001/*
002 * Copyright 2008-2020 Ping Identity Corporation
003 * All Rights Reserved.
004 */
005/*
006 * Copyright 2008-2020 Ping Identity Corporation
007 *
008 * Licensed under the Apache License, Version 2.0 (the "License");
009 * you may not use this file except in compliance with the License.
010 * You may obtain a copy of the License at
011 *
012 *    http://www.apache.org/licenses/LICENSE-2.0
013 *
014 * Unless required by applicable law or agreed to in writing, software
015 * distributed under the License is distributed on an "AS IS" BASIS,
016 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
017 * See the License for the specific language governing permissions and
018 * limitations under the License.
019 */
020/*
021 * Copyright (C) 2015-2020 Ping Identity Corporation
022 *
023 * This program is free software; you can redistribute it and/or modify
024 * it under the terms of the GNU General Public License (GPLv2 only)
025 * or the terms of the GNU Lesser General Public License (LGPLv2.1 only)
026 * as published by the Free Software Foundation.
027 *
028 * This program is distributed in the hope that it will be useful,
029 * but WITHOUT ANY WARRANTY; without even the implied warranty of
030 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
031 * GNU General Public License for more details.
032 *
033 * You should have received a copy of the GNU General Public License
034 * along with this program; if not, see <http://www.gnu.org/licenses>.
035 */
036package com.unboundid.ldap.sdk.unboundidds.extensions;
037
038
039
040import java.io.Serializable;
041import java.text.ParseException;
042import java.util.ArrayList;
043import java.util.Date;
044
045import com.unboundid.asn1.ASN1Element;
046import com.unboundid.asn1.ASN1Enumerated;
047import com.unboundid.asn1.ASN1OctetString;
048import com.unboundid.asn1.ASN1Sequence;
049import com.unboundid.ldap.sdk.LDAPException;
050import com.unboundid.ldap.sdk.ResultCode;
051import com.unboundid.util.Debug;
052import com.unboundid.util.NotMutable;
053import com.unboundid.util.StaticUtils;
054import com.unboundid.util.ThreadSafety;
055import com.unboundid.util.ThreadSafetyLevel;
056
057import static com.unboundid.ldap.sdk.unboundidds.extensions.ExtOpMessages.*;
058
059
060
061/**
062 * This class defines an operation that may be used in conjunction with the
063 * password policy state extended operation.  A password policy state operation
064 * can be used to get or set various properties of the password policy state for
065 * a user.
066 * <BR>
067 * <BLOCKQUOTE>
068 *   <B>NOTE:</B>  This class, and other classes within the
069 *   {@code com.unboundid.ldap.sdk.unboundidds} package structure, are only
070 *   supported for use against Ping Identity, UnboundID, and
071 *   Nokia/Alcatel-Lucent 8661 server products.  These classes provide support
072 *   for proprietary functionality or for external specifications that are not
073 *   considered stable or mature enough to be guaranteed to work in an
074 *   interoperable way with other types of LDAP servers.
075 * </BLOCKQUOTE>
076 * <BR>
077 * Operations that are available for use with the password policy state
078 * operation include:
079 * <UL>
080 *   <LI>Get the DN of the password policy configuration entry for the target
081 *       user.</LI>
082 *   <LI>Determine whether an account is usable (may authenticate or be used as
083 *       an alternate authorization identity.</LI>
084 *   <LI>Retrieve the set of account usability notice, warning, and error
085 *       messages for a user.</LI>
086 *   <LI>Get, set, and clear the account disabled flag for the target user.</LI>
087 *   <LI>Get, set, and clear the account activation time for the target
088 *       user.</LI>
089 *   <LI>Get, set, and clear the account expiration time for the target
090 *       user.</LI>
091 *   <LI>Get the length of time in seconds until the target user account
092 *       expires.</LI>
093 *   <LI>Get the time that the target user's password was last changed.</LI>
094 *   <LI>Get and clear the time that the first password expiration warning was
095 *       sent to the user.</LI>
096 *   <LI>Get the length of time in seconds until the target user's password
097 *       expires and the password expiration time for the account.</LI>
098 *   <LI>Get the length of time in seconds until the user should receive the
099 *       first warning about an upcoming password expiration.</LI>
100 *   <LI>Determine whether the user's password is expired.</LI>
101 *   <LI>Determine whether the account is locked because of failed
102 *       authentication attempts, an idle lockout, or a password reset
103 *       lockout.</LI>
104 *   <LI>Get, update, set, and clear the list of times that the target user has
105 *       unsuccessfully tried to authenticate since the last successful
106 *       authentication.</LI>
107 *   <LI>Get the number of remaining failed authentication attempts for the
108 *       target user before the account is locked.</LI>
109 *   <LI>Get the length of time in seconds until the target user's account is
110 *       automatically unlocked after it was locked due to failed authentication
111 *       attempts.</LI>
112 *   <LI>Get, set, and clear the time that the user last authenticated to the
113 *       server.</LI>
114 *   <LI>Get, set, and clear the IP address of the client from which the user
115 *       last authenticated to the server.</LI>
116 *   <LI>Get the length of time in seconds until the user account may be locked
117 *       after remaining idle.</LI>
118 *   <LI>Get, set, and clear the flag that controls whether the target user must
119 *       change his/her password before being allowed to perform any other
120 *       operations.</LI>
121 *   <LI>Get the length of time in seconds until the user's account is locked
122 *       after failing to change the password after an administrative
123 *       reset.</LI>
124 *   <LI>Get, update, set, and clear the times that the target user has
125 *       authenticated using a grace login after the password had expired.</LI>
126 *   <LI>Retrieve the number of remaining grace logins for the user.</LI>
127 *   <LI>Get, set, and clear the required password change time for the target
128 *       user.</LI>
129 *   <LI>Retrieve the length of time in seconds until the target user's account
130 *       will be locked as a result of failing to comply with a password change
131 *       by required time.</LI>
132 *   <LI>Get the password history count for the target user.</LI>
133 *   <LI>Clear the password history for the target user.</LI>
134 *   <LI>Get information about or purge a user's retired password.</LI>
135 *   <LI>Get information about which SASL mechanisms are available for a
136 *       user.</LI>
137 *   <LI>Get information about which OTP delivery mechanisms are available for a
138 *       user.</LI>
139 *   <LI>Determine whether a user has any TOTP shared secrets and manipulate the
140 *       registered secrets.</LI>
141 *   <LI>Get, set, and clear the public IDs of any YubiKey OTP devices
142 *       registered for a user.</LI>
143 *   <LI>Determine whether the user has a static password.</LI>
144 * </UL>
145 * Note that many of these methods are dependent upon the password policy
146 * configuration for the target user and therefore some of them may not be
147 * applicable for some users.  For example, if password expiration is not
148 * enabled in the password policy associated with the target user, then
149 * operations that involve password expiration will have no effect and/or will
150 * have a return value that indicates that password expiration is not in effect.
151 */
152@NotMutable()
153@ThreadSafety(level=ThreadSafetyLevel.COMPLETELY_THREADSAFE)
154public final class PasswordPolicyStateOperation
155       implements Serializable
156{
157  /**
158   * The operation type that may be used to retrieve the DN of the password
159   * policy to which the user is subject.
160   */
161  public static final int OP_TYPE_GET_PW_POLICY_DN = 0;
162
163
164
165  /**
166   * The operation type that may be used to determine whether the user account
167   * is disabled.
168   */
169  public static final int OP_TYPE_GET_ACCOUNT_DISABLED_STATE = 1;
170
171
172
173  /**
174   * The operation type that may be used to specify whether the user account is
175   * disabled.
176   */
177  public static final int OP_TYPE_SET_ACCOUNT_DISABLED_STATE = 2;
178
179
180
181  /**
182   * The operation type that may be used to clear the account disabled flag in
183   * the user's entry.
184   */
185  public static final int OP_TYPE_CLEAR_ACCOUNT_DISABLED_STATE = 3;
186
187
188
189  /**
190   * The operation type that may be used to get the time that the user's account
191   * will expire.
192   */
193  public static final int OP_TYPE_GET_ACCOUNT_EXPIRATION_TIME = 4;
194
195
196
197  /**
198   * The operation type that may be used to set the time that the user's account
199   * will expire.
200   */
201  public static final int OP_TYPE_SET_ACCOUNT_EXPIRATION_TIME = 5;
202
203
204
205  /**
206   * The operation type that may be used to clear the user's account expiration
207   * time.
208   */
209  public static final int OP_TYPE_CLEAR_ACCOUNT_EXPIRATION_TIME = 6;
210
211
212
213  /**
214   * The operation type that may be used to retrieve the length of time in
215   * seconds until the user's account expires.
216   */
217  public static final int OP_TYPE_GET_SECONDS_UNTIL_ACCOUNT_EXPIRATION = 7;
218
219
220
221  /**
222   * The operation type that may be used to get the time that the user's
223   * password was last changed.
224   */
225  public static final int OP_TYPE_GET_PW_CHANGED_TIME = 8;
226
227
228
229  /**
230   * The operation type that may be used to set the time that the user's
231   * password was last changed.
232   */
233  public static final int OP_TYPE_SET_PW_CHANGED_TIME = 9;
234
235
236
237  /**
238   * The operation type that may be used to clear the password changed time in
239   * the user's account.
240   */
241  public static final int OP_TYPE_CLEAR_PW_CHANGED_TIME = 10;
242
243
244
245  /**
246   * The operation type that may be used to get the time that the user was
247   * first sent a password expiration warning.
248   */
249  public static final int OP_TYPE_GET_PW_EXPIRATION_WARNED_TIME = 11;
250
251
252
253  /**
254   * The operation type that may be used to set the time that the user was
255   * first sent a password expiration warning.
256   */
257  public static final int OP_TYPE_SET_PW_EXPIRATION_WARNED_TIME = 12;
258
259
260
261  /**
262   * The operation type that may be used to clear the password expiration warned
263   * time from the user's entry.
264   */
265  public static final int OP_TYPE_CLEAR_PW_EXPIRATION_WARNED_TIME = 13;
266
267
268
269  /**
270   * The operation type that may be used to get the length of time in seconds
271   * until the user's password expires.
272   */
273  public static final int OP_TYPE_GET_SECONDS_UNTIL_PW_EXPIRATION = 14;
274
275
276
277  /**
278   * The operation type that may be used to get the length of time in seconds
279   * until the user will be eligible to receive a password expiration warning.
280   */
281  public static final int OP_TYPE_GET_SECONDS_UNTIL_PW_EXPIRATION_WARNING = 15;
282
283
284
285  /**
286   * The operation type that may be used to get the set of times that the user
287   * has unsuccessfully tried to authenticate since the last successful attempt.
288   */
289  public static final int OP_TYPE_GET_AUTH_FAILURE_TIMES = 16;
290
291
292
293  /**
294   * The operation type that may be used to add a new authentication failure
295   * time to the user's account.
296   */
297  public static final int OP_TYPE_ADD_AUTH_FAILURE_TIME = 17;
298
299
300
301  /**
302   * The operation type that may be used to set the set of times that the user
303   * has unsuccessfully tried to authenticate since the last successful attempt.
304   */
305  public static final int OP_TYPE_SET_AUTH_FAILURE_TIMES = 18;
306
307
308
309  /**
310   * The operation type that may be used to clear the authentication failure
311   * times in the user account.
312   */
313  public static final int OP_TYPE_CLEAR_AUTH_FAILURE_TIMES = 19;
314
315
316
317  /**
318   * The operation type that may be used to retrieve the length of time in
319   * seconds until the user's account is unlocked.
320   */
321  public static final int OP_TYPE_GET_SECONDS_UNTIL_AUTH_FAILURE_UNLOCK = 20;
322
323
324
325  /**
326   * The operation type that may be used to retrieve the number of failed
327   * authentication attempts that the user has before the account is locked.
328   */
329  public static final int OP_TYPE_GET_REMAINING_AUTH_FAILURE_COUNT = 21;
330
331
332
333  /**
334   * The operation type that may be used to retrieve the time that the user last
335   * authenticated to the server.
336   */
337  public static final int OP_TYPE_GET_LAST_LOGIN_TIME = 22;
338
339
340
341  /**
342   * The operation type that may be used to set the time that the user last
343   * authenticated to the server.
344   */
345  public static final int OP_TYPE_SET_LAST_LOGIN_TIME = 23;
346
347
348
349  /**
350   * The operation type that may be used to clear the last login time in the
351   * user's entry.
352   */
353  public static final int OP_TYPE_CLEAR_LAST_LOGIN_TIME = 24;
354
355
356
357  /**
358   * The operation type that may be used to get the length of time in seconds
359   * until the user account is locked due to inactivity.
360   */
361  public static final int OP_TYPE_GET_SECONDS_UNTIL_IDLE_LOCKOUT = 25;
362
363
364
365  /**
366   * The operation type that may be used to determine whether a user's password
367   * has been reset by an administrator and must be changed.
368   */
369  public static final int OP_TYPE_GET_PW_RESET_STATE = 26;
370
371
372
373  /**
374   * The operation type that may be used to set the flag to indicate whether a
375   * user's password has been reset by an administrator and must be changed.
