2 * ============LICENSE_START====================================================
4 * ===========================================================================
5 * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
6 * ===========================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 * ============LICENSE_END====================================================
22 package org.onap.aaf.auth.org;
24 import java.util.ArrayList;
25 import java.util.Date;
26 import java.util.GregorianCalendar;
27 import java.util.HashSet;
28 import java.util.List;
31 import org.onap.aaf.auth.env.AuthzTrans;
36 * Organization-specific information is required by the authorization service; it has been extracted into this plugin interface.
38 * It supports using Company Specific User Directory lookups, as well as supporting an
39 * Approval/Validation Process to simplify control of Roles and Permissions for large organizations
40 * in lieu of direct manipulation by a set of Admins.
45 public interface Organization {
46 public static final String N_A = "n/a"; // Non-null sentinel. When returned from Identity.mayOwn() it reads as an objection (null is the only "no objection" answer), so it is a "not applicable / denied" value, never an approval
48 public interface Identity {
50 public String fullID() throws OrganizationException; // Fully Qualified ID (includes Domain of Organization)
51 public String type(); // Must be one of "IdentityTypes", see below
52 public Identity responsibleTo() throws OrganizationException; // Chain of Command, or Application ID Sponsor
53 public List<String> delegate(); // Someone who has authority to act on behalf of Identity
54 public String email();
55 public String fullName();
56 public String firstName();
58 * If the Identity is suitable to be a Responsible entity, the String returned is null, meaning "no objection".
59 * Otherwise the String is the Policy objection text set up by the Organization; callers must treat any non-null value (including "n/a") as a denial.
62 public String mayOwn(); // Is this Identity suitable to be Responsible for content management? null = no objection; any non-null String is the objection text and must be treated as a denial
63 public boolean isFound(); // Is Identity found in Identity stores
64 public boolean isPerson(); // Whether a Person or a Machine (App)
65 public Organization org(); // Organization of Identity
68 public static String mixedCase(String in) {
// NOTE(review): the condition that chooses between the upper-case and lower-case branches below is not visible in this
// excerpt; presumably the first character is upper-cased and the rest lower-cased — confirm against the full source.
// Throws NullPointerException when in is null (in.length() is dereferenced without a check).
69 StringBuilder sb = new StringBuilder();
70 for(int i=0;i<in.length();++i) {
72 sb.append(Character.toUpperCase(in.charAt(i)));
74 sb.append(Character.toLowerCase(in.charAt(i)));
83 * Name of Organization, suitable for Logging
86 public String getName();
89 * Realm, for use in distinguishing IDs from different systems/Companies
92 public String getRealm();
94 public boolean supportsRealm(String user); // true when the realm carried by the given user ID is one this Organization accepts (presumably the gate for treating an ID as a member — confirm with callers)
96 public void addSupportedRealm(String r); // widens the set accepted by supportsRealm() at runtime; keep this callable only from trusted configuration/bootstrap code, never from request handling
99 * If Supported, returns Realm, ex: org.onap
105 public String supportedDomain(String user);
107 public String getDomain();
110 * Get Identity information based on userID
115 public Identity getIdentity(AuthzTrans trans, String id) throws OrganizationException;
120 * Deleting an Identity that has disappeared from an Organization's feed is dangerous: a mistake may have been made
121 * on the Organization side, a feed may be corrupted, or an API may not be quite right.
123 * The implementation of this method should therefore require a second, independent signal before answering true, such as
124 * cross-checking an ID missing from the Organization feed against an explicit "Deleted ID" feed.
127 public boolean isRevoked(AuthzTrans trans, String id); // true must mean "removal confirmed": a wrong true deletes a live Identity, a wrong false leaves a departed user's access in place
131 * Does the ID pass Organization Standards
133 * Return a blank (empty) String if the ID passes the Organization's standards; otherwise return a "\n"-separated list of
134 * the reasons why it fails.
139 public String isValidID(AuthzTrans trans, String id);
142 * Return a blank (empty) String if the password is acceptable; otherwise return a "\n"-separated list of
143 * the reasons why it fails.
145 * The Identity (id) is passed in so that policies can reject passwords that match or contain the user ID.
147 * Any entries in "prev" imply a reset (password history to check against); neither the password nor the "prev" values should ever be echoed in the returned reasons.
// NOTE(review): password and the prev values arrive as immutable Strings and cannot be wiped after use; implementations
// must not log them or quote them inside the returned reasons, which are free text that callers may display or log.
