001 /*
002 * CDDL HEADER START
003 *
004 * The contents of this file are subject to the terms of the
005 * Common Development and Distribution License, Version 1.0 only
006 * (the "License"). You may not use this file except in compliance
007 * with the License.
008 *
009 * You can obtain a copy of the license at
010 * docs/licenses/cddl.txt
011 * or http://www.opensource.org/licenses/cddl1.php.
012 * See the License for the specific language governing permissions
013 * and limitations under the License.
014 *
015 * When distributing Covered Code, include this CDDL HEADER in each
016 * file and include the License file at
017 * docs/licenses/cddl.txt. If applicable,
018 * add the following below this CDDL HEADER, with the fields enclosed
019 * by brackets "[]" replaced with your own identifying information:
020 * Portions Copyright [yyyy] [name of copyright owner]
021 *
022 * CDDL HEADER END
023 *
024 *
025 * Copyright 2010-2012 UnboundID Corp.
026 */
027 package com.unboundid.directory.sdk.ds.api;
028
029
030
031 import java.security.cert.Certificate;
032 import java.util.Collections;
033 import java.util.List;
034 import java.util.Map;
035
036 import com.unboundid.directory.sdk.common.internal.ExampleUsageProvider;
037 import com.unboundid.directory.sdk.common.internal.Reconfigurable;
038 import com.unboundid.directory.sdk.common.internal.UnboundIDExtension;
039 import com.unboundid.directory.sdk.ds.config.CertificateMapperConfig;
040 import com.unboundid.directory.sdk.ds.types.DirectoryServerContext;
041 import com.unboundid.directory.sdk.ds.internal.DirectoryServerExtension;
042 import com.unboundid.directory.sdk.proxy.internal.DirectoryProxyServerExtension;
043 import com.unboundid.directory.sdk.sync.internal.SynchronizationServerExtension;
044 import com.unboundid.ldap.sdk.LDAPException;
045 import com.unboundid.ldap.sdk.ResultCode;
046 import com.unboundid.util.Extensible;
047 import com.unboundid.util.ThreadSafety;
048 import com.unboundid.util.ThreadSafetyLevel;
049 import com.unboundid.util.args.ArgumentException;
050 import com.unboundid.util.args.ArgumentParser;
051
052
053
054 /**
055 * This class defines an API that must be implemented by extensions which
056 * attempt to map a certificate presented by a client (e.g., via SSL or
057 * StartTLS) to a user defined in the server. This is primarily used during
058 * the course of SASL EXTERNAL bind processing when a client uses a certificate
059 * to authenticate to the server. Any information contained in the provided
060 * certificate chain (including the subject, fingerprint, validity, extensions,
061 * etc. of the client certificate, as well as any information about any issuer
062 * certificates) may be used to map information in the provided certificate
063 * chain to exactly one user in the server. If the certificate cannot be mapped
064 * to any user, or if it is mapped to multiple users, then the authentication
065 * attempt must fail.
066 * <BR>
067 * <H2>Configuring Certificate Mappers</H2>
068 * In order to configure a certificate mapper created using this API, use a
069 * command like:
070 * <PRE>
071 * dsconfig create-certificate-mapper \
072 * --mapper-name "<I>{mapper-name}</I>" \
073 * --type third-party \
074 * --set enabled:true \
075 * --set "extension-class:<I>{class-name}</I>" \
076 * --set "extension-argument:<I>{name=value}</I>"
077 * </PRE>
078 * where "<I>{mapper-name}</I>" is the name to use for the certificate mapper
079 * instance, "<I>{class-name}</I>" is the fully-qualified name of the Java class
080 * that extends {@code com.unboundid.directory.sdk.ds.api.CertificateMapper},
081 * and "<I>{name=value}</I>" represents name-value pairs for any arguments to
082 * provide to the certificate mapper. If multiple arguments should be provided
083 * to the certificate mapper, then the
084 * "<CODE>--set extension-argument:<I>{name=value}</I></CODE>" option should be
085 * provided multiple times.
