001/*
002 * CDDL HEADER START
003 *
004 * The contents of this file are subject to the terms of the
005 * Common Development and Distribution License, Version 1.0 only
006 * (the "License").  You may not use this file except in compliance
007 * with the License.
008 *
009 * You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
010 * or http://forgerock.org/license/CDDLv1.0.html.
011 * See the License for the specific language governing permissions
012 * and limitations under the License.
013 *
014 * When distributing Covered Code, include this CDDL HEADER in each
015 * file and include the License file at legal-notices/CDDLv1_0.txt.
016 * If applicable, add the following below this CDDL HEADER, with the
017 * fields enclosed by brackets "[]" replaced with your own identifying
018 * information:
019 *      Portions Copyright [yyyy] [name of copyright owner]
020 *
021 * CDDL HEADER END
022 *
023 *
024 *      Copyright 2006-2010 Sun Microsystems, Inc.
025 *      Portions copyright 2011-2015 ForgeRock AS.
026 */
027package org.opends.server.core;
028
029import java.util.Collection;
030import java.util.List;
031import java.util.Set;
032import java.util.SortedSet;
033
034import org.opends.server.admin.std.meta.PasswordPolicyCfgDefn.*;
035import org.opends.server.api.*;
036import org.opends.server.types.AttributeType;
037import org.opends.server.types.DN;
038import org.opends.server.types.DirectoryException;
039import org.opends.server.types.Entry;
040
041/**
042 * This class defines a data structure that holds information about a Directory
043 * Server password policy.
044 */
045public abstract class PasswordPolicy extends AuthenticationPolicy
046{
047
048  /** Creates a new password policy. */
049  protected PasswordPolicy()
050  {
051    // Nothing to do.
052  }
053
054
055
056  /** {@inheritDoc} */
057  public abstract DN getDN();
058
059
060
061  /**
062   * Indicates whether the associated password attribute uses the auth password
063   * syntax.
064   *
065   * @return <CODE>true</CODE> if the associated password attribute uses the
066   *         auth password syntax, or <CODE>false</CODE> if not.
067   */
068  public abstract boolean isAuthPasswordSyntax();
069
070
071
072  /**
073   * Retrieves the default set of password storage schemes that will be used for
074   * this password policy. The returned set should not be modified by the
075   * caller.
076   *
077   * @return The default set of password storage schemes that will be used for
078   *         this password policy.
079   */
080  public abstract List<PasswordStorageScheme<?>>
081    getDefaultPasswordStorageSchemes();
082
083
084
085  /**
086   * Gets the "deprecated-password-storage-scheme" property.
087   * <p>
088   * Specifies the names of the password storage schemes that are considered
089   * deprecated for this password policy.
090   * <p>
091   * If a user with this password policy authenticates to the server and
092   * his/her password is encoded with a deprecated scheme, those values are
093   * removed and replaced with values encoded using the default password
094   * storage scheme(s).
095   *
096   * @return Returns an unmodifiable set containing the values of the
097   *         "deprecated-password-storage-scheme" property.
098   */
099  public abstract Set<String> getDeprecatedPasswordStorageSchemes();
100
101
102
103  /**
104   * Indicates whether the specified storage scheme is a default scheme for this
105   * password policy.
106   *
107   * @param name
108   *          The name of the password storage scheme for which to make the
109   *          determination.
110   * @return <CODE>true</CODE> if the storage scheme is a default scheme for
111   *         this password policy, or <CODE>false</CODE> if not.
112   */
113  public abstract boolean isDefaultPasswordStorageScheme(String name);
114
115
116
117  /**
118   * Indicates whether the specified storage scheme is deprecated.
119   *
120   * @param name
121   *          The name of the password storage scheme for which to make the
122   *          determination.
123   * @return <CODE>true</CODE> if the storage scheme is deprecated, or
124   *         <CODE>false</CODE> if not.
