Merge remote-tracking branch 'origin/master' into macro-support

src/main/java/password/pwm/AppProperty.java

@@ -80,8 +80,6 @@ public enum AppProperty {
     HTTP_COOKIE_MAX_READ_LENGTH                     ("http.cookie.maxReadLength"),
     HTTP_COOKIE_CAPTCHA_SKIP_NAME                   ("http.cookie.captchaSkip.name"),
     HTTP_COOKIE_CAPTCHA_SKIP_AGE                    ("http.cookie.captchaSkip.age"),
-    HTTP_COOKIE_INSTANCE_GUID_NAME                  ("http.cookie.instanceGUID.name"),
-    HTTP_COOKIE_INSTANCE_GUID_AGE                   ("http.cookie.instanceGUID.age"),
     HTTP_COOKIE_LOGIN_NAME                          ("http.cookie.login.name"),
     HTTP_BASIC_AUTH_CHARSET                         ("http.basicAuth.charset"),
     HTTP_BODY_MAXREAD_LENGTH                        ("http.body.maxReadLength"),

src/main/java/password/pwm/PwmApplication.java

@@ -54,10 +54,7 @@
 import password.pwm.svc.wordlist.SeedlistManager;
 import password.pwm.svc.wordlist.SharedHistoryManager;
 import password.pwm.svc.wordlist.WordlistManager;
-import password.pwm.util.FileSystemUtility;
-import password.pwm.util.Helper;
-import password.pwm.util.JsonUtil;
-import password.pwm.util.TimeDuration;
+import password.pwm.util.*;
 import password.pwm.util.db.DatabaseAccessorImpl;
 import password.pwm.util.localdb.LocalDB;
 import password.pwm.util.localdb.LocalDBFactory;
@@ -476,6 +473,10 @@ public CacheService getCacheService() {
         return (CacheService)pwmServiceManager.getService(CacheService.class);
     }
 
+    public LoginCookieManager getLoginCookieManager() {
+        return (LoginCookieManager)pwmServiceManager.getService(LoginCookieManager.class);
+    }
+
     public SecureService getSecureService() {
         return (SecureService)pwmServiceManager.getService(SecureService.class);
     }

src/main/java/password/pwm/config/Configuration.java

@@ -749,6 +749,15 @@ public Map<String,HelpdeskProfile> getHelpdeskProfiles() {
         return returnMap;
     }
 
+    public Map<String,UpdateAttributesProfile> getUpdateAttributesProfile() {
+        final Map<String,UpdateAttributesProfile> returnMap = new LinkedHashMap<>();
+        final Map<String,Profile> profileMap = profileMap(ProfileType.UpdateAttributes);
+        for (final String profileID : profileMap.keySet()) {
+            returnMap.put(profileID, (UpdateAttributesProfile)profileMap.get(profileID));
+        }
+        return returnMap;
+    }
+
     public Map<String,ForgottenPasswordProfile> getForgottenPasswordProfiles() {
         final Map<String,ForgottenPasswordProfile> returnMap = new LinkedHashMap<>();
         final Map<String,Profile> profileMap = profileMap(ProfileType.ForgottenPassword);
@@ -784,6 +793,10 @@ private Profile newProfileForID(final ProfileType profileType, final String prof
                 newProfile = NewUserProfile.makeFromStoredConfiguration(storedConfiguration, profileID);
                 break;
 
+            case UpdateAttributes:
+                newProfile = UpdateAttributesProfile.makeFromStoredConfiguration(storedConfiguration, profileID);
+                break;
+
             default: throw new IllegalArgumentException("unknown profile type: " + profileType.toString());
         }
 

src/main/java/password/pwm/config/PwmSetting.java

@@ -433,9 +433,21 @@ public enum PwmSetting {
             "password.policy.charGroup.regExValues", PwmSettingSyntax.STRING_ARRAY, PwmSettingCategory.PASSWORD_POLICY),
 
