001/*
002 * CDDL HEADER START
003 *
004 * The contents of this file are subject to the terms of the
005 * Common Development and Distribution License, Version 1.0 only
006 * (the "License").  You may not use this file except in compliance
007 * with the License.
008 *
009 * You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
010 * or http://forgerock.org/license/CDDLv1.0.html.
011 * See the License for the specific language governing permissions
012 * and limitations under the License.
013 *
014 * When distributing Covered Code, include this CDDL HEADER in each
015 * file and include the License file at legal-notices/CDDLv1_0.txt.
016 * If applicable, add the following below this CDDL HEADER, with the
017 * fields enclosed by brackets "[]" replaced with your own identifying
018 * information:
019 *      Portions Copyright [yyyy] [name of copyright owner]
020 *
021 * CDDL HEADER END
022 *
023 *
024 *      Copyright 2006-2010 Sun Microsystems, Inc.
025 *      Portions Copyright 2013-2015 ForgeRock AS
026 */
027package org.opends.server.types;
028
029import org.forgerock.opendj.ldap.ByteString;
030import static org.forgerock.util.Reject.*;
031
032/**
033 * This class defines a data structure that may be used to store
034 * information about an authenticated user.  Note that structures in
035 * this class allow for multiple authentication types for the same
036 * user, which is not currently supported by LDAP but may be offered
037 * through some type of extension.
038 */
039@org.opends.server.types.PublicAPI(
040     stability=org.opends.server.types.StabilityLevel.UNCOMMITTED,
041     mayInstantiate=true,
042     mayExtend=false,
043     mayInvoke=true)
044public final class AuthenticationInfo
045{
046
047  /** Indicates whether this connection is currently authenticated. */
048  private boolean isAuthenticated;
049
050  /** Indicates whether this connection is authenticated as a root user. */
051  private boolean isRoot;
052
053  /**
054   * Indicates whether the user's password must be changed before any other
055   * operation will be allowed.
056   */
057  private boolean mustChangePassword;
058
059  /** The entry of the user that is currently authenticated. */
060  private Entry authenticationEntry;
061
062  /**
063   * The entry of the user that will be used as the default authorization
064   * identity.
065   */
066  private Entry authorizationEntry;
067
068  /** The type of authentication performed on this connection. */
069  private AuthenticationType authenticationType;
070
071  /** The SASL mechanism used to authenticate. */
072  private String saslMechanism;
073
074  /** The bind DN used to authenticate using simple authentication. */
075  private DN simpleBindDN;
076
077  /**
078   * Creates a new set of authentication information to be used for
079   * unauthenticated clients.
080   */
081  public AuthenticationInfo()
082  {
083    isAuthenticated     = false;
084    isRoot              = false;
085    mustChangePassword  = false;
086    authenticationType  = null;
087    authenticationEntry = null;
088    authorizationEntry  = null;
089    simpleBindDN        = null;
090    saslMechanism       = null;
091  }
092
093
094
095  /**
096   * Creates a new set of authentication information to be used for
097   * clients that are authenticated internally.
098   *
099   * @param  authenticationEntry  The entry of the user that has
100   *                              authenticated, or {@code null} to
101   *                              indicate an unauthenticated user.
102   * @param  isRoot               Indicates whether the authenticated
103   *                              user is a root user.
104   */
105  public AuthenticationInfo(Entry authenticationEntry, boolean isRoot)
106  {
107    this.authenticationEntry = authenticationEntry;
108    this.isRoot              = isRoot;
109
110    isAuthenticated     = authenticationEntry != null;
111    mustChangePassword  = false;
112    simpleBindDN        = authenticationEntry != null ?
113        authenticationEntry.getName() : null;
114    authorizationEntry  = authenticationEntry;
115    saslMechanism       = null;
116    authenticationType  = AuthenticationType.INTERNAL;
117  }
118
119  /**
120   * Creates a new set of authentication information to be used for
121   * clients that have successfully performed simple authentication.
