package org.opends.server.workflowelement.localbackend;

import java.util.List;
import org.forgerock.i18n.LocalizableMessage;
import org.forgerock.i18n.LocalizableMessageDescriptor;
import org.forgerock.i18n.slf4j.LocalizedLogger;
import org.forgerock.opendj.ldap.ByteString;
import org.forgerock.opendj.ldap.DN;
import org.forgerock.opendj.ldap.ResultCode;
import org.forgerock.opendj.server.config.meta.PasswordPolicyCfgDefn;
import org.opends.messages.CoreMessages;
import org.opends.server.api.AuthenticationPolicyState;
import org.opends.server.api.ClientConnection;
import org.opends.server.api.LocalBackend;
import org.opends.server.api.SASLMechanismHandler;
import org.opends.server.config.ConfigConstants;
import org.opends.server.controls.AuthorizationIdentityResponseControl;
import org.opends.server.controls.PasswordExpiredControl;
import org.opends.server.controls.PasswordExpiringControl;
import org.opends.server.controls.PasswordPolicyErrorType;
import org.opends.server.controls.PasswordPolicyResponseControl;
import org.opends.server.controls.PasswordPolicyWarningType;
import org.opends.server.core.AccessControlConfigManager;
import org.opends.server.core.BindOperation;
import org.opends.server.core.BindOperationWrapper;
import org.opends.server.core.CoreConfigManager;
import org.opends.server.core.DirectoryServer;
import org.opends.server.core.PasswordPolicy;
import org.opends.server.core.PasswordPolicyState;
import org.opends.server.core.PluginConfigManager;
import org.opends.server.types.AbstractOperation;
import org.opends.server.types.AccountStatusNotification;
import org.opends.server.types.AccountStatusNotificationType;
import org.opends.server.types.Attribute;
import org.opends.server.types.AuthenticationInfo;
import org.opends.server.types.Control;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.Entry;
import org.opends.server.types.Privilege;
import org.opends.server.types.WritabilityMode;
import org.opends.server.types.operation.PostOperationBindOperation;
import org.opends.server.types.operation.PostResponseBindOperation;
import org.opends.server.types.operation.PreOperationBindOperation;
import org.opends.server.util.StaticUtils;

/* JADX WARN: Classes with same name are omitted:
  input_file:embedded-opendj/opendj.zip:opendj/lib/opendj.jar:org/opends/server/workflowelement/localbackend/LocalBackendBindOperation.class
 */
/* loaded from: input_file:embedded-opendj/opendj.zip:opendj/lib/org.openidentityplatform.opendj.opendj-server-legacy.jar:org/opends/server/workflowelement/localbackend/LocalBackendBindOperation.class */
public class LocalBackendBindOperation extends BindOperationWrapper implements PreOperationBindOperation, PostOperationBindOperation, PostResponseBindOperation {
    private static final LocalizedLogger logger = LocalizedLogger.getLoggerForThisClass();
    private LocalBackend<?> backend;
    private boolean isFirstWarning;
    private boolean isGraceLogin;
    private boolean mustChangePassword;
    private boolean pwPolicyControlRequested;
    private boolean returnAuthzID;
    private boolean executePostOpPlugins;
    private ClientConnection clientConnection;
    private DN bindDN;
    private int pwPolicyWarningValue;
    private int lookthroughLimit;
    private int sizeLimit;
    private int timeLimit;
    private long idleTimeLimit;
    private AuthenticationPolicyState authPolicyState;
    private PasswordPolicyErrorType pwPolicyErrorType;
    private PasswordPolicyWarningType pwPolicyWarningType;
    private PluginConfigManager pluginConfigManager;
    private String saslMechanism;

