1 /*******************************************************************************
\r
2 * ============LICENSE_START====================================================
\r
4 * * ===========================================================================
\r
5 * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
\r
6 * * Copyright © 2017 Amdocs
\r
7 * * ===========================================================================
\r
8 * * Licensed under the Apache License, Version 2.0 (the "License");
\r
9 * * you may not use this file except in compliance with the License.
\r
10 * * You may obtain a copy of the License at
\r
12 * * http://www.apache.org/licenses/LICENSE-2.0
\r
14 * * Unless required by applicable law or agreed to in writing, software
\r
15 * * distributed under the License is distributed on an "AS IS" BASIS,
\r
16 * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
17 * * See the License for the specific language governing permissions and
\r
18 * * limitations under the License.
\r
19 * * ============LICENSE_END====================================================
\r
21 * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
\r
23 ******************************************************************************/
\r
24 package com.att.authz.org;
\r
26 import java.util.ArrayList;
\r
27 import java.util.Date;
\r
28 import java.util.GregorianCalendar;
\r
29 import java.util.HashSet;
\r
30 import java.util.List;
\r
31 import java.util.Set;
\r
33 import com.att.authz.env.AuthzTrans;
\r
38 * There is Organizational specific information required which we have extracted to a plugin
\r
40 * It supports using Company Specific User Directory lookups, as well as supporting an
\r
41 * Approval/Validation Process to simplify control of Roles and Permissions for large organizations
\r
42 * in lieu of direct manipulation by a set of Admins.
\r
46 public interface Organization {
\r
47 public static final String N_A = "n/a";
\r
49 public interface Identity {
\r
51 public String fullID(); // Fully Qualified ID (includes Domain of Organization)
\r
52 public String type(); // Must be one of "IdentityTypes", see below
\r
53 public String responsibleTo(); // Chain of Command, Comma Separated if required
\r
54 public List<String> delegate(); // Someone who has authority to act on behalf of Identity
\r
55 public String email();
\r
56 public String fullName();
\r
57 public boolean isResponsible(); // Is id passed belong to a person suitable to be Responsible for content Management
\r
58 public boolean isFound(); // Is Identity found in Identity stores
\r
59 public Identity owner() throws OrganizationException; // Identity is directly responsible for App ID
\r
60 public Organization org(); // Organization of Identity
\r
65 * Name of Organization, suitable for Logging
\r
68 public String getName();
\r
71 * Realm, for use in distinguishing IDs from different systems/Companies
\r
74 public String getRealm();
\r
79 * Get Identity information based on userID
\r
84 public Identity getIdentity(AuthzTrans trans, String id) throws OrganizationException;
\r
88 * Does the ID pass Organization Standards
\r
90 * Return a Blank (empty) String if empty, otherwise, return a "\n" separated list of
\r
91 * reasons why it fails
\r
96 public String isValidID(String id);
\r
99 * Return a Blank (empty) String if empty, otherwise, return a "\n" separated list of
\r
100 * reasons why it fails
\r
102 * Identity is passed in to allow policies regarding passwords that are the same as user ID
\r
104 * any entries for "prev" imply a reset
\r
110 public String isValidPassword(String user, String password, String ... prev);
\r
114 * Does your Company distinguish essential permission structures by kind of Identity?
\r
115 * i.e. Employee, Contractor, Vendor
\r
118 public Set<String> getIdentityTypes();
\r
120 public enum Notify {
\r
122 PasswordExpiration(2),
\r
126 Notify(int id) {this.id = id;}
\r
127 public int getValue() {return id;}
\r
128 public static Notify from(int type) {
\r
129 for(Notify t : Notify.values()) {
\r
138 public enum Response{
\r
140 ERR_NotImplemented,
\r
142 ERR_NotificationFailure,
\r
145 public enum Expiration {
\r
154 public enum Policy {
\r
158 CREATE_MECHID_BY_PERM_ONLY,
\r
161 MAY_EXTEND_CRED_EXPIRES
\r
165 * Notify a User of Action or Info
\r
169 * @param users (separated by commas)
\r
170 * @param ccs (separated by commas)
\r
174 public Response notify(AuthzTrans trans, Notify type, String url, String ids[], String ccs[], String summary, Boolean urgent);
\r
177 * (more) generic way to send an email
\r
186 public int sendEmail(AuthzTrans trans, List<String> toList, List<String> ccList, String subject, String body, Boolean urgent) throws OrganizationException;
\r
191 * Authz support services will ask the Organization Object at startup when it should
\r
192 * kickoff Validation processes given particular types.
\r
194 * This allows the Organization to express Policy
\r
196 * Turn off Validation behavior by returning "null"
\r
199 public Date whenToValidate(Notify type, Date lastValidated);
\r
205 * Given a Calendar item of Start (or now), set the Expiration Date based on the Policy
\r
208 * For instance, "Passwords expire in 3 months"
\r
210 * The Extra Parameter is used by certain Orgs.