125   */
126  public abstract boolean isDeprecatedPasswordStorageScheme(String name);
127
128
129
130  /**
131   * Retrieves the set of password validators for this password policy. The
132   * returned list should not be altered by the caller.
133   *
134   * @return The set of password validators for this password policy.
135   */
136  public abstract Collection<PasswordValidator<?>> getPasswordValidators();
137
138
139
140  /**
141   * Retrieves the set of account status notification handlers that should be
142   * used with this password policy. The returned list should not be altered by
143   * the caller.
144   *
145   * @return The set of account status notification handlers that should be used
146   *         with this password policy.
147   */
148  public abstract Collection<AccountStatusNotificationHandler<?>>
149    getAccountStatusNotificationHandlers();
150
151
152
153  /**
154   * Retrieves the password generator that will be used with this password
155   * policy.
156   *
157   * @return The password generator that will be used with this password policy,
158   *         or <CODE>null</CODE> if there is none.
159   */
160  public abstract PasswordGenerator<?> getPasswordGenerator();
161
162
163
164  /**
165   * Retrieves the time by which all users will be required to change their
166   * passwords, expressed in the number of milliseconds since midnight of
167   * January 1, 1970 (i.e., the zero time for
168   * <CODE>System.currentTimeMillis()</CODE>). Any passwords not changed before
169   * this time will automatically enter a state in which they must be changed
170   * before any other operation will be allowed.
171   *
172   * @return The time by which all users will be required to change their
173   *         passwords, or zero if no such constraint is in effect.
174   */
175  public abstract long getRequireChangeByTime();
176
177
178
179  /**
180   * Gets the "allow-expired-password-changes" property.
181   * <p>
182   * Indicates whether a user whose password is expired is still allowed to
183   * change that password using the password modify extended operation.
184   *
185   * @return Returns the value of the "allow-expired-password-changes" property.
186   */
187  public abstract boolean isAllowExpiredPasswordChanges();
188
189
190
191  /**
192   * Gets the "allow-multiple-password-values" property.
193   * <p>
194   * Indicates whether user entries can have multiple distinct values for the
195   * password attribute.
196   * <p>
197   * This is potentially dangerous because many mechanisms used to change the
198   * password do not work well with such a configuration. If multiple password
199   * values are allowed, then any of them can be used to authenticate, and they
200   * are all subject to the same policy constraints.
201   *
202   * @return Returns the value of the "allow-multiple-password-values" property.
203   */
204  public abstract boolean isAllowMultiplePasswordValues();
205
206
207
208  /**
209   * Gets the "allow-pre-encoded-passwords" property.
210   * <p>
211   * Indicates whether users can change their passwords by providing a
212   * pre-encoded value.
213   * <p>
214   * This can cause a security risk because the clear-text version of the
215   * password is not known and therefore validation checks cannot be applied to
216   * it.
217   *
218   * @return Returns the value of the "allow-pre-encoded-passwords" property.
219   */
220  public abstract boolean isAllowPreEncodedPasswords();
221
222
223
224  /**
225   * Gets the "allow-user-password-changes" property.
226   * <p>
227   * Indicates whether users can change their own passwords.
228   * <p>
229   * This check is made in addition to access control evaluation. Both must
230   * allow the password change for it to occur.
231   *
232   * @return Returns the value of the "allow-user-password-changes" property.
233   */
234  public abstract boolean isAllowUserPasswordChanges();
235
236
237
238  /**
239   * Gets the "expire-passwords-without-warning" property.
240   * <p>
241   * Indicates whether the directory server allows a user's password to expire
242   * even if that user has never seen an expiration warning notification.
243   * <p>
244   * If this property is true, accounts always expire when the expiration time
245   * arrives. If this property is false or disabled, the user always receives at
246   * least one warning notification, and the password expiration is set to the
247   * warning time plus the warning interval.
248   *
249   * @return Returns the value of the "expire-passwords-without-warning"
250   *         property.