122   *
123   * @param  authenticationEntry  The entry of the user that has
124   *                              authenticated.  It must not be
125   *                              {@code null}.
126   * @param  simpleBindDN         The bind DN that was used to
127   *                              perform the simple authentication.
128   * @param  isRoot               Indicates whether the authenticated
129   */
130  public AuthenticationInfo(Entry authenticationEntry, DN simpleBindDN,
131      boolean isRoot)
132  {
133    ifNull(authenticationEntry);
134
135    this.authenticationEntry = authenticationEntry;
136    this.simpleBindDN        = simpleBindDN;
137    this.isRoot              = isRoot;
138
139    this.isAuthenticated     = true;
140    this.mustChangePassword  = false;
141    this.authorizationEntry  = authenticationEntry;
142    this.saslMechanism       = null;
143    this.authenticationType  = AuthenticationType.SIMPLE;
144  }
145
146
147
148  /**
149   * Creates a new set of authentication information to be used for
150   * clients that have authenticated using a SASL mechanism.
151   *
152   * @param  authenticationEntry  The entry of the user that has
153   *                              authenticated.  It must not be
154   *                              {@code null}.
155   * @param  saslMechanism        The SASL mechanism used to
156   *                              authenticate.  This must be provided
157   *                              in all-uppercase characters and must
158   *                              not be {@code null}.
159   * @param  isRoot               Indicates whether the authenticated
160   *                              user is a root user.
161   */
162  public AuthenticationInfo(Entry authenticationEntry,
163                            String saslMechanism,
164                            boolean isRoot)
165  {
166    ifNull(authenticationEntry, saslMechanism);
167
168    this.authenticationEntry = authenticationEntry;
169    this.isRoot              = isRoot;
170
171    this.isAuthenticated    = true;
172    this.mustChangePassword = false;
173    this.authorizationEntry = authenticationEntry;
174    this.simpleBindDN       = null;
175    this.authenticationType = AuthenticationType.SASL;
176    this.saslMechanism      = saslMechanism;
177  }
178
179
180
181  /**
182   * Creates a new set of authentication information to be used for
183   * clients that have authenticated using a SASL mechanism.
184   *
185   * @param  authenticationEntry  The entry of the user that has
186   *                              authenticated.  It must not be
187   *                              {@code null}.
188   * @param  authorizationEntry   The entry of the user that will be
189   *                              used as the default authorization
190   *                              identity, or {@code null} to
191   *                              indicate that the authorization
192   *                              identity should be the
193   *                              unauthenticated user.
194   * @param  saslMechanism        The SASL mechanism used to
195   *                              authenticate.  This must be provided
196   *                              in all-uppercase characters and must
197   *                              not be {@code null}.
198   * @param  saslCredentials      The SASL credentials used to
199   *                              authenticate.
200   *                              It must not be {@code null}.
201   * @param  isRoot               Indicates whether the authenticated
202   *                              user is a root user.
203   */
204  public AuthenticationInfo(Entry authenticationEntry,
205                            Entry authorizationEntry,
206                            String saslMechanism,
207                            ByteString saslCredentials,
208                            boolean isRoot)
209  {
210    ifNull(authenticationEntry, saslMechanism);
211
212    this.authenticationEntry = authenticationEntry;
213    this.authorizationEntry  = authorizationEntry;
214    this.isRoot              = isRoot;
215
216    this.isAuthenticated    = true;
217    this.mustChangePassword = false;
218    this.simpleBindDN       = null;
219    this.authenticationType = AuthenticationType.SASL;
220    this.saslMechanism      = saslMechanism;
221  }
222
223
224
225  /**
226   * Indicates whether this client has successfully authenticated to
227   * the server.
228   *
229   * @return  {@code true} if this client has successfully
230   *          authenticated to the server, or {@code false} if not.
