/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License").  You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
 * or http://forgerock.org/license/CDDLv1.0.html.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at legal-notices/CDDLv1_0.txt.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information:
 *      Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 *
 *
 *      Copyright 2006-2010 Sun Microsystems, Inc.
 *      Portions Copyright 2011-2015 ForgeRock AS
 */
package org.opends.server.extensions;

import static org.opends.messages.CoreMessages.*;
import static org.opends.messages.ExtensionMessages.*;
import static org.opends.server.controls.PasswordPolicyErrorType.*;
import static org.opends.server.extensions.ExtensionsConstants.*;
import static org.opends.server.protocols.internal.InternalClientConnection.*;
import static org.opends.server.types.AccountStatusNotificationType.*;
import static org.opends.server.util.CollectionUtils.*;
import static org.opends.server.util.ServerConstants.*;
import static org.opends.server.util.StaticUtils.*;

import java.io.IOException;
import java.util.*;

import org.forgerock.i18n.LocalizableMessage;
import org.forgerock.i18n.LocalizableMessageBuilder;
import org.forgerock.i18n.slf4j.LocalizedLogger;
import org.forgerock.opendj.config.server.ConfigChangeResult;
import org.forgerock.opendj.config.server.ConfigException;
import org.forgerock.opendj.io.ASN1;
import org.forgerock.opendj.io.ASN1Reader;
import org.forgerock.opendj.io.ASN1Writer;
import org.forgerock.opendj.ldap.ByteString;
import org.forgerock.opendj.ldap.ByteStringBuilder;
import org.forgerock.opendj.ldap.ModificationType;
import org.forgerock.opendj.ldap.ResultCode;
import org.opends.server.admin.server.ConfigurationChangeListener;
import org.opends.server.admin.std.server.ExtendedOperationHandlerCfg;
import org.opends.server.admin.std.server.PasswordModifyExtendedOperationHandlerCfg;
import org.opends.server.api.*;
import org.opends.server.controls.PasswordPolicyErrorType;
import org.opends.server.controls.PasswordPolicyResponseControl;
import org.opends.server.core.DirectoryServer;
import org.opends.server.core.ExtendedOperation;
import org.opends.server.core.ModifyOperation;
import org.opends.server.core.PasswordPolicyState;
import org.opends.server.protocols.internal.InternalClientConnection;
import org.opends.server.schema.AuthPasswordSyntax;
import org.opends.server.schema.UserPasswordSyntax;
import org.opends.server.types.*;
import org.opends.server.types.LockManager.DNLock;

/**
 * This class implements the password modify extended operation defined in RFC
 * 3062.  It includes support for requiring the user's current password as well
 * as for generating a new password if none was provided.
 */
public class PasswordModifyExtendedOperation
       extends ExtendedOperationHandler<PasswordModifyExtendedOperationHandlerCfg>
       implements ConfigurationChangeListener<PasswordModifyExtendedOperationHandlerCfg>
{
  // The following attachments may be used by post-op plugins (e.g. Samba) in
  // order to avoid re-decoding the request parameters and also to enforce
  // atomicity.

  /** The name of the attachment which will be used to store the fully resolved target entry. */
  public static final String AUTHZ_DN_ATTACHMENT;
  /** The name of the attachment which will be used to store the password attribute. */
  public static final String PWD_ATTRIBUTE_ATTACHMENT;
  /** The clear text password, which may not be present if the provided password was pre-encoded. */
  public static final String CLEAR_PWD_ATTACHMENT;
  /** A list containing the encoded passwords: plugins can perform changes atomically via CAS. */
  public static final String ENCODED_PWD_ATTACHMENT;

  static
  {
    final String PREFIX = PasswordModifyExtendedOperation.class.getName();
    AUTHZ_DN_ATTACHMENT = PREFIX + ".AUTHZ_DN";
    PWD_ATTRIBUTE_ATTACHMENT = PREFIX + ".PWD_ATTRIBUTE";
    CLEAR_PWD_ATTACHMENT = PREFIX + ".CLEAR_PWD";
    ENCODED_PWD_ATTACHMENT = PREFIX + ".ENCODED_PWD";
  }
  private static final LocalizedLogger logger = LocalizedLogger.getLoggerForThisClass();

  /** The current configuration state. */
  private PasswordModifyExtendedOperationHandlerCfg currentConfig;

  /** The DN of the identity mapper. */
  private DN identityMapperDN;

  /** The reference to the identity mapper. */
  private IdentityMapper<?> identityMapper;


