public static String makeClientEtag(
final PwmApplication pwmApplication,
final PwmSession pwmSession,
final HttpServletRequest httpServletRequest)
throws PwmUnrecoverableException {
final StringBuilder inputString = new StringBuilder();
inputString.append(PwmConstants.BUILD_NUMBER);
inputString.append(pwmApplication.getStartupTime().getTime());
inputString.append(httpServletRequest.getSession().getMaxInactiveInterval());
inputString.append(pwmApplication.getInstanceNonce());
if (pwmSession.getSessionStateBean().getLocale() != null) {
inputString.append(pwmSession.getSessionStateBean().getLocale());
}
inputString.append(pwmSession.getSessionStateBean().getSessionID());
if (pwmSession.isAuthenticated()) {
inputString.append(pwmSession.getUserInfoBean().getUserGuid());
inputString.append(pwmSession.getLoginInfoBean().getAuthTime());
}
return SecureEngine.hash(inputString.toString(), PwmHashAlgorithm.SHA1).toLowerCase();
}
/**
* This is the entry point under which all password changes are managed. The following is the
* general procedure when this method is invoked.
*
* <ul>
* <li>password is checked against PWM password requirement
* <li>ldap password set is attempted<br>
* <br>
* if successful:
* <ul>
* <li>uiBean is updated with old and new passwords
* <li>uiBean's password expire flag is set to false
* <li>any configured external methods are invoked
* <li>user email notification is sent
* <li>return true
* </ul>
* <br>
* if unsuccessful
* <ul>
* <li>ssBean is updated with appropriate error
* <li>return false
* </ul>
* </ul>
*
* @param newPassword the new password that is being set.
* @param pwmSession beanmanager for config and user info lookup
* @throws com.novell.ldapchai.exception.ChaiUnavailableException if the ldap directory is not
* unavailable
* @throws password.pwm.error.PwmUnrecoverableException if user is not authenticated
*/
public static void setActorPassword(
final PwmSession pwmSession,
final PwmApplication pwmApplication,
final PasswordData newPassword)
throws ChaiUnavailableException, PwmUnrecoverableException, PwmOperationalException {
final UserInfoBean uiBean = pwmSession.getUserInfoBean();
if (!pwmSession
.getSessionManager()
.checkPermission(pwmApplication, Permission.CHANGE_PASSWORD)) {
final String errorMsg =
"attempt to setActorPassword, but user does not have password change permission";
final ErrorInformation errorInformation =
new ErrorInformation(PwmError.ERROR_UNAUTHORIZED, errorMsg);
throw new PwmOperationalException(errorInformation);
}
// double check to make sure password meets PWM rule requirements. This should
// have been done before setActorPassword() is invoked, so it should be redundant
// but we do it just in case.
try {
final PwmPasswordRuleValidator pwmPasswordRuleValidator =
new PwmPasswordRuleValidator(pwmApplication, uiBean.getPasswordPolicy());
pwmPasswordRuleValidator.testPassword(
newPassword, null, uiBean, pwmSession.getSessionManager().getActor(pwmApplication));
} catch (PwmDataValidationException e) {
final String errorMsg =
"attempt to setActorPassword, but password does not pass local policy validator";
final ErrorInformation errorInformation =
new ErrorInformation(e.getErrorInformation().getError(), errorMsg);
throw new PwmOperationalException(errorInformation);
}
// retrieve the user's old password from the userInfoBean in the session
final PasswordData oldPassword = pwmSession.getLoginInfoBean().getUserCurrentPassword();
boolean setPasswordWithoutOld = false;
if (oldPassword == null) {
if (pwmSession
.getSessionManager()
.getActor(pwmApplication)
.getChaiProvider()
.getDirectoryVendor()
== ChaiProvider.DIRECTORY_VENDOR.MICROSOFT_ACTIVE_DIRECTORY) {
setPasswordWithoutOld = true;
}
}
if (!setPasswordWithoutOld) {
// Check to make sure we actually have an old password
if (oldPassword == null) {
