001/* 002 * The contents of this file are subject to the terms of the Common Development and 003 * Distribution License (the License). You may not use this file except in compliance with the 004 * License. 005 * 006 * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the 007 * specific language governing permission and limitations under the License. 008 * 009 * When distributing Covered Software, include this CDDL Header Notice in each file and include 010 * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL 011 * Header, with the fields enclosed by brackets [] replaced by your own identifying 012 * information: "Portions Copyright [year] [name of copyright owner]". 013 * 014 * Copyright 2006-2010 Sun Microsystems, Inc. 015 * Portions copyright 2011-2016 ForgeRock AS. 016 */ 017package org.opends.server.core; 018 019import java.util.Collection; 020import java.util.List; 021import java.util.Set; 022import java.util.SortedSet; 023 024import org.forgerock.opendj.server.config.meta.PasswordPolicyCfgDefn.*; 025import org.opends.server.api.*; 026import org.forgerock.opendj.ldap.schema.AttributeType; 027import org.forgerock.opendj.ldap.DN; 028import org.opends.server.types.DirectoryException; 029import org.opends.server.types.Entry; 030 031/** 032 * This class defines a data structure that holds information about a Directory 033 * Server password policy. 034 */ 035public abstract class PasswordPolicy extends AuthenticationPolicy 036{ 037 /** Creates a new password policy. */ 038 protected PasswordPolicy() 039 { 040 // Nothing to do. 041 } 042 043 @Override 044 public abstract DN getDN(); 045 046 /** 047 * Indicates whether the associated password attribute uses the auth password 048 * syntax. 049 * 050 * @return <CODE>true</CODE> if the associated password attribute uses the 051 * auth password syntax, or <CODE>false</CODE> if not. 052 */ 053 public abstract boolean isAuthPasswordSyntax(); 054 055 /** 056 * Retrieves the default set of password storage schemes that will be used for 057 * this password policy. The returned set should not be modified by the 058 * caller. 059 * 060 * @return The default set of password storage schemes that will be used for 061 * this password policy. 062 */ 063 public abstract List<PasswordStorageScheme<?>> 064 getDefaultPasswordStorageSchemes(); 065 066 /** 067 * Gets the "deprecated-password-storage-scheme" property. 068 * <p> 069 * Specifies the names of the password storage schemes that are considered 070 * deprecated for this password policy. 071 * <p> 072 * If a user with this password policy authenticates to the server and 073 * his/her password is encoded with a deprecated scheme, those values are 074 * removed and replaced with values encoded using the default password 075 * storage scheme(s). 076 * 077 * @return Returns an unmodifiable set containing the values of the 078 * "deprecated-password-storage-scheme" property. 079 */ 080 public abstract Set<String> getDeprecatedPasswordStorageSchemes(); 081 082 /** 083 * Indicates whether the specified storage scheme is a default scheme for this 084 * password policy. 085 * 086 * @param name 087 * The name of the password storage scheme for which to make the 088 * determination. 089 * @return <CODE>true</CODE> if the storage scheme is a default scheme for 090 * this password policy, or <CODE>false</CODE> if not. 091 */ 092 public abstract boolean isDefaultPasswordStorageScheme(String name); 093 094 /** 095 * Indicates whether the specified storage scheme is deprecated. 096 * 097 * @param name 098 * The name of the password storage scheme for which to make the 099 * determination. 100 * @return <CODE>true</CODE> if the storage scheme is deprecated, or 101 * <CODE>false</CODE> if not. 102 */ 103 public abstract boolean isDeprecatedPasswordStorageScheme(String name); 104 105 /** 106 * Retrieves the set of password validators for this password policy. The 107 * returned list should not be altered by the caller. 108 * 109 * @return The set of password validators for this password policy. 110 */ 111 public abstract Collection<PasswordValidator<?>> getPasswordValidators(); 112 113 /** 114 * Retrieves the set of account status notification handlers that should be 115 * used with this password policy. The returned list should not be altered by 116 * the caller. 117 * 118 * @return The set of account status notification handlers that should be used 119 * with this password policy. 120 */ 121 public abstract Collection<AccountStatusNotificationHandler<?>> 122 getAccountStatusNotificationHandlers(); 123 124 /** 125 * Retrieves the password generator that will be used with this password 126 * policy. 127 * 128 * @return The password generator that will be used with this password policy, 129 * or <CODE>null</CODE> if there is none. 130 */ 131 public abstract PasswordGenerator<?> getPasswordGenerator(); 132 133 /** 134 * Retrieves the time by which all users will be required to change their 135 * passwords, expressed in the number of milliseconds since midnight of 136 * January 1, 1970 (i.e., the zero time for 137 * <CODE>System.currentTimeMillis()</CODE>). Any passwords not changed before 138 * this time will automatically enter a state in which they must be changed 139 * before any other operation will be allowed. 