001/*
002 * Copyright 2016-2021 Ping Identity Corporation
003 * All Rights Reserved.
004 */
005/*
006 * Copyright 2016-2021 Ping Identity Corporation
007 *
008 * Licensed under the Apache License, Version 2.0 (the "License");
009 * you may not use this file except in compliance with the License.
010 * You may obtain a copy of the License at
011 *
012 *    http://www.apache.org/licenses/LICENSE-2.0
013 *
014 * Unless required by applicable law or agreed to in writing, software
015 * distributed under the License is distributed on an "AS IS" BASIS,
016 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
017 * See the License for the specific language governing permissions and
018 * limitations under the License.
019 */
020/*
021 * Copyright (C) 2016-2021 Ping Identity Corporation
022 *
023 * This program is free software; you can redistribute it and/or modify
024 * it under the terms of the GNU General Public License (GPLv2 only)
025 * or the terms of the GNU Lesser General Public License (LGPLv2.1 only)
026 * as published by the Free Software Foundation.
027 *
028 * This program is distributed in the hope that it will be useful,
029 * but WITHOUT ANY WARRANTY; without even the implied warranty of
030 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
031 * GNU General Public License for more details.
032 *
033 * You should have received a copy of the GNU General Public License
034 * along with this program; if not, see <http://www.gnu.org/licenses>.
035 */
036package com.unboundid.ldap.sdk.unboundidds.extensions;
037
038
039
040import java.util.ArrayList;
041
042import com.unboundid.asn1.ASN1Element;
043import com.unboundid.asn1.ASN1OctetString;
044import com.unboundid.asn1.ASN1Sequence;
045import com.unboundid.ldap.sdk.Control;
046import com.unboundid.ldap.sdk.ExtendedRequest;
047import com.unboundid.ldap.sdk.LDAPException;
048import com.unboundid.ldap.sdk.ResultCode;
049import com.unboundid.util.Debug;
050import com.unboundid.util.NotMutable;
051import com.unboundid.util.NotNull;
052import com.unboundid.util.Nullable;
053import com.unboundid.util.StaticUtils;
054import com.unboundid.util.ThreadSafety;
055import com.unboundid.util.ThreadSafetyLevel;
056
057import static com.unboundid.ldap.sdk.unboundidds.extensions.ExtOpMessages.*;
058
059
060
061/**
062 * This class provides an implementation of an extended request that may be used
063 * to deregister a YubiKey OTP device with the Directory Server so that it may
064 * no longer used to authenticate using the UNBOUNDID-YUBIKEY-OTP SASL
065 * mechanism.
066 * <BR>
067 * <BLOCKQUOTE>
068 *   <B>NOTE:</B>  This class, and other classes within the
069 *   {@code com.unboundid.ldap.sdk.unboundidds} package structure, are only
070 *   supported for use against Ping Identity, UnboundID, and
071 *   Nokia/Alcatel-Lucent 8661 server products.  These classes provide support
072 *   for proprietary functionality or for external specifications that are not
073 *   considered stable or mature enough to be guaranteed to work in an
074 *   interoperable way with other types of LDAP servers.
075 * </BLOCKQUOTE>
076 * <BR>
077 * This extended request has an OID of 1.3.6.1.4.1.30221.2.6.55, and it must
078 * include a request value with the following encoding:
079 * <BR><BR>
080 * <PRE>
081 *   DeregisterYubiKeyOTPDeviceRequest ::= SEQUENCE {
082 *        authenticationID     [0] OCTET STRING OPTIONAL,
083 *        staticPassword       [1] OCTET STRING OPTIONAL,
084 *        yubiKeyOTP           [2] OCTET STRING OPTIONAL,
085 *        ... }
086 * </PRE>
087 *
088 *
089 * @see  RegisterYubiKeyOTPDeviceExtendedRequest
090 * @see  com.unboundid.ldap.sdk.unboundidds.UnboundIDYubiKeyOTPBindRequest
091 * @see  com.unboundid.ldap.sdk.unboundidds.RegisterYubiKeyOTPDevice
092 */
093@NotMutable()
094@ThreadSafety(level=ThreadSafetyLevel.COMPLETELY_THREADSAFE)
095public final class DeregisterYubiKeyOTPDeviceExtendedRequest
096       extends ExtendedRequest
097{
098  /**
099   * The OID (1.3.6.1.4.1.30221.2.6.55) for the deregister YubiKey OTP device
100   * extended request.
