PasswordPolicyState.java revision 90a6ab6c63699343acf3adcd4346bce2f5665bdd
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at legal-notices/CDDLv1_0.txt.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information:
* Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*
*
* Copyright 2006-2010 Sun Microsystems, Inc.
* Portions Copyright 2011-2015 ForgeRock AS
*/
/**
* This class provides a data structure for holding password policy state
* information for a user account.
*/
public final class PasswordPolicyState extends AuthenticationPolicyState
{
/** The string representation of the user's DN. */
private final String userDNString;
/** The password policy with which the account is associated. */
private final PasswordPolicy passwordPolicy;
/** The current time for use in all password policy calculations. */
private final long currentTime;
/** The time that the user's password was last changed. */
/** Indicates whether the user's account is expired. */
/** Indicates whether the user's password is expired. */
/** Indicates whether the warning to send to the client would be the first warning for the user. */
/** Indicates whether the user's account is locked by the idle lockout. */
/**
* Indicates whether the user may use a grace login if the password is expired and there are one
* or more grace logins remaining.
*/
/** Indicates whether the user's password must be changed. */
/** Indicates whether the user should be warned of an upcoming expiration. */
/** The number of seconds until the user's account is automatically unlocked. */
/** The set of authentication failure times for this user. */
/** The set of grace login times for this user. */
/** The time that the user's account should expire (or did expire). */
/** The time that the user's entry was locked due to too many authentication failures. */
/** The time that the user last authenticated to the Directory Server. */
/** The time that the user's password should expire (or did expire). */
/** The last required change time with which the user complied. */
/** The time that the user was first warned about an upcoming expiration. */
/** The set of modifications that should be applied to the user's entry. */
/**
* Creates a new password policy state object with the provided information.
* <p>
* Note that this version of the constructor should only be used for testing purposes when the tests should be
* evaluated with a fixed time rather than the actual current time. For all other purposes, the other constructor
* should be used.
* </p>
*
* @param policy The password policy associated with the state.
* @param userEntry The entry with the user account.
* @param currentTime The time to use as the current time for all time-related determinations.
*/
{
super(userEntry);
this.currentTime = currentTime;
this.passwordPolicy = policy;
}
/**
* Retrieves the value of the specified attribute as a string.
*
* @param attributeType The attribute type whose value should be retrieved.
*
* @return The value of the specified attribute as a string, or <CODE>null</CODE> if there is no such value.
*/
{
if (stringValue == null)
{
if (logger.isTraceEnabled())
{
}
}
else
{
if (logger.isTraceEnabled())
{
}
}
return stringValue;
}
{
{
{
if (!a.isEmpty())
{
return a;
}
}
}
return null;
}
/**
* Retrieves the set of values of the specified attribute from the user's entry in generalized time format.
*
* @param attributeType The attribute type whose values should be parsed as generalized time values.
*
* @return The set of generalized time values, or an empty list if there are none.
*
* @throws DirectoryException If a problem occurs while attempting to decode a value as a generalized time.
*/
throws DirectoryException
{
{
{
for (ByteString v : a)
{
try
{
}
catch (Exception e)
{
e);
}
}
}
}
if (timeValues.isEmpty())
{
}
return timeValues;
}
/**
* Get the password storage scheme used by a given password value.
*
* @param v The encoded password value to check.
*
* @return The scheme used by the password.
*
* @throws DirectoryException If the password could not be decoded.
*/
throws DirectoryException
{
{
}
else
{
}
}
/** {@inheritDoc} */
public PasswordPolicy getAuthenticationPolicy()
{
return passwordPolicy;
}
/**
* Retrieves the time that the password was last changed.
*
* @return The time that the password was last changed.
*/
public long getPasswordChangedTime()
{
if (passwordChangedTime < 0)
{
// Get the password changed time for the user.
try
{
}
catch (DirectoryException e)
{
/*
* The password change time could not be parsed (but has been logged in the debug log).
* The best effort we can do from here is to a) use the current time, b) use the start
* of the epoch (1/1/1970), or c) use the create time stamp. Lets treat this problem as if the change time
* attribute did not exist and resort to the create time stamp.
*/
}
if (passwordChangedTime < 0)
{
// Get the time that the user's account was created.
try
{
}
catch (DirectoryException e)
{
/*
* The create time stamp could not be parsed (but has been logged in the debug log).
* The best effort we can do from here is to a) use the current time, or b) use the start of
* the epoch (1/1/1970). Lets treat this problem as if the change time attribute did not exist
* and use the start of the epoch. Doing so stands a greater chance of forcing a password change.
*/
}
if (passwordChangedTime < 0)
{
passwordChangedTime = 0;
if (logger.isTraceEnabled())
{
}
}
}
}
return passwordChangedTime;
}
/**
* Retrieves the time that this password policy state object was created.
*
* @return The time that this password policy state object was created.
*/
public long getCurrentTime()
{
return currentTime;
}
/**
* Retrieves the unmodifiable set of values for the password attribute from the user entry.
*
* @return The unmodifiable set of values for the password attribute from the user entry.
*/
{
{
{
}
}
return Collections.emptySet();
}
/**
* Sets a new value for the password changed time equal to the current time.
*/
public void setPasswordChangedTime()
{
}
/**
* Sets a new value for the password changed time equal to the specified time.
* This method should generally only be used for testing purposes, since the variant that uses
* the current time is preferred almost everywhere else.
