private String oraclePreTemporaryPwHandler(
final ChaiProvider chaiProvider, final ChaiUser chaiUser)
throws PwmUnrecoverableException, ChaiUnavailableException, ChaiOperationException {
if (!pwmApplication
.getConfig()
.readSettingAsBoolean(PwmSetting.ORACLE_DS_ENABLE_MANIP_ALLOWCHANGETIME)) {
return null;
}
if (ChaiProvider.DIRECTORY_VENDOR.ORACLE_DS
!= chaiUser.getChaiProvider().getDirectoryVendor()) {
return null;
}
// oracle DS special case: passwordAllowChangeTime handler
final String oracleDS_PrePasswordAllowChangeTime =
chaiProvider.readStringAttribute(chaiUser.getEntryDN(), ORACLE_ATTR_PW_ALLOW_CHG_TIME);
log(
PwmLogLevel.TRACE,
"read OracleDS value of passwordAllowChangeTime value="
+ oracleDS_PrePasswordAllowChangeTime);
if (oracleDS_PrePasswordAllowChangeTime != null
&& !oracleDS_PrePasswordAllowChangeTime.isEmpty()) {
final Date date = OracleDSEntries.convertZuluToDate(oracleDS_PrePasswordAllowChangeTime);
if (new Date().before(date)) {
final String errorMsg =
"change not permitted until " + PwmConstants.DEFAULT_DATETIME_FORMAT.format(date);
throw new PwmUnrecoverableException(
new ErrorInformation(PwmError.PASSWORD_TOO_SOON, errorMsg));
}
}
return oracleDS_PrePasswordAllowChangeTime;
}
private void oraclePostTemporaryPwHandler(
final ChaiProvider chaiProvider,
final ChaiUser chaiUser,
final String oracleDS_PrePasswordAllowChangeTime)
throws ChaiUnavailableException, ChaiOperationException {
if (!pwmApplication
.getConfig()
.readSettingAsBoolean(PwmSetting.ORACLE_DS_ENABLE_MANIP_ALLOWCHANGETIME)) {
return;
}
// oracle DS special case: passwordAllowChangeTime handler
if (ChaiProvider.DIRECTORY_VENDOR.ORACLE_DS
!= chaiUser.getChaiProvider().getDirectoryVendor()) {
return;
}
if (oracleDS_PrePasswordAllowChangeTime != null
&& !oracleDS_PrePasswordAllowChangeTime.isEmpty()) {
// write back the original pre-password allow change time.
final Set<String> values =
new HashSet<>(Collections.singletonList(oracleDS_PrePasswordAllowChangeTime));
chaiProvider.writeStringAttribute(
chaiUser.getEntryDN(), ORACLE_ATTR_PW_ALLOW_CHG_TIME, values, true);
log(
PwmLogLevel.TRACE,
"re-wrote passwordAllowChangeTime attribute to user "
+ chaiUser.getEntryDN()
+ ", value="
+ oracleDS_PrePasswordAllowChangeTime);
} else {
final String oracleDS_PostPasswordAllowChangeTime =
chaiProvider.readStringAttribute(chaiUser.getEntryDN(), ORACLE_ATTR_PW_ALLOW_CHG_TIME);
if (oracleDS_PostPasswordAllowChangeTime != null
&& !oracleDS_PostPasswordAllowChangeTime.isEmpty()) {
// password allow change time has appeared, but wasn't present previously, so delete it.
