]> git.argeo.org Git - lgpl/argeo-commons.git/blob - org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java
projects / lgpl / argeo-commons.git / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Improve node deployment
[lgpl/argeo-commons.git] / org.argeo.cms / src / org / argeo / cms / internal / kernel / NodeUserAdmin.java
1 package org.argeo.cms.internal.kernel;
2
3 import java.io.IOException;
4 import java.net.Inet6Address;
5 import java.net.InetAddress;
6 import java.net.URI;
7 import java.net.URISyntaxException;
8 import java.nio.file.Files;
9 import java.nio.file.Path;
10 import java.security.PrivilegedExceptionAction;
11 import java.util.ArrayList;
12 import java.util.Dictionary;
13 import java.util.HashMap;
14 import java.util.Hashtable;
15 import java.util.Iterator;
16 import java.util.Map;
17
18 import javax.naming.ldap.LdapName;
19 import javax.security.auth.Subject;
20 import javax.security.auth.callback.Callback;
21 import javax.security.auth.callback.CallbackHandler;
22 import javax.security.auth.callback.NameCallback;
23 import javax.security.auth.callback.UnsupportedCallbackException;
24 import javax.security.auth.kerberos.KerberosPrincipal;
25 import javax.security.auth.login.LoginContext;
26 import javax.security.auth.login.LoginException;
27 import javax.transaction.TransactionManager;
28
29 import org.apache.commons.httpclient.auth.AuthPolicy;
30 import org.apache.commons.httpclient.auth.CredentialsProvider;
31 import org.apache.commons.httpclient.cookie.CookiePolicy;
32 import org.apache.commons.httpclient.params.DefaultHttpParams;
33 import org.apache.commons.httpclient.params.HttpMethodParams;
34 import org.apache.commons.httpclient.params.HttpParams;
35 import org.apache.commons.logging.Log;
36 import org.apache.commons.logging.LogFactory;
37 import org.argeo.cms.CmsException;
38 import org.argeo.cms.internal.http.NodeHttp;
39 import org.argeo.cms.internal.http.client.HttpCredentialProvider;
40 import org.argeo.cms.internal.http.client.SpnegoAuthScheme;
41 import org.argeo.naming.DnsBrowser;
42 import org.argeo.node.NodeConstants;
43 import org.argeo.osgi.useradmin.AbstractUserDirectory;
44 import org.argeo.osgi.useradmin.AggregatingUserAdmin;
45 import org.argeo.osgi.useradmin.LdapUserAdmin;
46 import org.argeo.osgi.useradmin.LdifUserAdmin;
47 import org.argeo.osgi.useradmin.UserAdminConf;
48 import org.argeo.osgi.useradmin.UserDirectory;
49 import org.ietf.jgss.GSSCredential;
50 import org.ietf.jgss.GSSException;
51 import org.ietf.jgss.GSSManager;
52 import org.ietf.jgss.GSSName;
53 import org.ietf.jgss.Oid;
54 import org.osgi.framework.BundleContext;
55 import org.osgi.framework.Constants;
56 import org.osgi.framework.FrameworkUtil;
57 import org.osgi.framework.ServiceRegistration;
58 import org.osgi.service.cm.ConfigurationException;
59 import org.osgi.service.cm.ManagedServiceFactory;
60 import org.osgi.service.useradmin.UserAdmin;
61 import org.osgi.util.tracker.ServiceTracker;
62
63 import bitronix.tm.BitronixTransactionManager;
64 import bitronix.tm.resource.ehcache.EhCacheXAResourceProducer;
65
66 /**
67 * Aggregates multiple {@link UserDirectory} and integrates them with system
68 * roles.
