Package io.continual.iam.impl

Class MultiSourceDb<I extends Identity,G extends Group>

java.lang.Object

io.continual.iam.impl.MultiSourceDb<I,G>

All Implemented Interfaces:

AccessDb<G>, AccessManager<G>, AclUpdateListener, IamDb<I,G>, IdentityDb<I>, IdentityManager<I>, TagManager, MetricsSupplier, Closeable, AutoCloseable

public class MultiSourceDb<I extends Identity,G extends Group>
extends Object
implements IamDb<I,G>

Field Summary

Fields inherited from interface io.continual.iam.access.AccessDb

kCreateOperation, kDeleteOperation, kReadOperation, kWriteOperation

Constructor Summary

Constructors

Constructor	Description
MultiSourceDb(ServiceContainer sc, org.json.JSONObject rawConfig)

Method Summary

Modifier and Type	Method	Description
void	addAlias(String userId, String alias)	Add a username/alias for this user.
void	addJwtValidator(JwtValidator v)	Add a JWT validator to the identity manager.
void	addUserToGroup(String groupId, String userId)	Add a user to a given group
I	authenticate(ApiKeyCredential akc)	Authenticate with an API key and signature
I	authenticate(JwtCredential jwt)	Authenticate with a JWT token
I	authenticate(UsernamePasswordCredential upc)	Authenticate with a username and password
boolean	canUser(String id, Resource resource, String operation)	Can the given user perform the requested access?
boolean	completePasswordReset(String tag, String newPassword)	Complete a password reset by providing a tag and a new password.
I	createAnonymousUser()	Create a new anonymous user in the identity manager.
G	createGroup(String groupDesc)	Create a group
G	createGroup(String groupId, String groupDesc)	Create a group with a given group ID
String	createJwtToken(Identity ii)	Create a JWT token for the given identity.
String	createTag(String userId, String appTagType, long duration, TimeUnit durationTimeUnit, String nonce)	Create a tag for a given user id with a particular type and duration.
I	createUser(String userId)	Create a new user in the identity manager.
void	deleteUser(String userId)	Delete a user from the identity manager.
List<String>	findUsers(String startingWith)	Find users with a user ID that starts with the given string
AccessControlList	getAclFor(Resource resource)	load an ACL for a resource
Collection<String>	getAliasesFor(String userId)	Get the aliases for a userId.
Collection<String>	getAllGroups()	Get all group IDs in this db.
Collection<String>	getAllUsers()	Get all user IDs in this db.
String	getUserIdForTag(String tag)	Retrieves the userId associated with a tag.
Set<String>	getUsersGroups(String userId)	Find out which groups a user is a member of.
Set<String>	getUsersInGroup(String groupId)	Get the set of user IDs in a particular group.
void	invalidateJwtToken(String jwtToken)	Invalidate the given JWT token
Map<String,I>	loadAllUsers()	Load all users in this identity manager.
ApiKey	loadApiKeyRecord(String apiKey)	Load an API key record based on the API key ID.
G	loadGroup(String id)	Get a group by its identifier.
I	loadUser(String userId)	Load a user from the identity manager.
I	loadUserOrAlias(String userIdOrAlias)	Load a user from the identity manager.
void	onAclUpdate(AccessControlList accessControlList)
void	populateMetrics(MetricsCatalog metrics)
void	removeAlias(String alias)	Remove a username/alias from the database.
void	removeMatchingTag(String userId, String appTagType)	Remove any matching tag for the given user and type.
void	removeUserFromGroup(String groupId, String userId)	Remove a user from a given group
void	restoreApiKey(ApiKey key)	Restore an API key into the API key store
void	sweepExpiredTags()	Sweep any expired tags.
boolean	userExists(String userId)	Find out if a given user exists.
boolean	userOrAliasExists(String userIdOrAlias)	Find out if a given user or alias exists.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface io.continual.iam.IamDb

close, start

Constructor Details

MultiSourceDb

public MultiSourceDb(ServiceContainer sc,
 org.json.JSONObject rawConfig)
              throws Builder.BuildFailure

Throws:

Builder.BuildFailure

Method Details

userExists

public boolean userExists(String userId)
                   throws IamSvcException

Description copied from interface: IdentityDb

Find out if a given user exists.