251   */
252  public abstract boolean isExpirePasswordsWithoutWarning();
253
254
255
256  /**
257   * Gets the "force-change-on-add" property.
258   * <p>
259   * Indicates whether users are forced to change their passwords upon first
260   * authenticating to the directory server after their account has been
261   * created.
262   *
263   * @return Returns the value of the "force-change-on-add" property.
264   */
265  public abstract boolean isForceChangeOnAdd();
266
267
268
269  /**
270   * Gets the "force-change-on-reset" property.
271   * <p>
272   * Indicates whether users are forced to change their passwords if they are
273   * reset by an administrator.
274   * <p>
275   * For this purpose, anyone with permission to change a given user's password
276   * other than that user is considered an administrator.
277   *
278   * @return Returns the value of the "force-change-on-reset" property.
279   */
280  public abstract boolean isForceChangeOnReset();
281
282
283
284  /**
285   * Gets the "grace-login-count" property.
286   * <p>
287   * Specifies the number of grace logins that a user is allowed after the
288   * account has expired to allow that user to choose a new password.
289   * <p>
290   * A value of 0 indicates that no grace logins are allowed.
291   *
292   * @return Returns the value of the "grace-login-count" property.
293   */
294  public abstract int getGraceLoginCount();
295
296
297
298  /**
299   * Gets the "idle-lockout-interval" property.
300   * <p>
301   * Specifies the maximum length of time that an account may remain idle (that
302   * is, the associated user does not authenticate to the server) before that
303   * user is locked out.
304   * <p>
305   * The value of this attribute is an integer followed by a unit of seconds,
306   * minutes, hours, days, or weeks. A value of 0 seconds indicates that idle
307   * accounts are not automatically locked out. This feature is available only
308   * if the last login time is maintained.
309   *
310   * @return Returns the value of the "idle-lockout-interval" property.
311   */
312  public abstract long getIdleLockoutInterval();
313
314
315
316  /**
317   * Gets the "last-login-time-attribute" property.
318   * <p>
319   * Specifies the name or OID of the attribute type that is used to hold the
320   * last login time for users with the associated password policy.
321   * <p>
322   * This attribute type must be defined in the directory server schema and must
323   * either be defined as an operational attribute or must be allowed by the set
324   * of objectClasses for all users with the associated password policy.
325   *
326   * @return Returns the value of the "last-login-time-attribute" property.
327   */
328  public abstract AttributeType getLastLoginTimeAttribute();
329
330
331
332  /**
333   * Gets the "last-login-time-format" property.
334   * <p>
335   * Specifies the format string that is used to generate the last login time
336   * value for users with the associated password policy.
337   * <p>
338   * This format string conforms to the syntax described in the API
339   * documentation for the java.text.SimpleDateFormat class.
340   *
341   * @return Returns the value of the "last-login-time-format" property.
342   */
343  public abstract String getLastLoginTimeFormat();
344
345
346
347  /**
348   * Gets the "lockout-duration" property.
349   * <p>
350   * Specifies the length of time that an account is locked after too many
351   * authentication failures.
352   * <p>
353   * The value of this attribute is an integer followed by a unit of seconds,
354   * minutes, hours, days, or weeks. A value of 0 seconds indicates that the
355   * account must remain locked until an administrator resets the password.
356   *
357   * @return Returns the value of the "lockout-duration" property.
358   */
359  public abstract long getLockoutDuration();
360
361
362
363  /**
364   * Gets the "lockout-failure-count" property.
365   * <p>
366   * Specifies the maximum number of authentication failures that a user is
367   * allowed before the account is locked out.
368   * <p>
369   * A value of 0 indicates that accounts are never locked out due to failed
370   * attempts.
371   *
372   * @return Returns the value of the "lockout-failure-count" property.
373   */
374  public abstract int getLockoutFailureCount();
375
376
377
378  /**
379   * Gets the "lockout-failure-expiration-interval" property.
380   * <p>
381   * Specifies the length of time before an authentication failure is no longer
382   * counted against a user for the purposes of account lockout.
