/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at legal-notices/CDDLv1_0.txt.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information:
* Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*
*
* Copyright 2006-2009 Sun Microsystems, Inc.
* Portions Copyright 2011-2013 ForgeRock AS
*/
/**
* This class implements an LDAP extended operation that can be used to query
* and update elements of the Directory Server password policy state for a given
* user. The ASN.1 definition for the value of the extended request is:
* <BR>
* <PRE>
* PasswordPolicyStateValue ::= SEQUENCE {
* targetUser LDAPDN
* operations SEQUENCE OF PasswordPolicyStateOperation OPTIONAL }
*
* PasswordPolicyStateOperation ::= SEQUENCE {
* opType ENUMERATED {
* getPasswordPolicyDN (0),
* getAccountDisabledState (1),
* setAccountDisabledState (2),
* clearAccountDisabledState (3),
* getAccountExpirationTime (4),
* setAccountExpirationTime (5),
* clearAccountExpirationTime (6),
* getSecondsUntilAccountExpiration (7),
* getPasswordChangedTime (8),
* setPasswordChangedTime (9),
* clearPasswordChangedTime (10),
* getPasswordExpirationWarnedTime (11),
* setPasswordExpirationWarnedTime (12),
* clearPasswordExpirationWarnedTime (13),
* getSecondsUntilPasswordExpiration (14),
* getSecondsUntilPasswordExpirationWarning (15),
* getAuthenticationFailureTimes (16),
* addAuthenticationFailureTime (17),
* setAuthenticationFailureTimes (18),
* clearAuthenticationFailureTimes (19),
* getSecondsUntilAuthenticationFailureUnlock (20),
* getRemainingAuthenticationFailureCount (21),
* getLastLoginTime (22),
* setLastLoginTime (23),
* clearLastLoginTime (24),
* getSecondsUntilIdleLockout (25),
* getPasswordResetState (26),
* setPasswordResetState (27),
* clearPasswordResetState (28),
* getSecondsUntilPasswordResetLockout (29),
* getGraceLoginUseTimes (30),
* addGraceLoginUseTime (31),
* setGraceLoginUseTimes (32),
* clearGraceLoginUseTimes (33),
* getRemainingGraceLoginCount (34),
* getPasswordChangedByRequiredTime (35),
* setPasswordChangedByRequiredTime (36),
* clearPasswordChangedByRequiredTime (37),
* getSecondsUntilRequiredChangeTime (38),
* getPasswordHistory (39),
* clearPasswordHistory (40),
* ... },
* opValues SEQUENCE OF OCTET STRING OPTIONAL }
* </PRE>
* <BR>
* Both the request and response values use the same encoded form, and they both
* use the same OID of "1.3.6.1.4.1.26027.1.6.1". The response value will only
* include get* elements. If the request did not include any operations, then
* the response will include all get* elements; otherwise, the response will
* only include the get* elements that correspond to the state fields referenced
* in the request (regardless of whether that operation was included in a get*,
* set*, add*, remove*, or clear* operation).
*/
public class PasswordPolicyStateExtendedOperation
extends ExtendedOperationHandler<
{
/**
* The tracer object for the debug logger.
*/
/** The enumerated value for the getPasswordPolicyDN operation. */
/** The enumerated value for the getAccountDisabledState operation. */
/** The enumerated value for the setAccountDisabledState operation. */
/** The enumerated value for the clearAccountDisabledState operation. */
/** The enumerated value for the getAccountExpirationTime operation. */
/** The enumerated value for the setAccountExpirationTime operation. */
/** The enumerated value for the clearAccountExpirationTime operation. */
/**
* The enumerated value for the getSecondsUntilAccountExpiration operation.
*/
/** The enumerated value for the getPasswordChangedTime operation. */
/** The enumerated value for the setPasswordChangedTime operation. */
/** The enumerated value for the clearPasswordChangedTime operation. */
/** The enumerated value for the getPasswordExpirationWarnedTime operation. */
/** The enumerated value for the setPasswordExpirationWarnedTime operation. */
/**
* The enumerated value for the clearPasswordExpirationWarnedTime operation.
