]> git.argeo.org Git - lgpl/argeo-commons.git/blob - auth/UserAdminLoginModule.java
projects / lgpl / argeo-commons.git / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Prepare next development cycle
[lgpl/argeo-commons.git] / auth / UserAdminLoginModule.java
1 package org.argeo.cms.auth;
2
3 import static org.argeo.naming.LdapAttrs.cn;
4
5 import java.io.IOException;
6 import java.security.PrivilegedAction;
7 import java.util.Arrays;
8 import java.util.HashSet;
9 import java.util.List;
10 import java.util.Locale;
11 import java.util.Map;
12 import java.util.Set;
13
14 import javax.naming.ldap.LdapName;
15 import javax.security.auth.Subject;
16 import javax.security.auth.callback.Callback;
17 import javax.security.auth.callback.CallbackHandler;
18 import javax.security.auth.callback.LanguageCallback;
19 import javax.security.auth.callback.NameCallback;
20 import javax.security.auth.callback.PasswordCallback;
21 import javax.security.auth.callback.UnsupportedCallbackException;
22 import javax.security.auth.kerberos.KerberosPrincipal;
23 import javax.security.auth.login.CredentialNotFoundException;
24 import javax.security.auth.login.LoginException;
25 import javax.security.auth.spi.LoginModule;
26 import javax.servlet.http.HttpServletRequest;
27
28 import org.apache.commons.logging.Log;
29 import org.apache.commons.logging.LogFactory;
30 import org.argeo.api.NodeConstants;
31 import org.argeo.api.security.CryptoKeyring;
32 import org.argeo.cms.CmsException;
33 import org.argeo.cms.internal.kernel.Activator;
34 import org.argeo.naming.LdapAttrs;
35 import org.argeo.osgi.useradmin.AuthenticatingUser;
36 import org.argeo.osgi.useradmin.IpaUtils;
37 import org.argeo.osgi.useradmin.OsUserUtils;
38 import org.argeo.osgi.useradmin.TokenUtils;
39 import org.osgi.framework.BundleContext;
40 import org.osgi.framework.FrameworkUtil;
41 import org.osgi.framework.ServiceReference;
42 import org.osgi.service.useradmin.Authorization;
43 import org.osgi.service.useradmin.Group;
44 import org.osgi.service.useradmin.User;
45 import org.osgi.service.useradmin.UserAdmin;
46
47 /**
48 * Use the {@link UserAdmin} in the OSGi registry as the basis for
49 * authentication.
50 */
51 public class UserAdminLoginModule implements LoginModule {
52 private final static Log log = LogFactory.getLog(UserAdminLoginModule.class);
53
54 private Subject subject;
55 private CallbackHandler callbackHandler;
56 private Map<String, Object> sharedState = null;
57
58 private List<String> indexedUserProperties = Arrays
59 .asList(new String[] { LdapAttrs.mail.name(), LdapAttrs.uid.name(), LdapAttrs.authPassword.name() });
60
61 // private state
62 private BundleContext bc;
63 private User authenticatedUser = null;
64 private Locale locale;
65
66 private Authorization bindAuthorization = null;
67
68 private boolean singleUser = Activator.isSingleUser();
69
70 @SuppressWarnings("unchecked")
71 @Override
72 public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState,
73 Map<String, ?> options) {
74 this.subject = subject;
75 try {
76 bc = FrameworkUtil.getBundle(UserAdminLoginModule.class).getBundleContext();
77 this.callbackHandler = callbackHandler;
78 this.sharedState = (Map<String, Object>) sharedState;
79 } catch (Exception e) {
80 throw new CmsException("Cannot initialize login module", e);
81 }
82 }
83
84 @Override
85 public boolean login() throws LoginException {
86 UserAdmin userAdmin = Activator.getUserAdmin();
87 final String username;
88 final char[] password;
89 Object certificateChain = null;
90 boolean preauth = false;
91 if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME)
92 && sharedState.containsKey(CmsAuthUtils.SHARED_STATE_PWD)) {
93 // NB: required by Basic http auth
94 username = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME);
95 password = (char[]) sharedState.get(CmsAuthUtils.SHARED_STATE_PWD);
96 // // TODO locale?
