public void clear() throws LocalDBException, PwmUnrecoverableException {
final Date startTime = new Date();
LOGGER.info(PwmConstants.REPORTING_SESSION_LABEL, "clearing cached report data");
if (userCacheService != null) {
userCacheService.clear();
}
summaryData = ReportSummaryData.newSummaryData(settings.getTrackDays());
reportStatus = new ReportStatusInfo(settings.getSettingsHash());
saveTempData();
LOGGER.info(
PwmConstants.REPORTING_SESSION_LABEL,
"finished clearing report " + TimeDuration.fromCurrent(startTime).asCompactString());
}
@Override
public void clearOtpUserConfiguration(
final PwmSession pwmSession, final UserIdentity theUser, final String userGUID)
throws PwmUnrecoverableException {
if (userGUID == null || userGUID.length() < 1) {
throw new PwmUnrecoverableException(
new ErrorInformation(
PwmError.ERROR_MISSING_GUID,
"cannot save OTP secret to remote database, user "
+ theUser
+ " does not have a guid"));
}
LOGGER.trace(
"attempting to clear OTP secret for "
+ theUser
+ " in remote database (key="
+ userGUID
+ ")");
try {
final DatabaseAccessorImpl databaseAccessor = pwmApplication.getDatabaseAccessor();
databaseAccessor.remove(DatabaseTable.OTP, userGUID);
LOGGER.info(
"cleared OTP secret for " + theUser + " in remote database (key=" + userGUID + ")");
} catch (DatabaseException ex) {
final ErrorInformation errorInfo =
new ErrorInformation(
PwmError.ERROR_WRITING_OTP_SECRET,
"unexpected error saving otp to db: " + ex.getMessage());
final PwmUnrecoverableException pwmOE = new PwmUnrecoverableException(errorInfo);
pwmOE.initCause(ex);
throw pwmOE;
}
}
private boolean checkDbVersion() throws Exception {
LOGGER.trace("checking version number stored in LocalDB");
final Object versionInDB = localDB.get(META_DB, KEY_VERSION);
final String currentVersion = "version=" + settings.version;
final boolean result = currentVersion.equals(versionInDB);
if (!result) {
LOGGER.info(
"existing db version does not match current db version db=("
+ versionInDB
+ ") current=("
+ currentVersion
+ "), clearing db");
localDB.truncate(WORDS_DB);
localDB.put(META_DB, KEY_VERSION, currentVersion);
localDB.remove(META_DB, KEY_OLDEST_ENTRY);
} else {
LOGGER.trace(
"existing db version matches current db version db=("
+ versionInDB
+ ") current=("
+ currentVersion
+ ")");
}
return result;
}
public void clearResponses(final ChaiUser theUser, final String userGUID)
throws PwmUnrecoverableException {
if (userGUID == null || userGUID.length() < 1) {
throw new PwmUnrecoverableException(
new ErrorInformation(
PwmError.ERROR_MISSING_GUID,
"cannot clear responses to remote database, user "
+ theUser.getEntryDN()
+ " does not have a guid"));
}
try {
final DatabaseAccessorImpl databaseAccessor = pwmApplication.getDatabaseAccessor();
databaseAccessor.remove(DatabaseTable.PWM_RESPONSES, userGUID);
LOGGER.info("cleared responses for user " + theUser.getEntryDN() + " in remote database");
} catch (DatabaseException e) {
final ErrorInformation errorInfo =
new ErrorInformation(
PwmError.ERROR_CLEARING_RESPONSES,
"unexpected error clearing responses for "
+ theUser.getEntryDN()
+ " in remote database, error: "
+ e.getMessage());
final PwmUnrecoverableException pwmOE = new PwmUnrecoverableException(errorInfo);
pwmOE.initCause(e);
throw pwmOE;
}
}
private String fetchInstanceID(final LocalDB localDB, final PwmApplication pwmApplication) {
String newInstanceID =
pwmApplication.getConfig().readSettingAsString(PwmSetting.PWM_INSTANCE_NAME);
if (newInstanceID != null && newInstanceID.trim().length() > 0) {
return newInstanceID;
}
newInstanceID = readAppAttribute(AppAttribute.INSTANCE_ID);
if (newInstanceID == null || newInstanceID.length() < 1) {
newInstanceID = Long.toHexString(PwmRandom.getInstance().nextLong()).toUpperCase();
LOGGER.info("generated new random instanceID " + newInstanceID);
if (localDB != null) {
writeAppAttribute(AppAttribute.INSTANCE_ID, newInstanceID);
}
} else {
LOGGER.trace("retrieved instanceID " + newInstanceID + "" + " from localDB");
}
if (newInstanceID.length() < 1) {
newInstanceID = DEFAULT_INSTANCE_ID;
}
return newInstanceID;
}
public void shutdown() {
LOGGER.warn("shutting down");
{
// send system audit event
final SystemAuditRecord auditRecord =
SystemAuditRecord.create(AuditEvent.SHUTDOWN, null, getInstanceID());
try {
getAuditManager().submit(auditRecord);
} catch (PwmException e) {
LOGGER.warn("unable to submit alert event " + JsonUtil.serialize(auditRecord));
}
}
{
final List<Class> reverseServiceList = new ArrayList<Class>(PWM_SERVICE_CLASSES);
Collections.reverse(reverseServiceList);
for (final Class serviceClass : reverseServiceList) {
if (pwmServices.containsKey(serviceClass)) {
LOGGER.trace("closing service " + serviceClass.getName());
final PwmService loopService = pwmServices.get(serviceClass);
LOGGER.trace("successfully closed service " + serviceClass.getName());
try {
loopService.close();
} catch (Exception e) {
LOGGER.error(
"error closing " + loopService.getClass().getSimpleName() + ": " + e.getMessage(),
e);
}
}
}
}
if (localDBLogger != null) {
try {
localDBLogger.close();
} catch (Exception e) {
LOGGER.error("error closing localDBLogger: " + e.getMessage(), e);
}
localDBLogger = null;
}
if (localDB != null) {
try {
localDB.close();
} catch (Exception e) {
LOGGER.fatal("error closing localDB: " + e, e);
