Prep work for OPENDJ-3424 Replace RemoteConnection by SDK's Connection

Jean-Noël Rouvignac

15.34.2016 fc70f16d1ddd336812a78b4eaf873346c84aef1b

Prep work for OPENDJ-3424 Replace RemoteConnection by SDK's Connection

 opendj-server-legacy/src/test/java/org/opends/server/api/PasswordValidatorTestCase.java

@@ -19,26 +19,24 @@
import static org.forgerock.opendj.ldap.ModificationType.*;
import static org.forgerock.opendj.ldap.requests.Requests.*;
import static org.opends.server.TestCaseUtils.*;
import static org.opends.server.types.NullOutputStream.nullPrintStream;
import static org.testng.Assert.*;

import java.util.Set;

import org.forgerock.opendj.ldap.ByteString;
import org.forgerock.opendj.ldap.ResultCode;
import org.forgerock.opendj.ldap.Connection;
import org.forgerock.opendj.ldap.ConstraintViolationException;
import org.forgerock.opendj.ldap.LDAPConnectionFactory;
import org.opends.server.TestCaseUtils;
import org.opends.server.extensions.TestPasswordValidator;
import org.opends.server.protocols.ldap.LDAPMessage;
import org.opends.server.protocols.ldap.ModifyResponseProtocolOp;
import com.forgerock.opendj.ldap.tools.LDAPPasswordModify;
import org.opends.server.tools.RemoteConnection;
import org.opends.server.types.NullOutputStream;
import org.testng.annotations.AfterClass;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.Test;

/**
 * A set of generic test cases for password validators.
 */
import com.forgerock.opendj.ldap.tools.LDAPPasswordModify;

/** A set of generic test cases for password validators. */
public class PasswordValidatorTestCase
       extends APITestCase
{
@@ -48,25 +46,18 @@
   * @throws  Exception  If an unexpected problem occurs.
   */
  @BeforeClass
  public void startServer()
         throws Exception
  public void startServer() throws Exception
  {
    TestCaseUtils.restartServer();
    restartServer();
  }



  /**
   * Drops static references to allow garbage collection.
   */
  /** Drops static references to allow garbage collection. */
  @AfterClass
  public void shutdown()
  {
    TestPasswordValidator.clearInstanceAfterTests();
  }



  /**
   * Gets simple test coverage for the default
   * PasswordValidator.finalizePasswordValidator method.
@@ -77,8 +68,6 @@
    TestPasswordValidator.getInstance().finalizePasswordValidator();
  }



  /**
   * Performs a test to ensure that the password validation will be successful
   * under the base conditions for the password modify extended operation.
@@ -116,7 +105,7 @@
      "-c", "password",
      "-n", "newPassword"
    };
    assertEquals(LDAPPasswordModify.run(nullPrintStream(), nullPrintStream(), args), 0);
    assertEquals(runLDAPPasswordModify(args), 0);

    assertEquals(TestPasswordValidator.getLastNewPassword(),
                 ByteString.valueOfUtf8("newPassword"));
@@ -165,8 +154,7 @@
      "-n", "newPassword"
    };

    int returnCode = LDAPPasswordModify.run(nullPrintStream(), nullPrintStream(), args);
    assertNotEquals(returnCode, 0);
    assertNotEquals(runLDAPPasswordModify(args), 0);

    assertEquals(TestPasswordValidator.getLastNewPassword(),
                 ByteString.valueOfUtf8("newPassword"));
@@ -175,7 +163,10 @@
    TestPasswordValidator.setNextReturnValue(true);
  }


  private int runLDAPPasswordModify(String[] args)
  {
    return LDAPPasswordModify.run(NullOutputStream.nullPrintStream(), NullOutputStream.nullPrintStream(), args);
  }

  /**
   * Performs a test to make sure that the clear-text password will not be
@@ -213,7 +204,7 @@
      "-w", "password",
      "-n", "newPassword"
    };
    assertEquals(LDAPPasswordModify.run(nullPrintStream(), nullPrintStream(), args), 0);
    assertEquals(runLDAPPasswordModify(args), 0);

    Set<ByteString> currentPasswords =
         TestPasswordValidator.getLastCurrentPasswords();
@@ -260,7 +251,7 @@
      "-c", "password",
      "-n", "newPassword"
    };
    assertEquals(LDAPPasswordModify.run(nullPrintStream(), nullPrintStream(), args), 0);
    assertEquals(runLDAPPasswordModify(args), 0);

    Set<ByteString> currentPasswords =
         TestPasswordValidator.getLastCurrentPasswords();
@@ -270,8 +261,6 @@
                 ByteString.valueOfUtf8("password"));
  }



  /**
   * Performs a test to make sure that the clear-text password will be provided
   * if the user has a reversible scheme and does not provide the current
@@ -311,7 +300,7 @@
      "-w", "password",
      "-n", "newPassword"
    };
    assertEquals(LDAPPasswordModify.run(nullPrintStream(), nullPrintStream(), args), 0);
    assertEquals(runLDAPPasswordModify(args), 0);

    Set<ByteString> currentPasswords =
         TestPasswordValidator.getLastCurrentPasswords();
@@ -363,7 +352,7 @@
      "-c", "password",
      "-n", "newPassword"
    };
    assertEquals(LDAPPasswordModify.run(nullPrintStream(), nullPrintStream(), args), 0);
    assertEquals(runLDAPPasswordModify(args), 0);

