in interceptors/authn/src/main/java/org/apache/directory/server/core/authn/AbstractAuthenticator.java [263:399]
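/**
 * Verifies that the given user entry is allowed to authenticate under the password policy
 * that applies to it. The checks are, in order: account lockout (with removal of an expired
 * lock), pwdStartTime, pwdEndTime, maximum idle time and maximum password age. The first
 * violated rule aborts the check with a {@link PasswordPolicyException}.
 * <p>
 * Every time comparison is made against the {@code TimeProvider} of the directory service,
 * never against {@code System.currentTimeMillis()}, so that the whole policy check follows
 * the same (possibly test-controlled) clock.
 *
 * @param userEntry the entry of the user being authenticated
 * @throws LdapException if the entry violates the policy (a {@link PasswordPolicyException}
 *         carrying the matching {@code PasswordPolicyErrorEnum} value) or if removing an
 *         expired lock from the entry fails
 */
public void checkPwdPolicy( Entry userEntry ) throws LdapException
{
    if ( !directoryService.isPwdPolicyEnabled() )
    {
        return;
    }

    AuthenticationInterceptor authenticationInterceptor = ( AuthenticationInterceptor ) directoryService
        .getInterceptor( InterceptorEnum.AUTHENTICATION_INTERCEPTOR.getName() );
    PasswordPolicyConfiguration pPolicyConfig = authenticationInterceptor.getPwdPolicy( userEntry );

    // One clock snapshot for all the checks below, taken from the injected TimeProvider
    long now = directoryService.getTimeProvider().currentIimeMillis();

    checkAccountLockout( userEntry, pPolicyConfig, now );
    checkPwdStartTime( userEntry, now );
    checkPwdEndTime( userEntry, now );
    checkPwdMaxIdle( userEntry, pPolicyConfig, now );
    checkPwdMaxAge( userEntry, pPolicyConfig );
}


/**
 * Rejects a locked account, or clears the pwdAccountLockedTime attribute once the lockout
 * duration has elapsed.
 *
 * @param userEntry the user entry
 * @param pPolicyConfig the policy applying to the entry
 * @param now the current time in milliseconds, from the service's TimeProvider
 * @throws LdapException if the account is still locked, or the lock removal fails
 */
private void checkAccountLockout( Entry userEntry, PasswordPolicyConfiguration pPolicyConfig, long now )
    throws LdapException
{
    if ( !pPolicyConfig.isPwdLockout() )
    {
        return;
    }

    LOG.debug( "checking if account with the Dn {} is locked", userEntry.getDn() );

    Attribute accountLockAttr = userEntry.get( PWD_ACCOUNT_LOCKED_TIME_AT );

    if ( accountLockAttr == null )
    {
        return;
    }

    String lockedTime = accountLockAttr.getString();

    // This sentinel value marks a permanent lock : it never expires, only an administrator can clear it
    if ( "000001010000Z".equals( lockedTime ) )
    {
        throw new PasswordPolicyException( "account was permanently locked", ACCOUNT_LOCKED.getValue() );
    }

    // NOTE(review): DateUtils.getDate is assumed to return a non-null Date for the stored value — confirm
    Date lockedDate = DateUtils.getDate( lockedTime );

    // pwdLockoutDuration is in seconds. NOTE(review): a duration of 0 makes the unlock time equal to
    // the lock time, so the lock is cleared right away; a permanent lock is expected to use the
    // sentinel above — confirm the interceptor writes it when the duration is 0.
    long unlockTime = lockedDate.getTime() + pPolicyConfig.getPwdLockoutDuration() * 1000L;
    Date unlockDate = new Date( unlockTime );

    if ( unlockTime > now )
    {
        throw new PasswordPolicyException( "account will remain locked till " + unlockDate,
            ACCOUNT_LOCKED.getValue() );
    }

    // The lockout has expired : remove pwdAccountLockedTime so the user may authenticate again.
    // The modification is done with the admin session, as the user is not yet authenticated.
    Modification pwdAccountLockMod = new DefaultModification(
        ModificationOperation.REMOVE_ATTRIBUTE, accountLockAttr );
    ModifyOperationContext modContext = new ModifyOperationContext(
        directoryService.getAdminSession() );
    modContext.setDn( userEntry.getDn() );
    modContext.setModItems( Collections.singletonList( pwdAccountLockMod ) );
    internalModify( modContext );
}


/**
 * Rejects the account while its pwdStartTime lies in the future.
 *
 * @param userEntry the user entry
 * @param now the current time in milliseconds, from the service's TimeProvider
 * @throws LdapException if the account is not yet active
 */
private void checkPwdStartTime( Entry userEntry, long now ) throws LdapException
{
    Attribute pwdStartTimeAttr = userEntry.get( PWD_START_TIME_AT );

    if ( pwdStartTimeAttr == null )
    {
        return;
    }

    Date pwdStartTime = DateUtils.getDate( pwdStartTimeAttr.getString() );

    if ( now < pwdStartTime.getTime() )
    {
        throw new PasswordPolicyException( "account is locked, will be activated after " + pwdStartTime,
            ACCOUNT_LOCKED.getValue() );
    }
}


/**
 * Rejects the account once its pwdEndTime has been reached.
 *
 * @param userEntry the user entry
 * @param now the current time in milliseconds, from the service's TimeProvider
 * @throws LdapException if the account's end time has passed
 */
private void checkPwdEndTime( Entry userEntry, long now ) throws LdapException
{
    Attribute pwdEndTimeAttr = userEntry.get( PWD_END_TIME_AT );

    if ( pwdEndTimeAttr == null )
    {
        return;
    }

    Date pwdEndTime = DateUtils.getDate( pwdEndTimeAttr.getString() );

    if ( now >= pwdEndTime.getTime() )
    {
        throw new PasswordPolicyException(
            "password end time reached, will be locked till administrator activates it",
            ACCOUNT_LOCKED.getValue() );
    }
}


/**
 * Rejects the account when more than pwdMaxIdle seconds have elapsed since the last
 * successful authentication.
 *
 * @param userEntry the user entry
 * @param pPolicyConfig the policy applying to the entry
 * @param now the current time in milliseconds, from the service's TimeProvider
 * @throws LdapException if the maximum idle time has been exceeded
 */
private void checkPwdMaxIdle( Entry userEntry, PasswordPolicyConfiguration pPolicyConfig, long now )
    throws LdapException
{
    if ( pPolicyConfig.getPwdMaxIdle() <= 0 )
    {
        return;
    }

    Attribute pwdLastSuccessTimeAttr = userEntry.get( PWD_LAST_SUCCESS_AT );

    // A user who has never logged in has no idle period to measure
    if ( pwdLastSuccessTimeAttr == null )
    {
        return;
    }

    // pwdMaxIdle is in seconds
    long idleDeadline = DateUtils.getDate( pwdLastSuccessTimeAttr.getString() ).getTime()
        + pPolicyConfig.getPwdMaxIdle() * 1000L;

    if ( now >= idleDeadline )
    {
        throw new PasswordPolicyException(
            "account locked due to the max idle time of the password was exceeded",
            ACCOUNT_LOCKED.getValue() );
    }
}


/**
 * Rejects an expired password. When grace logins are configured, the rejection only happens
 * once all of them have been consumed; otherwise the age of the password is compared with
 * pwdMaxAge directly.
 *
 * @param userEntry the user entry
 * @param pPolicyConfig the policy applying to the entry
 * @throws LdapException if the password has expired
 */
private void checkPwdMaxAge( Entry userEntry, PasswordPolicyConfiguration pPolicyConfig ) throws LdapException
{
    if ( pPolicyConfig.getPwdMaxAge() <= 0 )
    {
        return;
    }

    if ( pPolicyConfig.getPwdGraceAuthNLimit() > 0 )
    {
        // Grace logins are allowed : each use adds a value to pwdGraceUseTime
        Attribute pwdGraceUseAttr = userEntry.get( PWD_GRACE_USE_TIME_AT );

        if ( ( pwdGraceUseAttr != null ) && ( pwdGraceUseAttr.size() >= pPolicyConfig.getPwdGraceAuthNLimit() ) )
        {
            throw new PasswordPolicyException( "password expired and max grace logins were used",
                PASSWORD_EXPIRED.getValue() );
        }

        return;
    }

    // No grace logins : check whether the password itself has expired
    Attribute pwdChangeTimeAttr = userEntry.get( PWD_CHANGED_TIME_AT );

    // A missing pwdChangedTime is expected for the admin user, which is never blocked here
    if ( pwdChangeTimeAttr == null )
    {
        return;
    }

    boolean expired = PasswordUtil.isPwdExpired( pwdChangeTimeAttr.getString(),
        pPolicyConfig.getPwdMaxAge(), directoryService.getTimeProvider() );

    if ( expired )
    {
        throw new PasswordPolicyException( "password expired", PASSWORD_EXPIRED.getValue() );
    }
}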