@Override public String getPlaintext(ProtectedStringType protectedStringType) throws EncryptionException { if (protectedStringType != null) { return protector.decryptString(protectedStringType); } else { return null; } }
/** * Hashes cleartext password in an (unofficial) LDAP password format. Supported algorithms: SSHA, SHA and MD5. */ public String hashLdapPassword(ProtectedStringType protectedString, String alg) throws NoSuchAlgorithmException, EncryptionException { if (protectedString == null) { return null; } String clearString = protector.decryptString(protectedString); if (clearString == null) { return null; } return hashLdapPassword(clearString.getBytes(UTF8_CHARSET), alg); }
public String decrypt(ProtectedStringType protectedString) { try { return protector.decryptString(protectedString); } catch (EncryptionException e) { throw new SystemException(e.getMessage(), e); } }
protected <O extends ObjectType> void assertLdapPassword(ProtectedStringType protectedStringType, String expectedPassword, PrismObject<O> source) throws EncryptionException { assertNotNull("No password value in "+source, protectedStringType); String decryptedUserPassword = protector.decryptString(protectedStringType); assertNotNull("Null password in " + source, decryptedUserPassword); if (decryptedUserPassword.startsWith("{") || decryptedUserPassword.contains("}")) { assertTrue("Wrong password hash in "+source+": "+decryptedUserPassword+", expected "+expectedPassword, ldapShaPasswordEncoder.matches(decryptedUserPassword, expectedPassword)); } else { assertEquals("Wrong password in "+source, expectedPassword, decryptedUserPassword); } }
private String getClearValue(ProtectedStringType protectedString) throws SchemaException, PolicyViolationException { try { if (protectedString.isEncrypted()) { return protector.decryptString(protectedString); } else if (protectedString.getClearValue() != null) { return protector.decryptString(protectedString); } else if (protectedString.isHashed()) { throw new SchemaException("Cannot validate value of hashed password"); } } catch (EncryptionException e) { throw new PolicyViolationException(e.getMessage(), e); } return null; }
private String determinePasswordValue(ProtectedStringType passValue) { if (passValue == null) { return null; } String passwordStr = passValue.getClearValue(); if (passwordStr == null && passValue.getEncryptedDataType () != null) { // TODO: is this appropriate handling??? try { passwordStr = protector.decryptString(passValue); } catch (EncryptionException ex) { throw new SystemException("Failed to process password for user: " , ex); } } return passwordStr; }
@Override public String getPlaintextAccountPasswordFromDelta(ObjectDelta<? extends ShadowType> delta) throws EncryptionException { if (delta.isAdd()) { ShadowType newShadow = delta.getObjectToAdd().asObjectable(); return getPlaintextAccountPassword(newShadow); } if (!delta.isModify()) { return null; } List<ProtectedStringType> passwords = new ArrayList<>(); for (ItemDelta itemDelta : delta.getModifications()) { takePasswordsFromItemDelta(passwords, itemDelta); } LOGGER.trace("Found " + passwords.size() + " password change value(s)"); if (!passwords.isEmpty()) { return protector.decryptString(passwords.get(passwords.size() - 1)); } else { return null; } }
@Override public String getPlaintextUserPasswordFromDeltas(List<ObjectDelta<UserType>> objectDeltas) throws EncryptionException { List<ProtectedStringType> passwords = new ArrayList<>(); for (ObjectDelta<UserType> delta : objectDeltas) { if (delta.isAdd()) { UserType newUser = delta.getObjectToAdd().asObjectable(); return getPlaintextUserPassword(newUser); // for simplicity we do not look for other values } if (!delta.isModify()) { continue; } for (ItemDelta itemDelta : delta.getModifications()) { takePasswordsFromItemDelta(passwords, itemDelta); } } LOGGER.trace("Found " + passwords.size() + " password change value(s)"); if (!passwords.isEmpty()) { return protector.decryptString(passwords.get(passwords.size() - 1)); } else { return null; } }
private String getClearValue(ProtectedStringType protectedString) { if (protectedString == null) { return null; } String passwordStr = protectedString.getClearValue(); if (passwordStr == null && protectedString.isEncrypted()) { try { passwordStr = protector.decryptString(protectedString); } catch (EncryptionException e) { throw new SystemException("Failed to decrypt " + shortDesc + ": " + e.getMessage(), e); } } return passwordStr; }
public void assertProtectedString(String desc, Collection<PrismPropertyValue<ProtectedStringType>> set, String expected) throws EncryptionException { assertEquals("Unexpected size of "+desc+": "+set, 1, set.size()); PrismPropertyValue<ProtectedStringType> pval = set.iterator().next(); ProtectedStringType ps = pval.getValue(); String zeroString = protector.decryptString(ps); assertEquals("Unexpected value in "+desc+": "+set, expected, zeroString); }
protected void assertEncryptedUserPassword(PrismObject<UserType> user, String expectedClearPassword) throws EncryptionException { UserType userType = user.asObjectable(); ProtectedStringType protectedActualPassword = userType.getCredentials().getPassword().getValue(); String actualClearPassword = protector.decryptString(protectedActualPassword); assertEquals("Wrong password for "+user, expectedClearPassword, actualClearPassword); }