376   */
377  public static final int OP_TYPE_SET_PW_RESET_STATE = 27;
378
379
380
381  /**
382   * The operation type that may be used to clear the password reset flag in the
383   * user's entry.
384   */
385  public static final int OP_TYPE_CLEAR_PW_RESET_STATE = 28;
386
387
388
389  /**
390   * The operation type that may be used to get the length of time in seconds
391   * until the user's account is locked due to failure to change the password
392   * after an administrative reset.
393   */
394  public static final int OP_TYPE_GET_SECONDS_UNTIL_PW_RESET_LOCKOUT = 29;
395
396
397
398  /**
399   * The operation type that may be used to retrieve the times that the user has
400   * authenticated using a grace login after his/her password has expired.
401   */
402  public static final int OP_TYPE_GET_GRACE_LOGIN_USE_TIMES = 30;
403
404
405
406  /**
407   * The operation type that may be used add a value to the set of times that
408   * the user has authenticated using a grace login after his/her password has
409   * expired.
410   */
411  public static final int OP_TYPE_ADD_GRACE_LOGIN_USE_TIME = 31;
412
413
414
415  /**
416   * The operation type that may be used to set the times that the user has
417   * authenticated using a grace login after his/her password has expired.
418   */
419  public static final int OP_TYPE_SET_GRACE_LOGIN_USE_TIMES = 32;
420
421
422
423  /**
424   * The operation type that may be used to clear the set of times that the user
425   * has authenticated using a grace login after his/her password has expired.
426   */
427  public static final int OP_TYPE_CLEAR_GRACE_LOGIN_USE_TIMES = 33;
428
429
430
431  /**
432   * The operation type that may be used to retrieve the number of grace logins
433   * available for the user.
434   */
435  public static final int OP_TYPE_GET_REMAINING_GRACE_LOGIN_COUNT = 34;
436
437
438
439  /**
440   * The operation type that may be used to retrieve the last time that the
441   * user's password was changed during a required change period.
442   */
443  public static final int OP_TYPE_GET_PW_CHANGED_BY_REQUIRED_TIME = 35;
444
445
446
447  /**
448   * The operation type that may be used to set the last time that the
449   * user's password was changed during a required change period.
450   */
451  public static final int OP_TYPE_SET_PW_CHANGED_BY_REQUIRED_TIME = 36;
452
453
454
455  /**
456   * The operation type that may be used to clear the last time that the
457   * user's password was changed during a required change period.
458   */
459  public static final int OP_TYPE_CLEAR_PW_CHANGED_BY_REQUIRED_TIME = 37;
460
461
462
463  /**
464   * The operation type that may be used to get the length of time in seconds
465   * until the user's account will be locked due to a failure to change the
466   * password by a required time.
467   */
468  public static final int OP_TYPE_GET_SECONDS_UNTIL_REQUIRED_CHANGE_TIME = 38;
469
470
471
472  /**
473   * The operation type that may be used to retrieve the stored password history
474   * values for a user.
475   *
476   * @deprecated  This operation type has been deprecated in favor of the
477   *              {@link #OP_TYPE_GET_PW_HISTORY_COUNT} operation type.
478   */
479  @Deprecated()
480  public static final int OP_TYPE_GET_PW_HISTORY = 39;
481
482
483
484  /**
485   * The operation type that may be used to clear the stored password history
486   * values for a user.
487   */
488  public static final int OP_TYPE_CLEAR_PW_HISTORY = 40;
489
490
491
492  /**
493   * The operation type that may be used to determine whether a user has a valid
494   * retired password.
495   */
496  public static final int OP_TYPE_HAS_RETIRED_PASSWORD = 41;
497
498
499
500  /**
501   * The operation type that may be used to retrieve the time that the user's
502   * former password was retired.
503   */
504  public static final int OP_TYPE_GET_PASSWORD_RETIRED_TIME = 42;
505
506
507
508  /**
509   * The operation type that may be used to retrieve the time that the user's
510   * retired password will expire.
511   */
512  public static final int OP_TYPE_GET_RETIRED_PASSWORD_EXPIRATION_TIME = 43;
513
514
515
516  /**
517   * The operation type that may be used to purge any retired password from the
518   * user's entry.
519   */
520  public static final int OP_TYPE_PURGE_RETIRED_PASSWORD = 44;
521
522
523
524  /**
525   * The operation type that may be used to get the time that the user's account
526   * will become active.
527   */
528  public static final int OP_TYPE_GET_ACCOUNT_ACTIVATION_TIME = 45;
529
530
531
532  /**
533   * The operation type that may be used to set the time that the user's account
534   * will become active.
535   */
536  public static final int OP_TYPE_SET_ACCOUNT_ACTIVATION_TIME = 46;
537
538
539
540  /**
541   * The operation type that may be used to clear the user's account activation
542   * time.
543   */
544  public static final int OP_TYPE_CLEAR_ACCOUNT_ACTIVATION_TIME = 47;
545
546
547
548  /**
549   * The operation type that may be used to retrieve the length of time in
550   * seconds until the user's account will become active.
551   */
552  public static final int OP_TYPE_GET_SECONDS_UNTIL_ACCOUNT_ACTIVATION = 48;
553
554
555
556  /**
557   * The operation type that may be used to retrieve the IP address from which
558   * the user last authenticated to the server.
559   */
560  public static final int OP_TYPE_GET_LAST_LOGIN_IP_ADDRESS = 49;
561
562
563
564  /**
565   * The operation type that may be used to set the IP address from which the
566   * user last authenticated to the server.
567   */
568  public static final int OP_TYPE_SET_LAST_LOGIN_IP_ADDRESS = 50;
569
570
571
572  /**
573   * The operation type that may be used to clear the last login IP address in
574   * the user's entry.
575   */
576  public static final int OP_TYPE_CLEAR_LAST_LOGIN_IP_ADDRESS = 51;
577
578
579
580  /**
581   * The operation type that may be used to retrieve a list of structured
582   * strings that provide information about notices pertaining to account
583   * usability.
584   */
585  public static final int OP_TYPE_GET_ACCOUNT_USABILITY_NOTICES = 52;
586
587
588
589  /**
590   * The operation type that may be used to retrieve a list of structured
591   * strings that provide information about warnings that may affect the account
592   * usability.
593   */
594  public static final int OP_TYPE_GET_ACCOUNT_USABILITY_WARNINGS = 53;
595
596
597
598  /**
599   * The operation type that may be used to retrieve a list of structured
600   * strings that provide information about errors that may affect the account
601   * usability.
602   */
603  public static final int OP_TYPE_GET_ACCOUNT_USABILITY_ERRORS = 54;
604
605
606
607  /**
608   * The operation type that may be used to determine whether an account is
609   * usable (i.e., the account may authenticate or be used as an alternate
610   * authorization identity).
611   */
612  public static final int OP_TYPE_GET_ACCOUNT_IS_USABLE = 55;
613
614
615
616  /**
617   * The operation type that may be used to determine whether an account is
618   * not yet active (because the account activation time is in the future).
619   */
620  public static final int OP_TYPE_GET_ACCOUNT_IS_NOT_YET_ACTIVE = 56;
621
622
623
624  /**
625   * The operation type that may be used to determine whether an account is
626   * expired (because the account expiration time is in the past).
627   */
628  public static final int OP_TYPE_GET_ACCOUNT_IS_EXPIRED = 57;
629
630
631
632  /**
633   * The operation type that may be used to determine when a user's password
634   * will expire.
635   */
636  public static final int OP_TYPE_GET_PW_EXPIRATION_TIME = 58;
637
638
639
640  /**
641   * The operation type that may be used to determine whether a user's account
642   * is locked because of too many authentication failures.
643   */
644  public static final int OP_TYPE_GET_ACCOUNT_IS_FAILURE_LOCKED = 59;
645
646
647
648  /**
649   * The operation type that may be used to specify whether a user's account
650   * is locked because of too many authentication failures.
651   */
652  public static final int OP_TYPE_SET_ACCOUNT_IS_FAILURE_LOCKED = 60;
653
654
655
656  /**
657   * The operation type that may be used to determine the failure lockout time
658   * for a user account.
659   */
660  public static final int OP_TYPE_GET_FAILURE_LOCKOUT_TIME = 61;
661
662
663
664  /**
665   * The operation type that may be used to determine whether a user's account
666   * is locked because it has been idle for too long.
667   */
668  public static final int OP_TYPE_GET_ACCOUNT_IS_IDLE_LOCKED = 62;
669
670
671
672  /**
673   * The operation type that may be used to determine the idle lockout time for
674   * a user account.
675   */
676  public static final int OP_TYPE_GET_IDLE_LOCKOUT_TIME = 63;
677
678
679
680  /**
681   * The operation type that may be used to determine whether a user's account
682   * is locked because the user did not change their password in a timely manner
683   * after an administrative reset.
684   */
685  public static final int OP_TYPE_GET_ACCOUNT_IS_RESET_LOCKED = 64;
686
687
688
689  /**
690   * The operation type that may be used to determine the reset lockout time for
691   * a user account.
692   */
693  public static final int OP_TYPE_GET_RESET_LOCKOUT_TIME = 65;
694
695
696
697  /**
698   * The operation type that may be used to retrieve the password history count
699   * for a user.
700   */
701  public static final int OP_TYPE_GET_PW_HISTORY_COUNT = 66;
702
703
704
705  /**
706   * The operation type that may be used to determine whether a user's password
707   * is expired.
708   */
709  public static final int OP_TYPE_GET_PW_IS_EXPIRED = 67;
710
711
712
713  /**
714   * The operation type that may be used to retrieve a list of the SASL
715   * mechanisms that are available for a user.
716   */
717  public static final int OP_TYPE_GET_AVAILABLE_SASL_MECHANISMS = 68;
718
719
720
721  /**
722   * The operation type that may be used to retrieve a list of the one-time
723   * password delivery mechanisms that are available for a user.
724   */
725  public static final int OP_TYPE_GET_AVAILABLE_OTP_DELIVERY_MECHANISMS = 69;
726
727
728
729  /**
730   * The operation type that may be used to determine whether a user has one or
731   * more TOTP shared secrets.
732   */
733  public static final int OP_TYPE_HAS_TOTP_SHARED_SECRET = 70;
734
735
736
737  /**
738   * The operation type that may be used to retrieve get the set of public IDs
739   * for the registered YubiKey OTP devices for a user.
740   */
741  public static final int OP_TYPE_GET_REGISTERED_YUBIKEY_PUBLIC_IDS = 71;
742
743
744
745  /**
746   * The operation type that may be used to add a value to the set of registered
747   * YubiKey OTP device public IDs for a user.
748   */
749  public static final int OP_TYPE_ADD_REGISTERED_YUBIKEY_PUBLIC_ID = 72;
750
751
752
753  /**
754   * The operation type that may be used to remove a value from the set of
755   * registered YubiKey OTP device public IDs for a user.
756   */
757  public static final int OP_TYPE_REMOVE_REGISTERED_YUBIKEY_PUBLIC_ID = 73;
758
759
760
761  /**
762   * The operation type that may be used to replace the set of public IDs for
763   * the registered YubiKey OTP devices for a user.
764   */
765  public static final int OP_TYPE_SET_REGISTERED_YUBIKEY_PUBLIC_IDS = 74;
766
767
768
769  /**
770   * The operation type that may be used to clear the set of public IDs for
771   * the registered YubiKey OTP devices for a user.
772   */
773  public static final int OP_TYPE_CLEAR_REGISTERED_YUBIKEY_PUBLIC_IDS = 75;
774
775
776
777  /**
778   * The operation type that may be used to add a value to the set of registered
779   * TOTP shared secrets for a user.
780   */
781  public static final int OP_TYPE_ADD_TOTP_SHARED_SECRET = 76;
782
783
784
785  /**
786   * The operation type that may be used to remove a value from the set of
787   * registered TOTP shared secrets for a user.
788   */
789  public static final int OP_TYPE_REMOVE_TOTP_SHARED_SECRET = 77;
790
791
792
793  /**
794   * The operation type that may be used to replace the set of registered TOTP
795   * shared secrets for a user.
796   */
797  public static final int OP_TYPE_SET_TOTP_SHARED_SECRETS = 78;
798
799
800
801  /**
802   * The operation type that may be used to clear the set of TOTP shared secrets
803   * for a user.
804   */
805  public static final int OP_TYPE_CLEAR_TOTP_SHARED_SECRETS = 79;
806
807
808
809  /**
810   * The operation type that may be used to determine whether a user has one
811   * or more registered YubiKey OTP devices.
812   * shared secret.
813   */
814  public static final int OP_TYPE_HAS_REGISTERED_YUBIKEY_PUBLIC_ID = 80;
815
816
817
818  /**
819   * The operation type that may be used to determine whether a user has a
820   * static password.
821   */
822  public static final int OP_TYPE_HAS_STATIC_PASSWORD = 81;
823
824
825
826  /**
827   * The set of values that will be used if there are no values.
828   */
829  private static final ASN1OctetString[] NO_VALUES = new ASN1OctetString[0];
830
831
832
833  /**
834   * The serial version UID for this serializable class.
835   */
836  private static final long serialVersionUID = -7004621958353828598L;
837
838
839
840  // The set of values for this operation.