140 * 141 * @return The time by which all users will be required to change their 142 * passwords, or zero if no such constraint is in effect. 143 */ 144 public abstract long getRequireChangeByTime(); 145 146 /** 147 * Gets the "allow-expired-password-changes" property. 148 * <p> 149 * Indicates whether a user whose password is expired is still allowed to 150 * change that password using the password modify extended operation. 151 * 152 * @return Returns the value of the "allow-expired-password-changes" property. 153 */ 154 public abstract boolean isAllowExpiredPasswordChanges(); 155 156 /** 157 * Gets the "allow-multiple-password-values" property. 158 * <p> 159 * Indicates whether user entries can have multiple distinct values for the 160 * password attribute. 161 * <p> 162 * This is potentially dangerous because many mechanisms used to change the 163 * password do not work well with such a configuration. If multiple password 164 * values are allowed, then any of them can be used to authenticate, and they 165 * are all subject to the same policy constraints. 166 * 167 * @return Returns the value of the "allow-multiple-password-values" property. 168 */ 169 public abstract boolean isAllowMultiplePasswordValues(); 170 171 /** 172 * Gets the "allow-pre-encoded-passwords" property. 173 * <p> 174 * Indicates whether users can change their passwords by providing a 175 * pre-encoded value. 176 * <p> 177 * This can cause a security risk because the clear-text version of the 178 * password is not known and therefore validation checks cannot be applied to 179 * it. 180 * 181 * @return Returns the value of the "allow-pre-encoded-passwords" property. 182 */ 183 public abstract boolean isAllowPreEncodedPasswords(); 184 185 /** 186 * Gets the "allow-user-password-changes" property. 187 * <p> 188 * Indicates whether users can change their own passwords. 189 * <p> 190 * This check is made in addition to access control evaluation. Both must 191 * allow the password change for it to occur. 192 * 193 * @return Returns the value of the "allow-user-password-changes" property. 194 */ 195 public abstract boolean isAllowUserPasswordChanges(); 196 197 /** 198 * Gets the "expire-passwords-without-warning" property. 199 * <p> 200 * Indicates whether the directory server allows a user's password to expire 201 * even if that user has never seen an expiration warning notification. 202 * <p> 203 * If this property is true, accounts always expire when the expiration time 204 * arrives. If this property is false or disabled, the user always receives at 205 * least one warning notification, and the password expiration is set to the 206 * warning time plus the warning interval. 207 * 208 * @return Returns the value of the "expire-passwords-without-warning" 209 * property. 210 */ 211 public abstract boolean isExpirePasswordsWithoutWarning(); 212 213 /** 214 * Gets the "force-change-on-add" property. 215 * <p> 216 * Indicates whether users are forced to change their passwords upon first 217 * authenticating to the directory server after their account has been 218 * created. 219 * 220 * @return Returns the value of the "force-change-on-add" property. 221 */ 222 public abstract boolean isForceChangeOnAdd(); 223 224 /** 225 * Gets the "force-change-on-reset" property. 226 * <p> 227 * Indicates whether users are forced to change their passwords if they are 228 * reset by an administrator. 229 * <p> 230 * For this purpose, anyone with permission to change a given user's password 231 * other than that user is considered an administrator. 232 * 233 * @return Returns the value of the "force-change-on-reset" property. 234 */ 235 public abstract boolean isForceChangeOnReset(); 236 237 /** 238 * Gets the "grace-login-count" property. 239 * <p> 240 * Specifies the number of grace logins that a user is allowed after the 241 * account has expired to allow that user to choose a new password. 242 * <p> 243 * A value of 0 indicates that no grace logins are allowed. 244 * 245 * @return Returns the value of the "grace-login-count" property. 246 */ 247 public abstract int getGraceLoginCount(); 248 249 /** 250 * Gets the "idle-lockout-interval" property. 251 * <p> 252 * Specifies the maximum length of time that an account may remain idle (that 253 * is, the associated user does not authenticate to the server) before that 254 * user is locked out. 255 * <p> 256 * The value of this attribute is an integer followed by a unit of seconds, 257 * minutes, hours, days, or weeks. A value of 0 seconds indicates that idle 258 * accounts are not automatically locked out. This feature is available only 259 * if the last login time is maintained. 260 * 261 * @return Returns the value of the "idle-lockout-interval" property. 262 */ 263 public abstract long getIdleLockoutInterval(); 264 265 /** 266 * Gets the "last-login-time-attribute" property. 267 * <p> 268 * Specifies the name or OID of the attribute type that is used to hold the 269 * last login time for users with the associated password policy. 270 * <p> 271 * This attribute type must be defined in the directory server schema and must 272 * either be defined as an operational attribute or must be allowed by the set 273 * of objectClasses for all users with the associated password policy. 