/*
* The contents of this file are subject to the terms of the Common Development and
* Distribution License (the License). You may not use this file except in compliance with the
* License.
*
* You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
* specific language governing permission and limitations under the License.
*
* When distributing Covered Software, include this CDDL Header Notice in each file and include
* the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
* Header, with the fields enclosed by brackets [] replaced by your own identifying
* information: "Portions Copyright [year] [name of copyright owner]".
*
* Copyright 2006-2010 Sun Microsystems, Inc.
* Portions Copyright 2011-2016 ForgeRock AS.
*/
package org.opends.server.tools;
import static com.forgerock.opendj.cli.CliMessages.INFO_FILE_PLACEHOLDER;
import static com.forgerock.opendj.cli.CommonArguments.*;
import static com.forgerock.opendj.cli.Utils.*;
import static org.opends.messages.ToolMessages.*;
import static org.opends.messages.ToolMessages.INFO_CONFIGFILE_PLACEHOLDER;
import static org.opends.messages.ToolMessages.INFO_DESCRIPTION_CONFIG_FILE;
import static org.opends.server.protocols.ldap.LDAPResultCode.*;
import static org.opends.server.util.StaticUtils.*;
import java.io.Console;
import java.io.IOException;
import java.io.OutputStream;
import java.io.PrintStream;
import java.util.ArrayList;
import java.util.Collections;
import java.util.concurrent.ConcurrentHashMap;
import org.forgerock.i18n.LocalizableMessage;
import org.forgerock.opendj.ldap.ByteString;
import org.opends.server.api.PasswordStorageScheme;
import org.opends.server.core.DirectoryServer;
import org.opends.server.core.DirectoryServer.DirectoryServerVersionHandler;
import org.opends.server.loggers.JDKLogging;
import org.opends.server.schema.AuthPasswordSyntax;
import org.opends.server.schema.UserPasswordSyntax;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.InitializationException;
import org.opends.server.types.NullOutputStream;
import org.opends.server.util.BuildVersion;
import com.forgerock.opendj.cli.ArgumentException;
import com.forgerock.opendj.cli.ArgumentParser;
import com.forgerock.opendj.cli.BooleanArgument;
import com.forgerock.opendj.cli.FileBasedArgument;
import com.forgerock.opendj.cli.StringArgument;
/**
* This program provides a utility that may be used to interact with the
* password storage schemes defined in the Directory Server. In particular,
* it can encode a clear-text password using a specified scheme, and it can also
* determine whether a given encoded password is the encoded representation of a
* given clear-text password. Alternately, it can be used to obtain a list of
* the available password storage scheme names.
*/
public class EncodePassword
{
/**
* Processes the command-line arguments and performs the requested action.
*
* @param args The command-line arguments provided to this program.
*/
public static void main(String[] args)
{
int returnCode = encodePassword(args, true, System.out, System.err);
if (returnCode != 0)
{
System.exit(filterExitCode(returnCode));
}
}
/**
* Processes the command-line arguments and performs the requested action.
*
* @param args The command-line arguments provided to this program.
*
* @return An integer value that indicates whether processing was successful.
*/
public static int encodePassword(String[] args)
{
return encodePassword(args, true, System.out, System.err);
}
/**
* Processes the command-line arguments and performs the requested action.
*
* @param args The command-line arguments provided to this
* program.
* @param initializeServer Indicates whether to initialize the server.
* @param outStream The output stream to use for standard output, or
* null if standard output is not
* needed.
* @param errStream The output stream to use for standard error, or
* null if standard error is not
* needed.
*
* @return An integer value that indicates whether processing was successful.
*/
public static int encodePassword(String[] args, boolean initializeServer,
OutputStream outStream,
OutputStream errStream)
{
PrintStream out = NullOutputStream.wrapOrNullStream(outStream);
PrintStream err = NullOutputStream.wrapOrNullStream(errStream);
JDKLogging.disableLogging();
// Define the command-line arguments that may be used with this program.
BooleanArgument authPasswordSyntax = null;
BooleanArgument useCompareResultCode = null;
BooleanArgument listSchemes = null;
BooleanArgument showUsage = null;
BooleanArgument interactivePassword = null;
StringArgument clearPassword = null;
FileBasedArgument clearPasswordFile = null;
StringArgument encodedPassword = null;
FileBasedArgument encodedPasswordFile = null;
StringArgument configFile = null;
StringArgument schemeName = null;
// Create the command-line argument parser for use with this program.
