001/* 002 * CDDL HEADER START 003 * 004 * The contents of this file are subject to the terms of the 005 * Common Development and Distribution License, Version 1.0 only 006 * (the "License"). You may not use this file except in compliance 007 * with the License. 008 * 009 * You can obtain a copy of the license at legal-notices/CDDLv1_0.txt 010 * or http://forgerock.org/license/CDDLv1.0.html. 011 * See the License for the specific language governing permissions 012 * and limitations under the License. 013 * 014 * When distributing Covered Code, include this CDDL HEADER in each 015 * file and include the License file at legal-notices/CDDLv1_0.txt. 016 * If applicable, add the following below this CDDL HEADER, with the 017 * fields enclosed by brackets "[]" replaced with your own identifying 018 * information: 019 * Portions Copyright [yyyy] [name of copyright owner] 020 * 021 * CDDL HEADER END 022 * 023 * 024 * Copyright 2006-2010 Sun Microsystems, Inc. 025 * Portions Copyright 2013-2015 ForgeRock AS 026 */ 027package org.opends.server.types; 028 029import org.forgerock.opendj.ldap.ByteString; 030import static org.forgerock.util.Reject.*; 031 032/** 033 * This class defines a data structure that may be used to store 034 * information about an authenticated user. Note that structures in 035 * this class allow for multiple authentication types for the same 036 * user, which is not currently supported by LDAP but may be offered 037 * through some type of extension. 038 */ 039@org.opends.server.types.PublicAPI( 040 stability=org.opends.server.types.StabilityLevel.UNCOMMITTED, 041 mayInstantiate=true, 042 mayExtend=false, 043 mayInvoke=true) 044public final class AuthenticationInfo 045{ 046 047 /** Indicates whether this connection is currently authenticated. */ 048 private boolean isAuthenticated; 049 050 /** Indicates whether this connection is authenticated as a root user. */ 051 private boolean isRoot; 052 053 /** 054 * Indicates whether the user's password must be changed before any other 055 * operation will be allowed. 056 */ 057 private boolean mustChangePassword; 058 059 /** The entry of the user that is currently authenticated. */ 060 private Entry authenticationEntry; 061 062 /** 063 * The entry of the user that will be used as the default authorization 064 * identity. 065 */ 066 private Entry authorizationEntry; 067 068 /** The type of authentication performed on this connection. */ 069 private AuthenticationType authenticationType; 070 071 /** The SASL mechanism used to authenticate. */ 072 private String saslMechanism; 073 074 /** The bind DN used to authenticate using simple authentication. */ 075 private DN simpleBindDN; 076 077 /** 078 * Creates a new set of authentication information to be used for 079 * unauthenticated clients. 080 */ 081 public AuthenticationInfo() 082 { 083 isAuthenticated = false; 084 isRoot = false; 085 mustChangePassword = false; 086 authenticationType = null; 087 authenticationEntry = null; 088 authorizationEntry = null; 089 simpleBindDN = null; 090 saslMechanism = null; 091 } 092 093 094 095 /** 096 * Creates a new set of authentication information to be used for 097 * clients that are authenticated internally. 098 * 099 * @param authenticationEntry The entry of the user that has 100 * authenticated, or {@code null} to 101 * indicate an unauthenticated user. 102 * @param isRoot Indicates whether the authenticated 103 * user is a root user. 104 */ 105 public AuthenticationInfo(Entry authenticationEntry, boolean isRoot) 106 { 107 this.authenticationEntry = authenticationEntry; 108 this.isRoot = isRoot; 109 110 isAuthenticated = authenticationEntry != null; 111 mustChangePassword = false; 112 simpleBindDN = authenticationEntry != null ? 113 authenticationEntry.getName() : null; 114 authorizationEntry = authenticationEntry; 115 saslMechanism = null; 116 authenticationType = AuthenticationType.INTERNAL; 117 } 118 119 /** 120 * Creates a new set of authentication information to be used for 121 * clients that have successfully performed simple authentication. 122 * 123 * @param authenticationEntry The entry of the user that has 124 * authenticated. It must not be 125 * {@code null}. 126 * @param simpleBindDN The bind DN that was used to 127 * perform the simple authentication. 128 * @param isRoot Indicates whether the authenticated 129 */ 130 public AuthenticationInfo(Entry authenticationEntry, DN simpleBindDN, 131 boolean isRoot) 132 { 133 ifNull(authenticationEntry); 134 135 this.authenticationEntry = authenticationEntry; 136 this.simpleBindDN = simpleBindDN; 137 this.isRoot = isRoot; 138 139 this.isAuthenticated = true; 140 this.mustChangePassword = false; 141 this.authorizationEntry = authenticationEntry; 142 this.saslMechanism = null; 143 this.authenticationType = AuthenticationType.SIMPLE; 144 } 145 146 147 148 /** 149 * Creates a new set of authentication information to be used for 150 * clients that have authenticated using a SASL mechanism. 151 * 152 * @param authenticationEntry The entry of the user that has 153 * authenticated. It must not be 154 * {@code null}. 