/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at legal-notices/CDDLv1_0.txt.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information:
* Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*
*
* Copyright 2006-2010 Sun Microsystems, Inc.
* Portions Copyright 2011-2015 ForgeRock AS
*/
/**
* This class implements the password modify extended operation defined in RFC
* 3062. It includes support for requiring the user's current password as well
* as for generating a new password if none was provided.
*/
public class PasswordModifyExtendedOperation
{
// The following attachments may be used by post-op plugins (e.g. Samba) in
// order to avoid re-decoding the request parameters and also to enforce
// atomicity.
/** The name of the attachment which will be used to store the fully resolved target entry. */
/** The name of the attachment which will be used to store the password attribute. */
/** The clear text password, which may not be present if the provided password was pre-encoded. */
/** A list containing the encoded passwords: plugins can perform changes atomically via CAS. */
static
{
}
/** The current configuration state. */
/** The DN of the identity mapper. */
/** The reference to the identity mapper. */
/**
* Create an instance of this password modify extended operation. All initialization should be performed in the
* <CODE>initializeExtendedOperationHandler</CODE> method.
*/
public PasswordModifyExtendedOperation()
{
}
{
try
{
if (identityMapper == null)
{
}
}
catch (Exception e)
{
logger.traceException(e);
throw new InitializationException(message, e);
}
// Save this configuration for future reference.
// Register this as a change listener.
}
public void finalizeExtendedOperationHandler()
{
super.finalizeExtendedOperationHandler();
}
{
// Initialize the variables associated with components that may be included in the request.
// Look at the set of controls included in the request, if there are any.
boolean noOpRequested = false;
boolean pwPolicyRequested = false;
{
{
{
noOpRequested = true;
}
{
pwPolicyRequested = true;
}
}
}
// Parse the encoded request, if there is one.
if (requestValue != null)
{
try
{
{
}
{
}
{
}
}
{
return;
}
}
// Get the entry for the user that issued the request.
// See if a user identity was provided. If so, then try to resolve it to an actual user.
try
{
if (userIdentity == null)
{
// This request must be targeted at changing the password for the currently-authenticated user.
// Make sure that the user actually is authenticated.
{
return;
}
}
else
{
// There was a userIdentity field in the request.
{
try
{
}
catch (DirectoryException de)
{
return;
}
// If the provided DN is an alternate DN for a root user, then replace it with the actual root DN.
if (actualRootDN != null)
{
}
{
return;
}
}
{
try
{
{
return;
}
}
catch (DirectoryException de)
{
//Encountered an exception while resolving identity.
operation.appendErrorMessage(ERR_EXTOP_PASSMOD_ERROR_MAPPING_USER.get(authzIDStr, de.getMessageObject()));
return;
}
}
else
{
/*
* the userIdentity provided does not follow Authorization Identity form. RFC3062
* declaration "may or may not be an LDAPDN" allows for pretty much anything in that
* field. we gonna try to parse it as DN first then if that fails as user ID.
*/
try
{
}
catch (DirectoryException ignored)
{
}
// If the provided DN is an alternate DN for a root user, then replace it with the actual root DN.
if (actualRootDN != null) {
}
} else {
try
{
}
catch (DirectoryException ignored)
{
}
}
// The userIdentity was invalid.
return;
}
}
}
{
return;
}
// At this point, we should have the user entry. Get the associated password policy.
try
{
if (!policy.isPasswordPolicy())
{
return;
}
}
catch (DirectoryException de)
{
operation.appendErrorMessage(ERR_EXTOP_PASSMOD_CANNOT_GET_PW_POLICY.get(userDN, de.getMessageObject()));
return;
}
// Determine whether the user is changing his own password or if it's an administrative reset.
// If it's an administrative reset, then the requester must have the PASSWORD_RESET privilege.
if (! selfChange)
{
{
return;
}
}
// See if the account is locked. If so, then reject the request.
if (pwPolicyState.isDisabled())
{
return;
}
{
return;
}
// If the current password was provided, then we'll need to verify whether it was correct.
// If it wasn't provided but this is a self change, then make sure that's OK.
if (oldPassword == null)
{
if (selfChange
{
return;
}
}
else
{
{
return;
}
{
}
else
{
{
}
return;
}
}
// If it is a self password change and we don't allow that, then reject the request.
if (selfChange
{
return;
}
// If we require secure password changes and the connection isn't secure, then reject the request.
{
return;
}
// If it's a self-change request and the user is within the minimum age, then reject it.
{
return;
}
// If the user's password is expired and it's a self-change request, then see if that's OK.
if (selfChange
{
addPwPolicyErrorResponseControl(operation, pwPolicyRequested, PasswordPolicyErrorType.PASSWORD_EXPIRED);
return;
}
// If the a new password was provided, then perform any appropriate validation on it.
// If not, then see if we can generate one.
boolean generatedPassword = false;
boolean isPreEncoded = false;
if (newPassword == null)
{
try
{
if (newPassword == null)
{
return;
}
generatedPassword = true;
}
catch (DirectoryException de)
{
return;
}
// Prepare to update the password history, if necessary.
if (pwPolicyState.maintainHistory())
{
{
return;
}
else
{
}
}
}
{
// The password modify extended operation isn't intended to be invoked
// by an internal operation or during synchronization, so we don't
// need to check for those cases.
isPreEncoded = true;
{
return;
}
}
else
{
// Run the new password through the set of password validators.
