Improve tokens

[lgpl/argeo-commons.git] / org.argeo.cms / src / org / argeo / cms / auth / UserAdminLoginModule.java
diff --git a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java

index 83accceb4d6f1047a6a4eb9ba11b120a2f40db13..692d214bcccc23ce5fe51303ef9e66336bccc3a4 100644 (file)
--- a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
+++ b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
@@ -1,12 +1,9 @@
  package org.argeo.cms.auth;
  
  import static org.argeo.naming.LdapAttrs.cn;
-import static org.argeo.naming.LdapAttrs.description;
  
  import java.io.IOException;
  import java.security.PrivilegedAction;
-import java.security.cert.X509Certificate;
-import java.time.Instant;
  import java.util.Arrays;
  import java.util.HashSet;
  import java.util.List;
@@ -14,7 +11,6 @@ import java.util.Locale;
  import java.util.Map;
  import java.util.Set;
  
-import javax.naming.InvalidNameException;
  import javax.naming.ldap.LdapName;
  import javax.security.auth.Subject;
  import javax.security.auth.callback.Callback;
@@ -34,12 +30,12 @@ import org.apache.commons.logging.LogFactory;
  import org.argeo.cms.CmsException;
  import org.argeo.cms.internal.kernel.Activator;
  import org.argeo.naming.LdapAttrs;
-import org.argeo.naming.NamingUtils;
  import org.argeo.node.NodeConstants;
  import org.argeo.node.security.CryptoKeyring;
  import org.argeo.osgi.useradmin.AuthenticatingUser;
  import org.argeo.osgi.useradmin.IpaUtils;
  import org.argeo.osgi.useradmin.OsUserUtils;
+import org.argeo.osgi.useradmin.TokenUtils;
  import org.osgi.framework.BundleContext;
  import org.osgi.framework.FrameworkUtil;
  import org.osgi.framework.ServiceReference;
@@ -86,7 +82,8 @@ public class UserAdminLoginModule implements LoginModule {
                 UserAdmin userAdmin = Activator.getUserAdmin();
                 final String username;
                 final char[] password;
-               X509Certificate[] certificateChain = null;
+               Object certificateChain = null;
+               boolean preauth = false;
                 if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME)
                                 && sharedState.containsKey(CmsAuthUtils.SHARED_STATE_PWD)) {
                         // NB: required by Basic http auth
@@ -95,17 +92,24 @@ public class UserAdminLoginModule implements LoginModule {
                         // // TODO locale?
                 } else if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME)
                                 && sharedState.containsKey(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN)) {
-                       String certificateName = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME);
-                       LdapName ldapName;
-                       try {
-                               ldapName = new LdapName(certificateName);
-                       } catch (InvalidNameException e) {
-                               e.printStackTrace();
-                               return false;
-                       }
-                       username = ldapName.getRdn(ldapName.size()-1).getValue().toString();
-                       certificateChain = (X509Certificate[]) sharedState.get(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN);
+                       String certDn = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME);
+//                     LdapName ldapName;
+//                     try {
+//                             ldapName = new LdapName(certificateName);
+//                     } catch (InvalidNameException e) {
+//                             e.printStackTrace();
+//                             return false;
+//                     }
+//                     username = ldapName.getRdn(ldapName.size() - 1).getValue().toString();
+                       username = certDn;
+                       certificateChain = sharedState.get(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN);
                         password = null;
+               } else if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME)
+                               && sharedState.containsKey(CmsAuthUtils.SHARED_STATE_REMOTE_ADDR)
+                               && sharedState.containsKey(CmsAuthUtils.SHARED_STATE_REMOTE_PORT)) {// ident
+                       username = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME);
+                       password = null;
+                       preauth = true;
                 } else if (singleUser) {
                         username = OsUserUtils.getOsUsername();
                         password = null;
@@ -187,6 +191,8 @@ public class UserAdminLoginModule implements LoginModule {
                         // is provided
                 } else if (singleUser) {
                         // TODO verify IP address?
+               } else if (preauth) {
+                       // ident
                 } else {
                         throw new CredentialNotFoundException("No credentials provided");
                 }
@@ -246,7 +252,7 @@ public class UserAdminLoginModule implements LoginModule {
  
                 // Log and monitor new login
                 HttpServletRequest request = (HttpServletRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST);
-               CmsAuthUtils.addAuthorization(subject, authorization, locale, request);
+               CmsAuthUtils.addAuthorization(subject, authorization);
  
                 // Unlock keyring (underlying login to the JCR repository)
                 char[] password = (char[]) sharedState.get(CmsAuthUtils.SHARED_STATE_PWD);
@@ -337,16 +343,20 @@ public class UserAdminLoginModule implements LoginModule {
         }
  
         protected Authorization getAuthorizationFromToken(UserAdmin userAdmin, Group tokenGroup) {
-               String expiryDateStr = (String) tokenGroup.getProperties().get(description.name());
-               if (expiryDateStr != null) {
-                       Instant expiryDate = NamingUtils.ldapDateToInstant(expiryDateStr);
-                       if (expiryDate.isBefore(Instant.now())) {
-                               if (log.isDebugEnabled())
-                                       log.debug("Token " + tokenGroup.getName() + " has expired.");
-                               return null;
-                       }
-               }
-               Authorization auth = userAdmin.getAuthorization(tokenGroup);
+               if (TokenUtils.isExpired(tokenGroup))
+                       return null;
+//             String expiryDateStr = (String) tokenGroup.getProperties().get(description.name());
+//             if (expiryDateStr != null) {
+//                     Instant expiryDate = NamingUtils.ldapDateToInstant(expiryDateStr);
+//                     if (expiryDate.isBefore(Instant.now())) {
+//                             if (log.isDebugEnabled())
+//                                     log.debug("Token " + tokenGroup.getName() + " has expired.");
+//                             return null;
+//                     }
+//             }
+               String userDn = TokenUtils.userDn(tokenGroup);
+               User user = (User) userAdmin.getRole(userDn);
+               Authorization auth = userAdmin.getAuthorization(user);
                 return auth;
         }
  }