97 } else if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME)
98 && sharedState.containsKey(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN)) {
99 String certDn = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME);
100 // LdapName ldapName;
101 // try {
102 // ldapName = new LdapName(certificateName);
103 // } catch (InvalidNameException e) {
104 // e.printStackTrace();
105 // return false;
106 // }
107 // username = ldapName.getRdn(ldapName.size() - 1).getValue().toString();
108 username = certDn;
109 certificateChain = sharedState.get(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN);
110 password = null;
111 } else if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME)
112 && sharedState.containsKey(CmsAuthUtils.SHARED_STATE_REMOTE_ADDR)
113 && sharedState.containsKey(CmsAuthUtils.SHARED_STATE_REMOTE_PORT)) {// ident
114 username = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME);
115 password = null;
116 preauth = true;
117 } else if (singleUser) {
118 username = OsUserUtils.getOsUsername();
119 password = null;
120 } else {
121
122 // ask for username and password
123 NameCallback nameCallback = new NameCallback("User");
124 PasswordCallback passwordCallback = new PasswordCallback("Password", false);
125 LanguageCallback langCallback = new LanguageCallback();
126 try {
127 callbackHandler.handle(new Callback[] { nameCallback, passwordCallback, langCallback });
128 } catch (IOException e) {
129 throw new LoginException("Cannot handle callback: " + e.getMessage());
130 } catch (UnsupportedCallbackException e) {
131 return false;
132 }
133
134 // i18n
135 locale = langCallback.getLocale();
136 if (locale == null)
137 locale = Locale.getDefault();
138 // FIXME add it to Subject
139 // Locale.setDefault(locale);
140
141 username = nameCallback.getName();
142 if (username == null || username.trim().equals("")) {
143 // authorization = userAdmin.getAuthorization(null);
144 throw new CredentialNotFoundException("No credentials provided");
145 }
146 if (passwordCallback.getPassword() != null)
147 password = passwordCallback.getPassword();
148 else
149 throw new CredentialNotFoundException("No credentials provided");
150 sharedState.put(CmsAuthUtils.SHARED_STATE_NAME, username);
151 sharedState.put(CmsAuthUtils.SHARED_STATE_PWD, password);
152 }
153 User user = searchForUser(userAdmin, username);
154
155 // Tokens
156 if (user == null) {
157 String token = username;
158 Group tokenGroup = searchForToken(userAdmin, token);
159 if (tokenGroup != null) {
160 Authorization tokenAuthorization = getAuthorizationFromToken(userAdmin, tokenGroup);
161 if (tokenAuthorization != null) {
162 bindAuthorization = tokenAuthorization;
163 authenticatedUser = (User) userAdmin.getRole(bindAuthorization.getName());
164 return true;
165 }
166 }
167 }
168
169 if (user == null)
170 return true;// expect Kerberos
171
172 if (password != null) {
173 // try bind first
174 try {
175 AuthenticatingUser authenticatingUser = new AuthenticatingUser(user.getName(), password);
176 bindAuthorization = userAdmin.getAuthorization(authenticatingUser);
177 // TODO check tokens as well
178 if (bindAuthorization != null) {
179 authenticatedUser = user;
180 return true;
181 }
182 } catch (Exception e) {
183 // silent
184 if (log.isTraceEnabled())
185 log.trace("Bind failed", e);
186 }
187
188 // works only if a connection password is provided
189 if (!user.hasCredential(null, password)) {
190 return false;
191 }
192 } else if (certificateChain != null) {
193 // TODO check CRLs/OSCP validity?
194 // NB: authorization in commit() will work only if an LDAP connection password
195 // is provided
196 } else if (singleUser) {
197 // TODO verify IP address?
198 } else if (preauth) {
199 // ident
200 } else {
201 throw new CredentialNotFoundException("No credentials provided");
202 }
203
204 authenticatedUser = user;
205 return true;
206 }
207
208 @Override
209 public boolean commit() throws LoginException {
210 if (locale == null)
211 subject.getPublicCredentials().add(Locale.getDefault());
212 else
213 subject.getPublicCredentials().add(locale);
214
215 if (singleUser) {
216 OsUserUtils.loginAsSystemUser(subject);
217 }
218 UserAdmin userAdmin = Activator.getUserAdmin();
219 Authorization authorization;
220 if (callbackHandler == null) {// anonymous
221 authorization = userAdmin.getAuthorization(null);
222 } else if (bindAuthorization != null) {// bind
223 authorization = bindAuthorization;
224 } else {// Kerberos
225 User authenticatingUser;
226 Set<KerberosPrincipal> kerberosPrincipals = subject.getPrincipals(KerberosPrincipal.class);
227 if (kerberosPrincipals.isEmpty()) {
228 if (authenticatedUser == null) {
229 if (log.isTraceEnabled())