LocalizableMessage toolDescription = INFO_ENCPW_TOOL_DESCRIPTION.get();
ArgumentParser argParser =
new ArgumentParser("org.opends.server.tools.EncodePassword",
toolDescription, false);
argParser.setShortToolDescription(REF_SHORT_DESC_ENCODE_PASSWORD.get());
argParser.setVersionHandler(new DirectoryServerVersionHandler());
// Initialize all the command-line argument types and register them with the parser.
try
{
listSchemes =
BooleanArgument.builder("listSchemes")
.shortIdentifier('l')
.description(INFO_ENCPW_DESCRIPTION_LISTSCHEMES.get())
.buildAndAddToParser(argParser);
interactivePassword =
BooleanArgument.builder("interactivePassword")
.shortIdentifier('i')
.description(INFO_ENCPW_DESCRIPTION_INPUT_PW.get())
.buildAndAddToParser(argParser);
clearPassword =
StringArgument.builder("clearPassword")
.shortIdentifier('c')
.description(INFO_ENCPW_DESCRIPTION_CLEAR_PW.get())
.valuePlaceholder(INFO_CLEAR_PWD.get())
.buildAndAddToParser(argParser);
clearPasswordFile =
FileBasedArgument.builder("clearPasswordFile")
.shortIdentifier('f')
.description(INFO_ENCPW_DESCRIPTION_CLEAR_PW_FILE.get())
.valuePlaceholder(INFO_FILE_PLACEHOLDER.get())
.buildAndAddToParser(argParser);
encodedPassword =
StringArgument.builder("encodedPassword")
.shortIdentifier('e')
.description(INFO_ENCPW_DESCRIPTION_ENCODED_PW.get())
.valuePlaceholder(INFO_ENCODED_PWD_PLACEHOLDER.get())
.buildAndAddToParser(argParser);
encodedPasswordFile =
FileBasedArgument.builder("encodedPasswordFile")
.shortIdentifier('E')
.description(INFO_ENCPW_DESCRIPTION_ENCODED_PW_FILE.get())
.valuePlaceholder(INFO_FILE_PLACEHOLDER.get())
.buildAndAddToParser(argParser);
configFile =
StringArgument.builder("configFile")
.shortIdentifier('F')
.description(INFO_DESCRIPTION_CONFIG_FILE.get())
.hidden()
.required()
.valuePlaceholder(INFO_CONFIGFILE_PLACEHOLDER.get())
.buildAndAddToParser(argParser);
schemeName =
StringArgument.builder("storageScheme")
.shortIdentifier('s')
.description(INFO_ENCPW_DESCRIPTION_SCHEME.get())
.valuePlaceholder(INFO_STORAGE_SCHEME_PLACEHOLDER.get())
.buildAndAddToParser(argParser);
authPasswordSyntax =
BooleanArgument.builder("authPasswordSyntax")
.shortIdentifier('a')
.description(INFO_ENCPW_DESCRIPTION_AUTHPW.get())
.buildAndAddToParser(argParser);
useCompareResultCode =
BooleanArgument.builder("useCompareResultCode")
.shortIdentifier('r')
.description(INFO_ENCPW_DESCRIPTION_USE_COMPARE_RESULT.get())
.buildAndAddToParser(argParser);
showUsage = showUsageArgument();
argParser.addArgument(showUsage);
argParser.setUsageArgument(showUsage, out);
}
catch (ArgumentException ae)
{
printWrappedText(err, ERR_CANNOT_INITIALIZE_ARGS.get(ae.getMessage()));
return OPERATIONS_ERROR;
}
// Parse the command-line arguments provided to this program.
try
{
argParser.parseArguments(args);
}
catch (ArgumentException ae)
{
argParser.displayMessageAndUsageReference(err, ERR_ERROR_PARSING_ARGS.get(ae.getMessage()));
return OPERATIONS_ERROR;
}
// If we should just display usage or version information,
// then we've already done it so just return without doing anything else.
if (argParser.usageOrVersionDisplayed())
{
return SUCCESS;
}
// Checks the version - if upgrade required, the tool is unusable
try
{
BuildVersion.checkVersionMismatch();
}
catch (InitializationException e)
{
printWrappedText(err, e.getMessage());
return 1;
}
// Check for conflicting arguments.
