package org.opends.server.workflowelement.localbackend;

import java.util.Iterator;
import java.util.List;
import java.util.concurrent.locks.Lock;
import org.opends.messages.CoreMessages;
import org.opends.messages.Message;
import org.opends.server.admin.std.meta.PasswordPolicyCfgDefn;
import org.opends.server.api.Backend;
import org.opends.server.api.ClientConnection;
import org.opends.server.api.SASLMechanismHandler;
import org.opends.server.api.plugin.PluginResult;
import org.opends.server.config.ConfigConstants;
import org.opends.server.controls.AuthorizationIdentityResponseControl;
import org.opends.server.controls.PasswordExpiredControl;
import org.opends.server.controls.PasswordExpiringControl;
import org.opends.server.controls.PasswordPolicyErrorType;
import org.opends.server.controls.PasswordPolicyResponseControl;
import org.opends.server.controls.PasswordPolicyWarningType;
import org.opends.server.core.AccessControlConfigManager;
import org.opends.server.core.BindOperation;
import org.opends.server.core.BindOperationWrapper;
import org.opends.server.core.DirectoryServer;
import org.opends.server.core.PasswordPolicy;
import org.opends.server.core.PasswordPolicyState;
import org.opends.server.core.PluginConfigManager;
import org.opends.server.loggers.ErrorLogger;
import org.opends.server.loggers.debug.DebugLogger;
import org.opends.server.loggers.debug.DebugTracer;
import org.opends.server.types.AccountStatusNotification;
import org.opends.server.types.AccountStatusNotificationType;
import org.opends.server.types.Attribute;
import org.opends.server.types.AttributeValue;
import org.opends.server.types.AuthenticationInfo;
import org.opends.server.types.ByteString;
import org.opends.server.types.Control;
import org.opends.server.types.DN;
import org.opends.server.types.DebugLogLevel;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.Entry;
import org.opends.server.types.LockManager;
import org.opends.server.types.Privilege;
import org.opends.server.types.ResultCode;
import org.opends.server.types.WritabilityMode;
import org.opends.server.types.operation.PostOperationBindOperation;
import org.opends.server.types.operation.PostResponseBindOperation;
import org.opends.server.types.operation.PreOperationBindOperation;
import org.opends.server.util.ServerConstants;
import org.opends.server.util.StaticUtils;

/* loaded from: input_file:org/opends/server/workflowelement/localbackend/LocalBackendBindOperation.class */
public class LocalBackendBindOperation extends BindOperationWrapper implements PreOperationBindOperation, PostOperationBindOperation, PostResponseBindOperation {
    // Tracer used to record caught exceptions when debug logging is enabled.
    private static final DebugTracer TRACER = DebugLogger.getTracer();
    // Backend the bind is evaluated against; taken from the workflow element in processLocalBind.
    protected Backend backend;
    // Copied from pwPolicyState.isFirstWarning() in checkPasswordPolicyState; on a
    // successful bind it triggers setWarnedTime() and a PASSWORD_EXPIRING notification.
    protected boolean isFirstWarning;
    // Set when an expired password is accepted because grace logins remain; a
    // successful bind then records the grace login via updateGraceLoginTimes().
    protected boolean isGraceLogin;
    // Set by the password policy checks; copied onto the client connection only
    // after a successful bind.
    private boolean mustChangePassword;
    // True when the request carried OID_PASSWORD_POLICY_CONTROL (see handleRequestControls).
    private boolean pwPolicyControlRequested;
    // True when the request carried OID_AUTHZID_REQUEST (see handleRequestControls).
    private boolean returnAuthzID;
    // Gates the post-operation bind plugins in processLocalBind. Within this class it
    // is set to true only on the simple and anonymous bind paths.
    protected boolean executePostOpPlugins;
    // Connection on which the bind was received; receives the authentication
    // state and resource limits when the bind succeeds.
    private ClientConnection clientConnection;
    // Bind DN from the request; processSimpleBind replaces it when
    // DirectoryServer.getActualRootBindDN returns a non-null DN.
    protected DN bindDN;
    // Resource limits: initialised from the server-wide values in processLocalBind,
    // optionally overridden per user by setResourceLimits, applied to the
    // connection on success.
    private int lookthroughLimit;
    // Value sent with a password policy warning; -1 until a warning is chosen.
    private int pwPolicyWarningValue;
    private int sizeLimit;
    private int timeLimit;
    // Stored in the unit setResourceLimits produces (entry value multiplied by 1000).
    private long idleTimeLimit;
    // Password policy obtained from pwPolicyState.getPolicy().
    protected PasswordPolicy policy;
    // Password policy state for the authenticating entry; null for anonymous binds
    // and for SASL binds that identify no user entry.
    protected PasswordPolicyState pwPolicyState;
    // First policy error / warning recorded for this bind (later ones do not overwrite it).
    private PasswordPolicyErrorType pwPolicyErrorType;
    private PasswordPolicyWarningType pwPolicyWarningType;
    // Used to invoke the pre- and post-operation bind plugins.
    protected PluginConfigManager pluginConfigManager;
    // SASL mechanism name from the request, as returned by getSASLMechanism().
    private String saslMechanism;

    /**
     * Creates a local-backend view of a bind operation.
     *
     * <p>The wrapped operation is handed to the {@code BindOperationWrapper} superclass, and this
     * wrapper is then registered with it through
     * {@code LocalBackendWorkflowElement.attachLocalOperation}.
     *
     * @param bindOperation the bind operation to wrap
     */
    public LocalBackendBindOperation(BindOperation bindOperation) {
        super(bindOperation);
        LocalBackendWorkflowElement.attachLocalOperation(bindOperation, this);
    }

    /**
     * Processes this bind request against the local backend and records the outcome on the
     * operation and, if the bind succeeded, on the client connection.
     *
     * <p>Order of work: reset the per-request state, ask the access control handler whether the
     * bind is allowed, process the request controls, run the simple or SASL bind, persist any
     * password policy state changes, run the post-operation plugins (only when
     * {@code executePostOpPlugins} was set), install the authentication state, and finally attach
     * the password policy / expiry response controls.
     *
     * <p>Security-relevant behaviour visible here: an access control denial is reported as
     * {@code INVALID_CREDENTIALS}, and the authentication state and per-user limits are written to
     * the connection only when the result code is {@code SUCCESS} and authentication info exists.
     *
     * @param localBackendWorkflowElement the workflow element that supplies the backend
     */
    public void processLocalBind(LocalBackendWorkflowElement localBackendWorkflowElement) {
        // Per-request flags and policy results start from a clean slate.
        this.returnAuthzID = false;
        this.executePostOpPlugins = false;
        this.pwPolicyState = null;
        this.pwPolicyErrorType = null;
        this.pwPolicyWarningType = null;
        this.pwPolicyWarningValue = -1;
        this.pwPolicyControlRequested = false;
        this.isGraceLogin = false;
        this.isFirstWarning = false;
        this.mustChangePassword = false;

        // Request context and server-wide default limits.
        this.backend = localBackendWorkflowElement.getBackend();
        this.clientConnection = getClientConnection();
        this.sizeLimit = DirectoryServer.getSizeLimit();
        this.timeLimit = DirectoryServer.getTimeLimit();
        this.lookthroughLimit = DirectoryServer.getLookthroughLimit();
        this.idleTimeLimit = DirectoryServer.getIdleTimeLimit();
        this.bindDN = getBindDN();
        this.saslMechanism = getSASLMechanism();
        this.pluginConfigManager = DirectoryServer.getPluginConfigManager();

        try {
            boolean bindAllowed = AccessControlConfigManager.getInstance().getAccessControlHandler().isAllowed(this);
            if (!bindAllowed) {
                // The denial is surfaced with the same result code as a bad password.
                setResultCode(ResultCode.INVALID_CREDENTIALS);
                setAuthFailureReason(CoreMessages.ERR_BIND_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS.get(String.valueOf(this.bindDN)));
            } else {
                try {
                    handleRequestControls();
                    switch (getAuthenticationType()) {
                        case SIMPLE:
                            try {
                                // The boolean result makes no difference at this point:
                                // nothing else runs inside the switch either way.
                                processSimpleBind();
                            } catch (DirectoryException simpleFailure) {
                                if (DebugLogger.debugEnabled()) {
                                    TRACER.debugCaught(DebugLogLevel.ERROR, simpleFailure);
                                }
                                if (simpleFailure.getResultCode() == ResultCode.INVALID_CREDENTIALS) {
                                    // Credential failures keep their detail in the
                                    // auth-failure reason rather than in the response data.
                                    setResultCode(ResultCode.INVALID_CREDENTIALS);
                                    setAuthFailureReason(simpleFailure.getMessageObject());
                                } else {
                                    setResponseData(simpleFailure);
                                }
                            }
                            break;
                        case SASL:
                            try {
                                processSASLBind();
                            } catch (DirectoryException saslFailure) {
                                if (DebugLogger.debugEnabled()) {
                                    TRACER.debugCaught(DebugLogLevel.ERROR, saslFailure);
                                }
                                if (saslFailure.getResultCode() == ResultCode.INVALID_CREDENTIALS) {
                                    setResultCode(ResultCode.INVALID_CREDENTIALS);
                                    setAuthFailureReason(saslFailure.getMessageObject());
                                } else {
                                    setResponseData(saslFailure);
                                }
                            }
                            break;
                        default:
                            setResultCode(ResultCode.PROTOCOL_ERROR);
                            break;
                    }
                } catch (DirectoryException controlFailure) {
                    if (DebugLogger.debugEnabled()) {
                        TRACER.debugCaught(DebugLogLevel.ERROR, controlFailure);
                    }
                    setResponseData(controlFailure);
                }
            }
        } catch (DirectoryException accessCheckFailure) {
            setResultCode(accessCheckFailure.getResultCode());
            setAuthFailureReason(accessCheckFailure.getMessageObject());
        }

        // Persist failure counters, warned time, last login time, etc. This runs for
        // failed binds too, whenever a policy state was created.
        try {
            if (this.pwPolicyState != null) {
                this.pwPolicyState.updateUserEntry();
            }
        } catch (DirectoryException updateFailure) {
            if (DebugLogger.debugEnabled()) {
                TRACER.debugCaught(DebugLogLevel.ERROR, updateFailure);
            }
            setResponseData(updateFailure);
        }

        if (this.executePostOpPlugins) {
            PluginResult.PostOperation postOpResult = this.pluginConfigManager.invokePostOperationBindPlugins(this);
            if (!postOpResult.continueProcessing()) {
                setResultCode(postOpResult.getResultCode());
                appendErrorMessage(postOpResult.getErrorMessage());
                setMatchedDN(postOpResult.getMatchedDN());
                setReferralURLs(postOpResult.getReferralURLs());
            }
        }

        // Only a successful bind changes the connection's identity and limits.
        // NOTE(review): on failure this method leaves whatever authentication state the
        // connection already had; confirm the caller resets it before or after this call.
        AuthenticationInfo authInfo = getAuthenticationInfo();
        if (getResultCode() == ResultCode.SUCCESS && authInfo != null) {
            this.clientConnection.setAuthenticationInfo(authInfo);
            this.clientConnection.setSizeLimit(this.sizeLimit);
            this.clientConnection.setTimeLimit(this.timeLimit);
            this.clientConnection.setIdleTimeLimit(this.idleTimeLimit);
            this.clientConnection.setLookthroughLimit(this.lookthroughLimit);
            this.clientConnection.setMustChangePassword(this.mustChangePassword);
            if (this.returnAuthzID) {
                addResponseControl(new AuthorizationIdentityResponseControl(authInfo.getAuthorizationDN()));
            }
        }

        boolean bindFailed = getResultCode() != ResultCode.SUCCESS;

        // A client that asked for the password policy control always gets it, pass or fail.
        if (this.pwPolicyControlRequested) {
            addResponseControl(new PasswordPolicyResponseControl(this.pwPolicyWarningType, this.pwPolicyWarningValue, this.pwPolicyErrorType));
            return;
        }
        // Otherwise an expired password is reported with the expired control, pass or fail.
        if (this.pwPolicyErrorType == PasswordPolicyErrorType.PASSWORD_EXPIRED) {
            addResponseControl(new PasswordExpiredControl());
            return;
        }
        if (bindFailed) {
            return;
        }
        // The remaining controls are only meaningful on a successful bind.
        if (this.pwPolicyWarningType == PasswordPolicyWarningType.TIME_BEFORE_EXPIRATION) {
            addResponseControl(new PasswordExpiringControl(this.pwPolicyWarningValue));
        } else if (this.mustChangePassword) {
            addResponseControl(new PasswordExpiredControl());
        }
    }

    /**
     * Examines the controls attached to the bind request.
     *
     * <p>Every control is first checked with the access control handler, before its OID is
     * interpreted. The authorization-identity request and password policy controls set the
     * matching flags. Any other control is rejected when marked critical and otherwise ignored.
     *
     * @throws DirectoryException with {@code INSUFFICIENT_ACCESS_RIGHTS} when a control is not
     *     allowed for the bind DN, or {@code UNAVAILABLE_CRITICAL_EXTENSION} when an
     *     unrecognised control is critical
     */
    private void handleRequestControls() throws DirectoryException {
        List<Control> controls = getRequestControls();
        if (controls == null) {
            return;
        }
        for (Control requested : controls) {
            String controlOid = requested.getOID();
            boolean permitted = AccessControlConfigManager.getInstance().getAccessControlHandler().isAllowed(this.bindDN, this, requested);
            if (!permitted) {
                throw new DirectoryException(ResultCode.INSUFFICIENT_ACCESS_RIGHTS, CoreMessages.ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(controlOid));
            }
            if (controlOid.equals(ServerConstants.OID_AUTHZID_REQUEST)) {
                this.returnAuthzID = true;
                continue;
            }
            if (controlOid.equals(ServerConstants.OID_PASSWORD_POLICY_CONTROL)) {
                this.pwPolicyControlRequested = true;
                continue;
            }
            // Unknown control: only a critical one stops the bind.
            if (requested.isCritical()) {
                throw new DirectoryException(ResultCode.UNAVAILABLE_CRITICAL_EXTENSION, CoreMessages.ERR_BIND_UNSUPPORTED_CRITICAL_CONTROL.get(controlOid));
            }
        }
    }

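    /**
     * Performs a simple (DN and password) bind.
     *
     * <p>An absent or empty password is delegated to {@link #processAnonymousSimpleBind()}.
     * Otherwise the user entry is read under a read lock, the password policy state is checked,
     * the pre-operation plugins run, and only then is the supplied password compared. On a match
     * the authentication info and per-user limits are prepared. On a mismatch the failure is
     * recorded and, if the policy uses failure lockout, the failure times are updated.
     *
     * <p>Changes from the previous version: the read lock is now released exactly once. Before,
     * the plugin-abort path unlocked explicitly and then again in {@code finally}, and a failed
     * lock acquisition still reached {@code LockManager.unlock} with a {@code null} lock.
     *
     * @return {@code false} when a pre-operation plugin stopped processing, {@code true}
     *     otherwise (including a wrong password; the result code carries the outcome)
     * @throws DirectoryException when the entry cannot be locked, or for any bind failure, which
     *     is re-thrown as {@code INVALID_CREDENTIALS} unless it is a referral
     */
    protected boolean processSimpleBind() throws DirectoryException {
        ByteString simplePassword = getSimplePassword();
        if (simplePassword == null || simplePassword.length() == 0) {
            // A DN without a password is never treated as that user; the anonymous
            // path decides whether such a request is accepted at all.
            return processAnonymousSimpleBind();
        }
        DN actualRootBindDN = DirectoryServer.getActualRootBindDN(this.bindDN);
        if (actualRootBindDN != null) {
            this.bindDN = actualRootBindDN;
        }

        // Up to three attempts to obtain the read lock on the user entry.
        Lock lock = null;
        for (int attempt = 0; attempt < 3 && lock == null; attempt++) {
            lock = LockManager.lockRead(this.bindDN);
        }
        if (lock == null) {
            // Thrown before the try block so that no unlock is attempted for a lock
            // that was never obtained, and so the server error code is preserved.
            throw new DirectoryException(DirectoryServer.getServerErrorResultCode(), CoreMessages.ERR_BIND_OPERATION_CANNOT_LOCK_USER.get(String.valueOf(this.bindDN)));
        }

        try {
            Entry entry = this.backend.getEntry(this.bindDN);
            if (entry == null) {
                throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, CoreMessages.ERR_BIND_OPERATION_UNKNOWN_USER.get(String.valueOf(this.bindDN)));
            }
            setUserEntryDN(entry.getDN());
            this.pwPolicyState = new PasswordPolicyState(entry, false);
            this.policy = this.pwPolicyState.getPolicy();
            List<Attribute> passwordAttributes = entry.getAttribute(this.policy.getPasswordAttribute());
            if (passwordAttributes == null || passwordAttributes.isEmpty()) {
                throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, CoreMessages.ERR_BIND_OPERATION_NO_PASSWORD.get(String.valueOf(this.bindDN)));
            }

            // Disabled, expired and locked accounts are rejected before the password
            // is looked at.
            checkPasswordPolicyState(entry, null);

            this.executePostOpPlugins = true;
            PluginResult.PreOperation preOpResult = this.pluginConfigManager.invokePreOperationBindPlugins(this);
            if (!preOpResult.continueProcessing()) {
                setResultCode(preOpResult.getResultCode());
                appendErrorMessage(preOpResult.getErrorMessage());
                setMatchedDN(preOpResult.getMatchedDN());
                setReferralURLs(preOpResult.getReferralURLs());
                // The lock is released by the finally block below.
                return false;
            }

            if (this.pwPolicyState.passwordMatches(simplePassword)) {
                setResultCode(ResultCode.SUCCESS);
                // In lockdown mode a correct password is still refused unless the
                // entry holds BYPASS_LOCKDOWN. The exception replaces the SUCCESS
                // result set above before any authentication info is stored.
                if (DirectoryServer.lockdownMode() && !ClientConnection.hasPrivilege(entry, Privilege.BYPASS_LOCKDOWN)) {
                    throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, CoreMessages.ERR_BIND_REJECTED_LOCKDOWN_MODE.get());
                }
                // NOTE(review): the supplied password is handed to AuthenticationInfo;
                // confirm how long that object keeps it.
                setAuthenticationInfo(new AuthenticationInfo(entry, getBindDN(), simplePassword, DirectoryServer.isRootDN(entry.getDN())));
                setResourceLimits(entry);
                this.pwPolicyState.handleDeprecatedStorageSchemes(simplePassword);
                this.pwPolicyState.clearFailureLockout();
                if (this.isFirstWarning) {
                    this.pwPolicyState.setWarnedTime();
                    int secondsUntilExpiration = this.pwPolicyState.getSecondsUntilExpiration();
                    this.pwPolicyState.generateAccountStatusNotification(AccountStatusNotificationType.PASSWORD_EXPIRING, entry, CoreMessages.WARN_BIND_PASSWORD_EXPIRING.get(StaticUtils.secondsToTimeString(secondsUntilExpiration)), AccountStatusNotification.createProperties(this.pwPolicyState, false, secondsUntilExpiration, null, null));
                }
                if (this.isGraceLogin) {
                    this.pwPolicyState.updateGraceLoginTimes();
                }
                this.pwPolicyState.setLastLoginTime();
            } else {
                setResultCode(ResultCode.INVALID_CREDENTIALS);
                setAuthFailureReason(CoreMessages.ERR_BIND_OPERATION_WRONG_PASSWORD.get());
                // Failures are only counted when the policy has a lockout threshold.
                if (this.policy.getLockoutFailureCount() > 0) {
                    this.pwPolicyState.updateAuthFailureTimes();
                    if (this.pwPolicyState.lockedDueToFailures()) {
                        AccountStatusNotificationType notificationType;
                        boolean temporarilyLocked;
                        Message lockoutMessage;
                        int secondsUntilUnlock = this.pwPolicyState.getSecondsUntilUnlock();
                        if (secondsUntilUnlock > -1) {
                            notificationType = AccountStatusNotificationType.ACCOUNT_TEMPORARILY_LOCKED;
                            temporarilyLocked = true;
                            lockoutMessage = CoreMessages.ERR_BIND_ACCOUNT_TEMPORARILY_LOCKED.get(StaticUtils.secondsToTimeString(secondsUntilUnlock));
                        } else {
                            notificationType = AccountStatusNotificationType.ACCOUNT_PERMANENTLY_LOCKED;
                            temporarilyLocked = false;
                            lockoutMessage = CoreMessages.ERR_BIND_ACCOUNT_PERMANENTLY_LOCKED.get();
                        }
                        this.pwPolicyState.generateAccountStatusNotification(notificationType, entry, lockoutMessage, AccountStatusNotification.createProperties(this.pwPolicyState, temporarilyLocked, -1, null, null));
                    }
                }
            }
            return true;
        } catch (DirectoryException e) {
            if (DebugLogger.debugEnabled()) {
                TRACER.debugCaught(DebugLogLevel.ERROR, e);
            }
            if (e.getResultCode() == ResultCode.REFERRAL) {
                throw e;
            }
            // Every other failure gets one result code, so the code alone does not
            // reveal whether the entry exists, is locked, or had a wrong password.
            // NOTE(review): the original message is kept and ends up in the
            // auth-failure reason; confirm that reason is never sent to the client.
            throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, e.getMessageObject());
        } finally {
            // Single release point for the read lock obtained above.
            LockManager.unlock(this.bindDN, lock);
        }
    }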

    /**
     * Handles a simple bind that carries no password.
     *
     * <p>The request is refused while the server is in lockdown mode. It is also refused when the
     * server requires a password for binds that name a DN and the request has a non-null DN, so a
     * DN without a password cannot succeed. If the pre-operation plugins allow it, the bind then
     * succeeds with an empty {@code AuthenticationInfo}.
     *
     * @return {@code true} when the anonymous bind succeeded, {@code false} when a pre-operation
     *     plugin stopped processing
     * @throws DirectoryException with {@code INVALID_CREDENTIALS} in lockdown mode, or
     *     {@code UNWILLING_TO_PERFORM} when a DN was supplied without the required password
     */
    protected boolean processAnonymousSimpleBind() throws DirectoryException {
        if (DirectoryServer.lockdownMode()) {
            throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, CoreMessages.ERR_BIND_REJECTED_LOCKDOWN_MODE.get());
        }
        boolean passwordRequiredForDN = DirectoryServer.bindWithDNRequiresPassword();
        if (passwordRequiredForDN && this.bindDN != null && !this.bindDN.isNullDN()) {
            throw new DirectoryException(ResultCode.UNWILLING_TO_PERFORM, CoreMessages.ERR_BIND_DN_BUT_NO_PASSWORD.get());
        }

        this.executePostOpPlugins = true;
        PluginResult.PreOperation preOpResult = this.pluginConfigManager.invokePreOperationBindPlugins(this);
        if (!preOpResult.continueProcessing()) {
            // A plugin vetoed the bind: report what it supplied.
            setResultCode(preOpResult.getResultCode());
            appendErrorMessage(preOpResult.getErrorMessage());
            setMatchedDN(preOpResult.getMatchedDN());
            setReferralURLs(preOpResult.getReferralURLs());
            return false;
        }

        // Anonymous identity: authentication info built with no arguments.
        setResultCode(ResultCode.SUCCESS);
        setAuthenticationInfo(new AuthenticationInfo());
        return true;
    }

    /**
     * Performs a SASL bind through the handler registered for the requested mechanism.
     *
     * <p>The pre-operation plugins run first, then the mechanism handler processes the bind and
     * sets the result code. Afterwards the lockdown rule and the password policy checks are
     * applied to the user entry the handler identified, if any. A successful bind updates warning,
     * grace-login and last-login state and loads the per-user limits. A failed bind with a
     * password-based mechanism updates the failure times when the policy uses failure lockout.
     *
     * <p>NOTE(review): unlike the simple and anonymous paths, this method does not set
     * {@code executePostOpPlugins}, so the caller skips the post-operation plugins for SASL
     * binds unless something else sets the flag. Confirm that this is intended.
     *
     * @return {@code false} when a pre-operation plugin stopped processing or the SASL exchange
     *     is still in progress, {@code true} otherwise
     * @throws DirectoryException when the mechanism is unknown, the bind is refused by lockdown
     *     mode, or a password policy check rejects the account
     */
    private boolean processSASLBind() throws DirectoryException {
        SASLMechanismHandler<?> mechanismHandler = DirectoryServer.getSASLMechanismHandler(this.saslMechanism);
        if (mechanismHandler == null) {
            throw new DirectoryException(ResultCode.AUTH_METHOD_NOT_SUPPORTED, CoreMessages.ERR_BIND_OPERATION_UNKNOWN_SASL_MECHANISM.get(this.saslMechanism));
        }

        PluginResult.PreOperation preOpResult = this.pluginConfigManager.invokePreOperationBindPlugins(this);
        if (!preOpResult.continueProcessing()) {
            setResultCode(preOpResult.getResultCode());
            appendErrorMessage(preOpResult.getErrorMessage());
            setMatchedDN(preOpResult.getMatchedDN());
            setReferralURLs(preOpResult.getReferralURLs());
            return false;
        }

        mechanismHandler.processSASLBind(this);
        Entry authUserEntry = getSASLAuthUserEntry();

        // Lockdown mode: an unfinished exchange may continue, but a finished one is
        // only accepted for a successful bind as an entry holding BYPASS_LOCKDOWN.
        if (DirectoryServer.lockdownMode()) {
            ResultCode lockdownResult = getResultCode();
            if (lockdownResult != ResultCode.SASL_BIND_IN_PROGRESS) {
                boolean mayBypassLockdown = lockdownResult == ResultCode.SUCCESS
                        && authUserEntry != null
                        && ClientConnection.hasPrivilege(authUserEntry, Privilege.BYPASS_LOCKDOWN);
                if (!mayBypassLockdown) {
                    throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, CoreMessages.ERR_BIND_REJECTED_LOCKDOWN_MODE.get());
                }
            }
        }

        if (authUserEntry != null) {
            this.pwPolicyState = new PasswordPolicyState(authUserEntry, false);
            this.policy = this.pwPolicyState.getPolicy();
            setUserEntryDN(authUserEntry.getDN());
            // May throw and thereby override a SUCCESS result set by the handler.
            checkPasswordPolicyState(authUserEntry, mechanismHandler);
        } else {
            this.pwPolicyState = null;
        }

        ResultCode outcome = getResultCode();
        if (outcome == ResultCode.SASL_BIND_IN_PROGRESS) {
            return false;
        }

        if (outcome == ResultCode.SUCCESS) {
            if (this.pwPolicyState != null) {
                if (mechanismHandler.isPasswordBased(this.saslMechanism) && this.pwPolicyState.mustChangePassword()) {
                    this.mustChangePassword = true;
                }
                if (this.isFirstWarning) {
                    this.pwPolicyState.setWarnedTime();
                    int secondsUntilExpiration = this.pwPolicyState.getSecondsUntilExpiration();
                    this.pwPolicyState.generateAccountStatusNotification(AccountStatusNotificationType.PASSWORD_EXPIRING, authUserEntry, CoreMessages.WARN_BIND_PASSWORD_EXPIRING.get(StaticUtils.secondsToTimeString(secondsUntilExpiration)), AccountStatusNotification.createProperties(this.pwPolicyState, false, secondsUntilExpiration, null, null));
                }
                if (this.isGraceLogin) {
                    this.pwPolicyState.updateGraceLoginTimes();
                }
                this.pwPolicyState.setLastLoginTime();
                setResourceLimits(authUserEntry);
            }
            return true;
        }

        // Failed bind: count it only for a known user, a password-based mechanism
        // and a policy with a lockout threshold.
        boolean countFailure = this.pwPolicyState != null
                && mechanismHandler.isPasswordBased(this.saslMechanism)
                && this.pwPolicyState.getPolicy().getLockoutFailureCount() > 0;
        if (countFailure) {
            this.pwPolicyState.updateAuthFailureTimes();
            if (this.pwPolicyState.lockedDueToFailures()) {
                AccountStatusNotificationType notificationType;
                boolean temporarilyLocked;
                Message lockoutMessage;
                int secondsUntilUnlock = this.pwPolicyState.getSecondsUntilUnlock();
                if (secondsUntilUnlock > -1) {
                    notificationType = AccountStatusNotificationType.ACCOUNT_TEMPORARILY_LOCKED;
                    temporarilyLocked = true;
                    lockoutMessage = CoreMessages.ERR_BIND_ACCOUNT_TEMPORARILY_LOCKED.get(StaticUtils.secondsToTimeString(secondsUntilUnlock));
                } else {
                    notificationType = AccountStatusNotificationType.ACCOUNT_PERMANENTLY_LOCKED;
                    temporarilyLocked = false;
                    lockoutMessage = CoreMessages.ERR_BIND_ACCOUNT_PERMANENTLY_LOCKED.get();
                }
                this.pwPolicyState.generateAccountStatusNotification(notificationType, authUserEntry, lockoutMessage, AccountStatusNotification.createProperties(this.pwPolicyState, temporarilyLocked, -1, null, null));
            }
        }
        return true;
    }

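    /**
     * Applies the account-state and password-policy checks that must pass before a bind may
     * succeed, and records the warning or error to report to the client.
     *
     * <p>Checks, in order: proactive rejection when state updates would be needed but writes are
     * disabled (root DNs exempt); secure-authentication requirement; disabled account; expired
     * account; failure lockout; idle lockout. For simple binds and password-based SASL
     * mechanisms it then checks reset lockout, password expiry with grace logins, expiry
     * warning, and forced password change.
     *
     * <p>Every rejection uses {@code INVALID_CREDENTIALS}, so the result code does not reveal
     * which check failed. The specific reason travels in the exception message.
     *
     * <p>Change from the previous version: a {@code null} grace-login list is treated as "no
     * grace logins used". Before, the limit check tolerated {@code null} but the remaining-count
     * calculation dereferenced the list.
     *
     * @param entry the entry of the user who is binding
     * @param sASLMechanismHandler the handler for a SASL bind, or {@code null} for a simple bind
     * @throws DirectoryException with {@code INVALID_CREDENTIALS} when any check rejects the bind
     */
    protected void checkPasswordPolicyState(Entry entry, SASLMechanismHandler<?> sASLMechanismHandler) throws DirectoryException {
        boolean isSASLBind = sASLMechanismHandler != null;

        // With the PROACTIVE policy, refuse up front when this bind would need to write
        // state (failure lockout or last-login tracking) but the server or the backend
        // is read-only. Root DNs are exempt.
        if (this.policy.getStateUpdateFailurePolicy() == PasswordPolicyCfgDefn.StateUpdateFailurePolicy.PROACTIVE
                && (this.policy.getLockoutFailureCount() > 0
                    || (this.policy.getLastLoginTimeAttribute() != null && this.policy.getLastLoginTimeFormat() != null))
                && (DirectoryServer.getWritabilityMode() == WritabilityMode.DISABLED
                    || this.backend.getWritabilityMode() == WritabilityMode.DISABLED)
                && !DirectoryServer.isRootDN(entry.getDN())) {
            throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, CoreMessages.ERR_BIND_OPERATION_WRITABILITY_DISABLED.get(String.valueOf(entry.getDN())));
        }

        // Policy demands secure authentication: on a connection that is not secure, a
        // simple bind is always refused and a SASL bind only passes when the handler
        // reports the mechanism itself as secure.
        if (this.policy.requireSecureAuthentication() && !this.clientConnection.isSecure()) {
            if (!isSASLBind) {
                throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, CoreMessages.ERR_BIND_OPERATION_INSECURE_SIMPLE_BIND.get(String.valueOf(entry.getDN())));
            }
            if (!sASLMechanismHandler.isSecure(this.saslMechanism)) {
                throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, CoreMessages.ERR_BIND_OPERATION_INSECURE_SASL_BIND.get(this.saslMechanism, String.valueOf(entry.getDN())));
            }
        }

        if (this.pwPolicyState.isDisabled()) {
            throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, CoreMessages.ERR_BIND_OPERATION_ACCOUNT_DISABLED.get(String.valueOf(entry.getDN())));
        }

        if (this.pwPolicyState.isAccountExpired()) {
            Message expiredMessage = CoreMessages.ERR_BIND_OPERATION_ACCOUNT_EXPIRED.get(String.valueOf(entry.getDN()));
            this.pwPolicyState.generateAccountStatusNotification(AccountStatusNotificationType.ACCOUNT_EXPIRED, entry, expiredMessage, AccountStatusNotification.createProperties(this.pwPolicyState, false, -1, null, null));
            throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, expiredMessage);
        }

        if (this.pwPolicyState.lockedDueToFailures()) {
            // Only the first error found is kept for the response control.
            if (this.pwPolicyErrorType == null) {
                this.pwPolicyErrorType = PasswordPolicyErrorType.ACCOUNT_LOCKED;
            }
            throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, CoreMessages.ERR_BIND_OPERATION_ACCOUNT_FAILURE_LOCKED.get(String.valueOf(entry.getDN())));
        }

        if (this.pwPolicyState.lockedDueToIdleInterval()) {
            Message idleMessage = CoreMessages.ERR_BIND_OPERATION_ACCOUNT_IDLE_LOCKED.get(String.valueOf(entry.getDN()));
            if (this.pwPolicyErrorType == null) {
                this.pwPolicyErrorType = PasswordPolicyErrorType.ACCOUNT_LOCKED;
            }
            this.pwPolicyState.generateAccountStatusNotification(AccountStatusNotificationType.ACCOUNT_IDLE_LOCKED, entry, idleMessage, AccountStatusNotification.createProperties(this.pwPolicyState, false, -1, null, null));
            throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, idleMessage);
        }

        // The remaining checks concern the password itself, so they are skipped for
        // SASL mechanisms that are not password-based.
        if (isSASLBind && !sASLMechanismHandler.isPasswordBased(this.saslMechanism)) {
            return;
        }

        if (this.pwPolicyState.lockedDueToMaximumResetAge()) {
            Message resetMessage = CoreMessages.ERR_BIND_OPERATION_ACCOUNT_RESET_LOCKED.get(String.valueOf(entry.getDN()));
            if (this.pwPolicyErrorType == null) {
                this.pwPolicyErrorType = PasswordPolicyErrorType.ACCOUNT_LOCKED;
            }
            this.pwPolicyState.generateAccountStatusNotification(AccountStatusNotificationType.ACCOUNT_RESET_LOCKED, entry, resetMessage, AccountStatusNotification.createProperties(this.pwPolicyState, false, -1, null, null));
            throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, resetMessage);
        }

        if (this.pwPolicyState.isPasswordExpired()) {
            if (this.pwPolicyErrorType == null) {
                this.pwPolicyErrorType = PasswordPolicyErrorType.PASSWORD_EXPIRED;
            }
            int graceLoginCount = this.policy.getGraceLoginCount();
            if (graceLoginCount <= 0 || !this.pwPolicyState.mayUseGraceLogin()) {
                Message noGraceMessage = CoreMessages.ERR_BIND_OPERATION_PASSWORD_EXPIRED.get(String.valueOf(entry.getDN()));
                this.pwPolicyState.generateAccountStatusNotification(AccountStatusNotificationType.PASSWORD_EXPIRED, entry, noGraceMessage, AccountStatusNotification.createProperties(this.pwPolicyState, false, -1, null, null));
                throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, noGraceMessage);
            }
            List<Long> graceLoginTimes = this.pwPolicyState.getGraceLoginTimes();
            // A missing list means no grace login has been used yet.
            int graceLoginsUsed = (graceLoginTimes == null) ? 0 : graceLoginTimes.size();
            if (graceLoginsUsed >= graceLoginCount) {
                Message exhaustedMessage = CoreMessages.ERR_BIND_OPERATION_PASSWORD_EXPIRED.get(String.valueOf(entry.getDN()));
                this.pwPolicyState.generateAccountStatusNotification(AccountStatusNotificationType.PASSWORD_EXPIRED, entry, exhaustedMessage, AccountStatusNotification.createProperties(this.pwPolicyState, false, -1, null, null));
                throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, exhaustedMessage);
            }
            // Expired password accepted as a grace login; the user must change it.
            this.isGraceLogin = true;
            this.mustChangePassword = true;
            if (this.pwPolicyWarningType == null) {
                this.pwPolicyWarningType = PasswordPolicyWarningType.GRACE_LOGINS_REMAINING;
                // Remaining count after this bind consumes one grace login.
                this.pwPolicyWarningValue = graceLoginCount - (graceLoginsUsed + 1);
            }
        } else if (this.pwPolicyState.shouldWarn()) {
            int secondsUntilExpiration = this.pwPolicyState.getSecondsUntilExpiration();
            if (this.pwPolicyWarningType == null) {
                this.pwPolicyWarningType = PasswordPolicyWarningType.TIME_BEFORE_EXPIRATION;
                this.pwPolicyWarningValue = secondsUntilExpiration;
            }
            this.isFirstWarning = this.pwPolicyState.isFirstWarning();
        }

        if (this.pwPolicyState.mustChangePassword()) {
            this.mustChangePassword = true;
            if (this.pwPolicyErrorType == null) {
                this.pwPolicyErrorType = PasswordPolicyErrorType.CHANGE_AFTER_RESET;
            }
        }
    }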

    /**
     * Overrides the default size, time, idle-time and lookthrough limits with the values stored
     * in the user's entry, when present.
     *
     * <p>Each limit is read from its own operational attribute. A value is used only when the
     * entry has exactly one attribute of that type with exactly one value. Multiple values are
     * logged and ignored, and a value that cannot be parsed is logged and leaves the current
     * limit in place. The idle time limit is stored as the entry value multiplied by 1000.
     *
     * <p>NOTE(review): parsed values are not range-checked here, so zero or negative numbers
     * pass through unchanged. Confirm how the consumers of these limits interpret them.
     *
     * @param entry the entry of the authenticated user
     */
    protected void setResourceLimits(Entry entry) {
        Iterator<AttributeValue> sizeValues = singleAttributeValues(entry, ConfigConstants.OP_ATTR_USER_SIZE_LIMIT);
        if (sizeValues != null && sizeValues.hasNext()) {
            AttributeValue sizeValue = sizeValues.next();
            if (!sizeValues.hasNext()) {
                try {
                    this.sizeLimit = Integer.parseInt(sizeValue.getValue().toString());
                } catch (Exception parseFailure) {
                    if (DebugLogger.debugEnabled()) {
                        TRACER.debugCaught(DebugLogLevel.ERROR, parseFailure);
                    }
                    ErrorLogger.logError(CoreMessages.WARN_BIND_CANNOT_PROCESS_USER_SIZE_LIMIT.get(sizeValue.getValue().toString(), String.valueOf(entry.getDN())));
                }
            } else {
                ErrorLogger.logError(CoreMessages.WARN_BIND_MULTIPLE_USER_SIZE_LIMITS.get(String.valueOf(entry.getDN())));
            }
        }

        Iterator<AttributeValue> timeValues = singleAttributeValues(entry, ConfigConstants.OP_ATTR_USER_TIME_LIMIT);
        if (timeValues != null && timeValues.hasNext()) {
            AttributeValue timeValue = timeValues.next();
            if (!timeValues.hasNext()) {
                try {
                    this.timeLimit = Integer.parseInt(timeValue.getValue().toString());
                } catch (Exception parseFailure) {
                    if (DebugLogger.debugEnabled()) {
                        TRACER.debugCaught(DebugLogLevel.ERROR, parseFailure);
                    }
                    ErrorLogger.logError(CoreMessages.WARN_BIND_CANNOT_PROCESS_USER_TIME_LIMIT.get(timeValue.getValue().toString(), String.valueOf(entry.getDN())));
                }
            } else {
                ErrorLogger.logError(CoreMessages.WARN_BIND_MULTIPLE_USER_TIME_LIMITS.get(String.valueOf(entry.getDN())));
            }
        }

        Iterator<AttributeValue> idleValues = singleAttributeValues(entry, ConfigConstants.OP_ATTR_USER_IDLE_TIME_LIMIT);
        if (idleValues != null && idleValues.hasNext()) {
            AttributeValue idleValue = idleValues.next();
            if (!idleValues.hasNext()) {
                try {
                    this.idleTimeLimit = 1000 * Long.parseLong(idleValue.getValue().toString());
                } catch (Exception parseFailure) {
                    if (DebugLogger.debugEnabled()) {
                        TRACER.debugCaught(DebugLogLevel.ERROR, parseFailure);
                    }
                    ErrorLogger.logError(CoreMessages.WARN_BIND_CANNOT_PROCESS_USER_IDLE_TIME_LIMIT.get(idleValue.getValue().toString(), String.valueOf(entry.getDN())));
                }
            } else {
                ErrorLogger.logError(CoreMessages.WARN_BIND_MULTIPLE_USER_IDLE_TIME_LIMITS.get(String.valueOf(entry.getDN())));
            }
        }

        Iterator<AttributeValue> lookthroughValues = singleAttributeValues(entry, ConfigConstants.OP_ATTR_USER_LOOKTHROUGH_LIMIT);
        if (lookthroughValues != null && lookthroughValues.hasNext()) {
            AttributeValue lookthroughValue = lookthroughValues.next();
            if (!lookthroughValues.hasNext()) {
                try {
                    this.lookthroughLimit = Integer.parseInt(lookthroughValue.getValue().toString());
                } catch (Exception parseFailure) {
                    if (DebugLogger.debugEnabled()) {
                        TRACER.debugCaught(DebugLogLevel.ERROR, parseFailure);
                    }
                    ErrorLogger.logError(CoreMessages.WARN_BIND_CANNOT_PROCESS_USER_LOOKTHROUGH_LIMIT.get(lookthroughValue.getValue().toString(), String.valueOf(entry.getDN())));
                }
            } else {
                ErrorLogger.logError(CoreMessages.WARN_BIND_MULTIPLE_USER_LOOKTHROUGH_LIMITS.get(String.valueOf(entry.getDN())));
            }
        }
    }

    /**
     * Returns an iterator over the values of the named attribute when the entry holds exactly
     * one attribute of that type, or {@code null} otherwise.
     */
    private static Iterator<AttributeValue> singleAttributeValues(Entry entry, String attributeName) {
        List<Attribute> attributes = entry.getAttribute(DirectoryServer.getAttributeType(attributeName, true));
        if (attributes == null || attributes.size() != 1) {
            return null;
        }
        return attributes.get(0).iterator();
    }
}