 
-    // security settings
+    // app security settings
     PWM_SECURITY_KEY(
             "pwm.securityKey", PwmSettingSyntax.PASSWORD, PwmSettingCategory.APP_SECURITY),
+    REVERSE_DNS_ENABLE(
+            "network.reverseDNS.enable", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.APP_SECURITY),
+    DISPLAY_SHOW_DETAILED_ERRORS(
+            "display.showDetailedErrors", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.APP_SECURITY),
+    SESSION_MAX_SECONDS(
+            "session.maxSeconds", PwmSettingSyntax.DURATION, PwmSettingCategory.APP_SECURITY),
+    SECURITY_ENABLE_LOGIN_COOKIE(
+            "security.loginCookie.enable", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.APP_SECURITY),
+
+
+
+    // web security
     SECURITY_ENABLE_REQUEST_SEQUENCE(
             "security.page.enableRequestSequence", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.WEB_SECURITY),
     SECURITY_ENABLE_FORM_NONCE(
@@ -450,8 +462,6 @@ public enum PwmSetting {
             "forceBasicAuth", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.WEB_SECURITY),
     USE_X_FORWARDED_FOR_HEADER(
             "useXForwardedForHeader", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.WEB_SECURITY),
-    REVERSE_DNS_ENABLE(
-            "network.reverseDNS.enable", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.APP_SECURITY),
     MULTI_IP_SESSION_ALLOWED(
             "network.allowMultiIPSession", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.WEB_SECURITY),
     REQUIRED_HEADERS(
@@ -460,10 +470,6 @@ public enum PwmSetting {
             "network.ip.permittedRange", PwmSettingSyntax.STRING_ARRAY, PwmSettingCategory.WEB_SECURITY),
     SECURITY_PAGE_LEAVE_NOTICE_TIMEOUT(
             "security.page.leaveNoticeTimeout", PwmSettingSyntax.NUMERIC, PwmSettingCategory.WEB_SECURITY),
-    DISPLAY_SHOW_DETAILED_ERRORS(
-            "display.showDetailedErrors", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.APP_SECURITY),
-    SESSION_MAX_SECONDS(
-            "session.maxSeconds", PwmSettingSyntax.DURATION, PwmSettingCategory.APP_SECURITY),
     SECURITY_PREVENT_FRAMING(
             "security.preventFraming", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.WEB_SECURITY),
     SECURITY_REDIRECT_WHITELIST(
@@ -760,21 +766,21 @@ public enum PwmSetting {
 
     // update profile
     UPDATE_PROFILE_ENABLE(
-            "updateAttributes.enable", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.UPDATE),
-    UPDATE_PROFILE_FORCE_SETUP(
-            "updateAttributes.forceSetup", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.UPDATE),
-    UPDATE_PROFILE_AGREEMENT_MESSAGE(
-            "display.updateAttributes.agreement", PwmSettingSyntax.LOCALIZED_TEXT_AREA, PwmSettingCategory.UPDATE),
+            "updateAttributes.enable", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.UPDATE_SETTINGS),
+    UPDATE_PROFILE__PROFILE_LIST(
+            "updateAttributes.profile.list", PwmSettingSyntax.PROFILE, PwmSettingCategory.GENERAL),
     UPDATE_PROFILE_QUERY_MATCH(
-            "updateAttributes.queryMatch", PwmSettingSyntax.USER_PERMISSION, PwmSettingCategory.UPDATE),
+            "updateAttributes.queryMatch", PwmSettingSyntax.USER_PERMISSION, PwmSettingCategory.UPDATE_PROFILE),
     UPDATE_PROFILE_WRITE_ATTRIBUTES(
-            "updateAttributes.writeAttributes", PwmSettingSyntax.ACTION, PwmSettingCategory.UPDATE),
+            "updateAttributes.writeAttributes", PwmSettingSyntax.ACTION, PwmSettingCategory.UPDATE_PROFILE),
+    UPDATE_PROFILE_FORCE_SETUP(
+            "updateAttributes.forceSetup", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.UPDATE_PROFILE),
+    UPDATE_PROFILE_AGREEMENT_MESSAGE(
+            "display.updateAttributes.agreement", PwmSettingSyntax.LOCALIZED_TEXT_AREA, PwmSettingCategory.UPDATE_PROFILE),
     UPDATE_PROFILE_FORM(
-            "updateAttributes.form", PwmSettingSyntax.FORM, PwmSettingCategory.UPDATE),
-    UPDATE_PROFILE_CHECK_QUERY_MATCH(
-            "updateAttributes.check.queryMatch", PwmSettingSyntax.USER_PERMISSION, PwmSettingCategory.UPDATE),
+            "updateAttributes.form", PwmSettingSyntax.FORM, PwmSettingCategory.UPDATE_PROFILE),
     UPDATE_PROFILE_SHOW_CONFIRMATION(
-            "updateAttributes.showConfirmation", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.UPDATE),
+            "updateAttributes.showConfirmation", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.UPDATE_PROFILE),
 
