package org.argeo.cms;
+import java.time.ZonedDateTime;
import java.util.List;
import java.util.Set;
void addAuthToken(String userDn, String token, Integer hours, String... roles);
+ void addAuthToken(String userDn, String token, ZonedDateTime expiryDate, String... roles);
+
void expireAuthToken(String token);
void expireAuthTokens(Subject subject);
// return null;
// }
// }
- Authorization auth = userAdmin.getAuthorization(tokenGroup);
+ String userDn = TokenUtils.userDn(tokenGroup);
+ User user = (User) userAdmin.getRole(userDn);
+ Authorization auth = userAdmin.getAuthorization(user);
return auth;
}
}
--- /dev/null
+package org.argeo.cms.integration;
+
+import java.io.IOException;
+import java.time.ZonedDateTime;
+import java.util.Set;
+import java.util.UUID;
+
+import javax.security.auth.Subject;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.argeo.cms.CmsUserManager;
+import org.argeo.cms.auth.HttpRequestCallback;
+import org.argeo.cms.auth.HttpRequestCallbackHandler;
+import org.argeo.naming.NamingUtils;
+import org.argeo.node.NodeConstants;
+import org.osgi.service.useradmin.Authorization;
+
+import com.fasterxml.jackson.core.JsonGenerator;
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+/** Provides access to tokens. */
+public class CmsTokenServlet extends HttpServlet {
+ private static final long serialVersionUID = 302918711430864140L;
+
+ public final static String PARAM_EXPIRY_DATE = "expiryDate";
+ public final static String PARAM_TOKEN = "token";
+
+ private final static int DEFAULT_HOURS = 24;
+
+ private CmsUserManager userManager;
+ private ObjectMapper objectMapper = new ObjectMapper();
+
+ @Override
+ protected void doPost(HttpServletRequest request, HttpServletResponse response)
+ throws ServletException, IOException {
+ LoginContext lc = null;
+ try {
+ lc = new LoginContext(NodeConstants.LOGIN_CONTEXT_USER, new HttpRequestCallbackHandler(request, response) {
+ public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
+ for (Callback callback : callbacks) {
+ if (callback instanceof HttpRequestCallback) {
+ ((HttpRequestCallback) callback).setRequest(request);
+ ((HttpRequestCallback) callback).setResponse(response);
+ }
+ }
+ }
+ });
+ lc.login();
+ } catch (LoginException e) {
+ // ignore
+ }
+
+ try {
+ Subject subject = lc.getSubject();
+ Authorization authorization = extractFrom(subject.getPrivateCredentials(Authorization.class));
+ String token = UUID.randomUUID().toString();
+ String expiryDateStr = request.getParameter(PARAM_EXPIRY_DATE);
+ ZonedDateTime expiryDate;
+ if (expiryDateStr != null) {
+ expiryDate = NamingUtils.ldapDateToZonedDateTime(expiryDateStr);
+ } else {
+ expiryDate = ZonedDateTime.now().plusHours(DEFAULT_HOURS);
+ expiryDateStr = NamingUtils.instantToLdapDate(expiryDate);
+ }
+ userManager.addAuthToken(authorization.getName(), token, expiryDate);
+
+ TokenDescriptor tokenDescriptor = new TokenDescriptor();
+ tokenDescriptor.setUsername(authorization.getName());
+ tokenDescriptor.setToken(token);
+ tokenDescriptor.setExpiryDate(expiryDateStr);
+// tokenDescriptor.setRoles(Collections.unmodifiableSortedSet(new TreeSet<>(Arrays.asList(roles))));
+
+ response.setContentType("application/json");
+ JsonGenerator jg = objectMapper.getFactory().createGenerator(response.getWriter());
+ jg.writeObject(tokenDescriptor);
+ } catch (Exception e) {
+ new CmsExceptionsChain(e).writeAsJson(objectMapper, response);
+ }
+ }
+
+ @Override
+ protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+ // temporarily wrap POST for ease of testing
+ doPost(req, resp);
+ }
+
+ @Override
