PasswordPolicyState.java revision 99faa045b6241c1d2843cce1b7a9d9c97055beae
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at
* trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
* add the following below this CDDL HEADER, with the fields enclosed
* by brackets "[]" replaced with your own identifying information:
* Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*
*
* Portions Copyright 2006-2007 Sun Microsystems, Inc.
*/
/**
* This class provides a data structure for holding password policy state
* information for a user account.
*/
public class PasswordPolicyState
{
// The user entry with which this state information is associated.
// Indicates whether the user entry itself should be updated or if the updates
// should be stored as modifications.
private final boolean updateEntry;
// Indicates whether to debug password policy processing performed wth this
// state object.
private final boolean debug;
// The string representation of the user's DN.
private final String userDNString;
// The password policy with which the account is associated.
private final PasswordPolicy passwordPolicy;
// The current time for use in all password policy calculations.
private final long currentTime;
// The time that the user's password was last changed.
// Indicates whether the user's account is expired.
// Indicates whether the user's account is disabled.
// Indicates whether the user's password is expired.
// Indicates whether the warning to send to the client would be the first
// warning for the user.
// Indicates whether the user's account is locked by the idle lockout.
// Indicates whether the user may use a grace login if the password is expired
// and there are one or more grace logins remaining.
// Indicates whether the user's password must be changed.
// Indicates whether the user should be warned of an upcoming expiration.
// The number of seconds until the user's account is automatically unlocked.
// The set of authentication failure times for this user.
// The set of grace login times for this user.
// The time that the user's password should expire (or did expire).
// The time that the user's entry was locked due to too many authentication
// failures.
// The time that the user last authenticated to the Directory Server.
// The last required change time with which the user complied.
// The time that the user was first warned about an upcoming expiration.
// The set of modifications that should be applied to the user's entry.
= new LinkedList<Modification>();
/**
* Creates a new password policy state object with the provided information.
*
* @param userEntry The entry with the user account.
* @param updateEntry Indicates whether changes should update the provided
* user entry directly or whether they should be
* collected as a set of modifications.
* @param debug Indicates whether to enable debugging for the
* operations performed.
*
* @throws DirectoryException If a problem occurs while attempting to
* determine the password policy for the user or
* perform any other state initialization.
*/
boolean debug)
throws DirectoryException
{
this.updateEntry = updateEntry;
// Get the password changed time for the user.
{
}
if (passwordChangedTime <= 0)
{
// Get the time that the user's account was created.
if (createTimeType == null)
{
}
if (passwordChangedTime <= 0)
{
passwordChangedTime = 0;
if (debug)
{
debugWarning("Could not determine password changed time for user %s.",
}
}
}
}
/**
* Retrieves the password policy for the user. If the user entry contains the
* ds-pwp-password-policy-dn attribute (whether real or virtual), that
* password policy is returned, otherwise the default password policy is
* returned.
*
* @param userEntry The user entry.
* @param debug Indicates whether to enable debugging for the
* operations performed.
*
* @return The password policy for the user.
*
* @throws DirectoryException If a problem occurs while attempting to
* determine the password policy for the user.
*/
boolean debug)
throws DirectoryException
{
{
{
try
{
}
catch (Exception e)
{
if (debugEnabled())
{
}
if (debug)
{
debugError("Could not parse password policy subentry DN %s " +
"for user %s: %s",
v.getStringValue(), userDNString,
}
e.getMessage());
msgID, e);
}
{
if (debug)
{
debugError("Password policy subentry %s for user %s " +
"is not defined in the Directory Server.",
}
throw new DirectoryException(
msgID);
}
if (debug)
{
if (debugEnabled())
{
debugInfo("Using password policy subentry %s for user %s.",
}
}
return policy;
}
}
// There is no policy subentry defined: use the default.
if (debug)
{
if (debugEnabled())
{
debugInfo("Using the default password policy for user %s",
}
}
return DirectoryServer.getDefaultPasswordPolicy();
}
/**
* Retrieves the value of the specified attribute as a string.
*
* @param attributeType The attribute type whose value should be retrieved.
*
* @return The value of the specified attribute as a string, or
* <CODE>null</CODE> if there is no such value.
*/
{
{
{
break ;
}
}
if (debug)
{
if (stringValue == null)
{
if (debugEnabled())
{
debugInfo("Returning null because attribute %s does not " +
"exist in user entry %s",
}
}
else
{
if (debugEnabled())
{
debugInfo("Returning value %s for user %s",
}
}
}
return stringValue;
}
/**
* Retrieves the value of the specified attribute from the user's entry as a
* time in generalized time format.
*
* @param attributeType The attribute type whose value should be parsed as a
* generalized time value.
*
* @return The requested time, or -1 if it could not be determined.
*
* @throws DirectoryException If a problem occurs while attempting to
* decode the value as a generalized time.
*/
throws DirectoryException
{
long timeValue = -1 ;
{
{
try
{
v.getNormalizedValue());
}
catch (Exception e)
{
if (debugEnabled())
{
}
if (debug)
{
debugWarning("Unable to decode value %s for attribute %s " +
"in user entry %s: %s",
}
}
break ;
}
}
if (debug)
{
if (timeValue == -1)
{
if (debugEnabled())
{
debugInfo("Returning -1 because attribute %s does not " +
"exist in user entry %s",
}
}
// FIXME: else to be consistent...