    /* JADX INFO: Access modifiers changed from: package-private */
    public LocalBackendBindOperation(BindOperation bindOperation) {
        super(bindOperation);
        LocalBackendWorkflowElement.attachLocalOperation(bindOperation, this);
    }

    public void processLocalBind(LocalBackend<?> localBackend) {
        this.backend = localBackend;
        this.clientConnection = getClientConnection();
        this.returnAuthzID = false;
        this.executePostOpPlugins = false;
        CoreConfigManager coreConfigManager = DirectoryServer.getCoreConfigManager();
        this.sizeLimit = coreConfigManager.getSizeLimit();
        this.timeLimit = coreConfigManager.getTimeLimit();
        this.lookthroughLimit = coreConfigManager.getLookthroughLimit();
        this.idleTimeLimit = DirectoryServer.getIdleTimeLimit();
        this.bindDN = getBindDN();
        this.saslMechanism = getSASLMechanism();
        this.authPolicyState = null;
        this.pwPolicyErrorType = null;
        this.pwPolicyControlRequested = false;
        this.isGraceLogin = false;
        this.isFirstWarning = false;
        this.mustChangePassword = false;
        this.pwPolicyWarningType = null;
        this.pwPolicyWarningValue = -1;
        this.pluginConfigManager = DirectoryServer.getPluginConfigManager();
        processBind();
        try {
            if (this.authPolicyState != null) {
                this.authPolicyState.finalizeStateAfterBind();
            }
        } catch (DirectoryException e) {
            logger.traceException(e);
            setResponseData(e);
        }
        if (this.executePostOpPlugins) {
            AbstractOperation.processOperationResult(this, this.pluginConfigManager.invokePostOperationBindPlugins(this));
        }
        AuthenticationInfo authenticationInfo = getAuthenticationInfo();
        if (getResultCode() == ResultCode.SUCCESS && authenticationInfo != null) {
            this.clientConnection.setAuthenticationInfo(authenticationInfo);
            this.clientConnection.setSizeLimit(this.sizeLimit);
            this.clientConnection.setTimeLimit(this.timeLimit);
            this.clientConnection.setIdleTimeLimit(this.idleTimeLimit);
            this.clientConnection.setLookthroughLimit(this.lookthroughLimit);
            this.clientConnection.setMustChangePassword(this.mustChangePassword);
            if (this.returnAuthzID) {
                addResponseControl(new AuthorizationIdentityResponseControl(authenticationInfo.getAuthorizationDN()));
            }
        }
        if (this.pwPolicyControlRequested) {
            addResponseControl(new PasswordPolicyResponseControl(this.pwPolicyWarningType, this.pwPolicyWarningValue, this.pwPolicyErrorType));
            return;
        }
        if (getResultCode() != ResultCode.SUCCESS) {
            if (this.pwPolicyErrorType == PasswordPolicyErrorType.PASSWORD_EXPIRED) {
                addResponseControl(new PasswordExpiredControl());
            }
        } else if (this.pwPolicyErrorType == PasswordPolicyErrorType.PASSWORD_EXPIRED) {
            addResponseControl(new PasswordExpiredControl());
        } else if (this.pwPolicyWarningType == PasswordPolicyWarningType.TIME_BEFORE_EXPIRATION) {
            addResponseControl(new PasswordExpiringControl(this.pwPolicyWarningValue));
        } else if (this.mustChangePassword) {
            addResponseControl(new PasswordExpiredControl());
        }
    }

    private void processBind() {
        try {
            if (!AccessControlConfigManager.getInstance().getAccessControlHandler().isAllowed(this)) {
                setResultCode(ResultCode.INVALID_CREDENTIALS);
                setAuthFailureReason(CoreMessages.ERR_BIND_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS.get());
                return;
            }
            try {
                handleRequestControls();
                try {
                    switch (getAuthenticationType()) {
                        case SIMPLE:
                            processSimpleBind();
                            break;
                        case SASL:
                            processSASLBind();
                            break;
                        default:
                            setResultCode(ResultCode.PROTOCOL_ERROR);
                            break;
                    }
                } catch (DirectoryException e) {
                    logger.traceException(e);
                    if (e.getResultCode() != ResultCode.INVALID_CREDENTIALS) {
                        setResponseData(e);
                    } else {
                        setResultCode(ResultCode.INVALID_CREDENTIALS);
                        setAuthFailureReason(e.getMessageObject());
                    }
                }
            } catch (DirectoryException e2) {
                logger.traceException(e2);
                setResponseData(e2);
            }
        } catch (DirectoryException e3) {
            setResultCode(e3.getResultCode());
            setAuthFailureReason(e3.getMessageObject());
        }
    }

