View Javadoc
1   /*
2    *   Licensed to the Apache Software Foundation (ASF) under one
3    *   or more contributor license agreements.  See the NOTICE file
4    *   distributed with this work for additional information
5    *   regarding copyright ownership.  The ASF licenses this file
6    *   to you under the Apache License, Version 2.0 (the
7    *   "License"); you may not use this file except in compliance
8    *   with the License.  You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   *   Unless required by applicable law or agreed to in writing,
13   *   software distributed under the License is distributed on an
14   *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   *   KIND, either express or implied.  See the License for the
16   *   specific language governing permissions and limitations
17   *   under the License.
18   *
19   */
20  
21  package org.apache.directory.server.core.api.authn.ppolicy;
22  
23  
24  import org.apache.directory.api.ldap.model.constants.SchemaConstants;
25  import org.apache.directory.api.ldap.model.exception.LdapException;
26  
27  
28  /**
29   * A simple pojo holding the password policy configuration base on 
30   * <a href="http://tools.ietf.org/html/draft-behera-ldap-password-policy-10">this draft</a>.
31   * 
32   * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
33   */
34  public class PasswordPolicyConfiguration
35  {
36      /**
37       * The name of the attribute to which the password policy is applied. 
38       * The default value is "userPassword"
39       */
40      private String pwdAttribute = SchemaConstants.USER_PASSWORD_AT;
41  
42      /** 
43       * holds the number of seconds that must elapse between modifications to the password. 
44       * Default value is 0 
45       */
46      private int pwdMinAge = 0;
47  
48      /**
49       *  holds the number of seconds after which a modified password will expire.
50       *  Default value is 0, does not expire.  If not 0, the value must be greater than or equal
51       *  to the value of the pwdMinAge.
52       */
53      private int pwdMaxAge = 0;
54  
55      /**
56       *  specifies the maximum number of used passwords stored in the pwdHistory attribute.
57       *  Default value is 0, no password history maintained
58       */
59      private int pwdInHistory = 0;
60  
61      /** indicates how the password quality will be verified while being modified or added.
62       *  Default value NO_CHECK, do not check 
63       */
64      private CheckQualityEnum pwdCheckQuality = CheckQualityEnum.NO_CHECK;
65  
66      /** this attribute holds the minimum number of characters that must be used in a password. 
67       *  Default value 0, no minimum length enforced
68       */
69      private int pwdMinLength = 0;
70  
71      /**
72       * this attribute holds the maximum number of characters that may be used in a password.
73       * Default value 0, no maximum length enforced
74       */
75      private int pwdMaxLength = 0;
76  
77      /**
78       * the maximum number of seconds before a password is due to expire that expiration warning
79       * messages will be returned to an authenticating user.
80       * Default value is 0, never send a warning message.
81       */
82      private int pwdExpireWarning = 0;
83  
84      /** 
85       * the number of times an expired password can be used to authenticate.
86       * Default value is 0, do not allow a expired password for authentication.
87       */
88      private int pwdGraceAuthNLimit = 0;
89  
90      /** 
91       * specifies the number of seconds the grace authentications are valid
92       * Default value is 0, no limit.
93       */
94      private int pwdGraceExpire = 0;
95  
96      /**
97       * flag to indicate if the account needs to be locked after a specified number of
98       * consecutive failed bind attempts. The maximum number of consecutive
99       * failed bind attempts is specified in {@link #pwdMaxFailure}
100      */
101     private boolean pwdLockout = false;
102 
103     /**
104      * the number of seconds that the password cannot be used to authenticate due to 
105      * too many failed bind attempts.
106      * Default value is 300 seconds.
107      */
108     private int pwdLockoutDuration = 300;
109 
110     /**
111      * the number of consecutive failed bind attempts after which the password may not 
112      * be used to authenticate.