     // shortcut settings
     SHORTCUT_ENABLE(
@@ -1040,6 +1046,8 @@ public enum PwmSetting {
 
 
     // deprecated.
+    UPDATE_PROFILE_CHECK_QUERY_MATCH(
+            "updateAttributes.check.queryMatch", PwmSettingSyntax.USER_PERMISSION, PwmSettingCategory.UPDATE_PROFILE),
     WORDLIST_FILENAME(
             "pwm.wordlist.location", PwmSettingSyntax.STRING, PwmSettingCategory.PASSWORD_GLOBAL),
     SEEDLIST_FILENAME(
@@ -1168,18 +1176,22 @@ public Map<String, String> getOptions() {
         return options;
     }
 
-    public Map<String, String> getProperties() {
-        final Map<String, String> properties = new LinkedHashMap<>();
+    public Map<PwmSettingProperty, String> getProperties() {
+        final Map<PwmSettingProperty, String> properties = new LinkedHashMap<>();
         final Element settingElement = PwmSettingXml.readSettingXml(this);
         final Element propertiesElement = settingElement.getChild("properties");
         if (propertiesElement != null) {
             final List<Element> propertyElements = propertiesElement.getChildren("property");
             if (propertyElements != null) {
                 for (Element propertyElement : propertyElements) {
-                    if (propertyElement.getAttribute("key") == null) {
+                    if (propertyElement.getAttributeValue("key") == null) {
                         throw new IllegalStateException("property element is missing 'key' attribute for value " + this.getKey());
                     }
-                    properties.put(propertyElement.getAttribute("key").getValue(), propertyElement.getValue());
+                    final PwmSettingProperty property = Helper.readEnumFromString(PwmSettingProperty.class, null, propertyElement.getAttributeValue("key"));
+                    if (property == null) {
+                        throw new IllegalStateException("property element has unknown 'key' attribute for value " + this.getKey());
+                    }
+                    properties.put(property, propertyElement.getValue());
                 }
             }
         }

src/main/java/password/pwm/config/PwmSettingCategory.java

@@ -119,10 +119,13 @@ public enum PwmSettingCategory {
     NEWUSER                     (MODULES),
     NEWUSER_SETTINGS            (NEWUSER),
     NEWUSER_PROFILE             (NEWUSER),
-
+
+    UPDATE                      (MODULES),
+    UPDATE_SETTINGS             (UPDATE),
+    UPDATE_PROFILE              (UPDATE),
+
     GUEST                       (MODULES),
     ACTIVATION                  (MODULES),
-    UPDATE                      (MODULES),
     SHORTCUT                    (MODULES),
     PEOPLE_SEARCH               (MODULES),
     HELPDESK_PROFILE            (MODULES),

src/main/java/password/pwm/config/PwmSettingFlag.java

@@ -32,4 +32,10 @@ public enum PwmSettingFlag {
 
     /* No Default - Makes the setting UI act as if there is not a default to reset to */
     NoDefault,
+
+    Permission_HideGroups,
+    Permission_HideMatch,
+
+    Form_HideOptions,
+
 }

