/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License"). You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
 * or http://forgerock.org/license/CDDLv1.0.html.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at legal-notices/CDDLv1_0.txt.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information:
 * Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 *
 *
 * Copyright 2011 ForgeRock AS.
 */
3bfde8a324ef1dc0d757a9a34007cdb15018dc9amatthew
3bfde8a324ef1dc0d757a9a34007cdb15018dc9amatthewpackage org.opends.server.api;
3bfde8a324ef1dc0d757a9a34007cdb15018dc9amatthew
3bfde8a324ef1dc0d757a9a34007cdb15018dc9amatthew
3bfde8a324ef1dc0d757a9a34007cdb15018dc9amatthew
2680aa2882577f4209e7f005c9a2edf095ebc183matthewimport static org.opends.messages.CoreMessages.*;
2680aa2882577f4209e7f005c9a2edf095ebc183matthewimport static org.opends.server.config.ConfigConstants.OP_ATTR_ACCOUNT_DISABLED;
2680aa2882577f4209e7f005c9a2edf095ebc183matthewimport static org.opends.server.loggers.debug.DebugLogger.debugEnabled;
2680aa2882577f4209e7f005c9a2edf095ebc183matthewimport static org.opends.server.loggers.debug.DebugLogger.getTracer;
2680aa2882577f4209e7f005c9a2edf095ebc183matthewimport static org.opends.server.util.StaticUtils.stackTraceToSingleLineString;
2680aa2882577f4209e7f005c9a2edf095ebc183matthewimport static org.opends.server.util.StaticUtils.toLowerCase;
2680aa2882577f4209e7f005c9a2edf095ebc183matthew
2680aa2882577f4209e7f005c9a2edf095ebc183matthewimport java.util.List;
2680aa2882577f4209e7f005c9a2edf095ebc183matthew
2680aa2882577f4209e7f005c9a2edf095ebc183matthewimport org.opends.messages.Message;
2680aa2882577f4209e7f005c9a2edf095ebc183matthewimport org.opends.server.core.DirectoryServer;
2680aa2882577f4209e7f005c9a2edf095ebc183matthewimport org.opends.server.loggers.debug.DebugTracer;
2680aa2882577f4209e7f005c9a2edf095ebc183matthewimport org.opends.server.schema.GeneralizedTimeSyntax;
2680aa2882577f4209e7f005c9a2edf095ebc183matthewimport org.opends.server.types.*;
3bfde8a324ef1dc0d757a9a34007cdb15018dc9amatthew
3bfde8a324ef1dc0d757a9a34007cdb15018dc9amatthew
3bfde8a324ef1dc0d757a9a34007cdb15018dc9amatthew
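/**
 * The authentication policy context associated with a user's entry, which is
 * responsible for managing the user's account, their password, as well as
 * authenticating the user.
 * <p>
 * The static helpers in this class copy the raw attribute value and the
 * entry DN into debug traces and into the {@link DirectoryException}
 * message when a value cannot be decoded, so they are suited to account
 * state attributes and should not be pointed at attributes that hold
 * secrets.
 */
public abstract class AuthenticationPolicyState
{
  /**
   * The tracer object for the debug logger.
   */
  private static final DebugTracer TRACER = getTracer();



  /**
   * Returns the authentication policy state for the provided user. This
   * method is equivalent to the following:
   *
   * <pre>
   * AuthenticationPolicy policy = AuthenticationPolicy.forUser(userEntry,
   *     useDefaultOnError);
   * AuthenticationPolicyState state = policy
   *     .createAuthenticationPolicyState(userEntry);
   * </pre>
   *
   * See the documentation of {@link AuthenticationPolicy#forUser} for a
   * description of the algorithm used to find a user's authentication policy.
   *
   * @param userEntry
   *          The user entry.
   * @param useDefaultOnError
   *          Indicates whether the server should fall back to using the
   *          default password policy if there is a problem with the
   *          configured policy for the user. With {@code true}, such a user
   *          is evaluated under the default policy rather than rejected;
   *          pass {@code false} where that substitution is not acceptable.
   * @return The authentication policy state for the user.
   * @throws DirectoryException
   *           If a problem occurs while attempting to determine the policy
   *           for the user.
   * @see AuthenticationPolicy#forUser(Entry, boolean)
   */
  public static final AuthenticationPolicyState forUser(final Entry userEntry,
      final boolean useDefaultOnError) throws DirectoryException
  {
    final AuthenticationPolicy policy = AuthenticationPolicy.forUser(userEntry,
        useDefaultOnError);
    return policy.createAuthenticationPolicyState(userEntry);
  }



  /**
   * A utility method which may be used by implementations in order to obtain
   * the value of the specified attribute from the provided entry as a boolean.
   * <p>
   * Only the first value of the first non-empty attribute is examined. The
   * comparison is performed on the lower-cased value: {@code true},
   * {@code yes}, {@code on} and {@code 1} map to
   * {@link ConditionResult#TRUE}; {@code false}, {@code no}, {@code off} and
   * {@code 0} map to {@link ConditionResult#FALSE}. Any other value is
   * rejected with an exception rather than being given a default meaning.
   *
   * @param entry
   *          The entry whose attribute is to be parsed as a boolean.
   * @param attributeType
   *          The attribute type whose value should be parsed as a boolean.
   * @return The attribute's value represented as a ConditionResult value, or
   *         ConditionResult.UNDEFINED if the specified attribute does not
   *         exist in the entry or has no values.
   * @throws DirectoryException
   *           If the value cannot be decoded as a boolean.
   */
  protected static final ConditionResult getBoolean(final Entry entry,
      final AttributeType attributeType) throws DirectoryException
  {
    final List<Attribute> attrList = entry.getAttribute(attributeType);
    if (attrList != null)
    {
      for (final Attribute a : attrList)
      {
        if (a.isEmpty())
        {
          continue;
        }

        final String valueString = toLowerCase(a.iterator().next().getValue()
            .toString());

        if (valueString.equals("true") || valueString.equals("yes")
            || valueString.equals("on") || valueString.equals("1"))
        {
          if (debugEnabled())
          {
            TRACER.debugInfo("Attribute %s resolves to true for user entry "
                + "%s", attributeType.getNameOrOID(), entry.getDN().toString());
          }

          return ConditionResult.TRUE;
        }

        if (valueString.equals("false") || valueString.equals("no")
            || valueString.equals("off") || valueString.equals("0"))
        {
          if (debugEnabled())
          {
            TRACER.debugInfo("Attribute %s resolves to false for user "
                + "entry %s", attributeType.getNameOrOID(), entry.getDN()
                .toString());
          }

          return ConditionResult.FALSE;
        }

        // An unrecognised value is an error, never a silent default: the
        // caller decides how to treat an account whose state is unreadable.
        if (debugEnabled())
        {
          TRACER.debugError("Unable to resolve value %s for attribute %s "
              + "in user entry %s as a Boolean.", valueString,
              attributeType.getNameOrOID(), entry.getDN().toString());
        }

        final Message message = ERR_PWPSTATE_CANNOT_DECODE_BOOLEAN
            .get(valueString, attributeType.getNameOrOID(), entry.getDN()
                .toString());
        throw new DirectoryException(ResultCode.INVALID_ATTRIBUTE_SYNTAX,
            message);
      }
    }

    if (debugEnabled())
    {
      TRACER.debugInfo("Returning %s because attribute %s does not exist "
          + "in user entry %s", ConditionResult.UNDEFINED.toString(),
          attributeType.getNameOrOID(), entry.getDN().toString());
    }

    return ConditionResult.UNDEFINED;
  }



  /**
   * A utility method which may be used by implementations in order to obtain
   * the value of the specified attribute from the provided entry as a time in
   * generalized time format.
   * <p>
   * Only the first value of the first non-empty attribute is decoded.
   *
   * @param entry
   *          The entry whose attribute is to be parsed as a generalized time
   *          value.
   * @param attributeType
   *          The attribute type whose value should be parsed as a generalized
   *          time value.
   * @return The requested time as decoded by
   *         {@link GeneralizedTimeSyntax#decodeGeneralizedTimeValue}, or -1
   *         if the attribute does not exist in the entry or has no values.
   * @throws DirectoryException
   *           If a problem occurs while attempting to decode the value as a
   *           generalized time.
   */
  protected static final long getGeneralizedTime(final Entry entry,
      final AttributeType attributeType) throws DirectoryException
  {
    final List<Attribute> attrList = entry.getAttribute(attributeType);
    if (attrList != null)
    {
      for (final Attribute a : attrList)
      {
        if (a.isEmpty())
        {
          continue;
        }

        final AttributeValue v = a.iterator().next();
        final long timeValue;
        try
        {
          timeValue = GeneralizedTimeSyntax.decodeGeneralizedTimeValue(v
              .getNormalizedValue());
        }
        catch (final Exception e)
        {
          if (debugEnabled())
          {
            TRACER.debugCaught(DebugLogLevel.ERROR, e);

            TRACER.debugWarning("Unable to decode value %s for attribute %s "
                + "in user entry %s: %s", v.getValue().toString(),
                attributeType.getNameOrOID(), entry.getDN().toString(),
                stackTraceToSingleLineString(e));
          }

          // Surface the malformed value as a syntax error and keep the cause,
          // so a corrupt timestamp is never mistaken for "attribute absent".
          final Message message = ERR_PWPSTATE_CANNOT_DECODE_GENERALIZED_TIME
              .get(v.getValue().toString(), attributeType.getNameOrOID(), entry
                  .getDN().toString(), String.valueOf(e));
          throw new DirectoryException(ResultCode.INVALID_ATTRIBUTE_SYNTAX,
              message, e);
        }

        // Trace the decoded value, mirroring getBoolean. Returning from here
        // also keeps the "does not exist" trace below from being emitted for
        // an attribute that was present and decoded.
        if (debugEnabled())
        {
          TRACER.debugInfo("Attribute %s resolves to %s for user entry %s",
              attributeType.getNameOrOID(), String.valueOf(timeValue), entry
                  .getDN().toString());
        }

        return timeValue;
      }
    }

    if (debugEnabled())
    {
      TRACER.debugInfo("Returning -1 because attribute %s does not "
          + "exist in user entry %s", attributeType.getNameOrOID(), entry
          .getDN().toString());
    }

    return -1;
  }



  /**
   * A boolean indicating whether or not the account associated with this
   * authentication state has been administratively disabled. It starts as
   * {@link ConditionResult#UNDEFINED} and is overwritten by every call to
   * {@link #isDisabled()}.
   */
  protected ConditionResult isDisabled = ConditionResult.UNDEFINED;

  /**
   * The user entry associated with this authentication policy state.
   */
  protected final Entry userEntry;



  /**
   * Creates a new abstract authentication policy context.
   *
   * @param userEntry
   *          The user's entry.
   */
  protected AuthenticationPolicyState(final Entry userEntry)
  {
    this.userEntry = userEntry;
  }



  /**
   * Performs any finalization required after a bind operation has completed.
   * Implementations may perform internal operations in order to persist
   * internal state to the user's entry if needed.
   *
   * @throws DirectoryException
   *           If a problem occurs during finalization.
   */
  public void finalizeStateAfterBind() throws DirectoryException
  {
    // Do nothing by default.
  }



  /**
   * Returns the authentication policy associated with this state.
   *
   * @return The authentication policy associated with this state.
   */
  public abstract AuthenticationPolicy getAuthenticationPolicy();



  /**
   * Returns {@code true} if this authentication policy state is associated with
   * a user whose account has been administratively disabled.
   * <p>
   * The default implementation uses the value of the operational attribute
   * named by {@code OP_ATTR_ACCOUNT_DISABLED} in the user's entry. The
   * attribute is re-read on every call and the result is stored in the
   * {@code isDisabled} field.
   * <p>
   * The check fails closed: if the attribute is present but cannot be
   * decoded, or any other exception is raised while reading it, the account
   * is reported as disabled. An absent attribute means the account is not
   * disabled.
   *
   * @return {@code true} if this authentication policy state is associated with
   *         a user whose account has been administratively disabled, or if
   *         that could not be determined because of an error.
   */
  public boolean isDisabled()
  {
    final AttributeType type = DirectoryServer.getAttributeType(
        OP_ATTR_ACCOUNT_DISABLED, true);
    try
    {
      isDisabled = getBoolean(userEntry, type);
    }
    catch (final Exception e)
    {
      // Deliberately broad catch: whatever goes wrong while reading the
      // flag, treat the account as disabled instead of letting it through.
      isDisabled = ConditionResult.TRUE;
      if (debugEnabled())
      {
        TRACER.debugCaught(DebugLogLevel.ERROR, e);

        TRACER.debugWarning("User %s is considered administratively "
            + "disabled because an error occurred while "
            + "attempting to make the determination: %s.", userEntry.getDN()
            .toString(), stackTraceToSingleLineString(e));
      }

      return true;
    }

    if (isDisabled == ConditionResult.UNDEFINED)
    {
      // No flag in the entry: the account has not been disabled.
      isDisabled = ConditionResult.FALSE;
      if (debugEnabled())
      {
        TRACER.debugInfo("User %s is not administratively disabled since "
            + "the attribute \"%s\" is not present in the entry.", userEntry
            .getDN().toString(), OP_ATTR_ACCOUNT_DISABLED);
      }
      return false;
    }

    final boolean disabled = (isDisabled == ConditionResult.TRUE);
    if (debugEnabled())
    {
      // The format string already separates the two arguments with a space,
      // so the verb is passed without a leading one.
      TRACER.debugInfo("User %s %s administratively disabled.", userEntry
          .getDN().toString(), (disabled ? "is" : "is not"));
    }

    return disabled;
  }



  /**
   * Returns {@code true} if this authentication policy state is associated with
   * a password policy and the method {@link #getAuthenticationPolicy} will
   * return a {@code PasswordPolicy}.
   *
   * @return {@code true} if this authentication policy state is associated with
   *         a password policy, otherwise {@code false}.
   */
  public boolean isPasswordPolicy()
  {
    return getAuthenticationPolicy().isPasswordPolicy();
  }



  /**
   * Returns {@code true} if the provided password value matches any of the
   * user's passwords.
   * <p>
   * Note for implementers: the argument is the credential supplied by the
   * user, so it should be kept out of log and debug output and out of
   * exception messages.
   *
   * @param password
   *          The user-provided password to verify.
   * @return {@code true} if the provided password value matches any of the
   *         user's passwords.
   * @throws DirectoryException
   *           If verification unexpectedly failed.
   */
  public abstract boolean passwordMatches(ByteString password)
      throws DirectoryException;
}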