    private void handleRequestControls() throws DirectoryException {
        LocalBackendWorkflowElement.removeAllDisallowedControls(this.bindDN, this);
        for (Control control : getRequestControls()) {
            String oid = control.getOID();
            if ("2.16.840.1.113730.3.4.16".equals(oid)) {
                this.returnAuthzID = true;
            } else if ("1.3.6.1.4.1.42.2.27.8.5.1".equals(oid)) {
                this.pwPolicyControlRequested = true;
            } else if (control.isCritical()) {
                throw new DirectoryException(ResultCode.UNAVAILABLE_CRITICAL_EXTENSION, CoreMessages.ERR_BIND_UNSUPPORTED_CRITICAL_CONTROL.get(oid));
            }
        }
    }

    private boolean processSimpleBind() throws DirectoryException {
        ByteString simplePassword = getSimplePassword();
        if (simplePassword == null || simplePassword.length() == 0) {
            return processAnonymousSimpleBind();
        }
        DN actualRootBindDN = DirectoryServer.getActualRootBindDN(this.bindDN);
        if (actualRootBindDN != null) {
            this.bindDN = actualRootBindDN;
        }
        try {
            Entry entry = this.backend.getEntry(this.bindDN);
            if (entry == null) {
                throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, CoreMessages.ERR_BIND_OPERATION_UNKNOWN_USER.get());
            }
            setUserEntryDN(entry.getName());
            this.authPolicyState = AuthenticationPolicyState.forUser(entry, false);
            if (!this.authPolicyState.isPasswordPolicy()) {
                if (this.authPolicyState.isDisabled()) {
                    throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, CoreMessages.ERR_BIND_OPERATION_ACCOUNT_DISABLED.get());
                }
                if (!invokePreOpPlugins()) {
                    return false;
                }
                if (!this.authPolicyState.passwordMatches(simplePassword)) {
                    setResultCode(ResultCode.INVALID_CREDENTIALS);
                    setAuthFailureReason(CoreMessages.ERR_BIND_OPERATION_WRONG_PASSWORD.get());
                    return true;
                }
                setResultCode(ResultCode.SUCCESS);
                if (DirectoryServer.lockdownMode() && !ClientConnection.hasPrivilege(entry, Privilege.BYPASS_LOCKDOWN)) {
                    throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, CoreMessages.ERR_BIND_REJECTED_LOCKDOWN_MODE.get());
                }
                setAuthenticationInfo(new AuthenticationInfo(entry, getBindDN(), DirectoryServer.isRootDN(entry.getName())));
                setResourceLimits(entry);
                return true;
            }
            PasswordPolicyState passwordPolicyState = (PasswordPolicyState) this.authPolicyState;
            PasswordPolicy authenticationPolicy = passwordPolicyState.getAuthenticationPolicy();
            if (entry.getAllAttributes(authenticationPolicy.getPasswordAttribute()).isEmpty()) {
                throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, CoreMessages.ERR_BIND_OPERATION_NO_PASSWORD.get());
            }
            checkUnverifiedPasswordPolicyState(entry, null);
            if (!invokePreOpPlugins()) {
                return false;
            }
            if (!passwordPolicyState.passwordMatches(simplePassword)) {
                setResultCode(ResultCode.INVALID_CREDENTIALS);
                setAuthFailureReason(CoreMessages.ERR_BIND_OPERATION_WRONG_PASSWORD.get());
                if (authenticationPolicy.getLockoutFailureCount() <= 0) {
                    return true;
                }
                updateFailureCount(entry, passwordPolicyState);
                return true;
            }
            setResultCode(ResultCode.SUCCESS);
            checkVerifiedPasswordPolicyState(entry, null);
            if (DirectoryServer.lockdownMode() && !ClientConnection.hasPrivilege(entry, Privilege.BYPASS_LOCKDOWN)) {
                throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, CoreMessages.ERR_BIND_REJECTED_LOCKDOWN_MODE.get());
            }
            setAuthenticationInfo(new AuthenticationInfo(entry, getBindDN(), DirectoryServer.isRootDN(entry.getName())));
            setResourceLimits(entry);
            passwordPolicyState.handleDeprecatedStorageSchemes(simplePassword);
            passwordPolicyState.clearFailureLockout();
            if (this.isFirstWarning) {
                passwordPolicyState.setWarnedTime();
                int secondsUntilExpiration = passwordPolicyState.getSecondsUntilExpiration();
                passwordPolicyState.generateAccountStatusNotification(AccountStatusNotificationType.PASSWORD_EXPIRING, entry, CoreMessages.WARN_BIND_PASSWORD_EXPIRING.get(StaticUtils.secondsToTimeString(secondsUntilExpiration)), AccountStatusNotification.createProperties(passwordPolicyState, false, secondsUntilExpiration, null, null));
            }
            if (this.isGraceLogin) {
                passwordPolicyState.updateGraceLoginTimes();
            }
            passwordPolicyState.setLastLoginTime();
            return true;
        } catch (DirectoryException e) {
            logger.traceException(e);
            if (e.getResultCode() == ResultCode.REFERRAL) {
                throw e;
            }
            throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, e.getMessageObject());
        }
    }