Specified by:

userExists in interface IdentityDb<I extends Identity>

Parameters:

userId - a user ID

Returns:

true if the user exists in the identity manager.

Throws:

IamSvcException - when the call cannot be completed due to a service error

userOrAliasExists

public boolean userOrAliasExists(String userIdOrAlias)
                          throws IamSvcException

Description copied from interface: IdentityDb

Find out if a given user or alias exists.

Specified by:

userOrAliasExists in interface IdentityDb<I extends Identity>

Parameters:

userIdOrAlias - the user ID or an alias

Returns:

true if the user exists by userId or alias in the identity manager.

Throws:

IamSvcException - when the call cannot be completed due to a service error

loadUser

public I loadUser(String userId)
           throws IamSvcException

Description copied from interface: IdentityDb

Load a user from the identity manager.

Specified by:

loadUser in interface IdentityDb<I extends Identity>

Parameters:

userId - a user ID

Returns:

a user or null if the user doesn't exist

Throws:

IamSvcException - when the call cannot be completed due to a service error

loadUserOrAlias

public I loadUserOrAlias(String userIdOrAlias)
                  throws IamSvcException

Description copied from interface: IdentityDb

Load a user from the identity manager.

Specified by:

loadUserOrAlias in interface IdentityDb<I extends Identity>

Parameters:

userIdOrAlias - the actual userId or an alias

Returns:

a user or null if the user doesn't exist

Throws:

IamSvcException - when the call cannot be completed due to a service error

findUsers

public List<String> findUsers(String startingWith)
                       throws IamSvcException

Description copied from interface: IdentityManager

Find users with a user ID that starts with the given string

Specified by:

findUsers in interface IdentityManager<I extends Identity>

Parameters:

startingWith - a prefix for users

Returns:

a list of 0 or more matching user IDs

Throws:

IamSvcException - when the call cannot be completed due to a service error

createUser

public I createUser(String userId)
             throws IamIdentityExists,
IamSvcException

Description copied from interface: IdentityManager

Create a new user in the identity manager. The username for this user defaults to the userId value provided here.

Specified by:

createUser in interface IdentityManager<I extends Identity>

Parameters:

userId - a user ID

Returns:

the new user

Throws:

IamIdentityExists - if the user exists

IamSvcException - when the call cannot be completed due to a service error

createAnonymousUser

public I createAnonymousUser()
                      throws IamSvcException

Description copied from interface: IdentityManager

Create a new anonymous user in the identity manager.

Specified by:

createAnonymousUser in interface IdentityManager<I extends Identity>

Returns:

a new anonymous user

Throws:

IamSvcException - when the call cannot be completed due to a service error

deleteUser

public void deleteUser(String userId)
                throws IamSvcException

Description copied from interface: IdentityManager

Delete a user from the identity manager.

Specified by:

deleteUser in interface IdentityManager<I extends Identity>

Parameters:

userId - a user ID

Throws:

IamSvcException - when the call cannot be completed due to a service error

addAlias

public void addAlias(String userId,
 String alias)
              throws IamSvcException,
IamBadRequestException

Description copied from interface: IdentityManager

Add a username/alias for this user. Identity DBs should normally support multiple aliases (username, email, mobile phone, etc.). Tracking them beyond being references to an identity record is done at the application level.

Specified by:

addAlias in interface IdentityManager<I extends Identity>

Parameters:

userId - a user ID

alias - an alias

Throws:

IamSvcException - when the call cannot be completed due to a service error

IamBadRequestException - if the request is illegal

removeAlias

public void removeAlias(String alias)
                 throws IamBadRequestException,
IamSvcException

Description copied from interface: IdentityManager

Remove a username/alias from the database. A userId may not be removed (disable the user instead).