*
* @param passwordChangedTime The time to use
*/
public void setPasswordChangedTime(long passwordChangedTime)
{
if (logger.isTraceEnabled())
{
logger.trace("Setting password changed time for user %s to current time of %d", userDNString, currentTime);
}
// passwordChangedTime is computed in the constructor from values in the entry.
if (getPasswordChangedTime() != passwordChangedTime)
{
}
}
/**
* Removes the password changed time value from the user's entry. This should only be used for testing
* purposes, as it can really mess things up if you don't know what you're doing.
*/
public void clearPasswordChangedTime()
{
if (logger.isTraceEnabled())
{
}
// Fall back to using the entry creation time as the password changed time, if it's defined.
// Otherwise, use a value of zero.
try
{
if (passwordChangedTime < 0)
{
passwordChangedTime = 0;
}
}
catch (Exception e)
{
passwordChangedTime = 0;
}
}
/**
* Updates the user entry to indicate whether user account has been administratively disabled.
*
* @param isDisabled
* Indicates whether the user account has been administratively disabled.
*/
public void setDisabled(boolean isDisabled)
{
if (logger.isTraceEnabled())
{
}
if (isDisabled == isDisabled())
{
return; // requested state matches current state
}
if (isDisabled)
{
}
else
{
// erase
}
}
/**
* Indicates whether the user's account is currently expired.
*
* @return <CODE>true</CODE> if the user's account is expired, or <CODE>false</CODE> if not.
*/
public boolean isAccountExpired()
{
{
if (logger.isTraceEnabled())
{
}
}
try {
}
catch (Exception e)
{
logger.traceException(e, "User %s is considered to have an expired account because an error occurred " +
"while attempting to make the determination.", userDNString);
return true;
}
if (accountExpirationTime > currentTime)
{
// The user does have an expiration time, but it hasn't arrived yet.
logger.trace("The account for user %s is not expired because the expiration time has not yet arrived.",
}
else if (accountExpirationTime >= 0)
{
// The user does have an expiration time, and it is in the past.
logger.trace("The account for user %s is expired because the expiration time in that account has passed.",
}
else
{
// The user doesn't have an expiration time in their entry, so it can't be expired.
logger.trace("The account for user %s is not expired because there is no expiration time in the user's entry.",
}
}
/**
* Retrieves the time at which the user's account will expire.
*
* @return The time at which the user's account will expire, or -1 if it is not configured with an expiration time.
*/
public long getAccountExpirationTime()
{
{
}
return accountExpirationTime;
}
/**
* Sets the user's account expiration time to the specified value.
*
* @param accountExpirationTime The time that the user's account should expire.
*/
public void setAccountExpirationTime(long accountExpirationTime)
{
if (accountExpirationTime < 0)
{
}
else
{
if (logger.isTraceEnabled())
{
}
}
}
/**
* Clears the user's account expiration time.
*/
public void clearAccountExpirationTime()
{
if (logger.isTraceEnabled())
{
}
accountExpirationTime = -1;
}
/**
* Retrieves the set of times of failed authentication attempts for the user. If authentication failure
* time expiration is enabled, and there are expired times in the entry, these times are removed
* from the instance field and an update is provided to delete those values from the entry.
*
* @return The set of times of failed authentication attempts for the user, which will be an empty list
* in the case of no valid (unexpired) times in the entry.
*/
{
if (authFailureTimes != null)
{
if (logger.isTraceEnabled())
{
}
return authFailureTimes;
}
{
}
try
{
}
catch (Exception e)
{
authFailureTimes = new ArrayList<>();
return authFailureTimes;
}
if (authFailureTimes.isEmpty())
{
if (logger.isTraceEnabled())
{
" is absent from the entry.", userDNString);
}
return authFailureTimes;
}
// Remove any expired failures from the list.
{
{
if (l < expirationTime)
{
if (logger.isTraceEnabled())
{
}
if (valuesToRemove == null)
{
valuesToRemove = new LinkedHashSet<>();
}
}
}
if (valuesToRemove != null)
{
}
}
if (logger.isTraceEnabled())
{
}
return authFailureTimes;
}
/**
* Updates the set of authentication failure times to include the current time.
* If the number of failures reaches the policy configuration limit, lock the account.
*/
public void updateAuthFailureTimes()
{
{
return;
}
if (logger.isTraceEnabled())
{
}
// Note: failureTimes == this.authFailureTimes
long highestFailureTime = -1;
for (Long l : failureTimes)
{
}
if (highestFailureTime >= currentTime)
{
}
else
{
}
// Update the current policy state
// And the attribute in the user entry
{
}
// Now check to see if there have been sufficient failures to lock the account.
{
if (logger.isTraceEnabled())
{
}
}
}
/**
* Explicitly specifies the auth failure times for the associated user. This should generally only be used
* for testing purposes. Note that it will also set or clear the locked time as appropriate.
*
* @param authFailureTimes The set of auth failure times to use for the account. An empty list or
* {@code null} will clear the account of any existing failures.
*/
{
{
return;
}
this.authFailureTimes = authFailureTimes;
long highestFailureTime = -1;
for (Long l : authFailureTimes)
{
}
// Now check to see if there have been sufficient failures to lock the account.
{
if (logger.isTraceEnabled())
{
}
}
}
/**
* Updates the user entry to remove any record of previous authentication failure times.
