;
    if (!persistentLoginAccepted) {
        if (password != null && password.length() > 0) {
            if (storedConfig.verifyPassword(password, pwmRequest.getConfig())) {
                passwordAccepted = true;
                LOGGER.trace(pwmRequest, "valid configuration password accepted");
                updateLoginHistory(pwmRequest, pwmRequest.getUserInfoIfLoggedIn(), true);
            } else {
                LOGGER.trace(pwmRequest, "configuration password is not correct");
                pwmApplication.getIntruderManager().convenience().markAddressAndSession(pwmSession);
                pwmApplication.getIntruderManager().mark(RecordType.USERNAME, PwmConstants.CONFIGMANAGER_INTRUDER_USERNAME, pwmSession.getLabel());
                final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_PASSWORD_ONLY_BAD);
                updateLoginHistory(pwmRequest, pwmRequest.getUserInfoIfLoggedIn(), false);
                return denyAndError(pwmRequest, errorInformation);
            }
        }
    }
    if ((persistentLoginAccepted || passwordAccepted)) {
        configManagerBean.setPasswordVerified(true);
        pwmApplication.getIntruderManager().convenience().clearAddressAndSession(pwmSession);
        pwmApplication.getIntruderManager().clear(RecordType.USERNAME, PwmConstants.CONFIGMANAGER_INTRUDER_USERNAME);
        if (persistentLoginEnabled && !persistentLoginAccepted && "on".equals(pwmRequest.readParameterAsString("remember"))) {
            final int persistentSeconds = figureMaxLoginSeconds(pwmRequest);
            if (persistentSeconds > 0) {
                final Instant expirationDate = Instant.ofEpochMilli(System.currentTimeMillis() + (persistentSeconds * 1000));
                final PersistentLoginInfo persistentLoginInfo = new PersistentLoginInfo(expirationDate, persistentLoginValue);
                final String jsonPersistentLoginInfo = JsonUtil.serialize(persistentLoginInfo);
                final String cookieValue = pwmApplication.getSecureService().encryptToString(jsonPersistentLoginInfo);
                pwmRequest.getPwmResponse().writeCookie(PwmConstants.COOKIE_PERSISTENT_CONFIG_LOGIN, cookieValue, persistentSeconds);
                LOGGER.debug(pwmRequest, "set persistent config login cookie (expires " + JavaHelper.toIsoDate(expirationDate) + ")");
            }
        }
        if (configManagerBean.getPrePasswordEntryUrl() != null) {
            final String originalUrl = configManagerBean.getPrePasswordEntryUrl();
            configManagerBean.setPrePasswordEntryUrl(null);
            pwmRequest.getPwmResponse().sendRedirect(originalUrl);
            return ProcessStatus.Halt;
        }
        return ProcessStatus.Continue;
    }
    if (configManagerBean.getPrePasswordEntryUrl() == null) {
        configManagerBean.setPrePasswordEntryUrl(pwmRequest.getHttpServletRequest().getRequestURL().toString());
    }
    forwardToJsp(pwmRequest);
    return ProcessStatus.Halt;
}
Also used : PwmApplication(password.pwm.PwmApplication) StoredConfigurationImpl(password.pwm.config.stored.StoredConfigurationImpl) Instant(java.time.Instant) PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException) ServletException(javax.servlet.ServletException) PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException) PwmException(password.pwm.error.PwmException) IOException(java.io.IOException) ErrorInformation(password.pwm.error.ErrorInformation) PwmSecurityKey(password.pwm.util.secure.PwmSecurityKey) PwmSession(password.pwm.http.PwmSession) ConfigurationReader(password.pwm.config.stored.ConfigurationReader)

Example 3 with PwmSecurityKey

use of password.pwm.util.secure.PwmSecurityKey in project pwm by pwm-project.

the class NumericArrayValue method factory.

public static StoredValueFactory factory() {
    return new StoredValueFactory() {

        public NumericArrayValue fromJson(final String value) {
            final long[] longArray = JsonUtil.deserialize(value, long[].class);
            final List<Long> list = Arrays.stream(longArray).boxed().collect(Collectors.toList());
            return new NumericArrayValue(list);
        }

        public NumericArrayValue fromXmlElement(final Element settingElement, final PwmSecurityKey input) {
            final List<Long> returnList = new ArrayList<>();
            final List<Element> valueElements = settingElement.getChildren("value");
            for (final Element element : valueElements) {
                final String strValue = element.getText();
                final Long longValue = Long.parseLong(strValue);
                returnList.add(longValue);
            }
            return new NumericArrayValue(returnList);
        }
    };
}
Also used : PwmSecurityKey(password.pwm.util.secure.PwmSecurityKey) Element(org.jdom2.Element) ArrayList(java.util.ArrayList)

Example 4 with PwmSecurityKey

use of password.pwm.util.secure.PwmSecurityKey in project pwm by pwm-project.

the class OptionListValue method factory.