*/
/**
* The enumerated value for the getSecondsUntilPasswordExpiration operation.
*/
/**
* The enumerated value for the getSecondsUntilPasswordExpirationWarning
* operation.
*/
/** The enumerated value for the getAuthenticationFailureTimes operation. */
/** The enumerated value for the addAuthenticationFailureTime operation. */
/** The enumerated value for the setAuthenticationFailureTimes operation. */
/** The enumerated value for the clearAuthenticationFailureTimes operation. */
/**
* The enumerated value for the getSecondsUntilAuthenticationFailureUnlock
* operation.
*/
public static final int OP_GET_SECONDS_UNTIL_AUTHENTICATION_FAILURE_UNLOCK =
20;
/**
* The enumerated value for the getRemainingAuthenticationFailureCount
* operation.
*/
/** The enumerated value for the getLastLoginTime operation. */
/** The enumerated value for the setLastLoginTime operation. */
/** The enumerated value for the clearLastLoginTime operation. */
/** The enumerated value for the getSecondsUntilIdleLockout operation. */
/** The enumerated value for the getPasswordResetState operation. */
/** The enumerated value for the setPasswordResetState operation. */
/** The enumerated value for the clearPasswordResetState operation. */
/**
* The enumerated value for the getSecondsUntilPasswordResetLockout operation.
*/
/** The enumerated value for the getGraceLoginUseTimes operation. */
/** The enumerated value for the addGraceLoginUseTime operation. */
/** The enumerated value for the setGraceLoginUseTimes operation. */
/** The enumerated value for the clearGraceLoginUseTimes operation. */
/** The enumerated value for the getRemainingGraceLoginCount operation. */
/**
* The enumerated value for the getPasswordChangedByRequiredTime operation.
*/
/**
* The enumerated value for the setPasswordChangedByRequiredTime operation.
*/
/**
* The enumerated value for the clearPasswordChangedByRequiredTime operation.
*/
/**
* The enumerated value for the getSecondsUntilRequiredChangeTime operation.
*/
/** The enumerated value for the getPasswordHistory operation. */
/** The enumerated value for the clearPasswordHistory operation. */
/** The set of attributes to request when retrieving a user's entry. */
/** The search filter that will be used to retrieve user entries. */
private boolean isAccountSetDisabled;
private boolean isAccountSetEnabled;
/**
* Create an instance of this password policy state extended operation. All
* initialization should be performed in the
* {@code initializeExtendedOperationHandler} method.
*/
public PasswordPolicyStateExtendedOperation()
{
super();
}
/**
* Initializes this extended operation handler based on the information in the
* provided configuration entry. It should also register itself with the
* Directory Server for the particular kinds of extended operations that it
* will process.
*
* @param config The configuration that contains the information
* to use to initialize this extended operation handler.
*
* @throws ConfigException If an unrecoverable problem arises in the
* process of performing the initialization.
*
* @throws InitializationException If a problem occurs during initialization
* that is not related to the server
* configuration.
*/
public void initializeExtendedOperationHandler(
{
// Construct the filter that will be used to retrieve user entries.
try
{
}
catch (Exception e)
{
// This should never happen.
if (debugEnabled())
{
}
}
// Construct the set of request attributes.
this);
// FIXME registerControlAndFeatures?
}
/**
* Processes the provided extended operation.
*
* @param operation The extended operation to be processed.
*/
{
// The user must have the password-reset privilege in order to be able to do
// anything with this extended operation.