086 *
087 * @see com.unboundid.directory.sdk.ds.scripting.ScriptedCertificateMapper
088 */
089 @Extensible()
090 @DirectoryServerExtension()
091 @DirectoryProxyServerExtension(appliesToLocalContent=true,
092 appliesToRemoteContent=true)
093 @SynchronizationServerExtension(appliesToLocalContent=true,
094 appliesToSynchronizedContent=false)
095 @ThreadSafety(level=ThreadSafetyLevel.INTERFACE_THREADSAFE)
096 public abstract class CertificateMapper
097 implements UnboundIDExtension, Reconfigurable<CertificateMapperConfig>,
098 ExampleUsageProvider
099 {
100 /**
101 * Creates a new instance of this certificate mapper. All certificate mapper
102 * implementations must include a default constructor, but any initialization
103 * should generally be done in the {@code initializeCertificateMapper} method.
104 */
105 public CertificateMapper()
106 {
107 // No implementation is required.
108 }
109
110
111
112 /**
113 * {@inheritDoc}
114 */
115 public abstract String getExtensionName();
116
117
118
119 /**
120 * {@inheritDoc}
121 */
122 public abstract String[] getExtensionDescription();
123
124
125
126 /**
127 * {@inheritDoc}
128 */
129 public void defineConfigArguments(final ArgumentParser parser)
130 throws ArgumentException
131 {
132 // No arguments will be allowed by default.
133 }
134
135
136
137 /**
138 * Initializes this certificate mapper.
139 *
140 * @param serverContext A handle to the server context for the server in
141 * which this extension is running.
142 * @param config The general configuration for this certificate
143 * mapper.
144 * @param parser The argument parser which has been initialized from
145 * the configuration for this certificate mapper.
146 *
147 * @throws LDAPException If a problem occurs while initializing this
148 * certificate mapper.
149 */
150 public void initializeCertificateMapper(
151 final DirectoryServerContext serverContext,
152 final CertificateMapperConfig config,
153 final ArgumentParser parser)
154 throws LDAPException
155 {
156 // No initialization will be performed by default.
157 }
158
159
160
161 /**
162 * {@inheritDoc}
163 */
164 public boolean isConfigurationAcceptable(final CertificateMapperConfig config,
165 final ArgumentParser parser,
166 final List<String> unacceptableReasons)
167 {
168 // No extended validation will be performed by default.
169 return true;
170 }
171
172
173
174 /**
175 * {@inheritDoc}
176 */
177 public ResultCode applyConfiguration(final CertificateMapperConfig config,
178 final ArgumentParser parser,
179 final List<String> adminActionsRequired,
180 final List<String> messages)
181 {
182 // By default, no configuration changes will be applied. If there are any
183 // arguments, then add an admin action message indicating that the extension
184 // needs to be restarted for any changes to take effect.
185 if (! parser.getNamedArguments().isEmpty())
186 {
187 adminActionsRequired.add(
188 "No configuration change has actually been applied. The new " +
189 "configuration will not take effect until this certificate " +
190 "mapper is disabled and re-enabled or until the server is " +
191 "restarted.");
192 }
193
194 return ResultCode.SUCCESS;
195 }
196
197
198
199 /**
200 * Performs any cleanup which may be necessary when this certificate mapper is
201 * to be taken out of service.
202 */
203 public void finalizeCertificateMapper()
204 {
205 // No implementation is required.
206 }
207
208
209
210 /**
211 * Performs any processing which may be necessary to map the provided
212 * certificate chain to a user within the server.
213 *
214 * @param certChain The certificate chain presented by the client.
215 *
216 * @return The DN of the user within the server to which the provided
217 * certificate corresponds.
218 *
219 * @throws LDAPException If the presented certificate cannot be mapped to
220 * exactly one user in the server.
221 */
222 public abstract String mapCertificate(final Certificate[] certChain)
223 throws LDAPException;
224
225
226
227 /**
228 * {@inheritDoc}
229 */
230 public Map<List<String>,String> getExamplesArgumentSets()
231 {
232 return Collections.emptyMap();
233 }
234 }