log(
PwmLogLevel.TRACE,
"a new value for passwordAllowChangeTime attribute to user "
+ chaiUser.getEntryDN()
+ " has appeared, will remove");
chaiProvider.deleteStringAttributeValue(
chaiUser.getEntryDN(),
ORACLE_ATTR_PW_ALLOW_CHG_TIME,
oracleDS_PostPasswordAllowChangeTime);
log(
PwmLogLevel.TRACE,
"deleted attribute value for passwordAllowChangeTime attribute on user "
+ chaiUser.getEntryDN());
}
}
}
@Override
public void writeResponses(ChaiUser theUser, String userGUID, ResponseInfoBean responseInfoBean)
throws PwmUnrecoverableException {
if (userGUID == null || userGUID.length() < 1) {
throw new PwmUnrecoverableException(
new ErrorInformation(
PwmError.ERROR_MISSING_GUID,
"cannot save responses to remote database, user "
+ theUser.getEntryDN()
+ " does not have a guid"));
}
LOGGER.trace(
"attempting to save responses for "
+ theUser.getEntryDN()
+ " in remote database (key="
+ userGUID
+ ")");
try {
final ChaiResponseSet responseSet =
ChaiCrFactory.newChaiResponseSet(
responseInfoBean.getCrMap(),
responseInfoBean.getHelpdeskCrMap(),
responseInfoBean.getLocale(),
responseInfoBean.getMinRandoms(),
theUser.getChaiProvider().getChaiConfiguration(),
responseInfoBean.getCsIdentifier());
final DatabaseAccessorImpl databaseAccessor = pwmApplication.getDatabaseAccessor();
databaseAccessor.put(DatabaseTable.PWM_RESPONSES, userGUID, responseSet.stringValue());
LOGGER.info(
"saved responses for "
+ theUser.getEntryDN()
+ " in remote database (key="
+ userGUID
+ ")");
} catch (ChaiException e) {
final ErrorInformation errorInfo =
new ErrorInformation(
PwmError.ERROR_WRITING_RESPONSES,
"unexpected error saving responses for "
+ theUser.getEntryDN()
+ " in remote database: "
+ e.getMessage());
final PwmUnrecoverableException pwmOE = new PwmUnrecoverableException(errorInfo);
LOGGER.error(errorInfo.toDebugStr());
pwmOE.initCause(e);
throw pwmOE;
} catch (DatabaseException e) {
final ErrorInformation errorInfo =
new ErrorInformation(
PwmError.ERROR_WRITING_RESPONSES,
"unexpected error saving responses for "
+ theUser.getEntryDN()
+ " in remote database: "
+ e.getMessage());
final PwmUnrecoverableException pwmOE = new PwmUnrecoverableException(errorInfo);
LOGGER.error(errorInfo.toDebugStr());
pwmOE.initCause(e);
throw pwmOE;
}
}
protected void handleUpdateRequest(
final PwmRequest pwmRequest, final GuestRegistrationBean guestRegistrationBean)
throws ServletException, ChaiUnavailableException, IOException, PwmUnrecoverableException {
// Fetch the session state bean.
final PwmSession pwmSession = pwmRequest.getPwmSession();
final LocalSessionStateBean ssBean = pwmSession.getSessionStateBean();
final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
final Configuration config = pwmApplication.getConfig();
final List<FormConfiguration> formItems =
pwmApplication.getConfig().readSettingAsForm(PwmSetting.GUEST_UPDATE_FORM);
final String expirationAttribute =
config.readSettingAsString(PwmSetting.GUEST_EXPIRATION_ATTRIBUTE);
try {
// read the values from the request
final Map<FormConfiguration, String> formValues =
FormUtility.readFormValuesFromRequest(pwmRequest, formItems, pwmRequest.getLocale());
// see if the values meet form requirements.
FormUtility.validateFormValues(config, formValues, ssBean.getLocale());
// read current values from user.
final ChaiUser theGuest =
pwmSession
.getSessionManager()
.getActor(pwmApplication, guestRegistrationBean.getUpdateUserIdentity());
// check unique fields against ldap
FormUtility.validateFormValueUniqueness(
pwmApplication,
formValues,
ssBean.getLocale(),
Collections.singletonList(guestRegistrationBean.getUpdateUserIdentity()),
false);
final Date expirationDate = readExpirationFromRequest(pwmRequest);
// Update user attributes
Helper.writeFormValuesToLdap(pwmApplication, pwmSession, theGuest, formValues, false);
// Write expirationDate
if (expirationDate != null) {
theGuest.writeDateAttribute(expirationAttribute, expirationDate);
}
// send email.
final UserStatusReader userStatusReader =
new UserStatusReader(pwmApplication, pwmSession.getLabel());
final UserInfoBean guestUserInfoBean = new UserInfoBean();
userStatusReader.populateUserInfoBean(
guestUserInfoBean,
pwmSession.getSessionStateBean().getLocale(),
guestRegistrationBean.getUpdateUserIdentity(),
theGuest.getChaiProvider());
this.sendUpdateGuestEmailConfirmation(pwmRequest, guestUserInfoBean);
pwmApplication.getStatisticsManager().incrementValue(Statistic.UPDATED_GUESTS);
// everything good so forward to confirmation page.
