Revert to revision 8555 of this file.

Jean-Noel Rouvignac

06.54.2013 1f9d1fb1c32824d909519549ec18315396896504

Revert to revision 8555 of this file.

 opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendBindOperation.java

@@ -29,12 +29,11 @@



import java.util.Iterator;
import java.util.List;
import java.util.concurrent.locks.Lock;

import org.opends.messages.Message;
import org.opends.messages.MessageDescriptor.Arg1;
import org.opends.messages.MessageDescriptor.Arg2;
import org.opends.server.admin.std.meta.PasswordPolicyCfgDefn;
import org.opends.server.api.*;
import org.opends.server.api.plugin.PluginResult;
@@ -520,7 +519,8 @@
      if (userEntry == null)
      {
        throw new DirectoryException(ResultCode.INVALID_CREDENTIALS,
            ERR_BIND_OPERATION_UNKNOWN_USER.get());
                                     ERR_BIND_OPERATION_UNKNOWN_USER.get(
                                          String.valueOf(bindDN)));
      }
      else
      {
@@ -544,7 +544,7 @@
        if ((pwAttr == null) || (pwAttr.isEmpty()))
        {
          throw new DirectoryException(ResultCode.INVALID_CREDENTIALS,
              ERR_BIND_OPERATION_NO_PASSWORD.get());
              ERR_BIND_OPERATION_NO_PASSWORD.get(String.valueOf(bindDN)));
        }

        // Perform a number of password policy state checks for the user.
@@ -608,7 +608,36 @@

          if (policy.getLockoutFailureCount() > 0)
          {
            lockBindAccount(userEntry, pwPolicyState);
            pwPolicyState.updateAuthFailureTimes();
            if (pwPolicyState.lockedDueToFailures())
            {
              AccountStatusNotificationType notificationType;
              Message m;

              boolean tempLocked;
              int lockoutDuration = pwPolicyState.getSecondsUntilUnlock();
              if (lockoutDuration > -1)
              {
                notificationType =
                  AccountStatusNotificationType.ACCOUNT_TEMPORARILY_LOCKED;
                tempLocked = true;

                m = ERR_BIND_ACCOUNT_TEMPORARILY_LOCKED
                    .get(secondsToTimeString(lockoutDuration));
              }
              else
              {
                notificationType =
                  AccountStatusNotificationType.ACCOUNT_PERMANENTLY_LOCKED;
                tempLocked = false;

                m = ERR_BIND_ACCOUNT_PERMANENTLY_LOCKED.get();
              }

              pwPolicyState.generateAccountStatusNotification(notificationType,
                  userEntry, m, AccountStatusNotification.createProperties(
                      pwPolicyState, tempLocked, -1, null, null));
            }
          }
        }
      }
@@ -662,6 +691,7 @@
  }



  /**
   * Performs the processing necessary for an anonymous simple bind.
   *
@@ -841,7 +871,35 @@
          if (pwPolicyState.getAuthenticationPolicy()
              .getLockoutFailureCount() > 0)
          {
            lockBindAccount(saslAuthUserEntry, pwPolicyState);
            pwPolicyState.updateAuthFailureTimes();
            if (pwPolicyState.lockedDueToFailures())
            {
              AccountStatusNotificationType notificationType;
              boolean tempLocked;
              Message m;

              int lockoutDuration = pwPolicyState.getSecondsUntilUnlock();
              if (lockoutDuration > -1)
              {
                notificationType = AccountStatusNotificationType.
                                        ACCOUNT_TEMPORARILY_LOCKED;
                tempLocked = true;
                m = ERR_BIND_ACCOUNT_TEMPORARILY_LOCKED.get(
                         secondsToTimeString(lockoutDuration));
              }
              else
              {
                notificationType =
                     AccountStatusNotificationType.ACCOUNT_PERMANENTLY_LOCKED;
                tempLocked = false;
                m = ERR_BIND_ACCOUNT_PERMANENTLY_LOCKED.get();
              }

              pwPolicyState.generateAccountStatusNotification(
                   notificationType, saslAuthUserEntry, m,
                   AccountStatusNotification.createProperties(
                        pwPolicyState, tempLocked, -1, null, null));
            }
          }
        }
      }
@@ -852,41 +910,6 @@