841  private final ASN1OctetString[] values;
842
843  // The operation type for this operation.
844  private final int opType;
845
846
847
848  /**
849   * Creates a new password policy state operation with the specified operation
850   * type and no values.
851   *
852   * @param  opType  The operation type for this password policy state
853   *                 operation.
854   */
855  public PasswordPolicyStateOperation(final int opType)
856  {
857    this(opType, NO_VALUES);
858  }
859
860
861
862  /**
863   * Creates a new password policy state operation with the specified operation
864   * type and set of values.
865   *
866   * @param  opType  The operation type for this password policy state
867   *                 operation.
868   * @param  values  The set of values for this password policy state operation.
869   */
870  public PasswordPolicyStateOperation(final int opType,
871                                      final ASN1OctetString[] values)
872  {
873    this.opType = opType;
874
875    if (values == null)
876    {
877      this.values = NO_VALUES;
878    }
879    else
880    {
881      this.values = values;
882    }
883  }
884
885
886
887  /**
888   * Creates a new password policy state operation that may be used to request
889   * the DN of the password policy configuration entry for the user.  The result
890   * returned should include an operation of type
891   * {@link #OP_TYPE_GET_PW_POLICY_DN} with a single string value that is the
892   * DN of the password policy configuration entry.
893   *
894   * @return The created password policy state operation.
895   */
896  public static PasswordPolicyStateOperation
897                     createGetPasswordPolicyDNOperation()
898  {
899    return new PasswordPolicyStateOperation(OP_TYPE_GET_PW_POLICY_DN);
900  }
901
902
903
904  /**
905   * Creates a new password policy state operation that may be used to determine
906   * whether the user account is disabled.  The result returned should include
907   * an operation of type {@link #OP_TYPE_GET_ACCOUNT_DISABLED_STATE} with a
908   * single boolean value of {@code true} if the account is disabled, or
909   * {@code false} if the account is not disabled.
910   *
911   * @return The created password policy state operation.
912   */
913  public static PasswordPolicyStateOperation
914                     createGetAccountDisabledStateOperation()
915  {
916    return new PasswordPolicyStateOperation(OP_TYPE_GET_ACCOUNT_DISABLED_STATE);
917  }
918
919
920
921  /**
922   * Creates a new password policy state operation that may be used to specify
923   * whether the user account is disabled.  The result returned should include
924   * an operation of type {@link #OP_TYPE_GET_ACCOUNT_DISABLED_STATE} with a
925   * single boolean value of {@code true} if the account has been disabled, or
926   * {@code false} if the account is not disabled.
927   *
928   * @param  isDisabled  Indicates whether the user account should be disabled.
929   *
930   * @return The created password policy state operation.
931   */
932  public static PasswordPolicyStateOperation
933                     createSetAccountDisabledStateOperation(
934                          final boolean isDisabled)
935  {
936    final ASN1OctetString[] values =
937    {
938      new ASN1OctetString(String.valueOf(isDisabled))
939    };
940
941    return new PasswordPolicyStateOperation(OP_TYPE_SET_ACCOUNT_DISABLED_STATE,
942         values);
943  }
944
945
946
947  /**
948   * Creates a new password policy state operation that may be used to clear
949   * the user account disabled state in the user's entry.  The result returned
950   * should include an operation of type
951   * {@link #OP_TYPE_GET_ACCOUNT_DISABLED_STATE} with a single boolean value of
952   * {@code true} if the account is disabled, or {@code false} if the account is
953   * not disabled.
954   *
955   * @return The created password policy state operation.
956   */
957  public static PasswordPolicyStateOperation
958                     createClearAccountDisabledStateOperation()
959  {
960    return new PasswordPolicyStateOperation(
961         OP_TYPE_CLEAR_ACCOUNT_DISABLED_STATE);
962  }
963
964
965
966  /**
967   * Creates a new password policy state operation that may be used to retrieve
968   * the time that the user's account will become active.  The result returned
969   * should include an operation of type
970   * {@link #OP_TYPE_GET_ACCOUNT_ACTIVATION_TIME} with a single string value
971   * that is the generalized time representation of the account activation time,
972   * or a {@code null} value if the account does not have an activation time.
973   *
974   * @return The created password policy state operation.
975   */
976  public static PasswordPolicyStateOperation
977                     createGetAccountActivationTimeOperation()
978  {
979    return new PasswordPolicyStateOperation(
980         OP_TYPE_GET_ACCOUNT_ACTIVATION_TIME);
981  }
982
983
984
985  /**
986   * Creates a new password policy state operation that may be used to set the
987   * time that the user's account expires.  The result returned should include
988   * an operation of type {@link #OP_TYPE_GET_ACCOUNT_ACTIVATION_TIME} with a
989   * single string value that is the generalized time representation of the
990   * account activation time, or a {@code null} value if the account does not
991   * have an activation time.
992   *
993   * @param  expirationTime  The time that the user's account should expire.  It
994   *                         may be {@code null} if the server should use the
995   *                         current time.
996   *
997   * @return The created password policy state operation.
998   */
999  public static PasswordPolicyStateOperation
1000                     createSetAccountActivationTimeOperation(
1001                          final Date expirationTime)
1002  {
1003    return new PasswordPolicyStateOperation(OP_TYPE_SET_ACCOUNT_ACTIVATION_TIME,
1004         createValues(expirationTime));
1005  }
1006
1007
1008
1009  /**
1010   * Creates a new password policy state operation that may be used to clear
1011   * the account expiration time in the user's entry.  The result returned
1012   * should include an operation of type
1013   * {@link #OP_TYPE_GET_ACCOUNT_ACTIVATION_TIME} with a single string value
1014   * that is the generalized time representation of the account activation time,
1015   * or a {@code null} value if the account does not have an activation time.
1016   *
1017   * @return  The created password policy state operation.
1018   */
1019  public static PasswordPolicyStateOperation
1020                     createClearAccountActivationTimeOperation()
1021  {
1022    return new PasswordPolicyStateOperation(
1023                    OP_TYPE_CLEAR_ACCOUNT_ACTIVATION_TIME);
1024  }
1025
1026
1027
1028  /**
1029   * Creates a new password policy state operation that may be used to determine
1030   * the length of time in seconds until the user's account becomes active.  The
1031   * result returned should include an operation of type
1032   * {@link #OP_TYPE_GET_SECONDS_UNTIL_ACCOUNT_ACTIVATION} with a single integer
1033   * value representing the number of seconds until the account becomes active,
1034   * or a {@code null} value if the account does not have an activation time.
1035   *
1036   * @return  The created password policy state operation.
1037   */
1038  public static PasswordPolicyStateOperation
1039                     createGetSecondsUntilAccountActivationOperation()
1040  {
1041    return new PasswordPolicyStateOperation(
1042         OP_TYPE_GET_SECONDS_UNTIL_ACCOUNT_ACTIVATION);
1043  }
1044
1045
1046
1047  /**
1048   * Creates a new password policy state operation that may be used to retrieve
1049   * the time that the user's account expires.  The result returned should
1050   * include an operation of type {@link #OP_TYPE_GET_ACCOUNT_EXPIRATION_TIME}
1051   * with a single string value that is the generalized time representation of
1052   * the account expiration time, or a {@code null} value if the account does
1053   * not have an expiration time.
1054   *
1055   * @return  The created password policy state operation.
1056   */
1057  public static PasswordPolicyStateOperation
1058                     createGetAccountExpirationTimeOperation()
1059  {
1060    return new PasswordPolicyStateOperation(
1061         OP_TYPE_GET_ACCOUNT_EXPIRATION_TIME);
1062  }
1063
1064
1065
1066  /**
1067   * Creates a new password policy state operation that may be used to set the
1068   * time that the user's account expires.  The result returned should include
1069   * an operation of type {@link #OP_TYPE_GET_ACCOUNT_EXPIRATION_TIME} with a
1070   * single string value that is the generalized time representation of the
1071   * account expiration time, or a {@code null} value if the account does not
1072   * have an expiration time.
1073   *
1074   * @param  expirationTime  The time that the user's account should expire.  It
1075   *                         may be {@code null} if the server should use the
1076   *                         current time.
1077   *
1078   * @return  The created password policy state operation.
1079   */
1080  public static PasswordPolicyStateOperation
1081                     createSetAccountExpirationTimeOperation(
1082                          final Date expirationTime)
1083  {
1084    return new PasswordPolicyStateOperation(OP_TYPE_SET_ACCOUNT_EXPIRATION_TIME,
1085         createValues(expirationTime));
1086  }
1087
1088
1089
1090  /**
1091   * Creates a new password policy state operation that may be used to clear
1092   * the account expiration time in the user's entry.  The result returned
1093   * should include an operation of type
1094   * {@link #OP_TYPE_GET_ACCOUNT_EXPIRATION_TIME} with a single string value
1095   * that is the generalized time representation of the account expiration time,
1096   * or a {@code null} value if the account does not have an expiration time.
1097   *
1098   * @return  The created password policy state operation.
1099   */
1100  public static PasswordPolicyStateOperation
1101                     createClearAccountExpirationTimeOperation()
1102  {
1103    return new PasswordPolicyStateOperation(
1104         OP_TYPE_CLEAR_ACCOUNT_EXPIRATION_TIME);
1105  }
1106
1107
1108
1109  /**
1110   * Creates a new password policy state operation that may be used to determine
1111   * the length of time in seconds until the user's account is expired.  The
1112   * result returned should include an operation of type
1113   * {@link #OP_TYPE_GET_SECONDS_UNTIL_ACCOUNT_EXPIRATION} with a single integer
1114   * value representing the number of seconds until the account will expire, or
1115   * a {@code null} value if the account does not have an expiration time.
1116   *
1117   * @return  The created password policy state operation.
1118   */
1119  public static PasswordPolicyStateOperation
1120                     createGetSecondsUntilAccountExpirationOperation()
1121  {
1122    return new PasswordPolicyStateOperation(
1123         OP_TYPE_GET_SECONDS_UNTIL_ACCOUNT_EXPIRATION);
1124  }
1125
1126
1127
1128  /**
1129   * Creates a new password policy state operation that may be used to determine
1130   * when the user's password was last changed.  The result returned should
1131   * include an operation of type {@link #OP_TYPE_GET_PW_CHANGED_TIME} with a
1132   * single string value that is the generalized time representation of the
1133   * time the password was last changed.
1134   *
1135   * @return  The created password policy state operation.
1136   */
1137  public static PasswordPolicyStateOperation
1138                     createGetPasswordChangedTimeOperation()
1139  {
1140    return new PasswordPolicyStateOperation(OP_TYPE_GET_PW_CHANGED_TIME);
1141  }
1142
1143
1144
1145  /**
1146   * Creates a new password policy state operation that may be used to specify
1147   * when the user's password was last changed.  The result returned should
1148   * include an operation of type {@link #OP_TYPE_GET_PW_CHANGED_TIME} with a
1149   * single string value that is the generalized time representation of the
1150   * time the password was last changed.
1151   *
1152   * @param  passwordChangedTime  The time the user's password was last changed.
1153   *                              It may be {@code null} if the server should
1154   *                              use the current time.
1155   *
1156   * @return  The created password policy state operation.
1157   */
1158  public static PasswordPolicyStateOperation
1159                     createSetPasswordChangedTimeOperation(
1160                          final Date passwordChangedTime)
1161  {
1162    return new PasswordPolicyStateOperation(OP_TYPE_SET_PW_CHANGED_TIME,
1163         createValues(passwordChangedTime));
1164  }
1165
1166
1167
1168  /**
1169   * Creates a new password policy state operation that may be used to clear
1170   * the password changed time from a user's entry.  The result returned should
1171   * include an operation of type {@link #OP_TYPE_GET_PW_CHANGED_TIME} with a
1172   * single string value that is the generalized time representation of the
1173   * time the password was last changed, or {@code null} if it can no longer be
1174   * determined.
1175   *
1176   * @return  The created password policy state operation.
1177   */
1178  public static PasswordPolicyStateOperation
1179                     createClearPasswordChangedTimeOperation()
1180  {
1181    return new PasswordPolicyStateOperation(OP_TYPE_CLEAR_PW_CHANGED_TIME);
1182  }
1183
1184
1185
1186  /**
1187   * Creates a new password policy state operation that may be used to determine
1188   * when the user first received a password expiration warning.  The result
1189   * returned should include an operation of type
1190   * {@link #OP_TYPE_GET_PW_EXPIRATION_WARNED_TIME} with a single string value
1191   * that is the generalized time representation of the time the user received
1192   * the first expiration warning.
1193   *
1194   * @return  The created password policy state operation.
1195   */
1196  public static PasswordPolicyStateOperation
1197                     createGetPasswordExpirationWarnedTimeOperation()
1198  {
1199    return new PasswordPolicyStateOperation(
1200         OP_TYPE_GET_PW_EXPIRATION_WARNED_TIME);
1201  }
1202
1203
1204
1205  /**
1206   * Creates a new password policy state operation that may be used to specify
1207   * when the user first received a password expiration warning.  The result
1208   * returned should include an operation of type
1209   * {@link #OP_TYPE_GET_PW_EXPIRATION_WARNED_TIME} with a single string value
1210   * that is the generalized time representation of the time the user received
1211   * the first expiration warning.
