* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
/**
* Organization
- *
+ *
* There is Organizational specific information required which we have extracted to a plugin
- *
+ *
* It supports using Company Specific User Directory lookups, as well as supporting an
* Approval/Validation Process to simplify control of Roles and Permissions for large organizations
- * in lieu of direct manipulation by a set of Admins.
- *
+ * in lieu of direct manipulation by a set of Admins.
+ *
* @author Jonathan
*
*/
public String fullName();
public String firstName();
/**
- * If Responsible entity, then String returned is "null" meaning "no Objection".
+ * If Responsible entity, then String returned is "null" meaning "no Objection".
* If String exists, it is the Policy objection text setup by the entity.
* @return
*/
public boolean isPerson(); // Whether a Person or a Machine (App)
public Organization org(); // Organization of Identity
+
+ public static String mixedCase(String in) {
+ StringBuilder sb = new StringBuilder();
+ for(int i=0;i<in.length();++i) {
+ if(i==0) {
+ sb.append(Character.toUpperCase(in.charAt(i)));
+ } else {
+ sb.append(Character.toLowerCase(in.charAt(i)));
+ }
+ }
+ return sb.toString();
+ }
}
* @return
*/
public String getRealm();
-
+
public boolean supportsRealm(String user);
public void addSupportedRealm(String r);
+ /**
+ * If Supported, returns Realm, ex: org.onap
+ * ELSE returns null
+ *
+ * @param user
+ * @return
+ */
+ public String supportedDomain(String user);
-
- String getDomain();
+ public String getDomain();
/**
* Get Identity information based on userID
- *
+ *
* @param id
* @return
*/
public Identity getIdentity(AuthzTrans trans, String id) throws OrganizationException;
-
+
+ /**
+ * Is Revoked
+ *
+ * Deletion of an Identity that has been removed from an Organization can be dangerous. Mistakes may have been made
+ * in the Organization side, a Feed might be corrupted, an API might not be quite right.
+ *
+ * The implementation of this method can use a double check of some sort, such as comparison of missing ID in Organization
+ * feed with a "Deleted ID" feed.
+ *
+ */
+ public Date isRevoked(AuthzTrans trans, String id);
+
/**
* Does the ID pass Organization Standards
- *
- * Return a Blank (empty) String if empty, otherwise, return a "\n" separated list of
+ *
+ * Return a Blank (empty) String if empty, otherwise, return a "\n" separated list of
* reasons why it fails
- *
+ *
* @param id
* @return
*/
public String isValidID(AuthzTrans trans, String id);
/**
- * Return a Blank (empty) String if empty, otherwise, return a "\n" separated list of
+ * Return a Blank (empty) String if empty, otherwise, return a "\n" separated list of
* reasons why it fails
- *
+ *
* Identity is passed in to allow policies regarding passwords that are the same as user ID
- *
+ *
* any entries for "prev" imply a reset
- *
+ *
* @param id
* @param password
* @return
public String[] getPasswordRules();
/**
- *
+ *
* @param id
* @return
*/
/**
* If response is Null, then it is valid. Otherwise, the Organization specific reason is returned.
- *
+ *
* @param trans
* @param policy
* @param executor
/**
* Does your Company distinguish essential permission structures by kind of Identity?
- * i.e. Employee, Contractor, Vendor
+ * i.e. Employee, Contractor, Vendor
* @return
*/
public Set<String> getIdentityTypes();
ERR_UserNotExist,
ERR_NotificationFailure,
};
-
+
public enum Expiration {
Password,
- TempPassword,
+ TempPassword,
Future,
UserInRole,
- UserDelegate,
- ExtendPassword
+ UserDelegate,
+ ExtendPassword,
+ RevokedGracePeriodEnds
}
-
+
public enum Policy {
- CHANGE_JOB,
- LEFT_COMPANY,
- CREATE_MECHID,
+ CHANGE_JOB,
+ LEFT_COMPANY,
+ CREATE_MECHID,
CREATE_MECHID_BY_PERM_ONLY,
OWNS_MECHID,
- AS_RESPONSIBLE,
+ AS_RESPONSIBLE,
MAY_EXTEND_CRED_EXPIRES,
MAY_APPLY_DEFAULT_REALM
}
-
+
/**
* Notify a User of Action or Info
- *
+ *
* @param type
* @param url
* @param users (separated by commas)
/**
* (more) generic way to send an email
- *
+ *
* @param toList
* @param ccList
* @param subject
/**
* whenToValidate
- *
+ *
* Authz support services will ask the Organization Object at startup when it should
- * kickoff Validation processes given particular types.
- *
+ * kickoff Validation processes given particular types.
+ *
* This allows the Organization to express Policy
- *
+ *
* Turn off Validation behavior by returning "null"
- *
+ *
*/
public Date whenToValidate(Notify type, Date lastValidated);
-
+
/**
* Expiration
- *
+ *
* Given a Calendar item of Start (or now), set the Expiration Date based on the Policy
* based on type.
- *
+ *
* For instance, "Passwords expire in 3 months"
- *
+ *
* The Extra Parameter is used by certain Orgs.
