private String oraclePreTemporaryPwHandler( final ChaiProvider chaiProvider, final ChaiUser chaiUser) throws PwmUnrecoverableException, ChaiUnavailableException, ChaiOperationException { if (!pwmApplication .getConfig() .readSettingAsBoolean(PwmSetting.ORACLE_DS_ENABLE_MANIP_ALLOWCHANGETIME)) { return null; } if (ChaiProvider.DIRECTORY_VENDOR.ORACLE_DS != chaiUser.getChaiProvider().getDirectoryVendor()) { return null; } // oracle DS special case: passwordAllowChangeTime handler final String oracleDS_PrePasswordAllowChangeTime = chaiProvider.readStringAttribute(chaiUser.getEntryDN(), ORACLE_ATTR_PW_ALLOW_CHG_TIME); log( PwmLogLevel.TRACE, "read OracleDS value of passwordAllowChangeTime value=" + oracleDS_PrePasswordAllowChangeTime); if (oracleDS_PrePasswordAllowChangeTime != null && !oracleDS_PrePasswordAllowChangeTime.isEmpty()) { final Date date = OracleDSEntries.convertZuluToDate(oracleDS_PrePasswordAllowChangeTime); if (new Date().before(date)) { final String errorMsg = "change not permitted until " + PwmConstants.DEFAULT_DATETIME_FORMAT.format(date); throw new PwmUnrecoverableException( new ErrorInformation(PwmError.PASSWORD_TOO_SOON, errorMsg)); } } return oracleDS_PrePasswordAllowChangeTime; }
private void oraclePostTemporaryPwHandler( final ChaiProvider chaiProvider, final ChaiUser chaiUser, final String oracleDS_PrePasswordAllowChangeTime) throws ChaiUnavailableException, ChaiOperationException { if (!pwmApplication .getConfig() .readSettingAsBoolean(PwmSetting.ORACLE_DS_ENABLE_MANIP_ALLOWCHANGETIME)) { return; } // oracle DS special case: passwordAllowChangeTime handler if (ChaiProvider.DIRECTORY_VENDOR.ORACLE_DS != chaiUser.getChaiProvider().getDirectoryVendor()) { return; } if (oracleDS_PrePasswordAllowChangeTime != null && !oracleDS_PrePasswordAllowChangeTime.isEmpty()) { // write back the original pre-password allow change time. final Set<String> values = new HashSet<>(Collections.singletonList(oracleDS_PrePasswordAllowChangeTime)); chaiProvider.writeStringAttribute( chaiUser.getEntryDN(), ORACLE_ATTR_PW_ALLOW_CHG_TIME, values, true); log( PwmLogLevel.TRACE, "re-wrote passwordAllowChangeTime attribute to user " + chaiUser.getEntryDN() + ", value=" + oracleDS_PrePasswordAllowChangeTime); } else { final String oracleDS_PostPasswordAllowChangeTime = chaiProvider.readStringAttribute(chaiUser.getEntryDN(), ORACLE_ATTR_PW_ALLOW_CHG_TIME); if (oracleDS_PostPasswordAllowChangeTime != null && !oracleDS_PostPasswordAllowChangeTime.isEmpty()) { // password allow change time has appeared, but wasn't present previously, so delete it. log( PwmLogLevel.TRACE, "a new value for passwordAllowChangeTime attribute to user " + chaiUser.getEntryDN() + " has appeared, will remove"); chaiProvider.deleteStringAttributeValue( chaiUser.getEntryDN(), ORACLE_ATTR_PW_ALLOW_CHG_TIME, oracleDS_PostPasswordAllowChangeTime); log( PwmLogLevel.TRACE, "deleted attribute value for passwordAllowChangeTime attribute on user " + chaiUser.getEntryDN()); } } }
