public String replaceValue(String matchValue, MacroRequestInfo macroRequestInfo) { final UserInfoBean userInfoBean = macroRequestInfo.getUserInfoBean(); if (userInfoBean != null && userInfoBean.getResponseInfoBean() != null && userInfoBean.getResponseInfoBean().getTimestamp() != null) { return PwmConstants.DEFAULT_DATETIME_FORMAT.format( userInfoBean.getResponseInfoBean().getTimestamp()); } return null; }
public UserCacheRecord updateUserCache(final UserInfoBean userInfoBean) throws PwmUnrecoverableException { final StorageKey storageKey = StorageKey.fromUserInfoBean(userInfoBean); boolean preExisting = false; try { UserCacheRecord userCacheRecord = readStorageKey(storageKey); if (userCacheRecord == null) { userCacheRecord = new UserCacheRecord(); } else { preExisting = true; } userCacheRecord.addUiBeanData(userInfoBean); store(userCacheRecord); return userCacheRecord; } catch (LocalDBException e) { LOGGER.error("unable to store user status cache to localdb: " + e.getMessage()); } LOGGER.trace( "updateCache: " + (preExisting ? "updated existing" : "created new") + " user cache for " + userInfoBean.getUserIdentity() + " user key " + storageKey.getKey()); return null; }
private static ErrorInformation sendNewPasswordEmail( final UserInfoBean userInfoBean, final PwmApplication pwmApplication, final MacroMachine macroMachine, final PasswordData newPassword, final String toAddress, final Locale userLocale) throws PwmOperationalException, PwmUnrecoverableException { final Configuration config = pwmApplication.getConfig(); final EmailItemBean configuredEmailSetting = config.readSettingAsEmail(PwmSetting.EMAIL_SENDPASSWORD, userLocale); if (configuredEmailSetting == null) { final String errorMsg = "send password email contents are not configured"; return new ErrorInformation(PwmError.ERROR_UNKNOWN, errorMsg); } final EmailItemBean emailItemBean = new EmailItemBean( configuredEmailSetting.getTo(), configuredEmailSetting.getFrom(), configuredEmailSetting.getSubject(), configuredEmailSetting.getBodyPlain().replace("%TOKEN%", newPassword.getStringValue()), configuredEmailSetting.getBodyHtml().replace("%TOKEN%", newPassword.getStringValue())); pwmApplication.getEmailQueue().submitEmail(emailItemBean, userInfoBean, macroMachine); LOGGER.debug( "new password email to " + userInfoBean.getUserIdentity() + " added to send queue for " + toAddress); return null; }
@Override public void init( PwmApplication pwmApplication, UserInfoBean userInfoBean, SessionLabel sessionLabel, Locale locale) throws PwmUnrecoverableException { this.pwmApplication = pwmApplication; this.locale = locale; String serverUrl = pwmApplication.getConfig().readSettingAsString(PwmSetting.NAAF_WS_URL); String naafUsername = pwmApplication.getConfig().readSettingAsString(PwmSetting.NAAF_USER_IDENTIFIER); final MacroMachine macroMachine = MacroMachine.forUser( pwmApplication, PwmConstants.DEFAULT_LOCALE, sessionLabel, userInfoBean.getUserIdentity()); serverUrl = macroMachine.expandMacros(serverUrl); naafUsername = macroMachine.expandMacros(naafUsername); NAAFEndPoint naafEndPoint = new NAAFEndPoint(pwmApplication, serverUrl, locale); naafEndPoint.establishEndpointSession(); Set<NAAFLoginMethod> loginMethods = pwmApplication .getConfig() .readSettingAsOptionList(PwmSetting.NAAF_METHODS, NAAFLoginMethod.class); naafLoginSequence = new NAAFLoginSequence(naafEndPoint, loginMethods, naafUsername, locale); }
private static ErrorInformation sendNewPasswordSms( final UserInfoBean userInfoBean, final PwmApplication pwmApplication, final MacroMachine macroMachine, final PasswordData newPassword, final String toNumber, final Locale userLocale) throws PwmOperationalException, PwmUnrecoverableException { final Configuration config = pwmApplication.getConfig(); String message = config.readSettingAsLocalizedString(PwmSetting.SMS_CHALLENGE_NEW_PASSWORD_TEXT, userLocale); if (toNumber == null || toNumber.length() < 1) { final String errorMsg = String.format( "unable to send new password email for '%s'; no SMS number available in ldap", userInfoBean.getUserIdentity()); return new ErrorInformation(PwmError.ERROR_UNKNOWN, errorMsg); } message = message.replace("%TOKEN%", newPassword.getStringValue()); pwmApplication.sendSmsUsingQueue(new SmsItemBean(toNumber, message), macroMachine); LOGGER.debug(String.format("password SMS added to send queue for %s", toNumber)); return null; }
