001/*
002 * CDDL HEADER START
003 *
004 * The contents of this file are subject to the terms of the
005 * Common Development and Distribution License, Version 1.0 only
006 * (the "License").  You may not use this file except in compliance
007 * with the License.
008 *
009 * You can obtain a copy of the license at
010 * docs/licenses/cddl.txt
011 * or http://www.opensource.org/licenses/cddl1.php.
012 * See the License for the specific language governing permissions
013 * and limitations under the License.
014 *
015 * When distributing Covered Code, include this CDDL HEADER in each
016 * file and include the License file at
017 * docs/licenses/cddl.txt.  If applicable,
018 * add the following below this CDDL HEADER, with the fields enclosed
019 * by brackets "[]" replaced with your own identifying information:
020 *      Portions Copyright [yyyy] [name of copyright owner]
021 *
022 * CDDL HEADER END
023 *
024 *
025 *      Portions Copyright 2010-2023 Ping Identity Corporation
026 */
027package com.unboundid.directory.sdk.ds.api;
028
029
030
031import java.security.cert.Certificate;
032import java.util.Collections;
033import java.util.List;
034import java.util.Map;
035
036import com.unboundid.directory.sdk.common.internal.ExampleUsageProvider;
037import com.unboundid.directory.sdk.common.internal.Reconfigurable;
038import com.unboundid.directory.sdk.common.internal.UnboundIDExtension;
039import com.unboundid.directory.sdk.ds.config.CertificateMapperConfig;
040import com.unboundid.directory.sdk.ds.types.DirectoryServerContext;
041import com.unboundid.directory.sdk.ds.internal.DirectoryServerExtension;
042import com.unboundid.directory.sdk.proxy.internal.DirectoryProxyServerExtension;
043import com.unboundid.directory.sdk.sync.internal.SynchronizationServerExtension;
044import com.unboundid.ldap.sdk.LDAPException;
045import com.unboundid.ldap.sdk.ResultCode;
046import com.unboundid.util.Extensible;
047import com.unboundid.util.ThreadSafety;
048import com.unboundid.util.ThreadSafetyLevel;
049import com.unboundid.util.args.ArgumentException;
050import com.unboundid.util.args.ArgumentParser;
051
052
053
054/**
055 * This class defines an API that must be implemented by extensions which
056 * attempt to map a certificate presented by a client (e.g., via SSL or
057 * StartTLS) to a user defined in the server.  This is primarily used during
058 * the course of SASL EXTERNAL bind processing when a client uses a certificate
059 * to authenticate to the server.  Any information contained in the provided
060 * certificate chain (including the subject, fingerprint, validity, extensions,
061 * etc. of the client certificate, as well as any information about any issuer
062 * certificates) may be used to map information in the provided certificate
063 * chain to exactly one user in the server.  If the certificate cannot be mapped
064 * to any user, or if it is mapped to multiple users, then the authentication
065 * attempt must fail.
066 * <BR>
067 * <H2>Configuring Certificate Mappers</H2>
068 * In order to configure a certificate mapper created using this API, use a
069 * command like:
070 * <PRE>
071 *      dsconfig create-certificate-mapper \
072 *           --mapper-name "<I>{mapper-name}</I>" \
073 *           --type third-party \
074 *           --set enabled:true \
075 *           --set "extension-class:<I>{class-name}</I>" \
076 *           --set "extension-argument:<I>{name=value}</I>"
077 * </PRE>
078 * where "<I>{mapper-name}</I>" is the name to use for the certificate mapper
079 * instance, "<I>{class-name}</I>" is the fully-qualified name of the Java class
080 * that extends {@code com.unboundid.directory.sdk.ds.api.CertificateMapper},
081 * and "<I>{name=value}</I>" represents name-value pairs for any arguments to
082 * provide to the certificate mapper.  If multiple arguments should be provided
083 * to the certificate mapper, then the
084 * "<CODE>--set extension-argument:<I>{name=value}</I></CODE>" option should be
085 * provided multiple times.
