/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
* or http://forgerock.org/license/CDDLv1.0.html.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at legal-notices/CDDLv1_0.txt.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information:
* Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*
*
* Copyright 2008-2011 Sun Microsystems, Inc.
* Portions Copyright 2011-2015 ForgeRock AS
*/
package org.opends.server.workflowelement.localbackend;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.ListIterator;
import org.forgerock.i18n.LocalizableMessage;
import org.forgerock.i18n.LocalizableMessageBuilder;
import org.forgerock.i18n.LocalizableMessageDescriptor.Arg3;
import org.forgerock.i18n.LocalizableMessageDescriptor.Arg4;
import org.forgerock.i18n.slf4j.LocalizedLogger;
import org.forgerock.opendj.ldap.ByteString;
import org.forgerock.opendj.ldap.ModificationType;
import org.forgerock.opendj.ldap.ResultCode;
import org.forgerock.opendj.ldap.schema.MatchingRule;
import org.forgerock.opendj.ldap.schema.Syntax;
import org.forgerock.util.Reject;
import org.forgerock.util.Utils;
import org.opends.server.api.AccessControlHandler;
import org.opends.server.api.AuthenticationPolicy;
import org.opends.server.api.Backend;
import org.opends.server.api.ClientConnection;
import org.opends.server.api.PasswordStorageScheme;
import org.opends.server.api.SynchronizationProvider;
import org.opends.server.api.plugin.PluginResult.PostOperation;
import org.opends.server.controls.LDAPAssertionRequestControl;
import org.opends.server.controls.LDAPPostReadRequestControl;
import org.opends.server.controls.LDAPPreReadRequestControl;
import org.opends.server.controls.PasswordPolicyErrorType;
import org.opends.server.controls.PasswordPolicyResponseControl;
import org.opends.server.core.AccessControlConfigManager;
import org.opends.server.core.DirectoryServer;
import org.opends.server.core.ModifyOperation;
import org.opends.server.core.ModifyOperationWrapper;
import org.opends.server.core.PasswordPolicy;
import org.opends.server.core.PasswordPolicyState;
import org.opends.server.core.PersistentSearch;
import org.opends.server.schema.AuthPasswordSyntax;
import org.opends.server.schema.UserPasswordSyntax;
import org.opends.server.types.AcceptRejectWarn;
import org.opends.server.types.AccountStatusNotification;
import org.opends.server.types.AccountStatusNotificationType;
import org.opends.server.types.Attribute;
import org.opends.server.types.AttributeBuilder;
import org.opends.server.types.AttributeType;
import org.opends.server.types.AuthenticationInfo;
import org.opends.server.types.CanceledOperationException;
import org.opends.server.types.Control;
import org.opends.server.types.DN;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.Entry;
import org.opends.server.types.LockManager.DNLock;
import org.opends.server.types.Modification;
import org.opends.server.types.ObjectClass;
import org.opends.server.types.Privilege;
import org.opends.server.types.RDN;
import org.opends.server.types.SearchFilter;
import org.opends.server.types.SynchronizationProviderResult;
import org.opends.server.types.operation.PostOperationModifyOperation;
import org.opends.server.types.operation.PostResponseModifyOperation;
import org.opends.server.types.operation.PostSynchronizationModifyOperation;
import org.opends.server.types.operation.PreOperationModifyOperation;
import static org.opends.messages.CoreMessages.*;
import static org.opends.server.config.ConfigConstants.*;
import static org.opends.server.core.DirectoryServer.*;
import static org.opends.server.types.AbstractOperation.*;
import static org.opends.server.types.AccountStatusNotificationType.*;
import static org.opends.server.util.ServerConstants.*;
import static org.opends.server.util.StaticUtils.*;
/** This class defines an operation used to modify an entry in a local backend of the Directory Server. */
public class LocalBackendModifyOperation
extends ModifyOperationWrapper
implements PreOperationModifyOperation, PostOperationModifyOperation,
PostResponseModifyOperation,
PostSynchronizationModifyOperation
{
private static final LocalizedLogger logger = LocalizedLogger.getLoggerForThisClass();
/** The backend in which the target entry exists. */
private Backend<?> backend;
/** The client connection associated with this operation. */
private ClientConnection clientConnection;
private boolean preOperationPluginsExecuted;
/** Indicates whether this modify operation includes a password change. */
private boolean passwordChanged;
/** Indicates whether the password change is a self-change. */
private boolean selfChange;
/** Indicates whether the request included the user's current password. */
private boolean currentPasswordProvided;
/** Indicates whether the user's account has been enabled or disabled by this modify operation. */
private boolean enabledStateChanged;
/** Indicates whether the user's account is currently enabled. */
private boolean isEnabled;
/** Indicates whether the user's account was locked before this change. */
private boolean wasLocked;
/** Indicates whether the request included the LDAP no-op control. */
private boolean noOp;
/** Indicates whether the request included the Permissive Modify control. */
private boolean permissiveModify;
/** Indicates whether the request included the password policy request control. */
private boolean pwPolicyControlRequested;
/** The post-read request control, if present. */
private LDAPPostReadRequestControl postReadRequest;
/** The pre-read request control, if present. */
private LDAPPreReadRequestControl preReadRequest;
/** The DN of the entry to modify. */
private DN entryDN;
/** The current entry, before any changes are applied. */
private Entry currentEntry;
/** The modified entry that will be stored in the backend. */
private Entry modifiedEntry;
/** The set of modifications contained in this request. */
private List<Modification> modifications;
/** The number of passwords contained in the modify operation. */
private int numPasswords;
/** The set of clear-text current passwords (if any were provided). */
private List<ByteString> currentPasswords;
/** The set of clear-text new passwords (if any were provided). */
private List<ByteString> newPasswords;
/** The password policy error type for this operation. */
private PasswordPolicyErrorType pwpErrorType;
/** The password policy state for this modify operation. */
private PasswordPolicyState pwPolicyState;
/**
* Creates a new operation that may be used to modify an entry in a
* local backend of the Directory Server.
*
* @param modify The operation to enhance.
*/
public LocalBackendModifyOperation(ModifyOperation modify)
{
super(modify);
LocalBackendWorkflowElement.attachLocalOperation (modify, this);
}
/**
* Returns whether authentication for this user is managed locally
* or via Pass-Through Authentication.
*/
private boolean isAuthnManagedLocally()
{
return pwPolicyState != null;
}
/**
* Retrieves the current entry before any modifications are applied. This
* will not be available to pre-parse plugins.
*
* @return The current entry, or {@code null} if it is not yet available.