}
return timeValue;
}
/**
* Retrieves the set of values of the specified attribute from the user's
* entry in generalized time format.
*
* @param attributeType The attribute type whose values should be parsed as
* generalized time values.
*
* @return The set of generalized time values, or an empty list if there are
* none.
*
* @throws DirectoryException If a problem occurs while attempting to
* decode a value as a generalized time.
*/
throws DirectoryException
{
{
{
for (AttributeValue v : a.getValues())
{
try
{
v.getNormalizedValue()));
}
catch (Exception e)
{
if (debugEnabled())
{
}
if (debug)
{
debugWarning("Unable to decode value %s for attribute %s" +
"in user entry %s: %s",
}
}
}
}
}
if (debug)
{
if (timeValues.isEmpty())
{
if (debugEnabled())
{
debugInfo("Returning an empty list because attribute %s " +
"does not exist in user entry %s",
}
}
}
return timeValues;
}
/**
* Retrieves the value of the specified attribute from the user's entry as a
* Boolean.
*
* @param attributeType The attribute type whose value should be parsed as a
* Boolean.
*
* @return The attribute's value represented as a ConditionResult value, or
* ConditionResult.UNDEFINED if the specified attribute does not
* exist in the entry.
*
* @throws DirectoryException If the value cannot be decoded as a Boolean.
*/
throws DirectoryException
{
{
{
{
if (debug)
{
if (debugEnabled())
{
debugInfo("Attribute %s resolves to true for user entry %s",
}
}
return ConditionResult.TRUE;
}
{
if (debug)
{
if (debugEnabled())
{
debugInfo("Attribute %s resolves to false for user entry %s",
}
}
return ConditionResult.FALSE;
}
if (debug)
{
debugError("Unable to resolve value %s for attribute %s " +
"in user entry %s as a Boolean.",
}
}
}
if (debug)
{
if (debugEnabled())
{
debugInfo("Returning %s because attribute %s does not exist " +
"in user entry %s",
}
}
return ConditionResult.UNDEFINED;
}
/**
* Retrieves the password policy associated with this state information.
*
* @return The password policy associated with this state information.
*/
public PasswordPolicy getPolicy()
{
return passwordPolicy;
}
/**
* Retrieves the set of values for the password attribute from the user entry.
*
* @return The set of values for the password attribute from the user entry.
*/
{
{
{
return a.getValues();
}
}
}
/**
* Sets a new value for the password changed time equal to the current time.
*/
public void setPasswordChangedTime()
{
if (debug)
{
if (debugEnabled())
{
debugInfo("Setting password changed time for user %s to current time " +
}
}
// passwordChangedTime is computed in the constructor from values in the
// entry.
if (passwordChangedTime != currentTime)
{
{
}
if (updateEntry)
{
}
else
{
}
}
}
/**
* Indicates whether the user account has been administratively disabled.
*
* @return <CODE>true</CODE> if the user account has been administratively
* disabled, or <CODE>false</CODE> otherwise.
*/
public boolean isDisabled()
{
{
if (debug)
{
if (debugEnabled())
{
debugInfo("Returning stored result of %b for user %s",
}
}
}
try
{
}
catch (Exception e)
{
if (debugEnabled())
{
}
if (debug)
{
debugWarning("User %s is considered administratively disabled " +
"because an error occurred while attempting to make " +
"the determination: %s.",
}
return true;
}
{
if (debug)
{
if (debugEnabled())
{
debugInfo("User %s is not administratively disabled since the" +
" attribute \"%s\" is not present in the entry.",
}
}
return false;
}
if (debug)
{
if (debugEnabled())
{
debugInfo("User %s %s administratively disabled.",
}
}
}
/**
* Updates the user entry to indicate whether user account has been
* administratively disabled.
*
* @param isDisabled Indicates whether the user account has been
* administratively disabled.
*/
public void setDisabled(boolean isDisabled)
{
if (debug)
{
if (debugEnabled())
{
debugInfo("Updating user %s to set the disabled flag to %b",
}
}
if (isDisabled == isDisabled())
{
return; // requested state matches current state
}
if (isDisabled)
{
if (updateEntry)
{
}
else
{
}
}
else
{
// erase
if (updateEntry)
{
}
else
{
}
}
}
/**
* Indicates whether the user's account is currently expired.
*
* @return <CODE>true</CODE> if the user's account is expired, or
* <CODE>false</CODE> if not.
*/
public boolean isAccountExpired()
{
{
if(debug)
{
if (debugEnabled())
{
debugInfo("Returning stored result of %b for user %s",
}
}
}
true);
long expirationTime;
try
{
}
catch (Exception e)
{
if (debugEnabled())
{
}
if (debug)
{
debugWarning("User %s is considered to have an expired account " +
"because an error occurred while attempting to make " +
"the determination: %s.",
}
return true;
}
if (expirationTime > currentTime)
{
// The user does have an expiration time, but it hasn't arrived yet.
if (debug)
{
if (debugEnabled())
{
debugInfo("The account for user %s is not expired because the " +
"expiration time has not yet arrived.", userDNString);
}
}
}
else if (expirationTime >= 0)
{
// The user does have an expiration time, and it is in the past.
if (debug)
{
if (debugEnabled())
{
debugInfo("The account for user %s is expired because the " +
"expiration time in that account has passed.", userDNString);
}
}
}
else
{
// The user doesn't have an expiration time in their entry, so it
// can't be expired.
if (debug)
{
if (debugEnabled())
{
debugInfo("The account for user %s is not expired because " +
"there is no expiration time in the user's entry.",
}
}
}
}
/**
* Retrieves the set of times of failed authentication attempts for the user.
