UnboundID Server SDK

Ping Identity
UnboundID Server SDK Documentation

ExampleMultiStageSASLMechanismHandler.java

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License").  You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at
 * docs/licenses/cddl.txt
 * or http://www.opensource.org/licenses/cddl1.php.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at
 * docs/licenses/cddl.txt.  If applicable,
 * add the following below this CDDL HEADER, with the fields enclosed
 * by brackets "[]" replaced with your own identifying information:
 *      Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 *
 *
 *      Portions Copyright 2012-2023 Ping Identity Corporation
 */
package com.unboundid.directory.sdk.examples;



import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import com.unboundid.asn1.ASN1OctetString;
import com.unboundid.directory.sdk.common.operation.SASLBindRequest;
import com.unboundid.directory.sdk.common.types.ClientContext;
import com.unboundid.directory.sdk.common.types.Entry;
import com.unboundid.directory.sdk.common.types.OperationContext;
import com.unboundid.directory.sdk.ds.api.SASLMechanismHandler;
import com.unboundid.directory.sdk.ds.config.SASLMechanismHandlerConfig;
import com.unboundid.directory.sdk.ds.types.SASLBindResult;
import com.unboundid.directory.sdk.ds.types.SASLBindResultFactory;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.util.StaticUtils;
import com.unboundid.util.args.ArgumentParser;



/**
 * This class provides an implementation of a SASL mechanism handler that may be
 * used to test multi-stage bind processing.  The bind should be processed in
 * three stages:
 * <OL>
 *   <LI>The client sends a SASL bind request with no credentials.  The server
 *       returns a response with a result code of SASL_BIND_IN_PROGRESS and
 *       credentials that are a prompt for the username.</LI>
 *   <LI>The client sends a SASL bind request in which the credentials are the
 *       string representation of the username for the user to authenticate.
 *       The server returns a response with a result code of
 *       SASL_BIND_IN_PROGRESS and credentials that are a prompt for the
 *       password.</LI>
 *   <LI>The client sends a SASL bind request in which the credentials are the
 *       password for the specified user.  The server then verifies the username
 *       and password and returns either a success or failure result.</LI>
 * </OL>
 */
public final class ExampleMultiStageSASLMechanismHandler
       extends SASLMechanismHandler
{
  /**
   * Creates a new instance of this SASL mechanism handler.  All SASL mechanism
   * handler implementations must include a default constructor, but any
   * initialization should generally be done in the
   * {@code initializeSASLMechanismHandler} method.
   */
  public ExampleMultiStageSASLMechanismHandler()
  {
    // No implementation is required.
  }



  /**
   * {@inheritDoc}
   */
  @Override()
  public String getExtensionName()
  {
    return "Multi-Stage SASL Mechanism Handler";
  }



  /**
   * {@inheritDoc}
   */
  @Override()
  public String[] getExtensionDescription()
  {
    return new String[]
    {
      "Tests the ability to perform multi-stage SASL authentication."
    };
  }



  /**
   * {@inheritDoc}
   */
  @Override()
  public boolean isConfigurationAcceptable(
                      final SASLMechanismHandlerConfig config,
                      final ArgumentParser parser,
                      final List<String> unacceptableReasons)
  {
    // Make sure that an identity mapper is included in the configuration.
    if (config.getIdentityMapperConfigEntryDN() == null)
    {
      unacceptableReasons.add("The EXAMPLE-MULTI-STAGE-USERNAME-AND-PASSWORD " +
           "SASL mechanism handler must be configured with an identity " +
           "mapper.");
      return false;
    }

    return true;
  }



  /**
   * {@inheritDoc}
   */
  @Override()
  public ResultCode applyConfiguration(final SASLMechanismHandlerConfig config,
                                       final ArgumentParser parser,
                                       final List<String> adminActionsRequired,
                                       final List<String> messages)
  {
    return ResultCode.SUCCESS;
  }



  /**
   * {@inheritDoc}
   */
  @Override()
  public List<String> getSASLMechanismNames()
  {
    return Arrays.asList("EXAMPLE-MULTI-STAGE-USERNAME-AND-PASSWORD");
  }



  /**
   * {@inheritDoc}
   */
  @Override()
  public boolean isSecure(final String mechanism)
  {
    // This mechanism does not make any attempt to protect the credentials, so
    // it is not inherently secure.
    return false;
  }



  /**
   * {@inheritDoc}
   */
  @Override()
  public boolean isPasswordBased(final String mechanism)
  {
    // This mechanism does rely on a password.
    return true;
  }



