package org.opends.server.core;

import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TimeZone;
import java.util.TreeMap;
import org.forgerock.i18n.LocalizableMessage;
import org.forgerock.i18n.LocalizableMessageBuilder;
import org.forgerock.i18n.slf4j.LocalizedLogger;
import org.forgerock.opendj.ldap.ByteString;
import org.forgerock.opendj.ldap.ConditionResult;
import org.forgerock.opendj.ldap.GeneralizedTime;
import org.forgerock.opendj.ldap.ModificationType;
import org.forgerock.opendj.ldap.ResultCode;
import org.opends.messages.CoreMessages;
import org.opends.server.admin.std.meta.PasswordPolicyCfgDefn;
import org.opends.server.api.AccountStatusNotificationHandler;
import org.opends.server.api.AuthenticationPolicyState;
import org.opends.server.api.PasswordGenerator;
import org.opends.server.api.PasswordStorageScheme;
import org.opends.server.api.PasswordValidator;
import org.opends.server.config.ConfigConstants;
import org.opends.server.protocols.internal.InternalClientConnection;
import org.opends.server.protocols.ldap.LDAPAttribute;
import org.opends.server.schema.AuthPasswordSyntax;
import org.opends.server.schema.GeneralizedTimeSyntax;
import org.opends.server.schema.SchemaConstants;
import org.opends.server.schema.UserPasswordSyntax;
import org.opends.server.types.AccountStatusNotification;
import org.opends.server.types.AccountStatusNotificationProperty;
import org.opends.server.types.AccountStatusNotificationType;
import org.opends.server.types.Attribute;
import org.opends.server.types.AttributeBuilder;
import org.opends.server.types.AttributeType;
import org.opends.server.types.Attributes;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.Entry;
import org.opends.server.types.Modification;
import org.opends.server.types.Operation;
import org.opends.server.types.RawModification;
import org.opends.server.util.ServerConstants;
import org.opends.server.util.StaticUtils;

/* loaded from: input_file:org/opends/server/core/PasswordPolicyState.class */
public final class PasswordPolicyState extends AuthenticationPolicyState {
    private static final LocalizedLogger logger;
    private final String userDNString;
    private final PasswordPolicy passwordPolicy;
    private final long currentTime;
    private long passwordChangedTime;
    private ConditionResult isAccountExpired;
    private ConditionResult isPasswordExpired;
    private ConditionResult isFirstWarning;
    private ConditionResult isIdleLocked;
    private ConditionResult mayUseGraceLogin;
    private ConditionResult mustChangePassword;
    private ConditionResult shouldWarn;
    private int secondsUntilUnlock;
    private List<Long> authFailureTimes;
    private List<Long> graceLoginTimes;
    private long accountExpirationTime;
    private long failureLockedTime;
    private long lastLoginTime;
    private long passwordExpirationTime;
    private long requiredChangeTime;
    private long warnedTime;
    private LinkedList<Modification> modifications;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: package-private */
    public PasswordPolicyState(PasswordPolicy passwordPolicy, Entry entry, long j) {
        super(entry);
        this.passwordChangedTime = Long.MIN_VALUE;
        this.isAccountExpired = ConditionResult.UNDEFINED;
        this.isPasswordExpired = ConditionResult.UNDEFINED;
        this.isFirstWarning = ConditionResult.UNDEFINED;
        this.isIdleLocked = ConditionResult.UNDEFINED;
        this.mayUseGraceLogin = ConditionResult.UNDEFINED;
        this.mustChangePassword = ConditionResult.UNDEFINED;
        this.shouldWarn = ConditionResult.UNDEFINED;
        this.secondsUntilUnlock = Integer.MIN_VALUE;
        this.accountExpirationTime = Long.MIN_VALUE;
        this.failureLockedTime = Long.MIN_VALUE;
        this.lastLoginTime = Long.MIN_VALUE;
        this.passwordExpirationTime = Long.MIN_VALUE;
        this.requiredChangeTime = Long.MIN_VALUE;
        this.warnedTime = Long.MIN_VALUE;
        this.modifications = new LinkedList<>();
        this.currentTime = j;
        this.userDNString = entry.getName().toString();
        this.passwordPolicy = passwordPolicy;
    }

    private String getValue(AttributeType attributeType) {
        Attribute firstAttributeNotEmpty = getFirstAttributeNotEmpty(attributeType);
        String byteString = firstAttributeNotEmpty != null ? firstAttributeNotEmpty.iterator().next().toString() : null;
        if (byteString == null) {
            if (logger.isTraceEnabled()) {
                logger.trace("Returning null because attribute %s does not exist in user entry %s", attributeType.getNameOrOID(), this.userDNString);
            }
        } else if (logger.isTraceEnabled()) {
            logger.trace("Returning value %s for user %s", byteString, this.userDNString);
        }
        return byteString;
    }

    private Attribute getFirstAttributeNotEmpty(AttributeType attributeType) {
        List<Attribute> attribute = this.userEntry.getAttribute(attributeType);
        if (attribute == null) {
            return null;
        }
        for (Attribute attribute2 : attribute) {
            if (!attribute2.isEmpty()) {
                return attribute2;
            }
        }
        return null;
    }

    private List<Long> getGeneralizedTimes(AttributeType attributeType) throws DirectoryException {
        ArrayList arrayList = new ArrayList();
        List<Attribute> attribute = this.userEntry.getAttribute(attributeType);
        if (attribute != null) {
            Iterator<Attribute> it = attribute.iterator();
            while (it.hasNext()) {
                for (ByteString byteString : it.next()) {
                    try {
                        arrayList.add(Long.valueOf(GeneralizedTime.valueOf(byteString.toString()).getTimeInMillis()));
                    } catch (Exception e) {
                        logger.traceException(e, "Unable to decode value %s for attribute %s in user entry %s", byteString, attributeType.getNameOrOID(), this.userDNString);
                        throw new DirectoryException(ResultCode.INVALID_ATTRIBUTE_SYNTAX, CoreMessages.ERR_PWPSTATE_CANNOT_DECODE_GENERALIZED_TIME.get(byteString, attributeType.getNameOrOID(), this.userDNString, e), e);
                    }
                }
            }
        }
        if (arrayList.isEmpty()) {
            logger.trace("Returning an empty list because attribute %s does not exist in user entry %s", attributeType.getNameOrOID(), this.userDNString);
        }
        return arrayList;
    }

    private PasswordStorageScheme<?> getPasswordStorageScheme(ByteString byteString) throws DirectoryException {
        return this.passwordPolicy.isAuthPasswordSyntax() ? DirectoryServer.getAuthPasswordStorageScheme(AuthPasswordSyntax.decodeAuthPassword(byteString.toString())[0].toString()) : DirectoryServer.getPasswordStorageScheme(UserPasswordSyntax.decodeUserPassword(byteString.toString())[0]);
    }

    @Override // org.opends.server.api.AuthenticationPolicyState
    public PasswordPolicy getAuthenticationPolicy() {
        return this.passwordPolicy;
    }

    public long getPasswordChangedTime() {
        if (this.passwordChangedTime < 0) {
            try {
                this.passwordChangedTime = getGeneralizedTime(this.userEntry, DirectoryServer.getAttributeTypeOrDefault(ConfigConstants.OP_ATTR_PWPOLICY_CHANGED_TIME_LC));
            } catch (DirectoryException e) {
            }
            if (this.passwordChangedTime < 0) {
                try {
                    this.passwordChangedTime = getGeneralizedTime(this.userEntry, DirectoryServer.getAttributeTypeOrDefault(ConfigConstants.OP_ATTR_CREATE_TIMESTAMP_LC));
                } catch (DirectoryException e2) {
                }
                if (this.passwordChangedTime < 0) {
                    this.passwordChangedTime = 0L;
                    if (logger.isTraceEnabled()) {
                        logger.trace("Could not determine password changed time for user %s.", this.userDNString);
                    }
                }
            }
        }
        return this.passwordChangedTime;
    }

    public long getCurrentTime() {
        return this.currentTime;
    }

    public Set<ByteString> getPasswordValues() {
        Attribute firstAttributeNotEmpty = getFirstAttributeNotEmpty(this.passwordPolicy.getPasswordAttribute());
        if (firstAttributeNotEmpty == null) {
            return Collections.emptySet();
        }
        LinkedHashSet linkedHashSet = new LinkedHashSet(firstAttributeNotEmpty.size());
        Iterator<ByteString> it = firstAttributeNotEmpty.iterator();
        while (it.hasNext()) {
            linkedHashSet.add(it.next());
        }
        return Collections.unmodifiableSet(linkedHashSet);
    }

    public void setPasswordChangedTime() {
        setPasswordChangedTime(this.currentTime);
    }

    public void setPasswordChangedTime(long j) {
        if (logger.isTraceEnabled()) {
            logger.trace("Setting password changed time for user %s to current time of %d", this.userDNString, Long.valueOf(this.currentTime));
        }
        if (getPasswordChangedTime() != j) {
            this.passwordChangedTime = j;
            this.modifications.add(new Modification(ModificationType.REPLACE, Attributes.create(ConfigConstants.OP_ATTR_PWPOLICY_CHANGED_TIME, GeneralizedTimeSyntax.format(j)), true));
        }
    }

