package org.opends.server.core;

import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.concurrent.CopyOnWriteArrayList;
import org.opends.messages.CoreMessages;
import org.opends.messages.Message;
import org.opends.messages.MessageBuilder;
import org.opends.server.admin.std.meta.PasswordPolicyCfgDefn;
import org.opends.server.api.AccountStatusNotificationHandler;
import org.opends.server.api.PasswordGenerator;
import org.opends.server.api.PasswordStorageScheme;
import org.opends.server.config.ConfigConstants;
import org.opends.server.loggers.ErrorLogger;
import org.opends.server.loggers.debug.DebugLogger;
import org.opends.server.loggers.debug.DebugTracer;
import org.opends.server.protocols.internal.InternalClientConnection;
import org.opends.server.protocols.ldap.LDAPAttribute;
import org.opends.server.schema.AuthPasswordSyntax;
import org.opends.server.schema.GeneralizedTimeSyntax;
import org.opends.server.schema.SchemaConstants;
import org.opends.server.schema.UserPasswordSyntax;
import org.opends.server.types.AccountStatusNotification;
import org.opends.server.types.AccountStatusNotificationProperty;
import org.opends.server.types.AccountStatusNotificationType;
import org.opends.server.types.Attribute;
import org.opends.server.types.AttributeBuilder;
import org.opends.server.types.AttributeType;
import org.opends.server.types.AttributeValue;
import org.opends.server.types.AttributeValues;
import org.opends.server.types.Attributes;
import org.opends.server.types.ByteString;
import org.opends.server.types.ConditionResult;
import org.opends.server.types.DN;
import org.opends.server.types.DebugLogLevel;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.Entry;
import org.opends.server.types.Modification;
import org.opends.server.types.ModificationType;
import org.opends.server.types.Operation;
import org.opends.server.types.RawModification;
import org.opends.server.types.ResultCode;
import org.opends.server.types.SubEntry;
import org.opends.server.util.ServerConstants;
import org.opends.server.util.StaticUtils;
import org.opends.server.util.TimeThread;

/* loaded from: input_file:org/opends/server/core/PasswordPolicyState.class */
public class PasswordPolicyState {
    private static final DebugTracer TRACER;
    private final Entry userEntry;
    private final boolean updateEntry;
    private final String userDNString;
    private final PasswordPolicy passwordPolicy;
    private final long currentTime;
    private long passwordChangedTime;
    private ConditionResult isAccountExpired;
    private ConditionResult isDisabled;
    private ConditionResult isPasswordExpired;
    private ConditionResult isFirstWarning;
    private ConditionResult isIdleLocked;
    private ConditionResult mayUseGraceLogin;
    private ConditionResult mustChangePassword;
    private ConditionResult shouldWarn;
    private int secondsUntilUnlock;
    private List<Long> authFailureTimes;
    private List<Long> graceLoginTimes;
    private long accountExpirationTime;
    private long failureLockedTime;
    private long lastLoginTime;
    private long passwordExpirationTime;
    private long requiredChangeTime;
    private long warnedTime;
    private LinkedList<Modification> modifications;
    static final /* synthetic */ boolean $assertionsDisabled;

    public PasswordPolicyState(Entry entry, boolean z) throws DirectoryException {
        this(entry, z, TimeThread.getTime(), false);
    }

    public PasswordPolicyState(Entry entry, boolean z, long j, boolean z2) throws DirectoryException {
        this.passwordChangedTime = Long.MIN_VALUE;
        this.isAccountExpired = ConditionResult.UNDEFINED;
        this.isDisabled = ConditionResult.UNDEFINED;
        this.isPasswordExpired = ConditionResult.UNDEFINED;
        this.isFirstWarning = ConditionResult.UNDEFINED;
        this.isIdleLocked = ConditionResult.UNDEFINED;
        this.mayUseGraceLogin = ConditionResult.UNDEFINED;
        this.mustChangePassword = ConditionResult.UNDEFINED;
        this.shouldWarn = ConditionResult.UNDEFINED;
        this.secondsUntilUnlock = Integer.MIN_VALUE;
        this.authFailureTimes = null;
        this.graceLoginTimes = null;
        this.accountExpirationTime = Long.MIN_VALUE;
        this.failureLockedTime = Long.MIN_VALUE;
        this.lastLoginTime = Long.MIN_VALUE;
        this.passwordExpirationTime = Long.MIN_VALUE;
        this.requiredChangeTime = Long.MIN_VALUE;
        this.warnedTime = Long.MIN_VALUE;
        this.modifications = new LinkedList<>();
        this.userEntry = entry;
        this.updateEntry = z;
        this.currentTime = j;
        this.userDNString = entry.getDN().toString();
        this.passwordPolicy = getPasswordPolicy(this.userEntry, z2);
        AttributeType attributeType = DirectoryServer.getAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_CHANGED_TIME_LC);
        this.passwordChangedTime = getGeneralizedTime(attributeType == null ? DirectoryServer.getDefaultAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_CHANGED_TIME) : attributeType);
        if (this.passwordChangedTime <= 0) {
            AttributeType attributeType2 = DirectoryServer.getAttributeType(ConfigConstants.OP_ATTR_CREATE_TIMESTAMP_LC);
            this.passwordChangedTime = getGeneralizedTime(attributeType2 == null ? DirectoryServer.getDefaultAttributeType(ConfigConstants.OP_ATTR_CREATE_TIMESTAMP) : attributeType2);
            if (this.passwordChangedTime <= 0) {
                this.passwordChangedTime = 0L;
                if (DebugLogger.debugEnabled()) {
                    TRACER.debugWarning("Could not determine password changed time for user %s.", this.userDNString);
                }
            }
        }
    }

    public static PasswordPolicy getPasswordPolicy(Entry entry, boolean z) throws DirectoryException {
        String dn = entry.getDN().toString();
        List<Attribute> attribute = entry.getAttribute(DirectoryServer.getAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_POLICY_DN, true));
        if (attribute != null) {
            for (Attribute attribute2 : attribute) {
                if (!attribute2.isEmpty()) {
                    AttributeValue next = attribute2.iterator().next();
                    try {
                        DN decode = DN.decode(next.getValue());
                        PasswordPolicy passwordPolicy = DirectoryServer.getPasswordPolicy(decode);
                        if (passwordPolicy != null) {
                            if (DebugLogger.debugEnabled()) {
                                TRACER.debugInfo("Using password policy subentry %s for user %s.", String.valueOf(decode), dn);
                            }
                            return passwordPolicy;
                        }
                        if (DebugLogger.debugEnabled()) {
                            TRACER.debugError("Password policy subentry %s for user %s is not defined in the Directory Server.", String.valueOf(decode), dn);
                        }
                        Message message = CoreMessages.ERR_PWPSTATE_NO_SUCH_POLICY.get(dn, String.valueOf(decode));
                        if (!z) {
                            throw new DirectoryException(DirectoryServer.getServerErrorResultCode(), message);
                        }
                        ErrorLogger.logError(message);
                        return DirectoryServer.getDefaultPasswordPolicy();
                    } catch (Exception e) {
                        if (DebugLogger.debugEnabled()) {
                            TRACER.debugCaught(DebugLogLevel.ERROR, e);
                        }
                        if (DebugLogger.debugEnabled()) {
                            TRACER.debugError("Could not parse password policy subentry DN %s for user %s: %s", next.getValue().toString(), dn, StaticUtils.stackTraceToSingleLineString(e));
                        }
                        Message message2 = CoreMessages.ERR_PWPSTATE_CANNOT_DECODE_SUBENTRY_VALUE_AS_DN.get(next.getValue().toString(), dn, e.getMessage());
                        if (!z) {
                            throw new DirectoryException(ResultCode.INVALID_DN_SYNTAX, message2, e);
                        }
                        ErrorLogger.logError(message2);
                        return DirectoryServer.getDefaultPasswordPolicy();
                    }
                }
            }
        }
        List<SubEntry> subentries = DirectoryServer.getSubentryManager().getSubentries(entry);
        if (subentries != null && !subentries.isEmpty()) {
            for (SubEntry subEntry : subentries) {
                try {
                } catch (Exception e2) {
                    if (DebugLogger.debugEnabled()) {
                        TRACER.debugError("Could not parse password policy subentry DN %s for user %s: %s", subEntry.getDN().toString(), dn, StaticUtils.stackTraceToSingleLineString(e2));
                    }
                }
                if (subEntry.getEntry().isPasswordPolicySubentry()) {
                    PasswordPolicy passwordPolicy2 = DirectoryServer.getPasswordPolicy(subEntry.getDN());
                    if (passwordPolicy2 != null) {
                        return passwordPolicy2;
                    }
                    if (DebugLogger.debugEnabled()) {
                        TRACER.debugError("Found unknown password policy subentry DN %s for user %s", subEntry.getDN().toString(), dn);
                    }
                    break;
                }
                continue;
            }
        }
        if (DebugLogger.debugEnabled()) {
            TRACER.debugInfo("Using the default password policy for user %s", dn);
        }
        return DirectoryServer.getDefaultPasswordPolicy();
    }

    private String getValue(AttributeType attributeType) {
        String str = null;
        List<Attribute> attribute = this.userEntry.getAttribute(attributeType);
        if (attribute != null) {
            Iterator<Attribute> it = attribute.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                Attribute next = it.next();
                if (!next.isEmpty()) {
                    str = next.iterator().next().getValue().toString();
                    break;
                }
            }
        }
        if (str == null) {
            if (DebugLogger.debugEnabled()) {
                TRACER.debugInfo("Returning null because attribute %s does not exist in user entry %s", attributeType.getNameOrOID(), this.userDNString);
            }
        } else if (DebugLogger.debugEnabled()) {
            TRACER.debugInfo("Returning value %s for user %s", str, this.userDNString);
        }
        return str;
    }

    private long getGeneralizedTime(AttributeType attributeType) throws DirectoryException {
        long j = -1;
        List<Attribute> attribute = this.userEntry.getAttribute(attributeType);
        if (attribute != null) {
            Iterator<Attribute> it = attribute.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                Attribute next = it.next();
                if (!next.isEmpty()) {
                    AttributeValue next2 = next.iterator().next();
                    try {
                        j = GeneralizedTimeSyntax.decodeGeneralizedTimeValue(next2.getNormalizedValue());
                        break;
                    } catch (Exception e) {
                        if (DebugLogger.debugEnabled()) {
                            TRACER.debugCaught(DebugLogLevel.ERROR, e);
                            TRACER.debugWarning("Unable to decode value %s for attribute %s in user entry %s: %s", next2.getValue().toString(), attributeType.getNameOrOID(), this.userDNString, StaticUtils.stackTraceToSingleLineString(e));
                        }
                        throw new DirectoryException(ResultCode.INVALID_ATTRIBUTE_SYNTAX, CoreMessages.ERR_PWPSTATE_CANNOT_DECODE_GENERALIZED_TIME.get(next2.getValue().toString(), attributeType.getNameOrOID(), this.userDNString, String.valueOf(e)), e);
                    }
                }
            }
        }
        if (j == -1 && DebugLogger.debugEnabled()) {
            TRACER.debugInfo("Returning -1 because attribute %s does not exist in user entry %s", attributeType.getNameOrOID(), this.userDNString);
        }
        return j;
    }