1212   *
1213   * @param  passwordExpirationWarnedTime  The password expiration warned time
1214   *                                       for the user.  It may be {@code null}
1215   *                                       if the server should use the current
1216   *                                       time.
1217   *
1218   * @return  The created password policy state operation.
1219   */
1220  public static PasswordPolicyStateOperation
1221                     createSetPasswordExpirationWarnedTimeOperation(
1222                          final Date passwordExpirationWarnedTime)
1223  {
1224    return new PasswordPolicyStateOperation(
1225         OP_TYPE_SET_PW_EXPIRATION_WARNED_TIME,
1226         createValues(passwordExpirationWarnedTime));
1227  }
1228
1229
1230
1231  /**
1232   * Creates a new password policy state operation that may be used to clear the
1233   * password expiration warned time from the user's entry.  The result returned
1234   * should include an operation of type
1235   * {@link #OP_TYPE_GET_PW_EXPIRATION_WARNED_TIME} with a single string value
1236   * that is the generalized time representation of the time the user received
1237   * the first expiration warning.
1238   *
1239   * @return  The created password policy state operation.
1240   */
1241  public static PasswordPolicyStateOperation
1242                     createClearPasswordExpirationWarnedTimeOperation()
1243  {
1244    return new PasswordPolicyStateOperation(
1245         OP_TYPE_CLEAR_PW_EXPIRATION_WARNED_TIME);
1246  }
1247
1248
1249
1250  /**
1251   * Creates a new password policy state operation that may be used to determine
1252   * the length of time in seconds until the user's password expires.  The
1253   * result returned should include an operation of type
1254   * {@link #OP_TYPE_GET_SECONDS_UNTIL_PW_EXPIRATION} with a single integer
1255   * value that is the number of seconds until the user's password expires, or
1256   * a {@code null} value if the user's password will not expire.
1257   *
1258   * @return  The created password policy state operation.
1259   */
1260  public static PasswordPolicyStateOperation
1261                     createGetSecondsUntilPasswordExpirationOperation()
1262  {
1263    return new PasswordPolicyStateOperation(
1264         OP_TYPE_GET_SECONDS_UNTIL_PW_EXPIRATION);
1265  }
1266
1267
1268
1269  /**
1270   * Creates a new password policy state operation that may be used to determine
1271   * the length of time in seconds until the user is eligible to start receiving
1272   * password expiration warnings.  The result returned should include an
1273   * operation of type {@link #OP_TYPE_GET_SECONDS_UNTIL_PW_EXPIRATION_WARNING}
1274   * with a single integer value that is the number of seconds until the user is
1275   * eligible to receive the first expiration warning, or a {@code null} value
1276   * if the user's password will not expire.
1277   *
1278   * @return  The created password policy state operation.
1279   */
1280  public static PasswordPolicyStateOperation
1281                     createGetSecondsUntilPasswordExpirationWarningOperation()
1282  {
1283    return new PasswordPolicyStateOperation(
1284         OP_TYPE_GET_SECONDS_UNTIL_PW_EXPIRATION_WARNING);
1285  }
1286
1287
1288
1289  /**
1290   * Creates a new password policy state operation that may be used to retrieve
1291   * the times that the user has unsuccessfully tried to authenticate since the
1292   * last successful authentication.  The result returned should include an
1293   * operation of type {@link #OP_TYPE_GET_AUTH_FAILURE_TIMES} with an array of
1294   * string values representing the timestamps (in generalized time format) of
1295   * the authentication failures.
1296   *
1297   * @return  The created password policy state operation.
1298   */
1299  public static PasswordPolicyStateOperation
1300                     createGetAuthenticationFailureTimesOperation()
1301  {
1302    return new PasswordPolicyStateOperation(OP_TYPE_GET_AUTH_FAILURE_TIMES);
1303  }
1304
1305
1306
1307  /**
1308   * Creates a new password policy state operation that may be used to add the
1309   * current time to the set of times that the user has unsuccessfully tried to
1310   * authenticate since the last successful authentication.  The result returned
1311   * should include an operation of type {@link #OP_TYPE_GET_AUTH_FAILURE_TIMES}
1312   * with an array of string values representing the timestamps (in generalized
1313   * time format) of the authentication failures.
1314   *
1315   * @return  The created password policy state operation.
1316   */
1317  public static PasswordPolicyStateOperation
1318                     createAddAuthenticationFailureTimeOperation()
1319  {
1320    return createAddAuthenticationFailureTimeOperation(null);
1321  }
1322
1323
1324
1325  /**
1326   * Creates a new password policy state operation that may be used to add the
1327   * specified values to the set of times that the user has unsuccessfully tried
1328   * to authenticate since the last successful authentication.  The result
1329   * returned should include an operation of type
1330   * {@link #OP_TYPE_GET_AUTH_FAILURE_TIMES} with an array of string values
1331   * representing the timestamps (in generalized time format) of the
1332   * authentication failures.
1333   *
1334   * @param  authFailureTimes  The set of authentication failure time values to
1335   *                           add.  It may be {@code null} or empty if the
1336   *                           server should add the current time.
1337   *
1338   * @return  The created password policy state operation.
1339   */
1340  public static PasswordPolicyStateOperation
1341                     createAddAuthenticationFailureTimeOperation(
1342                          final Date[] authFailureTimes)
1343  {
1344    return new PasswordPolicyStateOperation(OP_TYPE_ADD_AUTH_FAILURE_TIME,
1345         createValues(authFailureTimes));
1346  }
1347
1348
1349
1350  /**
1351   * Creates a new password policy state operation that may be used to specify
1352   * the set of times that the user has unsuccessfully tried to authenticate
1353   * since the last successful authentication.  The result returned should
1354   * include an operation of type {@link #OP_TYPE_GET_AUTH_FAILURE_TIMES} with
1355   * an array of string values representing the timestamps (in generalized time
1356   * format) of the authentication failures.
1357   *
1358   * @param  authFailureTimes  The set of times that the user has unsuccessfully
1359   *                           tried to authenticate since the last successful
1360   *                           authentication.  It may be {@code null} or empty
1361   *                           if the server should use the current time as the
1362   *                           only failure time.
1363   *
1364   * @return  The created password policy state operation.
1365   */
1366  public static PasswordPolicyStateOperation
1367                     createSetAuthenticationFailureTimesOperation(
1368                          final Date[] authFailureTimes)
1369  {
1370    return new PasswordPolicyStateOperation(OP_TYPE_SET_AUTH_FAILURE_TIMES,
1371         createValues(authFailureTimes));
1372  }
1373
1374
1375
1376  /**
1377   * Creates a new password policy state operation that may be used to clear the
1378   * set of times that the user has unsuccessfully tried to authenticate since
1379   * the last successful authentication.  The result returned should include an
1380   * operation of type {@link #OP_TYPE_GET_AUTH_FAILURE_TIMES} with an array of
1381   * string values representing the timestamps (in generalized time format) of
1382   * the authentication failures.
1383   *
1384   * @return  The created password policy state operation.
1385   */
1386  public static PasswordPolicyStateOperation
1387                     createClearAuthenticationFailureTimesOperation()
1388  {
1389    return new PasswordPolicyStateOperation(OP_TYPE_CLEAR_AUTH_FAILURE_TIMES);
1390  }
1391
1392
1393
1394  /**
1395   * Creates a new password policy state operation that may be used to determine
1396   * the length of time in seconds until the user's account is automatically
1397   * unlocked after too many failed authentication attempts.  The result
1398   * returned should include an operation of type
1399   * {@link #OP_TYPE_GET_SECONDS_UNTIL_AUTH_FAILURE_UNLOCK} with a single
1400   * integer value that represents the number of seconds until the account
1401   * becomes unlocked, or a {@code null} value if the account is not temporarily
1402   * locked as a result of authentication failures.
1403   *
1404   * @return  The created password policy state operation.
1405   */
1406  public static PasswordPolicyStateOperation
1407                     createGetSecondsUntilAuthenticationFailureUnlockOperation()
1408  {
1409    return new PasswordPolicyStateOperation(
1410         OP_TYPE_GET_SECONDS_UNTIL_AUTH_FAILURE_UNLOCK);
1411  }
1412
1413
1414
1415  /**
1416   * Creates a new password policy state operation that may be used to determine
1417   * the number of authentication failures required to lock the user's account.
1418   * The result returned should include an operation of type
1419   * {@link #OP_TYPE_GET_REMAINING_AUTH_FAILURE_COUNT} with a single integer
1420   * value that represents the number of authentication failures that a user
1421   * will be permitted before the account is locked, or a {@code null} value if
1422   * the password policy is not configured to lock accounts as a result of too
1423   * many failed authentication attempts.
1424   *
1425   * @return  The created password policy state operation.
1426   */
1427  public static PasswordPolicyStateOperation
1428                     createGetRemainingAuthenticationFailureCountOperation()
1429  {
1430    return new PasswordPolicyStateOperation(
1431         OP_TYPE_GET_REMAINING_AUTH_FAILURE_COUNT);
1432  }
1433
1434
1435
1436  /**
1437   * Creates a new password policy state operation that may be used to determine
1438   * the time that the user last successfully authenticated to the server.  The
1439   * result returned should include an operation of type
1440   * {@link #OP_TYPE_GET_LAST_LOGIN_TIME} with a single string value that is
1441   * the generalized time representation of the user's last login time, or a
1442   * {@code null} value if no last login time is available.
1443   *
1444   * @return  The created password policy state operation.
1445   */
1446  public static PasswordPolicyStateOperation createGetLastLoginTimeOperation()
1447  {
1448    return new PasswordPolicyStateOperation(OP_TYPE_GET_LAST_LOGIN_TIME);
1449  }
1450
1451
1452
1453  /**
1454   * Creates a new password policy state operation that may be used to set
1455   * the time that the user last successfully authenticated to the server.  The
1456   * result returned should include an operation of type
1457   * {@link #OP_TYPE_GET_LAST_LOGIN_TIME} with a single string value that is
1458   * the generalized time representation of the user's last login time, or a
1459   * {@code null} value if no last login time is available.
1460   *
1461   * @param  lastLoginTime  The last login time to set in the user's entry.  It
1462   *                        may be {@code null} if the server should use the
1463   *                        current time.
1464   *
1465   * @return  The created password policy state operation.
1466   */
1467  public static PasswordPolicyStateOperation
1468                     createSetLastLoginTimeOperation(final Date lastLoginTime)
1469  {
1470    return new PasswordPolicyStateOperation(OP_TYPE_SET_LAST_LOGIN_TIME,
1471         createValues(lastLoginTime));
1472  }
1473
1474
1475
1476  /**
1477   * Creates a new password policy state operation that may be used to clear
1478   * the last login time from the user's entry.  The result returned should
1479   * include an operation of type {@link #OP_TYPE_GET_LAST_LOGIN_TIME} with a
1480   * single string value that is the generalized time representation of the
1481   * user's last login time, or a {@code null} value if no last login time is
1482   * available.
1483   *
1484   * @return  The created password policy state operation.
1485   */
1486  public static PasswordPolicyStateOperation createClearLastLoginTimeOperation()
1487  {
1488    return new PasswordPolicyStateOperation(OP_TYPE_CLEAR_LAST_LOGIN_TIME);
1489  }
1490
1491
1492
1493  /**
1494   * Creates a new password policy state operation that may be used to determine
1495   * the IP address from which the user last successfully authenticated to the
1496   * server.  The result returned should include an operation of type
1497   * {@link #OP_TYPE_GET_LAST_LOGIN_IP_ADDRESS} with a single string value that
1498   * is the user's last login IP address, or a {@code null} value if no last
1499   * login IP address is available.
1500   *
1501   * @return  The created password policy state operation.
1502   */
1503  public static PasswordPolicyStateOperation
1504                     createGetLastLoginIPAddressOperation()
1505  {
1506    return new PasswordPolicyStateOperation(OP_TYPE_GET_LAST_LOGIN_IP_ADDRESS);
1507  }
1508
1509
1510
1511  /**
1512   * Creates a new password policy state operation that may be used to set
1513   * the IP address from which the user last successfully authenticated to the
1514   * server.  The result returned should include an operation of type
1515   * {@link #OP_TYPE_GET_LAST_LOGIN_IP_ADDRESS} with a single string value that
1516   * is the user's last login IP address, or a {@code null} value if no last
1517   * login IP address is available.
1518   *
1519   * @param  lastLoginIPAddress  The last login IP address to set in the user's
1520   *                             entry.  It must not be {@code null}.
1521   *
1522   * @return  The created password policy state operation.
1523   */
1524  public static PasswordPolicyStateOperation
1525                     createSetLastLoginIPAddressOperation(
1526                          final String lastLoginIPAddress)
1527  {
1528    final ASN1OctetString[] values =
1529    {
1530      new ASN1OctetString(lastLoginIPAddress)
1531    };
1532
1533    return new PasswordPolicyStateOperation(OP_TYPE_SET_LAST_LOGIN_IP_ADDRESS,
1534         values);
1535  }
1536
1537
1538
1539  /**
1540   * Creates a new password policy state operation that may be used to clear
1541   * the last login IP address from the user's entry.  The result returned
1542   * should include an operation of type
1543   * {@link #OP_TYPE_GET_LAST_LOGIN_IP_ADDRESS} with a single string value that
1544   * is the user's last login IP address, or a {@code null} value if no last
1545   * login IP address is available.
