X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fkernel%2FNodeSecurity.java;h=f2cffb3ad8d479220c7e0485d93a6699ca6a1e6c;hb=25071ab6bcb2df1fa4057c2c04137f2d606772e7;hp=83216d0484a96a896d6c4f95e1473bcce3ce1efe;hpb=08fac35eeedb151c2fd1cc85ed4a36adf66e02fc;p=lgpl%2Fargeo-commons.git

diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeSecurity.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeSecurity.java
index 83216d048..f2cffb3ad 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeSecurity.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeSecurity.java
@@ -2,79 +2,119 @@ package org.argeo.cms.internal.kernel;
 
 import java.io.File;
 import java.io.IOException;
+import java.net.URL;
+import java.nio.file.ProviderNotFoundException;
+import java.security.KeyStore;
+import java.security.Provider;
+import java.security.Security;
+import java.util.Arrays;
 
-import javax.jcr.RepositoryException;
+import javax.security.auth.Subject;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.NameCallback;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+import javax.security.auth.x500.X500Principal;
 
 import org.apache.commons.io.FileUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.argeo.cms.CmsException;
 import org.argeo.cms.KernelHeader;
-import org.argeo.cms.internal.useradmin.SimpleJcrSecurityModel;
-import org.argeo.cms.internal.useradmin.jackrabbit.JackrabbitUserAdminService;
-import org.argeo.osgi.useradmin.AbstractLdapUserAdmin;
+import org.argeo.osgi.useradmin.AbstractUserDirectory;
 import org.argeo.osgi.useradmin.LdapUserAdmin;
 import org.argeo.osgi.useradmin.LdifUserAdmin;
-import org.argeo.security.OsAuthenticationToken;
-import org.argeo.security.UserAdminService;
-import org.argeo.security.core.InternalAuthentication;
-import org.argeo.security.core.InternalAuthenticationProvider;
-import org.argeo.security.core.OsAuthenticationProvider;
+import org.argeo.security.crypto.PkiUtils;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.osgi.framework.BundleContext;
 import org.osgi.framework.ServiceRegistration;
-import org.osgi.service.useradmin.Role;
 import org.osgi.service.useradmin.UserAdmin;
-import org.springframework.security.authentication.AnonymousAuthenticationProvider;
-import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.authentication.AuthenticationManager;
-import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.provisioning.UserDetailsManager;
 
 /** Authentication and user management. */
 class NodeSecurity implements AuthenticationManager {
-	private final static Log log = LogFactory.getLog(NodeSecurity.class);
+	private final static Log log;
+	static {
+		log = LogFactory.getLog(NodeSecurity.class);
+		// Make Bouncy Castle the default provider
+		Provider provider = new BouncyCastleProvider();
+		int position = Security.insertProviderAt(provider, 1);
+		if (position == -1)
+			log.error("Provider " + provider.getName()
+					+ " already installed and could not be set as default");
+		Provider defaultProvider = Security.getProviders()[0];
+		if (!defaultProvider.getName().equals(KernelHeader.SECURITY_PROVIDER))
+			log.error("Provider name is " + defaultProvider.getName()
+					+ " but it should be " + KernelHeader.SECURITY_PROVIDER);
+	}
 
 	private final BundleContext bundleContext;
-
-	private final OsAuthenticationProvider osAuth;
-	private final InternalAuthenticationProvider internalAuth;
-	private final AnonymousAuthenticationProvider anonymousAuth;
-	private final JackrabbitUserAdminService userAdminService;
 	private final NodeUserAdmin userAdmin;
+	private final Subject kernelSubject;
+
+	// private final OsAuthenticationProvider osAuth;
+	// private final InternalAuthenticationProvider internalAuth;
+	// private final AnonymousAuthenticationProvider anonymousAuth;
+	// private final JackrabbitUserAdminService userAdminService;
 
 	private ServiceRegistration<AuthenticationManager> authenticationManagerReg;
-	private ServiceRegistration<UserAdminService> userAdminServiceReg;
-	private ServiceRegistration<UserDetailsManager> userDetailsManagerReg;
+	// private ServiceRegistration<UserAdminService> userAdminServiceReg;
+	// private ServiceRegistration<UserDetailsManager> userDetailsManagerReg;
 
 	private ServiceRegistration<UserAdmin> userAdminReg;
 
-	public NodeSecurity(BundleContext bundleContext, JackrabbitNode node)
-			throws RepositoryException {
+	public NodeSecurity(BundleContext bundleContext) {
+		// Configure JAAS first
+		URL url = getClass().getClassLoader().getResource(
+				KernelConstants.JAAS_CONFIG);
+		System.setProperty("java.security.auth.login.config",
+				url.toExternalForm());
+
 		this.bundleContext = bundleContext;
+		this.kernelSubject = logKernel();
 
