Authenticator.java example

Explorer
tinkerpop-master
/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */
package org.apache.tinkerpop.gremlin.server.auth;

import org.apache.tinkerpop.gremlin.driver.message.RequestMessage;
import org.apache.tinkerpop.gremlin.driver.message.ResponseMessage;
import org.apache.tinkerpop.gremlin.driver.message.ResponseStatusCode;
import org.apache.tinkerpop.gremlin.server.Channelizer;

import java.net.InetAddress;
import java.util.Map;

/**
 * Provides methods related to authentication of a request.  Implementations should provide a SASL based
 * authentication method, but a handler can choose to use the {@link #authenticate(Map)} method directly if
 * required for protocols that don't easily support SASL.
 *
 * @author Stephen Mallette (http://stephen.genoprime.com)
 */
public interface Authenticator {
    /**
     * Whether or not the authenticator requires explicit login.
     * If false will instantiate user with AuthenticatedUser.ANONYMOUS_USER.
     */
    public boolean requireAuthentication();

    /**
     * Setup is called once upon system startup to initialize the {@code Authenticator}.
     */
    public void setup(final Map<String,Object> config);

    /**
     * Provide a SASL handler to perform authentication for an single connection. SASL is a stateful protocol, so
     * a new instance must be used for each authentication attempt.
     *
     * @param remoteAddress the IP address of the client to authenticate to authenticate or null if an internal
     *                      client (one not connected over the remote transport).
     */
    public SaslNegotiator newSaslNegotiator(final InetAddress remoteAddress);

    /**
     * A "standard" authentication implementation that can be used more generically without SASL support.  This
     * implementation is used when a particular {@link Channelizer} doesn't support SASL directly (like basic
     * HTTP authentication).
     */
    public AuthenticatedUser authenticate(final Map<String, String> credentials) throws AuthenticationException;

    /**
     * Performs the actual SASL negotiation for a single authentication attempt.
     * SASL is stateful, so a new instance should be used for each attempt.
     * Non-trivial implementations may delegate to an instance of {@link javax.security.sasl.SaslServer}
     */
    public interface SaslNegotiator
    {
        /**
         * Evaluates the client response data and generates a byte[] reply which may be a further challenge or purely
         * informational in the case that the negotiation is completed on this round.
         *
         * This method is called each time a {@link RequestMessage} with an "op" code of "authenticate" is received
         * from a client. After it is called, {@link #isComplete()} is checked to determine whether the negotiation has
         * finished. If so, an {@link AuthenticatedUser} is obtained by calling {@link #getAuthenticatedUser()} and
         * that user associated with the active connection. If the negotiation is not yet complete,
         * the byte[] is returned to the client as a further challenge in an
         * {@link ResponseMessage} with {@link ResponseStatusCode#AUTHENTICATE}. This continues until the negotiation
         * does complete or an error is encountered.
         */
        public byte[] evaluateResponse(final byte[] clientResponse) throws AuthenticationException;

        /**
         * Called after each invocation of {@link #evaluateResponse(byte[])} to determine whether the  authentication has
         * completed successfully or should be continued.
         *
         * @return true if the authentication exchange has completed; false otherwise.
         */
        public boolean isComplete();

        /**
         * Following a successful negotiation, get the AuthenticatedUser representing the logged in subject.
         * This method should only be called if {@link #isComplete()} returns true.
         * Should never return null - always throw AuthenticationException instead.
         * Returning AuthenticatedUser.ANONYMOUS_USER is an option if authentication is not required.
         */
        public AuthenticatedUser getAuthenticatedUser() throws AuthenticationException;
    }
}