1546   *
1547   * @return  The created password policy state operation.
1548   */
1549  public static PasswordPolicyStateOperation
1550                     createClearLastLoginIPAddressOperation()
1551  {
1552    return new PasswordPolicyStateOperation(
1553         OP_TYPE_CLEAR_LAST_LOGIN_IP_ADDRESS);
1554  }
1555
1556
1557
1558  /**
1559   * Creates a new password policy state operation that may be used to determine
1560   * the length of time in seconds until the user's account is locked due to
1561   * inactivity.  The result returned should include an operation of type
1562   * {@link #OP_TYPE_GET_SECONDS_UNTIL_IDLE_LOCKOUT} with a single integer value
1563   * that represents the number of seconds until the user's account is locked as
1564   * a result of being idle for too long, or a {@code null} value if no idle
1565   * account lockout is configured.
1566   *
1567   * @return  The created password policy state operation.
1568   */
1569  public static PasswordPolicyStateOperation
1570                     createGetSecondsUntilIdleLockoutOperation()
1571  {
1572    return new PasswordPolicyStateOperation(
1573         OP_TYPE_GET_SECONDS_UNTIL_IDLE_LOCKOUT);
1574  }
1575
1576
1577
1578  /**
1579   * Creates a new password policy state operation that may be used to determine
1580   * whether the user's password has been reset by an administrator and must be
1581   * changed before performing any other operations.  The result returned should
1582   * include an operation of type {@link #OP_TYPE_GET_PW_RESET_STATE} with a
1583   * single boolean value of {@code true} if the user's password must be changed
1584   * before the account can be used, or {@code false} if not.
1585   *
1586   * @return  The created password policy state operation.
1587   */
1588  public static PasswordPolicyStateOperation
1589                     createGetPasswordResetStateOperation()
1590  {
1591    return new PasswordPolicyStateOperation(OP_TYPE_GET_PW_RESET_STATE);
1592  }
1593
1594
1595
1596  /**
1597   * Creates a new password policy state operation that may be used to specify
1598   * whether the user's password has been reset by an administrator and must be
1599   * changed before performing any other operations.  The result returned should
1600   * include an operation of type {@link #OP_TYPE_GET_PW_RESET_STATE} with a
1601   * single boolean value of {@code true} if the user's password must be changed
1602   * before the account can be used, or {@code false} if not.
1603   *
1604   * @param  isReset  Specifies whether the user's password must be changed
1605   *                  before performing any other operations.
1606   *
1607   * @return  The created password policy state operation.
1608   */
1609  public static PasswordPolicyStateOperation
1610                     createSetPasswordResetStateOperation(final boolean isReset)
1611  {
1612    final ASN1OctetString[] values =
1613    {
1614      new ASN1OctetString(String.valueOf(isReset))
1615    };
1616
1617    return new PasswordPolicyStateOperation(OP_TYPE_SET_PW_RESET_STATE, values);
1618  }
1619
1620
1621
1622  /**
1623   * Creates a new password policy state operation that may be used to clear the
1624   * password reset state information in the user's entry.  The result returned
1625   * should include an operation of type {@link #OP_TYPE_GET_PW_RESET_STATE}
1626   * with a single boolean value of {@code true} if the user's password must be
1627   * changed before the account can be used, or {@code false} if not.
1628   *
1629   * @return  The created password policy state operation.
1630   */
1631  public static PasswordPolicyStateOperation
1632                     createClearPasswordResetStateOperation()
1633  {
1634    return new PasswordPolicyStateOperation(OP_TYPE_CLEAR_PW_RESET_STATE);
1635  }
1636
1637
1638
1639  /**
1640   * Creates a new password policy state operation that may be used to determine
1641   * the length of time in seconds that the user has left to change his/her
1642   * password after an administrative reset before the account is locked.  The
1643   * result returned should include an operation of type
1644   * {@link #OP_TYPE_GET_SECONDS_UNTIL_PW_RESET_LOCKOUT} with a single integer
1645   * value that represents the number of seconds until the user's account will
1646   * be locked unless the password is reset, or a {@code null} value if the
1647   * user's password is not in a "must change" state.
1648   *
1649   * @return  The created password policy state operation.
1650   */
1651  public static PasswordPolicyStateOperation
1652                     createGetSecondsUntilPasswordResetLockoutOperation()
1653  {
1654    return new PasswordPolicyStateOperation(
1655         OP_TYPE_GET_SECONDS_UNTIL_PW_RESET_LOCKOUT);
1656  }
1657
1658
1659
1660  /**
1661   * Creates a new password policy state operation that may be used to retrieve
1662   * the set of times that the user has authenticated using grace logins since
1663   * his/her password expired.  The result returned should include an operation
1664   * of type {@link #OP_TYPE_GET_GRACE_LOGIN_USE_TIMES} with an array of string
1665   * values in generalized time format.
1666   *
1667   * @return  The created password policy state operation.
1668   */
1669  public static PasswordPolicyStateOperation
1670                     createGetGraceLoginUseTimesOperation()
1671  {
1672    return new PasswordPolicyStateOperation(OP_TYPE_GET_GRACE_LOGIN_USE_TIMES);
1673  }
1674
1675
1676
1677  /**
1678   * Creates a new password policy state operation that may be used to add the
1679   * current time to the set of times that the user has authenticated using
1680   * grace logins since his/her password expired.  The result returned should
1681   * include an operation of type {@link #OP_TYPE_GET_GRACE_LOGIN_USE_TIMES}
1682   * with an array of string values in generalized time format.
1683   *
1684   * @return  The created password policy state operation.
1685   */
1686  public static PasswordPolicyStateOperation
1687                     createAddGraceLoginUseTimeOperation()
1688  {
1689    return createAddGraceLoginUseTimeOperation(null);
1690  }
1691
1692
1693
1694  /**
1695   * Creates a new password policy state operation that may be used to add the
1696   * current time to the set of times that the user has authenticated using
1697   * grace logins since his/her password expired.  The result returned should
1698   * include an operation of type {@link #OP_TYPE_GET_GRACE_LOGIN_USE_TIMES}
1699   * with an array of string values in generalized time format.
1700   *
1701   * @param  graceLoginUseTimes  The set of grace login use times to add.  It
1702   *                             may be {@code null} or empty if the server
1703   *                             should add the current time to the set of grace
1704   *                             login times.
1705   *
1706   * @return  The created password policy state operation.
1707   */
1708  public static PasswordPolicyStateOperation
1709                     createAddGraceLoginUseTimeOperation(
1710                          final Date[] graceLoginUseTimes)
1711  {
1712    return new PasswordPolicyStateOperation(OP_TYPE_ADD_GRACE_LOGIN_USE_TIME,
1713         createValues(graceLoginUseTimes));
1714  }
1715
1716
1717
1718  /**
1719   * Creates a new password policy state operation that may be used to specify
1720   * the set of times that the user has authenticated using grace logins since
1721   * his/her password expired.  The result returned should include an operation
1722   * of type {@link #OP_TYPE_GET_GRACE_LOGIN_USE_TIMES} with an array of string
1723   * values in generalized time format.
1724   *
1725   * @param  graceLoginUseTimes  The set of times that the user has
1726   *                             authenticated using grace logins since his/her
1727   *                             password expired.  It amy be {@code null} or
1728   *                             empty if the server should use the current time
1729   *                             as the only grace login use time.
1730   *
1731   * @return  The created password policy state operation.
1732   */
1733  public static PasswordPolicyStateOperation
1734                     createSetGraceLoginUseTimesOperation(
1735                          final Date[] graceLoginUseTimes)
1736  {
1737    return new PasswordPolicyStateOperation(OP_TYPE_SET_GRACE_LOGIN_USE_TIMES,
1738         createValues(graceLoginUseTimes));
1739  }
1740
1741
1742
1743  /**
1744   * Creates a new password policy state operation that may be used to clear
1745   * the set of times that the user has authenticated using grace logins since
1746   * his/her password expired.  The result returned should include an operation
1747   * of type {@link #OP_TYPE_GET_GRACE_LOGIN_USE_TIMES} with an array of string
1748   * values in generalized time format.
1749   *
1750   * @return  The created password policy state operation.
1751   */
1752  public static PasswordPolicyStateOperation
1753                     createClearGraceLoginUseTimesOperation()
1754  {
1755    return new PasswordPolicyStateOperation(
1756         OP_TYPE_CLEAR_GRACE_LOGIN_USE_TIMES);
1757  }
1758
1759
1760
1761  /**
1762   * Creates a new password policy state operation that may be used to retrieve
1763   * the number of remaining grace logins available to the user.  The result
1764   * returned should include an operation of type
1765   * {@link #OP_TYPE_GET_REMAINING_GRACE_LOGIN_COUNT} with a single integer
1766   * value that represents the number of remaining grace logins, or a
1767   * {@code null} value if grace login functionality is not enabled for the
1768   * user.
1769   *
1770   * @return  The created password policy state operation.
1771   */
1772  public static PasswordPolicyStateOperation
1773                     createGetRemainingGraceLoginCountOperation()
1774  {
1775    return new PasswordPolicyStateOperation(
1776         OP_TYPE_GET_REMAINING_GRACE_LOGIN_COUNT);
1777  }
1778
1779
1780
1781  /**
1782   * Creates a new password policy state operation that may be used to retrieve
1783   * the last required password change time that with which the user has
1784   * complied.  The result returned should include an operation of type
1785   * {@link #OP_TYPE_GET_PW_CHANGED_BY_REQUIRED_TIME} with a single string
1786   * value that is the generalized time representation of the most recent
1787   * required password change time with which the user complied, or a
1788   * {@code null} value if this is not available for the user.
1789   *
1790   * @return  The created password policy state operation.
1791   */
1792  public static PasswordPolicyStateOperation
1793                     createGetPasswordChangedByRequiredTimeOperation()
1794  {
1795    return new PasswordPolicyStateOperation(
1796         OP_TYPE_GET_PW_CHANGED_BY_REQUIRED_TIME);
1797  }
1798
1799
1800
1801  /**
1802   * Creates a new password policy state operation that may be used to update
1803   * the user's entry to indicate that he/she has complied with the required
1804   * password change time.  The result returned should include an operation of
1805   * type {@link #OP_TYPE_GET_PW_CHANGED_BY_REQUIRED_TIME} with a single string
1806   * value that is the generalized time representation of the most recent
1807   * required password change time with which the user complied, or a
1808   * {@code null} value if this is not available for the user.
1809   *
1810   * @return  The created password policy state operation.
1811   */
1812  public static PasswordPolicyStateOperation
1813                     createSetPasswordChangedByRequiredTimeOperation()
1814  {
1815    return createSetPasswordChangedByRequiredTimeOperation(null);
1816  }
1817
1818
1819
1820  /**
1821   * Creates a new password policy state operation that may be used to update
1822   * the user's entry to indicate that he/she has complied with the required
1823   * password change time.  The result returned should include an operation of
1824   * type {@link #OP_TYPE_GET_PW_CHANGED_BY_REQUIRED_TIME} with a single string
1825   * value that is the generalized time representation of the most recent
1826   * required password change time with which the user complied, or a
1827   * {@code null} value if this is not available for the user.
1828   *
1829   * @param  requiredTime  The required password changed time with which the
1830   *                       user has complied.  It may be {@code null} if the
1831   *                       server should use the most recent required change
1832   *                       time.
1833   *
1834   * @return  The created password policy state operation.
1835   */
1836  public static PasswordPolicyStateOperation
1837                     createSetPasswordChangedByRequiredTimeOperation(
1838                          final Date requiredTime)
1839  {
1840    return new PasswordPolicyStateOperation(
1841         OP_TYPE_SET_PW_CHANGED_BY_REQUIRED_TIME, createValues(requiredTime));
1842  }
1843
1844
1845
1846  /**
1847   * Creates a new password policy state operation that may be used to clear
1848   * the last required password change time from the user's entry.  The result
1849   * returned should include an operation of type
1850   * {@link #OP_TYPE_GET_PW_CHANGED_BY_REQUIRED_TIME} with a single string value
1851   * that is the generalized time representation of the most recent required
1852   * password change time with which the user complied, or a {@code null} value
1853   * if this is not available for the user.
1854   *
1855   * @return  The created password policy state operation.
1856   */
1857  public static PasswordPolicyStateOperation
1858                     createClearPasswordChangedByRequiredTimeOperation()
1859  {
1860    return new PasswordPolicyStateOperation(
1861         OP_TYPE_CLEAR_PW_CHANGED_BY_REQUIRED_TIME);
1862  }
1863
1864
1865
1866  /**
1867   * Creates a new password policy state operation that may be used to retrieve
1868   * the length of time in seconds until the required password change time
1869   * arrives.  The result returned should include an operation of type
1870   * {@link #OP_TYPE_GET_SECONDS_UNTIL_REQUIRED_CHANGE_TIME} with a single
1871   * integer value that represents the number of seconds before the user will
1872   * be required to change his/her password as a result of the
1873   * require-change-by-time property, or a {@code null} value if the user is
1874   * not required to change their password for this reason.