113      * Default value is 0, no limit on the number of authentication failures
114      */
115     private int pwdMaxFailure = 0;
116 
117     /**
118      * the number of seconds after which the password failures are purged from the failure counter.
119      * Default value is 0, reset all pwdFailureTimes after a successful authentication.
120      */
121     private int pwdFailureCountInterval = 0;
122 
123     /** 
124      * flag to indicate if the password must be changed by the user after they bind to the 
125      * directory after a password is set or reset by a password administrator.
126      * Default value is false, no need to change the password by user.
127      */
128     private boolean pwdMustChange = false;
129 
130     /** indicates whether users can change their own passwords. Default value is true, allow change */
131     private boolean pwdAllowUserChange = true;
132 
133     /**
134      *  flag to specify whether or not the existing password must be sent along with the
135      *  new password when being changed.
136      *  Default value is false.
137      */
138     private boolean pwdSafeModify = false;
139 
140     /** 
141      * the number of seconds to delay responding to the first failed authentication attempt
142      * Default value 0, no delay.
143      */
144     private int pwdMinDelay = 0;
145 
146     /** the maximum number of seconds to delay when responding to a failed authentication attempt.*/
147     private int pwdMaxDelay = 0;
148 
149     /** 
150      * the number of seconds an account may remain unused before it becomes locked
151      * Default value is 0, no check for idle time.
152      */
153     private int pwdMaxIdle = 0;
154 
155     /** validator used for checking the quality of password */
156     private PasswordValidator pwdValidator = DefaultPasswordValidator.INSTANCE;
157 
158 
159     /**
160      * @return The name of the attribute used to store the password
161      */
162     public String getPwdAttribute()
163     {
164         return pwdAttribute;
165     }
166 
167 
168     /**
169      * Set the name of the attribute storing the password
170      * @param pwdAttribute The attribute's name
171      */
172     public void setPwdAttribute( String pwdAttribute )
173     {
174         this.pwdAttribute = pwdAttribute;
175     }
176 
177 
178     /**
179      * @return The time that should elapse before we can change the password
180      */
181     public int getPwdMinAge()
182     {
183         return pwdMinAge;
184     }
185 
186 
187     public void setPwdMinAge( int pwdMinAge )
188     {
189         this.pwdMinAge = pwdMinAge;
190     }
191 
192 
193     public int getPwdMaxAge()
194     {
195         return pwdMaxAge;
196     }
197 
198 
199     public void setPwdMaxAge( int pwdMaxAge )
200     {
201         this.pwdMaxAge = pwdMaxAge;
202     }
203 
204 
205     public int getPwdInHistory()
206     {
207         return pwdInHistory;
208     }
209 
210 
211     public void setPwdInHistory( int pwdInHistory )
212     {
213         this.pwdInHistory = pwdInHistory;
214     }
215 
216 
217     /**
218      * @return The Password Check Quality 
219      */
220     public CheckQualityEnum getPwdCheckQuality()
221     {
222         return pwdCheckQuality;
223     }
224 
225 
226     public void setPwdCheckQuality( CheckQualityEnum pwdCheckQuality )
227     {
228         this.pwdCheckQuality = pwdCheckQuality;
229     }
230 
231 
232     public int getPwdMinLength()
233     {
234         return pwdMinLength;
235     }
236 
237 
238     public void setPwdMinLength( int pwdMinLength )
239     {
240         this.pwdMinLength = pwdMinLength;
241     }
242 
243 
244     public int getPwdMaxLength()
245     {
246         return pwdMaxLength;
247     }
248 
249 
250     public void setPwdMaxLength( int pwdMaxLength )
251     {
252         this.pwdMaxLength = pwdMaxLength;
253     }
254 