155 * @param saslMechanism The SASL mechanism used to 156 * authenticate. This must be provided 157 * in all-uppercase characters and must 158 * not be {@code null}. 159 * @param isRoot Indicates whether the authenticated 160 * user is a root user. 161 */ 162 public AuthenticationInfo(Entry authenticationEntry, 163 String saslMechanism, 164 boolean isRoot) 165 { 166 ifNull(authenticationEntry, saslMechanism); 167 168 this.authenticationEntry = authenticationEntry; 169 this.isRoot = isRoot; 170 171 this.isAuthenticated = true; 172 this.mustChangePassword = false; 173 this.authorizationEntry = authenticationEntry; 174 this.simpleBindDN = null; 175 this.authenticationType = AuthenticationType.SASL; 176 this.saslMechanism = saslMechanism; 177 } 178 179 180 181 /** 182 * Creates a new set of authentication information to be used for 183 * clients that have authenticated using a SASL mechanism. 184 * 185 * @param authenticationEntry The entry of the user that has 186 * authenticated. It must not be 187 * {@code null}. 188 * @param authorizationEntry The entry of the user that will be 189 * used as the default authorization 190 * identity, or {@code null} to 191 * indicate that the authorization 192 * identity should be the 193 * unauthenticated user. 194 * @param saslMechanism The SASL mechanism used to 195 * authenticate. This must be provided 196 * in all-uppercase characters and must 197 * not be {@code null}. 198 * @param saslCredentials The SASL credentials used to 199 * authenticate. 200 * It must not be {@code null}. 201 * @param isRoot Indicates whether the authenticated 202 * user is a root user. 203 */ 204 public AuthenticationInfo(Entry authenticationEntry, 205 Entry authorizationEntry, 206 String saslMechanism, 207 ByteString saslCredentials, 208 boolean isRoot) 209 { 210 ifNull(authenticationEntry, saslMechanism); 211 212 this.authenticationEntry = authenticationEntry; 213 this.authorizationEntry = authorizationEntry; 214 this.isRoot = isRoot; 215 216 this.isAuthenticated = true; 217 this.mustChangePassword = false; 218 this.simpleBindDN = null; 219 this.authenticationType = AuthenticationType.SASL; 220 this.saslMechanism = saslMechanism; 221 } 222 223 224 225 /** 226 * Indicates whether this client has successfully authenticated to 227 * the server. 228 * 229 * @return {@code true} if this client has successfully 230 * authenticated to the server, or {@code false} if not. 231 */ 232 public boolean isAuthenticated() 233 { 234 return isAuthenticated; 235 } 236 237 238 239 /** 240 * Indicates whether this client should be considered a root user. 241 * 242 * @return {@code true} if this client should be considered a root 243 * user, or {@code false} if not. 244 */ 245 public boolean isRoot() 246 { 247 return isRoot; 248 } 249 250 251 252 /** 253 * Indicates whether the authenticated user must change his/her 254 * password before any other operation will be allowed. 255 * 256 * @return {@code true} if the user must change his/her password 257 * before any other operation will be allowed, or 258 * {@code false} if not. 259 */ 260 public boolean mustChangePassword() 261 { 262 return mustChangePassword; 263 } 264 265 266 267 /** 268 * Specifies whether the authenticated user must change his/her 269 * password before any other operation will be allowed. 270 * 271 * @param mustChangePassword Specifies whether the authenticated 272 * user must change his/her password 273 * before any other operation will be 274 * allowed. 275 */ 276 public void setMustChangePassword(boolean mustChangePassword) 277 { 278 this.mustChangePassword = mustChangePassword; 279 } 280 281 282 283 /** 284 * Indicates whether this client has authenticated using the 285 * specified authentication type. 286 * 287 * @param authenticationType The authentication type for which to 288 * make the determination. 289 * 290 * @return {@code true} if the client has authenticated using the 291 * specified authentication type, or {@code false} if not. 292 */ 293 public boolean hasAuthenticationType(AuthenticationType 294 authenticationType) 295 { 296 return this.authenticationType == authenticationType; 297 } 298 299 300 301 /** 302 * Retrieves the entry for the user as whom the client is 303 * authenticated. 304 * 305 * @return The entry for the user as whom the client is 306 * authenticated, or {@code null} if the client is 307 * unauthenticated. 308 */ 309 public Entry getAuthenticationEntry() 310 { 311 return authenticationEntry; 312 } 313 314 315 316 /** 317 * Retrieves the DN of the user as whom the client is authenticated. 318 * 319 * @return The DN of the user as whom the client is authenticated, 320 * or {@code null} if the client is unauthenticated. 321 */ 322 public DN getAuthenticationDN() 323 { 324 if (authenticationEntry != null) 325 { 326 return authenticationEntry.getName(); 327 } 328 return null; 329 } 330 331 332 333 /** 334 * Sets the DN of the user as whom the client is authenticated, 335 * does nothing if the client is unauthenticated. 