  /**
   * Create an instance of this password modify extended operation.  All initialization should be performed in the
   * <CODE>initializeExtendedOperationHandler</CODE> method.
   */
  public PasswordModifyExtendedOperation()
  {
    super(newHashSet(OID_LDAP_NOOP_OPENLDAP_ASSIGNED, OID_PASSWORD_POLICY_CONTROL));
  }

  @Override
  public void initializeExtendedOperationHandler(PasswordModifyExtendedOperationHandlerCfg config)
         throws ConfigException, InitializationException
  {
    try
    {
      identityMapperDN = config.getIdentityMapperDN();
      identityMapper = DirectoryServer.getIdentityMapper(identityMapperDN);
      if (identityMapper == null)
      {
        throw new ConfigException(ERR_EXTOP_PASSMOD_NO_SUCH_ID_MAPPER.get(identityMapperDN, config.dn()));
      }
    }
    catch (Exception e)
    {
      logger.traceException(e);
      LocalizableMessage message = ERR_EXTOP_PASSMOD_CANNOT_DETERMINE_ID_MAPPER
          .get(config.dn(), getExceptionMessage(e));
      throw new InitializationException(message, e);
    }

    // Save this configuration for future reference.
    currentConfig = config;

    // Register this as a change listener.
    config.addPasswordModifyChangeListener(this);

    super.initializeExtendedOperationHandler(config);
  }

  @Override
  public void finalizeExtendedOperationHandler()
  {
    currentConfig.removePasswordModifyChangeListener(this);

    super.finalizeExtendedOperationHandler();
  }

  @Override
  public void processExtendedOperation(ExtendedOperation operation)
  {
    // Initialize the variables associated with components that may be included in the request.
    ByteString userIdentity = null;
    ByteString oldPassword  = null;
    ByteString newPassword  = null;

    // Look at the set of controls included in the request, if there are any.
    boolean                   noOpRequested        = false;
    boolean                   pwPolicyRequested    = false;
    List<Control> controls = operation.getRequestControls();
    if (controls != null)
    {
      for (Control c : controls)
      {
        String oid = c.getOID();
        if (OID_LDAP_NOOP_OPENLDAP_ASSIGNED.equals(oid))
        {
          noOpRequested = true;
        }
        else if (OID_PASSWORD_POLICY_CONTROL.equals(oid))
        {
          pwPolicyRequested = true;
        }
      }
    }

    // Parse the encoded request, if there is one.
    ByteString requestValue = operation.getRequestValue();
    if (requestValue != null)
    {
      try
      {
        ASN1Reader reader = ASN1.getReader(requestValue);
        reader.readStartSequence();
        if(reader.hasNextElement() && reader.peekType() == TYPE_PASSWORD_MODIFY_USER_ID)
        {
          userIdentity = reader.readOctetString();
        }
        if(reader.hasNextElement() && reader.peekType() == TYPE_PASSWORD_MODIFY_OLD_PASSWORD)
        {
          oldPassword = reader.readOctetString();
        }
        if(reader.hasNextElement() && reader.peekType() == TYPE_PASSWORD_MODIFY_NEW_PASSWORD)
        {
          newPassword = reader.readOctetString();
        }
        reader.readEndSequence();
      }
      catch (Exception ae)
      {
        logger.traceException(ae);

        operation.setResultCode(ResultCode.PROTOCOL_ERROR);
        operation.appendErrorMessage(ERR_EXTOP_PASSMOD_CANNOT_DECODE_REQUEST.get(getExceptionMessage(ae)));
        return;
      }
    }

    // Get the entry for the user that issued the request.
    Entry requestorEntry = operation.getAuthorizationEntry();

    // See if a user identity was provided.  If so, then try to resolve it to an actual user.
    DN userDN = null;
    Entry userEntry = null;
    DNLock userLock = null;
    try
    {
      if (userIdentity == null)
      {
        // This request must be targeted at changing the password for the currently-authenticated user.
        // Make sure that the user actually is authenticated.
        ClientConnection   clientConnection = operation.getClientConnection();
        AuthenticationInfo authInfo = clientConnection.getAuthenticationInfo();
        if (!authInfo.isAuthenticated() || requestorEntry == null)
        {
          operation.setResultCode(ResultCode.UNWILLING_TO_PERFORM);
          operation.appendErrorMessage(ERR_EXTOP_PASSMOD_NO_AUTH_OR_USERID.get());
          return;
        }

        userDN = requestorEntry.getName();
        userEntry = requestorEntry;
      }
      else
      {
        // There was a userIdentity field in the request.
        String authzIDStr      = userIdentity.toString();
        String lowerAuthzIDStr = toLowerCase(authzIDStr);
        if (lowerAuthzIDStr.startsWith("dn:"))
        {
          try
          {
            userDN = DN.valueOf(authzIDStr.substring(3));
          }
          catch (DirectoryException de)
          {
            logger.traceException(de);

            operation.setResultCode(ResultCode.INVALID_DN_SYNTAX);
            operation.appendErrorMessage(ERR_EXTOP_PASSMOD_CANNOT_DECODE_AUTHZ_DN.get(authzIDStr));
            return;
          }