    private List<Long> getGeneralizedTimes(AttributeType attributeType) throws DirectoryException {
        ArrayList arrayList = new ArrayList();
        List<Attribute> attribute = this.userEntry.getAttribute(attributeType);
        if (attribute != null) {
            Iterator<Attribute> it = attribute.iterator();
            while (it.hasNext()) {
                for (AttributeValue attributeValue : it.next()) {
                    try {
                        arrayList.add(Long.valueOf(GeneralizedTimeSyntax.decodeGeneralizedTimeValue(attributeValue.getNormalizedValue())));
                    } catch (Exception e) {
                        if (DebugLogger.debugEnabled()) {
                            TRACER.debugCaught(DebugLogLevel.ERROR, e);
                            TRACER.debugWarning("Unable to decode value %s for attribute %sin user entry %s: %s", attributeValue.getValue().toString(), attributeType.getNameOrOID(), this.userDNString, StaticUtils.stackTraceToSingleLineString(e));
                        }
                        throw new DirectoryException(ResultCode.INVALID_ATTRIBUTE_SYNTAX, CoreMessages.ERR_PWPSTATE_CANNOT_DECODE_GENERALIZED_TIME.get(attributeValue.getValue().toString(), attributeType.getNameOrOID(), this.userDNString, String.valueOf(e)), e);
                    }
                }
            }
        }
        if (arrayList.isEmpty() && DebugLogger.debugEnabled()) {
            TRACER.debugInfo("Returning an empty list because attribute %s does not exist in user entry %s", attributeType.getNameOrOID(), this.userDNString);
        }
        return arrayList;
    }

    private ConditionResult getBoolean(AttributeType attributeType) throws DirectoryException {
        List<Attribute> attribute = this.userEntry.getAttribute(attributeType);
        if (attribute != null) {
            for (Attribute attribute2 : attribute) {
                if (!attribute2.isEmpty()) {
                    String lowerCase = StaticUtils.toLowerCase(attribute2.iterator().next().getValue().toString());
                    if (lowerCase.equals(ServerConstants.CONFIG_VALUE_TRUE) || lowerCase.equals("yes") || lowerCase.equals("on") || lowerCase.equals("1")) {
                        if (DebugLogger.debugEnabled()) {
                            TRACER.debugInfo("Attribute %s resolves to true for user entry %s", attributeType.getNameOrOID(), this.userDNString);
                        }
                        return ConditionResult.TRUE;
                    }
                    if (lowerCase.equals(ServerConstants.CONFIG_VALUE_FALSE) || lowerCase.equals("no") || lowerCase.equals("off") || lowerCase.equals("0")) {
                        if (DebugLogger.debugEnabled()) {
                            TRACER.debugInfo("Attribute %s resolves to false for user entry %s", attributeType.getNameOrOID(), this.userDNString);
                        }
                        return ConditionResult.FALSE;
                    }
                    if (DebugLogger.debugEnabled()) {
                        TRACER.debugError("Unable to resolve value %s for attribute %s in user entry %s as a Boolean.", lowerCase, attributeType.getNameOrOID(), this.userDNString);
                    }
                    throw new DirectoryException(ResultCode.INVALID_ATTRIBUTE_SYNTAX, CoreMessages.ERR_PWPSTATE_CANNOT_DECODE_BOOLEAN.get(lowerCase, attributeType.getNameOrOID(), this.userDNString));
                }
            }
        }
        if (DebugLogger.debugEnabled()) {
            TRACER.debugInfo("Returning %s because attribute %s does not exist in user entry %s", ConditionResult.UNDEFINED.toString(), attributeType.getNameOrOID(), this.userDNString);
        }
        return ConditionResult.UNDEFINED;
    }

    public PasswordPolicy getPolicy() {
        return this.passwordPolicy;
    }

    public long getPasswordChangedTime() {
        return this.passwordChangedTime;
    }

    public long getCurrentTime() {
        return this.currentTime;
    }

    public Set<AttributeValue> getPasswordValues() {
        List<Attribute> attribute = this.userEntry.getAttribute(this.passwordPolicy.getPasswordAttribute());
        if (attribute != null) {
            for (Attribute attribute2 : attribute) {
                if (!attribute2.isEmpty()) {
                    LinkedHashSet linkedHashSet = new LinkedHashSet(attribute2.size());
                    Iterator<AttributeValue> it = attribute2.iterator();
                    while (it.hasNext()) {
                        linkedHashSet.add(it.next());
                    }
                    return Collections.unmodifiableSet(linkedHashSet);
                }
            }
        }
        return Collections.emptySet();
    }

    public void setPasswordChangedTime() {
        setPasswordChangedTime(this.currentTime);
    }

    public void setPasswordChangedTime(long j) {
        if (DebugLogger.debugEnabled()) {
            TRACER.debugInfo("Setting password changed time for user %s to current time of %d", this.userDNString, Long.valueOf(this.currentTime));
        }
        if (this.passwordChangedTime != j) {
            this.passwordChangedTime = j;
            Attribute create = Attributes.create(ConfigConstants.OP_ATTR_PWPOLICY_CHANGED_TIME, GeneralizedTimeSyntax.format(j));
            if (!this.updateEntry) {
                this.modifications.add(new Modification(ModificationType.REPLACE, create, true));
                return;
            }
            ArrayList arrayList = new ArrayList(1);
            arrayList.add(create);
            this.userEntry.putAttribute(create.getAttributeType(), arrayList);
        }
    }

    public void clearPasswordChangedTime() {
        if (DebugLogger.debugEnabled()) {
            TRACER.debugInfo("Clearing password changed time for user %s", this.userDNString);
        }
        AttributeType attributeType = DirectoryServer.getAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_CHANGED_TIME_LC, true);
        if (this.updateEntry) {
            this.userEntry.removeAttribute(attributeType);
        } else {
            this.modifications.add(new Modification(ModificationType.REPLACE, Attributes.empty(attributeType), true));
        }
        try {
            this.passwordChangedTime = getGeneralizedTime(DirectoryServer.getAttributeType(ConfigConstants.OP_ATTR_CREATE_TIMESTAMP_LC, true));
            if (this.passwordChangedTime <= 0) {
                this.passwordChangedTime = 0L;
            }
        } catch (Exception e) {
            this.passwordChangedTime = 0L;
        }
    }

    public boolean isDisabled() {
        if (this.isDisabled != ConditionResult.UNDEFINED) {
            if (DebugLogger.debugEnabled()) {
                DebugTracer debugTracer = TRACER;
                Object[] objArr = new Object[2];
                objArr[0] = Boolean.valueOf(this.isDisabled == ConditionResult.TRUE);
                objArr[1] = this.userDNString;
                debugTracer.debugInfo("Returning stored result of %b for user %s", objArr);
            }
            return this.isDisabled == ConditionResult.TRUE;
        }
        try {
            this.isDisabled = getBoolean(DirectoryServer.getAttributeType(ConfigConstants.OP_ATTR_ACCOUNT_DISABLED, true));
            if (this.isDisabled == ConditionResult.UNDEFINED) {
                this.isDisabled = ConditionResult.FALSE;
                if (!DebugLogger.debugEnabled()) {
                    return false;
                }
                TRACER.debugInfo("User %s is not administratively disabled since the attribute \"%s\" is not present in the entry.", this.userDNString, ConfigConstants.OP_ATTR_ACCOUNT_DISABLED);
                return false;
            }
            if (DebugLogger.debugEnabled()) {
                DebugTracer debugTracer2 = TRACER;
                Object[] objArr2 = new Object[2];
                objArr2[0] = this.userDNString;
                objArr2[1] = this.isDisabled == ConditionResult.TRUE ? " is" : " is not";
                debugTracer2.debugInfo("User %s %s administratively disabled.", objArr2);
            }
            return this.isDisabled == ConditionResult.TRUE;
        } catch (Exception e) {
            if (DebugLogger.debugEnabled()) {
                TRACER.debugCaught(DebugLogLevel.ERROR, e);
            }
            this.isDisabled = ConditionResult.TRUE;
            if (!DebugLogger.debugEnabled()) {
                return true;
            }
            TRACER.debugWarning("User %s is considered administratively disabled because an error occurred while attempting to make the determination: %s.", this.userDNString, StaticUtils.stackTraceToSingleLineString(e));
            return true;
        }
    }

    public void setDisabled(boolean z) {
        if (DebugLogger.debugEnabled()) {
            TRACER.debugInfo("Updating user %s to set the disabled flag to %b", this.userDNString, Boolean.valueOf(z));
        }
        if (z == isDisabled()) {
            return;
        }
        this.isDisabled = ConditionResult.inverseOf(this.isDisabled);
        AttributeType attributeType = DirectoryServer.getAttributeType(ConfigConstants.OP_ATTR_ACCOUNT_DISABLED, true);
        if (!z) {
            if (this.updateEntry) {
                this.userEntry.removeAttribute(attributeType);
                return;
            } else {
                this.modifications.add(new Modification(ModificationType.REPLACE, Attributes.empty(attributeType), true));
                return;
            }
        }
        Attribute create = Attributes.create(attributeType, String.valueOf(true));
        if (!this.updateEntry) {
            this.modifications.add(new Modification(ModificationType.REPLACE, create, true));
            return;
        }
        ArrayList arrayList = new ArrayList(1);
        arrayList.add(create);
        this.userEntry.putAttribute(attributeType, arrayList);
    }

    public boolean isAccountExpired() {
        if (this.isAccountExpired != ConditionResult.UNDEFINED) {
            if (DebugLogger.debugEnabled()) {
                DebugTracer debugTracer = TRACER;
                Object[] objArr = new Object[2];
                objArr[0] = Boolean.valueOf(this.isAccountExpired == ConditionResult.TRUE);
                objArr[1] = this.userDNString;
                debugTracer.debugInfo("Returning stored result of %b for user %s", objArr);
            }
            return this.isAccountExpired == ConditionResult.TRUE;
        }
        try {
            this.accountExpirationTime = getGeneralizedTime(DirectoryServer.getAttributeType(ConfigConstants.OP_ATTR_ACCOUNT_EXPIRATION_TIME, true));
            if (this.accountExpirationTime > this.currentTime) {
                this.isAccountExpired = ConditionResult.FALSE;
                if (DebugLogger.debugEnabled()) {
                    TRACER.debugInfo("The account for user %s is not expired because the expiration time has not yet arrived.", this.userDNString);
                }
            } else if (this.accountExpirationTime >= 0) {
                this.isAccountExpired = ConditionResult.TRUE;
                if (DebugLogger.debugEnabled()) {
                    TRACER.debugInfo("The account for user %s is expired because the expiration time in that account has passed.", this.userDNString);
                }
            } else {
                this.isAccountExpired = ConditionResult.FALSE;
                if (DebugLogger.debugEnabled()) {
                    TRACER.debugInfo("The account for user %s is not expired because there is no expiration time in the user's entry.", this.userDNString);
                }
            }
            return this.isAccountExpired == ConditionResult.TRUE;
        } catch (Exception e) {
            if (DebugLogger.debugEnabled()) {
                TRACER.debugCaught(DebugLogLevel.ERROR, e);
            }
            this.isAccountExpired = ConditionResult.TRUE;
            if (!DebugLogger.debugEnabled()) {
                return true;
            }
            TRACER.debugWarning("User %s is considered to have an expired account because an error occurred while attempting to make the determination: %s.", this.userDNString, StaticUtils.stackTraceToSingleLineString(e));
            return true;
        }
    }

    public long getAccountExpirationTime() {
        if (this.accountExpirationTime == Long.MIN_VALUE) {
            isAccountExpired();
        }
        return this.accountExpirationTime;
    }

    public void setAccountExpirationTime(long j) {
        if (j < 0) {
            clearAccountExpirationTime();
            return;
        }
        String format = GeneralizedTimeSyntax.format(j);
        if (DebugLogger.debugEnabled()) {
            TRACER.debugInfo("Setting account expiration time for user %s to %s", this.userDNString, format);
        }
        this.accountExpirationTime = j;
        AttributeType attributeType = DirectoryServer.getAttributeType(ConfigConstants.OP_ATTR_ACCOUNT_EXPIRATION_TIME, true);
        Attribute create = Attributes.create(attributeType, format);
        if (!this.updateEntry) {
            this.modifications.add(new Modification(ModificationType.REPLACE, create, true));
            return;
        }
        ArrayList arrayList = new ArrayList(1);
        arrayList.add(create);
        this.userEntry.putAttribute(attributeType, arrayList);
    }

