001/*
002 * Copyright 2008-2018 Ping Identity Corporation
003 * All Rights Reserved.
004 */
005/*
006 * Copyright (C) 2015-2018 Ping Identity Corporation
007 *
008 * This program is free software; you can redistribute it and/or modify
009 * it under the terms of the GNU General Public License (GPLv2 only)
010 * or the terms of the GNU Lesser General Public License (LGPLv2.1 only)
011 * as published by the Free Software Foundation.
012 *
013 * This program is distributed in the hope that it will be useful,
014 * but WITHOUT ANY WARRANTY; without even the implied warranty of
015 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
016 * GNU General Public License for more details.
017 *
018 * You should have received a copy of the GNU General Public License
019 * along with this program; if not, see <http://www.gnu.org/licenses>.
020 */
021package com.unboundid.ldap.sdk.unboundidds.extensions;
022
023
024
025import java.io.Serializable;
026import java.text.ParseException;
027import java.util.ArrayList;
028import java.util.Date;
029
030import com.unboundid.asn1.ASN1Element;
031import com.unboundid.asn1.ASN1Enumerated;
032import com.unboundid.asn1.ASN1OctetString;
033import com.unboundid.asn1.ASN1Sequence;
034import com.unboundid.ldap.sdk.LDAPException;
035import com.unboundid.ldap.sdk.ResultCode;
036import com.unboundid.util.NotMutable;
037import com.unboundid.util.ThreadSafety;
038import com.unboundid.util.ThreadSafetyLevel;
039
040import static com.unboundid.ldap.sdk.unboundidds.extensions.ExtOpMessages.*;
041import static com.unboundid.util.Debug.*;
042import static com.unboundid.util.StaticUtils.*;
043
044
045
046/**
047 * This class defines an operation that may be used in conjunction with the
048 * password policy state extended operation.  A password policy state operation
049 * can be used to get or set various properties of the password policy state for
050 * a user.
051 * <BR>
052 * <BLOCKQUOTE>
053 *   <B>NOTE:</B>  This class, and other classes within the
054 *   {@code com.unboundid.ldap.sdk.unboundidds} package structure, are only
055 *   supported for use against Ping Identity, UnboundID, and Alcatel-Lucent 8661
056 *   server products.  These classes provide support for proprietary
057 *   functionality or for external specifications that are not considered stable
058 *   or mature enough to be guaranteed to work in an interoperable way with
059 *   other types of LDAP servers.
060 * </BLOCKQUOTE>
061 * <BR>
062 * Operations that are available for use with the password policy state
063 * operation include:
064 * <UL>
065 *   <LI>Get the DN of the password policy configuration entry for the target
066 *       user.</LI>
067 *   <LI>Determine whether an account is usable (may authenticate or be used as
068 *       an alternate authorization identity.</LI>
069 *   <LI>Retrieve the set of account usability notice, warning, and error
070 *       messages for a user.</LI>
071 *   <LI>Get, set, and clear the account disabled flag for the target user.</LI>
072 *   <LI>Get, set, and clear the account activation time for the target
073 *       user.</LI>
074 *   <LI>Get, set, and clear the account expiration time for the target
075 *       user.</LI>
076 *   <LI>Get the length of time in seconds until the target user account
077 *       expires.</LI>
078 *   <LI>Get the time that the target user's password was last changed.</LI>
079 *   <LI>Get and clear the time that the first password expiration warning was
080 *       sent to the user.</LI>
081 *   <LI>Get the length of time in seconds until the target user's password
082 *       expires and the password expiration time for the account.</LI>
083 *   <LI>Get the length of time in seconds until the user should receive the
084 *       first warning about an upcoming password expiration.</LI>
085 *   <LI>Determine whether the user's password is expired.</LI>
086 *   <LI>Determine whether the account is locked because of failed
087 *       authentication attempts, an idle lockout, or a password reset
088 *       lockout.</LI>
089 *   <LI>Get, update, set, and clear the list of times that the target user has
090 *       unsuccessfully tried to authenticate since the last successful
091 *       authentication.</LI>
092 *   <LI>Get the number of remaining failed authentication attempts for the
093 *       target user before the account is locked.</LI>
094 *   <LI>Get the length of time in seconds until the target user's account is
095 *       automatically unlocked after it was locked due to failed authentication
096 *       attempts.</LI>
097 *   <LI>Get, set, and clear the time that the user last authenticated to the
098 *       server.</LI>
099 *   <LI>Get, set, and clear the IP address of the client from which the user
100 *       last authenticated to the server.</LI>
101 *   <LI>Get the length of time in seconds until the user account may be locked
102 *       after remaining idle.</LI>
103 *   <LI>Get, set, and clear the flag that controls whether the target user must
104 *       change his/her password before being allowed to perform any other
105 *       operations.</LI>
106 *   <LI>Get the length of time in seconds until the user's account is locked
107 *       after failing to change the password after an administrative
108 *       reset.</LI>
109 *   <LI>Get, update, set, and clear the times that the target user has
110 *       authenticated using a grace login after the password had expired.</LI>
111 *   <LI>Retrieve the number of remaining grace logins for the user.</LI>
112 *   <LI>Get, set, and clear the required password change time for the target
113 *       user.</LI>
114 *   <LI>Retrieve the length of time in seconds until the target user's account
115 *       will be locked as a result of failing to comply with a password change
116 *       by required time.</LI>
117 *   <LI>Get the password history count for the target user.</LI>
118 *   <LI>Clear the password history for the target user.</LI>
119 *   <LI>Get information about or purge a user's retired password.</LI>
120 *   <LI>Get information about which SASL mechanisms are available for a
121 *       user.</LI>
122 *   <LI>Get information about which OTP delivery mechanisms are available for a
123 *       user.</LI>
124 *   <LI>Determine whether a user has any TOTP shared secrets and manipulate the
125 *       registered secrets.</LI>
126 *   <LI>Get, set, and clear the public IDs of any YubiKey OTP devices
127 *       registered for a user.</LI>
128 *   <LI>Determine whether the user has a static password.</LI>
129 * </UL>
130 * Note that many of these methods are dependent upon the password policy
131 * configuration for the target user and therefore some of them may not be
132 * applicable for some users.  For example, if password expiration is not
133 * enabled in the password policy associated with the target user, then
134 * operations that involve password expiration will have no effect and/or will
135 * have a return value that indicates that password expiration is not in effect.
136 */
137@NotMutable()
138@ThreadSafety(level=ThreadSafetyLevel.COMPLETELY_THREADSAFE)
139public final class PasswordPolicyStateOperation
140       implements Serializable
141{
142  /**
143   * The operation type that may be used to retrieve the DN of the password
144   * policy to which the user is subject.
145   */
146  public static final int OP_TYPE_GET_PW_POLICY_DN = 0;
147
148
149
150  /**
151   * The operation type that may be used to determine whether the user account
152   * is disabled.
153   */
154  public static final int OP_TYPE_GET_ACCOUNT_DISABLED_STATE = 1;
155
156
157
158  /**
159   * The operation type that may be used to specify whether the user account is
160   * disabled.
161   */
162  public static final int OP_TYPE_SET_ACCOUNT_DISABLED_STATE = 2;
163
164
165
166  /**
167   * The operation type that may be used to clear the account disabled flag in
168   * the user's entry.
169   */
170  public static final int OP_TYPE_CLEAR_ACCOUNT_DISABLED_STATE = 3;
171
172
173
174  /**
175   * The operation type that may be used to get the time that the user's account
176   * will expire.
177   */
178  public static final int OP_TYPE_GET_ACCOUNT_EXPIRATION_TIME = 4;
179
180
181
182  /**
183   * The operation type that may be used to set the time that the user's account
184   * will expire.
185   */
186  public static final int OP_TYPE_SET_ACCOUNT_EXPIRATION_TIME = 5;
187
188
189
190  /**
191   * The operation type that may be used to clear the user's account expiration
192   * time.
193   */
194  public static final int OP_TYPE_CLEAR_ACCOUNT_EXPIRATION_TIME = 6;
195
196
197
198  /**
199   * The operation type that may be used to retrieve the length of time in
200   * seconds until the user's account expires.
201   */
202  public static final int OP_TYPE_GET_SECONDS_UNTIL_ACCOUNT_EXPIRATION = 7;
203
204
205
206  /**
207   * The operation type that may be used to get the time that the user's
208   * password was last changed.
209   */
210  public static final int OP_TYPE_GET_PW_CHANGED_TIME = 8;
211
212
213
214  /**
215   * The operation type that may be used to set the time that the user's
216   * password was last changed.
217   */
218  public static final int OP_TYPE_SET_PW_CHANGED_TIME = 9;
219
220
221
222  /**
223   * The operation type that may be used to clear the password changed time in
224   * the user's account.
225   */
226  public static final int OP_TYPE_CLEAR_PW_CHANGED_TIME = 10;
227
228
229
230  /**
231   * The operation type that may be used to get the time that the user was
232   * first sent a password expiration warning.
233   */
234  public static final int OP_TYPE_GET_PW_EXPIRATION_WARNED_TIME = 11;
235
236
237
238  /**
239   * The operation type that may be used to set the time that the user was
240   * first sent a password expiration warning.
241   */
242  public static final int OP_TYPE_SET_PW_EXPIRATION_WARNED_TIME = 12;
243
244
245
246  /**
247   * The operation type that may be used to clear the password expiration warned
248   * time from the user's entry.
249   */
250  public static final int OP_TYPE_CLEAR_PW_EXPIRATION_WARNED_TIME = 13;
251
252
253
254  /**
255   * The operation type that may be used to get the length of time in seconds
256   * until the user's password expires.
257   */
258  public static final int OP_TYPE_GET_SECONDS_UNTIL_PW_EXPIRATION = 14;
259
260
261
262  /**
263   * The operation type that may be used to get the length of time in seconds
264   * until the user will be eligible to receive a password expiration warning.
265   */
266  public static final int OP_TYPE_GET_SECONDS_UNTIL_PW_EXPIRATION_WARNING = 15;
267
268
269
270  /**
271   * The operation type that may be used to get the set of times that the user
272   * has unsuccessfully tried to authenticate since the last successful attempt.
273   */
274  public static final int OP_TYPE_GET_AUTH_FAILURE_TIMES = 16;
275
276
277
278  /**
279   * The operation type that may be used to add a new authentication failure
280   * time to the user's account.
281   */
282  public static final int OP_TYPE_ADD_AUTH_FAILURE_TIME = 17;
283
284
285
286  /**
287   * The operation type that may be used to set the set of times that the user
288   * has unsuccessfully tried to authenticate since the last successful attempt.
289   */
290  public static final int OP_TYPE_SET_AUTH_FAILURE_TIMES = 18;
291
292
293
294  /**
295   * The operation type that may be used to clear the authentication failure
296   * times in the user account.
297   */
298  public static final int OP_TYPE_CLEAR_AUTH_FAILURE_TIMES = 19;
299
300
301
302  /**
303   * The operation type that may be used to retrieve the length of time in
304   * seconds until the user's account is unlocked.
305   */
306  public static final int OP_TYPE_GET_SECONDS_UNTIL_AUTH_FAILURE_UNLOCK = 20;
307
308
309
310  /**
311   * The operation type that may be used to retrieve the number of failed
312   * authentication attempts that the user has before the account is locked.
313   */
314  public static final int OP_TYPE_GET_REMAINING_AUTH_FAILURE_COUNT = 21;
315
316
317
318  /**
319   * The operation type that may be used to retrieve the time that the user last
320   * authenticated to the server.
321   */
322  public static final int OP_TYPE_GET_LAST_LOGIN_TIME = 22;
323
324
325
326  /**
327   * The operation type that may be used to set the time that the user last
328   * authenticated to the server.
329   */
330  public static final int OP_TYPE_SET_LAST_LOGIN_TIME = 23;
331
332
333
334  /**
335   * The operation type that may be used to clear the last login time in the
336   * user's entry.
337   */
338  public static final int OP_TYPE_CLEAR_LAST_LOGIN_TIME = 24;
339
340
341
342  /**
343   * The operation type that may be used to get the length of time in seconds
344   * until the user account is locked due to inactivity.
345   */
346  public static final int OP_TYPE_GET_SECONDS_UNTIL_IDLE_LOCKOUT = 25;
347
348
349
350  /**
351   * The operation type that may be used to determine whether a user's password
352   * has been reset by an administrator and must be changed.
353   */
354  public static final int OP_TYPE_GET_PW_RESET_STATE = 26;
355
356
357
358  /**
359   * The operation type that may be used to set the flag to indicate whether a
360   * user's password has been reset by an administrator and must be changed.
361   */
362  public static final int OP_TYPE_SET_PW_RESET_STATE = 27;
363
364
365
366  /**
367   * The operation type that may be used to clear the password reset flag in the
368   * user's entry.
369   */
370  public static final int OP_TYPE_CLEAR_PW_RESET_STATE = 28;
371
372
373
374  /**
375   * The operation type that may be used to get the length of time in seconds
376   * until the user's account is locked due to failure to change the password
377   * after an administrative reset.