final String errorMsg = "cannot set password for user, old password is not available";
final ErrorInformation errorInformation =
new ErrorInformation(PwmError.ERROR_WRONGPASSWORD, errorMsg);
throw new PwmOperationalException(errorInformation);
}
}
try {
final ChaiProvider provider = pwmSession.getSessionManager().getChaiProvider();
final ChaiUser theUser =
ChaiFactory.createChaiUser(
pwmSession.getUserInfoBean().getUserIdentity().getUserDN(), provider);
final boolean boundAsSelf =
theUser
.getEntryDN()
.equals(provider.getChaiConfiguration().getSetting(ChaiSetting.BIND_DN));
LOGGER.trace(
pwmSession,
"preparing to setActorPassword for '"
+ theUser.getEntryDN()
+ "', bindAsSelf="
+ boundAsSelf
+ ", authType="
+ pwmSession.getLoginInfoBean().getType());
if (setPasswordWithoutOld) {
theUser.setPassword(newPassword.getStringValue(), true);
} else {
theUser.changePassword(oldPassword.getStringValue(), newPassword.getStringValue());
}
} catch (ChaiPasswordPolicyException e) {
final String errorMsg =
"error setting password for user '" + uiBean.getUserIdentity() + "'' " + e.toString();
final PwmError pwmError = PwmError.forChaiError(e.getErrorCode());
final ErrorInformation error =
new ErrorInformation(
pwmError == null ? PwmError.PASSWORD_UNKNOWN_VALIDATION : pwmError, errorMsg);
throw new PwmOperationalException(error);
} catch (ChaiOperationException e) {
final String errorMsg =
"error setting password for user '" + uiBean.getUserIdentity() + "'' " + e.getMessage();
final PwmError pwmError =
PwmError.forChaiError(e.getErrorCode()) == null
? PwmError.ERROR_UNKNOWN
: PwmError.forChaiError(e.getErrorCode());
final ErrorInformation error = new ErrorInformation(pwmError, errorMsg);
throw new PwmOperationalException(error);
}
// at this point the password has been changed, so log it.
LOGGER.info(
pwmSession, "user '" + uiBean.getUserIdentity() + "' successfully changed password");
// update the session state bean's password modified flag
pwmSession.getSessionStateBean().setPasswordModified(true);
// update the login info bean with the user's new password
pwmSession.getLoginInfoBean().setUserCurrentPassword(newPassword);
// close any outstanding ldap connections (since they cache the old password)
pwmSession
.getSessionManager()
.updateUserPassword(pwmApplication, uiBean.getUserIdentity(), newPassword);
// clear the "requires new password flag"
uiBean.setRequiresNewPassword(false);
// mark the auth type as authenticatePd now that we have the user's natural password.
pwmSession.getLoginInfoBean().setType(AuthenticationType.AUTHENTICATED);
// update the uibean's "password expired flag".
final UserStatusReader userStatusReader =
new UserStatusReader(pwmApplication, pwmSession.getLabel());
uiBean.setPasswordState(
userStatusReader.readPasswordStatus(
pwmSession.getSessionManager().getActor(pwmApplication),
uiBean.getPasswordPolicy(),
uiBean,
newPassword));
// create a proxy user object for pwm to update/read the user.
final ChaiUser proxiedUser = pwmSession.getSessionManager().getActor(pwmApplication);
// update statistics
{
pwmApplication.getStatisticsManager().incrementValue(Statistic.PASSWORD_CHANGES);
pwmApplication.getStatisticsManager().updateEps(Statistic.EpsType.PASSWORD_CHANGES, 1);
final int passwordStrength =
PasswordUtility.judgePasswordStrength(newPassword.getStringValue());
pwmApplication
.getStatisticsManager()
.updateAverageValue(Statistic.AVG_PASSWORD_STRENGTH, passwordStrength);
}
// add the old password to the global history list (if the old password is known)
if (oldPassword != null
&& pwmApplication
.getConfig()
.readSettingAsBoolean(PwmSetting.PASSWORD_SHAREDHISTORY_ENABLE)) {
pwmApplication.getSharedHistoryManager().addWord(pwmSession, oldPassword.getStringValue());
}
// invoke post password change actions
invokePostChangePasswordActions(pwmSession, newPassword.getStringValue());
{ // execute configured actions