          // If the provided DN is an alternate DN for a root user, then replace it with the actual root DN.
          DN actualRootDN = DirectoryServer.getActualRootBindDN(userDN);
          if (actualRootDN != null)
          {
            userDN = actualRootDN;
          }

          userEntry = getEntryByDN(operation, userDN);
          if (userEntry == null)
          {
            return;
          }
        }
        else if (lowerAuthzIDStr.startsWith("u:"))
        {
          try
          {
            userEntry = identityMapper.getEntryForID(authzIDStr.substring(2));
            if (userEntry == null)
            {
              operation.setResultCode(ResultCode.NO_SUCH_OBJECT);
              operation.appendErrorMessage(ERR_EXTOP_PASSMOD_CANNOT_MAP_USER.get(authzIDStr));
              return;
            }

            userDN = userEntry.getName();
          }
          catch (DirectoryException de)
          {
            logger.traceException(de);

            //Encountered an exception while resolving identity.
            operation.setResultCode(de.getResultCode());
            operation.appendErrorMessage(ERR_EXTOP_PASSMOD_ERROR_MAPPING_USER.get(authzIDStr, de.getMessageObject()));
            return;
          }
        }
        else
        {
          /*
           * the userIdentity provided does not follow Authorization Identity form. RFC3062
           * declaration "may or may not be an LDAPDN" allows for pretty much anything in that
           * field. we gonna try to parse it as DN first then if that fails as user ID.
           */
          try
          {
            userDN = DN.valueOf(authzIDStr);
          }
          catch (DirectoryException ignored)
          {
            logger.traceException(ignored);
          }

          if (userDN != null && !userDN.isRootDN()) {
            // If the provided DN is an alternate DN for a root user, then replace it with the actual root DN.
            DN actualRootDN = DirectoryServer.getActualRootBindDN(userDN);
            if (actualRootDN != null) {
              userDN = actualRootDN;
            }
            userEntry = getEntryByDN(operation, userDN);
          } else {
            try
            {
              userEntry = identityMapper.getEntryForID(authzIDStr);
            }
            catch (DirectoryException ignored)
            {
              logger.traceException(ignored);
            }
          }

          if (userEntry == null) {
            // The userIdentity was invalid.
            operation.setResultCode(ResultCode.PROTOCOL_ERROR);
            operation.appendErrorMessage(ERR_EXTOP_PASSMOD_INVALID_AUTHZID_STRING.get(authzIDStr));
            return;
          }

          userDN = userEntry.getName();
        }
      }

      userLock = DirectoryServer.getLockManager().tryWriteLockEntry(userDN);
      if (userLock == null)
      {
        operation.setResultCode(ResultCode.BUSY);
        operation.appendErrorMessage(ERR_EXTOP_PASSMOD_CANNOT_LOCK_USER_ENTRY.get(userDN));
        return;
      }

      // At this point, we should have the user entry.  Get the associated password policy.
      PasswordPolicyState pwPolicyState;
      try
      {
        AuthenticationPolicy policy = AuthenticationPolicy.forUser(userEntry, false);
        if (!policy.isPasswordPolicy())
        {
          operation.setResultCode(ResultCode.UNWILLING_TO_PERFORM);
          operation.appendErrorMessage(ERR_EXTOP_PASSMOD_ACCOUNT_NOT_LOCAL.get(userDN));
          return;
        }
        pwPolicyState = (PasswordPolicyState) policy.createAuthenticationPolicyState(userEntry);
      }
      catch (DirectoryException de)
      {
        logger.traceException(de);

        operation.setResultCode(DirectoryServer.getServerErrorResultCode());
        operation.appendErrorMessage(ERR_EXTOP_PASSMOD_CANNOT_GET_PW_POLICY.get(userDN, de.getMessageObject()));
        return;
      }

      // Determine whether the user is changing his own password or if it's an administrative reset.
      // If it's an administrative reset, then the requester must have the PASSWORD_RESET privilege.
      boolean selfChange = isSelfChange(userIdentity, requestorEntry, userDN, oldPassword);

      if (! selfChange)
      {
        ClientConnection clientConnection = operation.getClientConnection();
        if (! clientConnection.hasPrivilege(Privilege.PASSWORD_RESET, operation))
        {
          operation.appendErrorMessage(ERR_EXTOP_PASSMOD_INSUFFICIENT_PRIVILEGES.get());
          operation.setResultCode(ResultCode.INSUFFICIENT_ACCESS_RIGHTS);
          return;
        }
      }