231   */
232  public boolean isAuthenticated()
233  {
234    return isAuthenticated;
235  }
236
237
238
239  /**
240   * Indicates whether this client should be considered a root user.
241   *
242   * @return  {@code true} if this client should be considered a root
243   *          user, or {@code false} if not.
244   */
245  public boolean isRoot()
246  {
247    return isRoot;
248  }
249
250
251
252  /**
253   * Indicates whether the authenticated user must change his/her
254   * password before any other operation will be allowed.
255   *
256   * @return  {@code true} if the user must change his/her password
257   *          before any other operation will be allowed, or
258   *          {@code false} if not.
259   */
260  public boolean mustChangePassword()
261  {
262    return mustChangePassword;
263  }
264
265
266
267  /**
268   * Specifies whether the authenticated user must change his/her
269   * password before any other operation will be allowed.
270   *
271   * @param  mustChangePassword  Specifies whether the authenticated
272   *                             user must change his/her password
273   *                             before any other operation will be
274   *                             allowed.
275   */
276  public void setMustChangePassword(boolean mustChangePassword)
277  {
278    this.mustChangePassword = mustChangePassword;
279  }
280
281
282
283  /**
284   * Indicates whether this client has authenticated using the
285   * specified authentication type.
286   *
287   * @param  authenticationType  The authentication type for which to
288   *                             make the determination.
289   *
290   * @return  {@code true} if the client has authenticated using the
291   *          specified authentication type, or {@code false} if not.
292   */
293  public boolean hasAuthenticationType(AuthenticationType
294                                            authenticationType)
295  {
296    return this.authenticationType == authenticationType;
297  }
298
299
300
301  /**
302   * Retrieves the entry for the user as whom the client is
303   * authenticated.
304   *
305   * @return  The entry for the user as whom the client is
306   *          authenticated, or {@code null} if the client is
307   *          unauthenticated.
308   */
309  public Entry getAuthenticationEntry()
310  {
311    return authenticationEntry;
312  }
313
314
315
316  /**
317   * Retrieves the DN of the user as whom the client is authenticated.
318   *
319   * @return  The DN of the user as whom the client is authenticated,
320   *          or {@code null} if the client is unauthenticated.
321   */
322  public DN getAuthenticationDN()
323  {
324    if (authenticationEntry != null)
325    {
326      return authenticationEntry.getName();
327    }
328    return null;
329  }
330
331
332
333  /**
334   * Sets the DN of the user as whom the client is authenticated,
335   * does nothing if the client is unauthenticated.
336   *
337   * @param dn authentication identity DN.
338   */
339  public void setAuthenticationDN(DN dn)
340  {
341    if (authenticationEntry != null)
342    {
343      authenticationEntry.setDN(dn);
344    }
345  }
346
347
348
349  /**
350   * Retrieves the entry for the user that should be used as the
351   * default authorization identity.
352   *
353   * @return  The entry for the user that should be used as the
354   *          default authorization identity, or {@code null} if the
355   *          authorization identity should be the unauthenticated
356   *          user.
357   */
358  public Entry getAuthorizationEntry()
359  {
360    return authorizationEntry;
361  }
362
363
364
365  /**
366   * Retrieves the DN for the user that should be used as the default
367   * authorization identity.
368   *
369   * @return  The DN for the user that should be used as the default
370   *          authorization identity, or {@code null} if the
371   *          authorization identity should be the unauthenticated
372   *          user.
373   */
374  public DN getAuthorizationDN()
375  {
376    if (authorizationEntry != null)
377    {
378      return authorizationEntry.getName();
379    }
380    return null;
381  }
382
383
384
385  /**
386   * Sets the DN for the user that should be used as the default
387   * authorization identity, does nothing if the client is
388   * unauthorized.
389   *
390   * @param dn authorization identity DN.