  /**
   * {@inheritDoc}
   */
  @Override()
  public SASLBindResult processSASLBind(final OperationContext operationContext,
                             final SASLBindRequest bindRequest,
                             final SASLBindResultFactory resultFactory)
  {
    // Get the client context, since we'll need to use it to get and set state
    // information.
    final ClientContext clientContext = operationContext.getClientContext();


    // Get the SASL credentials from the bind request.  If there are none, then
    // this must be the first stage of the multi-stage bind, and we should send
    // back a continuation result with server SASL credentials requesting the
    // username.
    final ASN1OctetString saslCredentials = bindRequest.getSASLCredentials();
    if (saslCredentials == null)
    {
      clientContext.setSASLAuthStateInfo(null);
      return resultFactory.createContinuationResult(null, null,
           new ASN1OctetString("Username"));
    }


    // The request included SASL credentials, so it's either the username or
    // the password.  If there is no stored state, then it should be the
    // username, and we should store that as the state and send back another
    // continuation result with server SASL credentials requesting the password.
    final Object saslState = clientContext.getSASLAuthStateInfo();
    if (saslState == null)
    {
      clientContext.setSASLAuthStateInfo(saslCredentials.stringValue());
      return resultFactory.createContinuationResult(null, null,
           new ASN1OctetString("Password"));
    }


    // If we have stored state, then the stored state should be the username,
    // and the new SASL credentials should be the password.  Clear the SASL
    // state and do the bind processing.
    final String username = (String) saslState;
    final ASN1OctetString password = saslCredentials;
    clientContext.setSASLAuthStateInfo(null);

    final Entry userEntry;
    try
    {
      userEntry = resultFactory.mapUsernameToEntry(username);
    }
    catch (final LDAPException le)
    {
      operationContext.getServerContext().debugCaught(le);
      return resultFactory.createFailureResult(
           "Cannot map username '" + username + "' to a user entry:  " +
                StaticUtils.getExceptionMessage(le),
           null, null, null, null, null);
    }

    try
    {
      if (resultFactory.isUserPasswordValid(userEntry.getDN(), password))
      {
        return resultFactory.createSuccessResult(userEntry.getDN());
      }
      else
      {
        return resultFactory.createFailureResult(
             "The provided password was not valid for user '" +
                  userEntry.getDN() + "'.",
             null, null, null, null, userEntry.getDN());
      }
    }
    catch (final LDAPException le)
    {
      operationContext.getServerContext().debugCaught(le);
      return resultFactory.createFailureResult(
           "Unable to determine whether the provided password is valid for " +
                "user '" + userEntry.getDN() + "':  " +
                StaticUtils.getExceptionMessage(le),
           null, null, null, null, userEntry.getDN());
    }
  }



  /**
   * Retrieves a map containing examples of configurations that may be used for
   * this extension.  The map key should be a list of sample arguments, and the
   * corresponding value should be a description of the behavior that will be
   * exhibited by the extension when used with that configuration.
   *
   * @return  A map containing examples of configurations that may be used for
   *          this extension.  It may be {@code null} or empty if there should
   *          not be any example argument sets.
   */
  @Override()
  public Map<List<String>,String> getExamplesArgumentSets()
  {
    // This SASL mechanism handler doesn't take any arguments.
    final LinkedHashMap<List<String>,String> exampleArgs =
         new LinkedHashMap<List<String>,String>(1);

    exampleArgs.put(
         new ArrayList<String>(0),
         "Configure the SASL mechanism handler without any arguments, as " +
              "none are needed for this implementation.");

    return exampleArgs;
  }



  /**
   * Indicates whether the specified SASL mechanism, which is listed as
   * supported by this handler, is available for use by the given user.
   *
   * @param  mechanism          The name of the SASL mechanism for which to make
   *                            the determination.  It will be one of the
   *                            mechanisms for which this handler is registered.
   * @param  passwordAttribute  The name of the attribute used to hold the
   *                            password for the user.
   * @param  userEntry          The entry for the user for whom to make the
   *                            determination.
   *
   * @return  {@code true} if the SASL mechanism is supported for the user,
   *          {@code false} if not, or {@code null} if it could not be
   *          determined.
   */
  @Override()
  public Boolean isMechanismAvailableForUser(final String mechanism,
                                             final String passwordAttribute,
                                             final Entry userEntry)
  {
    // Make sure that the user has a password.
    return userEntry.hasAttribute(passwordAttribute);
  }
}