* If authentication failure time expiration is enabled, and there are expired
* times in the entry, these times are removed from the instance field and an
* update is provided to delete those values from the entry.
*
* @return The set of times of failed authentication attempts for the user,
* which will be an empty list in the case of no valid (unexpired)
* times in the entry.
*/
{
if (authFailureTimes != null)
{
if(debug)
{
if (debugEnabled())
{
debugInfo("Returning stored auth failure time list of %d " +
"elements for user %s" +
}
}
return authFailureTimes;
}
{
}
try
{
}
catch (Exception e)
{
if (debugEnabled())
{
}
if (debug)
{
debugWarning("Error while processing auth failure times " +
"for user %s: %s",
}
if (updateEntry)
{
}
else
{
}
return authFailureTimes;
}
if (authFailureTimes.isEmpty())
{
if (debug)
{
if (debugEnabled())
{
debugInfo("Returning an empty auth failure time list for user %s" +
" because the attribute is absent from the entry.",
}
}
return authFailureTimes;
}
// Remove any expired failures from the list.
{
long expirationTime = currentTime -
{
if (l < expirationTime)
{
if (debug)
{
if (debugEnabled())
{
debugInfo("Removing expired auth failure time %d for user %s",
l, userDNString);
}
}
if (valuesToRemove == null)
{
}
GeneralizedTimeSyntax.format(l)));
}
}
if (valuesToRemove != null)
{
if (updateEntry)
{
if (authFailureTimes.isEmpty())
{
}
else
{
for (Long l : authFailureTimes)
{
}
keepValues));
}
}
else
{
true));
}
}
}
if (debug)
{
if (debugEnabled())
{
debugInfo("Returning auth failure time list of %d elements for user %s",
}
}
return authFailureTimes;
}
/**
* Updates the set of authentication failure times to include the current
* time. If the number of failures reaches the policy configuration limit,
* lock the account.
*/
public void updateAuthFailureTimes()
{
if (debug)
{
if (debugEnabled())
{
debugInfo("Updating authentication failure times for user %s",
}
}
// Note: failureTimes == this.authFailureTimes
long highestFailureTime = -1;
for (Long l : failureTimes)
{
}
if (highestFailureTime >= currentTime)
{
}
else
{
}
{
}
for (Long l : failureTimes)
{
}
if (updateEntry)
{
}
else
{
}
// Now check to see if there have been sufficient failures to lock the
// account.
{
if (debug)
{
if (debugEnabled())
{
debugInfo("Locking user account %s due to too many failures.",
}
}
}
}
/**
* Updates the user entry to remove any record of previous authentication
* failure times.
*/
private void clearAuthFailureTimes()
{
if (debug)
{
if (debugEnabled())
{
debugInfo("Clearing authentication failure times for user %s",
}
}
if (failureTimes.isEmpty())
{
return;
}
{
}
if (updateEntry)
{
}
else
{
}
}
/**
* Retrieves the time of an authentication failure lockout for the user.
*
* @return The time of an authentication failure lockout for the user, or -1
* if no such time is present in the entry.
*/
private long getFailureLockedTime()
{
{
return failureLockedTime;
}
{
}
try
{
}
catch (Exception e)
{
if (debugEnabled())
{
}
if (debug)
{
debugWarning("Returning current time for user %s because an error " +
"occurred: %s",
}
return failureLockedTime;
}
// An expired locked time is handled in lockedDueToFailures.
return failureLockedTime;
}
/**
Sets the failure lockout attribute in the entry to the requested time.
@param time The time to which to set the entry's failure lockout attribute.
*/
private void setFailureLockedTime(final long time)
{
if (time == getFailureLockedTime())
{
return;
}
{
}
if (updateEntry)
{
}
else
{
}
}
/**
* Updates the user entry to remove any record of previous authentication
* failure lockout.
*/
private void clearFailureLockedTime()
{
if (debug)
{
if (debugEnabled())
{
}
}
if (-1L == getFailureLockedTime())
{
return;
}
failureLockedTime = -1L;
{
}
if (updateEntry)
{
}
else
{
}
}
/**
* Indicates whether the associated user should be considered locked out as a
* result of too many authentication failures. In the case of an expired
* lock-out, this routine produces the update to clear the lock-out attribute
* and the authentication failure timestamps.
* In case the failure lockout time is absent from the entry, but sufficient
* authentication failure timestamps are present in the entry, this routine
* produces the update to set the lock-out attribute.
*
* @return <CODE>true</CODE> if the user is currently locked out due to too
* many authentication failures, or <CODE>false</CODE> if not.
*/
public boolean lockedDueToFailures()
{
// FIXME: Introduce a state field to cache the computed value of this
// method. Note that only a cached "locked" status can be returned due to
// the possibility of intervening updates to this.failureLockedTime by
// updateAuthFailureTimes.