1875   *
1876   * @return  The created password policy state operation.
1877   */
1878  public static PasswordPolicyStateOperation
1879                     createGetSecondsUntilRequiredChangeTimeOperation()
1880  {
1881    return new PasswordPolicyStateOperation(
1882         OP_TYPE_GET_SECONDS_UNTIL_REQUIRED_CHANGE_TIME);
1883  }
1884
1885
1886
1887  /**
1888   * Creates a new password policy state operation that may be used to retrieve
1889   * the password history values stored in the user's entry.  The result
1890   * returned should include an operation of type
1891   * {@link #OP_TYPE_GET_PW_HISTORY} with an array of strings representing the
1892   * user's password history content.
1893   *
1894   * @return  The created password policy state operation.
1895   *
1896   * @deprecated  This method has been deprecated in favor of the
1897   *              {@link #createGetPasswordHistoryCountOperation} method.
1898   */
1899  @Deprecated()
1900  @SuppressWarnings("deprecation")
1901  public static PasswordPolicyStateOperation createGetPasswordHistoryOperation()
1902  {
1903    return new PasswordPolicyStateOperation(OP_TYPE_GET_PW_HISTORY);
1904  }
1905
1906
1907
1908  /**
1909   * Creates a new password policy state operation that may be used to clear the
1910   * password history values stored in the user's entry.  The result returned
1911   * should include an operation of type {@link #OP_TYPE_GET_PW_HISTORY} with an
1912   * array of strings representing the user's password history content.
1913   *
1914   * @return  The created password policy state operation.
1915   */
1916  public static PasswordPolicyStateOperation
1917                     createClearPasswordHistoryOperation()
1918  {
1919    return new PasswordPolicyStateOperation(OP_TYPE_CLEAR_PW_HISTORY);
1920  }
1921
1922
1923
1924  /**
1925   * Creates a new password policy state operation that may be used to determine
1926   * whether the user has a valid retired password.  The result returned should
1927   * include an operation of type {@link #OP_TYPE_HAS_RETIRED_PASSWORD} with a
1928   * single boolean value of {@code true} if the user has a valid retired
1929   * password, or {@code false} if not.
1930   *
1931   * @return  The created password policy state operation.
1932   */
1933  public static PasswordPolicyStateOperation createHasRetiredPasswordOperation()
1934  {
1935    return new PasswordPolicyStateOperation(OP_TYPE_HAS_RETIRED_PASSWORD);
1936  }
1937
1938
1939
1940  /**
1941   * Creates a new password policy state operation that may be used to determine
1942   * the time that the user's former password was retired.  The result returned
1943   * should include an operation of type
1944   * {@link #OP_TYPE_GET_PASSWORD_RETIRED_TIME} with a single string value that
1945   * is the generalized time representation of the time the user's former
1946   * password was retired, or a {@code null} value if the user does not have a
1947   * valid retired password.
1948   *
1949   * @return  The created password policy state operation.
1950   */
1951  public static PasswordPolicyStateOperation
1952                     createGetPasswordRetiredTimeOperation()
1953  {
1954    return new PasswordPolicyStateOperation(OP_TYPE_GET_PASSWORD_RETIRED_TIME);
1955  }
1956
1957
1958
1959  /**
1960   * Creates a new password policy state operation that may be used to determine
1961   * the length of time until the user's retired password expires.  The result
1962   * returned should include an operation of type
1963   * {@link #OP_TYPE_GET_RETIRED_PASSWORD_EXPIRATION_TIME} with a single string
1964   * value that is the generalized time representation of the time the user's
1965   * retired password will cease to be valid, or a {@code null} value if the
1966   * user does not have a valid retired password.
1967   *
1968   * @return  The created password policy state operation.
1969   */
1970  public static PasswordPolicyStateOperation
1971                     createGetRetiredPasswordExpirationTimeOperation()
1972  {
1973    return new PasswordPolicyStateOperation(
1974         OP_TYPE_GET_RETIRED_PASSWORD_EXPIRATION_TIME);
1975  }
1976
1977
1978
1979  /**
1980   * Creates a new password policy state operation that may be used to purge
1981   * any retired password from the user's entry.  The result returned should
1982   * include an operation of type {@link #OP_TYPE_HAS_RETIRED_PASSWORD} with a
1983   * single boolean value of {@code true} if the user has a valid retired
1984   * password, or {@code false} if not.
1985   *
1986   * @return  The created password policy state operation.
1987   */
1988  public static PasswordPolicyStateOperation
1989                     createPurgeRetiredPasswordOperation()
1990  {
1991    return new PasswordPolicyStateOperation(OP_TYPE_PURGE_RETIRED_PASSWORD);
1992  }
1993
1994
1995
1996  /**
1997   * Creates a new password policy state operation that may be used to retrieve
1998   * information about any password policy state notices pertaining to the
1999   * usability of the user's account.  The result returned should include an
2000   * operation of type {@link #OP_TYPE_GET_ACCOUNT_USABILITY_NOTICES} with an
2001   * array of strings that represent
2002   * {@link PasswordPolicyStateAccountUsabilityWarning} values.
2003   *
2004   * @return  The created password policy state operation.
2005   */
2006  public static PasswordPolicyStateOperation
2007                     createGetAccountUsabilityNoticesOperation()
2008  {
2009    return new PasswordPolicyStateOperation(
2010         OP_TYPE_GET_ACCOUNT_USABILITY_NOTICES);
2011  }
2012
2013
2014
2015  /**
2016   * Creates a new password policy state operation that may be used to retrieve
2017   * information about any password policy state warnings that may impact the
2018   * usability of the user's account.  The result returned should include an
2019   * operation of type {@link #OP_TYPE_GET_ACCOUNT_USABILITY_WARNINGS} with an
2020   * array of strings that represent
2021   * {@link PasswordPolicyStateAccountUsabilityWarning} values.
2022   *
2023   * @return  The created password policy state operation.
2024   */
2025  public static PasswordPolicyStateOperation
2026                     createGetAccountUsabilityWarningsOperation()
2027  {
2028    return new PasswordPolicyStateOperation(
2029         OP_TYPE_GET_ACCOUNT_USABILITY_WARNINGS);
2030  }
2031
2032
2033
2034  /**
2035   * Creates a new password policy state operation that may be used to retrieve
2036   * information about any password policy state errors that may impact the
2037   * usability of the user's account.  The result returned should include an
2038   * operation of type {@link #OP_TYPE_GET_ACCOUNT_USABILITY_ERRORS} with an
2039   * array of strings that represent
2040   * {@link PasswordPolicyStateAccountUsabilityError} values.
2041   *
2042   * @return  The created password policy state operation.
2043   */
2044  public static PasswordPolicyStateOperation
2045                     createGetAccountUsabilityErrorsOperation()
2046  {
2047    return new PasswordPolicyStateOperation(
2048         OP_TYPE_GET_ACCOUNT_USABILITY_ERRORS);
2049  }
2050
2051
2052
2053  /**
2054   * Creates a new password policy state operation that may be used to determine
2055   * whether an account is usable (i.e., the account will be allowed to
2056   * authenticate and/or be used as an alternate authorization identity.  The
2057   * result returned should include an operation of type
2058   * {@link #OP_TYPE_GET_ACCOUNT_IS_USABLE} with a single boolean value that
2059   * indicates whether the account is usable.
2060   *
2061   * @return  The created password policy state operation.
2062   */
2063  public static PasswordPolicyStateOperation
2064                     createGetAccountIsUsableOperation()
2065  {
2066    return new PasswordPolicyStateOperation(OP_TYPE_GET_ACCOUNT_IS_USABLE);
2067  }
2068
2069
2070
2071  /**
2072   * Creates a new password policy state operation that may be used to determine
2073   * whether an account has an activation time that is in the future.  The
2074   * result returned should include an operation of type
2075   * {@link #OP_TYPE_GET_ACCOUNT_IS_NOT_YET_ACTIVE} with a single boolean value
2076   * that indicates whether the account is not yet active.
2077   *
2078   * @return  The created password policy state operation.
2079   */
2080  public static PasswordPolicyStateOperation
2081                     createGetAccountIsNotYetActiveOperation()
2082  {
2083    return new PasswordPolicyStateOperation(
2084         OP_TYPE_GET_ACCOUNT_IS_NOT_YET_ACTIVE);
2085  }
2086
2087
2088
2089  /**
2090   * Creates a new password policy state operation that may be used to determine
2091   * whether an account has an expiration time that is in the past.  The result
2092   * returned should include an operation of type
2093   * {@link #OP_TYPE_GET_ACCOUNT_IS_EXPIRED} with a single boolean value that
2094   * indicates whether the account is expired.
2095   *
2096   * @return  The created password policy state operation.
2097   */
2098  public static PasswordPolicyStateOperation
2099                     createGetAccountIsExpiredOperation()
2100  {
2101    return new PasswordPolicyStateOperation(OP_TYPE_GET_ACCOUNT_IS_EXPIRED);
2102  }
2103
2104
2105
2106  /**
2107   * Creates a new password policy state operation that may be used to determine
2108   * when a user's password is expected to expire.  The result returned should
2109   * include an operation of type {@link #OP_TYPE_GET_PW_EXPIRATION_TIME} with a
2110   * single string value that is the generalized time representation of the
2111   * password expiration time.
2112   *
2113   * @return  The created password policy state operation.
2114   */
2115  public static PasswordPolicyStateOperation
2116                     createGetPasswordExpirationTimeOperation()
2117  {
2118    return new PasswordPolicyStateOperation(OP_TYPE_GET_PW_EXPIRATION_TIME);
2119  }
2120
2121
2122
2123  /**
2124   * Creates a new password policy state operation that may be used to determine
2125   * whether an account has been locked because of too many failed
2126   * authentication attempts.  The result returned should include an operation
2127   * of type {@link #OP_TYPE_GET_ACCOUNT_IS_FAILURE_LOCKED} with a single
2128   * boolean value that indicates whether the account is failure locked.
2129   *
2130   * @return  The created password policy state operation.
2131   */
2132  public static PasswordPolicyStateOperation
2133                     createGetAccountIsFailureLockedOperation()
2134  {
2135    return new PasswordPolicyStateOperation(
2136         OP_TYPE_GET_ACCOUNT_IS_FAILURE_LOCKED);
2137  }
2138
2139
2140
2141  /**
2142   * Creates a new password policy state operation that may be used to specify
2143   * whether an account should be locked because of too many failed
2144   * authentication attempts.  The result returned should include an operation
2145   * of type {@link #OP_TYPE_GET_ACCOUNT_IS_FAILURE_LOCKED} with a single
2146   * boolean value that indicates whether the account is failure locked.
2147   *
2148   * @param  isFailureLocked  Indicates whether the account should be locked
2149   *                          because of too many failed attempts.
2150   *
2151   * @return  The created password policy state operation.
2152   */
2153  public static PasswordPolicyStateOperation
2154                     createSetAccountIsFailureLockedOperation(
2155                          final boolean isFailureLocked)
2156  {
2157    final ASN1OctetString[] values =
2158    {
2159      new ASN1OctetString(String.valueOf(isFailureLocked))
2160    };
2161
2162    return new PasswordPolicyStateOperation(
2163         OP_TYPE_SET_ACCOUNT_IS_FAILURE_LOCKED, values);
2164  }
2165
2166
2167
2168  /**
2169   * Creates a new password policy state operation that may be used to determine
2170   * when a user's password is was locked because of too many failed
2171   * authentication attempts.  The result returned should include an operation
2172   * of type {@link #OP_TYPE_GET_FAILURE_LOCKOUT_TIME} with a single string
2173   * value that is the generalized time representation of the failure lockout
2174   * time.
2175   *
2176   * @return  The created password policy state operation.
2177   */
2178  public static PasswordPolicyStateOperation
2179                     createGetFailureLockoutTimeOperation()
2180  {
2181    return new PasswordPolicyStateOperation(OP_TYPE_GET_FAILURE_LOCKOUT_TIME);
2182  }
2183
2184
2185
2186  /**
2187   * Creates a new password policy state operation that may be used to determine
2188   * whether an account has been locked because it has remained idle for too
2189   * long.  The result returned should include an operation of type
2190   * {@link #OP_TYPE_GET_ACCOUNT_IS_IDLE_LOCKED} with a single boolean value
2191   * that indicates whether the account is idle locked.
2192   *
2193   * @return  The created password policy state operation.
2194   */
2195  public static PasswordPolicyStateOperation
2196                     createGetAccountIsIdleLockedOperation()
2197  {
2198    return new PasswordPolicyStateOperation(OP_TYPE_GET_ACCOUNT_IS_IDLE_LOCKED);
2199  }
2200
2201
2202
2203  /**
2204   * Creates a new password policy state operation that may be used to determine
2205   * when a user's password is was locked because of the idle account lockout.
2206   * The result returned should include an operation of type
2207   * {@link #OP_TYPE_GET_IDLE_LOCKOUT_TIME} with a single string value that is
2208   * the generalized time representation of the idle lockout time.
2209   *
2210   * @return  The created password policy state operation.