    private boolean processAnonymousSimpleBind() throws DirectoryException {
        if (DirectoryServer.lockdownMode()) {
            throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, CoreMessages.ERR_BIND_REJECTED_LOCKDOWN_MODE.get());
        }
        if (DirectoryServer.getCoreConfigManager().isBindWithDNRequiresPassword() && this.bindDN != null && !this.bindDN.isRootDN()) {
            throw new DirectoryException(ResultCode.UNWILLING_TO_PERFORM, CoreMessages.ERR_BIND_DN_BUT_NO_PASSWORD.get());
        }
        if (!invokePreOpPlugins()) {
            return false;
        }
        setResultCode(ResultCode.SUCCESS);
        setAuthenticationInfo(new AuthenticationInfo());
        return true;
    }

    private boolean processSASLBind() throws DirectoryException {
        ResultCode resultCode;
        SASLMechanismHandler<?> sASLMechanismHandler = DirectoryServer.getSASLMechanismHandler(this.saslMechanism);
        if (sASLMechanismHandler == null) {
            throw new DirectoryException(ResultCode.AUTH_METHOD_NOT_SUPPORTED, CoreMessages.ERR_BIND_OPERATION_UNKNOWN_SASL_MECHANISM.get(this.saslMechanism));
        }
        if (!invokePreOpPlugins()) {
            return false;
        }
        sASLMechanismHandler.processSASLBind(this);
        Entry sASLAuthUserEntry = getSASLAuthUserEntry();
        if (DirectoryServer.lockdownMode() && (resultCode = getResultCode()) != ResultCode.SASL_BIND_IN_PROGRESS && (resultCode != ResultCode.SUCCESS || sASLAuthUserEntry == null || !ClientConnection.hasPrivilege(sASLAuthUserEntry, Privilege.BYPASS_LOCKDOWN))) {
            throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, CoreMessages.ERR_BIND_REJECTED_LOCKDOWN_MODE.get());
        }
        if (sASLAuthUserEntry != null) {
            setUserEntryDN(sASLAuthUserEntry.getName());
            this.authPolicyState = AuthenticationPolicyState.forUser(sASLAuthUserEntry, false);
            if (this.authPolicyState.isPasswordPolicy()) {
                checkUnverifiedPasswordPolicyState(sASLAuthUserEntry, sASLMechanismHandler);
            }
        }
        ResultCode resultCode2 = getResultCode();
        if (resultCode2 != ResultCode.SUCCESS) {
            if (resultCode2 == ResultCode.SASL_BIND_IN_PROGRESS) {
                return false;
            }
            if (this.authPolicyState == null || !this.authPolicyState.isPasswordPolicy()) {
                return true;
            }
            PasswordPolicyState passwordPolicyState = (PasswordPolicyState) this.authPolicyState;
            if (!sASLMechanismHandler.isPasswordBased(this.saslMechanism) || passwordPolicyState.getAuthenticationPolicy().getLockoutFailureCount() <= 0) {
                return true;
            }
            updateFailureCount(sASLAuthUserEntry, passwordPolicyState);
            return true;
        }
        if (this.authPolicyState != null && this.authPolicyState.isPasswordPolicy()) {
            checkVerifiedPasswordPolicyState(sASLAuthUserEntry, sASLMechanismHandler);
            PasswordPolicyState passwordPolicyState2 = (PasswordPolicyState) this.authPolicyState;
            if (sASLMechanismHandler.isPasswordBased(this.saslMechanism) && passwordPolicyState2.mustChangePassword()) {
                this.mustChangePassword = true;
            }
            if (this.isFirstWarning) {
                passwordPolicyState2.setWarnedTime();
                int secondsUntilExpiration = passwordPolicyState2.getSecondsUntilExpiration();
                passwordPolicyState2.generateAccountStatusNotification(AccountStatusNotificationType.PASSWORD_EXPIRING, sASLAuthUserEntry, CoreMessages.WARN_BIND_PASSWORD_EXPIRING.get(StaticUtils.secondsToTimeString(secondsUntilExpiration)), AccountStatusNotification.createProperties(passwordPolicyState2, false, secondsUntilExpiration, null, null));
            }
            if (this.isGraceLogin) {
                passwordPolicyState2.updateGraceLoginTimes();
            }
            passwordPolicyState2.setLastLoginTime();
        }
        if (sASLAuthUserEntry == null) {
            return true;
        }
        setResourceLimits(sASLAuthUserEntry);
        return true;
    }

