X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fkernel%2FNodeUserAdmin.java;h=d6d721f6dcc9e33c84a765566b6e128760870e92;hb=3d611c76cc8df95ab66d27307acf9521c3130556;hp=7ead081510e7ba3088f7b03786edc998154b5e24;hpb=48a1e034607afb28d84480463b57f74a80a29929;p=lgpl%2Fargeo-commons.git

diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java
index 7ead08151..d6d721f6d 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java
@@ -1,9 +1,11 @@
 package org.argeo.cms.internal.kernel;
 
+import static org.argeo.cms.internal.kernel.KernelUtils.getFrameworkProp;
+import static org.argeo.cms.internal.kernel.KernelUtils.getOsgiInstanceDir;
+
 import java.io.File;
 import java.io.IOException;
 import java.net.URI;
-import java.net.URISyntaxException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Dictionary;
@@ -14,6 +16,12 @@ import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
+import javax.jcr.Node;
+import javax.jcr.Repository;
+import javax.jcr.RepositoryException;
+import javax.jcr.Session;
+import javax.jcr.Value;
+import javax.jcr.security.Privilege;
 import javax.naming.InvalidNameException;
 import javax.naming.ldap.LdapName;
 import javax.transaction.TransactionManager;
@@ -21,12 +29,18 @@ import javax.transaction.TransactionManager;
 import org.apache.commons.io.FileUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.argeo.ArgeoException;
 import org.argeo.cms.CmsException;
-import org.argeo.cms.KernelHeader;
-import org.argeo.osgi.useradmin.UserDirectory;
-import org.argeo.osgi.useradmin.UserAdminProps;
+import org.argeo.cms.auth.AuthConstants;
+import org.argeo.jcr.ArgeoJcrConstants;
+import org.argeo.jcr.ArgeoNames;
+import org.argeo.jcr.ArgeoTypes;
+import org.argeo.jcr.JcrUtils;
+import org.argeo.jcr.UserJcrUtils;
 import org.argeo.osgi.useradmin.LdapUserAdmin;
 import org.argeo.osgi.useradmin.LdifUserAdmin;
+import org.argeo.osgi.useradmin.UserAdminConf;
+import org.argeo.osgi.useradmin.UserDirectory;
 import org.argeo.osgi.useradmin.UserDirectoryException;
 import org.osgi.framework.InvalidSyntaxException;
 import org.osgi.service.useradmin.Authorization;
@@ -34,110 +48,64 @@ import org.osgi.service.useradmin.Role;
 import org.osgi.service.useradmin.User;
 import org.osgi.service.useradmin.UserAdmin;
 
-public class NodeUserAdmin implements UserAdmin {
+import bitronix.tm.resource.ehcache.EhCacheXAResourceProducer;
+
+/**
+ * Aggregates multiple {@link UserDirectory} and integrates them with this node
+ * system roles.
+ */
+public class NodeUserAdmin implements UserAdmin, KernelConstants {
 	private final static Log log = LogFactory.getLog(NodeUserAdmin.class);
 	final static LdapName ROLES_BASE;
 	static {
 		try {
-			ROLES_BASE = new LdapName(KernelHeader.ROLES_BASEDN);
+			ROLES_BASE = new LdapName(AuthConstants.ROLES_BASEDN);
 		} catch (InvalidNameException e) {
 			throw new UserDirectoryException("Cannot initialize "
 					+ NodeUserAdmin.class, e);
 		}
 	}
 
+	// DAOs
 	private UserAdmin nodeRoles = null;
 	private Map<LdapName, UserAdmin> userAdmins = new HashMap<LdapName, UserAdmin>();
 
-	public NodeUserAdmin() {
-		File osgiInstanceDir = KernelUtils.getOsgiInstanceDir();
-		File nodeBaseDir = new File(osgiInstanceDir, "node");
-		nodeBaseDir.mkdirs();
+	// JCR
+	/** The home base path. */
+	private String homeBasePath = "/home";
+	private String peopleBasePath = ArgeoJcrConstants.PEOPLE_BASE_PATH;
+	private Repository repository;
+	private Session adminSession;
 
