import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
+import java.security.AllPermission;
import java.util.Dictionary;
import java.util.List;
import java.util.Locale;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.argeo.cms.CmsException;
+import org.argeo.ident.IdentClient;
import org.argeo.node.ArgeoLogger;
import org.argeo.node.NodeConstants;
import org.argeo.node.NodeDeployment;
import org.osgi.framework.BundleContext;
import org.osgi.framework.Constants;
import org.osgi.framework.ServiceReference;
+import org.osgi.service.condpermadmin.BundleLocationCondition;
+import org.osgi.service.condpermadmin.ConditionInfo;
+import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
+import org.osgi.service.condpermadmin.ConditionalPermissionInfo;
+import org.osgi.service.condpermadmin.ConditionalPermissionUpdate;
import org.osgi.service.log.LogReaderService;
+import org.osgi.service.permissionadmin.PermissionInfo;
import org.osgi.service.useradmin.UserAdmin;
+import org.osgi.util.tracker.ServiceTracker;
/**
* Activates the kernel. Gives access to kernel information for the rest of the
private static Activator instance;
+ // TODO make it configurable
+ private boolean hardened = false;
+
private BundleContext bc;
- // private CmsSecurity nodeSecurity;
+
private LogReaderService logReaderService;
- // private ConfigurationAdmin configurationAdmin;
private NodeLogger logger;
private CmsState nodeState;
private CmsDeployment nodeDeployment;
private CmsInstance nodeInstance;
+ private ServiceTracker<UserAdmin, NodeUserAdmin> userAdminSt;
+
@Override
public void start(BundleContext bundleContext) throws Exception {
Runtime.getRuntime().addShutdownHook(new CmsShutdown());
instance = this;
this.bc = bundleContext;
this.logReaderService = getService(LogReaderService.class);
- // this.configurationAdmin = getService(ConfigurationAdmin.class);
try {
- // nodeSecurity = new CmsSecurity();
initSecurity();
initArgeoLogger();
initNode();
- } catch (Exception e) {
+
+ userAdminSt = new ServiceTracker<>(instance.bc, UserAdmin.class, null);
+ userAdminSt.open();
+ if (log.isTraceEnabled())
+ log.trace("Kernel bundle started");
+ } catch (Throwable e) {
log.error("## FATAL: CMS activator failed", e);
}
}
// explicitly load JAAS configuration
Configuration.getConfiguration();
- // ConditionalPermissionAdmin permissionAdmin = bc
- // .getService(bc.getServiceReference(ConditionalPermissionAdmin.class));
- // ConditionalPermissionUpdate update =
- // permissionAdmin.newConditionalPermissionUpdate();
- // // Self
- // update.getConditionalPermissionInfos()
- // .add(permissionAdmin.newConditionalPermissionInfo(null,
- // new ConditionInfo[] {
- // new ConditionInfo(BundleLocationCondition.class.getName(), new
- // String[] { "*" }) },
- // new PermissionInfo[] { new
- // PermissionInfo(AllPermission.class.getName(), null, null) },
- // ConditionalPermissionInfo.ALLOW));
- //
+ // code-level permissions
+ String osgiSecurity = KernelUtils.getFrameworkProp(Constants.FRAMEWORK_SECURITY);
+ if (osgiSecurity != null && Constants.FRAMEWORK_SECURITY_OSGI.equals(osgiSecurity)) {
+ // TODO rather use a tracker?
+ ConditionalPermissionAdmin permissionAdmin = bc
+ .getService(bc.getServiceReference(ConditionalPermissionAdmin.class));
+ if (!hardened) {
+ // All permissions to all bundles
+ ConditionalPermissionUpdate update = permissionAdmin.newConditionalPermissionUpdate();
+ update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
+ new ConditionInfo[] {
+ new ConditionInfo(BundleLocationCondition.class.getName(), new String[] { "*" }) },
+ new PermissionInfo[] { new PermissionInfo(AllPermission.class.getName(), null, null) },
+ ConditionalPermissionInfo.ALLOW));
+ // TODO data admin permission
+// PermissionInfo dataAdminPerm = new PermissionInfo(AuthPermission.class.getName(),
+// "createLoginContext." + NodeConstants.LOGIN_CONTEXT_DATA_ADMIN, null);
+// update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
+// new ConditionInfo[] {
+// new ConditionInfo(BundleLocationCondition.class.getName(), new String[] { "*" }) },
+// new PermissionInfo[] { dataAdminPerm }, ConditionalPermissionInfo.DENY));
+// update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
+// new ConditionInfo[] {
+// new ConditionInfo(BundleSignerCondition.class.getName(), new String[] { "CN=\"Eclipse.org Foundation, Inc.\", OU=IT, O=\"Eclipse.org Foundation, Inc.\", L=Nepean, ST=Ontario, C=CA" }) },
+// new PermissionInfo[] { dataAdminPerm }, ConditionalPermissionInfo.ALLOW));
+ update.commit();
+ } else {
+ SecurityProfile securityProfile = new SecurityProfile() {
+ };
+ securityProfile.applySystemPermissions(permissionAdmin);
+ }
+ }
+
}
private void initArgeoLogger() {
- // Jetty
- // disable integration of Jetty logging with SLF4J
- // in order to avoid chicken and egg problems
- // org.eclipse.jetty.util.log.Log.setLog(new StdErrLog());
- // org.eclipse.jetty.util.log.Logger jettyLog =
- // org.eclipse.jetty.util.log.Log.getLog();
- // if (jettyLog != null) {
- // jettyLog.warn("TEST JETTY LOG", new Object[0]);
- // }
-
logger = new NodeLogger(logReaderService);
bc.registerService(ArgeoLogger.class, logger, null);
}
if (nodeState != null)
nodeState.shutdown();
+ if (userAdminSt != null)
+ userAdminSt.close();
+
instance = null;
this.bc = null;
this.logReaderService = null;
return getNodeUserAdmin().isSingleUser();
}
+ public static UserAdmin getUserAdmin() {
+ return (UserAdmin) getNodeUserAdmin();
+ }
+
+ public static String getHttpProxySslHeader() {
+ return KernelUtils.getFrameworkProp(NodeConstants.HTTP_PROXY_SSL_DN);
+ }
+
+ public static IdentClient getIdentClient(String remoteAddr) {
+ if (!IdentClient.isDefaultAuthdPassphraseFileAvailable())
+ return null;
+ // TODO make passphrase more configurable
+ return new IdentClient(remoteAddr);
+ }
+
private static NodeUserAdmin getNodeUserAdmin() {
- ServiceReference<UserAdmin> sr = instance.bc.getServiceReference(UserAdmin.class);
- NodeUserAdmin userAdmin = (NodeUserAdmin) instance.bc.getService(sr);
- return userAdmin;
+ NodeUserAdmin res;
+ try {
+ res = instance.userAdminSt.waitForService(60000);
+ } catch (InterruptedException e) {
+ throw new CmsException("Cannot retrieve Node user admin", e);
+ }
+ if (res == null)
+ throw new CmsException("No Node user admin found");
+
+ return res;
+ // ServiceReference<UserAdmin> sr =
+ // instance.bc.getServiceReference(UserAdmin.class);
+ // NodeUserAdmin userAdmin = (NodeUserAdmin) instance.bc.getService(sr);
+ // return userAdmin;
}
projects / lgpl / argeo-commons.git / blobdiff