{
return;
}
// There must be a request value, and it must be a sequence. Decode it
// into its components.
if (requestValue == null)
{
return;
}
try
{
}
catch (Exception e)
{
if (debugEnabled())
{
}
return;
}
// Decode the DN and get the corresponding user entry.
try
{
}
catch (DirectoryException de)
{
if (debugEnabled())
{
}
return;
}
{
}
{
return;
}
// Get the password policy state for the user entry.
try
{
false);
if (!policy.isPasswordPolicy())
{
return;
}
}
catch (DirectoryException de)
{
if (debugEnabled())
{
}
return;
}
isAccountSetDisabled = false;
isAccountSetEnabled = false;
// Create a hash set that will be used to hold the types of the return
// types that should be included in the response.
boolean returnAll;
try
{
if (!reader.hasNextElement())
{
// There is no operations sequence.
returnAll = true;
}
{
// There is an operations sequence but its empty.
returnAll = true;
}
else
{
returnAll = false;
while(reader.hasNextElement())
{
int opType;
if (!reader.hasNextElement())
{
// There is no values sequence
}
{
// There is a values sequence but its empty
}
else
{
while (reader.hasNextElement())
{
}
}
{
return;
}
}
}
// If there are any modifications that need to be made to the password
// policy state, then apply them now.
{
{
return;
}
// Retrieve the updated entry
{
return;
}
// And it's updated password policy state
try
{
// We should not need to re-fetch the password policy.
}
catch (DirectoryException de)
{
if (debugEnabled())
{
}
return;
}
}
}
catch (Exception e)
{
if (debugEnabled())
{
}
e.getLocalizedMessage());
return;
}
try
{
// Construct the sequence of values to return.
}
catch(Exception e)
{
// TODO: Need a better message
e.getLocalizedMessage());
}
// Post AccountStatus Notifications if needed.
if (isAccountSetDisabled)
{
}
if (isAccountSetEnabled)
{
}
}
/**
* Searches and returns the entry referenced by targetDN. If there's not
* exactly one entry found, an error is reported for the operation.
*
* @param conn The internal connection used to issue the search
* @param operation The extended operation being processed
* @param targetDN The DN targeted by this operation
*
* @return the Entry if one and only one is found, null otherwise
*/
{
{
return null;
}
if (matchingEntries.isEmpty())
{
return null;
}
{
return null;
}
else
{
}
return entry;
}
/**
* Encodes the provided information in a form suitable for including in the
* response value.
*
* @param writer The ASN1Writer to use to encode.
* @param opType The operation type to use for the value.
* @param value The single value to include in the response.
*
* @throws IOException if an error occurs while encoding.
*/
throws IOException
{
{
}
}
/**
* Encodes the provided information in a form suitable for including in the
* response value.
*
* @param writer The ASN1Writer to use to encode.
* @param opType The operation type to use for the value.
* @param values The set of string values to include in the response.
*
* @throws IOException if an error occurs while encoding.
*/
throws IOException
{
{
{
}
}
}
/**
* Encodes the provided information in a form suitable for including in the
* response value.
*
* @param writer The ASN1Writer to use to encode.
* @param opType The operation type to use for the value.
* @param values The set of timestamp values to include in the response.
*
* @throws IOException if an error occurs while encoding.
*/
throws IOException
{
{
for (long l : values)
{
}
}
}
throws IOException
{
{
}
{
}
{
if (expTime < 0)
{
expTimeStr = null;
}
else
{
}
}
if (returnAll ||
{
if (expTime >= 0)
{
if (seconds > 0)
{
}
}
}
{
if (changedTime < 0)
{
}
else
{
}
}
if (returnAll ||
{
if (warnedTime < 0)
{
}
else
{
}
}
if (returnAll ||
{
if (secondsUntilExp < 0)
{
secondsStr = null;
}
else
{
}
}
if (returnAll ||
{
if (secondsUntilExp < 0)
{
secondsStr = null;
}
else
{
if (secondsUntilWarning <= 0)
{
secondsStr = "0";
}
else
{
}
}
}
{
}
{
// We have to check whether the account is locked due to failures before
// we can get the length of time until the account is unlocked.
