- switch (exp) {
- case ExtendPassword:
- // Extending Password give 5 extra days, max 8 days from now
- rv.add(GregorianCalendar.DATE, 5);
- now.add(GregorianCalendar.DATE, 8);
- if(rv.after(now)) {
- rv = now;
- }
- break;
- case Future:
- // Future requests last 15 days.
- now.add(GregorianCalendar.DATE, 15);
- rv = now;
- break;
- case Password:
- // Passwords expire in 90 days
- now.add(GregorianCalendar.DATE, 90);
- rv = now;
- break;
- case TempPassword:
- // Temporary Passwords last for 12 hours.
- now.add(GregorianCalendar.DATE, 90);
- rv = now;
- break;
- case UserDelegate:
- // Delegations expire max in 2 months, renewable to 3
- rv.add(GregorianCalendar.MONTH, 2);
- now.add(GregorianCalendar.MONTH, 3);
- if(rv.after(now)) {
- rv = now;
- }
- break;
- case UserInRole:
- // Roles expire in 6 months
- now.add(GregorianCalendar.MONTH, 6);
- rv = now;
- break;
- default:
- // Unless other wise set, 6 months is default
- now.add(GregorianCalendar.MONTH, 6);
- rv = now;
- break;
- }
- return rv;
- }
-
- @Override
- public EmailWarnings emailWarningPolicy() {
- return emailWarnings;
- }
-
- /**
- * Assume the Supervisor is the Approver.
- */
- @Override
- public List<Identity> getApprovers(AuthzTrans trans, String user) throws OrganizationException {
- Identity orgIdentity = getIdentity(trans, user);
- List<Identity> orgIdentitys = new ArrayList<Identity>();
- if(orgIdentity!=null) {
- Identity supervisor = orgIdentity.responsibleTo();
- if(supervisor!=null) {
- orgIdentitys.add(supervisor);
- }
- }
- return orgIdentitys;
- }
-
- @Override
- public String getApproverType() {
- return "supervisor";
- }
-
- @Override
- public int startOfDay() {
- // TODO Auto-generated method stub
- return 0;
- }
+ switch (exp) {
+ case ExtendPassword:
+ // Extending Password give 5 extra days, max 8 days from now
+ rv.add(GregorianCalendar.DATE, 5);
+ now.add(GregorianCalendar.DATE, 8);
+ if (rv.after(now)) {
+ rv = now;
+ }
+ break;
+ case Future:
+ // Future requests last 15 days.
+ now.add(GregorianCalendar.DATE, 15);
+ rv = now;
+ break;
+ case Password:
+ // Passwords expire in 90 days
+ now.add(GregorianCalendar.DATE, 90);
+ rv = now;
+ break;
+ case TempPassword:
+ // Temporary Passwords last for 12 hours.
+ now.add(GregorianCalendar.DATE, 90);
+ rv = now;
+ break;
+ case UserDelegate:
+ // Delegations expire max in 2 months, renewable to 3
+ rv.add(GregorianCalendar.MONTH, 2);
+ now.add(GregorianCalendar.MONTH, 3);
+ if (rv.after(now)) {
+ rv = now;
+ }
+ break;
+ case UserInRole:
+ // Roles expire in 6 months
+ now.add(GregorianCalendar.MONTH, 6);
+ rv = now;
+ break;
+ default:
+ // Unless other wise set, 6 months is default
+ now.add(GregorianCalendar.MONTH, 6);
+ rv = now;
+ break;
+ }
+ return rv;
+ }
+
+ @Override
+ public EmailWarnings emailWarningPolicy() {
+ return emailWarnings;
+ }
+
+ /**
+ * Assume the Supervisor is the Approver.
+ */
+ @Override
+ public List<Identity> getApprovers(AuthzTrans trans, String user) throws OrganizationException {
+ Identity orgIdentity = getIdentity(trans, user);
+ List<Identity> orgIdentitys = new ArrayList<>();
+ if (orgIdentity!=null) {
+ Identity supervisor = orgIdentity.responsibleTo();
+ if (supervisor!=null) {
+ orgIdentitys.add(supervisor);
+ }
+ }
+ return orgIdentitys;
+ }
+
+ @Override
+ public String getApproverType() {
+ return "supervisor";
+ }
+
+ @Override
+ public int startOfDay() {
+ // TODO Auto-generated method stub
+ return 0;
+ }
+
+ @Override
+ public boolean canHaveMultipleCreds(String id) {
+ // External entities are likely mono-password... if you change it, it is a global change.
+ // This is great for people, but horrible for Applications.
+ //
+ // AAF's Password can have multiple Passwords, each with their own Expiration Date.
+ // For Default Org, we'll assume true for all, but when you add your external
+ // Identity stores, you need to return "false" if they cannot support multiple Passwords like AAF
+ return true;
+ }
+
+ @Override
+ public String validate(AuthzTrans trans, Policy policy, Executor executor, String... vars) throws OrganizationException {
+ String user;
+ switch(policy) {
+ case OWNS_MECHID:
+ case CREATE_MECHID:
+ if (vars.length>0) {
+ DefaultOrgIdentity thisID = getIdentity(trans,vars[0]);
+ if ("a".equals(thisID.identity.status)) { // MechID
+ DefaultOrgIdentity requestor = getIdentity(trans, trans.user());
+ if (requestor!=null) {
+ Identity mechid = getIdentity(trans, vars[0]);
+ if (mechid!=null) {
+ Identity sponsor = mechid.responsibleTo();
+ if (sponsor!=null && requestor.fullID().equals(sponsor.fullID())) {
+ return null;
+ } else {
+ return trans.user() + " is not the Sponsor of MechID " + vars[0];
+ }
+ }
+ }
+ }
+ }
+ return null;
+
+ case CREATE_MECHID_BY_PERM_ONLY:
+ return getName() + " only allows sponsors to create MechIDs";
+
+ case MAY_EXTEND_CRED_EXPIRES:
+ // If parm, use it, otherwise, trans
+ user = vars.length>1?vars[1]:trans.user();
+ return executor.hasPermission(user, root_ns,"password", root_ns , "extend")
+ ?null:user + " does not have permission to extend passwords at " + getName();
+
+ default:
+ return policy.name() + " is unsupported at " + getName();
+ }
+ }
+
+ @Override
+ public boolean isTestEnv() {
+ return false;
+ }
+
+ @Override
+ public void setTestMode(boolean dryRun) {
+ this.dryRun = dryRun;
+ }
+
+ private String extractRealm(final String r) {
+ int at;
+ if ((at=r.indexOf('@'))>=0) {
+ return FQI.reverseDomain(r.substring(at+1));
+ }
+ return r;
+ }
+ @Override
+ public boolean supportsRealm(final String r) {
+ if (r.endsWith(realm)) {
+ return true;
+ } else {
+ String erealm = extractRealm(r);
+ for (String sr : supportedRealms) {
+ if (erealm.startsWith(sr)) {
+ return true;
+ }
+ }
+ }
+ return false;
+ }
+
+ @Override
+ public synchronized void addSupportedRealm(final String r) {
+ supportedRealms.add(extractRealm(r));
+ }
+
+ @Override
+ public int sendEmail(AuthzTrans trans, List<String> toList, List<String> ccList, String subject, String body,
+ Boolean urgent) throws OrganizationException {
+ if (mailer!=null) {
+ String mailFrom = mailer.mailFrom();
+ List<String> to = new ArrayList<>();
+ for (String em : toList) {
+ if (em.indexOf('@')<0) {
+ to.add(new DefaultOrgIdentity(trans, em, this).email());
+ } else {
+ to.add(em);
+ }
+ }