    private void updateFailureCount(Entry entry, PasswordPolicyState passwordPolicyState) {
        AccountStatusNotificationType accountStatusNotificationType;
        boolean z;
        LocalizableMessage localizableMessage;
        if (passwordPolicyState.lockedDueToFailures()) {
            return;
        }
        passwordPolicyState.updateAuthFailureTimes();
        if (passwordPolicyState.lockedDueToFailures()) {
            int secondsUntilUnlock = passwordPolicyState.getSecondsUntilUnlock();
            if (secondsUntilUnlock > -1) {
                accountStatusNotificationType = AccountStatusNotificationType.ACCOUNT_TEMPORARILY_LOCKED;
                z = true;
                localizableMessage = CoreMessages.ERR_BIND_ACCOUNT_TEMPORARILY_LOCKED.get(StaticUtils.secondsToTimeString(secondsUntilUnlock));
            } else {
                accountStatusNotificationType = AccountStatusNotificationType.ACCOUNT_PERMANENTLY_LOCKED;
                z = false;
                localizableMessage = CoreMessages.ERR_BIND_ACCOUNT_PERMANENTLY_LOCKED.get();
            }
            passwordPolicyState.generateAccountStatusNotification(accountStatusNotificationType, entry, localizableMessage, AccountStatusNotification.createProperties(passwordPolicyState, z, -1, null, null));
        }
    }

    private boolean invokePreOpPlugins() {
        this.executePostOpPlugins = true;
        return AbstractOperation.processOperationResult(this, this.pluginConfigManager.invokePreOperationBindPlugins(this));
    }

    private void checkUnverifiedPasswordPolicyState(Entry entry, SASLMechanismHandler<?> sASLMechanismHandler) throws DirectoryException {
        PasswordPolicy authenticationPolicy = ((PasswordPolicyState) this.authPolicyState).getAuthenticationPolicy();
        if (authenticationPolicy.getStateUpdateFailurePolicy() == PasswordPolicyCfgDefn.StateUpdateFailurePolicy.PROACTIVE && ((authenticationPolicy.getLockoutFailureCount() > 0 || (authenticationPolicy.getLastLoginTimeAttribute() != null && authenticationPolicy.getLastLoginTimeFormat() != null)) && ((DirectoryServer.getCoreConfigManager().getWritabilityMode() == WritabilityMode.DISABLED || this.backend.getWritabilityMode() == WritabilityMode.DISABLED) && !DirectoryServer.isRootDN(entry.getName())))) {
            throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, CoreMessages.ERR_BIND_OPERATION_WRITABILITY_DISABLED.get(entry.getName()));
        }
        if (!authenticationPolicy.isRequireSecureAuthentication() || this.clientConnection.isSecure()) {
            return;
        }
        if (!(sASLMechanismHandler != null)) {
            throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, CoreMessages.ERR_BIND_OPERATION_INSECURE_SIMPLE_BIND.get());
        }
        if (!sASLMechanismHandler.isSecure(this.saslMechanism)) {
            throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, CoreMessages.ERR_BIND_OPERATION_INSECURE_SASL_BIND.get(this.saslMechanism, entry.getName()));
        }
    }

