001/*
002 * The contents of this file are subject to the terms of the Common Development and
003 * Distribution License (the License). You may not use this file except in compliance with the
004 * License.
005 *
006 * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
007 * specific language governing permission and limitations under the License.
008 *
009 * When distributing Covered Software, include this CDDL Header Notice in each file and include
010 * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
011 * Header, with the fields enclosed by brackets [] replaced by your own identifying
012 * information: "Portions Copyright [year] [name of copyright owner]".
013 *
014 * Copyright 2006-2010 Sun Microsystems, Inc.
015 * Portions copyright 2011-2016 ForgeRock AS.
016 */
017package org.opends.server.core;
018
019import java.util.Collection;
020import java.util.List;
021import java.util.Set;
022import java.util.SortedSet;
023
024import org.forgerock.opendj.server.config.meta.PasswordPolicyCfgDefn.*;
025import org.opends.server.api.*;
026import org.forgerock.opendj.ldap.schema.AttributeType;
027import org.forgerock.opendj.ldap.DN;
028import org.opends.server.types.DirectoryException;
029import org.opends.server.types.Entry;
030
031/**
032 * This class defines a data structure that holds information about a Directory
033 * Server password policy.
034 */
035public abstract class PasswordPolicy extends AuthenticationPolicy
036{
037  /** Creates a new password policy. */
038  protected PasswordPolicy()
039  {
040    // Nothing to do.
041  }
042
043  @Override
044  public abstract DN getDN();
045
046  /**
047   * Indicates whether the associated password attribute uses the auth password
048   * syntax.
049   *
050   * @return <CODE>true</CODE> if the associated password attribute uses the
051   *         auth password syntax, or <CODE>false</CODE> if not.
052   */
053  public abstract boolean isAuthPasswordSyntax();
054
055  /**
056   * Retrieves the default set of password storage schemes that will be used for
057   * this password policy. The returned set should not be modified by the
058   * caller.
059   *
060   * @return The default set of password storage schemes that will be used for
061   *         this password policy.
062   */
063  public abstract List<PasswordStorageScheme<?>>
064    getDefaultPasswordStorageSchemes();
065
066  /**
067   * Gets the "deprecated-password-storage-scheme" property.
068   * <p>
069   * Specifies the names of the password storage schemes that are considered
070   * deprecated for this password policy.
071   * <p>
072   * If a user with this password policy authenticates to the server and
073   * his/her password is encoded with a deprecated scheme, those values are
074   * removed and replaced with values encoded using the default password
075   * storage scheme(s).
076   *
077   * @return Returns an unmodifiable set containing the values of the
078   *         "deprecated-password-storage-scheme" property.
079   */
080  public abstract Set<String> getDeprecatedPasswordStorageSchemes();
081
082  /**
083   * Indicates whether the specified storage scheme is a default scheme for this
084   * password policy.
085   *
086   * @param name
087   *          The name of the password storage scheme for which to make the
088   *          determination.
089   * @return <CODE>true</CODE> if the storage scheme is a default scheme for
090   *         this password policy, or <CODE>false</CODE> if not.
091   */
092  public abstract boolean isDefaultPasswordStorageScheme(String name);
093
094  /**
095   * Indicates whether the specified storage scheme is deprecated.
096   *
097   * @param name
098   *          The name of the password storage scheme for which to make the
099   *          determination.
100   * @return <CODE>true</CODE> if the storage scheme is deprecated, or
101   *         <CODE>false</CODE> if not.
102   */
103  public abstract boolean isDeprecatedPasswordStorageScheme(String name);
104
105  /**
106   * Retrieves the set of password validators for this password policy. The
107   * returned list should not be altered by the caller.
108   *
109   * @return The set of password validators for this password policy.
110   */
111  public abstract Collection<PasswordValidator<?>> getPasswordValidators();
112
113  /**
114   * Retrieves the set of account status notification handlers that should be
115   * used with this password policy. The returned list should not be altered by
116   * the caller.
117   *
118   * @return The set of account status notification handlers that should be used
119   *         with this password policy.
120   */
121  public abstract Collection<AccountStatusNotificationHandler<?>>
122    getAccountStatusNotificationHandlers();
123
124  /**
125   * Retrieves the password generator that will be used with this password
126   * policy.
127   *
128   * @return The password generator that will be used with this password policy,
129   *         or <CODE>null</CODE> if there is none.
130   */
131  public abstract PasswordGenerator<?> getPasswordGenerator();
132
133  /**
134   * Retrieves the time by which all users will be required to change their
135   * passwords, expressed in the number of milliseconds since midnight of
136   * January 1, 1970 (i.e., the zero time for
137   * <CODE>System.currentTimeMillis()</CODE>). Any passwords not changed before
138   * this time will automatically enter a state in which they must be changed
139   * before any other operation will be allowed.
