Work on hardening.

[lgpl/argeo-commons.git] / org.argeo.cms / src / org / argeo / cms / internal / kernel / Activator.java
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java

index 5ef545e6fa49e8cc59880ae9f3dc9b6fb5db14c0..d7b953b5389eae6a4cecbb5b4bbe336c3aea6131 100644 (file)
--- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java
@@ -4,6 +4,7 @@ import java.io.IOException;
  import java.net.URL;
  import java.nio.file.Files;
  import java.nio.file.Path;
+import java.security.AllPermission;
  import java.util.Dictionary;
  import java.util.List;
  import java.util.Locale;
@@ -13,6 +14,7 @@ import javax.security.auth.login.Configuration;
  import org.apache.commons.logging.Log;
  import org.apache.commons.logging.LogFactory;
  import org.argeo.cms.CmsException;
+import org.argeo.ident.IdentClient;
  import org.argeo.node.ArgeoLogger;
  import org.argeo.node.NodeConstants;
  import org.argeo.node.NodeDeployment;
@@ -24,7 +26,13 @@ import org.osgi.framework.BundleActivator;
  import org.osgi.framework.BundleContext;
  import org.osgi.framework.Constants;
  import org.osgi.framework.ServiceReference;
+import org.osgi.service.condpermadmin.BundleLocationCondition;
+import org.osgi.service.condpermadmin.ConditionInfo;
+import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
+import org.osgi.service.condpermadmin.ConditionalPermissionInfo;
+import org.osgi.service.condpermadmin.ConditionalPermissionUpdate;
  import org.osgi.service.log.LogReaderService;
+import org.osgi.service.permissionadmin.PermissionInfo;
  import org.osgi.service.useradmin.UserAdmin;
  import org.osgi.util.tracker.ServiceTracker;
  
@@ -37,6 +45,9 @@ public class Activator implements BundleActivator {
  
         private static Activator instance;
  
+       // TODO make it configurable
+       private boolean hardened = false;
+
         private BundleContext bc;
  
         private LogReaderService logReaderService;
@@ -62,7 +73,8 @@ public class Activator implements BundleActivator {
  
                         userAdminSt = new ServiceTracker<>(instance.bc, UserAdmin.class, null);
                         userAdminSt.open();
-                       log.debug("Kernel bundle started");
+                       if (log.isTraceEnabled())
+                               log.trace("Kernel bundle started");
                 } catch (Throwable e) {
                         log.error("## FATAL: CMS activator failed", e);
                 }
@@ -79,20 +91,39 @@ public class Activator implements BundleActivator {
                 // explicitly load JAAS configuration
                 Configuration.getConfiguration();
  
-               // ConditionalPermissionAdmin permissionAdmin = bc
-               // .getService(bc.getServiceReference(ConditionalPermissionAdmin.class));
-               // ConditionalPermissionUpdate update =
-               // permissionAdmin.newConditionalPermissionUpdate();
-               // // Self
-               // update.getConditionalPermissionInfos()
-               // .add(permissionAdmin.newConditionalPermissionInfo(null,
-               // new ConditionInfo[] {
-               // new ConditionInfo(BundleLocationCondition.class.getName(), new
-               // String[] { "*" }) },
-               // new PermissionInfo[] { new
-               // PermissionInfo(AllPermission.class.getName(), null, null) },
-               // ConditionalPermissionInfo.ALLOW));
-               //
+               // code-level permissions
+               String osgiSecurity = KernelUtils.getFrameworkProp(Constants.FRAMEWORK_SECURITY);
+               if (osgiSecurity != null && Constants.FRAMEWORK_SECURITY_OSGI.equals(osgiSecurity)) {
+                       // TODO rather use a tracker?
+                       ConditionalPermissionAdmin permissionAdmin = bc
+                                       .getService(bc.getServiceReference(ConditionalPermissionAdmin.class));
+                       if (!hardened) {
+                               // All permissions to all bundles
+                               ConditionalPermissionUpdate update = permissionAdmin.newConditionalPermissionUpdate();
+                               update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
+                                               new ConditionInfo[] {
+                                                               new ConditionInfo(BundleLocationCondition.class.getName(), new String[] { "*" }) },
+                                               new PermissionInfo[] { new PermissionInfo(AllPermission.class.getName(), null, null) },
+                                               ConditionalPermissionInfo.ALLOW));
+                               // TODO data admin permission
+//                             PermissionInfo dataAdminPerm = new PermissionInfo(AuthPermission.class.getName(),
+//                                             "createLoginContext." + NodeConstants.LOGIN_CONTEXT_DATA_ADMIN, null);
+//                             update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
+//                                             new ConditionInfo[] {
+//                                                             new ConditionInfo(BundleLocationCondition.class.getName(), new String[] { "*" }) },
+//                                             new PermissionInfo[] { dataAdminPerm }, ConditionalPermissionInfo.DENY));
+//                             update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
+//                                             new ConditionInfo[] {
+//                                                             new ConditionInfo(BundleSignerCondition.class.getName(), new String[] { "CN=\"Eclipse.org Foundation, Inc.\", OU=IT, O=\"Eclipse.org Foundation, Inc.\", L=Nepean, ST=Ontario, C=CA" }) },
+//                                             new PermissionInfo[] { dataAdminPerm }, ConditionalPermissionInfo.ALLOW));
+                               update.commit();
+                       } else {
+                               SecurityProfile securityProfile = new SecurityProfile() {
+                               };
+                               securityProfile.applySystemPermissions(permissionAdmin);
+                       }
+               }
+
         }
  
         private void initArgeoLogger() {
@@ -173,6 +204,13 @@ public class Activator implements BundleActivator {
                 return KernelUtils.getFrameworkProp(NodeConstants.HTTP_PROXY_SSL_DN);
         }
  
+       public static IdentClient getIdentClient(String remoteAddr) {
+               if (!IdentClient.isDefaultAuthdPassphraseFileAvailable())
+                       return null;
+               // TODO make passphrase more configurable
+               return new IdentClient(remoteAddr);
+       }
+
         private static NodeUserAdmin getNodeUserAdmin() {
                 NodeUserAdmin res;
                 try {