153 public String isValidPassword(final AuthzTrans trans, final String id, final String password, final String ... prev);
156 * Return a list of Strings denoting Organization Password Rules, suitable for posting on a WebPage with <p>
158 public String[] getPasswordRules();
165 public boolean isValidCred(final AuthzTrans trans, final String id); // NOTE(review): its Javadoc is not in this excerpt; presumably true when id's stored credential satisfies Organization policy — confirm how expired/revoked creds are reported
168 * If the response is null, the request is valid. Otherwise the Organization-specific rejection reason is returned, and any non-null value must be treated as a denial.
175 * @throws OrganizationException
177 public String validate(AuthzTrans trans, Policy policy, Executor executor, String ... vars) throws OrganizationException; // null == valid; any non-null String is a rejection reason (the NULL Organization rejects every Policy, so the default is fail-closed)
180 * Does your Company distinguish essential permission structures by kind of Identity?
181 * i.e. Employee, Contractor, Vendor
184 public Set<String> getIdentityTypes();
188 PasswordExpiration(2),
192 Notify(int id) {this.id = id;}
193 public int getValue() {return id;}
194 public static Notify from(int type) {
195 for (Notify t : Notify.values()) {
204 public enum Response{
208 ERR_NotificationFailure,
211 public enum Expiration {
218 RevokedGracePeriodEnds
225 CREATE_MECHID_BY_PERM_ONLY,
228 MAY_EXTEND_CRED_EXPIRES,
229 MAY_APPLY_DEFAULT_REALM
233 * Notify a User of Action or Info
237 * @param users (separated by commas)
238 * @param ccs (separated by commas)
// NOTE(review): url is handed to the Organization to include in the notification (presumably as a link). Make sure it
// comes from configuration rather than from the request being notified about, so a caller cannot plant an arbitrary link.
242 public Response notify(AuthzTrans trans, Notify type, String url, String ids[], String ccs[], String summary, Boolean urgent);
245 * (more) generic way to send an email
254 public int sendEmail(AuthzTrans trans, List<String> toList, List<String> ccList, String subject, String body, Boolean urgent) throws OrganizationException; // subject and body are sent as given; never place credentials or other secrets in them
259 * Authz support services will ask the Organization Object at startup when it should
260 * kickoff Validation processes given particular types.
262 * This allows the Organization to express Policy
264 * Turn off Validation behavior for the given type by returning null.
267 public Date whenToValidate(Notify type, Date lastValidated);
273 * Given a Calendar item of Start (or now), set the Expiration Date based on the Policy
276 * For instance, "Passwords expire in 3 months"
278 * The Extra Parameter is used by certain Orgs.
280 * For Password, the extra is UserID, so it can check the User Type
286 public GregorianCalendar expiration(GregorianCalendar gc, Expiration exp, String ... extra);
289 * Get Email Warning timing policies
292 public EmailWarnings emailWarningPolicy();
300 public List<Identity> getApprovers(AuthzTrans trans, String user) throws OrganizationException ;
303 * Get Identities for Escalation Level
305 * 2 = expects both self and immediate responsible party
306 * 3 = expects self, the immediate responsible party, and any higher parties the Organization wants to escalate to in the
309 * Note: this is used to notify of imminent danger of Application's Cred or Role expirations.
311 public List<Identity> getIDs(AuthzTrans trans, String user, int escalate) throws OrganizationException ;
320 public Response notifyRequest(AuthzTrans trans, String user, Approval type, List<User> approvers);
327 public String getApproverType();
330 * startOfDay - define for company what hour of day business starts (specifically for password and other expiration which
331 * were set by Date only.)
335 public int startOfDay();
338 * Implement this method to support IDs that may have multiple entries in the cred table.
339 * NOTE: the combination of ID / expiration date / (encryption type, when implemented) must be unique.
340 * Because the expiration date is based on startOfDay for your company, you cannot create multiple
341 * creds for the same ID on the same day.
345 public boolean canHaveMultipleCreds(String id);
349 public void setTestMode(boolean dryRun); // dryRun=true switches the implementation into test mode (presumably suppressing real side effects such as notifications — confirm); it must not be reachable from production configuration
351 public static final Organization NULL = new Organization()
// NOTE(review): these shared defaults are mutable (ArrayList, HashSet, String[]); nullStringSet and nullStringArray are
// returned directly to callers (see getIdentityTypes() and getPasswordRules() below), so a caller that mutates one
// changes what every later caller sees. Collections.emptyList()/emptySet() and a fresh array would be the safe choice.