-		String userAdminUri = KernelUtils
-				.getFrameworkProp(KernelConstants.USERADMIN_URIS);
-		if (userAdminUri == null) {
-			String demoBaseDn = "dc=example,dc=com";
-			File businessRolesFile = new File(nodeBaseDir, demoBaseDn + ".ldif");
-			if (!businessRolesFile.exists())
-				try {
-					FileUtils.copyInputStreamToFile(getClass()
-							.getResourceAsStream(demoBaseDn + ".ldif"),
-							businessRolesFile);
-				} catch (IOException e) {
-					throw new CmsException("Cannot copy demo resource", e);
-				}
-			userAdminUri = businessRolesFile.toURI().toString();
-		}
+	private final String cacheName = UserDirectory.class.getName();
 
-		String[] uris = userAdminUri.split(" ");
-		for (String uri : uris) {
-			URI u;
-			try {
-				u = new URI(uri);
-				if (u.getScheme() == null) {
-					if (uri.startsWith("/"))
-						u = new File(uri).getAbsoluteFile().toURI();
-					else if (!uri.contains("/"))
-						u = new File(nodeBaseDir, uri).getAbsoluteFile()
-								.toURI();
-					else
-						throw new CmsException("Cannot interpret " + uri
-								+ " as an uri");
-				}
-			} catch (URISyntaxException e) {
-				throw new CmsException(
-						"Cannot interpret " + uri + " as an uri", e);
-			}
-			Dictionary<String, ?> properties = UserAdminProps.uriAsProperties(u
-					.toString());
-			UserDirectory businessRoles;
-			if (u.getScheme().startsWith("ldap")) {
-				businessRoles = new LdapUserAdmin(properties);
-			} else {
-				businessRoles = new LdifUserAdmin(properties);
-			}
-			businessRoles.init();
-			addUserAdmin(businessRoles.getBaseDn(), (UserAdmin) businessRoles);
-			if (log.isDebugEnabled())
-				log.debug("User directory " + businessRoles.getBaseDn() + " ["
-						+ u.getScheme() + "] enabled.");
+	public NodeUserAdmin(TransactionManager transactionManager,
+			Repository repository) {
+		this.repository = repository;
+		try {
+			this.adminSession = this.repository.login();
+		} catch (RepositoryException e) {
+			throw new CmsException("Cannot log-in", e);
 		}
 
-		// NOde roles
-		String nodeRolesUri = KernelUtils
-				.getFrameworkProp(KernelConstants.ROLES_URI);
-		String baseNodeRoleDn = KernelHeader.ROLES_BASEDN;
-		if (nodeRolesUri == null) {
-			File nodeRolesFile = new File(nodeBaseDir, baseNodeRoleDn + ".ldif");
-			if (!nodeRolesFile.exists())
-				try {
-					FileUtils.copyInputStreamToFile(getClass()
-							.getResourceAsStream("demo.ldif"), nodeRolesFile);
-				} catch (IOException e) {
-					throw new CmsException("Cannot copy demo resource", e);
-				}
-			nodeRolesUri = nodeRolesFile.toURI().toString();
-		}
+		// DAOs
+		File nodeBaseDir = new File(getOsgiInstanceDir(), DIR_NODE);
+		nodeBaseDir.mkdirs();
+		String userAdminUri = getFrameworkProp(USERADMIN_URIS);
+		initUserAdmins(userAdminUri, nodeBaseDir);
+		String nodeRolesUri = getFrameworkProp(ROLES_URI);
+		initNodeRoles(nodeRolesUri, nodeBaseDir);
 