-		osAuth = new OsAuthenticationProvider();
-		internalAuth = new InternalAuthenticationProvider(
-				Activator.getSystemKey());
-		anonymousAuth = new AnonymousAuthenticationProvider(
-				Activator.getSystemKey());
+		// osAuth = new OsAuthenticationProvider();
+		// internalAuth = new InternalAuthenticationProvider(
+		// Activator.getSystemKey());
+		// anonymousAuth = new AnonymousAuthenticationProvider(
+		// Activator.getSystemKey());
 
 		// user admin
-		userAdminService = new JackrabbitUserAdminService();
-		userAdminService.setRepository(node);
-		userAdminService.setSecurityModel(new SimpleJcrSecurityModel());
-		userAdminService.init();
+		// userAdminService = new JackrabbitUserAdminService();
+		// userAdminService.setRepository(node);
+		// userAdminService.setSecurityModel(new SimpleJcrSecurityModel());
+		// userAdminService.init();
 
 		userAdmin = new NodeUserAdmin();
 
-		String baseDn = "dc=example,dc=com";
+		File osgiInstanceDir = KernelUtils.getOsgiInstanceDir();
+		File homeDir = new File(osgiInstanceDir, "node");
+		homeDir.mkdirs();
+
 		String userAdminUri = KernelUtils
 				.getFrameworkProp(KernelConstants.USERADMIN_URI);
-		if (userAdminUri == null)
-			userAdminUri = getClass().getResource(baseDn + ".ldif").toString();
+		String baseDn = "dc=example,dc=com";
+		if (userAdminUri == null) {
+			File businessRolesFile = new File(homeDir, baseDn + ".ldif");
+			// userAdminUri = getClass().getResource(baseDn +
+			// ".ldif").toString();
+			if (!businessRolesFile.exists())
+				try {
+					FileUtils.copyInputStreamToFile(getClass()
+							.getResourceAsStream(baseDn + ".ldif"),
+							businessRolesFile);
+				} catch (IOException e) {
+					throw new CmsException("Cannot copy demo resource", e);
+				}
+			userAdminUri = businessRolesFile.toURI().toString();
+		}
 
-		AbstractLdapUserAdmin businessRoles;
+		AbstractUserDirectory businessRoles;
 		if (userAdminUri.startsWith("ldap"))
 			businessRoles = new LdapUserAdmin(userAdminUri);
 		else {
@@ -83,19 +123,18 @@ class NodeSecurity implements AuthenticationManager {
 		businessRoles.init();
 		userAdmin.addUserAdmin(baseDn, businessRoles);
 
-		File osgiInstanceDir = KernelUtils.getOsgiInstanceDir();
-		File homeDir = new File(osgiInstanceDir, "node");
-
-		String baseNodeRoleDn = KernelConstants.ROLES_BASEDN;
+		String baseNodeRoleDn = KernelHeader.ROLES_BASEDN;
 		File nodeRolesFile = new File(homeDir, baseNodeRoleDn + ".ldif");
-		try {
-			FileUtils.copyInputStreamToFile(
-					getClass().getResourceAsStream("demo.ldif"), nodeRolesFile);
-		} catch (IOException e) {
-			throw new CmsException("Cannot copy demo resource", e);
-		}
+		if (!nodeRolesFile.exists())
+			try {
+				FileUtils.copyInputStreamToFile(
+						getClass().getResourceAsStream("demo.ldif"),
+						nodeRolesFile);
+			} catch (IOException e) {
+				throw new CmsException("Cannot copy demo resource", e);
+			}
 		LdifUserAdmin nodeRoles = new LdifUserAdmin(nodeRolesFile.toURI()
-				.toString());
+				.toString(), false);
 		nodeRoles.setExternalRoles(userAdmin);
 		nodeRoles.init();
 		// nodeRoles.createRole(KernelHeader.ROLE_ADMIN, Role.GROUP);
@@ -103,45 +142,118 @@ class NodeSecurity implements AuthenticationManager {
 