    public void clearAccountExpirationTime() {
        if (DebugLogger.debugEnabled()) {
            TRACER.debugInfo("Clearing account expiration time for user %s", this.userDNString);
        }
        this.accountExpirationTime = -1L;
        AttributeType attributeType = DirectoryServer.getAttributeType(ConfigConstants.OP_ATTR_ACCOUNT_EXPIRATION_TIME, true);
        if (this.updateEntry) {
            this.userEntry.removeAttribute(attributeType);
        } else {
            this.modifications.add(new Modification(ModificationType.REPLACE, Attributes.empty(attributeType), true));
        }
    }

    public List<Long> getAuthFailureTimes() {
        if (this.authFailureTimes != null) {
            if (DebugLogger.debugEnabled()) {
                TRACER.debugInfo("Returning stored auth failure time list of %d elements for user %s" + this.authFailureTimes.size(), this.userDNString);
            }
            return this.authFailureTimes;
        }
        AttributeType attributeType = DirectoryServer.getAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_FAILURE_TIME_LC);
        if (attributeType == null) {
            attributeType = DirectoryServer.getDefaultAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_FAILURE_TIME);
        }
        try {
            this.authFailureTimes = getGeneralizedTimes(attributeType);
            if (this.authFailureTimes.isEmpty()) {
                if (DebugLogger.debugEnabled()) {
                    TRACER.debugInfo("Returning an empty auth failure time list for user %s because the attribute is absent from the entry.", this.userDNString);
                }
                return this.authFailureTimes;
            }
            if (this.passwordPolicy.getLockoutFailureExpirationInterval() > 0) {
                LinkedHashSet linkedHashSet = null;
                long lockoutFailureExpirationInterval = this.currentTime - (this.passwordPolicy.getLockoutFailureExpirationInterval() * 1000);
                Iterator<Long> it = this.authFailureTimes.iterator();
                while (it.hasNext()) {
                    long longValue = it.next().longValue();
                    if (longValue < lockoutFailureExpirationInterval) {
                        if (DebugLogger.debugEnabled()) {
                            TRACER.debugInfo("Removing expired auth failure time %d for user %s", Long.valueOf(longValue), this.userDNString);
                        }
                        it.remove();
                        if (linkedHashSet == null) {
                            linkedHashSet = new LinkedHashSet();
                        }
                        linkedHashSet.add(AttributeValues.create(attributeType, GeneralizedTimeSyntax.format(longValue)));
                    }
                }
                if (linkedHashSet != null) {
                    if (!this.updateEntry) {
                        AttributeBuilder attributeBuilder = new AttributeBuilder(attributeType);
                        attributeBuilder.addAll(linkedHashSet);
                        this.modifications.add(new Modification(ModificationType.DELETE, attributeBuilder.toAttribute(), true));
                    } else if (this.authFailureTimes.isEmpty()) {
                        this.userEntry.removeAttribute(attributeType);
                    } else {
                        AttributeBuilder attributeBuilder2 = new AttributeBuilder(attributeType);
                        Iterator<Long> it2 = this.authFailureTimes.iterator();
                        while (it2.hasNext()) {
                            attributeBuilder2.add(AttributeValues.create(attributeType, GeneralizedTimeSyntax.format(it2.next().longValue())));
                        }
                        ArrayList arrayList = new ArrayList(1);
                        arrayList.add(attributeBuilder2.toAttribute());
                        this.userEntry.putAttribute(attributeType, arrayList);
                    }
                }
            }
            if (DebugLogger.debugEnabled()) {
                TRACER.debugInfo("Returning auth failure time list of %d elements for user %s", Integer.valueOf(this.authFailureTimes.size()), this.userDNString);
            }
            return this.authFailureTimes;
        } catch (Exception e) {
            if (DebugLogger.debugEnabled()) {
                TRACER.debugCaught(DebugLogLevel.ERROR, e);
            }
            if (DebugLogger.debugEnabled()) {
                TRACER.debugWarning("Error while processing auth failure times for user %s: %s", this.userDNString, StaticUtils.stackTraceToSingleLineString(e));
            }
            this.authFailureTimes = new ArrayList();
            if (this.updateEntry) {
                this.userEntry.removeAttribute(attributeType);
            } else {
                this.modifications.add(new Modification(ModificationType.REPLACE, Attributes.empty(attributeType), true));
            }
            return this.authFailureTimes;
        }
    }

    public void updateAuthFailureTimes() {
        if (this.passwordPolicy.getLockoutFailureCount() <= 0) {
            return;
        }
        if (DebugLogger.debugEnabled()) {
            TRACER.debugInfo("Updating authentication failure times for user %s", this.userDNString);
        }
        List<Long> authFailureTimes = getAuthFailureTimes();
        long j = -1;
        Iterator<Long> it = authFailureTimes.iterator();
        while (it.hasNext()) {
            j = Math.max(it.next().longValue(), j);
        }
        long j2 = j >= this.currentTime ? j + 1 : this.currentTime;
        authFailureTimes.add(Long.valueOf(j2));
        AttributeType attributeType = DirectoryServer.getAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_FAILURE_TIME_LC);
        if (attributeType == null) {
            attributeType = DirectoryServer.getDefaultAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_FAILURE_TIME);
        }
        AttributeBuilder attributeBuilder = new AttributeBuilder(attributeType);
        Iterator<Long> it2 = authFailureTimes.iterator();
        while (it2.hasNext()) {
            attributeBuilder.add(AttributeValues.create(attributeType, GeneralizedTimeSyntax.format(it2.next().longValue())));
        }
        ArrayList arrayList = new ArrayList(1);
        arrayList.add(attributeBuilder.toAttribute());
        Attribute create = Attributes.create(attributeType, AttributeValues.create(attributeType, GeneralizedTimeSyntax.format(j2)));
        if (this.updateEntry) {
            this.userEntry.putAttribute(attributeType, arrayList);
        } else {
            this.modifications.add(new Modification(ModificationType.ADD, create, true));
        }
        int lockoutFailureCount = this.passwordPolicy.getLockoutFailureCount();
        if (lockoutFailureCount <= 0 || lockoutFailureCount > this.authFailureTimes.size()) {
            return;
        }
        setFailureLockedTime(j2);
        if (DebugLogger.debugEnabled()) {
            TRACER.debugInfo("Locking user account %s due to too many failures.", this.userDNString);
        }
    }

    public void setAuthFailureTimes(List<Long> list) {
        if (list == null || list.isEmpty()) {
            clearAuthFailureTimes();
            clearFailureLockedTime();
            return;
        }
        AttributeType attributeType = DirectoryServer.getAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_FAILURE_TIME_LC, true);
        this.authFailureTimes = list;
        AttributeBuilder attributeBuilder = new AttributeBuilder(attributeType);
        long j = -1;
        for (Long l : list) {
            j = Math.max(l.longValue(), j);
            attributeBuilder.add(AttributeValues.create(attributeType, GeneralizedTimeSyntax.format(l.longValue())));
        }
        Attribute attribute = attributeBuilder.toAttribute();
        if (this.updateEntry) {
            ArrayList arrayList = new ArrayList(1);
            arrayList.add(attribute);
            this.userEntry.putAttribute(attributeType, arrayList);
        } else {
            this.modifications.add(new Modification(ModificationType.REPLACE, attribute, true));
        }
        int lockoutFailureCount = this.passwordPolicy.getLockoutFailureCount();
        if (lockoutFailureCount <= 0 || lockoutFailureCount > list.size()) {
            return;
        }
        setFailureLockedTime(j);
        if (DebugLogger.debugEnabled()) {
            TRACER.debugInfo("Locking user account %s due to too many failures.", this.userDNString);
        }
    }

    private void clearAuthFailureTimes() {
        if (DebugLogger.debugEnabled()) {
            TRACER.debugInfo("Clearing authentication failure times for user %s", this.userDNString);
        }
        List<Long> authFailureTimes = getAuthFailureTimes();
        if (authFailureTimes.isEmpty()) {
            return;
        }
        authFailureTimes.clear();
        AttributeType attributeType = DirectoryServer.getAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_FAILURE_TIME_LC);
        if (attributeType == null) {
            attributeType = DirectoryServer.getDefaultAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_FAILURE_TIME);
        }
        if (this.updateEntry) {
            this.userEntry.removeAttribute(attributeType);
        } else {
            this.modifications.add(new Modification(ModificationType.REPLACE, Attributes.empty(attributeType), true));
        }
    }

    private long getFailureLockedTime() {
        if (this.failureLockedTime != Long.MIN_VALUE) {
            return this.failureLockedTime;
        }
        AttributeType attributeType = DirectoryServer.getAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_LOCKED_TIME_LC);
        if (attributeType == null) {
            attributeType = DirectoryServer.getDefaultAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_LOCKED_TIME);
        }
        try {
            this.failureLockedTime = getGeneralizedTime(attributeType);
            return this.failureLockedTime;
        } catch (Exception e) {
            if (DebugLogger.debugEnabled()) {
                TRACER.debugCaught(DebugLogLevel.ERROR, e);
            }
            this.failureLockedTime = this.currentTime;
            if (DebugLogger.debugEnabled()) {
                TRACER.debugWarning("Returning current time for user %s because an error occurred: %s", this.userDNString, StaticUtils.stackTraceToSingleLineString(e));
            }
            return this.failureLockedTime;
        }
    }

    private void setFailureLockedTime(long j) {
        if (j == getFailureLockedTime()) {
            return;
        }
        this.failureLockedTime = j;
        AttributeType attributeType = DirectoryServer.getAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_LOCKED_TIME_LC);
        if (attributeType == null) {
            attributeType = DirectoryServer.getDefaultAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_LOCKED_TIME);
        }
        Attribute create = Attributes.create(attributeType, AttributeValues.create(attributeType, GeneralizedTimeSyntax.format(this.failureLockedTime)));
        if (!this.updateEntry) {
            this.modifications.add(new Modification(ModificationType.REPLACE, create, true));
            return;
        }
        ArrayList arrayList = new ArrayList(1);
        arrayList.add(create);
        this.userEntry.putAttribute(attributeType, arrayList);
    }

    private void clearFailureLockedTime() {
        if (DebugLogger.debugEnabled()) {
            TRACER.debugInfo("Clearing failure lockout time for user %s.", this.userDNString);
        }
        if (-1 == getFailureLockedTime()) {
            return;
        }
        this.failureLockedTime = -1L;
        AttributeType attributeType = DirectoryServer.getAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_LOCKED_TIME_LC);
        if (attributeType == null) {
            attributeType = DirectoryServer.getDefaultAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_LOCKED_TIME);
        }
        if (this.updateEntry) {
            this.userEntry.removeAttribute(attributeType);
        } else {
            this.modifications.add(new Modification(ModificationType.REPLACE, Attributes.empty(attributeType), true));
        }
    }

    public boolean lockedDueToFailures() {
        int lockoutFailureCount = this.passwordPolicy.getLockoutFailureCount();
        if (lockoutFailureCount <= 0) {
            if (!DebugLogger.debugEnabled()) {
                return false;
            }
            TRACER.debugInfo("Returning false for user %s because lockout due to failures is not enabled.", this.userDNString);
            return false;
        }
        if (getFailureLockedTime() < 0) {
            if (getAuthFailureTimes().size() < lockoutFailureCount) {
                if (!DebugLogger.debugEnabled()) {
                    return false;
                }
                TRACER.debugInfo("Returning false for user %s because there is no locked time.", this.userDNString);
                return false;
            }
            setFailureLockedTime(this.currentTime);
            if (DebugLogger.debugEnabled()) {
                TRACER.debugInfo("Locking user %s because there were enough existing failures even though there was no account locked time.", this.userDNString);
            }
        }
        if (this.passwordPolicy.getLockoutDuration() <= 0) {
            if (DebugLogger.debugEnabled()) {
                TRACER.debugInfo("Returning true for user %s because there is a locked time and no lockout duration.", this.userDNString);
            }
            if ($assertionsDisabled || -1 <= getFailureLockedTime()) {
                return true;
            }
            throw new AssertionError();
        }
        long failureLockedTime = getFailureLockedTime() + (1000 * this.passwordPolicy.getLockoutDuration());
        if (failureLockedTime > this.currentTime) {
            this.secondsUntilUnlock = (int) ((failureLockedTime - this.currentTime) / 1000);
            if (!DebugLogger.debugEnabled()) {
                return true;
            }
            TRACER.debugInfo("Returning true for user %s because there is a locked time and the lockout duration has not been reached.", this.userDNString);
            return true;
        }
        clearFailureLockout();
        if (DebugLogger.debugEnabled()) {
            TRACER.debugInfo("Returning false for user %s because the existing lockout has expired.", this.userDNString);
        }
        if ($assertionsDisabled || -1 == getFailureLockedTime()) {
            return false;
        }
        throw new AssertionError();
    }