    public void clearPasswordChangedTime() {
        if (logger.isTraceEnabled()) {
            logger.trace("Clearing password changed time for user %s", this.userDNString);
        }
        this.modifications.add(new Modification(ModificationType.REPLACE, Attributes.empty(DirectoryServer.getAttributeTypeOrDefault(ConfigConstants.OP_ATTR_PWPOLICY_CHANGED_TIME_LC)), true));
        try {
            this.passwordChangedTime = getGeneralizedTime(this.userEntry, DirectoryServer.getAttributeTypeOrDefault(ConfigConstants.OP_ATTR_CREATE_TIMESTAMP_LC));
            if (this.passwordChangedTime < 0) {
                this.passwordChangedTime = 0L;
            }
        } catch (Exception e) {
            this.passwordChangedTime = 0L;
        }
    }

    public void setDisabled(boolean z) {
        if (logger.isTraceEnabled()) {
            logger.trace("Updating user %s to set the disabled flag to %b", this.userDNString, Boolean.valueOf(z));
        }
        if (z == isDisabled()) {
            return;
        }
        this.isDisabled = ConditionResult.not(this.isDisabled);
        AttributeType attributeTypeOrDefault = DirectoryServer.getAttributeTypeOrDefault(ConfigConstants.OP_ATTR_ACCOUNT_DISABLED);
        if (!z) {
            this.modifications.add(new Modification(ModificationType.REPLACE, Attributes.empty(attributeTypeOrDefault), true));
        } else {
            this.modifications.add(new Modification(ModificationType.REPLACE, Attributes.create(attributeTypeOrDefault, String.valueOf(true)), true));
        }
    }

    public boolean isAccountExpired() {
        if (this.isAccountExpired != ConditionResult.UNDEFINED) {
            if (logger.isTraceEnabled()) {
                logger.trace("Returning stored result of %b for user %s", Boolean.valueOf(this.isAccountExpired == ConditionResult.TRUE), this.userDNString);
            }
            return this.isAccountExpired == ConditionResult.TRUE;
        }
        try {
            this.accountExpirationTime = getGeneralizedTime(this.userEntry, DirectoryServer.getAttributeTypeOrDefault(ConfigConstants.OP_ATTR_ACCOUNT_EXPIRATION_TIME));
            if (this.accountExpirationTime > this.currentTime) {
                this.isAccountExpired = ConditionResult.FALSE;
                logger.trace("The account for user %s is not expired because the expiration time has not yet arrived.", this.userDNString);
            } else if (this.accountExpirationTime >= 0) {
                this.isAccountExpired = ConditionResult.TRUE;
                logger.trace("The account for user %s is expired because the expiration time in that account has passed.", this.userDNString);
            } else {
                this.isAccountExpired = ConditionResult.FALSE;
                logger.trace("The account for user %s is not expired because there is no expiration time in the user's entry.", this.userDNString);
            }
            return this.isAccountExpired == ConditionResult.TRUE;
        } catch (Exception e) {
            logger.traceException(e, "User %s is considered to have an expired account because an error occurred while attempting to make the determination.", this.userDNString);
            this.isAccountExpired = ConditionResult.TRUE;
            return true;
        }
    }

    public long getAccountExpirationTime() {
        if (this.accountExpirationTime == Long.MIN_VALUE) {
            isAccountExpired();
        }
        return this.accountExpirationTime;
    }

    public void setAccountExpirationTime(long j) {
        if (j < 0) {
            clearAccountExpirationTime();
            return;
        }
        String format = GeneralizedTimeSyntax.format(j);
        if (logger.isTraceEnabled()) {
            logger.trace("Setting account expiration time for user %s to %s", this.userDNString, format);
        }
        this.accountExpirationTime = j;
        this.modifications.add(new Modification(ModificationType.REPLACE, Attributes.create(DirectoryServer.getAttributeTypeOrDefault(ConfigConstants.OP_ATTR_ACCOUNT_EXPIRATION_TIME), format), true));
    }

    public void clearAccountExpirationTime() {
        if (logger.isTraceEnabled()) {
            logger.trace("Clearing account expiration time for user %s", this.userDNString);
        }
        this.accountExpirationTime = -1L;
        this.modifications.add(new Modification(ModificationType.REPLACE, Attributes.empty(DirectoryServer.getAttributeTypeOrDefault(ConfigConstants.OP_ATTR_ACCOUNT_EXPIRATION_TIME)), true));
    }

    public List<Long> getAuthFailureTimes() {
        if (this.authFailureTimes != null) {
            if (logger.isTraceEnabled()) {
                logger.trace("Returning stored auth failure time list of %d elements for user %s", Integer.valueOf(this.authFailureTimes.size()), this.userDNString);
            }
            return this.authFailureTimes;
        }
        AttributeType attributeTypeOrDefault = DirectoryServer.getAttributeTypeOrDefault(ConfigConstants.OP_ATTR_PWPOLICY_FAILURE_TIME_LC, ConfigConstants.OP_ATTR_PWPOLICY_FAILURE_TIME);
        try {
            this.authFailureTimes = getGeneralizedTimes(attributeTypeOrDefault);
            if (this.authFailureTimes.isEmpty()) {
                if (logger.isTraceEnabled()) {
                    logger.trace("Returning an empty auth failure time list for user %s because the attribute is absent from the entry.", this.userDNString);
                }
                return this.authFailureTimes;
            }
            if (this.passwordPolicy.getLockoutFailureExpirationInterval() > 0) {
                LinkedHashSet<ByteString> linkedHashSet = null;
                long lockoutFailureExpirationInterval = this.currentTime - (this.passwordPolicy.getLockoutFailureExpirationInterval() * 1000);
                Iterator<Long> it = this.authFailureTimes.iterator();
                while (it.hasNext()) {
                    long longValue = it.next().longValue();
                    if (longValue < lockoutFailureExpirationInterval) {
                        if (logger.isTraceEnabled()) {
                            logger.trace("Removing expired auth failure time %d for user %s", Long.valueOf(longValue), this.userDNString);
                        }
                        it.remove();
                        if (linkedHashSet == null) {
                            linkedHashSet = new LinkedHashSet<>();
                        }
                        linkedHashSet.add(ByteString.valueOf(GeneralizedTimeSyntax.format(longValue)));
                    }
                }
                if (linkedHashSet != null) {
                    this.modifications.add(new Modification(ModificationType.DELETE, newAttribute(attributeTypeOrDefault, linkedHashSet), true));
                }
            }
            if (logger.isTraceEnabled()) {
                logger.trace("Returning auth failure time list of %d elements for user %s", Integer.valueOf(this.authFailureTimes.size()), this.userDNString);
            }
            return this.authFailureTimes;
        } catch (Exception e) {
            logger.traceException(e, "Error while processing auth failure times for user %s", this.userDNString);
            this.authFailureTimes = new ArrayList();
            this.modifications.add(new Modification(ModificationType.REPLACE, Attributes.empty(attributeTypeOrDefault), true));
            return this.authFailureTimes;
        }
    }

    public void updateAuthFailureTimes() {
        if (this.passwordPolicy.getLockoutFailureCount() <= 0) {
            return;
        }
        if (logger.isTraceEnabled()) {
            logger.trace("Updating authentication failure times for user %s", this.userDNString);
        }
        List<Long> authFailureTimes = getAuthFailureTimes();
        long computeHighestTime = computeHighestTime(authFailureTimes);
        authFailureTimes.add(Long.valueOf(computeHighestTime));
        this.modifications.add(new Modification(ModificationType.ADD, Attributes.create(DirectoryServer.getAttributeTypeOrDefault(ConfigConstants.OP_ATTR_PWPOLICY_FAILURE_TIME_LC, ConfigConstants.OP_ATTR_PWPOLICY_FAILURE_TIME), GeneralizedTimeSyntax.format(computeHighestTime)), true));
        int lockoutFailureCount = this.passwordPolicy.getLockoutFailureCount();
        if (lockoutFailureCount <= 0 || lockoutFailureCount > this.authFailureTimes.size()) {
            return;
        }
        setFailureLockedTime(computeHighestTime);
        if (logger.isTraceEnabled()) {
            logger.trace("Locking user account %s due to too many failures.", this.userDNString);
        }
    }

    public void setAuthFailureTimes(List<Long> list) {
        if (list == null || list.isEmpty()) {
            clearAuthFailureTimes();
            clearFailureLockedTime();
            return;
        }
        AttributeType attributeTypeOrDefault = DirectoryServer.getAttributeTypeOrDefault(ConfigConstants.OP_ATTR_PWPOLICY_FAILURE_TIME_LC);
        this.authFailureTimes = list;
        AttributeBuilder attributeBuilder = new AttributeBuilder(attributeTypeOrDefault);
        long j = -1;
        Iterator<Long> it = list.iterator();
        while (it.hasNext()) {
            long longValue = it.next().longValue();
            j = Math.max(longValue, j);
            attributeBuilder.add(GeneralizedTimeSyntax.format(longValue));
        }
        this.modifications.add(new Modification(ModificationType.REPLACE, attributeBuilder.toAttribute(), true));
        int lockoutFailureCount = this.passwordPolicy.getLockoutFailureCount();
        if (lockoutFailureCount <= 0 || lockoutFailureCount > list.size()) {
            return;
        }
        setFailureLockedTime(j);
        if (logger.isTraceEnabled()) {
            logger.trace("Locking user account %s due to too many failures.", this.userDNString);
        }
    }