pwmRequest.getPwmResponse().forwardToSuccessPage(Message.Success_UpdateGuest);
return;
} catch (PwmOperationalException e) {
LOGGER.error(pwmSession, e.getErrorInformation().toDebugStr());
pwmRequest.setResponseError(e.getErrorInformation());
} catch (ChaiOperationException e) {
final ErrorInformation info =
new ErrorInformation(
PwmError.ERROR_UNKNOWN, "unexpected error writing to ldap: " + e.getMessage());
LOGGER.error(pwmSession, info);
pwmRequest.setResponseError(info);
}
this.forwardToUpdateJSP(pwmRequest, guestRegistrationBean);
}
public static void helpdeskSetUserPassword(
final PwmSession pwmSession,
final ChaiUser chaiUser,
final UserIdentity userIdentity,
final PwmApplication pwmApplication,
final PasswordData newPassword)
throws ChaiUnavailableException, PwmUnrecoverableException, PwmOperationalException {
final SessionLabel sessionLabel = pwmSession.getLabel();
if (!pwmSession.isAuthenticated()) {
final String errorMsg = "attempt to helpdeskSetUserPassword, but user is not authenticated";
final ErrorInformation errorInformation =
new ErrorInformation(PwmError.ERROR_UNAUTHORIZED, errorMsg);
throw new PwmOperationalException(errorInformation);
}
final HelpdeskProfile helpdeskProfile =
pwmSession.getSessionManager().getHelpdeskProfile(pwmApplication);
if (helpdeskProfile == null) {
final String errorMsg =
"attempt to helpdeskSetUserPassword, but user does not have helpdesk permission";
final ErrorInformation errorInformation =
new ErrorInformation(PwmError.ERROR_UNAUTHORIZED, errorMsg);
throw new PwmOperationalException(errorInformation);
}
try {
chaiUser.setPassword(newPassword.getStringValue());
} catch (ChaiPasswordPolicyException e) {
final String errorMsg =
"error setting password for user '" + chaiUser.getEntryDN() + "'' " + e.toString();
final PwmError pwmError = PwmError.forChaiError(e.getErrorCode());
final ErrorInformation error =
new ErrorInformation(
pwmError == null ? PwmError.PASSWORD_UNKNOWN_VALIDATION : pwmError, errorMsg);
throw new PwmOperationalException(error);
} catch (ChaiOperationException e) {
final String errorMsg =
"error setting password for user '" + chaiUser.getEntryDN() + "'' " + e.getMessage();
final PwmError pwmError =
PwmError.forChaiError(e.getErrorCode()) == null
? PwmError.ERROR_UNKNOWN
: PwmError.forChaiError(e.getErrorCode());
final ErrorInformation error = new ErrorInformation(pwmError, errorMsg);
throw new PwmOperationalException(error);
}
// at this point the password has been changed, so log it.
LOGGER.info(
sessionLabel,
"user '"
+ pwmSession.getUserInfoBean().getUserIdentity()
+ "' successfully changed password for "
+ chaiUser.getEntryDN());
// create a proxy user object for pwm to update/read the user.