    private void checkVerifiedPasswordPolicyState(Entry entry, SASLMechanismHandler<?> sASLMechanismHandler) throws DirectoryException {
        PasswordPolicyState passwordPolicyState = (PasswordPolicyState) this.authPolicyState;
        PasswordPolicy authenticationPolicy = passwordPolicyState.getAuthenticationPolicy();
        if (passwordPolicyState.isDisabled()) {
            throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, CoreMessages.ERR_BIND_OPERATION_ACCOUNT_DISABLED.get());
        }
        if (passwordPolicyState.isAccountExpired()) {
            LocalizableMessage localizableMessage = CoreMessages.ERR_BIND_OPERATION_ACCOUNT_EXPIRED.get();
            passwordPolicyState.generateAccountStatusNotification(AccountStatusNotificationType.ACCOUNT_EXPIRED, entry, localizableMessage, AccountStatusNotification.createProperties(passwordPolicyState, false, -1, null, null));
            throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, localizableMessage);
        }
        if (passwordPolicyState.lockedDueToFailures()) {
            if (this.pwPolicyErrorType == null) {
                this.pwPolicyErrorType = PasswordPolicyErrorType.ACCOUNT_LOCKED;
            }
            throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, CoreMessages.ERR_BIND_OPERATION_ACCOUNT_FAILURE_LOCKED.get());
        }
        if (passwordPolicyState.lockedDueToIdleInterval()) {
            if (this.pwPolicyErrorType == null) {
                this.pwPolicyErrorType = PasswordPolicyErrorType.ACCOUNT_LOCKED;
            }
            LocalizableMessage localizableMessage2 = CoreMessages.ERR_BIND_OPERATION_ACCOUNT_IDLE_LOCKED.get();
            passwordPolicyState.generateAccountStatusNotification(AccountStatusNotificationType.ACCOUNT_IDLE_LOCKED, entry, localizableMessage2, AccountStatusNotification.createProperties(passwordPolicyState, false, -1, null, null));
            throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, localizableMessage2);
        }
        if (!(sASLMechanismHandler != null) || sASLMechanismHandler.isPasswordBased(this.saslMechanism)) {
            if (passwordPolicyState.lockedDueToMaximumResetAge()) {
                if (this.pwPolicyErrorType == null) {
                    this.pwPolicyErrorType = PasswordPolicyErrorType.ACCOUNT_LOCKED;
                }
                LocalizableMessage localizableMessage3 = CoreMessages.ERR_BIND_OPERATION_ACCOUNT_RESET_LOCKED.get();
                passwordPolicyState.generateAccountStatusNotification(AccountStatusNotificationType.ACCOUNT_RESET_LOCKED, entry, localizableMessage3, AccountStatusNotification.createProperties(passwordPolicyState, false, -1, null, null));
                throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, localizableMessage3);
            }
            if (passwordPolicyState.isPasswordExpired()) {
                if (this.pwPolicyErrorType == null) {
                    this.pwPolicyErrorType = PasswordPolicyErrorType.PASSWORD_EXPIRED;
                }
                int graceLoginCount = authenticationPolicy.getGraceLoginCount();
                if (graceLoginCount <= 0 || !passwordPolicyState.mayUseGraceLogin()) {
                    LocalizableMessage localizableMessage4 = CoreMessages.ERR_BIND_OPERATION_PASSWORD_EXPIRED.get();
                    passwordPolicyState.generateAccountStatusNotification(AccountStatusNotificationType.PASSWORD_EXPIRED, entry, localizableMessage4, AccountStatusNotification.createProperties(passwordPolicyState, false, -1, null, null));
                    throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, localizableMessage4);
                }
                List<Long> graceLoginTimes = passwordPolicyState.getGraceLoginTimes();
                if (graceLoginTimes != null && graceLoginTimes.size() >= graceLoginCount) {
                    LocalizableMessage localizableMessage5 = CoreMessages.ERR_BIND_OPERATION_PASSWORD_EXPIRED.get();
                    passwordPolicyState.generateAccountStatusNotification(AccountStatusNotificationType.PASSWORD_EXPIRED, entry, localizableMessage5, AccountStatusNotification.createProperties(passwordPolicyState, false, -1, null, null));
                    throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, localizableMessage5);
                }
                this.isGraceLogin = true;
                this.mustChangePassword = true;
                if (this.pwPolicyWarningType == null) {
                    this.pwPolicyWarningType = PasswordPolicyWarningType.GRACE_LOGINS_REMAINING;
                    this.pwPolicyWarningValue = graceLoginCount - (graceLoginTimes.size() + 1);
                }
            } else if (passwordPolicyState.shouldWarn()) {
                int secondsUntilExpiration = passwordPolicyState.getSecondsUntilExpiration();
                if (this.pwPolicyWarningType == null) {
                    this.pwPolicyWarningType = PasswordPolicyWarningType.TIME_BEFORE_EXPIRATION;
                    this.pwPolicyWarningValue = secondsUntilExpiration;
                }
                this.isFirstWarning = passwordPolicyState.isFirstWarning();
            }
            if (passwordPolicyState.mustChangePassword()) {
                this.mustChangePassword = true;
                if (this.pwPolicyErrorType == null) {
                    this.pwPolicyErrorType = PasswordPolicyErrorType.CHANGE_AFTER_RESET;
                }
            }
        }
    }