public static GuardedString toGuardedString(ProtectedStringType ps, Protector protector, String propertyName) { if (ps == null) { return null; } if (!protector.isEncrypted(ps)) { if (ps.getClearValue() == null) { return null; } // LOGGER.warn("Using cleartext value for {}", propertyName); return new GuardedString(ps.getClearValue().toCharArray()); } try { return new GuardedString(protector.decryptString(ps).toCharArray()); } catch (EncryptionException e) { // LOGGER.error("Unable to decrypt value of element {}: {}", // new Object[] { propertyName, e.getMessage(), e }); throw new SystemException("Unable to decrypt value of element " + propertyName + ": " + e.getMessage(), e); } }
private String getPassword(ConnectionEnvironment connEnv, @NotNull MidPointPrincipal principal, ProtectedStringType protectedString) { String decryptedPassword; if (protectedString.getEncryptedDataType() != null) { try { decryptedPassword = protector.decryptString(protectedString); } catch (EncryptionException e) { recordAuthenticationFailure(principal, connEnv, "error decrypting password: "+e.getMessage()); throw new AuthenticationServiceException("web.security.provider.unavailable", e); } } else { LOGGER.warn("Authenticating user based on clear value. Please check objects, " + "this should not happen. Protected string should be encrypted."); decryptedPassword = protectedString.getClearValue(); } return decryptedPassword; }
protected String getHumanReadablePassword(ProtectedStringType ps) throws EncryptionException { if (ps == null) { return null; } if (ps.isEncrypted()) { return "[E:"+protector.decryptString(ps)+"]"; } if (ps.isHashed()) { return "[H:"+ps.getHashedDataType().getDigestValue().length*8+"bit]"; } return ps.getClearValue(); }
protected String getDecryptedValue(ConnectionEnvironment connEnv, @NotNull MidPointPrincipal principal, ProtectedStringType protectedString) { String decryptedPassword; if (protectedString.getEncryptedDataType() != null) { try { decryptedPassword = protector.decryptString(protectedString); } catch (EncryptionException e) { recordAuthenticationFailure(principal, connEnv, "error decrypting password: "+e.getMessage()); throw new AuthenticationServiceException("web.security.provider.unavailable", e); } } else { LOGGER.warn("Authenticating user based on clear value. Please check objects, " + "this should not happen. Protected string should be encrypted."); decryptedPassword = protectedString.getClearValue(); } return decryptedPassword; }
@Override public String getPlaintextUserPassword(UserType user) throws EncryptionException { if (user == null || user.getCredentials() == null || user.getCredentials().getPassword() == null) { return null; // todo log a warning here? } ProtectedStringType protectedStringType = user.getCredentials().getPassword().getValue(); if (protectedStringType != null) { return protector.decryptString(protectedStringType); } else { return null; } }
@Override public String getPlaintextAccountPassword(ShadowType account) throws EncryptionException { if (account == null || account.getCredentials() == null || account.getCredentials().getPassword() == null) { return null; // todo log a warning here? } ProtectedStringType protectedStringType = account.getCredentials().getPassword().getValue(); if (protectedStringType != null) { return protector.decryptString(protectedStringType); } else { return null; } }
protected String getPassword(PrismObject<UserType> user) throws EncryptionException { CredentialsType credentialsType = user.asObjectable().getCredentials(); assertNotNull("No credentials in "+user, credentialsType); PasswordType passwordType = credentialsType.getPassword(); assertNotNull("No password in "+user, passwordType); ProtectedStringType protectedStringType = passwordType.getValue(); assertNotNull("No password value in "+user, protectedStringType); return protector.decryptString(protectedStringType); }
@SuppressWarnings("unchecked") private void checkPassword(PipelineItem item, String userOid) throws CommunicationException, ObjectNotFoundException, SchemaException, SecurityViolationException, ConfigurationException, ExpressionEvaluationException, EncryptionException { PrismProperty<ProtectedStringType> returnedPassword = (PrismProperty<ProtectedStringType>) item.getValue().find(SchemaConstants.PATH_PASSWORD_VALUE); ProtectedStringType returnedRealValue = returnedPassword.getRealValue(); PrismObject<UserType> user = getUser(userOid); ProtectedStringType repoRealValue = user.asObjectable().getCredentials().getPassword().getValue(); String returnedClearValue = protector.decryptString(returnedRealValue); String repoClearValue = protector.decryptString(repoRealValue); System.out.println("Returned password = " + returnedClearValue + ", repo password = " + repoClearValue); assertEquals("Wrong password stored in repository", returnedClearValue, repoClearValue); }
@Override protected void assertShadowPassword(ShadowType provisioningShadow) throws Exception { CredentialsType credentials = provisioningShadow.getCredentials(); if (credentials == null) { return; } PasswordType passwordType = credentials.getPassword(); if (passwordType == null) { return; } ProtectedStringType passwordValue = passwordType.getValue(); assertNotNull("Missing password value in "+provisioningShadow, passwordValue); assertFalse("Empty password value in "+provisioningShadow, passwordValue.isEmpty()); String clearPassword = protector.decryptString(passwordValue); display("Clear password of "+provisioningShadow+": "+clearPassword); PrismContainerValue<PasswordType> passwordContainer = passwordType.asPrismContainerValue(); PrismProperty<ProtectedStringType> valueProp = passwordContainer.findProperty(PasswordType.F_VALUE); assertFalse("Incomplete password value in "+provisioningShadow, valueProp.isIncomplete()); } }