378   */
379  public static final int OP_TYPE_GET_SECONDS_UNTIL_PW_RESET_LOCKOUT = 29;
380
381
382
383  /**
384   * The operation type that may be used to retrieve the times that the user has
385   * authenticated using a grace login after his/her password has expired.
386   */
387  public static final int OP_TYPE_GET_GRACE_LOGIN_USE_TIMES = 30;
388
389
390
391  /**
392   * The operation type that may be used add a value to the set of times that
393   * the user has authenticated using a grace login after his/her password has
394   * expired.
395   */
396  public static final int OP_TYPE_ADD_GRACE_LOGIN_USE_TIME = 31;
397
398
399
400  /**
401   * The operation type that may be used to set the times that the user has
402   * authenticated using a grace login after his/her password has expired.
403   */
404  public static final int OP_TYPE_SET_GRACE_LOGIN_USE_TIMES = 32;
405
406
407
408  /**
409   * The operation type that may be used to clear the set of times that the user
410   * has authenticated using a grace login after his/her password has expired.
411   */
412  public static final int OP_TYPE_CLEAR_GRACE_LOGIN_USE_TIMES = 33;
413
414
415
416  /**
417   * The operation type that may be used to retrieve the number of grace logins
418   * available for the user.
419   */
420  public static final int OP_TYPE_GET_REMAINING_GRACE_LOGIN_COUNT = 34;
421
422
423
424  /**
425   * The operation type that may be used to retrieve the last time that the
426   * user's password was changed during a required change period.
427   */
428  public static final int OP_TYPE_GET_PW_CHANGED_BY_REQUIRED_TIME = 35;
429
430
431
432  /**
433   * The operation type that may be used to set the last time that the
434   * user's password was changed during a required change period.
435   */
436  public static final int OP_TYPE_SET_PW_CHANGED_BY_REQUIRED_TIME = 36;
437
438
439
440  /**
441   * The operation type that may be used to clear the last time that the
442   * user's password was changed during a required change period.
443   */
444  public static final int OP_TYPE_CLEAR_PW_CHANGED_BY_REQUIRED_TIME = 37;
445
446
447
448  /**
449   * The operation type that may be used to get the length of time in seconds
450   * until the user's account will be locked due to a failure to change the
451   * password by a required time.
452   */
453  public static final int OP_TYPE_GET_SECONDS_UNTIL_REQUIRED_CHANGE_TIME = 38;
454
455
456
457  /**
458   * The operation type that may be used to retrieve the stored password history
459   * values for a user.
460   *
461   * @deprecated  This operation type has been deprecated in favor of the
462   *              {@link #OP_TYPE_GET_PW_HISTORY_COUNT} operation type.
463   */
464  @Deprecated()
465  public static final int OP_TYPE_GET_PW_HISTORY = 39;
466
467
468
469  /**
470   * The operation type that may be used to clear the stored password history
471   * values for a user.
472   */
473  public static final int OP_TYPE_CLEAR_PW_HISTORY = 40;
474
475
476
477  /**
478   * The operation type that may be used to determine whether a user has a valid
479   * retired password.
480   */
481  public static final int OP_TYPE_HAS_RETIRED_PASSWORD = 41;
482
483
484
485  /**
486   * The operation type that may be used to retrieve the time that the user's
487   * former password was retired.
488   */
489  public static final int OP_TYPE_GET_PASSWORD_RETIRED_TIME = 42;
490
491
492
493  /**
494   * The operation type that may be used to retrieve the time that the user's
495   * retired password will expire.
496   */
497  public static final int OP_TYPE_GET_RETIRED_PASSWORD_EXPIRATION_TIME = 43;
498
499
500
501  /**
502   * The operation type that may be used to purge any retired password from the
503   * user's entry.
504   */
505  public static final int OP_TYPE_PURGE_RETIRED_PASSWORD = 44;
506
507
508
509  /**
510   * The operation type that may be used to get the time that the user's account
511   * will become active.
512   */
513  public static final int OP_TYPE_GET_ACCOUNT_ACTIVATION_TIME = 45;
514
515
516
517  /**
518   * The operation type that may be used to set the time that the user's account
519   * will become active.
520   */
521  public static final int OP_TYPE_SET_ACCOUNT_ACTIVATION_TIME = 46;
522
523
524
525  /**
526   * The operation type that may be used to clear the user's account activation
527   * time.
528   */
529  public static final int OP_TYPE_CLEAR_ACCOUNT_ACTIVATION_TIME = 47;
530
531
532
533  /**
534   * The operation type that may be used to retrieve the length of time in
535   * seconds until the user's account will become active.
536   */
537  public static final int OP_TYPE_GET_SECONDS_UNTIL_ACCOUNT_ACTIVATION = 48;
538
539
540
541  /**
542   * The operation type that may be used to retrieve the IP address from which
543   * the user last authenticated to the server.
544   */
545  public static final int OP_TYPE_GET_LAST_LOGIN_IP_ADDRESS = 49;
546
547
548
549  /**
550   * The operation type that may be used to set the IP address from which the
551   * user last authenticated to the server.
552   */
553  public static final int OP_TYPE_SET_LAST_LOGIN_IP_ADDRESS = 50;
554
555
556
557  /**
558   * The operation type that may be used to clear the last login IP address in
559   * the user's entry.
560   */
561  public static final int OP_TYPE_CLEAR_LAST_LOGIN_IP_ADDRESS = 51;
562
563
564
565  /**
566   * The operation type that may be used to retrieve a list of structured
567   * strings that provide information about notices pertaining to account
568   * usability.
569   */
570  public static final int OP_TYPE_GET_ACCOUNT_USABILITY_NOTICES = 52;
571
572
573
574  /**
575   * The operation type that may be used to retrieve a list of structured
576   * strings that provide information about warnings that may affect the account
577   * usability.
578   */
579  public static final int OP_TYPE_GET_ACCOUNT_USABILITY_WARNINGS = 53;
580
581
582
583  /**
584   * The operation type that may be used to retrieve a list of structured
585   * strings that provide information about errors that may affect the account
586   * usability.
587   */
588  public static final int OP_TYPE_GET_ACCOUNT_USABILITY_ERRORS = 54;
589
590
591
592  /**
593   * The operation type that may be used to determine whether an account is
594   * usable (i.e., the account may authenticate or be used as an alternate
595   * authorization identity).
596   */
597  public static final int OP_TYPE_GET_ACCOUNT_IS_USABLE = 55;
598
599
600
601  /**
602   * The operation type that may be used to determine whether an account is
603   * not yet active (because the account activation time is in the future).
604   */
605  public static final int OP_TYPE_GET_ACCOUNT_IS_NOT_YET_ACTIVE = 56;
606
607
608
609  /**
610   * The operation type that may be used to determine whether an account is
611   * expired (because the account expiration time is in the past).
612   */
613  public static final int OP_TYPE_GET_ACCOUNT_IS_EXPIRED = 57;
614
615
616
617  /**
618   * The operation type that may be used to determine when a user's password
619   * will expire.
620   */
621  public static final int OP_TYPE_GET_PW_EXPIRATION_TIME = 58;
622
623
624
625  /**
626   * The operation type that may be used to determine whether a user's account
627   * is locked because of too many authentication failures.
628   */
629  public static final int OP_TYPE_GET_ACCOUNT_IS_FAILURE_LOCKED = 59;
630
631
632
633  /**
634   * The operation type that may be used to specify whether a user's account
635   * is locked because of too many authentication failures.
636   */
637  public static final int OP_TYPE_SET_ACCOUNT_IS_FAILURE_LOCKED = 60;
638
639
640
641  /**
642   * The operation type that may be used to determine the failure lockout time
643   * for a user account.
644   */
645  public static final int OP_TYPE_GET_FAILURE_LOCKOUT_TIME = 61;
646
647
648
649  /**
650   * The operation type that may be used to determine whether a user's account
651   * is locked because it has been idle for too long.
652   */
653  public static final int OP_TYPE_GET_ACCOUNT_IS_IDLE_LOCKED = 62;
654
655
656
657  /**
658   * The operation type that may be used to determine the idle lockout time for
659   * a user account.
660   */
661  public static final int OP_TYPE_GET_IDLE_LOCKOUT_TIME = 63;
662
663
664
665  /**
666   * The operation type that may be used to determine whether a user's account
667   * is locked because the user did not change their password in a timely manner
668   * after an administrative reset.
669   */
670  public static final int OP_TYPE_GET_ACCOUNT_IS_RESET_LOCKED = 64;
671
672
673
674  /**
675   * The operation type that may be used to determine the reset lockout time for
676   * a user account.
677   */
678  public static final int OP_TYPE_GET_RESET_LOCKOUT_TIME = 65;
679
680
681
682  /**
683   * The operation type that may be used to retrieve the password history count
684   * for a user.
685   */
686  public static final int OP_TYPE_GET_PW_HISTORY_COUNT = 66;
687
688
689
690  /**
691   * The operation type that may be used to determine whether a user's password
692   * is expired.
693   */
694  public static final int OP_TYPE_GET_PW_IS_EXPIRED = 67;
695
696
697
698  /**
699   * The operation type that may be used to retrieve a list of the SASL
700   * mechanisms that are available for a user.
701   */
702  public static final int OP_TYPE_GET_AVAILABLE_SASL_MECHANISMS = 68;
703
704
705
706  /**
707   * The operation type that may be used to retrieve a list of the one-time
708   * password delivery mechanisms that are available for a user.
709   */
710  public static final int OP_TYPE_GET_AVAILABLE_OTP_DELIVERY_MECHANISMS = 69;
711
712
713
714  /**
715   * The operation type that may be used to determine whether a user has one or
716   * more TOTP shared secrets.
717   */
718  public static final int OP_TYPE_HAS_TOTP_SHARED_SECRET = 70;
719
720
721
722  /**
723   * The operation type that may be used to retrieve get the set of public IDs
724   * for the registered YubiKey OTP devices for a user.
725   */
726  public static final int OP_TYPE_GET_REGISTERED_YUBIKEY_PUBLIC_IDS = 71;
727
728
729
730  /**
731   * The operation type that may be used to add a value to the set of registered
732   * YubiKey OTP device public IDs for a user.
733   */
734  public static final int OP_TYPE_ADD_REGISTERED_YUBIKEY_PUBLIC_ID = 72;
735
736
737
738  /**
739   * The operation type that may be used to remove a value from the set of
740   * registered YubiKey OTP device public IDs for a user.
741   */
742  public static final int OP_TYPE_REMOVE_REGISTERED_YUBIKEY_PUBLIC_ID = 73;
743
744
745
746  /**
747   * The operation type that may be used to replace the set of public IDs for
748   * the registered YubiKey OTP devices for a user.
749   */
750  public static final int OP_TYPE_SET_REGISTERED_YUBIKEY_PUBLIC_IDS = 74;
751
752
753
754  /**
755   * The operation type that may be used to clear the set of public IDs for
756   * the registered YubiKey OTP devices for a user.
757   */
758  public static final int OP_TYPE_CLEAR_REGISTERED_YUBIKEY_PUBLIC_IDS = 75;
759
760
761
762  /**
763   * The operation type that may be used to add a value to the set of registered
764   * TOTP shared secrets for a user.
765   */
766  public static final int OP_TYPE_ADD_TOTP_SHARED_SECRET = 76;
767
768
769
770  /**
771   * The operation type that may be used to remove a value from the set of
772   * registered TOTP shared secrets for a user.
773   */
774  public static final int OP_TYPE_REMOVE_TOTP_SHARED_SECRET = 77;
775
776
777
778  /**
779   * The operation type that may be used to replace the set of registered TOTP
780   * shared secrets for a user.
781   */
782  public static final int OP_TYPE_SET_TOTP_SHARED_SECRETS = 78;
783
784
785
786  /**
787   * The operation type that may be used to clear the set of TOTP shared secrets
788   * for a user.
789   */
790  public static final int OP_TYPE_CLEAR_TOTP_SHARED_SECRETS = 79;
791
792
793
794  /**
795   * The operation type that may be used to determine whether a user has one
796   * or more registered YubiKey OTP devices.
797   * shared secret.
798   */
799  public static final int OP_TYPE_HAS_REGISTERED_YUBIKEY_PUBLIC_ID = 80;
800
801
802
803  /**
804   * The operation type that may be used to determine whether a user has a
805   * static password.
806   */
807  public static final int OP_TYPE_HAS_STATIC_PASSWORD = 81;
808
809
810
811  /**
812   * The set of values that will be used if there are no values.
813   */
814  private static final ASN1OctetString[] NO_VALUES = new ASN1OctetString[0];
815
816
817
818  /**
819   * The serial version UID for this serializable class.
820   */
821  private static final long serialVersionUID = -7004621958353828598L;
822
823
824
825  // The set of values for this operation.
826  private final ASN1OctetString[] values;
827
828  // The operation type for this operation.
829  private final int opType;
830
831
832
833  /**
834   * Creates a new password policy state operation with the specified operation
835   * type and no values.
836   *
837   * @param  opType  The operation type for this password policy state
838   *                 operation.