    private void clearAuthFailureTimes() {
        if (logger.isTraceEnabled()) {
            logger.trace("Clearing authentication failure times for user %s", this.userDNString);
        }
        List<Long> authFailureTimes = getAuthFailureTimes();
        if (authFailureTimes.isEmpty()) {
            return;
        }
        authFailureTimes.clear();
        this.modifications.add(new Modification(ModificationType.REPLACE, Attributes.empty(DirectoryServer.getAttributeTypeOrDefault(ConfigConstants.OP_ATTR_PWPOLICY_FAILURE_TIME_LC, ConfigConstants.OP_ATTR_PWPOLICY_FAILURE_TIME)), true));
    }

    private long getFailureLockedTime() {
        if (this.failureLockedTime != Long.MIN_VALUE) {
            return this.failureLockedTime;
        }
        try {
            this.failureLockedTime = getGeneralizedTime(this.userEntry, DirectoryServer.getAttributeTypeOrDefault(ConfigConstants.OP_ATTR_PWPOLICY_LOCKED_TIME_LC, ConfigConstants.OP_ATTR_PWPOLICY_LOCKED_TIME));
            return this.failureLockedTime;
        } catch (Exception e) {
            logger.traceException(e, "Returning current time for user %s because an error occurred", this.userDNString);
            this.failureLockedTime = this.currentTime;
            return this.failureLockedTime;
        }
    }

    private void setFailureLockedTime(long j) {
        if (j == getFailureLockedTime()) {
            return;
        }
        this.failureLockedTime = j;
        this.modifications.add(new Modification(ModificationType.REPLACE, Attributes.create(DirectoryServer.getAttributeTypeOrDefault(ConfigConstants.OP_ATTR_PWPOLICY_LOCKED_TIME_LC, ConfigConstants.OP_ATTR_PWPOLICY_LOCKED_TIME), GeneralizedTimeSyntax.format(this.failureLockedTime)), true));
    }

    private void clearFailureLockedTime() {
        if (logger.isTraceEnabled()) {
            logger.trace("Clearing failure lockout time for user %s.", this.userDNString);
        }
        if (-1 == getFailureLockedTime()) {
            return;
        }
        this.failureLockedTime = -1L;
        this.modifications.add(new Modification(ModificationType.REPLACE, Attributes.empty(DirectoryServer.getAttributeTypeOrDefault(ConfigConstants.OP_ATTR_PWPOLICY_LOCKED_TIME_LC, ConfigConstants.OP_ATTR_PWPOLICY_LOCKED_TIME)), true));
    }

    public boolean lockedDueToFailures() {
        int lockoutFailureCount = this.passwordPolicy.getLockoutFailureCount();
        if (lockoutFailureCount <= 0) {
            if (!logger.isTraceEnabled()) {
                return false;
            }
            logger.trace("Returning false for user %s because lockout due to failures is not enabled.", this.userDNString);
            return false;
        }
        if (getFailureLockedTime() < 0) {
            if (getAuthFailureTimes().size() < lockoutFailureCount) {
                if (!logger.isTraceEnabled()) {
                    return false;
                }
                logger.trace("Returning false for user %s because there is no locked time.", this.userDNString);
                return false;
            }
            setFailureLockedTime(this.currentTime);
            if (logger.isTraceEnabled()) {
                logger.trace("Locking user %s because there were enough existing failures even though there was no account locked time.", this.userDNString);
            }
        }
        if (this.passwordPolicy.getLockoutDuration() <= 0) {
            if (logger.isTraceEnabled()) {
                logger.trace("Returning true for user %s because there is a locked time and no lockout duration.", this.userDNString);
            }
            if ($assertionsDisabled || -1 <= getFailureLockedTime()) {
                return true;
            }
            throw new AssertionError();
        }
        long failureLockedTime = getFailureLockedTime() + (1000 * this.passwordPolicy.getLockoutDuration());
        if (failureLockedTime > this.currentTime) {
            this.secondsUntilUnlock = (int) ((failureLockedTime - this.currentTime) / 1000);
            if (!logger.isTraceEnabled()) {
                return true;
            }
            logger.trace("Returning true for user %s because there is a locked time and the lockout duration has not been reached.", this.userDNString);
            return true;
        }
        clearFailureLockout();
        if (logger.isTraceEnabled()) {
            logger.trace("Returning false for user %s because the existing lockout has expired.", this.userDNString);
        }
        if ($assertionsDisabled || -1 == getFailureLockedTime()) {
            return false;
        }
        throw new AssertionError();
    }

    public int getSecondsUntilUnlock() {
        if (!$assertionsDisabled && this.failureLockedTime == Long.MIN_VALUE) {
            throw new AssertionError();
        }
        if (this.secondsUntilUnlock < 0) {
            return -1;
        }
        return this.secondsUntilUnlock;
    }

    public void clearFailureLockout() {
        clearAuthFailureTimes();
        clearFailureLockedTime();
    }

    public long getLastLoginTime() {
        if (this.lastLoginTime != Long.MIN_VALUE) {
            if (logger.isTraceEnabled()) {
                logger.trace("Returning stored last login time of %d for user %s.", Long.valueOf(this.lastLoginTime), this.userDNString);
            }
            return this.lastLoginTime;
        }
        AttributeType lastLoginTimeAttribute = this.passwordPolicy.getLastLoginTimeAttribute();
        String lastLoginTimeFormat = this.passwordPolicy.getLastLoginTimeFormat();
        if (lastLoginTimeAttribute == null || lastLoginTimeFormat == null) {
            this.lastLoginTime = -1L;
            if (logger.isTraceEnabled()) {
                logger.trace("Returning -1 for user %s because no last login time will be maintained.", this.userDNString);
            }
            return this.lastLoginTime;
        }
        boolean equals = SchemaConstants.SYNTAX_GENERALIZED_TIME_NAME.equals(lastLoginTimeAttribute.getSyntax().getName());
        this.lastLoginTime = -1L;
        List<Attribute> attribute = this.userEntry.getAttribute(lastLoginTimeAttribute);
        if (attribute != null) {
            for (Attribute attribute2 : attribute) {
                if (!attribute2.isEmpty()) {
                    String byteString = attribute2.iterator().next().toString();
                    try {
                        this.lastLoginTime = parseTime(lastLoginTimeFormat, byteString, equals);
                        if (logger.isTraceEnabled()) {
                            logger.trace("Returning last login time of %d for user %s, decoded using current last login time format.", Long.valueOf(this.lastLoginTime), this.userDNString);
                        }
                        return this.lastLoginTime;
                    } catch (Exception e) {
                        logger.traceException(e);
                        for (String str : this.passwordPolicy.getPreviousLastLoginTimeFormats()) {
                            try {
                                this.lastLoginTime = parseTime(str, byteString, equals);
                                if (logger.isTraceEnabled()) {
                                    logger.trace("Returning last login time of %d for user %s decoded using previous last login time format of %s.", Long.valueOf(this.lastLoginTime), this.userDNString, str);
                                }
                                return this.lastLoginTime;
                            } catch (Exception e2) {
                                logger.traceException(e);
                            }
                        }
                        if (!$assertionsDisabled && this.lastLoginTime != -1) {
                            throw new AssertionError();
                        }
                        if (logger.isTraceEnabled()) {
                            logger.trace("Returning -1 for user %s because the last login time value %s could not be parsed using any known format.", this.userDNString, byteString);
                        }
                        return this.lastLoginTime;
                    }
                }
            }
        }
        if (!$assertionsDisabled && this.lastLoginTime != -1) {
            throw new AssertionError();
        }
        if (logger.isTraceEnabled()) {
            logger.trace("Returning %d for user %s because no last login time value exists.", Long.valueOf(this.lastLoginTime), this.userDNString);
        }
        return this.lastLoginTime;
    }

    private long parseTime(String str, String str2, boolean z) throws ParseException {
        SimpleDateFormat simpleDateFormat = new SimpleDateFormat(str);
        if (z) {
            simpleDateFormat.setTimeZone(TimeZone.getTimeZone(ServerConstants.TIME_ZONE_UTC));
        }
        return simpleDateFormat.parse(str2).getTime();
    }

    public void setLastLoginTime() {
        setLastLoginTime(this.currentTime);
    }

    public void setLastLoginTime(long j) {
        AttributeType lastLoginTimeAttribute = this.passwordPolicy.getLastLoginTimeAttribute();
        String lastLoginTimeFormat = this.passwordPolicy.getLastLoginTimeFormat();
        if (lastLoginTimeAttribute == null || lastLoginTimeFormat == null) {
            return;
        }
        try {
            SimpleDateFormat simpleDateFormat = new SimpleDateFormat(lastLoginTimeFormat);
            if (SchemaConstants.SYNTAX_GENERALIZED_TIME_NAME.equals(lastLoginTimeAttribute.getSyntax().getName())) {
                simpleDateFormat.setTimeZone(TimeZone.getTimeZone(ServerConstants.TIME_ZONE_UTC));
            }
            String format = simpleDateFormat.format(new Date(j));
            this.lastLoginTime = simpleDateFormat.parse(format).getTime();
            String value = getValue(lastLoginTimeAttribute);
            if (value != null && format.equals(value)) {
                logger.trace("Not updating last login time for user %s because the new value matches the existing value.", this.userDNString);
                return;
            }
            this.modifications.add(new Modification(ModificationType.REPLACE, Attributes.create(lastLoginTimeAttribute, format), true));
            logger.trace("Updated the last login time for user %s to %s", this.userDNString, format);
        } catch (Exception e) {
            logger.traceException(e, "Unable to set last login time for user %s because an error occurred", this.userDNString);
        }
    }

