X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Fauth%2FUserAdminLoginModule.java;h=e39918e4002d40d18584ad91819a2a86545c92e5;hb=35507e18257f2e9f59842ba5120fcd3f19c4cf4d;hp=269f509ed45d665ab4bb1b3dbcccefad21712d42;hpb=12a285bfc5d33b64e39a1083a24b5d65515acf52;p=lgpl%2Fargeo-commons.git

diff --git a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
index 269f509ed..e39918e40 100644
--- a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
+++ b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
@@ -2,6 +2,7 @@ package org.argeo.cms.auth;
 
 import java.io.IOException;
 import java.security.PrivilegedAction;
+import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.HashSet;
 import java.util.List;
@@ -26,8 +27,11 @@ import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.argeo.cms.CmsException;
+import org.argeo.cms.internal.kernel.Activator;
 import org.argeo.naming.LdapAttrs;
+import org.argeo.osgi.useradmin.AuthenticatingUser;
 import org.argeo.osgi.useradmin.IpaUtils;
+import org.argeo.osgi.useradmin.OsUserUtils;
 import org.osgi.framework.BundleContext;
 import org.osgi.framework.FrameworkUtil;
 import org.osgi.service.useradmin.Authorization;
@@ -41,14 +45,18 @@ public class UserAdminLoginModule implements LoginModule {
 	private CallbackHandler callbackHandler;
 	private Map<String, Object> sharedState = null;
 
-	private List<String> indexedUserProperties = Arrays.asList(
-			new String[] { LdapAttrs.DN, LdapAttrs.mail.name(), LdapAttrs.uid.name(), LdapAttrs.authPassword.name() });
+	private List<String> indexedUserProperties = Arrays
+			.asList(new String[] { LdapAttrs.mail.name(), LdapAttrs.uid.name(), LdapAttrs.authPassword.name() });
 
 	// private state
 	private BundleContext bc;
 	private User authenticatedUser = null;
 	private Locale locale;
 
+	private Authorization bindAuthorization = null;
+
+	private boolean singleUser = Activator.isSingleUser();
+
 	@SuppressWarnings("unchecked")
 	@Override
 	public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState,
@@ -68,13 +76,24 @@ public class UserAdminLoginModule implements LoginModule {
 		UserAdmin userAdmin = bc.getService(bc.getServiceReference(UserAdmin.class));
 		final String username;
 		final char[] password;
+		X509Certificate[] certificateChain = null;
 		if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME)
 				&& sharedState.containsKey(CmsAuthUtils.SHARED_STATE_PWD)) {
 			// NB: required by Basic http auth
 			username = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME);
 			password = (char[]) sharedState.get(CmsAuthUtils.SHARED_STATE_PWD);
 			// // TODO locale?
+		} else if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME)
+				&& sharedState.containsKey(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN)) {
+			// NB: required by Basic http auth
+			username = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME);
+			certificateChain = (X509Certificate[]) sharedState.get(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN);
+			password = null;
+		} else if (singleUser) {
+			username = OsUserUtils.getOsUsername();
+			password = null;
 		} else {
+
 			// ask for username and password
 			NameCallback nameCallback = new NameCallback("User");
 			PasswordCallback passwordCallback = new PasswordCallback("Password", false);
@@ -92,7 +111,7 @@ public class UserAdminLoginModule implements LoginModule {
 			if (locale == null)
 				locale = Locale.getDefault();
 			// FIXME add it to Subject
-			// UiContext.setLocale(locale);
+			// Locale.setDefault(locale);
 
 			username = nameCallback.getName();
 			if (username == null || username.trim().equals("")) {
@@ -104,26 +123,56 @@ public class UserAdminLoginModule implements LoginModule {
 			else
 				throw new CredentialNotFoundException("No credentials provided");
 		}
-
-		// User user = userAdmin.getUser(null, username);
 		User user = searchForUser(userAdmin, username);
 		if (user == null)
 			return true;// expect Kerberos
-		// throw new FailedLoginException("Invalid credentials");
-		if (!user.hasCredential(null, password))
-			return false;
-		// throw new FailedLoginException("Invalid credentials");
+
+		if (password != null) {
+			// try bind first
+			try {
+				AuthenticatingUser authenticatingUser = new AuthenticatingUser(user.getName(), password);
+				bindAuthorization = userAdmin.getAuthorization(authenticatingUser);
+				// TODO check tokens as well
+				if (bindAuthorization != null) {
+					authenticatedUser = user;
+					return true;
+				}
+			} catch (Exception e) {
+				// silent
+				if (log.isTraceEnabled())
+					log.trace("Bind failed", e);
+			}
+
+			// works only if a connection password is provided
+			if (!user.hasCredential(null, password)) {
+				return false;
+			}
+		} else if (certificateChain != null) {
+			// TODO check CRLs/OSCP validity?
+			// NB: authorization in commit() will work only if an LDAP connection password
+			// is provided
+		} else if (singleUser) {
+			// TODO verify IP address?
+		} else {
+			throw new CredentialNotFoundException("No credentials provided");
+		}
+
 		authenticatedUser = user;
 		return true;
 	}
 
 	@Override
 	public boolean commit() throws LoginException {
+		if (singleUser) {
+			OsUserUtils.loginAsSystemUser(subject);
+		}
 		UserAdmin userAdmin = bc.getService(bc.getServiceReference(UserAdmin.class));
 		Authorization authorization;
 		if (callbackHandler == null) {// anonymous
 			authorization = userAdmin.getAuthorization(null);
-		} else {
+		} else if (bindAuthorization != null) {// bind
+			authorization = bindAuthorization;
+		} else {// Kerberos
 			User authenticatingUser;
 			Set<KerberosPrincipal> kerberosPrincipals = subject.getPrincipals(KerberosPrincipal.class);
 			if (kerberosPrincipals.isEmpty()) {
@@ -184,23 +233,26 @@ public class UserAdminLoginModule implements LoginModule {
 			Set<User> collectedUsers = new HashSet<>();
 			// try dn
 			User user = null;
-			try {
-				user = (User) userAdmin.getRole(providedUsername);
-				if (user != null)
-					collectedUsers.add(user);
-			} catch (Exception e) {
-				// silent
-			}
 			// try all indexes
 			for (String attr : indexedUserProperties) {
 				user = userAdmin.getUser(attr, providedUsername);
 				if (user != null)
 					collectedUsers.add(user);
 			}
-			if (collectedUsers.size() == 1)
-				return collectedUsers.iterator().next();
-			else if (collectedUsers.size() > 1)
+			if (collectedUsers.size() == 1) {
+				user = collectedUsers.iterator().next();
+				return user;
+			} else if (collectedUsers.size() > 1) {
 				log.warn(collectedUsers.size() + " users for provided username" + providedUsername);
+			}
+			// try DN as a last resort
+			try {
+				user = (User) userAdmin.getRole(providedUsername);
+				if (user != null)
+					return user;
+			} catch (Exception e) {
+				// silent
+			}
 			return null;
 		} catch (Exception e) {
 			if (log.isTraceEnabled())