  private void lockBindAccount(Entry userEntry,
      PasswordPolicyState pwPolicyState)
  {
    pwPolicyState.updateAuthFailureTimes();
    if (pwPolicyState.lockedDueToFailures())
    {
      AccountStatusNotificationType notificationType;
      boolean tempLocked;
      Message m;

      int lockoutDuration = pwPolicyState.getSecondsUntilUnlock();
      if (lockoutDuration > -1)
      {
        notificationType =
            AccountStatusNotificationType.ACCOUNT_TEMPORARILY_LOCKED;
        tempLocked = true;
        m =
            ERR_BIND_ACCOUNT_TEMPORARILY_LOCKED
                .get(secondsToTimeString(lockoutDuration));
      }
      else
      {
        notificationType =
            AccountStatusNotificationType.ACCOUNT_PERMANENTLY_LOCKED;
        tempLocked = false;
        m = ERR_BIND_ACCOUNT_PERMANENTLY_LOCKED.get();
      }

      pwPolicyState.generateAccountStatusNotification(notificationType,
          userEntry, m, AccountStatusNotification.createProperties(
              pwPolicyState, tempLocked, -1, null, null));
    }
  }


  private boolean invokePreOpPlugins()
  {
    executePostOpPlugins = true;
@@ -968,7 +991,8 @@
      else
      {
        throw new DirectoryException(ResultCode.INVALID_CREDENTIALS,
                       ERR_BIND_OPERATION_INSECURE_SIMPLE_BIND.get());
                       ERR_BIND_OPERATION_INSECURE_SIMPLE_BIND.get(
                            String.valueOf(userEntry.getDN())));
      }
    }

@@ -982,7 +1006,8 @@
    }
    else if (pwPolicyState.isAccountExpired())
    {
      Message m = ERR_BIND_OPERATION_ACCOUNT_EXPIRED.get();
      Message m = ERR_BIND_OPERATION_ACCOUNT_EXPIRED.get(
                       String.valueOf(userEntry.getDN()));
      pwPolicyState.generateAccountStatusNotification(
           AccountStatusNotificationType.ACCOUNT_EXPIRED, userEntry, m,
           AccountStatusNotification.createProperties(pwPolicyState,
@@ -998,16 +1023,19 @@
      }

      throw new DirectoryException(ResultCode.INVALID_CREDENTIALS,
                     ERR_BIND_OPERATION_ACCOUNT_FAILURE_LOCKED.get());
                     ERR_BIND_OPERATION_ACCOUNT_FAILURE_LOCKED.get(
                          String.valueOf(userEntry.getDN())));
    }
    else if (pwPolicyState.lockedDueToIdleInterval())
    {
      Message m = ERR_BIND_OPERATION_ACCOUNT_IDLE_LOCKED.get(
              String.valueOf(userEntry.getDN()));

      if (pwPolicyErrorType == null)
      {
        pwPolicyErrorType = PasswordPolicyErrorType.ACCOUNT_LOCKED;
      }

      Message m = ERR_BIND_OPERATION_ACCOUNT_IDLE_LOCKED.get();
      pwPolicyState.generateAccountStatusNotification(
           AccountStatusNotificationType.ACCOUNT_IDLE_LOCKED, userEntry, m,
           AccountStatusNotification.createProperties(pwPolicyState, false, -1,
@@ -1024,12 +1052,14 @@
      // Check to see if the account is locked due to the maximum reset age.
      if (pwPolicyState.lockedDueToMaximumResetAge())
      {
        Message m = ERR_BIND_OPERATION_ACCOUNT_RESET_LOCKED.get(
                         String.valueOf(userEntry.getDN()));

        if (pwPolicyErrorType == null)
        {
          pwPolicyErrorType = PasswordPolicyErrorType.ACCOUNT_LOCKED;
        }