// gc: GregorianCalendar months are 0-based, so (1900, 1, 1) is 1 Feb 1900, not 1 Jan — harmless as a sentinel, but worth knowing.
353 private final GregorianCalendar gc = new GregorianCalendar(1900, 1, 1);
354 private final List<Identity> nullList = new ArrayList<>();
355 private final Set<String> nullStringSet = new HashSet<>();
356 private String[] nullStringArray = new String[0]; // not final, unlike its siblings
357 private final Identity nullIdentity = new Identity() {
358 List<String> nullUser = new ArrayList<>();
360 public String type() {
365 public String mayOwn() {
366 return N_A; // negative case: non-null, so per the Identity.mayOwn() contract the NULL Organization objects to every ownership request (fail-closed)
370 public boolean isFound() {
380 public String fullID() {
385 public String email() {
390 public List<String> delegate() {
394 public String fullName() {
398 public Organization org() {
402 public String firstName() {
406 public boolean isPerson() {
411 public Identity responsibleTo() {
416 public String getName() {
421 public String getRealm() {
426 public boolean supportsRealm(String r) {
431 public void addSupportedRealm(String r) {
435 public String supportedDomain(String r) {
440 public String getDomain() {
445 public Identity getIdentity(AuthzTrans trans, String id) {
450 public String isValidID(final AuthzTrans trans, String id) {
455 public String isValidPassword(final AuthzTrans trans, final String user, final String password, final String... prev) {
460 public Set<String> getIdentityTypes() {
461 return nullStringSet; // NOTE(review): hands out the shared mutable HashSet; a caller adding to it changes the answer for everyone — Collections.emptySet() would be safer
465 public Response notify(AuthzTrans trans, Notify type, String url,
466 String[] users, String[] ccs, String summary, Boolean urgent) {
467 return Response.ERR_NotImplemented; // the NULL Organization never sends notifications; callers must check this Response rather than assume delivery
471 public int sendEmail(AuthzTrans trans, List<String> toList, List<String> ccList,
472 String subject, String body, Boolean urgent) throws OrganizationException {
477 public Date whenToValidate(Notify type, Date lastValidated) {
482 public GregorianCalendar expiration(GregorianCalendar gc,
483 Expiration exp, String... extra) {
488 public List<Identity> getApprovers(AuthzTrans trans, String user)
489 throws OrganizationException {
494 public String getApproverType() {
499 public int startOfDay() {
504 public boolean canHaveMultipleCreds(String id) {
509 public boolean isValidCred(final AuthzTrans trans, final String id) {
514 public String validate(AuthzTrans trans, Policy policy, Executor executor, String ... vars)
515 throws OrganizationException {
516 return "Null Organization rejects all Policies"; // non-null == rejection: the default Organization is fail-closed for every Policy
520 public boolean isTestEnv() {
525 public void setTestMode(boolean dryRun) {
529 public EmailWarnings emailWarningPolicy() {
530 return new EmailWarnings() {
533 public long credEmailInterval()
535 return 604800000L; // 7 days in millis 1000 * 86400 * 7
539 public long roleEmailInterval()
541 return 604800000L; // 7 days in millis 1000 * 86400 * 7
545 public long apprEmailInterval() {
546 return 259200000L; // 3 days in millis 1000 * 86400 * 3
550 public long credExpirationWarning()
552 return( 2592000000L ); // One month, in milliseconds 1000 * 86400 * 30 in milliseconds
556 public long roleExpirationWarning()
558 return( 2592000000L ); // One month, in milliseconds 1000 * 86400 * 30 in milliseconds
562 public long emailUrgentWarning()
564 return( 1209600000L ); // Two weeks, in milliseconds 1000 * 86400 * 14 in milliseconds
573 public String[] getPasswordRules() {
574 return nullStringArray; // NOTE(review): returns the shared, non-final array instance; arrays cannot be made read-only, so a fresh String[0] (or a clone) would keep callers from aliasing it
578 public boolean isRevoked(AuthzTrans trans, String id) {
579 // A real implementation should consult a corresponding feed that records IDs intentionally removed from the identities.dat table.
// NOTE(review): the value returned here is not visible in this excerpt; for an Organization with no identity store the safe answer is false (never revoke without evidence) — confirm.
584 public List<Identity> getIDs(AuthzTrans trans, String user, int escalate) throws OrganizationException {
585 // TODO Auto-generated method stub