private static void sendChangePasswordHelpdeskEmailNotice( final PwmSession pwmSession, final PwmApplication pwmApplication, final UserInfoBean userInfoBean) throws PwmUnrecoverableException { final Configuration config = pwmApplication.getConfig(); final Locale locale = pwmSession.getSessionStateBean().getLocale(); final EmailItemBean configuredEmailSetting = config.readSettingAsEmail(PwmSetting.EMAIL_CHANGEPASSWORD_HELPDESK, locale); if (configuredEmailSetting == null) { LOGGER.debug( pwmSession, "skipping send change password email for '" + pwmSession.getUserInfoBean().getUserIdentity() + "' no email configured"); return; } final MacroMachine macroMachine = userInfoBean == null ? null : new MacroMachine( pwmApplication, pwmSession.getLabel(), userInfoBean, null, LdapUserDataReader.appProxiedReader( pwmApplication, userInfoBean.getUserIdentity())); pwmApplication.getEmailQueue().submitEmail(configuredEmailSetting, userInfoBean, macroMachine); }
public boolean updateCachedRecordFromLdap(final UserInfoBean uiBean) throws LocalDBException, PwmUnrecoverableException, ChaiUnavailableException { if (status != STATUS.OPEN) { return false; } final UserCacheService.StorageKey storageKey = UserCacheService.StorageKey.fromUserInfoBean(uiBean); return updateCachedRecordFromLdap(uiBean.getUserIdentity(), uiBean, storageKey); }
public static void doProfileUpdate( final PwmRequest pwmRequest, final Map<FormConfiguration, String> formValues, final ChaiUser theUser) throws PwmUnrecoverableException, ChaiUnavailableException, PwmOperationalException { final PwmApplication pwmApplication = pwmRequest.getPwmApplication(); final PwmSession pwmSession = pwmRequest.getPwmSession(); final UserInfoBean uiBean = pwmRequest.getPwmSession().getUserInfoBean(); // verify form meets the form requirements (may be redundant, but shouldn't hurt) verifyFormAttributes(pwmRequest, formValues, false); // write values. LOGGER.info( "updating profile for " + pwmRequest.getPwmSession().getUserInfoBean().getUserIdentity()); pwmRequest.getPwmSession().getSessionManager().getChaiProvider(); Helper.writeFormValuesToLdap( pwmRequest.getPwmApplication(), pwmRequest.getPwmSession(), theUser, formValues, false); final UserIdentity userIdentity = uiBean.getUserIdentity(); // re-populate the uiBean because we have changed some values. final UserStatusReader userStatusReader = new UserStatusReader(pwmRequest.getPwmApplication(), pwmRequest.getSessionLabel()); userStatusReader.populateActorUserInfoBean(pwmRequest.getPwmSession(), userIdentity); // clear cached read attributes. pwmRequest.getPwmSession().getSessionManager().clearUserDataReader(); { // execute configured actions final List<ActionConfiguration> actions = pwmApplication .getConfig() .readSettingAsAction(PwmSetting.UPDATE_PROFILE_WRITE_ATTRIBUTES); if (actions != null && !actions.isEmpty()) { LOGGER.debug(pwmRequest, "executing configured actions to user " + userIdentity); final ActionExecutor actionExecutor = new ActionExecutor.ActionExecutorSettings(pwmApplication, userIdentity) .setExpandPwmMacros(true) .createActionExecutor(); actionExecutor.executeActions(actions, pwmSession); } } sendProfileUpdateEmailNotice(pwmSession, pwmApplication); // mark the event log pwmApplication .getAuditManager() .submit(AuditEvent.UPDATE_PROFILE, pwmSession.getUserInfoBean(), pwmSession); // mark the uiBean so we user isn't recycled to the update profile page by the CommandServlet uiBean.setRequiresUpdateProfile(false); // clear out the updateProfileBean pwmSession.clearUpdateProfileBean(); // success, so forward to success page pwmApplication.getStatisticsManager().incrementValue(Statistic.UPDATE_ATTRIBUTES); }
public static StorageKey fromUserInfoBean(final UserInfoBean userInfoBean) throws PwmUnrecoverableException { final String userGUID = userInfoBean.getUserGuid(); return fromUserGUID(userGUID); }
