From: Mathieu Baudier <mbaudier@argeo.org>
Date: Wed, 23 Sep 2015 08:28:14 +0000 (+0000)
Subject: Improve LDIF user admin.
X-Git-Tag: argeo-commons-2.1.30~120
X-Git-Url: http://git.argeo.org/?a=commitdiff_plain;h=ea63d7d123a50ff10657946ce3d928a57944621d;p=lgpl%2Fargeo-commons.git

Improve LDIF user admin.

git-svn-id: https://svn.argeo.org/commons/trunk@8446 4cfe0d0a-d680-48aa-b62c-e0a02a3f76cc
---

diff --git a/demo/argeo_node_rap.properties b/demo/argeo_node_rap.properties
index b83483b93..052d49722 100644
--- a/demo/argeo_node_rap.properties
+++ b/demo/argeo_node_rap.properties
@@ -25,6 +25,7 @@ java.security.policy=file:../../all.policy
 #?readOnly=false\
 #&userObjectClass=inetOrgPerson \
 #dc=example,dc=org.ldif"
+argeo.node.useradmin.uris="dc=example,dc=com.ldif ../../dc=demo,dc=mrschilling,dc=com.ldif"
 
 # HTTP
 org.osgi.service.http.port=7070
diff --git a/org.argeo.cms/src/org/argeo/cms/AbstractCmsEntryPoint.java b/org.argeo.cms/src/org/argeo/cms/AbstractCmsEntryPoint.java
index 6e30d8e31..6ff18def0 100644
--- a/org.argeo.cms/src/org/argeo/cms/AbstractCmsEntryPoint.java
+++ b/org.argeo.cms/src/org/argeo/cms/AbstractCmsEntryPoint.java
@@ -15,6 +15,7 @@ import javax.jcr.Session;
 import javax.jcr.nodetype.NodeType;
 import javax.security.auth.Subject;
 import javax.security.auth.login.LoginException;
+import javax.security.auth.x500.X500Principal;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
 
@@ -71,7 +72,9 @@ public abstract class AbstractCmsEntryPoint extends AbstractEntryPoint
 		final HttpSession httpSession = httpRequest.getSession();
 		AccessControlContext acc = (AccessControlContext) httpSession
 				.getAttribute(KernelHeader.ACCESS_CONTROL_CONTEXT);
-		if (acc != null)
+		if (acc != null
+				&& Subject.getSubject(acc).getPrincipals(X500Principal.class)
+						.size() == 1)
 			subject = Subject.getSubject(acc);
 		else
 			subject = new Subject();
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java
index bd48bc385..31295ae89 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java
@@ -3,7 +3,6 @@ package org.argeo.cms.internal.kernel;
 import java.io.File;
 import java.io.IOException;
 import java.net.URI;
-import java.net.URISyntaxException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Dictionary;
@@ -23,10 +22,10 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.argeo.cms.CmsException;
 import org.argeo.cms.KernelHeader;
-import org.argeo.osgi.useradmin.UserDirectory;
-import org.argeo.osgi.useradmin.UserAdminConf;
 import org.argeo.osgi.useradmin.LdapUserAdmin;
 import org.argeo.osgi.useradmin.LdifUserAdmin;
+import org.argeo.osgi.useradmin.UserAdminConf;
+import org.argeo.osgi.useradmin.UserDirectory;
 import org.argeo.osgi.useradmin.UserDirectoryException;
 import org.osgi.framework.InvalidSyntaxException;
 import org.osgi.service.useradmin.Authorization;
@@ -75,17 +74,23 @@ public class NodeUserAdmin implements UserAdmin {
 			URI u;
 			try {
 				u = new URI(uri);
+				if (u.getPath() == null)
+					throw new CmsException("URI " + uri
+							+ " must have a path in order to determine base DN");
 				if (u.getScheme() == null) {
-					if (uri.startsWith("/"))
-						u = new File(uri).getAbsoluteFile().toURI();
+					if (uri.startsWith("/") || uri.startsWith("./")
+							|| uri.startsWith("../"))
+						u = new File(uri).getCanonicalFile().toURI();
 					else if (!uri.contains("/"))
-						u = new File(nodeBaseDir, uri).getAbsoluteFile()
+						u = new File(nodeBaseDir, uri).getCanonicalFile()
 								.toURI();
 					else
 						throw new CmsException("Cannot interpret " + uri
 								+ " as an uri");
+				} else if (u.getScheme().equals("file")) {
+					u = new File(u).getCanonicalFile().toURI();
 				}
-			} catch (URISyntaxException e) {
+			} catch (Exception e) {
 				throw new CmsException(
 						"Cannot interpret " + uri + " as an uri", e);
 			}
diff --git a/org.argeo.security.core/src/org/argeo/osgi/useradmin/AbstractUserDirectory.java b/org.argeo.security.core/src/org/argeo/osgi/useradmin/AbstractUserDirectory.java
index 884e4ce09..ae931039d 100644
--- a/org.argeo.security.core/src/org/argeo/osgi/useradmin/AbstractUserDirectory.java
+++ b/org.argeo.security.core/src/org/argeo/osgi/useradmin/AbstractUserDirectory.java
@@ -12,7 +12,9 @@ import java.net.URISyntaxException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Dictionary;
+import java.util.Enumeration;
 import java.util.HashMap;
+import java.util.Hashtable;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
@@ -45,13 +47,13 @@ abstract class AbstractUserDirectory implements UserAdmin, UserDirectory {
 	private final static Log log = LogFactory
 			.getLog(AbstractUserDirectory.class);
 
