package org.argeo.cms.internal.runtime;
+import java.io.BufferedInputStream;
import java.io.IOException;
import java.io.Reader;
import java.net.InetAddress;
import java.util.Objects;
import java.util.Set;
import java.util.StringJoiner;
+import java.util.TreeMap;
import java.util.UUID;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ForkJoinPool;
import org.argeo.api.uuid.UuidFactory;
import org.argeo.cms.CmsDeployProperty;
import org.argeo.cms.auth.ident.IdentClient;
-import org.argeo.util.FsUtils;
+import org.argeo.cms.util.FsUtils;
+import org.argeo.cms.util.OS;
/**
* Implementation of a {@link CmsState}, initialising the required services.
deployPropertyDefaults.put(CmsDeployProperty.LOCALE, Locale.getDefault().toString());
// certificates
- deployPropertyDefaults.put(CmsDeployProperty.SSL_KEYSTORETYPE, PkiUtils.PKCS12);
- deployPropertyDefaults.put(CmsDeployProperty.SSL_PASSWORD, PkiUtils.DEFAULT_KEYSTORE_PASSWORD);
- Path keyStorePath = getDataPath(PkiUtils.DEFAULT_KEYSTORE_PATH);
+ deployPropertyDefaults.put(CmsDeployProperty.SSL_KEYSTORETYPE, KernelConstants.PKCS12);
+ deployPropertyDefaults.put(CmsDeployProperty.SSL_PASSWORD, KernelConstants.DEFAULT_KEYSTORE_PASSWORD);
+ Path keyStorePath = getDataPath(KernelConstants.DEFAULT_KEYSTORE_PATH);
if (keyStorePath != null) {
deployPropertyDefaults.put(CmsDeployProperty.SSL_KEYSTORE, keyStorePath.toAbsolutePath().toString());
}
- Path trustStorePath = getDataPath(PkiUtils.DEFAULT_TRUSTSTORE_PATH);
+ Path trustStorePath = getDataPath(KernelConstants.DEFAULT_TRUSTSTORE_PATH);
if (trustStorePath != null) {
deployPropertyDefaults.put(CmsDeployProperty.SSL_TRUSTSTORE, trustStorePath.toAbsolutePath().toString());
}
- deployPropertyDefaults.put(CmsDeployProperty.SSL_TRUSTSTORETYPE, PkiUtils.PKCS12);
- deployPropertyDefaults.put(CmsDeployProperty.SSL_TRUSTSTOREPASSWORD, PkiUtils.DEFAULT_KEYSTORE_PASSWORD);
+ deployPropertyDefaults.put(CmsDeployProperty.SSL_TRUSTSTORETYPE, KernelConstants.PKCS12);
+ deployPropertyDefaults.put(CmsDeployProperty.SSL_TRUSTSTOREPASSWORD, KernelConstants.DEFAULT_KEYSTORE_PASSWORD);
// SSH
Path authorizedKeysPath = getDataPath(KernelConstants.NODE_SSHD_AUTHORIZED_KEYS_PATH);
}
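Review bot: Seeding CmsDeployProperty.SSL_PASSWORD and SSL_TRUSTSTOREPASSWORD with KernelConstants.DEFAULT_KEYSTORE_PASSWORD means every deployment that does not override the property protects its server private key with the same compiled-in password, so the PKCS12 file is effectively guarded only by its file permissions. The commit only moves the constant from PkiUtils to KernelConstants, but this is where the default takes effect, so it deserves a comment: `// Built-in default shared by all deployments: override SSL_PASSWORD/SSL_TRUSTSTOREPASSWORD in the deployment; the key store is otherwise only as private as its file permissions`. Consider also logging a warning where the password is read in initCertificates when it still equals the default. The enclosing method starts outside this hunk.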
public void start() {
-// Runtime.getRuntime().addShutdownHook(new CmsShutdown());
-
try {
+ // First init check
+ Path privateBase = getDataPath(KernelConstants.DIR_PRIVATE);
+ if (privateBase != null && !Files.exists(privateBase)) {// first init
+ firstInit();
+ Files.createDirectories(privateBase);
+ }
+
initSecurity();
// initArgeoLogger();
if (log.isTraceEnabled())
log.trace("CMS State started");
-// String stateUuidStr = KernelUtils.getFrameworkProp(Constants.FRAMEWORK_UUID);
-// this.uuid = UUID.fromString(stateUuidStr);
this.uuid = uuidFactory.timeUUID();
-// this.cleanState = stateUuid.equals(frameworkUuid);
// hostname
this.hostname = getDeployProperty(CmsDeployProperty.HOST);
log.debug("## CMS starting... (" + uuid + ")\n" + sb + "\n");
}
- Path nodeBase = getDataPath(KernelConstants.DIR_PRIVATE);
- if (nodeBase != null && !Files.exists(nodeBase)) {// first init
- firstInit();
+ if (log.isTraceEnabled()) {
+ // print system properties
+ StringJoiner sb = new StringJoiner("\n");
+ for (Object key : new TreeMap<>(System.getProperties()).keySet()) {
+ sb.add(key + "=" + System.getProperty(key.toString()));
+ }
+ log.trace("System properties:\n" + sb + "\n");
+
}
} catch (RuntimeException | IOException e) {
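Review bot: The new trace block `for (Object key : new TreeMap<>(System.getProperties()).keySet())` writes every system property value to the log, which is where -D supplied credentials (the keystore password, proxy passwords, or whatever getDeployProperty falls back to, if deploy properties can be passed as system properties — not visible here, please confirm) would end up in clear text. Trace is off by default, but log files are routinely shipped to collectors with broader access than the deployment itself. Redact by key before appending: `String k = key.toString();` `String v = k.toLowerCase(Locale.ROOT).contains("password") ? "***" : System.getProperty(k);` `sb.add(k + "=" + v);` (Locale is already in scope). Note also that `Files.createDirectories(privateBase)` now creates the private directory with the process umask before `initSecurity()` tightens it, and that `firstInit()` runs before that directory exists, which is a change in ordering from the removed lines.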
private void initSecurity() {
// private directory permissions
- Path privateDir = KernelUtils.getOsgiInstancePath(KernelConstants.DIR_PRIVATE);
+ Path privateDir = getDataPath(KernelConstants.DIR_PRIVATE);
if (privateDir != null) {
// TODO rather check whether we can read and write
Set<PosixFilePermission> posixPermissions = new HashSet<>();
posixPermissions.add(PosixFilePermission.OWNER_WRITE);
posixPermissions.add(PosixFilePermission.OWNER_EXECUTE);
try {
- Files.setPosixFilePermissions(privateDir, posixPermissions);
+ if (!Files.exists(privateDir))
+ Files.createDirectories(privateDir);
+ if (!OS.LOCAL.isMSWindows())
+ Files.setPosixFilePermissions(privateDir, posixPermissions);
} catch (IOException e) {
- log.error("Cannot set permissions on " + privateDir);
+ log.error("Cannot set permissions on " + privateDir, e);
}
}
// explicitly load JAAS configuration
Configuration.getConfiguration();
- boolean initSsl = getDeployProperty(CmsDeployProperty.HTTPS_PORT) != null;
- if (initSsl) {
+ boolean initCertificates = (getDeployProperty(CmsDeployProperty.HTTPS_PORT) != null)
+ || (getDeployProperty(CmsDeployProperty.SSHD_PORT) != null);
+ if (initCertificates) {
initCertificates();
}
}
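Review bot: `Files.createDirectories(privateDir)` followed by `Files.setPosixFilePermissions(privateDir, posixPermissions)` creates the private directory with the process umask first and narrows it afterwards, leaving a window in which it can be readable by others; create it restricted from the start with `Files.createDirectories(privateDir, PosixFilePermissions.asFileAttribute(posixPermissions))` when POSIX attributes are supported. The `!OS.LOCAL.isMSWindows()` guard is a proxy for what actually matters, so `FileSystems.getDefault().supportedFileAttributeViews().contains("posix")` would be more precise and also handle non-POSIX mounts on Unix. The permission set is OWNER_WRITE and OWNER_EXECUTE only, with no OWNER_READ, which yields `d-wx------` and prevents listing the directory; if that is not intended, add `posixPermissions.add(PosixFilePermission.OWNER_READ);` (pre-existing, but this commit reworks the surrounding code). A failure to set the permissions is only logged and startup continues with a private directory of unknown permissions; consider failing startup here instead of `log.error`.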
private void initCertificates() {
// server certificate
Path keyStorePath = Paths.get(getDeployProperty(CmsDeployProperty.SSL_KEYSTORE));
- Path pemKeyPath = getDataPath(PkiUtils.DEFAULT_PEM_KEY_PATH);
- Path pemCertPath = getDataPath(PkiUtils.DEFAULT_PEM_CERT_PATH);
+ Path pemKeyPath = getDataPath(KernelConstants.DEFAULT_PEM_KEY_PATH);
+ Path pemCertPath = getDataPath(KernelConstants.DEFAULT_PEM_CERT_PATH);
char[] keyStorePassword = getDeployProperty(CmsDeployProperty.SSL_PASSWORD).toCharArray();
// Keystore
KeyStore keyStore = PkiUtils.getKeyStore(keyStorePath, keyStorePassword,
getDeployProperty(CmsDeployProperty.SSL_KEYSTORETYPE));
try (Reader key = Files.newBufferedReader(pemKeyPath, StandardCharsets.US_ASCII);
- Reader cert = Files.newBufferedReader(pemCertPath, StandardCharsets.US_ASCII);) {
+ BufferedInputStream cert = new BufferedInputStream(Files.newInputStream(pemCertPath));) {
PkiUtils.loadPrivateCertificatePem(keyStore, CmsConstants.NODE, key, keyStorePassword, cert);
Files.createDirectories(keyStorePath.getParent());
PkiUtils.saveKeyStore(keyStorePath, keyStorePassword, keyStore);
char[] trustStorePassword = getDeployProperty(CmsDeployProperty.SSL_TRUSTSTOREPASSWORD).toCharArray();
// IPA CA
- Path ipaCaCertPath = Paths.get(PkiUtils.IPA_PEM_CA_CERT_PATH);
+ Path ipaCaCertPath = Paths.get(KernelConstants.IPA_PEM_CA_CERT_PATH);
if (Files.exists(ipaCaCertPath)) {
KeyStore trustStore = PkiUtils.getKeyStore(trustStorePath, trustStorePassword,
getDeployProperty(CmsDeployProperty.SSL_TRUSTSTORETYPE));
- try (Reader cert = Files.newBufferedReader(ipaCaCertPath, StandardCharsets.US_ASCII);) {
+ try (BufferedInputStream cert = new BufferedInputStream(Files.newInputStream(ipaCaCertPath));) {
PkiUtils.loadTrustedCertificatePem(trustStore, trustStorePassword, cert);
Files.createDirectories(keyStorePath.getParent());
PkiUtils.saveKeyStore(trustStorePath, trustStorePassword, trustStore);
log.error("Cannot trust CA certificate", e);
}
}
-
- if (!Files.exists(keyStorePath))
- PkiUtils.createSelfSignedKeyStore(keyStorePath, keyStorePassword, PkiUtils.PKCS12);
-// props.put(JettyHttpConstants.SSL_KEYSTORETYPE, PkiUtils.PKCS12);
-// props.put(JettyHttpConstants.SSL_KEYSTORE, keyStorePath.toString());
-// props.put(JettyHttpConstants.SSL_PASSWORD, new String(keyStorePassword));
-
-// props.put(InternalHttpConstants.SSL_KEYSTORETYPE, "PKCS11");
-// props.put(InternalHttpConstants.SSL_KEYSTORE, "../../nssdb");
-// props.put(InternalHttpConstants.SSL_PASSWORD, keyStorePassword);
-
}
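Review bot: `Files.createDirectories(keyStorePath.getParent())` in the trust store branch creates the key store's parent directory rather than the trust store's, so when SSL_TRUSTSTORE points outside the key store's directory `PkiUtils.saveKeyStore(trustStorePath, …)` fails and is reported as "Cannot trust CA certificate"; change it to `Files.createDirectories(trustStorePath.getParent());`. With the self-signed fallback removed from this method, a deployment without the PEM key and certificate files now gets a NoSuchFileException from `Files.newBufferedReader(pemKeyPath, …)` instead of a generated key store; the catch clause handling that is outside the hunk, so please confirm that HTTPS/SSHD still start or that startup fails loudly rather than silently running without a server certificate.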
public void stop() {
return KernelUtils.getOsgiInstancePath(relativePath);
}
+ @Override
+ public Path getStatePath(String relativePath) {
+ return KernelUtils.getOsgiConfigurationPath(relativePath);
+ }
+
@Override
public Long getAvailableSince() {
return availableSince;