\r
212 * For Password, the extra is UserID, so it can check the Identity Type
\r
218 public GregorianCalendar expiration(GregorianCalendar gc, Expiration exp, String ... extra);
\r
221 * Get Email Warning timing policies
\r
224 public EmailWarnings emailWarningPolicy();
\r
232 public List<Identity> getApprovers(AuthzTrans trans, String user) throws OrganizationException ;
\r
240 public Response notifyRequest(AuthzTrans trans, String user, Approval type, List<User> approvers);
\r
247 public String getApproverType();
\r
250 * startOfDay - define for company what hour of day business starts (specifically for password and other expiration which
\r
251 * were set by Date only.)
\r
255 public int startOfDay();
\r
258 * implement this method to support any IDs that can have multiple entries in the cred table
\r
259 * NOTE: the combination of ID/expiration date/(encryption type when implemented) must be unique.
\r
260 * Since expiration date is based on startOfDay for your company, you cannot create many
\r
261 * creds for the same ID in the same day.
\r
265 public boolean canHaveMultipleCreds(String id);
\r
272 public boolean isValidCred(String id);
\r
275 * If response is Null, then it is valid. Otherwise, the Organization specific reason is returned.
\r
282 * @throws OrganizationException
\r
284 public String validate(AuthzTrans trans, Policy policy, Executor executor, String ... vars) throws OrganizationException;
\r
286 boolean isTestEnv();
\r
288 public void setTestMode(boolean dryRun);
\r
290 public static final Organization NULL = new Organization()
\r
292 private final GregorianCalendar gc = new GregorianCalendar(1900, 1, 1);
\r
293 private final List<Identity> nullList = new ArrayList<Identity>();
\r
294 private final Set<String> nullStringSet = new HashSet<String>();
\r
295 private final Identity nullIdentity = new Identity() {
\r
296 List<String> nullIdentity = new ArrayList<String>();
\r
298 public String type() {
\r
302 public String responsibleTo() {
\r
306 public boolean isResponsible() {
\r
311 public boolean isFound() {
\r
316 public String id() {
\r
321 public String fullID() {
\r
326 public String email() {
\r
331 public List<String> delegate() {
\r
332 return nullIdentity;
\r
335 public String fullName() {
\r
339 public Identity owner() {
\r
343 public Organization org() {
\r
349 public String getName() {
\r
354 public String getRealm() {
\r
359 public String getDomain() {
\r
364 public Identity getIdentity(AuthzTrans trans, String id) {
\r
365 return nullIdentity;
\r
369 public String isValidID(String id) {
\r
374 public String isValidPassword(String user, String password,String... prev) {
\r
379 public Set<String> getIdentityTypes() {
\r
380 return nullStringSet;
\r
384 public Response notify(AuthzTrans trans, Notify type, String url,
\r
385 String[] users, String[] ccs, String summary, Boolean urgent) {
\r
386 return Response.ERR_NotImplemented;
\r
390 public int sendEmail(AuthzTrans trans, List<String> toList, List<String> ccList,
\r
391 String subject, String body, Boolean urgent) throws OrganizationException {
\r
396 public Date whenToValidate(Notify type, Date lastValidated) {
\r
397 return gc.getTime();
\r
401 public GregorianCalendar expiration(GregorianCalendar gc,
\r
402 Expiration exp, String... extra) {
\r
403 return gc==null?new GregorianCalendar():gc;
\r
407 public List<Identity> getApprovers(AuthzTrans trans, String user)
\r
408 throws OrganizationException {
\r
413 public String getApproverType() {
\r
418 public int startOfDay() {
\r
423 public boolean canHaveMultipleCreds(String id) {
\r
428 public boolean isValidCred(String id) {
\r
433 public String validate(AuthzTrans trans, Policy policy, Executor executor, String ... vars)
\r
434 throws OrganizationException {
\r
435 return "Null Organization rejects all Policies";
\r
439 public boolean isTestEnv() {
\r
444 public void setTestMode(boolean dryRun) {
\r
448 public EmailWarnings emailWarningPolicy() {
\r
449 return new EmailWarnings() {
\r
452 public long credEmailInterval()
\r
454 return 604800000L; // 7 days in millis 1000 * 86400 * 7
\r
458 public long roleEmailInterval()
\r
460 return 604800000L; // 7 days in millis 1000 * 86400 * 7
\r
464 public long apprEmailInterval() {
\r
465 return 259200000L; // 3 days in millis 1000 * 86400 * 3
\r
469 public long credExpirationWarning()
\r
471 return( 2592000000L ); // One month, in milliseconds 1000 * 86400 * 30 in milliseconds
\r
475 public long roleExpirationWarning()
\r
477 return( 2592000000L ); // One month, in milliseconds 1000 * 86400 * 30 in milliseconds
\r
481 public long emailUrgentWarning()
\r
483 return( 1209600000L ); // Two weeks, in milliseconds 1000 * 86400 * 14 in milliseconds
\r
Code Review / aaf / authz.git / blob