LOGGER.debug(pwmSession, "executing configured actions to user " + proxiedUser.getEntryDN());
final List<ActionConfiguration> configValues =
pwmApplication
.getConfig()
.readSettingAsAction(PwmSetting.CHANGE_PASSWORD_WRITE_ATTRIBUTES);
if (configValues != null && !configValues.isEmpty()) {
final LoginInfoBean clonedLoginInfoBean =
JsonUtil.cloneUsingJson(pwmSession.getLoginInfoBean(), LoginInfoBean.class);
clonedLoginInfoBean.setUserCurrentPassword(newPassword);
final MacroMachine macroMachine =
new MacroMachine(
pwmApplication,
pwmSession.getLabel(),
pwmSession.getUserInfoBean(),
clonedLoginInfoBean,
pwmSession.getSessionManager().getUserDataReader(pwmApplication));
final ActionExecutor actionExecutor =
new ActionExecutor.ActionExecutorSettings(pwmApplication, uiBean.getUserIdentity())
.setMacroMachine(macroMachine)
.setExpandPwmMacros(true)
.createActionExecutor();
actionExecutor.executeActions(configValues, pwmSession);
}
}
// update the current last password update field in ldap
LdapOperationsHelper.updateLastPasswordUpdateAttribute(
pwmApplication, pwmSession.getLabel(), uiBean.getUserIdentity());
}
static boolean checkAuthentication(
final PwmRequest pwmRequest, final ConfigManagerBean configManagerBean)
throws IOException, PwmUnrecoverableException, ServletException {
final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
final PwmSession pwmSession = pwmRequest.getPwmSession();
final ConfigurationReader runningConfigReader =
ContextManager.getContextManager(pwmRequest.getHttpServletRequest().getSession())
.getConfigReader();
final StoredConfigurationImpl storedConfig = runningConfigReader.getStoredConfiguration();
boolean authRequired = false;
if (storedConfig.hasPassword()) {
authRequired = true;
}
if (PwmApplication.MODE.RUNNING == pwmRequest.getPwmApplication().getApplicationMode()) {
if (!pwmSession.getSessionStateBean().isAuthenticated()) {
throw new PwmUnrecoverableException(PwmError.ERROR_AUTHENTICATION_REQUIRED);
}
if (!pwmRequest
.getPwmSession()
.getSessionManager()
.checkPermission(pwmRequest.getPwmApplication(), Permission.PWMADMIN)) {
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_UNAUTHORIZED);
pwmRequest.respondWithError(errorInformation);
return true;
}
if (pwmSession.getLoginInfoBean().getAuthenticationType()
!= AuthenticationType.AUTHENTICATED) {
throw new PwmUnrecoverableException(
new ErrorInformation(
PwmError.ERROR_AUTHENTICATION_REQUIRED,
"Username/Password authentication is required to edit configuration. This session has not been authenticated using a user password (SSO or other method used)."));
}
}
if (PwmApplication.MODE.CONFIGURATION != pwmRequest.getPwmApplication().getApplicationMode()) {
authRequired = true;
}
if (!authRequired) {
return false;
}
if (!storedConfig.hasPassword()) {
final String errorMsg = "config file does not have a configuration password";
final ErrorInformation errorInformation =
new ErrorInformation(PwmError.CONFIG_FORMAT_ERROR, errorMsg, new String[] {errorMsg});
pwmRequest.respondWithError(errorInformation, true);
return true;
}
if (configManagerBean.isPasswordVerified()) {
return false;
}
String persistentLoginValue = null;
boolean persistentLoginAccepted = false;
boolean persistentLoginEnabled = false;
if (pwmRequest.getConfig().isDefaultValue(PwmSetting.PWM_SECURITY_KEY)) {
LOGGER.debug(pwmRequest, "security not available, persistent login not possible.");
} else {
persistentLoginEnabled = true;
final PwmSecurityKey securityKey = pwmRequest.getConfig().getSecurityKey();
if (PwmApplication.MODE.RUNNING == pwmRequest.getPwmApplication().getApplicationMode()) {
persistentLoginValue =
SecureEngine.hash(
storedConfig.readConfigProperty(ConfigurationProperty.PASSWORD_HASH)
+ pwmSession.getUserInfoBean().getUserIdentity().toDelimitedKey(),
PwmHashAlgorithm.SHA512);
} else {
persistentLoginValue =
SecureEngine.hash(