// Check if the feature is enabled in the policy.
if (maxFailures <= 0)
{
if (debug)
{
if (debugEnabled())
{
debugInfo("Returning false for user %s because lockout due to " +
"failures is not enabled.", userDNString);
}
}
return false;
}
// Get the locked time from the user's entry. If it is present and not
// expired, the account is locked. If it is absent, the failure timestamps
// must be checked, since failure timestamps sufficient to lock the
// account could be produced across the synchronization topology within the
// synchronization latency. Also, note that IETF
// draft-behera-ldap-password-policy-09 specifies "19700101000000Z" as
// the value to be set under a "locked until reset" regime; however, this
// implementation accepts the value as a locked entry, but observes the
// lockout expiration policy for all values including this one.
// FIXME: This "getter" is unusual in that it might produce an update to the
// entry in two cases. Does it make sense to factor the methods so that,
// e.g., an expired lockout is reported, and clearing the lockout is left to
// the caller?
if (getFailureLockedTime() < 0L)
{
// There was no locked time present in the entry; however, sufficient
// failure times might have accumulated to trigger a lockout.
{
if (debug)
{
if (debugEnabled())
{
debugInfo("Returning false for user %s because there is no " +
"locked time.", userDNString);
}
}
return false;
}
// The account isn't locked but should be, so do so now.
if (debug)
{
if (debugEnabled())
{
debugInfo("Locking user %s because there were enough existing " +
"failures even though there was no account locked time.",
}
}
// Fall through...
}
// There is a failure locked time, but it may be expired.
{
final long unlockTime = getFailureLockedTime() +
if (unlockTime > currentTime)
{
if (debug)
{
if (debugEnabled())
{
debugInfo("Returning true for user %s because there is a locked " +
"time and the lockout duration has not been reached.",
}
}
return true;
}
// The lockout in the entry has expired...
if (debug)
{
if (debugEnabled())
{
debugInfo("Returning false for user %s " +
"because the existing lockout has expired.", userDNString);
}
}
assert -1L == getFailureLockedTime();
return false;
}
if (debug)
{
if (debugEnabled())
{
debugInfo("Returning true for user %s " +
"because there is a locked time and no lockout duration.",
}
}
assert -1L <= getFailureLockedTime();
return true;
}
/**
* Retrieves the length of time in seconds until the user's account is
* automatically unlocked. This should only be called after calling
* <CODE>lockedDueToFailures</CODE>.
*
* @return The length of time in seconds until the user's account is
* automatically unlocked, or -1 if the account is not locked or the
* lockout requires administrative action to clear.
*/
public int getSecondsUntilUnlock()
{
// secondsUntilUnlock is only set when failureLockedTime is present and
// PasswordPolicy.getLockoutDuration is enabled; hence it is not
// unreasonable to find secondsUntilUnlock uninitialized.
}
/**
* Updates the user account to remove any record of a previous lockout due to
* failed authentications.
*/
public void clearFailureLockout()
{
}
/**
* Retrieves the time that the user last authenticated to the Directory
* Server.
*
* @return The time that the user last authenticated to the Directory Server,
* or -1 if it cannot be determined.
*/
public long getLastLoginTime()
{
{
if (debug)
{
if (debugEnabled())
{
debugInfo("Returning stored last login time of %d for user %s.",
}
}
return lastLoginTime;
}
// The policy configuration must be checked since the entry cannot be
// evaluated without both an attribute name and timestamp format.
{
lastLoginTime = -1;
if (debug)
{
if (debugEnabled())
{
debugInfo("Returning -1 for user %s because no last login time " +
"will be maintained.", userDNString);
}
}
return lastLoginTime;
}
lastLoginTime = -1;
{
{
try
{
if (debug)
{
if (debugEnabled())
{
debugInfo("Returning last login time of %d for user %s" +
"decoded using current last login time format.",
}
}
return lastLoginTime;
}
catch (Exception e)
{
if (debugEnabled())
{
}
// This could mean that the last login time was encoded using a
// previous format.
{
try
{
if (debug)
{
if (debugEnabled())
{
debugInfo("Returning last login time of %d for user %s" +
"decoded using previous last login time format of %s.",
lastLoginTime, userDNString, f);
}
}
return lastLoginTime;
}
{
if (debugEnabled())
{
}
}
}
assert lastLoginTime == -1;
if (debug)
{
debugWarning("Returning -1 for user %s because the last login " +
"time value %s could not be parsed using any known format.",
}
return lastLoginTime;
}
}
}
assert lastLoginTime == -1;
if (debug)
{
if (debugEnabled())
{
debugInfo("Returning %d for user %s because no last " +
}
}
return lastLoginTime;
}
/**
* Updates the user entry to set the current time as the last login time.
*/
public void setLastLoginTime()
{
{
return;
}
try
{
}
catch (Exception e)
{
if (debugEnabled())
{
}
if (debug)
{
debugWarning("Unable to set last login time for user %s because an " +
"error occurred: %s",
}
return;
}
{
if (debug)
{
if (debugEnabled())
{
debugInfo("Not updating last login time for user %s because the " +
"new value matches the existing value.", userDNString);
}
}
return;
}
if (updateEntry)
{
}
else
{
}
if (debug)
{
if (debugEnabled())
{
debugInfo("Updated the last login time for user %s to %s",
}
}
}
/**
* Indicates whether the user's account is currently locked because it has
* been idle for too long.