@Override public void writeResponses(ChaiUser theUser, String userGUID, ResponseInfoBean responseInfoBean) throws PwmUnrecoverableException { if (userGUID == null || userGUID.length() < 1) { throw new PwmUnrecoverableException( new ErrorInformation( PwmError.ERROR_MISSING_GUID, "cannot save responses to remote database, user " + theUser.getEntryDN() + " does not have a guid")); } LOGGER.trace( "attempting to save responses for " + theUser.getEntryDN() + " in remote database (key=" + userGUID + ")"); try { final ChaiResponseSet responseSet = ChaiCrFactory.newChaiResponseSet( responseInfoBean.getCrMap(), responseInfoBean.getHelpdeskCrMap(), responseInfoBean.getLocale(), responseInfoBean.getMinRandoms(), theUser.getChaiProvider().getChaiConfiguration(), responseInfoBean.getCsIdentifier()); final DatabaseAccessorImpl databaseAccessor = pwmApplication.getDatabaseAccessor(); databaseAccessor.put(DatabaseTable.PWM_RESPONSES, userGUID, responseSet.stringValue()); LOGGER.info( "saved responses for " + theUser.getEntryDN() + " in remote database (key=" + userGUID + ")"); } catch (ChaiException e) { final ErrorInformation errorInfo = new ErrorInformation( PwmError.ERROR_WRITING_RESPONSES, "unexpected error saving responses for " + theUser.getEntryDN() + " in remote database: " + e.getMessage()); final PwmUnrecoverableException pwmOE = new PwmUnrecoverableException(errorInfo); LOGGER.error(errorInfo.toDebugStr()); pwmOE.initCause(e); throw pwmOE; } catch (DatabaseException e) { final ErrorInformation errorInfo = new ErrorInformation( PwmError.ERROR_WRITING_RESPONSES, "unexpected error saving responses for " + theUser.getEntryDN() + " in remote database: " + e.getMessage()); final PwmUnrecoverableException pwmOE = new PwmUnrecoverableException(errorInfo); LOGGER.error(errorInfo.toDebugStr()); pwmOE.initCause(e); throw pwmOE; } }
protected void handleUpdateRequest( final PwmRequest pwmRequest, final GuestRegistrationBean guestRegistrationBean) throws ServletException, ChaiUnavailableException, IOException, PwmUnrecoverableException { // Fetch the session state bean. final PwmSession pwmSession = pwmRequest.getPwmSession(); final LocalSessionStateBean ssBean = pwmSession.getSessionStateBean(); final PwmApplication pwmApplication = pwmRequest.getPwmApplication(); final Configuration config = pwmApplication.getConfig(); final List<FormConfiguration> formItems = pwmApplication.getConfig().readSettingAsForm(PwmSetting.GUEST_UPDATE_FORM); final String expirationAttribute = config.readSettingAsString(PwmSetting.GUEST_EXPIRATION_ATTRIBUTE); try { // read the values from the request final Map<FormConfiguration, String> formValues = FormUtility.readFormValuesFromRequest(pwmRequest, formItems, pwmRequest.getLocale()); // see if the values meet form requirements. FormUtility.validateFormValues(config, formValues, ssBean.getLocale()); // read current values from user. final ChaiUser theGuest = pwmSession .getSessionManager() .getActor(pwmApplication, guestRegistrationBean.getUpdateUserIdentity()); // check unique fields against ldap FormUtility.validateFormValueUniqueness( pwmApplication, formValues, ssBean.getLocale(), Collections.singletonList(guestRegistrationBean.getUpdateUserIdentity()), false); final Date expirationDate = readExpirationFromRequest(pwmRequest); // Update user attributes Helper.writeFormValuesToLdap(pwmApplication, pwmSession, theGuest, formValues, false); // Write expirationDate if (expirationDate != null) { theGuest.writeDateAttribute(expirationAttribute, expirationDate); } // send email. final UserStatusReader userStatusReader = new UserStatusReader(pwmApplication, pwmSession.getLabel()); final UserInfoBean guestUserInfoBean = new UserInfoBean(); userStatusReader.populateUserInfoBean( guestUserInfoBean, pwmSession.getSessionStateBean().getLocale(), guestRegistrationBean.getUpdateUserIdentity(), theGuest.getChaiProvider()); this.sendUpdateGuestEmailConfirmation(pwmRequest, guestUserInfoBean); pwmApplication.getStatisticsManager().incrementValue(Statistic.UPDATED_GUESTS); // everything