    public int getSecondsUntilUnlock() {
        if (!$assertionsDisabled && this.failureLockedTime == Long.MIN_VALUE) {
            throw new AssertionError();
        }
        if (this.secondsUntilUnlock < 0) {
            return -1;
        }
        return this.secondsUntilUnlock;
    }

    public void clearFailureLockout() {
        clearAuthFailureTimes();
        clearFailureLockedTime();
    }

    public long getLastLoginTime() {
        if (this.lastLoginTime != Long.MIN_VALUE) {
            if (DebugLogger.debugEnabled()) {
                TRACER.debugInfo("Returning stored last login time of %d for user %s.", Long.valueOf(this.lastLoginTime), this.userDNString);
            }
            return this.lastLoginTime;
        }
        AttributeType lastLoginTimeAttribute = this.passwordPolicy.getLastLoginTimeAttribute();
        String lastLoginTimeFormat = this.passwordPolicy.getLastLoginTimeFormat();
        if (lastLoginTimeAttribute == null || lastLoginTimeFormat == null) {
            this.lastLoginTime = -1L;
            if (DebugLogger.debugEnabled()) {
                TRACER.debugInfo("Returning -1 for user %s because no last login time will be maintained.", this.userDNString);
            }
            return this.lastLoginTime;
        }
        this.lastLoginTime = -1L;
        List<Attribute> attribute = this.userEntry.getAttribute(lastLoginTimeAttribute);
        if (attribute != null) {
            for (Attribute attribute2 : attribute) {
                if (!attribute2.isEmpty()) {
                    String byteString = attribute2.iterator().next().getValue().toString();
                    try {
                        this.lastLoginTime = new SimpleDateFormat(lastLoginTimeFormat).parse(byteString).getTime();
                        if (DebugLogger.debugEnabled()) {
                            TRACER.debugInfo("Returning last login time of %d for user %sdecoded using current last login time format.", Long.valueOf(this.lastLoginTime), this.userDNString);
                        }
                        return this.lastLoginTime;
                    } catch (Exception e) {
                        if (DebugLogger.debugEnabled()) {
                            TRACER.debugCaught(DebugLogLevel.ERROR, e);
                        }
                        Iterator<String> it = this.passwordPolicy.getPreviousLastLoginTimeFormats().iterator();
                        while (it.hasNext()) {
                            String next = it.next();
                            try {
                                this.lastLoginTime = new SimpleDateFormat(next).parse(byteString).getTime();
                                if (DebugLogger.debugEnabled()) {
                                    TRACER.debugInfo("Returning last login time of %d for user %s decoded using previous last login time format of %s.", Long.valueOf(this.lastLoginTime), this.userDNString, next);
                                }
                                return this.lastLoginTime;
                            } catch (Exception e2) {
                                if (DebugLogger.debugEnabled()) {
                                    TRACER.debugCaught(DebugLogLevel.ERROR, e);
                                }
                            }
                        }
                        if (!$assertionsDisabled && this.lastLoginTime != -1) {
                            throw new AssertionError();
                        }
                        if (DebugLogger.debugEnabled()) {
                            TRACER.debugWarning("Returning -1 for user %s because the last login time value %s could not be parsed using any known format.", this.userDNString, byteString);
                        }
                        return this.lastLoginTime;
                    }
                }
            }
        }
        if (!$assertionsDisabled && this.lastLoginTime != -1) {
            throw new AssertionError();
        }
        if (DebugLogger.debugEnabled()) {
            TRACER.debugInfo("Returning %d for user %s because no last login time value exists.", Long.valueOf(this.lastLoginTime), this.userDNString);
        }
        return this.lastLoginTime;
    }

    public void setLastLoginTime() {
        setLastLoginTime(this.currentTime);
    }

    public void setLastLoginTime(long j) {
        AttributeType lastLoginTimeAttribute = this.passwordPolicy.getLastLoginTimeAttribute();
        String lastLoginTimeFormat = this.passwordPolicy.getLastLoginTimeFormat();
        if (lastLoginTimeAttribute == null || lastLoginTimeFormat == null) {
            return;
        }
        try {
            SimpleDateFormat simpleDateFormat = new SimpleDateFormat(lastLoginTimeFormat);
            String format = simpleDateFormat.format(new Date(j));
            this.lastLoginTime = simpleDateFormat.parse(format).getTime();
            String value = getValue(lastLoginTimeAttribute);
            if (value != null && format.equals(value)) {
                if (DebugLogger.debugEnabled()) {
                    TRACER.debugInfo("Not updating last login time for user %s because the new value matches the existing value.", this.userDNString);
                    return;
                }
                return;
            }
            Attribute create = Attributes.create(lastLoginTimeAttribute, format);
            if (this.updateEntry) {
                ArrayList arrayList = new ArrayList(1);
                arrayList.add(create);
                this.userEntry.putAttribute(lastLoginTimeAttribute, arrayList);
            } else {
                this.modifications.add(new Modification(ModificationType.REPLACE, create, true));
            }
            if (DebugLogger.debugEnabled()) {
                TRACER.debugInfo("Updated the last login time for user %s to %s", this.userDNString, format);
            }
        } catch (Exception e) {
            if (DebugLogger.debugEnabled()) {
                TRACER.debugCaught(DebugLogLevel.ERROR, e);
            }
            if (DebugLogger.debugEnabled()) {
                TRACER.debugWarning("Unable to set last login time for user %s because an error occurred: %s", this.userDNString, StaticUtils.stackTraceToSingleLineString(e));
            }
        }
    }

    public void clearLastLoginTime() {
        if (DebugLogger.debugEnabled()) {
            TRACER.debugInfo("Clearing last login time for user %s", this.userDNString);
        }
        this.lastLoginTime = -1L;
        AttributeType attributeType = DirectoryServer.getAttributeType(ConfigConstants.OP_ATTR_LAST_LOGIN_TIME, true);
        if (this.updateEntry) {
            this.userEntry.removeAttribute(attributeType);
        } else {
            this.modifications.add(new Modification(ModificationType.REPLACE, Attributes.empty(attributeType), true));
        }
    }

    public boolean lockedDueToIdleInterval() {
        if (this.isIdleLocked != ConditionResult.UNDEFINED) {
            if (DebugLogger.debugEnabled()) {
                DebugTracer debugTracer = TRACER;
                Object[] objArr = new Object[2];
                objArr[0] = Boolean.valueOf(this.isIdleLocked == ConditionResult.TRUE);
                objArr[1] = this.userDNString;
                debugTracer.debugInfo("Returning stored result of %b for user %s", objArr);
            }
            return this.isIdleLocked == ConditionResult.TRUE;
        }
        if (this.passwordPolicy.getIdleLockoutInterval() <= 0) {
            this.isIdleLocked = ConditionResult.FALSE;
            if (!DebugLogger.debugEnabled()) {
                return false;
            }
            TRACER.debugInfo("Returning false for user %s because no idle lockout interval is defined.", this.userDNString);
            return false;
        }
        long idleLockoutInterval = this.currentTime - (1000 * this.passwordPolicy.getIdleLockoutInterval());
        if (idleLockoutInterval < 0) {
            idleLockoutInterval = 0;
        }
        long lastLoginTime = getLastLoginTime();
        if (lastLoginTime > idleLockoutInterval || this.passwordChangedTime > idleLockoutInterval) {
            this.isIdleLocked = ConditionResult.FALSE;
            if (DebugLogger.debugEnabled()) {
                StringBuilder sb = new StringBuilder();
                if (lastLoginTime > idleLockoutInterval) {
                    sb.append("the last login time is in an acceptable window");
                } else {
                    if (lastLoginTime < 0) {
                        sb.append("there is no last login time, but ");
                    }
                    sb.append("the password changed time is in an acceptable window");
                }
                TRACER.debugInfo("Returning false for user %s because %s.", this.userDNString, sb.toString());
            }
        } else {
            this.isIdleLocked = ConditionResult.TRUE;
            if (DebugLogger.debugEnabled()) {
                TRACER.debugInfo("Returning true for user %s because %s.", this.userDNString, lastLoginTime < 0 ? "there is no last login time and the password changed time is not in an acceptable window" : "neither last login time nor password changed time are in an acceptable window");
            }
        }
        return this.isIdleLocked == ConditionResult.TRUE;
    }

    public boolean mustChangePassword() {
        if (this.mustChangePassword != ConditionResult.UNDEFINED) {
            if (DebugLogger.debugEnabled()) {
                DebugTracer debugTracer = TRACER;
                Object[] objArr = new Object[2];
                objArr[0] = Boolean.valueOf(this.mustChangePassword == ConditionResult.TRUE);
                objArr[1] = this.userDNString;
                debugTracer.debugInfo("Returning stored result of %b for user %s.", objArr);
            }
            return this.mustChangePassword == ConditionResult.TRUE;
        }
        if (!this.passwordPolicy.allowUserPasswordChanges() || (!this.passwordPolicy.forceChangeOnAdd() && !this.passwordPolicy.forceChangeOnReset())) {
            this.mustChangePassword = ConditionResult.FALSE;
            if (!DebugLogger.debugEnabled()) {
                return false;
            }
            TRACER.debugInfo("Returning false for user %s because neither force change on add nor force change on reset is enabled, or users are not allowed to self-modify passwords.", this.userDNString);
            return false;
        }
        AttributeType attributeType = DirectoryServer.getAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_RESET_REQUIRED_LC);
        if (attributeType == null) {
            attributeType = DirectoryServer.getDefaultAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_RESET_REQUIRED);
        }
        try {
            this.mustChangePassword = getBoolean(attributeType);
            if (this.mustChangePassword == ConditionResult.UNDEFINED) {
                this.mustChangePassword = ConditionResult.FALSE;
                if (!DebugLogger.debugEnabled()) {
                    return false;
                }
                TRACER.debugInfo("Returning %b for user since the attribute \"%s\" is not present in the entry.", false, this.userDNString, ConfigConstants.OP_ATTR_PWPOLICY_RESET_REQUIRED);
                return false;
            }
            if (DebugLogger.debugEnabled()) {
                DebugTracer debugTracer2 = TRACER;
                Object[] objArr2 = new Object[2];
                objArr2[0] = Boolean.valueOf(this.mustChangePassword == ConditionResult.TRUE);
                objArr2[1] = this.userDNString;
                debugTracer2.debugInfo("Returning %b for user %s.", objArr2);
            }
            return this.mustChangePassword == ConditionResult.TRUE;
        } catch (Exception e) {
            if (DebugLogger.debugEnabled()) {
                TRACER.debugCaught(DebugLogLevel.ERROR, e);
                TRACER.debugWarning("Returning true for user %s because an error occurred: %s", this.userDNString, StaticUtils.stackTraceToSingleLineString(e));
            }
            this.mustChangePassword = ConditionResult.TRUE;
            return true;
        }
    }