101   */
102  @NotNull public static final String
103       DEREGISTER_YUBIKEY_OTP_DEVICE_REQUEST_OID =
104            "1.3.6.1.4.1.30221.2.6.55";
105
106
107
108  /**
109   * The BER type for the authentication ID element of the request value
110   * sequence.
111   */
112  private static final byte TYPE_AUTHENTICATION_ID = (byte) 0x80;
113
114
115
116  /**
117   * The BER type for the static password element of the request value sequence.
118   */
119  private static final byte TYPE_STATIC_PASSWORD = (byte) 0x81;
120
121
122
123  /**
124   * The BER type for the YubiKey OTP element of the request value sequence.
125   */
126  private static final byte TYPE_YUBIKEY_OTP = (byte) 0x82;
127
128
129
130  /**
131   * The serial version UID for this serializable class.
132   */
133  private static final long serialVersionUID = -4029230013825076585L;
134
135
136
137  // The static password for the request.
138  @Nullable private final ASN1OctetString staticPassword;
139
140  // The authentication ID for the request.
141  @Nullable private final String authenticationID;
142
143  // The YubiKey OTP for the request.
144  @Nullable private final String yubiKeyOTP;
145
146
147
148  /**
149   * Creates a new deregister YubiKey OTP device extended request with the
150   * provided information.
151   *
152   * @param  authenticationID  The authentication ID that identifies the user
153   *                           for whom the YubiKey OTP device is to be
154   *                           deregistered.  It may be {@code null} if the
155   *                           device is to be deregistered for the user as whom
156   *                           the underlying connection is authenticated.
157   * @param  yubiKeyOTP        An optional one-time password generated by the
158   *                           YubiKey device to be deregistered.  If this is
159   *                           {@code null}, then all YubiKey OTP devices
160   *                           associated with the target user will be
161   *                           deregistered.  If it is non-{@code null}, then
162   *                           only the YubiKey device used to generate the OTP
163   *                           will be deregistered.
164   * @param  controls          The set of controls to include in the request.
165   *                           It may be {@code null} or empty if there should
166   *                           not be any request controls.
167   */
168  public DeregisterYubiKeyOTPDeviceExtendedRequest(
169              @Nullable final String authenticationID,
170              @Nullable final String yubiKeyOTP,
171              @Nullable final Control... controls)
172  {
173    this(authenticationID, (ASN1OctetString) null, yubiKeyOTP, controls);
174  }
175
176
177
178  /**
179   * Creates a new deregister YubiKey OTP device extended request with the
180   * provided information.
181   *
182   * @param  authenticationID  The authentication ID that identifies the user
183   *                           for whom the YubiKey OTP device is to be
184   *                           deregistered.  It may be {@code null} if the
185   *                           device is to be deregistered for the user as whom
186   *                           the underlying connection is authenticated.
187   * @param  staticPassword    The static password of the user for whom the
188   *                           device is to be deregistered.  It may be
189   *                           {@code null} if the server is configured to not
190   *                           require a static password when deregistering one
191   *                           or more devices.
192   * @param  yubiKeyOTP        An optional one-time password generated by the
193   *                           YubiKey device to be deregistered.  If this is
194   *                           {@code null}, then all YubiKey OTP devices
195   *                           associated with the target user will be
196   *                           deregistered.  If it is non-{@code null}, then
197   *                           only the YubiKey device used to generate the OTP
198   *                           will be deregistered.
199   * @param  controls          The set of controls to include in the request.
200   *                           It may be {@code null} or empty if there should
201   *                           not be any request controls.