383   * <p>
384   * The value of this attribute is an integer followed by a unit of seconds,
385   * minutes, hours, days, or weeks. A value of 0 seconds indicates that the
386   * authentication failures must never expire. The failure count is always
387   * cleared upon a successful authentication.
388   *
389   * @return Returns the value of the "lockout-failure-expiration-interval"
390   *         property.
391   */
392  public abstract long getLockoutFailureExpirationInterval();
393
394
395
396  /**
397   * Gets the "max-password-age" property.
398   * <p>
399   * Specifies the maximum length of time that a user can continue using the
400   * same password before it must be changed (that is, the password expiration
401   * interval).
402   * <p>
403   * The value of this attribute is an integer followed by a unit of seconds,
404   * minutes, hours, days, or weeks. A value of 0 seconds disables password
405   * expiration.
406   *
407   * @return Returns the value of the "max-password-age" property.
408   */
409  public abstract long getMaxPasswordAge();
410
411
412
413  /**
414   * Gets the "max-password-reset-age" property.
415   * <p>
416   * Specifies the maximum length of time that users have to change passwords
417   * after they have been reset by an administrator before they become locked.
418   * <p>
419   * The value of this attribute is an integer followed by a unit of seconds,
420   * minutes, hours, days, or weeks. A value of 0 seconds disables this feature.
421   *
422   * @return Returns the value of the "max-password-reset-age" property.
423   */
424  public abstract long getMaxPasswordResetAge();
425
426
427
428  /**
429   * Gets the "min-password-age" property.
430   * <p>
431   * Specifies the minimum length of time after a password change before the
432   * user is allowed to change the password again.
433   * <p>
434   * The value of this attribute is an integer followed by a unit of seconds,
435   * minutes, hours, days, or weeks. This setting can be used to prevent users
436   * from changing their passwords repeatedly over a short period of time to
437   * flush an old password from the history so that it can be re-used.
438   *
439   * @return Returns the value of the "min-password-age" property.
440   */
441  public abstract long getMinPasswordAge();
442
443
444
445  /**
446   * Gets the "password-attribute" property.
447   * <p>
448   * Specifies the attribute type used to hold user passwords.
449   * <p>
450   * This attribute type must be defined in the server schema, and it must have
451   * either the user password or auth password syntax.
452   *
453   * @return Returns the value of the "password-attribute" property.
454   */
455  public abstract AttributeType getPasswordAttribute();
456
457
458
459  /**
460   * Gets the "password-change-requires-current-password" property.
461   * <p>
462   * Indicates whether user password changes must use the password modify
463   * extended operation and must include the user's current password before the
464   * change is allowed.
465   *
466   * @return Returns the value of the
467   *         "password-change-requires-current-password" property.
468   */
469  public abstract boolean isPasswordChangeRequiresCurrentPassword();
470
471
472
473  /**
474   * Gets the "password-expiration-warning-interval" property.
475   * <p>
476   * Specifies the maximum length of time before a user's password actually
477   * expires that the server begins to include warning notifications in bind
478   * responses for that user.
479   * <p>
480   * The value of this attribute is an integer followed by a unit of seconds,
481   * minutes, hours, days, or weeks. A value of 0 seconds disables the warning
482   * interval.
483   *
484   * @return Returns the value of the "password-expiration-warning-interval"
485   *         property.
486   */
487  public abstract long getPasswordExpirationWarningInterval();
488
489
490
491  /**
492   * Gets the "password-history-count" property.
493   * <p>
494   * Specifies the maximum number of former passwords to maintain in the
495   * password history.
496   * <p>
497   * When choosing a new password, the proposed password is checked to ensure
498   * that it does not match the current password, nor any other password in the
499   * history list. A value of zero indicates that either no password history is
500   * to be maintained (if the password history duration has a value of zero
501   * seconds), or that there is no maximum number of passwords to maintain in
502   * the history (if the password history duration has a value greater than zero
503   * seconds).
