/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.tinkerpop.gremlin.server.auth;
import org.apache.tinkerpop.gremlin.driver.message.RequestMessage;
import org.apache.tinkerpop.gremlin.driver.message.ResponseMessage;
import org.apache.tinkerpop.gremlin.driver.message.ResponseStatusCode;
import org.apache.tinkerpop.gremlin.server.Channelizer;
import java.net.InetAddress;
import java.util.Map;
/**
* Provides methods related to authentication of a request. Implementations should provide a SASL based
* authentication method, but a handler can choose to use the {@link #authenticate(Map)} method directly if
* required for protocols that don't easily support SASL.
*
* @author Stephen Mallette (http://stephen.genoprime.com)
*/
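public interface Authenticator {

    /**
     * Whether or not the authenticator requires explicit login.
     * <p>
     * When this returns {@code false} the server does not run any negotiation and associates
     * {@code AuthenticatedUser.ANONYMOUS_USER} with the connection. Implementations that return
     * {@code false} are therefore granting every connection unauthenticated access; this should be a
     * deliberate configuration decision, not a fallback for a missing or failed {@link #setup(Map)}.
     *
     * @return {@code true} if clients must authenticate before the connection can be used; {@code false}
     *         if every connection is treated as the anonymous user
     */
    boolean requireAuthentication();

    /**
     * Initializes the {@code Authenticator}. Called once at server startup, before any connection is
     * accepted.
     * <p>
     * Implementations should validate their configuration here and fail fast (throw) when a required
     * setting is missing or unusable, rather than starting in a degraded state that silently accepts or
     * rejects everything.
     *
     * @param config implementation-specific settings taken from the server configuration; the keys and
     *               value types are defined by the implementation
     */
    void setup(final Map<String,Object> config);

    /**
     * Provides a SASL handler to perform authentication for a single connection. SASL is a stateful
     * protocol, so a new instance must be returned on every call and never shared between connections or
     * reused for a second authentication attempt on the same connection.
     *
     * @param remoteAddress the IP address of the client to authenticate, or {@code null} if an internal
     *                      client (one not connected over the remote transport)
     * @return a fresh negotiator dedicated to this authentication attempt
     */
    SaslNegotiator newSaslNegotiator(final InetAddress remoteAddress);

    /**
     * A "standard" authentication implementation that can be used more generically without SASL support.
     * This method is used when a particular {@link Channelizer} doesn't support SASL directly (like basic
     * HTTP authentication).
     * <p>
     * The credential map typically carries secrets (a password or token). Implementations should not log
     * it, include it in exception messages, or retain it longer than the check itself requires. Failure
     * should be signalled by throwing {@link AuthenticationException}, never by returning {@code null},
     * and the exception message should preferably not reveal whether the user exists versus the secret
     * being wrong.
     *
     * @param credentials the credentials presented by the client; keys and their meaning are defined by
     *                    the implementation
     * @return the authenticated subject; never {@code null}
     * @throws AuthenticationException if the credentials are missing, malformed or rejected
     */
    AuthenticatedUser authenticate(final Map<String, String> credentials) throws AuthenticationException;

    /**
     * Performs the actual SASL negotiation for a single authentication attempt. SASL is stateful, so a new
     * instance should be used for each attempt; an instance must not be reused once {@link #isComplete()}
     * has returned {@code true} or once {@link #evaluateResponse(byte[])} has thrown.
     * <p>
     * Non-trivial implementations may delegate to an instance of {@link javax.security.sasl.SaslServer}.
     */
    interface SaslNegotiator {

        /**
         * Evaluates the client response data and generates a {@code byte[]} reply which may be a further
         * challenge or purely informational in the case that the negotiation is completed on this round.
         * <p>
         * This method is called each time a {@link RequestMessage} with an "op" code of "authenticate" is
         * received from a client. After it is called, {@link #isComplete()} is checked to determine whether
         * the negotiation has finished. If so, an {@link AuthenticatedUser} is obtained by calling
         * {@link #getAuthenticatedUser()} and that user is associated with the active connection. If the
         * negotiation is not yet complete, the {@code byte[]} is returned to the client as a further
         * challenge in a {@link ResponseMessage} with {@link ResponseStatusCode#AUTHENTICATE}. This
         * continues until the negotiation does complete or an error is encountered.
         * <p>
         * The response bytes come straight from the client and must be treated as untrusted: implementations
         * should bound what they accept and must not derive authentication state from them before the
         * mechanism has verified them.
         *
         * @param clientResponse the raw bytes sent by the client for this round of the exchange
         * @return the challenge (or final informational data) to send back to the client
         * @throws AuthenticationException if the response is invalid or the mechanism rejects the client
         */
        byte[] evaluateResponse(final byte[] clientResponse) throws AuthenticationException;

        /**
         * Called after each invocation of {@link #evaluateResponse(byte[])} to determine whether the
         * authentication has completed successfully or should be continued.
         *
         * @return {@code true} if the authentication exchange has completed; {@code false} otherwise
         */
        boolean isComplete();

        /**
         * Following a successful negotiation, gets the {@link AuthenticatedUser} representing the logged in
         * subject. This method should only be called if {@link #isComplete()} returns {@code true}.
         * <p>
         * Must never return {@code null}; a failed or unfinished negotiation is reported by throwing
         * {@link AuthenticationException} so that the caller cannot mistake the absence of a user for a
         * successful login. Returning {@code AuthenticatedUser.ANONYMOUS_USER} is an option only when
         * authentication is not required.
         *
         * @return the authenticated subject; never {@code null}
         * @throws AuthenticationException if the negotiation did not succeed or has not completed
         */
        AuthenticatedUser getAuthenticatedUser() throws AuthenticationException;
    }
}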