From 1596ccfcb23b1f5865560d9cb8e7ac79c3b30ddc Mon Sep 17 00:00:00 2001
From: Nicolas Capponi <nicolas.capponi@forgerock.com>
Date: Mon, 04 Apr 2016 13:38:34 +0000
Subject: [PATCH] OPENDJ-2661 Fix checks for attribute types with passwords
---
opendj-server-legacy/src/main/java/org/opends/server/schema/SchemaConstants.java | 2
opendj-server-legacy/src/main/java/org/opends/server/util/SchemaUtils.java | 63 +++++++++++++++++++++
opendj-server-legacy/src/main/java/org/opends/server/core/PasswordPolicyState.java | 14 ++--
opendj-server-legacy/src/main/java/org/opends/server/core/PasswordPolicyFactory.java | 15 ++--
opendj-server-legacy/src/main/java/org/opends/server/plugins/PasswordPolicyImportPlugin.java | 8 +-
opendj-server-legacy/src/main/java/org/opends/server/core/SubentryPasswordPolicy.java | 12 ++--
opendj-server-legacy/src/main/java/org/opends/server/schema/UserPasswordEqualityMatchingRuleFactory.java | 2
opendj-server-legacy/src/main/java/org/opends/guitools/controlpanel/util/Utilities.java | 15 ++++
8 files changed, 104 insertions(+), 27 deletions(-)
diff --git a/opendj-server-legacy/src/main/java/org/opends/guitools/controlpanel/util/Utilities.java b/opendj-server-legacy/src/main/java/org/opends/guitools/controlpanel/util/Utilities.java
index d1f39d7..e6c39c5 100644
--- a/opendj-server-legacy/src/main/java/org/opends/guitools/controlpanel/util/Utilities.java
+++ b/opendj-server-legacy/src/main/java/org/opends/guitools/controlpanel/util/Utilities.java
@@ -119,8 +119,10 @@
import org.opends.server.schema.SomeSchemaElement;
import org.opends.server.types.OpenDsException;
import org.opends.server.types.Schema;
+import org.opends.server.util.SchemaUtils;
import org.opends.server.util.ServerConstants;
import org.opends.server.util.StaticUtils;
+import org.opends.server.util.SchemaUtils.PasswordType;
/**
* A static class that provides miscellaneous functions.
@@ -134,7 +136,6 @@
private static final String HTML_SPACE = " ";
private static final String[] attrsToObfuscate = { ServerConstants.ATTR_USER_PASSWORD };
- private static final String[] passwordSyntaxOIDs = { SchemaConstants.SYNTAX_USER_PASSWORD_OID };
private static final String[] binarySyntaxOIDs = {
SchemaConstants.SYNTAX_BINARY_OID,
SchemaConstants.SYNTAX_JPEG_OID,
@@ -2126,7 +2127,17 @@
*/
public static boolean hasPasswordSyntax(String attrName, Schema schema)
{
- return hasAnySyntax(attrName, schema, passwordSyntaxOIDs);
+ if (schema != null)
+ {
+ attrName = Utilities.getAttributeNameWithoutOptions(attrName).toLowerCase();
+ if (schema.hasAttributeType(attrName))
+ {
+ AttributeType attr = schema.getAttributeType(attrName);
+ PasswordType passwordType = SchemaUtils.checkPasswordType(attr);
+ return passwordType.equals(PasswordType.USER_PASSWORD);
+ }
+ }
+ return false;
}
private static boolean hasAnySyntax(String attrName, Schema schema, String[] oids)
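Review bot: `Utilities.getAttributeNameWithoutOptions(attrName).toLowerCase()` is locale-sensitive, which can mis-normalize attribute names under some default locales; the rest of the server lower-cases schema names with the static `toLowerCase(...)` helper (see the history check in PasswordPolicyState), and this file already imports `StaticUtils`, so `attrName = StaticUtils.toLowerCase(Utilities.getAttributeNameWithoutOptions(attrName));` would be consistent. The enum comparison `passwordType.equals(PasswordType.USER_PASSWORD)` is better written `passwordType == PasswordType.USER_PASSWORD` (null-safe, no method call); the same pattern appears in the PasswordPolicyFactory, SubentryPasswordPolicy and PasswordPolicyImportPlugin hunks. Reassigning the `attrName` parameter also hides the original value from the `return false` path; a separate local would make the flow clearer. The method's Javadoc ends just above the hunk and should state that only the user-password type counts here, not the auth-password one.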
diff --git a/opendj-server-legacy/src/main/java/org/opends/server/core/PasswordPolicyFactory.java b/opendj-server-legacy/src/main/java/org/opends/server/core/PasswordPolicyFactory.java
index a1410d4..4053806 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/core/PasswordPolicyFactory.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/core/PasswordPolicyFactory.java
@@ -18,7 +18,6 @@
import static org.opends.messages.ConfigMessages.*;
import static org.opends.messages.CoreMessages.*;
-import static org.opends.server.schema.SchemaConstants.*;
import static org.opends.server.util.ServerConstants.*;
import static org.opends.server.util.StaticUtils.*;
@@ -39,6 +38,8 @@
import org.opends.server.api.*;
import org.forgerock.opendj.ldap.schema.AttributeType;
import org.opends.server.types.*;
+import org.opends.server.util.SchemaUtils;
+import org.opends.server.util.SchemaUtils.PasswordType;
/**
* This class is the interface between the password policy configurable
@@ -199,15 +200,13 @@
// Get the password attribute. If specified, it must have either the
// user password or auth password syntax.
- final AttributeType passwordAttribute = configuration
- .getPasswordAttribute();
- final String syntaxOID = passwordAttribute.getSyntax().getOID();
- final boolean authPasswordSyntax;
- if (syntaxOID.equals(SYNTAX_AUTH_PASSWORD_OID))
+ final AttributeType passwordAttribute = configuration.getPasswordAttribute();
+ final PasswordType passwordType = SchemaUtils.checkPasswordType(passwordAttribute);
+ if (passwordType.equals(PasswordType.AUTH_PASSWORD))
{
authPasswordSyntax = true;
}
- else if (syntaxOID.equals(SYNTAX_USER_PASSWORD_OID))
+ else if (passwordType.equals(PasswordType.USER_PASSWORD))
{
authPasswordSyntax = false;
}
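Review bot: The hunk drops the local `final boolean authPasswordSyntax;` but keeps the assignments `authPasswordSyntax = true;` and `authPasswordSyntax = false;`, so the name now binds to something declared outside the hunk, presumably a field of the enclosing class; the enclosing method starts and ends outside the hunk. If that field was previously shadowed by the removed local, this silently changes which variable is written, so confirm the field is the one the policy reads afterwards and that no later `this.authPasswordSyntax = authPasswordSyntax;` outside the hunk has become a self-assignment. Independently, `passwordType.equals(PasswordType.AUTH_PASSWORD)` would read better as `passwordType == PasswordType.AUTH_PASSWORD`.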
@@ -216,7 +215,7 @@
String syntax = passwordAttribute.getSyntax().getName();
if (syntax == null || syntax.length() == 0)
{
- syntax = syntaxOID;
+ syntax = passwordAttribute.getSyntax().getOID();
}
throw new ConfigException(ERR_PWPOLICY_INVALID_PASSWORD_ATTRIBUTE_SYNTAX.get(
diff --git a/opendj-server-legacy/src/main/java/org/opends/server/core/PasswordPolicyState.java b/opendj-server-legacy/src/main/java/org/opends/server/core/PasswordPolicyState.java
index 2278e1c..a90e9ac 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/core/PasswordPolicyState.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/core/PasswordPolicyState.java
@@ -2431,11 +2431,15 @@
String syntaxOID = toLowerCase(histStr.substring(hashPos1+1, hashPos2));
if (SYNTAX_AUTH_PASSWORD_OID.equals(syntaxOID))
{
- return logResult("auth", encodedAuthPasswordMatches(password, histStr.substring(hashPos2+1)));
+ boolean passwordMatches = encodedAuthPasswordMatches(password, histStr.substring(hashPos2+1));
+ logResult("auth", passwordMatches);
+ return passwordMatches;
}
- else if (SYNTAX_USER_PASSWORD_OID.equals(syntaxOID))
+ else if (SYNTAX_USER_PASSWORD_OID.equals(syntaxOID) || SYNTAX_OCTET_STRING_OID.equals(syntaxOID))
{
- return logResult("user", encodedUserPasswordMatches(password, histStr.substring(hashPos2+1)));
+ boolean passwordMatches = encodedUserPasswordMatches(password, histStr.substring(hashPos2+1));
+ logResult("user", passwordMatches);
+ return passwordMatches;
}
else
{
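Review bot: The added `|| SYNTAX_OCTET_STRING_OID.equals(syntaxOID)` has no comment saying why an octet-string syntax OID in a stored history value is treated as a user password. `syntaxOID` is parsed from the persisted history string, and this same patch re-points `SYNTAX_USER_PASSWORD_OID` from the standard Octet String OID ("1.3.6.1.4.1.1466.115.121.1.40") to an OpenDJ-private one, so history values written by earlier versions presumably still carry the old OID and would otherwise stop matching. Suggest a comment on the condition: `// History values written before SYNTAX_USER_PASSWORD_OID became an OpenDJ-private OID carry the standard Octet String OID; keep accepting them.` The enclosing method starts and ends outside the hunk.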
@@ -2474,17 +2478,15 @@
return scheme.passwordMatches(password, ByteString.valueOfUtf8(userPWComponents[1]));
}
- private boolean logResult(String passwordType, boolean passwordMatches)
+ private void logResult(String passwordType, boolean passwordMatches)
{
if (passwordMatches)
{
logger.trace("Returning true because the %s password history value matched.", passwordType);
- return true;
}
else
{
logger.trace("Returning false because the %s password history value did not match.", passwordType);
- return false;
}
}
diff --git a/opendj-server-legacy/src/main/java/org/opends/server/core/SubentryPasswordPolicy.java b/opendj-server-legacy/src/main/java/org/opends/server/core/SubentryPasswordPolicy.java
index 60f3136..dc99930 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/core/SubentryPasswordPolicy.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/core/SubentryPasswordPolicy.java
@@ -18,7 +18,6 @@
import static org.opends.messages.ConfigMessages.*;
import static org.opends.messages.CoreMessages.*;
-import static org.opends.server.schema.SchemaConstants.*;
import java.util.Collection;
import java.util.HashSet;
@@ -49,6 +48,8 @@
import org.opends.server.types.ObjectClass;
import org.opends.server.types.Operation;
import org.opends.server.types.SubEntry;
+import org.opends.server.util.SchemaUtils;
+import org.opends.server.util.SchemaUtils.PasswordType;
/**
* This class represents subentry password policy based on Password Policy for
@@ -183,13 +184,12 @@
ERR_PWPOLICY_UNDEFINED_PASSWORD_ATTRIBUTE.get(this.passwordPolicySubentryDN, value));
}
- // Check the syntax.
- final String syntaxOID = pPasswordAttribute.getSyntax().getOID();
- if (SYNTAX_AUTH_PASSWORD_OID.equals(syntaxOID))
+ final PasswordType passwordType = SchemaUtils.checkPasswordType(pPasswordAttribute);
+ if (passwordType.equals(PasswordType.AUTH_PASSWORD))
{
pAuthPasswordSyntax = true;
}
- else if (SYNTAX_USER_PASSWORD_OID.equals(syntaxOID))
+ else if (passwordType.equals(PasswordType.USER_PASSWORD))
{
pAuthPasswordSyntax = false;
}
@@ -198,7 +198,7 @@
String syntax = pPasswordAttribute.getSyntax().getName();
if (syntax == null || syntax.length() == 0)
{
- syntax = syntaxOID;
+ syntax = pPasswordAttribute.getSyntax().getOID();
}
LocalizableMessage message = ERR_PWPOLICY_INVALID_PASSWORD_ATTRIBUTE_SYNTAX.get(
diff --git a/opendj-server-legacy/src/main/java/org/opends/server/plugins/PasswordPolicyImportPlugin.java b/opendj-server-legacy/src/main/java/org/opends/server/plugins/PasswordPolicyImportPlugin.java
index 0eae274..79b2f4f 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/plugins/PasswordPolicyImportPlugin.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/plugins/PasswordPolicyImportPlugin.java
@@ -19,7 +19,6 @@
import static org.opends.messages.PluginMessages.*;
import static org.opends.server.config.ConfigConstants.*;
import static org.opends.server.extensions.ExtensionsConstants.*;
-import static org.opends.server.schema.SchemaConstants.*;
import static org.opends.server.util.StaticUtils.*;
import java.util.HashMap;
@@ -59,6 +58,8 @@
import org.opends.server.types.Entry;
import org.opends.server.types.LDIFImportConfig;
import org.opends.server.types.SubEntry;
+import org.opends.server.util.SchemaUtils;
+import org.opends.server.util.SchemaUtils.PasswordType;
/**
* This class implements a Directory Server plugin that performs various
@@ -229,11 +230,12 @@
HashSet<AttributeType> userPWTypes = new HashSet<>();
for (AttributeType t : DirectoryServer.getAttributeTypes())
{
- if (SYNTAX_AUTH_PASSWORD_OID.equals(t.getSyntax().getOID()))
+ final PasswordType passwordType = SchemaUtils.checkPasswordType(t);
+ if (passwordType.equals(PasswordType.AUTH_PASSWORD))
{
authPWTypes.add(t);
}
- else if (SYNTAX_USER_PASSWORD_OID.equals(t.getSyntax().getOID()))
+ else if (passwordType.equals(PasswordType.USER_PASSWORD))
{
userPWTypes.add(t);
}
diff --git a/opendj-server-legacy/src/main/java/org/opends/server/schema/SchemaConstants.java b/opendj-server-legacy/src/main/java/org/opends/server/schema/SchemaConstants.java
index 7062e41..743ec11 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/schema/SchemaConstants.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/schema/SchemaConstants.java
@@ -1894,7 +1894,7 @@
/**
* The OID for the user password attribute syntax.
*/
- public static final String SYNTAX_USER_PASSWORD_OID = "1.3.6.1.4.1.1466.115.121.1.40";
+ public static final String SYNTAX_USER_PASSWORD_OID = OID_OPENDS_SERVER_ATTRIBUTE_SYNTAX_BASE + ".1";
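Review bot: The Javadoc above the changed constant still reads "The OID for the user password attribute syntax", which no longer tells the reader that the value changed from the standard Octet String OID ("1.3.6.1.4.1.1466.115.121.1.40") to an OpenDJ-private OID under `OID_OPENDS_SERVER_ATTRIBUTE_SYNTAX_BASE`. Suggest extending it: `* The OID for the user password attribute syntax. This is an OpenDJ-private OID; before this constant was re-assigned it held the standard Octet String OID, so persisted values that recorded the old OID must be matched against {@code SYNTAX_OCTET_STRING_OID}.` Please also confirm that no other constant in this file already derives `".1"` from the same base, since the hunk does not show the neighbouring definitions.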
diff --git a/opendj-server-legacy/src/main/java/org/opends/server/schema/UserPasswordEqualityMatchingRuleFactory.java b/opendj-server-legacy/src/main/java/org/opends/server/schema/UserPasswordEqualityMatchingRuleFactory.java
index f43996f..920124e 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/schema/UserPasswordEqualityMatchingRuleFactory.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/schema/UserPasswordEqualityMatchingRuleFactory.java
@@ -44,7 +44,7 @@
matchingRule = new SchemaBuilder(CoreSchema.getInstance())
.buildMatchingRule(EMR_USER_PASSWORD_OID)
.names(EMR_USER_PASSWORD_NAME)
- .syntaxOID(SYNTAX_USER_PASSWORD_OID).description(EMR_USER_PASSWORD_DESCRIPTION)
+ .syntaxOID(SYNTAX_OCTET_STRING_OID).description(EMR_USER_PASSWORD_DESCRIPTION)
.implementation(new UserPasswordEqualityMatchingRule())
.addToSchema()
.toSchema().getMatchingRule(EMR_USER_PASSWORD_OID);
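Review bot: `.syntaxOID(SYNTAX_OCTET_STRING_OID)` is a non-obvious choice for the user-password equality rule and deserves a why-comment, since a reader would expect `SYNTAX_USER_PASSWORD_OID` here. Presumably the rule is bound to the Octet String syntax because this patch redefines `SYNTAX_USER_PASSWORD_OID` as an OpenDJ-private OID while the standard `userPassword` attribute keeps the Octet String syntax; suggest `// userPassword uses the standard Octet String syntax; SYNTAX_USER_PASSWORD_OID is now an OpenDJ-private OID.` If `SYNTAX_USER_PASSWORD_OID` is no longer referenced elsewhere in this file, its static import (outside the hunk) is now unused.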
diff --git a/opendj-server-legacy/src/main/java/org/opends/server/util/SchemaUtils.java b/opendj-server-legacy/src/main/java/org/opends/server/util/SchemaUtils.java
new file mode 100644
index 0000000..7a7dea9
--- /dev/null
+++ b/opendj-server-legacy/src/main/java/org/opends/server/util/SchemaUtils.java
@@ -0,0 +1,63 @@
+/*
+ * The contents of this file are subject to the terms of the Common Development and
+ * Distribution License (the License). You may not use this file except in compliance with the
+ * License.
+ *
+ * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+ * specific language governing permission and limitations under the License.
+ *
+ * When distributing Covered Software, include this CDDL Header Notice in each file and include
+ * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+ * Header, with the fields enclosed by brackets [] replaced by your own identifying
+ * information: "Portions Copyright [year] [name of copyright owner]".
+ *
+ * Copyright 2016 ForgeRock AS.
+ */
+package org.opends.server.util;
+
+import org.forgerock.opendj.ldap.schema.AttributeType;
+
+import static org.opends.server.schema.SchemaConstants.SYNTAX_AUTH_PASSWORD_OID;
+import static org.opends.server.schema.SchemaConstants.SYNTAX_USER_PASSWORD_OID;
+
+/** Utility methods related to schema. */
+public class SchemaUtils
+{
+
+ /** Private constructor to prevent instantiation. */
+ private SchemaUtils() {
+ // No implementation required.
+ }
+
+ /** Represents a password type, including a "not a password" value. */
+ public enum PasswordType
+ {
+ /** Auth Password. */
+ AUTH_PASSWORD,
+ /** User Password. */
+ USER_PASSWORD,
+ /** Not a password. */
+ NOT_A_PASSWORD
+ }
+
+ /**
+ * Checks if the provided attribute type contains a password.
+ *
+ * @param attrType
+ * The attribute type to check.
+ * @return a PasswordTypeCheck result
+ */
+ public static PasswordType checkPasswordType(AttributeType attrType)
+ {
+ final String syntaxOID = attrType.getSyntax().getOID();
+ if (syntaxOID.equals(SYNTAX_AUTH_PASSWORD_OID))
+ {
+ return PasswordType.AUTH_PASSWORD;
+ }
+ else if (attrType.hasName("userPassword") || syntaxOID.equals(SYNTAX_USER_PASSWORD_OID))
+ {
+ return PasswordType.USER_PASSWORD;
+ }
+ return PasswordType.NOT_A_PASSWORD;
+ }
+}
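Review bot: The Javadoc `@return a PasswordTypeCheck result` names a type that does not exist; it should read `@return the {@link PasswordType} of the attribute, or {@code NOT_A_PASSWORD}`, and the method description should spell out the precedence the code applies (auth-password syntax first, then an attribute named userPassword or one with the user-password syntax), because callers such as the control-panel obfuscation and the import plugin classify sensitive attributes based on this result. The literal `"userPassword"` on the `hasName` line duplicates `ServerConstants.ATTR_USER_PASSWORD` from this same package (the Utilities hunk uses it), so `attrType.hasName(ServerConstants.ATTR_USER_PASSWORD)` avoids the two drifting apart; whether `hasName` compares case-insensitively is not visible here and is worth confirming, as LDAP attribute names are case-insensitive. `attrType` is dereferenced without a check; `Objects.requireNonNull(attrType, "attrType");` at the top gives a clearer failure than the NPE from `getSyntax()`. The class could also be declared `final` since it has only a private constructor.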
--
Gitblit v1.10.0