      // See if the account is locked.  If so, then reject the request.
      if (pwPolicyState.isDisabled())
      {
        addPwPolicyErrorResponseControl(operation, pwPolicyRequested, ACCOUNT_LOCKED);

        operation.setResultCode(ResultCode.UNWILLING_TO_PERFORM);
        operation.appendErrorMessage(ERR_EXTOP_PASSMOD_ACCOUNT_DISABLED.get());
        return;
      }
      else if (selfChange && pwPolicyState.isLocked())
      {
        addPwPolicyErrorResponseControl(operation, pwPolicyRequested, ACCOUNT_LOCKED);

        operation.setResultCode(ResultCode.UNWILLING_TO_PERFORM);
        operation.appendErrorMessage(ERR_EXTOP_PASSMOD_ACCOUNT_LOCKED.get());
        return;
      }

      // If the current password was provided, then we'll need to verify whether it was correct.
      // If it wasn't provided but this is a self change, then make sure that's OK.
      if (oldPassword == null)
      {
        if (selfChange
            && pwPolicyState.getAuthenticationPolicy().isPasswordChangeRequiresCurrentPassword())
        {
          addPwPolicyErrorResponseControl(operation, pwPolicyRequested, MUST_SUPPLY_OLD_PASSWORD);

          operation.setResultCode(ResultCode.UNWILLING_TO_PERFORM);
          operation.appendErrorMessage(ERR_EXTOP_PASSMOD_REQUIRE_CURRENT_PW.get());
          return;
        }
      }
      else
      {
        if (pwPolicyState.getAuthenticationPolicy().isRequireSecureAuthentication()
            && !operation.getClientConnection().isSecure())
        {
          operation.setResultCode(ResultCode.CONFIDENTIALITY_REQUIRED);
          operation.addAdditionalLogItem(AdditionalLogItem.quotedKeyValue(getClass(), "additionalInfo",
              ERR_EXTOP_PASSMOD_SECURE_AUTH_REQUIRED.get()));
          return;
        }

        if (pwPolicyState.passwordMatches(oldPassword))
        {
          pwPolicyState.setLastLoginTime();
        }
        else
        {
          operation.setResultCode(ResultCode.INVALID_CREDENTIALS);
          operation.addAdditionalLogItem(AdditionalLogItem.quotedKeyValue(getClass(), "additionalInfo",
              ERR_EXTOP_PASSMOD_INVALID_OLD_PASSWORD.get()));

          pwPolicyState.updateAuthFailureTimes();
          List<Modification> mods = pwPolicyState.getModifications();
          if (! mods.isEmpty())
          {
            getRootConnection().processModify(userDN, mods);
          }

          return;
        }
      }

      // If it is a self password change and we don't allow that, then reject the request.
      if (selfChange
          && !pwPolicyState.getAuthenticationPolicy().isAllowUserPasswordChanges())
      {
        addPwPolicyErrorResponseControl(operation, pwPolicyRequested, PASSWORD_MOD_NOT_ALLOWED);

        operation.setResultCode(ResultCode.UNWILLING_TO_PERFORM);
        operation.appendErrorMessage(ERR_EXTOP_PASSMOD_USER_PW_CHANGES_NOT_ALLOWED.get());
        return;
      }

      // If we require secure password changes and the connection isn't secure, then reject the request.
      if (pwPolicyState.getAuthenticationPolicy().isRequireSecurePasswordChanges()
          && !operation.getClientConnection().isSecure())
      {
        operation.setResultCode(ResultCode.CONFIDENTIALITY_REQUIRED);
        operation.appendErrorMessage(ERR_EXTOP_PASSMOD_SECURE_CHANGES_REQUIRED.get());
        return;
      }

      // If it's a self-change request and the user is within the minimum age, then reject it.
      if (selfChange && pwPolicyState.isWithinMinimumAge())
      {
        addPwPolicyErrorResponseControl(operation, pwPolicyRequested, PASSWORD_TOO_YOUNG);

        operation.setResultCode(ResultCode.UNWILLING_TO_PERFORM);
        operation.appendErrorMessage(ERR_EXTOP_PASSMOD_IN_MIN_AGE.get());
        return;
      }