- *
+ *
* For Password, the extra is UserID, so it can check the User Type
- *
+ *
* @param gc
* @param exp
* @return
*/
public GregorianCalendar expiration(GregorianCalendar gc, Expiration exp, String ... extra);
-
+
/**
* Get Email Warning timing policies
* @return
public EmailWarnings emailWarningPolicy();
/**
- *
+ *
* @param trans
* @param user
* @return
*/
public List<Identity> getApprovers(AuthzTrans trans, String user) throws OrganizationException ;
-
+
+ /**
+ * Get Identities for Escalation Level
+ * 1 = self
+ * 2 = expects both self and immediate responsible party
+ * 3 = expects self, immediate report and any higher that the Organization wants to escalate to in the
+ * hierarchy.
+ *
+ * Note: this is used to notify of imminent danger of Application's Cred or Role expirations.
+ */
+ public List<Identity> getIDs(AuthzTrans trans, String user, int escalate) throws OrganizationException ;
+
+
/*
- *
+ *
* @param user
* @param type
* @param users
* @return
public Response notifyRequest(AuthzTrans trans, String user, Approval type, List<User> approvers);
*/
-
+
/**
- *
+ *
* @return
*/
public String getApproverType();
/*
* startOfDay - define for company what hour of day business starts (specifically for password and other expiration which
* were set by Date only.)
- *
+ *
* @return
*/
public int startOfDay();
* @return
*/
public boolean canHaveMultipleCreds(String id);
-
+
boolean isTestEnv();
public void setTestMode(boolean dryRun);
- public static final Organization NULL = new Organization()
+ /**
+ * Evaluates a user to determine if they are exempt from role and cred expiration.
+ * Returns true if true, false if false. Default implementation is always false.
+ *
+ * @param user
+ * @param expires
+ * @return
+ */
+ public boolean isUserExpireExempt(String user, Date expires);
+
+ public static final Organization NULL = new Organization()
{
private final GregorianCalendar gc = new GregorianCalendar(1900, 1, 1);
private final List<Identity> nullList = new ArrayList<>();
public String mayOwn() {
return N_A; // negative case
}
-
+
@Override
public boolean isFound() {
return false;
}
-
+
@Override
public String id() {
return N_A;
}
-
+
@Override
public String fullID() {
return N_A;
}
-
+
@Override
public String email() {
return N_A;
}
-
+
@Override
public List<String> delegate() {
return nullUser;
public String getName() {
return N_A;
}
-
+
@Override
public String getRealm() {
return N_A;
}
-
+
@Override
public boolean supportsRealm(String r) {
return false;
@Override
public void addSupportedRealm(String r) {
}
+
+ @Override
+ public String supportedDomain(String r) {
+ return null;
+ }
@Override
public String getDomain() {
return N_A;
}
-
+
@Override
public Identity getIdentity(AuthzTrans trans, String id) {
return nullIdentity;
}
-
+
@Override
public String isValidID(final AuthzTrans trans, String id) {
return N_A;
}
-
+
@Override
public String isValidPassword(final AuthzTrans trans, final String user, final String password, final String... prev) {
return N_A;
}
-
+
@Override
public Set<String> getIdentityTypes() {
return nullStringSet;
}
-
+
@Override
public Response notify(AuthzTrans trans, Notify type, String url,
String[] users, String[] ccs, String summary, Boolean urgent) {
return Response.ERR_NotImplemented;
}
-
+
@Override
public int sendEmail(AuthzTrans trans, List<String> toList, List<String> ccList,
String subject, String body, Boolean urgent) throws OrganizationException {
return 0;
}
-
+
@Override
public Date whenToValidate(Notify type, Date lastValidated) {
return gc.getTime();
}
-
+
@Override
public GregorianCalendar expiration(GregorianCalendar gc,
Expiration exp, String... extra) {
return gc;
}
-
+
@Override
public List<Identity> getApprovers(AuthzTrans trans, String user)
throws OrganizationException {
return nullList;
}
-
+
@Override
public String getApproverType() {
return "";
}
-
+
@Override
public int startOfDay() {
return 0;
}
-
+
@Override
public boolean canHaveMultipleCreds(String id) {
return false;
}
-
+
@Override
public boolean isValidCred(final AuthzTrans trans, final String id) {
return false;
}
-
+
@Override
public String validate(AuthzTrans trans, Policy policy, Executor executor, String ... vars)
throws OrganizationException {
return "Null Organization rejects all Policies";
}
-
+
@Override
public boolean isTestEnv() {
return false;
}
-
+
@Override
public void setTestMode(boolean dryRun) {
}
{
return 604800000L; // 7 days in millis 1000 * 86400 * 7
}
-
+
@Override
public long roleEmailInterval()
{
return 604800000L; // 7 days in millis 1000 * 86400 * 7
}
-
+
@Override
public long apprEmailInterval() {
return 259200000L; // 3 days in millis 1000 * 86400 * 3
}
-
+
@Override
public long credExpirationWarning()
{
return( 2592000000L ); // One month, in milliseconds 1000 * 86400 * 30 in milliseconds
}
-
+
@Override
public long roleExpirationWarning()
{
}
};
+
+
}
@Override
public String[] getPasswordRules() {
- return nullStringArray;
+ return nullStringArray;
}
- };
+ @Override
+ public Date isRevoked(AuthzTrans trans, String id) {
+ // provide a corresponding feed that indicates that an ID has been intentionally removed from identities.dat table.
+ return null;
+ }
+
+ @Override
+ public List<Identity> getIDs(AuthzTrans trans, String user, int escalate) throws OrganizationException {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public boolean isUserExpireExempt(String user, Date expires) {
+ return false;
+ }
+ };
}
Code Review / aaf / authz.git / blobdiff