public static PasswordCheckInfo checkEnteredPassword( final PwmApplication pwmApplication, final Locale locale, final ChaiUser user, final UserInfoBean userInfoBean, final LoginInfoBean loginInfoBean, final PasswordData password, final PasswordData confirmPassword) throws PwmUnrecoverableException, ChaiUnavailableException { if (userInfoBean == null) { throw new NullPointerException("userInfoBean cannot be null"); } boolean pass = false; String userMessage = ""; int errorCode = 0; final boolean passwordIsCaseSensitive = userInfoBean.getPasswordPolicy() == null || userInfoBean .getPasswordPolicy() .getRuleHelper() .readBooleanValue(PwmPasswordRule.CaseSensitive); final CachePolicy cachePolicy; { final long cacheLifetimeMS = Long.parseLong( pwmApplication .getConfig() .readAppProperty(AppProperty.CACHE_PWRULECHECK_LIFETIME_MS)); cachePolicy = CachePolicy.makePolicyWithExpirationMS(cacheLifetimeMS); } if (password == null) { userMessage = new ErrorInformation(PwmError.PASSWORD_MISSING) .toUserStr(locale, pwmApplication.getConfig()); } else { final CacheService cacheService = pwmApplication.getCacheService(); final CacheKey cacheKey = user != null && userInfoBean.getUserIdentity() != null ? CacheKey.makeCacheKey( PasswordUtility.class, userInfoBean.getUserIdentity(), user.getEntryDN() + ":" + password.hash()) : null; if (pwmApplication.getConfig().isDevDebugMode()) { LOGGER.trace("generated cacheKey for password check request: " + cacheKey); } try { if (cacheService != null && cacheKey != null) { final String cachedValue = cacheService.get(cacheKey); if (cachedValue != null) { if (NEGATIVE_CACHE_HIT.equals(cachedValue)) { pass = true; } else { LOGGER.trace("cache hit!"); final ErrorInformation errorInformation = JsonUtil.deserialize(cachedValue, ErrorInformation.class); throw new PwmDataValidationException(errorInformation); } } } if (!pass) { final PwmPasswordRuleValidator pwmPasswordRuleValidator = new PwmPasswordRuleValidator( pwmApplication, userInfoBean.getPasswordPolicy(), locale); final PasswordData oldPassword = loginInfoBean == null ? null : loginInfoBean.getUserCurrentPassword(); pwmPasswordRuleValidator.testPassword(password, oldPassword, userInfoBean, user); pass = true; if (cacheService != null && cacheKey != null) { cacheService.put(cacheKey, cachePolicy, NEGATIVE_CACHE_HIT); } } } catch (PwmDataValidationException e) { errorCode = e.getError().getErrorCode(); userMessage = e.getErrorInformation().toUserStr(locale, pwmApplication.getConfig()); pass = false; if (cacheService != null && cacheKey != null) { final String jsonPayload = JsonUtil.serialize(e.getErrorInformation()); cacheService.put(cacheKey, cachePolicy, jsonPayload); } } } final PasswordCheckInfo.MATCH_STATUS matchStatus = figureMatchStatus(passwordIsCaseSensitive, password, confirmPassword); if (pass) { switch (matchStatus) { case EMPTY: userMessage = new ErrorInformation(PwmError.PASSWORD_MISSING_CONFIRM) .toUserStr(locale, pwmApplication.getConfig()); break; case MATCH: userMessage = new ErrorInformation(PwmError.PASSWORD_MEETS_RULES) .toUserStr(locale, pwmApplication.getConfig()); break; case NO_MATCH: userMessage = new ErrorInformation(PwmError.PASSWORD_DOESNOTMATCH) .toUserStr(locale, pwmApplication.getConfig()); break; default: userMessage = ""; } } final int strength = judgePasswordStrength(password == null ? null : password.getStringValue()); return new PasswordCheckInfo(userMessage, pass, strength, matchStatus, errorCode); }
/** * This is the entry point under which all password changes are managed. The following is the * general procedure when this method is invoked. * * <ul> * <li>password is checked against PWM password requirement * <li>ldap password set is attempted<br> * <br> * if successful: * <ul> * <li>uiBean is updated with old and new passwords * <li>uiBean's password expire flag is set to false * <li>any configured external methods are invoked * <li>user email notification is sent * <li>return true * </ul> * <br> * if unsuccessful * <ul> * <li>ssBean is updated with appropriate error * <li>return false * </ul> * </ul> * * @param newPassword the new password that is being set. * @param pwmSession beanmanager for config and user info lookup * @throws com.novell.ldapchai.exception.ChaiUnavailableException if the ldap directory is not * unavailable * @throws password.pwm.error.PwmUnrecoverableException if user is not authenticated */ public static void setActorPassword( final PwmSession pwmSession, final PwmApplication pwmApplication, final PasswordData newPassword) throws ChaiUnavailableException, PwmUnrecoverableException, PwmOperationalException { final UserInfoBean uiBean = pwmSession.getUserInfoBean(); if (!pwmSession .getSessionManager() .checkPermission(pwmApplication, Permission.CHANGE_PASSWORD)) { final