From 3c855e81665e9da47244c585009add62bef735db Mon Sep 17 00:00:00 2001
From: Edward Valley <ed.valley@yandex.com>
Date: Tue, 5 Apr 2022 18:47:36 -0400
Subject: [PATCH] Make password expiration time attribute configurable

---
 .../main/java/password/pwm/config/PwmSetting.java  |  2 ++
 .../password/pwm/ldap/LdapOperationsHelper.java    | 14 ++++++++++++--
 .../java/password/pwm/ldap/UserInfoReader.java     |  2 +-
 .../password/pwm/svc/pwnotify/PwNotifyEngine.java  |  5 ++---
 .../resources/password/pwm/config/PwmSetting.xml   |  7 +++++++
 .../password/pwm/i18n/PwmSetting.properties        |  2 ++
 6 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/server/src/main/java/password/pwm/config/PwmSetting.java b/server/src/main/java/password/pwm/config/PwmSetting.java
index 994d6c8ac..0fef214d1 100644
--- a/server/src/main/java/password/pwm/config/PwmSetting.java
+++ b/server/src/main/java/password/pwm/config/PwmSetting.java
@@ -252,6 +252,8 @@ public enum PwmSetting
             "ldap.namingAttribute", PwmSettingSyntax.STRING, PwmSettingCategory.LDAP_ATTRIBUTES ),
     PASSWORD_LAST_UPDATE_ATTRIBUTE(
             "passwordLastUpdateAttribute", PwmSettingSyntax.STRING, PwmSettingCategory.LDAP_ATTRIBUTES ),
+    PASSWORD_EXPIRATION_TIME_ATTRIBUTE(
+            "passwordExpirationTimeAttribute", PwmSettingSyntax.STRING, PwmSettingCategory.LDAP_ATTRIBUTES ),
     LDAP_USER_GROUP_ATTRIBUTE(
             "ldap.user.group.attribute", PwmSettingSyntax.STRING, PwmSettingCategory.LDAP_ATTRIBUTES ),
     LDAP_GROUP_LABEL_ATTRIBUTE(
diff --git a/server/src/main/java/password/pwm/ldap/LdapOperationsHelper.java b/server/src/main/java/password/pwm/ldap/LdapOperationsHelper.java
index 3faf7b84f..66009b682 100644
--- a/server/src/main/java/password/pwm/ldap/LdapOperationsHelper.java
+++ b/server/src/main/java/password/pwm/ldap/LdapOperationsHelper.java
@@ -849,11 +849,21 @@ public static Map<String, List<String>> readAllEntryAttributeValues( final ChaiE
         return Collections.emptyMap();
     }
 
-    public static Instant readPasswordExpirationTime( final ChaiUser theUser )
+    public static Instant readPasswordExpirationTime(
+            final PwmDomain pwmDomain,
+            final SessionLabel sessionLabel,
+            final UserIdentity userIdentity
+    )
     {
         try
         {
-            Instant ldapPasswordExpirationTime = theUser.readPasswordExpirationDate();
+            final ChaiUser theUser = pwmDomain.getProxiedChaiUser( sessionLabel, userIdentity );
+
+            final LdapProfile ldapProfile = pwmDomain.getConfig().getLdapProfiles().get( userIdentity.getLdapProfileID() );
+            final String expirationTimeAttribute = ldapProfile.readSettingAsString( PwmSetting.PASSWORD_EXPIRATION_TIME_ATTRIBUTE );
+
+            Instant ldapPasswordExpirationTime = expirationTimeAttribute != null ? theUser.readDateAttribute( expirationTimeAttribute ) : theUser.readPasswordExpirationDate();
+
             if ( ldapPasswordExpirationTime != null && ldapPasswordExpirationTime.toEpochMilli() < 0 )
             {
                 // If ldapPasswordExpirationTime is less than 0, this may indicate an extremely late date, past the epoch.
diff --git a/server/src/main/java/password/pwm/ldap/UserInfoReader.java b/server/src/main/java/password/pwm/ldap/UserInfoReader.java
index 404f3765f..b2f764b31 100644
--- a/server/src/main/java/password/pwm/ldap/UserInfoReader.java
+++ b/server/src/main/java/password/pwm/ldap/UserInfoReader.java
@@ -203,7 +203,7 @@ public UserIdentity getUserIdentity( )
     @Override
     public Instant getPasswordExpirationTime( ) throws PwmUnrecoverableException
     {
-        return LdapOperationsHelper.readPasswordExpirationTime( chaiUser );
+        return LdapOperationsHelper.readPasswordExpirationTime( pwmDomain, sessionLabel, userIdentity );
     }
 
     @Override
diff --git a/server/src/main/java/password/pwm/svc/pwnotify/PwNotifyEngine.java b/server/src/main/java/password/pwm/svc/pwnotify/PwNotifyEngine.java
index 211e98b0f..ffbd8d56d 100644
--- a/server/src/main/java/password/pwm/svc/pwnotify/PwNotifyEngine.java
+++ b/server/src/main/java/password/pwm/svc/pwnotify/PwNotifyEngine.java
@@ -20,7 +20,6 @@
 
 package password.pwm.svc.pwnotify;
 