*/
private void clearAuthFailureTimes()
{
if (logger.isTraceEnabled())
{
}
if (failureTimes.isEmpty())
{
return;
}
{
}
}
/**
* Retrieves the time of an authentication failure lockout for the user.
*
* @return The time of an authentication failure lockout for the user, or -1 if no such time is present in the entry.
*/
private long getFailureLockedTime()
{
{
return failureLockedTime;
}
{
}
try
{
}
catch (Exception e)
{
logger.traceException(e, "Returning current time for user %s because an error occurred", userDNString);
return failureLockedTime;
}
// An expired locked time is handled in lockedDueToFailures.
return failureLockedTime;
}
/**
Sets the failure lockout attribute in the entry to the requested time.
@param time The time to which to set the entry's failure lockout attribute.
*/
private void setFailureLockedTime(final long time)
{
if (time == getFailureLockedTime())
{
return;
}
{
}
}
/**
* Updates the user entry to remove any record of previous authentication failure lockout.
*/
private void clearFailureLockedTime()
{
if (logger.isTraceEnabled())
{
}
if (-1L == getFailureLockedTime())
{
return;
}
failureLockedTime = -1L;
{
}
}
/**
* Indicates whether the associated user should be considered locked out as a result of too many
* authentication failures. In the case of an expired lock-out, this routine produces the update
* to clear the lock-out attribute and the authentication failure timestamps.
* In case the failure lockout time is absent from the entry, but sufficient authentication failure
* timestamps are present in the entry, this routine produces the update to set the lock-out attribute.
*
* @return <CODE>true</CODE> if the user is currently locked out due to too many authentication failures,
* or <CODE>false</CODE> if not.
*/
public boolean lockedDueToFailures()
{
// FIXME: Introduce a state field to cache the computed value of this method.
// Note that only a cached "locked" status can be returned due to the possibility of intervening updates to
// this.failureLockedTime by updateAuthFailureTimes.
// Check if the feature is enabled in the policy.
if (maxFailures <= 0)
{
if (logger.isTraceEnabled())
{
logger.trace("Returning false for user %s because lockout due to failures is not enabled.", userDNString);
}
return false;
}
// Get the locked time from the user's entry. If it is present and not expired, the account is locked.
// If it is absent, the failure timestamps must be checked, since failure timestamps sufficient to lock the
// account could be produced across the synchronization topology within the synchronization latency.
// Also, note that IETF draft-behera-ldap-password-policy-09 specifies "19700101000000Z" as the value to be set
// under a "locked until reset" regime; however, this implementation accepts the value as a locked entry,
// but observes the lockout expiration policy for all values including this one.
// FIXME: This "getter" is unusual in that it might produce an update to the entry in two cases.
// Does it make sense to factor the methods so that, e.g., an expired lockout is reported, and clearing
// the lockout is left to the caller?
if (getFailureLockedTime() < 0L)
{
// There was no locked time present in the entry; however, sufficient failure times might have accumulated
// to trigger a lockout.
{
if (logger.isTraceEnabled())
{
}
return false;
}
// The account isn't locked but should be, so do so now.
if (logger.isTraceEnabled())
{
" no account locked time.", userDNString);
}
// Fall through...
}
// There is a failure locked time, but it may be expired.
{
if (unlockTime > currentTime)
{
if (logger.isTraceEnabled())
{
logger.trace("Returning true for user %s because there is a locked time and the lockout duration has" +
" not been reached.", userDNString);
}
return true;
}
// The lockout in the entry has expired...
if (logger.isTraceEnabled())
{
logger.trace("Returning false for user %s because the existing lockout has expired.", userDNString);
}
assert -1L == getFailureLockedTime();
return false;
}
if (logger.isTraceEnabled())
{
logger.trace("Returning true for user %s because there is a locked time and no lockout duration.", userDNString);
}
assert -1L <= getFailureLockedTime();
return true;
}
/**
* Retrieves the length of time in seconds until the user's account is automatically unlocked.
* This should only be called after calling <CODE>lockedDueToFailures</CODE>.
*
* @return The length of time in seconds until the user's account is automatically unlocked, or -1 if the account
* is not locked or the lockout requires administrative action to clear.
*/
public int getSecondsUntilUnlock()
{
// secondsUntilUnlock is only set when failureLockedTime is present and PasswordPolicy.getLockoutDuration
// is enabled; hence it is not unreasonable to find secondsUntilUnlock uninitialized.
}
/**
* Updates the user account to remove any record of a previous lockout due to failed authentications.
*/
public void clearFailureLockout()
{
}
/**
* Retrieves the time that the user last authenticated to the Directory Server.
*
* @return The time that the user last authenticated to the Directory Server, or -1 if it cannot be determined.
*/
public long getLastLoginTime()
{
{
if (logger.isTraceEnabled())
{
}
return lastLoginTime;
}
// The policy configuration must be checked since the entry cannot be evaluated without both an attribute
// name and timestamp format.
{
lastLoginTime = -1;
if (logger.isTraceEnabled())
{
logger.trace("Returning -1 for user %s because no last login time will be maintained.", userDNString);
}
return lastLoginTime;
}
lastLoginTime = -1;
{
{
if (a.isEmpty())
{
continue;
}
try
{
if (logger.isTraceEnabled())
{
logger.trace("Returning last login time of %d for user %s, decoded using current last login time format.",
}
return lastLoginTime;
}
catch (Exception e)
{
logger.traceException(e);
// This could mean that the last login time was encoded using a previous format.
