+++ /dev/null
-/*******************************************************************************\r
- * ============LICENSE_START====================================================\r
- * * org.onap.aaf\r
- * * ===========================================================================\r
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.\r
- * * ===========================================================================\r
- * * Licensed under the Apache License, Version 2.0 (the "License");\r
- * * you may not use this file except in compliance with the License.\r
- * * You may obtain a copy of the License at\r
- * * \r
- * * http://www.apache.org/licenses/LICENSE-2.0\r
- * * \r
- * * Unless required by applicable law or agreed to in writing, software\r
- * * distributed under the License is distributed on an "AS IS" BASIS,\r
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
- * * See the License for the specific language governing permissions and\r
- * * limitations under the License.\r
- * * ============LICENSE_END====================================================\r
- * *\r
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.\r
- * *\r
- ******************************************************************************/\r
-package org.onap.aaf.authz.org;\r
-\r
-import java.util.ArrayList;\r
-import java.util.Date;\r
-import java.util.GregorianCalendar;\r
-import java.util.HashSet;\r
-import java.util.List;\r
-import java.util.Set;\r
-\r
-import org.onap.aaf.authz.env.AuthzTrans;\r
-\r
-/**\r
- * Organization\r
- * \r
- * There is Organizational specific information required which we have extracted to a plugin\r
- * \r
- * It supports using Company Specific User Directory lookups, as well as supporting an\r
- * Approval/Validation Process to simplify control of Roles and Permissions for large organizations\r
- * in lieu of direct manipulation by a set of Admins. \r
- * \r
- *\r
- */\r
-public interface Organization {\r
- public static final String N_A = "n/a";\r
-\r
- public interface Identity {\r
- public String id();\r
- public String fullID(); // Fully Qualified ID (includes Domain of Organization)\r
- public String type(); // Must be one of "IdentityTypes", see below\r
- public String responsibleTo(); // Chain of Command, Comma Separated if required\r
- public List<String> delegate(); // Someone who has authority to act on behalf of Identity\r
- public String email();\r
- public String fullName();\r
- public boolean isResponsible(); // Is id passed belong to a person suitable to be Responsible for content Management\r
- public boolean isFound(); // Is Identity found in Identity stores\r
- public Identity owner() throws OrganizationException; // Identity is directly responsible for App ID\r
- public Organization org(); // Organization of Identity\r
- }\r
-\r
-\r
- /**\r
- * Name of Organization, suitable for Logging\r
- * @return\r
- */\r
- public String getName();\r
-\r
- /**\r
- * Realm, for use in distinguishing IDs from different systems/Companies\r
- * @return\r
- */\r
- public String getRealm();\r
-\r
- String getDomain();\r
-\r
- /**\r
- * Get Identity information based on userID\r
- * \r
- * @param id\r
- * @return\r
- */\r
- public Identity getIdentity(AuthzTrans trans, String id) throws OrganizationException;\r
- \r
-\r
- /**\r
- * Does the ID pass Organization Standards\r
- * \r
- * Return a Blank (empty) String if empty, otherwise, return a "\n" separated list of \r
- * reasons why it fails\r
- * \r
- * @param id\r
- * @return\r
- */\r
- public String isValidID(String id);\r
-\r
- /**\r
- * Return a Blank (empty) String if empty, otherwise, return a "\n" separated list of \r
- * reasons why it fails\r
- * \r
- * Identity is passed in to allow policies regarding passwords that are the same as user ID\r
- * \r
- * any entries for "prev" imply a reset\r
- * \r
- * @param id\r
- * @param password\r
- * @return\r
- */\r
- public String isValidPassword(String user, String password, String ... prev);\r
-\r
-\r
- /**\r
- * Does your Company distinguish essential permission structures by kind of Identity?\r
- * i.e. Employee, Contractor, Vendor \r
- * @return\r
- */\r
- public Set<String> getIdentityTypes();\r
-\r
- public enum Notify {\r