255 
256     public int getPwdExpireWarning()
257     {
258         return pwdExpireWarning;
259     }
260 
261 
262     public void setPwdExpireWarning( int pwdExpireWarning )
263     {
264         this.pwdExpireWarning = pwdExpireWarning;
265     }
266 
267 
268     public int getPwdGraceAuthNLimit()
269     {
270         return pwdGraceAuthNLimit;
271     }
272 
273 
274     public void setPwdGraceAuthNLimit( int pwdGraceAuthNLimit )
275     {
276         this.pwdGraceAuthNLimit = pwdGraceAuthNLimit;
277     }
278 
279 
280     public int getPwdGraceExpire()
281     {
282         return pwdGraceExpire;
283     }
284 
285 
286     public void setPwdGraceExpire( int pwdGraceExpire )
287     {
288         this.pwdGraceExpire = pwdGraceExpire;
289     }
290 
291 
292     public boolean isPwdLockout()
293     {
294         return pwdLockout;
295     }
296 
297 
298     public void setPwdLockout( boolean pwdLockout )
299     {
300         this.pwdLockout = pwdLockout;
301     }
302 
303 
304     public int getPwdLockoutDuration()
305     {
306         return pwdLockoutDuration;
307     }
308 
309 
310     public void setPwdLockoutDuration( int pwdLockoutDuration )
311     {
312         this.pwdLockoutDuration = pwdLockoutDuration;
313     }
314 
315 
316     public int getPwdMaxFailure()
317     {
318         return pwdMaxFailure;
319     }
320 
321 
322     public void setPwdMaxFailure( int pwdMaxFailure )
323     {
324         this.pwdMaxFailure = pwdMaxFailure;
325     }
326 
327 
328     public int getPwdFailureCountInterval()
329     {
330         return pwdFailureCountInterval;
331     }
332 
333 
334     public void setPwdFailureCountInterval( int pwdFailureCountInterval )
335     {
336         this.pwdFailureCountInterval = pwdFailureCountInterval;
337     }
338 
339 
340     public boolean isPwdMustChange()
341     {
342         return pwdMustChange;
343     }
344 
345 
346     public void setPwdMustChange( boolean pwdMustChange )
347     {
348         this.pwdMustChange = pwdMustChange;
349     }
350 
351 
352     public boolean isPwdAllowUserChange()
353     {
354         return pwdAllowUserChange;
355     }
356 
357 
358     public void setPwdAllowUserChange( boolean pwdAllowUserChange )
359     {
360         this.pwdAllowUserChange = pwdAllowUserChange;
361     }
362 
363 
364     public boolean isPwdSafeModify()
365     {
366         return pwdSafeModify;
367     }
368 
369 
370     public void setPwdSafeModify( boolean pwdSafeModify )
371     {
372         this.pwdSafeModify = pwdSafeModify;
373     }
374 
375 
376     public int getPwdMinDelay()
377     {
378         return pwdMinDelay;
379     }
380 
381 
382     public void setPwdMinDelay( int pwdMinDelay )
383     {
384         this.pwdMinDelay = pwdMinDelay;
385     }
386 
387 
388     public int getPwdMaxDelay()
389     {
390         return pwdMaxDelay;
391     }
392 
393 
394     public void setPwdMaxDelay( int pwdMaxDelay )
395     {
396         this.pwdMaxDelay = pwdMaxDelay;
397     }
398 
399 
400     public int getPwdMaxIdle()
401     {
402         return pwdMaxIdle;
403     }
404 
405 
406     public void setPwdMaxIdle( int pwdMaxIdle )
407     {
408         this.pwdMaxIdle = pwdMaxIdle;
409     }
410 
411 
412     /**
413      * @return the pwdValidator
414      */
415     public PasswordValidator getPwdValidator()
416     {
417         return pwdValidator;
418     }
419 
420 
421     /**
422      * @param pwdValidator the pwdValidator to set
423      */
424     public void setPwdValidator( PasswordValidator pwdValidator )
425     {
426         this.pwdValidator = pwdValidator;
427     }
428 
429 
430     /**
431      * validates the policy configuration and throws a LdapException if there are any errors
432      * 
433      * @throws LdapException if there are any errors in the configuration
434      */
435     public void validate() throws LdapException
436     {