        Message m = ERR_BIND_OPERATION_ACCOUNT_RESET_LOCKED.get();
        pwPolicyState.generateAccountStatusNotification(
             AccountStatusNotificationType.ACCOUNT_RESET_LOCKED, userEntry, m,
             AccountStatusNotification.createProperties(pwPolicyState, false,
@@ -1068,7 +1098,9 @@
          }
          else
          {
            Message m = ERR_BIND_OPERATION_PASSWORD_EXPIRED.get();
            Message m = ERR_BIND_OPERATION_PASSWORD_EXPIRED.get(
                             String.valueOf(userEntry.getDN()));

            pwPolicyState.generateAccountStatusNotification(
                 AccountStatusNotificationType.PASSWORD_EXPIRED, userEntry, m,
                 AccountStatusNotification.createProperties(pwPolicyState,
@@ -1080,7 +1112,9 @@
        }
        else
        {
          Message m = ERR_BIND_OPERATION_PASSWORD_EXPIRED.get();
          Message m = ERR_BIND_OPERATION_PASSWORD_EXPIRED.get(
                           String.valueOf(userEntry.getDN()));

          pwPolicyState.generateAccountStatusNotification(
               AccountStatusNotificationType.PASSWORD_EXPIRED, userEntry, m,
               AccountStatusNotification.createProperties(pwPolicyState, false,
@@ -1127,83 +1161,154 @@
  protected void setResourceLimits(Entry userEntry)
  {
    // See if the user's entry contains a custom size limit.
    Integer customSizeLimit =
        getIntegerUserAttribute(userEntry, OP_ATTR_USER_SIZE_LIMIT,
            WARN_BIND_MULTIPLE_USER_SIZE_LIMITS,
            WARN_BIND_CANNOT_PROCESS_USER_SIZE_LIMIT);
    if (customSizeLimit != null)
    {
      sizeLimit = customSizeLimit;
    }

    // See if the user's entry contains a custom time limit.
    Integer customTimeLimit =
        getIntegerUserAttribute(userEntry, OP_ATTR_USER_TIME_LIMIT,
            WARN_BIND_MULTIPLE_USER_TIME_LIMITS,
            WARN_BIND_CANNOT_PROCESS_USER_TIME_LIMIT);
    if (customTimeLimit != null)
    {
      timeLimit = customTimeLimit;
    }

    // See if the user's entry contains a custom idle time limit.
    // idleTimeLimit = 1000L * Long.parseLong(v.getValue().toString());
    Integer customIdleTimeLimitInSec =
        getIntegerUserAttribute(userEntry, OP_ATTR_USER_IDLE_TIME_LIMIT,
            WARN_BIND_MULTIPLE_USER_IDLE_TIME_LIMITS,
            WARN_BIND_CANNOT_PROCESS_USER_IDLE_TIME_LIMIT);
    if (customIdleTimeLimitInSec != null)
    {
      idleTimeLimit = 1000L * customIdleTimeLimitInSec;
    }

    // See if the user's entry contains a custom lookthrough limit.
    Integer customLookthroughLimit =
        getIntegerUserAttribute(userEntry, OP_ATTR_USER_LOOKTHROUGH_LIMIT,
            WARN_BIND_MULTIPLE_USER_LOOKTHROUGH_LIMITS,
            WARN_BIND_CANNOT_PROCESS_USER_LOOKTHROUGH_LIMIT);
    if (customLookthroughLimit != null)
    {
      lookthroughLimit = customLookthroughLimit;
    }
  }

  private Integer getIntegerUserAttribute(Entry userEntry,
      String attributeTypeName,
      Arg1<CharSequence> nonUniqueAttributeMessage,
      Arg2<CharSequence, CharSequence> cannotProcessAttributeMessage)
  {
    AttributeType attrType =
        DirectoryServer.getAttributeType(attributeTypeName, true);
         DirectoryServer.getAttributeType(OP_ATTR_USER_SIZE_LIMIT, true);
    List<Attribute> attrList = userEntry.getAttribute(attrType);
    if ((attrList != null) && (attrList.size() == 1))
    {
      Attribute a = attrList.get(0);
      if (a.size() == 1)
      Iterator<AttributeValue> iterator = a.iterator();
      if (iterator.hasNext())
      {
        AttributeValue v = a.iterator().next();
        try
        AttributeValue v = iterator.next();
        if (iterator.hasNext())
        {
          return Integer.valueOf(v.getValue().toString());
          logError(WARN_BIND_MULTIPLE_USER_SIZE_LIMITS.get(
                        String.valueOf(userEntry.getDN())));
        }
        catch (Exception e)
        else
        {
          if (debugEnabled())
          try
          {
            TRACER.debugCaught(DebugLogLevel.ERROR, e);
            sizeLimit = Integer.parseInt(v.getValue().toString());
          }
          catch (Exception e)
          {
            if (debugEnabled())
            {
              TRACER.debugCaught(DebugLogLevel.ERROR, e);
            }