    public void setMustChangePassword(boolean z) {
        if (DebugLogger.debugEnabled()) {
            TRACER.debugInfo("Updating user %s to set the reset flag to %b", this.userDNString, Boolean.valueOf(z));
        }
        if (z == mustChangePassword()) {
            return;
        }
        this.mustChangePassword = ConditionResult.inverseOf(this.mustChangePassword);
        AttributeType attributeType = DirectoryServer.getAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_RESET_REQUIRED_LC);
        if (attributeType == null) {
            attributeType = DirectoryServer.getDefaultAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_RESET_REQUIRED);
        }
        if (!z) {
            if (this.updateEntry) {
                this.userEntry.removeAttribute(attributeType);
                return;
            } else {
                this.modifications.add(new Modification(ModificationType.REPLACE, Attributes.empty(attributeType), true));
                return;
            }
        }
        Attribute create = Attributes.create(attributeType, String.valueOf(true));
        if (!this.updateEntry) {
            this.modifications.add(new Modification(ModificationType.REPLACE, create, true));
            return;
        }
        ArrayList arrayList = new ArrayList(1);
        arrayList.add(create);
        this.userEntry.putAttribute(attributeType, arrayList);
    }

    public boolean lockedDueToMaximumResetAge() {
        if (this.passwordPolicy.getMaximumPasswordResetAge() <= 0) {
            if (!DebugLogger.debugEnabled()) {
                return false;
            }
            TRACER.debugInfo("Returning false for user %s because there is no maximum reset age.", this.userDNString);
            return false;
        }
        if (mustChangePassword()) {
            boolean z = this.passwordChangedTime + (1000 * ((long) this.passwordPolicy.getMaximumPasswordResetAge())) < this.currentTime;
            if (DebugLogger.debugEnabled()) {
                TRACER.debugInfo("Returning %b for user %s after comparing the current and max reset times.", Boolean.valueOf(z), this.userDNString);
            }
            return z;
        }
        if (!DebugLogger.debugEnabled()) {
            return false;
        }
        TRACER.debugInfo("Returning false for user %s because the user's password has not been reset.", this.userDNString);
        return false;
    }

    public long getPasswordExpirationTime() {
        if (this.passwordExpirationTime == Long.MIN_VALUE) {
            this.passwordExpirationTime = Long.MAX_VALUE;
            boolean z = false;
            int maximumPasswordAge = this.passwordPolicy.getMaximumPasswordAge();
            if (maximumPasswordAge > 0) {
                long j = this.passwordChangedTime + (1000 * maximumPasswordAge);
                if (j < this.passwordExpirationTime) {
                    this.passwordExpirationTime = j;
                    z = true;
                }
            }
            int maximumPasswordResetAge = this.passwordPolicy.getMaximumPasswordResetAge();
            if (mustChangePassword() && maximumPasswordResetAge > 0) {
                long j2 = this.passwordChangedTime + (1000 * maximumPasswordResetAge);
                if (j2 < this.passwordExpirationTime) {
                    this.passwordExpirationTime = j2;
                    z = false;
                }
            }
            long requireChangeByTime = this.passwordPolicy.getRequireChangeByTime();
            if (requireChangeByTime > 0 && getRequiredChangeTime() != requireChangeByTime && requireChangeByTime < this.passwordExpirationTime) {
                this.passwordExpirationTime = requireChangeByTime;
                z = true;
            }
            if (this.passwordExpirationTime == Long.MAX_VALUE) {
                this.passwordExpirationTime = -1L;
                this.shouldWarn = ConditionResult.FALSE;
                this.isFirstWarning = ConditionResult.FALSE;
                this.isPasswordExpired = ConditionResult.FALSE;
                this.mayUseGraceLogin = ConditionResult.TRUE;
            } else if (z) {
                this.mayUseGraceLogin = ConditionResult.TRUE;
                int warningInterval = this.passwordPolicy.getWarningInterval();
                if (warningInterval <= 0) {
                    this.shouldWarn = ConditionResult.FALSE;
                    this.isFirstWarning = ConditionResult.FALSE;
                    if (this.currentTime > this.passwordExpirationTime) {
                        this.isPasswordExpired = ConditionResult.TRUE;
                    } else {
                        this.isPasswordExpired = ConditionResult.FALSE;
                    }
                } else if (this.passwordExpirationTime - (warningInterval * 1000) > this.currentTime) {
                    this.shouldWarn = ConditionResult.FALSE;
                    this.isFirstWarning = ConditionResult.FALSE;
                    this.isPasswordExpired = ConditionResult.FALSE;
                } else {
                    long warnedTime = getWarnedTime();
                    if (this.passwordExpirationTime > this.currentTime) {
                        this.shouldWarn = ConditionResult.TRUE;
                        this.isPasswordExpired = ConditionResult.FALSE;
                        if (warnedTime < 0) {
                            this.isFirstWarning = ConditionResult.TRUE;
                            setWarnedTime();
                            if (!this.passwordPolicy.expirePasswordsWithoutWarning()) {
                                this.passwordExpirationTime = this.currentTime + (warningInterval * 1000);
                            }
                        } else {
                            this.isFirstWarning = ConditionResult.FALSE;
                            if (!this.passwordPolicy.expirePasswordsWithoutWarning()) {
                                this.passwordExpirationTime = warnedTime + (warningInterval * 1000);
                            }
                        }
                    } else if (this.passwordPolicy.expirePasswordsWithoutWarning()) {
                        this.shouldWarn = ConditionResult.FALSE;
                        this.isFirstWarning = ConditionResult.FALSE;
                        this.isPasswordExpired = ConditionResult.TRUE;
                    } else if (warnedTime > 0) {
                        this.passwordExpirationTime = warnedTime + (warningInterval * 1000);
                        if (this.passwordExpirationTime > this.currentTime) {
                            this.shouldWarn = ConditionResult.TRUE;
                            this.isFirstWarning = ConditionResult.FALSE;
                            this.isPasswordExpired = ConditionResult.FALSE;
                        } else {
                            this.shouldWarn = ConditionResult.FALSE;
                            this.isFirstWarning = ConditionResult.FALSE;
                            this.isPasswordExpired = ConditionResult.TRUE;
                        }
                    } else {
                        this.shouldWarn = ConditionResult.TRUE;
                        this.isFirstWarning = ConditionResult.TRUE;
                        this.isPasswordExpired = ConditionResult.FALSE;
                        this.passwordExpirationTime = this.currentTime + (warningInterval * 1000);
                    }
                }
            } else {
                this.mayUseGraceLogin = ConditionResult.FALSE;
                this.shouldWarn = ConditionResult.FALSE;
                this.isFirstWarning = ConditionResult.FALSE;
                if (this.passwordExpirationTime < this.currentTime) {
                    this.isPasswordExpired = ConditionResult.TRUE;
                } else {
                    this.isPasswordExpired = ConditionResult.FALSE;
                }
            }
        }
        if (DebugLogger.debugEnabled()) {
            TRACER.debugInfo("Returning password expiration time of %d for user %s.", Long.valueOf(this.passwordExpirationTime), this.userDNString);
        }
        return this.passwordExpirationTime;
    }

    public boolean isPasswordExpired() {
        if (this.isPasswordExpired == null || this.isPasswordExpired == ConditionResult.UNDEFINED) {
            getPasswordExpirationTime();
        }
        return this.isPasswordExpired == ConditionResult.TRUE;
    }

    public boolean isWithinMinimumAge() {
        int minimumPasswordAge = this.passwordPolicy.getMinimumPasswordAge();
        if (minimumPasswordAge <= 0) {
            if (!DebugLogger.debugEnabled()) {
                return false;
            }
            TRACER.debugInfo("Returning false because there is no minimum age.");
            return false;
        }
        if (this.passwordChangedTime + (minimumPasswordAge * 1000) < this.currentTime) {
            if (!DebugLogger.debugEnabled()) {
                return false;
            }
            TRACER.debugInfo("Returning false because the minimum age has expired.");
            return false;
        }
        if (mustChangePassword()) {
            if (!DebugLogger.debugEnabled()) {
                return false;
            }
            TRACER.debugInfo("Returning false because the account is in a must-change state.");
            return false;
        }
        if (!DebugLogger.debugEnabled()) {
            return true;
        }
        TRACER.debugInfo("Returning true.");
        return true;
    }

    public boolean mayUseGraceLogin() {
        if (this.mayUseGraceLogin == null || this.mayUseGraceLogin == ConditionResult.UNDEFINED) {
            getPasswordExpirationTime();
        }
        return this.mayUseGraceLogin == ConditionResult.TRUE;
    }

    public boolean shouldWarn() {
        if (this.shouldWarn == null || this.shouldWarn == ConditionResult.UNDEFINED) {
            getPasswordExpirationTime();
        }
        return this.shouldWarn == ConditionResult.TRUE;
    }

    public boolean isFirstWarning() {
        if (this.isFirstWarning == null || this.isFirstWarning == ConditionResult.UNDEFINED) {
            getPasswordExpirationTime();
        }
        return this.isFirstWarning == ConditionResult.TRUE;
    }

    public int getSecondsUntilExpiration() {
        long passwordExpirationTime = getPasswordExpirationTime();
        if (passwordExpirationTime < 0) {
            return -1;
        }
        if (passwordExpirationTime < this.currentTime) {
            return 0;
        }
        return (int) ((passwordExpirationTime - this.currentTime) / 1000);
    }

    public long getRequiredChangeTime() {
        if (this.requiredChangeTime != Long.MIN_VALUE) {
            if (DebugLogger.debugEnabled()) {
                TRACER.debugInfo("Returning stored required change time of %d for user %s", Long.valueOf(this.requiredChangeTime), this.userDNString);
            }
            return this.requiredChangeTime;
        }
        try {
            this.requiredChangeTime = getGeneralizedTime(DirectoryServer.getAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_CHANGED_BY_REQUIRED_TIME, true));
            if (DebugLogger.debugEnabled()) {
                TRACER.debugInfo("Returning required change time of %d for user %s", Long.valueOf(this.requiredChangeTime), this.userDNString);
            }
            return this.requiredChangeTime;
        } catch (Exception e) {
            if (DebugLogger.debugEnabled()) {
                TRACER.debugCaught(DebugLogLevel.ERROR, e);
            }
            this.requiredChangeTime = -1L;
            if (DebugLogger.debugEnabled()) {
                TRACER.debugWarning("Returning %d for user %s because an error occurred: %s", Long.valueOf(this.requiredChangeTime), this.userDNString, StaticUtils.stackTraceToSingleLineString(e));
            }
            return this.requiredChangeTime;
        }
    }

    public void setRequiredChangeTime() {
        long requireChangeByTime = this.passwordPolicy.getRequireChangeByTime();
        if (requireChangeByTime > 0) {
            setRequiredChangeTime(requireChangeByTime);
        }
    }

    public void setRequiredChangeTime(long j) {
        if (DebugLogger.debugEnabled()) {
            TRACER.debugInfo("Updating required change time for user %s", this.userDNString);
        }
        if (getRequiredChangeTime() != j) {
            this.requiredChangeTime = j;
            AttributeType attributeType = DirectoryServer.getAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_CHANGED_BY_REQUIRED_TIME, true);
            Attribute create = Attributes.create(attributeType, GeneralizedTimeSyntax.format(j));
            if (!this.updateEntry) {
                this.modifications.add(new Modification(ModificationType.REPLACE, create, true));
                return;
            }
            ArrayList arrayList = new ArrayList(1);
            arrayList.add(create);
            this.userEntry.putAttribute(attributeType, arrayList);
        }
    }

    public void clearRequiredChangeTime() {
        if (DebugLogger.debugEnabled()) {
            TRACER.debugInfo("Clearing required change time for user %s", this.userDNString);
        }
        this.requiredChangeTime = Long.MIN_VALUE;
        AttributeType attributeType = DirectoryServer.getAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_CHANGED_BY_REQUIRED_TIME, true);
        if (this.updateEntry) {
            this.userEntry.removeAttribute(attributeType);
        } else {
            this.modifications.add(new Modification(ModificationType.REPLACE, Attributes.empty(attributeType), true));
        }
    }

