pwm-project / pwm


PWM 5015 - "forgotten password" is unable to parse valid magic `000001010000Z` of pwdAccountLockedTime #582

Open msoltyspl opened 3 years ago

msoltyspl commented 3 years ago

If we configure the "forgotten password" module to be able to also unlock locked account, then it only works for normally locked accounts due to repeated password failures.

Administratively locked accounts having 000001010000Z in the pwdAccountLockedTime will cause internal error exception (parse issue) in PWM.

While it shouldn't be possible for a user to unlock such account by himself, it would be better if it informed the user correctly about it.

The issue exists in at least the latest snapshot and in 1.9.1.

2020-11-25T16:39:32Z, TRACE, http.PwmRequest, {jpFo8} GET request for: /pwm/public/forgottenpassword  [172.17.0.1]
  pwmFormID='H4sIAAAAAAAAAAGaAGX_UFdNLkdDTTEQmgBQp1ov-pZXvMkeo3caXoYm4wUTNXqn6kcq9MxjBbPgHNfPnqif2JhJWPr9__f7_swDlDXRqQMt7dccyCRG31R0pm_F0t8xrtXn1ZmbxyrOkc58zUDVKUmhK-BbCdqNy8QTyzTsqVJG9C1biXhOZjb6FjcEswnZ6xEH9j35mc33qwMf0Fz9T0C0YQPLXEgDDrr8TFeaAAAA'
2020-11-25T16:39:32Z, TRACE, forgottenpw.ForgottenPasswordServlet, {jpFo8} entering forgotten password progress engine: flags={"a":true,"r":[],"o":["TOKEN","OTP"],"m":1}, progress={"s":true,"p":false,"m":["TOKEN"],"d":{"id":"C265F684E5E8603EB848456456F3ADEEB15FA2C57273D4E941F3137C1084BD0E922F765691CB3038730F01D7213B6A417D7AC2805D6B0E424BCCC3CCBC2FFF0F","display":"+*******4423","value":"+48601634423","type":"sms"},"i":"TOKEN"} [172.17.0.1]
2020-11-25T16:39:32Z, ERROR, servlet.AbstractPwmServlet, {jpFo8} unexpected error processing request: java.lang.IllegalArgumentException: unable to parse zulu time-string: Text '000001010000Z' could not be parsed at index 12 [7529F067A0E2586CDF8E7C459211B9A11E01792A] [172.17.0.1] (stacktrace follows)
java.lang.IllegalArgumentException: unable to parse zulu time-string: Text '000001010000Z' could not be parsed at index 12
    at com.novell.ldapchai.impl.edir.entry.EdirEntries.convertZuluToInstant(EdirEntries.java:120)
    at com.novell.ldapchai.impl.openldap.entry.OpenLDAPEntries.convertZuluToDate(OpenLDAPEntries.java:40)
    at com.novell.ldapchai.impl.openldap.entry.OpenLDAPVendorFactory.stringToInstant(OpenLDAPVendorFactory.java:101)
    at com.novell.ldapchai.impl.AbstractChaiEntry.readDateAttribute(AbstractChaiEntry.java:497)
    at com.novell.ldapchai.impl.openldap.entry.OpenLDAPUser.isPasswordLocked(OpenLDAPUser.java:149)
    at password.pwm.ldap.UserInfoReader.isPasswordLocked(UserInfoReader.java:398)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at password.pwm.util.java.CachingProxyWrapper$ProxyInstance.invoke(CachingProxyWrapper.java:84)
    at com.sun.proxy.$Proxy13.isPasswordLocked(Unknown Source)
    at password.pwm.http.servlet.forgottenpw.ForgottenPasswordServlet.nextStep(ForgottenPasswordServlet.java:1115)
    at password.pwm.http.servlet.ControlledPwmServlet.processAction(ControlledPwmServlet.java:191)
    at password.pwm.http.servlet.AbstractPwmServlet.handleRequest(AbstractPwmServlet.java:125)
    at password.pwm.http.servlet.AbstractPwmServlet.doGet(AbstractPwmServlet.java:65)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:626)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at password.pwm.http.filter.AbstractPwmFilter$PwmFilterChain.doFilter(AbstractPwmFilter.java:153)
    at password.pwm.http.filter.SessionFilter.processFilter(SessionFilter.java:111)
    at password.pwm.http.filter.AbstractPwmFilter.doFilter(AbstractPwmFilter.java:97)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at password.pwm.http.filter.AbstractPwmFilter$PwmFilterChain.doFilter(AbstractPwmFilter.java:153)
    at password.pwm.http.filter.ApplicationModeFilter.processFilter(ApplicationModeFilter.java:82)
    at password.pwm.http.filter.AbstractPwmFilter.doFilter(AbstractPwmFilter.java:97)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at password.pwm.http.filter.AbstractPwmFilter$PwmFilterChain.doFilter(AbstractPwmFilter.java:153)
    at password.pwm.http.filter.ObsoleteUrlFilter.processFilter(ObsoleteUrlFilter.java:65)
    at password.pwm.http.filter.AbstractPwmFilter.doFilter(AbstractPwmFilter.java:97)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at password.pwm.http.filter.RequestInitializationFilter.initializeServletRequest(RequestInitializationFilter.java:245)
    at password.pwm.http.filter.RequestInitializationFilter.doFilter(RequestInitializationFilter.java:167)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at com.github.ziplet.filter.compression.CompressingFilter.doFilter(CompressingFilter.java:263)
    at password.pwm.http.filter.GZIPFilter.doFilter(GZIPFilter.java:81)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at password.pwm.http.filter.CookieManagementFilter.doFilter(CookieManagementFilter.java:77)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:374)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
2020-11-25T16:39:32Z, FATAL, servlet.AbstractPwmServlet, {jpFo8} unexpected error: 5015 ERROR_INTERNAL (unexpected error processing request: java.lang.IllegalArgumentException: unable to parse zulu time-string: Text '000001010000Z' could not be parsed at index 12 [7529F067A0E2586CDF8E7C459211B9A11E01792A]) [172.17.0.1]
2020-11-25T16:39:32Z, ERROR, http.PwmResponse, {jpFo8} 5015 ERROR_INTERNAL (unexpected error processing request: java.lang.IllegalArgumentException: unable to parse zulu time-string: Text '000001010000Z' could not be parsed at index 12 [7529F067A0E2586CDF8E7C459211B9A11E01792A]) [172.17.0.1]
2020-11-25T16:39:32Z, DEBUG, http.PwmResponse, {jpFo8} forcing logout due to error 5015 ERROR_INTERNAL (unexpected error processing request: java.lang.IllegalArgumentException: unable to parse zulu time-string: Text '000001010000Z' could not be parsed at index 12 [7529F067A0E2586CDF8E7C459211B9A11E01792A]) [172.17.0.1]
2020-11-25T16:39:32Z, TRACE, http.SessionManager, {jpFo8} incremented request counter to 1 [172.17.0.1]
jrivard commented 3 years ago

Judging by the stack trace, this is due to using OpenLDAP, which doesn't have a proper timestamp reader (it's using the one from the eDir LDAP Chai impl). This needs an LDAP Chai impl fix.

smgabier commented 2 years ago

We are using pwm-onejar-2.1.0-SNAPSHOT integrated with OpenLDAP. The same issue is experienced after verifying any LDAP username in the forgotten password module.

We noticed that setting the Last Password Update Attribute in the PWM configuration to an LDAP attribute whose value can be set manually displays the full error.

LDAP attribute was set to ==> 2022-07-04T21:33:26Z

```
2022-07-04T22:08:48Z, ERROR, http.PwmResponse, {fQqQL,default} 5015 ERROR_INTERNAL (unexpected error processing request: java.lang.IllegalArgumentException: unable to parse zulu time-string: Text 'Sun Mar 06 11:28:16 IST 2011' could not be parsed at index 0 [AF129C3DE059DE6AB7A70437AB1C45C88F11F370]) [192.168.xx.xx]
2022-07-04T22:15:00Z, ERROR, servlet.AbstractPwmServlet, {IQqsz,default} unexpected error processing request: java.lang.IllegalArgumentException: unable to parse zulu time-string: Text '2011-04-15T20:08:18Z' could not be parsed at index 4 [F2A0B32E0CD3D90604C2E9EBDDC6E8039220A152] [192.168.xx.xx] (stacktrace follows)
java.lang.IllegalArgumentException: unable to parse zulu time-string: Text '2011-04-15T20:08:18Z' could not be parsed at index 4
    at com.novell.ldapchai.impl.edir.entry.EdirEntries.convertZuluToInstant(EdirEntries.java:120)
    at com.novell.ldapchai.impl.openldap.entry.OpenLDAPEntries.convertZuluToDate(OpenLDAPEntries.java:40)
    at com.novell.ldapchai.impl.openldap.entry.OpenLDAPVendorFactory.stringToInstant(OpenLDAPVendorFactory.java:101)
    at com.novell.ldapchai.impl.AbstractChaiEntry.readDateAttribute(AbstractChaiEntry.java:497)
    at password.pwm.util.password.PasswordUtility.determinePwdLastModified(PasswordUtility.java:1308)
```

We have tried different LDAP values and all display the same error above. We are not sure what format or timestamp PWM is expecting.

Is anyone else experiencing this issue, and how can it be bypassed to allow forgotten passwords to be reset via email, with or without the email token?

azdfzshffg commented 1 week ago

The same issue occurs on my side as well. When the attribute pwdAccountLockedTime has the value '000001010000Z' and the user tries to use the 'forgotten password' function, I get the same error: java.lang.IllegalArgumentException: unable to parse zulu time-string: Text '000001010000Z' could not be parsed at index 12

Could you please fix it?

jrivard commented 1 week ago

A link to some authoritative documentation on this attribute's syntax and behavior would be very helpful.

azdfzshffg commented 1 week ago

Hi,

A link like this: https://backstage.forgerock.com/docs/ds/7/schemaref/at-pwdAccountLockedTime.html ?

The attribute is used to lock accounts. This value is typically used by an administrator to lock an account. Only the value 000001010000Z causes issues for PWM, the other values are handled correctly.

jrivard commented 1 week ago

Thanks for that link, but that is for a commercial product unrelated to OpenLDAP. I would like to see something specific to OpenLDAP.

azdfzshffg commented 1 week ago

Okay. However, it works exactly the same way in "OpenLDAP" because, in reality, this attribute is used in the ppolicy module. For example, here is another link: https://tobru.ch/openldap-password-policy-overlay/

Another example: https://www.zytrax.com/books/ldap/ch6/ppolicy.html

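The failure described in the original report and in the ppolicy discussion above comes from treating pwdAccountLockedTime as a fixed-width `yyyyMMddHHmmssZ` string: the administrative lock value `000001010000Z` has no seconds field (and year 0000 is not a real date), so a strict pattern dies at index 12 and the user sees an internal error instead of "this account is locked". The following is an added example, not PWM or LDAP Chai code, written in Python rather than the project's Java so it runs stand-alone. It assumes the attribute is an RFC 4517 GeneralizedTime (minutes, seconds and fraction optional; `Z` or `+hhmm` offset) and that `000001010000Z` is the slapo-ppolicy sentinel for a lock only an administrator can clear; the names `parse_generalized_time`, `classify_lock`, `LockState` and the `lockout_duration_seconds` parameter (mirroring pwdLockoutDuration) are the example's own, and the sample values are constructed from this thread.

```python
"""Classify an OpenLDAP ppolicy pwdAccountLockedTime value without throwing an
opaque parse error on the permanent-lock sentinel.

Added example, not PWM or LDAP Chai code. Assumption: the attribute is an
RFC 4517 GeneralizedTime, and 000001010000Z is the slapo-ppolicy sentinel for
"locked by an administrator, no expiry".
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# slapo-ppolicy sentinel meaning "permanently locked, administrator must unlock".
PERMANENT_LOCK_SENTINEL = "000001010000Z"

# RFC 4517 GeneralizedTime: YYYYMMDDHH[MM[SS]][(.|,)fraction](Z|+hhmm|-hhmm).
# Minutes and seconds are optional, which is exactly what a fixed
# "yyyyMMddHHmmss'Z'" pattern gets wrong at index 12 of the sentinel.
_GENERALIZED_TIME = re.compile(
    r"^(?P<year>\d{4})(?P<month>\d{2})(?P<day>\d{2})(?P<hour>\d{2})"
    r"(?:(?P<minute>\d{2})(?P<second>\d{2})?)?"
    r"(?:[.,](?P<fraction>\d+))?"
    r"(?P<tz>Z|[+-]\d{4})$"
)


class LockState(Enum):
    UNLOCKED = "unlocked"              # attribute absent
    LOCKED = "locked"                  # timestamp present, lock still in force
    EXPIRED = "expired"                # timestamp present, pwdLockoutDuration elapsed
    LOCKED_PERMANENTLY = "permanent"   # sentinel value, only an admin can clear it


@dataclass(frozen=True)
class AccountLock:
    state: LockState
    locked_at: Optional[datetime] = None


def parse_generalized_time(value: str) -> datetime:
    """Parse an RFC 4517 GeneralizedTime into an aware datetime.

    Raises ValueError with a readable message for anything else, including
    ISO 8601 strings and the year-0000 sentinel, which is not a calendar date.
    """
    m = _GENERALIZED_TIME.match(value.strip())
    if m is None:
        raise ValueError(f"not an LDAP GeneralizedTime value: {value!r}")
    year = int(m["year"])
    if year == 0:
        raise ValueError(f"year 0000 is not a calendar date (ppolicy sentinel?): {value!r}")
    tz = m["tz"]
    if tz == "Z":
        tzinfo = timezone.utc
    else:
        sign = 1 if tz[0] == "+" else -1
        tzinfo = timezone(sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5])))
    base = datetime(year, int(m["month"]), int(m["day"]), int(m["hour"]),
                    int(m["minute"] or 0), int(m["second"] or 0), tzinfo=tzinfo)
    # A fraction refines the smallest unit actually given (hour, minute or second).
    frac = m["fraction"]
    if not frac:
        return base
    unit_seconds = 1 if m["second"] else 60 if m["minute"] else 3600
    return base + timedelta(seconds=unit_seconds * int(frac) / 10 ** len(frac))


def is_generalized_time(value: str) -> bool:
    """True when the value parses as a real GeneralizedTime (sentinel excluded)."""
    try:
        parse_generalized_time(value)
        return True
    except ValueError:
        return False


def classify_lock(value: Optional[str], now: datetime,
                  lockout_duration_seconds: int = 0) -> AccountLock:
    """Turn a pwdAccountLockedTime value into a lock state the UI can explain.

    lockout_duration_seconds mirrors pwdLockoutDuration: 0 means the lock does
    not expire on its own.
    """
    if value is None or not value.strip():
        return AccountLock(LockState.UNLOCKED)
    if value.strip() == PERMANENT_LOCK_SENTINEL:
        return AccountLock(LockState.LOCKED_PERMANENTLY)
    locked_at = parse_generalized_time(value)  # ValueError for malformed data
    if lockout_duration_seconds > 0 and now >= locked_at + timedelta(seconds=lockout_duration_seconds):
        return AccountLock(LockState.EXPIRED, locked_at)
    return AccountLock(LockState.LOCKED, locked_at)


if __name__ == "__main__":
    # Constructed sample values: the ones quoted in this thread plus a few variants.
    now = datetime(2020, 11, 25, 16, 49, 32, tzinfo=timezone.utc)
    for sample in (None, "20201125163932Z", "202011251639Z", PERMANENT_LOCK_SENTINEL,
                   "2011-04-15T20:08:18Z"):
        try:
            lock = classify_lock(sample, now, lockout_duration_seconds=300)
            print(f"{sample!r:>25} -> {lock.state.value} {lock.locked_at or ''}")
        except ValueError as exc:
            print(f"{sample!r:>25} -> rejected: {exc}")
```

The design point is that the sentinel is checked before any date parsing, so a permanently locked account yields a distinct state the forgotten-password flow can report ("contact an administrator") rather than an exception; malformed data such as the ISO 8601 and `Sun Mar 06 ...` strings from the second comment still fail, but with a message naming the offending value and the expected syntax, which is what an operator needs when the wrong attribute has been configured.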