{
try
{
if (logger.isTraceEnabled())
{
logger.trace("Returning last login time of %d for user %s decoded using previous last login time " +
}
return lastLoginTime;
}
{
logger.traceException(e);
}
}
assert lastLoginTime == -1;
if (logger.isTraceEnabled())
{
}
return lastLoginTime;
}
}
}
assert lastLoginTime == -1;
if (logger.isTraceEnabled())
{
logger.trace("Returning %d for user %s because no last login time value exists.", lastLoginTime, userDNString);
}
return lastLoginTime;
}
{
if (isGeneralizedTime)
{
}
}
/**
* Updates the user entry to set the current time as the last login time.
*/
public void setLastLoginTime()
{
}
/**
* Updates the user entry to use the specified last login time. This should be used primarily for testing purposes,
* as the variant that uses the current time should be used most of the time.
*
* @param lastLoginTime The last login time to set in the user entry.
*/
public void setLastLoginTime(long lastLoginTime)
{
{
return;
}
try
{
// If the attribute has a Generalized Time syntax, make it UTC time.
{
}
}
catch (Exception e)
{
logger.traceException(e, "Unable to set last login time for user %s because an error occurred", userDNString);
return;
}
{
logger.trace("Not updating last login time for user %s because the new value matches the existing value.",
return;
}
}
/**
* Clears the last login time from the user's entry. This should generally be used only for testing purposes.
*/
public void clearLastLoginTime()
{
if (logger.isTraceEnabled())
{
}
lastLoginTime = -1;
}
/**
* Indicates whether the user's account is currently locked because it has been idle for too long.
*
* @return <CODE>true</CODE> if the user's account is locked because it has been idle for too long,
* or <CODE>false</CODE> if not.
*/
public boolean lockedDueToIdleInterval()
{
{
if (logger.isTraceEnabled())
{
logger.trace("Returning stored result of %b for user %s", isIdleLocked == ConditionResult.TRUE, userDNString);
}
}
// Return immediately if this feature is disabled, since the feature is not responsible for any state attribute
// in the entry.
{
if (logger.isTraceEnabled())
{
logger.trace("Returning false for user %s because no idle lockout interval is defined.", userDNString);
}
return false;
}
if (lockTime < 0)
{
lockTime = 0;
}
long theLastLoginTime = getLastLoginTime();
{
if (logger.isTraceEnabled())
{
if(theLastLoginTime > lockTime)
{
}
else
{
if(theLastLoginTime < 0)
{
}
}
}
}
else
{
if (logger.isTraceEnabled())
{
? "there is no last login time and the password changed time is not in an acceptable window"
: "neither last login time nor password changed time are in an acceptable window";
}
}
}
/**
* Indicates whether the user's password must be changed before any other operation can be performed.
*
* @return <CODE>true</CODE> if the user's password must be changed before any other operation can be performed.
*/
public boolean mustChangePassword()
{
{
if (logger.isTraceEnabled())
{
}
}
// If the password policy doesn't use force change on add or force change on reset, or if it forbids the user
// from changing his password, then return false.
// FIXME: the only getter responsible for a state attribute (pwdReset) that considers the policy before
// checking the entry for the presence of the attribute.
{
if (logger.isTraceEnabled())
{
logger.trace("Returning false for user %s because neither force change on add nor force change on reset" +
" is enabled, or users are not allowed to self-modify passwords.", userDNString);
}
return false;
}
{
}
try
{
}
catch (Exception e)
{
return true;
}
{
false, userDNString, OP_ATTR_PWPOLICY_RESET_REQUIRED);
return false;
}
return result;
}
/**
* Updates the user entry to indicate whether the user's password must be changed.
*
* @param mustChangePassword Indicates whether the user's password must be changed.
*/
public void setMustChangePassword(boolean mustChangePassword)
{
if (logger.isTraceEnabled())
{
}
if (mustChangePassword == mustChangePassword())
{
return; // requested state matches current state
}
{
}
if (mustChangePassword)
{
}
else
{
}
}
/**
* Indicates whether the user's account is locked because the password has been reset by an administrator
* but the user did not change the password in a timely manner.
*
* @return <CODE>true</CODE> if the user's account is locked because of the maximum reset age,
* or <CODE>false</CODE> if not.
*/
public boolean lockedDueToMaximumResetAge()
{
// This feature is responsible for neither a state field nor an entry state attribute.
{
if (logger.isTraceEnabled())
{
}
return false;
}
if (! mustChangePassword())
{
if (logger.isTraceEnabled())
{
logger.trace("Returning false for user %s because the user's password has not been reset.", userDNString);
}
return false;
}
if (logger.isTraceEnabled())
{
logger.trace("Returning %b for user %s after comparing the current and max reset times.", locked, userDNString);
}
return locked;
}
/**
* Retrieves the time that the user's password should expire (if the expiration is in the future) or
* did expire (if the expiration was in the past). Note that this method should be called after the
* <CODE>lockedDueToMaximumResetAge</CODE> method because grace logins will not be allowed in the case
* that the maximum reset age has passed whereas they may be used for expiration due to maximum password
* age or forced change time.