String errorMsg = "attempt to setActorPassword, but user does not have password change permission"; final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_UNAUTHORIZED, errorMsg); throw new PwmOperationalException(errorInformation); } // double check to make sure password meets PWM rule requirements. This should // have been done before setActorPassword() is invoked, so it should be redundant // but we do it just in case. try { final PwmPasswordRuleValidator pwmPasswordRuleValidator = new PwmPasswordRuleValidator(pwmApplication, uiBean.getPasswordPolicy()); pwmPasswordRuleValidator.testPassword( newPassword, null, uiBean, pwmSession.getSessionManager().getActor(pwmApplication)); } catch (PwmDataValidationException e) { final String errorMsg = "attempt to setActorPassword, but password does not pass local policy validator"; final ErrorInformation errorInformation = new ErrorInformation(e.getErrorInformation().getError(), errorMsg); throw new PwmOperationalException(errorInformation); } // retrieve the user's old password from the userInfoBean in the session final PasswordData oldPassword = pwmSession.getLoginInfoBean().getUserCurrentPassword(); boolean setPasswordWithoutOld = false; if (oldPassword == null) { if (pwmSession .getSessionManager() .getActor(pwmApplication) .getChaiProvider() .getDirectoryVendor() == ChaiProvider.DIRECTORY_VENDOR.MICROSOFT_ACTIVE_DIRECTORY) { setPasswordWithoutOld = true; } } if (!setPasswordWithoutOld) { // Check to make sure we actually have an old password if (oldPassword == null) { final String errorMsg = "cannot set password for user, old password is not available"; final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_WRONGPASSWORD, errorMsg); throw new PwmOperationalException(errorInformation); } } try { final ChaiProvider provider = pwmSession.getSessionManager().getChaiProvider(); final ChaiUser theUser = ChaiFactory.createChaiUser( pwmSession.getUserInfoBean().getUserIdentity().getUserDN(), provider); final boolean boundAsSelf = theUser .getEntryDN() .equals(provider.getChaiConfiguration().getSetting(ChaiSetting.BIND_DN)); LOGGER.trace( pwmSession, "preparing to setActorPassword for '" + theUser.getEntryDN() + "', bindAsSelf=" + boundAsSelf + ", authType=" + pwmSession.getLoginInfoBean().getType()); if (setPasswordWithoutOld) { theUser.setPassword(newPassword.getStringValue(), true); } else { theUser.changePassword(oldPassword.getStringValue(), newPassword.getStringValue()); } } catch (ChaiPasswordPolicyException e) { final String errorMsg = "error setting password for user '" + uiBean.getUserIdentity() + "'' " + e.toString(); final PwmError pwmError = PwmError.forChaiError(e.getErrorCode()); final ErrorInformation error = new ErrorInformation( pwmError == null ? PwmError.PASSWORD_UNKNOWN_VALIDATION : pwmError, errorMsg); throw new PwmOperationalException(error); } catch (ChaiOperationException e) { final String errorMsg = "error setting password for user '" + uiBean.getUserIdentity() + "'' " + e.getMessage(); final PwmError pwmError = PwmError.forChaiError(e.getErrorCode()) == null ? PwmError.ERROR_UNKNOWN : PwmError.forChaiError(e.getErrorCode()); final ErrorInformation error = new ErrorInformation(pwmError, errorMsg); throw new PwmOperationalException(error); } // at this point the password has been changed, so log it. LOGGER.info( pwmSession, "user '" + uiBean.getUserIdentity() + "' successfully changed password"); // update the session state bean's password modified flag pwmSession.getSessionStateBean().setPasswordModified(true); // update the login info bean with the user's new password pwmSession.getLoginInfoBean().setUserCurrentPassword(newPassword); // close any outstanding ldap connections (since they cache the old password) pwmSession .getSessionManager() .updateUserPassword(pwmApplication, uiBean.getUserIdentity(), newPassword); // clear the "requires new password flag" uiBean.setRequiresNewPassword(false); // mark the auth type as authenticatePd now that we have the user's natural password. pwmSession.getLoginInfoBean().setType(AuthenticationType.AUTHENTICATED); // update the uibean's "password expired flag". final UserStatusReader userStatusReader = new UserStatusReader(pwmApplication, pwmSession.getLabel()); uiBean.setPasswordState( userStatusReader.readPasswordStatus( pwmSession.getSessionManager().getActor(pwmApplication), uiBean.getPasswordPolicy(), uiBean, newPassword)); // create