504   *
505   * @return Returns the value of the "password-history-count" property.
506   */
507  public abstract int getPasswordHistoryCount();
508
509
510
511  /**
512   * Gets the "password-history-duration" property.
513   * <p>
514   * Specifies the maximum length of time that passwords remain in the password
515   * history.
516   * <p>
517   * When choosing a new password, the proposed password is checked to ensure
518   * that it does not match the current password, nor any other password in the
519   * history list. A value of zero seconds indicates that either no password
520   * history is to be maintained (if the password history count has a value of
521   * zero), or that there is no maximum duration for passwords in the history
522   * (if the password history count has a value greater than zero).
523   *
524   * @return Returns the value of the "password-history-duration" property.
525   */
526  public abstract long getPasswordHistoryDuration();
527
528
529
530  /**
531   * Gets the "previous-last-login-time-format" property.
532   * <p>
533   * Specifies the format string(s) that might have been used with the last
534   * login time at any point in the past for users associated with the password
535   * policy.
536   * <p>
537   * These values are used to make it possible to parse previous values, but are
538   * not used to set new values. The format strings conform to the syntax
539   * described in the API documentation for the java.text.SimpleDateFormat
540   * class.
541   *
542   * @return Returns an unmodifiable set containing the values of the
543   *         "previous-last-login-time-format" property.
544   */
545  public abstract SortedSet<String> getPreviousLastLoginTimeFormats();
546
547
548
549  /**
550   * Gets the "require-secure-authentication" property.
551   * <p>
552   * Indicates whether users with the associated password policy are required to
553   * authenticate in a secure manner.
554   * <p>
555   * This might mean either using a secure communication channel between the
556   * client and the server, or using a SASL mechanism that does not expose the
557   * credentials.
558   *
559   * @return Returns the value of the "require-secure-authentication" property.
560   */
561  public abstract boolean isRequireSecureAuthentication();
562
563
564
565  /**
566   * Gets the "require-secure-password-changes" property.
567   * <p>
568   * Indicates whether users with the associated password policy are required to
569   * change their password in a secure manner that does not expose the
570   * credentials.
571   *
572   * @return Returns the value of the "require-secure-password-changes"
573   *         property.
574   */
575  public abstract boolean isRequireSecurePasswordChanges();
576
577
578
579  /**
580   * Gets the "skip-validation-for-administrators" property.
581   * <p>
582   * Indicates whether passwords set by administrators are allowed to bypass the
583   * password validation process that is required for user password changes.
584   *
585   * @return Returns the value of the "skip-validation-for-administrators"
586   *         property.
587   */
588  public abstract boolean isSkipValidationForAdministrators();
589
590
591
592  /**
593   * Gets the "state-update-failure-policy" property.
594   * <p>
595   * Specifies how the server deals with the inability to update password policy
596   * state information during an authentication attempt.
597   * <p>
598   * In particular, this property can be used to control whether an otherwise
599   * successful bind operation fails if a failure occurs while attempting to
600   * update password policy state information (for example, to clear a record of
601   * previous authentication failures or to update the last login time). It can
602   * also be used to control whether to reject a bind request if it is known
603   * ahead of time that it will not be possible to update the authentication
604   * failure times in the event of an unsuccessful bind attempt (for example, if
605   * the backend writability mode is disabled).
606   *
607   * @return Returns the value of the "state-update-failure-policy" property.
608   */
609  public abstract StateUpdateFailurePolicy getStateUpdateFailurePolicy();
610
611
612
613  /** {@inheritDoc} */
614  public boolean isPasswordPolicy()
615  {
616    return true;
617  }
618
619
620
621  /** {@inheritDoc} */
622  public PasswordPolicyState createAuthenticationPolicyState(Entry userEntry,
623      long time) throws DirectoryException
624  {
625    return new PasswordPolicyState(this, userEntry, time);
626  }
627}