src/main/java/password/pwm/config/PwmSettingProperty.java

@@ -0,0 +1,15 @@
+package password.pwm.config;
+
+public enum PwmSettingProperty {
+
+    ModificationWarning,
+
+    Minimum,
+    Maximum,
+
+    Form_Types,
+
+    Cert_ImportHandler,
+
+
+}

src/main/java/password/pwm/config/profile/ProfileType.java

@@ -29,6 +29,7 @@ public enum ProfileType {
     Helpdesk            (true,  PwmSettingCategory.HELPDESK_PROFILE, PwmSetting.HELPDESK_PROFILE_QUERY_MATCH),
     ForgottenPassword   (false, PwmSettingCategory.RECOVERY_PROFILE, PwmSetting.RECOVERY_PROFILE_QUERY_MATCH),
     NewUser             (false, PwmSettingCategory.NEWUSER_PROFILE, null),
+    UpdateAttributes    (true,  PwmSettingCategory.UPDATE_PROFILE, PwmSetting.UPDATE_PROFILE_QUERY_MATCH),
     ;
 
     private final boolean authenticated;

src/main/java/password/pwm/config/profile/UpdateAttributesProfile.java

@@ -0,0 +1,34 @@
+package password.pwm.config.profile;
+
+import password.pwm.config.PwmSetting;
+import password.pwm.config.StoredValue;
+import password.pwm.config.stored.StoredConfiguration;
+
+import java.util.Locale;
+import java.util.Map;
+
+public class UpdateAttributesProfile extends AbstractProfile implements Profile {
+
+    private static final ProfileType PROFILE_TYPE = ProfileType.UpdateAttributes;
+
+    protected UpdateAttributesProfile(String identifier, Map<PwmSetting, StoredValue> storedValueMap) {
+        super(identifier, storedValueMap);
+    }
+
+    public static UpdateAttributesProfile makeFromStoredConfiguration(final StoredConfiguration storedConfiguration, final String identifier) {
+        final Map<PwmSetting,StoredValue> valueMap = makeValueMap(storedConfiguration, identifier, PROFILE_TYPE.getCategory());
+        return new UpdateAttributesProfile(identifier, valueMap);
+
+    }
+
+    @Override
+    public String getDisplayName(Locale locale)
+    {
+        return this.getIdentifier();
+    }
+
+    @Override
+    public ProfileType profileType() {
+        return PROFILE_TYPE;
+    }
+}

src/main/java/password/pwm/http/PwmHttpResponseWrapper.java

@@ -26,6 +26,7 @@
 import password.pwm.PwmConstants;
 import password.pwm.Validator;
 import password.pwm.config.Configuration;
+import password.pwm.config.PwmSetting;
 import password.pwm.util.StringUtil;
 import password.pwm.util.logging.PwmLogger;
 
@@ -35,6 +36,7 @@
 import java.io.IOException;
 import java.io.OutputStream;
 import java.io.PrintWriter;
+import java.net.URI;
 import java.util.Arrays;
 
 public class PwmHttpResponseWrapper {
@@ -44,6 +46,31 @@ public class PwmHttpResponseWrapper {
     private final HttpServletResponse httpServletResponse;
     private final Configuration configuration;
 
