package org.apache.directory.server.operations.extended;

import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyErrorEnum;
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyResponse;
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyResponseImpl;
import org.apache.directory.api.ldap.extras.extended.pwdModify.PasswordModifyRequestImpl;
import org.apache.directory.api.ldap.extras.extended.pwdModify.PasswordModifyResponse;
import org.apache.directory.api.ldap.model.constants.LdapSecurityConstants;
import org.apache.directory.api.ldap.model.constants.SchemaConstants;
import org.apache.directory.api.ldap.model.entry.DefaultEntry;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.exception.LdapAuthenticationException;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.message.AddRequestImpl;
import org.apache.directory.api.ldap.model.message.AddResponse;
import org.apache.directory.api.ldap.model.message.Control;
import org.apache.directory.api.ldap.model.message.Response;
import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.api.ldap.model.password.PasswordUtil;
import org.apache.directory.api.util.Strings;
import org.apache.directory.ldap.client.api.LdapConnection;
import org.apache.directory.server.annotations.CreateLdapServer;
import org.apache.directory.server.annotations.CreateTransport;
import org.apache.directory.server.core.annotations.CreateDS;
import org.apache.directory.server.core.api.InterceptorEnum;
import org.apache.directory.server.core.api.authn.ppolicy.CheckQualityEnum;
import org.apache.directory.server.core.api.authn.ppolicy.PasswordPolicyConfiguration;
import org.apache.directory.server.core.authn.ppolicy.PpolicyConfigContainer;
import org.apache.directory.server.core.hash.Sha512PasswordHashingInterceptor;
import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
import org.apache.directory.server.core.integ.FrameworkRunner;
import org.apache.directory.server.core.integ.IntegrationUtils;
import org.apache.directory.server.ldap.handlers.extended.PwdModifyHandler;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;

@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP")}, extendedOpHandlers = {PwdModifyHandler.class}, allowAnonymousAccess = true)
@RunWith(FrameworkRunner.class)
@CreateDS(enableChangeLog = false, name = "PasswordPolicyTest", additionalInterceptors = {Sha512PasswordHashingInterceptor.class})
/* loaded from: input_file:org/apache/directory/server/operations/extended/PwdModifyIT.class */
public class PwdModifyIT extends AbstractLdapTestUnit {
    private static final PasswordPolicyResponse PP_REQ_CTRL = new PasswordPolicyResponseImpl();
    private PasswordPolicyConfiguration policyConfig;

    private PasswordPolicyResponse getPwdRespCtrl(Response response) throws Exception {
        PasswordPolicyResponse passwordPolicyResponse = (Control) response.getControls().get(PP_REQ_CTRL.getOid());
        if (passwordPolicyResponse == null) {
            return null;
        }
        return passwordPolicyResponse;
    }

    private void addUser(LdapConnection ldapConnection, String str, Object obj) throws Exception {
        DefaultEntry defaultEntry = new DefaultEntry("cn=" + str + ",ou=system", new Object[]{"ObjectClass: top", "ObjectClass: person", "cn", str, "sn", str + "_sn", "userPassword", obj});
        AddRequestImpl addRequestImpl = new AddRequestImpl();
        addRequestImpl.setEntry(defaultEntry);
        addRequestImpl.addControl(PP_REQ_CTRL);
        AddResponse add = ldapConnection.add(addRequestImpl);
        Assert.assertEquals(ResultCodeEnum.SUCCESS, add.getLdapResult().getResultCode());
        Assert.assertNull(getPwdRespCtrl(add));
    }

    private void checkBind(LdapConnection ldapConnection, Dn dn, String str, int i, String str2) throws Exception {
        for (int i2 = 0; i2 < i; i2++) {
            try {
                ldapConnection.bind(dn, str);
            } catch (LdapAuthenticationException e) {
                Assert.assertEquals(str2, e.getMessage());
            }
        }
    }

    private void safeCloseConnections(LdapConnection... ldapConnectionArr) {
        for (LdapConnection ldapConnection : ldapConnectionArr) {
            if (ldapConnection != null) {
                try {
                    ldapConnection.close();
                } catch (Exception e) {
                }
            }
        }
    }