      // If the user's password is expired and it's a self-change request, then see if that's OK.
      if (selfChange
          && pwPolicyState.isPasswordExpired()
          && !pwPolicyState.getAuthenticationPolicy().isAllowExpiredPasswordChanges())
      {
        addPwPolicyErrorResponseControl(operation, pwPolicyRequested, PasswordPolicyErrorType.PASSWORD_EXPIRED);

        operation.setResultCode(ResultCode.UNWILLING_TO_PERFORM);
        operation.appendErrorMessage(ERR_EXTOP_PASSMOD_PASSWORD_IS_EXPIRED.get());
        return;
      }

      // If the a new password was provided, then perform any appropriate validation on it.
      // If not, then see if we can generate one.
      boolean generatedPassword = false;
      boolean isPreEncoded      = false;
      if (newPassword == null)
      {
        try
        {
          newPassword = pwPolicyState.generatePassword();
          if (newPassword == null)
          {
            operation.setResultCode(ResultCode.UNWILLING_TO_PERFORM);
            operation.appendErrorMessage(ERR_EXTOP_PASSMOD_NO_PW_GENERATOR.get());
            return;
          }

          generatedPassword = true;
        }
        catch (DirectoryException de)
        {
          logger.traceException(de);
          operation.setResultCode(de.getResultCode());
          operation.appendErrorMessage(ERR_EXTOP_PASSMOD_CANNOT_GENERATE_PW.get(de.getMessageObject()));
          return;
        }
        // Prepare to update the password history, if necessary.
        if (pwPolicyState.maintainHistory())
        {
          if (pwPolicyState.isPasswordInHistory(newPassword))
          {
            operation.setResultCode(ResultCode.CONSTRAINT_VIOLATION);
            operation.appendErrorMessage(ERR_EXTOP_PASSMOD_PW_IN_HISTORY.get());
            return;
          }
          else
          {
            pwPolicyState.updatePasswordHistory();
          }
        }
      }
      else if (pwPolicyState.passwordIsPreEncoded(newPassword))
      {
        // The password modify extended operation isn't intended to be invoked
        // by an internal operation or during synchronization, so we don't
        // need to check for those cases.
        isPreEncoded = true;
        if (!pwPolicyState.getAuthenticationPolicy().isAllowPreEncodedPasswords())
        {
          operation.setResultCode(ResultCode.CONSTRAINT_VIOLATION);
          operation.appendErrorMessage(ERR_EXTOP_PASSMOD_PRE_ENCODED_NOT_ALLOWED.get());
          return;
        }
      }
      else
      {
        // Run the new password through the set of password validators.
        if (selfChange || !pwPolicyState.getAuthenticationPolicy().isSkipValidationForAdministrators())
        {
          Set<ByteString> clearPasswords = new HashSet<>(pwPolicyState.getClearPasswords());
          if (oldPassword != null)
          {
            clearPasswords.add(oldPassword);
          }

          LocalizableMessageBuilder invalidReason = new LocalizableMessageBuilder();
          if (!pwPolicyState.passwordIsAcceptable(operation, userEntry, newPassword, clearPasswords, invalidReason))
          {
            addPwPolicyErrorResponseControl(operation, pwPolicyRequested, INSUFFICIENT_PASSWORD_QUALITY);

            operation.setResultCode(ResultCode.CONSTRAINT_VIOLATION);
            operation.appendErrorMessage(ERR_EXTOP_PASSMOD_UNACCEPTABLE_PW.get(invalidReason));
            return;
          }
        }

        // Prepare to update the password history, if necessary.
        if (pwPolicyState.maintainHistory())
        {
          if (pwPolicyState.isPasswordInHistory(newPassword))
          {
            if (selfChange || !pwPolicyState.getAuthenticationPolicy().isSkipValidationForAdministrators())
            {
              operation.setResultCode(ResultCode.CONSTRAINT_VIOLATION);
              operation.appendErrorMessage(ERR_EXTOP_PASSMOD_PW_IN_HISTORY.get());
              return;
            }
          }
          else
          {
            pwPolicyState.updatePasswordHistory();
          }
        }
      }

      // Get the encoded forms of the new password.
      List<ByteString> encodedPasswords;
      if (isPreEncoded)
      {
        encodedPasswords = newArrayList(newPassword);
      }
      else
      {
        try
        {
          encodedPasswords = pwPolicyState.encodePassword(newPassword);
        }
        catch (DirectoryException de)
        {
          logger.traceException(de);

          operation.setResultCode(de.getResultCode());
          operation.appendErrorMessage(ERR_EXTOP_PASSMOD_CANNOT_ENCODE_PASSWORD.get(de.getMessageObject()));
          return;
        }
      }