*/
@Override
public final Entry getCurrentEntry()
{
return currentEntry;
}
/**
* Retrieves the set of clear-text current passwords for the user, if
* available. This will only be available if the modify operation contains
* one or more delete elements that target the password attribute and provide
* the values to delete in the clear. It will not be available to pre-parse
* plugins.
*
* @return The set of clear-text current password values as provided in the
* modify request, or {@code null} if there were none or this
* information is not yet available.
*/
@Override
public final List<ByteString> getCurrentPasswords()
{
return currentPasswords;
}
/**
* Retrieves the modified entry that is to be written to the backend. This
* will be available to pre-operation plugins, and if such a plugin does make
* a change to this entry, then it is also necessary to add that change to
* the set of modifications to ensure that the update will be consistent.
*
* @return The modified entry that is to be written to the backend, or
* {@code null} if it is not yet available.
*/
@Override
public final Entry getModifiedEntry()
{
return modifiedEntry;
}
/**
* Retrieves the set of clear-text new passwords for the user, if available.
* This will only be available if the modify operation contains one or more
* add or replace elements that target the password attribute and provide the
* values in the clear. It will not be available to pre-parse plugins.
*
* @return The set of clear-text new passwords as provided in the modify
* request, or {@code null} if there were none or this
* information is not yet available.
*/
@Override
public final List<ByteString> getNewPasswords()
{
return newPasswords;
}
/**
* Adds the provided modification to the set of modifications to this modify operation.
* In addition, the modification is applied to the modified entry.
* <p>
* This may only be called by pre-operation plugins.
*
* @param modification The modification to add to the set of changes for
* this modify operation.
* @throws DirectoryException If an unexpected problem occurs while applying
* the modification to the entry.
*/
@Override
public void addModification(Modification modification)
throws DirectoryException
{
modifiedEntry.applyModification(modification, permissiveModify);
super.addModification(modification);
}
/**
* Process this modify operation against a local backend.
*
* @param wfe
* The local backend work-flow element.
* @throws CanceledOperationException
* if this operation should be cancelled
*/
void processLocalModify(final LocalBackendWorkflowElement wfe) throws CanceledOperationException
{
this.backend = wfe.getBackend();
this.clientConnection = getClientConnection();
checkIfCanceled(false);
try
{
processModify();
if (pwPolicyControlRequested)
{
addResponseControl(new PasswordPolicyResponseControl(null, 0, pwpErrorType));
}
invokePostModifyPlugins();
}
finally
{
LocalBackendWorkflowElement.filterNonDisclosableMatchedDN(this);
}
// Register a post-response call-back which will notify persistent
// searches and change listeners.
if (getResultCode() == ResultCode.SUCCESS)
{
registerPostResponseCallback(new Runnable()
{
@Override
public void run()
{
for (PersistentSearch psearch : backend.getPersistentSearches())
{
psearch.processModify(modifiedEntry, currentEntry);
}
}
});
}
}
private boolean invokePreModifyPlugins() throws CanceledOperationException
{
if (!isSynchronizationOperation())
{
preOperationPluginsExecuted = true;
if (!processOperationResult(this, getPluginConfigManager().invokePreOperationModifyPlugins(this)))
{
return false;
}
}
return true;
}
private void invokePostModifyPlugins()
{
if (isSynchronizationOperation())
{
if (getResultCode() == ResultCode.SUCCESS)
{
getPluginConfigManager().invokePostSynchronizationModifyPlugins(this);
}
}
else if (preOperationPluginsExecuted)
{
PostOperation result = getPluginConfigManager().invokePostOperationModifyPlugins(this);
if (!processOperationResult(this, result))
{
return;
}
}
}
private void processModify() throws CanceledOperationException
{
entryDN = getEntryDN();
if (entryDN == null)
{
return;
}
// Process the modifications to convert them from their raw form to the
// form required for the rest of the modify processing.
modifications = getModifications();
if (modifications == null)
{
return;
}
if (modifications.isEmpty())
{
setResultCode(ResultCode.CONSTRAINT_VIOLATION);
appendErrorMessage(ERR_MODIFY_NO_MODIFICATIONS.get(entryDN));
return;
}
checkIfCanceled(false);
// Acquire a write lock on the target entry.
final DNLock entryLock = DirectoryServer.getLockManager().tryWriteLockEntry(entryDN);
try
{
if (entryLock == null)
{
setResultCode(ResultCode.BUSY);
appendErrorMessage(ERR_MODIFY_CANNOT_LOCK_ENTRY.get(entryDN));
return;
}
checkIfCanceled(false);
currentEntry = backend.getEntry(entryDN);
if (currentEntry == null)
{
setResultCode(ResultCode.NO_SUCH_OBJECT);
appendErrorMessage(ERR_MODIFY_NO_SUCH_ENTRY.get(entryDN));
setMatchedDN(findMatchedDN(entryDN));
return;
}
processRequestControls();
// Get the password policy state object for the entry that can be used
// to perform any appropriate password policy processing. Also, see
// if the entry is being updated by the end user or an administrator.
final DN authzDN = getAuthorizationDN();
selfChange = entryDN.equals(authzDN);
// Should the authorizing account change its password?
if (mustChangePassword(selfChange, getAuthorizationEntry()))
{
pwpErrorType = PasswordPolicyErrorType.CHANGE_AFTER_RESET;
setResultCode(ResultCode.CONSTRAINT_VIOLATION);
appendErrorMessage(ERR_MODIFY_MUST_CHANGE_PASSWORD.get(authzDN != null ? authzDN : "anonymous"));
return;
}
// FIXME -- Need a way to enable debug mode.
pwPolicyState = createPasswordPolicyState(currentEntry);
// Create a duplicate of the entry and apply the changes to it.
modifiedEntry = currentEntry.duplicate(false);
if (!noOp && !handleConflictResolution())
{
return;
}
processNonPasswordModifications();
// Check to see if the client has permission to perform the modify.
// The access control check is not made any earlier because the handler
// needs access to the modified entry.
// FIXME: for now assume that this will check all permissions pertinent to the operation.
// This includes proxy authorization and any other controls specified.
// FIXME: earlier checks to see if the entry already exists may have
// already exposed sensitive information to the client.
if (!operationIsAllowed())
{
return;
}
if (isAuthnManagedLocally())
{
processPasswordPolicyModifications();
performAdditionalPasswordChangedProcessing();
if (currentUserMustChangePassword())
{
// The user did not attempt to change their password.
pwpErrorType = PasswordPolicyErrorType.CHANGE_AFTER_RESET;
setResultCode(ResultCode.CONSTRAINT_VIOLATION);
appendErrorMessage(ERR_MODIFY_MUST_CHANGE_PASSWORD.get(authzDN != null ? authzDN : "anonymous"));
return;
}
}
if (mustCheckSchema())
{
// make sure that the new entry is valid per the server schema.
