1 /*******************************************************************************
\r
2 * ============LICENSE_START====================================================
\r
4 * * ===========================================================================
\r
5 * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
\r
6 * * ===========================================================================
\r
7 * * Licensed under the Apache License, Version 2.0 (the "License");
\r
8 * * you may not use this file except in compliance with the License.
\r
9 * * You may obtain a copy of the License at
\r
11 * * http://www.apache.org/licenses/LICENSE-2.0
\r
13 * * Unless required by applicable law or agreed to in writing, software
\r
14 * * distributed under the License is distributed on an "AS IS" BASIS,
\r
15 * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
16 * * See the License for the specific language governing permissions and
\r
17 * * limitations under the License.
\r
18 * * ============LICENSE_END====================================================
\r
20 * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
\r
22 ******************************************************************************/
\r
23 package com.att.authz.org;
\r
25 import java.util.ArrayList;
\r
26 import java.util.Date;
\r
27 import java.util.GregorianCalendar;
\r
28 import java.util.HashSet;
\r
29 import java.util.List;
\r
30 import java.util.Set;
\r
32 import com.att.authz.env.AuthzTrans;
\r
37 * There is Organizational specific information required which we have extracted to a plugin
\r
39 * It supports using Company Specific User Directory lookups, as well as supporting an
\r
40 * Approval/Validation Process to simplify control of Roles and Permissions for large organizations
\r
41 * in lieu of direct manipulation by a set of Admins.
\r
45 public interface Organization {
\r
46 public static final String N_A = "n/a";
\r
48 public interface Identity {
\r
50 public String fullID(); // Fully Qualified ID (includes Domain of Organization)
\r
51 public String type(); // Must be one of "IdentityTypes", see below
\r
52 public String responsibleTo(); // Chain of Command, Comma Separated if required
\r
53 public List<String> delegate(); // Someone who has authority to act on behalf of Identity
\r
54 public String email();
\r
55 public String fullName();
\r
56 public boolean isResponsible(); // Is id passed belong to a person suitable to be Responsible for content Management
\r
57 public boolean isFound(); // Is Identity found in Identity stores
\r
58 public Identity owner() throws OrganizationException; // Identity is directly responsible for App ID
\r
59 public Organization org(); // Organization of Identity
\r
64 * Name of Organization, suitable for Logging
\r
67 public String getName();
\r
70 * Realm, for use in distinguishing IDs from different systems/Companies
\r
73 public String getRealm();
\r
78 * Get Identity information based on userID
\r
83 public Identity getIdentity(AuthzTrans trans, String id) throws OrganizationException;
\r
87 * Does the ID pass Organization Standards
\r
89 * Return a Blank (empty) String if empty, otherwise, return a "\n" separated list of
\r
90 * reasons why it fails
\r
95 public String isValidID(String id);
\r
98 * Return a Blank (empty) String if empty, otherwise, return a "\n" separated list of
\r
99 * reasons why it fails
\r
101 * Identity is passed in to allow policies regarding passwords that are the same as user ID
\r
103 * any entries for "prev" imply a reset
\r
109 public String isValidPassword(String user, String password, String ... prev);
\r
113 * Does your Company distinguish essential permission structures by kind of Identity?
\r
114 * i.e. Employee, Contractor, Vendor
\r
117 public Set<String> getIdentityTypes();
\r
119 public enum Notify {
\r
121 PasswordExpiration(2),
\r
125 Notify(int id) {this.id = id;}
\r
126 public int getValue() {return id;}
\r
127 public static Notify from(int type) {
\r
128 for(Notify t : Notify.values()) {
\r
137 public enum Response{
\r
139 ERR_NotImplemented,
\r
141 ERR_NotificationFailure,
\r
144 public enum Expiration {
\r
153 public enum Policy {
\r
157 CREATE_MECHID_BY_PERM_ONLY,
\r
160 MAY_EXTEND_CRED_EXPIRES
\r
164 * Notify a User of Action or Info
\r
168 * @param users (separated by commas)
\r
169 * @param ccs (separated by commas)
\r
173 public Response notify(AuthzTrans trans, Notify type, String url, String ids[], String ccs[], String summary, Boolean urgent);
\r
176 * (more) generic way to send an email
\r
185 public int sendEmail(AuthzTrans trans, List<String> toList, List<String> ccList, String subject, String body, Boolean urgent) throws OrganizationException;
\r
190 * Authz support services will ask the Organization Object at startup when it should
\r
191 * kickoff Validation processes given particular types.
\r
193 * This allows the Organization to express Policy
\r
195 * Turn off Validation behavior by returning "null"
\r
198 public Date whenToValidate(Notify type, Date lastValidated);
\r
204 * Given a Calendar item of Start (or now), set the Expiration Date based on the Policy
\r
207 * For instance, "Passwords expire in 3 months"
\r
209 * The Extra Parameter is used by certain Orgs.
