001/*
002 * CDDL HEADER START
003 *
004 * The contents of this file are subject to the terms of the
005 * Common Development and Distribution License, Version 1.0 only
006 * (the "License").  You may not use this file except in compliance
007 * with the License.
008 *
009 * You can obtain a copy of the license at
010 * docs/licenses/cddl.txt
011 * or http://www.opensource.org/licenses/cddl1.php.
012 * See the License for the specific language governing permissions
013 * and limitations under the License.
014 *
015 * When distributing Covered Code, include this CDDL HEADER in each
016 * file and include the License file at
017 * docs/licenses/cddl.txt.  If applicable,
018 * add the following below this CDDL HEADER, with the fields enclosed
019 * by brackets "[]" replaced with your own identifying information:
020 *      Portions Copyright [yyyy] [name of copyright owner]
021 *
022 * CDDL HEADER END
023 *
024 *
025 *      Portions Copyright 2010-2024 Ping Identity Corporation
026 */
027package com.unboundid.directory.sdk.ds.api;
028
029
030
031import java.util.Collections;
032import java.util.List;
033import java.util.Map;
034
035import com.unboundid.directory.sdk.common.internal.ExampleUsageProvider;
036import com.unboundid.directory.sdk.common.internal.Reconfigurable;
037import com.unboundid.directory.sdk.common.internal.UnboundIDExtension;
038import com.unboundid.directory.sdk.ds.config.IdentityMapperConfig;
039import com.unboundid.directory.sdk.ds.internal.DirectoryServerExtension;
040import com.unboundid.directory.sdk.ds.types.DirectoryServerContext;
041import com.unboundid.directory.sdk.proxy.internal.DirectoryProxyServerExtension;
042import com.unboundid.directory.sdk.sync.internal.SynchronizationServerExtension;
043import com.unboundid.ldap.sdk.LDAPException;
044import com.unboundid.ldap.sdk.ResultCode;
045import com.unboundid.util.Extensible;
046import com.unboundid.util.ThreadSafety;
047import com.unboundid.util.ThreadSafetyLevel;
048import com.unboundid.util.args.ArgumentException;
049import com.unboundid.util.args.ArgumentParser;
050
051
052
053/**
054 * This class defines an API that must be implemented by extensions which
055 * attempt to map a username to a user defined in the server.  This is generally
056 * used when processing an authorization ID, as might be provided when
057 * performing SASL authentication or in a control like the proxied authorization
058 * or intermediate client controls.  In order for the mapping to be established,
059 * the identity mapper must locate exactly one entry in the server corresponding
060 * to the provided username.  If no entries are found, or if multiple entries
061 * are found, then the mapping attempt must fail.
062 * <BR>
063 * <H2>Configuring Identity Mappers</H2>
064 * In order to configure an identity mapper created using this API, use a
065 * command like:
066 * <PRE>
067 *      dsconfig create-identity-mapper \
068 *           --mapper-name "<I>{mapper-name}</I>" \
069 *           --type third-party \
070 *           --set enabled:true \
071 *           --set "extension-class:<I>{class-name}</I>" \
072 *           --set "extension-argument:<I>{name=value}</I>"
073 * </PRE>
074 * where "<I>{mapper-name}</I>" is the name to use for the identity mapper
075 * instance, "<I>{class-name}</I>" is the fully-qualified name of the Java class
076 * that extends {@code com.unboundid.directory.sdk.ds.api.IdentityMapper},
077 * and "<I>{name=value}</I>" represents name-value pairs for any arguments to
078 * provide to the identity mapper.  If multiple arguments should be provided to
079 * the identity mapper, then the
080 * "<CODE>--set extension-argument:<I>{name=value}</I></CODE>" option should be
081 * provided multiple times.
082 *
083 * @see  com.unboundid.directory.sdk.ds.scripting.ScriptedIdentityMapper
084 */
085@Extensible()
086@DirectoryServerExtension()
087@DirectoryProxyServerExtension(appliesToLocalContent=true,
088     appliesToRemoteContent=true,
089     notes="Identity mappers may only apply in certain contexts for proxied " +
090          "operations (e.g., when used in the context of SASL authentication " +
091          "but not in the value of the proxied authorization control).")