-		Dictionary<String, ?> nodeRolesProperties = UserAdminProps
-				.uriAsProperties(nodeRolesUri);
-		if (!nodeRolesProperties.get(UserAdminProps.baseDn.getFullName())
-				.equals(baseNodeRoleDn)) {
-			throw new CmsException("Invalid base dn for node roles");
-			// TODO deal with "mounted" roles with a different baseDN
-		}
-		UserDirectory nodeRoles;
-		if (nodeRolesUri.startsWith("ldap")) {
-			nodeRoles = new LdapUserAdmin(nodeRolesProperties);
-		} else {
-			nodeRoles = new LdifUserAdmin(nodeRolesProperties);
+		// Transaction manager
+		((UserDirectory) nodeRoles).setTransactionManager(transactionManager);
+		for (UserAdmin userAdmin : userAdmins.values()) {
+			if (userAdmin instanceof UserDirectory)
+				((UserDirectory) userAdmin)
+						.setTransactionManager(transactionManager);
 		}
-		nodeRoles.setExternalRoles(this);
-		nodeRoles.init();
-		addUserAdmin(baseNodeRoleDn, (UserAdmin)nodeRoles);
-		if (log.isTraceEnabled())
-			log.trace("Node roles enabled.");
+
+		// JCR
+		initJcr(adminSession);
 	}
 
 	Dictionary<String, ?> currentState() {
@@ -147,7 +115,7 @@ public class NodeUserAdmin implements UserAdmin {
 			if (userAdmins.get(name) instanceof UserDirectory) {
 				UserDirectory userDirectory = (UserDirectory) userAdmins
 						.get(name);
-				String uri = UserAdminProps.propertiesAsUri(
+				String uri = UserAdminConf.propertiesAsUri(
 						userDirectory.getProperties()).toString();
 				res.put(uri, "");
 			} else {
@@ -163,7 +131,15 @@ public class NodeUserAdmin implements UserAdmin {
 			if (userAdmins.get(name) instanceof UserDirectory) {
 				UserDirectory userDirectory = (UserDirectory) userAdmins
 						.get(name);
+				try {
+					// FIXME Make it less bitronix dependant
+					EhCacheXAResourceProducer.unregisterXAResource(cacheName,
+							userDirectory.getXaResource());
+				} catch (Exception e) {
+					log.error("Cannot unregister resource from Bitronix", e);
+				}
 				userDirectory.destroy();
+
 			}
 		}
 	}
@@ -175,7 +151,9 @@ public class NodeUserAdmin implements UserAdmin {
 
 	@Override
 	public boolean removeRole(String name) {
-		return findUserAdmin(name).removeRole(name);
+		boolean actuallyDeleted = findUserAdmin(name).removeRole(name);
+		nodeRoles.removeRole(name);
+		return actuallyDeleted;
 	}
 
 	@Override
@@ -207,7 +185,7 @@ public class NodeUserAdmin implements UserAdmin {
 
 	@Override
 	public Authorization getAuthorization(User user) {
-		if (user == null) {
+		if (user == null) {// anonymous
 			return nodeRoles.getAuthorization(null);
 		}
 		UserAdmin userAdmin = findUserAdmin(user.getName());
@@ -219,20 +197,17 @@ public class NodeUserAdmin implements UserAdmin {
 					.getRole(role));
 			systemRoles.addAll(Arrays.asList(auth.getRoles()));
 		}
-		return new NodeAuthorization(rawAuthorization.getName(),
-				rawAuthorization.toString(), systemRoles,
-				rawAuthorization.getRoles());
+		Authorization authorization = new NodeAuthorization(
+				rawAuthorization.getName(), rawAuthorization.toString(),
+				systemRoles, rawAuthorization.getRoles());
+		syncJcr(adminSession, authorization);
+		return authorization;
 	}
 