437         StringBuilder sb = new StringBuilder();
438 
439         int errCount = 0;
440 
441         if ( pwdMinAge < 0 )
442         {
443             sb.append( ++errCount ).append( ". password minimum age cannot be negative\n" );
444         }
445 
446         if ( pwdMaxAge < 0 )
447         {
448             sb.append( ++errCount ).append( ". password maximum age cannot be negative\n" );
449         }
450 
451         if ( ( pwdMaxAge > 0 ) && ( pwdMaxAge < pwdMinAge ) )
452         {
453             sb.append( ++errCount ).append( ". password maximum age should be greater than the minimum age\n" );
454         }
455 
456         if ( pwdInHistory < 0 )
457         {
458             sb.append( ++errCount ).append( ". password history count cannot be negative\n" );
459         }
460 
461         if ( pwdCheckQuality == CheckQualityEnum.UNKNOW )
462         {
463             sb.append( ++errCount ).append( ". invalid password quality check value, valid values are 0, 1 and 2 \n" );
464         }
465 
466         if ( pwdMinLength < 0 )
467         {
468             sb.append( ++errCount ).append( ". password minimum length cannot be negative\n" );
469         }
470 
471         if ( pwdMaxLength < 0 )
472         {
473             sb.append( ++errCount ).append( ". password maximum length cannot be negative\n" );
474         }
475 
476         if ( ( pwdMaxLength > 0 ) && ( pwdMaxLength < pwdMinLength ) )
477         {
478             sb.append( ++errCount ).append( ". password maximum length should be greater than minimum length\n" );
479         }
480 
481         if ( pwdExpireWarning < 0 )
482         {
483             sb.append( ++errCount ).append( ". password expire warning time cannot be negative\n" );
484         }
485 
486         if ( pwdGraceAuthNLimit < 0 )
487         {
488             sb.append( ++errCount ).append( ". password grace authentication limits cannot be negative\n" );
489         }
490 
491         if ( pwdGraceExpire < 0 )
492         {
493             sb.append( ++errCount ).append( ". password grace expiration time cannot be negative\n" );
494         }
495 
496         if ( pwdLockoutDuration < 0 )
497         {
498             sb.append( ++errCount ).append( ". password lockout duration time cannot be negative\n" );
499         }
500 
501         if ( pwdMaxFailure < 0 )
502         {
503             sb.append( ++errCount ).append( ". password maximum failure count cannot be negative\n" );
504         }
505 
506         if ( pwdFailureCountInterval < 0 )
507         {
508             sb.append( ++errCount ).append( ". password failure count interval time cannot be negative\n" );
509         }
510 
511         if ( ( ( pwdMinDelay > 0 ) && ( pwdMaxDelay <= 0 ) )
512             || ( ( pwdMaxDelay > 0 ) && ( pwdMinDelay <= 0 ) ) )
513         {
514             sb
515                 .append( ++errCount )
516                 .append(
517                     ". if password minimum or maximum delay time is specified then the correspomding maximu or minimum delay time should also be specified\n" );
518         }
519         else
520         // just to avoid both warnings
521         {
522             if ( pwdMinDelay < 0 )
523             {
524                 sb.append( ++errCount ).append( ". password minimum delay time cannot be negative\n" );
525             }
526 
527             if ( pwdMaxDelay < 0 )
528             {
529                 sb.append( ++errCount ).append( ". password maximum delay time cannot be negative\n" );
530             }
531         }
532 
533         if ( pwdMaxIdle < 0 )
534         {
535             sb.append( ++errCount ).append( ". password maximum idle time cannot be negative\n" );
536         }
537 
538         if ( errCount > 0 )
539         {
540             throw new LdapException( "There are errors in password policy configuration\n" + sb.toString() );
541         }
542     }
543 }