001/*
002 * CDDL HEADER START
003 *
004 * The contents of this file are subject to the terms of the
005 * Common Development and Distribution License, Version 1.0 only
006 * (the "License").  You may not use this file except in compliance
007 * with the License.
008 *
009 * You can obtain a copy of the license at
010 * docs/licenses/cddl.txt
011 * or http://www.opensource.org/licenses/cddl1.php.
012 * See the License for the specific language governing permissions
013 * and limitations under the License.
014 *
015 * When distributing Covered Code, include this CDDL HEADER in each
016 * file and include the License file at
017 * docs/licenses/cddl.txt.  If applicable,
018 * add the following below this CDDL HEADER, with the fields enclosed
019 * by brackets "[]" replaced with your own identifying information:
020 *      Portions Copyright [yyyy] [name of copyright owner]
021 *
022 * CDDL HEADER END
023 *
024 *
025 *      Portions Copyright 2010-2023 Ping Identity Corporation
026 */
027package com.unboundid.directory.sdk.ds.scripting;
028
029
030
031import java.util.List;
032
033import com.unboundid.directory.sdk.common.internal.Reconfigurable;
034import com.unboundid.directory.sdk.ds.config.IdentityMapperConfig;
035import com.unboundid.directory.sdk.ds.internal.DirectoryServerExtension;
036import com.unboundid.directory.sdk.ds.types.DirectoryServerContext;
037import com.unboundid.directory.sdk.proxy.internal.DirectoryProxyServerExtension;
038import com.unboundid.directory.sdk.sync.internal.SynchronizationServerExtension;
039import com.unboundid.ldap.sdk.LDAPException;
040import com.unboundid.ldap.sdk.ResultCode;
041import com.unboundid.util.Extensible;
042import com.unboundid.util.ThreadSafety;
043import com.unboundid.util.ThreadSafetyLevel;
044import com.unboundid.util.args.ArgumentException;
045import com.unboundid.util.args.ArgumentParser;
046
047
048
049/**
050 * This class defines an API that must be implemented by scripted extensions
051 * which attempt to map a username to a user defined in the server.  This is
052 * generally used when processing an authorization ID, as might be provided when
053 * performing SASL authentication or in a control like the proxied authorization
054 * or intermediate client controls.  In order for the mapping to be established,
055 * the identity mapper must locate exactly one entry in the server corresponding
056 * to the provided username.  If no entries are found, or if multiple entries
057 * are found, then the mapping attempt must fail.
058 * <BR>
059 * <H2>Configuring Groovy-Scripted Identity Mappers</H2>
060 * In order to configure a scripted identity mapper based on this API and
061 * written in the Groovy scripting language, use a command like:
062 * <PRE>
063 *      dsconfig create-identity-mapper \
064 *           --mapper-name "<I>{mapper-name}</I>" \
065 *           --type groovy-scripted \
066 *           --set enabled:true \
067 *           --set "script-class:<I>{class-name}</I>" \
068 *           --set "script-argument:<I>{name=value}</I>"
069 * </PRE>
070 * where "<I>{mapper-name}</I>" is the name to use for the identity mapper
071 * instance, "<I>{class-name}</I>" is the fully-qualified name of the Groovy
072 * class written using this API, and "<I>{name=value}</I>" represents name-value
073 * pairs for any arguments to provide to the identity mapper.  If multiple
074 * arguments should be provided to the identity mapper, then the
075 * "<CODE>--set script-argument:<I>{name=value}</I></CODE>" option should be
076 * provided multiple times.
077 *
078 * @see  com.unboundid.directory.sdk.ds.api.IdentityMapper
079 */
080@Extensible()
081@DirectoryServerExtension()
082@DirectoryProxyServerExtension(appliesToLocalContent=true,
083     appliesToRemoteContent=false)
084@SynchronizationServerExtension(appliesToLocalContent=true,
085     appliesToSynchronizedContent=false)
086@ThreadSafety(level=ThreadSafetyLevel.INTERFACE_THREADSAFE)
087public abstract class ScriptedIdentityMapper
088       implements Reconfigurable<IdentityMapperConfig>
089{
090  /**
091   * Creates a new instance of this identity mapper.  All identity mapper
092   * implementations must include a default constructor, but any initialization
093   * should generally be done in the {@code initializeIdentityMapper} method.
094   */
095  public ScriptedIdentityMapper()
096  {
097    // No implementation is required.
098  }
099
100
101
102  /**
103   * {@inheritDoc}
104   */
105  public void defineConfigArguments(final ArgumentParser parser)
106         throws ArgumentException
107  {
108    // No arguments will be allowed by default.
109  }
110
111
112
113  /**
114   * Initializes this identity mapper.
115   *
116   * @param  serverContext  A handle to the server context for the server in
117   *                        which this extension is running.
118   * @param  config         The general configuration for this identity mapper.
119   * @param  parser         The argument parser which has been initialized from
120   *                        the configuration for this identity mapper.
121   *
122   * @throws  LDAPException  If a problem occurs while initializing this
123   *                         identity mapper.
124   */
125  public void initializeIdentityMapper(
126                   final DirectoryServerContext serverContext,
127                   final IdentityMapperConfig config,
128                   final ArgumentParser parser)
129         throws LDAPException
130  {
131    // No initialization will be performed by default.
132  }
133
134
135
136  /**
137   * Performs any cleanup which may be necessary when this identity mapper is
138   * to be taken out of service.
139   */
140  public void finalizeIdentityMapper()
141  {
142    // No implementation is required.
143  }
144
145
146
147  /**
148   * {@inheritDoc}
149   */
150  public boolean isConfigurationAcceptable(final IdentityMapperConfig config,
151                      final ArgumentParser parser,
152                      final List<String> unacceptableReasons)
153  {
154    // No extended validation will be performed.
155    return true;
156  }
157
158
159
160  /**
161   * {@inheritDoc}
162   */
163  public ResultCode applyConfiguration(final IdentityMapperConfig config,
164                                       final ArgumentParser parser,
165                                       final List<String> adminActionsRequired,
166                                       final List<String> messages)
167  {
168    // By default, no configuration changes will be applied.  If there are any
169    // arguments, then add an admin action message indicating that the extension
170    // needs to be restarted for any changes to take effect.
171    if (! parser.getNamedArguments().isEmpty())
172    {
173      adminActionsRequired.add(
174           "No configuration change has actually been applied.  The new " +
175                "configuration will not take effect until this identity " +
176                "mapper is disabled and re-enabled or until the server is " +
177                "restarted.");
178    }
179
180    return ResultCode.SUCCESS;
181  }
182
183
184
185  /**
186   * Performs any processing which may be necessary to map the provided username
187   * to a user within the server.
188   *
189   * @param  username  The username to be mapped to a user within the server.
190   *
191   * @return  The DN of the user within the server to which the provided
192   *          username corresponds.
193   *
194   * @throws  LDAPException  If the provided username cannot be mapped to
195   *                         exactly one user in the server.
196   */
197  public abstract String mapUsername(final String username)
198         throws LDAPException;
199}