 	//
 	// USER ADMIN AGGREGATOR
 	//
-	public synchronized void addUserAdmin(String baseDn, UserAdmin userAdmin) {
-		if (baseDn.equals(KernelHeader.ROLES_BASEDN)) {
-			nodeRoles = userAdmin;
-			return;
-		}
-
+	public void addUserAdmin(String baseDn, UserAdmin userAdmin) {
 		if (userAdmins.containsKey(baseDn))
 			throw new UserDirectoryException(
 					"There is already a user admin for " + baseDn);
@@ -242,22 +217,15 @@ public class NodeUserAdmin implements UserAdmin {
 			throw new UserDirectoryException("Badly formatted base DN "
 					+ baseDn, e);
 		}
-	}
-
-	public synchronized void removeUserAdmin(String baseDn) {
-		if (baseDn.equals(KernelHeader.ROLES_BASEDN))
-			throw new UserDirectoryException("Node roles cannot be removed.");
-		LdapName base;
-		try {
-			base = new LdapName(baseDn);
-		} catch (InvalidNameException e) {
-			throw new UserDirectoryException("Badly formatted base DN "
-					+ baseDn, e);
+		if (userAdmin instanceof UserDirectory) {
+			try {
+				// FIXME Make it less bitronix dependant
+				EhCacheXAResourceProducer.registerXAResource(cacheName,
+						((UserDirectory) userAdmin).getXaResource());
+			} catch (Exception e) {
+				log.error("Cannot register resource to Bitronix", e);
+			}
 		}
-		if (!userAdmins.containsKey(base))
-			throw new UserDirectoryException("There is no user admin for "
-					+ base);
-		userAdmins.remove(base);
 	}
 
