Source code

001/*
002 * CDDL HEADER START
003 *
004 * The contents of this file are subject to the terms of the
005 * Common Development and Distribution License, Version 1.0 only
006 * (the "License").  You may not use this file except in compliance
007 * with the License.
008 *
009 * You can obtain a copy of the license at
010 * docs/licenses/cddl.txt
011 * or http://www.opensource.org/licenses/cddl1.php.
012 * See the License for the specific language governing permissions
013 * and limitations under the License.
014 *
015 * When distributing Covered Code, include this CDDL HEADER in each
016 * file and include the License file at
017 * docs/licenses/cddl.txt.  If applicable,
018 * add the following below this CDDL HEADER, with the fields enclosed
019 * by brackets "[]" replaced with your own identifying information:
020 *      Portions Copyright [yyyy] [name of copyright owner]
021 *
022 * CDDL HEADER END
023 *
024 *
025 *      Copyright 2010-2015 UnboundID Corp.
026 */
027package com.unboundid.directory.sdk.ds.scripting;
028
029
030
031import java.util.List;
032import java.util.Set;
033
034import com.unboundid.directory.sdk.common.internal.Reconfigurable;
035import com.unboundid.directory.sdk.common.types.Entry;
036import com.unboundid.directory.sdk.common.types.OperationContext;
037import com.unboundid.directory.sdk.ds.config.PasswordValidatorConfig;
038import com.unboundid.directory.sdk.ds.internal.DirectoryServerExtension;
039import com.unboundid.directory.sdk.ds.types.DirectoryServerContext;
040import com.unboundid.directory.sdk.proxy.internal.DirectoryProxyServerExtension;
041import com.unboundid.directory.sdk.sync.internal.SynchronizationServerExtension;
042import com.unboundid.ldap.sdk.LDAPException;
043import com.unboundid.ldap.sdk.ResultCode;
044import com.unboundid.util.ByteString;
045import com.unboundid.util.Extensible;
046import com.unboundid.util.ThreadSafety;
047import com.unboundid.util.ThreadSafetyLevel;
048import com.unboundid.util.args.ArgumentException;
049import com.unboundid.util.args.ArgumentParser;
050
051
052
053/**
054 * This class defines an API that must be implemented by scripted extensions
055 * which attempt to determine whether a proposed user password is acceptable.
056 * Each server password policy may be configured with zero or more password
057 * validators, and whenever a user changes his or her password (and optionally
058 * whenever an administrator resets the password for another user), then each of
059 * the password validators configured in the password policy for the target user
060 * will be given access to the clear-text password in order to determine whether
061 * that password will be allowed.  Password validators will also have access to
062 * the rest of the user entry, and may also have access to a clear-text version
063 * of the user's current password(s) if they were provided in the request.
064 * <BR>
065 * <H2>Configuring Groovy-Scripted Password Validators</H2>
066 * In order to configure a scripted password validator based on this API and
067 * written in the Groovy scripting language, use a command like:
068 * <PRE>
069 *      dsconfig create-password-validator \
070 *           --validator-name "<I>{validator-name}</I>" \
071 *           --type groovy-scripted \
072 *           --set enabled:true \
073 *           --set "script-class:<I>{class-name}</I>" \
074 *           --set "script-argument:<I>{name=value}</I>"
075 * </PRE>
076 * where "<I>{validator-name}</I>" is the name to use for the password validator
077 * instance, "<I>{class-name}</I>" is the fully-qualified name of the Groovy
078 * class written using this API, and "<I>{name=value}</I>" represents name-value
079 * pairs for any arguments to provide to the password validator.  If multiple
080 * arguments should be provided to the password validator, then the
081 * "<CODE>--set script-argument:<I>{name=value}</I></CODE>" option should be
082 * provided multiple times.
