/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at
* docs/licenses/cddl.txt
* or http://www.opensource.org/licenses/cddl1.php.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at
* docs/licenses/cddl.txt. If applicable,
* add the following below this CDDL HEADER, with the fields enclosed
* by brackets "[]" replaced with your own identifying information:
* Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*
*
* Portions Copyright 2010-2024 Ping Identity Corporation
*/
package com.unboundid.directory.sdk.examples.groovy;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Set;
import com.unboundid.directory.sdk.common.types.Entry;
import com.unboundid.directory.sdk.common.types.OperationContext;
import com.unboundid.directory.sdk.ds.config.PasswordValidatorConfig;
import com.unboundid.directory.sdk.ds.scripting.ScriptedPasswordValidator;
import com.unboundid.directory.sdk.ds.types.DirectoryServerContext;
import com.unboundid.ldap.sdk.Attribute;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.unboundidds.extensions.PasswordQualityRequirement;
import com.unboundid.util.ByteString;
import com.unboundid.util.args.ArgumentException;
import com.unboundid.util.args.ArgumentParser;
import com.unboundid.util.args.StringArgument;
/**
* This class provides a simple example of a scripted password validator that
* may be used to ensure that the proposed password does not match the value of
* a specified set of attributes in the user's entry. It has one configuration
* argument:
* <UL>
* <LI>attribute -- The name(s) of the attributes that should be checked.
* If multiple attributes should be checked, then this argument should be
* provided multiple times with different attribute names. If no
* attribute names are provided, then all user attributes in the entry
* will be checked.</LI>
* </UL>
*/
public final class ExampleScriptedPasswordValidator
extends ScriptedPasswordValidator
{
/**
* The name of the argument that will be used to specify the attribute(s) that
* will be checked.
*/
private static final String ARG_NAME_ATTRIBUTE = "attribute";
// The server context for the server in which this extension is running.
private DirectoryServerContext serverContext;
// The set of attributes to be checked.
private volatile List<String> attributes;
/**
* Creates a new instance of this password validator. All password validator
* implementations must include a default constructor, but any initialization
* should generally be done in the {@code initializePasswordValidator} method.
*/
public ExampleScriptedPasswordValidator()
{
// No implementation required.
}
/**
* Updates the provided argument parser to define any configuration arguments
* which may be used by this password generator. The argument parser may also
* be updated to define relationships between arguments (e.g., to specify
* required, exclusive, or dependent argument sets).
*
* @param parser The argument parser to be updated with the configuration
* arguments which may be used by this password generator.
*
* @throws ArgumentException If a problem is encountered while updating the
* provided argument parser.
*/
@Override()
public void defineConfigArguments(final ArgumentParser parser)
throws ArgumentException
{
// Add an argument that allows you to specify the set of target attributes.
Character shortIdentifier = null;
String longIdentifier = ARG_NAME_ATTRIBUTE;
boolean required = false;
int maxOccurrences = 0; // Unlimited.
String placeholder = "{attr}";
String description = "The name or OID of an attribute to check.";
parser.addArgument(new StringArgument(shortIdentifier, longIdentifier,
required, maxOccurrences, placeholder, description));
}
/**
* Initializes this password validator.
*
* @param serverContext A handle to the server context for the server in
* which this extension is running.
* @param config The general configuration for this password
* validator.
* @param parser The argument parser which has been initialized from
* the configuration for this password validator.
*
* @throws LDAPException If a problem occurs while initializing this
* password validator.
*/
@Override()
public void initializePasswordValidator(
final DirectoryServerContext serverContext,
final PasswordValidatorConfig config,
final ArgumentParser parser)
throws LDAPException
{
serverContext.debugInfo("Beginning password validator initialization");
this.serverContext = serverContext;
// The work we need to do is the same for the initial configuration as for
// a configuration change, so we'll just call the same method in both cases.
applyConfig(parser);
}
/**
* Indicates whether the configuration contained in the provided argument
* parser represents a valid configuration for this extension.
*
* @param config The general configuration for this password
* validator.
* @param parser The argument parser which has been initialized
* with the proposed configuration.
* @param unacceptableReasons A list that can be updated with reasons that
* the proposed configuration is not acceptable.
*
* @return {@code true} if the proposed configuration is acceptable, or
* {@code false} if not.
*/
@Override()
public boolean isConfigurationAcceptable(final PasswordValidatorConfig config,
final ArgumentParser parser,
final List<String> unacceptableReasons)
{
// No special validation is required.
return true;
}
/**
* Attempts to apply the configuration contained in the provided argument
* parser.
*
* @param config The general configuration for this password
* validator.
* @param parser The argument parser which has been
* initialized with the new configuration.
* @param adminActionsRequired A list that can be updated with information
* about any administrative actions that may be
* required before one or more of the
* configuration changes will be applied.
* @param messages A list that can be updated with information
* about the result of applying the new
* configuration.
*
* @return A result code that provides information about the result of
* attempting to apply the configuration change.
