Improve LDIF user admin.

git-svn-id: https://svn.argeo.org/commons/trunk@8446 4cfe0d0a-d680-48aa-b62c-e0a02a3f76cc

diff --git a/demo/argeo_node_rap.properties b/demo/argeo_node_rap.properties
index b83483b9357ca3fe8741ac8af73af03ab379a019..052d49722d65896129f61c69f677796a04ceb872 100644 (file)
--- a/demo/argeo_node_rap.properties
+++ b/demo/argeo_node_rap.properties
@@ -25,6 +25,7 @@ java.security.policy=file:../../all.policy
 #?readOnly=false\
 #&userObjectClass=inetOrgPerson \
 #dc=example,dc=org.ldif"
+argeo.node.useradmin.uris="dc=example,dc=com.ldif ../../dc=demo,dc=mrschilling,dc=com.ldif"
 
 # HTTP
 org.osgi.service.http.port=7070

diff --git a/org.argeo.cms/src/org/argeo/cms/AbstractCmsEntryPoint.java b/org.argeo.cms/src/org/argeo/cms/AbstractCmsEntryPoint.java
index 6e30d8e31d7b16b3b9cf4938faf954e0721839b5..6ff18def0521a11eecd9e082a6ec488e3bcba171 100644 (file)
--- a/org.argeo.cms/src/org/argeo/cms/AbstractCmsEntryPoint.java
+++ b/org.argeo.cms/src/org/argeo/cms/AbstractCmsEntryPoint.java
@@ -15,6 +15,7 @@ import javax.jcr.Session;
 import javax.jcr.nodetype.NodeType;
 import javax.security.auth.Subject;
 import javax.security.auth.login.LoginException;
+import javax.security.auth.x500.X500Principal;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
 
@@ -71,7 +72,9 @@ public abstract class AbstractCmsEntryPoint extends AbstractEntryPoint
                final HttpSession httpSession = httpRequest.getSession();
                AccessControlContext acc = (AccessControlContext) httpSession
                                .getAttribute(KernelHeader.ACCESS_CONTROL_CONTEXT);
-               if (acc != null)
+               if (acc != null
+                               && Subject.getSubject(acc).getPrincipals(X500Principal.class)
+                                               .size() == 1)
                        subject = Subject.getSubject(acc);
                else
                        subject = new Subject();

diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java
index bd48bc38501f40aa21c99497a8482839946c99f8..31295ae89fac8f58b04fe3ba0ed78247a229c086 100644 (file)
--- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java
@@ -3,7 +3,6 @@ package org.argeo.cms.internal.kernel;
 import java.io.File;
 import java.io.IOException;
 import java.net.URI;
-import java.net.URISyntaxException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Dictionary;
@@ -23,10 +22,10 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.argeo.cms.CmsException;
 import org.argeo.cms.KernelHeader;
-import org.argeo.osgi.useradmin.UserDirectory;
-import org.argeo.osgi.useradmin.UserAdminConf;
 import org.argeo.osgi.useradmin.LdapUserAdmin;
 import org.argeo.osgi.useradmin.LdifUserAdmin;
+import org.argeo.osgi.useradmin.UserAdminConf;
+import org.argeo.osgi.useradmin.UserDirectory;
 import org.argeo.osgi.useradmin.UserDirectoryException;
 import org.osgi.framework.InvalidSyntaxException;
 import org.osgi.service.useradmin.Authorization;
@@ -75,17 +74,23 @@ public class NodeUserAdmin implements UserAdmin {
                        URI u;
                        try {
                                u = new URI(uri);
+                               if (u.getPath() == null)
+                                       throw new CmsException("URI " + uri
+                                                       + " must have a path in order to determine base DN");
                                if (u.getScheme() == null) {
-                                       if (uri.startsWith("/"))
-                                               u = new File(uri).getAbsoluteFile().toURI();
+                                       if (uri.startsWith("/") || uri.startsWith("./")
+                                                       || uri.startsWith("../"))
+                                               u = new File(uri).getCanonicalFile().toURI();
                                        else if (!uri.contains("/"))
-                                               u = new File(nodeBaseDir, uri).getAbsoluteFile()
+                                               u = new File(nodeBaseDir, uri).getCanonicalFile()
                                                                .toURI();
                                        else
                                                throw new CmsException("Cannot interpret " + uri
                                                                + " as an uri");
+                               } else if (u.getScheme().equals("file")) {
+                                       u = new File(u).getCanonicalFile().toURI();
                                }
-                       } catch (URISyntaxException e) {
+                       } catch (Exception e) {
                                throw new CmsException(
                                                "Cannot interpret " + uri + " as an uri", e);
                        }

diff --git a/org.argeo.security.core/src/org/argeo/osgi/useradmin/AbstractUserDirectory.java b/org.argeo.security.core/src/org/argeo/osgi/useradmin/AbstractUserDirectory.java
index 884e4ce09ff0ccd1e550f01fe3c402dadae12608..ae931039d17d46ac6442c73e70eaf1262c99d087 100644 (file)
--- a/org.argeo.security.core/src/org/argeo/osgi/useradmin/AbstractUserDirectory.java
+++ b/org.argeo.security.core/src/org/argeo/osgi/useradmin/AbstractUserDirectory.java
@@ -12,7 +12,9 @@ import java.net.URISyntaxException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Dictionary;
+import java.util.Enumeration;
 import java.util.HashMap;
+import java.util.Hashtable;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
@@ -45,13 +47,13 @@ abstract class AbstractUserDirectory implements UserAdmin, UserDirectory {
        private final static Log log = LogFactory
                        .getLog(AbstractUserDirectory.class);
 