    Set<ByteString> currentPasswords =
         TestPasswordValidator.getLastCurrentPasswords();
@@ -402,9 +391,10 @@
         "ds-privilege-name: bypass-acl",
         "userPassword: password");

    try (RemoteConnection conn = new RemoteConnection("localhost", TestCaseUtils.getServerLdapPort()))
    try (LDAPConnectionFactory factory = new LDAPConnectionFactory("localhost", getServerLdapPort());
        Connection conn = factory.getConnection())
    {
      conn.bind("uid=test.user,o=test", "password");
      conn.bind("uid=test.user,o=test", "password".toCharArray());
      conn.modify(newModifyRequest("uid=test.user,o=test")
          .addModification(REPLACE, "userPassword", "newPassword"));

@@ -443,17 +433,24 @@
         "userPassword: password");


    try (RemoteConnection conn = new RemoteConnection("localhost", TestCaseUtils.getServerLdapPort()))
    try (LDAPConnectionFactory factory = new LDAPConnectionFactory("localhost", getServerLdapPort());
        Connection conn = factory.getConnection())
    {
      conn.bind("uid=test.user,o=test", "password");
      conn.bind("uid=test.user,o=test", "password".toCharArray());

      TestPasswordValidator.setNextReturnValue(false);
      LDAPMessage message = conn.modify(
          newModifyRequest("uid=test.user,o=test")
          .addModification(REPLACE, "userPassword", "newPassword"),
          false);
      ModifyResponseProtocolOp modifyResponse = message.getModifyResponseProtocolOp();
      assertNotEquals(modifyResponse.getResultCode(), ResultCode.SUCCESS.intValue());
      try
      {
        conn.modify(
            newModifyRequest("uid=test.user,o=test")
                .addModification(REPLACE, "userPassword", "newPassword"));
        fail("Expected ConstraintViolationException");
      }
      catch (ConstraintViolationException expected) {}
    }
    finally
    {
      TestPasswordValidator.setNextReturnValue(true);
    }


@@ -461,7 +458,6 @@
                 ByteString.valueOfUtf8("newPassword"));
    assertTrue(TestPasswordValidator.getLastCurrentPasswords().isEmpty());

    TestPasswordValidator.setNextReturnValue(true);
  }


@@ -494,9 +490,10 @@
         "ds-privilege-name: bypass-acl",
         "userPassword: password");

    try (RemoteConnection conn = new RemoteConnection("localhost", TestCaseUtils.getServerLdapPort()))
    try (LDAPConnectionFactory factory = new LDAPConnectionFactory("localhost", getServerLdapPort());
        Connection conn = factory.getConnection())
    {
      conn.bind("uid=test.user,o=test", "password");
      conn.bind("uid=test.user,o=test", "password".toCharArray());

      conn.modify(
          newModifyRequest("uid=test.user,o=test")
@@ -544,9 +541,10 @@
         "ds-pwp-password-policy-dn: cn=Clear UserPassword Policy," +
              "cn=Password Policies,cn=config");

    try (RemoteConnection conn = new RemoteConnection("localhost", TestCaseUtils.getServerLdapPort()))
    try (LDAPConnectionFactory factory = new LDAPConnectionFactory("localhost", getServerLdapPort());
        Connection conn = factory.getConnection())
    {
      conn.bind("uid=test.user,o=test", "password");
      conn.bind("uid=test.user,o=test", "password".toCharArray());

      conn.modify(
          newModifyRequest("uid=test.user,o=test")
@@ -594,9 +592,10 @@
              "cn=Password Policies,cn=config");


    try (RemoteConnection conn = new RemoteConnection("localhost", TestCaseUtils.getServerLdapPort()))
    try (LDAPConnectionFactory factory = new LDAPConnectionFactory("localhost", getServerLdapPort());
        Connection conn = factory.getConnection())
    {
      conn.bind("uid=test.user,o=test", "password");
      conn.bind("uid=test.user,o=test", "password".toCharArray());

      conn.modify(
          newModifyRequest("uid=test.user,o=test")

 opendj-server-legacy/src/test/java/org/opends/server/controls/PasswordPolicyControlTestCase.java

@@ -18,7 +18,12 @@

import java.util.List;

import org.forgerock.opendj.ldap.Connection;
import org.forgerock.opendj.ldap.LDAPConnectionFactory;
import org.forgerock.opendj.ldap.LdapException;
import org.forgerock.opendj.ldap.ResultCode;
import org.forgerock.opendj.ldap.SearchScope;
import org.forgerock.opendj.ldap.controls.Control;
import org.forgerock.opendj.ldap.controls.PasswordPolicyRequestControl;
import org.forgerock.opendj.ldap.controls.ProxiedAuthV2RequestControl;
import org.forgerock.opendj.ldap.requests.AddRequest;
@@ -26,27 +31,21 @@
import org.forgerock.opendj.ldap.requests.DeleteRequest;
import org.forgerock.opendj.ldap.requests.ModifyDNRequest;
import org.forgerock.opendj.ldap.requests.ModifyRequest;
import org.forgerock.opendj.ldap.requests.Requests;
import org.forgerock.opendj.ldap.requests.SearchRequest;
import org.forgerock.opendj.ldap.requests.SimpleBindRequest;
import org.forgerock.opendj.ldap.responses.Result;
import org.forgerock.opendj.ldif.ConnectionEntryReader;
import org.opends.server.TestCaseUtils;
import org.opends.server.protocols.ldap.AddResponseProtocolOp;
import org.opends.server.protocols.ldap.CompareResponseProtocolOp;
import org.opends.server.protocols.ldap.DeleteResponseProtocolOp;
import org.opends.server.protocols.ldap.LDAPControl;
import org.opends.server.protocols.ldap.LDAPMessage;
import org.opends.server.protocols.ldap.LDAPResultCode;
import org.opends.server.protocols.ldap.ModifyDNResponseProtocolOp;
import org.opends.server.protocols.ldap.ModifyResponseProtocolOp;
import org.opends.server.protocols.ldap.SearchResultDoneProtocolOp;
import org.opends.server.tools.RemoteConnection;
import org.opends.server.types.Control;
import org.opends.server.types.DirectoryException;
import org.testng.Assert;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.DataProvider;
import org.testng.annotations.Test;