391   */
392  public void setAuthorizationDN(DN dn)
393  {
394    if (authorizationEntry != null)
395    {
396      authorizationEntry.setDN(dn);
397    }
398  }
399
400
401
402  /**
403   * Retrieves the bind DN that the client used for simple
404   * authentication.
405   *
406   * @return  The bind DN that the client used for simple
407   *          authentication, or {@code null} if the client is not
408   *          authenticated using simple authentication.
409   */
410  public DN getSimpleBindDN()
411  {
412    return simpleBindDN;
413  }
414
415
416
417  /**
418   * Indicates whether the client is currently authenticated using the
419   * specified SASL mechanism.
420   *
421   * @param  saslMechanism  The SASL mechanism for which to make the
422   *                        determination.  Note that this must be
423   *                        provided in all uppercase characters.
424   *
425   * @return  {@code true} if the client is authenticated using the
426   *          specified SASL mechanism, or {@code false} if not.
427   */
428  public boolean hasSASLMechanism(String saslMechanism)
429  {
430    return this.saslMechanism.equals(saslMechanism);
431  }
432
433  /**
434   * Retrieves a string representation of this authentication info
435   * structure.
436   *
437   * @return  A string representation of this authentication info
438   *          structure.
439   */
440  @Override
441  public String toString()
442  {
443    StringBuilder buffer = new StringBuilder();
444    toString(buffer);
445
446    return buffer.toString();
447  }
448
449
450
451  /**
452   * Appends a string representation of this authentication info
453   * structure to the provided buffer.
454   *
455   * @param  buffer  The buffer to which the information is to be
456   *                 appended.
457   */
458  public void toString(StringBuilder buffer)
459  {
460    buffer.append("AuthenticationInfo(isAuthenticated=");
461    buffer.append(isAuthenticated);
462    buffer.append(",isRoot=");
463    buffer.append(isRoot);
464    buffer.append(",mustChangePassword=");
465    buffer.append(mustChangePassword);
466    buffer.append(",authenticationDN=\"");
467
468    if (authenticationEntry != null)
469    {
470      authenticationEntry.getName().toString(buffer);
471    }
472
473    if (authorizationEntry == null)
474    {
475      buffer.append("\",authorizationDN=\"\"");
476    }
477    else
478    {
479      buffer.append("\",authorizationDN=\"");
480      authorizationEntry.getName().toString(buffer);
481      buffer.append("\"");
482    }
483
484    if (authenticationType != null)
485    {
486      buffer.append(",authType=");
487      buffer.append(authenticationType);
488    }
489
490    if (saslMechanism != null)
491    {
492      buffer.append(",saslMechanism=");
493      buffer.append(saslMechanism);
494    }
495
496    buffer.append(")");
497  }
498
499
500
501  /**
502   * Creates a duplicate of this {@code AuthenticationInfo} object
503   * with the new authentication and authorization entries.
504   *
505   * @param  newAuthenticationEntry  The updated entry for the user
506   *                                 as whom the associated client
507   *                                 connection is authenticated.
508   * @param  newAuthorizationEntry   The updated entry for the default
509   *                                 authorization identity for the
510   *                                 associated client connection.
511   *
512   * @return  The duplicate of this {@code AuthenticationInfo} object
513   *          with the specified authentication and authorization
514   *          entries.
515   */
516  public AuthenticationInfo duplicate(Entry newAuthenticationEntry,
517                                      Entry newAuthorizationEntry)
518  {
519    AuthenticationInfo authInfo = new AuthenticationInfo();
520
521    authInfo.isAuthenticated     = isAuthenticated;
522    authInfo.isRoot              = isRoot;
523    authInfo.mustChangePassword  = mustChangePassword;
524    authInfo.authenticationEntry = newAuthenticationEntry;
525    authInfo.authorizationEntry  = newAuthorizationEntry;
526
527    authInfo.authenticationType  = authenticationType;
528    authInfo.saslMechanism       = saslMechanism;
529
530    return authInfo;
531  }
532}
533