package org.argeo.cms.internal.kernel;
import java.io.File;
import java.io.IOException;
import java.lang.management.ManagementFactory;
import java.net.URL;
import java.security.KeyStore;
import java.security.PrivilegedAction;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.jcr.Repository;
import javax.jcr.RepositoryFactory;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.x500.X500Principal;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.jackrabbit.util.TransientFileFactory;
import org.argeo.ArgeoException;
import org.argeo.cms.CmsException;
import org.argeo.cms.KernelHeader;
import org.argeo.jackrabbit.OsgiJackrabbitRepositoryFactory;
import org.argeo.jcr.ArgeoJcrConstants;
import org.argeo.security.core.InternalAuthentication;
import org.argeo.security.crypto.PkiUtils;
import org.eclipse.equinox.http.servlet.ExtendedHttpService;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceEvent;
import org.osgi.framework.ServiceListener;
import org.osgi.framework.ServiceReference;
import org.osgi.util.tracker.ServiceTracker;
import org.springframework.security.core.context.SecurityContextHolder;
/**
* Argeo CMS Kernel. Responsible for :
*
* - security
* - provisioning
* - transaction
* - logging
* - local and remote file systems access
* - OS access
*
*/
final class Kernel implements ServiceListener {
private final static Log log = LogFactory.getLog(Kernel.class);
private final BundleContext bundleContext = Activator.getBundleContext();
ThreadGroup threadGroup = new ThreadGroup(Kernel.class.getSimpleName());
JackrabbitNode node;
OsgiJackrabbitRepositoryFactory repositoryFactory;
NodeSecurity nodeSecurity;
NodeHttp nodeHttp;
private KernelThread kernelThread;
private final Subject kernelSubject = new Subject();
public Kernel() {
URL url = getClass().getClassLoader().getResource(
KernelConstants.JAAS_CONFIG);
System.setProperty("java.security.auth.login.config",
url.toExternalForm());
createKeyStoreIfNeeded();
CallbackHandler cbHandler = new CallbackHandler() {
@Override
public void handle(Callback[] callbacks) throws IOException,
UnsupportedCallbackException {
// alias
((NameCallback) callbacks[1]).setName(KernelHeader.ROLE_KERNEL);
// store pwd
((PasswordCallback) callbacks[2]).setPassword("changeit"
.toCharArray());
// key pwd
((PasswordCallback) callbacks[3]).setPassword("changeit"
.toCharArray());
}
};
try {
LoginContext kernelLc = new LoginContext(
KernelConstants.LOGIN_CONTEXT_KERNEL, kernelSubject,
cbHandler);
kernelLc.login();
} catch (LoginException e) {
throw new CmsException("Cannot log in kernel", e);
}
}
final void init() {
Subject.doAs(kernelSubject, new PrivilegedAction() {
@Override
public Void run() {
doInit();
return null;
}
});
}
private void doInit() {
ClassLoader currentContextCl = Thread.currentThread()
.getContextClassLoader();
Thread.currentThread().setContextClassLoader(
Kernel.class.getClassLoader());
long begin = System.currentTimeMillis();
InternalAuthentication initAuth = new InternalAuthentication(
KernelConstants.DEFAULT_SECURITY_KEY);
SecurityContextHolder.getContext().setAuthentication(initAuth);
try {
// Jackrabbit node
node = new JackrabbitNode(bundleContext);
// JCR repository factory
repositoryFactory = new OsgiJackrabbitRepositoryFactory();
// Authentication
nodeSecurity = new NodeSecurity(bundleContext, node);
// Equinox dependency
ExtendedHttpService httpService = waitForHttpService();
nodeHttp = new NodeHttp(httpService, node, nodeSecurity);
// Kernel thread
kernelThread = new KernelThread(this);
kernelThread.setContextClassLoader(Kernel.class.getClassLoader());
kernelThread.start();
// Publish services to OSGi
nodeSecurity.publish();
node.publish(repositoryFactory);
bundleContext.registerService(RepositoryFactory.class,
repositoryFactory, null);
bundleContext.addServiceListener(Kernel.this);
} catch (Exception e) {
log.error("Cannot initialize Argeo CMS", e);
throw new ArgeoException("Cannot initialize", e);
} finally {
Thread.currentThread().setContextClassLoader(currentContextCl);
}
long jvmUptime = ManagementFactory.getRuntimeMXBean().getUptime();
log.info("## ARGEO CMS UP in " + (jvmUptime / 1000) + "."