839   */
840  public PasswordPolicyStateOperation(final int opType)
841  {
842    this(opType, NO_VALUES);
843  }
844
845
846
847  /**
848   * Creates a new password policy state operation with the specified operation
849   * type and set of values.
850   *
851   * @param  opType  The operation type for this password policy state
852   *                 operation.
853   * @param  values  The set of values for this password policy state operation.
854   */
855  public PasswordPolicyStateOperation(final int opType,
856                                      final ASN1OctetString[] values)
857  {
858    this.opType = opType;
859
860    if (values == null)
861    {
862      this.values = NO_VALUES;
863    }
864    else
865    {
866      this.values = values;
867    }
868  }
869
870
871
872  /**
873   * Creates a new password policy state operation that may be used to request
874   * the DN of the password policy configuration entry for the user.  The result
875   * returned should include an operation of type
876   * {@link #OP_TYPE_GET_PW_POLICY_DN} with a single string value that is the
877   * DN of the password policy configuration entry.
878   *
879   * @return The created password policy state operation.
880   */
881  public static PasswordPolicyStateOperation
882                     createGetPasswordPolicyDNOperation()
883  {
884    return new PasswordPolicyStateOperation(OP_TYPE_GET_PW_POLICY_DN);
885  }
886
887
888
889  /**
890   * Creates a new password policy state operation that may be used to determine
891   * whether the user account is disabled.  The result returned should include
892   * an operation of type {@link #OP_TYPE_GET_ACCOUNT_DISABLED_STATE} with a
893   * single boolean value of {@code true} if the account is disabled, or
894   * {@code false} if the account is not disabled.
895   *
896   * @return The created password policy state operation.
897   */
898  public static PasswordPolicyStateOperation
899                     createGetAccountDisabledStateOperation()
900  {
901    return new PasswordPolicyStateOperation(OP_TYPE_GET_ACCOUNT_DISABLED_STATE);
902  }
903
904
905
906  /**
907   * Creates a new password policy state operation that may be used to specify
908   * whether the user account is disabled.  The result returned should include
909   * an operation of type {@link #OP_TYPE_GET_ACCOUNT_DISABLED_STATE} with a
910   * single boolean value of {@code true} if the account has been disabled, or
911   * {@code false} if the account is not disabled.
912   *
913   * @param  isDisabled  Indicates whether the user account should be disabled.
914   *
915   * @return The created password policy state operation.
916   */
917  public static PasswordPolicyStateOperation
918                     createSetAccountDisabledStateOperation(
919                          final boolean isDisabled)
920  {
921    final ASN1OctetString[] values =
922    {
923      new ASN1OctetString(String.valueOf(isDisabled))
924    };
925
926    return new PasswordPolicyStateOperation(OP_TYPE_SET_ACCOUNT_DISABLED_STATE,
927         values);
928  }
929
930
931
932  /**
933   * Creates a new password policy state operation that may be used to clear
934   * the user account disabled state in the user's entry.  The result returned
935   * should include an operation of type
936   * {@link #OP_TYPE_GET_ACCOUNT_DISABLED_STATE} with a single boolean value of
937   * {@code true} if the account is disabled, or {@code false} if the account is
938   * not disabled.
939   *
940   * @return The created password policy state operation.
941   */
942  public static PasswordPolicyStateOperation
943                     createClearAccountDisabledStateOperation()
944  {
945    return new PasswordPolicyStateOperation(
946         OP_TYPE_CLEAR_ACCOUNT_DISABLED_STATE);
947  }
948
949
950
951  /**
952   * Creates a new password policy state operation that may be used to retrieve
953   * the time that the user's account will become active.  The result returned
954   * should include an operation of type
955   * {@link #OP_TYPE_GET_ACCOUNT_ACTIVATION_TIME} with a single string value
956   * that is the generalized time representation of the account activation time,
957   * or a {@code null} value if the account does not have an activation time.
958   *
959   * @return The created password policy state operation.
960   */
961  public static PasswordPolicyStateOperation
962                     createGetAccountActivationTimeOperation()
963  {
964    return new PasswordPolicyStateOperation(
965         OP_TYPE_GET_ACCOUNT_ACTIVATION_TIME);
966  }
967
968
969
970  /**
971   * Creates a new password policy state operation that may be used to set the
972   * time that the user's account expires.  The result returned should include
973   * an operation of type {@link #OP_TYPE_GET_ACCOUNT_ACTIVATION_TIME} with a
974   * single string value that is the generalized time representation of the
975   * account activation time, or a {@code null} value if the account does not
976   * have an activation time.
977   *
978   * @param  expirationTime  The time that the user's account should expire.  It
979   *                         may be {@code null} if the server should use the
980   *                         current time.
981   *
982   * @return The created password policy state operation.
983   */
984  public static PasswordPolicyStateOperation
985                     createSetAccountActivationTimeOperation(
986                          final Date expirationTime)
987  {
988    return new PasswordPolicyStateOperation(OP_TYPE_SET_ACCOUNT_ACTIVATION_TIME,
989         createValues(expirationTime));
990  }
991
992
993
994  /**
995   * Creates a new password policy state operation that may be used to clear
996   * the account expiration time in the user's entry.  The result returned
997   * should include an operation of type
998   * {@link #OP_TYPE_GET_ACCOUNT_ACTIVATION_TIME} with a single string value
999   * that is the generalized time representation of the account activation time,
1000   * or a {@code null} value if the account does not have an activation time.
1001   *
1002   * @return  The created password policy state operation.
1003   */
1004  public static PasswordPolicyStateOperation
1005                     createClearAccountActivationTimeOperation()
1006  {
1007    return new PasswordPolicyStateOperation(
1008                    OP_TYPE_CLEAR_ACCOUNT_ACTIVATION_TIME);
1009  }
1010
1011
1012
1013  /**
1014   * Creates a new password policy state operation that may be used to determine
1015   * the length of time in seconds until the user's account becomes active.  The
1016   * result returned should include an operation of type
1017   * {@link #OP_TYPE_GET_SECONDS_UNTIL_ACCOUNT_ACTIVATION} with a single integer
1018   * value representing the number of seconds until the account becomes active,
1019   * or a {@code null} value if the account does not have an activation time.
1020   *
1021   * @return  The created password policy state operation.
1022   */
1023  public static PasswordPolicyStateOperation
1024                     createGetSecondsUntilAccountActivationOperation()
1025  {
1026    return new PasswordPolicyStateOperation(
1027         OP_TYPE_GET_SECONDS_UNTIL_ACCOUNT_ACTIVATION);
1028  }
1029
1030
1031
1032  /**
1033   * Creates a new password policy state operation that may be used to retrieve
1034   * the time that the user's account expires.  The result returned should
1035   * include an operation of type {@link #OP_TYPE_GET_ACCOUNT_EXPIRATION_TIME}
1036   * with a single string value that is the generalized time representation of
1037   * the account expiration time, or a {@code null} value if the account does
1038   * not have an expiration time.
1039   *
1040   * @return  The created password policy state operation.
1041   */
1042  public static PasswordPolicyStateOperation
1043                     createGetAccountExpirationTimeOperation()
1044  {
1045    return new PasswordPolicyStateOperation(
1046         OP_TYPE_GET_ACCOUNT_EXPIRATION_TIME);
1047  }
1048
1049
1050
1051  /**
1052   * Creates a new password policy state operation that may be used to set the
1053   * time that the user's account expires.  The result returned should include
1054   * an operation of type {@link #OP_TYPE_GET_ACCOUNT_EXPIRATION_TIME} with a
1055   * single string value that is the generalized time representation of the
1056   * account expiration time, or a {@code null} value if the account does not
1057   * have an expiration time.
1058   *
1059   * @param  expirationTime  The time that the user's account should expire.  It
1060   *                         may be {@code null} if the server should use the
1061   *                         current time.
1062   *
1063   * @return  The created password policy state operation.
1064   */
1065  public static PasswordPolicyStateOperation
1066                     createSetAccountExpirationTimeOperation(
1067                          final Date expirationTime)
1068  {
1069    return new PasswordPolicyStateOperation(OP_TYPE_SET_ACCOUNT_EXPIRATION_TIME,
1070         createValues(expirationTime));
1071  }
1072
1073
1074
1075  /**
1076   * Creates a new password policy state operation that may be used to clear
1077   * the account expiration time in the user's entry.  The result returned
1078   * should include an operation of type
1079   * {@link #OP_TYPE_GET_ACCOUNT_EXPIRATION_TIME} with a single string value
1080   * that is the generalized time representation of the account expiration time,
1081   * or a {@code null} value if the account does not have an expiration time.
1082   *
1083   * @return  The created password policy state operation.
1084   */
1085  public static PasswordPolicyStateOperation
1086                     createClearAccountExpirationTimeOperation()
1087  {
1088    return new PasswordPolicyStateOperation(
1089         OP_TYPE_CLEAR_ACCOUNT_EXPIRATION_TIME);
1090  }
1091
1092
1093
1094  /**
1095   * Creates a new password policy state operation that may be used to determine
1096   * the length of time in seconds until the user's account is expired.  The
1097   * result returned should include an operation of type
1098   * {@link #OP_TYPE_GET_SECONDS_UNTIL_ACCOUNT_EXPIRATION} with a single integer
1099   * value representing the number of seconds until the account will expire, or
1100   * a {@code null} value if the account does not have an expiration time.
1101   *
1102   * @return  The created password policy state operation.
1103   */
1104  public static PasswordPolicyStateOperation
1105                     createGetSecondsUntilAccountExpirationOperation()
1106  {
1107    return new PasswordPolicyStateOperation(
1108         OP_TYPE_GET_SECONDS_UNTIL_ACCOUNT_EXPIRATION);
1109  }
1110
1111
1112
1113  /**
1114   * Creates a new password policy state operation that may be used to determine
1115   * when the user's password was last changed.  The result returned should
1116   * include an operation of type {@link #OP_TYPE_GET_PW_CHANGED_TIME} with a
1117   * single string value that is the generalized time representation of the
1118   * time the password was last changed.
1119   *
1120   * @return  The created password policy state operation.
1121   */
1122  public static PasswordPolicyStateOperation
1123                     createGetPasswordChangedTimeOperation()
1124  {
1125    return new PasswordPolicyStateOperation(OP_TYPE_GET_PW_CHANGED_TIME);
1126  }
1127
1128
1129
1130  /**
1131   * Creates a new password policy state operation that may be used to specify
1132   * when the user's password was last changed.  The result returned should
1133   * include an operation of type {@link #OP_TYPE_GET_PW_CHANGED_TIME} with a
1134   * single string value that is the generalized time representation of the
1135   * time the password was last changed.
1136   *
1137   * @param  passwordChangedTime  The time the user's password was last changed.
1138   *                              It may be {@code null} if the server should
1139   *                              use the current time.
1140   *
1141   * @return  The created password policy state operation.
1142   */
1143  public static PasswordPolicyStateOperation
1144                     createSetPasswordChangedTimeOperation(
1145                          final Date passwordChangedTime)
1146  {
1147    return new PasswordPolicyStateOperation(OP_TYPE_SET_PW_CHANGED_TIME,
1148         createValues(passwordChangedTime));
1149  }
1150
1151
1152
1153  /**
1154   * Creates a new password policy state operation that may be used to clear
1155   * the password changed time from a user's entry.  The result returned should
1156   * include an operation of type {@link #OP_TYPE_GET_PW_CHANGED_TIME} with a
1157   * single string value that is the generalized time representation of the
1158   * time the password was last changed, or {@code null} if it can no longer be
1159   * determined.
1160   *
1161   * @return  The created password policy state operation.
1162   */
1163  public static PasswordPolicyStateOperation
1164                     createClearPasswordChangedTimeOperation()
1165  {
1166    return new PasswordPolicyStateOperation(OP_TYPE_CLEAR_PW_CHANGED_TIME);
1167  }
1168
1169
1170
1171  /**
1172   * Creates a new password policy state operation that may be used to determine
1173   * when the user first received a password expiration warning.  The result
1174   * returned should include an operation of type
1175   * {@link #OP_TYPE_GET_PW_EXPIRATION_WARNED_TIME} with a single string value
1176   * that is the generalized time representation of the time the user received
1177   * the first expiration warning.
1178   *
1179   * @return  The created password policy state operation.
1180   */
1181  public static PasswordPolicyStateOperation
1182                     createGetPasswordExpirationWarnedTimeOperation()
1183  {
1184    return new PasswordPolicyStateOperation(
1185         OP_TYPE_GET_PW_EXPIRATION_WARNED_TIME);
1186  }
1187
1188
1189
1190  /**
1191   * Creates a new password policy state operation that may be used to specify
1192   * when the user first received a password expiration warning.  The result
1193   * returned should include an operation of type
1194   * {@link #OP_TYPE_GET_PW_EXPIRATION_WARNED_TIME} with a single string value
1195   * that is the generalized time representation of the time the user received
1196   * the first expiration warning.
1197   *
1198   * @param  passwordExpirationWarnedTime  The password expiration warned time
1199   *                                       for the user.  It may be {@code null}
1200   *                                       if the server should use the current
1201   *                                       time.
1202   *
1203   * @return  The created password policy state operation.