140   *
141   * @return The time by which all users will be required to change their
142   *         passwords, or zero if no such constraint is in effect.
143   */
144  public abstract long getRequireChangeByTime();
145
146  /**
147   * Gets the "allow-expired-password-changes" property.
148   * <p>
149   * Indicates whether a user whose password is expired is still allowed to
150   * change that password using the password modify extended operation.
151   *
152   * @return Returns the value of the "allow-expired-password-changes" property.
153   */
154  public abstract boolean isAllowExpiredPasswordChanges();
155
156  /**
157   * Gets the "allow-multiple-password-values" property.
158   * <p>
159   * Indicates whether user entries can have multiple distinct values for the
160   * password attribute.
161   * <p>
162   * This is potentially dangerous because many mechanisms used to change the
163   * password do not work well with such a configuration. If multiple password
164   * values are allowed, then any of them can be used to authenticate, and they
165   * are all subject to the same policy constraints.
166   *
167   * @return Returns the value of the "allow-multiple-password-values" property.
168   */
169  public abstract boolean isAllowMultiplePasswordValues();
170
171  /**
172   * Gets the "allow-pre-encoded-passwords" property.
173   * <p>
174   * Indicates whether users can change their passwords by providing a
175   * pre-encoded value.
176   * <p>
177   * This can cause a security risk because the clear-text version of the
178   * password is not known and therefore validation checks cannot be applied to
179   * it.
180   *
181   * @return Returns the value of the "allow-pre-encoded-passwords" property.
182   */
183  public abstract boolean isAllowPreEncodedPasswords();
184
185  /**
186   * Gets the "allow-user-password-changes" property.
187   * <p>
188   * Indicates whether users can change their own passwords.
189   * <p>
190   * This check is made in addition to access control evaluation. Both must
191   * allow the password change for it to occur.
192   *
193   * @return Returns the value of the "allow-user-password-changes" property.
194   */
195  public abstract boolean isAllowUserPasswordChanges();
196
197  /**
198   * Gets the "expire-passwords-without-warning" property.
199   * <p>
200   * Indicates whether the directory server allows a user's password to expire
201   * even if that user has never seen an expiration warning notification.
202   * <p>
203   * If this property is true, accounts always expire when the expiration time
204   * arrives. If this property is false or disabled, the user always receives at
205   * least one warning notification, and the password expiration is set to the
206   * warning time plus the warning interval.
207   *
208   * @return Returns the value of the "expire-passwords-without-warning"
209   *         property.
210   */
211  public abstract boolean isExpirePasswordsWithoutWarning();
212
213  /**
214   * Gets the "force-change-on-add" property.
215   * <p>
216   * Indicates whether users are forced to change their passwords upon first
217   * authenticating to the directory server after their account has been
218   * created.
219   *
220   * @return Returns the value of the "force-change-on-add" property.
221   */
222  public abstract boolean isForceChangeOnAdd();
223
224  /**
225   * Gets the "force-change-on-reset" property.
226   * <p>
227   * Indicates whether users are forced to change their passwords if they are
228   * reset by an administrator.
229   * <p>
230   * For this purpose, anyone with permission to change a given user's password
231   * other than that user is considered an administrator.
232   *
233   * @return Returns the value of the "force-change-on-reset" property.
234   */
235  public abstract boolean isForceChangeOnReset();
236
237  /**
238   * Gets the "grace-login-count" property.
239   * <p>
240   * Specifies the number of grace logins that a user is allowed after the
241   * account has expired to allow that user to choose a new password.
242   * <p>
243   * A value of 0 indicates that no grace logins are allowed.
244   *
245   * @return Returns the value of the "grace-login-count" property.
246   */
247  public abstract int getGraceLoginCount();
248
249  /**
250   * Gets the "idle-lockout-interval" property.
251   * <p>
252   * Specifies the maximum length of time that an account may remain idle (that
253   * is, the associated user does not authenticate to the server) before that
254   * user is locked out.
255   * <p>
256   * The value of this attribute is an integer followed by a unit of seconds,
257   * minutes, hours, days, or weeks. A value of 0 seconds indicates that idle
258   * accounts are not automatically locked out. This feature is available only
259   * if the last login time is maintained.
260   *
261   * @return Returns the value of the "idle-lockout-interval" property.
262   */
263  public abstract long getIdleLockoutInterval();
264
265  /**
266   * Gets the "last-login-time-attribute" property.
267   * <p>
268   * Specifies the name or OID of the attribute type that is used to hold the
269   * last login time for users with the associated password policy.