{
if (oldPassword != null)
{
}
if (!pwPolicyState.passwordIsAcceptable(operation, userEntry, newPassword, clearPasswords, invalidReason))
{
return;
}
}
// Prepare to update the password history, if necessary.
if (pwPolicyState.maintainHistory())
{
{
{
return;
}
}
else
{
}
}
}
// Get the encoded forms of the new password.
if (isPreEncoded)
{
}
else
{
try
{
}
catch (DirectoryException de)
{
return;
}
}
// If the current password was provided, then remove all matching values from the user's entry
// and replace them with the new password. Otherwise replace all password values.
if (oldPassword != null)
{
// Remove all existing encoded values that match the old password.
for (ByteString v : existingValues)
{
try
{
if (// The password is encoded using an unknown scheme. Remove it from the user's entry.
{
deleteValues.add(v);
}
}
catch (DirectoryException de)
{
// We couldn't decode the provided password value, so remove it from the user's entry.
deleteValues.add(v);
}
}
}
else
{
}
// Update the password changed time for the user entry.
// If the password was changed by an end user, then clear any reset flag that might exist.
// If the password was changed by an administrator, then see if we need to set the reset flag.
// Clear any record of grace logins, auth failures, and expiration warnings.
// If the LDAP no-op control was included in the request, then set the
// appropriate response. Otherwise, process the operation.
if (noOpRequested)
{
return;
}
{
}
// Get an internal connection and use it to perform the modification.
{
// FIXME should it also call setMatchedDN()
return;
}
// If there were any password policy state changes, we need to apply
// them using a root connection because the end user may not have
// sufficient access to apply them. This is less efficient than
// doing them all in the same modification, but it's safer.
if (! pwPolicyMods.isEmpty())
{
{
// At this point, the user's password is already changed so there's
// not much point in returning a non-success result. However, we
// should at least log that something went wrong.
modOp.getErrorMessage());
}
}
// If we've gotten here, then everything is OK, so indicate that the operation was successful.
// Save attachments for post-op plugins (e.g. Samba password plugin).
operation.setAttachment(PWD_ATTRIBUTE_ATTACHMENT, pwPolicyState.getAuthenticationPolicy().getPasswordAttribute());
if (!isPreEncoded)
{
}
// If a password was generated, then include it in the response.
if (generatedPassword)
{
try
{
}
catch (IOException e)
{
logger.traceException(e);
}
}
// If this was a self password change, and the client is authenticated as the user whose password was changed,
// then clear the "must change password" flag in the client connection. Note that we're using the
// authentication DN rather than the authorization DN in this case to avoid mistakenly clearing the flag
// for the wrong user.
if (selfChange
{
}
}
finally
{
{
}
}
}
private void addPwPolicyErrorResponseControl(ExtendedOperation operation, boolean pwPolicyRequested,
{
if (pwPolicyRequested)
{
}
}
private void generateAccountStatusNotification(ByteString oldPassword, ByteString newPassword, Entry userEntry,
{
if (oldPassword != null)
{
}
AccountStatusNotification.createProperties(pwPolicyState, false, -1, currentPasswords, newPasswords);
if (selfChange)
{
}
else
{
}
}
private String[] decodePassword(PasswordPolicyState pwPolicyState, String encodedPassword) throws DirectoryException
{
}
private PasswordStorageScheme<?> getPasswordStorageScheme(PasswordPolicyState pwPolicyState, String scheme)
{
}
private boolean passwordMatches(
PasswordPolicyState pwPolicyState, PasswordStorageScheme<?> scheme, ByteString oldPassword, String[] components)
{
}
private boolean isSelfChange(ByteString userIdentity, Entry requestorEntry, DN userDN, ByteString oldPassword)
{
if (userIdentity == null)
{
return true;
}
else if (requestorEntry != null)
{
}
else
{
return oldPassword != null;
}
}
private Modification newModification(ModificationType modType, AttributeType attrType, Collection<ByteString> value)
{
}
/**
* Retrieves the entry for the specified user based on the provided DN. If any problem is encountered or
* the requested entry does not exist, then the provided operation will be updated with appropriate result
* information and this method will return <CODE>null</CODE>.
* The caller must hold a write lock on the specified entry.
*
* @param operation The extended operation being processed.
* @param entryDN The DN of the user entry to retrieve.
*
* @return The requested entry, or <CODE>null</CODE> if there was no such entry or it could not be retrieved.
*/
{
// Retrieve the user's entry from the directory. If it does not exist, then fail.
try
{
{
// See if one of the entry's ancestors exists.
return null;
}
return userEntry;
}
catch (DirectoryException de)
{
return null;
}
}
{
try
{
{
{
return matchedDN;
}
}
}
catch (Exception e)
{
logger.traceException(e);
}
return null;
}
{
PasswordModifyExtendedOperationHandlerCfg config = (PasswordModifyExtendedOperationHandlerCfg) configuration;
}
{
try
{
// Make sure that the specified identity mapper is OK.
{
return false;
}
return true;
}
catch (Exception e)
{
logger.traceException(e);
unacceptableReasons.add(ERR_EXTOP_PASSMOD_CANNOT_DETERMINE_ID_MAPPER.get(config.dn(), getExceptionMessage(e)));
return false;
}
}
public ConfigChangeResult applyConfigurationChange(PasswordModifyExtendedOperationHandlerCfg config)
{
// Make sure that the specified identity mapper is OK.
try
{
{
}
}
catch (Exception e)
{
logger.traceException(e);
ccr.addMessage(ERR_EXTOP_PASSMOD_CANNOT_DETERMINE_ID_MAPPER.get(config.dn(), getExceptionMessage(e)));
}
// If all of the changes were acceptable, then apply them.
{
}
// Save this configuration for future reference.
return ccr;
}
{
return OID_PASSWORD_MODIFY_REQUEST;
}
{
return "Password Modify";
}
}