    public void clearLastLoginTime() {
        if (logger.isTraceEnabled()) {
            logger.trace("Clearing last login time for user %s", this.userDNString);
        }
        this.lastLoginTime = -1L;
        this.modifications.add(new Modification(ModificationType.REPLACE, Attributes.empty(DirectoryServer.getAttributeTypeOrDefault(ConfigConstants.OP_ATTR_LAST_LOGIN_TIME)), true));
    }

    public boolean lockedDueToIdleInterval() {
        if (this.isIdleLocked != ConditionResult.UNDEFINED) {
            if (logger.isTraceEnabled()) {
                logger.trace("Returning stored result of %b for user %s", Boolean.valueOf(this.isIdleLocked == ConditionResult.TRUE), this.userDNString);
            }
            return this.isIdleLocked == ConditionResult.TRUE;
        }
        if (this.passwordPolicy.getIdleLockoutInterval() <= 0) {
            this.isIdleLocked = ConditionResult.FALSE;
            if (!logger.isTraceEnabled()) {
                return false;
            }
            logger.trace("Returning false for user %s because no idle lockout interval is defined.", this.userDNString);
            return false;
        }
        long idleLockoutInterval = this.currentTime - (1000 * this.passwordPolicy.getIdleLockoutInterval());
        if (idleLockoutInterval < 0) {
            idleLockoutInterval = 0;
        }
        long lastLoginTime = getLastLoginTime();
        if (lastLoginTime > idleLockoutInterval || getPasswordChangedTime() > idleLockoutInterval) {
            this.isIdleLocked = ConditionResult.FALSE;
            if (logger.isTraceEnabled()) {
                StringBuilder sb = new StringBuilder();
                if (lastLoginTime > idleLockoutInterval) {
                    sb.append("the last login time is in an acceptable window");
                } else {
                    if (lastLoginTime < 0) {
                        sb.append("there is no last login time, but ");
                    }
                    sb.append("the password changed time is in an acceptable window");
                }
                logger.trace("Returning false for user %s because %s.", this.userDNString, sb);
            }
        } else {
            this.isIdleLocked = ConditionResult.TRUE;
            if (logger.isTraceEnabled()) {
                logger.trace("Returning true for user %s because %s.", this.userDNString, lastLoginTime < 0 ? "there is no last login time and the password changed time is not in an acceptable window" : "neither last login time nor password changed time are in an acceptable window");
            }
        }
        return this.isIdleLocked == ConditionResult.TRUE;
    }

    public boolean mustChangePassword() {
        if (this.mustChangePassword != ConditionResult.UNDEFINED) {
            if (logger.isTraceEnabled()) {
                logger.trace("Returning stored result of %b for user %s.", Boolean.valueOf(this.mustChangePassword == ConditionResult.TRUE), this.userDNString);
            }
            return this.mustChangePassword == ConditionResult.TRUE;
        }
        if (!this.passwordPolicy.isAllowUserPasswordChanges() || (!this.passwordPolicy.isForceChangeOnAdd() && !this.passwordPolicy.isForceChangeOnReset())) {
            this.mustChangePassword = ConditionResult.FALSE;
            if (!logger.isTraceEnabled()) {
                return false;
            }
            logger.trace("Returning false for user %s because neither force change on add nor force change on reset is enabled, or users are not allowed to self-modify passwords.", this.userDNString);
            return false;
        }
        try {
            this.mustChangePassword = getBoolean(this.userEntry, DirectoryServer.getAttributeTypeOrDefault(ConfigConstants.OP_ATTR_PWPOLICY_RESET_REQUIRED_LC, ConfigConstants.OP_ATTR_PWPOLICY_RESET_REQUIRED));
            if (this.mustChangePassword == ConditionResult.UNDEFINED) {
                this.mustChangePassword = ConditionResult.FALSE;
                logger.trace("Returning %b for user since the attribute \"%s\" is not present in the entry.", false, this.userDNString, ConfigConstants.OP_ATTR_PWPOLICY_RESET_REQUIRED);
                return false;
            }
            boolean z = this.mustChangePassword == ConditionResult.TRUE;
            logger.trace("Returning %b for user %s.", Boolean.valueOf(z), this.userDNString);
            return z;
        } catch (Exception e) {
            logger.traceException(e, "Returning true for user %s because an error occurred", this.userDNString);
            this.mustChangePassword = ConditionResult.TRUE;
            return true;
        }
    }

    public void setMustChangePassword(boolean z) {
        if (logger.isTraceEnabled()) {
            logger.trace("Updating user %s to set the reset flag to %b", this.userDNString, Boolean.valueOf(z));
        }
        if (z == mustChangePassword()) {
            return;
        }
        AttributeType attributeTypeOrDefault = DirectoryServer.getAttributeTypeOrDefault(ConfigConstants.OP_ATTR_PWPOLICY_RESET_REQUIRED_LC, ConfigConstants.OP_ATTR_PWPOLICY_RESET_REQUIRED);
        this.mustChangePassword = ConditionResult.not(this.mustChangePassword);
        if (!z) {
            this.modifications.add(new Modification(ModificationType.REPLACE, Attributes.empty(attributeTypeOrDefault), true));
        } else {
            this.modifications.add(new Modification(ModificationType.REPLACE, Attributes.create(attributeTypeOrDefault, String.valueOf(true)), true));
        }
    }

    public boolean lockedDueToMaximumResetAge() {
        if (this.passwordPolicy.getMaxPasswordResetAge() <= 0) {
            if (!logger.isTraceEnabled()) {
                return false;
            }
            logger.trace("Returning false for user %s because there is no maximum reset age.", this.userDNString);
            return false;
        }
        if (mustChangePassword()) {
            boolean z = getPasswordChangedTime() + (1000 * this.passwordPolicy.getMaxPasswordResetAge()) < this.currentTime;
            if (logger.isTraceEnabled()) {
                logger.trace("Returning %b for user %s after comparing the current and max reset times.", Boolean.valueOf(z), this.userDNString);
            }
            return z;
        }
        if (!logger.isTraceEnabled()) {
            return false;
        }
        logger.trace("Returning false for user %s because the user's password has not been reset.", this.userDNString);
        return false;
    }

    public boolean isLocked() {
        return lockedDueToIdleInterval() || lockedDueToMaximumResetAge() || lockedDueToFailures();
    }

    public long getPasswordExpirationTime() {
        if (this.passwordExpirationTime == Long.MIN_VALUE) {
            this.passwordExpirationTime = Long.MAX_VALUE;
            boolean z = false;
            long maxPasswordAge = this.passwordPolicy.getMaxPasswordAge();
            if (maxPasswordAge > 0) {
                long passwordChangedTime = getPasswordChangedTime() + (1000 * maxPasswordAge);
                if (passwordChangedTime < this.passwordExpirationTime) {
                    this.passwordExpirationTime = passwordChangedTime;
                    z = true;
                }
            }
            long maxPasswordResetAge = this.passwordPolicy.getMaxPasswordResetAge();
            if (mustChangePassword() && maxPasswordResetAge > 0) {
                long passwordChangedTime2 = getPasswordChangedTime() + (1000 * maxPasswordResetAge);
                if (passwordChangedTime2 < this.passwordExpirationTime) {
                    this.passwordExpirationTime = passwordChangedTime2;
                    z = false;
                }
            }
            long requireChangeByTime = this.passwordPolicy.getRequireChangeByTime();
            if (requireChangeByTime > 0 && getRequiredChangeTime() != requireChangeByTime && requireChangeByTime < this.passwordExpirationTime) {
                this.passwordExpirationTime = requireChangeByTime;
                z = true;
            }
            if (this.passwordExpirationTime == Long.MAX_VALUE) {
                this.passwordExpirationTime = -1L;
                this.shouldWarn = ConditionResult.FALSE;
                this.isFirstWarning = ConditionResult.FALSE;
                this.isPasswordExpired = ConditionResult.FALSE;
                this.mayUseGraceLogin = ConditionResult.TRUE;
            } else if (z) {
                this.mayUseGraceLogin = ConditionResult.TRUE;
                long passwordExpirationWarningInterval = this.passwordPolicy.getPasswordExpirationWarningInterval();
                if (passwordExpirationWarningInterval <= 0) {
                    this.shouldWarn = ConditionResult.FALSE;
                    this.isFirstWarning = ConditionResult.FALSE;
                    if (this.currentTime > this.passwordExpirationTime) {
                        this.isPasswordExpired = ConditionResult.TRUE;
                    } else {
                        this.isPasswordExpired = ConditionResult.FALSE;
                    }
                } else if (this.passwordExpirationTime - (passwordExpirationWarningInterval * 1000) > this.currentTime) {
                    this.shouldWarn = ConditionResult.FALSE;
                    this.isFirstWarning = ConditionResult.FALSE;
                    this.isPasswordExpired = ConditionResult.FALSE;
                } else {
                    long warnedTime = getWarnedTime();
                    if (this.passwordExpirationTime > this.currentTime) {
                        this.shouldWarn = ConditionResult.TRUE;
                        this.isPasswordExpired = ConditionResult.FALSE;
                        if (warnedTime < 0) {
                            this.isFirstWarning = ConditionResult.TRUE;
                            setWarnedTime();
                            if (!this.passwordPolicy.isExpirePasswordsWithoutWarning()) {
                                this.passwordExpirationTime = this.currentTime + (passwordExpirationWarningInterval * 1000);
                            }
                        } else {
                            this.isFirstWarning = ConditionResult.FALSE;
                            if (!this.passwordPolicy.isExpirePasswordsWithoutWarning()) {
                                this.passwordExpirationTime = warnedTime + (passwordExpirationWarningInterval * 1000);
                            }
                        }
                    } else if (this.passwordPolicy.isExpirePasswordsWithoutWarning()) {
                        this.shouldWarn = ConditionResult.FALSE;
                        this.isFirstWarning = ConditionResult.FALSE;
                        this.isPasswordExpired = ConditionResult.TRUE;
                    } else if (warnedTime > 0) {
                        this.passwordExpirationTime = warnedTime + (passwordExpirationWarningInterval * 1000);
                        if (this.passwordExpirationTime > this.currentTime) {
                            this.shouldWarn = ConditionResult.TRUE;
                            this.isFirstWarning = ConditionResult.FALSE;
                            this.isPasswordExpired = ConditionResult.FALSE;
                        } else {
                            this.shouldWarn = ConditionResult.FALSE;
                            this.isFirstWarning = ConditionResult.FALSE;
                            this.isPasswordExpired = ConditionResult.TRUE;
                        }
                    } else {
                        this.shouldWarn = ConditionResult.TRUE;
                        this.isFirstWarning = ConditionResult.TRUE;
                        this.isPasswordExpired = ConditionResult.FALSE;
                        this.passwordExpirationTime = this.currentTime + (passwordExpirationWarningInterval * 1000);
                    }
                }
            } else {
                this.mayUseGraceLogin = ConditionResult.FALSE;
                this.shouldWarn = ConditionResult.FALSE;
                this.isFirstWarning = ConditionResult.FALSE;
                if (this.passwordExpirationTime < this.currentTime) {
                    this.isPasswordExpired = ConditionResult.TRUE;
                } else {
                    this.isPasswordExpired = ConditionResult.FALSE;
                }
            }
        }
        if (logger.isTraceEnabled()) {
            logger.trace("Returning password expiration time of %d for user %s.", Long.valueOf(this.passwordExpirationTime), this.userDNString);
        }
        return this.passwordExpirationTime;
    }