a proxy user object for pwm to update/read the user. final ChaiUser proxiedUser = pwmSession.getSessionManager().getActor(pwmApplication); // update statistics { pwmApplication.getStatisticsManager().incrementValue(Statistic.PASSWORD_CHANGES); pwmApplication.getStatisticsManager().updateEps(Statistic.EpsType.PASSWORD_CHANGES, 1); final int passwordStrength = PasswordUtility.judgePasswordStrength(newPassword.getStringValue()); pwmApplication .getStatisticsManager() .updateAverageValue(Statistic.AVG_PASSWORD_STRENGTH, passwordStrength); } // add the old password to the global history list (if the old password is known) if (oldPassword != null && pwmApplication .getConfig() .readSettingAsBoolean(PwmSetting.PASSWORD_SHAREDHISTORY_ENABLE)) { pwmApplication.getSharedHistoryManager().addWord(pwmSession, oldPassword.getStringValue()); } // invoke post password change actions invokePostChangePasswordActions(pwmSession, newPassword.getStringValue()); { // execute configured actions LOGGER.debug(pwmSession, "executing configured actions to user " + proxiedUser.getEntryDN()); final List<ActionConfiguration> configValues = pwmApplication .getConfig() .readSettingAsAction(PwmSetting.CHANGE_PASSWORD_WRITE_ATTRIBUTES); if (configValues != null && !configValues.isEmpty()) { final LoginInfoBean clonedLoginInfoBean = JsonUtil.cloneUsingJson(pwmSession.getLoginInfoBean(), LoginInfoBean.class); clonedLoginInfoBean.setUserCurrentPassword(newPassword); final MacroMachine macroMachine = new MacroMachine( pwmApplication, pwmSession.getLabel(), pwmSession.getUserInfoBean(), clonedLoginInfoBean, pwmSession.getSessionManager().getUserDataReader(pwmApplication)); final ActionExecutor actionExecutor = new ActionExecutor.ActionExecutorSettings(pwmApplication, uiBean.getUserIdentity()) .setMacroMachine(macroMachine) .setExpandPwmMacros(true) .createActionExecutor(); actionExecutor.executeActions(configValues, pwmSession); } } // update the current last password update field in ldap LdapOperationsHelper.updateLastPasswordUpdateAttribute( pwmApplication, pwmSession.getLabel(), uiBean.getUserIdentity()); }
public static String sendNewPassword( final UserInfoBean userInfoBean, final PwmApplication pwmApplication, final MacroMachine macroMachine, final PasswordData newPassword, final Locale userLocale, final MessageSendMethod messageSendMethod) throws PwmOperationalException, PwmUnrecoverableException { final String emailAddress = userInfoBean.getUserEmailAddress(); final String smsNumber = userInfoBean.getUserSmsNumber(); String returnToAddress = emailAddress; ErrorInformation error = null; switch (messageSendMethod) { case BOTH: // Send both email and SMS, success if one of both succeeds final ErrorInformation err1 = sendNewPasswordEmail( userInfoBean, pwmApplication, macroMachine, newPassword, emailAddress, userLocale); final ErrorInformation err2 = sendNewPasswordSms( userInfoBean, pwmApplication, macroMachine, newPassword, smsNumber, userLocale); if (err1 != null) { error = err1; returnToAddress = smsNumber; } else if (err2 != null) { error = err2; } break; case EMAILFIRST: // Send email first, try SMS if email is not available error = sendNewPasswordEmail( userInfoBean, pwmApplication, macroMachine, newPassword, emailAddress, userLocale); if (error != null) { error = sendNewPasswordSms( userInfoBean, pwmApplication, macroMachine, newPassword, smsNumber, userLocale); returnToAddress = smsNumber; } break; case SMSFIRST: // Send SMS first, try email if SMS is not available error = sendNewPasswordSms( userInfoBean, pwmApplication, macroMachine, newPassword, smsNumber, userLocale); if (error != null) { error = sendNewPasswordEmail( userInfoBean, pwmApplication, macroMachine, newPassword, emailAddress, userLocale); } else { returnToAddress = smsNumber; } break; case SMSONLY: // Only try SMS error = sendNewPasswordSms( userInfoBean, pwmApplication, macroMachine, newPassword, smsNumber, userLocale); returnToAddress = smsNumber; break; case EMAILONLY: default: // Only try email error = sendNewPasswordEmail( userInfoBean, pwmApplication, macroMachine, newPassword, emailAddress, userLocale); break; } if (error != null) { throw new PwmOperationalException(error); } return returnToAddress; }