1204   */
1205  public static PasswordPolicyStateOperation
1206                     createSetPasswordExpirationWarnedTimeOperation(
1207                          final Date passwordExpirationWarnedTime)
1208  {
1209    return new PasswordPolicyStateOperation(
1210         OP_TYPE_SET_PW_EXPIRATION_WARNED_TIME,
1211         createValues(passwordExpirationWarnedTime));
1212  }
1213
1214
1215
1216  /**
1217   * Creates a new password policy state operation that may be used to clear the
1218   * password expiration warned time from the user's entry.  The result returned
1219   * should include an operation of type
1220   * {@link #OP_TYPE_GET_PW_EXPIRATION_WARNED_TIME} with a single string value
1221   * that is the generalized time representation of the time the user received
1222   * the first expiration warning.
1223   *
1224   * @return  The created password policy state operation.
1225   */
1226  public static PasswordPolicyStateOperation
1227                     createClearPasswordExpirationWarnedTimeOperation()
1228  {
1229    return new PasswordPolicyStateOperation(
1230         OP_TYPE_CLEAR_PW_EXPIRATION_WARNED_TIME);
1231  }
1232
1233
1234
1235  /**
1236   * Creates a new password policy state operation that may be used to determine
1237   * the length of time in seconds until the user's password expires.  The
1238   * result returned should include an operation of type
1239   * {@link #OP_TYPE_GET_SECONDS_UNTIL_PW_EXPIRATION} with a single integer
1240   * value that is the number of seconds until the user's password expires, or
1241   * a {@code null} value if the user's password will not expire.
1242   *
1243   * @return  The created password policy state operation.
1244   */
1245  public static PasswordPolicyStateOperation
1246                     createGetSecondsUntilPasswordExpirationOperation()
1247  {
1248    return new PasswordPolicyStateOperation(
1249         OP_TYPE_GET_SECONDS_UNTIL_PW_EXPIRATION);
1250  }
1251
1252
1253
1254  /**
1255   * Creates a new password policy state operation that may be used to determine
1256   * the length of time in seconds until the user is eligible to start receiving
1257   * password expiration warnings.  The result returned should include an
1258   * operation of type {@link #OP_TYPE_GET_SECONDS_UNTIL_PW_EXPIRATION_WARNING}
1259   * with a single integer value that is the number of seconds until the user is
1260   * eligible to receive the first expiration warning, or a {@code null} value
1261   * if the user's password will not expire.
1262   *
1263   * @return  The created password policy state operation.
1264   */
1265  public static PasswordPolicyStateOperation
1266                     createGetSecondsUntilPasswordExpirationWarningOperation()
1267  {
1268    return new PasswordPolicyStateOperation(
1269         OP_TYPE_GET_SECONDS_UNTIL_PW_EXPIRATION_WARNING);
1270  }
1271
1272
1273
1274  /**
1275   * Creates a new password policy state operation that may be used to retrieve
1276   * the times that the user has unsuccessfully tried to authenticate since the
1277   * last successful authentication.  The result returned should include an
1278   * operation of type {@link #OP_TYPE_GET_AUTH_FAILURE_TIMES} with an array of
1279   * string values representing the timestamps (in generalized time format) of
1280   * the authentication failures.
1281   *
1282   * @return  The created password policy state operation.
1283   */
1284  public static PasswordPolicyStateOperation
1285                     createGetAuthenticationFailureTimesOperation()
1286  {
1287    return new PasswordPolicyStateOperation(OP_TYPE_GET_AUTH_FAILURE_TIMES);
1288  }
1289
1290
1291
1292  /**
1293   * Creates a new password policy state operation that may be used to add the
1294   * current time to the set of times that the user has unsuccessfully tried to
1295   * authenticate since the last successful authentication.  The result returned
1296   * should include an operation of type {@link #OP_TYPE_GET_AUTH_FAILURE_TIMES}
1297   * with an array of string values representing the timestamps (in generalized
1298   * time format) of the authentication failures.
1299   *
1300   * @return  The created password policy state operation.
1301   */
1302  public static PasswordPolicyStateOperation
1303                     createAddAuthenticationFailureTimeOperation()
1304  {
1305    return createAddAuthenticationFailureTimeOperation(null);
1306  }
1307
1308
1309
1310  /**
1311   * Creates a new password policy state operation that may be used to add the
1312   * specified values to the set of times that the user has unsuccessfully tried
1313   * to authenticate since the last successful authentication.  The result
1314   * returned should include an operation of type
1315   * {@link #OP_TYPE_GET_AUTH_FAILURE_TIMES} with an array of string values
1316   * representing the timestamps (in generalized time format) of the
1317   * authentication failures.
1318   *
1319   * @param  authFailureTimes  The set of authentication failure time values to
1320   *                           add.  It may be {@code null} or empty if the
1321   *                           server should add the current time.
1322   *
1323   * @return  The created password policy state operation.
1324   */
1325  public static PasswordPolicyStateOperation
1326                     createAddAuthenticationFailureTimeOperation(
1327                          final Date[] authFailureTimes)
1328  {
1329    return new PasswordPolicyStateOperation(OP_TYPE_ADD_AUTH_FAILURE_TIME,
1330         createValues(authFailureTimes));
1331  }
1332
1333
1334
1335  /**
1336   * Creates a new password policy state operation that may be used to specify
1337   * the set of times that the user has unsuccessfully tried to authenticate
1338   * since the last successful authentication.  The result returned should
1339   * include an operation of type {@link #OP_TYPE_GET_AUTH_FAILURE_TIMES} with
1340   * an array of string values representing the timestamps (in generalized time
1341   * format) of the authentication failures.
1342   *
1343   * @param  authFailureTimes  The set of times that the user has unsuccessfully
1344   *                           tried to authenticate since the last successful
1345   *                           authentication.  It may be {@code null} or empty
1346   *                           if the server should use the current time as the
1347   *                           only failure time.
1348   *
1349   * @return  The created password policy state operation.
1350   */
1351  public static PasswordPolicyStateOperation
1352                     createSetAuthenticationFailureTimesOperation(
1353                          final Date[] authFailureTimes)
1354  {
1355    return new PasswordPolicyStateOperation(OP_TYPE_SET_AUTH_FAILURE_TIMES,
1356         createValues(authFailureTimes));
1357  }
1358
1359
1360
1361  /**
1362   * Creates a new password policy state operation that may be used to clear the
1363   * set of times that the user has unsuccessfully tried to authenticate since
1364   * the last successful authentication.  The result returned should include an
1365   * operation of type {@link #OP_TYPE_GET_AUTH_FAILURE_TIMES} with an array of
1366   * string values representing the timestamps (in generalized time format) of
1367   * the authentication failures.
1368   *
1369   * @return  The created password policy state operation.
1370   */
1371  public static PasswordPolicyStateOperation
1372                     createClearAuthenticationFailureTimesOperation()
1373  {
1374    return new PasswordPolicyStateOperation(OP_TYPE_CLEAR_AUTH_FAILURE_TIMES);
1375  }
1376
1377
1378
1379  /**
1380   * Creates a new password policy state operation that may be used to determine
1381   * the length of time in seconds until the user's account is automatically
1382   * unlocked after too many failed authentication attempts.  The result
1383   * returned should include an operation of type
1384   * {@link #OP_TYPE_GET_SECONDS_UNTIL_AUTH_FAILURE_UNLOCK} with a single
1385   * integer value that represents the number of seconds until the account
1386   * becomes unlocked, or a {@code null} value if the account is not temporarily
1387   * locked as a result of authentication failures.
1388   *
1389   * @return  The created password policy state operation.
1390   */
1391  public static PasswordPolicyStateOperation
1392                     createGetSecondsUntilAuthenticationFailureUnlockOperation()
1393  {
1394    return new PasswordPolicyStateOperation(
1395         OP_TYPE_GET_SECONDS_UNTIL_AUTH_FAILURE_UNLOCK);
1396  }
1397
1398
1399
1400  /**
1401   * Creates a new password policy state operation that may be used to determine
1402   * the number of authentication failures required to lock the user's account.
1403   * The result returned should include an operation of type
1404   * {@link #OP_TYPE_GET_REMAINING_AUTH_FAILURE_COUNT} with a single integer
1405   * value that represents the number of authentication failures that a user
1406   * will be permitted before the account is locked, or a {@code null} value if
1407   * the password policy is not configured to lock accounts as a result of too
1408   * many failed authentication attempts.
1409   *
1410   * @return  The created password policy state operation.
1411   */
1412  public static PasswordPolicyStateOperation
1413                     createGetRemainingAuthenticationFailureCountOperation()
1414  {
1415    return new PasswordPolicyStateOperation(
1416         OP_TYPE_GET_REMAINING_AUTH_FAILURE_COUNT);
1417  }
1418
1419
1420
1421  /**
1422   * Creates a new password policy state operation that may be used to determine
1423   * the time that the user last successfully authenticated to the server.  The
1424   * result returned should include an operation of type
1425   * {@link #OP_TYPE_GET_LAST_LOGIN_TIME} with a single string value that is
1426   * the generalized time representation of the user's last login time, or a
1427   * {@code null} value if no last login time is available.
1428   *
1429   * @return  The created password policy state operation.
1430   */
1431  public static PasswordPolicyStateOperation createGetLastLoginTimeOperation()
1432  {
1433    return new PasswordPolicyStateOperation(OP_TYPE_GET_LAST_LOGIN_TIME);
1434  }
1435
1436
1437
1438  /**
1439   * Creates a new password policy state operation that may be used to set
1440   * the time that the user last successfully authenticated to the server.  The
1441   * result returned should include an operation of type
1442   * {@link #OP_TYPE_GET_LAST_LOGIN_TIME} with a single string value that is
1443   * the generalized time representation of the user's last login time, or a
1444   * {@code null} value if no last login time is available.
1445   *
1446   * @param  lastLoginTime  The last login time to set in the user's entry.  It
1447   *                        may be {@code null} if the server should use the
1448   *                        current time.
1449   *
1450   * @return  The created password policy state operation.
1451   */
1452  public static PasswordPolicyStateOperation
1453                     createSetLastLoginTimeOperation(final Date lastLoginTime)
1454  {
1455    return new PasswordPolicyStateOperation(OP_TYPE_SET_LAST_LOGIN_TIME,
1456         createValues(lastLoginTime));
1457  }
1458
1459
1460
1461  /**
1462   * Creates a new password policy state operation that may be used to clear
1463   * the last login time from the user's entry.  The result returned should
1464   * include an operation of type {@link #OP_TYPE_GET_LAST_LOGIN_TIME} with a
1465   * single string value that is the generalized time representation of the
1466   * user's last login time, or a {@code null} value if no last login time is
1467   * available.
1468   *
1469   * @return  The created password policy state operation.
1470   */
1471  public static PasswordPolicyStateOperation createClearLastLoginTimeOperation()
1472  {
1473    return new PasswordPolicyStateOperation(OP_TYPE_CLEAR_LAST_LOGIN_TIME);
1474  }
1475
1476
1477
1478  /**
1479   * Creates a new password policy state operation that may be used to determine
1480   * the IP address from which the user last successfully authenticated to the
1481   * server.  The result returned should include an operation of type
1482   * {@link #OP_TYPE_GET_LAST_LOGIN_IP_ADDRESS} with a single string value that
1483   * is the user's last login IP address, or a {@code null} value if no last
1484   * login IP address is available.
1485   *
1486   * @return  The created password policy state operation.
1487   */
1488  public static PasswordPolicyStateOperation
1489                     createGetLastLoginIPAddressOperation()
1490  {
1491    return new PasswordPolicyStateOperation(OP_TYPE_GET_LAST_LOGIN_IP_ADDRESS);
1492  }
1493
1494
1495
1496  /**
1497   * Creates a new password policy state operation that may be used to set
1498   * the IP address from which the user last successfully authenticated to the
1499   * server.  The result returned should include an operation of type
1500   * {@link #OP_TYPE_GET_LAST_LOGIN_IP_ADDRESS} with a single string value that
1501   * is the user's last login IP address, or a {@code null} value if no last
1502   * login IP address is available.
1503   *
1504   * @param  lastLoginIPAddress  The last login IP address to set in the user's
1505   *                             entry.  It must not be {@code null}.
1506   *
1507   * @return  The created password policy state operation.
1508   */
1509  public static PasswordPolicyStateOperation
1510                     createSetLastLoginIPAddressOperation(
1511                          final String lastLoginIPAddress)
1512  {
1513    final ASN1OctetString[] values =
1514    {
1515      new ASN1OctetString(lastLoginIPAddress)
1516    };
1517
1518    return new PasswordPolicyStateOperation(OP_TYPE_SET_LAST_LOGIN_IP_ADDRESS,
1519         values);
1520  }
1521
1522
1523
1524  /**
1525   * Creates a new password policy state operation that may be used to clear
1526   * the last login IP address from the user's entry.  The result returned
1527   * should include an operation of type
1528   * {@link #OP_TYPE_GET_LAST_LOGIN_IP_ADDRESS} with a single string value that
1529   * is the user's last login IP address, or a {@code null} value if no last
1530   * login IP address is available.
1531   *
1532   * @return  The created password policy state operation.