274 * 275 * @return Returns the value of the "last-login-time-attribute" property. 276 */ 277 public abstract AttributeType getLastLoginTimeAttribute(); 278 279 /** 280 * Gets the "last-login-time-format" property. 281 * <p> 282 * Specifies the format string that is used to generate the last login time 283 * value for users with the associated password policy. 284 * <p> 285 * This format string conforms to the syntax described in the API 286 * documentation for the java.text.SimpleDateFormat class. 287 * 288 * @return Returns the value of the "last-login-time-format" property. 289 */ 290 public abstract String getLastLoginTimeFormat(); 291 292 /** 293 * Gets the "lockout-duration" property. 294 * <p> 295 * Specifies the length of time that an account is locked after too many 296 * authentication failures. 297 * <p> 298 * The value of this attribute is an integer followed by a unit of seconds, 299 * minutes, hours, days, or weeks. A value of 0 seconds indicates that the 300 * account must remain locked until an administrator resets the password. 301 * 302 * @return Returns the value of the "lockout-duration" property. 303 */ 304 public abstract long getLockoutDuration(); 305 306 /** 307 * Gets the "lockout-failure-count" property. 308 * <p> 309 * Specifies the maximum number of authentication failures that a user is 310 * allowed before the account is locked out. 311 * <p> 312 * A value of 0 indicates that accounts are never locked out due to failed 313 * attempts. 314 * 315 * @return Returns the value of the "lockout-failure-count" property. 316 */ 317 public abstract int getLockoutFailureCount(); 318 319 /** 320 * Gets the "lockout-failure-expiration-interval" property. 321 * <p> 322 * Specifies the length of time before an authentication failure is no longer 323 * counted against a user for the purposes of account lockout. 324 * <p> 325 * The value of this attribute is an integer followed by a unit of seconds, 326 * minutes, hours, days, or weeks. A value of 0 seconds indicates that the 327 * authentication failures must never expire. The failure count is always 328 * cleared upon a successful authentication. 329 * 330 * @return Returns the value of the "lockout-failure-expiration-interval" 331 * property. 332 */ 333 public abstract long getLockoutFailureExpirationInterval(); 334 335 /** 336 * Gets the "max-password-age" property. 337 * <p> 338 * Specifies the maximum length of time that a user can continue using the 339 * same password before it must be changed (that is, the password expiration 340 * interval). 341 * <p> 342 * The value of this attribute is an integer followed by a unit of seconds, 343 * minutes, hours, days, or weeks. A value of 0 seconds disables password 344 * expiration. 345 * 346 * @return Returns the value of the "max-password-age" property. 347 */ 348 public abstract long getMaxPasswordAge(); 349 350 /** 351 * Gets the "max-password-reset-age" property. 352 * <p> 353 * Specifies the maximum length of time that users have to change passwords 354 * after they have been reset by an administrator before they become locked. 355 * <p> 356 * The value of this attribute is an integer followed by a unit of seconds, 357 * minutes, hours, days, or weeks. A value of 0 seconds disables this feature. 358 * 359 * @return Returns the value of the "max-password-reset-age" property. 360 */ 361 public abstract long getMaxPasswordResetAge(); 362 363 /** 364 * Gets the "min-password-age" property. 365 * <p> 366 * Specifies the minimum length of time after a password change before the 367 * user is allowed to change the password again. 368 * <p> 369 * The value of this attribute is an integer followed by a unit of seconds, 370 * minutes, hours, days, or weeks. This setting can be used to prevent users 371 * from changing their passwords repeatedly over a short period of time to 372 * flush an old password from the history so that it can be re-used. 373 * 374 * @return Returns the value of the "min-password-age" property. 375 */ 376 public abstract long getMinPasswordAge(); 377 378 /** 379 * Gets the "password-attribute" property. 380 * <p> 381 * Specifies the attribute type used to hold user passwords. 382 * <p> 383 * This attribute type must be defined in the server schema, and it must have 384 * either the user password or auth password syntax. 385 * 386 * @return Returns the value of the "password-attribute" property. 387 */ 388 public abstract AttributeType getPasswordAttribute(); 389 390 /** 391 * Gets the "password-change-requires-current-password" property. 392 * <p> 393 * Indicates whether user password changes must use the password modify 394 * extended operation and must include the user's current password before the 395 * change is allowed. 396 * 397 * @return Returns the value of the 398 * "password-change-requires-current-password" property. 399 */ 400 public abstract boolean isPasswordChangeRequiresCurrentPassword(); 401 402 /** 403 * Gets the "password-expiration-warning-interval" property. 404 * <p> 405 * Specifies the maximum length of time before a user's password actually 406 * expires that the server begins to include warning notifications in bind 407 * responses for that user. 408 * <p> 409 * The value of this attribute is an integer followed by a unit of seconds, 410 * minutes, hours, days, or weeks. A value of 0 seconds disables the warning 411 * interval. 