import static org.assertj.core.api.Assertions.*;
import static org.forgerock.opendj.ldap.ModificationType.*;
import static org.forgerock.opendj.ldap.ResultCode.*;
import static org.forgerock.opendj.ldap.requests.Requests.*;
import static org.opends.server.TestCaseUtils.*;
import static org.opends.server.controls.PasswordPolicyErrorType.*;
@@ -104,22 +103,21 @@
        "userPassword: password",
        "ds-privilege-name: bypass-acl");

    try (RemoteConnection conn = new RemoteConnection("localhost", TestCaseUtils.getServerLdapPort()))
    try (LDAPConnectionFactory factory = new LDAPConnectionFactory("localhost", getServerLdapPort());
        Connection conn = factory.getConnection())
    {
      SimpleBindRequest bindRequest = newSimpleBindRequest("uid=test.user,o=test", "password".toCharArray())
          .addControl(newPasswordPolicyControl());
      LDAPMessage bindMessage = conn.bind(bindRequest, false);
      assertTrue(passwordPolicyControlExists(bindMessage.getControls(), CHANGE_AFTER_RESET));
      Result result = conn.bind(bindRequest);
      assertTrue(passwordPolicyControlExists(result.getControls(), CHANGE_AFTER_RESET));

      AddRequest addRequest = newAddRequest("ou=People,o=test")
          .addAttribute("objectClass", "organizationalUnit")
          .addAttribute("ou", "People")
          .addControl(newPasswordPolicyControl());
      LDAPMessage message = conn.add(addRequest, false);

      AddResponseProtocolOp addResponse = message.getAddResponseProtocolOp();
      assertNotEquals(addResponse.getResultCode(), LDAPResultCode.SUCCESS);
      assertTrue(passwordPolicyControlExists(message.getControls(), CHANGE_AFTER_RESET));
      result = addFails(conn, addRequest);
      assertNotEquals(result.getResultCode(), ResultCode.SUCCESS);
      assertTrue(passwordPolicyControlExists(result.getControls(), CHANGE_AFTER_RESET));
    }
    finally
    {
@@ -139,9 +137,11 @@
  {
    TestCaseUtils.initializeTestBackend(true);

    try (RemoteConnection c = new RemoteConnection("localhost", TestCaseUtils.getServerLdapPort()))
    try (LDAPConnectionFactory factory = new LDAPConnectionFactory("localhost", getServerLdapPort());
        Connection c = factory.getConnection())
    {
      c.bind("cn=Directory Manager", "password", newPasswordPolicyControl());
      c.bind(Requests.newSimpleBindRequest("cn=Directory Manager", "password".toCharArray())
                     .addControl(newPasswordPolicyControl()));

      AddRequest addRequest = newAddRequest("ou=uid=test.user,o=test")
          .addAttribute("objectClass", "inetOrgPerson")
@@ -151,10 +151,9 @@
          .addAttribute("cn", "Test User")
          .addAttribute("userPassword", "{SSHA}0pZPpMIm6xSBIW4hGvR/72fjO4M9p3Ff1g7QFw==")
          .addControl(newPasswordPolicyControl());
      LDAPMessage message = c.add(addRequest, false);
      AddResponseProtocolOp addResponse = message.getAddResponseProtocolOp();
      assertNotEquals(addResponse.getResultCode(), LDAPResultCode.SUCCESS);
      assertTrue(passwordPolicyControlExists(message.getControls(), INSUFFICIENT_PASSWORD_QUALITY));
      Result result = addFails(c, addRequest);
      assertNotEquals(result.getResultCode(), ResultCode.SUCCESS);
      assertTrue(passwordPolicyControlExists(result.getControls(), INSUFFICIENT_PASSWORD_QUALITY));
    }
  }

@@ -167,15 +166,8 @@
    {
      if (c.getOID().equals(OID_PASSWORD_POLICY_CONTROL))
      {
        PasswordPolicyResponseControl pwpControl;
        if(c instanceof LDAPControl)
        {
          pwpControl = PasswordPolicyResponseControl.DECODER.decode(c.isCritical(), ((LDAPControl) c).getValue());
        }
        else
        {
          pwpControl = (PasswordPolicyResponseControl)c;
        }
        PasswordPolicyResponseControl pwpControl =
            PasswordPolicyResponseControl.DECODER.decode(c.isCritical(), c.getValue());
        assertEquals(pwpControl.getErrorType(), expectedErrorType);
        return true;
      }
@@ -198,9 +190,11 @@

    setPasswordPolicyProp("--add", "password-validator:Length-Based Password Validator");

    try (RemoteConnection c = new RemoteConnection("localhost", TestCaseUtils.getServerLdapPort()))
    try (LDAPConnectionFactory factory = new LDAPConnectionFactory("localhost", getServerLdapPort());
        Connection c = factory.getConnection())
    {
      c.bind("cn=Directory Manager", "password", newPasswordPolicyControl());
      c.bind(Requests.newSimpleBindRequest("cn=Directory Manager", "password".toCharArray())
                     .addControl(newPasswordPolicyControl()));