69 */
70 class NodeUserAdmin extends AggregatingUserAdmin implements ManagedServiceFactory, KernelConstants {
71 private final static Log log = LogFactory.getLog(NodeUserAdmin.class);
72 private final BundleContext bc = FrameworkUtil.getBundle(getClass()).getBundleContext();
73
74 // OSGi
75 private Map<String, LdapName> pidToBaseDn = new HashMap<>();
76 private Map<String, ServiceRegistration<UserDirectory>> pidToServiceRegs = new HashMap<>();
77 private ServiceRegistration<UserAdmin> userAdminReg;
78
79 // JTA
80 private final ServiceTracker<TransactionManager, TransactionManager> tmTracker;
81 private final String cacheName = UserDirectory.class.getName();
82
83 // GSS API
84 private Path nodeKeyTab = KernelUtils.getOsgiInstancePath(KernelConstants.NODE_KEY_TAB_PATH);
85 private GSSCredential acceptorCredentials;
86
87 public NodeUserAdmin(String systemRolesBaseDn) {
88 super(systemRolesBaseDn);
89 tmTracker = new ServiceTracker<>(bc, TransactionManager.class, null);
90 tmTracker.open();
91 }
92
93 @Override
94 public void updated(String pid, Dictionary<String, ?> properties) throws ConfigurationException {
95 String uri = (String) properties.get(UserAdminConf.uri.name());
96 URI u;
97 try {
98 u = new URI(uri);
99 } catch (URISyntaxException e) {
100 throw new CmsException("Badly formatted URI " + uri, e);
101 }
102
103 // Create
104 AbstractUserDirectory userDirectory = u.getScheme().equals("ldap") ? new LdapUserAdmin(properties)
105 : new LdifUserAdmin(properties);
106 Object realm = userDirectory.getProperties().get(UserAdminConf.realm.name());
107 addUserDirectory(userDirectory);
108
109 // OSGi
110 LdapName baseDn = userDirectory.getBaseDn();
111 Dictionary<String, Object> regProps = new Hashtable<>();
112 regProps.put(Constants.SERVICE_PID, pid);
113 if (isSystemRolesBaseDn(baseDn))
114 regProps.put(Constants.SERVICE_RANKING, Integer.MAX_VALUE);
115 regProps.put(UserAdminConf.baseDn.name(), baseDn);
116 ServiceRegistration<UserDirectory> reg = bc.registerService(UserDirectory.class, userDirectory, regProps);
117 pidToBaseDn.put(pid, baseDn);
118 pidToServiceRegs.put(pid, reg);
119
120 if (log.isDebugEnabled())
121 log.debug("User directory " + userDirectory.getBaseDn() + " [" + u.getScheme() + "] enabled."
122 + (realm != null ? " " + realm + " realm." : ""));
123
124 if (!isSystemRolesBaseDn(baseDn)) {
125 if (userAdminReg != null)
126 userAdminReg.unregister();
127 // register self as main user admin
128 Dictionary<String, Object> userAdminregProps = currentState();
129 userAdminregProps.put(NodeConstants.CN, NodeConstants.DEFAULT);
130 userAdminregProps.put(Constants.SERVICE_RANKING, Integer.MAX_VALUE);
131 userAdminReg = bc.registerService(UserAdmin.class, this, userAdminregProps);
132 }
133 }
134
135 @Override
136 public void deleted(String pid) {
137 assert pidToServiceRegs.get(pid) != null;
138 assert pidToBaseDn.get(pid) != null;
139 pidToServiceRegs.remove(pid).unregister();
140 LdapName baseDn = pidToBaseDn.remove(pid);
141 removeUserDirectory(baseDn);
142 }
143
144 @Override
145 public String getName() {
146 return "Node User Admin";
147 }
148
149 protected void postAdd(AbstractUserDirectory userDirectory) {
150 // JTA
151 TransactionManager tm = tmTracker.getService();
152 if (tm == null)
153 throw new CmsException("A JTA transaction manager must be available.");
154 userDirectory.setTransactionManager(tm);
155 if (tmTracker.getService() instanceof BitronixTransactionManager)
156 EhCacheXAResourceProducer.registerXAResource(cacheName, userDirectory.getXaResource());
157
158 Object realm = userDirectory.getProperties().get(UserAdminConf.realm.name());
159 if (realm != null) {
160 if (Files.exists(nodeKeyTab)) {
161 String servicePrincipal = getKerberosServicePrincipal(realm.toString());
162 if (servicePrincipal != null) {
163 CallbackHandler callbackHandler = new CallbackHandler() {
164 @Override
165 public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
166 for (Callback callback : callbacks)
167 if (callback instanceof NameCallback)
168 ((NameCallback) callback).setName(servicePrincipal);
169