      // If the current password was provided, then remove all matching values from the user's entry
      // and replace them with the new password.  Otherwise replace all password values.
      AttributeType attrType = pwPolicyState.getAuthenticationPolicy().getPasswordAttribute();
      List<Modification> modList = new ArrayList<>();
      if (oldPassword != null)
      {
        // Remove all existing encoded values that match the old password.
        Set<ByteString> existingValues = pwPolicyState.getPasswordValues();
        Set<ByteString> deleteValues = new LinkedHashSet<>(existingValues.size());

        for (ByteString v : existingValues)
        {
          try
          {
            String[] components = decodePassword(pwPolicyState, v.toString());
            PasswordStorageScheme<?> scheme = getPasswordStorageScheme(pwPolicyState, components[0]);
            if (// The password is encoded using an unknown scheme.  Remove it from the user's entry.
                scheme == null
                || passwordMatches(pwPolicyState, scheme, oldPassword, components))
            {
              deleteValues.add(v);
            }
          }
          catch (DirectoryException de)
          {
            logger.traceException(de);

            // We couldn't decode the provided password value, so remove it from the user's entry.
            deleteValues.add(v);
          }
        }

        modList.add(newModification(ModificationType.DELETE, attrType, deleteValues));
        modList.add(newModification(ModificationType.ADD, attrType, encodedPasswords));
      }
      else
      {
        modList.add(newModification(ModificationType.REPLACE, attrType, encodedPasswords));
      }

      // Update the password changed time for the user entry.
      pwPolicyState.setPasswordChangedTime();

      // If the password was changed by an end user, then clear any reset flag that might exist.
      // If the password was changed by an administrator, then see if we need to set the reset flag.
      pwPolicyState.setMustChangePassword(
          !selfChange && pwPolicyState.getAuthenticationPolicy().isForceChangeOnReset());

      // Clear any record of grace logins, auth failures, and expiration warnings.
      pwPolicyState.clearFailureLockout();
      pwPolicyState.clearGraceLoginTimes();
      pwPolicyState.clearWarnedTime();

      // If the LDAP no-op control was included in the request, then set the
      // appropriate response.  Otherwise, process the operation.
      if (noOpRequested)
      {
        operation.appendErrorMessage(WARN_EXTOP_PASSMOD_NOOP.get());
        operation.setResultCode(ResultCode.NO_OPERATION);
        return;
      }

      if (selfChange && requestorEntry == null)
      {
        requestorEntry = userEntry;
      }

      // Get an internal connection and use it to perform the modification.
      boolean isRoot = DirectoryServer.isRootDN(requestorEntry.getName());
      AuthenticationInfo authInfo = new AuthenticationInfo(requestorEntry, isRoot);
      InternalClientConnection internalConnection = new InternalClientConnection(authInfo);

      ModifyOperation modifyOperation = internalConnection.processModify(userDN, modList);
      ResultCode resultCode = modifyOperation.getResultCode();
      if (resultCode != ResultCode.SUCCESS)
      {
        operation.setResultCode(resultCode);
        operation.setErrorMessage(modifyOperation.getErrorMessage());
        // FIXME should it also call setMatchedDN()
        operation.setReferralURLs(modifyOperation.getReferralURLs());
        return;
      }

      // If there were any password policy state changes, we need to apply
      // them using a root connection because the end user may not have
      // sufficient access to apply them.  This is less efficient than
      // doing them all in the same modification, but it's safer.
      List<Modification> pwPolicyMods = pwPolicyState.getModifications();
      if (! pwPolicyMods.isEmpty())
      {
        ModifyOperation modOp = getRootConnection().processModify(userDN, pwPolicyMods);
        if (modOp.getResultCode() != ResultCode.SUCCESS)
        {
          // At this point, the user's password is already changed so there's
          // not much point in returning a non-success result.  However, we
          // should at least log that something went wrong.
          logger.warn(WARN_EXTOP_PASSMOD_CANNOT_UPDATE_PWP_STATE, userDN, modOp.getResultCode(),
              modOp.getErrorMessage());
        }
      }

      // If we've gotten here, then everything is OK, so indicate that the operation was successful.
      operation.setResultCode(ResultCode.SUCCESS);

      // Save attachments for post-op plugins (e.g. Samba password plugin).
      operation.setAttachment(AUTHZ_DN_ATTACHMENT, userDN);
      operation.setAttachment(PWD_ATTRIBUTE_ATTACHMENT, pwPolicyState.getAuthenticationPolicy().getPasswordAttribute());
      if (!isPreEncoded)
      {
        operation.setAttachment(CLEAR_PWD_ATTACHMENT, newPassword);
      }
      operation.setAttachment(ENCODED_PWD_ATTACHMENT, encodedPasswords);