      AddRequest addRequest = newAddRequest("ou=uid=test.user,o=test")
          .addAttribute("objectClass", "inetOrgPerson")
@@ -210,10 +204,9 @@
          .addAttribute("cn", "Test User")
          .addAttribute("userPassword", "short")
          .addControl(newPasswordPolicyControl());
      LDAPMessage message = c.add(addRequest, false);
      AddResponseProtocolOp addResponse = message.getAddResponseProtocolOp();
      assertNotEquals(addResponse.getResultCode(), LDAPResultCode.SUCCESS);
      assertTrue(passwordPolicyControlExists(message.getControls(), INSUFFICIENT_PASSWORD_QUALITY));
      Result result = addFails(c, addRequest);
      assertNotEquals(result.getResultCode(), ResultCode.SUCCESS);
      assertTrue(passwordPolicyControlExists(result.getControls(), INSUFFICIENT_PASSWORD_QUALITY));
    }
    finally
    {
@@ -221,7 +214,19 @@
    }
  }


  private Result addFails(Connection conn, AddRequest addRequest)
  {
    try
    {
      conn.add(addRequest);
      Assert.fail("LdapException expected");
      return null;
    }
    catch (LdapException expected)
    {
      return expected.getResult();
    }
  }

  /**
   * Tests that an appropriate password policy response control is returned for
@@ -251,24 +256,25 @@
        "userPassword: password",
        "ds-privilege-name: bypass-acl");

    try (RemoteConnection c = new RemoteConnection("localhost", TestCaseUtils.getServerLdapPort()))
    try (LDAPConnectionFactory factory = new LDAPConnectionFactory("localhost", getServerLdapPort());
        Connection c = factory.getConnection())
    {
      for (int i=1; i <= 3; i++)
      {
        SimpleBindRequest request =
            newSimpleBindRequest("uid=test.user,o=test", "wrong".getBytes())
            .addControl(newPasswordPolicyControl());
        LDAPMessage message = c.bind(request, false);
        assertNotEquals(message.getBindResponseProtocolOp().getResultCode(), LDAPResultCode.SUCCESS);
        Result result = bindFails(c, request);
        assertNotEquals(result.getResultCode(), ResultCode.SUCCESS);
      }

      SimpleBindRequest request =
          newSimpleBindRequest("uid=test.user,o=test", "password".getBytes())
          .addControl(newPasswordPolicyControl());

      LDAPMessage message = c.bind(request, false);
      assertNotEquals(message.getBindResponseProtocolOp().getResultCode(), LDAPResultCode.SUCCESS);
      assertTrue(passwordPolicyControlExists(message.getControls(), ACCOUNT_LOCKED));
      Result result = bindFails(c, request);
      assertNotEquals(result.getResultCode(), ResultCode.SUCCESS);
      assertTrue(passwordPolicyControlExists(result.getControls(), ACCOUNT_LOCKED));
    }
    finally
    {
@@ -276,6 +282,19 @@
    }
  }

  private Result bindFails(Connection c, SimpleBindRequest request)
  {
    try
    {
      c.bind(request);
      Assert.fail("LdapException expected");
      return null;
    }
    catch (LdapException expected)
    {
      return expected.getResult();
    }
  }

  /**
   * Tests that an appropriate password policy response control is returned for
@@ -304,16 +323,24 @@
        "userPassword: password",
        "ds-privilege-name: bypass-acl");

    try (RemoteConnection c = new RemoteConnection("localhost", TestCaseUtils.getServerLdapPort()))
    try (LDAPConnectionFactory factory = new LDAPConnectionFactory("localhost", getServerLdapPort());
        Connection c = factory.getConnection())
    {
      c.bind("uid=test.user,o=test", "password");
      c.bind("uid=test.user,o=test", "password".toCharArray());

      CompareRequest request = newCompareRequest("o=test", "o", "test").addControl(newPasswordPolicyControl());
      LDAPMessage message = c.compare(request, false);
      CompareResponseProtocolOp compareResponse = message.getCompareResponseProtocolOp();
      assertNotEquals(compareResponse.getResultCode(), LDAPResultCode.SUCCESS);

      assertTrue(passwordPolicyControlExists(message.getControls(), CHANGE_AFTER_RESET));
      Result result;
      try
      {
        result = c.compare(request);
        Assert.fail("LdapException expected");
      }
      catch (LdapException expected)
      {
        result = expected.getResult();
      }
      assertNotEquals(result.getResultCode(), ResultCode.SUCCESS);
      assertTrue(passwordPolicyControlExists(result.getControls(), CHANGE_AFTER_RESET));
    }
    finally
    {
@@ -326,8 +353,6 @@
    return PasswordPolicyRequestControl.newControl(true);
  }



  /**
   * Tests that an appropriate password policy response control is returned for
   * a delete operation when the user's password is in a "must change" state.
@@ -360,16 +385,25 @@
        "objectClass: organizationalUnit",
        "ou: People");

    try (RemoteConnection c = new RemoteConnection("localhost", TestCaseUtils.getServerLdapPort()))
    try (LDAPConnectionFactory factory = new LDAPConnectionFactory("localhost", getServerLdapPort());
        Connection c = factory.getConnection())
    {
      c.bind("uid=test.user,o=test", "password");
      c.bind("uid=test.user,o=test", "password".toCharArray());