LocalizableMessageBuilder invalidReason = new LocalizableMessageBuilder();
if (!modifiedEntry.conformsToSchema(null, false, false, false, invalidReason))
{
setResultCode(ResultCode.OBJECTCLASS_VIOLATION);
appendErrorMessage(ERR_MODIFY_VIOLATES_SCHEMA.get(entryDN, invalidReason));
return;
}
}
checkIfCanceled(false);
if (!invokePreModifyPlugins())
{
return;
}
// Actually perform the modify operation. This should also include
// taking care of any synchronization that might be needed.
if (backend == null)
{
setResultCode(ResultCode.NO_SUCH_OBJECT);
appendErrorMessage(ERR_MODIFY_NO_BACKEND_FOR_ENTRY.get(entryDN));
return;
}
LocalBackendWorkflowElement.checkIfBackendIsWritable(backend, this,
entryDN, ERR_MODIFY_SERVER_READONLY, ERR_MODIFY_BACKEND_READONLY);
if (noOp)
{
appendErrorMessage(INFO_MODIFY_NOOP.get());
setResultCode(ResultCode.NO_OPERATION);
}
else
{
if (!processPreOperation())
{
return;
}
backend.replaceEntry(currentEntry, modifiedEntry, this);
if (isAuthnManagedLocally())
{
generatePwpAccountStatusNotifications();
}
}
// Handle any processing that may be needed for the pre-read and/or post-read controls.
LocalBackendWorkflowElement.addPreReadResponse(this, preReadRequest, currentEntry);
LocalBackendWorkflowElement.addPostReadResponse(this, postReadRequest, modifiedEntry);
if (!noOp)
{
setResultCode(ResultCode.SUCCESS);
}
}
catch (DirectoryException de)
{
logger.traceException(de);
setResponseData(de);
}
finally
{
if (entryLock != null)
{
entryLock.unlock();
}
processSynchPostOperationPlugins();
}
}
private boolean operationIsAllowed()
{
try
{
if (!getAccessControlHandler().isAllowed(this))
{
setResultCodeAndMessageNoInfoDisclosure(modifiedEntry,
ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
ERR_MODIFY_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS.get(entryDN));
return false;
}
return true;
}
catch (DirectoryException e)
{
setResultCode(e.getResultCode());
appendErrorMessage(e.getMessageObject());
return false;
}
}
private boolean currentUserMustChangePassword()
{
return !isInternalOperation() && selfChange && !passwordChanged && pwPolicyState.mustChangePassword();
}
private boolean mustChangePassword(boolean selfChange, Entry authzEntry) throws DirectoryException
{
return !isInternalOperation() && !selfChange && authzEntry != null && mustChangePassword(authzEntry);
}
private boolean mustChangePassword(Entry authzEntry) throws DirectoryException
{
PasswordPolicyState authzState = createPasswordPolicyState(authzEntry);
return authzState != null && authzState.mustChangePassword();
}
private PasswordPolicyState createPasswordPolicyState(Entry entry) throws DirectoryException
{
AuthenticationPolicy policy = AuthenticationPolicy.forUser(entry, true);
if (policy.isPasswordPolicy())
{
return (PasswordPolicyState) policy.createAuthenticationPolicyState(entry);
}
return null;
}
private AccessControlHandler<?> getAccessControlHandler()
{
return AccessControlConfigManager.getInstance().getAccessControlHandler();
}
private DirectoryException newDirectoryException(Entry entry,
ResultCode resultCode, LocalizableMessage message) throws DirectoryException
{
return LocalBackendWorkflowElement.newDirectoryException(this, entry,
entryDN, resultCode, message, ResultCode.NO_SUCH_OBJECT,
ERR_MODIFY_NO_SUCH_ENTRY.get(entryDN));
}
private void setResultCodeAndMessageNoInfoDisclosure(Entry entry,
ResultCode realResultCode, LocalizableMessage realMessage) throws DirectoryException
{
LocalBackendWorkflowElement.setResultCodeAndMessageNoInfoDisclosure(this,
entry, entryDN, realResultCode, realMessage, ResultCode.NO_SUCH_OBJECT,
ERR_MODIFY_NO_SUCH_ENTRY.get(entryDN));
}
private DN findMatchedDN(DN entryDN)
{
try
{
DN matchedDN = entryDN.getParentDNInSuffix();
while (matchedDN != null)
{
if (DirectoryServer.entryExists(matchedDN))
{
return matchedDN;
}
matchedDN = matchedDN.getParentDNInSuffix();
}
}
catch (Exception e)
{
logger.traceException(e);
}
return null;
}
/**
* Processes any controls contained in the modify request.
*
* @throws DirectoryException If a problem is encountered with any of the
* controls.
*/
private void processRequestControls() throws DirectoryException
{
LocalBackendWorkflowElement.evaluateProxyAuthControls(this);
LocalBackendWorkflowElement.removeAllDisallowedControls(entryDN, this);
List<Control> requestControls = getRequestControls();
if (requestControls != null && !requestControls.isEmpty())
{
for (ListIterator<Control> iter = requestControls.listIterator(); iter.hasNext();)
{
final Control c = iter.next();
final String oid = c.getOID();
if (OID_LDAP_ASSERTION.equals(oid))
{
LDAPAssertionRequestControl assertControl =
getRequestControl(LDAPAssertionRequestControl.DECODER);
SearchFilter filter;
try
{
filter = assertControl.getSearchFilter();
}
catch (DirectoryException de)
{
logger.traceException(de);
throw newDirectoryException(currentEntry, de.getResultCode(),
ERR_MODIFY_CANNOT_PROCESS_ASSERTION_FILTER.get(
entryDN, de.getMessageObject()));
}
// Check if the current user has permission to make this determination.