*
* @return <CODE>true</CODE> if the user's account is locked because it has
* been idle for too long, or <CODE>false</CODE> if not.
*/
public boolean lockedDueToIdleInterval()
{
{
if (debug)
{
if (debugEnabled())
{
debugInfo("Returning stored result of %b for user %s",
}
}
}
// Return immediately if this feature is disabled, since the feature is not
// responsible for any state attribute in the entry.
{
if (debug)
{
if (debugEnabled())
{
debugInfo("Returning false for user %s because no idle lockout " +
"interval is defined.", userDNString);
}
}
return false;
}
long lockTime = currentTime -
long lastLoginTime = getLastLoginTime();
{
if (debug)
{
if (debugEnabled())
{
if(lastLoginTime > lockTime)
{
}
else
{
if(lastLoginTime < 0)
{
}
"the password changed time is in an acceptable window");
}
debugInfo("Returning false for user %s because %s.",
}
}
}
else
{
if (debug)
{
if (debugEnabled())
{
? "there is no last login time and the password " +
"changed time is not in an acceptable window"
: "neither last login time nor password " +
"changed time are in an acceptable window";
debugInfo("Returning true for user %s because %s.",
}
}
}
}
/**
* Indicates whether the user's password must be changed before any other
* operation can be performed.
*
* @return <CODE>true</CODE> if the user's password must be changed before
* any other operation can be performed.
*/
public boolean mustChangePassword()
{
{
if (debug)
{
if (debugEnabled())
{
debugInfo("Returning stored result of %b for user %s.",
}
}
}
// If the password policy doesn't use force change on add or force change on
// reset, or if it forbids the user from changing his password, then return
// false.
// FIXME: the only getter responsible for a state attribute (pwdReset) that
// considers the policy before checking the entry for the presence of the
// attribute.
if (! (passwordPolicy.allowUserPasswordChanges()
|| passwordPolicy.forceChangeOnReset())))
{
if (debug)
{
if (debugEnabled())
{
debugInfo("Returning false for user %s because neither force " +
"change on add nor force change on reset is enabled, " +
"or users are not allowed to self-modify passwords.",
}
}
return false;
}
{
}
try
{
}
catch (Exception e)
{
if (debugEnabled())
{
}
if (debug)
{
debugWarning("Returning true for user %s because an error occurred: %s",
}
return true;
}
{
if(debug)
{
if (debugEnabled())
{
debugInfo("Returning %b for user since the attribute \"%s\"" +
" is not present in the entry.",
false, userDNString, OP_ATTR_PWPOLICY_RESET_REQUIRED);
}
}
return false;
}
if (debug)
{
if (debugEnabled())
{
debugInfo("Returning %b for user %s.",
}
}
}
/**
* Updates the user entry to indicate whether the user's password must be
* changed.
*
* @param mustChangePassword Indicates whether the user's password must be
* changed.
*/
public void setMustChangePassword(boolean mustChangePassword)
{
if (debug)
{
if (debugEnabled())
{
debugInfo("Updating user %s to set the reset flag to %b",
}
}
if (mustChangePassword == mustChangePassword())
{
return; // requested state matches current state
}
this.mustChangePassword =
{
}
if (mustChangePassword)
{
values);
if (updateEntry)
{
}
else
{
}
}
else
{
// erase
if (updateEntry)
{
}
else
{
}
}
}
/**
* Indicates whether the user's account is locked because the password has
* been reset by an administrator but the user did not change the password in
* a timely manner.
*
* @return <CODE>true</CODE> if the user's account is locked because of the
* maximum reset age, or <CODE>false</CODE> if not.
*/
public boolean lockedDueToMaximumResetAge()
{
// This feature is reponsible for neither a state field nor an entry state
// attribute.
{
if (debug)
{
if (debugEnabled())
{
debugInfo("Returning false for user %s because there is no maximum " +
"reset age.", userDNString);
}
}
return false;
}
if (! mustChangePassword())
{
if (debug)
{
if (debugEnabled())
{
debugInfo("Returning false for user %s because the user's password " +
"has not been reset.", userDNString);
}
}
return false;
}
long maxResetTime = passwordChangedTime +
if (debug)
{
if (debugEnabled())
{
debugInfo("Returning %b for user %s after comparing the current and " +
}
}
return locked;
}
/**
* Retrieves the time that the user's password should expire (if the
* expiration is in the future) or did expire (if the expiration was in the
* past). Note that this method should be called after the
* <CODE>lockedDueToMaximumResetAge</CODE> method because grace logins will
* not be allowed in the case that the maximum reset age has passed whereas
* they may be used for expiration due to maximum password age or forced
* change time.
*
* should not expire.
*/
public long getPasswordExpirationTime()
{
{
boolean checkWarning = false;
if (maxAge > 0)
{
if (expTime < expirationTime)
{
checkWarning = true;
}
}
{
if (expTime < expirationTime)
{
checkWarning = false;
}
}
if (mustChangeTime > 0)
{
long reqChangeTime = getRequiredChangeTime();
if ((reqChangeTime != mustChangeTime) &&
{
checkWarning = true;
}
}
{
expirationTime = -1;
}
else if (checkWarning)
{
if (warningInterval > 0)
{
if (shouldWarnTime > currentTime)
{
// The warning time is in the future, so we know the password isn't
// expired.