good so forward to confirmation page. pwmRequest.getPwmResponse().forwardToSuccessPage(Message.Success_UpdateGuest); return; } catch (PwmOperationalException e) { LOGGER.error(pwmSession, e.getErrorInformation().toDebugStr()); pwmRequest.setResponseError(e.getErrorInformation()); } catch (ChaiOperationException e) { final ErrorInformation info = new ErrorInformation( PwmError.ERROR_UNKNOWN, "unexpected error writing to ldap: " + e.getMessage()); LOGGER.error(pwmSession, info); pwmRequest.setResponseError(info); } this.forwardToUpdateJSP(pwmRequest, guestRegistrationBean); }
public static void helpdeskSetUserPassword( final PwmSession pwmSession, final ChaiUser chaiUser, final UserIdentity userIdentity, final PwmApplication pwmApplication, final PasswordData newPassword) throws ChaiUnavailableException, PwmUnrecoverableException, PwmOperationalException { final SessionLabel sessionLabel = pwmSession.getLabel(); if (!pwmSession.isAuthenticated()) { final String errorMsg = "attempt to helpdeskSetUserPassword, but user is not authenticated"; final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_UNAUTHORIZED, errorMsg); throw new PwmOperationalException(errorInformation); } final HelpdeskProfile helpdeskProfile = pwmSession.getSessionManager().getHelpdeskProfile(pwmApplication); if (helpdeskProfile == null) { final String errorMsg = "attempt to helpdeskSetUserPassword, but user does not have helpdesk permission"; final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_UNAUTHORIZED, errorMsg); throw new PwmOperationalException(errorInformation); } try { chaiUser.setPassword(newPassword.getStringValue()); } catch (ChaiPasswordPolicyException e) { final String errorMsg = "error setting password for user '" + chaiUser.getEntryDN() + "'' " + e.toString(); final PwmError pwmError = PwmError.forChaiError(e.getErrorCode()); final ErrorInformation error = new ErrorInformation( pwmError == null ? PwmError.PASSWORD_UNKNOWN_VALIDATION : pwmError, errorMsg); throw new PwmOperationalException(error); } catch (ChaiOperationException e) { final String errorMsg = "error setting password for user '" + chaiUser.getEntryDN() + "'' " + e.getMessage(); final PwmError pwmError = PwmError.forChaiError(e.getErrorCode()) == null ? PwmError.ERROR_UNKNOWN : PwmError.forChaiError(e.getErrorCode()); final ErrorInformation error = new ErrorInformation(pwmError, errorMsg); throw new PwmOperationalException(error); } // at this point the password has been changed, so log it. LOGGER.info( sessionLabel, "user '" + pwmSession.getUserInfoBean().getUserIdentity() + "' successfully changed password for " + chaiUser.getEntryDN()); // create a proxy user object for pwm to update/read the user. final ChaiUser proxiedUser = pwmApplication.getProxiedChaiUser(userIdentity); // mark the event log { final HelpdeskAuditRecord auditRecord = pwmApplication .getAuditManager() .createHelpdeskAuditRecord( AuditEvent.HELPDESK_SET_PASSWORD, pwmSession.getUserInfoBean().getUserIdentity(), null, userIdentity, pwmSession.getSessionStateBean().getSrcAddress(), pwmSession.getSessionStateBean().getSrcHostname()); pwmApplication.getAuditManager().submit(auditRecord); } // update statistics pwmApplication.getStatisticsManager().updateEps(Statistic.EpsType.PASSWORD_CHANGES, 1); pwmApplication.getStatisticsManager().incrementValue(Statistic.HELPDESK_PASSWORD_SET); // create a uib for end user final UserInfoBean userInfoBean = new UserInfoBean(); final UserStatusReader