202   */
203  public DeregisterYubiKeyOTPDeviceExtendedRequest(
204              @Nullable final String authenticationID,
205              @Nullable final String staticPassword,
206              @Nullable final String yubiKeyOTP,
207              @Nullable final Control... controls)
208  {
209    this(authenticationID,
210         RegisterYubiKeyOTPDeviceExtendedRequest.encodePassword(staticPassword),
211         yubiKeyOTP, controls);
212  }
213
214
215
216  /**
217   * Creates a new deregister YubiKey OTP device extended request with the
218   * provided information.
219   *
220   * @param  authenticationID  The authentication ID that identifies the user
221   *                           for whom the YubiKey OTP device is to be
222   *                           deregistered.  It may be {@code null} if the
223   *                           device is to be deregistered for the user as whom
224   *                           the underlying connection is authenticated.
225   * @param  staticPassword    The static password of the user for whom the
226   *                           device is to be deregistered.  It may be
227   *                           {@code null} if the server is configured to not
228   *                           require a static password when deregistering one
229   *                           or more devices.
230   * @param  yubiKeyOTP        An optional one-time password generated by the
231   *                           YubiKey device to be deregistered.  If this is
232   *                           {@code null}, then all YubiKey OTP devices
233   *                           associated with the target user will be
234   *                           deregistered.  If it is non-{@code null}, then
235   *                           only the YubiKey device used to generate the OTP
236   *                           will be deregistered.
237   * @param  controls          The set of controls to include in the request.
238   *                           It may be {@code null} or empty if there should
239   *                           not be any request controls.
240   */
241  public DeregisterYubiKeyOTPDeviceExtendedRequest(
242              @Nullable final String authenticationID,
243              @Nullable final byte[] staticPassword,
244              @Nullable final String yubiKeyOTP,
245              @Nullable final Control... controls)
246  {
247    this(authenticationID,
248         RegisterYubiKeyOTPDeviceExtendedRequest.encodePassword(staticPassword),
249         yubiKeyOTP, controls);
250  }
251
252
253
254  /**
255   * Creates a new deregister YubiKey OTP device extended request with the
256   * provided information.
257   *
258   * @param  authenticationID  The authentication ID that identifies the user
259   *                           for whom the YubiKey OTP device is to be
260   *                           deregistered.  It may be {@code null} if the
261   *                           device is to be deregistered for the user as whom
262   *                           the underlying connection is authenticated.
263   * @param  staticPassword    The static password of the user for whom the
264   *                           device is to be deregistered.  It may be
265   *                           {@code null} if the server is configured to not
266   *                           require a static password when deregistering one
267   *                           or more devices.
268   * @param  yubiKeyOTP        An optional one-time password generated by the
269   *                           YubiKey device to be deregistered.  If this is
270   *                           {@code null}, then all YubiKey OTP devices
271   *                           associated with the target user will be
272   *                           deregistered.  If it is non-{@code null}, then
273   *                           only the YubiKey device used to generate the OTP
274   *                           will be deregistered.
275   * @param  controls          The set of controls to include in the request.
276   *                           It may be {@code null} or empty if there should
277   *                           not be any request controls.
278   */
279  private DeregisterYubiKeyOTPDeviceExtendedRequest(
280               @Nullable final String authenticationID,
281               @Nullable final ASN1OctetString staticPassword,
282               @Nullable final String yubiKeyOTP,
283               @Nullable final Control... controls)
284  {
285    super(DEREGISTER_YUBIKEY_OTP_DEVICE_REQUEST_OID,
286         encodeValue(authenticationID, staticPassword, yubiKeyOTP), controls);
287
288    this.authenticationID = authenticationID;
289    this.staticPassword   = staticPassword;
290    this.yubiKeyOTP       = yubiKeyOTP;
291  }
292
293
294
295  /**
296   * Creates a new deregister YubiKey OTP device extended request that is
297   * decoded from the provided generic extended request.
298   *
299   * @param  request  The generic extended request to decode as a deregister
300   *                  YubiKey OTP device request.