}
else
{
// We're at least in the warning period, but the password may be
// expired.
long warnedTime = getWarnedTime();
if (expirationTime > currentTime)
{
// The password is not expired but we should warn the user.
if (warnedTime < 0)
{
{
}
}
else
{
{
}
}
}
else
{
// The expiration time has passed, but we may not actually be
// expired if the user has not yet seen a warning.
{
}
else if (warnedTime > 0)
{
if (expirationTime > currentTime)
{
}
else
{
}
}
else
{
}
}
}
}
else
{
// There will never be a warning, and the user's password may be
// expired.
if (currentTime > expirationTime)
{
}
else
{
}
}
}
else
{
if (expirationTime < currentTime)
{
}
else
{
}
}
}
if (debug)
{
if (debugEnabled())
{
debugInfo("Returning password expiration time of %d for user %s.",
}
}
return expirationTime;
}
/**
* Indicates whether the user's password is currently expired.
*
* @return <CODE>true</CODE> if the user's password is currently expired, or
* <CODE>false</CODE> if not.
*/
public boolean isPasswordExpired()
{
if ((isPasswordExpired == null) ||
{
}
}
/**
* Indicates whether the user's last password change was within the minimum
* password age.
*
* @return <CODE>true</CODE> if the password minimum age is nonzero, the
* account is not in force-change mode, and the last password change
* was within the minimum age, or <CODE>false</CODE> otherwise.
*/
public boolean isWithinMinimumAge()
{
// This feature is reponsible for neither a state field nor entry state
// attribute.
if (minAge <= 0)
{
// There is no minimum age, so the user isn't in it.
if (debug)
{
if (debugEnabled())
{
debugInfo("Returning false because there is no minimum age.");
}
}
return false;
}
{
// It's been long enough since the user changed their password.
if (debug)
{
if (debugEnabled())
{
debugInfo("Returning false because the minimum age has expired.");
}
}
return false;
}
else if (mustChangePassword())
{
// The user is in a must-change mode, so the minimum age doesn't apply.
if (debug)
{
if (debugEnabled())
{
debugInfo("Returning false because the account is in a must-change " +
"state.");
}
}
return false;
}
else
{
// The user is within the minimum age.
if (debug)
{
if (debugEnabled())
{
debugInfo("Returning true.");
}
}
return true;
}
}
/**
* Indicates whether the user may use a grace login if the password is expired
* and there is at least one grace login remaining. Note that this does not
* check to see if the user's password is expired, does not verify that there
* are any remaining grace logins, and does not update the set of grace login
* times.
*
* @return <CODE>true</CODE> if the user may use a grace login if the
* password is expired and there is at least one grace login
* remaining, or <CODE>false</CODE> if the user may not use a grace
* login for some reason.
*/
public boolean mayUseGraceLogin()
{
if ((mayUseGraceLogin == null) ||
{
}
}
/**
* Indicates whether the user should receive a warning notification that the
* password is about to expire.
*
* @return <CODE>true</CODE> if the user should receive a warning
* notification that the password is about to expire, or
* <CODE>false</CODE> if not.
*/
public boolean shouldWarn()
{
{
}
}
/**
* Indicates whether the warning that the user should receive would be the
* first warning for the user.
*
* @return <CODE>true</CODE> if the warning that should be sent to the user
* would be the first warning, or <CODE>false</CODE> if not.
*/
public boolean isFirstWarning()
{
if ((isFirstWarning == null) ||
{
}
}
/**
* Retrieves the length of time in seconds until the user's password expires.
*
* @return The length of time in seconds until the user's password expires,
* 0 if the password is currently expired, or -1 if the password
* should not expire.
*/
public int getSecondsUntilExpiration()
{
long expirationTime = getPasswordExpirationTime();
if (expirationTime < 0)
{
return -1;
}
else if (expirationTime < currentTime)
{
return 0;
}
else
{
}
}
/**
* Retrieves the timestamp for the last required change time that the user
* complied with.
*
* @return The timestamp for the last required change time that the user
* complied with, or -1 if the user's password has not been changed
* in compliance with this configuration.
*/
public long getRequiredChangeTime()
{
{
if (debug)
{
if (debugEnabled())
{
debugInfo("Returning stored required change time of %d for user %s",
}
}
return requiredChangeTime;
}
try
{
}
catch (Exception e)
{
if (debugEnabled())
{
}
requiredChangeTime = -1;
if (debug)
{
debugWarning("Returning %d for user %s because an error occurred: %s",
}
return requiredChangeTime;
}
if (debug)
{
if (debugEnabled())
{
debugInfo("Returning required change time of %d for user %s",
}
}
return requiredChangeTime;
}
/**
* Updates the user entry with a timestamp indicating that the password has
* been changed in accordance with the require change time.
*/
public void setRequiredChangeTime()
{
if (debug)
{
if (debugEnabled())
{
}
}
{
values);
if (updateEntry)
{
}
else
{
}
}
}
/**
* Retrieves the time that the user was first warned about an upcoming
* expiration.
*
* @return The time that the user was first warned about an upcoming
* expiration, or -1 if the user has not been warned.