    @Before
    public void setPwdPolicy() throws LdapException {
        this.policyConfig = new PasswordPolicyConfiguration();
        this.policyConfig.setPwdMaxAge(110);
        this.policyConfig.setPwdFailureCountInterval(30);
        this.policyConfig.setPwdMaxFailure(3);
        this.policyConfig.setPwdLockout(true);
        this.policyConfig.setPwdLockoutDuration(0);
        this.policyConfig.setPwdMinLength(5);
        this.policyConfig.setPwdInHistory(5);
        this.policyConfig.setPwdExpireWarning(600);
        this.policyConfig.setPwdGraceAuthNLimit(5);
        this.policyConfig.setPwdCheckQuality(CheckQualityEnum.CHECK_REJECT);
        PpolicyConfigContainer ppolicyConfigContainer = new PpolicyConfigContainer();
        Dn dn = new Dn(ldapServer.getDirectoryService().getSchemaManager(), new String[]{"cn=default"});
        ppolicyConfigContainer.addPolicy(dn, this.policyConfig);
        ppolicyConfigContainer.setDefaultPolicyDn(dn);
        getService().getInterceptor(InterceptorEnum.AUTHENTICATION_INTERCEPTOR.getName()).setPwdPolicies(ppolicyConfigContainer);
    }

    @Test
    public void testModifyOwnPasswordConnected() throws Exception {
        LdapConnection adminNetworkConnection = IntegrationUtils.getAdminNetworkConnection(getLdapServer());
        addUser(adminNetworkConnection, "User1", "secret1");
        LdapConnection networkConnectionAs = IntegrationUtils.getNetworkConnectionAs(getLdapServer(), "cn=user1,ou=system", "secret1");
        PasswordModifyRequestImpl passwordModifyRequestImpl = new PasswordModifyRequestImpl();
        passwordModifyRequestImpl.setNewPassword(Strings.getBytesUtf8("secret1Bis"));
        Assert.assertEquals(ResultCodeEnum.SUCCESS, networkConnectionAs.extended(passwordModifyRequestImpl).getLdapResult().getResultCode());
        LdapConnection networkConnectionAs2 = IntegrationUtils.getNetworkConnectionAs(ldapServer, "cn=User1,ou=system", "secret1Bis");
        Assert.assertNotNull(networkConnectionAs2.lookup("cn=User1,ou=system"));
        networkConnectionAs2.close();
        adminNetworkConnection.close();
    }

    @Test
    public void testModifyUserPasswordAnonymous() throws Exception {
        LdapConnection adminNetworkConnection = IntegrationUtils.getAdminNetworkConnection(getLdapServer());
        addUser(adminNetworkConnection, "User2", "secret2");
        LdapConnection networkConnectionAs = IntegrationUtils.getNetworkConnectionAs(ldapServer, "cn=User2,ou=system", "secret2");
        Assert.assertNotNull(networkConnectionAs.lookup("cn=User2,ou=system"));
        networkConnectionAs.close();
        LdapConnection anonymousNetworkConnection = IntegrationUtils.getAnonymousNetworkConnection(getLdapServer());
        PasswordModifyRequestImpl passwordModifyRequestImpl = new PasswordModifyRequestImpl();
        passwordModifyRequestImpl.setUserIdentity(Strings.getBytesUtf8("cn=User2,ou=system"));
        passwordModifyRequestImpl.setOldPassword(Strings.getBytesUtf8("secret2"));
        passwordModifyRequestImpl.setNewPassword(Strings.getBytesUtf8("secret2Bis"));
        Assert.assertEquals(ResultCodeEnum.SUCCESS, anonymousNetworkConnection.extended(passwordModifyRequestImpl).getLdapResult().getResultCode());
        LdapConnection networkConnectionAs2 = IntegrationUtils.getNetworkConnectionAs(ldapServer, "cn=User2,ou=system", "secret2Bis");
        Assert.assertNotNull(networkConnectionAs2.lookup("cn=User2,ou=system"));
        networkConnectionAs2.close();
        anonymousNetworkConnection.close();
        adminNetworkConnection.close();
    }