412 * 413 * @return Returns the value of the "password-expiration-warning-interval" 414 * property. 415 */ 416 public abstract long getPasswordExpirationWarningInterval(); 417 418 /** 419 * Gets the "password-history-count" property. 420 * <p> 421 * Specifies the maximum number of former passwords to maintain in the 422 * password history. 423 * <p> 424 * When choosing a new password, the proposed password is checked to ensure 425 * that it does not match the current password, nor any other password in the 426 * history list. A value of zero indicates that either no password history is 427 * to be maintained (if the password history duration has a value of zero 428 * seconds), or that there is no maximum number of passwords to maintain in 429 * the history (if the password history duration has a value greater than zero 430 * seconds). 431 * 432 * @return Returns the value of the "password-history-count" property. 433 */ 434 public abstract int getPasswordHistoryCount(); 435 436 /** 437 * Gets the "password-history-duration" property. 438 * <p> 439 * Specifies the maximum length of time that passwords remain in the password 440 * history. 441 * <p> 442 * When choosing a new password, the proposed password is checked to ensure 443 * that it does not match the current password, nor any other password in the 444 * history list. A value of zero seconds indicates that either no password 445 * history is to be maintained (if the password history count has a value of 446 * zero), or that there is no maximum duration for passwords in the history 447 * (if the password history count has a value greater than zero). 448 * 449 * @return Returns the value of the "password-history-duration" property. 450 */ 451 public abstract long getPasswordHistoryDuration(); 452 453 /** 454 * Gets the "previous-last-login-time-format" property. 455 * <p> 456 * Specifies the format string(s) that might have been used with the last 457 * login time at any point in the past for users associated with the password 458 * policy. 459 * <p> 460 * These values are used to make it possible to parse previous values, but are 461 * not used to set new values. The format strings conform to the syntax 462 * described in the API documentation for the java.text.SimpleDateFormat 463 * class. 464 * 465 * @return Returns an unmodifiable set containing the values of the 466 * "previous-last-login-time-format" property. 467 */ 468 public abstract SortedSet<String> getPreviousLastLoginTimeFormats(); 469 470 /** 471 * Gets the "require-secure-authentication" property. 472 * <p> 473 * Indicates whether users with the associated password policy are required to 474 * authenticate in a secure manner. 475 * <p> 476 * This might mean either using a secure communication channel between the 477 * client and the server, or using a SASL mechanism that does not expose the 478 * credentials. 479 * 480 * @return Returns the value of the "require-secure-authentication" property. 481 */ 482 public abstract boolean isRequireSecureAuthentication(); 483 484 /** 485 * Gets the "require-secure-password-changes" property. 486 * <p> 487 * Indicates whether users with the associated password policy are required to 488 * change their password in a secure manner that does not expose the 489 * credentials. 490 * 491 * @return Returns the value of the "require-secure-password-changes" 492 * property. 493 */ 494 public abstract boolean isRequireSecurePasswordChanges(); 495 496 /** 497 * Gets the "skip-validation-for-administrators" property. 498 * <p> 499 * Indicates whether passwords set by administrators are allowed to bypass the 500 * password validation process that is required for user password changes. 501 * 502 * @return Returns the value of the "skip-validation-for-administrators" 503 * property. 504 */ 505 public abstract boolean isSkipValidationForAdministrators(); 506 507 /** 508 * Gets the "state-update-failure-policy" property. 509 * <p> 510 * Specifies how the server deals with the inability to update password policy 511 * state information during an authentication attempt. 512 * <p> 513 * In particular, this property can be used to control whether an otherwise 514 * successful bind operation fails if a failure occurs while attempting to 515 * update password policy state information (for example, to clear a record of 516 * previous authentication failures or to update the last login time). It can 517 * also be used to control whether to reject a bind request if it is known 518 * ahead of time that it will not be possible to update the authentication 519 * failure times in the event of an unsuccessful bind attempt (for example, if 520 * the backend writability mode is disabled). 521 * 522 * @return Returns the value of the "state-update-failure-policy" property. 523 */ 524 public abstract StateUpdateFailurePolicy getStateUpdateFailurePolicy(); 525 526 @Override 527 public boolean isPasswordPolicy() 528 { 529 return true; 530 } 531 532 @Override 533 public PasswordPolicyState createAuthenticationPolicyState(Entry userEntry, 534 long time) throws DirectoryException 535 { 536 return new PasswordPolicyState(this, userEntry, time); 537 } 538}