userStatusReader = new UserStatusReader(pwmApplication, pwmSession.getLabel()); userStatusReader.populateUserInfoBean( userInfoBean, pwmSession.getSessionStateBean().getLocale(), userIdentity, proxiedUser.getChaiProvider()); { // execute configured actions LOGGER.debug( sessionLabel, "executing changepassword and helpdesk post password change writeAttributes to user " + userIdentity); final List<ActionConfiguration> actions = new ArrayList<>(); actions.addAll( pwmApplication .getConfig() .readSettingAsAction(PwmSetting.CHANGE_PASSWORD_WRITE_ATTRIBUTES)); actions.addAll( helpdeskProfile.readSettingAsAction( PwmSetting.HELPDESK_POST_SET_PASSWORD_WRITE_ATTRIBUTES)); if (!actions.isEmpty()) { final ActionExecutor actionExecutor = new ActionExecutor.ActionExecutorSettings(pwmApplication, userIdentity) .setMacroMachine( MacroMachine.forUser( pwmApplication, pwmSession.getSessionStateBean().getLocale(), sessionLabel, userIdentity)) .setExpandPwmMacros(true) .createActionExecutor(); actionExecutor.executeActions(actions, pwmSession); } } final HelpdeskClearResponseMode settingClearResponses = HelpdeskClearResponseMode.valueOf( helpdeskProfile.readSettingAsString(PwmSetting.HELPDESK_CLEAR_RESPONSES)); if (settingClearResponses == HelpdeskClearResponseMode.yes) { final String userGUID = LdapOperationsHelper.readLdapGuidValue(pwmApplication, sessionLabel, userIdentity, false); pwmApplication.getCrService().clearResponses(pwmSession, proxiedUser, userGUID); // mark the event log final HelpdeskAuditRecord auditRecord = pwmApplication .getAuditManager() .createHelpdeskAuditRecord( AuditEvent.HELPDESK_CLEAR_RESPONSES, pwmSession.getUserInfoBean().getUserIdentity(), null, userIdentity, pwmSession.getSessionStateBean().getSrcAddress(), pwmSession.getSessionStateBean().getSrcHostname()); pwmApplication.getAuditManager().submit(auditRecord); } // send email notification sendChangePasswordHelpdeskEmailNotice(pwmSession, pwmApplication, userInfoBean); // expire if so configured if (helpdeskProfile.readSettingAsBoolean(PwmSetting.HELPDESK_FORCE_PW_EXPIRATION)) { LOGGER.trace( pwmSession, "preparing to expire password for user " + userIdentity.toDisplayString()); try { proxiedUser.expirePassword(); } catch (ChaiOperationException e) { LOGGER.warn( pwmSession, "error while forcing password expiration for user " + userIdentity.toDisplayString() + ", error: " + e.getMessage()); e.printStackTrace(); } } // send password final boolean sendPassword = helpdeskProfile.readSettingAsBoolean(PwmSetting.HELPDESK_SEND_PASSWORD); if (sendPassword) { final MessageSendMethod messageSendMethod; { final String profileID = ProfileUtility.discoverProfileIDforUser( pwmApplication, sessionLabel, userIdentity, ProfileType.ForgottenPassword); final ForgottenPasswordProfile forgottenPasswordProfile = pwmApplication.getConfig().getForgottenPasswordProfiles().get(profileID); messageSendMethod = forgottenPasswordProfile.readSettingAsEnum( PwmSetting.RECOVERY_SENDNEWPW_METHOD, MessageSendMethod.class); } final UserDataReader userDataReader = new LdapUserDataReader(userIdentity, chaiUser); final LoginInfoBean loginInfoBean = new LoginInfoBean(); loginInfoBean.setUserCurrentPassword(newPassword); final MacroMachine macroMachine = new MacroMachine( pwmApplication, pwmSession.getLabel(), userInfoBean, loginInfoBean, userDataReader); PasswordUtility.sendNewPassword( userInfoBean, pwmApplication, macroMachine, newPassword, pwmSession.getSessionStateBean().getLocale(), messageSendMethod); } }