import java.io.IOException;
import java.net.URL;
-import java.nio.file.Files;
-import java.nio.file.Path;
+import java.security.AllPermission;
import java.util.Dictionary;
import java.util.List;
import java.util.Locale;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
import javax.security.auth.login.Configuration;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
-import org.argeo.cms.CmsException;
-import org.argeo.node.ArgeoLogger;
-import org.argeo.node.NodeConstants;
-import org.argeo.node.NodeDeployment;
-import org.argeo.node.NodeInstance;
-import org.argeo.node.NodeState;
-import org.argeo.util.LangUtils;
+import org.argeo.api.ArgeoLogger;
+import org.argeo.api.NodeConstants;
+import org.argeo.api.NodeDeployment;
+import org.argeo.api.NodeInstance;
+import org.argeo.api.NodeState;
+import org.argeo.ident.IdentClient;
import org.ietf.jgss.GSSCredential;
+import org.osgi.framework.Bundle;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.Constants;
-import org.osgi.framework.ServiceReference;
+import org.osgi.framework.FrameworkUtil;
+import org.osgi.service.condpermadmin.BundleLocationCondition;
+import org.osgi.service.condpermadmin.ConditionInfo;
+import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
+import org.osgi.service.condpermadmin.ConditionalPermissionInfo;
+import org.osgi.service.condpermadmin.ConditionalPermissionUpdate;
import org.osgi.service.log.LogReaderService;
+import org.osgi.service.permissionadmin.PermissionInfo;
import org.osgi.service.useradmin.UserAdmin;
import org.osgi.util.tracker.ServiceTracker;
private static Activator instance;
- private BundleContext bc;
+ // TODO make it configurable
+ private boolean hardened = false;
+
+ private static BundleContext bundleContext;
private LogReaderService logReaderService;
private CmsInstance nodeInstance;
private ServiceTracker<UserAdmin, NodeUserAdmin> userAdminSt;
+ private ExecutorService internalExecutorService;
- @Override
- public void start(BundleContext bundleContext) throws Exception {
+ static {
+ Bundle bundle = FrameworkUtil.getBundle(Activator.class);
+ if (bundle != null) {
+ bundleContext = bundle.getBundleContext();
+ }
+ }
+
+ void init() {
Runtime.getRuntime().addShutdownHook(new CmsShutdown());
instance = this;
- this.bc = bundleContext;
- this.logReaderService = getService(LogReaderService.class);
+// this.bc = bundleContext;
+ if (bundleContext != null)
+ this.logReaderService = getService(LogReaderService.class);
+ this.internalExecutorService = Executors.newFixedThreadPool(Runtime.getRuntime().availableProcessors());
try {
initSecurity();
- initArgeoLogger();
+// initArgeoLogger();
initNode();
- userAdminSt = new ServiceTracker<>(instance.bc, UserAdmin.class, null);
- userAdminSt.open();
if (log.isTraceEnabled())
log.trace("Kernel bundle started");
} catch (Throwable e) {
}
}
+ void destroy() {
+ try {
+ if (nodeInstance != null)
+ nodeInstance.shutdown();
+ if (nodeDeployment != null)
+ nodeDeployment.shutdown();
+ if (nodeState != null)
+ nodeState.shutdown();
+
+ if (userAdminSt != null)
+ userAdminSt.close();
+
+ internalExecutorService.shutdown();
+ instance = null;
+ bundleContext = null;
+ this.logReaderService = null;
+ // this.configurationAdmin = null;
+ } catch (Exception e) {
+ log.error("CMS activator shutdown failed", e);
+ }
+ }
+
private void initSecurity() {
if (System.getProperty(KernelConstants.JAAS_CONFIG_PROP) == null) {
String jaasConfig = KernelConstants.JAAS_CONFIG;
- URL url = getClass().getClassLoader().getResource(jaasConfig);
+ URL url = getClass().getResource(jaasConfig);
// System.setProperty(KernelConstants.JAAS_CONFIG_PROP,
// url.toExternalForm());
KernelUtils.setJaasConfiguration(url);
// explicitly load JAAS configuration
Configuration.getConfiguration();
- // ConditionalPermissionAdmin permissionAdmin = bc
- // .getService(bc.getServiceReference(ConditionalPermissionAdmin.class));
- // ConditionalPermissionUpdate update =
- // permissionAdmin.newConditionalPermissionUpdate();
- // // Self
- // update.getConditionalPermissionInfos()
- // .add(permissionAdmin.newConditionalPermissionInfo(null,
- // new ConditionInfo[] {
- // new ConditionInfo(BundleLocationCondition.class.getName(), new
- // String[] { "*" }) },
- // new PermissionInfo[] { new
- // PermissionInfo(AllPermission.class.getName(), null, null) },
- // ConditionalPermissionInfo.ALLOW));
- //
+ // code-level permissions
+ String osgiSecurity = KernelUtils.getFrameworkProp(Constants.FRAMEWORK_SECURITY);
+ if (osgiSecurity != null && Constants.FRAMEWORK_SECURITY_OSGI.equals(osgiSecurity)) {
+ // TODO rather use a tracker?