      // If a password was generated, then include it in the response.
      if (generatedPassword)
      {
        ByteStringBuilder builder = new ByteStringBuilder();
        ASN1Writer writer = ASN1.getWriter(builder);

        try
        {
          writer.writeStartSequence();
          writer.writeOctetString(TYPE_PASSWORD_MODIFY_GENERATED_PASSWORD, newPassword);
          writer.writeEndSequence();
        }
        catch (IOException e)
        {
          logger.traceException(e);
        }

        operation.setResponseValue(builder.toByteString());
      }


      // If this was a self password change, and the client is authenticated as the user whose password was changed,
      // then clear the "must change password" flag in the client connection.  Note that we're using the
      // authentication DN rather than the authorization DN in this case to avoid mistakenly clearing the flag
      // for the wrong user.
      if (selfChange
          && authInfo.getAuthenticationDN() != null
          && authInfo.getAuthenticationDN().equals(userDN))
      {
        operation.getClientConnection().setMustChangePassword(false);
      }

      addPwPolicyErrorResponseControl(operation, pwPolicyRequested, null);

      generateAccountStatusNotification(oldPassword, newPassword, userEntry, pwPolicyState, selfChange);
    }
    finally
    {
      if (userLock != null)
      {
        userLock.unlock();
      }
    }
  }

  private void addPwPolicyErrorResponseControl(ExtendedOperation operation, boolean pwPolicyRequested,
      PasswordPolicyErrorType pwPolicyErrorType)
  {
    if (pwPolicyRequested)
    {
      operation.addResponseControl(new PasswordPolicyResponseControl(null, 0, pwPolicyErrorType));
    }
  }

  private void generateAccountStatusNotification(ByteString oldPassword, ByteString newPassword, Entry userEntry,
      PasswordPolicyState pwPolicyState, boolean selfChange)
  {
    List<ByteString> currentPasswords = null;
    if (oldPassword != null)
    {
      currentPasswords = newArrayList(oldPassword);
    }
    List<ByteString> newPasswords = newArrayList(newPassword);

    Map<AccountStatusNotificationProperty, List<String>> notifProperties =
        AccountStatusNotification.createProperties(pwPolicyState, false, -1, currentPasswords, newPasswords);
    if (selfChange)
    {
      pwPolicyState.generateAccountStatusNotification(
          PASSWORD_CHANGED, userEntry, INFO_MODIFY_PASSWORD_CHANGED.get(), notifProperties);
    }
    else
    {
      pwPolicyState.generateAccountStatusNotification(
          PASSWORD_RESET, userEntry, INFO_MODIFY_PASSWORD_RESET.get(), notifProperties);
    }
  }

  private String[] decodePassword(PasswordPolicyState pwPolicyState, String encodedPassword) throws DirectoryException
  {
    return pwPolicyState.getAuthenticationPolicy().isAuthPasswordSyntax()
        ? AuthPasswordSyntax.decodeAuthPassword(encodedPassword)
        : UserPasswordSyntax.decodeUserPassword(encodedPassword);
  }

  private PasswordStorageScheme<?> getPasswordStorageScheme(PasswordPolicyState pwPolicyState, String scheme)
  {
    return pwPolicyState.getAuthenticationPolicy().isAuthPasswordSyntax()
        ? DirectoryServer.getAuthPasswordStorageScheme(scheme)
        : DirectoryServer.getPasswordStorageScheme(toLowerCase(scheme));
  }

  private boolean passwordMatches(
      PasswordPolicyState pwPolicyState, PasswordStorageScheme<?> scheme, ByteString oldPassword, String[] components)
  {
    return pwPolicyState.getAuthenticationPolicy().isAuthPasswordSyntax()
        ? scheme.authPasswordMatches(oldPassword, components[1], components[2])
        : scheme.passwordMatches(oldPassword, ByteString.valueOfUtf8(components[1]));
  }

  private boolean isSelfChange(ByteString userIdentity, Entry requestorEntry, DN userDN, ByteString oldPassword)
  {
    if (userIdentity == null)
    {
      return true;
    }
    else if (requestorEntry != null)
    {
      return userDN.equals(requestorEntry.getName());
    }
    else
    {
      return oldPassword != null;
    }
  }

  private Modification newModification(ModificationType modType, AttributeType attrType, Collection<ByteString> value)
  {
    AttributeBuilder builder = new AttributeBuilder(attrType);
    builder.addAll(value);
    return new Modification(modType, builder.toAttribute());
  }