}
localDB = null;
}
LOGGER.info(
PwmConstants.PWM_APP_NAME
+ " "
+ PwmConstants.SERVLET_VERSION
+ " closed for bidness, cya!");
}
@Override
public void writeOtpUserConfiguration(
final PwmSession pwmSession,
final UserIdentity theUser,
final String userGUID,
final OTPUserRecord otpConfig)
throws PwmUnrecoverableException {
if (userGUID == null || userGUID.length() < 1) {
throw new PwmUnrecoverableException(
new ErrorInformation(
PwmError.ERROR_MISSING_GUID,
"cannot save OTP secret to remote database, user "
+ theUser
+ " does not have a guid"));
}
LOGGER.trace(
"attempting to save OTP secret for "
+ theUser
+ " in remote database (key="
+ userGUID
+ ")");
try {
String value = composeOtpAttribute(otpConfig);
if (getPwmApplication().getConfig().readSettingAsBoolean(PwmSetting.OTP_SECRET_ENCRYPT)) {
LOGGER.debug("Encrypting OTP secret for storage");
value = encryptAttributeValue(value);
}
final DatabaseAccessorImpl databaseAccessor = pwmApplication.getDatabaseAccessor();
databaseAccessor.put(DatabaseTable.OTP, userGUID, value);
LOGGER.info("saved OTP secret for " + theUser + " in remote database (key=" + userGUID + ")");
} catch (PwmOperationalException ex) {
final ErrorInformation errorInfo =
new ErrorInformation(
PwmError.ERROR_WRITING_OTP_SECRET,
"unexpected error saving otp to db: " + ex.getMessage());
final PwmUnrecoverableException pwmOE = new PwmUnrecoverableException(errorInfo);
pwmOE.initCause(ex);
throw pwmOE;
}
}
private void handleCreateRequest(
final PwmRequest pwmRequest, final GuestRegistrationBean guestRegistrationBean)
throws PwmUnrecoverableException, ChaiUnavailableException, IOException, ServletException {
final PwmSession pwmSession = pwmRequest.getPwmSession();
final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
final LocalSessionStateBean ssBean = pwmSession.getSessionStateBean();
final Configuration config = pwmApplication.getConfig();
final Locale locale = ssBean.getLocale();
final List<FormConfiguration> guestUserForm = config.readSettingAsForm(PwmSetting.GUEST_FORM);
try {
// read the values from the request
final Map<FormConfiguration, String> formValues =
FormUtility.readFormValuesFromRequest(pwmRequest, guestUserForm, locale);
// read the expiration date from the request.
final Date expirationDate = readExpirationFromRequest(pwmRequest);
// see if the values meet form requirements.
FormUtility.validateFormValues(config, formValues, locale);
// read new user DN
final String guestUserDN = determineUserDN(formValues, config);
// read a chai provider to make the user
final ChaiProvider provider = pwmSession.getSessionManager().getChaiProvider();
// set up the user creation attributes
final Map<String, String> createAttributes = new HashMap<>();
for (final FormConfiguration formItem : formValues.keySet()) {
LOGGER.debug(
pwmSession,
"Attribute from form: " + formItem.getName() + " = " + formValues.get(formItem));
final String n = formItem.getName();
final String v = formValues.get(formItem);
if (n != null && n.length() > 0 && v != null && v.length() > 0) {
createAttributes.put(n, v);
}
}
// Write creator DN
createAttributes.put(
config.readSettingAsString(PwmSetting.GUEST_ADMIN_ATTRIBUTE),
pwmSession.getUserInfoBean().getUserIdentity().getUserDN());
// read the creation object classes.
final Set<String> createObjectClasses =
new HashSet<>(config.readSettingAsStringArray(PwmSetting.DEFAULT_OBJECT_CLASSES));
provider.createEntry(guestUserDN, createObjectClasses, createAttributes);
LOGGER.info(pwmSession, "created user object: " + guestUserDN);
final ChaiUser theUser = ChaiFactory.createChaiUser(guestUserDN, provider);
final UserIdentity userIdentity =
new UserIdentity(
guestUserDN, pwmSession.getUserInfoBean().getUserIdentity().getLdapProfileID());
// write the expiration date:
if (expirationDate != null) {
final String expirationAttr =
config.readSettingAsString(PwmSetting.GUEST_EXPIRATION_ATTRIBUTE);
theUser.writeDateAttribute(expirationAttr, expirationDate);
}
final PwmPasswordPolicy passwordPolicy =
PasswordUtility.readPasswordPolicyForUser(
pwmApplication, pwmSession.getLabel(), userIdentity, theUser, locale);
final PasswordData newPassword =
RandomPasswordGenerator.createRandomPassword(
pwmSession.getLabel(), passwordPolicy, pwmApplication);
theUser.setPassword(newPassword.getStringValue());
/*
final UserInfoBean guestUserInfoBean = new UserInfoBean();
final UserStatusReader userStatusReader = new UserStatusReader(pwmApplication);
userStatusReader.populateUserInfoBean(
pwmSession.getLabel(),
guestUserInfoBean,
pwmSession.getSessionStateBean().getLocale(),
userIdentity,
theUser.getChaiProvider()
);
*/
{ // execute configured actions
LOGGER.debug(pwmSession, "executing configured actions to user " + theUser.getEntryDN());
final List<ActionConfiguration> actions =
pwmApplication.getConfig().readSettingAsAction(PwmSetting.GUEST_WRITE_ATTRIBUTES);
if (actions != null && !actions.isEmpty()) {
final MacroMachine macroMachine = MacroMachine.forUser(pwmRequest, userIdentity);
final ActionExecutor actionExecutor =
new ActionExecutor.ActionExecutorSettings(pwmApplication, theUser)
.setExpandPwmMacros(true)
.setMacroMachine(macroMachine)
.createActionExecutor();
actionExecutor.executeActions(actions, pwmSession);
}
}
// everything good so forward to success page.