301   *
302   * @throws  LDAPException  If a problem is encountered while attempting to
303   *                         decode the provided request.
304   */
305  public DeregisterYubiKeyOTPDeviceExtendedRequest(
306              @NotNull final ExtendedRequest request)
307         throws LDAPException
308  {
309    super(request);
310
311    final ASN1OctetString value = request.getValue();
312    if (value == null)
313    {
314      throw new LDAPException(ResultCode.DECODING_ERROR,
315           ERR_DEREGISTER_YUBIKEY_OTP_REQUEST_NO_VALUE.get());
316    }
317
318    try
319    {
320      String authID = null;
321      ASN1OctetString staticPW = null;
322      String otp = null;
323      for (final ASN1Element e :
324           ASN1Sequence.decodeAsSequence(value.getValue()).elements())
325      {
326        switch (e.getType())
327        {
328          case TYPE_AUTHENTICATION_ID:
329            authID = ASN1OctetString.decodeAsOctetString(e).stringValue();
330            break;
331          case TYPE_STATIC_PASSWORD:
332            staticPW = ASN1OctetString.decodeAsOctetString(e);
333            break;
334          case TYPE_YUBIKEY_OTP:
335            otp = ASN1OctetString.decodeAsOctetString(e).stringValue();
336            break;
337          default:
338            throw new LDAPException(ResultCode.DECODING_ERROR,
339                 ERR_DEREGISTER_YUBIKEY_OTP_REQUEST_UNRECOGNIZED_TYPE.get(
340                      StaticUtils.toHex(e.getType())));
341        }
342      }
343
344      authenticationID = authID;
345      staticPassword   = staticPW;
346      yubiKeyOTP       = otp;
347    }
348    catch (final LDAPException le)
349    {
350      Debug.debugException(le);
351      throw le;
352    }
353    catch (final Exception e)
354    {
355      Debug.debugException(e);
356      throw new LDAPException(ResultCode.DECODING_ERROR,
357           ERR_DEREGISTER_YUBIKEY_OTP_REQUEST_ERROR_DECODING_VALUE.get(
358                StaticUtils.getExceptionMessage(e)),
359           e);
360    }
361  }
362
363
364
365  /**
366   * Encodes the provided information into an ASN.1 octet string suitable for
367   * use as the value of this extended request.
368   *
369   * @param  authenticationID  The authentication ID that identifies the user
370   *                           for whom the YubiKey OTP device is to be
371   *                           deregistered.  It may be {@code null} if the
372   *                           device is to be deregistered for the user as whom
373   *                           the underlying connection is authenticated.
374   * @param  staticPassword    The static password of the user for whom the
375   *                           device is to be deregistered.  It may be
376   *                           {@code null} if the server is configured to not
377   *                           require a static password when deregistering one
378   *                           or more devices.
379   * @param  yubiKeyOTP        An optional one-time password generated by the
380   *                           YubiKey device to be deregistered.  If this is
381   *                           {@code null}, then all YubiKey OTP devices
382   *                           associated with the target user will be
383   *                           deregistered.  If it is non-{@code null}, then
384   *                           only the YubiKey device used to generate the OTP
385   *                           will be deregistered.
386   *
387   * @return  The ASN.1 octet string containing the encoded request value.
388   */
389  @NotNull()
390  private static ASN1OctetString encodeValue(
391               @Nullable final String authenticationID,
392               @Nullable final ASN1OctetString staticPassword,
393               @Nullable final String yubiKeyOTP)
394  {
395    final ArrayList<ASN1Element> elements = new ArrayList<>(3);
396
397    if (authenticationID != null)
398    {
399      elements.add(
400           new ASN1OctetString(TYPE_AUTHENTICATION_ID, authenticationID));
401    }
402
403    if (staticPassword != null)
404    {
405      elements.add(staticPassword);
406    }
407
408    if (yubiKeyOTP != null)
409    {
410      elements.add(new ASN1OctetString(TYPE_YUBIKEY_OTP, yubiKeyOTP));
411    }
412
413    return new ASN1OctetString(new ASN1Sequence(elements).encode());
414  }
415
416
417
418  /**
419   * Retrieves the authentication ID that identifies the user from whom the
420   * YubiKey OTP device is to be deregistered, if provided.
