X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Fauth%2FUserAdminLoginModule.java;h=4862c57ac03a0faf0ddc5cb0e4f14f2e298f2562;hb=57e34e0482e03cea9a6a34326c22c7c969ad07c8;hp=ebe81b6714c49feffbcdae26aceb4b901c6b8a61;hpb=8fe4f3585ddeb9f3d044aa77de07b4fdc0151a3b;p=lgpl%2Fargeo-commons.git

diff --git a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
index ebe81b671..4862c57ac 100644
--- a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
+++ b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
@@ -2,6 +2,7 @@ package org.argeo.cms.auth;
 
 import java.io.IOException;
 import java.security.PrivilegedAction;
+import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.HashSet;
 import java.util.List;
@@ -26,11 +27,15 @@ import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.argeo.cms.CmsException;
+import org.argeo.cms.internal.kernel.Activator;
 import org.argeo.naming.LdapAttrs;
+import org.argeo.node.security.CryptoKeyring;
 import org.argeo.osgi.useradmin.AuthenticatingUser;
 import org.argeo.osgi.useradmin.IpaUtils;
+import org.argeo.osgi.useradmin.OsUserUtils;
 import org.osgi.framework.BundleContext;
 import org.osgi.framework.FrameworkUtil;
+import org.osgi.framework.ServiceReference;
 import org.osgi.service.useradmin.Authorization;
 import org.osgi.service.useradmin.User;
 import org.osgi.service.useradmin.UserAdmin;
@@ -52,6 +57,8 @@ public class UserAdminLoginModule implements LoginModule {
 
 	private Authorization bindAuthorization = null;
 
+	private boolean singleUser = Activator.isSingleUser();
+
 	@SuppressWarnings("unchecked")
 	@Override
 	public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState,
@@ -68,16 +75,27 @@ public class UserAdminLoginModule implements LoginModule {
 
 	@Override
 	public boolean login() throws LoginException {
-		UserAdmin userAdmin = bc.getService(bc.getServiceReference(UserAdmin.class));
+		UserAdmin userAdmin = Activator.getUserAdmin();
 		final String username;
 		final char[] password;
+		X509Certificate[] certificateChain = null;
 		if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME)
 				&& sharedState.containsKey(CmsAuthUtils.SHARED_STATE_PWD)) {
 			// NB: required by Basic http auth
 			username = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME);
 			password = (char[]) sharedState.get(CmsAuthUtils.SHARED_STATE_PWD);
 			// // TODO locale?
+		} else if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME)
+				&& sharedState.containsKey(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN)) {
+			// NB: required by Basic http auth
+			username = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME);
+			certificateChain = (X509Certificate[]) sharedState.get(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN);
+			password = null;
+		} else if (singleUser) {
+			username = OsUserUtils.getOsUsername();
+			password = null;
 		} else {
+
 			// ask for username and password
 			NameCallback nameCallback = new NameCallback("User");
 			PasswordCallback passwordCallback = new PasswordCallback("Password", false);
@@ -95,7 +113,7 @@ public class UserAdminLoginModule implements LoginModule {
 			if (locale == null)
 				locale = Locale.getDefault();
 			// FIXME add it to Subject
-//			Locale.setDefault(locale);
+			// Locale.setDefault(locale);
 
 			username = nameCallback.getName();
 			if (username == null || username.trim().equals("")) {
@@ -106,38 +124,58 @@ public class UserAdminLoginModule implements LoginModule {
 				password = passwordCallback.getPassword();
 			else
 				throw new CredentialNotFoundException("No credentials provided");
+			sharedState.put(CmsAuthUtils.SHARED_STATE_NAME, username);
+			sharedState.put(CmsAuthUtils.SHARED_STATE_PWD, password);
 		}
-
 		User user = searchForUser(userAdmin, username);
 		if (user == null)
 			return true;// expect Kerberos
-		
-		// try bind first
-		try {
-			AuthenticatingUser authenticatingUser = new AuthenticatingUser(user.getName(), password);
-			bindAuthorization = userAdmin.getAuthorization(authenticatingUser);
-			// TODO check tokens as well
-			if (bindAuthorization != null) {
-				authenticatedUser = user;
-				return true;
+
+		if (password != null) {
+			// try bind first
+			try {
+				AuthenticatingUser authenticatingUser = new AuthenticatingUser(user.getName(), password);
+				bindAuthorization = userAdmin.getAuthorization(authenticatingUser);
+				// TODO check tokens as well
+				if (bindAuthorization != null) {
+					authenticatedUser = user;
+					return true;
+				}
+			} catch (Exception e) {
+				// silent
+				if (log.isTraceEnabled())
+					log.trace("Bind failed", e);
 			}
-		} catch (Exception e) {
-			// silent
-			if(log.isTraceEnabled())
-				log.trace("Bind failed", e);
-		}
-		
-		// works only if a connection password is provided
-		if (!user.hasCredential(null, password)) {
-			return false;
+
+			// works only if a connection password is provided
+			if (!user.hasCredential(null, password)) {
+				return false;
+			}
+		} else if (certificateChain != null) {
+			// TODO check CRLs/OSCP validity?
+			// NB: authorization in commit() will work only if an LDAP connection password
+			// is provided
+		} else if (singleUser) {
+			// TODO verify IP address?
+		} else {
+			throw new CredentialNotFoundException("No credentials provided");
 		}
+
 		authenticatedUser = user;
 		return true;
 	}
 
 	@Override
 	public boolean commit() throws LoginException {
-		UserAdmin userAdmin = bc.getService(bc.getServiceReference(UserAdmin.class));
+		if (locale == null)
+			subject.getPublicCredentials().add(Locale.getDefault());
+		else
+			subject.getPublicCredentials().add(locale);
+
+		if (singleUser) {
+			OsUserUtils.loginAsSystemUser(subject);
+		}
+		UserAdmin userAdmin = Activator.getUserAdmin();
 		Authorization authorization;
 		if (callbackHandler == null) {// anonymous
 			authorization = userAdmin.getAuthorization(null);
@@ -175,9 +213,38 @@ public class UserAdminLoginModule implements LoginModule {
 				throw new LoginException(
 						"User admin found no authorization for authenticated user " + authenticatingUser.getName());
 		}
+
 		// Log and monitor new login
-		CmsAuthUtils.addAuthorization(subject, authorization, locale,
-				(HttpServletRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST));
+		HttpServletRequest request = (HttpServletRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST);
+		CmsAuthUtils.addAuthorization(subject, authorization, locale, request);
+
+		// Unlock keyring (underlying login to the JCR repository)
+		char[] password = (char[]) sharedState.get(CmsAuthUtils.SHARED_STATE_PWD);
+		if (password != null) {
+			ServiceReference<CryptoKeyring> keyringSr = bc.getServiceReference(CryptoKeyring.class);
+			if (keyringSr != null) {
+				CryptoKeyring keyring = bc.getService(keyringSr);
+				Subject.doAs(subject, new PrivilegedAction<Void>() {
+
+					@Override
+					public Void run() {
+						try {
+							keyring.unlock(password);
+						} catch (Exception e) {
+							e.printStackTrace();
+							log.warn("Could not unlock keyring with the password provided by " + authorization.getName()
+									+ ": " + e.getMessage());
+						}
+						return null;
+					}
+
+				});
+			}
+		}
+
+		// Register CmsSession with initial subject
+		CmsAuthUtils.registerSessionAuthorization(request, subject, authorization, locale);
+
 		if (log.isDebugEnabled())
 			log.debug("Logged in to CMS: " + subject);
 		return true;