package org.apache.directory.server.core.authn;

import java.io.IOException;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.EnumMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyErrorEnum;
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyResponseImpl;
import org.apache.directory.api.ldap.model.constants.AuthenticationLevel;
import org.apache.directory.api.ldap.model.constants.SchemaConstants;
import org.apache.directory.api.ldap.model.entry.Attribute;
import org.apache.directory.api.ldap.model.entry.DefaultAttribute;
import org.apache.directory.api.ldap.model.entry.DefaultModification;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.entry.Modification;
import org.apache.directory.api.ldap.model.entry.ModificationOperation;
import org.apache.directory.api.ldap.model.entry.Value;
import org.apache.directory.api.ldap.model.exception.LdapAuthenticationException;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.exception.LdapNoPermissionException;
import org.apache.directory.api.ldap.model.exception.LdapOperationException;
import org.apache.directory.api.ldap.model.exception.LdapOtherException;
import org.apache.directory.api.ldap.model.exception.LdapUnwillingToPerformException;
import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.api.ldap.model.password.PasswordUtil;
import org.apache.directory.api.ldap.model.schema.AttributeType;
import org.apache.directory.api.util.DateUtils;
import org.apache.directory.api.util.Strings;
import org.apache.directory.server.constants.ServerDNConstants;
import org.apache.directory.server.core.api.CoreSession;
import org.apache.directory.server.core.api.DirectoryService;
import org.apache.directory.server.core.api.InterceptorEnum;
import org.apache.directory.server.core.api.LdapPrincipal;
import org.apache.directory.server.core.api.authn.ppolicy.CheckQualityEnum;
import org.apache.directory.server.core.api.authn.ppolicy.DefaultPasswordValidator;
import org.apache.directory.server.core.api.authn.ppolicy.PasswordPolicyConfiguration;
import org.apache.directory.server.core.api.authn.ppolicy.PasswordPolicyException;
import org.apache.directory.server.core.api.authn.ppolicy.PasswordValidator;
import org.apache.directory.server.core.api.filtering.EntryFilteringCursor;
import org.apache.directory.server.core.api.interceptor.BaseInterceptor;
import org.apache.directory.server.core.api.interceptor.context.AddOperationContext;
import org.apache.directory.server.core.api.interceptor.context.BindOperationContext;
import org.apache.directory.server.core.api.interceptor.context.CompareOperationContext;
import org.apache.directory.server.core.api.interceptor.context.DeleteOperationContext;
import org.apache.directory.server.core.api.interceptor.context.GetRootDseOperationContext;
import org.apache.directory.server.core.api.interceptor.context.HasEntryOperationContext;
import org.apache.directory.server.core.api.interceptor.context.LookupOperationContext;
import org.apache.directory.server.core.api.interceptor.context.ModifyOperationContext;
import org.apache.directory.server.core.api.interceptor.context.MoveAndRenameOperationContext;
import org.apache.directory.server.core.api.interceptor.context.MoveOperationContext;
import org.apache.directory.server.core.api.interceptor.context.OperationContext;
import org.apache.directory.server.core.api.interceptor.context.RenameOperationContext;
import org.apache.directory.server.core.api.interceptor.context.SearchOperationContext;
import org.apache.directory.server.core.api.interceptor.context.UnbindOperationContext;
import org.apache.directory.server.core.api.partition.Partition;
import org.apache.directory.server.core.api.partition.PartitionWriteTxn;
import org.apache.directory.server.core.authn.ppolicy.PpolicyConfigContainer;
import org.apache.directory.server.core.shared.DefaultCoreSession;
import org.apache.directory.server.i18n.I18n;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/directory/server/core/authn/AuthenticationInterceptor.class */
public class AuthenticationInterceptor extends BaseInterceptor {
    // Class-wide SLF4J logger.
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) AuthenticationInterceptor.class);
    // Sampled once when the class is initialized: a log-level change made later is not reflected by this constant.
    private static final boolean IS_DEBUG = LOG.isDebugEnabled();
    // Every authenticator known to this interceptor. The reference itself is replaced by
    // setAuthenticators(Set) and destroy(), and is handed out as-is by getAuthenticators().
    private Set<Authenticator> authenticators;
    // Authenticators grouped by the level they report through getAuthenticatorType(); bind() selects from this map.
    private final EnumMap<AuthenticationLevel, Collection<Authenticator>> authenticatorsMapByType;
    // Obtained from DirectoryService.getAdminSession() in init(); used for the internal lookups and
    // password-policy state writes performed during bind().
    private CoreSession adminSession;
    // Attribute types of the password-policy state attributes read and written below.
    // They are not assigned in the visible part of this file; presumably
    // loadPwdPolicyStateAttributeTypes() (called from init()) resolves them - TODO confirm.
    private AttributeType pwdResetAT;
    private AttributeType pwdChangedTimeAT;
    private AttributeType pwdHistoryAT;
    private AttributeType pwdFailurTimeAT;
    private AttributeType pwdAccountLockedTimeAT;
    private AttributeType pwdLastSuccessAT;
    private AttributeType pwdGraceUseTimeAT;
    private AttributeType pwdPolicySubentryAT;
    private AttributeType pwdStartTimeAT;
    private AttributeType pwdEndTimeAT;
    // NOTE(review): neither read nor written in the visible code; presumably consulted by getPwdPolicy() - confirm.
    private PpolicyConfigContainer pwdPolicyContainer;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/directory/server/core/authn/AuthenticationInterceptor$PwdModDetailsHolder.class */
    /**
     * Plain mutable holder for the facts gathered about a password modification.
     *
     * <p>All four flags start as {@code false} and {@code newPwd} starts as {@code null}.
     * In the visible code, {@code processPasswordPolicydModify} reads
     * {@link #isPwdModPresent()}, {@link #isAddOrReplace()} and {@link #getNewPwd()}.
     *
     * <p>The password bytes are stored and returned by reference, without copying:
     * whoever holds the array also controls its lifetime and any later scrubbing.
     */
    public static class PwdModDetailsHolder {
        private boolean pwdModPresent = false;
        private boolean isDelete = false;
        private boolean isAddOrReplace = false;
        private boolean otherModExists = false;
        // Candidate password exactly as supplied to setNewPwd(); never copied.
        private byte[] newPwd;

        /** Instances are created only by the enclosing class. */
        private PwdModDetailsHolder() {
        }

        /** @return the current value of the "password modification present" flag */
        public boolean isPwdModPresent() {
            return pwdModPresent;
        }

        /** @param z new value of the "password modification present" flag */
        public void setPwdModPresent(boolean z) {
            pwdModPresent = z;
        }

        /** @return the current value of the "delete" flag */
        public boolean isDelete() {
            return isDelete;
        }

        /** @param z new value of the "delete" flag */
        public void setDelete(boolean z) {
            isDelete = z;
        }

        /** @return the current value of the "add or replace" flag */
        public boolean isAddOrReplace() {
            return isAddOrReplace;
        }

        /** @param z new value of the "add or replace" flag */
        public void setAddOrReplace(boolean z) {
            isAddOrReplace = z;
        }

        /** @return the current value of the "other modification exists" flag */
        public boolean isOtherModExists() {
            return otherModExists;
        }

        /** @param z new value of the "other modification exists" flag */
        public void setOtherModExists(boolean z) {
            otherModExists = z;
        }

        /** @return the stored password bytes (the same array instance that was set), or {@code null} */
        public byte[] getNewPwd() {
            return newPwd;
        }

        /** @param bArr password bytes to keep; the array is stored as-is, not copied */
        public void setNewPwd(byte[] bArr) {
            newPwd = bArr;
        }
    }

    /**
     * Creates the interceptor with no authenticators configured.
     *
     * <p>Both the flat authenticator set and the per-level map start empty;
     * {@code init} installs the defaults when nothing has been configured by then.
     */
    public AuthenticationInterceptor() {
        super(InterceptorEnum.AUTHENTICATION_INTERCEPTOR);
        authenticatorsMapByType = new EnumMap<>(AuthenticationLevel.class);
        authenticators = new HashSet<>();
    }

    /**
     * Initializes the interceptor: captures the admin session, registers every
     * configured authenticator, then loads the password-policy attribute types.
     *
     * <p>When no authenticator has been configured, the defaults from
     * {@code setDefaultAuthenticators()} are installed first.
     *
     * @param directoryService the service this interceptor belongs to
     * @throws LdapException if the parent initialization or an authenticator registration fails
     */
    @Override
    public void init(DirectoryService directoryService) throws LdapException {
        super.init(directoryService);
        adminSession = directoryService.getAdminSession();

        boolean nothingConfigured = authenticators == null || authenticators.isEmpty();
        if (nothingConfigured) {
            setDefaultAuthenticators();
        }

        // register() re-adds each element to the set being iterated; for an element
        // already present that add leaves the set unchanged.
        for (Authenticator configured : authenticators) {
            register(configured, directoryService);
        }

        loadPwdPolicyStateAttributeTypes();
    }

    /**
     * Replaces the configured authenticators with the three defaults
     * (anonymous, simple and strong), each rooted at {@code Dn.ROOT_DSE}.
     *
     * <p>Only the flat set is filled here; the per-level map is populated when
     * {@code register} is called for each element.
     */
    private void setDefaultAuthenticators() {
        if (authenticators != null) {
            authenticators.clear();
        } else {
            authenticators = new HashSet<>();
        }

        // The anonymous authenticator is part of the defaults; bind() additionally
        // consults DirectoryService.isAllowAnonymousAccess().
        authenticators.add(new AnonymousAuthenticator(Dn.ROOT_DSE));
        authenticators.add(new SimpleAuthenticator(Dn.ROOT_DSE));
        authenticators.add(new StrongAuthenticator(Dn.ROOT_DSE));
    }

    /**
     * Returns the set of configured authenticators.
     *
     * <p>This is the interceptor's own set, not a copy: a caller that mutates it
     * changes the configuration without updating the per-level map used by bind.
     *
     * @return the live authenticator set
     */
    public Set<Authenticator> getAuthenticators() {
        return authenticators;
    }

    /**
     * Sets the authenticators to use; {@code null} empties the current set.
     *
     * <p>The given set is stored by reference and nothing is registered here:
     * the per-level map is left untouched, and the visible code only fills it
     * from {@code init} or the array overload.
     *
     * @param set the authenticators to adopt, or {@code null} to clear the current ones
     */
    public void setAuthenticators(Set<Authenticator> set) {
        if (set != null) {
            authenticators = set;
            return;
        }
        authenticators.clear();
    }

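    /**
     * Replaces all authenticators with the given ones and registers each immediately.
     *
     * <p>Both the flat set and the per-level map are cleared first. An authenticator
     * whose registration fails is logged and skipped, so the resulting configuration
     * can contain fewer authenticators than were passed in; check the log after
     * reconfiguring.
     *
     * @param authenticatorArr the authenticators to install, must not be {@code null}
     * @throws IllegalArgumentException if {@code authenticatorArr} is {@code null}
     */
    public void setAuthenticators(Authenticator[] authenticatorArr) {
        if (authenticatorArr == null) {
            throw new IllegalArgumentException("The given authenticators set is null");
        }
        this.authenticators.clear();
        this.authenticatorsMapByType.clear();
        for (Authenticator authenticator : authenticatorArr) {
            try {
                register(authenticator, this.directoryService);
            } catch (LdapException e) {
                // Keep the cause in the log: a silently missing authenticator changes
                // which bind mechanisms the server accepts.
                LOG.error("Cannot register authenticator {}", authenticator, e);
            }
        }
    }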

    /**
     * Drops every registered authenticator and calls {@code destroy()} on each.
     *
     * <p>The per-level map and the flat set are emptied before the authenticators
     * are destroyed, working from a snapshot of the previous set.
     */
    @Override
    public void destroy() {
        authenticatorsMapByType.clear();

        Set<Authenticator> retired = new HashSet<>(authenticators);
        authenticators = new HashSet<>();

        for (Authenticator each : retired) {
            each.destroy();
        }
    }

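    /**
     * Initializes an authenticator and records it in the flat set and in the
     * per-level map, under the level it reports through {@code getAuthenticatorType()}.
     *
     * <p>The authenticator is initialized first; if that throws, nothing is recorded.
     * An authenticator already listed for its level is not added a second time.
     *
     * @param authenticator the authenticator to register
     * @param directoryService the service passed to {@code Authenticator.init}
     * @throws LdapException if the authenticator fails to initialize
     */
    private void register(Authenticator authenticator, DirectoryService directoryService) throws LdapException {
        authenticator.init(directoryService);
        this.authenticators.add(authenticator);

        AuthenticationLevel level = authenticator.getAuthenticatorType();
        // getAuthenticators(level) yields null for "no entry" and for "empty entry" alike.
        Collection<Authenticator> sameLevel = getAuthenticators(level);
        if (sameLevel == null) {
            sameLevel = new ArrayList<>();
            // Key is the level, value is the collection (the decompiled casts had them crossed).
            this.authenticatorsMapByType.put(level, sameLevel);
        }
        if (!sameLevel.contains(authenticator)) {
            sameLevel.add(authenticator);
        }
    }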

    /**
     * Looks up the authenticators registered for one authentication level.
     *
     * @param authenticationLevel the level to look up
     * @return the registered collection, or {@code null} when there is none or it is empty
     */
    private Collection<Authenticator> getAuthenticators(AuthenticationLevel authenticationLevel) {
        Collection<Authenticator> registered = authenticatorsMapByType.get(authenticationLevel);
        boolean usable = registered != null && !registered.isEmpty();
        return usable ? registered : null;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r1v24, types: [byte[], byte[][]] */
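    /**
     * Intercepts an add operation and, when password policy is enabled, validates
     * the new entry's password and stamps the policy state attributes on the entry.
     *
     * <p>The policy is skipped when it is disabled or when the operation is a
     * replication event. Otherwise the password attribute is looked up (the
     * policy's own attribute when the password-policy request control is present,
     * {@code userPassword} otherwise), checked with {@code check(...)}, and the
     * entry receives {@code pwdChangedTime}, {@code pwdReset} and
     * {@code pwdHistory} values as the policy requires.
     *
     * @param addOperationContext the add operation being processed
     * @throws LdapException if the caller is not authenticated, the password violates
     *         the policy (reported as {@code CONSTRAINT_VIOLATION}), or a later
     *         interceptor fails
     */
    @Override
    public void add(AddOperationContext addOperationContext) throws LdapException {
        if (IS_DEBUG) {
            LOG.debug("Operation Context: {}", addOperationContext);
        }
        checkAuthenticated(addOperationContext);
        Entry entry = addOperationContext.getEntry();
        if (!this.directoryService.isPwdPolicyEnabled() || addOperationContext.isReplEvent()) {
            next(addOperationContext);
            return;
        }
        // NOTE(review): pwdPolicy is dereferenced below without a null check, while bind()
        // guards against a null policy - confirm getPwdPolicy() cannot return null here.
        PasswordPolicyConfiguration pwdPolicy = getPwdPolicy(entry);
        // OID of the password-policy request control.
        boolean hasRequestControl = addOperationContext.hasRequestControl("1.3.6.1.4.1.42.2.27.8.5.1");
        checkPwdReset(addOperationContext);
        String passwordAttributeId = SchemaConstants.USER_PASSWORD_AT;
        if (hasRequestControl) {
            passwordAttributeId = pwdPolicy.getPwdAttribute();
        }
        Attribute passwordAttribute = entry.get(passwordAttributeId);
        if (passwordAttribute != null) {
            // NOTE(review): only the value returned by Attribute.get() is validated and
            // recorded; any further values of the attribute are not checked here.
            Value password = passwordAttribute.get();
            try {
                check(addOperationContext, entry, password.getBytes(), pwdPolicy);
                String generalizedTime = DateUtils.getGeneralizedTime(this.directoryService.getTimeProvider());
                // An administrator may supply pwdChangedTime; everyone else always gets the server's time.
                if ((pwdPolicy.getPwdMinAge() > 0 || pwdPolicy.getPwdMaxAge() > 0) && (!addOperationContext.getSession().isAnAdministrator() || entry.get(this.pwdChangedTimeAT) == null)) {
                    Attribute pwdChangedTime = new DefaultAttribute(this.pwdChangedTimeAT);
                    pwdChangedTime.add(generalizedTime);
                    entry.add(pwdChangedTime);
                }
                // A password set by an administrator must be changed by the user when the policy says so.
                if (pwdPolicy.isPwdMustChange() && addOperationContext.getSession().isAnAdministrator()) {
                    Attribute pwdReset = new DefaultAttribute(this.pwdResetAT);
                    pwdReset.add("TRUE");
                    entry.add(pwdReset);
                }
                if (pwdPolicy.getPwdInHistory() > 0) {
                    Attribute pwdHistory = new DefaultAttribute(this.pwdHistoryAT);
                    // Single binary value; the decompiled form wrapped it in an invalid array cast.
                    pwdHistory.add(new PasswordHistory(generalizedTime, password.getBytes()).getHistoryValue());
                    entry.add(pwdHistory);
                }
            } catch (PasswordPolicyException e) {
                // The detailed policy error is returned only to clients that asked for it.
                if (hasRequestControl) {
                    PasswordPolicyResponseImpl passwordPolicyResponseImpl = new PasswordPolicyResponseImpl();
                    passwordPolicyResponseImpl.setPasswordPolicyError(PasswordPolicyErrorEnum.get(e.getErrorCode()));
                    addOperationContext.addResponseControl(passwordPolicyResponseImpl);
                }
                throw new LdapOperationException(ResultCodeEnum.CONSTRAINT_VIOLATION, e.getMessage(), e);
            }
        }
        next(addOperationContext);
    }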

    /**
     * Picks the authenticator that will handle a bind for the given DN and level.
     *
     * <p>With exactly one authenticator registered for the level, it is used if it
     * accepts the DN. With several, the candidates that accept the DN are compared by
     * base DN and the last one whose base DN is below the current best is chosen.
     *
     * @param dn the DN being bound
     * @param authenticationLevel the requested authentication level
     * @return the selected authenticator, never {@code null}
     * @throws LdapAuthenticationException if no authenticator is registered for the level
     * @throws LdapUnwillingToPerformException if no registered authenticator accepts the DN
     */
    private Authenticator selectAuthenticator(Dn dn, AuthenticationLevel authenticationLevel) throws LdapUnwillingToPerformException, LdapAuthenticationException {
        Collection<Authenticator> candidates = this.authenticatorsMapByType.get(authenticationLevel);
        if (candidates == null || candidates.isEmpty()) {
            throw new LdapAuthenticationException("Cannot Bind for Dn " + dn.getName() + ", no authenticator for the requested level " + authenticationLevel);
        }

        if (candidates.size() == 1) {
            Iterator<Authenticator> single = candidates.iterator();
            if (single.hasNext()) {
                Authenticator only = single.next();
                if (!only.isValid(dn)) {
                    throw new LdapUnwillingToPerformException(ResultCodeEnum.UNWILLING_TO_PERFORM, "Cannot Bind for Dn " + dn.getName() + ", its not a descendant of the authenticator base DN '" + only.getBaseDn() + "'");
                }
                return only;
            }
        }

        // Walk all candidates, narrowing towards the deepest base DN that still covers dn.
        Authenticator best = null;
        Dn deepestBase = Dn.ROOT_DSE;
        for (Authenticator candidate : candidates) {
            if (!candidate.isValid(dn) || !deepestBase.isAncestorOf(candidate.getBaseDn())) {
                continue;
            }
            deepestBase = candidate.getBaseDn();
            best = candidate;
        }

        if (best != null) {
            return best;
        }
        throw new LdapUnwillingToPerformException(ResultCodeEnum.UNWILLING_TO_PERFORM, "Cannot Bind for Dn " + dn.getName() + ", there is no authenticator for it");
    }

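    /**
     * Applies an internal modification inside its own write transaction on the
     * partition of the triggering operation.
     *
     * <p>bind() uses this to persist password-policy state (failure times, lockout
     * time, grace uses). The transaction is committed on success and aborted on
     * failure. When the abort itself fails, the abort failure is reported and the
     * failure that triggered it is attached as a suppressed exception so it is not lost.
     *
     * @param operationContext the operation whose partition is written to
     * @param modifyOperationContext the modification to apply; its partition and
     *        transaction are set by this method
     * @throws LdapException the modification failure, or an {@code LdapOtherException}
     *         wrapping an I/O failure of the modify, the commit or the abort
     */
    private void internalModify(OperationContext operationContext, ModifyOperationContext modifyOperationContext) throws LdapException {
        Partition partition = operationContext.getPartition();
        modifyOperationContext.setPartition(partition);
        PartitionWriteTxn partitionWriteTxn = null;
        try {
            partitionWriteTxn = partition.beginWriteTransaction();
            modifyOperationContext.setTransaction(partitionWriteTxn);
            this.directoryService.getPartitionNexus().modify(modifyOperationContext);
            partitionWriteTxn.commit();
        } catch (IOException e) {
            // Guard against a transaction that was never opened, as the LdapException path does.
            if (partitionWriteTxn != null) {
                try {
                    partitionWriteTxn.abort();
                } catch (IOException abortFailure) {
                    abortFailure.addSuppressed(e);
                    throw new LdapOtherException(abortFailure.getMessage(), abortFailure);
                }
            }
            throw new LdapOtherException(e.getMessage(), e);
        } catch (LdapException e) {
            if (partitionWriteTxn != null) {
                try {
                    partitionWriteTxn.abort();
                } catch (IOException abortFailure) {
                    abortFailure.addSuppressed(e);
                    throw new LdapOtherException(abortFailure.getMessage(), abortFailure);
                }
            }
            throw e;
        }
    }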

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r1v99, types: [byte[], byte[][]] */
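    /**
     * Authenticates a bind request and maintains the password-policy state of the
     * bound entry.
     *
     * <p>Flow, as implemented below:
     * <ol>
     *   <li>Reject the {@code UNAUTHENT} level, then pick an authenticator for the DN
     *       and level.</li>
     *   <li>Run the authenticator. On success the credentials are removed from the
     *       context and the session is built on a cloned principal whose password is
     *       replaced by an empty value. An authentication failure or an unexpected
     *       exception is logged and treated as "not authenticated"; a
     *       {@code PasswordPolicyException} is rethrown (with a response control when
     *       the client sent the request control).</li>
     *   <li>On failure with a policy in force: record the failure time, then either
     *       delay the response or, once the failure limit is reached, stamp the lockout
     *       time (never for the system administrator entry); finally throw
     *       {@code LdapAuthenticationException}.</li>
     *   <li>On success with a policy in force: record the last success, clear failure
     *       and lockout state, consume a grace login when the password has expired,
     *       and fill the response control when the client asked for it.</li>
     * </ol>
     *
     * @param bindOperationContext the bind operation being processed
     * @throws LdapException if the bind is refused, authentication fails, a
     *         password-policy rule is violated, or the state update cannot be written
     */
    @Override
    public void bind(BindOperationContext bindOperationContext) throws LdapException {
        if (IS_DEBUG) {
            LOG.debug("Operation Context: {}", bindOperationContext);
        }
        CoreSession session = bindOperationContext.getSession();
        Dn dn = bindOperationContext.getDn();
        if (session != null && session.getEffectivePrincipal() != null && !session.isAnonymous() && !session.isAdministrator()) {
            bindOperationContext.setCredentials(null);
        }
        AuthenticationLevel authenticationLevel = bindOperationContext.getAuthenticationLevel();
        if (authenticationLevel == AuthenticationLevel.UNAUTHENT) {
            throw new LdapUnwillingToPerformException(ResultCodeEnum.UNWILLING_TO_PERFORM, "Cannot Bind for Dn " + dn.getName());
        }
        PasswordPolicyException passwordPolicyException = null;
        // OID of the password-policy request control.
        boolean hasRequestControl = bindOperationContext.hasRequestControl("1.3.6.1.4.1.42.2.27.8.5.1");
        PasswordPolicyResponseImpl passwordPolicyResponseImpl = new PasswordPolicyResponseImpl();
        boolean authenticated = false;
        Authenticator selectAuthenticator = selectAuthenticator(dn, authenticationLevel);
        try {
            LdapPrincipal authenticate = selectAuthenticator.authenticate(bindOperationContext);
            if (authenticate != null) {
                // Work on a copy so the session principal can be scrubbed without touching
                // whatever object the authenticator returned.
                LdapPrincipal ldapPrincipal = (LdapPrincipal) authenticate.clone();
                bindOperationContext.setCredentials(null);
                // Replace the password kept on the session principal with one empty value
                // (the decompiled form built an invalid byte[] of byte[]).
                ldapPrincipal.setUserPassword(new byte[][] {Strings.EMPTY_BYTES});
                bindOperationContext.setSession(new DefaultCoreSession(ldapPrincipal, this.directoryService));
                authenticated = true;
            }
        } catch (LdapAuthenticationException e) {
            LOG.info("Authenticator {} failed to authenticate: {}", selectAuthenticator, bindOperationContext.getDn());
        } catch (PasswordPolicyException e) {
            passwordPolicyException = e;
        } catch (Exception e) {
            // Fails closed (authenticated stays false). Log the cause so a defect in an
            // authenticator is distinguishable from an ordinary wrong password.
            LOG.info("Unexpected failure for Authenticator {} : {}", selectAuthenticator, bindOperationContext.getDn(), e);
        }
        if (passwordPolicyException != null) {
            if (hasRequestControl) {
                passwordPolicyResponseImpl.setPasswordPolicyError(PasswordPolicyErrorEnum.get(passwordPolicyException.getErrorCode()));
                bindOperationContext.addResponseControl(passwordPolicyResponseImpl);
            }
            throw passwordPolicyException;
        }
        Entry entry = bindOperationContext.getEntry();
        PasswordPolicyConfiguration pwdPolicy = getPwdPolicy(entry);
        if (pwdPolicy != null) {
            // Re-read the entry with the admin session so all attributes, including the
            // policy state, are available.
            LookupOperationContext lookupOperationContext = new LookupOperationContext(this.adminSession, dn, SchemaConstants.ALL_ATTRIBUTES_ARRAY);
            lookupOperationContext.setPartition(bindOperationContext.getPartition());
            lookupOperationContext.setTransaction(bindOperationContext.getTransaction());
            entry = this.directoryService.getPartitionNexus().lookup(lookupOperationContext);
        }
        if (authenticated && entry == null && this.directoryService.isAllowAnonymousAccess()) {
            return;
        }
        if (!authenticated) {
            if (LOG.isInfoEnabled()) {
                LOG.info("Cannot bind to the server ");
            }
            if (pwdPolicy != null && entry != null) {
                Attribute failureTimes = entry.get(this.pwdFailurTimeAT);
                if (failureTimes == null) {
                    failureTimes = new DefaultAttribute(this.pwdFailurTimeAT);
                } else {
                    purgeFailureTimes(pwdPolicy, failureTimes);
                }
                String generalizedTime = DateUtils.getGeneralizedTime(this.directoryService.getTimeProvider());
                failureTimes.add(generalizedTime);
                List<Modification> failureMods = new ArrayList<>();
                failureMods.add(new DefaultModification(ModificationOperation.REPLACE_ATTRIBUTE, failureTimes));
                int failureCount = failureTimes.size();
                if (!pwdPolicy.isPwdLockout() || failureCount < pwdPolicy.getPwdMaxFailure()) {
                    if (pwdPolicy.getPwdMinDelay() > 0) {
                        // Delay grows with the number of recorded failures and is capped by
                        // pwdMaxDelay. Computed in long so large settings cannot overflow into
                        // a negative sleep time.
                        // NOTE(review): a pwdMaxDelay of 0 caps the delay at 0, which disables
                        // pwdMinDelay - confirm that is the intended configuration semantics.
                        long delaySeconds = Math.min((long) failureCount * pwdPolicy.getPwdMinDelay(), pwdPolicy.getPwdMaxDelay());
                        if (delaySeconds > 0) {
                            try {
                                // Blocks the thread handling this bind for the whole delay.
                                Thread.sleep(delaySeconds * 1000L);
                            } catch (InterruptedException e) {
                                // NOTE(review): the interrupt status is consumed here and not
                                // restored. Restoring it before the state write below could
                                // disturb interruptible I/O, so a fix belongs after internalModify().
                                LOG.warn("Interrupted while delaying to send the failed authentication response for the user {}", dn, e);
                            }
                        }
                    }
                } else if (!entry.getDn().equals(new Dn(this.schemaManager, ServerDNConstants.ADMIN_SYSTEM_DN))) {
                    // Failure limit reached: lock the account. The system administrator
                    // entry is exempt from lockout.
                    Attribute lockedTime = new DefaultAttribute(this.pwdAccountLockedTimeAT);
                    if (pwdPolicy.getPwdLockoutDuration() == 0) {
                        // Fixed sentinel instead of the current time when no lockout duration
                        // is configured; in the LDAP password-policy draft this value marks an
                        // account that stays locked until an administrator resets it.
                        lockedTime.add("000001010000Z");
                    } else {
                        lockedTime.add(generalizedTime);
                    }
                    failureMods.add(new DefaultModification(ModificationOperation.REPLACE_ATTRIBUTE, lockedTime));
                    // NOTE(review): the response object is updated but not attached to the
                    // context on this path, so ACCOUNT_LOCKED is not sent with the failure.
                    passwordPolicyResponseImpl.setPasswordPolicyError(PasswordPolicyErrorEnum.ACCOUNT_LOCKED);
                }
                if (!failureMods.isEmpty()) {
                    failureMods.add(new DefaultModification(ModificationOperation.REPLACE_ATTRIBUTE, this.directoryService.getAtProvider().getEntryCSN(), this.directoryService.getCSN().toString()));
                    ModifyOperationContext failureUpdate = new ModifyOperationContext(this.adminSession);
                    failureUpdate.setDn(dn);
                    failureUpdate.setEntry(entry);
                    failureUpdate.setModItems(failureMods);
                    failureUpdate.setPushToEvtInterceptor(true);
                    internalModify(bindOperationContext, failureUpdate);
                }
            }
            throw new LdapAuthenticationException(I18n.err(I18n.ERR_229, dn == null ? "" : dn.getName()));
        }
        if (pwdPolicy != null) {
            List<Modification> successMods = new ArrayList<>();
            if (pwdPolicy.getPwdMaxIdle() > 0) {
                Attribute lastSuccess = new DefaultAttribute(this.pwdLastSuccessAT);
                lastSuccess.add(DateUtils.getGeneralizedTime(this.directoryService.getTimeProvider()));
                successMods.add(new DefaultModification(ModificationOperation.REPLACE_ATTRIBUTE, lastSuccess));
            }
            // A successful bind clears the recorded failures and any lockout stamp.
            Attribute oldFailureTimes = entry.get(this.pwdFailurTimeAT);
            if (oldFailureTimes != null) {
                successMods.add(new DefaultModification(ModificationOperation.REMOVE_ATTRIBUTE, oldFailureTimes));
            }
            Attribute oldLockedTime = entry.get(this.pwdAccountLockedTimeAT);
            if (oldLockedTime != null) {
                successMods.add(new DefaultModification(ModificationOperation.REMOVE_ATTRIBUTE, oldLockedTime));
            }
            if (pwdPolicy.getPwdMaxAge() > 0 && pwdPolicy.getPwdGraceAuthNLimit() > 0) {
                Attribute pwdChangedTime = entry.get(this.pwdChangedTimeAT);
                if (pwdChangedTime != null && PasswordUtil.isPwdExpired(pwdChangedTime.getString(), pwdPolicy.getPwdMaxAge(), this.directoryService.getTimeProvider())) {
                    // Expired password: this bind consumes one grace login.
                    Attribute graceUseTimes = entry.get(this.pwdGraceUseTimeAT);
                    int graceRemaining;
                    if (graceUseTimes != null) {
                        graceRemaining = pwdPolicy.getPwdGraceAuthNLimit() - (graceUseTimes.size() + 1);
                    } else {
                        graceUseTimes = new DefaultAttribute(this.pwdGraceUseTimeAT);
                        graceRemaining = pwdPolicy.getPwdGraceAuthNLimit() - 1;
                    }
                    passwordPolicyResponseImpl.setGraceAuthNRemaining(graceRemaining);
                    graceUseTimes.add(DateUtils.getGeneralizedTime(this.directoryService.getTimeProvider()));
                    successMods.add(new DefaultModification(ModificationOperation.ADD_ATTRIBUTE, graceUseTimes));
                }
            }
            if (!successMods.isEmpty()) {
                successMods.add(new DefaultModification(ModificationOperation.REPLACE_ATTRIBUTE, this.directoryService.getAtProvider().getEntryCSN(), this.directoryService.getCSN().toString()));
                ModifyOperationContext successUpdate = new ModifyOperationContext(this.adminSession);
                successUpdate.setDn(dn);
                successUpdate.setEntry(entry);
                successUpdate.setModItems(successMods);
                successUpdate.setPushToEvtInterceptor(true);
                internalModify(bindOperationContext, successUpdate);
            }
            if (hasRequestControl) {
                int pwdTimeBeforeExpiry = getPwdTimeBeforeExpiry(entry, pwdPolicy);
                if (pwdTimeBeforeExpiry > 0) {
                    passwordPolicyResponseImpl.setTimeBeforeExpiration(pwdTimeBeforeExpiry);
                }
                // NOTE(review): the session's must-change flag is set only inside this
                // request-control branch - confirm clients that omit the control are
                // covered elsewhere.
                if (isPwdMustReset(entry)) {
                    passwordPolicyResponseImpl.setPasswordPolicyError(PasswordPolicyErrorEnum.CHANGE_AFTER_RESET);
                    bindOperationContext.getSession().setPwdMustChange(true);
                }
                bindOperationContext.addResponseControl(passwordPolicyResponseImpl);
            }
        }
    }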

    @Override // org.apache.directory.server.core.api.interceptor.BaseInterceptor, org.apache.directory.server.core.api.interceptor.Interceptor
    /**
     * Lets a compare operation through once the caller is authenticated and is not
     * blocked by a pending password reset.
     *
     * @param compareOperationContext the compare operation being processed
     * @return the result produced by the rest of the interceptor chain
     * @throws LdapException if either check fails or the chain fails
     */
    public boolean compare(CompareOperationContext compareOperationContext) throws LdapException {
        if (IS_DEBUG) {
            LOG.debug("Operation Context: {}", compareOperationContext);
        }

        // Authentication first, then the password-reset restriction.
        checkAuthenticated(compareOperationContext);
        checkPwdReset(compareOperationContext);

        boolean chainResult = next(compareOperationContext);
        return chainResult;
    }

    @Override // org.apache.directory.server.core.api.interceptor.BaseInterceptor, org.apache.directory.server.core.api.interceptor.Interceptor
    /**
     * Lets a delete operation through once the caller is authenticated and is not
     * blocked by a pending password reset, then drops cached state for the deleted DN.
     *
     * @param deleteOperationContext the delete operation being processed
     * @throws LdapException if either check fails or the chain fails
     */
    public void delete(DeleteOperationContext deleteOperationContext) throws LdapException {
        if (IS_DEBUG) {
            LOG.debug("Operation Context: {}", deleteOperationContext);
        }

        checkAuthenticated(deleteOperationContext);
        checkPwdReset(deleteOperationContext);
        next(deleteOperationContext);

        // Reached only when the chain completed without throwing: the entry's cached
        // data in the authenticators must not outlive the entry.
        Dn deletedDn = deleteOperationContext.getDn();
        invalidateAuthenticatorCaches(deletedDn);
    }

    @Override // org.apache.directory.server.core.api.interceptor.BaseInterceptor, org.apache.directory.server.core.api.interceptor.Interceptor
    /**
     * Lets a root DSE read through once the caller is authenticated and is not
     * blocked by a pending password reset.
     *
     * @param getRootDseOperationContext the operation being processed
     * @return the entry produced by the rest of the interceptor chain
     * @throws LdapException if either check fails or the chain fails
     */
    public Entry getRootDse(GetRootDseOperationContext getRootDseOperationContext) throws LdapException {
        if (IS_DEBUG) {
            LOG.debug("Operation Context: {}", getRootDseOperationContext);
        }

        checkAuthenticated(getRootDseOperationContext);
        checkPwdReset(getRootDseOperationContext);

        Entry rootDse = next(getRootDseOperationContext);
        return rootDse;
    }

    @Override // org.apache.directory.server.core.api.interceptor.BaseInterceptor, org.apache.directory.server.core.api.interceptor.Interceptor
    /**
     * Lets an existence check through once the caller is authenticated and is not
     * blocked by a pending password reset.
     *
     * @param hasEntryOperationContext the operation being processed
     * @return the result produced by the rest of the interceptor chain
     * @throws LdapException if either check fails or the chain fails
     */
    public boolean hasEntry(HasEntryOperationContext hasEntryOperationContext) throws LdapException {
        if (IS_DEBUG) {
            LOG.debug("Operation Context: {}", hasEntryOperationContext);
        }

        checkAuthenticated(hasEntryOperationContext);
        checkPwdReset(hasEntryOperationContext);

        boolean exists = next(hasEntryOperationContext);
        return exists;
    }

    @Override // org.apache.directory.server.core.api.interceptor.BaseInterceptor, org.apache.directory.server.core.api.interceptor.Interceptor
    /**
     * Lets a lookup through once the caller is authenticated and is not blocked by
     * a pending password reset.
     *
     * @param lookupOperationContext the operation being processed
     * @return the entry produced by the rest of the interceptor chain
     * @throws LdapException if either check fails or the chain fails
     */
    public Entry lookup(LookupOperationContext lookupOperationContext) throws LdapException {
        if (IS_DEBUG) {
            LOG.debug("Operation Context: {}", lookupOperationContext);
        }

        checkAuthenticated(lookupOperationContext);
        checkPwdReset(lookupOperationContext);

        Entry found = next(lookupOperationContext);
        return found;
    }

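    /**
     * Asks every registered authenticator, at every authentication level, to drop
     * whatever it has cached for the given DN.
     *
     * <p>Called after a delete and after a password change so that a removed entry
     * or a superseded password cannot be served from an authenticator cache.
     *
     * @param dn the DN whose cached data must be invalidated
     */
    private void invalidateAuthenticatorCaches(Dn dn) {
        for (AuthenticationLevel level : this.authenticatorsMapByType.keySet()) {
            Collection<Authenticator> registered = getAuthenticators(level);
            // getAuthenticators() returns null for an empty collection; skip that level
            // instead of failing, so the remaining levels are still invalidated.
            if (registered == null) {
                continue;
            }
            for (Authenticator authenticator : registered) {
                authenticator.invalidateCache(dn);
            }
        }
    }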

    @Override // org.apache.directory.server.core.api.interceptor.BaseInterceptor, org.apache.directory.server.core.api.interceptor.Interceptor
    /**
     * Routes a modify operation, after the authentication check, to the plain path
     * or to the password-policy path.
     *
     * <p>The plain path is taken when password policy is disabled or the operation
     * is a replication event; otherwise the policy checks apply.
     *
     * @param modifyOperationContext the modify operation being processed
     * @throws LdapException if the caller is not authenticated or the chosen path fails
     */
    public void modify(ModifyOperationContext modifyOperationContext) throws LdapException {
        if (IS_DEBUG) {
            LOG.debug("Operation Context: {}", modifyOperationContext);
        }
        checkAuthenticated(modifyOperationContext);

        boolean bypassPolicy = !this.directoryService.isPwdPolicyEnabled() || modifyOperationContext.isReplEvent();
        if (bypassPolicy) {
            processStandardModify(modifyOperationContext);
            return;
        }
        processPasswordPolicydModify(modifyOperationContext);
    }

    /**
     * Runs a modify without password-policy checks and invalidates the authenticator
     * caches when the modification touched the password.
     *
     * <p>Only the attribute type returned by {@code getAtProvider().getUserPassword()}
     * is recognized as a password change here. The caches are invalidated once, at
     * the first matching modification, and only after the chain completed without
     * throwing.
     *
     * @param modifyOperationContext the modify operation being processed
     * @throws LdapException if the rest of the interceptor chain fails
     */
    private void processStandardModify(ModifyOperationContext modifyOperationContext) throws LdapException {
        next(modifyOperationContext);

        for (Modification item : modifyOperationContext.getModItems()) {
            AttributeType userPasswordType = this.directoryService.getAtProvider().getUserPassword();
            boolean touchesPassword = userPasswordType.equals(item.getAttribute().getAttributeType());
            if (touchesPassword) {
                invalidateAuthenticatorCaches(modifyOperationContext.getDn());
                break;
            }
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r1v54, types: [byte[], byte[][]] */
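    /**
     * Handles a modify request while password policy enforcement is active.
     *
     * <p>Sequence, as implemented below:
     * <ol>
     *   <li>Resolve the policy for the target entry and classify the modification items. A request
     *       that does not touch the policy's password attribute is forwarded unchanged.</li>
     *   <li>Run the must-change, safe-modify and user-change-allowed checks.</li>
     *   <li>For an add/replace of the password: enforce the minimum age, the quality check and the
     *       password history.</li>
     *   <li>Forward the caller's request, invalidate the authenticator caches and re-read the entry
     *       under the admin session.</li>
     *   <li>Apply the policy state changes (history, pwdChangedTime, pwdReset, cleared failure
     *       state, entryCSN) in a second modify issued under the admin session.</li>
     * </ol>
     *
     * <p>NOTE(review): the caller's change is forwarded before the state modifications are written.
     * Whether both writes are covered by one transaction depends on {@code internalModify}, which is
     * not visible here - confirm, since a failure in between would leave the new password in place
     * without updated policy state.
     *
     * <p>NOTE(review): the history value is built from the password bytes exactly as this
     * interceptor receives them. Whether they are cleartext or already hashed at this point depends
     * on interceptor ordering - confirm against the chain configuration.
     *
     * @param modifyOperationContext the modify request being processed
     * @throws LdapException if a policy check rejects the request or a downstream operation fails
     */
    private void processPasswordPolicydModify(ModifyOperationContext modifyOperationContext) throws LdapException {
        PasswordPolicyConfiguration pwdPolicy = getPwdPolicy(modifyOperationContext.getEntry());
        PwdModDetailsHolder pwdModDetails = getPwdModDetails(modifyOperationContext, pwdPolicy);
        if (!pwdModDetails.isPwdModPresent()) {
            next(modifyOperationContext);
            return;
        }
        CoreSession session = modifyOperationContext.getSession();
        // OID of the password policy request control; response controls are only attached when
        // the client sent it.
        boolean hasRequestControl = modifyOperationContext.hasRequestControl("1.3.6.1.4.1.42.2.27.8.5.1");
        checkPwdMustChange(modifyOperationContext, session, pwdModDetails, hasRequestControl);
        checkOldPwdRequired(modifyOperationContext, pwdPolicy, pwdModDetails, hasRequestControl);
        checkChangePwdAllowed(modifyOperationContext, pwdPolicy, hasRequestControl);
        Entry entry = modifyOperationContext.getEntry();
        boolean pwdResetRemoved = false;
        // Typed list: it is handed to processModifyAddPwdAttributes(List<Modification>) and setModItems.
        List<Modification> stateMods = new ArrayList<>();
        if (pwdModDetails.isAddOrReplace()) {
            if (isPwdTooYoung(modifyOperationContext, entry, pwdPolicy)) {
                if (hasRequestControl) {
                    PasswordPolicyResponseImpl tooYoungResponse = new PasswordPolicyResponseImpl();
                    tooYoungResponse.setPasswordPolicyError(PasswordPolicyErrorEnum.PASSWORD_TOO_YOUNG);
                    modifyOperationContext.addResponseControl(tooYoungResponse);
                }
                throw new LdapOperationException(ResultCodeEnum.CONSTRAINT_VIOLATION, "password is too young to update");
            }
            byte[] newPwd = pwdModDetails.getNewPwd();
            try {
                check(modifyOperationContext, entry, newPwd, pwdPolicy);
                int pwdInHistory = pwdPolicy.getPwdInHistory();
                Modification removeFromHistory = null;
                Modification replaceHistory = null;
                String generalizedTime = DateUtils.getGeneralizedTime(this.directoryService.getTimeProvider());
                if (pwdInHistory > 0) {
                    Attribute history = entry.get(this.pwdHistoryAT);
                    if (history == null) {
                        history = new DefaultAttribute(this.pwdHistoryAT);
                    }
                    // Rejects reuse (non-administrators only) and may return a removal for one
                    // existing history value.
                    removeFromHistory = buildPwdHistory(modifyOperationContext, history, pwdInHistory, newPwd, hasRequestControl);
                    // The decompiled '(byte[][]) new byte[]{...}' form does not compile; the call
                    // passes the single history value to the byte[] varargs overload.
                    history.add(new PasswordHistory(generalizedTime, newPwd).getHistoryValue());
                    replaceHistory = new DefaultModification(ModificationOperation.REPLACE_ATTRIBUTE, history);
                }
                // Apply the caller's own modification first.
                next(modifyOperationContext);
                invalidateAuthenticatorCaches(modifyOperationContext.getDn());
                // Re-read the entry with the admin session so the state modifications below are
                // computed against what was actually stored.
                LookupOperationContext lookupOperationContext = new LookupOperationContext(this.adminSession, modifyOperationContext.getDn(), SchemaConstants.ALL_ATTRIBUTES_ARRAY);
                lookupOperationContext.setPartition(modifyOperationContext.getPartition());
                lookupOperationContext.setTransaction(modifyOperationContext.getTransaction());
                entry = this.directoryService.getPartitionNexus().lookup(lookupOperationContext);
                if (pwdPolicy.getPwdMinAge() > 0 || pwdPolicy.getPwdMaxAge() > 0) {
                    DefaultAttribute changedTime = new DefaultAttribute(this.pwdChangedTimeAT);
                    changedTime.add(generalizedTime);
                    stateMods.add(new DefaultModification(ModificationOperation.REPLACE_ATTRIBUTE, changedTime));
                }
                if (replaceHistory != null) {
                    stateMods.add(replaceHistory);
                }
                if (removeFromHistory != null) {
                    stateMods.add(removeFromHistory);
                }
                if (pwdPolicy.isPwdMustChange()) {
                    DefaultAttribute pwdReset = new DefaultAttribute(this.pwdResetAT);
                    Modification pwdResetMod;
                    if (modifyOperationContext.getSession().isAnAdministrator()) {
                        // Password set by an administrator: flag the entry as reset.
                        pwdReset.add("TRUE");
                        pwdResetMod = new DefaultModification(ModificationOperation.REPLACE_ATTRIBUTE, pwdReset);
                    } else {
                        // Password changed by a non-administrator: drop the reset flag; the
                        // session flag is cleared after the state modify succeeds.
                        pwdResetMod = new DefaultModification(ModificationOperation.REMOVE_ATTRIBUTE, pwdReset);
                        pwdResetRemoved = true;
                    }
                    stateMods.add(pwdResetMod);
                }
            } catch (PasswordPolicyException e) {
                if (hasRequestControl) {
                    PasswordPolicyResponseImpl policyErrorResponse = new PasswordPolicyResponseImpl();
                    policyErrorResponse.setPasswordPolicyError(PasswordPolicyErrorEnum.get(e.getErrorCode()));
                    modifyOperationContext.addResponseControl(policyErrorResponse);
                }
                throw new LdapOperationException(ResultCodeEnum.CONSTRAINT_VIOLATION, e.getMessage(), e);
            }
        }
        processModifyAddPwdAttributes(entry, stateMods, pwdModDetails);
        stateMods.add(new DefaultModification(ModificationOperation.REPLACE_ATTRIBUTE, this.directoryService.getAtProvider().getEntryCSN(), this.directoryService.getCSN().toString()));
        // The state attributes are written under the admin session, not the caller's.
        ModifyOperationContext stateModifyContext = new ModifyOperationContext(this.adminSession);
        stateModifyContext.setPushToEvtInterceptor(true);
        stateModifyContext.setDn(modifyOperationContext.getDn());
        stateModifyContext.setEntry(entry);
        stateModifyContext.setModItems(stateMods);
        internalModify(modifyOperationContext, stateModifyContext);
        if (pwdResetRemoved || pwdModDetails.isDelete()) {
            session.setPwdMustChange(false);
        }
    }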

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r1v6, types: [byte[], byte[][]] */
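    /**
     * Checks a new password against the stored password history and, when the history already
     * holds at least {@code i} values, builds a modification that removes one of them.
     *
     * <p>Administrators are exempt from the reuse check. The comparison uses
     * {@link MessageDigest#isEqual(byte[], byte[])} rather than a plain array comparison.
     *
     * <p>NOTE(review): the match is on exact bytes. If the values seen here are salted hashes, the
     * same cleartext hashed with a different salt will not match - confirm what form the password
     * has at this point in the interceptor chain.
     *
     * <p>NOTE(review): only one value is removed per call, the one at index {@code i - 1} after
     * sorting. Which end of the sorted list is the oldest depends on the ordering defined by
     * {@code PasswordHistory}, not visible here; a history already longer than {@code i} is not
     * trimmed down to size by this method.
     *
     * @param modifyOperationContext the modify request, used for the session and response controls
     * @param attribute the current password history attribute
     * @param i the configured number of passwords kept in history; callers pass a value &gt; 0
     * @param bArr the new password bytes
     * @param z whether the client sent the password policy request control
     * @return a REMOVE modification for one history value, or {@code null} if nothing is evicted
     * @throws LdapOperationException with CONSTRAINT_VIOLATION if the password is in the history
     */
    Modification buildPwdHistory(ModifyOperationContext modifyOperationContext, Attribute attribute, int i, byte[] bArr, boolean z) throws LdapOperationException {
        List<PasswordHistory> history = new ArrayList<>();
        for (Value stored : attribute) {
            PasswordHistory past = new PasswordHistory(Strings.utf8ToString(stored.getBytes()));
            if (!modifyOperationContext.getSession().isAnAdministrator() && MessageDigest.isEqual(bArr, past.getPassword())) {
                if (z) {
                    PasswordPolicyResponseImpl inHistoryResponse = new PasswordPolicyResponseImpl();
                    inHistoryResponse.setPasswordPolicyError(PasswordPolicyErrorEnum.PASSWORD_IN_HISTORY);
                    modifyOperationContext.addResponseControl(inHistoryResponse);
                }
                throw new LdapOperationException(ResultCodeEnum.CONSTRAINT_VIOLATION, "invalid reuse of password present in password history");
            }
            history.add(past);
        }
        if (history.size() < i) {
            // Room left in the history: nothing to evict.
            return null;
        }
        Collections.sort(history);
        PasswordHistory evicted = history.get(i - 1);
        DefaultAttribute toRemove = new DefaultAttribute(this.pwdHistoryAT);
        // The decompiled '(byte[][]) new byte[]{...}' form does not compile; the call passes the
        // single history value to the byte[] varargs overload.
        toRemove.add(evicted.getHistoryValue());
        return new DefaultModification(ModificationOperation.REMOVE_ATTRIBUTE, toRemove);
    }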

    /**
     * Appends REMOVE modifications for the password policy state attributes that a password
     * modification clears.
     *
     * <p>Failure times and grace-use times are removed on every password modification. When the
     * password itself is being deleted, the history, changed time, reset flag and account-locked
     * time are removed as well. Attributes absent from the entry are skipped.
     *
     * @param entry the entry whose current state attributes are inspected
     * @param list the modification list to append to
     * @param pwdModDetailsHolder classification of the password modification in the request
     */
    private void processModifyAddPwdAttributes(Entry entry, List<Modification> list, PwdModDetailsHolder pwdModDetailsHolder) {
        AttributeType[] clearedAlways = {this.pwdFailurTimeAT, this.pwdGraceUseTimeAT};
        for (AttributeType stateType : clearedAlways) {
            Attribute present = entry.get(stateType);
            if (present != null) {
                list.add(new DefaultModification(ModificationOperation.REMOVE_ATTRIBUTE, present));
            }
        }
        if (!pwdModDetailsHolder.isDelete()) {
            return;
        }
        // Password removed entirely: drop the remaining per-password state too.
        AttributeType[] clearedOnDelete = {this.pwdHistoryAT, this.pwdChangedTimeAT, this.pwdResetAT, this.pwdAccountLockedTimeAT};
        for (AttributeType stateType : clearedOnDelete) {
            Attribute present = entry.get(stateType);
            if (present != null) {
                list.add(new DefaultModification(ModificationOperation.REMOVE_ATTRIBUTE, present));
            }
        }
    }

    /**
     * Rejects a modify that changes other attributes while the session is flagged as
     * "password must change".
     *
     * <p>NOTE(review): because of the {@code !isDelete()} term, a request that contains a REMOVE of
     * the password attribute is not rejected here even when it also modifies other attributes.
     * Confirm that this is the intended scope of the restriction.
     *
     * @param modifyOperationContext the modify request; receives the response control on rejection
     * @param coreSession the session issuing the request
     * @param pwdModDetailsHolder classification of the modification items
     * @param z whether the client sent the password policy request control
     * @throws LdapNoPermissionException if the request is rejected
     */
    private void checkPwdMustChange(ModifyOperationContext modifyOperationContext, CoreSession coreSession, PwdModDetailsHolder pwdModDetailsHolder, boolean z) throws LdapNoPermissionException {
        boolean rejected = coreSession.isPwdMustChange() && !pwdModDetailsHolder.isDelete() && pwdModDetailsHolder.isOtherModExists();
        if (!rejected) {
            return;
        }
        if (z) {
            PasswordPolicyResponseImpl changeAfterReset = new PasswordPolicyResponseImpl();
            changeAfterReset.setPasswordPolicyError(PasswordPolicyErrorEnum.CHANGE_AFTER_RESET);
            modifyOperationContext.addResponseControl(changeAfterReset);
        }
        throw new LdapNoPermissionException("Password should be reset before making any changes to this entry");
    }

    /**
     * Enforces the policy's safe-modify setting: when it is enabled, a request that adds or
     * replaces the password must also contain a REMOVE of the password attribute.
     *
     * <p>No administrator exemption is applied in this check.
     *
     * <p>NOTE(review): the check only establishes that a REMOVE item for the password attribute is
     * present. That the removed value equals the current password is not verified here -
     * presumably that is left to the delete-value semantics further down the chain; confirm.
     *
     * @param modifyOperationContext the modify request; receives the response control on rejection
     * @param passwordPolicyConfiguration the policy in effect for the target entry
     * @param pwdModDetailsHolder classification of the modification items
     * @param z whether the client sent the password policy request control
     * @throws LdapNoPermissionException if the old password was not supplied
     */
    private void checkOldPwdRequired(ModifyOperationContext modifyOperationContext, PasswordPolicyConfiguration passwordPolicyConfiguration, PwdModDetailsHolder pwdModDetailsHolder, boolean z) throws LdapNoPermissionException {
        boolean oldPwdMissing = passwordPolicyConfiguration.isPwdSafeModify() && !pwdModDetailsHolder.isDelete() && pwdModDetailsHolder.isAddOrReplace();
        if (!oldPwdMissing) {
            return;
        }
        LOG.debug("trying to update password attribute without the supplying the old password");
        if (z) {
            PasswordPolicyResponseImpl mustSupplyOld = new PasswordPolicyResponseImpl();
            mustSupplyOld.setPasswordPolicyError(PasswordPolicyErrorEnum.MUST_SUPPLY_OLD_PASSWORD);
            modifyOperationContext.addResponseControl(mustSupplyOld);
        }
        throw new LdapNoPermissionException("trying to update password attribute without the supplying the old password");
    }

    /**
     * Rejects a password modification when the policy does not allow users to change their
     * password and the session is not an administrator.
     *
     * <p>The exception is thrown without a message; a client that sent the request control can
     * read the reason from the PASSWORD_MOD_NOT_ALLOWED response control.
     *
     * @param modifyOperationContext the modify request; receives the response control on rejection
     * @param passwordPolicyConfiguration the policy in effect for the target entry
     * @param z whether the client sent the password policy request control
     * @throws LdapNoPermissionException if the change is not allowed
     */
    private void checkChangePwdAllowed(ModifyOperationContext modifyOperationContext, PasswordPolicyConfiguration passwordPolicyConfiguration, boolean z) throws LdapNoPermissionException {
        boolean denied = !passwordPolicyConfiguration.isPwdAllowUserChange() && !modifyOperationContext.getSession().isAnAdministrator();
        if (denied) {
            if (z) {
                PasswordPolicyResponseImpl modNotAllowed = new PasswordPolicyResponseImpl();
                modNotAllowed.setPasswordPolicyError(PasswordPolicyErrorEnum.PASSWORD_MOD_NOT_ALLOWED);
                modifyOperationContext.addResponseControl(modNotAllowed);
            }
            throw new LdapNoPermissionException();
        }
    }

    /**
     * Gates a move operation behind the anonymous-access and password-reset checks, forwards it,
     * and then invalidates the authenticator caches for the DN reported by the context.
     *
     * <p>NOTE(review): whether {@code getDn()} yields the old or the new name after the operation
     * has run is not visible here - confirm the cache key that actually needs dropping.
     *
     * @param moveOperationContext the move request
     * @throws LdapException if a check rejects the request or the downstream move fails
     */
    @Override
    public void move(MoveOperationContext moveOperationContext) throws LdapException {
        if (IS_DEBUG) {
            LOG.debug("Operation Context: {}", moveOperationContext);
        }
        // Both checks throw on failure, so the request is only forwarded when they pass.
        checkAuthenticated(moveOperationContext);
        checkPwdReset(moveOperationContext);
        next(moveOperationContext);
        Dn cachedDn = moveOperationContext.getDn();
        invalidateAuthenticatorCaches(cachedDn);
    }

    /**
     * Gates a move-and-rename operation behind the anonymous-access and password-reset checks,
     * forwards it, and then invalidates the authenticator caches for the DN reported by the
     * context.
     *
     * <p>NOTE(review): whether {@code getDn()} yields the old or the new name after the operation
     * has run is not visible here - confirm the cache key that actually needs dropping.
     *
     * @param moveAndRenameOperationContext the move-and-rename request
     * @throws LdapException if a check rejects the request or the downstream operation fails
     */
    @Override
    public void moveAndRename(MoveAndRenameOperationContext moveAndRenameOperationContext) throws LdapException {
        if (IS_DEBUG) {
            LOG.debug("Operation Context: {}", moveAndRenameOperationContext);
        }
        // Both checks throw on failure, so the request is only forwarded when they pass.
        checkAuthenticated(moveAndRenameOperationContext);
        checkPwdReset(moveAndRenameOperationContext);
        next(moveAndRenameOperationContext);
        Dn cachedDn = moveAndRenameOperationContext.getDn();
        invalidateAuthenticatorCaches(cachedDn);
    }

    /**
     * Gates a rename operation behind the anonymous-access and password-reset checks, forwards
     * it, and then invalidates the authenticator caches for the DN reported by the context.
     *
     * <p>NOTE(review): whether {@code getDn()} yields the old or the new name after the operation
     * has run is not visible here - confirm the cache key that actually needs dropping.
     *
     * @param renameOperationContext the rename request
     * @throws LdapException if a check rejects the request or the downstream rename fails
     */
    @Override
    public void rename(RenameOperationContext renameOperationContext) throws LdapException {
        if (IS_DEBUG) {
            LOG.debug("Operation Context: {}", renameOperationContext);
        }
        // Both checks throw on failure, so the request is only forwarded when they pass.
        checkAuthenticated(renameOperationContext);
        checkPwdReset(renameOperationContext);
        next(renameOperationContext);
        Dn cachedDn = renameOperationContext.getDn();
        invalidateAuthenticatorCaches(cachedDn);
    }

    /**
     * Gates a search behind the anonymous-access and password-reset checks before forwarding it.
     *
     * @param searchOperationContext the search request
     * @return the cursor produced by the rest of the interceptor chain
     * @throws LdapException if a check rejects the request or the downstream search fails
     */
    @Override
    public EntryFilteringCursor search(SearchOperationContext searchOperationContext) throws LdapException {
        if (IS_DEBUG) {
            LOG.debug("Operation Context: {}", searchOperationContext);
        }
        // Both checks throw on failure, so the request is only forwarded when they pass.
        checkAuthenticated(searchOperationContext);
        checkPwdReset(searchOperationContext);
        EntryFilteringCursor results = next(searchOperationContext);
        return results;
    }

    /**
     * Forwards an unbind request unchanged; unlike the other operations in this interceptor, no
     * anonymous-access or password-reset check is applied.
     *
     * @param unbindOperationContext the unbind request
     * @throws LdapException if the downstream unbind fails
     */
    @Override
    public void unbind(UnbindOperationContext unbindOperationContext) throws LdapException {
        next(unbindOperationContext);
    }

    /**
     * Rejects an operation issued by an anonymous session when anonymous access is disabled.
     *
     * <p>An operation whose target DN is empty is always let through, even for anonymous sessions
     * with anonymous access disabled.
     *
     * @param operationContext the operation being checked
     * @throws LdapException an {@link LdapNoPermissionException} if the operation is rejected
     */
    private void checkAuthenticated(OperationContext operationContext) throws LdapException {
        boolean anonymousDenied = operationContext.getSession().isAnonymous()
                && !this.directoryService.isAllowAnonymousAccess()
                && !operationContext.getDn().isEmpty();
        if (anonymousDenied) {
            String message = I18n.err(I18n.ERR_5, operationContext.getName());
            LOG.error(message);
            throw new LdapNoPermissionException(message);
        }
    }

    /**
     * Resolves the password policy state attribute types from the schema manager, stores each in
     * its field and registers it in {@code PWD_POLICY_STATE_ATTRIBUTE_TYPES}.
     *
     * <p>Lookups run in a fixed order; if one fails, the fields and registrations made before it
     * remain in place.
     *
     * @throws LdapException if an attribute type cannot be found in the schema
     */
    public void loadPwdPolicyStateAttributeTypes() throws LdapException {
        // Reset flag and change bookkeeping.
        pwdResetAT = schemaManager.lookupAttributeTypeRegistry("pwdReset");
        PWD_POLICY_STATE_ATTRIBUTE_TYPES.add(pwdResetAT);

        pwdChangedTimeAT = schemaManager.lookupAttributeTypeRegistry("pwdChangedTime");
        PWD_POLICY_STATE_ATTRIBUTE_TYPES.add(pwdChangedTimeAT);

        pwdHistoryAT = schemaManager.lookupAttributeTypeRegistry("pwdHistory");
        PWD_POLICY_STATE_ATTRIBUTE_TYPES.add(pwdHistoryAT);

        // Failed-bind and lockout tracking.
        pwdFailurTimeAT = schemaManager.lookupAttributeTypeRegistry("pwdFailureTime");
        PWD_POLICY_STATE_ATTRIBUTE_TYPES.add(pwdFailurTimeAT);

        pwdAccountLockedTimeAT = schemaManager.lookupAttributeTypeRegistry("pwdAccountLockedTime");
        PWD_POLICY_STATE_ATTRIBUTE_TYPES.add(pwdAccountLockedTimeAT);

        pwdLastSuccessAT = schemaManager.lookupAttributeTypeRegistry("pwdLastSuccess");
        PWD_POLICY_STATE_ATTRIBUTE_TYPES.add(pwdLastSuccessAT);

        pwdGraceUseTimeAT = schemaManager.lookupAttributeTypeRegistry("pwdGraceUseTime");
        PWD_POLICY_STATE_ATTRIBUTE_TYPES.add(pwdGraceUseTimeAT);

        // Policy selection and validity window.
        pwdPolicySubentryAT = schemaManager.lookupAttributeTypeRegistry("pwdPolicySubentry");
        PWD_POLICY_STATE_ATTRIBUTE_TYPES.add(pwdPolicySubentryAT);

        pwdStartTimeAT = schemaManager.lookupAttributeTypeRegistry("pwdStartTime");
        PWD_POLICY_STATE_ATTRIBUTE_TYPES.add(pwdStartTimeAT);

        pwdEndTimeAT = schemaManager.lookupAttributeTypeRegistry("pwdEndTime");
        PWD_POLICY_STATE_ATTRIBUTE_TYPES.add(pwdEndTimeAT);
    }

    /**
     * Runs the policy's password quality check on a new password.
     *
     * <p>Administrators are exempt, and nothing is checked when the policy's quality setting is
     * NO_CHECK. A value for which {@code PasswordUtil.findAlgorithm} reports an algorithm is
     * treated as non-cleartext: it is accepted without any length or validator check when the
     * setting is CHECK_ACCEPT and rejected otherwise. Cleartext values go through the length
     * check and then the configured validator, or {@code DefaultPasswordValidator} if none is set.
     *
     * <p>The cleartext password is converted to a {@code String} for validation.
     *
     * @param operationContext the operation, used to identify administrator sessions
     * @param entry the entry the password belongs to, handed to the validator
     * @param bArr the new password bytes
     * @param passwordPolicyConfiguration the policy in effect
     * @throws LdapException a {@code PasswordPolicyException} if the password fails the check
     */
    private void check(OperationContext operationContext, Entry entry, byte[] bArr, PasswordPolicyConfiguration passwordPolicyConfiguration) throws LdapException {
        if (operationContext.getSession().isAnAdministrator()) {
            return;
        }
        CheckQualityEnum quality = passwordPolicyConfiguration.getPwdCheckQuality();
        if (quality == CheckQualityEnum.NO_CHECK) {
            return;
        }
        boolean alreadyHashed = PasswordUtil.findAlgorithm(bArr) != null;
        if (alreadyHashed) {
            if (quality == CheckQualityEnum.CHECK_ACCEPT) {
                // Quality cannot be assessed on a hashed value; this setting lets it through.
                return;
            }
            throw new PasswordPolicyException("cannot verify the quality of the non-cleartext passwords", PasswordPolicyErrorEnum.INSUFFICIENT_PASSWORD_QUALITY.getValue());
        }
        String cleartext = Strings.utf8ToString(bArr);
        validatePasswordLength(cleartext, passwordPolicyConfiguration);
        PasswordValidator validator = passwordPolicyConfiguration.getPwdValidator();
        if (validator == null) {
            validator = new DefaultPasswordValidator();
        }
        validator.validate(cleartext, entry);
    }

    /**
     * Checks a cleartext password against the policy's maximum and minimum length.
     *
     * <p>A limit of zero or less disables the corresponding check. The length is
     * {@link String#length()}, i.e. UTF-16 code units, so a supplementary character counts as two.
     * The maximum is tested first; exceeding it is reported as INSUFFICIENT_PASSWORD_QUALITY,
     * falling short of the minimum as PASSWORD_TOO_SHORT.
     *
     * @param str the cleartext password
     * @param passwordPolicyConfiguration the policy supplying the limits
     * @throws PasswordPolicyException if the password is too long or too short
     */
    private void validatePasswordLength(String str, PasswordPolicyConfiguration passwordPolicyConfiguration) throws PasswordPolicyException {
        int upperLimit = passwordPolicyConfiguration.getPwdMaxLength();
        int lowerLimit = passwordPolicyConfiguration.getPwdMinLength();
        int actual = str.length();
        boolean tooLong = upperLimit > 0 && actual > upperLimit;
        if (tooLong) {
            throw new PasswordPolicyException("Password should not have more than " + upperLimit + " characters", PasswordPolicyErrorEnum.INSUFFICIENT_PASSWORD_QUALITY.getValue());
        }
        boolean tooShort = lowerLimit > 0 && actual < lowerLimit;
        if (tooShort) {
            throw new PasswordPolicyException("Password should have a minimum of " + lowerLimit + " characters", PasswordPolicyErrorEnum.PASSWORD_TOO_SHORT.getValue());
        }
    }

    /**
     * Computes the number of seconds left before the password expires, for use as an expiry
     * warning.
     *
     * <p>Returns 0 when the policy has no maximum age or no positive warning period, when the
     * password age already exceeds the maximum age, or when the warning window has not been
     * reached yet. The password age is measured from {@code pwdChangedTime}, falling back to the
     * entry's create timestamp.
     *
     * <p>NOTE(review): if the entry carries neither attribute, {@code getString()} is called on
     * {@code null}. Confirm that every entry reaching this method has a create timestamp.
     *
     * @param entry the user entry
     * @param passwordPolicyConfiguration the policy in effect
     * @return seconds until expiry, capped at {@link Integer#MAX_VALUE}, or 0 if no warning applies
     * @throws LdapException if the timestamp attribute cannot be read
     */
    private int getPwdTimeBeforeExpiry(Entry entry, PasswordPolicyConfiguration passwordPolicyConfiguration) throws LdapException {
        if (passwordPolicyConfiguration.getPwdMaxAge() == 0) {
            return 0;
        }
        int pwdExpireWarning = passwordPolicyConfiguration.getPwdExpireWarning();
        if (pwdExpireWarning <= 0) {
            return 0;
        }
        Attribute changedAt = entry.get(this.pwdChangedTimeAT);
        if (changedAt == null) {
            changedAt = entry.get(this.directoryService.getAtProvider().getCreateTimestamp());
        }
        long nowMillis = this.directoryService.getTimeProvider().currentIimeMillis();
        long changedMillis = DateUtils.getDate(changedAt.getString()).getTime();
        long ageSeconds = (nowMillis - changedMillis) / 1000;
        if (ageSeconds > passwordPolicyConfiguration.getPwdMaxAge()) {
            // Already expired: no warning to give.
            return 0;
        }
        if (ageSeconds < passwordPolicyConfiguration.getPwdMaxAge() - pwdExpireWarning) {
            // Still outside the warning window.
            return 0;
        }
        long secondsLeft = passwordPolicyConfiguration.getPwdMaxAge() - ageSeconds;
        return (int) Math.min(secondsLeft, 2147483647L);
    }

    /**
     * Tells whether the password was changed too recently to be changed again under the policy's
     * minimum age.
     *
     * <p>The minimum age is not applied to administrators, when it is zero, when both the policy
     * and the session require a password change, or when the entry has no {@code pwdChangedTime}.
     *
     * @param operationContext the operation, used for the session
     * @param entry the entry whose password is being changed
     * @param passwordPolicyConfiguration the policy in effect
     * @return {@code true} if the minimum age has not yet elapsed since the last change
     * @throws LdapException if {@code pwdChangedTime} cannot be read
     */
    private boolean isPwdTooYoung(OperationContext operationContext, Entry entry, PasswordPolicyConfiguration passwordPolicyConfiguration) throws LdapException {
        if (operationContext.getSession().isAnAdministrator() || passwordPolicyConfiguration.getPwdMinAge() == 0) {
            return false;
        }
        if (passwordPolicyConfiguration.isPwdMustChange() && operationContext.getSession().isPwdMustChange()) {
            // A forced change after reset must not be blocked by the minimum age.
            return false;
        }
        Attribute changedAt = entry.get(this.pwdChangedTimeAT);
        if (changedAt == null) {
            return false;
        }
        long earliestNextChange = DateUtils.getDate(changedAt.getString()).getTime() + (((long) passwordPolicyConfiguration.getPwdMinAge()) * 1000);
        return earliestNextChange > this.directoryService.getTimeProvider().currentIimeMillis();
    }

    /**
     * Reads the entry's {@code pwdReset} attribute.
     *
     * @param entry the user entry
     * @return {@code true} only if the attribute is present and its string value parses as true
     *         per {@link Boolean#parseBoolean(String)}; {@code false} otherwise
     * @throws LdapException if the attribute value cannot be read as a string
     */
    private boolean isPwdMustReset(Entry entry) throws LdapException {
        Attribute resetFlag = entry.get(this.pwdResetAT);
        return resetFlag != null && Boolean.parseBoolean(resetFlag.getString());
    }

    /**
     * Classifies the modification items of a request with respect to the policy's password
     * attribute.
     *
     * <p>Each item on the password attribute marks the holder as containing a password
     * modification, and additionally as a delete (REMOVE) or as an add/replace (ADD or REPLACE).
     * Any item on another attribute sets the "other modification" flag. If several add/replace
     * items address the password attribute, the new password recorded is the one from the last
     * of them.
     *
     * @param modifyOperationContext the modify request
     * @param passwordPolicyConfiguration the policy naming the password attribute
     * @return the populated holder
     * @throws LdapException if the password attribute type cannot be resolved
     */
    private PwdModDetailsHolder getPwdModDetails(ModifyOperationContext modifyOperationContext, PasswordPolicyConfiguration passwordPolicyConfiguration) throws LdapException {
        PwdModDetailsHolder details = new PwdModDetailsHolder();
        for (Modification item : modifyOperationContext.getModItems()) {
            Attribute target = item.getAttribute();
            AttributeType touched = target.getAttributeType();
            AttributeType pwdType = this.schemaManager.lookupAttributeTypeRegistry(passwordPolicyConfiguration.getPwdAttribute());
            if (!touched.equals(pwdType)) {
                details.setOtherModExists(true);
                continue;
            }
            details.setPwdModPresent(true);
            ModificationOperation kind = item.getOperation();
            if (kind == ModificationOperation.REMOVE_ATTRIBUTE) {
                details.setDelete(true);
                continue;
            }
            if (kind == ModificationOperation.REPLACE_ATTRIBUTE || kind == ModificationOperation.ADD_ATTRIBUTE) {
                details.setAddOrReplace(true);
                details.setNewPwd(target.getBytes());
            }
        }
        return details;
    }

    /**
     * Blocks an operation while password policy is enabled and the session is flagged as
     * "password must change".
     *
     * <p>If the client sent the password policy request control, a CHANGE_AFTER_RESET response
     * control is attached before the exception is thrown.
     *
     * @param operationContext the operation being checked
     * @throws LdapException an {@link LdapNoPermissionException} if the operation is blocked
     */
    private void checkPwdReset(OperationContext operationContext) throws LdapException {
        boolean mustChangeFirst = this.directoryService.isPwdPolicyEnabled() && operationContext.getSession().isPwdMustChange();
        if (!mustChangeFirst) {
            return;
        }
        // OID of the password policy request control.
        if (operationContext.hasRequestControl("1.3.6.1.4.1.42.2.27.8.5.1")) {
            PasswordPolicyResponseImpl changeAfterReset = new PasswordPolicyResponseImpl();
            changeAfterReset.setPasswordPolicyError(PasswordPolicyErrorEnum.CHANGE_AFTER_RESET);
            operationContext.addResponseControl(changeAfterReset);
        }
        throw new LdapNoPermissionException("password needs to be reset before performing this operation");
    }

    /**
     * Resolves the password policy that applies to an entry.
     *
     * <p>The default policy is used when no entry is given, when no custom policies are
     * configured, when the entry has no {@code pwdPolicySubentry} attribute, or when the policy
     * named by that attribute is not found. In the last case a warning is logged and the default
     * applies instead of the request failing.
     *
     * @param entry the user entry, may be {@code null}
     * @return the applicable policy, or {@code null} if no policy container is configured
     * @throws LdapException if the subentry DN cannot be read or created
     */
    public PasswordPolicyConfiguration getPwdPolicy(Entry entry) throws LdapException {
        if (this.pwdPolicyContainer == null) {
            return null;
        }
        if (entry != null && this.pwdPolicyContainer.hasCustomConfigs()) {
            Attribute subentryRef = entry.get(this.pwdPolicySubentryAT);
            if (subentryRef != null) {
                PasswordPolicyConfiguration custom = this.pwdPolicyContainer.getPolicyConfig(this.dnFactory.create(subentryRef.getString()));
                if (custom != null) {
                    return custom;
                }
                LOG.warn("The custom password policy for the user entry {} is not found, returning default policy configuration", entry.getDn());
            }
        }
        return this.pwdPolicyContainer.getDefaultPolicy();
    }

    /**
     * Sets the container holding the password policy configurations. Writes the same field as
     * {@code setPwdPolicyContainer}.
     *
     * @param ppolicyConfigContainer the policy container; {@code null} leaves no policy configured
     */
    public void setPwdPolicies(PpolicyConfigContainer ppolicyConfigContainer) {
        pwdPolicyContainer = ppolicyConfigContainer;
    }

    /**
     * Tells whether this interceptor has any password policy configured.
     *
     * @return {@code true} if a policy container is set and it holds a default policy or at least
     *         one custom configuration
     */
    public boolean isPwdPolicyEnabled() {
        if (this.pwdPolicyContainer == null) {
            return false;
        }
        return this.pwdPolicyContainer.getDefaultPolicy() != null || this.pwdPolicyContainer.hasCustomConfigs();
    }

    /**
     * Returns the container holding the password policy configurations.
     *
     * @return the policy container, or {@code null} if none has been set
     */
    public PpolicyConfigContainer getPwdPolicyContainer() {
        return pwdPolicyContainer;
    }

    /**
     * Sets the container holding the password policy configurations. Writes the same field as
     * {@code setPwdPolicies}.
     *
     * @param ppolicyConfigContainer the policy container; {@code null} leaves no policy configured
     */
    public void setPwdPolicyContainer(PpolicyConfigContainer ppolicyConfigContainer) {
        pwdPolicyContainer = ppolicyConfigContainer;
    }

    /**
     * Removes from a failure-time attribute every value that is older than the policy's failure
     * count interval.
     *
     * <p>The attribute is modified in place through its iterator. Nothing is purged when the
     * interval is 0.
     *
     * @param passwordPolicyConfiguration the policy supplying the interval, in seconds
     * @param attribute the failure-time attribute to prune
     */
    private void purgeFailureTimes(PasswordPolicyConfiguration passwordPolicyConfiguration, Attribute attribute) {
        long intervalSeconds = passwordPolicyConfiguration.getPwdFailureCountInterval();
        if (intervalSeconds == 0) {
            return;
        }
        long windowMillis = intervalSeconds * 1000;
        long nowMillis = this.directoryService.getTimeProvider().currentIimeMillis();
        for (Iterator<Value> failures = attribute.iterator(); failures.hasNext();) {
            long failedAtMillis = DateUtils.getDate(failures.next().getString()).getTime();
            boolean outsideWindow = nowMillis >= failedAtMillis + windowMillis;
            if (outsideWindow) {
                failures.remove();
            }
        }
    }
}