270   * <p>
271   * This attribute type must be defined in the directory server schema and must
272   * either be defined as an operational attribute or must be allowed by the set
273   * of objectClasses for all users with the associated password policy.
274   *
275   * @return Returns the value of the "last-login-time-attribute" property.
276   */
277  public abstract AttributeType getLastLoginTimeAttribute();
278
279  /**
280   * Gets the "last-login-time-format" property.
281   * <p>
282   * Specifies the format string that is used to generate the last login time
283   * value for users with the associated password policy.
284   * <p>
285   * This format string conforms to the syntax described in the API
286   * documentation for the java.text.SimpleDateFormat class.
287   *
288   * @return Returns the value of the "last-login-time-format" property.
289   */
290  public abstract String getLastLoginTimeFormat();
291
292  /**
293   * Gets the "lockout-duration" property.
294   * <p>
295   * Specifies the length of time that an account is locked after too many
296   * authentication failures.
297   * <p>
298   * The value of this attribute is an integer followed by a unit of seconds,
299   * minutes, hours, days, or weeks. A value of 0 seconds indicates that the
300   * account must remain locked until an administrator resets the password.
301   *
302   * @return Returns the value of the "lockout-duration" property.
303   */
304  public abstract long getLockoutDuration();
305
306  /**
307   * Gets the "lockout-failure-count" property.
308   * <p>
309   * Specifies the maximum number of authentication failures that a user is
310   * allowed before the account is locked out.
311   * <p>
312   * A value of 0 indicates that accounts are never locked out due to failed
313   * attempts.
314   *
315   * @return Returns the value of the "lockout-failure-count" property.
316   */
317  public abstract int getLockoutFailureCount();
318
319  /**
320   * Gets the "lockout-failure-expiration-interval" property.
321   * <p>
322   * Specifies the length of time before an authentication failure is no longer
323   * counted against a user for the purposes of account lockout.
324   * <p>
325   * The value of this attribute is an integer followed by a unit of seconds,
326   * minutes, hours, days, or weeks. A value of 0 seconds indicates that the
327   * authentication failures must never expire. The failure count is always
328   * cleared upon a successful authentication.
329   *
330   * @return Returns the value of the "lockout-failure-expiration-interval"
331   *         property.
332   */
333  public abstract long getLockoutFailureExpirationInterval();
334
335  /**
336   * Gets the "max-password-age" property.
337   * <p>
338   * Specifies the maximum length of time that a user can continue using the
339   * same password before it must be changed (that is, the password expiration
340   * interval).
341   * <p>
342   * The value of this attribute is an integer followed by a unit of seconds,
343   * minutes, hours, days, or weeks. A value of 0 seconds disables password
344   * expiration.
345   *
346   * @return Returns the value of the "max-password-age" property.
347   */
348  public abstract long getMaxPasswordAge();
349
350  /**
351   * Gets the "max-password-reset-age" property.
352   * <p>
353   * Specifies the maximum length of time that users have to change passwords
354   * after they have been reset by an administrator before they become locked.
355   * <p>
356   * The value of this attribute is an integer followed by a unit of seconds,
357   * minutes, hours, days, or weeks. A value of 0 seconds disables this feature.
358   *
359   * @return Returns the value of the "max-password-reset-age" property.
360   */
361  public abstract long getMaxPasswordResetAge();
362
363  /**
364   * Gets the "min-password-age" property.
365   * <p>
366   * Specifies the minimum length of time after a password change before the
367   * user is allowed to change the password again.
368   * <p>
369   * The value of this attribute is an integer followed by a unit of seconds,
370   * minutes, hours, days, or weeks. This setting can be used to prevent users
371   * from changing their passwords repeatedly over a short period of time to
372   * flush an old password from the history so that it can be re-used.
373   *
374   * @return Returns the value of the "min-password-age" property.
375   */
376  public abstract long getMinPasswordAge();
377
378  /**
379   * Gets the "password-attribute" property.
380   * <p>
381   * Specifies the attribute type used to hold user passwords.
382   * <p>
383   * This attribute type must be defined in the server schema, and it must have
384   * either the user password or auth password syntax.
385   *
386   * @return Returns the value of the "password-attribute" property.
387   */
388  public abstract AttributeType getPasswordAttribute();
389
390  /**
391   * Gets the "password-change-requires-current-password" property.
392   * <p>
393   * Indicates whether user password changes must use the password modify
394   * extended operation and must include the user's current password before the
395   * change is allowed.
396   *
397   * @return Returns the value of the
398   *         "password-change-requires-current-password" property.
399   */
400  public abstract boolean isPasswordChangeRequiresCurrentPassword();
401
402  /**
403   * Gets the "password-expiration-warning-interval" property.