170 }
171 };
172 try {
173 LoginContext nodeLc = new LoginContext(NodeConstants.LOGIN_CONTEXT_NODE, callbackHandler);
174 nodeLc.login();
175 acceptorCredentials = logInAsAcceptor(nodeLc.getSubject(), servicePrincipal);
176 } catch (LoginException e) {
177 throw new CmsException("Cannot log in kernel", e);
178 }
179 }
180 }
181
182 // Register client-side SPNEGO auth scheme
183 AuthPolicy.registerAuthScheme(SpnegoAuthScheme.NAME, SpnegoAuthScheme.class);
184 HttpParams params = DefaultHttpParams.getDefaultParams();
185 ArrayList<String> schemes = new ArrayList<>();
186 schemes.add(SpnegoAuthScheme.NAME);// SPNEGO preferred
187 // schemes.add(AuthPolicy.BASIC);// incompatible with Basic
188 params.setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, schemes);
189 params.setParameter(CredentialsProvider.PROVIDER, new HttpCredentialProvider());
190 params.setParameter(HttpMethodParams.COOKIE_POLICY, CookiePolicy.BROWSER_COMPATIBILITY);
191 // params.setCookiePolicy(CookiePolicy.BROWSER_COMPATIBILITY);
192 }
193 }
194
195 protected void preDestroy(AbstractUserDirectory userDirectory) {
196 if (tmTracker.getService() instanceof BitronixTransactionManager)
197 EhCacheXAResourceProducer.unregisterXAResource(cacheName, userDirectory.getXaResource());
198
199 Object realm = userDirectory.getProperties().get(UserAdminConf.realm.name());
200 if (realm != null) {
201 if (acceptorCredentials != null) {
202 try {
203 acceptorCredentials.dispose();
204 } catch (GSSException e) {
205 // silent
206 }
207 acceptorCredentials = null;
208 }
209 }
210 }
211
212 private String getKerberosServicePrincipal(String realm) {
213 String hostname;
214 try (DnsBrowser dnsBrowser = new DnsBrowser()) {
215 InetAddress localhost = InetAddress.getLocalHost();
216 hostname = localhost.getHostName();
217 String dnsZone = hostname.substring(hostname.indexOf('.') + 1);
218 String ipfromDns = dnsBrowser.getRecord(hostname, localhost instanceof Inet6Address ? "AAAA" : "A");
219 boolean consistentIp = localhost.getHostAddress().equals(ipfromDns);
220 String kerberosDomain = dnsBrowser.getRecord("_kerberos." + dnsZone, "TXT");
221 if (consistentIp && kerberosDomain != null && kerberosDomain.equals(realm) && Files.exists(nodeKeyTab)) {
222 return NodeHttp.DEFAULT_SERVICE + "/" + hostname + "@" + kerberosDomain;
223 } else
224 return null;
225 } catch (Exception e) {
226 log.warn("Exception when determining kerberos principal", e);
227 return null;
228 }
229 }
230
231 private GSSCredential logInAsAcceptor(Subject subject, String servicePrincipal) {
232 // GSS
233 Iterator<KerberosPrincipal> krb5It = subject.getPrincipals(KerberosPrincipal.class).iterator();
234 if (!krb5It.hasNext())
235 return null;
236 KerberosPrincipal krb5Principal = null;
237 while (krb5It.hasNext()) {
238 KerberosPrincipal principal = krb5It.next();
239 if (principal.getName().equals(servicePrincipal))
240 krb5Principal = principal;
241 }
242
243 if (krb5Principal == null)
244 return null;
245
246 GSSManager manager = GSSManager.getInstance();
247 try {
248 GSSName gssName = manager.createName(krb5Principal.getName(), null);
249 GSSCredential serverCredentials = Subject.doAs(subject, new PrivilegedExceptionAction<GSSCredential>() {
250
251 @Override
252 public GSSCredential run() throws GSSException {
253 return manager.createCredential(gssName, GSSCredential.INDEFINITE_LIFETIME, KERBEROS_OID,
254 GSSCredential.ACCEPT_ONLY);
255
256 }
257
258 });
259 if (log.isDebugEnabled())
260 log.debug("GSS acceptor configured for " + krb5Principal);
261 return serverCredentials;
262 } catch (Exception gsse) {
263 throw new CmsException("Cannot create acceptor credentials for " + krb5Principal, gsse);
264 }
265 }
266
267 public GSSCredential getAcceptorCredentials() {
268 return acceptorCredentials;
269 }
270
271 public final static Oid KERBEROS_OID;
272 static {
273 try {
274 KERBEROS_OID = new Oid("1.3.6.1.5.5.2");
275 } catch (GSSException e) {
276 throw new IllegalStateException("Cannot create Kerberos OID", e);
277 }
278 }
279
280 }
Argeo Commons - Lightweight integration framework in pure Java/OSGi