      DeleteRequest deleteRequest = newDeleteRequest("ou=People,o=test").addControl(newPasswordPolicyControl());
      LDAPMessage message = c.delete(deleteRequest, false);
      DeleteResponseProtocolOp deleteResponse = message.getDeleteResponseProtocolOp();
      assertNotEquals(deleteResponse.getResultCode(), LDAPResultCode.SUCCESS);
      Result result;
      try
      {
        result = c.delete(deleteRequest);
        Assert.fail("LdapException expected");
      }
      catch (LdapException expected)
      {
        result = expected.getResult();
      }

      assertTrue(passwordPolicyControlExists(message.getControls(), CHANGE_AFTER_RESET));
      assertNotEquals(result.getResultCode(), ResultCode.SUCCESS);
      assertTrue(passwordPolicyControlExists(result.getControls(), CHANGE_AFTER_RESET));
    }
    finally
    {
@@ -453,51 +487,26 @@
        "userPassword: password",
        "ds-privilege-name: bypass-acl");

    try (RemoteConnection conn = new RemoteConnection("localhost", TestCaseUtils.getServerLdapPort()))
    try (LDAPConnectionFactory factory = new LDAPConnectionFactory("localhost", getServerLdapPort());
        Connection conn = factory.getConnection())
    {
      conn.bind(userDN, "password");
      conn.bind(userDN, "password".toCharArray());

      ModifyRequest modifyRequest =
          newModifyRequest(entryDN).addModification(REPLACE, "description", "foo")
          .addControl(newPasswordPolicyControl());
      LDAPMessage message = conn.modify(modifyRequest, false);
      ModifyResponseProtocolOp modifyResponse = message.getModifyResponseProtocolOp();
      if (changeAfterReset)
      Result result;
      try
      {
        assertEquals(modifyResponse.getResultCode(), LDAPResultCode.CONSTRAINT_VIOLATION);
        result = conn.modify(modifyRequest);
      }
      else
      catch (LdapException expected)
      {
        assertEquals(modifyResponse.getResultCode(), LDAPResultCode.SUCCESS);
        result = expected.getResult();
      }

      List<Control> controls = message.getControls();
      assertThat(controls).isNotEmpty();

      boolean found = false;
      for(Control c : controls)
      {
        if (c.getOID().equals(OID_PASSWORD_POLICY_CONTROL))
        {
          PasswordPolicyResponseControl pwpControl;
          if(c instanceof LDAPControl)
          {
            pwpControl =
                PasswordPolicyResponseControl.DECODER.decode(c.isCritical(), ((LDAPControl)c).getValue());
          }
          else
          {
            pwpControl = (PasswordPolicyResponseControl)c;
          }
          if (changeAfterReset) {
            assertEquals(pwpControl.getErrorType(), CHANGE_AFTER_RESET);
          } else {
            assertNull(pwpControl.getErrorType());
          }
          found = true;
        }
      }
      assertTrue(found);
      assertEquals(result.getResultCode(), changeAfterReset ? CONSTRAINT_VIOLATION : SUCCESS);
      PasswordPolicyErrorType expectedErrorType = changeAfterReset ? CHANGE_AFTER_RESET : null;
      assertTrue(passwordPolicyControlExists(result.getControls(), expectedErrorType));
    }
    finally
    {
@@ -567,19 +576,18 @@
        "userPassword: password",
        "ds-privilege-name: bypass-acl");

    try (RemoteConnection conn = new RemoteConnection("localhost", TestCaseUtils.getServerLdapPort()))
    try (LDAPConnectionFactory factory = new LDAPConnectionFactory("localhost", getServerLdapPort());
        Connection conn = factory.getConnection())
    {
      conn.bind(userDN, "password");
      conn.bind(userDN, "password".toCharArray());

      ModifyRequest modifyRequest = newModifyRequest(entryDN)
          .addModification(REPLACE, "description", "foo")
          .addControl(newPasswordPolicyControl())
          .addControl(ProxiedAuthV2RequestControl.newControl("dn:" + authzDN));
      LDAPMessage message = conn.modify(modifyRequest, false);
      ModifyResponseProtocolOp modifyResponse = message.getModifyResponseProtocolOp();
      assertEquals(modifyResponse.getResultCode(), LDAPResultCode.CONSTRAINT_VIOLATION);

      assertTrue(passwordPolicyControlExists(message.getControls(), CHANGE_AFTER_RESET));
      Result result = modifyFails(conn, modifyRequest);
      assertEquals(result.getResultCode(), ResultCode.CONSTRAINT_VIOLATION);
      assertTrue(passwordPolicyControlExists(result.getControls(), CHANGE_AFTER_RESET));
    }
    finally
    {
@@ -587,7 +595,19 @@
    }
  }


  private Result modifyFails(Connection conn, ModifyRequest modifyRequest)
  {
    try
    {
      conn.modify(modifyRequest);
      Assert.fail("LdapException expected");
      return null;
    }
    catch (LdapException expected)
    {
      return expected.getResult();
    }
  }