    public long getWarnedTime() {
        if (this.warnedTime == Long.MIN_VALUE) {
            try {
                this.warnedTime = getGeneralizedTime(DirectoryServer.getAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_WARNED_TIME, true));
            } catch (Exception e) {
                if (DebugLogger.debugEnabled()) {
                    TRACER.debugCaught(DebugLogLevel.ERROR, e);
                }
                if (DebugLogger.debugEnabled()) {
                    TRACER.debugWarning("Unable to decode the warned time for user %s: %s", this.userDNString, StaticUtils.stackTraceToSingleLineString(e));
                }
                this.warnedTime = -1L;
            }
        }
        if (DebugLogger.debugEnabled()) {
            TRACER.debugInfo("Returning a warned time of %d for user %s", Long.valueOf(this.warnedTime), this.userDNString);
        }
        return this.warnedTime;
    }

    public void setWarnedTime() {
        setWarnedTime(this.currentTime);
    }

    public void setWarnedTime(long j) {
        if (getWarnedTime() == j) {
            if (DebugLogger.debugEnabled()) {
                TRACER.debugInfo("Not updating warned time for user %s because the warned time is the same as the specified time.", this.userDNString);
                return;
            }
            return;
        }
        this.warnedTime = j;
        AttributeType attributeType = DirectoryServer.getAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_WARNED_TIME, true);
        Attribute create = Attributes.create(attributeType, GeneralizedTimeSyntax.createGeneralizedTimeValue(this.currentTime));
        if (this.updateEntry) {
            ArrayList arrayList = new ArrayList(1);
            arrayList.add(create);
            this.userEntry.putAttribute(attributeType, arrayList);
        } else {
            this.modifications.add(new Modification(ModificationType.REPLACE, create, true));
        }
        if (DebugLogger.debugEnabled()) {
            TRACER.debugInfo("Updated the warned time for user %s", this.userDNString);
        }
    }

    public void clearWarnedTime() {
        if (DebugLogger.debugEnabled()) {
            TRACER.debugInfo("Clearing warned time for user %s", this.userDNString);
        }
        if (getWarnedTime() < 0) {
            return;
        }
        this.warnedTime = -1L;
        AttributeType attributeType = DirectoryServer.getAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_WARNED_TIME, true);
        if (this.updateEntry) {
            this.userEntry.removeAttribute(attributeType);
        } else {
            this.modifications.add(new Modification(ModificationType.REPLACE, Attributes.empty(attributeType), true));
        }
        if (DebugLogger.debugEnabled()) {
            TRACER.debugInfo("Cleared the warned time for user %s", this.userDNString);
        }
    }

    public List<Long> getGraceLoginTimes() {
        if (this.graceLoginTimes == null) {
            AttributeType attributeType = DirectoryServer.getAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_GRACE_LOGIN_TIME_LC);
            if (attributeType == null) {
                attributeType = DirectoryServer.getDefaultAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_GRACE_LOGIN_TIME);
            }
            try {
                this.graceLoginTimes = getGeneralizedTimes(attributeType);
            } catch (Exception e) {
                if (DebugLogger.debugEnabled()) {
                    TRACER.debugCaught(DebugLogLevel.ERROR, e);
                }
                if (DebugLogger.debugEnabled()) {
                    TRACER.debugWarning("Error while processing grace login times for user %s: %s", this.userDNString, StaticUtils.stackTraceToSingleLineString(e));
                }
                this.graceLoginTimes = new ArrayList();
                if (this.updateEntry) {
                    this.userEntry.removeAttribute(attributeType);
                } else {
                    this.modifications.add(new Modification(ModificationType.REPLACE, Attributes.empty(attributeType), true));
                }
            }
        }
        if (DebugLogger.debugEnabled()) {
            TRACER.debugInfo("Returning grace login times for user %s", this.userDNString);
        }
        return this.graceLoginTimes;
    }

    public int getGraceLoginsRemaining() {
        int graceLoginCount = this.passwordPolicy.getGraceLoginCount();
        if (graceLoginCount <= 0) {
            return -1;
        }
        return graceLoginCount - getGraceLoginTimes().size();
    }

    public void updateGraceLoginTimes() {
        if (DebugLogger.debugEnabled()) {
            TRACER.debugInfo("Updating grace login times for user %s", this.userDNString);
        }
        List<Long> graceLoginTimes = getGraceLoginTimes();
        long j = -1;
        Iterator<Long> it = graceLoginTimes.iterator();
        while (it.hasNext()) {
            j = Math.max(it.next().longValue(), j);
        }
        long j2 = j >= this.currentTime ? j + 1 : this.currentTime;
        graceLoginTimes.add(Long.valueOf(j2));
        AttributeType attributeType = DirectoryServer.getAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_GRACE_LOGIN_TIME_LC);
        if (attributeType == null) {
            attributeType = DirectoryServer.getDefaultAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_GRACE_LOGIN_TIME);
        }
        if (!this.updateEntry) {
            this.modifications.add(new Modification(ModificationType.ADD, Attributes.create(attributeType, AttributeValues.create(attributeType, GeneralizedTimeSyntax.format(j2))), true));
            return;
        }
        AttributeBuilder attributeBuilder = new AttributeBuilder(attributeType);
        Iterator<Long> it2 = graceLoginTimes.iterator();
        while (it2.hasNext()) {
            attributeBuilder.add(AttributeValues.create(attributeType, GeneralizedTimeSyntax.format(it2.next().longValue())));
        }
        ArrayList arrayList = new ArrayList(1);
        arrayList.add(attributeBuilder.toAttribute());
        this.userEntry.putAttribute(attributeType, arrayList);
    }

    public void setGraceLoginTimes(List<Long> list) {
        if (list == null || list.isEmpty()) {
            clearGraceLoginTimes();
            return;
        }
        if (DebugLogger.debugEnabled()) {
            TRACER.debugInfo("Updating grace login times for user %s", this.userDNString);
        }
        this.graceLoginTimes = list;
        AttributeType attributeType = DirectoryServer.getAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_GRACE_LOGIN_TIME_LC, true);
        AttributeBuilder attributeBuilder = new AttributeBuilder(attributeType);
        Iterator<Long> it = list.iterator();
        while (it.hasNext()) {
            attributeBuilder.add(AttributeValues.create(attributeType, GeneralizedTimeSyntax.format(it.next().longValue())));
        }
        Attribute attribute = attributeBuilder.toAttribute();
        if (!this.updateEntry) {
            this.modifications.add(new Modification(ModificationType.REPLACE, attribute, true));
            return;
        }
        ArrayList arrayList = new ArrayList(1);
        arrayList.add(attribute);
        this.userEntry.putAttribute(attributeType, arrayList);
    }

    public void clearGraceLoginTimes() {
        if (DebugLogger.debugEnabled()) {
            TRACER.debugInfo("Clearing grace login times for user %s", this.userDNString);
        }
        List<Long> graceLoginTimes = getGraceLoginTimes();
        if (graceLoginTimes.isEmpty()) {
            return;
        }
        graceLoginTimes.clear();
        AttributeType attributeType = DirectoryServer.getAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_GRACE_LOGIN_TIME_LC);
        if (attributeType == null) {
            attributeType = DirectoryServer.getDefaultAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_GRACE_LOGIN_TIME);
        }
        if (this.updateEntry) {
            this.userEntry.removeAttribute(attributeType);
        } else {
            this.modifications.add(new Modification(ModificationType.REPLACE, Attributes.empty(attributeType), true));
        }
    }

    public List<ByteString> getClearPasswords() {
        StringBuilder[] decodeAuthPassword;
        LinkedList linkedList = new LinkedList();
        List<Attribute> attribute = this.userEntry.getAttribute(this.passwordPolicy.getPasswordAttribute());
        if (attribute == null) {
            return linkedList;
        }
        for (Attribute attribute2 : attribute) {
            boolean usesAuthPasswordSyntax = this.passwordPolicy.usesAuthPasswordSyntax();
            for (AttributeValue attributeValue : attribute2) {
                if (usesAuthPasswordSyntax) {
                    try {
                        decodeAuthPassword = AuthPasswordSyntax.decodeAuthPassword(attributeValue.getValue().toString());
                    } catch (Exception e) {
                        if (DebugLogger.debugEnabled()) {
                            TRACER.debugCaught(DebugLogLevel.ERROR, e);
                        }
                        if (DebugLogger.debugEnabled()) {
                            TRACER.debugWarning("Cannot get clear password value foruser %s: %s", this.userDNString, e);
                        }
                    }
                } else {
                    String[] decodeUserPassword = UserPasswordSyntax.decodeUserPassword(attributeValue.getValue().toString());
                    decodeAuthPassword = new StringBuilder[decodeUserPassword.length];
                    for (int i = 0; i < decodeUserPassword.length; i++) {
                        decodeAuthPassword[i] = new StringBuilder(decodeUserPassword[i]);
                    }
                }
                String sb = decodeAuthPassword[0].toString();
                PasswordStorageScheme authPasswordStorageScheme = usesAuthPasswordSyntax ? DirectoryServer.getAuthPasswordStorageScheme(sb) : DirectoryServer.getPasswordStorageScheme(sb);
                if (authPasswordStorageScheme == null) {
                    if (DebugLogger.debugEnabled()) {
                        TRACER.debugWarning("User entry %s contains a password with scheme %s that is not defined in the server.", this.userDNString, sb);
                    }
                } else if (authPasswordStorageScheme.isReversible()) {
                    linkedList.add(usesAuthPasswordSyntax ? authPasswordStorageScheme.getAuthPasswordPlaintextValue(decodeAuthPassword[1].toString(), decodeAuthPassword[2].toString()) : authPasswordStorageScheme.getPlaintextValue(ByteString.valueOf(decodeAuthPassword[1].toString())));
                }
            }
        }
        return linkedList;
    }

    public boolean passwordMatches(ByteString byteString) {
        StringBuilder[] decodeAuthPassword;
        List<Attribute> attribute = this.userEntry.getAttribute(this.passwordPolicy.getPasswordAttribute());
        if (attribute == null || attribute.isEmpty()) {
            if (!DebugLogger.debugEnabled()) {
                return false;
            }
            TRACER.debugInfo("Returning false because user %s does not have any values for password attribute %s", this.userDNString, this.passwordPolicy.getPasswordAttribute().getNameOrOID());
            return false;
        }
        for (Attribute attribute2 : attribute) {
            boolean usesAuthPasswordSyntax = this.passwordPolicy.usesAuthPasswordSyntax();
            for (AttributeValue attributeValue : attribute2) {
                if (usesAuthPasswordSyntax) {
                    try {
                        decodeAuthPassword = AuthPasswordSyntax.decodeAuthPassword(attributeValue.getValue().toString());
                    } catch (Exception e) {
                        if (DebugLogger.debugEnabled()) {
                            TRACER.debugCaught(DebugLogLevel.ERROR, e);
                        }
                        if (DebugLogger.debugEnabled()) {
                            TRACER.debugWarning("An error occurred while attempting to process a password value for user %s: %s", this.userDNString, StaticUtils.stackTraceToSingleLineString(e));
                        }
                    }
                } else {
                    String[] decodeUserPassword = UserPasswordSyntax.decodeUserPassword(attributeValue.getValue().toString());
                    decodeAuthPassword = new StringBuilder[decodeUserPassword.length];
                    for (int i = 0; i < decodeUserPassword.length; i++) {
                        decodeAuthPassword[i] = new StringBuilder(decodeUserPassword[i]);
                    }
                }
                String sb = decodeAuthPassword[0].toString();
                PasswordStorageScheme authPasswordStorageScheme = usesAuthPasswordSyntax ? DirectoryServer.getAuthPasswordStorageScheme(sb) : DirectoryServer.getPasswordStorageScheme(sb);
                if (authPasswordStorageScheme != null) {
                    if (usesAuthPasswordSyntax ? authPasswordStorageScheme.authPasswordMatches(byteString, decodeAuthPassword[1].toString(), decodeAuthPassword[2].toString()) : authPasswordStorageScheme.passwordMatches(byteString, ByteString.valueOf(decodeAuthPassword[1].toString()))) {
                        if (!DebugLogger.debugEnabled()) {
                            return true;
                        }
                        TRACER.debugInfo("Returning true for user %s because the provided password matches a value encoded with scheme %s", this.userDNString, sb);
                        return true;
                    }
                    continue;
                } else if (DebugLogger.debugEnabled()) {
                    TRACER.debugWarning("User entry %s contains a password with scheme %s that is not defined in the server.", this.userDNString, sb);
                }
            }
        }
        if (!DebugLogger.debugEnabled()) {
            return false;
        }
        TRACER.debugInfo("Returning false because the provided password does not match any of the stored password values for user %s", this.userDNString);
        return false;
    }

