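/*
 * Copyright 2017-2020 Ping Identity Corporation
 * All Rights Reserved.
 */
/*
 * Copyright 2017-2020 Ping Identity Corporation
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
/*
 * Copyright (C) 2017-2020 Ping Identity Corporation
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License (GPLv2 only)
 * or the terms of the GNU Lesser General Public License (LGPLv2.1 only)
 * as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see <http://www.gnu.org/licenses>.
 */
package com.unboundid.ldap.listener;



import java.util.List;
import java.util.Objects;

import com.unboundid.asn1.ASN1OctetString;
import com.unboundid.ldap.matchingrules.OctetStringMatchingRule;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ReadOnlyEntry;
import com.unboundid.util.ThreadSafety;
import com.unboundid.util.ThreadSafetyLevel;



/**
 * This class provides a data structure that encapsulates a password used by the
 * in-memory directory server.  It may be optionally associated with an
 * {@link InMemoryPasswordEncoder}.  Instances are immutable:  every field is
 * assigned once in the constructor and never modified afterward.
 */
@ThreadSafety(level=ThreadSafetyLevel.COMPLETELY_THREADSAFE)
public final class InMemoryDirectoryServerPassword
{
  // The password as it is (or has the potential to be) stored in the in-memory
  // directory server.
  private final ASN1OctetString storedPassword;

  // The password encoder that should be used when interacting with the stored
  // password, or null if no configured encoder recognizes its prefix (in which
  // case the stored value is treated as clear text).
  private final InMemoryPasswordEncoder passwordEncoder;

  // The user entry with which the stored password is associated.
  private final ReadOnlyEntry userEntry;

  // The name of the attribute with which the stored password is associated.
  private final String attributeName;



  /**
   * Creates a new in-memory directory server password with the provided
   * information.
   *
   * @param  storedPassword    The password as it is (or has the potential to
   *                           be) stored in the in-memory directory server.  It
   *                           must not be {@code null}.
   * @param  userEntry         The user entry with which the stored password is
   *                           associated.  It must not be {@code null}.
   * @param  attributeName     The name of the attribute with which the stored
   *                           password is associated.  It must not be
   *                           {@code null}.
   * @param  passwordEncoders  The set of password encoders configured for the
   *                           in-memory directory server.  It must not be
   *                           {@code null} but may be empty.
   *
   * @throws  NullPointerException  If any of the provided arguments is
   *                                {@code null}.
   */
  InMemoryDirectoryServerPassword(final ASN1OctetString storedPassword,
       final ReadOnlyEntry userEntry, final String attributeName,
       final List<InMemoryPasswordEncoder> passwordEncoders)
  {
    // Fail fast on a violated precondition instead of surfacing a
    // NullPointerException later from an encoder or matching-rule call.
    this.storedPassword =
         Objects.requireNonNull(storedPassword, "storedPassword");
    this.userEntry = Objects.requireNonNull(userEntry, "userEntry");
    this.attributeName = Objects.requireNonNull(attributeName, "attributeName");
    Objects.requireNonNull(passwordEncoders, "passwordEncoders");

    // The first configured encoder whose prefix matches the stored value
    // claims it.  If none matches, the value is considered to be clear text.
    InMemoryPasswordEncoder encoder = null;
    for (final InMemoryPasswordEncoder e : passwordEncoders)
    {
      if (e.passwordStartsWithPrefix(storedPassword))
      {
        encoder = e;
        break;
      }
    }

    passwordEncoder = encoder;
  }



  /**
   * Retrieves the password as it is (or has the potential to be) stored in the
   * in-memory directory server.  If the {@link #isEncoded()} method returns
   * {@code true}, then the stored password will be treated as an encoded
   * password.  Otherwise, it will be treated as a clear-text password with
   * no encoding or output formatting.
   *
   * @return  The password as it is (or has the potential to be) stored in the
   *          in-memory directory server.
   */
  public ASN1OctetString getStoredPassword()
  {
    return storedPassword;
  }



  /**
   * Retrieves the name of the attribute with which the stored password is
   * associated.
   *
   * @return  The name of the attribute with which the stored password is
   *          associated.
   */
  public String getAttributeName()
  {
    return attributeName;
  }



  /**
   * Indicates whether the stored password is encoded or in the clear.
   *
   * @return  {@code true} if the stored password is encoded, or {@code false}
   *          if it is in the clear.
   */
  public boolean isEncoded()
  {
    return (passwordEncoder != null);
  }



  /**
   * Retrieves the password encoder that should be used to interact with the
   * stored password.
   *
   * @return  The password encoder that should be used to interact with the
   *          stored password, or {@code null} if the password is not encoded.
   */
  public InMemoryPasswordEncoder getPasswordEncoder()
  {
    return passwordEncoder;
  }



  /**
   * Retrieves the clear-text representation of the stored password, if it
   * is possible to obtain it.  If the password is not encoded, then the stored
   * password will be returned as-is.  If the stored password is encoded, then
   * the {@link InMemoryPasswordEncoder#extractClearPasswordFromEncodedPassword}
   * method will be used in an attempt to obtain it.  Because the returned
   * value is a clear-text credential, callers should avoid logging or
   * otherwise persisting it.
   *
   * @return  The clear-text representation of the stored password.
   *
   * @throws  LDAPException  If the stored password is encoded using a mechanism
   *                         that does not permit extracting the clear-text
   *                         password.
   */
  public ASN1OctetString getClearPassword()
         throws LDAPException
  {
    if (passwordEncoder == null)
    {
      return storedPassword;
    }
    else
    {
      return passwordEncoder.extractClearPasswordFromEncodedPassword(
           storedPassword, userEntry);
    }
  }



  /**
   * Indicates whether this password matches the provided clear-text password.
   *
   * @param  clearPassword  The clear-text password for which to make the
   *                        determination.
   *
   * @return  {@code true} if this password matches the provided clear-text
   *          password, or {@code false} if not.
   *
   * @throws  LDAPException  If a problem is encountered while trying to make
   *                         the determination.
   */
  public boolean matchesClearPassword(final ASN1OctetString clearPassword)
         throws LDAPException
  {
    if (passwordEncoder == null)
    {
      // No encoder claimed the stored value, so compare the raw octets through
      // the octet string matching rule.
      // NOTE(review): this is presumably a plain byte comparison rather than a
      // constant-time one -- confirm whether that matters where this server is
      // deployed beyond test use.
      return OctetStringMatchingRule.getInstance().valuesMatch(clearPassword,
           storedPassword);
    }
    else
    {
      // Delegate to the encoder so that its own scheme (salting, hashing,
      // output formatting) decides whether the clear value matches.
      return passwordEncoder.clearPasswordMatchesEncodedPassword(clearPassword,
           storedPassword, userEntry);
    }
  }
}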