*
*/
public long getPasswordExpirationTime()
{
{
boolean checkWarning = false;
if (maxAge > 0L)
{
if (expTime < passwordExpirationTime)
{
checkWarning = true;
}
}
{
if (expTime < passwordExpirationTime)
{
checkWarning = false;
}
}
if (mustChangeTime > 0)
{
long reqChangeTime = getRequiredChangeTime();
{
checkWarning = true;
}
}
{
passwordExpirationTime = -1;
}
else if (checkWarning)
{
if (warningInterval > 0L)
{
if (shouldWarnTime > currentTime)
{
// The warning time is in the future, so we know the password isn't expired.
}
else
{
// We're at least in the warning period, but the password may be expired.
long theWarnedTime = getWarnedTime();
{
// The password is not expired but we should warn the user.
if (theWarnedTime < 0)
{
{
}
}
else
{
{
}
}
}
else
{
// The expiration time has passed, but we may not actually be expired if the user has not
// yet seen a warning.
{
}
else if (theWarnedTime > 0)
{
{
}
else
{
}
}
else
{
}
}
}
}
else
{
// There will never be a warning, and the user's password may be expired.
{
}
else
{
}
}
}
else
{
{
}
else
{
}
}
}
if (logger.isTraceEnabled())
{
logger.trace("Returning password expiration time of %d for user %s.", passwordExpirationTime, userDNString);
}
return passwordExpirationTime;
}
/**
* Indicates whether the user's password is currently expired.
*
* @return <CODE>true</CODE> if the user's password is currently expired, or <CODE>false</CODE> if not.
*/
public boolean isPasswordExpired()
{
}
{
{
}
}
/**
* Indicates whether the user's last password change was within the minimum password age.
*
* @return <CODE>true</CODE> if the password minimum age is nonzero, the account is not in force-change mode,
* and the last password change was within the minimum age, or <CODE>false</CODE> otherwise.
*/
public boolean isWithinMinimumAge()
{
// This feature is responsible for neither a state field nor entry state attribute.
if (minAge <= 0L)
{
// There is no minimum age, so the user isn't in it.
if (logger.isTraceEnabled())
{
}
return false;
}
{
// It's been long enough since the user changed their password.
if (logger.isTraceEnabled())
{
}
return false;
}
else if (mustChangePassword())
{
// The user is in a must-change mode, so the minimum age doesn't apply.
if (logger.isTraceEnabled())
{
}
return false;
}
else
{
// The user is within the minimum age.
if (logger.isTraceEnabled())
{
}
return true;
}
}
/**
* Indicates whether the user may use a grace login if the password is expired and there is at least one
* grace login remaining. Note that this does not check to see if the user's password is expired, does not
* verify that there are any remaining grace logins, and does not update the set of grace login times.
*
* @return <CODE>true</CODE> if the user may use a grace login if the password is expired and there is
* at least one grace login remaining, or <CODE>false</CODE> if the user may not use a grace
* login for some reason.
*/
public boolean mayUseGraceLogin()
{
}
/**
* Indicates whether the user should receive a warning notification that the password is about to expire.
*
* @return <CODE>true</CODE> if the user should receive a warning notification that the password is about to expire,
* or <CODE>false</CODE> if not.
*/
public boolean shouldWarn()
{
}
/**
* Indicates whether the warning that the user should receive would be the first warning for the user.
*
* @return <CODE>true</CODE> if the warning that should be sent to the user would be the first warning,
* or <CODE>false</CODE> if not.
*/
public boolean isFirstWarning()
{
}
/**
* Retrieves the length of time in seconds until the user's password expires.
*
* @return The length of time in seconds until the user's password expires,
* 0 if the password is currently expired, or -1 if the password should not expire.
*/
public int getSecondsUntilExpiration()
{
long expirationTime = getPasswordExpirationTime();
if (expirationTime < 0)
{
return -1;
}
else if (expirationTime < currentTime)
{
return 0;
}
else
{
}
}
/**
* Retrieves the timestamp for the last required change time that the user complied with.
*
* @return The timestamp for the last required change time that the user complied with,
* or -1 if the user's password has not been changed in compliance with this configuration.
*/
public long getRequiredChangeTime()
{
{
if (logger.isTraceEnabled())
{
logger.trace("Returning stored required change time of %d for user %s", requiredChangeTime, userDNString);
}
return requiredChangeTime;
}
AttributeType type = DirectoryServer.getAttributeType(OP_ATTR_PWPOLICY_CHANGED_BY_REQUIRED_TIME, true);
try
{
}
catch (Exception e)
{
logger.traceException(e, "Returning %d for user %s because an error occurred", requiredChangeTime, userDNString);
requiredChangeTime = -1;
return requiredChangeTime;
}
return requiredChangeTime;
}
/**
* Updates the user entry with a timestamp indicating that the password has been changed in accordance
* with the require change time.
*/
public void setRequiredChangeTime()
{
if (requiredChangeByTimePolicy > 0)
{
}
}
/**
* Updates the user entry with a timestamp indicating that the password has been changed in accordance
* with the require change time.
*
* @param requiredChangeTime The timestamp to use for the required change time value.
*/
public void setRequiredChangeTime(long requiredChangeTime)
{
if (logger.isTraceEnabled())
{
}
if (getRequiredChangeTime() != requiredChangeTime)
{
this.requiredChangeTime = requiredChangeTime;
AttributeType type = DirectoryServer.getAttributeType(OP_ATTR_PWPOLICY_CHANGED_BY_REQUIRED_TIME, true);
}
}
/**
* Updates the user entry to remove any timestamp indicating that the password has been changed in accordance
* with the required change time.