 	private UserAdmin findUserAdmin(String name) {
@@ -295,4 +263,244 @@ public class NodeUserAdmin implements UserAdmin {
 						.setTransactionManager(transactionManager);
 		}
 	}
+
+	private void initUserAdmins(String userAdminUri, File nodeBaseDir) {
+		if (userAdminUri == null) {
+			String demoBaseDn = "dc=example,dc=com";
+			File businessRolesFile = new File(nodeBaseDir, demoBaseDn + ".ldif");
+			if (!businessRolesFile.exists())
+				try {
+					FileUtils.copyInputStreamToFile(getClass()
+							.getResourceAsStream(demoBaseDn + ".ldif"),
+							businessRolesFile);
+				} catch (IOException e) {
+					throw new CmsException("Cannot copy demo resource", e);
+				}
+			userAdminUri = businessRolesFile.toURI().toString();
+		}
+		String[] uris = userAdminUri.split(" ");
+		for (String uri : uris) {
+			URI u;
+			try {
+				u = new URI(uri);
+				if (u.getPath() == null)
+					throw new CmsException("URI " + uri
+							+ " must have a path in order to determine base DN");
+				if (u.getScheme() == null) {
+					if (uri.startsWith("/") || uri.startsWith("./")
+							|| uri.startsWith("../"))
+						u = new File(uri).getCanonicalFile().toURI();
+					else if (!uri.contains("/"))
+						u = new File(nodeBaseDir, uri).getCanonicalFile()
+								.toURI();
+					else
+						throw new CmsException("Cannot interpret " + uri
+								+ " as an uri");
+				} else if (u.getScheme().equals("file")) {
+					u = new File(u).getCanonicalFile().toURI();
+				}
+			} catch (Exception e) {
+				throw new CmsException(
+						"Cannot interpret " + uri + " as an uri", e);
+			}
+			Dictionary<String, ?> properties = UserAdminConf.uriAsProperties(u
+					.toString());
+			UserDirectory businessRoles;
+			if (u.getScheme().startsWith("ldap")) {
+				businessRoles = new LdapUserAdmin(properties);
+			} else {
+				businessRoles = new LdifUserAdmin(properties);
+			}
+			businessRoles.init();
+			String baseDn = businessRoles.getBaseDn();
+			if (userAdmins.containsKey(baseDn))
+				throw new UserDirectoryException(
+						"There is already a user admin for " + baseDn);
+			try {
+				userAdmins.put(new LdapName(baseDn), (UserAdmin) businessRoles);
+			} catch (InvalidNameException e) {
+				throw new UserDirectoryException("Badly formatted base DN "
+						+ baseDn, e);
+			}
+			addUserAdmin(businessRoles.getBaseDn(), (UserAdmin) businessRoles);
+			if (log.isDebugEnabled())
+				log.debug("User directory " + businessRoles.getBaseDn() + " ["
+						+ u.getScheme() + "] enabled.");
+		}
+
+	}
+
+	private void initNodeRoles(String nodeRolesUri, File nodeBaseDir) {
+		String baseNodeRoleDn = AuthConstants.ROLES_BASEDN;
+		if (nodeRolesUri == null) {
+			File nodeRolesFile = new File(nodeBaseDir, baseNodeRoleDn + ".ldif");
+			if (!nodeRolesFile.exists())
+				try {
+					FileUtils.copyInputStreamToFile(getClass()
+							.getResourceAsStream(baseNodeRoleDn + ".ldif"),
+							nodeRolesFile);
+				} catch (IOException e) {
+					throw new CmsException("Cannot copy demo resource", e);
+				}
+			nodeRolesUri = nodeRolesFile.toURI().toString();
+		}
+
+		Dictionary<String, ?> nodeRolesProperties = UserAdminConf
+				.uriAsProperties(nodeRolesUri);
+		if (!nodeRolesProperties.get(UserAdminConf.baseDn.property()).equals(
+				baseNodeRoleDn)) {
+			throw new CmsException("Invalid base dn for node roles");
+			// TODO deal with "mounted" roles with a different baseDN
+		}
+		if (nodeRolesUri.startsWith("ldap")) {
+			nodeRoles = new LdapUserAdmin(nodeRolesProperties);
+		} else {
+			nodeRoles = new LdifUserAdmin(nodeRolesProperties);
+		}
+		((UserDirectory) nodeRoles).setExternalRoles(this);
+		((UserDirectory) nodeRoles).init();
+		addUserAdmin(baseNodeRoleDn, (UserAdmin) nodeRoles);
+		if (log.isTraceEnabled())
+			log.trace("Node roles enabled.");
+
+	}
+
+	/*
+	 * JCR
+	 */
+	private void initJcr(Session adminSession) {
+		try {
+			JcrUtils.mkdirs(adminSession, homeBasePath);
+			JcrUtils.mkdirs(adminSession, peopleBasePath);
+			adminSession.save();
+
+			JcrUtils.addPrivilege(adminSession, homeBasePath,
+					AuthConstants.ROLE_USER_ADMIN, Privilege.JCR_READ);
+			JcrUtils.addPrivilege(adminSession, peopleBasePath,
+					AuthConstants.ROLE_USER_ADMIN, Privilege.JCR_ALL);
+			adminSession.save();
+		} catch (RepositoryException e) {
+			throw new CmsException("Cannot initialize node user admin", e);
+		}
+	}
+
+	private Node syncJcr(Session session, Authorization authorization) {