1533   */
1534  public static PasswordPolicyStateOperation
1535                     createClearLastLoginIPAddressOperation()
1536  {
1537    return new PasswordPolicyStateOperation(
1538         OP_TYPE_CLEAR_LAST_LOGIN_IP_ADDRESS);
1539  }
1540
1541
1542
1543  /**
1544   * Creates a new password policy state operation that may be used to determine
1545   * the length of time in seconds until the user's account is locked due to
1546   * inactivity.  The result returned should include an operation of type
1547   * {@link #OP_TYPE_GET_SECONDS_UNTIL_IDLE_LOCKOUT} with a single integer value
1548   * that represents the number of seconds until the user's account is locked as
1549   * a result of being idle for too long, or a {@code null} value if no idle
1550   * account lockout is configured.
1551   *
1552   * @return  The created password policy state operation.
1553   */
1554  public static PasswordPolicyStateOperation
1555                     createGetSecondsUntilIdleLockoutOperation()
1556  {
1557    return new PasswordPolicyStateOperation(
1558         OP_TYPE_GET_SECONDS_UNTIL_IDLE_LOCKOUT);
1559  }
1560
1561
1562
1563  /**
1564   * Creates a new password policy state operation that may be used to determine
1565   * whether the user's password has been reset by an administrator and must be
1566   * changed before performing any other operations.  The result returned should
1567   * include an operation of type {@link #OP_TYPE_GET_PW_RESET_STATE} with a
1568   * single boolean value of {@code true} if the user's password must be changed
1569   * before the account can be used, or {@code false} if not.
1570   *
1571   * @return  The created password policy state operation.
1572   */
1573  public static PasswordPolicyStateOperation
1574                     createGetPasswordResetStateOperation()
1575  {
1576    return new PasswordPolicyStateOperation(OP_TYPE_GET_PW_RESET_STATE);
1577  }
1578
1579
1580
1581  /**
1582   * Creates a new password policy state operation that may be used to specify
1583   * whether the user's password has been reset by an administrator and must be
1584   * changed before performing any other operations.  The result returned should
1585   * include an operation of type {@link #OP_TYPE_GET_PW_RESET_STATE} with a
1586   * single boolean value of {@code true} if the user's password must be changed
1587   * before the account can be used, or {@code false} if not.
1588   *
1589   * @param  isReset  Specifies whether the user's password must be changed
1590   *                  before performing any other operations.
1591   *
1592   * @return  The created password policy state operation.
1593   */
1594  public static PasswordPolicyStateOperation
1595                     createSetPasswordResetStateOperation(final boolean isReset)
1596  {
1597    final ASN1OctetString[] values =
1598    {
1599      new ASN1OctetString(String.valueOf(isReset))
1600    };
1601
1602    return new PasswordPolicyStateOperation(OP_TYPE_SET_PW_RESET_STATE, values);
1603  }
1604
1605
1606
1607  /**
1608   * Creates a new password policy state operation that may be used to clear the
1609   * password reset state information in the user's entry.  The result returned
1610   * should include an operation of type {@link #OP_TYPE_GET_PW_RESET_STATE}
1611   * with a single boolean value of {@code true} if the user's password must be
1612   * changed before the account can be used, or {@code false} if not.
1613   *
1614   * @return  The created password policy state operation.
1615   */
1616  public static PasswordPolicyStateOperation
1617                     createClearPasswordResetStateOperation()
1618  {
1619    return new PasswordPolicyStateOperation(OP_TYPE_CLEAR_PW_RESET_STATE);
1620  }
1621
1622
1623
1624  /**
1625   * Creates a new password policy state operation that may be used to determine
1626   * the length of time in seconds that the user has left to change his/her
1627   * password after an administrative reset before the account is locked.  The
1628   * result returned should include an operation of type
1629   * {@link #OP_TYPE_GET_SECONDS_UNTIL_PW_RESET_LOCKOUT} with a single integer
1630   * value that represents the number of seconds until the user's account will
1631   * be locked unless the password is reset, or a {@code null} value if the
1632   * user's password is not in a "must change" state.
1633   *
1634   * @return  The created password policy state operation.
1635   */
1636  public static PasswordPolicyStateOperation
1637                     createGetSecondsUntilPasswordResetLockoutOperation()
1638  {
1639    return new PasswordPolicyStateOperation(
1640         OP_TYPE_GET_SECONDS_UNTIL_PW_RESET_LOCKOUT);
1641  }
1642
1643
1644
1645  /**
1646   * Creates a new password policy state operation that may be used to retrieve
1647   * the set of times that the user has authenticated using grace logins since
1648   * his/her password expired.  The result returned should include an operation
1649   * of type {@link #OP_TYPE_GET_GRACE_LOGIN_USE_TIMES} with an array of string
1650   * values in generalized time format.
1651   *
1652   * @return  The created password policy state operation.
1653   */
1654  public static PasswordPolicyStateOperation
1655                     createGetGraceLoginUseTimesOperation()
1656  {
1657    return new PasswordPolicyStateOperation(OP_TYPE_GET_GRACE_LOGIN_USE_TIMES);
1658  }
1659
1660
1661
1662  /**
1663   * Creates a new password policy state operation that may be used to add the
1664   * current time to the set of times that the user has authenticated using
1665   * grace logins since his/her password expired.  The result returned should
1666   * include an operation of type {@link #OP_TYPE_GET_GRACE_LOGIN_USE_TIMES}
1667   * with an array of string values in generalized time format.
1668   *
1669   * @return  The created password policy state operation.
1670   */
1671  public static PasswordPolicyStateOperation
1672                     createAddGraceLoginUseTimeOperation()
1673  {
1674    return createAddGraceLoginUseTimeOperation(null);
1675  }
1676
1677
1678
1679  /**
1680   * Creates a new password policy state operation that may be used to add the
1681   * current time to the set of times that the user has authenticated using
1682   * grace logins since his/her password expired.  The result returned should
1683   * include an operation of type {@link #OP_TYPE_GET_GRACE_LOGIN_USE_TIMES}
1684   * with an array of string values in generalized time format.
1685   *
1686   * @param  graceLoginUseTimes  The set of grace login use times to add.  It
1687   *                             may be {@code null} or empty if the server
1688   *                             should add the current time to the set of grace
1689   *                             login times.
1690   *
1691   * @return  The created password policy state operation.
1692   */
1693  public static PasswordPolicyStateOperation
1694                     createAddGraceLoginUseTimeOperation(
1695                          final Date[] graceLoginUseTimes)
1696  {
1697    return new PasswordPolicyStateOperation(OP_TYPE_ADD_GRACE_LOGIN_USE_TIME,
1698         createValues(graceLoginUseTimes));
1699  }
1700
1701
1702
1703  /**
1704   * Creates a new password policy state operation that may be used to specify
1705   * the set of times that the user has authenticated using grace logins since
1706   * his/her password expired.  The result returned should include an operation
1707   * of type {@link #OP_TYPE_GET_GRACE_LOGIN_USE_TIMES} with an array of string
1708   * values in generalized time format.
1709   *
1710   * @param  graceLoginUseTimes  The set of times that the user has
1711   *                             authenticated using grace logins since his/her
1712   *                             password expired.  It amy be {@code null} or
1713   *                             empty if the server should use the current time
1714   *                             as the only grace login use time.
1715   *
1716   * @return  The created password policy state operation.
1717   */
1718  public static PasswordPolicyStateOperation
1719                     createSetGraceLoginUseTimesOperation(
1720                          final Date[] graceLoginUseTimes)
1721  {
1722    return new PasswordPolicyStateOperation(OP_TYPE_SET_GRACE_LOGIN_USE_TIMES,
1723         createValues(graceLoginUseTimes));
1724  }
1725
1726
1727
1728  /**
1729   * Creates a new password policy state operation that may be used to clear
1730   * the set of times that the user has authenticated using grace logins since
1731   * his/her password expired.  The result returned should include an operation
1732   * of type {@link #OP_TYPE_GET_GRACE_LOGIN_USE_TIMES} with an array of string
1733   * values in generalized time format.
1734   *
1735   * @return  The created password policy state operation.
1736   */
1737  public static PasswordPolicyStateOperation
1738                     createClearGraceLoginUseTimesOperation()
1739  {
1740    return new PasswordPolicyStateOperation(
1741         OP_TYPE_CLEAR_GRACE_LOGIN_USE_TIMES);
1742  }
1743
1744
1745
1746  /**
1747   * Creates a new password policy state operation that may be used to retrieve
1748   * the number of remaining grace logins available to the user.  The result
1749   * returned should include an operation of type
1750   * {@link #OP_TYPE_GET_REMAINING_GRACE_LOGIN_COUNT} with a single integer
1751   * value that represents the number of remaining grace logins, or a
1752   * {@code null} value if grace login functionality is not enabled for the
1753   * user.
1754   *
1755   * @return  The created password policy state operation.
1756   */
1757  public static PasswordPolicyStateOperation
1758                     createGetRemainingGraceLoginCountOperation()
1759  {
1760    return new PasswordPolicyStateOperation(
1761         OP_TYPE_GET_REMAINING_GRACE_LOGIN_COUNT);
1762  }
1763
1764
1765
1766  /**
1767   * Creates a new password policy state operation that may be used to retrieve
1768   * the last required password change time that with which the user has
1769   * complied.  The result returned should include an operation of type
1770   * {@link #OP_TYPE_GET_PW_CHANGED_BY_REQUIRED_TIME} with a single string
1771   * value that is the generalized time representation of the most recent
1772   * required password change time with which the user complied, or a
1773   * {@code null} value if this is not available for the user.
1774   *
1775   * @return  The created password policy state operation.
1776   */
1777  public static PasswordPolicyStateOperation
1778                     createGetPasswordChangedByRequiredTimeOperation()
1779  {
1780    return new PasswordPolicyStateOperation(
1781         OP_TYPE_GET_PW_CHANGED_BY_REQUIRED_TIME);
1782  }
1783
1784
1785
1786  /**
1787   * Creates a new password policy state operation that may be used to update
1788   * the user's entry to indicate that he/she has complied with the required
1789   * password change time.  The result returned should include an operation of
1790   * type {@link #OP_TYPE_GET_PW_CHANGED_BY_REQUIRED_TIME} with a single string
1791   * value that is the generalized time representation of the most recent
1792   * required password change time with which the user complied, or a
1793   * {@code null} value if this is not available for the user.
1794   *
1795   * @return  The created password policy state operation.
1796   */
1797  public static PasswordPolicyStateOperation
1798                     createSetPasswordChangedByRequiredTimeOperation()
1799  {
1800    return createSetPasswordChangedByRequiredTimeOperation(null);
1801  }
1802
1803
1804
1805  /**
1806   * Creates a new password policy state operation that may be used to update
1807   * the user's entry to indicate that he/she has complied with the required
1808   * password change time.  The result returned should include an operation of
1809   * type {@link #OP_TYPE_GET_PW_CHANGED_BY_REQUIRED_TIME} with a single string
1810   * value that is the generalized time representation of the most recent
1811   * required password change time with which the user complied, or a
1812   * {@code null} value if this is not available for the user.
1813   *
1814   * @param  requiredTime  The required password changed time with which the
1815   *                       user has complied.  It may be {@code null} if the
1816   *                       server should use the most recent required change
1817   *                       time.
1818   *
1819   * @return  The created password policy state operation.
1820   */
1821  public static PasswordPolicyStateOperation
1822                     createSetPasswordChangedByRequiredTimeOperation(
1823                          final Date requiredTime)
1824  {
1825    return new PasswordPolicyStateOperation(
1826         OP_TYPE_SET_PW_CHANGED_BY_REQUIRED_TIME, createValues(requiredTime));
1827  }
1828
1829
1830
1831  /**
1832   * Creates a new password policy state operation that may be used to clear
1833   * the last required password change time from the user's entry.  The result
1834   * returned should include an operation of type
1835   * {@link #OP_TYPE_GET_PW_CHANGED_BY_REQUIRED_TIME} with a single string value
1836   * that is the generalized time representation of the most recent required
1837   * password change time with which the user complied, or a {@code null} value
1838   * if this is not available for the user.
1839   *
1840   * @return  The created password policy state operation.
1841   */
1842  public static PasswordPolicyStateOperation
1843                     createClearPasswordChangedByRequiredTimeOperation()
1844  {
1845    return new PasswordPolicyStateOperation(
1846         OP_TYPE_CLEAR_PW_CHANGED_BY_REQUIRED_TIME);
1847  }
1848
1849
1850
1851  /**
1852   * Creates a new password policy state operation that may be used to retrieve
1853   * the length of time in seconds until the required password change time
1854   * arrives.  The result returned should include an operation of type
1855   * {@link #OP_TYPE_GET_SECONDS_UNTIL_REQUIRED_CHANGE_TIME} with a single
1856   * integer value that represents the number of seconds before the user will
1857   * be required to change his/her password as a result of the
1858   * require-change-by-time property, or a {@code null} value if the user is
1859   * not required to change their password for this reason.
1860   *
1861   * @return  The created password policy state operation.