  /**
   * Tests that an appropriate password policy response control is returned for
@@ -617,18 +637,17 @@
        "userPassword: password",
        "ds-privilege-name: bypass-acl");

    try (RemoteConnection conn = new RemoteConnection("localhost", TestCaseUtils.getServerLdapPort()))
    try (LDAPConnectionFactory factory = new LDAPConnectionFactory("localhost", getServerLdapPort());
        Connection conn = factory.getConnection())
    {
      conn.bind("uid=test.user,o=test", "password");
      conn.bind("uid=test.user,o=test", "password".toCharArray());

      ModifyRequest modifyRequest = newModifyRequest("uid=test.user,o=test")
          .addModification(REPLACE, "userPassword", "newpassword")
          .addControl(newPasswordPolicyControl());
      LDAPMessage message = conn.modify(modifyRequest, false);
      ModifyResponseProtocolOp modifyResponse = message.getModifyResponseProtocolOp();
      assertNotEquals(modifyResponse.getResultCode(), LDAPResultCode.SUCCESS);

      assertTrue(passwordPolicyControlExists(message.getControls(), PASSWORD_MOD_NOT_ALLOWED));
      Result result = modifyFails(conn, modifyRequest);
      assertNotEquals(result.getResultCode(), ResultCode.SUCCESS);
      assertTrue(passwordPolicyControlExists(result.getControls(), PASSWORD_MOD_NOT_ALLOWED));
    }
    finally
    {
@@ -664,18 +683,18 @@
        "userPassword: password",
        "ds-privilege-name: bypass-acl");

    try (RemoteConnection conn = new RemoteConnection("localhost", TestCaseUtils.getServerLdapPort()))
    try (LDAPConnectionFactory factory = new LDAPConnectionFactory("localhost", getServerLdapPort());
        Connection conn = factory.getConnection())
    {
      conn.bind("uid=test.user,o=test", "password");
      conn.bind("uid=test.user,o=test", "password".toCharArray());

      ModifyRequest modifyRequest = newModifyRequest("uid=test.user,o=test")
          .addModification(REPLACE, "userPassword", "password")
          .addControl(newPasswordPolicyControl());
      LDAPMessage message = conn.modify(modifyRequest, false);
      ModifyResponseProtocolOp modifyResponse = message.getModifyResponseProtocolOp();
      assertNotEquals(modifyResponse.getResultCode(), LDAPResultCode.SUCCESS);
      Result result = modifyFails(conn, modifyRequest);

      assertTrue(passwordPolicyControlExists(message.getControls(), PASSWORD_IN_HISTORY));
      assertNotEquals(result.getResultCode(), ResultCode.SUCCESS);
      assertTrue(passwordPolicyControlExists(result.getControls(), PASSWORD_IN_HISTORY));
    }
    finally
    {
@@ -713,18 +732,17 @@
        "userPassword: password",
        "ds-privilege-name: bypass-acl");

    try (RemoteConnection conn = new RemoteConnection("localhost", TestCaseUtils.getServerLdapPort()))
    try (LDAPConnectionFactory factory = new LDAPConnectionFactory("localhost", getServerLdapPort());
        Connection conn = factory.getConnection())
    {
      conn.bind("uid=test.user,o=test", "password");
      conn.bind("uid=test.user,o=test", "password".toCharArray());

      ModifyRequest modifyRequest = newModifyRequest("uid=test.user,o=test")
          .addModification(REPLACE, "userPassword", "newpassword")
          .addControl(newPasswordPolicyControl());
      LDAPMessage message = conn.modify(modifyRequest, false);
      ModifyResponseProtocolOp modifyResponse = message.getModifyResponseProtocolOp();
      assertNotEquals(modifyResponse.getResultCode(), LDAPResultCode.SUCCESS);

      assertTrue(passwordPolicyControlExists(message.getControls(), MUST_SUPPLY_OLD_PASSWORD));
      Result result = modifyFails(conn, modifyRequest);
      assertNotEquals(result.getResultCode(), ResultCode.SUCCESS);
      assertTrue(passwordPolicyControlExists(result.getControls(), MUST_SUPPLY_OLD_PASSWORD));
    }
    finally
    {
@@ -762,18 +780,17 @@
        "userPassword: password",
        "ds-privilege-name: bypass-acl");

    try (RemoteConnection conn = new RemoteConnection("localhost", TestCaseUtils.getServerLdapPort()))
    try (LDAPConnectionFactory factory = new LDAPConnectionFactory("localhost", getServerLdapPort());
        Connection conn = factory.getConnection())
    {
      conn.bind("uid=test.user,o=test", "password");
      conn.bind("uid=test.user,o=test", "password".toCharArray());

      ModifyRequest modifyRequest = newModifyRequest("uid=test.user,o=test")
          .addModification(REPLACE, "userPassword", "newpassword")
          .addControl(newPasswordPolicyControl());
      LDAPMessage message = conn.modify(modifyRequest, false);
      ModifyResponseProtocolOp modifyResponse = message.getModifyResponseProtocolOp();
      assertNotEquals(modifyResponse.getResultCode(), LDAPResultCode.SUCCESS);

      assertTrue(passwordPolicyControlExists(message.getControls(), PASSWORD_TOO_YOUNG));
      Result result = modifyFails(conn, modifyRequest);
      assertNotEquals(result.getResultCode(), ResultCode.SUCCESS);
      assertTrue(passwordPolicyControlExists(result.getControls(), PASSWORD_TOO_YOUNG));
    }
    finally
    {
@@ -815,18 +832,26 @@
        "objectClass: organizationalUnit",
        "ou: People");

    try (RemoteConnection conn = new RemoteConnection("localhost", TestCaseUtils.getServerLdapPort()))
    try (LDAPConnectionFactory factory = new LDAPConnectionFactory("localhost", getServerLdapPort());
        Connection conn = factory.getConnection())
    {
      conn.bind("uid=test.user,o=test", "password");
      conn.bind("uid=test.user,o=test", "password".toCharArray());