+		// TODO check user name validity (e.g. should not start by ROLE_)
+		String username = authorization.getName();
+		String[] roles = authorization.getRoles();
+		try {
+			Node userHome = UserJcrUtils.getUserHome(session, username);
+			if (userHome == null) {
+				String homePath = generateUserPath(homeBasePath, username);
+				if (session.itemExists(homePath))// duplicate user id
+					userHome = session.getNode(homePath).getParent()
+							.addNode(JcrUtils.lastPathElement(homePath));
+				else
+					userHome = JcrUtils.mkdirs(session, homePath);
+				// userHome = JcrUtils.mkfolders(session, homePath);
+				userHome.addMixin(ArgeoTypes.ARGEO_USER_HOME);
+				userHome.setProperty(ArgeoNames.ARGEO_USER_ID, username);
+				session.save();
+
+				JcrUtils.clearAccessControList(session, homePath, username);
+				JcrUtils.addPrivilege(session, homePath, username,
+						Privilege.JCR_ALL);
+			}
+
+			Node userProfile = UserJcrUtils.getUserProfile(session, username);
+			// new user
+			if (userProfile == null) {
+				String personPath = generateUserPath(peopleBasePath, username);
+				Node personBase;
+				if (session.itemExists(personPath))// duplicate user id
+					personBase = session.getNode(personPath).getParent()
+							.addNode(JcrUtils.lastPathElement(personPath));
+				else
+					personBase = JcrUtils.mkdirs(session, personPath);
+				userProfile = personBase.addNode(ArgeoNames.ARGEO_PROFILE);
+				userProfile.addMixin(ArgeoTypes.ARGEO_USER_PROFILE);
+				userProfile.setProperty(ArgeoNames.ARGEO_USER_ID, username);
+				userProfile.setProperty(ArgeoNames.ARGEO_ENABLED, true);
+				userProfile.setProperty(ArgeoNames.ARGEO_ACCOUNT_NON_EXPIRED,
+						true);
+				userProfile.setProperty(ArgeoNames.ARGEO_ACCOUNT_NON_LOCKED,
+						true);
+				userProfile.setProperty(
+						ArgeoNames.ARGEO_CREDENTIALS_NON_EXPIRED, true);
+				session.save();
+
+				JcrUtils.clearAccessControList(session, userProfile.getPath(),
+						username);
+				JcrUtils.addPrivilege(session, userProfile.getPath(), username,
+						Privilege.JCR_READ);
+			}
+
+			// Remote roles
+			if (roles != null) {
+				writeRemoteRoles(userProfile, roles);
+			}
+			adminSession.save();
+			return userProfile;
+		} catch (RepositoryException e) {
+			JcrUtils.discardQuietly(session);
+			throw new ArgeoException("Cannot sync node security model for "
+					+ username, e);
+		}
+	}
+
+	/** Generate path for a new user home */
+	private String generateUserPath(String base, String username) {
+		LdapName dn;
+		try {
+			dn = new LdapName(username);
+		} catch (InvalidNameException e) {
+			throw new ArgeoException("Invalid name " + username, e);
+		}
+		String userId = dn.getRdn(dn.size() - 1).getValue().toString();
+		int atIndex = userId.indexOf('@');
+		if (atIndex > 0) {
+			String domain = userId.substring(0, atIndex);
+			String name = userId.substring(atIndex + 1);
+			return base + '/' + JcrUtils.firstCharsToPath(domain, 2) + '/'
+					+ domain + '/' + JcrUtils.firstCharsToPath(name, 2) + '/'
+					+ name;
+		} else if (atIndex == 0 || atIndex == (userId.length() - 1)) {
+			throw new ArgeoException("Unsupported username " + userId);
+		} else {
+			return base + '/' + JcrUtils.firstCharsToPath(userId, 2) + '/'
+					+ userId;
+		}
+	}
+
+	/** Write remote roles used by remote access in the home directory */
+	private void writeRemoteRoles(Node userHome, String[] roles)
+			throws RepositoryException {
+		boolean writeRoles = false;
+		if (userHome.hasProperty(ArgeoNames.ARGEO_REMOTE_ROLES)) {
+			Value[] remoteRoles = userHome.getProperty(
+					ArgeoNames.ARGEO_REMOTE_ROLES).getValues();
+			if (remoteRoles.length != roles.length)
+				writeRoles = true;
+			else
+				for (int i = 0; i < remoteRoles.length; i++)
+					if (!remoteRoles[i].getString().equals(roles[i]))
+						writeRoles = true;
+		} else
+			writeRoles = true;
+
+		if (writeRoles) {
+			userHome.getSession().getWorkspace().getVersionManager()
+					.checkout(userHome.getPath());
+			userHome.setProperty(ArgeoNames.ARGEO_REMOTE_ROLES, roles);
+			JcrUtils.updateLastModified(userHome);
+			userHome.getSession().save();
+			userHome.getSession().getWorkspace().getVersionManager()
+					.checkin(userHome.getPath());
+			if (log.isDebugEnabled())
+				log.debug("Wrote remote roles " + roles + " for "
+						+ userHome.getProperty(ArgeoNames.ARGEO_USER_ID));
+		}
+
+	}
+
 }