          logError(cannotProcessAttributeMessage.get(v.getValue().toString(),
              String.valueOf(userEntry.getDN())));
            logError(WARN_BIND_CANNOT_PROCESS_USER_SIZE_LIMIT.get(
                          v.getValue().toString(),
                          String.valueOf(userEntry.getDN())));
          }
        }
      }
      else if (a.size() > 1)
      {
        logError(nonUniqueAttributeMessage.get(String
            .valueOf(userEntry.getDN())));
      }
    }
    return null;


    // See if the user's entry contains a custom time limit.
    attrType = DirectoryServer.getAttributeType(OP_ATTR_USER_TIME_LIMIT, true);
    attrList = userEntry.getAttribute(attrType);
    if ((attrList != null) && (attrList.size() == 1))
    {
      Attribute a = attrList.get(0);
      Iterator<AttributeValue> iterator = a.iterator();
      if (iterator.hasNext())
      {
        AttributeValue v = iterator.next();
        if (iterator.hasNext())
        {
          logError(WARN_BIND_MULTIPLE_USER_TIME_LIMITS.get(
                        String.valueOf(userEntry.getDN())));
        }
        else
        {
          try
          {
            timeLimit = Integer.parseInt(v.getValue().toString());
          }
          catch (Exception e)
          {
            if (debugEnabled())
            {
              TRACER.debugCaught(DebugLogLevel.ERROR, e);
            }

            logError(WARN_BIND_CANNOT_PROCESS_USER_TIME_LIMIT.get(
                          v.getValue().toString(),
                          String.valueOf(userEntry.getDN())));
          }
        }
      }
    }


    // See if the user's entry contains a custom idle time limit.
    attrType = DirectoryServer.getAttributeType(OP_ATTR_USER_IDLE_TIME_LIMIT,
                                                true);
    attrList = userEntry.getAttribute(attrType);
    if ((attrList != null) && (attrList.size() == 1))
    {
      Attribute a = attrList.get(0);
      Iterator<AttributeValue> iterator = a.iterator();
      if (iterator.hasNext())
      {
        AttributeValue v = iterator.next();
        if (iterator.hasNext())
        {
          logError(WARN_BIND_MULTIPLE_USER_IDLE_TIME_LIMITS.get(
                        String.valueOf(userEntry.getDN())));
        }
        else
        {
          try
          {
            idleTimeLimit = 1000L * Long.parseLong(v.getValue().toString());
          }
          catch (Exception e)
          {
            if (debugEnabled())
            {
              TRACER.debugCaught(DebugLogLevel.ERROR, e);
            }

            logError(WARN_BIND_CANNOT_PROCESS_USER_IDLE_TIME_LIMIT.get(
                          v.getValue().toString(),
                          String.valueOf(userEntry.getDN())));
          }
        }
      }
    }


    // See if the user's entry contains a custom lookthrough limit.
    attrType = DirectoryServer.getAttributeType(OP_ATTR_USER_LOOKTHROUGH_LIMIT,
                                                true);
    attrList = userEntry.getAttribute(attrType);
    if ((attrList != null) && (attrList.size() == 1))
    {
      Attribute a = attrList.get(0);
      Iterator<AttributeValue> iterator = a.iterator();
      if (iterator.hasNext())
      {
        AttributeValue v = iterator.next();
        if (iterator.hasNext())
        {
          logError(WARN_BIND_MULTIPLE_USER_LOOKTHROUGH_LIMITS.get(
                        String.valueOf(userEntry.getDN())));
        }
        else
        {
          try
          {
            lookthroughLimit = Integer.parseInt(v.getValue().toString());
          }
          catch (Exception e)
          {
            if (debugEnabled())
            {
              TRACER.debugCaught(DebugLogLevel.ERROR, e);
            }

            logError(WARN_BIND_CANNOT_PROCESS_USER_LOOKTHROUGH_LIMIT.get(
                          v.getValue().toString(),
                          String.valueOf(userEntry.getDN())));
          }
        }
      }
    }
  }
}