- Approval(1),\r
- PasswordExpiration(2),\r
- RoleExpiration(3);\r
-\r
- final int id;\r
- Notify(int id) {this.id = id;}\r
- public int getValue() {return id;}\r
- public static Notify from(int type) {\r
- for(Notify t : Notify.values()) {\r
- if(t.id==type) {\r
- return t;\r
- }\r
- }\r
- return null;\r
- }\r
- }\r
-\r
- public enum Response{\r
- OK,\r
- ERR_NotImplemented,\r
- ERR_UserNotExist,\r
- ERR_NotificationFailure,\r
- };\r
- \r
- public enum Expiration {\r
- Password,\r
- TempPassword, \r
- Future,\r
- UserInRole,\r
- UserDelegate, \r
- ExtendPassword\r
- }\r
- \r
- public enum Policy {\r
- CHANGE_JOB, \r
- LEFT_COMPANY, \r
- CREATE_MECHID, \r
- CREATE_MECHID_BY_PERM_ONLY,\r
- OWNS_MECHID,\r
- AS_EMPLOYEE, \r
- MAY_EXTEND_CRED_EXPIRES\r
- }\r
- \r
- /**\r
- * Notify a User of Action or Info\r
- * \r
- * @param type\r
- * @param url\r
- * @param users (separated by commas)\r
- * @param ccs (separated by commas)\r
- * @param summary\r
- */\r
-\r
- public Response notify(AuthzTrans trans, Notify type, String url, String ids[], String ccs[], String summary, Boolean urgent);\r
-\r
- /**\r
- * (more) generic way to send an email\r
- * \r
- * @param toList\r
- * @param ccList\r
- * @param subject\r
- * @param body\r
- * @param urgent\r
- */\r
-\r
- public int sendEmail(AuthzTrans trans, List<String> toList, List<String> ccList, String subject, String body, Boolean urgent) throws OrganizationException;\r
-\r
- /**\r
- * whenToValidate\r
- * \r
- * Authz support services will ask the Organization Object at startup when it should\r
- * kickoff Validation processes given particular types. \r
- * \r
- * This allows the Organization to express Policy\r
- * \r
- * Turn off Validation behavior by returning "null"\r
- * \r
- */\r
- public Date whenToValidate(Notify type, Date lastValidated);\r
-\r
- \r
- /**\r
- * Expiration\r
- * \r
- * Given a Calendar item of Start (or now), set the Expiration Date based on the Policy\r
- * based on type.\r
- * \r
- * For instance, "Passwords expire in 3 months"\r
- * \r
- * The Extra Parameter is used by certain Orgs.\r
- * \r
- * For Password, the extra is UserID, so it can check the Identity Type\r
- * \r
- * @param gc\r
- * @param exp\r
- * @return\r
- */\r
- public GregorianCalendar expiration(GregorianCalendar gc, Expiration exp, String ... extra);\r
- \r
- /**\r
- * Get Email Warning timing policies\r
- * @return\r
- */\r
- public EmailWarnings emailWarningPolicy();\r
-\r
- /**\r
- * \r
- * @param trans\r
- * @param user\r
- * @return\r
- */\r
- public List<Identity> getApprovers(AuthzTrans trans, String user) throws OrganizationException ;\r
- \r
- /*\r
- * \r
- * @param user\r
- * @param type\r
- * @param users\r
- * @return\r
- public Response notifyRequest(AuthzTrans trans, String user, Approval type, List<User> approvers);\r
- */\r
- \r
- /**\r
- * \r
- * @return\r
- */\r
- public String getApproverType();\r
-\r
- /*\r
- * startOfDay - define for company what hour of day business starts (specifically for password and other expiration which\r
- * were set by Date only.)\r
- * \r
- * @return\r
- */\r
- public int startOfDay();\r
-\r
- /**\r
- * implement this method to support any IDs that can have multiple entries in the cred table\r
- * NOTE: the combination of ID/expiration date/(encryption type when implemented) must be unique.\r
- * Since expiration date is based on startOfDay for your company, you cannot create many\r
- * creds for the same ID in the same day.\r
- * @param id\r
- * @return\r
- */\r
- public boolean canHaveMultipleCreds(String id);\r
- \r
- /**\r
- * \r
- * @param id\r
- * @return\r
- */\r
- public boolean isValidCred(String id);\r
- \r
- /**\r
- * If response is Null, then it is valid. Otherwise, the Organization specific reason is returned.\r
- * \r
- * @param trans\r
- * @param policy\r
- * @param executor\r
- * @param vars\r
- * @return\r
- * @throws OrganizationException\r
- */\r
- public String validate(AuthzTrans trans, Policy policy, Executor executor, String ... vars) throws OrganizationException;\r
-\r
- boolean isTestEnv();\r
-\r
- public void setTestMode(boolean dryRun);\r
-\r
- public static final Organization NULL = new Organization() \r
- {\r
- private final GregorianCalendar gc = new GregorianCalendar(1900, 1, 1);\r
