Update project structure to org.onap.aaf
diff --git a/authz-core/src/main/java/org/onap/aaf/authz/org/Organization.java b/authz-core/src/main/java/org/onap/aaf/authz/org/Organization.java
new file mode 100644 (file)
index 0000000..2ed4d37
--- /dev/null
@@ -0,0 +1,490 @@
+/*******************************************************************************\r
+ * ============LICENSE_START====================================================\r
+ * * org.onap.aaf\r
+ * * ===========================================================================\r
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.\r
+ * * ===========================================================================\r
+ * * Licensed under the Apache License, Version 2.0 (the "License");\r
+ * * you may not use this file except in compliance with the License.\r
+ * * You may obtain a copy of the License at\r
+ * * \r
+ *  *      http://www.apache.org/licenses/LICENSE-2.0\r
+ * * \r
+ *  * Unless required by applicable law or agreed to in writing, software\r
+ * * distributed under the License is distributed on an "AS IS" BASIS,\r
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+ * * See the License for the specific language governing permissions and\r
+ * * limitations under the License.\r
+ * * ============LICENSE_END====================================================\r
+ * *\r
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.\r
+ * *\r
+ ******************************************************************************/\r
+package org.onap.aaf.authz.org;\r
+\r
+import java.util.ArrayList;\r
+import java.util.Date;\r
+import java.util.GregorianCalendar;\r
+import java.util.HashSet;\r
+import java.util.List;\r
+import java.util.Set;\r
+\r
+import org.onap.aaf.authz.env.AuthzTrans;\r
+\r
+/**\r
+ * Organization\r
+ * \r
+ * There is Organizational specific information required which we have extracted to a plugin\r
+ * \r
+ * It supports using Company Specific User Directory lookups, as well as supporting an\r
+ * Approval/Validation Process to simplify control of Roles and Permissions for large organizations\r
+ * in lieu of direct manipulation by a set of Admins. \r
+ *  \r
+ *\r
+ */\r
+public interface Organization {\r
+       public static final String N_A = "n/a";\r
+\r
+       public interface Identity {\r
+               public String id();\r
+               public String fullID();                                 // Fully Qualified ID (includes Domain of Organization)\r
+               public String type();                                   // Must be one of "IdentityTypes", see below\r
+               public String responsibleTo();          // Chain of Command, Comma Separated if required\r
+               public List<String> delegate();                 // Someone who has authority to act on behalf of Identity\r
+               public String email();\r
+               public String fullName();\r
+               public boolean isResponsible();                 // Is id passed belong to a person suitable to be Responsible for content Management\r
+               public boolean isFound();                               // Is Identity found in Identity stores\r
+               public Identity owner() throws OrganizationException;                                   // Identity is directly responsible for App ID\r
+               public Organization org();                              // Organization of Identity\r
+       }\r
+\r
+\r
+       /**\r
+        * Name of Organization, suitable for Logging\r
+        * @return\r
+        */\r
+       public String getName();\r
+\r
+       /**\r
+        * Realm, for use in distinguishing IDs from different systems/Companies\r
+        * @return\r
+        */\r
+       public String getRealm();\r
+\r
+       String getDomain();\r
+\r
+       /**\r
+        * Get Identity information based on userID\r
+        * \r
+        * @param id\r
+        * @return\r
+        */\r
+       public Identity getIdentity(AuthzTrans trans, String id) throws OrganizationException;\r
+       \r
+\r
+       /**\r
+        * Does the ID pass Organization Standards\r
+        * \r
+        * Return a Blank (empty) String if empty, otherwise, return a "\n" separated list of \r
+        * reasons why it fails\r
+        * \r
+        * @param id\r
+        * @return\r
+        */\r
+       public String isValidID(String id);\r
+\r
+       /**\r
+        * Return a Blank (empty) String if empty, otherwise, return a "\n" separated list of \r
+        * reasons why it fails\r
+        *  \r
+        *  Identity is passed in to allow policies regarding passwords that are the same as user ID\r
+        *  \r
+        *  any entries for "prev" imply a reset\r
+        *  \r
+        * @param id\r
+        * @param password\r
+        * @return\r
+        */\r
+       public String isValidPassword(String user, String password, String ... prev);\r
+\r
+\r
+       /**\r
+        * Does your Company distinguish essential permission structures by kind of Identity?\r
+        * i.e. Employee, Contractor, Vendor \r
+        * @return\r
+        */\r
+       public Set<String> getIdentityTypes();\r
+\r
+       public enum Notify {\r
+               Approval(1),\r
+               PasswordExpiration(2),\r
+        RoleExpiration(3);\r
+\r
+               final int id;\r
+               Notify(int id) {this.id = id;}\r
+               public int getValue() {return id;}\r
+               public static Notify from(int type) {\r
+                       for(Notify t : Notify.values()) {\r
+                               if(t.id==type) {\r
+                                       return t;\r
+                               }\r
+                       }\r
+                       return null;\r
+               }\r
+       }\r
+\r
+       public enum Response{\r
+               OK,\r
+               ERR_NotImplemented,\r
+               ERR_UserNotExist,\r
+               ERR_NotificationFailure,\r
+               };\r
+               \r
+       public enum Expiration {\r
+               Password,\r
+               TempPassword, \r
+               Future,\r
+               UserInRole,\r
+               UserDelegate, \r
+               ExtendPassword\r
+       }\r
+       \r
+       public enum Policy {\r
+               CHANGE_JOB, \r
+               LEFT_COMPANY, \r
+               CREATE_MECHID, \r
+               CREATE_MECHID_BY_PERM_ONLY,\r
+               OWNS_MECHID,\r
+               AS_EMPLOYEE, \r
+               MAY_EXTEND_CRED_EXPIRES\r
+       }\r
+       \r
+       /**\r
+        * Notify a User of Action or Info\r
+        * \r
+        * @param type\r
+        * @param url\r
+        * @param users (separated by commas)\r
+        * @param ccs (separated by commas)\r
+        * @param summary\r
+        */\r
+\r
+    public Response notify(AuthzTrans trans, Notify type, String url, String ids[], String ccs[], String summary, Boolean urgent);\r
+\r
+       /**\r
+        * (more) generic way to send an email\r
+        * \r
+        * @param toList\r
+        * @param ccList\r
+        * @param subject\r
+        * @param body\r
+        * @param urgent\r
+        */\r
+\r
+       public int sendEmail(AuthzTrans trans, List<String> toList, List<String> ccList, String subject, String body, Boolean urgent) throws OrganizationException;\r
+\r
+       /**\r
+        * whenToValidate\r
+        * \r
+        * Authz support services will ask the Organization Object at startup when it should\r
+        * kickoff Validation processes given particular types. \r
+        * \r
+        * This allows the Organization to express Policy\r
+        * \r
+        * Turn off Validation behavior by returning "null"\r
+        * \r
+        */\r
+       public Date whenToValidate(Notify type, Date lastValidated);\r
+\r
+       \r
+       /**\r
+        * Expiration\r
+        * \r
+        * Given a Calendar item of Start (or now), set the Expiration Date based on the Policy\r
+        * based on type.\r
+        * \r
+        * For instance, "Passwords expire in 3 months"\r
+        * \r
+        * The Extra Parameter is used by certain Orgs.\r
+        * \r
+        * For Password, the extra is UserID, so it can check the Identity Type\r
+        * \r
+        * @param gc\r
+        * @param exp\r
+        * @return\r
+        */\r
+       public GregorianCalendar expiration(GregorianCalendar gc, Expiration exp, String ... extra);\r
+       \r
+       /**\r
+        * Get Email Warning timing policies\r
+        * @return\r
+        */\r
+       public EmailWarnings emailWarningPolicy();\r
+\r
+       /**\r
+        * \r
+        * @param trans\r
+        * @param user\r
+        * @return\r
+        */\r
+       public List<Identity> getApprovers(AuthzTrans trans, String user) throws OrganizationException ;\r
+       \r
+       /*\r
+        * \r
+        * @param user\r
+        * @param type\r
+        * @param users\r
+        * @return\r
+       public Response notifyRequest(AuthzTrans trans, String user, Approval type, List<User> approvers);\r
+       */\r
+       \r
+       /**\r
+        * \r
+        * @return\r
+        */\r
+       public String getApproverType();\r
+\r
+       /*\r
+        * startOfDay - define for company what hour of day business starts (specifically for password and other expiration which\r
+        *   were set by Date only.)\r
+        *    \r
+        * @return\r
+        */\r
+       public int startOfDay();\r
+\r
+    /**\r
+     * implement this method to support any IDs that can have multiple entries in the cred table\r
+     * NOTE: the combination of ID/expiration date/(encryption type when implemented) must be unique.\r
+     *                  Since expiration date is based on startOfDay for your company, you cannot create many\r
+     *                  creds for the same ID in the same day.\r
+     * @param id\r
+     * @return\r
+     */\r
+    public boolean canHaveMultipleCreds(String id);\r
+    \r
+    /**\r
+     * \r
+     * @param id\r
+     * @return\r
+     */\r
+    public boolean isValidCred(String id);\r
+    \r
+    /**\r
+     * If response is Null, then it is valid.  Otherwise, the Organization specific reason is returned.\r
+     *  \r
+     * @param trans\r
+     * @param policy\r
+     * @param executor\r
+     * @param vars\r
+     * @return\r
+     * @throws OrganizationException\r
+     */\r
+    public String validate(AuthzTrans trans, Policy policy, Executor executor, String ... vars) throws OrganizationException;\r
+\r
+       boolean isTestEnv();\r
+\r
+       public void setTestMode(boolean dryRun);\r
+\r
+       public static final Organization NULL = new Organization() \r
+       {\r
+               private final GregorianCalendar gc = new GregorianCalendar(1900, 1, 1);\r
+               private final List<Identity> nullList = new ArrayList<Identity>();\r
+               private final Set<String> nullStringSet = new HashSet<String>();\r
+               private final Identity nullIdentity = new Identity() {\r
+                       List<String> nullIdentity = new ArrayList<String>();\r
+                       @Override\r
+                       public String type() {\r
+                               return N_A;\r
+                       }\r
+                       @Override\r
+                       public String responsibleTo() {\r
+                               return N_A;\r
+                       }\r
+                       @Override\r
+                       public boolean isResponsible() {\r
+                               return false;\r
+                       }\r
+                       \r
+                       @Override\r
+                       public boolean isFound() {\r
+                               return false;\r
+                       }\r
+                       \r
+                       @Override\r
+                       public String id() {\r
+                               return N_A;\r
+                       }\r
+                       \r
+                       @Override\r
+                       public String fullID() {\r
+                               return N_A;\r
+                       }\r
+                       \r
+                       @Override\r
+                       public String email() {\r
+                               return N_A;\r
+                       }\r
+                       \r
+                       @Override\r
+                       public List<String> delegate() {\r
+                               return nullIdentity;\r
+                       }\r
+                       @Override\r
+                       public String fullName() {\r
+                               return N_A;\r
+                       }\r
+                       @Override\r
+                       public Identity owner() {\r
+                               return null;\r
+                       }\r
+                       @Override\r
+                       public Organization org() {\r
+                               return NULL;\r
+                       }\r
+               };\r
+\r
+               @Override\r
+               public String getName() {\r
+                       return N_A;\r
+               }\r
+       \r
+               @Override\r
+               public String getRealm() {\r
+                       return N_A;\r
+               }\r
+       \r
+               @Override\r
+               public String getDomain() {\r
+                       return N_A;\r
+               }\r
+       \r
+               @Override\r
+               public Identity getIdentity(AuthzTrans trans, String id) {\r
+                       return nullIdentity;\r
+               }\r
+       \r
+               @Override\r
+               public String isValidID(String id) {\r
+                       return N_A;\r
+               }\r
+       \r
+               @Override\r
+               public String isValidPassword(String user, String password,String... prev) {\r
+                       return N_A;\r
+               }\r
+       \r
+               @Override\r
+               public Set<String> getIdentityTypes() {\r
+                       return nullStringSet;\r
+               }\r
+       \r
+               @Override\r
+               public Response notify(AuthzTrans trans, Notify type, String url,\r
+                               String[] users, String[] ccs, String summary, Boolean urgent) {\r
+                       return Response.ERR_NotImplemented;\r
+               }\r
+       \r
+               @Override\r
+               public int sendEmail(AuthzTrans trans, List<String> toList, List<String> ccList,\r
+                               String subject, String body, Boolean urgent) throws OrganizationException {\r
+                       return 0;\r
+               }\r
+       \r
+               @Override\r
+               public Date whenToValidate(Notify type, Date lastValidated) {\r
+                       return gc.getTime();\r
+               }\r
+       \r
+               @Override\r
+               public GregorianCalendar expiration(GregorianCalendar gc,\r
+                               Expiration exp, String... extra) {\r
+                       return gc==null?new GregorianCalendar():gc;\r
+               }\r
+       \r
+               @Override\r
+               public List<Identity> getApprovers(AuthzTrans trans, String user)\r
+                               throws OrganizationException {\r
+                       return nullList;\r
+               }\r
+       \r
+               @Override\r
+               public String getApproverType() {\r
+                       return "";\r
+               }\r
+       \r
+               @Override\r
+               public int startOfDay() {\r
+                       return 0;\r
+               }\r
+       \r
+               @Override\r
+               public boolean canHaveMultipleCreds(String id) {\r
+                       return false;\r
+               }\r
+       \r
+               @Override\r
+               public boolean isValidCred(String id) {\r
+                       return false;\r
+               }\r
+       \r
+               @Override\r
+               public String validate(AuthzTrans trans, Policy policy, Executor executor, String ... vars)\r
+                               throws OrganizationException {\r
+                       return "Null Organization rejects all Policies";\r
+               }\r
+       \r
+               @Override\r
+               public boolean isTestEnv() {\r
+                       return false;\r
+               }\r
+       \r
+               @Override\r
+               public void setTestMode(boolean dryRun) {\r
+               }\r
+\r
+               @Override\r
+               public EmailWarnings emailWarningPolicy() {\r
+                       return new EmailWarnings() {\r
+\r
+                               @Override\r
+                           public long credEmailInterval()\r
+                           {\r
+                               return 604800000L; // 7 days in millis 1000 * 86400 * 7\r
+                           }\r
+                           \r
+                               @Override\r
+                           public long roleEmailInterval()\r
+                           {\r
+                               return 604800000L; // 7 days in millis 1000 * 86400 * 7\r
+                           }\r
+                               \r
+                               @Override\r
+                               public long apprEmailInterval() {\r
+                               return 259200000L; // 3 days in millis 1000 * 86400 * 3\r
+                               }\r
+                           \r
+                               @Override\r
+                           public long  credExpirationWarning()\r
+                           {\r
+                               return( 2592000000L ); // One month, in milliseconds 1000 * 86400 * 30  in milliseconds\r
+                           }\r
+                           \r
+                               @Override\r
+                           public long roleExpirationWarning()\r
+                           {\r
+                               return( 2592000000L ); // One month, in milliseconds 1000 * 86400 * 30  in milliseconds\r
+                           }\r
+\r
+                               @Override\r
+                           public long emailUrgentWarning()\r
+                           {\r
+                               return( 1209600000L ); // Two weeks, in milliseconds 1000 * 86400 * 14  in milliseconds\r
+                           }\r
+\r
+                       };\r
+               }\r
+       };\r
+}\r
+\r
+\r
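Review bot: `owner()` in the `nullIdentity` anonymous class (lines 345-347) returns `null`, while every other accessor in `Organization.NULL` returns a sentinel (`N_A`, an empty list or set, or `NULL` itself via `org()`), so a caller that walks an ownership chain obtained from the null organization gets a NullPointerException instead of a not-found identity; `return this;` would keep the null-object contract, and the interface method `Identity.owner()` at line 65 should in any case document whether `null` is a legal result. `Notify.from(int)` (lines 134-141) has the same undocumented `null` return for an unknown code; a Javadoc `@return the matching Notify, or {@code null} if no constant has this id` on it, or an `Optional<Notify>`, would make the fallback explicit to callers. The sentinel `new GregorianCalendar(1900, 1, 1)` at line 298 uses a zero-based month, so it is 1 February 1900; if 1 January was intended, `Calendar.JANUARY` would be clearer, though as a "validate immediately" marker the exact day presumably does not matter. Minor: the Javadoc for `isValidPassword` (lines 112-116) lists `@param id` but the parameter is named `user`, and `prev` is not documented beyond the prose remark.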