if (!getAccessControlHandler().isAllowed(this, currentEntry, filter))
{
throw new DirectoryException(
ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
}
try
{
if (!filter.matchesEntry(currentEntry))
{
throw newDirectoryException(currentEntry,
ResultCode.ASSERTION_FAILED,
ERR_MODIFY_ASSERTION_FAILED.get(entryDN));
}
}
catch (DirectoryException de)
{
if (de.getResultCode() == ResultCode.ASSERTION_FAILED)
{
throw de;
}
logger.traceException(de);
throw newDirectoryException(currentEntry, de.getResultCode(),
ERR_MODIFY_CANNOT_PROCESS_ASSERTION_FILTER.get(
entryDN, de.getMessageObject()));
}
}
else if (OID_LDAP_NOOP_OPENLDAP_ASSIGNED.equals(oid))
{
noOp = true;
}
else if (OID_PERMISSIVE_MODIFY_CONTROL.equals(oid))
{
permissiveModify = true;
}
else if (OID_LDAP_READENTRY_PREREAD.equals(oid))
{
preReadRequest = getRequestControl(LDAPPreReadRequestControl.DECODER);
}
else if (OID_LDAP_READENTRY_POSTREAD.equals(oid))
{
if (c instanceof LDAPPostReadRequestControl)
{
postReadRequest = (LDAPPostReadRequestControl) c;
}
else
{
postReadRequest = getRequestControl(LDAPPostReadRequestControl.DECODER);
iter.set(postReadRequest);
}
}
else if (LocalBackendWorkflowElement.isProxyAuthzControl(oid))
{
continue;
}
else if (OID_PASSWORD_POLICY_CONTROL.equals(oid))
{
pwPolicyControlRequested = true;
}
// NYI -- Add support for additional controls.
else if (c.isCritical()
&& (backend == null || !backend.supportsControl(oid)))
{
throw newDirectoryException(currentEntry,
ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
ERR_MODIFY_UNSUPPORTED_CRITICAL_CONTROL.get(entryDN, oid));
}
}
}
}
private void processNonPasswordModifications() throws DirectoryException
{
for (Modification m : modifications)
{
Attribute a = m.getAttribute();
AttributeType t = a.getAttributeType();
// If the attribute type is marked "NO-USER-MODIFICATION" then fail unless
// this is an internal operation or is related to synchronization in some way.
final boolean isInternalOrSynchro = isInternalOrSynchro(m);
if (t.isNoUserModification() && !isInternalOrSynchro)
{
throw newDirectoryException(currentEntry,
ResultCode.CONSTRAINT_VIOLATION,
ERR_MODIFY_ATTR_IS_NO_USER_MOD.get(entryDN, a.getName()));
}
// If the attribute type is marked "OBSOLETE" and the modification is
// setting new values, then fail unless this is an internal operation or
// is related to synchronization in some way.
if (t.isObsolete()
&& !a.isEmpty()
&& m.getModificationType() != ModificationType.DELETE
&& !isInternalOrSynchro)
{
throw newDirectoryException(currentEntry,
ResultCode.CONSTRAINT_VIOLATION,
ERR_MODIFY_ATTR_IS_OBSOLETE.get(entryDN, a.getName()));
}
// See if the attribute is one which controls the privileges available for a user.
// If it is, then the client must have the PRIVILEGE_CHANGE privilege.
if (t.hasName(OP_ATTR_PRIVILEGE_NAME)
&& !clientConnection.hasPrivilege(Privilege.PRIVILEGE_CHANGE, this))
{
throw new DirectoryException(ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
ERR_MODIFY_CHANGE_PRIVILEGE_INSUFFICIENT_PRIVILEGES.get());
}
// If the modification is not updating the password attribute,
// then perform any schema processing.
if (!isPassword(t))
{
processModification(m);
}
}
}
private boolean isInternalOrSynchro(Modification m)
{
return isInternalOperation() || m.isInternal() || isSynchronizationOperation();
}
private boolean isPassword(AttributeType t)
{
return pwPolicyState != null
&& t.equals(pwPolicyState.getAuthenticationPolicy().getPasswordAttribute());
}
/** Processes the modifications related to password policy for this modify operation. */
private void processPasswordPolicyModifications() throws DirectoryException
{
// Declare variables used for password policy state processing.
currentPasswordProvided = false;
isEnabled = true;
enabledStateChanged = false;
final PasswordPolicy authPolicy = pwPolicyState.getAuthenticationPolicy();
if (currentEntry.hasAttribute(authPolicy.getPasswordAttribute()))
{
// It may actually have more than one, but we can't tell the difference if
// the values are encoded, and its enough for our purposes just to know
// that there is at least one.
numPasswords = 1;
}
else
{
numPasswords = 0;
}
passwordChanged = !isInternalOperation() && !isSynchronizationOperation() && isModifyingPassword();
for (Modification m : modifications)
{
AttributeType t = m.getAttribute().getAttributeType();
// If the modification is updating the password attribute, then perform
// any necessary password policy processing. This processing should be
// skipped for synchronization operations.
if (isPassword(t))
{
if (!isSynchronizationOperation())
{
// If the attribute contains any options and new values are going to
// be added, then reject it. Passwords will not be allowed to have options.
if (!isInternalOperation())
{
validatePasswordModification(m, authPolicy);
}
preProcessPasswordModification(m);
}
processModification(m);
}
else if (!isInternalOrSynchro(m)
&& t.equals(getAttributeTypeOrDefault(OP_ATTR_ACCOUNT_DISABLED)))
{
enabledStateChanged = true;
isEnabled = !pwPolicyState.isDisabled();
}
}
}
/** Adds the appropriate state changes for the provided modification. */
private void preProcessPasswordModification(Modification m) throws DirectoryException
{
switch (m.getModificationType().asEnum())
{
case ADD:
case REPLACE:
preProcessPasswordAddOrReplace(m);
break;
case DELETE:
preProcessPasswordDelete(m);
break;
// case INCREMENT does not make any sense for passwords
default:
Attribute a = m.getAttribute();
throw new DirectoryException(ResultCode.CONSTRAINT_VIOLATION,
ERR_MODIFY_INVALID_MOD_TYPE_FOR_PASSWORD.get(m.getModificationType(), a.getName()));
}
}
private boolean isModifyingPassword() throws DirectoryException
{
for (Modification m : modifications)
{
if (isPassword(m.getAttribute().getAttributeType()))
{
if (!selfChange && !clientConnection.hasPrivilege(Privilege.PASSWORD_RESET, this))
{
pwpErrorType = PasswordPolicyErrorType.PASSWORD_MOD_NOT_ALLOWED;
throw new DirectoryException(ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
ERR_MODIFY_PWRESET_INSUFFICIENT_PRIVILEGES.get());
}
return true;
}
}
return false;
}
private void validatePasswordModification(Modification m, PasswordPolicy authPolicy) throws DirectoryException
{
Attribute a = m.getAttribute();
if (a.hasOptions())
{
switch (m.getModificationType().asEnum())
{
case REPLACE:
if (!a.isEmpty())
{
throw new DirectoryException(ResultCode.CONSTRAINT_VIOLATION,
ERR_MODIFY_PASSWORDS_CANNOT_HAVE_OPTIONS.get());
}
// Allow delete operations to clean up after import.