*/
public void clearRequiredChangeTime()
{
if (logger.isTraceEnabled())
{
}
AttributeType type = DirectoryServer.getAttributeType(OP_ATTR_PWPOLICY_CHANGED_BY_REQUIRED_TIME, true);
}
/**
* Retrieves the time that the user was first warned about an upcoming expiration.
*
* @return The time that the user was first warned about an upcoming expiration, or -1 if the user has
* not been warned.
*/
public long getWarnedTime()
{
{
try
{
}
catch (Exception e)
{
warnedTime = -1;
}
}
return warnedTime;
}
/**
* Updates the user entry to set the warned time to the current time.
*/
public void setWarnedTime()
{
}
/**
* Updates the user entry to set the warned time to the specified time. This method should generally
* only be used for testing purposes, since the variant that uses the current time is preferred almost
* everywhere else.
*
* @param warnedTime The value to use for the warned time.
*/
public void setWarnedTime(long warnedTime)
{
long warnTime = getWarnedTime();
if (warnTime == warnedTime)
{
if (logger.isTraceEnabled())
{
logger.trace("Not updating warned time for user %s because the warned time is the same as the specified time.",
}
return;
}
this.warnedTime = warnedTime;
Attribute a = Attributes.create(type, GeneralizedTimeSyntax.createGeneralizedTimeValue(currentTime));
if (logger.isTraceEnabled())
{
}
}
/**
* Updates the user entry to clear the warned time.
*/
public void clearWarnedTime()
{
if (logger.isTraceEnabled())
{
}
if (getWarnedTime() < 0)
{
return;
}
warnedTime = -1;
if (logger.isTraceEnabled())
{
}
}
/**
* Retrieves the times that the user has authenticated to the server using a grace login.
*
* @return The times that the user has authenticated to the server using a grace login.
*/
{
if (graceLoginTimes == null)
{
{
}
try
{
}
catch (Exception e)
{
graceLoginTimes = new ArrayList<>();
}
}
return graceLoginTimes;
}
/**
* Retrieves the number of grace logins that the user has left.
*
* @return The number of grace logins that the user has left, or -1 if grace logins are not allowed.
*/
public int getGraceLoginsRemaining()
{
if (maxGraceLogins <= 0)
{
return -1;
}
}
/**
* Updates the set of grace login times for the user to include the current time.
*/
public void updateGraceLoginTimes()
{
if (logger.isTraceEnabled())
{
}
long highestGraceTime = -1;
for (Long l : graceTimes)
{
}
if (highestGraceTime >= currentTime)
{
}
else
{
}
{
}
}
/**
* Specifies the set of grace login use times for the associated user. If the provided list is empty
* or {@code null}, then the set will be cleared.
*
* @param graceLoginTimes The grace login use times for the associated user.
*/
{
{
return;
}
if (logger.isTraceEnabled())
{
}
this.graceLoginTimes = graceLoginTimes;
for (Long l : graceLoginTimes)
{
}
}
/**
* Updates the user entry to remove any record of previous grace logins.
*/
public void clearGraceLoginTimes()
{
if (logger.isTraceEnabled())
{
}
if (graceTimes.isEmpty())
{
return;
}
{
}
}
/**
* Retrieves a list of the clear-text passwords for the user. If the user does not have any passwords
* in the clear, then the list will be empty.
*
* @return A list of the clear-text passwords for the user.
*/
{
{
return clearPasswords;
}
{
for (ByteString v : a)
{
try
{
{
if (logger.isTraceEnabled())
{
}
continue;
}
if (scheme.isReversible())
{
}
}
catch (Exception e)
{
logger.traceException(e);
if (logger.isTraceEnabled())
{
}
}
}
}
return clearPasswords;
}
/** {@inheritDoc} */
{
{
if (logger.isTraceEnabled())
{
}
return false;
}
{
for (ByteString v : a)
{
try
{
{
if (logger.isTraceEnabled())
{
}
continue;
}
boolean passwordMatches = usesAuthPasswordSyntax
if (passwordMatches)
{
if (logger.isTraceEnabled())
{
}
return true;
}
}
catch (Exception e)
{
logger.traceException(e, "An error occurred while attempting to process a password value for user %s",
}
}
}
// If we've gotten here, then we couldn't find a match.
logger.trace("Returning false because the provided password does not match any of the stored password " +
"values for user %s", userDNString);
return false;
}
/**
* Get the broken-down components of the given password value.
*
* @param usesAuthPasswordSyntax true if the value is an authPassword.
* @param v The encoded password value to break down.
*
* @return An array of components.
*/
private StringBuilder[] getPwComponents(boolean usesAuthPasswordSyntax, ByteString v) throws DirectoryException
{
{
}
{
}
return pwComponents;
}
/**
* Indicates whether the provided password value is pre-encoded.
*
* @param passwordValue The value for which to make the determination.
*
* @return <CODE>true</CODE> if the provided password value is pre-encoded, or <CODE>false</CODE> if it is not.
*/
{
{
}
else
{
}
}
/**
* Encodes the provided password using the default storage schemes (using the appropriate syntax for the
* password attribute).
*
* @param password The password to be encoded.
*
* @return The password encoded using the default schemes.
*
* @throws DirectoryException If a problem occurs while attempting to encode the password.