    public boolean passwordIsPreEncoded(ByteString byteString) {
        return this.passwordPolicy.usesAuthPasswordSyntax() ? AuthPasswordSyntax.isEncoded(byteString) : UserPasswordSyntax.isEncoded(byteString);
    }

    public List<ByteString> encodePassword(ByteString byteString) throws DirectoryException {
        CopyOnWriteArrayList<PasswordStorageScheme<?>> defaultStorageSchemes = this.passwordPolicy.getDefaultStorageSchemes();
        ArrayList arrayList = new ArrayList(defaultStorageSchemes.size());
        if (this.passwordPolicy.usesAuthPasswordSyntax()) {
            Iterator<PasswordStorageScheme<?>> it = defaultStorageSchemes.iterator();
            while (it.hasNext()) {
                arrayList.add(it.next().encodeAuthPassword(byteString));
            }
        } else {
            Iterator<PasswordStorageScheme<?>> it2 = defaultStorageSchemes.iterator();
            while (it2.hasNext()) {
                arrayList.add(it2.next().encodePasswordWithScheme(byteString));
            }
        }
        return arrayList;
    }

    public boolean passwordIsAcceptable(Operation operation, Entry entry, ByteString byteString, Set<ByteString> set, MessageBuilder messageBuilder) {
        for (DN dn : this.passwordPolicy.getPasswordValidators().keySet()) {
            if (!this.passwordPolicy.getPasswordValidators().get(dn).passwordIsAcceptable(byteString, set, operation, entry, messageBuilder)) {
                if (!DebugLogger.debugEnabled()) {
                    return false;
                }
                TRACER.debugInfo("The password provided for user %s failed the %s password validator.", this.userDNString, dn.toString());
                return false;
            }
            if (DebugLogger.debugEnabled()) {
                TRACER.debugInfo("The password provided for user %s passed the %s password validator.", this.userDNString, dn.toString());
            }
        }
        return true;
    }

    public void handleDeprecatedStorageSchemes(ByteString byteString) {
        ByteString encodeAuthPassword;
        StringBuilder[] decodeAuthPassword;
        if (this.passwordPolicy.getDefaultStorageSchemes().isEmpty()) {
            if (DebugLogger.debugEnabled()) {
                TRACER.debugInfo("Doing nothing for user %s because no deprecated storage schemes have been defined.", this.userDNString);
                return;
            }
            return;
        }
        AttributeType passwordAttribute = this.passwordPolicy.getPasswordAttribute();
        List<Attribute> attribute = this.userEntry.getAttribute(passwordAttribute);
        if (attribute == null || attribute.isEmpty()) {
            if (DebugLogger.debugEnabled()) {
                TRACER.debugInfo("Doing nothing for entry %s because no password values were found.", this.userDNString);
                return;
            }
            return;
        }
        HashSet hashSet = new HashSet();
        LinkedHashSet linkedHashSet = new LinkedHashSet();
        LinkedHashSet linkedHashSet2 = new LinkedHashSet();
        boolean usesAuthPasswordSyntax = this.passwordPolicy.usesAuthPasswordSyntax();
        Iterator<Attribute> it = attribute.iterator();
        while (it.hasNext()) {
            Iterator<AttributeValue> it2 = it.next().iterator();
            while (it2.hasNext()) {
                AttributeValue next = it2.next();
                if (usesAuthPasswordSyntax) {
                    try {
                        decodeAuthPassword = AuthPasswordSyntax.decodeAuthPassword(next.getValue().toString());
                    } catch (Exception e) {
                        if (DebugLogger.debugEnabled()) {
                            TRACER.debugCaught(DebugLogLevel.ERROR, e);
                            TRACER.debugWarning("Skipping password value for user %s because an error occurred while attempting to decode it based on the user password syntax: %s", this.userDNString, StaticUtils.stackTraceToSingleLineString(e));
                        }
                    }
                } else {
                    String[] decodeUserPassword = UserPasswordSyntax.decodeUserPassword(next.getValue().toString());
                    decodeAuthPassword = new StringBuilder[decodeUserPassword.length];
                    for (int i = 0; i < decodeUserPassword.length; i++) {
                        decodeAuthPassword[i] = new StringBuilder(decodeUserPassword[i]);
                    }
                }
                String sb = decodeAuthPassword[0].toString();
                PasswordStorageScheme authPasswordStorageScheme = usesAuthPasswordSyntax ? DirectoryServer.getAuthPasswordStorageScheme(sb) : DirectoryServer.getPasswordStorageScheme(sb);
                if (authPasswordStorageScheme != null) {
                    if (usesAuthPasswordSyntax ? authPasswordStorageScheme.authPasswordMatches(byteString, decodeAuthPassword[1].toString(), decodeAuthPassword[2].toString()) : authPasswordStorageScheme.passwordMatches(byteString, ByteString.valueOf(decodeAuthPassword[1].toString()))) {
                        if (this.passwordPolicy.isDefaultStorageScheme(sb)) {
                            hashSet.add(sb);
                            linkedHashSet2.add(next);
                        } else if (this.passwordPolicy.isDeprecatedStorageScheme(sb)) {
                            if (DebugLogger.debugEnabled()) {
                                TRACER.debugInfo("Marking password with scheme %s for removal from user entry %s.", sb, this.userDNString);
                            }
                            it2.remove();
                            linkedHashSet.add(next);
                        } else {
                            linkedHashSet2.add(next);
                        }
                    }
                } else if (DebugLogger.debugEnabled()) {
                    TRACER.debugWarning("Skipping password value for user %s because the associated storage scheme %s is not configured for use.", this.userDNString, sb);
                }
            }
        }
        if (linkedHashSet.isEmpty()) {
            if (DebugLogger.debugEnabled()) {
                TRACER.debugInfo("User entry %s does not have any password values encoded using deprecated schemes.", this.userDNString);
                return;
            }
            return;
        }
        LinkedHashSet linkedHashSet3 = new LinkedHashSet();
        Iterator<PasswordStorageScheme<?>> it3 = this.passwordPolicy.getDefaultStorageSchemes().iterator();
        while (it3.hasNext()) {
            PasswordStorageScheme<?> next2 = it3.next();
            if (!hashSet.contains(StaticUtils.toLowerCase(next2.getStorageSchemeName()))) {
                if (usesAuthPasswordSyntax) {
                    try {
                        encodeAuthPassword = next2.encodeAuthPassword(byteString);
                    } catch (Exception e2) {
                        if (DebugLogger.debugEnabled()) {
                            TRACER.debugCaught(DebugLogLevel.ERROR, e2);
                        }
                        if (DebugLogger.debugEnabled()) {
                            TRACER.debugWarning("Unable to encode password for user %s using default scheme %s: %s", this.userDNString, next2.getStorageSchemeName(), StaticUtils.stackTraceToSingleLineString(e2));
                        }
                    }
                } else {
                    encodeAuthPassword = next2.encodePasswordWithScheme(byteString);
                }
                AttributeValue create = AttributeValues.create(passwordAttribute, encodeAuthPassword);
                linkedHashSet3.add(create);
                linkedHashSet2.add(create);
            }
        }
        if (linkedHashSet2.isEmpty()) {
            if (DebugLogger.debugEnabled()) {
                TRACER.debugWarning("Not updating user entry %s because removing deprecated schemes would leave the user without a password.", this.userDNString);
                return;
            }
            return;
        }
        if (this.updateEntry) {
            AttributeBuilder attributeBuilder = new AttributeBuilder(passwordAttribute);
            attributeBuilder.addAll(linkedHashSet2);
            ArrayList arrayList = new ArrayList(1);
            arrayList.add(attributeBuilder.toAttribute());
            this.userEntry.putAttribute(passwordAttribute, arrayList);
        } else {
            AttributeBuilder attributeBuilder2 = new AttributeBuilder(passwordAttribute);
            attributeBuilder2.addAll(linkedHashSet);
            this.modifications.add(new Modification(ModificationType.DELETE, attributeBuilder2.toAttribute(), true));
            if (!linkedHashSet3.isEmpty()) {
                AttributeBuilder attributeBuilder3 = new AttributeBuilder(passwordAttribute);
                attributeBuilder3.addAll(linkedHashSet3);
                this.modifications.add(new Modification(ModificationType.ADD, attributeBuilder3.toAttribute(), true));
            }
        }
        if (DebugLogger.debugEnabled()) {
            TRACER.debugInfo("Updating user entry %s to replace password values encoded with deprecated schemes with values encoded with the default schemes.", this.userDNString);
        }
    }

    public boolean maintainHistory() {
        return this.passwordPolicy.getPasswordHistoryCount() > 0 || this.passwordPolicy.getPasswordHistoryDuration() > 0;
    }

    public boolean isPasswordInHistory(ByteString byteString) {
        if (!maintainHistory()) {
            if (!DebugLogger.debugEnabled()) {
                return false;
            }
            TRACER.debugInfo("Returning false because password history checking is disabled.");
            return false;
        }
        if (passwordMatches(byteString)) {
            if (!DebugLogger.debugEnabled()) {
                return true;
            }
            TRACER.debugInfo("Returning true because the provided password is currently in use.");
            return true;
        }
        TreeMap<Long, AttributeValue> sortedHistoryValues = getSortedHistoryValues(null);
        int passwordHistoryCount = this.passwordPolicy.getPasswordHistoryCount();
        if (passwordHistoryCount > 0 && sortedHistoryValues.size() > passwordHistoryCount) {
            Iterator<Long> it = sortedHistoryValues.keySet().iterator();
            for (int size = sortedHistoryValues.size() - passwordHistoryCount; it.hasNext() && size > 0; size--) {
                it.next();
                it.remove();
            }
        }
        if (this.passwordPolicy.getPasswordHistoryDuration() > 0) {
            long j = this.currentTime - (ConfigConstants.DEFAULT_SIZE_LIMIT * r0);
            Iterator<Long> it2 = sortedHistoryValues.keySet().iterator();
            while (it2.hasNext() && it2.next().longValue() < j) {
                it2.remove();
            }
        }
        Iterator<AttributeValue> it3 = sortedHistoryValues.values().iterator();
        while (it3.hasNext()) {
            if (historyValueMatches(byteString, it3.next())) {
                if (!DebugLogger.debugEnabled()) {
                    return true;
                }
                TRACER.debugInfo("Returning true because the password is in the history.");
                return true;
            }
        }
        if (!DebugLogger.debugEnabled()) {
            return false;
        }
        TRACER.debugInfo("Returning false because the password isn't in the history.");
        return false;
    }

