grealish / pwm

Automatically exported from code.google.com/p/pwm

external call to REST randompassword 5004 ERROR_AUTHENTICATION_REQUIRED #388

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Setup an external REST client to fetch randompassword for a user.
2. POST a random password request to the PWM randompassword webservice, i.e.:

Accept-Language: en
Accept: application/json
Content-Type: application/json
Authorization: Basic Y249dGVzdHVzZXIsb3U9dXNlcnMsbz1tZXRhOlRlc3QxMjM0

{
  "chars":"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMONPQRSTUVWXYZ0123456789",
  "username":"cn=testuser,ou=users,o=meta",
  "strength":50
}

What is the expected output? What do you see instead?
The expected output is that I would get a JSON response back with a generated 
password that complies with the Password policy of the username.

Instead I always get a JSON error response back:

{
  "error":true,
  "errorCode":5004,
  "errorMessage":"Authentication required.",
  "errorDetail":"5004 ERROR_AUTHENTICATION_REQUIRED"
}

I did some code analysis and there seems to be a bug in the RestServerHelper. 
The problem is that the lookupUsername method always checks whether the User is 
authenticated. However the randompassword REST webservice calls the 
RestServerHelper with requiresAuthentication=false. Therefore lookupUsername 
always throws a PwmUnrecoverableException, because the RestServerHelper did not 
authenticate the user while this was not necessary.

What version of PWM are you using?
Latest build

Possible Solution:
I've patched RestServerHelper so that lookupUsername also checks the parameter 
requiresAuthentication. Only when requiresAuthentication=true should a 
PwmUnrecoverableException be thrown.

Original issue reported on code.google.com by sebastia...@gmail.com on 18 May 2013 at 12:57

GoogleCodeExporter commented 9 years ago
Attached the proposed patch. I have not tested this yet (will do that next 
week).

Original comment by sebastia...@gmail.com on 18 May 2013 at 1:19


GoogleCodeExporter commented 9 years ago
Tested the patch, but this fix was not good enough. After further code analysis 
I've made a new patch which does the following:

1. RestServerHelper: handleAuthentication is now called when 
requiresAuthentication=true or a Basic Authentication header is present. This 
makes the Authentication optional if requiresAuthentication=false.

2. RestRandomPasswordServer: fixed a bug where jsonInput.username was provided 
to createChaiUser, instead of the User DN of the restRequestBean.

3. RestServerHelper + RestRandomPasswordServer: Used overloading on the 
initializeRestRequest method to allow Random Password generation to be done if 
the userDN in the Basic Authorization header matches the DN of the JSON username. 
I've separated the authorization checks from lookupUsername in 
handleAuthorization. The old behaviour was that Helpdesk Permission was always 
mandatory if a JSON username was provided.

Original comment by sebastia...@gmail.com on 21 May 2013 at 11:00


GoogleCodeExporter commented 9 years ago

Original comment by jrivard on 23 May 2013 at 7:42

GoogleCodeExporter commented 9 years ago
This is actually working as designed.  To get a random password generated 
against any user is a privileged operation and should require authentication.  
You're reading the password policy of the user, which may involve privileged 
ldap operations.  

I think it also makes sense that Helpdesk permission is required for 3rd party 
operations.  Or at least some type of permission; perhaps there should be a 
separate permission for 3rd party operations.  However, the actual helpdesk UI 
uses this service, so it does fit that use case well.

Comments?

Original comment by jrivard on 14 Jun 2013 at 3:46

GoogleCodeExporter commented 9 years ago
Some feedback on this :)

@Working as designed: The current REST documentation states that Authentication 
is Optional for the GET and POST methods. However, authentication is always 
necessary with the current code.

@security: The REST service is indeed reading the Password Policy of that user, 
but that is not returned in the REST call, so no sensitive information is 
revealed. Currently the REST service uses the Proxy LDAP account to read the 
Password Policy, so privileged ldap operations are not necessary for the user 
in the Basic Auth header.

Letting a user request a Random Password for her/himself after 
authentication is currently already available in the Change Password module 
(Settings -> User Interface -> Show Auto Generate Randoms). It would be nice 
for third party apps to have this same functionality over REST.

Note that by overloading initializeRestRequest only the Random Password 
generation is given this permission on self. For all other operations Helpdesk 
permission is still necessary.

Original comment by sebastia...@gmail.com on 14 Jun 2013 at 6:07