*/
public long getWarnedTime()
{
{
try
{
}
catch (Exception e)
{
if (debugEnabled())
{
}
if (debug)
{
debugWarning("Unable to decode the warned time for user %s: %s",
}
warnedTime = -1;
}
}
if (debug)
{
if (debugEnabled())
{
debugInfo("Returning a warned time of %d for user %s",
}
}
return warnedTime;
}
/**
* Updates the user entry to set the warned time to the current time.
*/
public void setWarnedTime()
{
long warnTime = getWarnedTime();
if (warnTime == currentTime)
{
if (debug)
{
if (debugEnabled())
{
debugInfo("Not updating warned time for user %s because the warned " +
"time is the same as the current time.", userDNString);
}
}
return;
}
if (updateEntry)
{
}
else
{
}
if (debug)
{
if (debugEnabled())
{
}
}
}
/**
* Updates the user entry to clear the warned time.
*/
public void clearWarnedTime()
{
if (debug)
{
if (debugEnabled())
{
}
}
if (getWarnedTime() < 0)
{
return;
}
warnedTime = -1;
if (updateEntry)
{
}
else
{
}
if (debug)
{
if (debugEnabled())
{
}
}
}
/**
* Retrieves the times that the user has authenticated to the server using a
* grace login.
*
* @return The times that the user has authenticated to the server using a
* grace login.
*/
{
if (graceLoginTimes == null)
{
{
}
try
{
}
catch (Exception e)
{
if (debugEnabled())
{
}
if (debug)
{
debugWarning("Error while processing grace login times " +
"for user %s: %s",
}
if (updateEntry)
{
}
else
{
}
}
}
if (debug)
{
if (debugEnabled())
{
}
}
return graceLoginTimes;
}
/**
* Retrieves the number of grace logins that the user has left.
*
* @return The number of grace logins that the user has left, or -1 if grace
* logins are not allowed.
*/
public int getGraceLoginsRemaining()
{
if (maxGraceLogins <= 0)
{
return -1;
}
}
/**
* Updates the set of grace login times for the user to include the current
* time.
*/
public void updateGraceLoginTimes()
{
if (debug)
{
if (debugEnabled())
{
}
}
long highestGraceTime = -1;
for (Long l : graceTimes)
{
}
if (highestGraceTime >= currentTime)
{
}
else
{
}
{
}
if (updateEntry)
{
for (Long l : graceTimes)
{
}
values);
}
else
{
}
}
/**
* Updates the user entry to remove any record of previous grace logins.
*/
public void clearGraceLoginTimes()
{
if (debug)
{
if (debugEnabled())
{
}
}
if (graceTimes.isEmpty())
{
return;
}
{
}
if (updateEntry)
{
}
else
{
}
}
/**
* Retrieves a list of the clear-text passwords for the user. If the user
* does not have any passwords in the clear, then the list will be empty.
*
* @return A list of the clear-text passwords for the user.
*/
{
{
return clearPasswords;
}
{
for (AttributeValue v : a.getValues())
{
try
{
{
}
else
{
{
}
}
{
if (debug)
{
debugWarning("User entry %s contains a password with scheme %s " +
"that is not defined in the server.",
}
continue;
}
if (scheme.isReversible())
{
}
}
catch (Exception e)
{
if (debugEnabled())
{
}
if (debug)
{
debugWarning("Cannot get clear password value foruser %s: %s",
userDNString, e);
}
}
}
}
return clearPasswords;
}
/**
* Indicates whether the provided password value matches any of the stored
* passwords in the user entry.
*
* @param password The user-provided password to verify.
*
* @return <CODE>true</CODE> if the provided password matches any of the
* stored password values, or <CODE>false</CODE> if not.
*/
{
{
if (debug)
{
if (debugEnabled())
{
debugInfo("Returning false because user %s does not have any " +
"values for password attribute %s",
}
}
return false;
}
{
for (AttributeValue v : a.getValues())
{
try
{
{
}
else
{
{
}
}
{
if (debug)
{
debugWarning("User entry %s contains a password with scheme %s " +
"that is not defined in the server.",
}
continue;
}
boolean passwordMatches = (usesAuthPasswordSyntax)
if (passwordMatches)
{
if (debug)
{
if (debugEnabled())
{
debugInfo("Returning true for user %s because the provided " +
"password matches a value encoded with scheme %s",
}
}
return true;
}
}
catch (Exception e)
{
if (debugEnabled())
{
}
if (debug)
{
debugWarning("An error occurred while attempting to process a " +
"password value for user %s: %s",
}
}
}
}
// If we've gotten here, then we couldn't find a match.
if (debug)
{
if (debugEnabled())
{
debugInfo("Returning false because the provided password does not " +
"match any of the stored password values for user %s",
}
}
return false;
}
/**
* Indicates whether the provided password value is pre-encoded.
*
* @param passwordValue The value for which to make the determination.
*
* @return <CODE>true</CODE> if the provided password value is pre-encoded,
* or <CODE>false</CODE> if it is not.
*/
{
{
}
else
{
}
}
/**
* Encodes the provided password using the default storage schemes (using the
* appropriate syntax for the password attribute).
*
* @param password The password to be encoded.
*
* @return The password encoded using the default schemes.
*
* @throws DirectoryException If a problem occurs while attempting to encode
* the password.