421   *
422   * @return  The authentication ID that identifies the target user, or
423   *          {@code null} if the device is to be deregistered for the user as
424   *          whom the underlying connection is authenticated.
425   */
426  @Nullable()
427  public String getAuthenticationID()
428  {
429    return authenticationID;
430  }
431
432
433
434  /**
435   * Retrieves the string representation of the static password for the target
436   * user, if provided.
437   *
438   * @return  The string representation of the static password for the target
439   *          user, or {@code null} if no static password was provided.
440   */
441  @Nullable()
442  public String getStaticPasswordString()
443  {
444    if (staticPassword == null)
445    {
446      return null;
447    }
448    else
449    {
450      return staticPassword.stringValue();
451    }
452  }
453
454
455
456  /**
457   * Retrieves the bytes that comprise the static password for the target user,
458   * if provided.
459   *
460   * @return  The bytes that comprise the static password for the target user,
461   *          or {@code null} if no static password was provided.
462   */
463  @Nullable()
464  public byte[] getStaticPasswordBytes()
465  {
466    if (staticPassword == null)
467    {
468      return null;
469    }
470    else
471    {
472      return staticPassword.getValue();
473    }
474  }
475
476
477
478  /**
479   * Retrieves a one-time password generated by the YubiKey device to be
480   * deregistered, if provided.
481   *
482   * @return  A one-time password generated by the YubiKey device to be
483   *          deregistered, or {@code null} if all devices associated with the
484   *          target user should be deregistered.
485   */
486  @Nullable()
487  public String getYubiKeyOTP()
488  {
489    return yubiKeyOTP;
490  }
491
492
493
494  /**
495   * {@inheritDoc}
496   */
497  @Override()
498  @NotNull()
499  public DeregisterYubiKeyOTPDeviceExtendedRequest duplicate()
500  {
501    return duplicate(getControls());
502  }
503
504
505
506  /**
507   * {@inheritDoc}
508   */
509  @Override()
510  @NotNull()
511  public DeregisterYubiKeyOTPDeviceExtendedRequest duplicate(
512              @Nullable final Control[] controls)
513  {
514    final DeregisterYubiKeyOTPDeviceExtendedRequest r =
515         new DeregisterYubiKeyOTPDeviceExtendedRequest(authenticationID,
516              staticPassword, yubiKeyOTP, controls);
517    r.setResponseTimeoutMillis(getResponseTimeoutMillis(null));
518    return r;
519  }
520
521
522
523  /**
524   * {@inheritDoc}
525   */
526  @Override()
527  @NotNull()
528  public String getExtendedRequestName()
529  {
530    return INFO_DEREGISTER_YUBIKEY_OTP_REQUEST_NAME.get();
531  }
532
533
534
535  /**
536   * {@inheritDoc}
537   */
538  @Override()
539  public void toString(@NotNull final StringBuilder buffer)
540  {
541    buffer.append("DeregisterYubiKeyOTPDeviceExtendedRequest(");
542
543    if (authenticationID != null)
544    {
545      buffer.append("authenticationID='");
546      buffer.append(authenticationID);
547      buffer.append("', ");
548    }
549
550    buffer.append("staticPasswordProvided=");
551    buffer.append(staticPassword != null);
552    buffer.append(", otpProvided=");
553    buffer.append(yubiKeyOTP != null);
554
555    final Control[] controls = getControls();
556    if (controls.length > 0)
557    {
558      buffer.append(", controls={");
559      for (int i=0; i < controls.length; i++)
560      {
561        if (i > 0)
562        {
563          buffer.append(", ");
564        }
565
566        buffer.append(controls[i]);
567      }
568      buffer.append('}');
569    }
570
571    buffer.append(')');
572  }
573}