Class PasswordPolicyState


  • public final class PasswordPolicyState
    extends AuthenticationPolicyState
    This class provides a data structure for holding password policy state information for a user account.
    • Method Detail

      • getPasswordChangedTime

        public long getPasswordChangedTime()
        Retrieves the time that the password was last changed.
        Returns:
        The time that the password was last changed.
      • getCurrentTime

        public long getCurrentTime()
        Retrieves the time that this password policy state object was created.
        Returns:
        The time that this password policy state object was created.
      • getPasswordValues

        public Collection<ByteString> getPasswordValues()
        Retrieves the unmodifiable set of values for the password attribute from the user entry.
        Returns:
        The unmodifiable set of values for the password attribute from the user entry.
      • setPasswordChangedTime

        public void setPasswordChangedTime()
        Sets a new value for the password changed time equal to the current time.
      • setPasswordChangedTime

public void setPasswordChangedTime(long passwordChangedTime)
        Sets a new value for the password changed time equal to the specified time. This method should generally only be used for testing purposes, since the variant that uses the current time is preferred almost everywhere else.
        Parameters:
        passwordChangedTime - The time to use
      • clearPasswordChangedTime

        public void clearPasswordChangedTime()
Removes the password changed time value from the user's entry. This should only be used for testing purposes, since removing the value leaves the account's password-age state inconsistent unless it is set again.
      • setDisabled

public void setDisabled(boolean isDisabled)
        Updates the user entry to indicate whether user account has been administratively disabled.
        Parameters:
        isDisabled - Indicates whether the user account has been administratively disabled.
      • isAccountExpired

        public boolean isAccountExpired()
        Indicates whether the user's account is currently expired.
        Returns:
        true if the user's account is expired, or false if not.
      • getAccountExpirationTime

        public long getAccountExpirationTime()
        Retrieves the time at which the user's account will expire.
        Returns:
        The time at which the user's account will expire, or -1 if it is not configured with an expiration time.
      • setAccountExpirationTime

public void setAccountExpirationTime(long accountExpirationTime)
        Sets the user's account expiration time to the specified value.
        Parameters:
        accountExpirationTime - The time that the user's account should expire.
      • clearAccountExpirationTime

        public void clearAccountExpirationTime()
        Clears the user's account expiration time.
      • getAuthFailureTimes

        public List<Long> getAuthFailureTimes()
        Retrieves the set of times of failed authentication attempts for the user. If authentication failure time expiration is enabled, and there are expired times in the entry, these times are removed from the instance field and an update is provided to delete those values from the entry.
        Returns:
        The set of times of failed authentication attempts for the user, which will be an empty list in the case of no valid (unexpired) times in the entry.
      • updateAuthFailureTimes

        public void updateAuthFailureTimes()
Updates the set of authentication failure times to include the current time. If the number of failures reaches the limit configured in the policy, the account is locked.
      • setAuthFailureTimes

public void setAuthFailureTimes(List<Long> authFailureTimes)
        Explicitly specifies the auth failure times for the associated user. This should generally only be used for testing purposes. Note that it will also set or clear the locked time as appropriate.
        Parameters:
        authFailureTimes - The set of auth failure times to use for the account. An empty list or null will clear the account of any existing failures.
      • lockedDueToFailures

        public boolean lockedDueToFailures()
        Indicates whether the associated user should be considered locked out as a result of too many authentication failures. In the case of an expired lock-out, this routine produces the update to clear the lock-out attribute and the authentication failure timestamps. In case the failure lockout time is absent from the entry, but sufficient authentication failure timestamps are present in the entry, this routine produces the update to set the lock-out attribute.
        Returns:
        true if the user is currently locked out due to too many authentication failures, or false if not.
      • getSecondsUntilUnlock

        public int getSecondsUntilUnlock()
        Retrieves the length of time in seconds until the user's account is automatically unlocked. This should only be called after calling lockedDueToFailures().
        Returns:
        The length of time in seconds until the user's account is automatically unlocked, or -1 if the account is not locked or the lockout requires administrative action to clear.
      • clearFailureLockout

        public void clearFailureLockout()
        Updates the user account to remove any record of a previous lockout due to failed authentications.
      • getLastLoginTime

        public long getLastLoginTime()
        Retrieves the time that the user last authenticated to the Directory Server.
        Returns:
        The time that the user last authenticated to the Directory Server, or -1 if it cannot be determined.
      • setLastLoginTime

        public void setLastLoginTime()
        Updates the user entry to set the current time as the last login time.
      • setLastLoginTime

public void setLastLoginTime(long lastLoginTime)
        Updates the user entry to use the specified last login time. This should be used primarily for testing purposes, as the variant that uses the current time should be used most of the time.
        Parameters:
        lastLoginTime - The last login time to set in the user entry.
      • clearLastLoginTime

        public void clearLastLoginTime()
        Clears the last login time from the user's entry. This should generally be used only for testing purposes.
      • lockedDueToIdleInterval

        public boolean lockedDueToIdleInterval()
        Indicates whether the user's account is currently locked because it has been idle for too long.
        Returns:
        true if the user's account is locked because it has been idle for too long, or false if not.
      • mustChangePassword

        public boolean mustChangePassword()
        Indicates whether the user's password must be changed before any other operation can be performed.
        Returns:
        true if the user's password must be changed before any other operation can be performed.
      • setMustChangePassword

public void setMustChangePassword(boolean mustChangePassword)
        Updates the user entry to indicate whether the user's password must be changed.
        Parameters:
        mustChangePassword - Indicates whether the user's password must be changed.
      • lockedDueToMaximumResetAge

        public boolean lockedDueToMaximumResetAge()
        Indicates whether the user's account is locked because the password has been reset by an administrator but the user did not change the password in a timely manner.
        Returns:
true if the user's account is locked because of the maximum reset age, or false if not.
      • isLocked

        public boolean isLocked()
        Returns whether the account was locked for any reason.
        Returns:
        true if the account is locked, false otherwise
      • getPasswordExpirationTime

        public long getPasswordExpirationTime()
Retrieves the time that the user's password should expire (if the expiration is in the future) or did expire (if the expiration was in the past). This method should be called after lockedDueToMaximumResetAge, because grace logins are never allowed once the maximum reset age has passed, whereas they may be used when the expiration is due to the maximum password age or a forced change time.
        Returns:
        The time that the user's password should/did expire, or -1 if it should not expire.
      • isPasswordExpired

        public boolean isPasswordExpired()
        Indicates whether the user's password is currently expired.
        Returns:
        true if the user's password is currently expired, or false if not.
      • isWithinMinimumAge

        public boolean isWithinMinimumAge()
        Indicates whether the user's last password change was within the minimum password age.
        Returns:
        true if the password minimum age is nonzero, the account is not in force-change mode, and the last password change was within the minimum age, or false otherwise.
      • mayUseGraceLogin

        public boolean mayUseGraceLogin()
        Indicates whether the user may use a grace login if the password is expired and there is at least one grace login remaining. Note that this does not check to see if the user's password is expired, does not verify that there are any remaining grace logins, and does not update the set of grace login times.
        Returns:
        true if the user may use a grace login if the password is expired and there is at least one grace login remaining, or false if the user may not use a grace login for some reason.
      • shouldWarn

        public boolean shouldWarn()
        Indicates whether the user should receive a warning notification that the password is about to expire.
        Returns:
        true if the user should receive a warning notification that the password is about to expire, or false if not.
      • isFirstWarning

        public boolean isFirstWarning()
        Indicates whether the warning that the user should receive would be the first warning for the user.
        Returns:
        true if the warning that should be sent to the user would be the first warning, or false if not.
      • getSecondsUntilExpiration

        public int getSecondsUntilExpiration()
        Retrieves the length of time in seconds until the user's password expires.
        Returns:
        The length of time in seconds until the user's password expires, 0 if the password is currently expired, or -1 if the password should not expire.
      • getRequiredChangeTime

        public long getRequiredChangeTime()
        Retrieves the timestamp for the last required change time that the user complied with.
        Returns:
        The timestamp for the last required change time that the user complied with, or -1 if the user's password has not been changed in compliance with this configuration.
      • setRequiredChangeTime

        public void setRequiredChangeTime()
Updates the user entry with a timestamp indicating that the password has been changed in accordance with the required change time.
      • setRequiredChangeTime

public void setRequiredChangeTime(long requiredChangeTime)
        Updates the user entry with a timestamp indicating that the password has been changed in accordance with the required change time.
        Parameters:
        requiredChangeTime - The timestamp to use for the required change time value.
      • clearRequiredChangeTime

        public void clearRequiredChangeTime()
        Updates the user entry to remove any timestamp indicating that the password has been changed in accordance with the required change time.
      • getWarnedTime

        public long getWarnedTime()
        Retrieves the time that the user was first warned about an upcoming expiration.
        Returns:
        The time that the user was first warned about an upcoming expiration, or -1 if the user has not been warned.
      • setWarnedTime

        public void setWarnedTime()
        Updates the user entry to set the warned time to the current time.
      • setWarnedTime

public void setWarnedTime(long warnedTime)
        Updates the user entry to set the warned time to the specified time. This method should generally only be used for testing purposes, since the variant that uses the current time is preferred almost everywhere else.
        Parameters:
        warnedTime - The value to use for the warned time.
      • clearWarnedTime

        public void clearWarnedTime()
        Updates the user entry to clear the warned time.
      • getGraceLoginTimes

        public List<Long> getGraceLoginTimes()
        Retrieves the times that the user has authenticated to the server using a grace login.
        Returns:
        The times that the user has authenticated to the server using a grace login.
      • getGraceLoginsRemaining

        public int getGraceLoginsRemaining()
        Retrieves the number of grace logins that the user has left.
        Returns:
        The number of grace logins that the user has left, or -1 if grace logins are not allowed.
      • updateGraceLoginTimes

        public void updateGraceLoginTimes()
        Updates the set of grace login times for the user to include the current time.
      • setGraceLoginTimes

public void setGraceLoginTimes(List<Long> graceLoginTimes)
        Specifies the set of grace login use times for the associated user. If the provided list is empty or null, then the set will be cleared.
        Parameters:
        graceLoginTimes - The grace login use times for the associated user.
      • clearGraceLoginTimes

        public void clearGraceLoginTimes()
        Updates the user entry to remove any record of previous grace logins.
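The failure-lockout, last-login, expiration and grace-login methods above are meant to be consulted in a particular order during a bind. The following is an added example, not OpenDJ's own code, of a bind handler that applies that order; it assumes the caller has already obtained the PasswordPolicyState for the user entry, and the package names in the imports are assumed.

```java
import org.forgerock.opendj.ldap.ByteString;
import org.opends.server.core.PasswordPolicyState;   // package assumed

/** Added example: evaluating a simple bind against the user's password policy state. */
public final class BindDecision {

  /** Outcome of the evaluation; the caller maps it to an LDAP result code. */
  public enum Result { SUCCESS, GRACE_LOGIN, LOCKED, EXPIRED, INVALID_CREDENTIALS, UNAVAILABLE }

  public static Result evaluate(PasswordPolicyState pps, ByteString providedPassword) {
    // 1. Account-level conditions that do not depend on the password at all.
    if (pps.isAccountExpired() || pps.lockedDueToIdleInterval()) {
      return Result.UNAVAILABLE;
    }
    // 2. Failure lockout. lockedDueToFailures() must run before getSecondsUntilUnlock();
    //    it also queues the modification that clears an already expired lockout.
    if (pps.lockedDueToFailures()) {
      int wait = pps.getSecondsUntilUnlock();   // -1: an administrator must unlock
      System.out.printf("account locked, seconds until unlock: %d%n", wait);
      return Result.LOCKED;
    }
    // 3. Credential check. Record the failure before returning so the failure
    //    counter, and at the configured limit the lockout itself, is updated.
    if (!pps.passwordMatches(providedPassword)) {
      pps.updateAuthFailureTimes();
      return Result.INVALID_CREDENTIALS;
    }
    // 4. Successful match: drop any stale failure record and note the login time.
    pps.clearFailureLockout();
    pps.setLastLoginTime();
    // 5. Expiration. lockedDueToMaximumResetAge() is checked before the expiration
    //    methods, as documented, because a lapsed reset age forbids grace logins.
    if (pps.lockedDueToMaximumResetAge()) {
      return Result.EXPIRED;
    }
    if (pps.isPasswordExpired()) {
      // mayUseGraceLogin() neither counts remaining logins nor records the use,
      // so both are done explicitly here.
      if (pps.mayUseGraceLogin() && pps.getGraceLoginsRemaining() > 0) {
        pps.updateGraceLoginTimes();
        return Result.GRACE_LOGIN;   // caller should force a password change next
      }
      return Result.EXPIRED;
    }
    if (pps.shouldWarn()) {
      if (pps.isFirstWarning()) {
        pps.setWarnedTime();         // starts the warning period for this user
      }
      System.out.printf("password expires in %d s%n", pps.getSecondsUntilExpiration());
    }
    // 6. Re-encode any password stored with a deprecated scheme while the clear
    //    value is available.
    pps.handleDeprecatedStorageSchemes(providedPassword);
    // Every step above only queues changes: the caller must apply
    // pps.getModifications() to the user entry for them to take effect.
    return Result.SUCCESS;
  }
}
```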
      • getClearPasswords

        public List<ByteString> getClearPasswords()
        Retrieves a list of the clear-text passwords for the user. If the user does not have any passwords in the clear, then the list will be empty.
        Returns:
        A list of the clear-text passwords for the user.
      • getScramCredentials

public List<ScramCredential> getScramCredentials(String scramMechanism)
        Retrieves a list of the SCRAM credentials for the user, or an empty list if the user does not have any.
        Parameters:
        scramMechanism - The name of the SCRAM mechanism. Only SCRAM credentials compatible with the mechanism will be returned.
        Returns:
        A list of the SCRAM credentials for the user.
      • passwordMatches

public boolean passwordMatches(ByteString password)
        Description copied from class: AuthenticationPolicyState
        Returns true if the provided password value matches any of the user's passwords.
        Specified by:
        passwordMatches in class AuthenticationPolicyState
        Parameters:
        password - The user-provided password to verify.
        Returns:
        true if the provided password value matches any of the user's passwords.
      • passwordMatches

public boolean passwordMatches(ByteString password,
                                       Entry entry)
        Returns true if the provided password value matches any of the user's passwords in the given entry.
        Parameters:
        password - The user-provided password to verify.
        entry - The user's entry.
        Returns:
        true if the provided password value matches any of the user's passwords.
      • passwordIsPreEncoded

public boolean passwordIsPreEncoded(ByteString passwordValue)
        Indicates whether the provided password value is pre-encoded.
        Parameters:
        passwordValue - The value for which to make the determination.
        Returns:
        true if the provided password value is pre-encoded, or false if it is not.
      • encodePassword

public List<ByteString> encodePassword(ByteString password)
                                        throws LdapException
        Encodes the provided password using the default storage schemes (using the appropriate syntax for the password attribute).
        Parameters:
        password - The password to be encoded.
        Returns:
        The password encoded using the default schemes.
        Throws:
        LdapException - If a problem occurs while attempting to encode the password.
      • passwordIsAcceptable

public boolean passwordIsAcceptable(ByteString newPassword,
                                            Set<ByteString> currentPasswords,
                                            Operation operation,
                                            Entry userEntry,
                                            LocalizableMessageBuilder invalidReason)
        Indicates whether the provided password appears to be acceptable according to the password validators, and adds a PasswordQualityAdviceResponseControl to the operation's response if requested.
        Parameters:
        newPassword - The password to be validated.
        currentPasswords - The set of clear-text current passwords for the user (this may be a subset if not all of them are available in the clear, or empty if none of them are available in the clear).
        operation - The operation that provided the password.
        userEntry - The user entry in which the password is used.
        invalidReason - A buffer that may be used to hold the invalid reason if the password is rejected.
        Returns:
        true if the password is acceptable for use, or false if it is not.
      • handleDeprecatedStorageSchemes

public void handleDeprecatedStorageSchemes(ByteString password)
        Performs any processing that may be necessary to remove deprecated storage schemes from the user's entry that match the provided password and re-encodes them using the default schemes.
        Parameters:
        password - The clear-text password provided by the user.
      • maintainHistory

        public boolean maintainHistory()
        Indicates whether password history information should be maintained for this user.
        Returns:
        true if password history information should be maintained for this user, or false if not.
      • isPasswordInHistory

public boolean isPasswordInHistory(ByteString password)
        Indicates whether the provided password is equal to any of the current passwords, or any of the passwords in the history.
        Parameters:
        password - The password for which to make the determination.
        Returns:
        true if the provided password is equal to any of the current passwords or any of the passwords in the history, or false if not.
      • updatePasswordHistory

        public void updatePasswordHistory()
        Updates the password history information for this user by adding one of its passwords to the history. It will choose the first password encoded using a secure storage scheme, and will fall back to a password encoded using an insecure storage scheme if necessary.
      • clearPasswordHistory

        public void clearPasswordHistory()
        Clears the password history state information for the user. This is only intended for testing purposes.
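The validation, encoding and history methods above (passwordIsPreEncoded, passwordIsAcceptable, isPasswordInHistory, encodePassword, updatePasswordHistory) together with the state resets documented earlier form the password-change path. The following is an added example, not OpenDJ's own code, of a change handler that uses them in that order; the package names in the imports and the Entry and Operation types passed in by the caller are assumed.

```java
import java.util.List;
import java.util.Set;

import org.forgerock.i18n.LocalizableMessageBuilder;
import org.forgerock.opendj.ldap.ByteString;
import org.forgerock.opendj.ldap.LdapException;
import org.opends.server.core.PasswordPolicyState;   // package assumed
import org.opends.server.types.Entry;                // package assumed
import org.opends.server.types.Operation;            // package assumed

/** Added example: validating and storing a new password through the policy state. */
public final class PasswordChange {

  /**
   * Returns the encoded values to store in the password attribute, or throws
   * IllegalArgumentException carrying the reason the new password was rejected.
   * selfChange is true when the user changes their own password (minimum age
   * applies) and false for an administrative reset (a forced change follows).
   */
  public static List<ByteString> change(PasswordPolicyState pps, Entry userEntry,
      Operation op, ByteString newPassword, boolean selfChange) throws LdapException {
    // Clients must not supply pre-encoded values: the server hashes the password
    // itself so that validators and history comparison see the clear value.
    if (pps.passwordIsPreEncoded(newPassword)) {
      throw new IllegalArgumentException("pre-encoded password values are not accepted");
    }
    if (selfChange && pps.isWithinMinimumAge()) {
      throw new IllegalArgumentException("password was changed too recently");
    }
    // Run the configured validators. currentPasswords may be a subset, or empty,
    // when not all of the user's passwords are available in the clear.
    LocalizableMessageBuilder reason = new LocalizableMessageBuilder();
    Set<ByteString> current = Set.copyOf(pps.getClearPasswords());
    if (!pps.passwordIsAcceptable(newPassword, current, op, userEntry, reason)) {
      throw new IllegalArgumentException(reason.toString());
    }
    // History covers the current passwords as well as the stored history values.
    if (pps.maintainHistory() && pps.isPasswordInHistory(newPassword)) {
      throw new IllegalArgumentException("password was used previously");
    }
    // Encode with the default storage schemes; these values replace the attribute.
    List<ByteString> encoded = pps.encodePassword(newPassword);
    // Move the outgoing password into the history before it is replaced.
    if (pps.maintainHistory()) {
      pps.updatePasswordHistory();
    }
    // Reset the time-based state that belonged to the old password.
    pps.setPasswordChangedTime();
    pps.setRequiredChangeTime();
    pps.clearWarnedTime();
    pps.clearGraceLoginTimes();
    pps.clearFailureLockout();
    pps.setMustChangePassword(!selfChange);
    // The caller writes `encoded` to the password attribute and applies
    // pps.getModifications() for the state changes queued above.
    return encoded;
  }
}
```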
      • generatePassword

        public ByteString generatePassword()
                                    throws LdapException
        Generates a new password for the user.
        Returns:
        The new password that has been generated, or null if no password generator has been defined.
        Throws:
        LdapException - If an error occurs while attempting to generate the new password.
      • generateAccountStatusNotification

public void generateAccountStatusNotification(AccountStatusNotificationType notificationType,
                                                      Entry userEntry,
                                                      LocalizableMessage message,
                                                      Map<AccountStatusNotificationProperty,List<String>> notificationProperties)
        Generates an account status notification for this user.
        Parameters:
        notificationType - The type for the account status notification.
        userEntry - The entry for the user to which this notification applies.
        message - The human-readable message for the notification.
        notificationProperties - The set of properties for the notification.
      • getModifications

        public List<Modification> getModifications()
        Retrieves the set of modifications that correspond to changes made in password policy processing that may need to be applied to the user entry.
        Returns:
        The set of modifications that correspond to changes made in password policy processing that may need to be applied to the user entry.