*/
throws DirectoryException
{
{
for (PasswordStorageScheme<?> s : schemes)
{
}
}
else
{
for (PasswordStorageScheme<?> s : schemes)
{
}
}
return encodedPasswords;
}
/**
* Indicates whether the provided password appears to be acceptable according to the password validators.
*
* @param operation The operation that provided the password.
* @param userEntry The user entry in which the password is used.
* @param newPassword The password to be validated.
* @param currentPasswords The set of clear-text current passwords for the user (this may be a subset
* if not all of them are available in the clear, or empty if none of them
* are available in the clear).
* @param invalidReason A buffer that may be used to hold the invalid reason if the password is rejected.
*
* @return <CODE>true</CODE> if the password is acceptable for use, or <CODE>false</CODE> if it is not.
*/
{
{
if (!validator.passwordIsAcceptable(newPassword, currentPasswords, operation, userEntry, invalidReason))
{
if (logger.isTraceEnabled())
{
logger.trace("The password provided for user %s failed validation: %s", userDNString, invalidReason);
}
return false;
}
}
return true;
}
/**
* Performs any processing that may be necessary to remove deprecated storage schemes from the user's entry
* that match the provided password and re-encodes them using the default schemes.
*
* @param password The clear-text password provided by the user.
*/
{
{
if (logger.isTraceEnabled())
{
}
return;
}
{
if (logger.isTraceEnabled())
{
}
return;
}
{
for (ByteString v : a) {
try {
if (logger.isTraceEnabled()) {
}
continue;
}
boolean passwordMatches = usesAuthPasswordSyntax
if (passwordMatches) {
updatedValues.add(v);
if (logger.isTraceEnabled()) {
}
removedValues.add(v);
} else {
updatedValues.add(v);
}
}
} catch (Exception e) {
logger.traceException(e, "Skipping password value for user %s because an error occurred while attempting " +
"to decode it based on the user password syntax", userDNString);
}
}
}
if (removedValues.isEmpty())
{
logger.trace("User entry %s does not have any password values encoded using deprecated schemes.", userDNString);
return;
}
{
{
try
{
}
catch (Exception e)
{
logger.traceException(e);
if (logger.isTraceEnabled())
{
userDNString, s.getStorageSchemeName());
}
}
}
}
if (updatedValues.isEmpty())
{
"Not updating user entry %s because removing deprecated schemes would leave the user without a password.",
return;
}
if (! addedValues.isEmpty())
{
}
if (logger.isTraceEnabled())
{
"with values encoded with the default schemes.", userDNString);
}
}
/**
* Indicates whether password history information should be maintained for this user.
*
* @return {@code true} if password history information should be maintained for this user, or {@code false} if not.
*/
public boolean maintainHistory()
{
}
/**
* Indicates whether the provided password is equal to any of the current passwords,
* or any of the passwords in the history.
*
* @param password The password for which to make the determination.
*
* @return {@code true} if the provided password is equal to any of the current passwords or any of the passwords
* in the history, or {@code false} if not.
*/
{
if (! maintainHistory())
{
if (logger.isTraceEnabled())
{
}
return false;
}
// Check to see if the provided password is equal to any of the current passwords.
// If so, then we'll consider it to be in the history.
if (passwordMatches(password))
{
if (logger.isTraceEnabled())
{
}
return true;
}
// Get the attribute containing the history and check to see if any of the values is equal to the provided password.
// However, first prune the list by size and duration if necessary.
{
{
numToDelete--;
}
}
if (historyDuration > 0L)
{
{
if (historyDate < retainDate)
{
}
else
{
break;
}
}
}
{
if (historyValueMatches(password, v))
{
if (logger.isTraceEnabled())
{
}
return true;
}
}
// If we've gotten here, then the password isn't in the history.
if (logger.isTraceEnabled())
{
}
return false;
}
/**
* Gets a sorted list of the password history values contained in the user's entry.
* The values will be sorted by timestamp.
*
* @param removeAttrs A list into which any values will be placed that could not be properly decoded.
* It may be {@code null} if this is not needed.
*/
{
{
{
for (ByteString v : a)
{
if (hashPos <= 0)
{
if (logger.isTraceEnabled())
{
logger.trace("Found value " + histStr + " in the history with no timestamp. Marking it for removal.");
}
if (removeAttrs != null)
{
}
}
else
{
try
{
long timestamp =
GeneralizedTimeSyntax.decodeGeneralizedTimeValue(ByteString.valueOf(histStr.substring(0, hashPos)));
}
catch (Exception e)
{
if (logger.isTraceEnabled())
{
logger.traceException(e);
". Marking it for removal.");
}
if (removeAttrs != null)
{
}
}
}
}
}
}
return historyMap;
}
/**
* Indicates whether the provided password matches the given history value.
*
* @param password The clear-text password for which to make the determination.
* @param historyValue The encoded history value to compare against the clear-text password.
*
* @return {@code true} if the provided password matches the history value, or {@code false} if not.
