001/*
002 * Copyright 2017-2020 Ping Identity Corporation
003 * All Rights Reserved.
004 */
005/*
006 * Copyright 2017-2020 Ping Identity Corporation
007 *
008 * Licensed under the Apache License, Version 2.0 (the "License");
009 * you may not use this file except in compliance with the License.
010 * You may obtain a copy of the License at
011 *
012 *    http://www.apache.org/licenses/LICENSE-2.0
013 *
014 * Unless required by applicable law or agreed to in writing, software
015 * distributed under the License is distributed on an "AS IS" BASIS,
016 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
017 * See the License for the specific language governing permissions and
018 * limitations under the License.
019 */
020/*
021 * Copyright (C) 2017-2020 Ping Identity Corporation
022 *
023 * This program is free software; you can redistribute it and/or modify
024 * it under the terms of the GNU General Public License (GPLv2 only)
025 * or the terms of the GNU Lesser General Public License (LGPLv2.1 only)
026 * as published by the Free Software Foundation.
027 *
028 * This program is distributed in the hope that it will be useful,
029 * but WITHOUT ANY WARRANTY; without even the implied warranty of
030 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
031 * GNU General Public License for more details.
032 *
033 * You should have received a copy of the GNU General Public License
034 * along with this program; if not, see <http://www.gnu.org/licenses>.
035 */
036package com.unboundid.ldap.listener;
037
038
039
import java.util.List;
import java.util.Objects;

import com.unboundid.asn1.ASN1OctetString;
import com.unboundid.ldap.matchingrules.OctetStringMatchingRule;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ReadOnlyEntry;
import com.unboundid.util.ThreadSafety;
import com.unboundid.util.ThreadSafetyLevel;
048
049
050
051/**
052 * This class provides a data structure that encapsulates a password used by the
053 * in-memory directory server.  It may be optionally associated with an
054 * {@link InMemoryPasswordEncoder}.
055 */
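@ThreadSafety(level=ThreadSafetyLevel.COMPLETELY_THREADSAFE)
public final class InMemoryDirectoryServerPassword
{
  // The password as it is (or has the potential to be) stored in the in-memory
  // directory server.
  private final ASN1OctetString storedPassword;

  // The password encoder that should be used when interacting with the stored
  // password, or null if the stored password is not encoded.
  private final InMemoryPasswordEncoder passwordEncoder;

  // The user entry with which the stored password is associated.
  private final ReadOnlyEntry userEntry;

  // The name of the attribute with which the stored password is associated.
  private final String attributeName;



  /**
   * Creates a new in-memory directory server password with the provided
   * information.  The configured password encoders are consulted in the order
   * given, and the first encoder whose prefix matches the stored password is
   * selected.  If no encoder matches, the stored password is treated as a
   * clear-text password.
   *
   * @param  storedPassword    The password as it is (or has the potential to
   *                           be) stored in the in-memory directory server.  It
   *                           must not be {@code null}.
   * @param  userEntry         The user entry with which the stored password is
   *                           associated.  It must not be {@code null}.
   * @param  attributeName     The name of the attribute with which the stored
   *                           password is associated.  It must not be
   *                           {@code null}.
   * @param  passwordEncoders  The set of password encoders configured for the
   *                           in-memory directory server.  It must not be
   *                           {@code null} but may be empty.
   *
   * @throws  NullPointerException  If any of the provided arguments is
   *                                {@code null}.
   */
  InMemoryDirectoryServerPassword(final ASN1OctetString storedPassword,
       final ReadOnlyEntry userEntry, final String attributeName,
       final List<InMemoryPasswordEncoder> passwordEncoders)
  {
    // Enforce the documented preconditions up front so that a null argument is
    // reported at construction time rather than when the value is first used.
    this.storedPassword =
         Objects.requireNonNull(storedPassword, "storedPassword");
    this.userEntry = Objects.requireNonNull(userEntry, "userEntry");
    this.attributeName = Objects.requireNonNull(attributeName, "attributeName");

    passwordEncoder = findEncoder(storedPassword,
         Objects.requireNonNull(passwordEncoders, "passwordEncoders"));
  }



  /**
   * Finds the first of the provided encoders that recognizes the given stored
   * password by its prefix.
   *
   * @param  storedPassword    The stored password to examine.  It must not be
   *                           {@code null}.
   * @param  passwordEncoders  The configured encoders, in order of precedence.
   *                           It must not be {@code null} but may be empty.
   *
   * @return  The first encoder whose prefix matches the stored password, or
   *          {@code null} if none matches (in which case the password is
   *          treated as clear-text).
   */
  private static InMemoryPasswordEncoder findEncoder(
       final ASN1OctetString storedPassword,
       final List<InMemoryPasswordEncoder> passwordEncoders)
  {
    for (final InMemoryPasswordEncoder candidate : passwordEncoders)
    {
      if (candidate.passwordStartsWithPrefix(storedPassword))
      {
        return candidate;
      }
    }

    return null;
  }



  /**
   * Retrieves the password as it is (or has the potential to be) stored in the
   * in-memory directory server.  If the {@link #isEncoded()} method returns
   * {@code true}, then the stored password will be treated as an encoded
   * password.  Otherwise, it will be treated as a clear-text password with
   * no encoding or output formatting.
   *
   * @return  The password as it is (or has the potential to be) stored in the
   *          in-memory directory server.
   */
  public ASN1OctetString getStoredPassword()
  {
    return storedPassword;
  }



  /**
   * Retrieves the name of the attribute with which the stored password is
   * associated.
   *
   * @return  The name of the attribute with which the stored password is
   *          associated.
   */
  public String getAttributeName()
  {
    return attributeName;
  }



  /**
   * Indicates whether the stored password is encoded or in the clear.  A
   * password is considered encoded if and only if one of the configured
   * encoders recognized its prefix at construction time.
   *
   * @return  {@code true} if the stored password is encoded, or {@code false}
   *          if it is in the clear.
   */
  public boolean isEncoded()
  {
    return (passwordEncoder != null);
  }



  /**
   * Retrieves the password encoder that should be used to interact with the
   * stored password.
   *
   * @return  The password encoder that should be used to interact with the
   *          stored password, or {@code null} if the password is not encoded.
   */
  public InMemoryPasswordEncoder getPasswordEncoder()
  {
    return passwordEncoder;
  }



  /**
   * Retrieves the clear-text representation of the stored password, if it
   * is possible to obtain it.  If the password is not encoded, then the stored
   * password will be returned as-is.  If the stored password is encoded, then
   * the {@link InMemoryPasswordEncoder#extractClearPasswordFromEncodedPassword}
   * method will be used in an attempt to recover the clear-text password from
   * its encoded form.
   *
   * @return  The clear-text representation of the stored password.
   *
   * @throws  LDAPException  If the stored password is encoded using a mechanism
   *                         that does not permit extracting the clear-text
   *                         password.
   */
  public ASN1OctetString getClearPassword()
         throws LDAPException
  {
    if (passwordEncoder == null)
    {
      // No encoder claimed this value, so it is already in the clear.
      return storedPassword;
    }

    return passwordEncoder.extractClearPasswordFromEncodedPassword(
         storedPassword, userEntry);
  }



  /**
   * Indicates whether this password matches the provided clear-text password.
   * For an encoded stored password the comparison is delegated to the
   * associated encoder; for a clear-text stored password the octet string
   * matching rule is used.
   *
   * @param  clearPassword  The clear-text password for which to make the
   *                        determination.
   *
   * @return  {@code true} if this password matches the provided clear-text
   *          password, or {@code false} if not.
   *
   * @throws  LDAPException  If a problem is encountered while trying to make
   *                         the determination.
   */
  public boolean matchesClearPassword(final ASN1OctetString clearPassword)
         throws LDAPException
  {
    if (passwordEncoder == null)
    {
      // Clear-text comparison via the octet string matching rule.
      // NOTE(review): whether this comparison runs in constant time is not
      // visible from here; confirm if timing side channels matter for the
      // deployment (the in-memory server is typically used for testing).
      return OctetStringMatchingRule.getInstance().valuesMatch(clearPassword,
           storedPassword);
    }

    return passwordEncoder.clearPasswordMatchesEncodedPassword(clearPassword,
         storedPassword, userEntry);
  }
}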