083 *
084 * @see  com.unboundid.directory.sdk.ds.api.PasswordValidator
085 */
086@Extensible()
087@DirectoryServerExtension()
088@DirectoryProxyServerExtension(appliesToLocalContent=true,
089     appliesToRemoteContent=false)
090@SynchronizationServerExtension(appliesToLocalContent=true,
091     appliesToSynchronizedContent=false)
092@ThreadSafety(level=ThreadSafetyLevel.INTERFACE_THREADSAFE)
093public abstract class ScriptedPasswordValidator
094       implements Reconfigurable<PasswordValidatorConfig>
095{
096  /**
097   * Creates a new instance of this password validator.  All password validator
098   * implementations must include a default constructor, but any initialization
099   * should generally be done in the {@code initializePasswordValidator} method.
100   */
101  public ScriptedPasswordValidator()
102  {
103    // No implementation is required.
104  }
105
106
107
108  /**
109   * {@inheritDoc}
110   */
111  public void defineConfigArguments(final ArgumentParser parser)
112         throws ArgumentException
113  {
114    // No arguments will be allowed by default.
115  }
116
117
118
119  /**
120   * Initializes this password validator.
121   *
122   * @param  serverContext  A handle to the server context for the server in
123   *                        which this extension is running.
124   * @param  config         The general configuration for this password
125   *                        validator.
126   * @param  parser         The argument parser which has been initialized from
127   *                        the configuration for this password validator.
128   *
129   * @throws  LDAPException  If a problem occurs while initializing this
130   *                         password validator.
131   */
132  public void initializePasswordValidator(
133                   final DirectoryServerContext serverContext,
134                   final PasswordValidatorConfig config,
135                   final ArgumentParser parser)
136         throws LDAPException
137  {
138    // No initialization will be performed by default.
139  }
140
141
142
143  /**
144   * Performs any cleanup which may be necessary when this password validator is
145   * to be taken out of service.
146   */
147  public void finalizePasswordValidator()
148  {
149    // No implementation is required.
150  }
151
152
153
154  /**
155   * {@inheritDoc}
156   */
157  public boolean isConfigurationAcceptable(
158                      final PasswordValidatorConfig config,
159                      final ArgumentParser parser,
160                      final List<String> unacceptableReasons)
161  {
162    // No extended validation will be performed.
163    return true;
164  }
165
166
167
168  /**
169   * {@inheritDoc}
170   */
171  public ResultCode applyConfiguration(final PasswordValidatorConfig config,
172                                       final ArgumentParser parser,
173                                       final List<String> adminActionsRequired,
174                                       final List<String> messages)
175  {
176    // By default, no configuration changes will be applied.  If there are any
177    // arguments, then add an admin action message indicating that the extension
178    // needs to be restarted for any changes to take effect.
179    if (! parser.getNamedArguments().isEmpty())
180    {
181      adminActionsRequired.add(
182           "No configuration change has actually been applied.  The new " +
183                "configuration will not take effect until this password " +
184                "validator is disabled and re-enabled or until the server is " +
185                "restarted.");
186    }
187
188    return ResultCode.SUCCESS;
189  }
190
191
192
193  /**
194   * Indicates whether the proposed password is acceptable for the specified
195   * user.
196   *
197   * @param  operationContext  The operation context for the associated request.
198   *                           It may be associated with an add, modify, or
199   *                           password modify operation.
200   * @param  newPassword       The proposed new password for the user that
201   *                           should be validated.  It will not be encoded or
202   *                           obscured in any way.
203   * @param  currentPasswords  The current set of passwords for the user, if
204   *                           available.  It may be {@code null} if this is
205   *                           not available.  Note that even if one or more
206   *                           current passwords are available, it may not
207   *                           constitute the complete set of passwords for the
208   *                           user.
209   * @param  userEntry         The entry for the user whose password is being
210   *                           changed.
211   * @param  invalidReason     A buffer to which a message may be appended to
212   *                           indicate why the proposed password is not
213   *                           acceptable.
214   *
215   * @return  {@code true} if the proposed new password is acceptable, or
216   *          {@code false} if not.
217   */
218  public abstract boolean isPasswordAcceptable(
219                               final OperationContext operationContext,
220                               final ByteString newPassword,
221                               final Set<ByteString> currentPasswords,
222                               final Entry userEntry,
223                               final StringBuilder invalidReason);
224}