try
{
throwIfArgumentsConflict(clearPassword, clearPasswordFile);
throwIfArgumentsConflict(clearPassword, interactivePassword);
throwIfArgumentsConflict(clearPasswordFile, interactivePassword);
throwIfArgumentsConflict(encodedPassword, encodedPasswordFile);
}
catch (final ArgumentException conflict)
{
printWrappedText(err, conflict.getMessageObject());
return OPERATIONS_ERROR;
}
// If we are not going to just list the storage schemes, then the clear-text
// password must have been provided. If we're going to encode a password,
// then the scheme must have also been provided.
if (!listSchemes.isPresent()
&& !encodedPassword.isPresent()
&& !encodedPasswordFile.isPresent()
&& !schemeName.isPresent())
{
argParser.displayMessageAndUsageReference(err, ERR_ENCPW_NO_SCHEME.get(schemeName.getLongIdentifier()));
return OPERATIONS_ERROR;
}
// Determine whether we're encoding the clear-text password or comparing it
// against an already-encoded password.
boolean compareMode;
ByteString encodedPW = null;
if (encodedPassword.hasValue())
{
compareMode = true;
encodedPW = ByteString.valueOfUtf8(encodedPassword.getValue());
}
else if (encodedPasswordFile.hasValue())
{
compareMode = true;
encodedPW = ByteString.valueOfUtf8(encodedPasswordFile.getValue());
}
else
{
compareMode = false;
}
if (initializeServer)
{
try
{
new DirectoryServer.InitializationBuilder(configFile.getValue())
.requirePasswordStorageSchemes()
.initialize();
}
catch (InitializationException ie)
{
printWrappedText(err, ERR_CANNOT_INITIALIZE_SERVER_COMPONENTS.get(getExceptionMessage(ie)));
return OPERATIONS_ERROR;
}
}
// If we are only trying to list the available schemes, then do so and exit.
if (listSchemes.isPresent())
{
if (authPasswordSyntax.isPresent())
{
listPasswordStorageSchemes(out, err, DirectoryServer.getAuthPasswordStorageSchemes(), true);
}
else
{
listPasswordStorageSchemes(out, err, DirectoryServer.getPasswordStorageSchemes(), false);
}
return SUCCESS;
}
// Either encode the clear-text password using the provided scheme, or
// compare the clear-text password against the encoded password.
ByteString clearPW = null;
if (compareMode)
{
// Check to see if the provided password value was encoded. If so, then
// break it down into its component parts and use that to perform the
// comparison. Otherwise, the user must have provided the storage scheme.
if (authPasswordSyntax.isPresent())
{
String[] authPWElements;
try
{
authPWElements = AuthPasswordSyntax.decodeAuthPassword(encodedPW.toString());
}
catch (DirectoryException de)
{
printWrappedText(err, ERR_ENCPW_INVALID_ENCODED_AUTHPW.get(de.getMessageObject()));
return OPERATIONS_ERROR;
}
catch (Exception e)
{
printWrappedText(err, ERR_ENCPW_INVALID_ENCODED_AUTHPW.get(e));
return OPERATIONS_ERROR;
}
String scheme = authPWElements[0];
String authInfo = authPWElements[1];
String authValue = authPWElements[2];
PasswordStorageScheme storageScheme =
DirectoryServer.getAuthPasswordStorageScheme(scheme);
if (storageScheme == null)
{
printWrappedText(err, ERR_ENCPW_NO_SUCH_AUTH_SCHEME.get(scheme));
return OPERATIONS_ERROR;
}
if (clearPW == null)
{
clearPW = getClearPW(err, argParser, clearPassword, clearPasswordFile, interactivePassword);
if (clearPW == null)
{
return OPERATIONS_ERROR;
}
}
final boolean authPasswordMatches =
storageScheme.authPasswordMatches(clearPW, authInfo, authValue);
out.println(getOutputMessage(authPasswordMatches));
if (useCompareResultCode.isPresent())
{
return authPasswordMatches ? COMPARE_TRUE : COMPARE_FALSE;