break;
case ADD:
throw new DirectoryException(ResultCode.CONSTRAINT_VIOLATION,
ERR_MODIFY_PASSWORDS_CANNOT_HAVE_OPTIONS.get());
default:
// Allow delete operations to clean up after import.
break;
}
}
// If it's a self change, then see if that's allowed.
if (selfChange && !authPolicy.isAllowUserPasswordChanges())
{
pwpErrorType = PasswordPolicyErrorType.PASSWORD_MOD_NOT_ALLOWED;
throw new DirectoryException(ResultCode.UNWILLING_TO_PERFORM,
ERR_MODIFY_NO_USER_PW_CHANGES.get());
}
// If we require secure password changes, then makes sure it's a
// secure communication channel.
if (authPolicy.isRequireSecurePasswordChanges()
&& !clientConnection.isSecure())
{
pwpErrorType = PasswordPolicyErrorType.PASSWORD_MOD_NOT_ALLOWED;
throw new DirectoryException(ResultCode.CONFIDENTIALITY_REQUIRED,
ERR_MODIFY_REQUIRE_SECURE_CHANGES.get());
}
// If it's a self change and it's not been long enough since the
// previous change, then reject it.
if (selfChange && pwPolicyState.isWithinMinimumAge())
{
pwpErrorType = PasswordPolicyErrorType.PASSWORD_TOO_YOUNG;
throw new DirectoryException(ResultCode.UNWILLING_TO_PERFORM,
ERR_MODIFY_WITHIN_MINIMUM_AGE.get());
}
}
/**
* Process the provided modification and updates the entry appropriately.
*
* @param m
* The modification to perform
* @throws DirectoryException
* If a problem occurs that should cause the modify operation to fail.
*/
private void processModification(Modification m) throws DirectoryException
{
Attribute attr = m.getAttribute();
switch (m.getModificationType().asEnum())
{
case ADD:
processAddModification(attr);
break;
case DELETE:
processDeleteModification(attr);
break;
case REPLACE:
processReplaceModification(attr);
break;
case INCREMENT:
processIncrementModification(attr);
break;
}
}
private void preProcessPasswordAddOrReplace(Modification m) throws DirectoryException
{
Attribute pwAttr = m.getAttribute();
int passwordsToAdd = pwAttr.size();
if (m.getModificationType() == ModificationType.ADD)
{
numPasswords += passwordsToAdd;
}
else
{
numPasswords = passwordsToAdd;
}
// If there were multiple password values, then make sure that's OK.
final PasswordPolicy authPolicy = pwPolicyState.getAuthenticationPolicy();
if (!isInternalOperation()
&& !authPolicy.isAllowMultiplePasswordValues()
&& passwordsToAdd > 1)
{
pwpErrorType = PasswordPolicyErrorType.PASSWORD_MOD_NOT_ALLOWED;
throw new DirectoryException(ResultCode.CONSTRAINT_VIOLATION,
ERR_MODIFY_MULTIPLE_VALUES_NOT_ALLOWED.get());
}
// Iterate through the password values and see if any of them are
// pre-encoded. If so, then check to see if we'll allow it.
// Otherwise, store the clear-text values for later validation
// and update the attribute with the encoded values.
AttributeBuilder builder = new AttributeBuilder(pwAttr, true);
for (ByteString v : pwAttr)
{
if (pwPolicyState.passwordIsPreEncoded(v))
{
if (!isInternalOperation()
&& !authPolicy.isAllowPreEncodedPasswords())
{
pwpErrorType = PasswordPolicyErrorType.INSUFFICIENT_PASSWORD_QUALITY;
throw new DirectoryException(ResultCode.CONSTRAINT_VIOLATION,
ERR_MODIFY_NO_PREENCODED_PASSWORDS.get());
}
builder.add(v);
}
else
{
if (m.getModificationType() == ModificationType.ADD
// Make sure that the password value does not already exist.
&& pwPolicyState.passwordMatches(v))
{
pwpErrorType = PasswordPolicyErrorType.PASSWORD_IN_HISTORY;
throw new DirectoryException(ResultCode.ATTRIBUTE_OR_VALUE_EXISTS,
ERR_MODIFY_PASSWORD_EXISTS.get());
}
if (newPasswords == null)
{
newPasswords = new LinkedList<>();
}
newPasswords.add(v);
builder.addAll(pwPolicyState.encodePassword(v));
}
}
m.setAttribute(builder.toAttribute());
}
private void preProcessPasswordDelete(Modification m) throws DirectoryException
{
// Iterate through the password values and see if any of them are pre-encoded.
// We will never allow pre-encoded passwords for user password changes,
// but we will allow them for administrators.
// For each clear-text value, verify that at least one value in the entry matches
// and replace the clear-text value with the appropriate encoded forms.
Attribute pwAttr = m.getAttribute();
if (pwAttr.isEmpty())
{
// Removing all current password values.
numPasswords = 0;
}
AttributeBuilder builder = new AttributeBuilder(pwAttr, true);
for (ByteString v : pwAttr)
{
if (pwPolicyState.passwordIsPreEncoded(v))
{
if (!isInternalOperation() && selfChange)
{
pwpErrorType = PasswordPolicyErrorType.INSUFFICIENT_PASSWORD_QUALITY;
throw new DirectoryException(ResultCode.CONSTRAINT_VIOLATION,
ERR_MODIFY_NO_PREENCODED_PASSWORDS.get());
}
// We still need to check if the pre-encoded password matches
// an existing value, to decrease the number of passwords.
