001/*
002 * CDDL HEADER START
003 *
004 * The contents of this file are subject to the terms of the
005 * Common Development and Distribution License, Version 1.0 only
006 * (the "License").  You may not use this file except in compliance
007 * with the License.
008 *
009 * You can obtain a copy of the license at
010 * trunk/ds/resource/legal-notices/cddl.txt
011 * or http://www.opensource.org/licenses/cddl1.php.
012 * See the License for the specific language governing permissions
013 * and limitations under the License.
014 *
015 * When distributing Covered Code, include this CDDL HEADER in each
016 * file and include the License file at
017 * trunk/ds/resource/legal-notices/cddl.txt.  If applicable,
018 * add the following below this CDDL HEADER, with the fields enclosed
019 * by brackets "[]" replaced with your own identifying information:
020 *      Portions Copyright [yyyy] [name of copyright owner]
021 *
022 * CDDL HEADER END
023 *
024 *
025 *      Copyright 2016-2019 Ping Identity Corporation
026 */
027package com.unboundid.directory.sdk.broker.api;
028
029import com.unboundid.directory.sdk.broker.config.IdentityAuthenticatorConfig;
030import com.unboundid.directory.sdk.broker.internal.BrokerExtension;
031import com.unboundid.directory.sdk.broker.types.AuthenticationRequest;
032import com.unboundid.directory.sdk.broker.types.AuthenticationResult;
033import com.unboundid.directory.sdk.broker.types.BrokerContext;
034import com.unboundid.directory.sdk.broker.types.StatusRequest;
035import com.unboundid.directory.sdk.broker.types.StatusResult;
036import com.unboundid.directory.sdk.common.internal.Configurable;
037import com.unboundid.directory.sdk.common.internal.ExampleUsageProvider;
038import com.unboundid.directory.sdk.common.internal.UnboundIDExtension;
039import com.unboundid.util.Extensible;
040import com.unboundid.util.ThreadSafety;
041import com.unboundid.util.ThreadSafetyLevel;
042import com.unboundid.util.args.ArgumentException;
043import com.unboundid.util.args.ArgumentParser;
044
045import java.util.Collections;
046import java.util.List;
047import java.util.Map;
048
049
050
051/**
052 * This class defines an API that may be implemented by extensions that provide
053 * a way to authenticate a user or provide additional assurance about the
054 * identity of a user that has already been authenticated.
055 * This API is generic and can support a wide range of authentication and
056 * second-factor authentication methods.
057 *
058 * <H2>Configuring Identity Authenticators</H2>
059 * <p>
060 * In order to configure an Identity Authenticator created using this API, use
061 * a command like:
062 * </p>
063 * <PRE>
064 *      dsconfig create-identity-authenticator \
065 *           ---authenticator-name "<I>{name}</I>" \
066 *           --type third-party \
067 *           --set "extension-class:<I>{class-name}</I>" \
068 *           --set "extension-argument:<I>{name=value}</I>"
069 * </PRE>
070 * where "<I>{name}</I>" is the name to use for the Identity Authenticator
071 * instance, "<I>{class-name}</I>" is the fully-qualified name of the Java class
072 * that extends
073 * {@code com.unboundid.directory.sdk.broker.api.IdentityAuthenticator},
074 * and "<I>{name=value}</I>" represents name-value pairs for any arguments to
075 * provide to the Identity Authenticator. If multiple arguments should be
076 * provided to the extension, then the
077 * "<CODE>--set extension-argument:<I>{name=value}</I></CODE>" option should be
078 * provided multiple times.
079 */
080@Extensible()
081@BrokerExtension
082@ThreadSafety(level= ThreadSafetyLevel.INTERFACE_THREADSAFE)
083public abstract class IdentityAuthenticator implements UnboundIDExtension,
084        Configurable, ExampleUsageProvider
085{
086  /**
087   * Creates a new instance of this Identity Authenticator.  All
088   * implementations must include a default constructor, but any
089   * initialization should generally be done in the
090   * {@link #initializeAuthenticator} method.