storedConfig.readConfigProperty(ConfigurationProperty.PASSWORD_HASH),
PwmHashAlgorithm.SHA512);
}
{
final String cookieStr =
ServletHelper.readCookie(
pwmRequest.getHttpServletRequest(), PwmConstants.COOKIE_PERSISTENT_CONFIG_LOGIN);
if (securityKey != null && cookieStr != null && !cookieStr.isEmpty()) {
try {
final String jsonStr = pwmApplication.getSecureService().decryptStringValue(cookieStr);
final PersistentLoginInfo persistentLoginInfo =
JsonUtil.deserialize(jsonStr, PersistentLoginInfo.class);
if (persistentLoginInfo != null && persistentLoginValue != null) {
if (persistentLoginInfo.getExpireDate().after(new Date())) {
if (persistentLoginValue.equals(persistentLoginInfo.getPassword())) {
persistentLoginAccepted = true;
LOGGER.debug(
pwmRequest,
"accepting persistent config login from cookie (expires "
+ PwmConstants.DEFAULT_DATETIME_FORMAT.format(
persistentLoginInfo.getExpireDate())
+ ")");
}
}
}
} catch (Exception e) {
LOGGER.error(
pwmRequest, "error examining persistent config login cookie: " + e.getMessage());
}
if (!persistentLoginAccepted) {
Cookie removalCookie = new Cookie(PwmConstants.COOKIE_PERSISTENT_CONFIG_LOGIN, null);
removalCookie.setMaxAge(0);
pwmRequest.getPwmResponse().addCookie(removalCookie);
LOGGER.debug(pwmRequest, "removing non-working persistent config login cookie");
}
}
}
}
final String password = pwmRequest.readParameterAsString("password");
boolean passwordAccepted = false;
if (!persistentLoginAccepted) {
if (password != null && password.length() > 0) {
if (storedConfig.verifyPassword(password)) {
passwordAccepted = true;
LOGGER.trace(pwmRequest, "valid configuration password accepted");
updateLoginHistory(pwmRequest, pwmRequest.getUserInfoIfLoggedIn(), true);
} else {
LOGGER.trace(pwmRequest, "configuration password is not correct");
pwmApplication.getIntruderManager().convenience().markAddressAndSession(pwmSession);
pwmApplication
.getIntruderManager()
.mark(
RecordType.USERNAME,
PwmConstants.CONFIGMANAGER_INTRUDER_USERNAME,
pwmSession.getLabel());
final ErrorInformation errorInformation =
new ErrorInformation(PwmError.ERROR_WRONGPASSWORD);
pwmRequest.setResponseError(errorInformation);
updateLoginHistory(pwmRequest, pwmRequest.getUserInfoIfLoggedIn(), false);
}
}
}
if ((persistentLoginAccepted || passwordAccepted)) {
configManagerBean.setPasswordVerified(true);
pwmApplication.getIntruderManager().convenience().clearAddressAndSession(pwmSession);
pwmApplication
.getIntruderManager()
.clear(RecordType.USERNAME, PwmConstants.CONFIGMANAGER_INTRUDER_USERNAME);
if (persistentLoginEnabled
&& !persistentLoginAccepted
&& "on".equals(pwmRequest.readParameterAsString("remember"))) {
final int persistentSeconds = figureMaxLoginSeconds(pwmRequest);
if (persistentSeconds > 0) {
final Date expirationDate =
new Date(System.currentTimeMillis() + (persistentSeconds * 1000));
final PersistentLoginInfo persistentLoginInfo =
new PersistentLoginInfo(expirationDate, persistentLoginValue);
final String jsonPersistentLoginInfo = JsonUtil.serialize(persistentLoginInfo);
final String cookieValue =
pwmApplication.getSecureService().encryptToString(jsonPersistentLoginInfo);
pwmRequest
.getPwmResponse()
.writeCookie(
PwmConstants.COOKIE_PERSISTENT_CONFIG_LOGIN, cookieValue, persistentSeconds);
LOGGER.debug(
pwmRequest,
"set persistent config login cookie (expires "
+ PwmConstants.DEFAULT_DATETIME_FORMAT.format(expirationDate)
+ ")");
}
}
if (configManagerBean.getPrePasswordEntryUrl() != null) {
final String originalUrl = configManagerBean.getPrePasswordEntryUrl();
configManagerBean.setPrePasswordEntryUrl(null);
pwmRequest.getPwmResponse().sendRedirect(originalUrl);
return true;
}
return false;
}
if (configManagerBean.getPrePasswordEntryUrl() == null) {
configManagerBean.setPrePasswordEntryUrl(
pwmRequest.getHttpServletRequest().getRequestURL().toString());
}
forwardToJsp(pwmRequest);
return true;
}