public static StoredValueFactory factory() {
    return new StoredValueFactory() {

        public OptionListValue fromJson(final String input) {
            if (input == null) {
                return new OptionListValue(Collections.<String>emptySet());
            } else {
                Set<String> srcList = JsonUtil.deserialize(input, new TypeToken<Set<String>>() {
                });
                srcList = srcList == null ? Collections.<String>emptySet() : srcList;
                while (srcList.contains(null)) {
                    srcList.remove(null);
                }
                return new OptionListValue(Collections.unmodifiableSet(srcList));
            }
        }

        public OptionListValue fromXmlElement(final Element settingElement, final PwmSecurityKey key) throws PwmOperationalException {
            final List valueElements = settingElement.getChildren("value");
            final Set<String> values = new TreeSet<>();
            for (final Object loopValue : valueElements) {
                final Element loopValueElement = (Element) loopValue;
                final String value = loopValueElement.getText();
                if (value != null && !value.trim().isEmpty()) {
                    values.add(value);
                }
            }
            return new OptionListValue(values);
        }
    };
}
Also used : PwmSecurityKey(password.pwm.util.secure.PwmSecurityKey) Set(java.util.Set) TreeSet(java.util.TreeSet) TreeSet(java.util.TreeSet) Element(org.jdom2.Element) ArrayList(java.util.ArrayList) List(java.util.List)

Example 5 with PwmSecurityKey

use of password.pwm.util.secure.PwmSecurityKey in project pwm by pwm-project.

the class PrivateKeyValue method factory.

public static StoredValue.StoredValueFactory factory() {
    return new StoredValue.StoredValueFactory() {

        public PrivateKeyValue fromXmlElement(final Element settingElement, final PwmSecurityKey key) {
            if (settingElement != null && settingElement.getChild("value") != null) {
                final Element valueElement = settingElement.getChild("value");
                if (valueElement != null) {
                    final List<X509Certificate> certificates = new ArrayList<>();
                    for (final Element certificateElement : valueElement.getChildren(ELEMENT_NAME_CERTIFICATE)) {
                        try {
                            final String b64Text = certificateElement.getText();
                            final X509Certificate cert = X509Utils.certificateFromBase64(b64Text);
                            certificates.add(cert);
                        } catch (Exception e) {
                            LOGGER.error("error reading certificate: " + e.getMessage(), e);
                        }
                    }
                    PrivateKey privateKey = null;
                    try {
                        final Element keyElement = valueElement.getChild(ELEMENT_NAME_KEY);
                        final String encryptedText = keyElement.getText();
                        final String decryptedText = SecureEngine.decryptStringValue(encryptedText, key, PwmBlockAlgorithm.CONFIG);
                        final byte[] privateKeyBytes = StringUtil.base64Decode(decryptedText);
                        privateKey = KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(privateKeyBytes));
                    } catch (Exception e) {
                        LOGGER.error("error reading privateKey: " + e.getMessage(), e);
                    }
                    if (!certificates.isEmpty() && privateKey != null) {
                        final PrivateKeyCertificate privateKeyCertificate = new PrivateKeyCertificate(certificates, privateKey);
                        return new PrivateKeyValue(privateKeyCertificate);
                    }
                }
            }
            return new PrivateKeyValue(null);
        }

        public X509CertificateValue fromJson(final String input) {
            return new X509CertificateValue(new X509Certificate[0]);
        }
    };
}
Also used : PrivateKey(java.security.PrivateKey) Element(org.jdom2.Element) ArrayList(java.util.ArrayList) PrivateKeyCertificate(password.pwm.bean.PrivateKeyCertificate) X509Certificate(java.security.cert.X509Certificate) PwmSecurityKey(password.pwm.util.secure.PwmSecurityKey) PKCS8EncodedKeySpec(java.security.spec.PKCS8EncodedKeySpec)

Aggregations

PwmSecurityKey (password.pwm.util.secure.PwmSecurityKey)26 Element (org.jdom2.Element)19 ArrayList (java.util.ArrayList)15 List (java.util.List)11 PwmUnrecoverableException (password.pwm.error.PwmUnrecoverableException)6 Map (java.util.Map)4 ErrorInformation (password.pwm.error.ErrorInformation)4 PasswordData (password.pwm.util.PasswordData)4 TreeMap (java.util.TreeMap)3 IOException (java.io.IOException)2 X509Certificate (java.security.cert.X509Certificate)2 LinkedHashMap (java.util.LinkedHashMap)2 PwmException (password.pwm.error.PwmException)2 PwmOperationalException (password.pwm.error.PwmOperationalException)2 PwmSessionBean (password.pwm.http.bean.PwmSessionBean)2 PwmBlockAlgorithm (password.pwm.util.secure.PwmBlockAlgorithm)2 TypeToken (com.google.gson.reflect.TypeToken)1 InvocationTargetException (java.lang.reflect.InvocationTargetException)1 PrivateKey (java.security.PrivateKey)1 CertificateEncodingException (java.security.cert.CertificateEncodingException)1