    public boolean isPasswordExpired() {
        refreshIfUndefined(this.isPasswordExpired);
        return this.isPasswordExpired == ConditionResult.TRUE;
    }

    private void refreshIfUndefined(ConditionResult conditionResult) {
        if (conditionResult == null || conditionResult == ConditionResult.UNDEFINED) {
            getPasswordExpirationTime();
        }
    }

    public boolean isWithinMinimumAge() {
        long minPasswordAge = this.passwordPolicy.getMinPasswordAge();
        if (minPasswordAge <= 0) {
            if (!logger.isTraceEnabled()) {
                return false;
            }
            logger.trace("Returning false because there is no minimum age.");
            return false;
        }
        if (getPasswordChangedTime() + (minPasswordAge * 1000) < this.currentTime) {
            if (!logger.isTraceEnabled()) {
                return false;
            }
            logger.trace("Returning false because the minimum age has expired.");
            return false;
        }
        if (mustChangePassword()) {
            if (!logger.isTraceEnabled()) {
                return false;
            }
            logger.trace("Returning false because the account is in a must-change state.");
            return false;
        }
        if (!logger.isTraceEnabled()) {
            return true;
        }
        logger.trace("Returning true.");
        return true;
    }

    public boolean mayUseGraceLogin() {
        refreshIfUndefined(this.mayUseGraceLogin);
        return this.mayUseGraceLogin == ConditionResult.TRUE;
    }

    public boolean shouldWarn() {
        refreshIfUndefined(this.shouldWarn);
        return this.shouldWarn == ConditionResult.TRUE;
    }

    public boolean isFirstWarning() {
        refreshIfUndefined(this.isFirstWarning);
        return this.isFirstWarning == ConditionResult.TRUE;
    }

    public int getSecondsUntilExpiration() {
        long passwordExpirationTime = getPasswordExpirationTime();
        if (passwordExpirationTime < 0) {
            return -1;
        }
        if (passwordExpirationTime < this.currentTime) {
            return 0;
        }
        return (int) ((passwordExpirationTime - this.currentTime) / 1000);
    }

    public long getRequiredChangeTime() {
        if (this.requiredChangeTime != Long.MIN_VALUE) {
            if (logger.isTraceEnabled()) {
                logger.trace("Returning stored required change time of %d for user %s", Long.valueOf(this.requiredChangeTime), this.userDNString);
            }
            return this.requiredChangeTime;
        }
        try {
            this.requiredChangeTime = getGeneralizedTime(this.userEntry, DirectoryServer.getAttributeTypeOrDefault(ConfigConstants.OP_ATTR_PWPOLICY_CHANGED_BY_REQUIRED_TIME));
            logger.trace("Returning required change time of %d for user %s", Long.valueOf(this.requiredChangeTime), this.userDNString);
            return this.requiredChangeTime;
        } catch (Exception e) {
            logger.traceException(e, "Returning %d for user %s because an error occurred", Long.valueOf(this.requiredChangeTime), this.userDNString);
            this.requiredChangeTime = -1L;
            return this.requiredChangeTime;
        }
    }

    public void setRequiredChangeTime() {
        long requireChangeByTime = this.passwordPolicy.getRequireChangeByTime();
        if (requireChangeByTime > 0) {
            setRequiredChangeTime(requireChangeByTime);
        }
    }

    public void setRequiredChangeTime(long j) {
        if (logger.isTraceEnabled()) {
            logger.trace("Updating required change time for user %s", this.userDNString);
        }
        if (getRequiredChangeTime() != j) {
            this.requiredChangeTime = j;
            this.modifications.add(new Modification(ModificationType.REPLACE, Attributes.create(DirectoryServer.getAttributeTypeOrDefault(ConfigConstants.OP_ATTR_PWPOLICY_CHANGED_BY_REQUIRED_TIME), GeneralizedTimeSyntax.format(j)), true));
        }
    }

    public void clearRequiredChangeTime() {
        if (logger.isTraceEnabled()) {
            logger.trace("Clearing required change time for user %s", this.userDNString);
        }
        this.requiredChangeTime = Long.MIN_VALUE;
        this.modifications.add(new Modification(ModificationType.REPLACE, Attributes.empty(DirectoryServer.getAttributeTypeOrDefault(ConfigConstants.OP_ATTR_PWPOLICY_CHANGED_BY_REQUIRED_TIME)), true));
    }

    public long getWarnedTime() {
        if (this.warnedTime == Long.MIN_VALUE) {
            try {
                this.warnedTime = getGeneralizedTime(this.userEntry, DirectoryServer.getAttributeTypeOrDefault(ConfigConstants.OP_ATTR_PWPOLICY_WARNED_TIME));
            } catch (Exception e) {
                logger.traceException(e, "Unable to decode the warned time for user %s", this.userDNString);
                this.warnedTime = -1L;
            }
        }
        logger.trace("Returning a warned time of %d for user %s", Long.valueOf(this.warnedTime), this.userDNString);
        return this.warnedTime;
    }

    public void setWarnedTime() {
        setWarnedTime(this.currentTime);
    }

    public void setWarnedTime(long j) {
        if (getWarnedTime() == j) {
            if (logger.isTraceEnabled()) {
                logger.trace("Not updating warned time for user %s because the warned time is the same as the specified time.", this.userDNString);
            }
        } else {
            this.warnedTime = j;
            this.modifications.add(new Modification(ModificationType.REPLACE, Attributes.create(DirectoryServer.getAttributeTypeOrDefault(ConfigConstants.OP_ATTR_PWPOLICY_WARNED_TIME), GeneralizedTimeSyntax.createGeneralizedTimeValue(this.currentTime)), true));
            if (logger.isTraceEnabled()) {
                logger.trace("Updated the warned time for user %s", this.userDNString);
            }
        }
    }

    public void clearWarnedTime() {
        if (logger.isTraceEnabled()) {
            logger.trace("Clearing warned time for user %s", this.userDNString);
        }
        if (getWarnedTime() < 0) {
            return;
        }
        this.warnedTime = -1L;
        this.modifications.add(new Modification(ModificationType.REPLACE, Attributes.empty(DirectoryServer.getAttributeTypeOrDefault(ConfigConstants.OP_ATTR_PWPOLICY_WARNED_TIME)), true));
        if (logger.isTraceEnabled()) {
            logger.trace("Cleared the warned time for user %s", this.userDNString);
        }
    }

    public List<Long> getGraceLoginTimes() {
        if (this.graceLoginTimes == null) {
            AttributeType attributeTypeOrDefault = DirectoryServer.getAttributeTypeOrDefault(ConfigConstants.OP_ATTR_PWPOLICY_GRACE_LOGIN_TIME_LC, ConfigConstants.OP_ATTR_PWPOLICY_GRACE_LOGIN_TIME);
            try {
                this.graceLoginTimes = getGeneralizedTimes(attributeTypeOrDefault);
            } catch (Exception e) {
                logger.traceException(e, "Error while processing grace login times for user %s", this.userDNString);
                this.graceLoginTimes = new ArrayList();
                this.modifications.add(new Modification(ModificationType.REPLACE, Attributes.empty(attributeTypeOrDefault), true));
            }
        }
        logger.trace("Returning grace login times for user %s", this.userDNString);
        return this.graceLoginTimes;
    }