List<Attribute> attrList = currentEntry.getAttribute(pwAttr.getAttributeType());
if (attrList == null || attrList.isEmpty())
{
throw new DirectoryException(ResultCode.NO_SUCH_ATTRIBUTE, ERR_MODIFY_NO_EXISTING_VALUES.get());
}
if (addIfAttributeValueExistsPreEncodedPassword(builder, attrList, v))
{
numPasswords--;
}
}
else
{
List<Attribute> attrList = currentEntry.getAttribute(pwAttr.getAttributeType());
if (attrList == null || attrList.isEmpty())
{
throw new DirectoryException(ResultCode.NO_SUCH_ATTRIBUTE,
ERR_MODIFY_NO_EXISTING_VALUES.get());
}
if (addIfAttributeValueExistsNoPreEncodedPassword(builder, attrList, v))
{
if (currentPasswords == null)
{
currentPasswords = new LinkedList<>();
}
currentPasswords.add(v);
numPasswords--;
}
else
{
throw new DirectoryException(ResultCode.NO_SUCH_ATTRIBUTE,
ERR_MODIFY_INVALID_PASSWORD.get());
}
currentPasswordProvided = true;
}
}
m.setAttribute(builder.toAttribute());
}
private boolean addIfAttributeValueExistsPreEncodedPassword(AttributeBuilder builder, List<Attribute> attrList,
ByteString val)
{
for (Attribute attr : attrList)
{
for (ByteString av : attr)
{
if (av.equals(val))
{
builder.add(val);
return true;
}
}
}
return false;
}
private boolean addIfAttributeValueExistsNoPreEncodedPassword(AttributeBuilder builder, List<Attribute> attrList,
ByteString val) throws DirectoryException
{
boolean found = false;
for (Attribute attr : attrList)
{
for (ByteString av : attr)
{
if (pwPolicyState.passwordIsPreEncoded(av))
{
if (passwordMatches(val, av))
{
builder.add(av);
found = true;
}
}
else if (av.equals(val))
{
builder.add(val);
found = true;
}
}
}
return found;
}
private boolean passwordMatches(ByteString val, ByteString av) throws DirectoryException
{
if (pwPolicyState.getAuthenticationPolicy().isAuthPasswordSyntax())
{
String[] components = AuthPasswordSyntax.decodeAuthPassword(av.toString());
PasswordStorageScheme<?> scheme = DirectoryServer.getAuthPasswordStorageScheme(components[0]);
return scheme != null && scheme.authPasswordMatches(val, components[1], components[2]);
} else {
String[] components = UserPasswordSyntax.decodeUserPassword(av.toString());
PasswordStorageScheme<?> scheme = DirectoryServer.getPasswordStorageScheme(toLowerCase(components[0]));
return scheme != null && scheme.passwordMatches(val, ByteString.valueOfUtf8(components[1]));
}
}
/**
* Process an add modification and updates the entry appropriately.
*
* @param attr
* The attribute being added.
* @throws DirectoryException
* If a problem occurs that should cause the modify operation to fail.
*/
private void processAddModification(Attribute attr) throws DirectoryException
{
// Make sure that one or more values have been provided for the attribute.
if (attr.isEmpty())
{
throw newDirectoryException(currentEntry, ResultCode.PROTOCOL_ERROR,
ERR_MODIFY_ADD_NO_VALUES.get(entryDN, attr.getName()));
}
if (mustCheckSchema())
{
// make sure that all the new values are valid according to the associated syntax.
checkSchema(attr, ERR_MODIFY_ADD_INVALID_SYNTAX, ERR_MODIFY_ADD_INVALID_SYNTAX_NO_VALUE);
}
// If the attribute to be added is the object class attribute
// then make sure that all the object classes are known and not obsoleted.
if (attr.getAttributeType().isObjectClass())
{
validateObjectClasses(attr);
}
// Add the provided attribute or merge an existing attribute with
// the values of the new attribute. If there are any duplicates, then fail.
List<ByteString> duplicateValues = new LinkedList<>();
modifiedEntry.addAttribute(attr, duplicateValues);
if (!duplicateValues.isEmpty() && !permissiveModify)
{
String duplicateValuesStr = Utils.joinAsString(", ", duplicateValues);
throw newDirectoryException(currentEntry,
ResultCode.ATTRIBUTE_OR_VALUE_EXISTS,
ERR_MODIFY_ADD_DUPLICATE_VALUE.get(entryDN, attr.getName(), duplicateValuesStr));
}
}
private boolean mustCheckSchema()
{
return !isSynchronizationOperation() && DirectoryServer.checkSchema();
}
/**
* Verifies that all the new values are valid according to the associated syntax.
*
* @throws DirectoryException
* If any of the new values violate the server schema configuration and server is
* configured to reject violations.
*/
private void checkSchema(Attribute attr,
Arg4<Object, Object, Object, Object> invalidSyntaxErrorMsg,
Arg3<Object, Object, Object> invalidSyntaxNoValueErrorMsg) throws DirectoryException
{
AcceptRejectWarn syntaxPolicy = DirectoryServer.getSyntaxEnforcementPolicy();
Syntax syntax = attr.getAttributeType().getSyntax();
LocalizableMessageBuilder invalidReason = new LocalizableMessageBuilder();
for (ByteString v : attr)
{
if (!syntax.valueIsAcceptable(v, invalidReason))
{
LocalizableMessage msg = isHumanReadable(syntax)
? invalidSyntaxErrorMsg.get(entryDN, attr.getName(), v, invalidReason)
: invalidSyntaxNoValueErrorMsg.get(entryDN, attr.getName(), invalidReason);
switch (syntaxPolicy)
{
case REJECT:
throw newDirectoryException(currentEntry, ResultCode.INVALID_ATTRIBUTE_SYNTAX, msg);
case WARN:
// FIXME remove next line of code. According to Matt, since this is
// just a warning, the code should not set the resultCode
setResultCode(ResultCode.INVALID_ATTRIBUTE_SYNTAX);
logger.error(msg);
invalidReason = new LocalizableMessageBuilder();
break;
}
}
}
}
private boolean isHumanReadable(Syntax syntax)
{
return syntax.isHumanReadable() && !syntax.isBEREncodingRequired();
}
/**
* Ensures that the provided object class attribute contains known
* non-obsolete object classes.
*
* @param attr
* The object class attribute to validate.
* @throws DirectoryException
* If the attribute contained unknown or obsolete object
* classes.
*/
private void validateObjectClasses(Attribute attr) throws DirectoryException
{
final AttributeType attrType = attr.getAttributeType();
Reject.ifFalse(attrType.isObjectClass());
final MatchingRule eqRule = attrType.getEqualityMatchingRule();
for (ByteString v : attr)
{
String name = v.toString();
String lowerName;
try
{
lowerName = eqRule.normalizeAttributeValue(v).toString();
}
catch (Exception e)
{
logger.traceException(e);
lowerName = toLowerCase(name);
}
ObjectClass oc = DirectoryServer.getObjectClass(lowerName);
if (oc == null)
{
throw newDirectoryException(currentEntry,
ResultCode.OBJECTCLASS_VIOLATION,
ERR_ENTRY_ADD_UNKNOWN_OC.get(name, entryDN));
}
else if (oc.isObsolete())
{
throw newDirectoryException(currentEntry,
ResultCode.CONSTRAINT_VIOLATION,
ERR_ENTRY_ADD_OBSOLETE_OC.get(name, entryDN));
}
}
}
/**
* Process a delete modification and updates the entry appropriately.
*
* @param attr
* The attribute being deleted.
* @throws DirectoryException
* If a problem occurs that should cause the modify operation to fail.
*/
private void processDeleteModification(Attribute attr) throws DirectoryException
{
// Remove the specified attribute values or the entire attribute from the value.
// If there are any specified values that were not present, then fail.
// If the RDN attribute value would be removed, then fail.