if (pwpState.lockedDueToFailures())
{
if (seconds <= 0)
{
secondsStr = null;
}
else
{
}
}
else
{
secondsStr = null;
}
}
if (returnAll ||
{
if (allowedFailureCount > 0)
{
int remainingFailures =
if (remainingFailures < 0)
{
remainingFailures = 0;
}
}
else
{
}
}
{
if (lastLoginTime < 0)
{
}
else
{
}
}
{
if (lockoutInterval > 0)
{
if (lastLoginTime < 0)
{
secondsStr = "0";
}
else
{
if (secondsUntilLockout <= 0)
{
secondsStr = "0";
}
else
{
}
}
}
else
{
secondsStr = null;
}
}
{
}
if (returnAll ||
{
if (pwpState.mustChangePassword())
{
if (maxAge > 0)
{
if (timeToLockout <= 0)
{
secondsStr = "0";
}
else
{
}
}
else
{
secondsStr = null;
}
}
else
{
secondsStr = null;
}
}
{
}
{
if (remainingGraceLogins <= 0)
{
remainingStr = "0";
}
else
{
}
}
if (returnAll ||
{
if (requiredChangeTime < 0)
{
}
else
{
}
}
if (returnAll ||
{
if (policyRequiredChangeTime > 0)
{
{
secondsStr = null;
}
else
{
if (currentTime >= policyRequiredChangeTime)
{
secondsStr = "0";
}
else
{
}
}
}
else
{
secondsStr = null;
}
}
{
}
return builder.toByteString();
}
{
switch (opType)
{
break;
break;
{
return false;
}
{
return false;
}
else
{
{
pwpState.setDisabled(true);
isAccountSetDisabled = true;
}
{
pwpState.setDisabled(false);
isAccountSetEnabled = true;
}
else
{
return false;
}
}
break;
pwpState.setDisabled(false);
isAccountSetEnabled = true;
break;
break;
{
}
{
return false;
}
else
{
try
{
}
catch (DirectoryException de)
{
de.getMessageObject()));
return false;
}
}
break;
break;
break;
break;
{
}
{
return false;
}
else
{
try
{
}
catch (DirectoryException de)
{
de.getMessageObject()));
return false;
}
}
break;
break;
break;
{
}
{
return false;
}
else
{
try
{
}
catch (DirectoryException de)
{
de.getMessageObject()));
return false;
}
}
break;
break;
break;
break;
break;
{
{
break;
}
}
{
return false;
}
else
{
try
{
}
catch (DirectoryException de)
{
de.getMessageObject());
return false;
}
}
break;
{
}
else
{
{
try
{
ByteString.valueOf(s)));
}
catch (DirectoryException de)
{
s,
de.getMessageObject());
return false;
}
}
}
break;
break;
break;
break;
case OP_GET_LAST_LOGIN_TIME:
break;
case OP_SET_LAST_LOGIN_TIME:
{
}
{
return false;
}
else
{
try
{
}
catch (DirectoryException de)
{
de.getMessageObject()));
return false;
}
}
break;
case OP_CLEAR_LAST_LOGIN_TIME:
break;
break;
break;
{
return false;
}
{
return false;
}
else
{
{
pwpState.setMustChangePassword(true);
}
{
pwpState.setMustChangePassword(false);
}
else
{
return false;
}
}
break;
pwpState.setMustChangePassword(false);
break;
break;
break;
{
}
{
return false;
}
else
{
try
{
}
catch (DirectoryException de)
{
de.getMessageObject());
return false;
}
}
break;
{
}
else
{
{
try
{
ByteString.valueOf(s)));
}
catch (DirectoryException de)
{
s, de.getMessageObject());
return false;
}
}
}
break;
break;
break;
break;
{
}
{
return false;
}
else
{
try
{
}
catch (DirectoryException de)
{
de.getMessageObject()));
return false;
}
}
break;
break;
break;
case OP_GET_PASSWORD_HISTORY:
break;
break;
default:
return false;
}
return true;
}
/** {@inheritDoc} */
{
return OID_PASSWORD_POLICY_STATE_EXTOP;
}
/** {@inheritDoc} */
{
return "Password Policy State";
}
}