mirror of https://github.com/OpenIdentityPlatform/OpenDJ.git

Nicolas Capponi
04.53.2016 1596ccfcb23b1f5865560d9cb8e7ac79c3b30ddc
opendj-server-legacy/src/main/java/org/opends/guitools/controlpanel/util/Utilities.java
@@ -119,8 +119,10 @@
import org.opends.server.schema.SomeSchemaElement;
import org.opends.server.types.OpenDsException;
import org.opends.server.types.Schema;
import org.opends.server.util.SchemaUtils;
import org.opends.server.util.ServerConstants;
import org.opends.server.util.StaticUtils;
import org.opends.server.util.SchemaUtils.PasswordType;
/**
 * A static class that provides miscellaneous functions.
@@ -134,7 +136,6 @@
  private static final String HTML_SPACE = " ";
  private static final String[] attrsToObfuscate = { ServerConstants.ATTR_USER_PASSWORD };
  private static final String[] passwordSyntaxOIDs = { SchemaConstants.SYNTAX_USER_PASSWORD_OID };
  private static final String[] binarySyntaxOIDs = {
    SchemaConstants.SYNTAX_BINARY_OID,
    SchemaConstants.SYNTAX_JPEG_OID,
@@ -2126,7 +2127,17 @@
   */
  public static boolean hasPasswordSyntax(String attrName, Schema schema)
  {
    return hasAnySyntax(attrName, schema, passwordSyntaxOIDs);
    if (schema != null)
    {
      attrName = Utilities.getAttributeNameWithoutOptions(attrName).toLowerCase();
      if (schema.hasAttributeType(attrName))
      {
        AttributeType attr = schema.getAttributeType(attrName);
        PasswordType passwordType = SchemaUtils.checkPasswordType(attr);
        return passwordType.equals(PasswordType.USER_PASSWORD);
      }
    }
    return false;
  }
  private static boolean hasAnySyntax(String attrName, Schema schema, String[] oids)
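Review bot: In the new body of `hasPasswordSyntax`, `Utilities.getAttributeNameWithoutOptions(attrName).toLowerCase()` lower-cases with the JVM default locale, so under a locale with special casing rules (Turkish, for example) an attribute name containing `I` may not map to the key the schema lookup expects, and the method would then return false for a password attribute. `toLowerCase(Locale.ROOT)` avoids that, provided `java.util.Locale` is imported (the import block is only partly visible here). The method also returns true only for `PasswordType.USER_PASSWORD`, so an auth password attribute is reported as not being a password. If callers use this result to decide whether a value is masked in the control panel, that limitation belongs in the Javadoc, which starts outside the hunk.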
opendj-server-legacy/src/main/java/org/opends/server/core/PasswordPolicyFactory.java
@@ -18,7 +18,6 @@
import static org.opends.messages.ConfigMessages.*;
import static org.opends.messages.CoreMessages.*;
import static org.opends.server.schema.SchemaConstants.*;
import static org.opends.server.util.ServerConstants.*;
import static org.opends.server.util.StaticUtils.*;
@@ -39,6 +38,8 @@
import org.opends.server.api.*;
import org.forgerock.opendj.ldap.schema.AttributeType;
import org.opends.server.types.*;
import org.opends.server.util.SchemaUtils;
import org.opends.server.util.SchemaUtils.PasswordType;
/**
 * This class is the interface between the password policy configurable
@@ -199,15 +200,13 @@
      // Get the password attribute. If specified, it must have either the
      // user password or auth password syntax.
      final AttributeType passwordAttribute = configuration
          .getPasswordAttribute();
      final String syntaxOID = passwordAttribute.getSyntax().getOID();
      final boolean authPasswordSyntax;
      if (syntaxOID.equals(SYNTAX_AUTH_PASSWORD_OID))
      final AttributeType passwordAttribute = configuration.getPasswordAttribute();
      final PasswordType passwordType = SchemaUtils.checkPasswordType(passwordAttribute);
      if (passwordType.equals(PasswordType.AUTH_PASSWORD))
      {
        authPasswordSyntax = true;
      }
      else if (syntaxOID.equals(SYNTAX_USER_PASSWORD_OID))
      else if (passwordType.equals(PasswordType.USER_PASSWORD))
      {
        authPasswordSyntax = false;
      }
@@ -216,7 +215,7 @@
        String syntax = passwordAttribute.getSyntax().getName();
        if (syntax == null || syntax.length() == 0)
        {
          syntax = syntaxOID;
          syntax = passwordAttribute.getSyntax().getOID();
        }
        throw new ConfigException(ERR_PWPOLICY_INVALID_PASSWORD_ATTRIBUTE_SYNTAX.get(
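Review bot: The comment above the check still says the password attribute "must have either the user password or auth password syntax", but `SchemaUtils.checkPasswordType` (added in this commit) also returns `USER_PASSWORD` for any attribute type named `userPassword`, whatever its syntax, so the comment no longer states the rule that is enforced. I would reword it along the lines of `// The password attribute must be userPassword, or have the user password or auth password syntax.` Comparing the enum with `==`, or using a `switch` on `passwordType`, would read more directly than `passwordType.equals(...)`. Both remarks also apply to the `// Check the syntax.` block in SubentryPasswordPolicy.java and to the loop in PasswordPolicyImportPlugin.java. The enclosing method starts and ends outside these hunks.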
opendj-server-legacy/src/main/java/org/opends/server/core/PasswordPolicyState.java
@@ -2431,11 +2431,15 @@
      String syntaxOID = toLowerCase(histStr.substring(hashPos1+1, hashPos2));
      if (SYNTAX_AUTH_PASSWORD_OID.equals(syntaxOID))
      {
        return logResult("auth", encodedAuthPasswordMatches(password, histStr.substring(hashPos2+1)));
        boolean passwordMatches = encodedAuthPasswordMatches(password, histStr.substring(hashPos2+1));
        logResult("auth", passwordMatches);
        return passwordMatches;
      }
      else if (SYNTAX_USER_PASSWORD_OID.equals(syntaxOID))
      else if (SYNTAX_USER_PASSWORD_OID.equals(syntaxOID) || SYNTAX_OCTET_STRING_OID.equals(syntaxOID))
      {
        return logResult("user", encodedUserPasswordMatches(password, histStr.substring(hashPos2+1)));
        boolean passwordMatches = encodedUserPasswordMatches(password, histStr.substring(hashPos2+1));
        logResult("user", passwordMatches);
        return passwordMatches;
      }
      else
      {
@@ -2474,17 +2478,15 @@
    return scheme.passwordMatches(password, ByteString.valueOfUtf8(userPWComponents[1]));
  }
  private boolean logResult(String passwordType, boolean passwordMatches)
  private void logResult(String passwordType, boolean passwordMatches)
  {
    if (passwordMatches)
    {
      logger.trace("Returning true because the %s password history value matched.", passwordType);
      return true;
    }
    else
    {
      logger.trace("Returning false because the %s password history value did not match.", passwordType);
      return false;
    }
  }
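Review bot: The new `SYNTAX_OCTET_STRING_OID.equals(syntaxOID)` alternative in the user-password branch carries no comment explaining why a history value tagged with the octet string OID is verified as a user password. Going by SchemaConstants.java in this commit, `SYNTAX_USER_PASSWORD_OID` previously held the octet string value, so this looks like compatibility with history values that are already stored. A line such as `// History values written before the OID change carry the octet string syntax OID.` would keep a later cleanup from removing the alternative and, presumably, dropping those values from password reuse checks. `logResult` now only traces, so its if/else could become a single `logger.trace` call that takes the result as an argument. The enclosing method starts outside the hunk.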
opendj-server-legacy/src/main/java/org/opends/server/core/SubentryPasswordPolicy.java
@@ -18,7 +18,6 @@
import static org.opends.messages.ConfigMessages.*;
import static org.opends.messages.CoreMessages.*;
import static org.opends.server.schema.SchemaConstants.*;
import java.util.Collection;
import java.util.HashSet;
@@ -49,6 +48,8 @@
import org.opends.server.types.ObjectClass;
import org.opends.server.types.Operation;
import org.opends.server.types.SubEntry;
import org.opends.server.util.SchemaUtils;
import org.opends.server.util.SchemaUtils.PasswordType;
/**
 * This class represents subentry password policy based on Password Policy for
@@ -183,13 +184,12 @@
            ERR_PWPOLICY_UNDEFINED_PASSWORD_ATTRIBUTE.get(this.passwordPolicySubentryDN, value));
      }
      // Check the syntax.
      final String syntaxOID = pPasswordAttribute.getSyntax().getOID();
      if (SYNTAX_AUTH_PASSWORD_OID.equals(syntaxOID))
      final PasswordType passwordType = SchemaUtils.checkPasswordType(pPasswordAttribute);
      if (passwordType.equals(PasswordType.AUTH_PASSWORD))
      {
        pAuthPasswordSyntax = true;
      }
      else if (SYNTAX_USER_PASSWORD_OID.equals(syntaxOID))
      else if (passwordType.equals(PasswordType.USER_PASSWORD))
      {
        pAuthPasswordSyntax = false;
      }
@@ -198,7 +198,7 @@
        String syntax = pPasswordAttribute.getSyntax().getName();
        if (syntax == null || syntax.length() == 0)
        {
          syntax = syntaxOID;
          syntax = pPasswordAttribute.getSyntax().getOID();
        }
        LocalizableMessage message = ERR_PWPOLICY_INVALID_PASSWORD_ATTRIBUTE_SYNTAX.get(
opendj-server-legacy/src/main/java/org/opends/server/plugins/PasswordPolicyImportPlugin.java
@@ -19,7 +19,6 @@
import static org.opends.messages.PluginMessages.*;
import static org.opends.server.config.ConfigConstants.*;
import static org.opends.server.extensions.ExtensionsConstants.*;
import static org.opends.server.schema.SchemaConstants.*;
import static org.opends.server.util.StaticUtils.*;
import java.util.HashMap;
@@ -59,6 +58,8 @@
import org.opends.server.types.Entry;
import org.opends.server.types.LDIFImportConfig;
import org.opends.server.types.SubEntry;
import org.opends.server.util.SchemaUtils;
import org.opends.server.util.SchemaUtils.PasswordType;
/**
 * This class implements a Directory Server plugin that performs various
@@ -229,11 +230,12 @@
    HashSet<AttributeType> userPWTypes = new HashSet<>();
    for (AttributeType t : DirectoryServer.getAttributeTypes())
    {
      if (SYNTAX_AUTH_PASSWORD_OID.equals(t.getSyntax().getOID()))
      final PasswordType passwordType = SchemaUtils.checkPasswordType(t);
      if (passwordType.equals(PasswordType.AUTH_PASSWORD))
      {
        authPWTypes.add(t);
      }
      else if (SYNTAX_USER_PASSWORD_OID.equals(t.getSyntax().getOID()))
      else if (passwordType.equals(PasswordType.USER_PASSWORD))
      {
        userPWTypes.add(t);
      }
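Review bot: Routing this loop through `checkPasswordType` changes which attribute types land in `userPWTypes`. Going by SchemaConstants.java in this commit, the old `SYNTAX_USER_PASSWORD_OID` value was `1.3.6.1.4.1.1466.115.121.1.40`, so the old comparison selected every attribute type with that syntax OID, while the new one selects only the `userPassword` name or the new OpenDS-specific OID. A custom password attribute type defined with the old syntax OID would now be `NOT_A_PASSWORD` here. Assuming these sets decide which values the plugin encodes during LDIF import (that code is outside the hunk), its values could be imported without being hashed. This is worth a test with a custom password attribute type, or a note in the upgrade documentation.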
opendj-server-legacy/src/main/java/org/opends/server/schema/SchemaConstants.java
@@ -1894,7 +1894,7 @@
  /**
   * The OID for the user password attribute syntax.
   */
  public static final String SYNTAX_USER_PASSWORD_OID = "1.3.6.1.4.1.1466.115.121.1.40";
  public static final String SYNTAX_USER_PASSWORD_OID = OID_OPENDS_SERVER_ATTRIBUTE_SYNTAX_BASE + ".1";
opendj-server-legacy/src/main/java/org/opends/server/schema/UserPasswordEqualityMatchingRuleFactory.java
@@ -44,7 +44,7 @@
   matchingRule = new SchemaBuilder(CoreSchema.getInstance())
       .buildMatchingRule(EMR_USER_PASSWORD_OID)
         .names(EMR_USER_PASSWORD_NAME)
         .syntaxOID(SYNTAX_USER_PASSWORD_OID).description(EMR_USER_PASSWORD_DESCRIPTION)
         .syntaxOID(SYNTAX_OCTET_STRING_OID).description(EMR_USER_PASSWORD_DESCRIPTION)
         .implementation(new UserPasswordEqualityMatchingRule())
         .addToSchema()
       .toSchema().getMatchingRule(EMR_USER_PASSWORD_OID);
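--- /dev/null
+++ b/opendj-server-legacy/src/main/java/org/opends/server/util/SchemaUtils.java
@@ -0,0 +1,63 @@
+/*
+ * The contents of this file are subject to the terms of the Common Development and
+ * Distribution License (the License). You may not use this file except in compliance with the
+ * License.
+ *
+ * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+ * specific language governing permission and limitations under the License.
+ *
+ * When distributing Covered Software, include this CDDL Header Notice in each file and include
+ * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+ * Header, with the fields enclosed by brackets [] replaced by your own identifying
+ * information: "Portions Copyright [year] [name of copyright owner]".
+ *
+ * Copyright 2016 ForgeRock AS.
+ */
+package org.opends.server.util;
+import org.forgerock.opendj.ldap.schema.AttributeType;
+import static org.opends.server.schema.SchemaConstants.SYNTAX_AUTH_PASSWORD_OID;
+import static org.opends.server.schema.SchemaConstants.SYNTAX_USER_PASSWORD_OID;
+/** Utility methods related to schema. */
+public class SchemaUtils
+{
+  /** Private constructor to prevent instantiation. */
+  private SchemaUtils() {
+    // No implementation required.
+  }
+  /** Represents a password type, including a "not a password" value. */
+  public enum PasswordType
+  {
+    /** Auth Password. */
+    AUTH_PASSWORD,
+    /** User Password. */
+    USER_PASSWORD,
+    /** Not a password. */
+    NOT_A_PASSWORD
+  }
+  /**
+   * Checks if the provided attribute type contains a password.
+   *
+   * @param attrType
+   *            The attribute type to check.
+   * @return a PasswordTypeCheck result
+   */
+  public static PasswordType checkPasswordType(AttributeType attrType)
+  {
+    final String syntaxOID = attrType.getSyntax().getOID();
+    if (syntaxOID.equals(SYNTAX_AUTH_PASSWORD_OID))
+    {
+      return PasswordType.AUTH_PASSWORD;
+    }
+    else if (attrType.hasName("userPassword") || syntaxOID.equals(SYNTAX_USER_PASSWORD_OID))
+    {
+      return PasswordType.USER_PASSWORD;
+    }
+    return PasswordType.NOT_A_PASSWORD;
+  }
+}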
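Review bot: The Javadoc of `checkPasswordType` does not say that an attribute type named `userPassword` is classified as `USER_PASSWORD` regardless of its syntax, nor that the auth password syntax is tested first, and `@return a PasswordTypeCheck result` names a type that does not exist. Password policy, LDIF import and the control panel all take their decision from this method in this commit, so I would spell the rule out, e.g. `@return AUTH_PASSWORD for the auth password syntax, USER_PASSWORD for the userPassword attribute or the user password syntax, NOT_A_PASSWORD otherwise`, and add `@throws NullPointerException if attrType is null`. The literal `"userPassword"` could be replaced by the existing `ServerConstants.ATTR_USER_PASSWORD` if its value suits `hasName`, and the class can be declared `final` since it only holds static members.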