404   * <p>
405   * Specifies the maximum length of time before a user's password actually
406   * expires that the server begins to include warning notifications in bind
407   * responses for that user.
408   * <p>
409   * The value of this attribute is an integer followed by a unit of seconds,
410   * minutes, hours, days, or weeks. A value of 0 seconds disables the warning
411   * interval.
412   *
413   * @return Returns the value of the "password-expiration-warning-interval"
414   *         property.
415   */
416  public abstract long getPasswordExpirationWarningInterval();
417
418  /**
419   * Gets the "password-history-count" property.
420   * <p>
421   * Specifies the maximum number of former passwords to maintain in the
422   * password history.
423   * <p>
424   * When choosing a new password, the proposed password is checked to ensure
425   * that it does not match the current password, nor any other password in the
426   * history list. A value of zero indicates that either no password history is
427   * to be maintained (if the password history duration has a value of zero
428   * seconds), or that there is no maximum number of passwords to maintain in
429   * the history (if the password history duration has a value greater than zero
430   * seconds).
431   *
432   * @return Returns the value of the "password-history-count" property.
433   */
434  public abstract int getPasswordHistoryCount();
435
436  /**
437   * Gets the "password-history-duration" property.
438   * <p>
439   * Specifies the maximum length of time that passwords remain in the password
440   * history.
441   * <p>
442   * When choosing a new password, the proposed password is checked to ensure
443   * that it does not match the current password, nor any other password in the
444   * history list. A value of zero seconds indicates that either no password
445   * history is to be maintained (if the password history count has a value of
446   * zero), or that there is no maximum duration for passwords in the history
447   * (if the password history count has a value greater than zero).
448   *
449   * @return Returns the value of the "password-history-duration" property.
450   */
451  public abstract long getPasswordHistoryDuration();
452
453  /**
454   * Gets the "previous-last-login-time-format" property.
455   * <p>
456   * Specifies the format string(s) that might have been used with the last
457   * login time at any point in the past for users associated with the password
458   * policy.
459   * <p>
460   * These values are used to make it possible to parse previous values, but are
461   * not used to set new values. The format strings conform to the syntax
462   * described in the API documentation for the java.text.SimpleDateFormat
463   * class.
464   *
465   * @return Returns an unmodifiable set containing the values of the
466   *         "previous-last-login-time-format" property.
467   */
468  public abstract SortedSet<String> getPreviousLastLoginTimeFormats();
469
470  /**
471   * Gets the "require-secure-authentication" property.
472   * <p>
473   * Indicates whether users with the associated password policy are required to
474   * authenticate in a secure manner.
475   * <p>
476   * This might mean either using a secure communication channel between the
477   * client and the server, or using a SASL mechanism that does not expose the
478   * credentials.
479   *
480   * @return Returns the value of the "require-secure-authentication" property.
481   */
482  public abstract boolean isRequireSecureAuthentication();
483
484  /**
485   * Gets the "require-secure-password-changes" property.
486   * <p>
487   * Indicates whether users with the associated password policy are required to
488   * change their password in a secure manner that does not expose the
489   * credentials.
490   *
491   * @return Returns the value of the "require-secure-password-changes"
492   *         property.
493   */
494  public abstract boolean isRequireSecurePasswordChanges();
495
496  /**
497   * Gets the "skip-validation-for-administrators" property.
498   * <p>
499   * Indicates whether passwords set by administrators are allowed to bypass the
500   * password validation process that is required for user password changes.
501   *
502   * @return Returns the value of the "skip-validation-for-administrators"
503   *         property.
504   */
505  public abstract boolean isSkipValidationForAdministrators();
506
507  /**
508   * Gets the "state-update-failure-policy" property.
509   * <p>
510   * Specifies how the server deals with the inability to update password policy
511   * state information during an authentication attempt.
512   * <p>
513   * In particular, this property can be used to control whether an otherwise
514   * successful bind operation fails if a failure occurs while attempting to
515   * update password policy state information (for example, to clear a record of
516   * previous authentication failures or to update the last login time). It can
517   * also be used to control whether to reject a bind request if it is known
518   * ahead of time that it will not be possible to update the authentication
519   * failure times in the event of an unsuccessful bind attempt (for example, if
520   * the backend writability mode is disabled).
521   *
522   * @return Returns the value of the "state-update-failure-policy" property.
523   */
524  public abstract StateUpdateFailurePolicy getStateUpdateFailurePolicy();
525
526  @Override
527  public boolean isPasswordPolicy()
528  {
529    return true;
530  }
531
532  @Override
533  public PasswordPolicyState createAuthenticationPolicyState(Entry userEntry,
534      long time) throws DirectoryException
535  {
536    return new PasswordPolicyState(this, userEntry, time);
537  }
538}