/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License").  You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at
 * trunk/ds/resource/legal-notices/cddl.txt
 * or http://www.opensource.org/licenses/cddl1.php.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at
 * trunk/ds/resource/legal-notices/cddl.txt.  If applicable,
 * add the following below this CDDL HEADER, with the fields enclosed
 * by brackets "[]" replaced with your own identifying information:
 *      Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 *
 *
 *      Copyright 2016-2017 Ping Identity Corporation
 */
package com.unboundid.directory.sdk.broker.api;

import com.unboundid.directory.sdk.broker.config.IdentityAuthenticatorConfig;
import com.unboundid.directory.sdk.broker.internal.BrokerExtension;
import com.unboundid.directory.sdk.broker.types.AuthenticationRequest;
import com.unboundid.directory.sdk.broker.types.AuthenticationResult;
import com.unboundid.directory.sdk.broker.types.BrokerContext;
import com.unboundid.directory.sdk.broker.types.StatusRequest;
import com.unboundid.directory.sdk.broker.types.StatusResult;
import com.unboundid.directory.sdk.common.internal.Configurable;
import com.unboundid.directory.sdk.common.internal.ExampleUsageProvider;
import com.unboundid.directory.sdk.common.internal.UnboundIDExtension;
import com.unboundid.util.Extensible;
import com.unboundid.util.ThreadSafety;
import com.unboundid.util.ThreadSafetyLevel;
import com.unboundid.util.args.ArgumentException;
import com.unboundid.util.args.ArgumentParser;

import java.util.Collections;
import java.util.List;
import java.util.Map;



/**
 * This class defines an API that may be implemented by extensions that provide
 * a way to authenticate a user or provide additional assurance about the
 * identity of a user that has already been authenticated.
 * This API is generic and can support a wide range of authentication and
 * second-factor authentication methods.
 *
 * <H2>Configuring Identity Authenticators</H2>
 * <p>
 * In order to configure an Identity Authenticator created using this API, use
 * a command like:
 * </p>
 * <PRE>
 *      dsconfig create-identity-authenticator \
 *           ---authenticator-name "<I>{name}</I>" \
 *           --type third-party \
 *           --set "extension-class:<I>{class-name}</I>" \
 *           --set "extension-argument:<I>{name=value}</I>"
 * </PRE>
 * where "<I>{name}</I>" is the name to use for the Identity Authenticator
 * instance, "<I>{class-name}</I>" is the fully-qualified name of the Java class
 * that extends
 * {@code com.unboundid.directory.sdk.broker.api.IdentityAuthenticator},
 * and "<I>{name=value}</I>" represents name-value pairs for any arguments to
 * provide to the Identity Authenticator. If multiple arguments should be
 * provided to the extension, then the
 * "<CODE>--set extension-argument:<I>{name=value}</I></CODE>" option should be
 * provided multiple times.
 */
@Extensible()
@BrokerExtension
@ThreadSafety(level= ThreadSafetyLevel.INTERFACE_THREADSAFE)
public abstract class IdentityAuthenticator implements UnboundIDExtension,
        Configurable, ExampleUsageProvider
{
  /**
   * Creates a new instance of this Identity Authenticator.  All
   * implementations must include a default constructor, but any
   * initialization should generally be done in the
   * {@link #initializeAuthenticator} method.
   */
  public IdentityAuthenticator()
  {
    // No implementation is required.
  }



  /**
   * {@inheritDoc}
   */
  @Override
  public abstract String getExtensionName();



  /**
   * {@inheritDoc}
   */
  @Override
  public abstract String[] getExtensionDescription();



  /**
   * {@inheritDoc}
   */
  @Override
  public Map<List<String>,String> getExamplesArgumentSets()
  {
    return Collections.emptyMap();
  }



  /**
   * {@inheritDoc}
   */
  @Override
  public void defineConfigArguments(final ArgumentParser parser)
         throws ArgumentException
  {
    // No arguments will be allowed by default.
  }



  /**
   * Initializes this Identity Authenticator. Any initialization should be
   * performed here. This method should generally store the
   * {@link BrokerContext} in a class member so that it can be used elsewhere
   * in the implementation.
   * <p>
   * The default implementation is empty.
   *
   * @param  serverContext  A handle to the server context for the server in
   *                        which this extension is running. Extensions should
   *                        typically store this in a class member.
   * @param  config         The general configuration for this object.
   * @param  parser         The argument parser which has been initialized from
   *                        the configuration for this Identity Authenticator.
   * @throws Exception      If a problem occurs while initializing this store
   *                        adapter.
   */
  public void initializeAuthenticator(final BrokerContext serverContext,
                                      final IdentityAuthenticatorConfig config,
                                      final ArgumentParser parser)
      throws Exception
  {
    // No initialization will be performed by default.
  }



  /**
   * This hook is called when the Identity Authenticator is disabled or the
   * server shuts down. Any clean-up of this Identity Authenticator should
   * be performed here.
   * <p>
   * The default implementation is empty.
   */
  public void finalizeAuthenticator()
  {
    // No implementation is performed by default.
  }

  /**
   * Process a status request. The current state of the authenticator for this
   * flow should be returned in the response parameters.
   * <p>
   * The content of the response parameters is entirely up to the Identity
   * Authenticator implementation, and should be documented by the
   * implementation.
   *
   * @param request The status request details.
   *
   * @return  The results of the status request.
   */
  public abstract StatusResult getStatus(final StatusRequest request);

  /**
   * Process an authentication request. An authentication process, or flow,
   * for a given Identity Authenticator may be composed of multiple steps
   * (or interactions with the end user or user interface). This method call
   * represents a single authentication step.
   * <p>
   * If the authentication flow requires further steps, then the result should
   * contain response parameters that can be used to complete the flow.
   * The result must also contain flow state parameters, which will be
   * preserved and resubmitted in the request for the next step. The server
   * encrypts the content of the returned flow state parameters in order to
   * protect any sensitive information.
   * <p>
   * When the authentication flow is completed successfully, the result must
   * contain the name of the authenticated principal. If authentication fails
   * (e.g. invalid credentials), an unsuccessful result must be returned,
   * rather than an exception.
   * <p>
   * An authenticator should only return success if the client provided the
   * correct credentials. If additional info is needed or if the provided
   * credentials are incorrect, it should return false. The authenticator
   * should set the principal in the result if it can identify a user with
   * the provided credentials. Otherwise, it should return the principal
   * that was passed in.
   * <p>
   * The content of the request parameters and response parameters is entirely
   * up to the Identity Authenticator implementation, and should be documented
   * by the implementation.
   *
   * @param request The authentication request details.
   *
   * @return  The results of the authentication request.
   */
  public abstract AuthenticationResult authenticate(
      final AuthenticationRequest request);
}