List<ByteString> missingValues = new LinkedList<>();
boolean attrExists = modifiedEntry.removeAttribute(attr, missingValues);
if (attrExists)
{
if (missingValues.isEmpty())
{
AttributeType t = attr.getAttributeType();
RDN rdn = modifiedEntry.getName().rdn();
if (rdn != null
&& rdn.hasAttributeType(t)
&& !modifiedEntry.hasValue(t, attr.getOptions(), rdn.getAttributeValue(t)))
{
throw newDirectoryException(currentEntry,
ResultCode.NOT_ALLOWED_ON_RDN,
ERR_MODIFY_DELETE_RDN_ATTR.get(entryDN, attr.getName()));
}
}
else if (!permissiveModify)
{
String missingValuesStr = Utils.joinAsString(", ", missingValues);
throw newDirectoryException(currentEntry, ResultCode.NO_SUCH_ATTRIBUTE,
ERR_MODIFY_DELETE_MISSING_VALUES.get(entryDN, attr.getName(), missingValuesStr));
}
}
else if (!permissiveModify)
{
throw newDirectoryException(currentEntry, ResultCode.NO_SUCH_ATTRIBUTE,
ERR_MODIFY_DELETE_NO_SUCH_ATTR.get(entryDN, attr.getName()));
}
}
/**
* Process a replace modification and updates the entry appropriately.
*
* @param attr
* The attribute being replaced.
* @throws DirectoryException
* If a problem occurs that should cause the modify operation to fail.
*/
private void processReplaceModification(Attribute attr) throws DirectoryException
{
if (mustCheckSchema())
{
// make sure that all the new values are valid according to the associated syntax.
checkSchema(attr, ERR_MODIFY_REPLACE_INVALID_SYNTAX, ERR_MODIFY_REPLACE_INVALID_SYNTAX_NO_VALUE);
}
// If the attribute to be replaced is the object class attribute
// then make sure that all the object classes are known and not obsoleted.
if (attr.getAttributeType().isObjectClass())
{
validateObjectClasses(attr);
}
// Replace the provided attribute.
modifiedEntry.replaceAttribute(attr);
// Make sure that the RDN attribute value(s) has not been removed.
AttributeType t = attr.getAttributeType();
RDN rdn = modifiedEntry.getName().rdn();
if (rdn != null
&& rdn.hasAttributeType(t)
&& !modifiedEntry.hasValue(t, attr.getOptions(), rdn.getAttributeValue(t)))
{
throw newDirectoryException(modifiedEntry, ResultCode.NOT_ALLOWED_ON_RDN,
ERR_MODIFY_DELETE_RDN_ATTR.get(entryDN, attr.getName()));
}
}
/**
* Process an increment modification and updates the entry appropriately.
*
* @param attr
* The attribute being incremented.
* @throws DirectoryException
* If a problem occurs that should cause the modify operation to fail.
*/
private void processIncrementModification(Attribute attr) throws DirectoryException
{
// The specified attribute type must not be an RDN attribute.
AttributeType t = attr.getAttributeType();
RDN rdn = modifiedEntry.getName().rdn();
if (rdn != null && rdn.hasAttributeType(t))
{
throw newDirectoryException(modifiedEntry, ResultCode.NOT_ALLOWED_ON_RDN,
ERR_MODIFY_INCREMENT_RDN.get(entryDN, attr.getName()));
}
// The provided attribute must have a single value, and it must be an integer
if (attr.isEmpty())
{
throw newDirectoryException(modifiedEntry, ResultCode.PROTOCOL_ERROR,
ERR_MODIFY_INCREMENT_REQUIRES_VALUE.get(entryDN, attr.getName()));
}
else if (attr.size() > 1)
{
throw newDirectoryException(modifiedEntry, ResultCode.PROTOCOL_ERROR,
ERR_MODIFY_INCREMENT_REQUIRES_SINGLE_VALUE.get(entryDN, attr.getName()));
}
MatchingRule eqRule = attr.getAttributeType().getEqualityMatchingRule();
ByteString v = attr.iterator().next();
long incrementValue;
try
{
String nv = eqRule.normalizeAttributeValue(v).toString();
incrementValue = Long.parseLong(nv);
}
catch (Exception e)
{
logger.traceException(e);
throw new DirectoryException(ResultCode.INVALID_ATTRIBUTE_SYNTAX,
ERR_MODIFY_INCREMENT_PROVIDED_VALUE_NOT_INTEGER.get(entryDN, attr.getName(), v), e);
}
// Get the attribute that is to be incremented.
Attribute a = modifiedEntry.getExactAttribute(t, attr.getOptions());
if (a == null)
{
throw newDirectoryException(modifiedEntry,
ResultCode.CONSTRAINT_VIOLATION,
ERR_MODIFY_INCREMENT_REQUIRES_EXISTING_VALUE.get(entryDN, attr.getName()));
}
// Increment each attribute value by the specified amount.
AttributeBuilder builder = new AttributeBuilder(a, true);
for (ByteString existingValue : a)
{
long currentValue;
try
{
currentValue = Long.parseLong(existingValue.toString());
}
catch (Exception e)
{
logger.traceException(e);
throw new DirectoryException(
ResultCode.INVALID_ATTRIBUTE_SYNTAX,
ERR_MODIFY_INCREMENT_REQUIRES_INTEGER_VALUE.get(entryDN, a.getName(), existingValue),
e);
}
long newValue = currentValue + incrementValue;
builder.add(String.valueOf(newValue));
}
// Replace the existing attribute with the incremented version.
modifiedEntry.replaceAttribute(builder.toAttribute());
}
/**
* Performs additional preliminary processing that is required for a password change.
*
* @throws DirectoryException
* If a problem occurs that should cause the modify operation to fail.