\r
211 * For Password, the extra is UserID, so it can check the Identity Type
\r
217 public GregorianCalendar expiration(GregorianCalendar gc, Expiration exp, String ... extra);
\r
220 * Get Email Warning timing policies
\r
223 public EmailWarnings emailWarningPolicy();
\r
231 public List<Identity> getApprovers(AuthzTrans trans, String user) throws OrganizationException ;
\r
239 public Response notifyRequest(AuthzTrans trans, String user, Approval type, List<User> approvers);
\r
246 public String getApproverType();
\r
249 * startOfDay - define for company what hour of day business starts (specifically for password and other expiration which
\r
250 * were set by Date only.)
\r
254 public int startOfDay();
\r
257 * implement this method to support any IDs that can have multiple entries in the cred table
\r
258 * NOTE: the combination of ID/expiration date/(encryption type when implemented) must be unique.
\r
259 * Since expiration date is based on startOfDay for your company, you cannot create many
\r
260 * creds for the same ID in the same day.
\r
264 public boolean canHaveMultipleCreds(String id);
\r
271 public boolean isValidCred(String id);
\r
274 * If response is Null, then it is valid. Otherwise, the Organization specific reason is returned.
\r
281 * @throws OrganizationException
\r
283 public String validate(AuthzTrans trans, Policy policy, Executor executor, String ... vars) throws OrganizationException;
\r
285 boolean isTestEnv();
\r
287 public void setTestMode(boolean dryRun);
\r
289 public static final Organization NULL = new Organization()
\r
291 private final GregorianCalendar gc = new GregorianCalendar(1900, 1, 1);
\r
292 private final List<Identity> nullList = new ArrayList<Identity>();
\r
293 private final Set<String> nullStringSet = new HashSet<String>();
\r
294 private final Identity nullIdentity = new Identity() {
\r
295 List<String> nullIdentity = new ArrayList<String>();
\r
297 public String type() {
\r
301 public String responsibleTo() {
\r
305 public boolean isResponsible() {
\r
310 public boolean isFound() {
\r
315 public String id() {
\r
320 public String fullID() {
\r
325 public String email() {
\r
330 public List<String> delegate() {
\r
331 return nullIdentity;
\r
334 public String fullName() {
\r
338 public Identity owner() {
\r
342 public Organization org() {
\r
348 public String getName() {
\r
353 public String getRealm() {
\r
358 public String getDomain() {
\r
363 public Identity getIdentity(AuthzTrans trans, String id) {
\r
364 return nullIdentity;
\r
368 public String isValidID(String id) {
\r
373 public String isValidPassword(String user, String password,String... prev) {
\r
378 public Set<String> getIdentityTypes() {
\r
379 return nullStringSet;
\r
383 public Response notify(AuthzTrans trans, Notify type, String url,
\r
384 String[] users, String[] ccs, String summary, Boolean urgent) {
\r
385 return Response.ERR_NotImplemented;
\r
389 public int sendEmail(AuthzTrans trans, List<String> toList, List<String> ccList,
\r
390 String subject, String body, Boolean urgent) throws OrganizationException {
\r
395 public Date whenToValidate(Notify type, Date lastValidated) {
\r
396 return gc.getTime();
\r
400 public GregorianCalendar expiration(GregorianCalendar gc,
\r
401 Expiration exp, String... extra) {
\r
402 return gc==null?new GregorianCalendar():gc;
\r
406 public List<Identity> getApprovers(AuthzTrans trans, String user)
\r
407 throws OrganizationException {
\r
412 public String getApproverType() {
\r
417 public int startOfDay() {
\r
422 public boolean canHaveMultipleCreds(String id) {
\r
427 public boolean isValidCred(String id) {
\r
432 public String validate(AuthzTrans trans, Policy policy, Executor executor, String ... vars)
\r
433 throws OrganizationException {
\r
434 return "Null Organization rejects all Policies";
\r
438 public boolean isTestEnv() {
\r
443 public void setTestMode(boolean dryRun) {
\r
447 public EmailWarnings emailWarningPolicy() {
\r
448 return new EmailWarnings() {
\r
451 public long credEmailInterval()
\r
453 return 604800000L; // 7 days in millis 1000 * 86400 * 7
\r
457 public long roleEmailInterval()
\r
459 return 604800000L; // 7 days in millis 1000 * 86400 * 7
\r
463 public long apprEmailInterval() {
\r
464 return 259200000L; // 3 days in millis 1000 * 86400 * 3
\r
468 public long credExpirationWarning()
\r
470 return( 2592000000L ); // One month, in milliseconds 1000 * 86400 * 30 in milliseconds
\r
474 public long roleExpirationWarning()
\r
476 return( 2592000000L ); // One month, in milliseconds 1000 * 86400 * 30 in milliseconds
\r
480 public long emailUrgentWarning()
\r
482 return( 1209600000L ); // Two weeks, in milliseconds 1000 * 86400 * 14 in milliseconds
\r
Code Review / aaf / authz.git / blob