2211   */
2212  public static PasswordPolicyStateOperation
2213                     createGetIdleLockoutTimeOperation()
2214  {
2215    return new PasswordPolicyStateOperation(OP_TYPE_GET_IDLE_LOCKOUT_TIME);
2216  }
2217
2218
2219
2220  /**
2221   * Creates a new password policy state operation that may be used to determine
2222   * whether an account has been locked because the user failed to change their
2223   * password in a timely manner after an administrative reset.  The result
2224   * returned should include an operation of type
2225   * {@link #OP_TYPE_GET_ACCOUNT_IS_RESET_LOCKED} with a single boolean value
2226   * that indicates whether the account is reset locked.
2227   *
2228   * @return  The created password policy state operation.
2229   */
2230  public static PasswordPolicyStateOperation
2231                     createGetAccountIsResetLockedOperation()
2232  {
2233    return new PasswordPolicyStateOperation(
2234         OP_TYPE_GET_ACCOUNT_IS_RESET_LOCKED);
2235  }
2236
2237
2238
2239  /**
2240   * Creates a new password policy state operation that may be used to determine
2241   * when a user's password is was locked because the user failed to change
2242   * their password in a timely manner after an administrative reset.  The
2243   * result returned should include an operation of type
2244   * {@link #OP_TYPE_GET_RESET_LOCKOUT_TIME} with a single string value that is
2245   * the generalized time representation of the reset lockout time.
2246   *
2247   * @return  The created password policy state operation.
2248   */
2249  public static PasswordPolicyStateOperation
2250                     createGetResetLockoutTimeOperation()
2251  {
2252    return new PasswordPolicyStateOperation(OP_TYPE_GET_RESET_LOCKOUT_TIME);
2253  }
2254
2255
2256
2257  /**
2258   * Creates a new password policy state operation that may be used to retrieve
2259   * the number of passwords currently held in a user's password history.  The
2260   * result returned should include an operation of type
2261   * {@link #OP_TYPE_GET_PW_HISTORY_COUNT} with a single integer value that
2262   * represents the number of passwords in the history, or a {@code null} value
2263   * if a password history is not enabled for the user.
2264   *
2265   * @return  The created password policy state operation.
2266   */
2267  public static PasswordPolicyStateOperation
2268                     createGetPasswordHistoryCountOperation()
2269  {
2270    return new PasswordPolicyStateOperation(OP_TYPE_GET_PW_HISTORY_COUNT);
2271  }
2272
2273
2274
2275  /**
2276   * Creates a new password policy state operation that may be used to determine
2277   * whether a user's password is expired.  The result returned should include
2278   * an operation of type {@link #OP_TYPE_GET_PW_IS_EXPIRED} with a single
2279   * Boolean value that indicates whether the password is expired, or a
2280   * {@code null} value if password expiration is not enabled for the user.
2281   *
2282   * @return  The created password policy state operation.
2283   */
2284  public static PasswordPolicyStateOperation
2285                     createGetPasswordIsExpiredOperation()
2286  {
2287    return new PasswordPolicyStateOperation(OP_TYPE_GET_PW_IS_EXPIRED);
2288  }
2289
2290
2291
2292  /**
2293   * Creates a new password policy state operation that may be used to retrieve
2294   * a list of the SASL mechanisms that are available for a user.  This will
2295   * take into consideration the server's configuration, the types of
2296   * credentials that a user has, and per-user constraints and preferences.
2297   *
2298   * @return  The created password policy state operation.
2299   */
2300  public static PasswordPolicyStateOperation
2301                     createGetAvailableSASLMechanismsOperation()
2302  {
2303    return new PasswordPolicyStateOperation(
2304         OP_TYPE_GET_AVAILABLE_SASL_MECHANISMS);
2305  }
2306
2307
2308
2309  /**
2310   * Creates a new password policy state operation that may be used to retrieve
2311   * a list of the one-time password delivery mechanisms that are available for
2312   * a user.  If the user's entry includes information about which OTP delivery
2313   * mechanisms are preferred, the list will be ordered from most preferred to
2314   * least preferred.
2315   *
2316   * @return  The created password policy state operation.
2317   */
2318  public static PasswordPolicyStateOperation
2319                     createGetAvailableOTPDeliveryMechanismsOperation()
2320  {
2321    return new PasswordPolicyStateOperation(
2322         OP_TYPE_GET_AVAILABLE_OTP_DELIVERY_MECHANISMS);
2323  }
2324
2325
2326
2327  /**
2328   * Creates a new password policy state operation that may be used to determine
2329   * whether the user has at least one TOTP shared secret.  The result returned
2330   * should include an operation of type {@link #OP_TYPE_HAS_TOTP_SHARED_SECRET}
2331   * with a single boolean value of {@code true} if the user has one or more
2332   * TOTP shared secrets, or {@code false} if not.
2333   *
2334   * @return  The created password policy state operation.
2335   */
2336  public static PasswordPolicyStateOperation createHasTOTPSharedSecret()
2337  {
2338    return new PasswordPolicyStateOperation(OP_TYPE_HAS_TOTP_SHARED_SECRET);
2339  }
2340
2341
2342
2343  /**
2344   * Creates a new password policy state operation that may be used to add one
2345   * or more values to the set of TOTP shared secrets for a user.  The result
2346   * returned should include an operation of type
2347   * {@link #OP_TYPE_HAS_TOTP_SHARED_SECRET} with a single boolean value of
2348   * {@code true} if the user has one or more TOTP shared secrets, or
2349   * {@code false} if not.
2350   *
2351   * @param  totpSharedSecrets  The base32-encoded representations of the TOTP
2352   *                            shared secrets to add to the user.  It must not
2353   *                            be {@code null} or empty.
2354   *
2355   * @return  The created password policy state operation.
2356   */
2357  public static PasswordPolicyStateOperation
2358                     createAddTOTPSharedSecretOperation(
2359                          final String... totpSharedSecrets)
2360  {
2361    final ASN1OctetString[] values =
2362         new ASN1OctetString[totpSharedSecrets.length];
2363    for (int i=0; i < totpSharedSecrets.length; i++)
2364    {
2365      values[i] = new ASN1OctetString(totpSharedSecrets[i]);
2366    }
2367
2368    return new PasswordPolicyStateOperation(OP_TYPE_ADD_TOTP_SHARED_SECRET,
2369         values);
2370  }
2371
2372
2373
2374  /**
2375   * Creates a new password policy state operation that may be used to remove
2376   * one or more values from the set of TOTP shared secrets for a user.  The
2377   * result returned should include an operation of type
2378   * {@link #OP_TYPE_HAS_TOTP_SHARED_SECRET} with a single boolean value of
2379   * {@code true} if the user has one or more TOTP shared secrets, or
2380   * {@code false} if not.
2381   *
2382   * @param  totpSharedSecrets  The base32-encoded representations of the TOTP
2383   *                            shared secrets to remove from the user.  It must
2384   *                            not be {@code null} or empty.
2385   *
2386   * @return  The created password policy state operation.
2387   */
2388  public static PasswordPolicyStateOperation
2389                     createRemoveTOTPSharedSecretOperation(
2390                          final String... totpSharedSecrets)
2391  {
2392    final ASN1OctetString[] values =
2393         new ASN1OctetString[totpSharedSecrets.length];
2394    for (int i=0; i < totpSharedSecrets.length; i++)
2395    {
2396      values[i] = new ASN1OctetString(totpSharedSecrets[i]);
2397    }
2398
2399    return new PasswordPolicyStateOperation(OP_TYPE_REMOVE_TOTP_SHARED_SECRET,
2400         values);
2401  }
2402
2403
2404
2405  /**
2406   * Creates a new password policy state operation that may be used to replace
2407   * the set of TOTP shared secrets for a user.  The result returned should
2408   * include an operation of type {@link #OP_TYPE_HAS_TOTP_SHARED_SECRET} with a
2409   * single boolean value of {@code true} if the user has one or more TOTP
2410   * shared secrets, or {@code false} if not.
2411   *
2412   * @param  totpSharedSecrets  The base32-encoded representations of the TOTP
2413   *                            shared secrets for the user.  It must not be
2414   *                            {@code null} but may be empty.
2415   *
2416   * @return  The created password policy state operation.
2417   */
2418  public static PasswordPolicyStateOperation
2419                     createSetTOTPSharedSecretsOperation(
2420                          final String... totpSharedSecrets)
2421  {
2422    final ASN1OctetString[] values =
2423         new ASN1OctetString[totpSharedSecrets.length];
2424    for (int i=0; i < totpSharedSecrets.length; i++)
2425    {
2426      values[i] = new ASN1OctetString(totpSharedSecrets[i]);
2427    }
2428
2429    return new PasswordPolicyStateOperation(OP_TYPE_SET_TOTP_SHARED_SECRETS,
2430         values);
2431  }
2432
2433
2434
2435  /**
2436   * Creates a new password policy state operation that may be used to clear
2437   * the set of TOTP shared secrets for a user.  The result returned should
2438   * include an operation of type {@link #OP_TYPE_HAS_TOTP_SHARED_SECRET} with a
2439   * single boolean value of {@code true} if the user has one or more TOTP
2440   * shared secrets, or {@code false} if not.
2441   *
2442   * @return  The created password policy state operation.
2443   */
2444  public static PasswordPolicyStateOperation
2445                     createClearTOTPSharedSecretsOperation()
2446  {
2447    return new PasswordPolicyStateOperation(OP_TYPE_CLEAR_TOTP_SHARED_SECRETS);
2448  }
2449
2450
2451
2452  /**
2453   * Creates a new password policy state operation that may be used to determine
2454   * whether the user has at least one registered YubiKey OTP device.  The
2455   * result returned should include an operation of type
2456   * {@link #OP_TYPE_HAS_REGISTERED_YUBIKEY_PUBLIC_ID}
2457   * with a single boolean value of {@code true} if the user has one or more
2458   * registered devices, or {@code false} if not.
2459   *
2460   * @return  The created password policy state operation.
2461   */
2462  public static PasswordPolicyStateOperation createHasYubiKeyPublicIDOperation()
2463  {
2464    return new PasswordPolicyStateOperation(
2465         OP_TYPE_HAS_REGISTERED_YUBIKEY_PUBLIC_ID);
2466  }
2467
2468
2469
2470  /**
2471   * Creates a new password policy state operation that may be used to retrieve
2472   * the public IDs of the YubiKey OTP devices registered for a user.  The
2473   * result returned should include an operation of type
2474   * {@link #OP_TYPE_GET_REGISTERED_YUBIKEY_PUBLIC_IDS} with an array of string
2475   * values that represent the public IDs of the registered YubiKey OTP devices.
2476   *
2477   * @return  The created password policy state operation.
2478   */
2479  public static PasswordPolicyStateOperation
2480                     createGetRegisteredYubiKeyPublicIDsOperation()
2481  {
2482    return new PasswordPolicyStateOperation(
2483         OP_TYPE_GET_REGISTERED_YUBIKEY_PUBLIC_IDS);
2484  }
2485
2486
2487
2488  /**
2489   * Creates a new password policy state operation that may be used to add one
2490   * or more values to the set of the public IDs of the YubiKey OTP devices
2491   * registered for a user.  The result returned should include an operation of
2492   * type {@link #OP_TYPE_GET_REGISTERED_YUBIKEY_PUBLIC_IDS} with an array of
2493   * string values that represent the public IDs of the registered YubiKey OTP
2494   * devices.
2495   *
2496   * @param  publicIDs  The set of public IDs to add to the set of YubiKey OTP
2497   *                    devices registered for the user.  It must not be
2498   *                    {@code null} or empty.
2499   *
2500   * @return  The created password policy state operation.
2501   */
2502  public static PasswordPolicyStateOperation
2503                     createAddRegisteredYubiKeyPublicIDOperation(
2504                          final String... publicIDs)
2505  {
2506    final ASN1OctetString[] values = new ASN1OctetString[publicIDs.length];
2507    for (int i=0; i < publicIDs.length; i++)
2508    {
2509      values[i] = new ASN1OctetString(publicIDs[i]);
2510    }
2511
2512    return new PasswordPolicyStateOperation(
2513         OP_TYPE_ADD_REGISTERED_YUBIKEY_PUBLIC_ID, values);
2514  }
2515
2516
2517
2518  /**
2519   * Creates a new password policy state operation that may be used to remove
2520   * one or more values from the set of the public IDs of the YubiKey OTP
2521   * devices registered for a user.  The result returned should include an
2522   * operation of type {@link #OP_TYPE_GET_REGISTERED_YUBIKEY_PUBLIC_IDS} with
2523   * an array of string values that represent the public IDs of the registered
2524   * YubiKey OTP devices.
2525   *
2526   * @param  publicIDs  The set of public IDs to remove from the set of YubiKey
2527   *                    OTP devices registered for the user.  It must not be
2528   *                    {@code null} or empty.
2529   *
2530   * @return  The created password policy state operation.
2531   */
2532  public static PasswordPolicyStateOperation
2533                     createRemoveRegisteredYubiKeyPublicIDOperation(
2534                          final String... publicIDs)
2535  {
2536    final ASN1OctetString[] values = new ASN1OctetString[publicIDs.length];
2537    for (int i=0; i < publicIDs.length; i++)
2538    {
2539      values[i] = new ASN1OctetString(publicIDs[i]);
2540    }
2541
2542    return new PasswordPolicyStateOperation(
2543         OP_TYPE_REMOVE_REGISTERED_YUBIKEY_PUBLIC_ID, values);
2544  }
2545
2546
2547
2548  /**
2549   * Creates a new password policy state operation that may be used to replace
2550   * the set of the public IDs of the YubiKey OTP devices registered for a user.
