/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at
* trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
* add the following below this CDDL HEADER, with the fields enclosed
* by brackets "[]" replaced with your own identifying information:
* Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*
*
* Copyright 2011 ForgeRock AS.
*/
/**
* The authentication policy context associated with a user's entry, which is
* responsible for managing the user's account, their password, as well as
* authenticating the user.
*/
public abstract class AuthenticationPolicyState
{
/**
* The tracer object for the debug logger.
*/
/**
* Returns the authentication policy state for the user provided user. This
* method is equivalent to the following:
*
* <pre>
* AuthenticationPolicy policy = AuthenticationPolicy.forUser(userEntry,
* useDefaultOnError);
* AuthenticationPolicyState state = policy
* .createAuthenticationPolicyState(userEntry);
* </pre>
*
* See the documentation of {@link AuthenticationPolicy#forUser} for a
* description of the algorithm used to find a user's authentication policy.
*
* @param userEntry
* The user entry.
* @param useDefaultOnError
* Indicates whether the server should fall back to using the default
* password policy if there is a problem with the configured policy
* for the user.
* @return The password policy for the user.
* @throws DirectoryException
* If a problem occurs while attempting to determine the password
* policy for the user.
* @see AuthenticationPolicy#forUser(Entry, boolean)
*/
final boolean useDefaultOnError) throws DirectoryException
{
}
/**
* A utility method which may be used by implementations in order to obtain
* the value of the specified attribute from the provided entry as a boolean.
*
* @param entry
* The entry whose attribute is to be parsed as a boolean.
* @param attributeType
* The attribute type whose value should be parsed as a boolean.
* @return The attribute's value represented as a ConditionResult value, or
* ConditionResult.UNDEFINED if the specified attribute does not exist
* in the entry.
* @throws DirectoryException
* If the value cannot be decoded as a boolean.
*/
{
{
{
if (a.isEmpty())
{
continue;
}
.toString());
{
if (debugEnabled())
{
}
return ConditionResult.TRUE;
}
{
if (debugEnabled())
{
.toString());
}
return ConditionResult.FALSE;
}
if (debugEnabled())
{
+ "in user entry %s as a Boolean.", valueString,
}
.toString());
message);
}
}
if (debugEnabled())
{
}
return ConditionResult.UNDEFINED;
}
/**
* A utility method which may be used by implementations in order to obtain
* the value of the specified attribute from the provided entry as a time in
* generalized time format.
*
* @param entry
* The entry whose attribute is to be parsed as a boolean.
* @param attributeType
* The attribute type whose value should be parsed as a generalized
* time value.
* @return The requested time, or -1 if it could not be determined.
* @throws DirectoryException
* If a problem occurs while attempting to decode the value as a
* generalized time.
*/
{
long timeValue = -1;
{
{
if (a.isEmpty())
{
continue;
}
try
{
.getNormalizedValue());
}
catch (final Exception e)
{
if (debugEnabled())
{
}
message, e);
}
break;
}
}
if (timeValue == -1)
{
if (debugEnabled())
{
}
}
// FIXME: else to be consistent...
return timeValue;
}
/**
* A boolean indicating whether or not the account associated with this
* authentication state has been administratively disabled.
*/
/**
* The user entry associated with this authentication policy state.
*/
/**
* Creates a new abstract authentication policy context.
*
* @param userEntry
* The user's entry.
*/
{
}
/**
* Performs any finalization required after a bind operation has completed.
* Implementations may perform internal operations in order to persist
* internal state to the user's entry if needed.
*
* @throws DirectoryException
* If a problem occurs during finalization.
*/
{
// Do nothing by default.
}
/**
* Returns the authentication policy associated with this state.
*
* @return The authentication policy associated with this state.
*/
/**
* Returns {@code true} if this authentication policy state is associated with
* a user whose account has been administratively disabled.
* <p>
* The default implementation is use the value of the "ds-pwp-account-disable"
* attribute in the user's entry.
*
* @return {@code true} if this authentication policy state is associated with
* a user whose account has been administratively disabled.
*/
public boolean isDisabled()
{
OP_ATTR_ACCOUNT_DISABLED, true);
try
{
}
catch (final Exception e)
{
if (debugEnabled())
{
}
if (debugEnabled())
{
+ "disabled because an error occurred while "
.toString(), stackTraceToSingleLineString(e));
}
return true;
}
{
if (debugEnabled())
{
+ "the attribute \"%s\" is not present in the entry.", userEntry
}
return false;
}
if (debugEnabled())
{
: " is not"));
}
}
/**
* Returns {@code true} if this authentication policy state is associated with
* a password policy and the method {@link #getAuthenticationPolicy} will
* return a {@code PasswordPolicy}.
*
* @return {@code true} if this authentication policy state is associated with
* a password policy, otherwise {@code false}.
*/
public boolean isPasswordPolicy()
{
return getAuthenticationPolicy().isPasswordPolicy();
}
/**
* Returns {@code true} if the provided password value matches any of the
* user's passwords.
*
* @param password
* The user-provided password to verify.
* @return {@code true} if the provided password value matches any of the
* user's passwords.
* @throws DirectoryException
* If verification unexpectedly failed.
*/
throws DirectoryException;
}