1862   */
1863  public static PasswordPolicyStateOperation
1864                     createGetSecondsUntilRequiredChangeTimeOperation()
1865  {
1866    return new PasswordPolicyStateOperation(
1867         OP_TYPE_GET_SECONDS_UNTIL_REQUIRED_CHANGE_TIME);
1868  }
1869
1870
1871
1872  /**
1873   * Creates a new password policy state operation that may be used to retrieve
1874   * the password history values stored in the user's entry.  The result
1875   * returned should include an operation of type
1876   * {@link #OP_TYPE_GET_PW_HISTORY} with an array of strings representing the
1877   * user's password history content.
1878   *
1879   * @return  The created password policy state operation.
1880   *
1881   * @deprecated  This method has been deprecated in favor of the
1882   *              {@link #createGetPasswordHistoryCountOperation} method.
1883   */
1884  @Deprecated()
1885  @SuppressWarnings("deprecation")
1886  public static PasswordPolicyStateOperation createGetPasswordHistoryOperation()
1887  {
1888    return new PasswordPolicyStateOperation(OP_TYPE_GET_PW_HISTORY);
1889  }
1890
1891
1892
1893  /**
1894   * Creates a new password policy state operation that may be used to clear the
1895   * password history values stored in the user's entry.  The result returned
1896   * should include an operation of type {@link #OP_TYPE_GET_PW_HISTORY} with an
1897   * array of strings representing the user's password history content.
1898   *
1899   * @return  The created password policy state operation.
1900   */
1901  public static PasswordPolicyStateOperation
1902                     createClearPasswordHistoryOperation()
1903  {
1904    return new PasswordPolicyStateOperation(OP_TYPE_CLEAR_PW_HISTORY);
1905  }
1906
1907
1908
1909  /**
1910   * Creates a new password policy state operation that may be used to determine
1911   * whether the user has a valid retired password.  The result returned should
1912   * include an operation of type {@link #OP_TYPE_HAS_RETIRED_PASSWORD} with a
1913   * single boolean value of {@code true} if the user has a valid retired
1914   * password, or {@code false} if not.
1915   *
1916   * @return  The created password policy state operation.
1917   */
1918  public static PasswordPolicyStateOperation createHasRetiredPasswordOperation()
1919  {
1920    return new PasswordPolicyStateOperation(OP_TYPE_HAS_RETIRED_PASSWORD);
1921  }
1922
1923
1924
1925  /**
1926   * Creates a new password policy state operation that may be used to determine
1927   * the time that the user's former password was retired.  The result returned
1928   * should include an operation of type
1929   * {@link #OP_TYPE_GET_PASSWORD_RETIRED_TIME} with a single string value that
1930   * is the generalized time representation of the time the user's former
1931   * password was retired, or a {@code null} value if the user does not have a
1932   * valid retired password.
1933   *
1934   * @return  The created password policy state operation.
1935   */
1936  public static PasswordPolicyStateOperation
1937                     createGetPasswordRetiredTimeOperation()
1938  {
1939    return new PasswordPolicyStateOperation(OP_TYPE_GET_PASSWORD_RETIRED_TIME);
1940  }
1941
1942
1943
1944  /**
1945   * Creates a new password policy state operation that may be used to determine
1946   * the length of time until the user's retired password expires.  The result
1947   * returned should include an operation of type
1948   * {@link #OP_TYPE_GET_RETIRED_PASSWORD_EXPIRATION_TIME} with a single string
1949   * value that is the generalized time representation of the time the user's
1950   * retired password will cease to be valid, or a {@code null} value if the
1951   * user does not have a valid retired password.
1952   *
1953   * @return  The created password policy state operation.
1954   */
1955  public static PasswordPolicyStateOperation
1956                     createGetRetiredPasswordExpirationTimeOperation()
1957  {
1958    return new PasswordPolicyStateOperation(
1959         OP_TYPE_GET_RETIRED_PASSWORD_EXPIRATION_TIME);
1960  }
1961
1962
1963
1964  /**
1965   * Creates a new password policy state operation that may be used to purge
1966   * any retired password from the user's entry.  The result returned should
1967   * include an operation of type {@link #OP_TYPE_HAS_RETIRED_PASSWORD} with a
1968   * single boolean value of {@code true} if the user has a valid retired
1969   * password, or {@code false} if not.
1970   *
1971   * @return  The created password policy state operation.
1972   */
1973  public static PasswordPolicyStateOperation
1974                     createPurgeRetiredPasswordOperation()
1975  {
1976    return new PasswordPolicyStateOperation(OP_TYPE_PURGE_RETIRED_PASSWORD);
1977  }
1978
1979
1980
1981  /**
1982   * Creates a new password policy state operation that may be used to retrieve
1983   * information about any password policy state notices pertaining to the
1984   * usability of the user's account.  The result returned should include an
1985   * operation of type {@link #OP_TYPE_GET_ACCOUNT_USABILITY_NOTICES} with an
1986   * array of strings that represent
1987   * {@link PasswordPolicyStateAccountUsabilityWarning} values.
1988   *
1989   * @return  The created password policy state operation.
1990   */
1991  public static PasswordPolicyStateOperation
1992                     createGetAccountUsabilityNoticesOperation()
1993  {
1994    return new PasswordPolicyStateOperation(
1995         OP_TYPE_GET_ACCOUNT_USABILITY_NOTICES);
1996  }
1997
1998
1999
2000  /**
2001   * Creates a new password policy state operation that may be used to retrieve
2002   * information about any password policy state warnings that may impact the
2003   * usability of the user's account.  The result returned should include an
2004   * operation of type {@link #OP_TYPE_GET_ACCOUNT_USABILITY_WARNINGS} with an
2005   * array of strings that represent
2006   * {@link PasswordPolicyStateAccountUsabilityWarning} values.
2007   *
2008   * @return  The created password policy state operation.
2009   */
2010  public static PasswordPolicyStateOperation
2011                     createGetAccountUsabilityWarningsOperation()
2012  {
2013    return new PasswordPolicyStateOperation(
2014         OP_TYPE_GET_ACCOUNT_USABILITY_WARNINGS);
2015  }
2016
2017
2018
2019  /**
2020   * Creates a new password policy state operation that may be used to retrieve
2021   * information about any password policy state errors that may impact the
2022   * usability of the user's account.  The result returned should include an
2023   * operation of type {@link #OP_TYPE_GET_ACCOUNT_USABILITY_ERRORS} with an
2024   * array of strings that represent
2025   * {@link PasswordPolicyStateAccountUsabilityError} values.
2026   *
2027   * @return  The created password policy state operation.
2028   */
2029  public static PasswordPolicyStateOperation
2030                     createGetAccountUsabilityErrorsOperation()
2031  {
2032    return new PasswordPolicyStateOperation(
2033         OP_TYPE_GET_ACCOUNT_USABILITY_ERRORS);
2034  }
2035
2036
2037
2038  /**
2039   * Creates a new password policy state operation that may be used to determine
2040   * whether an account is usable (i.e., the account will be allowed to
2041   * authenticate and/or be used as an alternate authorization identity.  The
2042   * result returned should include an operation of type
2043   * {@link #OP_TYPE_GET_ACCOUNT_IS_USABLE} with a single boolean value that
2044   * indicates whether the account is usable.
2045   *
2046   * @return  The created password policy state operation.
2047   */
2048  public static PasswordPolicyStateOperation
2049                     createGetAccountIsUsableOperation()
2050  {
2051    return new PasswordPolicyStateOperation(OP_TYPE_GET_ACCOUNT_IS_USABLE);
2052  }
2053
2054
2055
2056  /**
2057   * Creates a new password policy state operation that may be used to determine
2058   * whether an account has an activation time that is in the future.  The
2059   * result returned should include an operation of type
2060   * {@link #OP_TYPE_GET_ACCOUNT_IS_NOT_YET_ACTIVE} with a single boolean value
2061   * that indicates whether the account is not yet active.
2062   *
2063   * @return  The created password policy state operation.
2064   */
2065  public static PasswordPolicyStateOperation
2066                     createGetAccountIsNotYetActiveOperation()
2067  {
2068    return new PasswordPolicyStateOperation(
2069         OP_TYPE_GET_ACCOUNT_IS_NOT_YET_ACTIVE);
2070  }
2071
2072
2073
2074  /**
2075   * Creates a new password policy state operation that may be used to determine
2076   * whether an account has an expiration time that is in the past.  The result
2077   * returned should include an operation of type
2078   * {@link #OP_TYPE_GET_ACCOUNT_IS_EXPIRED} with a single boolean value that
2079   * indicates whether the account is expired.
2080   *
2081   * @return  The created password policy state operation.
2082   */
2083  public static PasswordPolicyStateOperation
2084                     createGetAccountIsExpiredOperation()
2085  {
2086    return new PasswordPolicyStateOperation(OP_TYPE_GET_ACCOUNT_IS_EXPIRED);
2087  }
2088
2089
2090
2091  /**
2092   * Creates a new password policy state operation that may be used to determine
2093   * when a user's password is expected to expire.  The result returned should
2094   * include an operation of type {@link #OP_TYPE_GET_PW_EXPIRATION_TIME} with a
2095   * single string value that is the generalized time representation of the
2096   * password expiration time.
2097   *
2098   * @return  The created password policy state operation.
2099   */
2100  public static PasswordPolicyStateOperation
2101                     createGetPasswordExpirationTimeOperation()
2102  {
2103    return new PasswordPolicyStateOperation(OP_TYPE_GET_PW_EXPIRATION_TIME);
2104  }
2105
2106
2107
2108  /**
2109   * Creates a new password policy state operation that may be used to determine
2110   * whether an account has been locked because of too many failed
2111   * authentication attempts.  The result returned should include an operation
2112   * of type {@link #OP_TYPE_GET_ACCOUNT_IS_FAILURE_LOCKED} with a single
2113   * boolean value that indicates whether the account is failure locked.
2114   *
2115   * @return  The created password policy state operation.
2116   */
2117  public static PasswordPolicyStateOperation
2118                     createGetAccountIsFailureLockedOperation()
2119  {
2120    return new PasswordPolicyStateOperation(
2121         OP_TYPE_GET_ACCOUNT_IS_FAILURE_LOCKED);
2122  }
2123
2124
2125
2126  /**
2127   * Creates a new password policy state operation that may be used to specify
2128   * whether an account should be locked because of too many failed
2129   * authentication attempts.  The result returned should include an operation
2130   * of type {@link #OP_TYPE_GET_ACCOUNT_IS_FAILURE_LOCKED} with a single
2131   * boolean value that indicates whether the account is failure locked.
2132   *
2133   * @param  isFailureLocked  Indicates whether the account should be locked
2134   *                          because of too many failed attempts.
2135   *
2136   * @return  The created password policy state operation.
2137   */
2138  public static PasswordPolicyStateOperation
2139                     createSetAccountIsFailureLockedOperation(
2140                          final boolean isFailureLocked)
2141  {
2142    final ASN1OctetString[] values =
2143    {
2144      new ASN1OctetString(String.valueOf(isFailureLocked))
2145    };
2146
2147    return new PasswordPolicyStateOperation(
2148         OP_TYPE_SET_ACCOUNT_IS_FAILURE_LOCKED, values);
2149  }
2150
2151
2152
2153  /**
2154   * Creates a new password policy state operation that may be used to determine
2155   * when a user's password is was locked because of too many failed
2156   * authentication attempts.  The result returned should include an operation
2157   * of type {@link #OP_TYPE_GET_FAILURE_LOCKOUT_TIME} with a single string
2158   * value that is the generalized time representation of the failure lockout
2159   * time.
2160   *
2161   * @return  The created password policy state operation.
2162   */
2163  public static PasswordPolicyStateOperation
2164                     createGetFailureLockoutTimeOperation()
2165  {
2166    return new PasswordPolicyStateOperation(OP_TYPE_GET_FAILURE_LOCKOUT_TIME);
2167  }
2168
2169
2170
2171  /**
2172   * Creates a new password policy state operation that may be used to determine
2173   * whether an account has been locked because it has remained idle for too
2174   * long.  The result returned should include an operation of type
2175   * {@link #OP_TYPE_GET_ACCOUNT_IS_IDLE_LOCKED} with a single boolean value
2176   * that indicates whether the account is idle locked.
2177   *
2178   * @return  The created password policy state operation.
2179   */
2180  public static PasswordPolicyStateOperation
2181                     createGetAccountIsIdleLockedOperation()
2182  {
2183    return new PasswordPolicyStateOperation(OP_TYPE_GET_ACCOUNT_IS_IDLE_LOCKED);
2184  }
2185
2186
2187
2188  /**
2189   * Creates a new password policy state operation that may be used to determine
2190   * when a user's password is was locked because of the idle account lockout.
2191   * The result returned should include an operation of type
2192   * {@link #OP_TYPE_GET_IDLE_LOCKOUT_TIME} with a single string value that is
2193   * the generalized time representation of the idle lockout time.
2194   *
2195   * @return  The created password policy state operation.