this.sendGuestUserEmailConfirmation(pwmRequest, userIdentity);
pwmApplication.getStatisticsManager().incrementValue(Statistic.NEW_USERS);
pwmRequest.getPwmResponse().forwardToSuccessPage(Message.Success_CreateGuest);
} catch (ChaiOperationException e) {
final ErrorInformation info =
new ErrorInformation(
PwmError.ERROR_NEW_USER_FAILURE, "error creating user: " + e.getMessage());
pwmRequest.setResponseError(info);
LOGGER.warn(pwmSession, info);
this.forwardToJSP(pwmRequest, guestRegistrationBean);
} catch (PwmOperationalException e) {
LOGGER.error(pwmSession, e.getErrorInformation().toDebugStr());
pwmRequest.setResponseError(e.getErrorInformation());
this.forwardToJSP(pwmRequest, guestRegistrationBean);
}
}
public static void doProfileUpdate(
final PwmRequest pwmRequest,
final Map<FormConfiguration, String> formValues,
final ChaiUser theUser)
throws PwmUnrecoverableException, ChaiUnavailableException, PwmOperationalException {
final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
final PwmSession pwmSession = pwmRequest.getPwmSession();
final UserInfoBean uiBean = pwmRequest.getPwmSession().getUserInfoBean();
// verify form meets the form requirements (may be redundant, but shouldn't hurt)
verifyFormAttributes(pwmRequest, formValues, false);
// write values.
LOGGER.info(
"updating profile for " + pwmRequest.getPwmSession().getUserInfoBean().getUserIdentity());
pwmRequest.getPwmSession().getSessionManager().getChaiProvider();
Helper.writeFormValuesToLdap(
pwmRequest.getPwmApplication(), pwmRequest.getPwmSession(), theUser, formValues, false);
final UserIdentity userIdentity = uiBean.getUserIdentity();
// re-populate the uiBean because we have changed some values.
final UserStatusReader userStatusReader =
new UserStatusReader(pwmRequest.getPwmApplication(), pwmRequest.getSessionLabel());
userStatusReader.populateActorUserInfoBean(pwmRequest.getPwmSession(), userIdentity);
// clear cached read attributes.
pwmRequest.getPwmSession().getSessionManager().clearUserDataReader();
{ // execute configured actions
final List<ActionConfiguration> actions =
pwmApplication
.getConfig()
.readSettingAsAction(PwmSetting.UPDATE_PROFILE_WRITE_ATTRIBUTES);
if (actions != null && !actions.isEmpty()) {
LOGGER.debug(pwmRequest, "executing configured actions to user " + userIdentity);
final ActionExecutor actionExecutor =
new ActionExecutor.ActionExecutorSettings(pwmApplication, userIdentity)
.setExpandPwmMacros(true)
.createActionExecutor();
actionExecutor.executeActions(actions, pwmSession);
}
}
sendProfileUpdateEmailNotice(pwmSession, pwmApplication);
// mark the event log
pwmApplication
.getAuditManager()
.submit(AuditEvent.UPDATE_PROFILE, pwmSession.getUserInfoBean(), pwmSession);
// mark the uiBean so we user isn't recycled to the update profile page by the CommandServlet
uiBean.setRequiresUpdateProfile(false);
// clear out the updateProfileBean
pwmSession.clearUpdateProfileBean();
// success, so forward to success page
pwmApplication.getStatisticsManager().incrementValue(Statistic.UPDATE_ATTRIBUTES);
}
/**
* This is the entry point under which all password changes are managed. The following is the
* general procedure when this method is invoked.
*
* <ul>
* <li>password is checked against PWM password requirement
* <li>ldap password set is attempted<br>
* <br>
* if successful:
* <ul>
* <li>uiBean is updated with old and new passwords
* <li>uiBean's password expire flag is set to false
* <li>any configured external methods are invoked
* <li>user email notification is sent
* <li>return true
* </ul>
* <br>
* if unsuccessful
* <ul>
* <li>ssBean is updated with appropriate error
* <li>return false
* </ul>
* </ul>
*
* @param newPassword the new password that is being set.
* @param pwmSession beanmanager for config and user info lookup
* @throws com.novell.ldapchai.exception.ChaiUnavailableException if the ldap directory is not
* unavailable
* @throws password.pwm.error.PwmUnrecoverableException if user is not authenticated
*/
public static void setActorPassword(
final PwmSession pwmSession,
final PwmApplication pwmApplication,
final PasswordData newPassword)
throws ChaiUnavailableException, PwmUnrecoverableException, PwmOperationalException {
final UserInfoBean uiBean = pwmSession.getUserInfoBean();
if (!pwmSession
.getSessionManager()
.checkPermission(pwmApplication, Permission.CHANGE_PASSWORD)) {
final String errorMsg =
"attempt to setActorPassword, but user does not have password change permission";
final ErrorInformation errorInformation =
new ErrorInformation(PwmError.ERROR_UNAUTHORIZED, errorMsg);
throw new PwmOperationalException(errorInformation);
}
// double check to make sure password meets PWM rule requirements. This should
// have been done before setActorPassword() is invoked, so it should be redundant
// but we do it just in case.