230 log.trace("Neither kerberos nor user admin login succeeded. Login failed.");
231 throw new CredentialNotFoundException("Bad credentials.");
232 } else {
233 authenticatingUser = authenticatedUser;
234 }
235 } else {
236 KerberosPrincipal kerberosPrincipal = kerberosPrincipals.iterator().next();
237 LdapName dn = IpaUtils.kerberosToDn(kerberosPrincipal.getName());
238 authenticatingUser = new AuthenticatingUser(dn);
239 if (authenticatedUser != null && !authenticatingUser.getName().equals(authenticatedUser.getName()))
240 throw new LoginException("Kerberos login " + authenticatingUser.getName()
241 + " is inconsistent with user admin login " + authenticatedUser.getName());
242 }
243 authorization = Subject.doAs(subject, new PrivilegedAction<Authorization>() {
244
245 @Override
246 public Authorization run() {
247 Authorization authorization = userAdmin.getAuthorization(authenticatingUser);
248 return authorization;
249 }
250
251 });
252 if (authorization == null)
253 throw new LoginException(
254 "User admin found no authorization for authenticated user " + authenticatingUser.getName());
255 }
256
257 // Log and monitor new login
258 HttpServletRequest request = (HttpServletRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST);
259 CmsAuthUtils.addAuthorization(subject, authorization);
260
261 // Unlock keyring (underlying login to the JCR repository)
262 char[] password = (char[]) sharedState.get(CmsAuthUtils.SHARED_STATE_PWD);
263 if (password != null) {
264 ServiceReference<CryptoKeyring> keyringSr = bc.getServiceReference(CryptoKeyring.class);
265 if (keyringSr != null) {
266 CryptoKeyring keyring = bc.getService(keyringSr);
267 Subject.doAs(subject, new PrivilegedAction<Void>() {
268
269 @Override
270 public Void run() {
271 try {
272 keyring.unlock(password);
273 } catch (Exception e) {
274 e.printStackTrace();
275 log.warn("Could not unlock keyring with the password provided by " + authorization.getName()
276 + ": " + e.getMessage());
277 }
278 return null;
279 }
280
281 });
282 }
283 }
284
285 // Register CmsSession with initial subject
286 CmsAuthUtils.registerSessionAuthorization(request, subject, authorization, locale);
287
288 if (log.isDebugEnabled())
289 log.debug("Logged in to CMS: " + subject);
290 return true;
291 }
292
293 @Override
294 public boolean abort() throws LoginException {
295 return true;
296 }
297
298 @Override
299 public boolean logout() throws LoginException {
300 if (log.isTraceEnabled())
301 log.trace("Logging out from CMS... " + subject);
302 // boolean httpSessionLogoutOk = CmsAuthUtils.logoutSession(bc,
303 // subject);
304 CmsAuthUtils.cleanUp(subject);
305 return true;
306 }
307
308 protected User searchForUser(UserAdmin userAdmin, String providedUsername) {
309 try {
310 // TODO check value null or empty
311 Set<User> collectedUsers = new HashSet<>();
312 // try dn
313 User user = null;
314 // try all indexes
315 for (String attr : indexedUserProperties) {
316 user = userAdmin.getUser(attr, providedUsername);
317 if (user != null)
318 collectedUsers.add(user);
319 }
320 if (collectedUsers.size() == 1) {
321 user = collectedUsers.iterator().next();
322 return user;
323 } else if (collectedUsers.size() > 1) {
324 log.warn(collectedUsers.size() + " users for provided username" + providedUsername);
325 }
326 // try DN as a last resort
327 try {
328 user = (User) userAdmin.getRole(providedUsername);
329 if (user != null)
330 return user;
331 } catch (Exception e) {
332 // silent
333 }
334 return null;
335 } catch (Exception e) {
336 if (log.isTraceEnabled())
337 log.warn("Cannot search for user " + providedUsername, e);
338 return null;
339 }
340
341 }
342
343 protected Group searchForToken(UserAdmin userAdmin, String token) {
344 String dn = cn + "=" + token + "," + NodeConstants.TOKENS_BASEDN;
345 Group tokenGroup = (Group) userAdmin.getRole(dn);
346 return tokenGroup;
347 }
348
349 protected Authorization getAuthorizationFromToken(UserAdmin userAdmin, Group tokenGroup) {
350 if (TokenUtils.isExpired(tokenGroup))
351 return null;
352 // String expiryDateStr = (String) tokenGroup.getProperties().get(description.name());
353 // if (expiryDateStr != null) {
354 // Instant expiryDate = NamingUtils.ldapDateToInstant(expiryDateStr);
355 // if (expiryDate.isBefore(Instant.now())) {
356 // if (log.isDebugEnabled())
357 // log.debug("Token " + tokenGroup.getName() + " has expired.");
358 // return null;
359 // }
360 // }
361 String userDn = TokenUtils.userDn(tokenGroup);
362 User user = (User) userAdmin.getRole(userDn);
363 Authorization auth = userAdmin.getAuthorization(user);
364 return auth;
365 }
366 }
Argeo Commons - Lightweight integration framework in pure Java/OSGi