086 *
087 * @see  com.unboundid.directory.sdk.ds.scripting.ScriptedCertificateMapper
088 */
089@Extensible()
090@DirectoryServerExtension()
091@DirectoryProxyServerExtension(appliesToLocalContent=true,
092     appliesToRemoteContent=true)
093@SynchronizationServerExtension(appliesToLocalContent=true,
094     appliesToSynchronizedContent=false)
095@ThreadSafety(level=ThreadSafetyLevel.INTERFACE_THREADSAFE)
096public abstract class CertificateMapper
097       implements UnboundIDExtension, Reconfigurable<CertificateMapperConfig>,
098                  ExampleUsageProvider
099{
100  /**
101   * Creates a new instance of this certificate mapper.  All certificate mapper
102   * implementations must include a default constructor, but any initialization
103   * should generally be done in the {@code initializeCertificateMapper} method.
104   */
105  public CertificateMapper()
106  {
107    // No implementation is required.
108  }
109
110
111
112  /**
113   * {@inheritDoc}
114   */
115  public abstract String getExtensionName();
116
117
118
119  /**
120   * {@inheritDoc}
121   */
122  public abstract String[] getExtensionDescription();
123
124
125
126  /**
127   * {@inheritDoc}
128   */
129  public void defineConfigArguments(final ArgumentParser parser)
130         throws ArgumentException
131  {
132    // No arguments will be allowed by default.
133  }
134
135
136
137  /**
138   * Initializes this certificate mapper.
139   *
140   * @param  serverContext  A handle to the server context for the server in
141   *                        which this extension is running.
142   * @param  config         The general configuration for this certificate
143   *                        mapper.
144   * @param  parser         The argument parser which has been initialized from
145   *                        the configuration for this certificate mapper.
146   *
147   * @throws  LDAPException  If a problem occurs while initializing this
148   *                         certificate mapper.
149   */
150  public void initializeCertificateMapper(
151                   final DirectoryServerContext serverContext,
152                   final CertificateMapperConfig config,
153                   final ArgumentParser parser)
154         throws LDAPException
155  {
156    // No initialization will be performed by default.
157  }
158
159
160
161  /**
162   * {@inheritDoc}
163   */
164  public boolean isConfigurationAcceptable(final CertificateMapperConfig config,
165                      final ArgumentParser parser,
166                      final List<String> unacceptableReasons)
167  {
168    // No extended validation will be performed by default.
169    return true;
170  }
171
172
173
174  /**
175   * {@inheritDoc}
176   */
177  public ResultCode applyConfiguration(final CertificateMapperConfig config,
178                                       final ArgumentParser parser,
179                                       final List<String> adminActionsRequired,
180                                       final List<String> messages)
181  {
182    // By default, no configuration changes will be applied.  If there are any
183    // arguments, then add an admin action message indicating that the extension
184    // needs to be restarted for any changes to take effect.
185    if (! parser.getNamedArguments().isEmpty())
186    {
187      adminActionsRequired.add(
188           "No configuration change has actually been applied.  The new " +
189                "configuration will not take effect until this certificate " +
190                "mapper is disabled and re-enabled or until the server is " +
191                "restarted.");
192    }
193
194    return ResultCode.SUCCESS;
195  }
196
197
198
199  /**
200   * Performs any cleanup which may be necessary when this certificate mapper is
201   * to be taken out of service.
202   */
203  public void finalizeCertificateMapper()
204  {
205    // No implementation is required.
206  }
207
208
209
210  /**
211   * Performs any processing which may be necessary to map the provided
212   * certificate chain to a user within the server.
213   *
214   * @param  certChain  The certificate chain presented by the client.
215   *
216   * @return  The DN of the user within the server to which the provided
217   *          certificate corresponds.
218   *
219   * @throws  LDAPException  If the presented certificate cannot be mapped to
220   *                         exactly one user in the server.
221   */
222  public abstract String mapCertificate(final Certificate[] certChain)
223         throws LDAPException;
224
225
226
227  /**
228   * {@inheritDoc}
229   */
230  public Map<List<String>,String> getExamplesArgumentSets()
231  {
232    return Collections.emptyMap();
233  }
234}