try {
final PwmPasswordRuleValidator pwmPasswordRuleValidator =
new PwmPasswordRuleValidator(pwmApplication, uiBean.getPasswordPolicy());
pwmPasswordRuleValidator.testPassword(
newPassword, null, uiBean, pwmSession.getSessionManager().getActor(pwmApplication));
} catch (PwmDataValidationException e) {
final String errorMsg =
"attempt to setActorPassword, but password does not pass local policy validator";
final ErrorInformation errorInformation =
new ErrorInformation(e.getErrorInformation().getError(), errorMsg);
throw new PwmOperationalException(errorInformation);
}
// retrieve the user's old password from the userInfoBean in the session
final PasswordData oldPassword = pwmSession.getLoginInfoBean().getUserCurrentPassword();
boolean setPasswordWithoutOld = false;
if (oldPassword == null) {
if (pwmSession
.getSessionManager()
.getActor(pwmApplication)
.getChaiProvider()
.getDirectoryVendor()
== ChaiProvider.DIRECTORY_VENDOR.MICROSOFT_ACTIVE_DIRECTORY) {
setPasswordWithoutOld = true;
}
}
if (!setPasswordWithoutOld) {
// Check to make sure we actually have an old password
if (oldPassword == null) {
final String errorMsg = "cannot set password for user, old password is not available";
final ErrorInformation errorInformation =
new ErrorInformation(PwmError.ERROR_WRONGPASSWORD, errorMsg);
throw new PwmOperationalException(errorInformation);
}
}
try {
final ChaiProvider provider = pwmSession.getSessionManager().getChaiProvider();
final ChaiUser theUser =
ChaiFactory.createChaiUser(
pwmSession.getUserInfoBean().getUserIdentity().getUserDN(), provider);
final boolean boundAsSelf =
theUser
.getEntryDN()
.equals(provider.getChaiConfiguration().getSetting(ChaiSetting.BIND_DN));
LOGGER.trace(
pwmSession,
"preparing to setActorPassword for '"
+ theUser.getEntryDN()
+ "', bindAsSelf="
+ boundAsSelf
+ ", authType="
+ pwmSession.getLoginInfoBean().getType());
if (setPasswordWithoutOld) {
theUser.setPassword(newPassword.getStringValue(), true);
} else {
theUser.changePassword(oldPassword.getStringValue(), newPassword.getStringValue());
}
} catch (ChaiPasswordPolicyException e) {
final String errorMsg =
"error setting password for user '" + uiBean.getUserIdentity() + "'' " + e.toString();
final PwmError pwmError = PwmError.forChaiError(e.getErrorCode());
final ErrorInformation error =
new ErrorInformation(
pwmError == null ? PwmError.PASSWORD_UNKNOWN_VALIDATION : pwmError, errorMsg);
throw new PwmOperationalException(error);
} catch (ChaiOperationException e) {
final String errorMsg =
"error setting password for user '" + uiBean.getUserIdentity() + "'' " + e.getMessage();
final PwmError pwmError =
PwmError.forChaiError(e.getErrorCode()) == null
? PwmError.ERROR_UNKNOWN
: PwmError.forChaiError(e.getErrorCode());
final ErrorInformation error = new ErrorInformation(pwmError, errorMsg);
throw new PwmOperationalException(error);
}
// at this point the password has been changed, so log it.
LOGGER.info(
pwmSession, "user '" + uiBean.getUserIdentity() + "' successfully changed password");
// update the session state bean's password modified flag
pwmSession.getSessionStateBean().setPasswordModified(true);
// update the login info bean with the user's new password
pwmSession.getLoginInfoBean().setUserCurrentPassword(newPassword);
// close any outstanding ldap connections (since they cache the old password)
pwmSession
.getSessionManager()
.updateUserPassword(pwmApplication, uiBean.getUserIdentity(), newPassword);
// clear the "requires new password flag"
uiBean.setRequiresNewPassword(false);
// mark the auth type as authenticatePd now that we have the user's natural password.
pwmSession.getLoginInfoBean().setType(AuthenticationType.AUTHENTICATED);
// update the uibean's "password expired flag".
final UserStatusReader userStatusReader =
new UserStatusReader(pwmApplication, pwmSession.getLabel());
uiBean.setPasswordState(
userStatusReader.readPasswordStatus(
pwmSession.getSessionManager().getActor(pwmApplication),
uiBean.getPasswordPolicy(),
uiBean,
newPassword));
// create a proxy user object for pwm to update/read the user.
final ChaiUser proxiedUser = pwmSession.getSessionManager().getActor(pwmApplication);
// update statistics
{
pwmApplication.getStatisticsManager().incrementValue(Statistic.PASSWORD_CHANGES);
pwmApplication.getStatisticsManager().updateEps(Statistic.EpsType.PASSWORD_CHANGES, 1);
final int passwordStrength =
PasswordUtility.judgePasswordStrength(newPassword.getStringValue());
pwmApplication
.getStatisticsManager()
.updateAverageValue(Statistic.AVG_PASSWORD_STRENGTH, passwordStrength);
}
// add the old password to the global history list (if the old password is known)
if (oldPassword != null
&& pwmApplication
.getConfig()
.readSettingAsBoolean(PwmSetting.PASSWORD_SHAREDHISTORY_ENABLE)) {
pwmApplication.getSharedHistoryManager().addWord(pwmSession, oldPassword.getStringValue());
}
// invoke post password change actions
invokePostChangePasswordActions(pwmSession, newPassword.getStringValue());
{ // execute configured actions
LOGGER.debug(pwmSession, "executing configured actions to user " + proxiedUser.getEntryDN());
final List<ActionConfiguration> configValues =
pwmApplication
.getConfig()
.readSettingAsAction(PwmSetting.CHANGE_PASSWORD_WRITE_ATTRIBUTES);
if (configValues != null && !configValues.isEmpty()) {
final LoginInfoBean clonedLoginInfoBean =
JsonUtil.cloneUsingJson(pwmSession.getLoginInfoBean(), LoginInfoBean.class);
clonedLoginInfoBean.setUserCurrentPassword(newPassword);
final MacroMachine macroMachine =
new MacroMachine(
pwmApplication,
pwmSession.getLabel(),
pwmSession.getUserInfoBean(),
clonedLoginInfoBean,
pwmSession.getSessionManager().getUserDataReader(pwmApplication));
final ActionExecutor actionExecutor =
new ActionExecutor.ActionExecutorSettings(pwmApplication, uiBean.getUserIdentity())
.setMacroMachine(macroMachine)
.setExpandPwmMacros(true)