-import com.novell.ldapchai.ChaiUser;
 import password.pwm.PwmDomain;
 import password.pwm.bean.EmailItemBean;
 import password.pwm.bean.UserIdentity;
@@ -238,8 +237,8 @@ private void processUserIdentity(
         }
 
         examinedCount.incrementAndGet();
-        final ChaiUser theUser = pwmDomain.getProxiedChaiUser( pwNotifyService.getSessionLabel(), userIdentity );
-        final Instant passwordExpirationTime = LdapOperationsHelper.readPasswordExpirationTime( theUser );
+
+        final Instant passwordExpirationTime = LdapOperationsHelper.readPasswordExpirationTime( pwmDomain, pwNotifyService.getSessionLabel(), userIdentity );
 
         if ( passwordExpirationTime == null )
         {
diff --git a/server/src/main/resources/password/pwm/config/PwmSetting.xml b/server/src/main/resources/password/pwm/config/PwmSetting.xml
index 764256f79..81afe05a6 100644
--- a/server/src/main/resources/password/pwm/config/PwmSetting.xml
+++ b/server/src/main/resources/password/pwm/config/PwmSetting.xml
@@ -623,6 +623,13 @@
             <value/>
         </default>
     </setting>
+    <setting hidden="false" key="passwordExpirationTimeAttribute" level="2">
+        <ldapPermission actor="proxy" access="write"/>
+        <regex>^[a-zA-Z][a-zA-Z0-9-]*$</regex>
+        <default>
+            <value/>
+        </default>
+    </setting>
     <setting hidden="false" key="ldap.user.group.attribute" level="2">
         <regex>^[a-zA-Z][a-zA-Z0-9-]*$</regex>
         <default>
diff --git a/server/src/main/resources/password/pwm/i18n/PwmSetting.properties b/server/src/main/resources/password/pwm/i18n/PwmSetting.properties
index 980ccc027..6dd7032e7 100644
--- a/server/src/main/resources/password/pwm/i18n/PwmSetting.properties
+++ b/server/src/main/resources/password/pwm/i18n/PwmSetting.properties
@@ -576,6 +576,7 @@ Setting_Description_changePassword.enable=Enable or Disable the change password
 Setting_Description_password.allowChange.queryMatch=Specify the permissions used to detect if @PwmAppName@ permits users to change their passwords.
 Setting_Description_password.change.requireCurrent=Enable this option to require users to provide their current passwords on the Change Password page. You must enable this option if users are using a single sign-on service. In most cases, this is not required because the single sign-on service authenticates the users prior to accessing the Change Password page.
 Setting_Description_passwordLastUpdateAttribute=Specify the attribute that @PwmAppName@ uses to mark when the user updates password. Plus @PwmAppName@ uses it during replication checks and other processes.
+Setting_Description_passwordExpirationTimeAttribute=Specify the attribute that @PwmAppName@ uses to read the user password expiration time.
 Setting_Description_password.policy.ADComplexity=Enforce Microsoft Active Directory 2003 style password complexity rules\:<ul><li>Not contain the user's account name or parts of the user's full name that exceed two consecutive characters</li><li>Be at least six characters in length</li><li>Contain characters from three of the following four categories\:<ul><li>English uppercase characters (A through Z)</li><li>English lowercase characters (a through z)</li><li>Base 10 digits (0 through 9)</li><li>Non-alphabetic characters (for example, \!, $, \#, %)</li></ul></ul>
 Setting_Description_password.policy.ADComplexityLevel=Select the Microsoft Active Directory style password complexity rules. <p><code>AD 2003 Level Complexity\:</code></p> <ul> <li>Cannot contain the user's account name or parts of the user's full name that exceed two consecutive characters</li> <li>Minimum 6 characters</li> <li>Maximum 128 characters</li> <li> Must contain characters from three of the following four categories\: <ul> <li>English uppercase characters (A through Z)</li> <li>English lowercase characters (a through z)</li> <li>Base 10 digits (0 through 9)</li> <li>Non-alphabetic characters (For example, \!, $, \#, %)</li> </ul> </li> </ul> <p><code>AD 2008 Level Complexity\:</code></p> <ul> <li>Cannot contain the user's account name or parts of the user's full name that exceed two consecutive characters</li> <li>Minimum 6 characters</li> <li>Maximum 512 characters</li> <li> Must contain characters from several of the following categories. The setting <a data-gotoSettingLink\="password.policy.ADComplexityMaxViolations">@PwmSettingReference\:password.policy.ADComplexityMaxViolations@</a> specifies the exact number of catagories.<ul> <li>European language uppercase alphabetic characters</li> <li>European language lowercase alphabetic characters</li> <li>Base 10 digits (0 through 9)</li> <li>Non-alphabetic characters (for example, \!, $, \#, %)</li> <li>Other alphabetic characters not included in the other categories</li> </ul> </li> </ul>
 Setting_Description_password.policy.ADComplexityMaxViolations=Specify the maximum number of Active Directory 2008 Level Complexity category violations.  This setting has no effect unless the setting <a data-gotoSettingLink\="password.policy.ADComplexityLevel">@PwmSettingReference\:password.policy.ADComplexityLevel@</a> is set to <code>AD 2008 Level Complexity</code>.
@@ -1117,6 +1118,7 @@ Setting_Label_changePassword.enable=Enable Change Password Module
 Setting_Label_password.allowChange.queryMatch=Change Password Profile Match
 Setting_Label_password.change.requireCurrent=Require Current Password During Change
 Setting_Label_passwordLastUpdateAttribute=Last Password Update Attribute
+Setting_Label_passwordExpirationTimeAttribute=Password Expiration Time Attribute
 Setting_Label_password.policy.ADComplexity=DEPRECATED-Enforce Microsoft-AD 2003 Password Complexity
 Setting_Label_password.policy.ADComplexityLevel=Active Directory Password Complexity
 Setting_Label_password.policy.ADComplexityMaxViolations=Active Directory 2008 Password Complexity Maximum Violations