    public int getGraceLoginsRemaining() {
        int graceLoginCount = this.passwordPolicy.getGraceLoginCount();
        if (graceLoginCount <= 0) {
            return -1;
        }
        return graceLoginCount - getGraceLoginTimes().size();
    }

    public void updateGraceLoginTimes() {
        if (logger.isTraceEnabled()) {
            logger.trace("Updating grace login times for user %s", this.userDNString);
        }
        List<Long> graceLoginTimes = getGraceLoginTimes();
        long computeHighestTime = computeHighestTime(graceLoginTimes);
        graceLoginTimes.add(Long.valueOf(computeHighestTime));
        this.modifications.add(new Modification(ModificationType.ADD, Attributes.create(DirectoryServer.getAttributeTypeOrDefault(ConfigConstants.OP_ATTR_PWPOLICY_GRACE_LOGIN_TIME_LC, ConfigConstants.OP_ATTR_PWPOLICY_GRACE_LOGIN_TIME), GeneralizedTimeSyntax.format(computeHighestTime)), true));
    }

    private long computeHighestTime(List<Long> list) {
        long j = -1;
        Iterator<Long> it = list.iterator();
        while (it.hasNext()) {
            j = Math.max(it.next().longValue(), j);
        }
        return j >= this.currentTime ? j + 1 : this.currentTime;
    }

    public void setGraceLoginTimes(List<Long> list) {
        if (list == null || list.isEmpty()) {
            clearGraceLoginTimes();
            return;
        }
        if (logger.isTraceEnabled()) {
            logger.trace("Updating grace login times for user %s", this.userDNString);
        }
        this.graceLoginTimes = list;
        AttributeBuilder attributeBuilder = new AttributeBuilder(DirectoryServer.getAttributeTypeOrDefault(ConfigConstants.OP_ATTR_PWPOLICY_GRACE_LOGIN_TIME_LC));
        Iterator<Long> it = list.iterator();
        while (it.hasNext()) {
            attributeBuilder.add(GeneralizedTimeSyntax.format(it.next().longValue()));
        }
        this.modifications.add(new Modification(ModificationType.REPLACE, attributeBuilder.toAttribute(), true));
    }

    public void clearGraceLoginTimes() {
        if (logger.isTraceEnabled()) {
            logger.trace("Clearing grace login times for user %s", this.userDNString);
        }
        List<Long> graceLoginTimes = getGraceLoginTimes();
        if (graceLoginTimes.isEmpty()) {
            return;
        }
        graceLoginTimes.clear();
        this.modifications.add(new Modification(ModificationType.REPLACE, Attributes.empty(DirectoryServer.getAttributeTypeOrDefault(ConfigConstants.OP_ATTR_PWPOLICY_GRACE_LOGIN_TIME_LC, ConfigConstants.OP_ATTR_PWPOLICY_GRACE_LOGIN_TIME)), true));
    }

    public List<ByteString> getClearPasswords() {
        LinkedList linkedList = new LinkedList();
        List<Attribute> attribute = this.userEntry.getAttribute(this.passwordPolicy.getPasswordAttribute());
        if (attribute == null) {
            return linkedList;
        }
        for (Attribute attribute2 : attribute) {
            boolean isAuthPasswordSyntax = this.passwordPolicy.isAuthPasswordSyntax();
            Iterator<ByteString> it = attribute2.iterator();
            while (it.hasNext()) {
                try {
                    StringBuilder[] pwComponents = getPwComponents(isAuthPasswordSyntax, it.next());
                    String sb = pwComponents[0].toString();
                    PasswordStorageScheme authPasswordStorageScheme = isAuthPasswordSyntax ? DirectoryServer.getAuthPasswordStorageScheme(sb) : DirectoryServer.getPasswordStorageScheme(sb);
                    if (authPasswordStorageScheme == null) {
                        if (logger.isTraceEnabled()) {
                            logger.trace("User entry %s contains a password with scheme %s that is not defined in the server.", this.userDNString, sb);
                        }
                    } else if (authPasswordStorageScheme.isReversible()) {
                        linkedList.add(isAuthPasswordSyntax ? authPasswordStorageScheme.getAuthPasswordPlaintextValue(pwComponents[1].toString(), pwComponents[2].toString()) : authPasswordStorageScheme.getPlaintextValue(ByteString.valueOf(pwComponents[1].toString())));
                    }
                } catch (Exception e) {
                    logger.traceException(e);
                    if (logger.isTraceEnabled()) {
                        logger.trace("Cannot get clear password value for user %s: %s", this.userDNString, e);
                    }
                }
            }
        }
        return linkedList;
    }

    @Override // org.opends.server.api.AuthenticationPolicyState
    public boolean passwordMatches(ByteString byteString) {
        List<Attribute> attribute = this.userEntry.getAttribute(this.passwordPolicy.getPasswordAttribute());
        if (attribute == null || attribute.isEmpty()) {
            if (!logger.isTraceEnabled()) {
                return false;
            }
            logger.trace("Returning false because user %s does not have any values for password attribute %s", this.userDNString, this.passwordPolicy.getPasswordAttribute().getNameOrOID());
            return false;
        }
        for (Attribute attribute2 : attribute) {
            boolean isAuthPasswordSyntax = this.passwordPolicy.isAuthPasswordSyntax();
            Iterator<ByteString> it = attribute2.iterator();
            while (it.hasNext()) {
                try {
                    StringBuilder[] pwComponents = getPwComponents(isAuthPasswordSyntax, it.next());
                    String sb = pwComponents[0].toString();
                    PasswordStorageScheme authPasswordStorageScheme = isAuthPasswordSyntax ? DirectoryServer.getAuthPasswordStorageScheme(sb) : DirectoryServer.getPasswordStorageScheme(sb);
                    if (authPasswordStorageScheme != null) {
                        if (isAuthPasswordSyntax ? authPasswordStorageScheme.authPasswordMatches(byteString, pwComponents[1].toString(), pwComponents[2].toString()) : authPasswordStorageScheme.passwordMatches(byteString, ByteString.valueOf(pwComponents[1].toString()))) {
                            if (!logger.isTraceEnabled()) {
                                return true;
                            }
                            logger.trace("Returning true for user %s because the provided password matches a value encoded with scheme %s", this.userDNString, sb);
                            return true;
                        }
                        continue;
                    } else if (logger.isTraceEnabled()) {
                        logger.trace("User entry %s contains a password with scheme %s that is not defined in the server.", this.userDNString, sb);
                    }
                } catch (Exception e) {
                    logger.traceException(e, "An error occurred while attempting to process a password value for user %s", this.userDNString);
                }
            }
        }
        logger.trace("Returning false because the provided password does not match any of the stored password values for user %s", this.userDNString);
        return false;
    }

    private StringBuilder[] getPwComponents(boolean z, ByteString byteString) throws DirectoryException {
        if (z) {
            return AuthPasswordSyntax.decodeAuthPassword(byteString.toString());
        }
        String[] decodeUserPassword = UserPasswordSyntax.decodeUserPassword(byteString.toString());
        StringBuilder[] sbArr = new StringBuilder[decodeUserPassword.length];
        for (int i = 0; i < decodeUserPassword.length; i++) {
            sbArr[i] = new StringBuilder(decodeUserPassword[i]);
        }
        return sbArr;
    }

    public boolean passwordIsPreEncoded(ByteString byteString) {
        return this.passwordPolicy.isAuthPasswordSyntax() ? AuthPasswordSyntax.isEncoded(byteString) : UserPasswordSyntax.isEncoded(byteString);
    }

    public List<ByteString> encodePassword(ByteString byteString) throws DirectoryException {
        List<PasswordStorageScheme<?>> defaultPasswordStorageSchemes = this.passwordPolicy.getDefaultPasswordStorageSchemes();
        ArrayList arrayList = new ArrayList(defaultPasswordStorageSchemes.size());
        if (this.passwordPolicy.isAuthPasswordSyntax()) {
            Iterator<PasswordStorageScheme<?>> it = defaultPasswordStorageSchemes.iterator();
            while (it.hasNext()) {
                arrayList.add(it.next().encodeAuthPassword(byteString));
            }
        } else {
            Iterator<PasswordStorageScheme<?>> it2 = defaultPasswordStorageSchemes.iterator();
            while (it2.hasNext()) {
                arrayList.add(it2.next().encodePasswordWithScheme(byteString));
            }
        }
        return arrayList;
    }

    public boolean passwordIsAcceptable(Operation operation, Entry entry, ByteString byteString, Set<ByteString> set, LocalizableMessageBuilder localizableMessageBuilder) {
        Iterator<PasswordValidator<?>> it = this.passwordPolicy.getPasswordValidators().iterator();
        while (it.hasNext()) {
            if (!it.next().passwordIsAcceptable(byteString, set, operation, entry, localizableMessageBuilder)) {
                if (!logger.isTraceEnabled()) {
                    return false;
                }
                logger.trace("The password provided for user %s failed validation: %s", this.userDNString, localizableMessageBuilder);
                return false;
            }
        }
        return true;
    }