final ChaiUser proxiedUser = pwmApplication.getProxiedChaiUser(userIdentity);
// mark the event log
{
final HelpdeskAuditRecord auditRecord =
pwmApplication
.getAuditManager()
.createHelpdeskAuditRecord(
AuditEvent.HELPDESK_SET_PASSWORD,
pwmSession.getUserInfoBean().getUserIdentity(),
null,
userIdentity,
pwmSession.getSessionStateBean().getSrcAddress(),
pwmSession.getSessionStateBean().getSrcHostname());
pwmApplication.getAuditManager().submit(auditRecord);
}
// update statistics
pwmApplication.getStatisticsManager().updateEps(Statistic.EpsType.PASSWORD_CHANGES, 1);
pwmApplication.getStatisticsManager().incrementValue(Statistic.HELPDESK_PASSWORD_SET);
// create a uib for end user
final UserInfoBean userInfoBean = new UserInfoBean();
final UserStatusReader userStatusReader =
new UserStatusReader(pwmApplication, pwmSession.getLabel());
userStatusReader.populateUserInfoBean(
userInfoBean,
pwmSession.getSessionStateBean().getLocale(),
userIdentity,
proxiedUser.getChaiProvider());
{ // execute configured actions
LOGGER.debug(
sessionLabel,
"executing changepassword and helpdesk post password change writeAttributes to user "
+ userIdentity);
final List<ActionConfiguration> actions = new ArrayList<>();
actions.addAll(
pwmApplication
.getConfig()
.readSettingAsAction(PwmSetting.CHANGE_PASSWORD_WRITE_ATTRIBUTES));
actions.addAll(
helpdeskProfile.readSettingAsAction(
PwmSetting.HELPDESK_POST_SET_PASSWORD_WRITE_ATTRIBUTES));
if (!actions.isEmpty()) {
final ActionExecutor actionExecutor =
new ActionExecutor.ActionExecutorSettings(pwmApplication, userIdentity)
.setMacroMachine(
MacroMachine.forUser(
pwmApplication,
pwmSession.getSessionStateBean().getLocale(),
sessionLabel,
userIdentity))
.setExpandPwmMacros(true)
.createActionExecutor();
actionExecutor.executeActions(actions, pwmSession);
}
}
final HelpdeskClearResponseMode settingClearResponses =
HelpdeskClearResponseMode.valueOf(
helpdeskProfile.readSettingAsString(PwmSetting.HELPDESK_CLEAR_RESPONSES));
if (settingClearResponses == HelpdeskClearResponseMode.yes) {
final String userGUID =
LdapOperationsHelper.readLdapGuidValue(pwmApplication, sessionLabel, userIdentity, false);
pwmApplication.getCrService().clearResponses(pwmSession, proxiedUser, userGUID);
// mark the event log
final HelpdeskAuditRecord auditRecord =
pwmApplication
.getAuditManager()
.createHelpdeskAuditRecord(
AuditEvent.HELPDESK_CLEAR_RESPONSES,
pwmSession.getUserInfoBean().getUserIdentity(),
null,
userIdentity,
pwmSession.getSessionStateBean().getSrcAddress(),
pwmSession.getSessionStateBean().getSrcHostname());
pwmApplication.getAuditManager().submit(auditRecord);
}
// send email notification
sendChangePasswordHelpdeskEmailNotice(pwmSession, pwmApplication, userInfoBean);
// expire if so configured
if (helpdeskProfile.readSettingAsBoolean(PwmSetting.HELPDESK_FORCE_PW_EXPIRATION)) {
LOGGER.trace(
pwmSession, "preparing to expire password for user " + userIdentity.toDisplayString());
try {
proxiedUser.expirePassword();
} catch (ChaiOperationException e) {
LOGGER.warn(
pwmSession,
"error while forcing password expiration for user "
+ userIdentity.toDisplayString()
+ ", error: "
+ e.getMessage());
e.printStackTrace();
}
}
// send password
final boolean sendPassword =
helpdeskProfile.readSettingAsBoolean(PwmSetting.HELPDESK_SEND_PASSWORD);
if (sendPassword) {
final MessageSendMethod messageSendMethod;
{
final String profileID =
ProfileUtility.discoverProfileIDforUser(
pwmApplication, sessionLabel, userIdentity, ProfileType.ForgottenPassword);
final ForgottenPasswordProfile forgottenPasswordProfile =
pwmApplication.getConfig().getForgottenPasswordProfiles().get(profileID);
messageSendMethod =
forgottenPasswordProfile.readSettingAsEnum(
PwmSetting.RECOVERY_SENDNEWPW_METHOD, MessageSendMethod.class);
}
final UserDataReader userDataReader = new LdapUserDataReader(userIdentity, chaiUser);
final LoginInfoBean loginInfoBean = new LoginInfoBean();
loginInfoBean.setUserCurrentPassword(newPassword);
final MacroMachine macroMachine =
new MacroMachine(
pwmApplication, pwmSession.getLabel(), userInfoBean, loginInfoBean, userDataReader);
PasswordUtility.sendNewPassword(
userInfoBean,
pwmApplication,
macroMachine,
newPassword,
pwmSession.getSessionStateBean().getLocale(),
messageSendMethod);
}
}