2196   */
2197  public static PasswordPolicyStateOperation
2198                     createGetIdleLockoutTimeOperation()
2199  {
2200    return new PasswordPolicyStateOperation(OP_TYPE_GET_IDLE_LOCKOUT_TIME);
2201  }
2202
2203
2204
2205  /**
2206   * Creates a new password policy state operation that may be used to determine
2207   * whether an account has been locked because the user failed to change their
2208   * password in a timely manner after an administrative reset.  The result
2209   * returned should include an operation of type
2210   * {@link #OP_TYPE_GET_ACCOUNT_IS_RESET_LOCKED} with a single boolean value
2211   * that indicates whether the account is reset locked.
2212   *
2213   * @return  The created password policy state operation.
2214   */
2215  public static PasswordPolicyStateOperation
2216                     createGetAccountIsResetLockedOperation()
2217  {
2218    return new PasswordPolicyStateOperation(
2219         OP_TYPE_GET_ACCOUNT_IS_RESET_LOCKED);
2220  }
2221
2222
2223
2224  /**
2225   * Creates a new password policy state operation that may be used to determine
2226   * when a user's password is was locked because the user failed to change
2227   * their password in a timely manner after an administrative reset.  The
2228   * result returned should include an operation of type
2229   * {@link #OP_TYPE_GET_RESET_LOCKOUT_TIME} with a single string value that is
2230   * the generalized time representation of the reset lockout time.
2231   *
2232   * @return  The created password policy state operation.
2233   */
2234  public static PasswordPolicyStateOperation
2235                     createGetResetLockoutTimeOperation()
2236  {
2237    return new PasswordPolicyStateOperation(OP_TYPE_GET_RESET_LOCKOUT_TIME);
2238  }
2239
2240
2241
2242  /**
2243   * Creates a new password policy state operation that may be used to retrieve
2244   * the number of passwords currently held in a user's password history.  The
2245   * result returned should include an operation of type
2246   * {@link #OP_TYPE_GET_PW_HISTORY_COUNT} with a single integer value that
2247   * represents the number of passwords in the history, or a {@code null} value
2248   * if a password history is not enabled for the user.
2249   *
2250   * @return  The created password policy state operation.
2251   */
2252  public static PasswordPolicyStateOperation
2253                     createGetPasswordHistoryCountOperation()
2254  {
2255    return new PasswordPolicyStateOperation(OP_TYPE_GET_PW_HISTORY_COUNT);
2256  }
2257
2258
2259
2260  /**
2261   * Creates a new password policy state operation that may be used to determine
2262   * whether a user's password is expired.  The result returned should include
2263   * an operation of type {@link #OP_TYPE_GET_PW_IS_EXPIRED} with a single
2264   * Boolean value that indicates whether the password is expired, or a
2265   * {@code null} value if password expiration is not enabled for the user.
2266   *
2267   * @return  The created password policy state operation.
2268   */
2269  public static PasswordPolicyStateOperation
2270                     createGetPasswordIsExpiredOperation()
2271  {
2272    return new PasswordPolicyStateOperation(OP_TYPE_GET_PW_IS_EXPIRED);
2273  }
2274
2275
2276
2277  /**
2278   * Creates a new password policy state operation that may be used to retrieve
2279   * a list of the SASL mechanisms that are available for a user.  This will
2280   * take into consideration the server's configuration, the types of
2281   * credentials that a user has, and per-user constraints and preferences.
2282   *
2283   * @return  The created password policy state operation.
2284   */
2285  public static PasswordPolicyStateOperation
2286                     createGetAvailableSASLMechanismsOperation()
2287  {
2288    return new PasswordPolicyStateOperation(
2289         OP_TYPE_GET_AVAILABLE_SASL_MECHANISMS);
2290  }
2291
2292
2293
2294  /**
2295   * Creates a new password policy state operation that may be used to retrieve
2296   * a list of the one-time password delivery mechanisms that are available for
2297   * a user.  If the user's entry includes information about which OTP delivery
2298   * mechanisms are preferred, the list will be ordered from most preferred to
2299   * least preferred.
2300   *
2301   * @return  The created password policy state operation.
2302   */
2303  public static PasswordPolicyStateOperation
2304                     createGetAvailableOTPDeliveryMechanismsOperation()
2305  {
2306    return new PasswordPolicyStateOperation(
2307         OP_TYPE_GET_AVAILABLE_OTP_DELIVERY_MECHANISMS);
2308  }
2309
2310
2311
2312  /**
2313   * Creates a new password policy state operation that may be used to determine
2314   * whether the user has at least one TOTP shared secret.  The result returned
2315   * should include an operation of type {@link #OP_TYPE_HAS_TOTP_SHARED_SECRET}
2316   * with a single boolean value of {@code true} if the user has one or more
2317   * TOTP shared secrets, or {@code false} if not.
2318   *
2319   * @return  The created password policy state operation.
2320   */
2321  public static PasswordPolicyStateOperation createHasTOTPSharedSecret()
2322  {
2323    return new PasswordPolicyStateOperation(OP_TYPE_HAS_TOTP_SHARED_SECRET);
2324  }
2325
2326
2327
2328  /**
2329   * Creates a new password policy state operation that may be used to add one
2330   * or more values to the set of TOTP shared secrets for a user.  The result
2331   * returned should include an operation of type
2332   * {@link #OP_TYPE_HAS_TOTP_SHARED_SECRET} with a single boolean value of
2333   * {@code true} if the user has one or more TOTP shared secrets, or
2334   * {@code false} if not.
2335   *
2336   * @param  totpSharedSecrets  The base32-encoded representations of the TOTP
2337   *                            shared secrets to add to the user.  It must not
2338   *                            be {@code null} or empty.
2339   *
2340   * @return  The created password policy state operation.
2341   */
2342  public static PasswordPolicyStateOperation
2343                     createAddTOTPSharedSecretOperation(
2344                          final String... totpSharedSecrets)
2345  {
2346    final ASN1OctetString[] values =
2347         new ASN1OctetString[totpSharedSecrets.length];
2348    for (int i=0; i < totpSharedSecrets.length; i++)
2349    {
2350      values[i] = new ASN1OctetString(totpSharedSecrets[i]);
2351    }
2352
2353    return new PasswordPolicyStateOperation(OP_TYPE_ADD_TOTP_SHARED_SECRET,
2354         values);
2355  }
2356
2357
2358
2359  /**
2360   * Creates a new password policy state operation that may be used to remove
2361   * one or more values from the set of TOTP shared secrets for a user.  The
2362   * result returned should include an operation of type
2363   * {@link #OP_TYPE_HAS_TOTP_SHARED_SECRET} with a single boolean value of
2364   * {@code true} if the user has one or more TOTP shared secrets, or
2365   * {@code false} if not.
2366   *
2367   * @param  totpSharedSecrets  The base32-encoded representations of the TOTP
2368   *                            shared secrets to remove from the user.  It must
2369   *                            not be {@code null} or empty.
2370   *
2371   * @return  The created password policy state operation.
2372   */
2373  public static PasswordPolicyStateOperation
2374                     createRemoveTOTPSharedSecretOperation(
2375                          final String... totpSharedSecrets)
2376  {
2377    final ASN1OctetString[] values =
2378         new ASN1OctetString[totpSharedSecrets.length];
2379    for (int i=0; i < totpSharedSecrets.length; i++)
2380    {
2381      values[i] = new ASN1OctetString(totpSharedSecrets[i]);
2382    }
2383
2384    return new PasswordPolicyStateOperation(OP_TYPE_REMOVE_TOTP_SHARED_SECRET,
2385         values);
2386  }
2387
2388
2389
2390  /**
2391   * Creates a new password policy state operation that may be used to replace
2392   * the set of TOTP shared secrets for a user.  The result returned should
2393   * include an operation of type {@link #OP_TYPE_HAS_TOTP_SHARED_SECRET} with a
2394   * single boolean value of {@code true} if the user has one or more TOTP
2395   * shared secrets, or {@code false} if not.
2396   *
2397   * @param  totpSharedSecrets  The base32-encoded representations of the TOTP
2398   *                            shared secrets for the user.  It must not be
2399   *                            {@code null} but may be empty.
2400   *
2401   * @return  The created password policy state operation.
2402   */
2403  public static PasswordPolicyStateOperation
2404                     createSetTOTPSharedSecretsOperation(
2405                          final String... totpSharedSecrets)
2406  {
2407    final ASN1OctetString[] values =
2408         new ASN1OctetString[totpSharedSecrets.length];
2409    for (int i=0; i < totpSharedSecrets.length; i++)
2410    {
2411      values[i] = new ASN1OctetString(totpSharedSecrets[i]);
2412    }
2413
2414    return new PasswordPolicyStateOperation(OP_TYPE_SET_TOTP_SHARED_SECRETS,
2415         values);
2416  }
2417
2418
2419
2420  /**
2421   * Creates a new password policy state operation that may be used to clear
2422   * the set of TOTP shared secrets for a user.  The result returned should
2423   * include an operation of type {@link #OP_TYPE_HAS_TOTP_SHARED_SECRET} with a
2424   * single boolean value of {@code true} if the user has one or more TOTP
2425   * shared secrets, or {@code false} if not.
2426   *
2427   * @return  The created password policy state operation.
2428   */
2429  public static PasswordPolicyStateOperation
2430                     createClearTOTPSharedSecretsOperation()
2431  {
2432    return new PasswordPolicyStateOperation(OP_TYPE_CLEAR_TOTP_SHARED_SECRETS);
2433  }
2434
2435
2436
2437  /**
2438   * Creates a new password policy state operation that may be used to determine
2439   * whether the user has at least one registered YubiKey OTP device.  The
2440   * result returned should include an operation of type
2441   * {@link #OP_TYPE_HAS_REGISTERED_YUBIKEY_PUBLIC_ID}
2442   * with a single boolean value of {@code true} if the user has one or more
2443   * registered devices, or {@code false} if not.
2444   *
2445   * @return  The created password policy state operation.
2446   */
2447  public static PasswordPolicyStateOperation createHasYubiKeyPublicIDOperation()
2448  {
2449    return new PasswordPolicyStateOperation(
2450         OP_TYPE_HAS_REGISTERED_YUBIKEY_PUBLIC_ID);
2451  }
2452
2453
2454
2455  /**
2456   * Creates a new password policy state operation that may be used to retrieve
2457   * the public IDs of the YubiKey OTP devices registered for a user.  The
2458   * result returned should include an operation of type
2459   * {@link #OP_TYPE_GET_REGISTERED_YUBIKEY_PUBLIC_IDS} with an array of string
2460   * values that represent the public IDs of the registered YubiKey OTP devices.
2461   *
2462   * @return  The created password policy state operation.
2463   */
2464  public static PasswordPolicyStateOperation
2465                     createGetRegisteredYubiKeyPublicIDsOperation()
2466  {
2467    return new PasswordPolicyStateOperation(
2468         OP_TYPE_GET_REGISTERED_YUBIKEY_PUBLIC_IDS);
2469  }
2470
2471
2472
2473  /**
2474   * Creates a new password policy state operation that may be used to add one
2475   * or more values to the set of the public IDs of the YubiKey OTP devices
2476   * registered for a user.  The result returned should include an operation of
2477   * type {@link #OP_TYPE_GET_REGISTERED_YUBIKEY_PUBLIC_IDS} with an array of
2478   * string values that represent the public IDs of the registered YubiKey OTP
2479   * devices.
2480   *
2481   * @param  publicIDs  The set of public IDs to add to the set of YubiKey OTP
2482   *                    devices registered for the user.  It must not be
2483   *                    {@code null} or empty.
2484   *
2485   * @return  The created password policy state operation.
2486   */
2487  public static PasswordPolicyStateOperation
2488                     createAddRegisteredYubiKeyPublicIDOperation(
2489                          final String... publicIDs)
2490  {
2491    final ASN1OctetString[] values = new ASN1OctetString[publicIDs.length];
2492    for (int i=0; i < publicIDs.length; i++)
2493    {
2494      values[i] = new ASN1OctetString(publicIDs[i]);
2495    }
2496
2497    return new PasswordPolicyStateOperation(
2498         OP_TYPE_ADD_REGISTERED_YUBIKEY_PUBLIC_ID, values);
2499  }
2500
2501
2502
2503  /**
2504   * Creates a new password policy state operation that may be used to remove
2505   * one or more values from the set of the public IDs of the YubiKey OTP
2506   * devices registered for a user.  The result returned should include an
2507   * operation of type {@link #OP_TYPE_GET_REGISTERED_YUBIKEY_PUBLIC_IDS} with
2508   * an array of string values that represent the public IDs of the registered
2509   * YubiKey OTP devices.
2510   *
2511   * @param  publicIDs  The set of public IDs to remove from the set of YubiKey
2512   *                    OTP devices registered for the user.  It must not be
2513   *                    {@code null} or empty.
2514   *
2515   * @return  The created password policy state operation.
2516   */
2517  public static PasswordPolicyStateOperation
2518                     createRemoveRegisteredYubiKeyPublicIDOperation(
2519                          final String... publicIDs)
2520  {
2521    final ASN1OctetString[] values = new ASN1OctetString[publicIDs.length];
2522    for (int i=0; i < publicIDs.length; i++)
2523    {
2524      values[i] = new ASN1OctetString(publicIDs[i]);
2525    }
2526
2527    return new PasswordPolicyStateOperation(
2528         OP_TYPE_REMOVE_REGISTERED_YUBIKEY_PUBLIC_ID, values);
2529  }
2530
2531
2532
2533  /**
2534   * Creates a new password policy state operation that may be used to replace
2535   * the set of the public IDs of the YubiKey OTP devices registered for a user.