336 * 337 * @param dn authentication identity DN. 338 */ 339 public void setAuthenticationDN(DN dn) 340 { 341 if (authenticationEntry != null) 342 { 343 authenticationEntry.setDN(dn); 344 } 345 } 346 347 348 349 /** 350 * Retrieves the entry for the user that should be used as the 351 * default authorization identity. 352 * 353 * @return The entry for the user that should be used as the 354 * default authorization identity, or {@code null} if the 355 * authorization identity should be the unauthenticated 356 * user. 357 */ 358 public Entry getAuthorizationEntry() 359 { 360 return authorizationEntry; 361 } 362 363 364 365 /** 366 * Retrieves the DN for the user that should be used as the default 367 * authorization identity. 368 * 369 * @return The DN for the user that should be used as the default 370 * authorization identity, or {@code null} if the 371 * authorization identity should be the unauthenticated 372 * user. 373 */ 374 public DN getAuthorizationDN() 375 { 376 if (authorizationEntry != null) 377 { 378 return authorizationEntry.getName(); 379 } 380 return null; 381 } 382 383 384 385 /** 386 * Sets the DN for the user that should be used as the default 387 * authorization identity, does nothing if the client is 388 * unauthorized. 389 * 390 * @param dn authorization identity DN. 391 */ 392 public void setAuthorizationDN(DN dn) 393 { 394 if (authorizationEntry != null) 395 { 396 authorizationEntry.setDN(dn); 397 } 398 } 399 400 401 402 /** 403 * Retrieves the bind DN that the client used for simple 404 * authentication. 405 * 406 * @return The bind DN that the client used for simple 407 * authentication, or {@code null} if the client is not 408 * authenticated using simple authentication. 409 */ 410 public DN getSimpleBindDN() 411 { 412 return simpleBindDN; 413 } 414 415 416 417 /** 418 * Indicates whether the client is currently authenticated using the 419 * specified SASL mechanism. 420 * 421 * @param saslMechanism The SASL mechanism for which to make the 422 * determination. Note that this must be 423 * provided in all uppercase characters. 424 * 425 * @return {@code true} if the client is authenticated using the 426 * specified SASL mechanism, or {@code false} if not. 427 */ 428 public boolean hasSASLMechanism(String saslMechanism) 429 { 430 return this.saslMechanism.equals(saslMechanism); 431 } 432 433 /** 434 * Retrieves a string representation of this authentication info 435 * structure. 436 * 437 * @return A string representation of this authentication info 438 * structure. 439 */ 440 @Override 441 public String toString() 442 { 443 StringBuilder buffer = new StringBuilder(); 444 toString(buffer); 445 446 return buffer.toString(); 447 } 448 449 450 451 /** 452 * Appends a string representation of this authentication info 453 * structure to the provided buffer. 454 * 455 * @param buffer The buffer to which the information is to be 456 * appended. 457 */ 458 public void toString(StringBuilder buffer) 459 { 460 buffer.append("AuthenticationInfo(isAuthenticated="); 461 buffer.append(isAuthenticated); 462 buffer.append(",isRoot="); 463 buffer.append(isRoot); 464 buffer.append(",mustChangePassword="); 465 buffer.append(mustChangePassword); 466 buffer.append(",authenticationDN=\""); 467 468 if (authenticationEntry != null) 469 { 470 authenticationEntry.getName().toString(buffer); 471 } 472 473 if (authorizationEntry == null) 474 { 475 buffer.append("\",authorizationDN=\"\""); 476 } 477 else 478 { 479 buffer.append("\",authorizationDN=\""); 480 authorizationEntry.getName().toString(buffer); 481 buffer.append("\""); 482 } 483 484 if (authenticationType != null) 485 { 486 buffer.append(",authType="); 487 buffer.append(authenticationType); 488 } 489 490 if (saslMechanism != null) 491 { 492 buffer.append(",saslMechanism="); 493 buffer.append(saslMechanism); 494 } 495 496 buffer.append(")"); 497 } 498 499 500 501 /** 502 * Creates a duplicate of this {@code AuthenticationInfo} object 503 * with the new authentication and authorization entries. 504 * 505 * @param newAuthenticationEntry The updated entry for the user 506 * as whom the associated client 507 * connection is authenticated. 508 * @param newAuthorizationEntry The updated entry for the default 509 * authorization identity for the 510 * associated client connection. 511 * 512 * @return The duplicate of this {@code AuthenticationInfo} object 513 * with the specified authentication and authorization 514 * entries. 515 */ 516 public AuthenticationInfo duplicate(Entry newAuthenticationEntry, 517 Entry newAuthorizationEntry) 518 { 519 AuthenticationInfo authInfo = new AuthenticationInfo(); 520 521 authInfo.isAuthenticated = isAuthenticated; 522 authInfo.isRoot = isRoot; 523 authInfo.mustChangePassword = mustChangePassword; 524 authInfo.authenticationEntry = newAuthenticationEntry; 525 authInfo.authorizationEntry = newAuthorizationEntry; 526 527 authInfo.authenticationType = authenticationType; 528 authInfo.saslMechanism = saslMechanism; 529 530 return authInfo; 531 } 532} 533