    private void setResourceLimits(Entry entry) {
        Integer integerUserAttribute = getIntegerUserAttribute(entry, ConfigConstants.OP_ATTR_USER_SIZE_LIMIT, CoreMessages.WARN_BIND_MULTIPLE_USER_SIZE_LIMITS, CoreMessages.WARN_BIND_CANNOT_PROCESS_USER_SIZE_LIMIT);
        if (integerUserAttribute != null) {
            this.sizeLimit = integerUserAttribute.intValue();
        }
        Integer integerUserAttribute2 = getIntegerUserAttribute(entry, ConfigConstants.OP_ATTR_USER_TIME_LIMIT, CoreMessages.WARN_BIND_MULTIPLE_USER_TIME_LIMITS, CoreMessages.WARN_BIND_CANNOT_PROCESS_USER_TIME_LIMIT);
        if (integerUserAttribute2 != null) {
            this.timeLimit = integerUserAttribute2.intValue();
        }
        if (getIntegerUserAttribute(entry, ConfigConstants.OP_ATTR_USER_IDLE_TIME_LIMIT, CoreMessages.WARN_BIND_MULTIPLE_USER_IDLE_TIME_LIMITS, CoreMessages.WARN_BIND_CANNOT_PROCESS_USER_IDLE_TIME_LIMIT) != null) {
            this.idleTimeLimit = 1000 * r0.intValue();
        }
        Integer integerUserAttribute3 = getIntegerUserAttribute(entry, ConfigConstants.OP_ATTR_USER_LOOKTHROUGH_LIMIT, CoreMessages.WARN_BIND_MULTIPLE_USER_LOOKTHROUGH_LIMITS, CoreMessages.WARN_BIND_CANNOT_PROCESS_USER_LOOKTHROUGH_LIMIT);
        if (integerUserAttribute3 != null) {
            this.lookthroughLimit = integerUserAttribute3.intValue();
        }
    }

    private Integer getIntegerUserAttribute(Entry entry, String str, LocalizableMessageDescriptor.Arg1<Object> arg1, LocalizableMessageDescriptor.Arg2<Object, Object> arg2) {
        List<Attribute> allAttributes = entry.getAllAttributes(DirectoryServer.getInstance().getServerContext().getSchema().getAttributeType(str));
        if (allAttributes.size() != 1) {
            return null;
        }
        Attribute attribute = allAttributes.get(0);
        if (attribute.size() != 1) {
            if (attribute.size() <= 1) {
                return null;
            }
            logger.error(arg1.get(entry.getName()));
            return null;
        }
        ByteString next = attribute.iterator().next();
        try {
            return Integer.valueOf(next.toString());
        } catch (Exception e) {
            logger.traceException(e);
            logger.error(arg2.get(next, entry.getName()));
            return null;
        }
    }
}