}
return SUCCESS;
}
else
{
PasswordStorageScheme storageScheme;
String encodedPWString;
if (UserPasswordSyntax.isEncoded(encodedPW))
{
try
{
String[] userPWElements =
UserPasswordSyntax.decodeUserPassword(encodedPW.toString());
encodedPWString = userPWElements[1];
storageScheme =
DirectoryServer.getPasswordStorageScheme(userPWElements[0]);
if (storageScheme == null)
{
printWrappedText(err, ERR_ENCPW_NO_SUCH_SCHEME.get(userPWElements[0]));
return OPERATIONS_ERROR;
}
}
catch (DirectoryException de)
{
printWrappedText(err, ERR_ENCPW_INVALID_ENCODED_USERPW.get(de.getMessageObject()));
return OPERATIONS_ERROR;
}
catch (Exception e)
{
printWrappedText(err, ERR_ENCPW_INVALID_ENCODED_USERPW.get(e));
return OPERATIONS_ERROR;
}
}
else
{
if (! schemeName.isPresent())
{
printWrappedText(err, ERR_ENCPW_NO_SCHEME.get(schemeName.getLongIdentifier()));
return OPERATIONS_ERROR;
}
encodedPWString = encodedPW.toString();
String scheme = toLowerCase(schemeName.getValue());
storageScheme = DirectoryServer.getPasswordStorageScheme(scheme);
if (storageScheme == null)
{
printWrappedText(err, ERR_ENCPW_NO_SUCH_SCHEME.get(scheme));
return OPERATIONS_ERROR;
}
}
if (clearPW == null)
{
clearPW = getClearPW(err, argParser, clearPassword, clearPasswordFile, interactivePassword);
if (clearPW == null)
{
return OPERATIONS_ERROR;
}
}
boolean passwordMatches =
storageScheme.passwordMatches(clearPW, ByteString
.valueOfUtf8(encodedPWString));
out.println(getOutputMessage(passwordMatches));
if (useCompareResultCode.isPresent())
{
return passwordMatches ? COMPARE_TRUE : COMPARE_FALSE;
}
return SUCCESS;
}
}
else
{
// Try to get a reference to the requested password storage scheme.
PasswordStorageScheme storageScheme;
if (authPasswordSyntax.isPresent())
{
String scheme = schemeName.getValue();
storageScheme = DirectoryServer.getAuthPasswordStorageScheme(scheme);
if (storageScheme == null)
{
printWrappedText(err, ERR_ENCPW_NO_SUCH_AUTH_SCHEME.get(scheme));
return OPERATIONS_ERROR;
}
}
else
{
String scheme = toLowerCase(schemeName.getValue());
storageScheme = DirectoryServer.getPasswordStorageScheme(scheme);
if (storageScheme == null)
{
printWrappedText(err, ERR_ENCPW_NO_SUCH_SCHEME.get(scheme));
return OPERATIONS_ERROR;
}
}
if (authPasswordSyntax.isPresent())
{
try
{
if (clearPW == null)
{
clearPW = getClearPW(err, argParser, clearPassword, clearPasswordFile, interactivePassword);
if (clearPW == null)
{
return OPERATIONS_ERROR;
}
}
encodedPW = storageScheme.encodeAuthPassword(clearPW);
LocalizableMessage message = ERR_ENCPW_ENCODED_PASSWORD.get(encodedPW);
out.println(message);
}
catch (DirectoryException de)
{
printWrappedText(err, ERR_ENCPW_CANNOT_ENCODE.get(de.getMessageObject()));
return OPERATIONS_ERROR;
}
catch (Exception e)
{
printWrappedText(err, ERR_ENCPW_CANNOT_ENCODE.get(getExceptionMessage(e)));
return OPERATIONS_ERROR;
}
}
else
{
try
{
if (clearPW == null)
{
clearPW = getClearPW(err, argParser, clearPassword, clearPasswordFile, interactivePassword);
if (clearPW == null)
{
return OPERATIONS_ERROR;
}
}
encodedPW = storageScheme.encodePasswordWithScheme(clearPW);
out.println(ERR_ENCPW_ENCODED_PASSWORD.get(encodedPW));
}
catch (DirectoryException de)
{
printWrappedText(err, ERR_ENCPW_CANNOT_ENCODE.get(de.getMessageObject()));
return OPERATIONS_ERROR;
}
catch (Exception e)
{
printWrappedText(err, ERR_ENCPW_CANNOT_ENCODE.get(getExceptionMessage(e)));
return OPERATIONS_ERROR;
}
}
}
// If we've gotten here, then all processing completed successfully.
