/**
   * Reads the first value of {@code attributeType} from {@code entry} and interprets it as a
   * boolean.
   *
   * <p>Accepted spellings (compared case-insensitively) are {@code true}/{@code yes}/{@code on}/
   * {@code 1} for {@link ConditionResult#TRUE} and {@code false}/{@code no}/{@code off}/{@code 0}
   * for {@link ConditionResult#FALSE}. Only the first value of the first non-empty attribute is
   * consulted: any additional values of a multi-valued attribute are silently ignored, so callers
   * that use this for security-relevant state should make sure the attribute is single-valued.
   *
   * @param entry The entry whose attribute is to be parsed as a boolean.
   * @param attributeType The attribute type whose value should be parsed as a boolean.
   * @return {@link ConditionResult#TRUE} or {@link ConditionResult#FALSE} according to the value,
   *     or {@link ConditionResult#UNDEFINED} if the entry has no non-empty attribute of that type.
   * @throws DirectoryException If a value is present but is not one of the recognized boolean
   *     spellings (result code {@link ResultCode#INVALID_ATTRIBUTE_SYNTAX}).
   */
  protected static final ConditionResult getBoolean(
      final Entry entry, final AttributeType attributeType) throws DirectoryException {
    // Locate the first attribute of this type that actually carries a value.
    Attribute populated = null;
    final List<Attribute> candidates = entry.getAttribute(attributeType);
    if (candidates != null) {
      for (final Attribute candidate : candidates) {
        if (!candidate.isEmpty()) {
          populated = candidate;
          break;
        }
      }
    }

    if (populated == null) {
      if (debugEnabled()) {
        TRACER.debugInfo(
            "Returning %s because attribute %s does not exist in user entry %s",
            ConditionResult.UNDEFINED.toString(),
            attributeType.getNameOrOID(),
            entry.getDN().toString());
      }
      return ConditionResult.UNDEFINED;
    }

    // Only the first value is examined; the comparison is case-insensitive.
    final String normalized = toLowerCase(populated.iterator().next().getValue().toString());

    final boolean affirmative =
        "true".equals(normalized)
            || "yes".equals(normalized)
            || "on".equals(normalized)
            || "1".equals(normalized);
    if (affirmative) {
      if (debugEnabled()) {
        TRACER.debugInfo(
            "Attribute %s resolves to true for user entry %s",
            attributeType.getNameOrOID(), entry.getDN().toString());
      }
      return ConditionResult.TRUE;
    }

    final boolean negative =
        "false".equals(normalized)
            || "no".equals(normalized)
            || "off".equals(normalized)
            || "0".equals(normalized);
    if (negative) {
      if (debugEnabled()) {
        TRACER.debugInfo(
            "Attribute %s resolves to false for user entry %s",
            attributeType.getNameOrOID(), entry.getDN().toString());
      }
      return ConditionResult.FALSE;
    }

    // Anything else is a syntax error: surface it rather than silently picking a default.
    if (debugEnabled()) {
      TRACER.debugError(
          "Unable to resolve value %s for attribute %s in user entry %s as a Boolean.",
          normalized, attributeType.getNameOrOID(), entry.getDN().toString());
    }
    final Message message =
        ERR_PWPSTATE_CANNOT_DECODE_BOOLEAN.get(
            normalized, attributeType.getNameOrOID(), entry.getDN().toString());
    throw new DirectoryException(ResultCode.INVALID_ATTRIBUTE_SYNTAX, message);
  }
  /**
   * Reads the first value of {@code attributeType} from {@code entry} and decodes it as a
   * generalized time.
   *
   * <p>Only the first value of the first non-empty attribute is decoded; any further values are
   * ignored. Because {@code -1} doubles as the "not present" sentinel, a stored value that happens
   * to decode to exactly {@code -1} cannot be told apart from an absent attribute by callers.
   *
   * @param entry The entry whose attribute is to be parsed as a generalized time.
   * @param attributeType The attribute type whose value should be parsed as a generalized time
   *     value.
   * @return The decoded time, or -1 if the entry has no non-empty attribute of that type.
   * @throws DirectoryException If a value is present but cannot be decoded as a generalized time
   *     (result code {@link ResultCode#INVALID_ATTRIBUTE_SYNTAX}, with the decoding failure as
   *     cause).
   */
  protected static final long getGeneralizedTime(
      final Entry entry, final AttributeType attributeType) throws DirectoryException {
    // Locate the first value of the first attribute of this type that is non-empty.
    AttributeValue candidate = null;
    final List<Attribute> attributes = entry.getAttribute(attributeType);
    if (attributes != null) {
      for (final Attribute a : attributes) {
        if (!a.isEmpty()) {
          candidate = a.iterator().next();
          break;
        }
      }
    }

    long decoded = -1;
    if (candidate != null) {
      try {
        decoded = GeneralizedTimeSyntax.decodeGeneralizedTimeValue(candidate.getNormalizedValue());
      } catch (final Exception e) {
        if (debugEnabled()) {
          TRACER.debugCaught(DebugLogLevel.ERROR, e);
          TRACER.debugWarning(
              "Unable to decode value %s for attribute %s in user entry %s: %s",
              candidate.getValue().toString(),
              attributeType.getNameOrOID(),
              entry.getDN().toString(),
              stackTraceToSingleLineString(e));
        }

        // Wrap rather than propagate so the failure is reported as a syntax error;
        // the original exception is retained as the cause.
        final Message message =
            ERR_PWPSTATE_CANNOT_DECODE_GENERALIZED_TIME.get(
                candidate.getValue().toString(),
                attributeType.getNameOrOID(),
                entry.getDN().toString(),
                String.valueOf(e));
        throw new DirectoryException(ResultCode.INVALID_ATTRIBUTE_SYNTAX, message, e);
      }
    }

    // NOTE: this message also fires if a present value legitimately decoded to -1 (see Javadoc).
    if (decoded == -1 && debugEnabled()) {
      TRACER.debugInfo(
          "Returning -1 because attribute %s does not exist in user entry %s",
          attributeType.getNameOrOID(), entry.getDN().toString());
    }

    return decoded;
  }
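 /**
  * Reads a single-valued integer attribute from a user entry.
  *
  * <p>A value is accepted only when the entry holds exactly one attribute of the named type that
  * carries exactly one value. A multi-valued attribute is reported through
  * {@code nonUniqueAttributeMessage} and ignored; a value that is not a valid {@code int} is
  * reported through {@code cannotProcessAttributeMessage} and ignored. An absent attribute, an
  * attribute with no values, or several attributes of the same type (for example differing only
  * by attribute options) yield {@code null} without any log message.
  *
  * @param userEntry The entry to read the attribute from.
  * @param attributeTypeName Name (or OID) of the attribute type to read; resolved through
  *     {@link DirectoryServer#getAttributeTypeOrDefault(String)}.
  * @param nonUniqueAttributeMessage Message logged when the attribute has more than one value.
  * @param cannotProcessAttributeMessage Message logged when the value cannot be parsed as an int.
  * @return The parsed value, or {@code null} if no usable single integer value was found.
  */
 private Integer getIntegerUserAttribute(
     Entry userEntry,
     String attributeTypeName,
     Arg1<Object> nonUniqueAttributeMessage,
     Arg2<Object, Object> cannotProcessAttributeMessage) {
   AttributeType attrType = DirectoryServer.getAttributeTypeOrDefault(attributeTypeName);
   List<Attribute> attrList = userEntry.getAttribute(attrType);
   if (attrList == null || attrList.size() != 1) {
     // Absent, or ambiguous (several attributes of this type): nothing usable.
     return null;
   }

   Attribute a = attrList.get(0);
   if (a.size() > 1) {
     logger.error(nonUniqueAttributeMessage.get(userEntry.getName()));
     return null;
   }
   if (a.size() == 0) {
     return null;
   }

   ByteString v = a.iterator().next();
   try {
     // Integer.valueOf accepts an optional leading sign but no surrounding whitespace.
     return Integer.valueOf(v.toString());
   } catch (NumberFormatException e) {
     // Narrowed from Exception: valueOf(String) only fails with NumberFormatException,
     // so anything else would be a genuine bug and should propagate rather than be logged away.
     logger.traceException(e);
     logger.error(cannotProcessAttributeMessage.get(v, userEntry.getName()));
     return null;
   }
 }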
  /**
   * Performs the processing necessary for a simple bind operation.
   *
   * <p>Flow, in order: an empty password is routed to the anonymous-bind handler; the bind DN is
   * canonicalised if it is an alternate root DN; the user entry is fetched from the backend; the
   * password is then verified either through the local password policy
   * ({@link PasswordPolicyState}) or through the entry's non-local authentication policy.
   * Failures are reported as {@link ResultCode#INVALID_CREDENTIALS} regardless of whether the
   * user is unknown, has no password, is disabled, or supplied a wrong password.
   *
   * <p>NOTE(review): the unknown-user, no-password and disabled-account paths throw before the
   * password is ever verified, so they complete faster than a wrong-password bind; a remote
   * client may be able to tell these cases apart by timing even though the result code is the
   * same.
   *
   * @return {@code true} if processing should continue for the operation, or {@code false} if not.
   * @throws DirectoryException If a problem occurs that should cause the bind operation to fail.
   */
  protected boolean processSimpleBind() throws DirectoryException {
    // See if this is an anonymous bind.  If so, then determine whether
    // to allow it.
    // A DN with an empty password must never be treated as an authenticated
    // bind (the RFC 4513 "unauthenticated" simple bind); the anonymous-bind
    // handler decides whether to allow it at all.
    ByteString simplePassword = getSimplePassword();
    if (simplePassword == null || simplePassword.length() == 0) {
      return processAnonymousSimpleBind();
    }

    // See if the bind DN is actually one of the alternate root DNs
    // defined in the server.  If so, then replace it with the actual DN
    // for that user.
    DN actualRootDN = DirectoryServer.getActualRootBindDN(bindDN);
    if (actualRootDN != null) {
      bindDN = actualRootDN;
    }

    Entry userEntry;
    try {
      userEntry = backend.getEntry(bindDN);
    } catch (DirectoryException de) {
      logger.traceException(de);

      userEntry = null;

      if (de.getResultCode() == ResultCode.REFERRAL) {
        // Re-throw referral exceptions - these should be passed back
        // to the client.
        throw de;
      } else {
        // Replace other exceptions in case they expose any sensitive
        // information.
        // NOTE(review): only the result code is replaced here; the original
        // message object is carried over unchanged. Whether that text ever
        // reaches the client depends on how the caller maps the exception
        // into the bind response - confirm before relying on this to hide
        // backend error details.
        throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, de.getMessageObject());
      }
    }

    if (userEntry == null) {
      // Same result code as a wrong password, so the response itself does not
      // reveal whether the DN exists.
      throw new DirectoryException(
          ResultCode.INVALID_CREDENTIALS, ERR_BIND_OPERATION_UNKNOWN_USER.get());
    } else {
      setUserEntryDN(userEntry.getName());
    }

    // Check to see if the user has a password. If not, then fail.
    // FIXME -- We need to have a way to enable/disable debugging.
    // (The literal false passed to forUser is presumably that debug flag.)
    authPolicyState = AuthenticationPolicyState.forUser(userEntry, false);
    if (authPolicyState.isPasswordPolicy()) {
      // Account is managed locally.
      PasswordPolicyState pwPolicyState = (PasswordPolicyState) authPolicyState;
      PasswordPolicy policy = pwPolicyState.getAuthenticationPolicy();

      // An entry without any value for the policy's password attribute can
      // never authenticate with a simple bind.
      AttributeType pwType = policy.getPasswordAttribute();
      List<Attribute> pwAttr = userEntry.getAttribute(pwType);
      if (pwAttr == null || pwAttr.isEmpty()) {
        throw new DirectoryException(
            ResultCode.INVALID_CREDENTIALS, ERR_BIND_OPERATION_NO_PASSWORD.get());
      }

      // Perform a number of password policy state checks for the
      // non-authenticated user.
      // (Presumably covers disabled/locked/expired state before the password
      // is examined - the checks themselves live in the helper, not here.)
      checkUnverifiedPasswordPolicyState(userEntry, null);

      // Invoke pre-operation plugins.
      // Plugins run before the password is compared, so a plugin veto cannot
      // depend on (or reveal) whether the supplied password was correct.
      if (!invokePreOpPlugins()) {
        return false;
      }

      // Determine whether the provided password matches any of the stored
      // passwords for the user.
      if (pwPolicyState.passwordMatches(simplePassword)) {
        setResultCode(ResultCode.SUCCESS);

        // Post-verification policy checks. isFirstWarning / isGraceLogin are
        // read below; they are presumably set by this call (not visible here).
        checkVerifiedPasswordPolicyState(userEntry, null);

        // Lockdown mode: a correct password is still rejected unless the user
        // holds BYPASS_LOCKDOWN. The result code was already set to SUCCESS
        // above, so the thrown exception is presumably relied upon to
        // override it in the caller.
        if (DirectoryServer.lockdownMode()
            && !ClientConnection.hasPrivilege(userEntry, BYPASS_LOCKDOWN)) {
          throw new DirectoryException(
              ResultCode.INVALID_CREDENTIALS, ERR_BIND_REJECTED_LOCKDOWN_MODE.get());
        }
        setAuthenticationInfo(
            new AuthenticationInfo(
                userEntry, getBindDN(), DirectoryServer.isRootDN(userEntry.getName())));

        // Set resource limits for the authenticated user.
        setResourceLimits(userEntry);

        // Perform any remaining processing for a successful simple
        // authentication.
        // The cleartext password is only handed on here, after verification,
        // presumably to re-encode it if stored with a deprecated scheme; the
        // failure/lockout state is then cleared because the user has proved
        // possession of the password.
        pwPolicyState.handleDeprecatedStorageSchemes(simplePassword);
        pwPolicyState.clearFailureLockout();

        if (isFirstWarning) {
          pwPolicyState.setWarnedTime();

          int numSeconds = pwPolicyState.getSecondsUntilExpiration();
          LocalizableMessage m = WARN_BIND_PASSWORD_EXPIRING.get(secondsToTimeString(numSeconds));

          pwPolicyState.generateAccountStatusNotification(
              AccountStatusNotificationType.PASSWORD_EXPIRING,
              userEntry,
              m,
              AccountStatusNotification.createProperties(
                  pwPolicyState, false, numSeconds, null, null));
        }

        if (isGraceLogin) {
          pwPolicyState.updateGraceLoginTimes();
        }

        pwPolicyState.setLastLoginTime();
      } else {
        setResultCode(ResultCode.INVALID_CREDENTIALS);
        setAuthFailureReason(ERR_BIND_OPERATION_WRONG_PASSWORD.get());

        // Failed-attempt bookkeeping and any lockout notification are
        // delegated to the helper, and only when lockout is configured
        // (a failure count of 0 disables it).
        if (policy.getLockoutFailureCount() > 0) {
          generateAccountStatusNotificationForLockedBindAccount(userEntry, pwPolicyState);
        }
      }
    } else {
      // Account is not managed by a local password policy, so only the
      // generic authentication-policy state is consulted.
      // Check to see if the user is administratively disabled or locked.
      if (authPolicyState.isDisabled()) {
        throw new DirectoryException(
            ResultCode.INVALID_CREDENTIALS, ERR_BIND_OPERATION_ACCOUNT_DISABLED.get());
      }

      // Invoke pre-operation plugins.
      if (!invokePreOpPlugins()) {
        return false;
      }

      if (authPolicyState.passwordMatches(simplePassword)) {
        setResultCode(ResultCode.SUCCESS);

        // Same lockdown gate as the local-policy path.
        if (DirectoryServer.lockdownMode()
            && !ClientConnection.hasPrivilege(userEntry, BYPASS_LOCKDOWN)) {
          throw new DirectoryException(
              ResultCode.INVALID_CREDENTIALS, ERR_BIND_REJECTED_LOCKDOWN_MODE.get());
        }
        setAuthenticationInfo(
            new AuthenticationInfo(
                userEntry, getBindDN(), DirectoryServer.isRootDN(userEntry.getName())));

        // Set resource limits for the authenticated user.
        setResourceLimits(userEntry);
      } else {
        // No failure-count / lockout handling on this path; presumably left
        // to the non-local policy, if it tracks failures at all.
        setResultCode(ResultCode.INVALID_CREDENTIALS);
        setAuthFailureReason(ERR_BIND_OPERATION_WRONG_PASSWORD.get());
      }
    }

    return true;
  }