    public void handleDeprecatedStorageSchemes(ByteString byteString) {
        ByteString encodeAuthPassword;
        if (this.passwordPolicy.getDeprecatedPasswordStorageSchemes().isEmpty()) {
            if (logger.isTraceEnabled()) {
                logger.trace("Doing nothing for user %s because no deprecated storage schemes have been defined.", this.userDNString);
                return;
            }
            return;
        }
        AttributeType passwordAttribute = this.passwordPolicy.getPasswordAttribute();
        List<Attribute> attribute = this.userEntry.getAttribute(passwordAttribute);
        if (attribute == null || attribute.isEmpty()) {
            if (logger.isTraceEnabled()) {
                logger.trace("Doing nothing for entry %s because no password values were found.", this.userDNString);
                return;
            }
            return;
        }
        HashSet hashSet = new HashSet();
        LinkedHashSet<ByteString> linkedHashSet = new LinkedHashSet<>();
        LinkedHashSet linkedHashSet2 = new LinkedHashSet();
        boolean isAuthPasswordSyntax = this.passwordPolicy.isAuthPasswordSyntax();
        Iterator<Attribute> it = attribute.iterator();
        while (it.hasNext()) {
            for (ByteString byteString2 : it.next()) {
                try {
                    StringBuilder[] pwComponents = getPwComponents(isAuthPasswordSyntax, byteString2);
                    String sb = pwComponents[0].toString();
                    PasswordStorageScheme authPasswordStorageScheme = isAuthPasswordSyntax ? DirectoryServer.getAuthPasswordStorageScheme(sb) : DirectoryServer.getPasswordStorageScheme(sb);
                    if (authPasswordStorageScheme != null) {
                        if (isAuthPasswordSyntax ? authPasswordStorageScheme.authPasswordMatches(byteString, pwComponents[1].toString(), pwComponents[2].toString()) : authPasswordStorageScheme.passwordMatches(byteString, ByteString.valueOf(pwComponents[1].toString()))) {
                            if (this.passwordPolicy.isDefaultPasswordStorageScheme(sb)) {
                                hashSet.add(sb);
                                linkedHashSet2.add(byteString2);
                            } else if (this.passwordPolicy.isDeprecatedPasswordStorageScheme(sb)) {
                                if (logger.isTraceEnabled()) {
                                    logger.trace("Marking password with scheme %s for removal from user entry %s.", sb, this.userDNString);
                                }
                                linkedHashSet.add(byteString2);
                            } else {
                                linkedHashSet2.add(byteString2);
                            }
                        }
                    } else if (logger.isTraceEnabled()) {
                        logger.trace("Skipping password value for user %s because the associated storage scheme %s is not configured for use.", this.userDNString, sb);
                    }
                } catch (Exception e) {
                    logger.traceException(e, "Skipping password value for user %s because an error occurred while attempting to decode it based on the user password syntax", this.userDNString);
                }
            }
        }
        if (linkedHashSet.isEmpty()) {
            logger.trace("User entry %s does not have any password values encoded using deprecated schemes.", this.userDNString);
            return;
        }
        LinkedHashSet<ByteString> linkedHashSet3 = new LinkedHashSet<>();
        for (PasswordStorageScheme<?> passwordStorageScheme : this.passwordPolicy.getDefaultPasswordStorageSchemes()) {
            if (!hashSet.contains(StaticUtils.toLowerCase(passwordStorageScheme.getStorageSchemeName()))) {
                if (isAuthPasswordSyntax) {
                    try {
                        encodeAuthPassword = passwordStorageScheme.encodeAuthPassword(byteString);
                    } catch (Exception e2) {
                        logger.traceException(e2);
                        if (logger.isTraceEnabled()) {
                            logger.traceException(e2, "Unable to encode password for user %s using default scheme %s", this.userDNString, passwordStorageScheme.getStorageSchemeName());
                        }
                    }
                } else {
                    encodeAuthPassword = passwordStorageScheme.encodePasswordWithScheme(byteString);
                }
                ByteString byteString3 = encodeAuthPassword;
                linkedHashSet3.add(byteString3);
                linkedHashSet2.add(byteString3);
            }
        }
        if (linkedHashSet2.isEmpty()) {
            logger.trace("Not updating user entry %s because removing deprecated schemes would leave the user without a password.", this.userDNString);
            return;
        }
        this.modifications.add(new Modification(ModificationType.DELETE, newAttribute(passwordAttribute, linkedHashSet), true));
        if (!linkedHashSet3.isEmpty()) {
            this.modifications.add(new Modification(ModificationType.ADD, newAttribute(passwordAttribute, linkedHashSet3), true));
        }
        if (logger.isTraceEnabled()) {
            logger.trace("Updating user entry %s to replace password values encoded with deprecated schemes with values encoded with the default schemes.", this.userDNString);
        }
    }

    public boolean maintainHistory() {
        return this.passwordPolicy.getPasswordHistoryCount() > 0 || this.passwordPolicy.getPasswordHistoryDuration() > 0;
    }

    public boolean isPasswordInHistory(ByteString byteString) {
        if (!maintainHistory()) {
            if (!logger.isTraceEnabled()) {
                return false;
            }
            logger.trace("Returning false because password history checking is disabled.");
            return false;
        }
        if (passwordMatches(byteString)) {
            if (!logger.isTraceEnabled()) {
                return true;
            }
            logger.trace("Returning true because the provided password is currently in use.");
            return true;
        }
        TreeMap<Long, ByteString> sortedHistoryValues = getSortedHistoryValues(null);
        int passwordHistoryCount = this.passwordPolicy.getPasswordHistoryCount();
        if (passwordHistoryCount > 0 && sortedHistoryValues.size() > passwordHistoryCount) {
            Iterator<Long> it = sortedHistoryValues.keySet().iterator();
            for (int size = sortedHistoryValues.size() - passwordHistoryCount; it.hasNext() && size > 0; size--) {
                it.next();
                it.remove();
            }
        }
        long passwordHistoryDuration = this.passwordPolicy.getPasswordHistoryDuration();
        if (passwordHistoryDuration > 0) {
            long j = this.currentTime - (1000 * passwordHistoryDuration);
            Iterator<Long> it2 = sortedHistoryValues.keySet().iterator();
            while (it2.hasNext() && it2.next().longValue() < j) {
                it2.remove();
            }
        }
        Iterator<ByteString> it3 = sortedHistoryValues.values().iterator();
        while (it3.hasNext()) {
            if (historyValueMatches(byteString, it3.next())) {
                if (!logger.isTraceEnabled()) {
                    return true;
                }
                logger.trace("Returning true because the password is in the history.");
                return true;
            }
        }
        if (!logger.isTraceEnabled()) {
            return false;
        }
        logger.trace("Returning false because the password isn't in the history.");
        return false;
    }

    private TreeMap<Long, ByteString> getSortedHistoryValues(List<Attribute> list) {
        TreeMap<Long, ByteString> treeMap = new TreeMap<>();
        List<Attribute> attribute = this.userEntry.getAttribute(DirectoryServer.getAttributeTypeOrDefault(ConfigConstants.OP_ATTR_PWPOLICY_HISTORY_LC));
        if (attribute != null) {
            for (Attribute attribute2 : attribute) {
                for (ByteString byteString : attribute2) {
                    String byteString2 = byteString.toString();
                    int indexOf = byteString2.indexOf(35);
                    if (indexOf <= 0) {
                        if (logger.isTraceEnabled()) {
                            logger.trace("Found value " + byteString2 + " in the history with no timestamp.  Marking it for removal.");
                        }
                        if (list != null) {
                            list.add(Attributes.create(attribute2.getAttributeType(), byteString));
                        }
                    } else {
                        try {
                            treeMap.put(Long.valueOf(GeneralizedTimeSyntax.decodeGeneralizedTimeValue(ByteString.valueOf(byteString2.substring(0, indexOf)))), byteString);
                        } catch (Exception e) {
                            if (logger.isTraceEnabled()) {
                                logger.traceException(e);
                                logger.trace("Could not decode the timestamp in history value " + byteString2 + " -- " + e + ".  Marking it for removal.");
                            }
                            if (list != null) {
                                list.add(Attributes.create(attribute2.getAttributeType(), byteString));
                            }
                        }
                    }
                }
            }
        }
        return treeMap;
    }

    private boolean historyValueMatches(ByteString byteString, ByteString byteString2) {
        try {
            String byteString3 = byteString2.toString();
            int indexOf = byteString3.indexOf(35);
            if (indexOf <= 0) {
                if (!logger.isTraceEnabled()) {
                    return false;
                }
                logger.trace("Returning false because the password history value didn't include any hash characters.");
                return false;
            }
            int indexOf2 = byteString3.indexOf(35, indexOf + 1);
            if (indexOf2 < 0) {
                if (!logger.isTraceEnabled()) {
                    return false;
                }
                logger.trace("Returning false because the password history value only had one hash character.");
                return false;
            }
            String lowerCase = StaticUtils.toLowerCase(byteString3.substring(indexOf + 1, indexOf2));
            if (SchemaConstants.SYNTAX_AUTH_PASSWORD_OID.equals(lowerCase)) {
                return logResult("auth", encodedAuthPasswordMatches(byteString, byteString3.substring(indexOf2 + 1)));
            }
            if (SchemaConstants.SYNTAX_USER_PASSWORD_OID.equals(lowerCase)) {
                return logResult("user", encodedUserPasswordMatches(byteString, byteString3.substring(indexOf2 + 1)));
            }
            if (!logger.isTraceEnabled()) {
                return false;
            }
            logger.trace("Returning false because the syntax OID " + lowerCase + " didn't match for either the auth or user password syntax.");
            return false;
        } catch (Exception e) {
            if (!logger.isTraceEnabled()) {
                return false;
            }
            logger.traceException(e);
            logger.trace("Returning false because of an exception:  " + StaticUtils.stackTraceToSingleLineString(e));
            return false;
        }
    }