+ protected void doDelete(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+ try {
+ String token = req.getParameter(PARAM_TOKEN);
+ userManager.expireAuthToken(token);
+ } catch (Exception e) {
+ new CmsExceptionsChain(e).writeAsJson(objectMapper, resp);
+ }
+ }
+
+ protected <T> T extractFrom(Set<T> creds) {
+ if (creds.size() > 0)
+ return creds.iterator().next();
+ else
+ return null;
+ }
+
+ public void setUserManager(CmsUserManager userManager) {
+ this.userManager = userManager;
+ }
+}
--- /dev/null
+package org.argeo.cms.integration;
+
+import java.io.Serializable;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+
+/** A serializable descriptor of a token. */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class TokenDescriptor implements Serializable {
+ private static final long serialVersionUID = -6607393871416803324L;
+
+ private String token;
+ private String username;
+ private String expiryDate;
+// private Set<String> roles;
+
+ public String getToken() {
+ return token;
+ }
+
+ public void setToken(String token) {
+ this.token = token;
+ }
+
+ public String getUsername() {
+ return username;
+ }
+
+ public void setUsername(String username) {
+ this.username = username;
+ }
+
+// public Set<String> getRoles() {
+// return roles;
+// }
+//
+// public void setRoles(Set<String> roles) {
+// this.roles = roles;
+// }
+
+ public String getExpiryDate() {
+ return expiryDate;
+ }
+
+ public void setExpiryDate(String expiryDate) {
+ this.expiryDate = expiryDate;
+ }
+
+}
import org.argeo.osgi.useradmin.TokenUtils;
import org.argeo.osgi.useradmin.UserAdminConf;
import org.osgi.framework.InvalidSyntaxException;
-import org.osgi.framework.ServiceReference;
import org.osgi.service.useradmin.Authorization;
import org.osgi.service.useradmin.Group;
import org.osgi.service.useradmin.Role;
private final static Log log = LogFactory.getLog(CmsUserManagerImpl.class);
private UserAdmin userAdmin;
- @Deprecated
- private ServiceReference<UserAdmin> userAdminServiceReference;
private Map<String, String> serviceProperties;
private UserTransaction userTransaction;
public Map<String, String> getKnownBaseDns(boolean onlyWritable) {
Map<String, String> dns = new HashMap<String, String>();
- String[] propertyKeys = userAdminServiceReference != null ? userAdminServiceReference.getPropertyKeys()
- : serviceProperties.keySet().toArray(new String[serviceProperties.size()]);
+ String[] propertyKeys = serviceProperties.keySet().toArray(new String[serviceProperties.size()]);
for (String uri : propertyKeys) {
if (!uri.startsWith("/"))
continue;
@Override
public void addAuthToken(String userDn, String token, Integer hours, String... roles) {
+ addAuthToken(userDn, token, ZonedDateTime.now().plusHours(hours), roles);
+ }
+
+ @Override
+ public void addAuthToken(String userDn, String token, ZonedDateTime expiryDate, String... roles) {
try {
userTransaction.begin();
User user = (User) userAdmin.getRole(userDn);
String tokenDn = cn + "=" + token + "," + NodeConstants.TOKENS_BASEDN;
Group tokenGroup = (Group) userAdmin.createRole(tokenDn, Role.GROUP);
- for (String role : roles) {
- Role r = userAdmin.getRole(role);
- if (r != null)
- tokenGroup.addMember(r);
- else {
- if (!role.equals(NodeConstants.ROLE_USER)) {
- throw new IllegalStateException(
- "Cannot add role " + role + " to token " + token + " for " + userDn);
+ if (roles != null)
+ for (String role : roles) {
+ Role r = userAdmin.getRole(role);
+ if (r != null)
+ tokenGroup.addMember(r);
+ else {
+ if (!role.equals(NodeConstants.ROLE_USER)) {
+ throw new IllegalStateException(
+ "Cannot add role " + role + " to token " + token + " for " + userDn);
+ }
}
}
- }