      ModifyDNRequest modifyDNRequest = newModifyDNRequest("ou=People,o=test", "ou=Users")
          .setDeleteOldRDN(true)
          .addControl(newPasswordPolicyControl());
      LDAPMessage message = conn.modifyDN(modifyDNRequest, false);
      ModifyDNResponseProtocolOp modifyDNResponse = message.getModifyDNResponseProtocolOp();
      assertNotEquals(modifyDNResponse.getResultCode(), LDAPResultCode.SUCCESS);

      assertTrue(passwordPolicyControlExists(message.getControls(), CHANGE_AFTER_RESET));
      Result result;
      try
      {
        result = conn.modifyDN(modifyDNRequest);
        Assert.fail("LdapException expected");
      }
      catch (LdapException expected)
      {
        result = expected.getResult();
      }
      assertNotEquals(result.getResultCode(), ResultCode.SUCCESS);
      assertTrue(passwordPolicyControlExists(result.getControls(), CHANGE_AFTER_RESET));
    }
    finally
    {
@@ -861,18 +886,27 @@
        "userPassword: password",
        "ds-privilege-name: bypass-acl");

    try (RemoteConnection conn = new RemoteConnection("localhost", TestCaseUtils.getServerLdapPort()))
    try (LDAPConnectionFactory factory = new LDAPConnectionFactory("localhost", getServerLdapPort());
        Connection conn = factory.getConnection())
    {
      conn.bind("uid=test.user,o=test", "password");
      conn.bind("uid=test.user,o=test", "password".toCharArray());

      SearchRequest searchRequest = newSearchRequest("o=test", SearchScope.BASE_OBJECT, "(objectclass=*)")
          .addControl(newPasswordPolicyControl());
      conn.search(searchRequest);
      LDAPMessage message = conn.readMessage();
      SearchResultDoneProtocolOp searchDone = message.getSearchResultDoneProtocolOp();
      assertNotEquals(searchDone.getResultCode(), LDAPResultCode.SUCCESS);

      assertTrue(passwordPolicyControlExists(message.getControls(), CHANGE_AFTER_RESET));
      Result result;
      try
      {
        ConnectionEntryReader entryReader = conn.search(searchRequest);
        entryReader.hasNext();
        Assert.fail("LdapException expected");
        result = null;
      }
      catch (LdapException expected)
      {
        result = expected.getResult();
      }
      assertNotEquals(result.getResultCode(), ResultCode.SUCCESS);
      assertTrue(passwordPolicyControlExists(result.getControls(), CHANGE_AFTER_RESET));
    }
    finally
    {

 opendj-server-legacy/src/test/java/org/opends/server/crypto/CryptoManagerTestCase.java

@@ -23,26 +23,30 @@
import java.io.OutputStream;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.List;
import java.util.UUID;

import javax.crypto.Mac;

import org.forgerock.i18n.LocalizableMessage;
import org.forgerock.opendj.ldap.Attribute;
import org.forgerock.opendj.ldap.ByteString;
import org.forgerock.opendj.ldap.Connection;
import org.forgerock.opendj.ldap.DN;
import org.forgerock.opendj.ldap.LDAPConnectionFactory;
import org.forgerock.opendj.ldap.SSLContextBuilder;
import org.forgerock.opendj.ldap.SearchScope;
import org.forgerock.opendj.ldap.responses.SearchResultEntry;
import org.forgerock.opendj.ldif.ConnectionEntryReader;
import org.forgerock.util.Options;
import org.opends.admin.ads.ADSContext;
import org.opends.admin.ads.util.BlindTrustManager;
import org.opends.server.TestCaseUtils;
import org.opends.server.core.DirectoryServer;
import org.opends.server.protocols.internal.InternalClientConnection;
import org.opends.server.protocols.internal.InternalSearchOperation;
import org.opends.server.protocols.internal.SearchRequest;
import org.opends.server.protocols.ldap.LDAPAttribute;
import org.opends.server.protocols.ldap.SearchResultEntryProtocolOp;
import org.opends.server.tools.RemoteConnection;
import org.opends.server.types.CryptoManager;
import org.opends.server.types.CryptoManagerException;
import org.forgerock.opendj.ldap.DN;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.Entry;
import org.opends.server.types.Modification;
@@ -54,11 +58,14 @@
import org.testng.annotations.Test;

import static org.assertj.core.api.Assertions.*;
import static org.forgerock.opendj.ldap.LDAPConnectionFactory.*;
import static org.forgerock.opendj.ldap.ModificationType.*;
import static org.forgerock.opendj.ldap.SearchScope.*;
import static org.opends.server.TestCaseUtils.*;
import static org.opends.server.config.ConfigConstants.*;
import static org.opends.server.protocols.internal.InternalClientConnection.*;
import static org.opends.server.protocols.internal.Requests.*;
import static org.opends.server.types.Attributes.create;
import static org.opends.server.types.Attributes.*;
import static org.testng.Assert.*;