- private final List<Identity> nullList = new ArrayList<Identity>();\r
- private final Set<String> nullStringSet = new HashSet<String>();\r
- private final Identity nullIdentity = new Identity() {\r
- List<String> nullIdentity = new ArrayList<String>();\r
- @Override\r
- public String type() {\r
- return N_A;\r
- }\r
- @Override\r
- public String responsibleTo() {\r
- return N_A;\r
- }\r
- @Override\r
- public boolean isResponsible() {\r
- return false;\r
- }\r
- \r
- @Override\r
- public boolean isFound() {\r
- return false;\r
- }\r
- \r
- @Override\r
- public String id() {\r
- return N_A;\r
- }\r
- \r
- @Override\r
- public String fullID() {\r
- return N_A;\r
- }\r
- \r
- @Override\r
- public String email() {\r
- return N_A;\r
- }\r
- \r
- @Override\r
- public List<String> delegate() {\r
- return nullIdentity;\r
- }\r
- @Override\r
- public String fullName() {\r
- return N_A;\r
- }\r
- @Override\r
- public Identity owner() {\r
- return null;\r
- }\r
- @Override\r
- public Organization org() {\r
- return NULL;\r
- }\r
- };\r
-\r
- @Override\r
- public String getName() {\r
- return N_A;\r
- }\r
- \r
- @Override\r
- public String getRealm() {\r
- return N_A;\r
- }\r
- \r
- @Override\r
- public String getDomain() {\r
- return N_A;\r
- }\r
- \r
- @Override\r
- public Identity getIdentity(AuthzTrans trans, String id) {\r
- return nullIdentity;\r
- }\r
- \r
- @Override\r
- public String isValidID(String id) {\r
- return N_A;\r
- }\r
- \r
- @Override\r
- public String isValidPassword(String user, String password,String... prev) {\r
- return N_A;\r
- }\r
- \r
- @Override\r
- public Set<String> getIdentityTypes() {\r
- return nullStringSet;\r
- }\r
- \r
- @Override\r
- public Response notify(AuthzTrans trans, Notify type, String url,\r
- String[] users, String[] ccs, String summary, Boolean urgent) {\r
- return Response.ERR_NotImplemented;\r
- }\r
- \r
- @Override\r
- public int sendEmail(AuthzTrans trans, List<String> toList, List<String> ccList,\r
- String subject, String body, Boolean urgent) throws OrganizationException {\r
- return 0;\r
- }\r
- \r
- @Override\r
- public Date whenToValidate(Notify type, Date lastValidated) {\r
- return gc.getTime();\r
- }\r
- \r
- @Override\r
- public GregorianCalendar expiration(GregorianCalendar gc,\r
- Expiration exp, String... extra) {\r
- return gc==null?new GregorianCalendar():gc;\r
- }\r
- \r
- @Override\r
- public List<Identity> getApprovers(AuthzTrans trans, String user)\r
- throws OrganizationException {\r
- return nullList;\r
- }\r
- \r
- @Override\r
- public String getApproverType() {\r
- return "";\r
- }\r
- \r
- @Override\r
- public int startOfDay() {\r
- return 0;\r
- }\r
- \r
- @Override\r
- public boolean canHaveMultipleCreds(String id) {\r
- return false;\r
- }\r
- \r
- @Override\r
- public boolean isValidCred(String id) {\r
- return false;\r
- }\r
- \r
- @Override\r
- public String validate(AuthzTrans trans, Policy policy, Executor executor, String ... vars)\r
- throws OrganizationException {\r
- return "Null Organization rejects all Policies";\r
- }\r
- \r
- @Override\r
- public boolean isTestEnv() {\r
- return false;\r
- }\r
- \r
- @Override\r
- public void setTestMode(boolean dryRun) {\r
- }\r
-\r
- @Override\r
- public EmailWarnings emailWarningPolicy() {\r
- return new EmailWarnings() {\r
-\r
- @Override\r
- public long credEmailInterval()\r
- {\r
- return 604800000L; // 7 days in millis 1000 * 86400 * 7\r
- }\r
- \r
- @Override\r
- public long roleEmailInterval()\r
- {\r
- return 604800000L; // 7 days in millis 1000 * 86400 * 7\r
- }\r
- \r
- @Override\r
- public long apprEmailInterval() {\r
- return 259200000L; // 3 days in millis 1000 * 86400 * 3\r
- }\r
- \r
- @Override\r
- public long credExpirationWarning()\r
- {\r
- return( 2592000000L ); // One month, in milliseconds 1000 * 86400 * 30 in milliseconds\r
- }\r
- \r
- @Override\r
- public long roleExpirationWarning()\r
- {\r
- return( 2592000000L ); // One month, in milliseconds 1000 * 86400 * 30 in milliseconds\r
- }\r
-\r
- @Override\r
- public long emailUrgentWarning()\r
- {\r
- return( 1209600000L ); // Two weeks, in milliseconds 1000 * 86400 * 14 in milliseconds\r
- }\r
-\r
- };\r
- }\r
- };\r
-}\r
-\r
-\r