tokenGroup.getProperties().put(owner.name(), user.getName());
- if (hours != null) {
- String ldapDate = NamingUtils.instantToLdapDate(ZonedDateTime.now().plusHours(hours));
+ if (expiryDate != null) {
+ String ldapDate = NamingUtils.instantToLdapDate(expiryDate);
tokenGroup.getProperties().put(description.name(), ldapDate);
}
userTransaction.commit();
bc.registerService(RepositoryFactory.class, repositoryFactory, null);
// Security
- NodeUserAdmin userAdmin = new NodeUserAdmin(NodeConstants.ROLES_BASEDN);
+ NodeUserAdmin userAdmin = new NodeUserAdmin(NodeConstants.ROLES_BASEDN, NodeConstants.TOKENS_BASEDN);
stopHooks.add(() -> userAdmin.destroy());
bc.registerService(ManagedServiceFactory.class, userAdmin,
LangUtils.dico(Constants.SERVICE_PID, NodeConstants.NODE_USER_ADMIN_PID));
private boolean singleUser = false;
private boolean systemRolesAvailable = false;
- public NodeUserAdmin(String systemRolesBaseDn) {
- super(systemRolesBaseDn);
+ public NodeUserAdmin(String systemRolesBaseDn, String tokensBaseDn) {
+ super(systemRolesBaseDn, tokensBaseDn);
tmTracker = new ServiceTracker<>(bc, TransactionManager.class, null);
tmTracker.open();
}
import java.util.Map;
public class NamingUtils {
+ /** As per https://tools.ietf.org/html/rfc4517#section-3.3.13 */
private final static DateTimeFormatter utcLdapDate = DateTimeFormatter.ofPattern("uuuuMMddHHmmssX")
.withZone(ZoneOffset.UTC);
}
}
+ /** @return null if not parseable */
+ public static ZonedDateTime ldapDateToZonedDateTime(String ldapDate) {
+ try {
+ return OffsetDateTime.parse(ldapDate, utcLdapDate).toZonedDateTime();
+ } catch (DateTimeParseException e) {
+ return null;
+ }
+ }
+
public static Calendar ldapDateToCalendar(String ldapDate) {
OffsetDateTime instant = OffsetDateTime.parse(ldapDate, utcLdapDate);
GregorianCalendar calendar = new GregorianCalendar();
*/
public class AggregatingUserAdmin implements UserAdmin {
private final LdapName systemRolesBaseDn;
+ private final LdapName tokensBaseDn;
// DAOs
private AbstractUserDirectory systemRoles = null;
+ private AbstractUserDirectory tokens = null;
private Map<LdapName, AbstractUserDirectory> businessRoles = new HashMap<LdapName, AbstractUserDirectory>();
- public AggregatingUserAdmin(String systemRolesBaseDn) {
+ public AggregatingUserAdmin(String systemRolesBaseDn, String tokensBaseDn) {
try {
this.systemRolesBaseDn = new LdapName(systemRolesBaseDn);
+ if (tokensBaseDn != null)
+ this.tokensBaseDn = new LdapName(tokensBaseDn);
+ else
+ this.tokensBaseDn = null;
} catch (InvalidNameException e) {
throw new UserDirectoryException("Cannot initialize " + AggregatingUserAdmin.class, e);
}
if (isSystemRolesBaseDn(baseDn)) {
this.systemRoles = userDirectory;
systemRoles.setExternalRoles(this);
+ } else if (isTokensBaseDn(baseDn)) {
+ this.tokens = userDirectory;
+ tokens.setExternalRoles(this);
} else {
if (businessRoles.containsKey(baseDn))
throw new UserDirectoryException("There is already a user admin for " + baseDn);
private UserAdmin findUserAdmin(LdapName name) {
if (name.startsWith(systemRolesBaseDn))
return systemRoles;
+ if (tokensBaseDn != null && name.startsWith(tokensBaseDn))
+ return tokens;
List<UserAdmin> res = new ArrayList<UserAdmin>(1);
for (LdapName baseDn : businessRoles.keySet()) {
if (name.startsWith(baseDn)) {
return baseDn.equals(systemRolesBaseDn);
}
+ protected boolean isTokensBaseDn(LdapName baseDn) {
+ return tokensBaseDn != null && baseDn.equals(tokensBaseDn);
+ }
+
protected Dictionary<String, Object> currentState() {
Dictionary<String, Object> res = new Hashtable<String, Object>();
// res.put(NodeConstants.CN, NodeConstants.DEFAULT);