    @Test
    public void testModifyUserPasswordAnonymousPPActivated() throws Exception {
        this.policyConfig.setPwdCheckQuality(CheckQualityEnum.CHECK_ACCEPT);
        LdapConnection adminNetworkConnection = IntegrationUtils.getAdminNetworkConnection(getLdapServer());
        addUser(adminNetworkConnection, "User3", "secret3");
        Dn dn = new Dn(new String[]{"cn=User3,ou=system"});
        LdapConnection networkConnectionAs = IntegrationUtils.getNetworkConnectionAs(ldapServer, "cn=User3,ou=system", "secret3");
        Assert.assertNotNull(networkConnectionAs.lookup("cn=User3,ou=system"));
        networkConnectionAs.close();
        checkBind(networkConnectionAs, dn, "badPassword", 2, "INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user cn=User3,ou=system");
        LdapConnection anonymousNetworkConnection = IntegrationUtils.getAnonymousNetworkConnection(getLdapServer());
        PasswordModifyRequestImpl passwordModifyRequestImpl = new PasswordModifyRequestImpl();
        passwordModifyRequestImpl.setUserIdentity(Strings.getBytesUtf8("cn=User3,ou=system"));
        passwordModifyRequestImpl.setOldPassword(Strings.getBytesUtf8("secret3"));
        passwordModifyRequestImpl.setNewPassword(Strings.getBytesUtf8("secret3Bis"));
        Assert.assertEquals(ResultCodeEnum.SUCCESS, anonymousNetworkConnection.extended(passwordModifyRequestImpl).getLdapResult().getResultCode());
        LdapConnection networkConnectionAs2 = IntegrationUtils.getNetworkConnectionAs(ldapServer, "cn=User3,ou=system", "secret3Bis");
        Assert.assertNotNull(networkConnectionAs2.lookup("cn=User3,ou=system"));
        checkBind(networkConnectionAs2, dn, "badPassword", 2, "INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user cn=User3,ou=system");
        networkConnectionAs2.close();
        anonymousNetworkConnection.close();
        adminNetworkConnection.close();
    }

    @Test
    public void testAdminModifyPassword() throws Exception {
        LdapConnection adminNetworkConnection = IntegrationUtils.getAdminNetworkConnection(getLdapServer());
        addUser(adminNetworkConnection, "User4", "secret4");
        PasswordModifyRequestImpl passwordModifyRequestImpl = new PasswordModifyRequestImpl();
        passwordModifyRequestImpl.setUserIdentity(Strings.getBytesUtf8("cn=User4,ou=system"));
        passwordModifyRequestImpl.setNewPassword(Strings.getBytesUtf8("secret4Bis"));
        Assert.assertEquals(ResultCodeEnum.SUCCESS, adminNetworkConnection.extended(passwordModifyRequestImpl).getLdapResult().getResultCode());
        LdapConnection networkConnectionAs = IntegrationUtils.getNetworkConnectionAs(ldapServer, "cn=User4,ou=system", "secret4Bis");
        Assert.assertNotNull(networkConnectionAs.lookup("cn=User4,ou=system"));
        networkConnectionAs.close();
        adminNetworkConnection.close();
    }

    @Test
    public void testAdminModifyPasswordBadUser() throws Exception {
        LdapConnection adminNetworkConnection = IntegrationUtils.getAdminNetworkConnection(getLdapServer());
        addUser(adminNetworkConnection, "User5", "secret5");
        PasswordModifyRequestImpl passwordModifyRequestImpl = new PasswordModifyRequestImpl();
        passwordModifyRequestImpl.setUserIdentity(Strings.getBytesUtf8("cn=baduser,ou=system"));
        passwordModifyRequestImpl.setNewPassword(Strings.getBytesUtf8("secret5Bis"));
        PasswordModifyResponse extended = adminNetworkConnection.extended(passwordModifyRequestImpl);
        Assert.assertEquals(ResultCodeEnum.NO_SUCH_OBJECT, extended.getLdapResult().getResultCode());
        Assert.assertEquals("The entry does not exist, we can't modify its password", extended.getLdapResult().getDiagnosticMessage());
        adminNetworkConnection.close();
    }