.createActionExecutor();
actionExecutor.executeActions(configValues, pwmSession);
}
}
// update the current last password update field in ldap
LdapOperationsHelper.updateLastPasswordUpdateAttribute(
pwmApplication, pwmSession.getLabel(), uiBean.getUserIdentity());
}
private void initialize(final boolean initLogging) throws PwmUnrecoverableException {
final Date startTime = new Date();
// initialize log4j
if (initLogging) {
final String log4jFileName =
configuration.readSettingAsString(PwmSetting.EVENTS_JAVA_LOG4JCONFIG_FILE);
final File log4jFile = Helper.figureFilepath(log4jFileName, applicationPath);
final String consoleLevel, fileLevel;
switch (getApplicationMode()) {
case ERROR:
case NEW:
consoleLevel = PwmLogLevel.TRACE.toString();
fileLevel = PwmLogLevel.TRACE.toString();
break;
default:
consoleLevel = configuration.readSettingAsString(PwmSetting.EVENTS_JAVA_STDOUT_LEVEL);
fileLevel = configuration.readSettingAsString(PwmSetting.EVENTS_FILE_LEVEL);
break;
}
PwmLogManager.initializeLogger(
this, configuration, log4jFile, consoleLevel, applicationPath, fileLevel);
switch (getApplicationMode()) {
case RUNNING:
break;
case ERROR:
LOGGER.fatal(
"starting up in ERROR mode! Check log or health check information for cause");
break;
default:
LOGGER.trace(
"setting log level to TRACE because application mode is " + getApplicationMode());
break;
}
}
LOGGER.info(
"initializing, application mode="
+ getApplicationMode()
+ ", applicationPath="
+ (applicationPath == null ? "null" : applicationPath.getAbsolutePath())
+ ", configurationFile="
+ (configurationFile == null ? "null" : configurationFile.getAbsolutePath()));
this.localDB = Initializer.initializeLocalDB(this);
this.localDBLogger = PwmLogManager.initializeLocalDBLogger(this);
// log the loaded configuration
LOGGER.info("configuration load completed");
// read the pwm servlet instance id
instanceID = fetchInstanceID(localDB, this);
LOGGER.info("using '" + getInstanceID() + "' for instance's ID (instanceID)");
// read the pwm installation date
installTime = fetchInstallDate(startupTime);
LOGGER.debug(
"this application instance first installed on "
+ PwmConstants.DEFAULT_DATETIME_FORMAT.format(installTime));
initServices();
final TimeDuration totalTime = TimeDuration.fromCurrent(startTime);
LOGGER.info(
PwmConstants.PWM_APP_NAME
+ " "
+ PwmConstants.SERVLET_VERSION
+ " open for bidness! ("
+ totalTime.asCompactString()
+ ")");
StatisticsManager.incrementStat(this, Statistic.PWM_STARTUPS);
LOGGER.debug(
"buildTime="
+ PwmConstants.BUILD_TIME
+ ", javaLocale="
+ Locale.getDefault()
+ ", DefaultLocale="
+ PwmConstants.DEFAULT_LOCALE);
final Thread postInitThread =
new Thread() {
@Override
public void run() {
postInitTasks();
}
};
postInitThread.setDaemon(true);
postInitThread.setName(Helper.makeThreadName(this, PwmApplication.class));
postInitThread.start();
}
private void publishStatisticsToCloud()
throws URISyntaxException, IOException, PwmUnrecoverableException {
final StatsPublishBean statsPublishData;
{
final StatisticsBundle bundle = getStatBundleForKey(KEY_CUMULATIVE);
final Map<String, String> statData = new HashMap<>();
for (final Statistic loopStat : Statistic.values()) {
statData.put(loopStat.getKey(), bundle.getStatistic(loopStat));
}
final Configuration config = pwmApplication.getConfig();
final List<String> configuredSettings = new ArrayList<>();
for (final PwmSetting pwmSetting : config.nonDefaultSettings()) {
if (!pwmSetting.getCategory().hasProfiles() && !config.isDefaultValue(pwmSetting)) {
configuredSettings.add(pwmSetting.getKey());
}
}
final Map<String, String> otherData = new HashMap<>();
otherData.put(
StatsPublishBean.KEYS.SITE_URL.toString(),
config.readSettingAsString(PwmSetting.PWM_SITE_URL));
otherData.put(
StatsPublishBean.KEYS.SITE_DESCRIPTION.toString(),
config.readSettingAsString(PwmSetting.PUBLISH_STATS_SITE_DESCRIPTION));
otherData.put(
StatsPublishBean.KEYS.INSTALL_DATE.toString(),
PwmConstants.DEFAULT_DATETIME_FORMAT.format(pwmApplication.getInstallTime()));
try {
otherData.put(
StatsPublishBean.KEYS.LDAP_VENDOR.toString(),
pwmApplication
.getProxyChaiProvider(config.getDefaultLdapProfile().getIdentifier())
.getDirectoryVendor()
.toString());
} catch (Exception e) {
LOGGER.trace("unable to read ldap vendor type for stats publication: " + e.getMessage());
}
statsPublishData =
new StatsPublishBean(
pwmApplication.getInstanceID(),
new Date(),
statData,
configuredSettings,
PwmConstants.BUILD_NUMBER,
PwmConstants.BUILD_VERSION,
otherData);
}
final URI requestURI = new URI(PwmConstants.PWM_URL_CLOUD + "/rest/pwm/statistics");
final HttpPost httpPost = new HttpPost(requestURI.toString());
final String jsonDataString = JsonUtil.serialize(statsPublishData);
httpPost.setEntity(new StringEntity(jsonDataString));
httpPost.setHeader("Accept", PwmConstants.AcceptValue.json.getHeaderValue());
httpPost.setHeader("Content-Type", PwmConstants.ContentTypeValue.json.getHeaderValue());
LOGGER.debug(
"preparing to send anonymous statistics to "
+ requestURI.toString()
+ ", data to send: "
+ jsonDataString);
final HttpResponse httpResponse =
PwmHttpClient.getHttpClient(pwmApplication.getConfig()).execute(httpPost);
if (httpResponse.getStatusLine().getStatusCode() != HttpStatus.SC_OK) {
throw new IOException(
"http response error code: " + httpResponse.getStatusLine().getStatusCode());
}
LOGGER.info("published anonymous statistics to " + requestURI.toString());
try {
localDB.put(
LocalDB.DB.PWM_STATS,
KEY_CLOUD_PUBLISH_TIMESTAMP,
String.valueOf(System.currentTimeMillis()));
} catch (LocalDBException e) {
LOGGER.error(
"unexpected error trying to save last statistics published time to LocalDB: "
+ e.getMessage());
}
}
public void init(final PwmApplication pwmApplication) throws PwmException {
settings.maxAgeMs =
1000
* pwmApplication
.getConfig()
.readSettingAsLong(PwmSetting.PASSWORD_SHAREDHISTORY_MAX_AGE); // convert to MS;