-       private Dictionary<String, ?> properties;
-       private String baseDn = "dc=example,dc=com";
-       private String userObjectClass;
-       private String groupObjectClass;
+       private final Hashtable<String, Object> properties;
+       private final String baseDn;
+       private final String userObjectClass;
+       private final String groupObjectClass;
 
-       private boolean isReadOnly;
-       private URI uri;
+       private final boolean readOnly;
+       private final URI uri;
 
        private UserAdmin externalRoles;
        private List<String> indexedUserProperties = Arrays.asList(new String[] {
@@ -65,9 +67,12 @@ abstract class AbstractUserDirectory implements UserAdmin, UserDirectory {
        private ThreadLocal<WorkingCopy> workingCopy = new ThreadLocal<AbstractUserDirectory.WorkingCopy>();
        private Xid editingTransactionXid = null;
 
-       AbstractUserDirectory(Dictionary<String, ?> properties) {
-               // TODO make a copy?
-               this.properties = properties;
+       AbstractUserDirectory(Dictionary<String, ?> props) {
+               properties = new Hashtable<String, Object>();
+               for (Enumeration<String> keys = props.keys(); keys.hasMoreElements();) {
+                       String key = keys.nextElement();
+                       properties.put(key, props.get(key));
+               }
 
                String uriStr = UserAdminConf.uri.getValue(properties);
                if (uriStr == null)
@@ -76,20 +81,21 @@ abstract class AbstractUserDirectory implements UserAdmin, UserDirectory {
                        try {
                                uri = new URI(uriStr);
                        } catch (URISyntaxException e) {
-                               throw new UserDirectoryException("Badly formatted URI", e);
+                               throw new UserDirectoryException("Badly formatted URI "
+                                               + uriStr, e);
                        }
 
                baseDn = UserAdminConf.baseDn.getValue(properties).toString();
-               String isReadOnly = UserAdminConf.readOnly.getValue(properties);
-               if (isReadOnly == null)
-                       this.isReadOnly = readOnlyDefault(uri);
-               else
-                       this.isReadOnly = new Boolean(isReadOnly);
+               String readOnlyStr = UserAdminConf.readOnly.getValue(properties);
+               if (readOnlyStr == null) {
+                       readOnly = readOnlyDefault(uri);
+                       properties.put(UserAdminConf.readOnly.property(),
+                                       Boolean.toString(readOnly));
+               } else
+                       readOnly = new Boolean(readOnlyStr);
 
-               this.userObjectClass = UserAdminConf.userObjectClass
-                               .getValue(properties);
-               this.groupObjectClass = UserAdminConf.groupObjectClass
-                               .getValue(properties);
+               userObjectClass = UserAdminConf.userObjectClass.getValue(properties);
+               groupObjectClass = UserAdminConf.groupObjectClass.getValue(properties);
        }
 
        /** Returns the groups this user is a direct member of. */
@@ -371,10 +377,6 @@ abstract class AbstractUserDirectory implements UserAdmin, UserDirectory {
                return uri;
        }
 
-       protected void setUri(URI uri) {
-               this.uri = uri;
-       }
-
        protected List<String> getIndexedUserProperties() {
                return indexedUserProperties;
        }
@@ -383,22 +385,21 @@ abstract class AbstractUserDirectory implements UserAdmin, UserDirectory {
                this.indexedUserProperties = indexedUserProperties;
        }
 
-       protected void setReadOnly(boolean isReadOnly) {
-               this.isReadOnly = isReadOnly;
-       }
-
        private static boolean readOnlyDefault(URI uri) {
                if (uri == null)
                        return true;
                if (uri.getScheme().equals("file")) {
                        File file = new File(uri);
-                       return !file.canWrite();
+                       if (file.exists())
+                               return !file.canWrite();
+                       else
+                               return !file.getParentFile().canWrite();
                }
                return true;
        }
 
        public boolean isReadOnly() {
-               return isReadOnly;
+               return readOnly;
        }
 
        UserAdmin getExternalRoles() {

diff --git a/org.argeo.security.core/src/org/argeo/osgi/useradmin/LdifUserAdmin.java b/org.argeo.security.core/src/org/argeo/osgi/useradmin/LdifUserAdmin.java
index a03a25f09e5ce58fc21208f9817608d75df54fdb..4613ef5289fbb331ecc61e8d982c93c6d3e41c87 100644 (file)
--- a/org.argeo.security.core/src/org/argeo/osgi/useradmin/LdifUserAdmin.java
+++ b/org.argeo.security.core/src/org/argeo/osgi/useradmin/LdifUserAdmin.java
@@ -40,8 +40,6 @@ public class LdifUserAdmin extends AbstractUserDirectory {
        public LdifUserAdmin(InputStream in) {
                super(new Hashtable<String, Object>());
                load(in);
-               setReadOnly(true);
-               setUri(null);
        }
 
        private static Dictionary<String, Object> fromUri(String uri, String baseDn) {
@@ -65,8 +63,12 @@ public class LdifUserAdmin extends AbstractUserDirectory {
        }
 
        public void save() {
-               if (getUri() == null || isReadOnly())
-                       throw new UserDirectoryException("Cannot save LDIF user admin");
+               if (getUri() == null)
+                       throw new UserDirectoryException(
+                                       "Cannot save LDIF user admin: no URI is set");
+               if (isReadOnly())
+                       throw new UserDirectoryException("Cannot save LDIF user admin: "
+                                       + getUri() + " is read-only");
                try (FileOutputStream out = new FileOutputStream(new File(getUri()))) {
                        save(out);
                } catch (IOException e) {