    @Test
    public void testAdminGenPassword() throws Exception {
        LdapConnection adminNetworkConnection = IntegrationUtils.getAdminNetworkConnection(getLdapServer());
        addUser(adminNetworkConnection, "User6", "secret6");
        PasswordModifyRequestImpl passwordModifyRequestImpl = new PasswordModifyRequestImpl();
        passwordModifyRequestImpl.setUserIdentity(Strings.getBytesUtf8("cn=User6,ou=system"));
        Assert.assertEquals(ResultCodeEnum.UNWILLING_TO_PERFORM, adminNetworkConnection.extended(passwordModifyRequestImpl).getLdapResult().getResultCode());
        adminNetworkConnection.close();
    }

    @Test
    public void testModifyPasswordTooSoon() throws Exception {
        LdapConnection ldapConnection = null;
        LdapConnection ldapConnection2 = null;
        int pwdMinAge = this.policyConfig.getPwdMinAge();
        try {
            this.policyConfig.setPwdMinAge(1000);
            ldapConnection = IntegrationUtils.getAdminNetworkConnection(getLdapServer());
            addUser(ldapConnection, "User7", "secret7");
            Assert.assertEquals(1L, ldapConnection.lookup("cn=User7,ou=system", new String[]{"*", "+"}).get("pwdHistory").size());
            try {
                ldapConnection2 = IntegrationUtils.getNetworkConnectionAs(getLdapServer(), "cn=User7,ou=system", "secret7");
                PasswordModifyRequestImpl passwordModifyRequestImpl = new PasswordModifyRequestImpl();
                passwordModifyRequestImpl.setUserIdentity(Strings.getBytesUtf8("cn=User7,ou=system"));
                passwordModifyRequestImpl.setNewPassword(Strings.getBytesUtf8("secret4Bis"));
                Assert.assertNotEquals(ResultCodeEnum.SUCCESS, ldapConnection2.extended(passwordModifyRequestImpl).getLdapResult().getResultCode());
                safeCloseConnections(ldapConnection2);
                PasswordModifyRequestImpl passwordModifyRequestImpl2 = new PasswordModifyRequestImpl();
                passwordModifyRequestImpl2.setUserIdentity(Strings.getBytesUtf8("cn=User7,ou=system"));
                passwordModifyRequestImpl2.setNewPassword(Strings.getBytesUtf8("secret4Bis"));
                Assert.assertEquals(ResultCodeEnum.SUCCESS, ldapConnection.extended(passwordModifyRequestImpl2).getLdapResult().getResultCode());
                Assert.assertEquals(2L, ldapConnection.lookup("cn=User7,ou=system", new String[]{"*", "+"}).get("pwdHistory").size());
                LdapConnection networkConnectionAs = IntegrationUtils.getNetworkConnectionAs(ldapServer, "cn=User7,ou=system", "secret4Bis");
                Assert.assertNotNull(networkConnectionAs.lookup("cn=User7,ou=system"));
                this.policyConfig.setPwdMinAge(pwdMinAge);
                safeCloseConnections(networkConnectionAs, ldapConnection);
            } catch (Throwable th) {
                safeCloseConnections(ldapConnection2);
                throw th;
            }
        } catch (Throwable th2) {
            this.policyConfig.setPwdMinAge(pwdMinAge);
            safeCloseConnections(ldapConnection2, ldapConnection);
            throw th2;
        }
    }