+ (jvmUptime % 1000) + "s ##");
long initDuration = System.currentTimeMillis() - begin;
if (log.isTraceEnabled())
log.trace("Kernel initialization took " + initDuration + "ms");
directorsCut(initDuration);
}
void destroy() {
long begin = System.currentTimeMillis();
kernelThread.destroyAndJoin();
if (nodeHttp != null)
nodeHttp.destroy();
if (nodeSecurity != null)
nodeSecurity.destroy();
if (node != null)
node.destroy();
bundleContext.removeServiceListener(this);
// Clean hanging threads from Jackrabbit
TransientFileFactory.shutdown();
try {
LoginContext kernelLc = new LoginContext(
KernelConstants.LOGIN_CONTEXT_KERNEL, kernelSubject);
kernelLc.logout();
} catch (LoginException e) {
throw new CmsException("Cannot log in kernel", e);
}
long duration = System.currentTimeMillis() - begin;
log.info("## ARGEO CMS DOWN in " + (duration / 1000) + "."
+ (duration % 1000) + "s ##");
}
@Override
public void serviceChanged(ServiceEvent event) {
ServiceReference sr = event.getServiceReference();
Object jcrRepoAlias = sr
.getProperty(ArgeoJcrConstants.JCR_REPOSITORY_ALIAS);
if (jcrRepoAlias != null) {// JCR repository
String alias = jcrRepoAlias.toString();
Repository repository = (Repository) bundleContext.getService(sr);
Map props = new HashMap();
for (String key : sr.getPropertyKeys())
props.put(key, sr.getProperty(key));
if (ServiceEvent.REGISTERED == event.getType()) {
try {
repositoryFactory.register(repository, props);
nodeHttp.registerRepositoryServlets(alias, repository);
} catch (Exception e) {
throw new CmsException("Could not publish JCR repository "
+ alias, e);
}
} else if (ServiceEvent.UNREGISTERING == event.getType()) {
repositoryFactory.unregister(repository, props);
nodeHttp.unregisterRepositoryServlets(alias);
}
}
}
private ExtendedHttpService waitForHttpService() {
final ServiceTracker st = new ServiceTracker(
bundleContext, ExtendedHttpService.class, null);
st.open();
ExtendedHttpService httpService;
try {
httpService = st.waitForService(1000);
} catch (InterruptedException e) {
httpService = null;
}
if (httpService == null)
throw new CmsException("Could not find "
+ ExtendedHttpService.class + " service.");
return httpService;
}
private void createKeyStoreIfNeeded() {
char[] ksPwd = "changeit".toCharArray();
char[] keyPwd = Arrays.copyOf(ksPwd, ksPwd.length);
File keyStoreFile = KernelUtils.getOsgiConfigurationFile("node.p12");
if (!keyStoreFile.exists()) {
try {
KeyStore keyStore = PkiUtils.getKeyStore(keyStoreFile, ksPwd);
X509Certificate cert = PkiUtils.generateSelfSignedCertificate(
keyStore, new X500Principal(KernelHeader.ROLE_KERNEL),
keyPwd);
PkiUtils.saveKeyStore(keyStoreFile, ksPwd, keyStore);
} catch (Exception e) {
throw new CmsException("Cannot create key store "
+ keyStoreFile, e);
}
}
}
final private static void directorsCut(long initDuration) {
// final long ms = 128l + (long) (Math.random() * 128d);
long ms = initDuration / 100;
log.info("Spend " + ms + "ms"
+ " reflecting on the progress brought to mankind"
+ " by Free Software...");
long beginNano = System.nanoTime();
try {
Thread.sleep(ms, 0);
} catch (InterruptedException e) {
// silent
}
long durationNano = System.nanoTime() - beginNano;
final double M = 1000d * 1000d;
double sleepAccuracy = ((double) durationNano) / (ms * M);
if (log.isDebugEnabled())
log.debug("Sleep accuracy: "
+ String.format("%.2f", 100 - (sleepAccuracy * 100 - 100))
+ " %");
}
}