
Removed the intruder changes from the cef branch

rkeil 7 years ago
parent
commit
2d853c247e

+ 27 - 35
server/src/main/java/password/pwm/http/servlet/forgottenpw/ForgottenPasswordServlet.java

@@ -34,6 +34,7 @@ import password.pwm.PwmApplication;
 import password.pwm.PwmConstants;
 import password.pwm.VerificationMethodSystem;
 import password.pwm.bean.LoginInfoBean;
+import password.pwm.bean.PasswordStatus;
 import password.pwm.bean.SessionLabel;
 import password.pwm.bean.TokenDestinationItem;
 import password.pwm.bean.UserIdentity;
@@ -253,22 +254,7 @@ public class ForgottenPasswordServlet extends ControlledPwmServlet {
                         break;
 
                     case resetPassword:
-                        if (forgottenPasswordProfile.readSettingAsBoolean(PwmSetting.RECOVERY_ALLOW_CHANGE_PW_WITHIN_MIN_LIFETIME)) {
-                            try {
-                                final boolean insideTime = ForgottenPasswordUtil.passwordWithinMinimumLifetime(pwmRequest, pwmRequest.getPwmSession().getUserInfo());
-                                if (!insideTime) {
-                                    this.executeResetPassword(pwmRequest);
-                                }
-
-                                throw new PwmUnrecoverableException(
-                                        PwmError.ERROR_SECURITY_VIOLATION,
-                                        "attempt to choose change password action, but not allowed due to minimum password lifetime"
-                                );
-                            } catch (PwmException e) {
-                                LOGGER.debug(pwmRequest, "exception while checking minimum lifetime: " + e.getMessage());
-                                return ProcessStatus.Halt;
-                            }
-                        }
+                        this.executeResetPassword(pwmRequest);
                         break;
 
                     default:
@@ -458,11 +444,10 @@ public class ForgottenPasswordServlet extends ControlledPwmServlet {
     {
         final ForgottenPasswordBean forgottenPasswordBean = forgottenPasswordBean(pwmRequest);
         final String userEnteredCode = pwmRequest.readParameterAsString(PwmConstants.PARAM_TOKEN);
-        TokenPayload tokenPayload = null;
 
         ErrorInformation errorInformation = null;
         try {
-            tokenPayload = pwmRequest.getPwmApplication().getTokenService().processUserEnteredCode(
+            final TokenPayload tokenPayload = pwmRequest.getPwmApplication().getTokenService().processUserEnteredCode(
                     pwmRequest.getPwmSession(),
                     forgottenPasswordBean.getUserIdentity() == null ? null : forgottenPasswordBean.getUserIdentity(),
                     TokenType.FORGOTTEN_PW,
@@ -890,25 +875,10 @@ public class ForgottenPasswordServlet extends ControlledPwmServlet {
             StatisticsManager.incrementStat(pwmRequest, Statistic.RECOVERY_SUCCESSES);
         }
 
-        final RecoveryAction recoveryAction = ForgottenPasswordUtil.getRecoveryAction(config, forgottenPasswordBean);
-        if (recoveryAction == RecoveryAction.SENDNEWPW || recoveryAction == RecoveryAction.SENDNEWPW_AND_EXPIRE) {
-            processSendNewPassword(pwmRequest);
-            return;
-        }
-
         final UserInfo userInfo = ForgottenPasswordUtil.readUserInfo(pwmRequest, forgottenPasswordBean);
         try {
-            final boolean showPage = ForgottenPasswordUtil.showActionChoicePageToUser(
-                    pwmRequest,
-                    userInfo,
-                    forgottenPasswordProfile,
-                    forgottenPasswordBean
-            );
-
-            if (showPage) {
-                pwmRequest.forwardToJsp(JspUrl.RECOVER_PASSWORD_ACTION_CHOICE);
-                return;
-            } else {
+            final boolean enforceFromForgotten = pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.CHALLENGE_ENFORCE_MINIMUM_PASSWORD_LIFETIME);
+            if (enforceFromForgotten) {
                 final ChaiUser theUser = pwmApplication.getProxiedChaiUser(forgottenPasswordBean.getUserIdentity());
                 PasswordUtility.checkIfPasswordWithinMinimumLifetime(
                         theUser,
@@ -924,6 +894,28 @@ public class ForgottenPasswordServlet extends ControlledPwmServlet {
 
         LOGGER.trace(pwmRequest, "all recovery checks passed, proceeding to configured recovery action");
 
+        final RecoveryAction recoveryAction = ForgottenPasswordUtil.getRecoveryAction(config, forgottenPasswordBean);
+        if (recoveryAction == RecoveryAction.SENDNEWPW || recoveryAction == RecoveryAction.SENDNEWPW_AND_EXPIRE) {
+            processSendNewPassword(pwmRequest);
+            return;
+        }
+
+        if (forgottenPasswordProfile.readSettingAsBoolean(PwmSetting.RECOVERY_ALLOW_UNLOCK)) {
+            final PasswordStatus passwordStatus = userInfo.getPasswordStatus();
+
+            if (!passwordStatus.isExpired() && !passwordStatus.isPreExpired()) {
+                try {
+                    final ChaiUser theUser = pwmApplication.getProxiedChaiUser(forgottenPasswordBean.getUserIdentity());
+                    if (theUser.isPasswordLocked()) {
+                        pwmRequest.forwardToJsp(JspUrl.RECOVER_PASSWORD_ACTION_CHOICE);
+                        return;
+                    }
+                } catch (ChaiOperationException e) {
+                    LOGGER.error(pwmRequest, "chai operation error checking user lock status: " + e.getMessage());
+                }
+            }
+        }
+
         this.executeResetPassword(pwmRequest);
     }
 
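Review bot: The `catch (ChaiOperationException e)` around `theUser.isPasswordLocked()` logs an error and then falls through to `this.executeResetPassword(pwmRequest)`, so a directory failure during the lock check silently skips the unlock/reset choice page rather than stopping the flow; the removed `showActionChoicePageToUser` helper caught the broader `ChaiException` here, and the removed `resetPassword` handler halted with `ProcessStatus.Halt` on error. Whether `ChaiUnavailableException` from `isPasswordLocked()` is covered depends on the enclosing method's `throws` clause, which starts outside the hunk, so that is worth confirming. If the intent is to fail closed on an LDAP error, adding `return;` after the `LOGGER.error(...)` line is the safer default. Separately, `pwmApplication.getProxiedChaiUser(forgottenPasswordBean.getUserIdentity())` is now resolved twice in this method (under `enforceFromForgotten` in the preceding hunk and again here); a single `final ChaiUser theUser = ...` above both checks would avoid the repeated directory round-trip.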

+ 0 - 78
server/src/main/java/password/pwm/http/servlet/forgottenpw/ForgottenPasswordUtil.java

@@ -26,7 +26,6 @@ import com.novell.ldapchai.ChaiUser;
 import com.novell.ldapchai.cr.Challenge;
 import com.novell.ldapchai.cr.ChallengeSet;
 import com.novell.ldapchai.cr.ResponseSet;
-import com.novell.ldapchai.exception.ChaiException;
 import com.novell.ldapchai.exception.ChaiUnavailableException;
 import com.novell.ldapchai.exception.ChaiValidationException;
 import password.pwm.AppProperty;
@@ -47,7 +46,6 @@ import password.pwm.error.PwmError;
 import password.pwm.error.PwmOperationalException;
 import password.pwm.error.PwmUnrecoverableException;
 import password.pwm.http.PwmRequest;
-import password.pwm.http.PwmRequestAttribute;
 import password.pwm.http.bean.ForgottenPasswordBean;
 import password.pwm.http.filter.AuthenticationFilter;
 import password.pwm.ldap.UserInfo;
@@ -487,80 +485,4 @@ class ForgottenPasswordUtil {
         return displayDestAddress;
     }
 
-    static boolean showActionChoicePageToUser(
-            final PwmRequest pwmRequest,
-            final UserInfo userInfo,
-            final ForgottenPasswordProfile forgottenPasswordProfile,
-            final ForgottenPasswordBean forgottenPasswordBean
-    )
-            throws ChaiUnavailableException, PwmUnrecoverableException, PwmOperationalException
-    {
-        boolean showUnlockAction = false;
-        {
-            if (forgottenPasswordProfile.readSettingAsBoolean(PwmSetting.RECOVERY_ALLOW_UNLOCK)) {
-                final ChaiUser theUser = pwmRequest.getPwmApplication().getProxiedChaiUser(forgottenPasswordBean.getUserIdentity());
-                try {
-                    if (theUser.isPasswordLocked()) {
-                        showUnlockAction = true;
-                    }
-                } catch (ChaiException e) {
-                    LOGGER.debug(pwmRequest, "unexpected error checking if user's password is locked: " + e.getMessage());
-                }
-            }
-        }
-
-        boolean showChangePasswordAction = true;
-        boolean userPasswordIsWithinMinimumLifetime = false;
-        {
-            userPasswordIsWithinMinimumLifetime = passwordWithinMinimumLifetime(pwmRequest, userInfo);
-
-            if (userPasswordIsWithinMinimumLifetime) {
-                if (!forgottenPasswordProfile.readSettingAsBoolean(PwmSetting.RECOVERY_ALLOW_CHANGE_PW_WITHIN_MIN_LIFETIME)) {
-                    showChangePasswordAction = false;
-                }
-            }
-        }
-
-        boolean showPage= false;
-        if (showUnlockAction && showChangePasswordAction) {
-            showPage = true;
-        }
-
-
-        if (userPasswordIsWithinMinimumLifetime) {
-            if (!forgottenPasswordProfile.readSettingAsBoolean(PwmSetting.RECOVERY_ALLOW_CHANGE_PW_WITHIN_MIN_LIFETIME)) {
-                showPage = true;
-            }
-        }
-
-        LOGGER.trace(pwmRequest, "showActionChoicePageToUser: showPage=" + showPage
-                + ", showUnlockAction:" + showUnlockAction
-                + ", showChangePasswordAction:" + showChangePasswordAction
-        );
-        pwmRequest.setAttribute(PwmRequestAttribute.ForgottenPasswordShowChangePasswordAction, showChangePasswordAction);
-        return showPage;
-    }
-
-    static boolean passwordWithinMinimumLifetime(
-            final PwmRequest pwmRequest,
-            final UserInfo userInfo
-    )
-            throws PwmUnrecoverableException, ChaiUnavailableException, PwmOperationalException
-    {
-        final ChaiUser chaiUser = pwmRequest.getPwmApplication().getProxiedChaiUser(userInfo.getUserIdentity());
-
-        try {
-            PasswordUtility.checkIfPasswordWithinMinimumLifetime(
-                    chaiUser,
-                    pwmRequest.getSessionLabel(),
-                    userInfo.getPasswordPolicy(),
-                    userInfo.getPasswordLastModifiedTime(),
-                    userInfo.getPasswordStatus()
-            );
-            return false;
-        } catch (PwmOperationalException e) {
-            LOGGER.debug(pwmRequest, "determined password to be within minimum lifetime: " + e.getMessage());
-            return true;
-        }
-    }
 }

+ 0 - 4
server/src/main/resources/password/pwm/i18n/PwmSetting.properties

@@ -220,8 +220,6 @@ Setting_Description_activateUser.searchFilter=Specify an LDAP search filter @Pwm
 Setting_Description_activateUser.token.sendMethod=Select the methods used for sending the token code to the user.
 Setting_Description_activateUser.writePostAttributes=Add actions @PwmAppName@ executes after it actives the users and the users have changed or set their initial passwords.  Typically, use this to activate the account, as well as add some searchable indicator.<br/><br/>  You can use macros.
 Setting_Description_activateUser.writePreAttributes=Add actions @PwmAppName@ executes after it activates the users but before it sets the password.  Typically, use this to activate the account, as well as add some searchable indicator.<br/><br/>  You can use macros.
-Setting_Description_audit.syslog.certificates=Import the TLS Certificate of syslog service.
-Setting_Description_audit.syslog.servers=Specify one or more entries of the connection information for the syslog audit servers. When configured, @PwmAppName@ forwards all audit events to the specified syslog server entered as the first entry. If the first one fails then the others will be tried until there is a successful delivery. The format is <b>&lt;protocol&gt;</b>,<b>&lt;address&gt;</b>,<b>&lt;port&gt;</b>.  The value for <b>&lt;protocol&gt;</b> can be either <\b>UDP</b>, <b>TCP</b> or <b>TLS</b>. We recommend that UDP is used in the list as the last option because UDP does not report a failure.<br/><br/>Examples\:<table><tr><td>Protocol</td><td>Address</td><td>Port</td><td>Setting</td><tr><tr><td>UDP</td><td>127.0.0.1</td><td>514</td><td>udp,127.0.0.1,514</td><tr><tr><td>TCP</td><td>central-syslog.example.com</td><td>514</td><td>tcp,central-syslog.example.com,514</td><tr><tr><td>TLS</td><td>secure-syslog.example.com</td><td>6514</td><td>tls,central-syslog.example.com,6514</td><tr></table>
 Setting_Description_audit.CommonEventFormat.enable=Enable using Common Event Format as the logging format.
 Setting_Description_audit.system.eventList=Select system event types to record and act upon.
 Setting_Description_audit.user.eventList=Select user event types to record and act upon.
@@ -703,8 +701,6 @@ Setting_Label_activateUser.searchFilter=Activation Search Filter
 Setting_Label_activateUser.token.sendMethod=Token Send Method
 Setting_Label_activateUser.writePostAttributes=Post-Activation Actions (After Password Change)
 Setting_Label_activateUser.writePreAttributes=Activation Actions (Before Password Change)
-Setting_Label_audit.syslog.certificates=Syslog Audit Server Certificates
-Setting_Label_audit.syslog.servers=Syslog Audit Server
 Setting_Label_audit.CommonEventFormat.enable=Common Event Format
 Setting_Label_audit.system.eventList=System Audit Event Types
 Setting_Label_audit.user.eventList=User Audit Event Types

+ 1 - 8
server/src/main/webapp/WEB-INF/jsp/forgottenpassword-actionchoice.jsp

@@ -26,7 +26,6 @@
 <%@ page language="java" session="true" isThreadSafe="true" contentType="text/html" %>
 <%@ taglib uri="pwm" prefix="pwm" %>
 <html lang="<pwm:value name="<%=PwmValue.localeCode%>"/>" dir="<pwm:value name="<%=PwmValue.localeDir%>"/>">
-<% boolean showForgottenPasswordAction = (Boolean)JspUtility.getAttribute(pageContext, PwmRequestAttribute.ForgottenPasswordShowChangePasswordAction); %>
 <%@ include file="fragment/header.jsp" %>
 <body class="nihilo">
 <div id="wrapper">
@@ -36,12 +35,7 @@
     <div id="centerbody">
         <div id="page-content-title"><pwm:display key="Title_ForgottenPassword" displayIfMissing="true"/></div>
         <%@ include file="/WEB-INF/jsp/fragment/message.jsp" %>
-        <% if (!showForgottenPasswordAction) { %>
-            <p><pwm:display key="Display_RecoverPasswordChoices"/></p>
-        <% } else { %>
-            <p><pwm:display key="Display_RecoverMinLifetimeChoices"/></p>
-        <% } %>
-
+        <p><pwm:display key="Display_RecoverPasswordChoices"/></p>
         <table class="noborder">
             <tr>
                 <td>
@@ -64,7 +58,6 @@
                     &nbsp;
                 </td>
             </tr>
-            <% if (!showForgottenPasswordAction) { %>
             <tr>
                 <td>
                     <form action="<pwm:current-url/>" method="post" enctype="application/x-www-form-urlencoded" name="search">