Remove node data model, home areas based on workspaces instead.
[lgpl/argeo-commons.git] / org.argeo.cms / src / org / argeo / cms / internal / kernel / HomeRepository.java
index 5c6f419969eed607856e092d66b5e583a256dd8b..cc7005be3850932a0a001fee778d5a7878e00cf0 100644 (file)
@@ -1,13 +1,19 @@
 package org.argeo.cms.internal.kernel;
 
 import java.security.PrivilegedAction;
+import java.text.SimpleDateFormat;
 import java.util.HashSet;
 import java.util.Set;
 
+import javax.jcr.Credentials;
+import javax.jcr.LoginException;
+import javax.jcr.NoSuchWorkspaceException;
 import javax.jcr.Node;
+import javax.jcr.Property;
 import javax.jcr.Repository;
 import javax.jcr.RepositoryException;
 import javax.jcr.Session;
+import javax.jcr.nodetype.NodeType;
 import javax.jcr.security.Privilege;
 import javax.naming.InvalidNameException;
 import javax.naming.ldap.LdapName;
@@ -15,86 +21,110 @@ import javax.security.auth.Subject;
 import javax.security.auth.login.LoginContext;
 
 import org.argeo.cms.CmsException;
+import org.argeo.jackrabbit.security.JackrabbitSecurityUtils;
 import org.argeo.jcr.JcrRepositoryWrapper;
 import org.argeo.jcr.JcrUtils;
 import org.argeo.node.NodeConstants;
-import org.argeo.node.NodeNames;
-import org.argeo.node.NodeTypes;
 import org.argeo.node.NodeUtils;
 
 /**
  * Make sure each user has a home directory available in the default workspace.
  */
 class HomeRepository extends JcrRepositoryWrapper implements KernelConstants {
+
        /** The home base path. */
-       private String homeBasePath = "/home";
-       // private String peopleBasePath = NodeConstants.PEOPLE_BASE_PATH;
+//     private String homeBasePath = KernelConstants.DEFAULT_HOME_BASE_PATH;
+//     private String usersBasePath = KernelConstants.DEFAULT_USERS_BASE_PATH;
+//     private String groupsBasePath = KernelConstants.DEFAULT_GROUPS_BASE_PATH;
 
        private Set<String> checkedUsers = new HashSet<String>();
 
-       public HomeRepository(Repository repository) {
+       private SimpleDateFormat usersDatePath = new SimpleDateFormat("YYYY/MM");
+
+       private String defaultHomeWorkspace = NodeConstants.HOME;
+       private String defaultGroupsWorkspace = NodeConstants.GROUPS;
+       private String defaultGuestsWorkspace = NodeConstants.GUESTS;
+       private final boolean remote;
+
+       public HomeRepository(Repository repository, boolean remote) {
                super(repository);
+               this.remote = remote;
                putDescriptor(NodeConstants.CN, NodeConstants.HOME);
-               LoginContext lc;
+               if (!remote) {
+                       LoginContext lc;
+                       try {
+                               lc = new LoginContext(NodeConstants.LOGIN_CONTEXT_DATA_ADMIN);
+                               lc.login();
+                       } catch (javax.security.auth.login.LoginException e1) {
+                               throw new CmsException("Cannot login as systrem", e1);
+                       }
+                       Subject.doAs(lc.getSubject(), new PrivilegedAction<Void>() {
+
+                               @Override
+                               public Void run() {
+                                       loginOrCreateWorkspace(defaultHomeWorkspace);
+                                       loginOrCreateWorkspace(defaultGroupsWorkspace);
+                                       return null;
+                               }
+
+                       });
+               }
+       }
+
+       private void loginOrCreateWorkspace(String workspace) {
+               Session adminSession = null;
                try {
-                       lc = new LoginContext(NodeConstants.LOGIN_CONTEXT_DATA_ADMIN);
-                       lc.login();
-               } catch (javax.security.auth.login.LoginException e1) {
-                       throw new CmsException("Cannot login as systrem", e1);
+                       adminSession = JcrUtils.loginOrCreateWorkspace(getRepository(workspace), workspace);
+//                     JcrUtils.addPrivilege(adminSession, "/", NodeConstants.ROLE_USER, Privilege.JCR_READ);
+
+//                     initJcr(adminSession);
+               } catch (RepositoryException e) {
+                       throw new CmsException("Cannot init JCR home", e);
+               } finally {
+                       JcrUtils.logoutQuietly(adminSession);
                }
-               Subject.doAs(lc.getSubject(), new PrivilegedAction<Void>() {
-
-                       @Override
-                       public Void run() {
-                               try {
-                                       Session adminSession = getRepository().login();
-                                       initJcr(adminSession);
-                               } catch (RepositoryException e) {
-                                       throw new CmsException("Cannot init JCR home", e);
-                               }
-                               return null;
-                       }
+       }
 
-               });
+       @Override
+       public Session login(Credentials credentials, String workspaceName)
+                       throws LoginException, NoSuchWorkspaceException, RepositoryException {
+               if (workspaceName == null) {
+                       return super.login(credentials, getUserHomeWorkspace());
+               } else {
+                       return super.login(credentials, workspaceName);
+               }
        }
 
-       // @Override
-       // public Session login() throws LoginException, RepositoryException {
-       // Session session = super.login();
-       // String username = session.getUserID();
-       // if (username == null)
-       // return session;
-       // if (session.getUserID().equals(AuthConstants.ROLE_ANONYMOUS))
-       // return session;
-       //
-       // if (checkedUsers.contains(username))
-       // return session;
-       // Session adminSession = KernelUtils.openAdminSession(getRepository(),
-       // session.getWorkspace().getName());
-       // try {
-       // syncJcr(adminSession, username);
-       // checkedUsers.add(username);
-       // } finally {
-       // JcrUtils.logoutQuietly(adminSession);
-       // }
-       // return session;
-       // }
+       protected String getUserHomeWorkspace() {
+               // TODO base on JAAS Subject metadata
+               return defaultHomeWorkspace;
+       }
+
+       protected String getGroupsWorkspace() {
+               // TODO base on JAAS Subject metadata
+               return defaultGroupsWorkspace;
+       }
+
+       protected String getGuestsWorkspace() {
+               // TODO base on JAAS Subject metadata
+               return defaultGuestsWorkspace;
+       }
 
        @Override
-       protected void processNewSession(Session session) {
+       protected void processNewSession(Session session, String workspaceName) {
                String username = session.getUserID();
-               if (username == null)
+               if (username == null || username.toString().equals(""))
                        return;
                if (session.getUserID().equals(NodeConstants.ROLE_ANONYMOUS))
                        return;
-               // if (session.getUserID().equals(AuthConstants.ROLE_KERNEL))
-               // return;
-               // if (session.getUserID().equals(SecurityConstants.ADMIN_ID))
-               // return;
+
+               String userHomeWorkspace = getUserHomeWorkspace();
+               if (workspaceName != null && !workspaceName.equals(userHomeWorkspace))
+                       return;
 
                if (checkedUsers.contains(username))
                        return;
-               Session adminSession = KernelUtils.openAdminSession(getRepository(), session.getWorkspace().getName());
+               Session adminSession = KernelUtils.openAdminSession(getRepository(workspaceName), workspaceName);
                try {
                        syncJcr(adminSession, username);
                        checkedUsers.add(username);
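Review bot: In processNewSession the new guard only returns when workspaceName is non-null and differs from the home workspace, so a null workspaceName still reaches the admin login, which is then opened with `getRepository(workspaceName)` and `workspaceName` both null instead of the home workspace that the login override redirects to; `Session adminSession = KernelUtils.openAdminSession(getRepository(userHomeWorkspace), userHomeWorkspace);` keeps the home node creation on the same workspace as the guard, unless the wrapper already resolves the name before calling processNewSession, which is not visible here. The new field `usersDatePath` is built with the pattern `"YYYY/MM"`, where `YYYY` is SimpleDateFormat's week-based year and differs from `yyyy` around the turn of the year; since the field is only referenced from commented-out code, it should either be dropped or corrected to `"yyyy/MM"`. The LoginContext created in the constructor is never logged out after the doAs block, so `lc.logout()` in a finally, or a comment stating why the system subject must stay logged in, would make the intent explicit. The `username.toString().equals("")` test can simply be `username.isEmpty()` since username is already a String. processNewSession continues past the end of this hunk.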
@@ -109,83 +139,59 @@ class HomeRepository extends JcrRepositoryWrapper implements KernelConstants {
        /** Session is logged out. */
        private void initJcr(Session adminSession) {
                try {
-                       JcrUtils.mkdirs(adminSession, homeBasePath);
-                       // JcrUtils.mkdirs(adminSession, peopleBasePath);
+//                     JcrUtils.mkdirs(adminSession, homeBasePath);
+//                     JcrUtils.mkdirs(adminSession, groupsBasePath);
                        adminSession.save();
 
-                       JcrUtils.addPrivilege(adminSession, homeBasePath, NodeConstants.ROLE_USER_ADMIN, Privilege.JCR_READ);
-                       // JcrUtils.addPrivilege(adminSession, peopleBasePath,
-                       // NodeConstants.ROLE_USER_ADMIN, Privilege.JCR_ALL);
+//                     JcrUtils.addPrivilege(adminSession, homeBasePath, NodeConstants.ROLE_USER_ADMIN, Privilege.JCR_READ);
+//                     JcrUtils.addPrivilege(adminSession, groupsBasePath, NodeConstants.ROLE_USER_ADMIN, Privilege.JCR_READ);
                        adminSession.save();
                } catch (RepositoryException e) {
-                       throw new CmsException("Cannot initialize node user admin", e);
+                       throw new CmsException("Cannot initialize home repository", e);
                } finally {
                        JcrUtils.logoutQuietly(adminSession);
                }
        }
 
-       private void syncJcr(Session session, String username) {
+       protected synchronized void syncJcr(Session adminSession, String username) {
+               // only in the default workspace
+//             if (workspaceName != null)
+//                     return;
+               // skip system users
+               if (username.endsWith(NodeConstants.ROLES_BASEDN))
+                       return;
+
                try {
-                       Node userHome = NodeUtils.getUserHome(session, username);
+                       Node userHome = NodeUtils.getUserHome(adminSession, username);
                        if (userHome == null) {
-                               String homePath = generateUserPath(homeBasePath, username);
-                               if (session.itemExists(homePath))// duplicate user id
-                                       userHome = session.getNode(homePath).getParent().addNode(JcrUtils.lastPathElement(homePath));
-                               else
-                                       userHome = JcrUtils.mkdirs(session, homePath);
-                               // userHome = JcrUtils.mkfolders(session, homePath);
-                               userHome.addMixin(NodeTypes.NODE_USER_HOME);
-                               userHome.setProperty(NodeNames.LDAP_UID, username);
-                               session.save();
-
-                               JcrUtils.clearAccessControList(session, homePath, username);
-                               JcrUtils.addPrivilege(session, homePath, username, Privilege.JCR_ALL);
-                       }
+//                             String homePath = generateUserPath(username);
+                               String userId = extractUserId(username);
+//                             if (adminSession.itemExists(homePath))// duplicate user id
+//                                     userHome = adminSession.getNode(homePath).getParent().addNode(JcrUtils.lastPathElement(homePath));
+//                             else
+//                                     userHome = JcrUtils.mkdirs(adminSession, homePath);
+                               userHome = adminSession.getRootNode().addNode(userId);
+//                             userHome.addMixin(NodeTypes.NODE_USER_HOME);
+                               userHome.addMixin(NodeType.MIX_CREATED);
+                               userHome.setProperty(Property.JCR_ID, username);
+//                             userHome.setProperty(NodeNames.LDAP_UID, username);
+                               adminSession.save();
 
-                       // Node userProfile = NodeUtils.getUserProfile(session, username);
-                       // // new user
-                       // if (userProfile == null) {
-                       // String personPath = generateUserPath(peopleBasePath, username);
-                       // Node personBase;
-                       // if (session.itemExists(personPath))// duplicate user id
-                       // personBase = session.getNode(personPath).getParent()
-                       // .addNode(JcrUtils.lastPathElement(personPath));
-                       // else
-                       // personBase = JcrUtils.mkdirs(session, personPath);
-                       // userProfile = personBase.addNode(ArgeoNames.ARGEO_PROFILE);
-                       // userProfile.addMixin(ArgeoTypes.ARGEO_USER_PROFILE);
-                       // userProfile.setProperty(ArgeoNames.ARGEO_USER_ID, username);
-                       // // userProfile.setProperty(ArgeoNames.ARGEO_ENABLED, true);
-                       // // userProfile.setProperty(ArgeoNames.ARGEO_ACCOUNT_NON_EXPIRED,
-                       // // true);
-                       // // userProfile.setProperty(ArgeoNames.ARGEO_ACCOUNT_NON_LOCKED,
-                       // // true);
-                       // //
-                       // userProfile.setProperty(ArgeoNames.ARGEO_CREDENTIALS_NON_EXPIRED,
-                       // // true);
-                       // session.save();
-                       //
-                       // JcrUtils.clearAccessControList(session, userProfile.getPath(),
-                       // username);
-                       // JcrUtils.addPrivilege(session, userProfile.getPath(), username,
-                       // Privilege.JCR_READ);
-                       // }
-
-                       // Remote roles
-                       // if (roles != null) {
-                       // writeRemoteRoles(userProfile, roles);
-                       // }
-                       if (session.hasPendingChanges())
-                               session.save();
-                       // return userProfile;
+                               JcrUtils.clearAccessControList(adminSession, userHome.getPath(), username);
+                               JcrUtils.addPrivilege(adminSession, userHome.getPath(), username, Privilege.JCR_ALL);
+//                             JackrabbitSecurityUtils.denyPrivilege(adminSession, userHome.getPath(), NodeConstants.ROLE_USER,
+//                                             Privilege.JCR_READ);
+                       }
+                       if (adminSession.hasPendingChanges())
+                               adminSession.save();
                } catch (RepositoryException e) {
-                       JcrUtils.discardQuietly(session);
+                       JcrUtils.discardQuietly(adminSession);
                        throw new CmsException("Cannot sync node security model for " + username, e);
                }
        }
 
        /** Generate path for a new user home */
-       private String generateUserPath(String base, String username) {
+       private String generateUserPath(String username) {
                LdapName dn;
                try {
                        dn = new LdapName(username);
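Review bot: In syncJcr the new home node is added as `adminSession.getRootNode().addNode(userId)` with the raw last-RDN value as the node name, whereas createWorkgroup in the same commit passes its cn through `JcrUtils.replaceInvalidChars` first; a uid containing characters that are not valid in a JCR name would fail here with a RepositoryException and surface as "Cannot sync node security model". `String relPath = JcrUtils.replaceInvalidChars(extractUserId(username)); userHome = adminSession.getRootNode().addNode(relPath);` makes the two consistent, and since lookups presumably go through NodeUtils.getUserHome rather than by path (not visible here), the sanitised name should not affect them. The old branch that handled a duplicate user id by adding a same-name sibling is now commented out, so two DNs sharing a last RDN value both reach addNode on the root; a comment stating whether a second sibling or an ItemExistsException is the expected outcome would help the next reader. initJcr now consists only of commented-out statements around two no-op saves and has no caller left in the visible hunks, so it should be removed or its body restored rather than kept as dead code. The commented-out denyPrivilege for ROLE_USER below the addPrivilege call leaves open whether other authenticated users are meant to read each other's home nodes; a comment documenting the intended visibility at the workspace root would keep that from being decided by the root ACL by accident.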
@@ -193,16 +199,64 @@ class HomeRepository extends JcrRepositoryWrapper implements KernelConstants {
                        throw new CmsException("Invalid name " + username, e);
                }
                String userId = dn.getRdn(dn.size() - 1).getValue().toString();
-               int atIndex = userId.indexOf('@');
-               if (atIndex > 0) {
-                       String domain = userId.substring(0, atIndex);
-                       String name = userId.substring(atIndex + 1);
-                       return base + '/' + domain + '/' + name;
-               } else if (atIndex == 0 || atIndex == (userId.length() - 1)) {
-                       throw new CmsException("Unsupported username " + userId);
-               } else {
-                       return base + '/' + userId;
+               return '/' + userId;
+//             int atIndex = userId.indexOf('@');
+//             if (atIndex < 0) {
+//                     return homeBasePath+'/' + userId;
+//             } else {
+//                     return usersBasePath + '/' + usersDatePath.format(new Date()) + '/' + userId;
+//             }
+       }
+
+       private String extractUserId(String username) {
+               LdapName dn;
+               try {
+                       dn = new LdapName(username);
+               } catch (InvalidNameException e) {
+                       throw new CmsException("Invalid name " + username, e);
                }
+               String userId = dn.getRdn(dn.size() - 1).getValue().toString();
+               return userId;
+//             int atIndex = userId.indexOf('@');
+//             if (atIndex < 0) {
+//                     return homeBasePath+'/' + userId;
+//             } else {
+//                     return usersBasePath + '/' + usersDatePath.format(new Date()) + '/' + userId;
+//             }
+       }
+
+       public void createWorkgroup(LdapName dn) {
+               String groupsWorkspace = getGroupsWorkspace();
+               Session adminSession = KernelUtils.openAdminSession(getRepository(groupsWorkspace), groupsWorkspace);
+               String cn = dn.getRdn(dn.size() - 1).getValue().toString();
+               Node newWorkgroup = NodeUtils.getGroupHome(adminSession, cn);
+               if (newWorkgroup != null) {
+                       JcrUtils.logoutQuietly(adminSession);
+                       throw new CmsException("Workgroup " + newWorkgroup + " already exists for " + dn);
+               }
+               try {
+                       // TODO enhance transformation of cn to a valid node name
+                       // String relPath = cn.replaceAll("[^a-zA-Z0-9]", "_");
+                       String relPath = JcrUtils.replaceInvalidChars(cn);
+                       newWorkgroup = adminSession.getRootNode().addNode(relPath, NodeType.NT_UNSTRUCTURED);
+//                     newWorkgroup = JcrUtils.mkdirs(adminSession.getNode(groupsBasePath), relPath, NodeType.NT_UNSTRUCTURED);
+//                     newWorkgroup.addMixin(NodeTypes.NODE_GROUP_HOME);
+                       newWorkgroup.addMixin(NodeType.MIX_CREATED);
+                       newWorkgroup.setProperty(Property.JCR_ID, dn.toString());
+//                     newWorkgroup.setProperty(NodeNames.LDAP_CN, cn);
+                       adminSession.save();
+                       JcrUtils.addPrivilege(adminSession, newWorkgroup.getPath(), dn.toString(), Privilege.JCR_ALL);
+                       adminSession.save();
+               } catch (RepositoryException e) {
+                       throw new CmsException("Cannot create workgroup", e);
+               } finally {
+                       JcrUtils.logoutQuietly(adminSession);
+               }
+
+       }
+
+       public boolean isRemote() {
+               return remote;
        }
 
 }
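Review bot: In createWorkgroup the admin session is opened and `NodeUtils.getGroupHome` plus the RDN extraction run before the try block, so if either of them throws the session is never logged out; moving them inside the try lets the existing finally cover every path and makes the explicit `logoutQuietly` before the "already exists" throw unnecessary. The "already exists" message concatenates the Node itself, which prints the implementation's toString rather than a path, and `newWorkgroup.getPath()` is clearer once the lookup sits inside the try where its RepositoryException is caught. generateUserPath is now reduced to `'/' + userId`, duplicates the DN parsing in extractUserId, and has no remaining caller in the visible hunks (the call in syncJcr is commented out); it can be deleted or rewritten as `return '/' + extractUserId(username);`.
```java
	Session adminSession = KernelUtils.openAdminSession(getRepository(groupsWorkspace), groupsWorkspace);
	try {
		String cn = dn.getRdn(dn.size() - 1).getValue().toString();
		Node newWorkgroup = NodeUtils.getGroupHome(adminSession, cn);
		if (newWorkgroup != null)
			throw new CmsException("Workgroup " + newWorkgroup.getPath() + " already exists for " + dn);
		// … unchanged: node creation, jcr:id property and ACL setup …
	}
	// … unchanged: catch RepositoryException, finally logoutQuietly …
```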