-	private Dictionary<String, ?> properties;
-	private String baseDn = "dc=example,dc=com";
-	private String userObjectClass;
-	private String groupObjectClass;
+	private final Hashtable<String, Object> properties;
+	private final String baseDn;
+	private final String userObjectClass;
+	private final String groupObjectClass;
 
-	private boolean isReadOnly;
-	private URI uri;
+	private final boolean readOnly;
+	private final URI uri;
 
 	private UserAdmin externalRoles;
 	private List<String> indexedUserProperties = Arrays.asList(new String[] {
@@ -65,9 +67,12 @@ abstract class AbstractUserDirectory implements UserAdmin, UserDirectory {
 	private ThreadLocal<WorkingCopy> workingCopy = new ThreadLocal<AbstractUserDirectory.WorkingCopy>();
 	private Xid editingTransactionXid = null;
 
-	AbstractUserDirectory(Dictionary<String, ?> properties) {
-		// TODO make a copy?
-		this.properties = properties;
+	AbstractUserDirectory(Dictionary<String, ?> props) {
+		properties = new Hashtable<String, Object>();
+		for (Enumeration<String> keys = props.keys(); keys.hasMoreElements();) {
+			String key = keys.nextElement();
+			properties.put(key, props.get(key));
+		}
 
 		String uriStr = UserAdminConf.uri.getValue(properties);
 		if (uriStr == null)
@@ -76,20 +81,21 @@ abstract class AbstractUserDirectory implements UserAdmin, UserDirectory {
 			try {
 				uri = new URI(uriStr);
 			} catch (URISyntaxException e) {
-				throw new UserDirectoryException("Badly formatted URI", e);
+				throw new UserDirectoryException("Badly formatted URI "
+						+ uriStr, e);
 			}
 
 		baseDn = UserAdminConf.baseDn.getValue(properties).toString();
-		String isReadOnly = UserAdminConf.readOnly.getValue(properties);
-		if (isReadOnly == null)
-			this.isReadOnly = readOnlyDefault(uri);
-		else
-			this.isReadOnly = new Boolean(isReadOnly);
+		String readOnlyStr = UserAdminConf.readOnly.getValue(properties);
+		if (readOnlyStr == null) {
+			readOnly = readOnlyDefault(uri);
+			properties.put(UserAdminConf.readOnly.property(),
+					Boolean.toString(readOnly));
+		} else
+			readOnly = new Boolean(readOnlyStr);
 
-		this.userObjectClass = UserAdminConf.userObjectClass
-				.getValue(properties);
-		this.groupObjectClass = UserAdminConf.groupObjectClass
-				.getValue(properties);
+		userObjectClass = UserAdminConf.userObjectClass.getValue(properties);
+		groupObjectClass = UserAdminConf.groupObjectClass.getValue(properties);
 	}
 
 	/** Returns the groups this user is a direct member of. */
@@ -371,10 +377,6 @@ abstract class AbstractUserDirectory implements UserAdmin, UserDirectory {
 		return uri;
 	}
 
-	protected void setUri(URI uri) {
-		this.uri = uri;
-	}
-
 	protected List<String> getIndexedUserProperties() {
 		return indexedUserProperties;
 	}
@@ -383,22 +385,21 @@ abstract class AbstractUserDirectory implements UserAdmin, UserDirectory {
 		this.indexedUserProperties = indexedUserProperties;
 	}
 
-	protected void setReadOnly(boolean isReadOnly) {
-		this.isReadOnly = isReadOnly;
-	}
-
 	private static boolean readOnlyDefault(URI uri) {
 		if (uri == null)
 			return true;
 		if (uri.getScheme().equals("file")) {
 			File file = new File(uri);
-			return !file.canWrite();
+			if (file.exists())
+				return !file.canWrite();
+			else
+				return !file.getParentFile().canWrite();
 		}
 		return true;
 	}
 
 	public boolean isReadOnly() {
-		return isReadOnly;
+		return readOnly;
 	}
 
 	UserAdmin getExternalRoles() {
diff --git a/org.argeo.security.core/src/org/argeo/osgi/useradmin/LdifUserAdmin.java b/org.argeo.security.core/src/org/argeo/osgi/useradmin/LdifUserAdmin.java
index a03a25f09..4613ef528 100644
--- a/org.argeo.security.core/src/org/argeo/osgi/useradmin/LdifUserAdmin.java
+++ b/org.argeo.security.core/src/org/argeo/osgi/useradmin/LdifUserAdmin.java
@@ -40,8 +40,6 @@ public class LdifUserAdmin extends AbstractUserDirectory {
 	public LdifUserAdmin(InputStream in) {
 		super(new Hashtable<String, Object>());
 		load(in);
-		setReadOnly(true);
-		setUri(null);
 	}
 
 	private static Dictionary<String, Object> fromUri(String uri, String baseDn) {
@@ -65,8 +63,12 @@ public class LdifUserAdmin extends AbstractUserDirectory {
 	}
 
 	public void save() {
-		if (getUri() == null || isReadOnly())
-			throw new UserDirectoryException("Cannot save LDIF user admin");
+		if (getUri() == null)
+			throw new UserDirectoryException(
+					"Cannot save LDIF user admin: no URI is set");
+		if (isReadOnly())
+			throw new UserDirectoryException("Cannot save LDIF user admin: "
+					+ getUri() + " is read-only");
 		try (FileOutputStream out = new FileOutputStream(new File(getUri()))) {
 			save(out);
 		} catch (IOException e) {