Specified by:

removeAlias in interface IdentityManager<I extends Identity>

Parameters:

alias - an alias

Throws:

IamBadRequestException - If a userId is provided.

IamSvcException - when the call cannot be completed due to a service error

getAliasesFor

public Collection<String> getAliasesFor(String userId)
                                 throws IamSvcException,
IamIdentityDoesNotExist

Description copied from interface: IdentityManager

Get the aliases for a userId. The result must be non-null but may be empty. The userId is not included in the list.

Specified by:

getAliasesFor in interface IdentityManager<I extends Identity>

Parameters:

userId - a user ID

Returns:

a collection of 0 or more aliases for a userId

Throws:

IamSvcException - when the call cannot be completed due to a service error

IamIdentityDoesNotExist - if the identity does not exist

completePasswordReset

public boolean completePasswordReset(String tag,
 String newPassword)
                              throws IamSvcException

Description copied from interface: IdentityManager

Complete a password reset by providing a tag and a new password. The update will fail if the tag is unknown or has expired. See requestPasswordReset for details on creating a password reset tag.

Specified by:

completePasswordReset in interface IdentityManager<I extends Identity>

Parameters:

tag - a tag

newPassword - a new password

Returns:

true if the password was updated successfully.

Throws:

IamSvcException - when the call cannot be completed due to a service error

loadApiKeyRecord

public ApiKey loadApiKeyRecord(String apiKey)
                        throws IamSvcException

Description copied from interface: IdentityManager

Load an API key record based on the API key ID.

Specified by:

loadApiKeyRecord in interface IdentityManager<I extends Identity>

Parameters:

apiKey - an API key

Returns:

an API key or null if it doesn't exist

Throws:

IamSvcException - when the call cannot be completed due to a service error

restoreApiKey

public void restoreApiKey(ApiKey key)
                   throws IamIdentityDoesNotExist,
IamBadRequestException,
IamSvcException

Description copied from interface: IdentityManager

Restore an API key into the API key store

Specified by:

restoreApiKey in interface IdentityManager<I extends Identity>

Parameters:

key -

Throws:

IamIdentityDoesNotExist

IamBadRequestException

IamSvcException

addJwtValidator

public void addJwtValidator(JwtValidator v)

Description copied from interface: IdentityManager

Add a JWT validator to the identity manager.

Specified by:

addJwtValidator in interface IdentityManager<I extends Identity>

Parameters:

v - a validator

getAllUsers

public Collection<String> getAllUsers()
                               throws IamSvcException

Description copied from interface: IdentityManager

Get all user IDs in this db. Clearly not suitable for systems beyond a few thousand users. For larger scale, this call may throw an IamSvcException signaling that the underlying database won't return a user list.

Specified by:

getAllUsers in interface IdentityManager<I extends Identity>

Returns:

a collection of user Ids

Throws:

IamSvcException - when the call cannot be completed due to a service error

loadAllUsers

public Map<String,I> loadAllUsers()
                           throws IamSvcException

Description copied from interface: IdentityManager

Load all users in this identity manager. Clearly not suitable for systems beyond a few thousand users. For larger scale, this call may throw an IamSvcException signaling that the underlying database won't return a user list.

Specified by:

loadAllUsers in interface IdentityManager<I extends Identity>

Returns:

a map of user ID to identity

Throws:

IamSvcException - when the call cannot be completed due to a service error

authenticate

public I authenticate(UsernamePasswordCredential upc)
               throws IamSvcException

Description copied from interface: IdentityDb

Authenticate with a username and password

Specified by:

authenticate in interface IdentityDb<I extends Identity>

Parameters:

upc - the username/password credential

Returns:

an authenticated identity or null

Throws:

IamSvcException - when the call cannot be completed due to a service error

authenticate

public I authenticate(ApiKeyCredential akc)
               throws IamSvcException