+    public enum CookiePath {
+        Application,
+        Private,
+        CurrentURL,
+
+        ;
+
+        String toStringPath(final HttpServletRequest httpServletRequest) {
+            switch (this) {
+                case Application:
+                    return httpServletRequest.getServletContext().getContextPath();
+
+                case Private:
+                    return httpServletRequest.getServletContext().getContextPath() + PwmConstants.URL_PREFIX_PRIVATE;
+
+                case CurrentURL:
+                    return httpServletRequest.getRequestURI();
+
+                default:
+                    throw new IllegalStateException("undefined CookiePath type: " + this);
+            }
+
+        }
+    }
+
     public enum Flag {
         NonHttpOnly,
         BypassSanitation,
@@ -115,14 +142,22 @@ public void writeCookie(
             final String cookieName,
             final String cookieValue,
             final int seconds,
-            final String path,
+            final CookiePath path,
             final Flag... flags
     ) {
-        final boolean secureFlag;
+        boolean secureFlag;
         {
             final String configValue = configuration.readAppProperty(AppProperty.HTTP_COOKIE_DEFAULT_SECURE_FLAG);
             if (configValue == null || "auto".equalsIgnoreCase(configValue)) {
                 secureFlag = this.httpServletRequest.isSecure();
+                if (!secureFlag) {
+                    final String siteURLstring = configuration.readSettingAsString(PwmSetting.PWM_SITE_URL);
+                    if (siteURLstring != null && !siteURLstring.isEmpty()) {
+                        if ("https".equals(URI.create(siteURLstring).getScheme())) {
+                            secureFlag = true;
+                        }
+                    }
+                }
             } else {
                 secureFlag = Boolean.parseBoolean(configValue);
             }
@@ -151,13 +186,12 @@ public void writeCookie(
         }
         theCookie.setHttpOnly(httpOnly);
         theCookie.setSecure(secureFlag);
-        if (path != null) {
-            theCookie.setPath(path);
-        }
+
+        theCookie.setPath(path == null ? CookiePath.CurrentURL.toStringPath(httpServletRequest) : path.toStringPath(httpServletRequest));
         this.getHttpServletResponse().addCookie(theCookie);
     }
 
-    public void removeCookie(final String cookieName, final String path) {
+    public void removeCookie(final String cookieName, final CookiePath path) {
         writeCookie(cookieName, null, 0, path);
     }
 }

src/main/java/password/pwm/http/PwmRequest.java

@@ -25,7 +25,6 @@
 import org.apache.commons.fileupload.FileItemIterator;
 import org.apache.commons.fileupload.FileItemStream;
 import org.apache.commons.fileupload.servlet.ServletFileUpload;
-import password.pwm.AppProperty;
 import password.pwm.PwmApplication;
 import password.pwm.PwmConstants;
 import password.pwm.Validator;
@@ -114,7 +113,6 @@ private PwmRequest(
         this.pwmSession = pwmSession;
         this.pwmApplication = pwmApplication;
         this.cspNonce = PwmRandom.getInstance().alphaNumericString(10);
-        checkRequestInstanceNonce();
     }
 
     public PwmApplication getPwmApplication()
@@ -588,12 +586,4 @@ public String getURLwithoutQueryString() throws PwmUnrecoverableException {
         final HttpServletRequest req = this.getHttpServletRequest();
         return req.getRequestURI();
     }
-
-    private void checkRequestInstanceNonce() {
-        final String cookieName = getConfig().readAppProperty(AppProperty.HTTP_COOKIE_INSTANCE_GUID_NAME);
-        final String cookieValue = readCookie(cookieName);
-        if (cookieValue != null && !cookieValue.equals(getPwmApplication().getInstanceNonce())) {
-            LOGGER.warn(this, "request was generated by client communicating with a foreign server instance");
-        }
-    }
 }

src/main/java/password/pwm/http/PwmResponse.java

@@ -160,13 +160,13 @@ public void outputJsonResult(
     }
 
 
-    public void writeEncryptedCookie(final String cookieName, final Serializable cookieValue, final String path)
+    public void writeEncryptedCookie(final String cookieName, final Serializable cookieValue, final CookiePath path)
             throws PwmUnrecoverableException
     {
-        pwmRequest.getPwmResponse().writeEncryptedCookie(cookieName, cookieValue, -1, path);
+        writeEncryptedCookie(cookieName, cookieValue, -1, path);
     }
 
-    public void writeEncryptedCookie(final String cookieName, final Serializable cookieValue, final int seconds, final String path)
+    public void writeEncryptedCookie(final String cookieName, final Serializable cookieValue, final int seconds, final CookiePath path)
             throws PwmUnrecoverableException
     {
         final String jsonValue = JsonUtil.serialize(cookieValue);