settings.caseInsensitive =
Boolean.parseBoolean(
pwmApplication
.getConfig()
.readAppProperty(AppProperty.SECURITY_SHAREDHISTORY_CASE_INSENSITIVE));
settings.hashName =
pwmApplication.getConfig().readAppProperty(AppProperty.SECURITY_SHAREDHISTORY_HASH_NAME);
settings.hashIterations =
Integer.parseInt(
pwmApplication
.getConfig()
.readAppProperty(AppProperty.SECURITY_SHAREDHISTORY_HASH_ITERATIONS));
settings.version =
"2"
+ "_"
+ settings.hashName
+ "_"
+ settings.hashIterations
+ "_"
+ settings.caseInsensitive;
final int SALT_LENGTH =
Integer.parseInt(
pwmApplication
.getConfig()
.readAppProperty(AppProperty.SECURITY_SHAREDHISTORY_SALT_LENGTH));
this.localDB = pwmApplication.getLocalDB();
boolean needsClearing = false;
if (localDB == null) {
LOGGER.info("LocalDB is not available, will remain closed");
status = STATUS.CLOSED;
return;
}
if (settings.maxAgeMs < 1) {
LOGGER.debug("max age=" + settings.maxAgeMs + ", will remain closed");
needsClearing = true;
}
{
this.salt = localDB.get(META_DB, KEY_SALT);
if (salt == null || salt.length() < SALT_LENGTH) {
LOGGER.warn("stored global salt value is not present, creating new salt");
this.salt = PwmRandom.getInstance().alphaNumericString(SALT_LENGTH);
localDB.put(META_DB, KEY_SALT, this.salt);
needsClearing = true;
}
}
if (needsClearing) {
LOGGER.trace("clearing wordlist");
try {
localDB.truncate(WORDS_DB);
} catch (Exception e) {
LOGGER.error("error during wordlist truncate", e);
}
}
new Thread(
new Runnable() {
public void run() {
LOGGER.debug("starting up in background thread");
init(pwmApplication, settings.maxAgeMs);
}
},
Helper.makeThreadName(pwmApplication, this.getClass()) + " initializer")
.start();
}
private void init(final PwmApplication pwmApplication, final long maxAgeMs) {
status = STATUS.OPENING;
final long startTime = System.currentTimeMillis();
try {
checkDbVersion();
} catch (Exception e) {
LOGGER.error("error checking db version", e);
status = STATUS.CLOSED;
return;
}
try {
final String oldestEntryStr = localDB.get(META_DB, KEY_OLDEST_ENTRY);
if (oldestEntryStr == null || oldestEntryStr.length() < 1) {
oldestEntry = 0;
LOGGER.trace("no oldestEntry timestamp stored, will rescan");
} else {
oldestEntry = Long.parseLong(oldestEntryStr);
LOGGER.trace(
"oldest timestamp loaded from localDB, age is "
+ TimeDuration.fromCurrent(oldestEntry).asCompactString());
}
} catch (LocalDBException e) {
LOGGER.error(
"unexpected error loading oldest-entry meta record, will remain closed: "
+ e.getMessage(),
e);
status = STATUS.CLOSED;
return;
}
try {
final int size = localDB.size(WORDS_DB);
final StringBuilder sb = new StringBuilder();
sb.append("open with ").append(size).append(" words (");
sb.append(new TimeDuration(System.currentTimeMillis(), startTime).asCompactString())
.append(")");
sb.append(", maxAgeMs=").append(new TimeDuration(maxAgeMs).asCompactString());
sb.append(", oldestEntry=")
.append(new TimeDuration(System.currentTimeMillis(), oldestEntry).asCompactString());
LOGGER.info(sb.toString());
} catch (LocalDBException e) {
LOGGER.error(
"unexpected error examining size of DB, will remain closed: " + e.getMessage(), e);
status = STATUS.CLOSED;
return;
}
status = STATUS.OPEN;
// populateFromWordlist(); //only used for debugging!!!
if (pwmApplication.getApplicationMode() == PwmApplication.MODE.RUNNING
|| pwmApplication.getApplicationMode() == PwmApplication.MODE.CONFIGURATION) {
long frequencyMs = maxAgeMs > MAX_CLEANER_FREQUENCY ? MAX_CLEANER_FREQUENCY : maxAgeMs;
frequencyMs = frequencyMs < MIN_CLEANER_FREQUENCY ? MIN_CLEANER_FREQUENCY : frequencyMs;
LOGGER.debug(
"scheduling cleaner task to run once every "
+ new TimeDuration(frequencyMs).asCompactString());
final String threadName = Helper.makeThreadName(pwmApplication, this.getClass()) + " timer";
cleanerTimer = new Timer(threadName, true);
cleanerTimer.schedule(new CleanerTask(), 1000, frequencyMs);
}
}
public static void helpdeskSetUserPassword(
final PwmSession pwmSession,
final ChaiUser chaiUser,
final UserIdentity userIdentity,
final PwmApplication pwmApplication,
final PasswordData newPassword)
throws ChaiUnavailableException, PwmUnrecoverableException, PwmOperationalException {
final SessionLabel sessionLabel = pwmSession.getLabel();
if (!pwmSession.isAuthenticated()) {
final String errorMsg = "attempt to helpdeskSetUserPassword, but user is not authenticated";
final ErrorInformation errorInformation =
new ErrorInformation(PwmError.ERROR_UNAUTHORIZED, errorMsg);
throw new PwmOperationalException(errorInformation);
}
final HelpdeskProfile helpdeskProfile =
pwmSession.getSessionManager().getHelpdeskProfile(pwmApplication);
if (helpdeskProfile == null) {
final String errorMsg =
"attempt to helpdeskSetUserPassword, but user does not have helpdesk permission";
final ErrorInformation errorInformation =
new ErrorInformation(PwmError.ERROR_UNAUTHORIZED, errorMsg);
throw new PwmOperationalException(errorInformation);
}
try {
chaiUser.setPassword(newPassword.getStringValue());
} catch (ChaiPasswordPolicyException e) {
final String errorMsg =
"error setting password for user '" + chaiUser.getEntryDN() + "'' " + e.toString();
final PwmError pwmError = PwmError.forChaiError(e.getErrorCode());
final ErrorInformation error =
new ErrorInformation(
pwmError == null ? PwmError.PASSWORD_UNKNOWN_VALIDATION : pwmError, errorMsg);
throw new PwmOperationalException(error);
} catch (ChaiOperationException e) {
final String errorMsg =
"error setting password for user '" + chaiUser.getEntryDN() + "'' " + e.getMessage();
final PwmError pwmError =
PwmError.forChaiError(e.getErrorCode()) == null
? PwmError.ERROR_UNKNOWN
: PwmError.forChaiError(e.getErrorCode());
final ErrorInformation error = new ErrorInformation(pwmError, errorMsg);
throw new PwmOperationalException(error);
}
// at this point the password has been changed, so log it.