*/
throws DirectoryException
{
{
for (PasswordStorageScheme s : schemes)
{
}
}
else
{
for (PasswordStorageScheme s : schemes)
{
}
}
return encodedPasswords;
}
/**
* Indicates whether the provided password appears to be acceptable according
* to the password validators.
*
* @param operation The operation that provided the password.
* @param userEntry The user entry in which the password is used.
* @param newPassword The password to be validated.
* @param currentPasswords The set of clear-text current passwords for the
* user (this may be a subset if not all of them are
* available in the clear, or empty if none of them
* are available in the clear).
* @param invalidReason A buffer that may be used to hold the invalid
* reason if the password is rejected.
*
* @return <CODE>true</CODE> if the password is acceptable for use, or
* <CODE>false</CODE> if it is not.
*/
{
{
{
if (debug)
{
if (debugEnabled())
{
debugInfo("The password provided for user %s failed the %s " +
}
}
return false;
}
else
{
if (debug)
{
if (debugEnabled())
{
debugInfo("The password provided for user %s passed the %s " +
}
}
}
}
return true;
}
/**
* Performs any processing that may be necessary to remove deprecated storage
* schemes from the user's entry that match the provided password and
* re-encodes them using the default schemes.
*
* @param password The clear-text password provided by the user.
*/
{
{
if (debug)
{
if (debugEnabled())
{
debugInfo("Doing nothing for user %s because no " +
"deprecated storage schemes have been defined.", userDNString);
}
}
return;
}
{
if (debug)
{
if (debugEnabled())
{
debugInfo("Doing nothing for entry %s because no password values " +
"were found.", userDNString);
}
}
return;
}
new LinkedHashSet<AttributeValue>();
new LinkedHashSet<AttributeValue>();
{
{
try
{
{
}
else
{
{
}
}
{
if (debug)
{
debugWarning("Skipping password value for user %s because the " +
"associated storage scheme %s is not configured for use.",
}
continue;
}
boolean passwordMatches = (usesAuthPasswordSyntax)
if (passwordMatches)
{
{
updatedValues.add(v);
}
{
if (debug)
{
if (debugEnabled())
{
debugInfo("Marking password with scheme %s for removal " +
}
}
removedValues.add(v);
}
else
{
updatedValues.add(v);
}
}
}
catch (Exception e)
{
if (debugEnabled())
{
}
if (debug)
{
debugWarning("Skipping password value for user %s because an " +
"error occurred while attempting to decode it " +
"based on the user password syntax: %s",
}
}
}
}
if (removedValues.isEmpty())
{
if (debug)
{
if (debugEnabled())
{
debugInfo("User entry %s does not have any password values " +
"encoded using deprecated schemes.", userDNString);
}
}
return;
}
for (PasswordStorageScheme s :
{
if (! existingDefaultSchemes.contains(
toLowerCase(s.getStorageSchemeName())))
{
try
{
addedValues.add(v);
updatedValues.add(v);
}
catch (Exception e)
{
if (debugEnabled())
{
}
if (debug)
{
debugWarning("Unable to encode password for user %s using " +
"default scheme %s: %s",
}
}
}
}
if (updatedValues.isEmpty())
{
if (debug)
{
debugWarning("Not updating user entry %s because removing " +
"deprecated schemes would leave the user without a password.",
}
return;
}
if (updateEntry)
{
}
else
{
if (! addedValues.isEmpty())
{
}
}
if (debug)
{
if (debugEnabled())
{
debugInfo("Updating user entry %s to replace password values " +
"encoded with deprecated schemes with values encoded " +
"with the default schemes.", userDNString);
}
}
}
/**
* Generates a new password for the user.
*
* @return The new password that has been generated, or <CODE>null</CODE> if
* no password generator has been defined.
*
* @throws DirectoryException If an error occurs while attempting to
* generate the new password.
*/
public ByteString generatePassword()
throws DirectoryException
{
{
if (debug)
{
debugWarning("Unable to generate a new password for user %s because " +
"no password generator has been defined in the associated " +
"password policy.",
}
return null;
}
}
/**
* Generates an account status notification for this user.
*
* @param notificationType The type for the account status notification.
* @param userDN The DN of the user entry to which this
* notification applies.
* @param messageID The unique ID for the notification.
* @param message The human-readable message for the notification.
*/
public void generateAccountStatusNotification(
{
{
return;
}
{
message);
}
}
/**
* Generates an account status notification for this user.
*
* @param notification The account status notification that should be
* generated.
*/
public void generateAccountStatusNotification(
{
{
return;
}
{
}
}
/**
* Retrieves the set of modifications that correspond to changes made in
* password policy processing that may need to be applied to the user entry.
*
* @return The set of modifications that correspond to changes made in
* password policy processing that may need to be applied to the user
* entry.
*/
{
return modifications;
}
/**
* Performs an internal modification to update the user's entry, if necessary.
* This will do nothing if no modifications are required.
*
* @throws DirectoryException If a problem occurs while processing the
* internal modification.
*/
public void updateUserEntry()
throws DirectoryException
{
// If there are no modifications, then there's nothing to do.
if (modifications.isEmpty())
{
return;
}
// Convert the set of modifications to a set of LDAP modifications.
for (Modification m : modifications)
{
new LDAPAttribute(m.getAttribute())));
}
{
}
}
}