X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fkernel%2FNodeUserAdmin.java;h=69affd25a2b160d8c1f154e883a4e11fb6fcc547;hb=fb22feb37b0c2340d3d846dce4b6f47d0f728efb;hp=8410b3958aef378d49a34dbd260b43f83696a128;hpb=6338d85d3f970dd0eb8845693ddad90a93b99d03;p=lgpl%2Fargeo-commons.git

diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java
index 8410b3958..69affd25a 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java
@@ -14,6 +14,7 @@ import java.util.HashMap;
 import java.util.Hashtable;
 import java.util.Iterator;
 import java.util.Map;
+import java.util.Set;
 
 import javax.naming.ldap.LdapName;
 import javax.security.auth.Subject;
@@ -28,22 +29,21 @@ import javax.transaction.TransactionManager;
 
 import org.apache.commons.httpclient.auth.AuthPolicy;
 import org.apache.commons.httpclient.auth.CredentialsProvider;
-import org.apache.commons.httpclient.cookie.CookiePolicy;
 import org.apache.commons.httpclient.params.DefaultHttpParams;
 import org.apache.commons.httpclient.params.HttpMethodParams;
 import org.apache.commons.httpclient.params.HttpParams;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.argeo.api.NodeConstants;
 import org.argeo.cms.CmsException;
-import org.argeo.cms.internal.http.NodeHttp;
 import org.argeo.cms.internal.http.client.HttpCredentialProvider;
 import org.argeo.cms.internal.http.client.SpnegoAuthScheme;
 import org.argeo.naming.DnsBrowser;
-import org.argeo.node.NodeConstants;
 import org.argeo.osgi.useradmin.AbstractUserDirectory;
 import org.argeo.osgi.useradmin.AggregatingUserAdmin;
 import org.argeo.osgi.useradmin.LdapUserAdmin;
 import org.argeo.osgi.useradmin.LdifUserAdmin;
+import org.argeo.osgi.useradmin.OsUserDirectory;
 import org.argeo.osgi.useradmin.UserAdminConf;
 import org.argeo.osgi.useradmin.UserDirectory;
 import org.ietf.jgss.GSSCredential;
@@ -57,12 +57,10 @@ import org.osgi.framework.FrameworkUtil;
 import org.osgi.framework.ServiceRegistration;
 import org.osgi.service.cm.ConfigurationException;
 import org.osgi.service.cm.ManagedServiceFactory;
+import org.osgi.service.useradmin.Authorization;
 import org.osgi.service.useradmin.UserAdmin;
 import org.osgi.util.tracker.ServiceTracker;
 
-import bitronix.tm.BitronixTransactionManager;
-import bitronix.tm.resource.ehcache.EhCacheXAResourceProducer;
-
 /**
  * Aggregates multiple {@link UserDirectory} and integrates them with system
  * roles.
@@ -74,18 +72,21 @@ class NodeUserAdmin extends AggregatingUserAdmin implements ManagedServiceFactor
 	// OSGi
 	private Map<String, LdapName> pidToBaseDn = new HashMap<>();
 	private Map<String, ServiceRegistration<UserDirectory>> pidToServiceRegs = new HashMap<>();
-	private ServiceRegistration<UserAdmin> userAdminReg;
+//	private ServiceRegistration<UserAdmin> userAdminReg;
 
 	// JTA
 	private final ServiceTracker<TransactionManager, TransactionManager> tmTracker;
-	private final String cacheName = UserDirectory.class.getName();
+	// private final String cacheName = UserDirectory.class.getName();
 
 	// GSS API
 	private Path nodeKeyTab = KernelUtils.getOsgiInstancePath(KernelConstants.NODE_KEY_TAB_PATH);
 	private GSSCredential acceptorCredentials;
 
-	public NodeUserAdmin(String systemRolesBaseDn) {
-		super(systemRolesBaseDn);
+	private boolean singleUser = false;
+//	private boolean systemRolesAvailable = false;
+
+	public NodeUserAdmin(String systemRolesBaseDn, String tokensBaseDn) {
+		super(systemRolesBaseDn, tokensBaseDn);
 		tmTracker = new ServiceTracker<>(bc, TransactionManager.class, null);
 		tmTracker.open();
 	}
@@ -105,8 +106,17 @@ class NodeUserAdmin extends AggregatingUserAdmin implements ManagedServiceFactor
 		}
 
 		// Create
-		AbstractUserDirectory userDirectory = u.getScheme().equals("ldap") ? new LdapUserAdmin(properties)
-				: new LdifUserAdmin(u, properties);
+		AbstractUserDirectory userDirectory;
+		if (UserAdminConf.SCHEME_LDAP.equals(u.getScheme())) {
+			userDirectory = new LdapUserAdmin(properties);
+		} else if (UserAdminConf.SCHEME_FILE.equals(u.getScheme())) {
+			userDirectory = new LdifUserAdmin(u, properties);
+		} else if (UserAdminConf.SCHEME_OS.equals(u.getScheme())) {
+			userDirectory = new OsUserDirectory(u, properties);
+			singleUser = true;
+		} else {
+			throw new CmsException("Unsupported scheme " + u.getScheme());
+		}
 		Object realm = userDirectory.getProperties().get(UserAdminConf.realm.name());
 		addUserDirectory(userDirectory);
 