Description copied from interface: IdentityDb

Authenticate with an API key and signature

Specified by:

authenticate in interface IdentityDb<I extends Identity>

Parameters:

akc - the API key credential

Returns:

an authenticated identity or null

Throws:

IamSvcException - when the call cannot be completed due to a service error

authenticate

public I authenticate(JwtCredential jwt)
               throws IamSvcException

Description copied from interface: IdentityDb

Authenticate with a JWT token

Specified by:

authenticate in interface IdentityDb<I extends Identity>

Parameters:

jwt - the JWT credential

Returns:

an authenticated identity or null

Throws:

IamSvcException - when the call cannot be completed due to a service error

createJwtToken

public String createJwtToken(Identity ii)
                      throws IamSvcException

Description copied from interface: IdentityDb

Create a JWT token for the given identity.

Specified by:

createJwtToken in interface IdentityDb<I extends Identity>

Parameters:

ii - an identity

Returns:

a JWT token

Throws:

IamSvcException - when the call cannot be completed due to a service error

invalidateJwtToken

public void invalidateJwtToken(String jwtToken)
                        throws IamSvcException

Description copied from interface: IdentityDb

Invalidate the given JWT token

Specified by:

invalidateJwtToken in interface IdentityDb<I extends Identity>

Parameters:

jwtToken - a JWT token

Throws:

IamSvcException - when the call cannot be completed due to a service error

createGroup

public G createGroup(String groupDesc)
              throws IamGroupExists,
IamSvcException

Description copied from interface: AccessManager

Create a group

Specified by:

createGroup in interface AccessManager<I extends Identity>

Parameters:

groupDesc - the group description

Returns:

a new group with the given description

Throws:

IamGroupExists - if the group already exists

IamSvcException - when the call cannot be completed due to a service error

createGroup

public G createGroup(String groupId,
 String groupDesc)
              throws IamGroupExists,
IamSvcException

Description copied from interface: AccessManager

Create a group with a given group ID

Specified by:

createGroup in interface AccessManager<I extends Identity>

Parameters:

groupId - a group ID

groupDesc - a group description

Returns:

a new group with the given id and description

Throws:

IamGroupExists - if the group already exists

IamSvcException - when the call cannot be completed due to a service error

addUserToGroup

public void addUserToGroup(String groupId,
 String userId)
                    throws IamSvcException,
IamIdentityDoesNotExist,
IamGroupDoesNotExist

Description copied from interface: AccessManager

Add a user to a given group

Specified by:

addUserToGroup in interface AccessManager<I extends Identity>

Parameters:

groupId - a group ID

userId - a user ID

Throws:

IamSvcException - when the call cannot be completed due to a service error

IamIdentityDoesNotExist - when the identity doesn't exist

IamGroupDoesNotExist - if the group does not exist

removeUserFromGroup

public void removeUserFromGroup(String groupId,
 String userId)
                         throws IamSvcException,
IamIdentityDoesNotExist,
IamGroupDoesNotExist

Description copied from interface: AccessManager

Remove a user from a given group

Specified by:

removeUserFromGroup in interface AccessManager<I extends Identity>

Parameters:

groupId - a group ID

userId - a user ID

Throws:

IamSvcException - when the call cannot be completed due to a service error

IamIdentityDoesNotExist - when the identity doesn't exist

IamGroupDoesNotExist - if the group does not exist

getUsersGroups

public Set<String> getUsersGroups(String userId)
                           throws IamSvcException,
IamIdentityDoesNotExist

Description copied from interface: AccessManager

Find out which groups a user is a member of.

Specified by:

getUsersGroups in interface AccessManager<I extends Identity>

Parameters:

userId - a user ID

Returns:

a set of 0 or more group IDs

Throws:

IamSvcException - when the call cannot be completed due to a service error

IamIdentityDoesNotExist - when the identity doesn't exist

getUsersInGroup

public Set<String> getUsersInGroup(String groupId)
                            throws IamSvcException,
IamGroupDoesNotExist

Description copied from interface: AccessManager

Get the set of user IDs in a particular group.