092@SynchronizationServerExtension(appliesToLocalContent=true,
093     appliesToSynchronizedContent=false)
094@ThreadSafety(level=ThreadSafetyLevel.INTERFACE_THREADSAFE)
095public abstract class IdentityMapper
096       implements UnboundIDExtension, Reconfigurable<IdentityMapperConfig>,
097                  ExampleUsageProvider
098{
099  /**
100   * Creates a new instance of this identity mapper.  All identity mapper
101   * implementations must include a default constructor, but any initialization
102   * should generally be done in the {@code initializeIdentityMapper} method.
103   */
104  public IdentityMapper()
105  {
106    // No implementation is required.
107  }
108
109
110
111  /**
112   * {@inheritDoc}
113   */
114  public abstract String getExtensionName();
115
116
117
118  /**
119   * {@inheritDoc}
120   */
121  public abstract String[] getExtensionDescription();
122
123
124
125  /**
126   * {@inheritDoc}
127   */
128  public void defineConfigArguments(final ArgumentParser parser)
129         throws ArgumentException
130  {
131    // No arguments will be allowed by default.
132  }
133
134
135
136  /**
137   * Initializes this identity mapper.
138   *
139   * @param  serverContext  A handle to the server context for the server in
140   *                        which this extension is running.
141   * @param  config         The general configuration for this identity mapper.
142   * @param  parser         The argument parser which has been initialized from
143   *                        the configuration for this identity mapper.
144   *
145   * @throws  LDAPException  If a problem occurs while initializing this
146   *                         identity mapper.
147   */
148  public void initializeIdentityMapper(
149                   final DirectoryServerContext serverContext,
150                   final IdentityMapperConfig config,
151                   final ArgumentParser parser)
152         throws LDAPException
153  {
154    // No initialization will be performed by default.
155  }
156
157
158
159  /**
160   * {@inheritDoc}
161   */
162  public boolean isConfigurationAcceptable(final IdentityMapperConfig config,
163                      final ArgumentParser parser,
164                      final List<String> unacceptableReasons)
165  {
166    // No extended validation will be performed by default.
167    return true;
168  }
169
170
171
172  /**
173   * {@inheritDoc}
174   */
175  public ResultCode applyConfiguration(final IdentityMapperConfig config,
176                                       final ArgumentParser parser,
177                                       final List<String> adminActionsRequired,
178                                       final List<String> messages)
179  {
180    // By default, no configuration changes will be applied.  If there are any
181    // arguments, then add an admin action message indicating that the extension
182    // needs to be restarted for any changes to take effect.
183    if (! parser.getNamedArguments().isEmpty())
184    {
185      adminActionsRequired.add(
186           "No configuration change has actually been applied.  The new " +
187                "configuration will not take effect until this identity " +
188                "mapper is disabled and re-enabled or until the server is " +
189                "restarted.");
190    }
191
192    return ResultCode.SUCCESS;
193  }
194
195
196
197  /**
198   * Performs any cleanup which may be necessary when this identity mapper is to
199   * be taken out of service.
200   */
201  public void finalizeIdentityMapper()
202  {
203    // No implementation is required.
204  }
205
206
207
208  /**
209   * Performs any processing which may be necessary to map the provided username
210   * to a user within the server.
211   *
212   * @param  username  The username to be mapped to a user within the server.
213   *
214   * @return  The DN of the user within the server to which the provided
215   *          username corresponds.
216   *
217   * @throws  LDAPException  If the provided username cannot be mapped to
218   *                         exactly one user in the server.
219   */
220  public abstract String mapUsername(final String username)
221         throws LDAPException;
222
223
224
225  /**
226   * {@inheritDoc}
227   */
228  public Map<List<String>,String> getExamplesArgumentSets()
229  {
230    return Collections.emptyMap();
231  }
232}