+ ConditionalPermissionAdmin permissionAdmin = bundleContext
+ .getService(bundleContext.getServiceReference(ConditionalPermissionAdmin.class));
+ if (!hardened) {
+ // All permissions to all bundles
+ ConditionalPermissionUpdate update = permissionAdmin.newConditionalPermissionUpdate();
+ update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
+ new ConditionInfo[] {
+ new ConditionInfo(BundleLocationCondition.class.getName(), new String[] { "*" }) },
+ new PermissionInfo[] { new PermissionInfo(AllPermission.class.getName(), null, null) },
+ ConditionalPermissionInfo.ALLOW));
+ // TODO data admin permission
+// PermissionInfo dataAdminPerm = new PermissionInfo(AuthPermission.class.getName(),
+// "createLoginContext." + NodeConstants.LOGIN_CONTEXT_DATA_ADMIN, null);
+// update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
+// new ConditionInfo[] {
+// new ConditionInfo(BundleLocationCondition.class.getName(), new String[] { "*" }) },
+// new PermissionInfo[] { dataAdminPerm }, ConditionalPermissionInfo.DENY));
+// update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
+// new ConditionInfo[] {
+// new ConditionInfo(BundleSignerCondition.class.getName(), new String[] { "CN=\"Eclipse.org Foundation, Inc.\", OU=IT, O=\"Eclipse.org Foundation, Inc.\", L=Nepean, ST=Ontario, C=CA" }) },
+// new PermissionInfo[] { dataAdminPerm }, ConditionalPermissionInfo.ALLOW));
+ update.commit();
+ } else {
+ SecurityProfile securityProfile = new SecurityProfile() {
+ };
+ securityProfile.applySystemPermissions(permissionAdmin);
+ }
+ }
+
}
private void initArgeoLogger() {
logger = new NodeLogger(logReaderService);
- bc.registerService(ArgeoLogger.class, logger, null);
+ if (bundleContext != null)
+ bundleContext.registerService(ArgeoLogger.class, logger, null);
}
private void initNode() throws IOException {
// Node state
- Path stateUuidPath = bc.getDataFile("stateUuid").toPath();
- String stateUuid;
- if (Files.exists(stateUuidPath)) {
- stateUuid = Files.readAllLines(stateUuidPath).get(0);
- } else {
- stateUuid = bc.getProperty(Constants.FRAMEWORK_UUID);
- Files.write(stateUuidPath, stateUuid.getBytes());
- }
- nodeState = new CmsState(stateUuid);
- Dictionary<String, Object> regProps = LangUtils.dico(Constants.SERVICE_PID, NodeConstants.NODE_STATE_PID);
- regProps.put(NodeConstants.CN, stateUuid);
- bc.registerService(NodeState.class, nodeState, regProps);
+ nodeState = new CmsState();
+ registerService(NodeState.class, nodeState, null);
// Node deployment
nodeDeployment = new CmsDeployment();
- bc.registerService(NodeDeployment.class, nodeDeployment, null);
+// registerService(NodeDeployment.class, nodeDeployment, null);
// Node instance
nodeInstance = new CmsInstance();
- bc.registerService(NodeInstance.class, nodeInstance, null);
+ registerService(NodeInstance.class, nodeInstance, null);
}
- @Override
- public void stop(BundleContext bundleContext) throws Exception {
- try {
- if (nodeInstance != null)
- nodeInstance.shutdown();
- if (nodeDeployment != null)
- nodeDeployment.shutdown();
- if (nodeState != null)
- nodeState.shutdown();