*/
@Override()
public ResultCode applyConfiguration(final PasswordValidatorConfig config,
final ArgumentParser parser,
final List<String> adminActionsRequired,
final List<String> messages)
{
// The work we need to do is the same for the initial configuration as for
// a configuration change, so we'll just call the same method in both cases.
applyConfig(parser);
return ResultCode.SUCCESS;
}
/**
* Applies the configuration contained in the provided argument parser.
*
* @param parser The argument parser with the configuration to apply.
*/
private void applyConfig(final ArgumentParser parser)
{
List<String> attrs = null;
final StringArgument attrArg =
(StringArgument) parser.getNamedArgument(ARG_NAME_ATTRIBUTE);
if (attrArg != null)
{
attrs = attrArg.getValues();
}
if ((attrs == null) || attrs.isEmpty())
{
attributes = null;
}
else
{
attributes = attrs;
}
serverContext.debugInfo("Set the target attribute set to " + attributes);
}
/**
* Performs any cleanup which may be necessary when this password validator is
* to be taken out of service.
*/
@Override()
public void finalizePasswordValidator()
{
// No finalization is required.
}
/**
* Indicates whether this password validator should be invoked for add
* operations that attempt to create an entry containing one or more
* password values.
*
* @return {@code true} if this password validator should be invoked for
* add operations that include one or more passwords, or
* {@code false} if not.
*/
@Override()
public boolean invokeForAdd()
{
return true;
}
/**
* Indicates whether this password validator should be invoked for modify or
* password modify operations that represent a user's attempt to change
* his/her own password.
*
* @return {@code true} if this password validator should be invoked for
* self password change operations, or {@code false} if not.
*/
@Override()
public boolean invokeForSelfChange()
{
return true;
}
/**
* Indicates whether this password validator should be invoked for modify or
* password modify operations that represent one user's attempt to change the
* password for another user.
*
* @return {@code true} if this password validator should be invoked for
* administrative password reset operations, or {@code false} if not.
*/
@Override()
public boolean invokeForAdministrativeReset()
{
return true;
}
/**
* Retrieves the password quality requirement for this password validator, if
* available.
*
* @return The password quality requirement for this password validator, or
* {@code null} if no requirement information is available.
*/
@Override()
public PasswordQualityRequirement getPasswordQualityRequirement()
{
String description;
final LinkedHashMap<String,String> clientSideValidationProperties =
new LinkedHashMap<String,String>(10);
if ((attributes == null) || attributes.isEmpty())
{
description = "The password must not match the value of any attribute " +
"in the user's entry.";
}
else
{
int attrIdentifier = 1;
final StringBuilder attrList = new StringBuilder();
final Iterator<String> iterator = attributes.iterator();
while (iterator.hasNext())
{
final String attrName = iterator.next();
clientSideValidationProperties.put("attribute-" + attrIdentifier,
attrName);
attrIdentifier++;
attrList.append(attrName);
if (iterator.hasNext())
{
attrList.append(", ");
}
}
description = "The password must not match the value of any of the " +
"following attributes in the user's entry: " + attrList + '.';
}
final String clientSideValidationType =
"example-groovy-scripted-attribute-value-validator";
return new PasswordQualityRequirement(description, clientSideValidationType,
clientSideValidationProperties);
}
/**
* Indicates whether the proposed password is acceptable for the specified
* user.
*
* @param operationContext The operation context for the associated request.
* It may be associated with an add, modify, or
* password modify operation.
* @param newPassword The proposed new password for the user that
* should be validated. It will not be encoded or
* obscured in any way.
* @param currentPasswords The current set of passwords for the user, if
* available. It may be {@code null} if this is
* not available. Note that even if one or more
* current passwords are available, it may not
* constitute the complete set of passwords for the
* user.
* @param userEntry The entry for the user whose password is being
* changed.
* @param invalidReason A buffer to which a message may be appended to
* indicate why the proposed password is not
* acceptable.
*
* @return {@code true} if the proposed new password is acceptable, or
* {@code false} if not.
*/
@Override()
public boolean isPasswordAcceptable(final OperationContext operationContext,
final ByteString newPassword,
final Set<ByteString> currentPasswords,
final Entry userEntry,
final StringBuilder invalidReason)
{
// Create a local copy for the attribute set to protect against
// configuration changes while performing the validation.
final List<String> attrs = attributes;
final byte[] newPW = newPassword.getValue();
if (attrs == null)
{
// We should check all attributes in the user entry.
for (final Attribute a : userEntry.getAttributes())
{
if (a.getBaseName().equalsIgnoreCase("userPassword") ||
a.getBaseName().equalsIgnoreCase("authPassword"))
{
// Don't check the password attribute.
continue;
}
if (a.hasValue(newPW))
{
invalidReason.append("The password matches the value of another " +
"attribute in the user entry.");
return false;
}
}
}
else
{
// We should check only the specified set of attributes.
for (final String attrName : attrs)
{
if (userEntry.hasAttributeValue(attrName, newPW))
{
invalidReason.append("The password matches the value of another " +
"attribute in the user entry.");
return false;
}
}
}
return true;
}
}
