  /**
   * Resolves the password policy that applies to a user.
   *
   * <p>The {@code PASSWORD_POLICY_SOURCE} configuration setting selects the strategy:
   *
   * <ul>
   *   <li>{@code PWM} - only the configured policy profile that matches the user, via
   *       {@link #determineConfiguredPolicyProfileForUser}.
   *   <li>{@code LDAP} - only the policy assigned to the user in the directory, via
   *       {@link #readLdapPasswordPolicy}.
   *   <li>{@code MERGE} - the configured profile is resolved first, then the directory policy is
   *       read, and the two are combined with {@code PwmPasswordPolicy.merge}.
   * </ul>
   *
   * <p>The configured string is converted with {@code PasswordPolicySource.valueOf}, so a value
   * that is not a valid enum name surfaces as an {@link IllegalArgumentException} rather than a
   * {@code PwmUnrecoverableException}. The {@code else} branch below is only reachable if the enum
   * gains a constant that this method does not handle.
   *
   * @param pwmApplication application handle used to read configuration
   * @param pwmSession session label used only for log correlation
   * @param userIdentity identity used to match configured policy profiles (PWM and MERGE modes)
   * @param theUser directory user whose assigned policy is read (LDAP and MERGE modes)
   * @param locale locale passed through when reading the configured profile
   * @return the resolved policy; the helpers called here do not return {@code null}
   * @throws PwmUnrecoverableException propagated from the configured-profile or directory lookup
   */
  public static PwmPasswordPolicy readPasswordPolicyForUser(
      final PwmApplication pwmApplication,
      final SessionLabel pwmSession,
      final UserIdentity userIdentity,
      final ChaiUser theUser,
      final Locale locale)
      throws PwmUnrecoverableException {
    final long begin = System.currentTimeMillis();
    final String sourceSetting =
        pwmApplication.getConfig().readSettingAsString(PwmSetting.PASSWORD_POLICY_SOURCE);
    final PasswordPolicySource source = PasswordPolicySource.valueOf(sourceSetting);

    final PwmPasswordPolicy resolved;
    if (source == PasswordPolicySource.MERGE) {
      // Configured profile is resolved before the directory policy is read; keep that order.
      final PwmPasswordPolicy configuredPolicy =
          determineConfiguredPolicyProfileForUser(
              pwmApplication, pwmSession, userIdentity, locale);
      final PwmPasswordPolicy directoryPolicy = readLdapPasswordPolicy(pwmApplication, theUser);
      LOGGER.trace(
          pwmSession,
          "read user policy for '"
              + theUser.getEntryDN()
              + "', policy: "
              + directoryPolicy.toString());
      resolved = configuredPolicy.merge(directoryPolicy);
      LOGGER.debug(
          pwmSession,
          "merged user password policy of '"
              + theUser.getEntryDN()
              + "' with PWM configured policy: "
              + resolved.toString());
    } else if (source == PasswordPolicySource.LDAP) {
      resolved = readLdapPasswordPolicy(pwmApplication, theUser);
      LOGGER.debug(
          pwmSession,
          "discovered assigned password policy for "
              + theUser.getEntryDN()
              + " "
              + resolved.toString());
    } else if (source == PasswordPolicySource.PWM) {
      resolved =
          determineConfiguredPolicyProfileForUser(
              pwmApplication, pwmSession, userIdentity, locale);
    } else {
      throw new IllegalStateException("unknown policy source defined: " + source.name());
    }

    LOGGER.trace(
        pwmSession,
        "readPasswordPolicyForUser completed in "
            + TimeDuration.fromCurrent(begin).asCompactString());
    return resolved;
  }
  /**
   * Reads the password policy assigned to a user in the directory and converts it into a
   * {@code PwmPasswordPolicy}.
   *
   * <p>Every key/value pair of the directory policy is copied into a rule map. Unless the
   * {@code PASSWORD_POLICY_CASE_SENSITIVITY} setting is the literal {@code "read"}, its value is
   * also written into the map under {@code PwmPasswordRule.CaseSensitive}, overriding whatever the
   * directory reported for that key.
   *
   * <p>Fallback behaviour (security-relevant): when the directory assigns no policy, or when a
   * {@code ChaiOperationException} occurs while reading it, the method logs at WARN level and
   * returns {@code PwmPasswordPolicy.defaultPolicy()} instead of failing. A read error therefore
   * degrades enforcement to the default policy rather than stopping the operation. Whether that
   * default is weaker than the directory policy depends on the deployment - NOTE(review): callers
   * that require the directory policy to be enforced should be aware of this fail-open path.
   *
   * <p>A {@code ChaiUnavailableException} is surfaced as a {@code PwmUnrecoverableException} built
   * from the Chai error code only; the original exception is not attached as a cause.
   *
   * @param pwmApplication application handle used to read the case-sensitivity setting
   * @param theUser directory user whose policy is read
   * @return the converted directory policy, or the default policy as described above
   * @throws PwmUnrecoverableException if the directory is unavailable
   */
  public static PwmPasswordPolicy readLdapPasswordPolicy(
      final PwmApplication pwmApplication, final ChaiUser theUser)
      throws PwmUnrecoverableException {
    try {
      final ChaiPasswordPolicy directoryPolicy;
      try {
        directoryPolicy = theUser.getPasswordPolicy();
      } catch (ChaiUnavailableException e) {
        throw new PwmUnrecoverableException(PwmError.forChaiError(e.getErrorCode()));
      }

      if (directoryPolicy == null) {
        // No policy assigned in the directory: fall back to the default policy.
        return PwmPasswordPolicy.defaultPolicy();
      }

      final Map<String, String> rules = new HashMap<>();
      for (final String key : directoryPolicy.getKeys()) {
        rules.put(key, directoryPolicy.getValue(key));
      }

      // Only "read" leaves the directory's own case-sensitivity value untouched.
      final String caseSensitivity =
          pwmApplication
              .getConfig()
              .readSettingAsString(PwmSetting.PASSWORD_POLICY_CASE_SENSITIVITY);
      if (!"read".equals(caseSensitivity)) {
        rules.put(PwmPasswordRule.CaseSensitive.getKey(), caseSensitivity);
      }

      return PwmPasswordPolicy.createPwmPasswordPolicy(rules, directoryPolicy);
    } catch (ChaiOperationException e) {
      // Best-effort: log and fall through to the default policy (see class doc on fail-open).
      LOGGER.warn(
          "error reading password policy for user "
              + theUser.getEntryDN()
              + ", error: "
              + e.getMessage());
    }
    return PwmPasswordPolicy.defaultPolicy();
  }
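  /**
   * Selects the configured password policy profile that applies to a user.
   *
   * <p>Profiles are tested in the order returned by {@code getPasswordProfileIDs()}. For each
   * profile the policy is loaded for {@code locale}, and its user permissions are evaluated with
   * {@code LdapPermissionTester.testUserPermissions}; the first matching profile is returned, so
   * profile order is significant.
   *
   * <p>Error handling (security-relevant): a {@code PwmUnrecoverableException} raised while
   * testing one profile is logged and that profile is skipped, after which evaluation continues
   * with the next profile. A transient directory error while testing an earlier profile can thus
   * let the user fall through to a later profile that was intended for other users. This behaviour
   * is preserved here for compatibility; NOTE(review): consider rethrowing (failing closed) if
   * callers can tolerate it.
   *
   * @param pwmApplication application handle used to read the configured profiles and policies
   * @param pwmSession session label used for log correlation
   * @param userIdentity user whose membership in each profile's permissions is tested
   * @param locale locale used when loading each profile's policy
   * @return the first matching profile's policy
   * @throws PwmUnrecoverableException with {@code ERROR_NO_PROFILE_ASSIGNED} if no profiles are
   *     configured, or if no profile matches the user
   */
  protected static PwmPasswordPolicy determineConfiguredPolicyProfileForUser(
      final PwmApplication pwmApplication,
      final SessionLabel pwmSession,
      final UserIdentity userIdentity,
      final Locale locale)
      throws PwmUnrecoverableException {
    final List<String> profiles = pwmApplication.getConfig().getPasswordProfileIDs();
    if (profiles.isEmpty()) {
      throw new PwmUnrecoverableException(
          new ErrorInformation(
              PwmError.ERROR_NO_PROFILE_ASSIGNED, "no password profiles are configured"));
    }

    for (final String profile : profiles) {
      final PwmPasswordPolicy loopPolicy =
          pwmApplication.getConfig().getPasswordPolicy(profile, locale);
      final List<UserPermission> userPermissions = loopPolicy.getUserPermissions();
      LOGGER.debug(pwmSession, "testing password policy profile '" + profile + "'");
      try {
        final boolean match =
            LdapPermissionTester.testUserPermissions(
                pwmApplication, pwmSession, userIdentity, userPermissions);
        if (match) {
          return loopPolicy;
        }
      } catch (PwmUnrecoverableException e) {
        // Skipping the profile on error continues to the next (possibly less restrictive) one;
        // see the method documentation for the fail-open implication.
        LOGGER.error(
            pwmSession,
            "unexpected error while testing password policy profile '"
                + profile
                + "', error: "
                + e.getMessage());
      }
    }

    // Fixed message: the previous text ("no challenge profile is configured") described a
    // different lookup and misreported this failure, which is "no profile matched the user".
    throw new PwmUnrecoverableException(
        new ErrorInformation(
            PwmError.ERROR_NO_PROFILE_ASSIGNED, "no password policy profile matched the user"));
  }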