LOGGER.info(
sessionLabel,
"user '"
+ pwmSession.getUserInfoBean().getUserIdentity()
+ "' successfully changed password for "
+ chaiUser.getEntryDN());
// create a proxy user object for pwm to update/read the user.
final ChaiUser proxiedUser = pwmApplication.getProxiedChaiUser(userIdentity);
// mark the event log
{
final HelpdeskAuditRecord auditRecord =
pwmApplication
.getAuditManager()
.createHelpdeskAuditRecord(
AuditEvent.HELPDESK_SET_PASSWORD,
pwmSession.getUserInfoBean().getUserIdentity(),
null,
userIdentity,
pwmSession.getSessionStateBean().getSrcAddress(),
pwmSession.getSessionStateBean().getSrcHostname());
pwmApplication.getAuditManager().submit(auditRecord);
}
// update statistics
pwmApplication.getStatisticsManager().updateEps(Statistic.EpsType.PASSWORD_CHANGES, 1);
pwmApplication.getStatisticsManager().incrementValue(Statistic.HELPDESK_PASSWORD_SET);
// create a uib for end user
final UserInfoBean userInfoBean = new UserInfoBean();
final UserStatusReader userStatusReader =
new UserStatusReader(pwmApplication, pwmSession.getLabel());
userStatusReader.populateUserInfoBean(
userInfoBean,
pwmSession.getSessionStateBean().getLocale(),
userIdentity,
proxiedUser.getChaiProvider());
{ // execute configured actions
LOGGER.debug(
sessionLabel,
"executing changepassword and helpdesk post password change writeAttributes to user "
+ userIdentity);
final List<ActionConfiguration> actions = new ArrayList<>();
actions.addAll(
pwmApplication
.getConfig()
.readSettingAsAction(PwmSetting.CHANGE_PASSWORD_WRITE_ATTRIBUTES));
actions.addAll(
helpdeskProfile.readSettingAsAction(
PwmSetting.HELPDESK_POST_SET_PASSWORD_WRITE_ATTRIBUTES));
if (!actions.isEmpty()) {
final ActionExecutor actionExecutor =
new ActionExecutor.ActionExecutorSettings(pwmApplication, userIdentity)
.setMacroMachine(
MacroMachine.forUser(
pwmApplication,
pwmSession.getSessionStateBean().getLocale(),
sessionLabel,
userIdentity))
.setExpandPwmMacros(true)
.createActionExecutor();
actionExecutor.executeActions(actions, pwmSession);
}
}
final HelpdeskClearResponseMode settingClearResponses =
HelpdeskClearResponseMode.valueOf(
helpdeskProfile.readSettingAsString(PwmSetting.HELPDESK_CLEAR_RESPONSES));
if (settingClearResponses == HelpdeskClearResponseMode.yes) {
final String userGUID =
LdapOperationsHelper.readLdapGuidValue(pwmApplication, sessionLabel, userIdentity, false);
pwmApplication.getCrService().clearResponses(pwmSession, proxiedUser, userGUID);
// mark the event log
final HelpdeskAuditRecord auditRecord =
pwmApplication
.getAuditManager()
.createHelpdeskAuditRecord(
AuditEvent.HELPDESK_CLEAR_RESPONSES,
pwmSession.getUserInfoBean().getUserIdentity(),
null,
userIdentity,
pwmSession.getSessionStateBean().getSrcAddress(),
pwmSession.getSessionStateBean().getSrcHostname());
pwmApplication.getAuditManager().submit(auditRecord);
}
// send email notification
sendChangePasswordHelpdeskEmailNotice(pwmSession, pwmApplication, userInfoBean);
// expire if so configured
if (helpdeskProfile.readSettingAsBoolean(PwmSetting.HELPDESK_FORCE_PW_EXPIRATION)) {
LOGGER.trace(
pwmSession, "preparing to expire password for user " + userIdentity.toDisplayString());
try {
proxiedUser.expirePassword();
} catch (ChaiOperationException e) {
LOGGER.warn(
pwmSession,
"error while forcing password expiration for user "
+ userIdentity.toDisplayString()
+ ", error: "
+ e.getMessage());
e.printStackTrace();
}
}
// send password
final boolean sendPassword =
helpdeskProfile.readSettingAsBoolean(PwmSetting.HELPDESK_SEND_PASSWORD);
if (sendPassword) {
final MessageSendMethod messageSendMethod;
{
final String profileID =
ProfileUtility.discoverProfileIDforUser(
pwmApplication, sessionLabel, userIdentity, ProfileType.ForgottenPassword);
final ForgottenPasswordProfile forgottenPasswordProfile =
pwmApplication.getConfig().getForgottenPasswordProfiles().get(profileID);
messageSendMethod =
forgottenPasswordProfile.readSettingAsEnum(
PwmSetting.RECOVERY_SENDNEWPW_METHOD, MessageSendMethod.class);
}
final UserDataReader userDataReader = new LdapUserDataReader(userIdentity, chaiUser);
final LoginInfoBean loginInfoBean = new LoginInfoBean();
loginInfoBean.setUserCurrentPassword(newPassword);
final MacroMachine macroMachine =
new MacroMachine(
pwmApplication, pwmSession.getLabel(), userInfoBean, loginInfoBean, userDataReader);
PasswordUtility.sendNewPassword(
userInfoBean,
pwmApplication,
macroMachine,
newPassword,
pwmSession.getSessionStateBean().getLocale(),
messageSendMethod);
}
}
@Override
public void writeResponses(ChaiUser theUser, String userGUID, ResponseInfoBean responseInfoBean)
throws PwmUnrecoverableException {
if (userGUID == null || userGUID.length() < 1) {