Specified by:

getUsersInGroup in interface AccessManager<I extends Identity>

Parameters:

groupId - a group ID

Returns:

a set of 0 or more user IDs

Throws:

IamSvcException - when the call cannot be completed due to a service error

IamGroupDoesNotExist - when the identity doesn't exist

getAllGroups

public Collection<String> getAllGroups()
                                throws IamSvcException

Description copied from interface: AccessManager

Get all group IDs in this db. Clearly not suitable for systems beyond a few thousand groups. For larger scale, this call may throw an IamSvcException signaling that the underlying database won't return a group list.

Specified by:

getAllGroups in interface AccessManager<I extends Identity>

Returns:

a collection of group Ids

Throws:

IamSvcException - when the call cannot be completed due to a service error

loadGroup

public G loadGroup(String id)
            throws IamSvcException

Description copied from interface: AccessDb

Get a group by its identifier.

Specified by:

loadGroup in interface AccessDb<I extends Identity>

Parameters:

id - the group's ID

Returns:

a group, or null if it does not exist

Throws:

IamSvcException - if there's a problem in the IAM service

getAclFor

public AccessControlList getAclFor(Resource resource)
                            throws IamSvcException

Description copied from interface: AccessDb

load an ACL for a resource

Specified by:

getAclFor in interface AccessDb<I extends Identity>

Parameters:

resource - the resource for which you want the ACL

Returns:

an ACL, or null if there is none

Throws:

IamSvcException - if there's a problem in the IAM service

canUser

public boolean canUser(String id,
 Resource resource,
 String operation)
                throws IamSvcException

Description copied from interface: AccessDb

Can the given user perform the requested access?

Specified by:

canUser in interface AccessDb<I extends Identity>

Parameters:

id - the identity/subject making the request

resource - the resource on which access is requested

operation - the operation

Returns:

true if the user is allowed to perform the operation, false otherwise

Throws:

IamSvcException - if there's a problem in the IAM service

createTag

public String createTag(String userId,
 String appTagType,
 long duration,
 TimeUnit durationTimeUnit,
 String nonce)
                 throws IamSvcException

Description copied from interface: TagManager

Create a tag for a given user id with a particular type and duration. If a tag for the same user with the same type exists, it's replaced with the new tag.

Specified by:

createTag in interface TagManager

Parameters:

userId - a user ID

appTagType - a tag type

duration - the length of time the tag should exist

durationTimeUnit - the time unit for the duration

nonce - used to seed random number generator

Returns:

a tag

Throws:

IamSvcException - if there's a problem in the IAM service

getUserIdForTag

public String getUserIdForTag(String tag)
                       throws IamSvcException

Description copied from interface: TagManager

Retrieves the userId associated with a tag. If the tag has expired, null is returned.

Specified by:

getUserIdForTag in interface TagManager

Parameters:

tag - a tag generated by createTag

Returns:

a user ID or null if no entry exists (or an entry existed but expired)

Throws:

IamSvcException - if there's a problem in the IAM service

removeMatchingTag

public void removeMatchingTag(String userId,
 String appTagType)
                       throws IamSvcException

Description copied from interface: TagManager

Remove any matching tag for the given user and type.

Specified by:

removeMatchingTag in interface TagManager

Parameters:

userId - a user ID

appTagType - a tag type

Throws:

IamSvcException - if there's a problem in the IAM service

sweepExpiredTags

public void sweepExpiredTags()
                      throws IamSvcException

Description copied from interface: TagManager

Sweep any expired tags. The tag manager implementation may not actually require this operation. In that case, make it a no-op.

Specified by:

sweepExpiredTags in interface TagManager

Throws:

IamSvcException - if there's a problem in the IAM service

onAclUpdate

public void onAclUpdate(AccessControlList accessControlList)

Specified by:

onAclUpdate in interface AclUpdateListener

populateMetrics

public void populateMetrics(MetricsCatalog metrics)

Specified by:

populateMetrics in interface MetricsSupplier