@@ -125,15 +135,29 @@ class NodeUserAdmin extends AggregatingUserAdmin implements ManagedServiceFactor
 			log.debug("User directory " + userDirectory.getBaseDn() + " [" + u.getScheme() + "] enabled."
 					+ (realm != null ? " " + realm + " realm." : ""));
 
-		if (!isSystemRolesBaseDn(baseDn)) {
-			if (userAdminReg != null)
-				userAdminReg.unregister();
-			// register self as main user admin
-			Dictionary<String, Object> userAdminregProps = currentState();
+		if (isSystemRolesBaseDn(baseDn)) {
+			// publishes only when system roles are available
+			Dictionary<String, Object> userAdminregProps = new Hashtable<>();
 			userAdminregProps.put(NodeConstants.CN, NodeConstants.DEFAULT);
 			userAdminregProps.put(Constants.SERVICE_RANKING, Integer.MAX_VALUE);
-			userAdminReg = bc.registerService(UserAdmin.class, this, userAdminregProps);
+			bc.registerService(UserAdmin.class, this, userAdminregProps);
 		}
+
+//		if (isSystemRolesBaseDn(baseDn))
+//			systemRolesAvailable = true;
+//
+//		// start publishing only when system roles are available
+//		if (systemRolesAvailable) {
+//			// The list of baseDns is published as properties
+//			// TODO clients should rather reference USerDirectory services
+//			if (userAdminReg != null)
+//				userAdminReg.unregister();
+//			// register self as main user admin
+//			Dictionary<String, Object> userAdminregProps = currentState();
+//			userAdminregProps.put(NodeConstants.CN, NodeConstants.DEFAULT);
+//			userAdminregProps.put(Constants.SERVICE_RANKING, Integer.MAX_VALUE);
+//			userAdminReg = bc.registerService(UserAdmin.class, this, userAdminregProps);
+//		}
 	}
 
 	@Override
@@ -150,14 +174,23 @@ class NodeUserAdmin extends AggregatingUserAdmin implements ManagedServiceFactor
 		return "Node User Admin";
 	}
 
+	@Override
+	protected void addAbstractSystemRoles(Authorization rawAuthorization, Set<String> sysRoles) {
+		if (rawAuthorization.getName() == null) {
+			sysRoles.add(NodeConstants.ROLE_ANONYMOUS);
+		} else {
+			sysRoles.add(NodeConstants.ROLE_USER);
+		}
+	}
+
 	protected void postAdd(AbstractUserDirectory userDirectory) {
 		// JTA
 		TransactionManager tm = tmTracker.getService();
 		if (tm == null)
 			throw new CmsException("A JTA transaction manager must be available.");
 		userDirectory.setTransactionManager(tm);
-		if (tmTracker.getService() instanceof BitronixTransactionManager)
-			EhCacheXAResourceProducer.registerXAResource(cacheName, userDirectory.getXaResource());
+//		if (tmTracker.getService() instanceof BitronixTransactionManager)
+//			EhCacheXAResourceProducer.registerXAResource(cacheName, userDirectory.getXaResource());
 
 		Object realm = userDirectory.getProperties().get(UserAdminConf.realm.name());
 		if (realm != null) {
@@ -191,14 +224,14 @@ class NodeUserAdmin extends AggregatingUserAdmin implements ManagedServiceFactor
 			// schemes.add(AuthPolicy.BASIC);// incompatible with Basic
 			params.setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, schemes);
 			params.setParameter(CredentialsProvider.PROVIDER, new HttpCredentialProvider());
-			params.setParameter(HttpMethodParams.COOKIE_POLICY, CookiePolicy.BROWSER_COMPATIBILITY);
+			params.setParameter(HttpMethodParams.COOKIE_POLICY, KernelConstants.COOKIE_POLICY_BROWSER_COMPATIBILITY);
 			// params.setCookiePolicy(CookiePolicy.BROWSER_COMPATIBILITY);
 		}
 	}
 
 	protected void preDestroy(AbstractUserDirectory userDirectory) {
-		if (tmTracker.getService() instanceof BitronixTransactionManager)
-			EhCacheXAResourceProducer.unregisterXAResource(cacheName, userDirectory.getXaResource());
+//		if (tmTracker.getService() instanceof BitronixTransactionManager)
+//			EhCacheXAResourceProducer.unregisterXAResource(cacheName, userDirectory.getXaResource());
 
 		Object realm = userDirectory.getProperties().get(UserAdminConf.realm.name());
 		if (realm != null) {
@@ -223,7 +256,7 @@ class NodeUserAdmin extends AggregatingUserAdmin implements ManagedServiceFactor
 			boolean consistentIp = localhost.getHostAddress().equals(ipfromDns);
 			String kerberosDomain = dnsBrowser.getRecord("_kerberos." + dnsZone, "TXT");
 			if (consistentIp && kerberosDomain != null && kerberosDomain.equals(realm) && Files.exists(nodeKeyTab)) {
-				return NodeHttp.DEFAULT_SERVICE + "/" + hostname + "@" + kerberosDomain;
+				return KernelConstants.DEFAULT_KERBEROS_SERVICE + "/" + hostname + "@" + kerberosDomain;
 			} else
 				return null;
 		} catch (Exception e) {
@@ -272,6 +305,10 @@ class NodeUserAdmin extends AggregatingUserAdmin implements ManagedServiceFactor
 		return acceptorCredentials;
 	}
 
+	public boolean isSingleUser() {
+		return singleUser;
+	}
+
 	public final static Oid KERBEROS_OID;
 	static {
 		try {