2551   * The result returned should include an operation of type
2552   * {@link #OP_TYPE_GET_REGISTERED_YUBIKEY_PUBLIC_IDS} with an array of string
2553   * values that represent the public IDs of the registered YubiKey OTP devices.
2554   *
2555   * @param  publicIDs  The set of public IDs for the YubiKey OTP devices
2556   *                    registered for the user.  It must not be {@code null}
2557   *                    but may be empty.
2558   *
2559   * @return  The created password policy state operation.
2560   */
2561  public static PasswordPolicyStateOperation
2562                     createSetRegisteredYubiKeyPublicIDsOperation(
2563                          final String... publicIDs)
2564  {
2565    final ASN1OctetString[] values = new ASN1OctetString[publicIDs.length];
2566    for (int i=0; i < publicIDs.length; i++)
2567    {
2568      values[i] = new ASN1OctetString(publicIDs[i]);
2569    }
2570
2571    return new PasswordPolicyStateOperation(
2572         OP_TYPE_SET_REGISTERED_YUBIKEY_PUBLIC_IDS, values);
2573  }
2574
2575
2576
2577  /**
2578   * Creates a new password policy state operation that may be used to clear
2579   * the set of the public IDs of the YubiKey OTP devices registered for a user.
2580   * The result returned should include an operation of type
2581   * {@link #OP_TYPE_GET_REGISTERED_YUBIKEY_PUBLIC_IDS} with an array of string
2582   * values that represent the public IDs of the registered YubiKey OTP devices.
2583   *
2584   * @return  The created password policy state operation.
2585   */
2586  public static PasswordPolicyStateOperation
2587                     createClearRegisteredYubiKeyPublicIDsOperation()
2588  {
2589    return new PasswordPolicyStateOperation(
2590         OP_TYPE_CLEAR_REGISTERED_YUBIKEY_PUBLIC_IDS);
2591  }
2592
2593
2594
2595  /**
2596   * Creates a new password policy state operation that may be used to determine
2597   * whether the user has a static password.  The result should include an
2598   * operation of type {@link #OP_TYPE_HAS_STATIC_PASSWORD} with a single
2599   * boolean value of {@code true} if the user has a static password, or
2600   * {@code false} if not.
2601   *
2602   * @return  The created password policy state operation.
2603   */
2604  public static PasswordPolicyStateOperation createHasStaticPasswordOperation()
2605  {
2606    return new PasswordPolicyStateOperation(OP_TYPE_HAS_STATIC_PASSWORD);
2607  }
2608
2609
2610
2611  /**
2612   * Retrieves the operation type for this password policy state operation.
2613   *
2614   * @return  The operation type for this password policy state operation.
2615   */
2616  public int getOperationType()
2617  {
2618    return opType;
2619  }
2620
2621
2622
2623  /**
2624   * Retrieves the set of raw values for this password policy state operation.
2625   *
2626   * @return  The set of raw values for this password policy state operation.
2627   */
2628  public ASN1OctetString[] getRawValues()
2629  {
2630    return values;
2631  }
2632
2633
2634
2635  /**
2636   * Retrieves the string representation of the value for this password policy
2637   * state operation.  If there are multiple values, then the first will be
2638   * returned.
2639   *
2640   * @return  The string representation of the value for this password policy
2641   *          state operation, or {@code null} if there are no values.
2642   */
2643  public String getStringValue()
2644  {
2645    if (values.length == 0)
2646    {
2647      return null;
2648    }
2649    else
2650    {
2651      return values[0].stringValue();
2652    }
2653  }
2654
2655
2656
2657  /**
2658   * Retrieves the string representations of the values for this password policy
2659   * state operation.
2660   *
2661   * @return  The string representations of the values for this password policy
2662   *          state operation.
2663   */
2664  public String[] getStringValues()
2665  {
2666    final String[] stringValues = new String[values.length];
2667    for (int i=0; i < values.length; i++)
2668    {
2669      stringValues[i] = values[i].stringValue();
2670    }
2671
2672    return stringValues;
2673  }
2674
2675
2676
2677  /**
2678   * Retrieves the boolean representation of the value for this password policy
2679   * state operation.
2680   *
2681   * @return  The boolean representation of the value for this password policy
2682   *          state operation.
2683   *
2684   * @throws  IllegalStateException  If this operation does not have exactly one
2685   *                                 value, or if the value cannot be decoded as
2686   *                                 a boolean value.
2687   */
2688  public boolean getBooleanValue()
2689         throws IllegalStateException
2690  {
2691    if (values.length != 1)
2692    {
2693      throw new IllegalStateException(
2694           ERR_PWP_STATE_INVALID_BOOLEAN_VALUE_COUNT.get(values.length));
2695    }
2696
2697    final String valueString = StaticUtils.toLowerCase(values[0].stringValue());
2698    if (valueString.equals("true"))
2699    {
2700      return true;
2701    }
2702    else if (valueString.equals("false"))
2703    {
2704      return false;
2705    }
2706    else
2707    {
2708      throw new IllegalStateException(
2709           ERR_PWP_STATE_VALUE_NOT_BOOLEAN.get(values[0].stringValue()));
2710    }
2711  }
2712
2713
2714
2715  /**
2716   * Retrieves the integer representation of the value for this password policy
2717   * state operation.  If there are multiple values, then the first will be
2718   * returned.
2719   *
2720   * @return  The integer representation of the value for this password policy
2721   *          operation.
2722   *
2723   * @throws  IllegalStateException  If this operation does not have any values.
2724   *
2725   * @throws  NumberFormatException  If the value cannot be parsed as an
2726   *                                 integer.
2727   */
2728  public int getIntValue()
2729         throws IllegalStateException, NumberFormatException
2730  {
2731    if (values.length == 0)
2732    {
2733      throw new IllegalStateException(ERR_PWP_STATE_NO_VALUES.get());
2734    }
2735
2736    return Integer.parseInt(values[0].stringValue());
2737  }
2738
2739
2740
2741  /**
2742   * Retrieves the {@code Date} object represented by the value for this
2743   * password policy state operation treated as a timestamp in generalized time
2744   * form.  If there are multiple values, then the first will be returned.
2745   *
2746   * @return  The {@code Date} object represented by the value for this password
2747   *          policy state operation treated as a timestamp in generalized time
2748   *          form, or {@code null} if this operation does not have any values.
2749   *
2750   * @throws  ParseException  If the value cannot be decoded as a timestamp in
2751   *                          generalized time form.
2752   */
2753  public Date getGeneralizedTimeValue()
2754         throws ParseException
2755  {
2756    if (values.length == 0)
2757    {
2758      return null;
2759    }
2760
2761    return StaticUtils.decodeGeneralizedTime(values[0].stringValue());
2762  }
2763
2764
2765
2766  /**
2767   * Retrieves the {@code Date} objects represented by the values for this
2768   * password policy state operation treated as timestamps in generalized time
2769   * form.
2770   *
2771   * @return  The {@code Date} objects represented by the values for this
2772   *          password policy state operation treated as timestamps in
2773   *          generalized time form.
2774   *
2775   * @throws  ParseException  If any of the values cannot be decoded as a
2776   *                          timestamp in generalized time form.
2777   */
2778  public Date[] getGeneralizedTimeValues()
2779         throws ParseException
2780  {
2781    final Date[] dateValues = new Date[values.length];
2782    for (int i=0; i < values.length; i++)
2783    {
2784      dateValues[i] =
2785           StaticUtils.decodeGeneralizedTime(values[i].stringValue());
2786    }
2787
2788    return dateValues;
2789  }
2790
2791
2792
2793  /**
2794   * Creates an array of ASN.1 octet strings with the provided set of values.
2795   *
2796   * @param  dates  The dates from which to create the values.  It may be
2797   *                {@code null} or empty if there should be no values.
2798   *
2799   * @return  The array of ASN.1 octet strings.
2800   */
2801  private static ASN1OctetString[] createValues(final Date... dates)
2802  {
2803    if ((dates == null) || (dates.length == 0))
2804    {
2805      return NO_VALUES;
2806    }
2807
2808    final ArrayList<ASN1OctetString> valueList =
2809         new ArrayList<ASN1OctetString>(dates.length);
2810    for (final Date d : dates)
2811    {
2812      if (d != null)
2813      {
2814        valueList.add(new ASN1OctetString(
2815             StaticUtils.encodeGeneralizedTime(d)));
2816      }
2817    }
2818
2819    return valueList.toArray(NO_VALUES);
2820  }
2821
2822
2823
2824  /**
2825   * Encodes this password policy state operation for use in the extended
2826   * request or response.
2827   *
2828   * @return  An ASN.1 element containing an encoded representation of this
2829   *          password policy state operation.
2830   */
2831  public ASN1Element encode()
2832  {
2833    final ASN1Element[] elements;
2834    if (values.length > 0)
2835    {
2836      elements = new ASN1Element[]
2837      {
2838        new ASN1Enumerated(opType),
2839        new ASN1Sequence(values)
2840      };
2841    }
2842    else
2843    {
2844      elements = new ASN1Element[]
2845      {
2846        new ASN1Enumerated(opType),
2847      };
2848    }
2849
2850    return new ASN1Sequence(elements);
2851  }
2852
2853
2854
2855  /**
2856   * Decodes the provided ASN.1 element as a password policy state operation.
2857   *
2858   * @param  element  The ASN.1 element to be decoded.
2859   *
2860   * @return  The decoded password policy state operation.
2861   *
2862   * @throws  LDAPException  If a problem occurs while attempting to decode the
2863   *                         provided ASN.1 element as a password policy state
2864   *                         operation.
2865   */
2866  public static PasswordPolicyStateOperation decode(final ASN1Element element)
2867         throws LDAPException
2868  {
2869    final ASN1Element[] elements;
2870    try
2871    {
2872      elements = ASN1Sequence.decodeAsSequence(element).elements();
2873    }
2874    catch (final Exception e)
2875    {
2876      Debug.debugException(e);
2877      throw new LDAPException(ResultCode.DECODING_ERROR,
2878           ERR_PWP_STATE_ELEMENT_NOT_SEQUENCE.get(e), e);
2879    }
2880
2881    if ((elements.length < 1) || (elements.length > 2))
2882    {
2883      throw new LDAPException(ResultCode.DECODING_ERROR,
2884                              ERR_PWP_STATE_INVALID_ELEMENT_COUNT.get(
2885                                   elements.length));
2886    }
2887
2888    final int opType;
2889    try
2890    {
2891      opType = ASN1Enumerated.decodeAsEnumerated(elements[0]).intValue();
2892    }
2893    catch (final Exception e)
2894    {
2895      Debug.debugException(e);
2896      throw new LDAPException(ResultCode.DECODING_ERROR,
2897           ERR_PWP_STATE_OP_TYPE_NOT_INTEGER.get(e), e);
2898    }
2899
2900    final ASN1OctetString[] values;
2901    if (elements.length == 2)
2902    {
2903      try
2904      {
2905        final ASN1Element[] valueElements =
2906             ASN1Sequence.decodeAsSequence(elements[1]).elements();
2907        values = new ASN1OctetString[valueElements.length];
2908        for (int i=0; i < valueElements.length; i++)
2909        {
2910          values[i] = ASN1OctetString.decodeAsOctetString(valueElements[i]);
2911        }
2912      }
2913      catch (final Exception e)
2914      {
2915        Debug.debugException(e);
2916        throw new LDAPException(ResultCode.DECODING_ERROR,
2917             ERR_PWP_STATE_CANNOT_DECODE_VALUES.get(e), e);
2918      }
2919    }
2920    else
2921    {
2922      values = NO_VALUES;
2923    }
2924
2925    return new PasswordPolicyStateOperation(opType, values);
2926  }
2927
2928
2929
2930  /**
2931   * Retrieves a string representation of this password policy state operation.
2932   *
2933   * @return  A string representation of this password policy state operation.
2934   */
2935  @Override()
2936  public String toString()
2937  {
2938    final StringBuilder buffer = new StringBuilder();
2939    toString(buffer);
2940    return buffer.toString();
2941  }
2942
2943
2944
2945  /**
2946   * Appends a string representation of this password policy state operation to
2947   * the provided buffer.
2948   *
2949   * @param  buffer  The buffer to which the information should be appended.
2950   */
2951  public void toString(final StringBuilder buffer)
2952  {
2953    buffer.append("PasswordPolicyStateOperation(opType=");
2954    buffer.append(opType);
2955
2956    if (values.length > 0)
2957    {
2958      buffer.append(", values={");
2959      for (int i=0; i < values.length; i++)
2960      {
2961        if (i > 0)
2962        {
2963          buffer.append(", ");
2964        }
2965
2966        buffer.append('\'');
2967        buffer.append(values[i].stringValue());
2968        buffer.append('\'');
2969      }
2970      buffer.append('}');
2971    }
2972
2973    buffer.append(')');
2974  }
2975}