+ public static <T> void registerService(Class<T> clss, T service, Dictionary<String, ?> properties) {
+ if (bundleContext != null) {
+ bundleContext.registerService(clss, service, properties);
+ }
- if (userAdminSt != null)
- userAdminSt.close();
+ }
- instance = null;
- this.bc = null;
- this.logReaderService = null;
- // this.configurationAdmin = null;
- } catch (Exception e) {
- log.error("CMS activator shutdown failed", e);
+ public static <T> T getService(Class<T> clss) {
+ if (bundleContext != null) {
+ return bundleContext.getService(bundleContext.getServiceReference(clss));
+ } else {
+ return null;
}
}
- private <T> T getService(Class<T> clazz) {
- ServiceReference<T> sr = bc.getServiceReference(clazz);
- if (sr == null)
- throw new CmsException("No service available for " + clazz);
- return bc.getService(sr);
+ /*
+ * OSGi
+ */
+
+ @Override
+ public void start(BundleContext bc) throws Exception {
+ if (!bc.getBundle().equals(bundleContext.getBundle()))
+ throw new IllegalStateException(
+ "Bundle " + bc.getBundle() + " is not consistent with " + bundleContext.getBundle());
+ init();
+ userAdminSt = new ServiceTracker<>(bundleContext, UserAdmin.class, null);
+ userAdminSt.open();
+ }
+
+ @Override
+ public void stop(BundleContext bc) throws Exception {
+ if (!bc.getBundle().equals(bundleContext.getBundle()))
+ throw new IllegalStateException(
+ "Bundle " + bc.getBundle() + " is not consistent with " + bundleContext.getBundle());
+ destroy();
}
+// private <T> T getService(Class<T> clazz) {
+// ServiceReference<T> sr = bundleContext.getServiceReference(clazz);
+// if (sr == null)
+// throw new IllegalStateException("No service available for " + clazz);
+// return bundleContext.getService(sr);
+// }
+
public static NodeState getNodeState() {
return instance.nodeState;
}
return getNodeUserAdmin().getAcceptorCredentials();
}
+ @Deprecated
public static boolean isSingleUser() {
return getNodeUserAdmin().isSingleUser();
}
return KernelUtils.getFrameworkProp(NodeConstants.HTTP_PROXY_SSL_DN);
}
+ public static IdentClient getIdentClient(String remoteAddr) {
+ if (!IdentClient.isDefaultAuthdPassphraseFileAvailable())
+ return null;
+ // TODO make passphrase more configurable
+ return new IdentClient(remoteAddr);
+ }
+
private static NodeUserAdmin getNodeUserAdmin() {
NodeUserAdmin res;
try {
res = instance.userAdminSt.waitForService(60000);
} catch (InterruptedException e) {
- throw new CmsException("Cannot retrieve Node user admin", e);
+ throw new IllegalStateException("Cannot retrieve Node user admin", e);
}
if (res == null)
- throw new CmsException("No Node user admin found");
+ throw new IllegalStateException("No Node user admin found");
return res;
// ServiceReference<UserAdmin> sr =
}
+ static ExecutorService getInternalExecutorService() {
+ return instance.internalExecutorService;
+ }
+
// static CmsSecurity getCmsSecurity() {
// return instance.nodeSecurity;
// }
return res;
}
+ static BundleContext getBundleContext() {
+ return bundleContext;
+ }
+
+ public static void main(String[] args) {
+ instance = new Activator();
+ instance.init();
+ }
+
}