return SUCCESS;
}
private static void listPasswordStorageSchemes(PrintStream out, PrintStream err,
ConcurrentHashMap storageSchemes, boolean authPasswordSchemeName)
{
if (storageSchemes.isEmpty())
{
printWrappedText(err, ERR_ENCPW_NO_STORAGE_SCHEMES.get());
}
else
{
ArrayList nameList = new ArrayList<>(storageSchemes.size());
for (PasswordStorageScheme s : storageSchemes.values())
{
if (authPasswordSchemeName)
{
nameList.add(s.getAuthPasswordSchemeName());
}
else
{
nameList.add(s.getStorageSchemeName());
}
}
Collections.sort(nameList);
for (String storageSchemeName : nameList)
{
out.println(storageSchemeName);
}
}
}
private static LocalizableMessage getOutputMessage(boolean passwordMatches)
{
if (passwordMatches)
{
return INFO_ENCPW_PASSWORDS_MATCH.get();
}
return INFO_ENCPW_PASSWORDS_DO_NOT_MATCH.get();
}
/**
* Get the clear password.
* @param err The error output.
* @param argParser The argument parser.
* @param clearPassword the clear password
* @param clearPasswordFile the file in which the password in stored
* @param interactivePassword indicate if the password should be asked
* interactively.
* @return the password or null if an error occurs.
*/
private static ByteString getClearPW(PrintStream err,
ArgumentParser argParser, StringArgument clearPassword,
FileBasedArgument clearPasswordFile, BooleanArgument interactivePassword)
{
if (clearPassword.hasValue())
{
return ByteString.valueOfUtf8(clearPassword.getValue());
}
else if (clearPasswordFile.hasValue())
{
return ByteString.valueOfUtf8(clearPasswordFile.getValue());
}
else if (interactivePassword.isPresent())
{
try
{
EncodePassword encodePassword = new EncodePassword();
String pwd1 = encodePassword.getPassword(INFO_ENCPW_INPUT_PWD_1.get().toString());
String pwd2 = encodePassword.getPassword(INFO_ENCPW_INPUT_PWD_2.get().toString());
if (pwd1.equals(pwd2))
{
return ByteString.valueOfUtf8(pwd1);
}
else
{
printWrappedText(err, ERR_ENCPW_NOT_SAME_PW.get());
return null;
}
}
catch (IOException e)
{
printWrappedText(err, ERR_ENCPW_CANNOT_READ_PW.get(e.getMessage()));
return null;
}
}
else
{
argParser.displayMessageAndUsageReference(err, ERR_ENCPW_NO_CLEAR_PW.get(clearPassword.getLongIdentifier(),
clearPasswordFile.getLongIdentifier(), interactivePassword.getLongIdentifier()));
return null;
}
}
/**
* Get the password from JDK6 console or from masked password.
* @param prompt The message to print out.
* @return the password
* @throws IOException if an issue occurs when reading the password
* from the input
*/
private String getPassword(String prompt) throws IOException
{
String password;
try
{
Console console = System.console();
if (console == null)
{
throw new IOException("No console");
}
password = new String(console.readPassword(prompt));
}
catch (Exception e)
{
// Try the fallback to the old trick method.
// Create the thread that will erase chars
ErasingThread erasingThread = new ErasingThread(prompt);
erasingThread.start();
password = "";
// block until enter is pressed
while (true)
{
char c = (char) System.in.read();
// assume enter pressed, stop masking
erasingThread.stopMasking();
if (c == '\r')
{
c = (char) System.in.read();
if (c == '\n')
{
break;
}
}
else if (c == '\n')
{
break;
}
else
{
// store the password
password += c;
}
}
}
return password;
}
/**
* Thread that mask user input.
*/
private class ErasingThread extends Thread
{
private boolean stop;
private String prompt;
/**
* The class will mask the user input.
* @param prompt
* The prompt displayed to the user
*/
public ErasingThread(String prompt)
{
this.prompt = prompt;
}
/**
* Begin masking until asked to stop.
*/
@Override
public void run()
{
while (!stop)
{
try
{
// attempt masking at this rate
Thread.sleep(1);
}
catch (InterruptedException iex)
{
iex.printStackTrace();
}
if (!stop)
{
System.out.print("\r" + prompt + " \r" + prompt);
}
System.out.flush();
}
}
/**
* Instruct the thread to stop masking.
*/
public void stopMasking()
{
this.stop = true;
}
}
}