  /**
   * Retrieves the entry for the specified user based on the provided DN.  If any problem is encountered or
   * the requested entry does not exist, then the provided operation will be updated with appropriate result
   * information and this method will return <CODE>null</CODE>.
   * The caller must hold a write lock on the specified entry.
   *
   * @param  operation  The extended operation being processed.
   * @param  entryDN    The DN of the user entry to retrieve.
   *
   * @return  The requested entry, or <CODE>null</CODE> if there was no such entry or it could not be retrieved.
   */
  private Entry getEntryByDN(ExtendedOperation operation, DN entryDN)
  {
    // Retrieve the user's entry from the directory.  If it does not exist, then fail.
    try
    {
      Entry userEntry = DirectoryServer.getEntry(entryDN);

      if (userEntry == null)
      {
        operation.setResultCode(ResultCode.NO_SUCH_OBJECT);
        operation.appendErrorMessage(ERR_EXTOP_PASSMOD_NO_USER_ENTRY_BY_AUTHZID.get(entryDN));

        // See if one of the entry's ancestors exists.
        operation.setMatchedDN(findMatchedDN(entryDN));
        return null;
      }

      return userEntry;
    }
    catch (DirectoryException de)
    {
      logger.traceException(de);

      operation.setResultCode(de.getResultCode());
      operation.appendErrorMessage(de.getMessageObject());
      operation.setMatchedDN(de.getMatchedDN());
      operation.setReferralURLs(de.getReferralURLs());
      return null;
    }
  }

  private DN findMatchedDN(DN entryDN)
  {
    try
    {
      DN matchedDN = entryDN.getParentDNInSuffix();
      while (matchedDN != null)
      {
        if (DirectoryServer.entryExists(matchedDN))
        {
          return matchedDN;
        }

        matchedDN = matchedDN.getParentDNInSuffix();
      }
    }
    catch (Exception e)
    {
      logger.traceException(e);
    }
    return null;
  }

  @Override
  public boolean isConfigurationAcceptable(ExtendedOperationHandlerCfg configuration,
                                           List<LocalizableMessage> unacceptableReasons)
  {
    PasswordModifyExtendedOperationHandlerCfg config = (PasswordModifyExtendedOperationHandlerCfg) configuration;
    return isConfigurationChangeAcceptable(config, unacceptableReasons);
  }

  @Override
  public boolean isConfigurationChangeAcceptable(PasswordModifyExtendedOperationHandlerCfg config,
                                                 List<LocalizableMessage> unacceptableReasons)
  {
    try
    {
      // Make sure that the specified identity mapper is OK.
      DN mapperDN = config.getIdentityMapperDN();
      IdentityMapper<?> mapper = DirectoryServer.getIdentityMapper(mapperDN);
      if (mapper == null)
      {
        unacceptableReasons.add(ERR_EXTOP_PASSMOD_NO_SUCH_ID_MAPPER.get(mapperDN, config.dn()));
        return false;
      }
      return true;
    }
    catch (Exception e)
    {
      logger.traceException(e);

      unacceptableReasons.add(ERR_EXTOP_PASSMOD_CANNOT_DETERMINE_ID_MAPPER.get(config.dn(), getExceptionMessage(e)));
      return false;
    }
  }

  @Override
  public ConfigChangeResult applyConfigurationChange(PasswordModifyExtendedOperationHandlerCfg config)
  {
    final ConfigChangeResult ccr = new ConfigChangeResult();

    // Make sure that the specified identity mapper is OK.
    DN             mapperDN = null;
    IdentityMapper<?> mapper   = null;
    try
    {
      mapperDN = config.getIdentityMapperDN();
      mapper   = DirectoryServer.getIdentityMapper(mapperDN);
      if (mapper == null)
      {
        ccr.setResultCode(ResultCode.CONSTRAINT_VIOLATION);
        ccr.addMessage(ERR_EXTOP_PASSMOD_NO_SUCH_ID_MAPPER.get(mapperDN, config.dn()));
      }
    }
    catch (Exception e)
    {
      logger.traceException(e);

      ccr.setResultCode(DirectoryServer.getServerErrorResultCode());
      ccr.addMessage(ERR_EXTOP_PASSMOD_CANNOT_DETERMINE_ID_MAPPER.get(config.dn(), getExceptionMessage(e)));
    }

    // If all of the changes were acceptable, then apply them.
    if (ccr.getResultCode() == ResultCode.SUCCESS
        && ! identityMapperDN.equals(mapperDN))
    {
      identityMapper   = mapper;
      identityMapperDN = mapperDN;
    }

    // Save this configuration for future reference.
    currentConfig = config;

    return ccr;
  }

  @Override
  public String getExtendedOperationOID()
  {
    return OID_PASSWORD_MODIFY_REQUEST;
  }

  @Override
  public String getExtendedOperationName()
  {
    return "Password Modify";
  }
}