*/
// According to draft-behera-ldap-password-policy, password history values should be in the format
// time#syntaxoid#encodedvalue. In this method, we only care about the syntax OID and encoded password.
try
{
if (hashPos1 <= 0)
{
if (logger.isTraceEnabled())
{
logger.trace("Returning false because the password history value didn't include any hash characters.");
}
return false;
}
if (hashPos2 < 0)
{
if (logger.isTraceEnabled())
{
}
return false;
}
{
}
{
}
else
{
if (logger.isTraceEnabled())
{
" didn't match for either the auth or user password syntax.");
}
return false;
}
}
catch (Exception e)
{
if (logger.isTraceEnabled())
{
logger.traceException(e);
if (logger.isTraceEnabled())
{
}
}
return false;
}
}
private boolean encodedAuthPasswordMatches(ByteString password, String encodedAuthPassword) throws DirectoryException
{
PasswordStorageScheme<?> scheme = DirectoryServer.getAuthPasswordStorageScheme(authPWComponents[0].toString());
return scheme.authPasswordMatches(password, authPWComponents[1].toString(), authPWComponents[2].toString());
}
private boolean encodedUserPasswordMatches(ByteString password, String encodedUserPassword) throws DirectoryException
{
}
{
if (passwordMatches)
{
return true;
}
else
{
return false;
}
}
/**
* Updates the password history information for this user by adding one of the passwords to it.
* It will choose the first password encoded using a secure storage scheme, and will fall back to
* a password encoded using an insecure storage scheme if necessary.
*/
public void updatePasswordHistory()
{
{
{
for (ByteString v : a)
{
try
{
if (scheme.isStorageSchemeSecure())
{
addPasswordToHistory(v.toString());
// no need to check any more values for this attribute
break;
}
else if (insecurePassword == null)
{
insecurePassword = v;
}
}
catch (DirectoryException e)
{
if (logger.isTraceEnabled())
{
}
}
}
// If we get here we haven't found a password encoded securely, so we have to use one of the other values.
if (insecurePassword != null)
{
}
}
}
}
/**
* Adds the provided password to the password history. If appropriate, one or more old passwords may be
* evicted from the list if the total size would exceed the configured count, or if passwords are older
* than the configured duration.
*
* @param encodedPassword The encoded password (in either user password or auth password format)
* to be added to the history.
*/
{
if (! maintainHistory())
{
if (logger.isTraceEnabled())
{
}
return;
}
// Get a sorted list of the existing values to see if there are any that should be removed.
// If there is a maximum number of values to retain and we would be over the limit with the new value,
// then get rid of enough values (oldest first) to satisfy the count.
{
{
removeValues.add(v);
numToDelete--;
if (logger.isTraceEnabled())
{
}
}
if (! removeValues.isEmpty())
{
}
}
// If there is a maximum duration, then get rid of any values that would be over the duration.
if (historyDuration > 0L)
{
{
if (timestamp < minAgeToKeep)
{
removeValues.add(v);
if (logger.isTraceEnabled())
{
}
}
else
{
break;
}
}
if (! removeValues.isEmpty())
{
}
}
// At this point, we can add the new value. However, we want to make sure that its timestamp
// (which is the current time) doesn't conflict with any value already in the list. If there is a conflict,
// then simply add one to it until we don't have any more conflicts.
long newTimestamp = currentTime;
{
newTimestamp++;
}
if (logger.isTraceEnabled())
{
}
// Apply the changes, either by adding modifications or by directly updating the entry.
for (Attribute a : removeAttrs)
{
}
}
/**
* Retrieves the password history state values for the user. This is only intended for testing purposes.
*
* @return The password history state values for the user.
*/
public String[] getPasswordHistoryValues()
{
{
{
for (ByteString v : a)
{
}
}
}
}
/**
* Clears the password history state information for the user. This is only intended for testing purposes.
*/
public void clearPasswordHistory()
{
if (logger.isTraceEnabled())
{
}
}
/**
* Generates a new password for the user.
*
* @return The new password that has been generated, or <CODE>null</CODE> if no password generator has been defined.
*
* @throws DirectoryException If an error occurs while attempting to generate the new password.
*/
public ByteString generatePassword()
throws DirectoryException
{
{
if (logger.isTraceEnabled())
{
logger.trace("Unable to generate a new password for user %s because no password generator has been defined" +
"in the associated password policy.", userDNString);
}
return null;
}
}
/**
* Generates an account status notification for this user.
*
* @param notificationType The type for the account status notification.
* @param userEntry The entry for the user to which this notification applies.
* @param message The human-readable message for the notification.
* @param notificationProperties The set of properties for the notification.
*/
public void generateAccountStatusNotification(
{
}
/**
* Generates an account status notification for this user.
*
* @param notification The account status notification that should be generated.
*/
{
Collection<AccountStatusNotificationHandler<?>> handlers = passwordPolicy.getAccountStatusNotificationHandlers();
{
}
}
/**
* Retrieves the set of modifications that correspond to changes made in password policy processing
* that may need to be applied to the user entry.
*
* @return The set of modifications that correspond to changes made in password policy processing
* that may need to be applied to the user entry.
*/
{
return modifications;
}
/** {@inheritDoc} */
public void finalizeStateAfterBind()
throws DirectoryException
{
// If there are no modifications, then there's nothing to do.
if (modifications.isEmpty())
{
return;
}
// Convert the set of modifications to a set of LDAP modifications.
for (Modification m : modifications)
{
}
{
// If this is a root user, or if the password policy says that we should ignore these problems,
// then log a warning message. Otherwise, cause the bind to fail.
|| passwordPolicy.getStateUpdateFailurePolicy() == PasswordPolicyCfgDefn.StateUpdateFailurePolicy.IGNORE)
{
}
else
{
}
}
}
}