X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fkernel%2FActivator.java;h=7b2cb78bfe403105566d7b1a60468cf399b711ab;hb=fb22feb37b0c2340d3d846dce4b6f47d0f728efb;hp=5ef545e6fa49e8cc59880ae9f3dc9b6fb5db14c0;hpb=d728b305c8c8e97b4434a75e5b47e73fa287cc51;p=lgpl%2Fargeo-commons.git
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java
index 5ef545e6f..7b2cb78bf 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java
@@ -2,29 +2,35 @@ package org.argeo.cms.internal.kernel; import java.io.IOException; import java.net.URL; -import java.nio.file.Files; -import java.nio.file.Path; -import java.util.Dictionary; +import java.security.AllPermission; import java.util.List; import java.util.Locale; +import java.util.concurrent.ExecutorService; +import java.util.concurrent.Executors; import javax.security.auth.login.Configuration; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.argeo.api.ArgeoLogger; +import org.argeo.api.NodeConstants; +import org.argeo.api.NodeDeployment; +import org.argeo.api.NodeInstance; +import org.argeo.api.NodeState; import org.argeo.cms.CmsException; -import org.argeo.node.ArgeoLogger; -import org.argeo.node.NodeConstants; -import org.argeo.node.NodeDeployment; -import org.argeo.node.NodeInstance; -import org.argeo.node.NodeState; -import org.argeo.util.LangUtils; +import org.argeo.ident.IdentClient; import org.ietf.jgss.GSSCredential; import org.osgi.framework.BundleActivator; import org.osgi.framework.BundleContext; import org.osgi.framework.Constants; import org.osgi.framework.ServiceReference; +import org.osgi.service.condpermadmin.BundleLocationCondition; +import org.osgi.service.condpermadmin.ConditionInfo; +import org.osgi.service.condpermadmin.ConditionalPermissionAdmin; +import org.osgi.service.condpermadmin.ConditionalPermissionInfo; +import org.osgi.service.condpermadmin.ConditionalPermissionUpdate; import org.osgi.service.log.LogReaderService; +import org.osgi.service.permissionadmin.PermissionInfo; import org.osgi.service.useradmin.UserAdmin; import org.osgi.util.tracker.ServiceTracker; @@ -37,6 +43,9 @@ public class Activator implements BundleActivator { private static Activator instance; + // TODO make it configurable + private boolean hardened = false; + private BundleContext bc; private LogReaderService logReaderService; 
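Review bot: `hardened` is a non-final instance field fixed at `false`, so the `else` branch in initSecurity() that applies `SecurityProfile` can never run, and every node started with OSGi security enabled ends up with the all-permissions table. Until the TODO is resolved, set it in start() before `initSecurity()` from a framework property, e.g. `hardened = Boolean.parseBoolean(KernelUtils.getFrameworkProp("<property name to be chosen>"));`, which keeps today's default when the property is absent. Logging the active mode once at start-up would let an operator tell a permissive node from a hardened one.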
@@ -47,6 +56,7 @@ public class Activator implements BundleActivator { private CmsInstance nodeInstance; private ServiceTracker userAdminSt; + private ExecutorService internalExecutorService; @Override public void start(BundleContext bundleContext) throws Exception { @@ -54,6 +64,7 @@ public class Activator implements BundleActivator { instance = this; this.bc = bundleContext; this.logReaderService = getService(LogReaderService.class); + this.internalExecutorService = Executors.newFixedThreadPool(Runtime.getRuntime().availableProcessors()); try { initSecurity(); @@ -62,7 +73,8 @@ public class Activator implements BundleActivator { userAdminSt = new ServiceTracker<>(instance.bc, UserAdmin.class, null); userAdminSt.open(); - log.debug("Kernel bundle started"); + if (log.isTraceEnabled()) + log.trace("Kernel bundle started"); } catch (Throwable e) { log.error("## FATAL: CMS activator failed", e); } 
@@ -79,20 +91,39 @@ public class Activator implements BundleActivator { // explicitly load JAAS configuration Configuration.getConfiguration(); - // ConditionalPermissionAdmin permissionAdmin = bc - // .getService(bc.getServiceReference(ConditionalPermissionAdmin.class)); - // ConditionalPermissionUpdate update = - // permissionAdmin.newConditionalPermissionUpdate(); - // // Self - // update.getConditionalPermissionInfos() - // .add(permissionAdmin.newConditionalPermissionInfo(null, - // new ConditionInfo[] { - // new ConditionInfo(BundleLocationCondition.class.getName(), new - // String[] { "*" }) }, - // new PermissionInfo[] { new - // PermissionInfo(AllPermission.class.getName(), null, null) }, - // ConditionalPermissionInfo.ALLOW)); - // + // code-level permissions + String osgiSecurity = KernelUtils.getFrameworkProp(Constants.FRAMEWORK_SECURITY); + if (osgiSecurity != null && Constants.FRAMEWORK_SECURITY_OSGI.equals(osgiSecurity)) { + // TODO rather use a tracker? + ConditionalPermissionAdmin permissionAdmin = bc + .getService(bc.getServiceReference(ConditionalPermissionAdmin.class)); + if (!hardened) { + // All permissions to all bundles + ConditionalPermissionUpdate update = permissionAdmin.newConditionalPermissionUpdate(); + update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null, + new ConditionInfo[] { + new ConditionInfo(BundleLocationCondition.class.getName(), new String[] { "*" }) }, + new PermissionInfo[] { new PermissionInfo(AllPermission.class.getName(), null, null) }, + ConditionalPermissionInfo.ALLOW)); + // TODO data admin permission +// PermissionInfo dataAdminPerm = new PermissionInfo(AuthPermission.class.getName(), +// "createLoginContext." 
+ NodeConstants.LOGIN_CONTEXT_DATA_ADMIN, null); +// update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null, +// new ConditionInfo[] { +// new ConditionInfo(BundleLocationCondition.class.getName(), new String[] { "*" }) }, +// new PermissionInfo[] { dataAdminPerm }, ConditionalPermissionInfo.DENY)); +// update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null, +// new ConditionInfo[] { +// new ConditionInfo(BundleSignerCondition.class.getName(), new String[] { "CN=\"Eclipse.org Foundation, Inc.\", OU=IT, O=\"Eclipse.org Foundation, Inc.\", L=Nepean, ST=Ontario, C=CA" }) }, +// new PermissionInfo[] { dataAdminPerm }, ConditionalPermissionInfo.ALLOW)); + update.commit(); + } else { + SecurityProfile securityProfile = new SecurityProfile() { + }; + securityProfile.applySystemPermissions(permissionAdmin); + } + } + } private void initArgeoLogger() { 
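Review bot: In the `!hardened` branch the boolean returned by `update.commit()` is dropped, and the reference from `bc.getServiceReference(ConditionalPermissionAdmin.class)` is passed to `bc.getService(...)` without a null check. A rejected update therefore passes silently, and a missing service surfaces only as an exception that start() catches and logs as FATAL before carrying on, so the node can keep running with a permission table that was never set. Check both and fail start-up instead, e.g. `if (!update.commit()) throw new IllegalStateException("Conditional permission update was not committed");`. The rule itself (`BundleLocationCondition` on `"*"` with `AllPermission`) leaves the security manager enabled without restricting any bundle; saying so next to `// All permissions to all bundles` would keep it from being read as a hardened setup. initSecurity() starts above this hunk.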
@@ -102,18 +133,18 @@ public class Activator implements BundleActivator { private void initNode() throws IOException { // Node state - Path stateUuidPath = bc.getDataFile("stateUuid").toPath(); - String stateUuid; - if (Files.exists(stateUuidPath)) { - stateUuid = Files.readAllLines(stateUuidPath).get(0); - } else { - stateUuid = bc.getProperty(Constants.FRAMEWORK_UUID); - Files.write(stateUuidPath, stateUuid.getBytes()); - } - nodeState = new CmsState(stateUuid); - Dictionary regProps = LangUtils.dico(Constants.SERVICE_PID, NodeConstants.NODE_STATE_PID); - regProps.put(NodeConstants.CN, stateUuid); - bc.registerService(NodeState.class, nodeState, regProps); +// Path stateUuidPath = bc.getDataFile("stateUuid").toPath(); +// String stateUuid; +// if (Files.exists(stateUuidPath)) { +// stateUuid = Files.readAllLines(stateUuidPath).get(0); +// } else { +// stateUuid = bc.getProperty(Constants.FRAMEWORK_UUID); +// Files.write(stateUuidPath, stateUuid.getBytes()); +// } + nodeState = new CmsState(); +// Dictionary regProps = LangUtils.dico(Constants.SERVICE_PID, NodeConstants.NODE_STATE_PID); +// regProps.put(NodeConstants.CN, stateUuid); + bc.registerService(NodeState.class, nodeState, null); // Node deployment nodeDeployment = new CmsDeployment(); @@ -137,6 +168,7 @@ public class Activator implements BundleActivator { if (userAdminSt != null) userAdminSt.close(); + internalExecutorService.shutdown(); instance = null; this.bc = null; this.logReaderService = null; @@ -173,6 +205,13 @@ public class Activator implements BundleActivator { return KernelUtils.getFrameworkProp(NodeConstants.HTTP_PROXY_SSL_DN); } + public static IdentClient getIdentClient(String remoteAddr) { + if (!IdentClient.isDefaultAuthdPassphraseFileAvailable()) + return null; + // TODO make passphrase more configurable + return new IdentClient(remoteAddr); + } + private static NodeUserAdmin getNodeUserAdmin() { NodeUserAdmin res; try { 
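Review bot: `getIdentClient` returns null when `IdentClient.isDefaultAuthdPassphraseFileAvailable()` is false, and nothing in the signature or a comment tells callers, so a caller that skips the check fails with a NullPointerException in what is presumably an authentication path. Add a Javadoc along the lines of `/** @return an ident client for remoteAddr, or null when no authd passphrase file is available; callers must treat null as "ident not available" */`. The comment should also state where `remoteAddr` is expected to come from, since an ident answer is only as trustworthy as the host that gives it, and behind a reverse proxy the peer address is the proxy's. Which of the two the callers pass is not visible here and should be confirmed.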
@@ -191,6 +230,10 @@ public class Activator implements BundleActivator { } + static ExecutorService getInternalExecutorService() { + return instance.internalExecutorService; + } + // static CmsSecurity getCmsSecurity() { // return instance.nodeSecurity; // }
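Review bot: `getInternalExecutorService()` dereferences the static `instance`, which stop() sets to null right after `internalExecutorService.shutdown()`, so a caller that runs before start() or after stop() gets a NullPointerException instead of a clear error. `shutdown()` also does not wait, so tasks already submitted can still be running, and calling back into these static accessors, once `bc` and `instance` have been cleared. Guard the getter, e.g. `Activator a = instance; if (a == null) throw new IllegalStateException("Kernel is not running"); return a.internalExecutorService;`, and in stop() follow `shutdown()` with a bounded `awaitTermination` before the fields are nulled. The stop() change is in the `@@ -137,6 +168,7 @@` hunk.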