    private boolean encodedAuthPasswordMatches(ByteString byteString, String str) throws DirectoryException {
        StringBuilder[] decodeAuthPassword = AuthPasswordSyntax.decodeAuthPassword(str);
        return DirectoryServer.getAuthPasswordStorageScheme(decodeAuthPassword[0].toString()).authPasswordMatches(byteString, decodeAuthPassword[1].toString(), decodeAuthPassword[2].toString());
    }

    private boolean encodedUserPasswordMatches(ByteString byteString, String str) throws DirectoryException {
        String[] decodeUserPassword = UserPasswordSyntax.decodeUserPassword(str);
        return DirectoryServer.getPasswordStorageScheme(decodeUserPassword[0]).passwordMatches(byteString, ByteString.valueOf(decodeUserPassword[1]));
    }

    private boolean logResult(String str, boolean z) {
        if (z) {
            logger.trace("Returning true because the %s password history value matched.", str);
            return true;
        }
        logger.trace("Returning false because the %s password history value did not match.", str);
        return false;
    }

    public void updatePasswordHistory() {
        List<Attribute> attribute = this.userEntry.getAttribute(this.passwordPolicy.getPasswordAttribute());
        if (attribute != null) {
            Iterator<Attribute> it = attribute.iterator();
            while (it.hasNext()) {
                ByteString byteString = null;
                Iterator<ByteString> it2 = it.next().iterator();
                while (true) {
                    if (!it2.hasNext()) {
                        break;
                    }
                    ByteString next = it2.next();
                    try {
                    } catch (DirectoryException e) {
                        if (logger.isTraceEnabled()) {
                            logger.trace("Encoded password " + next + " cannot be decoded and cannot be added to history.");
                        }
                    }
                    if (getPasswordStorageScheme(next).isStorageSchemeSecure()) {
                        addPasswordToHistory(next.toString());
                        byteString = null;
                        break;
                    } else if (byteString == null) {
                        byteString = next;
                    }
                }
                if (byteString != null) {
                    addPasswordToHistory(byteString.toString());
                }
            }
        }
    }

    private void addPasswordToHistory(String str) {
        long j;
        if (!maintainHistory()) {
            if (logger.isTraceEnabled()) {
                logger.trace("Not doing anything because password history maintenance is disabled.");
                return;
            }
            return;
        }
        LinkedList linkedList = new LinkedList();
        TreeMap<Long, ByteString> sortedHistoryValues = getSortedHistoryValues(linkedList);
        AttributeType attributeTypeOrDefault = DirectoryServer.getAttributeTypeOrDefault(ConfigConstants.OP_ATTR_PWPOLICY_HISTORY_LC);
        int passwordHistoryCount = this.passwordPolicy.getPasswordHistoryCount();
        if (passwordHistoryCount > 0 && sortedHistoryValues.size() >= passwordHistoryCount) {
            int size = (sortedHistoryValues.size() - passwordHistoryCount) + 1;
            LinkedHashSet<ByteString> linkedHashSet = new LinkedHashSet<>(size);
            Iterator<ByteString> it = sortedHistoryValues.values().iterator();
            while (it.hasNext() && size > 0) {
                ByteString next = it.next();
                linkedHashSet.add(next);
                it.remove();
                size--;
                if (logger.isTraceEnabled()) {
                    logger.trace("Removing history value %s to preserve the history count.", next);
                }
            }
            if (!linkedHashSet.isEmpty()) {
                linkedList.add(newAttribute(attributeTypeOrDefault, linkedHashSet));
            }
        }
        long passwordHistoryDuration = this.passwordPolicy.getPasswordHistoryDuration();
        if (passwordHistoryDuration > 0) {
            long j2 = this.currentTime - (1000 * passwordHistoryDuration);
            Iterator<Long> it2 = sortedHistoryValues.keySet().iterator();
            LinkedHashSet<ByteString> linkedHashSet2 = new LinkedHashSet<>();
            while (it2.hasNext()) {
                long longValue = it2.next().longValue();
                if (longValue >= j2) {
                    break;
                }
                ByteString byteString = sortedHistoryValues.get(Long.valueOf(longValue));
                linkedHashSet2.add(byteString);
                it2.remove();
                if (logger.isTraceEnabled()) {
                    logger.trace("Removing history value %s to preserve the history duration.", byteString);
                }
            }
            if (!linkedHashSet2.isEmpty()) {
                linkedList.add(newAttribute(attributeTypeOrDefault, linkedHashSet2));
            }
        }
        long j3 = this.currentTime;
        while (true) {
            j = j3;
            if (!sortedHistoryValues.containsKey(Long.valueOf(j))) {
                break;
            } else {
                j3 = j + 1;
            }
        }
        String str2 = GeneralizedTimeSyntax.format(j) + "#" + this.passwordPolicy.getPasswordAttribute().getSyntax().getOID() + "#" + str;
        Attribute create = Attributes.create(attributeTypeOrDefault, str2);
        if (logger.isTraceEnabled()) {
            logger.trace("Going to add history value " + str2);
        }
        Iterator it3 = linkedList.iterator();
        while (it3.hasNext()) {
            this.modifications.add(new Modification(ModificationType.DELETE, (Attribute) it3.next(), true));
        }
        this.modifications.add(new Modification(ModificationType.ADD, create, true));
    }

    private Attribute newAttribute(AttributeType attributeType, LinkedHashSet<ByteString> linkedHashSet) {
        AttributeBuilder attributeBuilder = new AttributeBuilder(attributeType);
        attributeBuilder.addAll(linkedHashSet);
        return attributeBuilder.toAttribute();
    }

    public String[] getPasswordHistoryValues() {
        ArrayList arrayList = new ArrayList();
        List<Attribute> attribute = this.userEntry.getAttribute(DirectoryServer.getAttributeTypeOrDefault(ConfigConstants.OP_ATTR_PWPOLICY_HISTORY_LC));
        if (attribute != null) {
            Iterator<Attribute> it = attribute.iterator();
            while (it.hasNext()) {
                Iterator<ByteString> it2 = it.next().iterator();
                while (it2.hasNext()) {
                    arrayList.add(it2.next().toString());
                }
            }
        }
        return (String[]) arrayList.toArray(new String[arrayList.size()]);
    }

    public void clearPasswordHistory() {
        if (logger.isTraceEnabled()) {
            logger.trace("Clearing password history for user %s", this.userDNString);
        }
        this.modifications.add(new Modification(ModificationType.REPLACE, Attributes.empty(DirectoryServer.getAttributeTypeOrDefault(ConfigConstants.OP_ATTR_PWPOLICY_HISTORY_LC)), true));
    }

    public ByteString generatePassword() throws DirectoryException {
        PasswordGenerator<?> passwordGenerator = this.passwordPolicy.getPasswordGenerator();
        if (passwordGenerator != null) {
            return passwordGenerator.generatePassword(this.userEntry);
        }
        if (!logger.isTraceEnabled()) {
            return null;
        }
        logger.trace("Unable to generate a new password for user %s because no password generator has been definedin the associated password policy.", this.userDNString);
        return null;
    }

    public void generateAccountStatusNotification(AccountStatusNotificationType accountStatusNotificationType, Entry entry, LocalizableMessage localizableMessage, Map<AccountStatusNotificationProperty, List<String>> map) {
        generateAccountStatusNotification(new AccountStatusNotification(accountStatusNotificationType, entry, localizableMessage, map));
    }

    public void generateAccountStatusNotification(AccountStatusNotification accountStatusNotification) {
        Iterator<AccountStatusNotificationHandler<?>> it = this.passwordPolicy.getAccountStatusNotificationHandlers().iterator();
        while (it.hasNext()) {
            it.next().handleStatusNotification(accountStatusNotification);
        }
    }

    public List<Modification> getModifications() {
        return this.modifications;
    }

    @Override // org.opends.server.api.AuthenticationPolicyState
    public void finalizeStateAfterBind() throws DirectoryException {
        if (this.modifications.isEmpty()) {
            return;
        }
        ArrayList arrayList = new ArrayList();
        Iterator<Modification> it = this.modifications.iterator();
        while (it.hasNext()) {
            Modification next = it.next();
            arrayList.add(RawModification.create(next.getModificationType(), new LDAPAttribute(next.getAttribute())));
        }
        ModifyOperation processModify = InternalClientConnection.getRootConnection().processModify(ByteString.valueOf(this.userDNString), arrayList);
        ResultCode resultCode = processModify.getResultCode();
        if (resultCode != ResultCode.SUCCESS) {
            LocalizableMessage localizableMessage = CoreMessages.ERR_PWPSTATE_CANNOT_UPDATE_USER_ENTRY.get(this.userDNString, processModify.getErrorMessage());
            if (!DirectoryServer.isRootDN(this.userEntry.getName()) && this.passwordPolicy.getStateUpdateFailurePolicy() != PasswordPolicyCfgDefn.StateUpdateFailurePolicy.IGNORE) {
                throw new DirectoryException(resultCode, localizableMessage);
            }
            logger.error(localizableMessage);
        }
    }

    static {
        $assertionsDisabled = !PasswordPolicyState.class.desiredAssertionStatus();
        logger = LocalizedLogger.getLoggerForThisClass();
    }
}