*/
private void performAdditionalPasswordChangedProcessing() throws DirectoryException
{
if (!passwordChanged)
{
// Nothing to do.
return;
}
// If it was a self change, then see if the current password was provided
// and handle accordingly.
final PasswordPolicy authPolicy = pwPolicyState.getAuthenticationPolicy();
if (selfChange
&& authPolicy.isPasswordChangeRequiresCurrentPassword()
&& !currentPasswordProvided)
{
pwpErrorType = PasswordPolicyErrorType.MUST_SUPPLY_OLD_PASSWORD;
throw new DirectoryException(ResultCode.UNWILLING_TO_PERFORM,
ERR_MODIFY_PW_CHANGE_REQUIRES_CURRENT_PW.get());
}
// If this change would result in multiple password values, then see if that's OK.
if (numPasswords > 1 && !authPolicy.isAllowMultiplePasswordValues())
{
pwpErrorType = PasswordPolicyErrorType.PASSWORD_MOD_NOT_ALLOWED;
throw new DirectoryException(ResultCode.CONSTRAINT_VIOLATION,
ERR_MODIFY_MULTIPLE_PASSWORDS_NOT_ALLOWED.get());
}
// If any of the password values should be validated, then do so now.
if (newPasswords != null
&& (selfChange || !authPolicy.isSkipValidationForAdministrators()))
{
HashSet<ByteString> clearPasswords = new HashSet<>(pwPolicyState.getClearPasswords());
if (currentPasswords != null)
{
clearPasswords.addAll(currentPasswords);
}
for (ByteString v : newPasswords)
{
LocalizableMessageBuilder invalidReason = new LocalizableMessageBuilder();
if (! pwPolicyState.passwordIsAcceptable(this, modifiedEntry,
v, clearPasswords, invalidReason))
{
pwpErrorType = PasswordPolicyErrorType.INSUFFICIENT_PASSWORD_QUALITY;
throw new DirectoryException(ResultCode.CONSTRAINT_VIOLATION,
ERR_MODIFY_PW_VALIDATION_FAILED.get(invalidReason));
}
}
}
// If we should check the password history, then do so now.
if (newPasswords != null && pwPolicyState.maintainHistory())
{
for (ByteString v : newPasswords)
{
if (pwPolicyState.isPasswordInHistory(v)
&& (selfChange || !authPolicy.isSkipValidationForAdministrators()))
{
pwpErrorType = PasswordPolicyErrorType.PASSWORD_IN_HISTORY;
throw new DirectoryException(ResultCode.CONSTRAINT_VIOLATION,
ERR_MODIFY_PW_IN_HISTORY.get());
}
}
pwPolicyState.updatePasswordHistory();
}
wasLocked = pwPolicyState.isLocked();
// Update the password policy state attributes in the user's entry. If the
// modification fails, then these changes won't be applied.
pwPolicyState.setPasswordChangedTime();
pwPolicyState.clearFailureLockout();
pwPolicyState.clearGraceLoginTimes();
pwPolicyState.clearWarnedTime();
if (authPolicy.isForceChangeOnAdd() || authPolicy.isForceChangeOnReset())
{
if (selfChange)
{
pwPolicyState.setMustChangePassword(false);
}
else
{
if (pwpErrorType == null && authPolicy.isForceChangeOnReset())
{
pwpErrorType = PasswordPolicyErrorType.CHANGE_AFTER_RESET;
}
pwPolicyState.setMustChangePassword(authPolicy.isForceChangeOnReset());
}
}
if (authPolicy.getRequireChangeByTime() > 0)
{
pwPolicyState.setRequiredChangeTime();
}
modifications.addAll(pwPolicyState.getModifications());
modifiedEntry.applyModifications(pwPolicyState.getModifications());
}
/** Generate any password policy account status notifications as a result of modify processing. */
private void generatePwpAccountStatusNotifications()
{
if (passwordChanged)
{
if (selfChange)
{
AuthenticationInfo authInfo = clientConnection.getAuthenticationInfo();
if (authInfo.getAuthenticationDN().equals(modifiedEntry.getName()))
{
clientConnection.setMustChangePassword(false);
}
generateAccountStatusNotificationForPwds(PASSWORD_CHANGED, INFO_MODIFY_PASSWORD_CHANGED.get());
}
else
{
generateAccountStatusNotificationForPwds(PASSWORD_RESET, INFO_MODIFY_PASSWORD_RESET.get());
}
}
if (enabledStateChanged)
{
if (isEnabled)
{
generateAccountStatusNotificationNoPwds(ACCOUNT_ENABLED, INFO_MODIFY_ACCOUNT_ENABLED.get());
}
else
{
generateAccountStatusNotificationNoPwds(ACCOUNT_DISABLED, INFO_MODIFY_ACCOUNT_DISABLED.get());
}
}
if (wasLocked)
{
generateAccountStatusNotificationNoPwds(ACCOUNT_UNLOCKED, INFO_MODIFY_ACCOUNT_UNLOCKED.get());
}
}
private void generateAccountStatusNotificationNoPwds(
AccountStatusNotificationType notificationType, LocalizableMessage message)
{
pwPolicyState.generateAccountStatusNotification(notificationType, modifiedEntry, message,
AccountStatusNotification.createProperties(pwPolicyState, false, -1, null, null));
}
private void generateAccountStatusNotificationForPwds(
AccountStatusNotificationType notificationType, LocalizableMessage message)
{
pwPolicyState.generateAccountStatusNotification(notificationType, modifiedEntry, message,
AccountStatusNotification.createProperties(pwPolicyState, false, -1, currentPasswords, newPasswords));
}
/**
* Handle conflict resolution.
*
* @return {@code true} if processing should continue for the operation, or {@code false} if not.
*/
private boolean handleConflictResolution() {
for (SynchronizationProvider<?> provider : getSynchronizationProviders()) {
try {
SynchronizationProviderResult result =
provider.handleConflictResolution(this);
if (! result.continueProcessing()) {
setResultCodeAndMessageNoInfoDisclosure(modifiedEntry,
result.getResultCode(), result.getErrorMessage());
setMatchedDN(result.getMatchedDN());
setReferralURLs(result.getReferralURLs());
return false;
}
} catch (DirectoryException de) {
logger.traceException(de);
logger.error(ERR_MODIFY_SYNCH_CONFLICT_RESOLUTION_FAILED,
getConnectionID(), getOperationID(), getExceptionMessage(de));
setResponseData(de);
return false;
}
}
return true;
}
/**
* Process pre operation.
* @return {@code true} if processing should continue for the operation, or
* {@code false} if not.
*/
private boolean processPreOperation() {
for (SynchronizationProvider<?> provider : getSynchronizationProviders()) {
try {
if (!processOperationResult(this, provider.doPreOperation(this))) {
return false;
}
} catch (DirectoryException de) {
logger.traceException(de);
logger.error(ERR_MODIFY_SYNCH_PREOP_FAILED, getConnectionID(),
getOperationID(), getExceptionMessage(de));
setResponseData(de);
return false;
}
}
return true;
}
/** Invoke post operation synchronization providers. */
private void processSynchPostOperationPlugins() {
for (SynchronizationProvider<?> provider : getSynchronizationProviders()) {
try {
provider.doPostOperation(this);
} catch (DirectoryException de) {
logger.traceException(de);
logger.error(ERR_MODIFY_SYNCH_POSTOP_FAILED, getConnectionID(),
getOperationID(), getExceptionMessage(de));
setResponseData(de);
return;
}
}
}
}