Start finalizing security
[lgpl/argeo-commons.git] / org.argeo.cms / src / org / argeo / cms / auth / NodeUserLoginModule.java
index 956b4a65cd512ba70f6575cf9d9105c803a3a33a..0b638bc2f1249d8716ee6a0e7fc167cc84a4a06e 100644 (file)
@@ -1,52 +1,37 @@
 package org.argeo.cms.auth;
 
-import java.security.Principal;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.List;
 import java.util.Map;
-import java.util.Set;
 
-import javax.naming.InvalidNameException;
-import javax.naming.ldap.LdapName;
 import javax.security.auth.Subject;
 import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.login.FailedLoginException;
 import javax.security.auth.login.LoginException;
 import javax.security.auth.spi.LoginModule;
-import javax.security.auth.x500.X500Principal;
 
-import org.apache.jackrabbit.core.security.AnonymousPrincipal;
-import org.apache.jackrabbit.core.security.SecurityConstants;
-import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
-import org.argeo.cms.CmsException;
-import org.argeo.cms.internal.auth.ImpliedByPrincipal;
-import org.argeo.node.NodeConstants;
 import org.osgi.service.useradmin.Authorization;
 
 public class NodeUserLoginModule implements LoginModule, AuthConstants {
        private Subject subject;
        private Map<String, Object> sharedState = null;
 
-       private final static LdapName ROLE_ADMIN_NAME, ROLE_ANONYMOUS_NAME, ROLE_USER_NAME;
-       private final static List<LdapName> RESERVED_ROLES;
-       private final static X500Principal ROLE_ANONYMOUS_PRINCIPAL;
-       static {
-               try {
-                       // ROLE_KERNEL_NAME = new LdapName(AuthConstants.ROLE_KERNEL);
-                       ROLE_ADMIN_NAME = new LdapName(NodeConstants.ROLE_ADMIN);
-                       ROLE_USER_NAME = new LdapName(NodeConstants.ROLE_USER);
-                       ROLE_ANONYMOUS_NAME = new LdapName(NodeConstants.ROLE_ANONYMOUS);
-                       RESERVED_ROLES = Collections.unmodifiableList(Arrays.asList(new LdapName[] { ROLE_ADMIN_NAME,
-                                       ROLE_ANONYMOUS_NAME, ROLE_USER_NAME, new LdapName(AuthConstants.ROLE_GROUP_ADMIN),
-                                       new LdapName(NodeConstants.ROLE_USER_ADMIN) }));
-                       ROLE_ANONYMOUS_PRINCIPAL = new X500Principal(ROLE_ANONYMOUS_NAME.toString());
-               } catch (InvalidNameException e) {
-                       throw new Error("Cannot initialize login module class", e);
-               }
-       }
-
-       private Authorization authorization;
+//     private final static LdapName ROLE_ADMIN_NAME, ROLE_ANONYMOUS_NAME, ROLE_USER_NAME;
+//     private final static List<LdapName> RESERVED_ROLES;
+//     private final static X500Principal ROLE_ANONYMOUS_PRINCIPAL;
+//     static {
+//             try {
+//                     // ROLE_KERNEL_NAME = new LdapName(AuthConstants.ROLE_KERNEL);
+//                     ROLE_ADMIN_NAME = new LdapName(NodeConstants.ROLE_ADMIN);
+//                     ROLE_USER_NAME = new LdapName(NodeConstants.ROLE_USER);
+//                     ROLE_ANONYMOUS_NAME = new LdapName(NodeConstants.ROLE_ANONYMOUS);
+//                     RESERVED_ROLES = Collections.unmodifiableList(Arrays.asList(new LdapName[] { ROLE_ADMIN_NAME,
+//                                     ROLE_ANONYMOUS_NAME, ROLE_USER_NAME, new LdapName(AuthConstants.ROLE_GROUP_ADMIN),
+//                                     new LdapName(NodeConstants.ROLE_USER_ADMIN) }));
+//                     ROLE_ANONYMOUS_PRINCIPAL = new X500Principal(ROLE_ANONYMOUS_NAME.toString());
+//             } catch (InvalidNameException e) {
+//                     throw new Error("Cannot initialize login module class", e);
+//             }
+//     }
+
+       // private Authorization authorization;
 
        @SuppressWarnings("unchecked")
        @Override
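Review bot: The static initializer, the authorization field and the role constants are kept as commented-out code at L54–72 instead of being deleted, and the same pattern recurs at L83–84, L137–178, L201 and L213–221 in the later hunks. Since the logic has been moved to CmsAuthUtils, the version history already preserves it, and the dead copies will silently drift from the live implementation while still reading as if they described what this module does. Delete them; if the reader needs a pointer, a single line `// Role constants and the reserved-name/role checks now live in CmsAuthUtils` is enough. The class continues past this hunk (initialize() starts at L74–75 and is cut off).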
@@ -58,9 +43,8 @@ public class NodeUserLoginModule implements LoginModule, AuthConstants {
 
        @Override
        public boolean login() throws LoginException {
-               authorization = (Authorization) sharedState.get(SHARED_STATE_AUTHORIZATION);
-               if (authorization == null)
-                       throw new FailedLoginException("No authorization available");
+               // if (authorization == null)
+               // throw new FailedLoginException("No authorization available");
                // Iterator<Authorization> auth = subject.getPrivateCredentials(
                // Authorization.class).iterator();
                // if (!auth.hasNext())
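Review bot: login() no longer verifies that the shared state carries an authorization: the check formerly at L80–82 is commented out at L83–84 and the lookup is deferred to commit(), so phase one of the JAAS login now reports success regardless of input. This matters if the module is configured as `sufficient`, where an unconditional true in login() short-circuits the remaining modules, and callers also lose the FailedLoginException distinction because commit() throws a plain LoginException. Keep the phase-one check, `if (sharedState.get(SHARED_STATE_AUTHORIZATION) == null) throw new FailedLoginException("No authorization available");`, restoring the FailedLoginException import dropped in the first hunk. The rest of login(), including its return, lies outside the hunk.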
@@ -71,48 +55,53 @@ public class NodeUserLoginModule implements LoginModule, AuthConstants {
 
        @Override
        public boolean commit() throws LoginException {
+               Authorization authorization = (Authorization) sharedState.get(SHARED_STATE_AUTHORIZATION);
                if (authorization == null)
                        throw new LoginException("Authorization should not be null");
-               // required for display name:
-               subject.getPrivateCredentials().add(authorization);
-
-               Set<Principal> principals = subject.getPrincipals();
-               try {
-                       String authName = authorization.getName();
-
-                       // determine user's principal
-                       final LdapName name;
-                       final Principal userPrincipal;
-                       if (authName == null) {
-                               name = ROLE_ANONYMOUS_NAME;
-                               userPrincipal = ROLE_ANONYMOUS_PRINCIPAL;
-                               principals.add(userPrincipal);
-                               principals.add(new AnonymousPrincipal());
-                       } else {
-                               name = new LdapName(authName);
-                               checkUserName(name);
-                               userPrincipal = new X500Principal(name.toString());
-                               principals.add(userPrincipal);
-                               principals.add(new ImpliedByPrincipal(ROLE_USER_NAME, userPrincipal));
-                       }
-
-                       // Add roles provided by authorization
-                       for (String role : authorization.getRoles()) {
-                               LdapName roleName = new LdapName(role);
-                               if (roleName.equals(name)) {
-                                       // skip
-                               } else {
-                                       checkImpliedPrincipalName(roleName);
-                                       principals.add(new ImpliedByPrincipal(roleName.toString(), userPrincipal));
-                                       if (roleName.equals(ROLE_ADMIN_NAME))
-                                               principals.add(new AdminPrincipal(SecurityConstants.ADMIN_ID));
-                               }
-                       }
-
-                       return true;
-               } catch (InvalidNameException e) {
-                       throw new CmsException("Cannot commit", e);
-               }
+               CmsAuthUtils.addAuthentication(subject, authorization);
+               return true;
+               // // required for display name:
+               // subject.getPrivateCredentials().add(authorization);
+               //
+               // Set<Principal> principals = subject.getPrincipals();
+               // try {
+               // String authName = authorization.getName();
+               //
+               // // determine user's principal
+               // final LdapName name;
+               // final Principal userPrincipal;
+               // if (authName == null) {
+               // name = ROLE_ANONYMOUS_NAME;
+               // userPrincipal = ROLE_ANONYMOUS_PRINCIPAL;
+               // principals.add(userPrincipal);
+               // principals.add(new AnonymousPrincipal());
+               // } else {
+               // name = new LdapName(authName);
+               // checkUserName(name);
+               // userPrincipal = new X500Principal(name.toString());
+               // principals.add(userPrincipal);
+               // principals.add(new ImpliedByPrincipal(ROLE_USER_NAME,
+               // userPrincipal));
+               // }
+               //
+               // // Add roles provided by authorization
+               // for (String role : authorization.getRoles()) {
+               // LdapName roleName = new LdapName(role);
+               // if (roleName.equals(name)) {
+               // // skip
+               // } else {
+               // checkImpliedPrincipalName(roleName);
+               // principals.add(new ImpliedByPrincipal(roleName.toString(),
+               // userPrincipal));
+               // if (roleName.equals(ROLE_ADMIN_NAME))
+               // principals.add(new AdminPrincipal(SecurityConstants.ADMIN_ID));
+               // }
+               // }
+               //
+               // return true;
+               // } catch (InvalidNameException e) {
+               // throw new CmsException("Cannot commit", e);
+               // }
        }
 
        @Override
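Review bot: The guards that commit() used to apply before adding principals — checkUserName rejecting a user whose DN equals a reserved role, and checkImpliedPrincipalName rejecting ROLE_USER / ROLE_ANONYMOUS listed as roles — are gone from this method, and whether CmsAuthUtils.addAuthentication(subject, authorization) at L135 re-establishes them cannot be seen in this diff. Without them an authorization naming a reserved role would be turned into principals, and in the old loop the admin role name produced an AdminPrincipal, so please confirm the checks survived the move. Make the contract explicit at the call site with `// CmsAuthUtils.addAuthentication must reject reserved user names and non-listable roles before adding principals`. The former `subject.getPrivateCredentials().add(authorization)` ("required for display name") was also dropped here while logout() still clears private credentials; confirm the display-name path no longer depends on it.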
@@ -126,12 +115,7 @@ public class NodeUserLoginModule implements LoginModule, AuthConstants {
                if (subject == null)
                        throw new LoginException("Subject should not be null");
                // Clean up principals
-               // Argeo
-               subject.getPrincipals().removeAll(subject.getPrincipals(X500Principal.class));
-               subject.getPrincipals().removeAll(subject.getPrincipals(ImpliedByPrincipal.class));
-               // Jackrabbit
-               subject.getPrincipals().removeAll(subject.getPrincipals(AdminPrincipal.class));
-               subject.getPrincipals().removeAll(subject.getPrincipals(AnonymousPrincipal.class));
+               CmsAuthUtils.cleanUp(subject);
                // Clean up private credentials
                subject.getPrivateCredentials().clear();
                cleanUp();
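Review bot: logout() previously stripped four principal types explicitly (X500Principal, ImpliedByPrincipal, AdminPrincipal, AnonymousPrincipal); L192 replaces that with CmsAuthUtils.cleanUp(subject), whose coverage is not visible in this diff. If cleanUp does not also remove the Jackrabbit AdminPrincipal and AnonymousPrincipal, a Subject reused after logout keeps an elevated principal. Verify it and state the expectation on the call, e.g. `// CmsAuthUtils.cleanUp must remove both the Argeo (X500/ImpliedBy) and Jackrabbit (Admin/Anonymous) principals`. logout() begins before this hunk.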
@@ -140,16 +124,16 @@ public class NodeUserLoginModule implements LoginModule, AuthConstants {
 
        private void cleanUp() {
                subject = null;
-               authorization = null;
+               // authorization = null;
        }
 
-       private void checkUserName(LdapName name) {
-               if (RESERVED_ROLES.contains(name))
-                       throw new CmsException(name + " is a reserved name");
-       }
-
-       private void checkImpliedPrincipalName(LdapName roleName) {
-               if (ROLE_USER_NAME.equals(roleName) || ROLE_ANONYMOUS_NAME.equals(roleName))
-                       throw new CmsException(roleName + " cannot be listed as role");
-       }
+//     private void checkUserName(LdapName name) {
+//             if (RESERVED_ROLES.contains(name))
+//                     throw new CmsException(name + " is a reserved name");
+//     }
+//
+//     private void checkImpliedPrincipalName(LdapName roleName) {
+//             if (ROLE_USER_NAME.equals(roleName) || ROLE_ANONYMOUS_NAME.equals(roleName))
+//                     throw new CmsException(roleName + " cannot be listed as role");
+//     }
 }