    @Test
    public void testModifyUserPasswordWithPasswordPolicyControl() throws Exception {
        this.policyConfig.setPwdCheckQuality(CheckQualityEnum.CHECK_ACCEPT);
        this.policyConfig.setPwdMinLength(5);
        this.policyConfig.setPwdMinAge(5);
        LdapConnection ldapConnection = null;
        LdapConnection ldapConnection2 = null;
        try {
            ldapConnection = IntegrationUtils.getAdminNetworkConnection(getLdapServer());
            addUser(ldapConnection, "UserXY", "secret3");
            Dn dn = new Dn(new String[]{"cn=UserXY,ou=system"});
            ldapConnection2 = IntegrationUtils.getNetworkConnectionAs(ldapServer, dn.toString(), "secret3");
            PasswordPolicyResponseImpl passwordPolicyResponseImpl = new PasswordPolicyResponseImpl();
            PasswordModifyRequestImpl passwordModifyRequestImpl = new PasswordModifyRequestImpl();
            passwordModifyRequestImpl.setUserIdentity(Strings.getBytesUtf8(dn.getNormName()));
            passwordModifyRequestImpl.setOldPassword(Strings.getBytesUtf8("secret3"));
            passwordModifyRequestImpl.setNewPassword(Strings.getBytesUtf8("1234567"));
            passwordModifyRequestImpl.addControl(passwordPolicyResponseImpl);
            PasswordModifyResponse extended = ldapConnection2.extended(passwordModifyRequestImpl);
            Assert.assertEquals(ResultCodeEnum.CONSTRAINT_VIOLATION, extended.getLdapResult().getResultCode());
            PasswordPolicyResponse control = extended.getControl(passwordPolicyResponseImpl.getOid());
            Assert.assertNotNull(control);
            Assert.assertEquals(PasswordPolicyErrorEnum.PASSWORD_TOO_YOUNG, control.getPasswordPolicyError());
            addUser(ldapConnection, "UserZZ", "secret4");
            Dn dn2 = new Dn(new String[]{"cn=UserZZ,ou=system"});
            PasswordModifyRequestImpl passwordModifyRequestImpl2 = new PasswordModifyRequestImpl();
            passwordModifyRequestImpl2.setUserIdentity(Strings.getBytesUtf8(dn2.getNormName()));
            passwordModifyRequestImpl2.setOldPassword(Strings.getBytesUtf8("secret4"));
            passwordModifyRequestImpl2.setNewPassword(Strings.getBytesUtf8("1234567"));
            Assert.assertEquals(ResultCodeEnum.INSUFFICIENT_ACCESS_RIGHTS, ldapConnection2.extended(passwordModifyRequestImpl2).getLdapResult().getResultCode());
            ldapConnection.close();
            ldapConnection2.close();
        } catch (Throwable th) {
            ldapConnection.close();
            ldapConnection2.close();
            throw th;
        }
    }

    @Test
    public void testModifyPasswordStoredAsHash() throws Exception {
        LdapConnection adminNetworkConnection = IntegrationUtils.getAdminNetworkConnection(getLdapServer());
        byte[] bytesUtf8 = Strings.getBytesUtf8("secret1");
        addUser(adminNetworkConnection, "User11", PasswordUtil.createStoragePassword(bytesUtf8, LdapSecurityConstants.HASH_METHOD_SHA256));
        LdapConnection networkConnectionAs = IntegrationUtils.getNetworkConnectionAs(getLdapServer(), "cn=user11,ou=system", "secret1");
        PasswordModifyRequestImpl passwordModifyRequestImpl = new PasswordModifyRequestImpl();
        passwordModifyRequestImpl.setOldPassword(bytesUtf8);
        passwordModifyRequestImpl.setNewPassword(Strings.getBytesUtf8("secret1Bis"));
        Assert.assertEquals(ResultCodeEnum.SUCCESS, networkConnectionAs.extended(passwordModifyRequestImpl).getLdapResult().getResultCode());
        LdapConnection networkConnectionAs2 = IntegrationUtils.getNetworkConnectionAs(ldapServer, "cn=User11,ou=system", "secret1Bis");
        networkConnectionAs2.loadSchema();
        Entry lookup = networkConnectionAs2.lookup("cn=User11,ou=system", SchemaConstants.ALL_ATTRIBUTES_ARRAY);
        Assert.assertNotNull(lookup);
        Assert.assertEquals(LdapSecurityConstants.HASH_METHOD_SHA512, PasswordUtil.findAlgorithm(lookup.get("userPassword").getBytes()));
        networkConnectionAs2.close();
        adminNetworkConnection.close();
    }
}