    private TreeMap<Long, AttributeValue> getSortedHistoryValues(List<Attribute> list) {
        TreeMap<Long, AttributeValue> treeMap = new TreeMap<>();
        List<Attribute> attribute = this.userEntry.getAttribute(DirectoryServer.getAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_HISTORY_LC, true));
        if (attribute != null) {
            for (Attribute attribute2 : attribute) {
                for (AttributeValue attributeValue : attribute2) {
                    String byteString = attributeValue.getValue().toString();
                    int indexOf = byteString.indexOf(35);
                    if (indexOf <= 0) {
                        if (DebugLogger.debugEnabled()) {
                            TRACER.debugInfo("Found value " + byteString + " in the history with no timestamp.  Marking it for removal.");
                        }
                        if (list != null) {
                            list.add(Attributes.create(attribute2.getAttributeType(), attributeValue));
                        }
                    } else {
                        try {
                            treeMap.put(Long.valueOf(GeneralizedTimeSyntax.decodeGeneralizedTimeValue(ByteString.valueOf(byteString.substring(0, indexOf)))), attributeValue);
                        } catch (Exception e) {
                            if (DebugLogger.debugEnabled()) {
                                TRACER.debugCaught(DebugLogLevel.ERROR, e);
                                TRACER.debugInfo("Could not decode the timestamp in history value " + byteString + " -- " + e + ".  Marking it for removal.");
                            }
                            if (list != null) {
                                list.add(Attributes.create(attribute2.getAttributeType(), attributeValue));
                            }
                        }
                    }
                }
            }
        }
        return treeMap;
    }

    private boolean historyValueMatches(ByteString byteString, AttributeValue attributeValue) {
        try {
            String byteString2 = attributeValue.getValue().toString();
            int indexOf = byteString2.indexOf(35);
            if (indexOf <= 0) {
                if (!DebugLogger.debugEnabled()) {
                    return false;
                }
                TRACER.debugInfo("Returning false because the password history value didn't include any hash characters.");
                return false;
            }
            int indexOf2 = byteString2.indexOf(35, indexOf + 1);
            if (indexOf2 < 0) {
                if (!DebugLogger.debugEnabled()) {
                    return false;
                }
                TRACER.debugInfo("Returning false because the password history value only had one hash character.");
                return false;
            }
            String lowerCase = StaticUtils.toLowerCase(byteString2.substring(indexOf + 1, indexOf2));
            if (lowerCase.equals(SchemaConstants.SYNTAX_AUTH_PASSWORD_OID)) {
                StringBuilder[] decodeAuthPassword = AuthPasswordSyntax.decodeAuthPassword(byteString2.substring(indexOf2 + 1));
                if (DirectoryServer.getAuthPasswordStorageScheme(decodeAuthPassword[0].toString()).authPasswordMatches(byteString, decodeAuthPassword[1].toString(), decodeAuthPassword[2].toString())) {
                    if (!DebugLogger.debugEnabled()) {
                        return true;
                    }
                    TRACER.debugInfo("Returning true because the auth password history value matched.");
                    return true;
                }
                if (!DebugLogger.debugEnabled()) {
                    return false;
                }
                TRACER.debugInfo("Returning false because the auth password history value did not match.");
                return false;
            }
            if (!lowerCase.equals(SchemaConstants.SYNTAX_USER_PASSWORD_OID)) {
                if (!DebugLogger.debugEnabled()) {
                    return false;
                }
                TRACER.debugInfo("Returning false because the syntax OID " + lowerCase + " didn't match for either the auth or user password syntax.");
                return false;
            }
            String[] decodeUserPassword = UserPasswordSyntax.decodeUserPassword(byteString2.substring(indexOf2 + 1));
            if (DirectoryServer.getPasswordStorageScheme(decodeUserPassword[0]).passwordMatches(byteString, ByteString.valueOf(decodeUserPassword[1]))) {
                if (!DebugLogger.debugEnabled()) {
                    return true;
                }
                TRACER.debugInfo("Returning true because the user password history value matched.");
                return true;
            }
            if (!DebugLogger.debugEnabled()) {
                return false;
            }
            TRACER.debugInfo("Returning false because the user password history value did not match.");
            return false;
        } catch (Exception e) {
            if (!DebugLogger.debugEnabled()) {
                return false;
            }
            TRACER.debugCaught(DebugLogLevel.ERROR, e);
            if (!DebugLogger.debugEnabled()) {
                return false;
            }
            TRACER.debugInfo("Returning false because of an exception:  " + StaticUtils.stackTraceToSingleLineString(e));
            return false;
        }
    }

    public void updatePasswordHistory() {
        List<Attribute> attribute = this.userEntry.getAttribute(this.passwordPolicy.getPasswordAttribute());
        if (attribute != null) {
            Iterator<Attribute> it = attribute.iterator();
            while (it.hasNext()) {
                Iterator<AttributeValue> it2 = it.next().iterator();
                while (it2.hasNext()) {
                    addPasswordToHistory(it2.next().getValue().toString());
                }
            }
        }
    }

    private void addPasswordToHistory(String str) {
        long j;
        if (!maintainHistory()) {
            if (DebugLogger.debugEnabled()) {
                TRACER.debugInfo("Not doing anything because password history maintenance is disabled.");
                return;
            }
            return;
        }
        LinkedList linkedList = new LinkedList();
        TreeMap<Long, AttributeValue> sortedHistoryValues = getSortedHistoryValues(linkedList);
        AttributeType attributeType = DirectoryServer.getAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_HISTORY_LC, true);
        int passwordHistoryCount = this.passwordPolicy.getPasswordHistoryCount();
        if (passwordHistoryCount > 0 && sortedHistoryValues.size() >= passwordHistoryCount) {
            int size = (sortedHistoryValues.size() - passwordHistoryCount) + 1;
            LinkedHashSet linkedHashSet = new LinkedHashSet(size);
            Iterator<AttributeValue> it = sortedHistoryValues.values().iterator();
            while (it.hasNext() && size > 0) {
                AttributeValue next = it.next();
                linkedHashSet.add(next);
                it.remove();
                size--;
                if (DebugLogger.debugEnabled()) {
                    TRACER.debugInfo("Removing history value " + next.getValue().toString() + " to preserve the history count.");
                }
            }
            if (!linkedHashSet.isEmpty()) {
                AttributeBuilder attributeBuilder = new AttributeBuilder(attributeType);
                attributeBuilder.addAll(linkedHashSet);
                linkedList.add(attributeBuilder.toAttribute());
            }
        }
        int passwordHistoryDuration = this.passwordPolicy.getPasswordHistoryDuration();
        if (passwordHistoryDuration > 0) {
            long j2 = this.currentTime - (1000 * passwordHistoryDuration);
            Iterator<Long> it2 = sortedHistoryValues.keySet().iterator();
            LinkedHashSet linkedHashSet2 = new LinkedHashSet();
            while (it2.hasNext()) {
                long longValue = it2.next().longValue();
                if (longValue >= j2) {
                    break;
                }
                AttributeValue attributeValue = sortedHistoryValues.get(Long.valueOf(longValue));
                linkedHashSet2.add(attributeValue);
                it2.remove();
                if (DebugLogger.debugEnabled()) {
                    TRACER.debugInfo("Removing history value " + attributeValue.getValue().toString() + " to preserve the history duration.");
                }
            }
            if (!linkedHashSet2.isEmpty()) {
                AttributeBuilder attributeBuilder2 = new AttributeBuilder(attributeType);
                attributeBuilder2.addAll(linkedHashSet2);
                linkedList.add(attributeBuilder2.toAttribute());
            }
        }
        long j3 = this.currentTime;
        while (true) {
            j = j3;
            if (!sortedHistoryValues.containsKey(Long.valueOf(j))) {
                break;
            } else {
                j3 = j + 1;
            }
        }
        String str2 = GeneralizedTimeSyntax.format(j) + "#" + this.passwordPolicy.getPasswordAttribute().getSyntaxOID() + "#" + str;
        Attribute create = Attributes.create(attributeType, str2);
        if (DebugLogger.debugEnabled()) {
            TRACER.debugInfo("Going to add history value " + str2);
        }
        if (!this.updateEntry) {
            Iterator it3 = linkedList.iterator();
            while (it3.hasNext()) {
                this.modifications.add(new Modification(ModificationType.DELETE, (Attribute) it3.next(), true));
            }
            this.modifications.add(new Modification(ModificationType.ADD, create, true));
            return;
        }
        LinkedList linkedList2 = new LinkedList();
        Iterator it4 = linkedList.iterator();
        while (it4.hasNext()) {
            this.userEntry.removeAttribute((Attribute) it4.next(), linkedList2);
        }
        this.userEntry.addAttribute(create, linkedList2);
    }

    public String[] getPasswordHistoryValues() {
        ArrayList arrayList = new ArrayList();
        List<Attribute> attribute = this.userEntry.getAttribute(DirectoryServer.getAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_HISTORY_LC, true));
        if (attribute != null) {
            Iterator<Attribute> it = attribute.iterator();
            while (it.hasNext()) {
                Iterator<AttributeValue> it2 = it.next().iterator();
                while (it2.hasNext()) {
                    arrayList.add(it2.next().getValue().toString());
                }
            }
        }
        return (String[]) arrayList.toArray(new String[arrayList.size()]);
    }

    public void clearPasswordHistory() {
        if (DebugLogger.debugEnabled()) {
            TRACER.debugInfo("Clearing password history for user %s", this.userDNString);
        }
        AttributeType attributeType = DirectoryServer.getAttributeType(ConfigConstants.OP_ATTR_PWPOLICY_HISTORY_LC, true);
        if (this.updateEntry) {
            this.userEntry.removeAttribute(attributeType);
        } else {
            this.modifications.add(new Modification(ModificationType.REPLACE, Attributes.empty(attributeType), true));
        }
    }

    public ByteString generatePassword() throws DirectoryException {
        PasswordGenerator<?> passwordGenerator = this.passwordPolicy.getPasswordGenerator();
        if (passwordGenerator != null) {
            return passwordGenerator.generatePassword(this.userEntry);
        }
        if (!DebugLogger.debugEnabled()) {
            return null;
        }
        TRACER.debugWarning("Unable to generate a new password for user %s because no password generator has been defined in the associated password policy.", this.userDNString);
        return null;
    }

    public void generateAccountStatusNotification(AccountStatusNotificationType accountStatusNotificationType, Entry entry, Message message, Map<AccountStatusNotificationProperty, List<String>> map) {
        generateAccountStatusNotification(new AccountStatusNotification(accountStatusNotificationType, entry, message, map));
    }

    public void generateAccountStatusNotification(AccountStatusNotification accountStatusNotification) {
        Collection<AccountStatusNotificationHandler<?>> values = this.passwordPolicy.getAccountStatusNotificationHandlers().values();
        if (values == null || values.isEmpty()) {
            return;
        }
        Iterator<AccountStatusNotificationHandler<?>> it = values.iterator();
        while (it.hasNext()) {
            it.next().handleStatusNotification(accountStatusNotification);
        }
    }

    public List<Modification> getModifications() {
        return this.modifications;
    }

    public void updateUserEntry() throws DirectoryException {
        if (this.modifications.isEmpty()) {
            return;
        }
        ArrayList arrayList = new ArrayList();
        Iterator<Modification> it = this.modifications.iterator();
        while (it.hasNext()) {
            Modification next = it.next();
            arrayList.add(RawModification.create(next.getModificationType(), new LDAPAttribute(next.getAttribute())));
        }
        ModifyOperation processModify = InternalClientConnection.getRootConnection().processModify(ByteString.valueOf(this.userDNString), arrayList);
        ResultCode resultCode = processModify.getResultCode();
        if (resultCode != ResultCode.SUCCESS) {
            Message message = CoreMessages.ERR_PWPSTATE_CANNOT_UPDATE_USER_ENTRY.get(this.userDNString, String.valueOf(processModify.getErrorMessage()));
            if (!DirectoryServer.isRootDN(this.userEntry.getDN()) && this.passwordPolicy.getStateUpdateFailurePolicy() != PasswordPolicyCfgDefn.StateUpdateFailurePolicy.IGNORE) {
                throw new DirectoryException(resultCode, message);
            }
            ErrorLogger.logError(message);
        }
    }

    static {
        $assertionsDisabled = !PasswordPolicyState.class.desiredAssertionStatus();
        TRACER = DebugLogger.getTracer();
    }
}