2536   * The result returned should include an operation of type
2537   * {@link #OP_TYPE_GET_REGISTERED_YUBIKEY_PUBLIC_IDS} with an array of string
2538   * values that represent the public IDs of the registered YubiKey OTP devices.
2539   *
2540   * @param  publicIDs  The set of public IDs for the YubiKey OTP devices
2541   *                    registered for the user.  It must not be {@code null}
2542   *                    but may be empty.
2543   *
2544   * @return  The created password policy state operation.
2545   */
2546  public static PasswordPolicyStateOperation
2547                     createSetRegisteredYubiKeyPublicIDsOperation(
2548                          final String... publicIDs)
2549  {
2550    final ASN1OctetString[] values = new ASN1OctetString[publicIDs.length];
2551    for (int i=0; i < publicIDs.length; i++)
2552    {
2553      values[i] = new ASN1OctetString(publicIDs[i]);
2554    }
2555
2556    return new PasswordPolicyStateOperation(
2557         OP_TYPE_SET_REGISTERED_YUBIKEY_PUBLIC_IDS, values);
2558  }
2559
2560
2561
2562  /**
2563   * Creates a new password policy state operation that may be used to clear
2564   * the set of the public IDs of the YubiKey OTP devices registered for a user.
2565   * The result returned should include an operation of type
2566   * {@link #OP_TYPE_GET_REGISTERED_YUBIKEY_PUBLIC_IDS} with an array of string
2567   * values that represent the public IDs of the registered YubiKey OTP devices.
2568   *
2569   * @return  The created password policy state operation.
2570   */
2571  public static PasswordPolicyStateOperation
2572                     createClearRegisteredYubiKeyPublicIDsOperation()
2573  {
2574    return new PasswordPolicyStateOperation(
2575         OP_TYPE_CLEAR_REGISTERED_YUBIKEY_PUBLIC_IDS);
2576  }
2577
2578
2579
2580  /**
2581   * Creates a new password policy state operation that may be used to determine
2582   * whether the user has a static password.  The result should include an
2583   * operation of type {@link #OP_TYPE_HAS_STATIC_PASSWORD} with a single
2584   * boolean value of {@code true} if the user has a static password, or
2585   * {@code false} if not.
2586   *
2587   * @return  The created password policy state operation.
2588   */
2589  public static PasswordPolicyStateOperation createHasStaticPasswordOperation()
2590  {
2591    return new PasswordPolicyStateOperation(OP_TYPE_HAS_STATIC_PASSWORD);
2592  }
2593
2594
2595
2596  /**
2597   * Retrieves the operation type for this password policy state operation.
2598   *
2599   * @return  The operation type for this password policy state operation.
2600   */
2601  public int getOperationType()
2602  {
2603    return opType;
2604  }
2605
2606
2607
2608  /**
2609   * Retrieves the set of raw values for this password policy state operation.
2610   *
2611   * @return  The set of raw values for this password policy state operation.
2612   */
2613  public ASN1OctetString[] getRawValues()
2614  {
2615    return values;
2616  }
2617
2618
2619
2620  /**
2621   * Retrieves the string representation of the value for this password policy
2622   * state operation.  If there are multiple values, then the first will be
2623   * returned.
2624   *
2625   * @return  The string representation of the value for this password policy
2626   *          state operation, or {@code null} if there are no values.
2627   */
2628  public String getStringValue()
2629  {
2630    if (values.length == 0)
2631    {
2632      return null;
2633    }
2634    else
2635    {
2636      return values[0].stringValue();
2637    }
2638  }
2639
2640
2641
2642  /**
2643   * Retrieves the string representations of the values for this password policy
2644   * state operation.
2645   *
2646   * @return  The string representations of the values for this password policy
2647   *          state operation.
2648   */
2649  public String[] getStringValues()
2650  {
2651    final String[] stringValues = new String[values.length];
2652    for (int i=0; i < values.length; i++)
2653    {
2654      stringValues[i] = values[i].stringValue();
2655    }
2656
2657    return stringValues;
2658  }
2659
2660
2661
2662  /**
2663   * Retrieves the boolean representation of the value for this password policy
2664   * state operation.
2665   *
2666   * @return  The boolean representation of the value for this password policy
2667   *          state operation.
2668   *
2669   * @throws  IllegalStateException  If this operation does not have exactly one
2670   *                                 value, or if the value cannot be decoded as
2671   *                                 a boolean value.
2672   */
2673  public boolean getBooleanValue()
2674         throws IllegalStateException
2675  {
2676    if (values.length != 1)
2677    {
2678      throw new IllegalStateException(
2679           ERR_PWP_STATE_INVALID_BOOLEAN_VALUE_COUNT.get(values.length));
2680    }
2681
2682    final String valueString = toLowerCase(values[0].stringValue());
2683    if (valueString.equals("true"))
2684    {
2685      return true;
2686    }
2687    else if (valueString.equals("false"))
2688    {
2689      return false;
2690    }
2691    else
2692    {
2693      throw new IllegalStateException(
2694           ERR_PWP_STATE_VALUE_NOT_BOOLEAN.get(values[0].stringValue()));
2695    }
2696  }
2697
2698
2699
2700  /**
2701   * Retrieves the integer representation of the value for this password policy
2702   * state operation.  If there are multiple values, then the first will be
2703   * returned.
2704   *
2705   * @return  The integer representation of the value for this password policy
2706   *          operation.
2707   *
2708   * @throws  IllegalStateException  If this operation does not have any values.
2709   *
2710   * @throws  NumberFormatException  If the value cannot be parsed as an
2711   *                                 integer.
2712   */
2713  public int getIntValue()
2714         throws IllegalStateException, NumberFormatException
2715  {
2716    if (values.length == 0)
2717    {
2718      throw new IllegalStateException(ERR_PWP_STATE_NO_VALUES.get());
2719    }
2720
2721    return Integer.parseInt(values[0].stringValue());
2722  }
2723
2724
2725
2726  /**
2727   * Retrieves the {@code Date} object represented by the value for this
2728   * password policy state operation treated as a timestamp in generalized time
2729   * form.  If there are multiple values, then the first will be returned.
2730   *
2731   * @return  The {@code Date} object represented by the value for this password
2732   *          policy state operation treated as a timestamp in generalized time
2733   *          form, or {@code null} if this operation does not have any values.
2734   *
2735   * @throws  ParseException  If the value cannot be decoded as a timestamp in
2736   *                          generalized time form.
2737   */
2738  public Date getGeneralizedTimeValue()
2739         throws ParseException
2740  {
2741    if (values.length == 0)
2742    {
2743      return null;
2744    }
2745
2746    return decodeGeneralizedTime(values[0].stringValue());
2747  }
2748
2749
2750
2751  /**
2752   * Retrieves the {@code Date} objects represented by the values for this
2753   * password policy state operation treated as timestamps in generalized time
2754   * form.
2755   *
2756   * @return  The {@code Date} objects represented by the values for this
2757   *          password policy state operation treated as timestamps in
2758   *          generalized time form.
2759   *
2760   * @throws  ParseException  If any of the values cannot be decoded as a
2761   *                          timestamp in generalized time form.
2762   */
2763  public Date[] getGeneralizedTimeValues()
2764         throws ParseException
2765  {
2766    final Date[] dateValues = new Date[values.length];
2767    for (int i=0; i < values.length; i++)
2768    {
2769      dateValues[i] = decodeGeneralizedTime(values[i].stringValue());
2770    }
2771
2772    return dateValues;
2773  }
2774
2775
2776
2777  /**
2778   * Creates an array of ASN.1 octet strings with the provided set of values.
2779   *
2780   * @param  dates  The dates from which to create the values.  It may be
2781   *                {@code null} or empty if there should be no values.
2782   *
2783   * @return  The array of ASN.1 octet strings.
2784   */
2785  private static ASN1OctetString[] createValues(final Date... dates)
2786  {
2787    if ((dates == null) || (dates.length == 0))
2788    {
2789      return NO_VALUES;
2790    }
2791
2792    final ArrayList<ASN1OctetString> valueList =
2793         new ArrayList<ASN1OctetString>(dates.length);
2794    for (final Date d : dates)
2795    {
2796      if (d != null)
2797      {
2798        valueList.add(new ASN1OctetString(encodeGeneralizedTime(d)));
2799      }
2800    }
2801
2802    return valueList.toArray(NO_VALUES);
2803  }
2804
2805
2806
2807  /**
2808   * Encodes this password policy state operation for use in the extended
2809   * request or response.
2810   *
2811   * @return  An ASN.1 element containing an encoded representation of this
2812   *          password policy state operation.
2813   */
2814  public ASN1Element encode()
2815  {
2816    final ASN1Element[] elements;
2817    if (values.length > 0)
2818    {
2819      elements = new ASN1Element[]
2820      {
2821        new ASN1Enumerated(opType),
2822        new ASN1Sequence(values)
2823      };
2824    }
2825    else
2826    {
2827      elements = new ASN1Element[]
2828      {
2829        new ASN1Enumerated(opType),
2830      };
2831    }
2832
2833    return new ASN1Sequence(elements);
2834  }
2835
2836
2837
2838  /**
2839   * Decodes the provided ASN.1 element as a password policy state operation.
2840   *
2841   * @param  element  The ASN.1 element to be decoded.
2842   *
2843   * @return  The decoded password policy state operation.
2844   *
2845   * @throws  LDAPException  If a problem occurs while attempting to decode the
2846   *                         provided ASN.1 element as a password policy state
2847   *                         operation.
2848   */
2849  public static PasswordPolicyStateOperation decode(final ASN1Element element)
2850         throws LDAPException
2851  {
2852    final ASN1Element[] elements;
2853    try
2854    {
2855      elements = ASN1Sequence.decodeAsSequence(element).elements();
2856    }
2857    catch (final Exception e)
2858    {
2859      debugException(e);
2860      throw new LDAPException(ResultCode.DECODING_ERROR,
2861                              ERR_PWP_STATE_ELEMENT_NOT_SEQUENCE.get(e), e);
2862    }
2863
2864    if ((elements.length < 1) || (elements.length > 2))
2865    {
2866      throw new LDAPException(ResultCode.DECODING_ERROR,
2867                              ERR_PWP_STATE_INVALID_ELEMENT_COUNT.get(
2868                                   elements.length));
2869    }
2870
2871    final int opType;
2872    try
2873    {
2874      opType = ASN1Enumerated.decodeAsEnumerated(elements[0]).intValue();
2875    }
2876    catch (final Exception e)
2877    {
2878      debugException(e);
2879      throw new LDAPException(ResultCode.DECODING_ERROR,
2880                              ERR_PWP_STATE_OP_TYPE_NOT_INTEGER.get(e), e);
2881    }
2882
2883    final ASN1OctetString[] values;
2884    if (elements.length == 2)
2885    {
2886      try
2887      {
2888        final ASN1Element[] valueElements =
2889             ASN1Sequence.decodeAsSequence(elements[1]).elements();
2890        values = new ASN1OctetString[valueElements.length];
2891        for (int i=0; i < valueElements.length; i++)
2892        {
2893          values[i] = ASN1OctetString.decodeAsOctetString(valueElements[i]);
2894        }
2895      }
2896      catch (final Exception e)
2897      {
2898        debugException(e);
2899        throw new LDAPException(ResultCode.DECODING_ERROR,
2900                                ERR_PWP_STATE_CANNOT_DECODE_VALUES.get(e), e);
2901      }
2902    }
2903    else
2904    {
2905      values = NO_VALUES;
2906    }
2907
2908    return new PasswordPolicyStateOperation(opType, values);
2909  }
2910
2911
2912
2913  /**
2914   * Retrieves a string representation of this password policy state operation.
2915   *
2916   * @return  A string representation of this password policy state operation.
2917   */
2918  @Override()
2919  public String toString()
2920  {
2921    final StringBuilder buffer = new StringBuilder();
2922    toString(buffer);
2923    return buffer.toString();
2924  }
2925
2926
2927
2928  /**
2929   * Appends a string representation of this password policy state operation to
2930   * the provided buffer.
2931   *
2932   * @param  buffer  The buffer to which the information should be appended.
2933   */
2934  public void toString(final StringBuilder buffer)
2935  {
2936    buffer.append("PasswordPolicyStateOperation(opType=");
2937    buffer.append(opType);
2938
2939    if (values.length > 0)
2940    {
2941      buffer.append(", values={");
2942      for (int i=0; i < values.length; i++)
2943      {
2944        if (i > 0)
2945        {
2946          buffer.append(", ");
2947        }
2948
2949        buffer.append('\'');
2950        buffer.append(values[i].stringValue());
2951        buffer.append('\'');
2952      }
2953      buffer.append('}');
2954    }
2955
2956    buffer.append(')');
2957  }
2958}