/**
@@ -114,26 +121,29 @@

    // The certificate should now be accessible in the truststore backend via LDAP.
    ByteString ldapCert;
    try (RemoteConnection conn = new RemoteConnection("localhost", TestCaseUtils.getServerAdminPort(), true))
    Options options = Options.defaultOptions()
        .set(SSL_CONTEXT, new SSLContextBuilder()
                          .setTrustManager(new BlindTrustManager())
                          .getSSLContext());
    try (LDAPConnectionFactory factory = new LDAPConnectionFactory("localhost", getServerAdminPort(), options);
        Connection conn = factory.getConnection())
    {
      conn.bind("cn=Directory Manager", "password");
      conn.bind("cn=Directory Manager", "password".toCharArray());

      // TODO: should the below dn be in ConfigConstants?
      final String dnStr = "ds-cfg-key-id=ads-certificate,cn=ads-truststore";
      conn.search(dnStr, SearchScope.BASE_OBJECT, "(objectclass=ds-cfg-instance-key)",
      ConnectionEntryReader entryReader = conn.search(dnStr, BASE_OBJECT, "(objectclass=ds-cfg-instance-key)",
          "ds-cfg-public-key-certificate;binary");
      List<SearchResultEntryProtocolOp> searchEntries = conn.readEntries();
      assertThat(searchEntries).hasSize(1);
      SearchResultEntryProtocolOp searchEntry = searchEntries.get(0);
      List<LDAPAttribute> attributes = searchEntry.getAttributes();
      assertThat(attributes).hasSize(1);
      LDAPAttribute certAttr = attributes.get(0);
      /* attribute ds-cfg-public-key-certificate is a MUST in the schema */
      assertNotNull(certAttr);
      List<ByteString> values = certAttr.getValues();
      assertThat(values).hasSize(1);
      ldapCert = values.get(0);
      // Compare the certificate values.

      assertThat(entryReader.hasNext()).isTrue();
      SearchResultEntry searchEntry = entryReader.readEntry();
      assertThat(entryReader.hasNext()).isFalse();
      assertThat(searchEntry.getAttributeCount()).isEqualTo(1);

      final Attribute certAttr = searchEntry.getAllAttributes().iterator().next();
      // attribute ds-cfg-public-key-certificate is a MUST in the schema
      assertThat(certAttr).hasSize(1);
      ldapCert = certAttr.iterator().next();
      assertEquals(ldapCert.toByteArray(), cert);
    }


 opendj-server-legacy/src/test/java/org/opends/server/extensions/ExternalSASLMechanismHandlerTestCase.java

@@ -23,22 +23,21 @@
import java.util.List;

import org.forgerock.opendj.config.server.ConfigException;
import org.forgerock.opendj.ldap.AuthenticationException;
import org.forgerock.opendj.ldap.Base64;
import org.forgerock.opendj.ldap.ByteString;
import org.forgerock.opendj.ldap.Connection;
import org.forgerock.opendj.ldap.DN;
import org.forgerock.opendj.ldap.LDAPConnectionFactory;
import org.forgerock.opendj.ldap.ModificationType;
import org.forgerock.opendj.ldap.ResultCode;
import org.opends.server.TestCaseUtils;
import org.forgerock.opendj.ldap.requests.Requests;
import org.forgerock.opendj.ldap.responses.BindResult;
import org.forgerock.opendj.server.config.meta.ExternalSASLMechanismHandlerCfgDefn;
import org.opends.server.TestCaseUtils;
import org.opends.server.core.DirectoryServer;
import org.opends.server.core.ModifyOperation;
import org.opends.server.protocols.internal.InternalClientConnection;
import org.opends.server.protocols.ldap.BindRequestProtocolOp;
import org.opends.server.protocols.ldap.BindResponseProtocolOp;
import org.opends.server.protocols.ldap.LDAPMessage;
import com.forgerock.opendj.ldap.tools.LDAPSearch;
import org.opends.server.tools.RemoteConnection;
import org.opends.server.types.Attributes;
import org.forgerock.opendj.ldap.DN;
import org.opends.server.types.Entry;
import org.opends.server.types.InitializationException;
import org.opends.server.types.Modification;
@@ -46,6 +45,8 @@
import org.testng.annotations.DataProvider;
import org.testng.annotations.Test;

import com.forgerock.opendj.ldap.tools.LDAPSearch;

import static org.forgerock.opendj.ldap.ModificationType.*;
import static org.opends.server.TestCaseUtils.runLdapSearchTrustCertificateForSession;
import static org.opends.server.protocols.internal.InternalClientConnection.*;
@@ -268,19 +269,16 @@
   *
   * @throws  Exception  If an unexpected problem occurs.
   */
  @Test
  public void testFailEXTERNALInsecureConnection()
         throws Exception
  @Test(expectedExceptions = AuthenticationException.class)
  public void testFailEXTERNALInsecureConnection() throws Exception
  {
    TestCaseUtils.initializeTestBackend(true);

    try (RemoteConnection conn = new RemoteConnection("localhost", TestCaseUtils.getServerLdapPort()))
    try (LDAPConnectionFactory factory = new LDAPConnectionFactory("localhost", TestCaseUtils.getServerLdapPort());
        Connection conn = factory.getConnection())
    {
      conn.writeMessage(new BindRequestProtocolOp(ByteString.empty(), "EXTERNAL", null));

      LDAPMessage message = conn.readMessage();
      BindResponseProtocolOp bindResponse = message.getBindResponseProtocolOp();
      assertFalse(bindResponse.getResultCode() == 0);
      BindResult result = conn.bind(Requests.newExternalSASLBindRequest());
      TestCaseUtils.assertNotEquals(result.getResultCode(), ResultCode.SUCCESS);
    }
 }