LdapTokenMachine.java

/*
 * Password Management Servlets (PWM)
 * http://www.pwm-project.org
 *
 * Copyright (c) 2006-2009 Novell, Inc.
 * Copyright (c) 2009-2016 The PWM Project
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */

package password.pwm.svc.token;

import com.novell.ldapchai.ChaiUser;
import com.novell.ldapchai.exception.ChaiException;
import com.novell.ldapchai.util.SearchHelper;
import password.pwm.PwmApplication;
import password.pwm.bean.SessionLabel;
import password.pwm.bean.UserIdentity;
import password.pwm.config.PwmSetting;
import password.pwm.error.ErrorInformation;
import password.pwm.error.PwmError;
import password.pwm.error.PwmOperationalException;
import password.pwm.error.PwmUnrecoverableException;
import password.pwm.ldap.LdapUserDataReader;
import password.pwm.ldap.UserDataReader;
import password.pwm.ldap.search.SearchConfiguration;
import password.pwm.ldap.search.UserSearchEngine;

import java.util.HashMap;
import java.util.Map;

class LdapTokenMachine  implements TokenMachine {
    private PwmApplication pwmApplication;
    private String tokenAttribute;
    private final String KEY_VALUE_DELIMITER = " ";
    private TokenService tokenService;

    LdapTokenMachine(final TokenService tokenService, final PwmApplication pwmApplication)
            throws PwmOperationalException
    {
        this.tokenService = tokenService;
        this.pwmApplication = pwmApplication;
        this.tokenAttribute = pwmApplication.getConfig().readSettingAsString(PwmSetting.TOKEN_LDAP_ATTRIBUTE);
    }

    public String generateToken(
            final SessionLabel sessionLabel,
            final TokenPayload tokenPayload
    )
            throws PwmUnrecoverableException, PwmOperationalException
    {
        return tokenService.makeUniqueTokenForMachine(sessionLabel, this);
    }

    public TokenPayload retrieveToken(final TokenKey tokenKey)
            throws PwmOperationalException, PwmUnrecoverableException
    {
        final String searchFilter;
        {
            final String storedHash = tokenKey.getStoredHash();
            final SearchHelper tempSearchHelper = new SearchHelper();
            final Map<String,String> filterAttributes = new HashMap<>();
            for (final String loopStr : pwmApplication.getConfig().readSettingAsStringArray(PwmSetting.DEFAULT_OBJECT_CLASSES)) {
                filterAttributes.put("objectClass", loopStr);
            }
            filterAttributes.put(tokenAttribute,storedHash + "*");
            tempSearchHelper.setFilterAnd(filterAttributes);
            searchFilter = tempSearchHelper.getFilter();
        }

        try {
            final UserSearchEngine userSearchEngine = new UserSearchEngine();
            final SearchConfiguration searchConfiguration = SearchConfiguration.builder()
                    .filter(searchFilter)
                    .build();
            final UserIdentity user = userSearchEngine.performSingleUserSearch(searchConfiguration, null);
            if (user == null) {
                return null;
            }
            final UserDataReader userDataReader = LdapUserDataReader.appProxiedReader(pwmApplication, user);
            final String tokenAttributeValue = userDataReader.readStringAttribute(tokenAttribute);
            if (tokenAttribute != null && tokenAttributeValue.length() > 0) {
                final String[] splitString = tokenAttributeValue.split(KEY_VALUE_DELIMITER);
                if (splitString.length != 2) {
                    final String errorMsg = "error parsing ldap stored token, not enough delimited values";
                    final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_TOKEN_INCORRECT,errorMsg);
                    throw new PwmOperationalException(errorInformation);
                }
                return tokenService.fromEncryptedString(splitString[1]);
            }
        } catch (PwmOperationalException e) {
            if (e.getError() == PwmError.ERROR_CANT_MATCH_USER) {
                return null;
            }
            throw e;
        } catch (ChaiException e) {
            final String errorMsg = "unexpected ldap error searching for token: " + e.getMessage();
            final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_TOKEN_INCORRECT,errorMsg);
            throw new PwmOperationalException(errorInformation);
        }
        return null;
    }

    public void storeToken(final TokenKey tokenKey, final TokenPayload tokenPayload)
            throws PwmOperationalException, PwmUnrecoverableException
    {
        try {
            final String md5sumToken = tokenKey.getStoredHash();
            final String encodedTokenPayload = tokenService.toEncryptedString(tokenPayload);

            final UserIdentity userIdentity = tokenPayload.getUserIdentity();
            final ChaiUser chaiUser = pwmApplication.getProxiedChaiUser(userIdentity);
            chaiUser.writeStringAttribute(tokenAttribute, md5sumToken + KEY_VALUE_DELIMITER + encodedTokenPayload);
        } catch (ChaiException e) {
            final String errorMsg = "unexpected ldap error saving token: " + e.getMessage();
            final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_UNKNOWN,errorMsg);
            throw new PwmOperationalException(errorInformation);
        }
    }

    public void removeToken(final TokenKey tokenKey)
            throws PwmOperationalException, PwmUnrecoverableException
    {
        final TokenPayload payload = retrieveToken(tokenKey);
        if (payload != null) {
            final UserIdentity userIdentity = payload.getUserIdentity();
            try {
                final ChaiUser chaiUser = pwmApplication.getProxiedChaiUser(userIdentity);
                chaiUser.deleteAttribute(tokenAttribute, null);
            } catch (ChaiException e) {
                final String errorMsg = "unexpected ldap error removing token: " + e.getMessage();
                final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_UNKNOWN,errorMsg);
                throw new PwmOperationalException(errorInformation);
            }
        }
    }

    public int size() throws PwmOperationalException {
        return -1;
    }

    public void cleanup() throws PwmUnrecoverableException, PwmOperationalException {
    }

    @Override
    public boolean supportsName() {
        return false;
    }

    @Override
    public TokenKey keyFromKey(final String key) throws PwmUnrecoverableException {
        return StoredTokenKey.fromKeyValue(pwmApplication, key);
    }

    @Override
    public TokenKey keyFromStoredHash(final String storedHash) {
        return StoredTokenKey.fromStoredHash(storedHash);
    }

}