Programatically add standard system roles
authorMathieu Baudier <mbaudier@argeo.org>
Sun, 20 May 2018 11:37:21 +0000 (13:37 +0200)
committerMathieu Baudier <mbaudier@argeo.org>
Sun, 20 May 2018 11:37:21 +0000 (13:37 +0200)
org.argeo.cms/src/org/argeo/cms/internal/kernel/CmsDeployment.java
org.argeo.cms/src/org/argeo/cms/internal/kernel/ou=roles,ou=node.ldif

index 4d5b68e647f225b195fc924286cc30d8418b7b81..c4dee903fb4513946a6dee37ce0fb07d67808330 100644 (file)
@@ -17,6 +17,7 @@ import java.util.Set;
 import javax.jcr.Repository;
 import javax.jcr.Session;
 import javax.security.auth.callback.CallbackHandler;
+import javax.transaction.UserTransaction;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -44,6 +45,7 @@ import org.osgi.framework.wiring.BundleWiring;
 import org.osgi.service.cm.Configuration;
 import org.osgi.service.cm.ConfigurationAdmin;
 import org.osgi.service.cm.ManagedService;
+import org.osgi.service.useradmin.Role;
 import org.osgi.service.useradmin.UserAdmin;
 import org.osgi.util.tracker.ServiceTracker;
 
@@ -103,9 +105,11 @@ public class CmsDeployment implements NodeDeployment {
                ServiceTracker<?, ?> userAdminSt = new ServiceTracker<UserAdmin, UserAdmin>(bc, UserAdmin.class, null) {
                        @Override
                        public UserAdmin addingService(ServiceReference<UserAdmin> reference) {
+                               UserAdmin userAdmin = super.addingService(reference);
+                               addStandardSystemRoles(userAdmin);
                                userAdminAvailable = true;
                                checkReadiness();
-                               return super.addingService(reference);
+                               return userAdmin;
                        }
                };
                // userAdminSt.open();
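Review bot: In `addingService`, a `CmsException` thrown by `addStandardSystemRoles(userAdmin)` escapes the tracker callback before `userAdminAvailable = true` and `checkReadiness()` run, so a failed role provisioning leaves the deployment permanently not ready, and the only trace is whatever the framework reports for the callback. If failing closed is the intent (no readiness without the admin roles), say so with a comment above the call, e.g. `// fail closed: the node must not become ready without the standard system roles`. `super.addingService(reference)` can also return null when the service is already gone, which a guard such as `if (userAdmin != null)` would cover. The enclosing method starts outside this hunk, so how the tracker is opened cannot be checked from here.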
@@ -151,6 +155,26 @@ public class CmsDeployment implements NodeDeployment {
                KernelUtils.asyncOpen(confAdminSt);
        }
 
+       private void addStandardSystemRoles(UserAdmin userAdmin) {
+               // we assume UserTransaction is already available (TODO make it more robust)
+               UserTransaction userTransaction = bc.getService(bc.getServiceReference(UserTransaction.class));
+               try {
+                       userTransaction.begin();
+                       if (userAdmin.getRole(NodeConstants.ROLE_ADMIN) == null)
+                               userAdmin.createRole(NodeConstants.ROLE_ADMIN, Role.GROUP);
+                       if (userAdmin.getRole(NodeConstants.ROLE_USER_ADMIN) == null)
+                               userAdmin.createRole(NodeConstants.ROLE_USER_ADMIN, Role.GROUP);
+                       userTransaction.commit();
+               } catch (Exception e) {
+                       try {
+                               userTransaction.rollback();
+                       } catch (Exception e1) {
+                               // silent
+                       }
+                       throw new CmsException("Cannot add standard system roles", e);
+               }
+       }
+
        private void loadIpaJaasConfiguration() {
                if (System.getProperty(KernelConstants.JAAS_CONFIG_PROP) == null) {
                        String jaasConfig = KernelConstants.JAAS_CONFIG_IPA;
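Review bot: In `addStandardSystemRoles`, `bc.getServiceReference(UserTransaction.class)` returns null when no UserTransaction service is registered yet, and the lookup sits before the `try`, so the tracker callback fails with a bare NullPointerException rather than the intended CmsException. The service is also never released with `ungetService`, and the empty `// silent` catch hides a failed rollback, which could leave the user directory in an unknown state with no trace. The fence below checks the reference, releases it in `finally` and attaches the rollback failure with `addSuppressed`. Separately, the groups are created with no members, whereas the LDIF entries this commit deletes made `cn=admin` a member of `userAdmin`; if nothing else restores that link, the method deserves a comment saying where admin membership is now granted.

```java
private void addStandardSystemRoles(UserAdmin userAdmin) {
	ServiceReference<UserTransaction> txRef = bc.getServiceReference(UserTransaction.class);
	if (txRef == null)
		throw new IllegalStateException("No UserTransaction service registered, cannot add standard system roles");
	UserTransaction userTransaction = bc.getService(txRef);
	try {
		// … unchanged: begin, create the missing roles, commit …
	} catch (Exception e) {
		try {
			userTransaction.rollback();
		} catch (Exception e1) {
			// keep the rollback failure visible in the reported stack trace
			e.addSuppressed(e1);
		}
		throw new CmsException("Cannot add standard system roles", e);
	} finally {
		bc.ungetService(txRef);
	}
}
```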
index d4c151c63b1f7d7d3c36f14955ffae5483fb5435..85247edce310fb886425026f3a2f9a9fb7ab824c 100644 (file)
@@ -7,21 +7,3 @@ dn: ou=roles,ou=node
 objectClass: organizationalUnit
 objectClass: top
 ou: roles
-
-dn: cn=admin,ou=roles,ou=node
-objectClass: groupOfNames
-objectClass: top
-cn: admin
-member: uid=root,ou=People,dc=example,dc=com
-
-dn: cn=userAdmin,ou=roles,ou=node
-objectClass: groupOfNames
-objectClass: top
-cn: userAdmin
-member: cn=admin,ou=roles,ou=node
-
-dn: cn=registering,ou=roles,ou=node
-objectClass: groupOfNames
-objectClass: top
-cn: registering
-