 	}
 
+	private Subject logKernel() {
+		final Subject kernelSubject = new Subject();
+		createKeyStoreIfNeeded();
+
+		CallbackHandler cbHandler = new CallbackHandler() {
+
+			@Override
+			public void handle(Callback[] callbacks) throws IOException,
+					UnsupportedCallbackException {
+				// alias
+				((NameCallback) callbacks[1]).setName(KernelHeader.ROLE_KERNEL);
+				// store pwd
+				((PasswordCallback) callbacks[2]).setPassword("changeit"
+						.toCharArray());
+				// key pwd
+				((PasswordCallback) callbacks[3]).setPassword("changeit"
+						.toCharArray());
+			}
+		};
+		try {
+			LoginContext kernelLc = new LoginContext(
+					KernelConstants.LOGIN_CONTEXT_KERNEL, kernelSubject,
+					cbHandler);
+			kernelLc.login();
+		} catch (LoginException e) {
+			throw new CmsException("Cannot log in kernel", e);
+		}
+		return kernelSubject;
+	}
+
 	public void publish() {
 		authenticationManagerReg = bundleContext.registerService(
 				AuthenticationManager.class, this, null);
-		userAdminServiceReg = bundleContext.registerService(
-				UserAdminService.class, userAdminService, null);
-		userDetailsManagerReg = bundleContext.registerService(
-				UserDetailsManager.class, userAdminService, null);
+		// userAdminServiceReg = bundleContext.registerService(
+		// UserAdminService.class, userAdminService, null);
+		// userDetailsManagerReg = bundleContext.registerService(
+		// UserDetailsManager.class, userAdminService, null);
 		userAdminReg = bundleContext.registerService(UserAdmin.class,
 				userAdmin, null);
 	}
 
 	void destroy() {
-		try {
-			userAdminService.destroy();
-		} catch (RepositoryException e) {
-			log.error("Error while destroying Jackrabbit useradmin");
-		}
-		userDetailsManagerReg.unregister();
-		userAdminServiceReg.unregister();
+		// try {
+		// userAdminService.destroy();
+		// } catch (RepositoryException e) {
+		// log.error("Error while destroying Jackrabbit useradmin");
+		// }
+		// userDetailsManagerReg.unregister();
+		// userAdminServiceReg.unregister();
 		authenticationManagerReg.unregister();
 
 		// userAdmin.destroy();
 		userAdminReg.unregister();
+
+		// Logout kernel
+		try {
+			LoginContext kernelLc = new LoginContext(
+					KernelConstants.LOGIN_CONTEXT_KERNEL, kernelSubject);
+			kernelLc.logout();
+		} catch (LoginException e) {
+			throw new CmsException("Cannot log in kernel", e);
+		}
+
+		Security.removeProvider(KernelHeader.SECURITY_PROVIDER);
+	}
+
+	public NodeUserAdmin getUserAdmin() {
+		return userAdmin;
+	}
+
+	public Subject getKernelSubject() {
+		return kernelSubject;
 	}
 
 	@Override
 	public Authentication authenticate(Authentication authentication)
 			throws AuthenticationException {
-		Authentication auth = null;
-		if (authentication instanceof InternalAuthentication)
-			auth = internalAuth.authenticate(authentication);
-		else if (authentication instanceof AnonymousAuthenticationToken)
-			auth = anonymousAuth.authenticate(authentication);
-		else if (authentication instanceof UsernamePasswordAuthenticationToken)
-			auth = userAdminService.authenticate(authentication);
-		else if (authentication instanceof OsAuthenticationToken)
-			auth = osAuth.authenticate(authentication);
-		if (auth == null)
-			throw new CmsException("Could not authenticate " + authentication);
-		return auth;
+		log.error("Authentication manager is deprectaed and should not be used.");
+		// Authentication auth = null;
+		// if (authentication instanceof InternalAuthentication)
+		// auth = internalAuth.authenticate(authentication);
+		// else if (authentication instanceof AnonymousAuthenticationToken)
+		// auth = anonymousAuth.authenticate(authentication);
+		// else if (authentication instanceof
+		// UsernamePasswordAuthenticationToken)
+		// auth = userAdminService.authenticate(authentication);
+		// else if (authentication instanceof OsAuthenticationToken)
+		// auth = osAuth.authenticate(authentication);
+		// if (auth == null)
+		// throw new CmsException("Could not authenticate " + authentication);
+		throw new ProviderNotFoundException(
+				"Authentication manager is deprectaed and should not be used.");
 	}
+
+	private void createKeyStoreIfNeeded() {
+		char[] ksPwd = "changeit".toCharArray();
+		char[] keyPwd = Arrays.copyOf(ksPwd, ksPwd.length);
+		File keyStoreFile = new File(KernelUtils.getOsgiInstanceDir(),
+				"node.p12");
+		if (!keyStoreFile.exists()) {
+			try {
+				keyStoreFile.getParentFile().mkdirs();
+				KeyStore keyStore = PkiUtils.getKeyStore(keyStoreFile, ksPwd);
+				PkiUtils.generateSelfSignedCertificate(keyStore,
+						new X500Principal(KernelHeader.ROLE_KERNEL), keyPwd);
+				PkiUtils.saveKeyStore(keyStoreFile, ksPwd, keyStore);
+
+			} catch (Exception e) {
+				throw new CmsException("Cannot create key store "
+						+ keyStoreFile, e);
+			}
+		}
+	}
+
 }