throw new PwmUnrecoverableException(
new ErrorInformation(
PwmError.ERROR_MISSING_GUID,
"cannot save responses to remote database, user "
+ theUser.getEntryDN()
+ " does not have a guid"));
}
LOGGER.trace(
"attempting to save responses for "
+ theUser.getEntryDN()
+ " in remote database (key="
+ userGUID
+ ")");
try {
final ChaiResponseSet responseSet =
ChaiCrFactory.newChaiResponseSet(
responseInfoBean.getCrMap(),
responseInfoBean.getHelpdeskCrMap(),
responseInfoBean.getLocale(),
responseInfoBean.getMinRandoms(),
theUser.getChaiProvider().getChaiConfiguration(),
responseInfoBean.getCsIdentifier());
final DatabaseAccessorImpl databaseAccessor = pwmApplication.getDatabaseAccessor();
databaseAccessor.put(DatabaseTable.PWM_RESPONSES, userGUID, responseSet.stringValue());
LOGGER.info(
"saved responses for "
+ theUser.getEntryDN()
+ " in remote database (key="
+ userGUID
+ ")");
} catch (ChaiException e) {
final ErrorInformation errorInfo =
new ErrorInformation(
PwmError.ERROR_WRITING_RESPONSES,
"unexpected error saving responses for "
+ theUser.getEntryDN()
+ " in remote database: "
+ e.getMessage());
final PwmUnrecoverableException pwmOE = new PwmUnrecoverableException(errorInfo);
LOGGER.error(errorInfo.toDebugStr());
pwmOE.initCause(e);
throw pwmOE;
} catch (DatabaseException e) {
final ErrorInformation errorInfo =
new ErrorInformation(
PwmError.ERROR_WRITING_RESPONSES,
"unexpected error saving responses for "
+ theUser.getEntryDN()
+ " in remote database: "
+ e.getMessage());
final PwmUnrecoverableException pwmOE = new PwmUnrecoverableException(errorInfo);
LOGGER.error(errorInfo.toDebugStr());
pwmOE.initCause(e);
throw pwmOE;
}
}
private void restLockConfiguration(final PwmRequest pwmRequest)
throws IOException, ServletException, PwmUnrecoverableException, ChaiUnavailableException {
final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
final PwmSession pwmSession = pwmRequest.getPwmSession();
if (PwmConstants.TRIAL_MODE) {
final ErrorInformation errorInfo =
new ErrorInformation(
PwmError.ERROR_TRIAL_VIOLATION, "configuration lock not available in trial");
final RestResultBean restResultBean = RestResultBean.fromError(errorInfo, pwmRequest);
LOGGER.debug(pwmSession, errorInfo);
pwmRequest.outputJsonResult(restResultBean);
return;
}
if (!pwmSession.isAuthenticated()) {
final ErrorInformation errorInfo =
new ErrorInformation(
PwmError.ERROR_AUTHENTICATION_REQUIRED,
"You must be authenticated before restricting the configuration");
final RestResultBean restResultBean = RestResultBean.fromError(errorInfo, pwmRequest);
LOGGER.debug(pwmSession, errorInfo);
pwmRequest.outputJsonResult(restResultBean);
return;
}
if (!pwmSession.getSessionManager().checkPermission(pwmApplication, Permission.PWMADMIN)) {
final ErrorInformation errorInfo =
new ErrorInformation(
PwmError.ERROR_UNAUTHORIZED,
"You must be authenticated with admin privileges before restricting the configuration");
final RestResultBean restResultBean = RestResultBean.fromError(errorInfo, pwmRequest);
LOGGER.debug(pwmSession, errorInfo);
pwmRequest.outputJsonResult(restResultBean);
return;
}
try {
final StoredConfigurationImpl storedConfiguration = readCurrentConfiguration(pwmRequest);
if (!storedConfiguration.hasPassword()) {
final ErrorInformation errorInfo =
new ErrorInformation(
PwmError.CONFIG_FORMAT_ERROR,
null,
new String[] {
"Please set a configuration password before restricting the configuration"
});
final RestResultBean restResultBean = RestResultBean.fromError(errorInfo, pwmRequest);
LOGGER.debug(pwmSession, errorInfo);
pwmRequest.outputJsonResult(restResultBean);
return;
}
storedConfiguration.writeConfigProperty(ConfigurationProperty.CONFIG_IS_EDITABLE, "false");
saveConfiguration(pwmRequest, storedConfiguration);
final ConfigManagerBean configManagerBean =
pwmRequest
.getPwmApplication()
.getSessionStateService()
.getBean(pwmRequest, ConfigManagerBean.class);
configManagerBean.setConfiguration(null);
} catch (PwmException e) {
final ErrorInformation errorInfo = e.getErrorInformation();
final RestResultBean restResultBean = RestResultBean.fromError(errorInfo, pwmRequest);
LOGGER.debug(pwmSession, errorInfo.toDebugStr());
pwmRequest.outputJsonResult(restResultBean);
return;
} catch (Exception e) {
final ErrorInformation errorInfo =
new ErrorInformation(PwmError.ERROR_UNKNOWN, e.getMessage());
final RestResultBean restResultBean = RestResultBean.fromError(errorInfo, pwmRequest);
LOGGER.debug(pwmSession, errorInfo.toDebugStr());
pwmRequest.outputJsonResult(restResultBean);
return;
}
final HashMap<String, String> resultData = new HashMap<>();
LOGGER.info(pwmSession, "Configuration Locked");
pwmRequest.outputJsonResult(new RestResultBean(resultData));
}