091   */
092  public IdentityAuthenticator()
093  {
094    // No implementation is required.
095  }
096
097
098
099  /**
100   * {@inheritDoc}
101   */
102  @Override
103  public abstract String getExtensionName();
104
105
106
107  /**
108   * {@inheritDoc}
109   */
110  @Override
111  public abstract String[] getExtensionDescription();
112
113
114
115  /**
116   * {@inheritDoc}
117   */
118  @Override
119  public Map<List<String>,String> getExamplesArgumentSets()
120  {
121    return Collections.emptyMap();
122  }
123
124
125
126  /**
127   * {@inheritDoc}
128   */
129  @Override
130  public void defineConfigArguments(final ArgumentParser parser)
131         throws ArgumentException
132  {
133    // No arguments will be allowed by default.
134  }
135
136
137
138  /**
139   * Initializes this Identity Authenticator. Any initialization should be
140   * performed here. This method should generally store the
141   * {@link BrokerContext} in a class member so that it can be used elsewhere
142   * in the implementation.
143   * <p>
144   * The default implementation is empty.
145   *
146   * @param  serverContext  A handle to the server context for the server in
147   *                        which this extension is running. Extensions should
148   *                        typically store this in a class member.
149   * @param  config         The general configuration for this object.
150   * @param  parser         The argument parser which has been initialized from
151   *                        the configuration for this Identity Authenticator.
152   * @throws Exception      If a problem occurs while initializing this store
153   *                        adapter.
154   */
155  public void initializeAuthenticator(final BrokerContext serverContext,
156                                      final IdentityAuthenticatorConfig config,
157                                      final ArgumentParser parser)
158      throws Exception
159  {
160    // No initialization will be performed by default.
161  }
162
163
164
165  /**
166   * This hook is called when the Identity Authenticator is disabled or the
167   * server shuts down. Any clean-up of this Identity Authenticator should
168   * be performed here.
169   * <p>
170   * The default implementation is empty.
171   */
172  public void finalizeAuthenticator()
173  {
174    // No implementation is performed by default.
175  }
176
177  /**
178   * Process a status request. The current state of the authenticator for this
179   * flow should be returned in the response parameters.
180   * <p>
181   * The content of the response parameters is entirely up to the Identity
182   * Authenticator implementation, and should be documented by the
183   * implementation.
184   *
185   * @param request The status request details.
186   *
187   * @return  The results of the status request.
188   */
189  public abstract StatusResult getStatus(final StatusRequest request);
190
191  /**
192   * Process an authentication request. An authentication process, or flow,
193   * for a given Identity Authenticator may be composed of multiple steps
194   * (or interactions with the end user or user interface). This method call
195   * represents a single authentication step.
196   * <p>
197   * If the authentication flow requires further steps, then the result should
198   * contain response parameters that can be used to complete the flow.
199   * The result must also contain flow state parameters, which will be
200   * preserved and resubmitted in the request for the next step. The server
201   * encrypts the content of the returned flow state parameters in order to
202   * protect any sensitive information.
203   * <p>
204   * When the authentication flow is completed successfully, the result must
205   * contain the name of the authenticated principal. If authentication fails
206   * (e.g. invalid credentials), an unsuccessful result must be returned,
207   * rather than an exception.
208   * <p>
209   * An authenticator should only return success if the client provided the
210   * correct credentials. If additional info is needed or if the provided
211   * credentials are incorrect, it should return false. The authenticator
212   * should set the principal in the result if it can identify a user with
213   * the provided credentials. Otherwise, it should return the principal
214   * that was passed in.
215   * <p>
216   * The content of the request parameters and response parameters is entirely
217   * up to the Identity Authenticator implementation, and should be documented
218   * by the implementation.
219   *
220   * @param request The authentication request details.
221   *
222   * @return  The results of the authentication request.
223   */
224  public abstract AuthenticationResult authenticate(
225      final AuthenticationRequest request);
226}