import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
+import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Dictionary;
import java.util.Iterator;
+import java.util.List;
+import java.util.Optional;
import java.util.Set;
-import javax.naming.ldap.LdapName;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import org.argeo.api.cms.CmsAuth;
import org.argeo.api.cms.CmsConstants;
import org.argeo.api.cms.CmsLog;
+import org.argeo.api.cms.CmsState;
import org.argeo.cms.internal.http.client.HttpCredentialProvider;
import org.argeo.cms.internal.http.client.SpnegoAuthScheme;
-import org.argeo.osgi.transaction.WorkControl;
-import org.argeo.osgi.transaction.WorkTransaction;
-import org.argeo.osgi.useradmin.AbstractUserDirectory;
import org.argeo.osgi.useradmin.AggregatingUserAdmin;
-import org.argeo.osgi.useradmin.LdapUserAdmin;
-import org.argeo.osgi.useradmin.LdifUserAdmin;
-import org.argeo.osgi.useradmin.OsUserDirectory;
-import org.argeo.osgi.useradmin.UserAdminConf;
+import org.argeo.osgi.useradmin.DirectoryUserAdmin;
import org.argeo.osgi.useradmin.UserDirectory;
-import org.argeo.util.naming.DnsBrowser;
+import org.argeo.util.directory.DirectoryConf;
+import org.argeo.util.naming.dns.DnsBrowser;
+import org.argeo.util.transaction.WorkControl;
+import org.argeo.util.transaction.WorkTransaction;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
* Aggregates multiple {@link UserDirectory} and integrates them with system
* roles.
*/
-public class CmsUserAdmin extends AggregatingUserAdmin {
+public class CmsUserAdmin extends AggregatingUserAdmin {
private final static CmsLog log = CmsLog.getLog(CmsUserAdmin.class);
// GSS API
private WorkControl transactionManager;
private WorkTransaction userTransaction;
+ private CmsState cmsState;
+
public CmsUserAdmin() {
super(CmsConstants.ROLES_BASEDN, CmsConstants.TOKENS_BASEDN);
}
public void start() {
+ super.start();
+ List<Dictionary<String, Object>> configs = InitUtils.getUserDirectoryConfigs();
+ for (Dictionary<String, Object> config : configs) {
+ UserDirectory userDirectory = enableUserDirectory(config);
+ if (userDirectory.getRealm().isPresent())
+ loadIpaJaasConfiguration();
+ }
}
public void stop() {
+// for (UserDirectory userDirectory : getUserDirectories()) {
+// removeUserDirectory(userDirectory);
+// }
+ super.stop();
}
-
+
public UserDirectory enableUserDirectory(Dictionary<String, ?> properties) {
- String uri = (String) properties.get(UserAdminConf.uri.name());
- Object realm = properties.get(UserAdminConf.realm.name());
+ String uri = (String) properties.get(DirectoryConf.uri.name());
+ Object realm = properties.get(DirectoryConf.realm.name());
URI u;
try {
if (uri == null) {
- String baseDn = (String) properties.get(UserAdminConf.baseDn.name());
+ String baseDn = (String) properties.get(DirectoryConf.baseDn.name());
u = KernelUtils.getOsgiInstanceUri(KernelConstants.DIR_NODE + '/' + baseDn + ".ldif");
} else if (realm != null) {
u = null;
}
// Create
- AbstractUserDirectory userDirectory;
- if (realm != null || UserAdminConf.SCHEME_LDAP.equals(u.getScheme())
- || UserAdminConf.SCHEME_LDAPS.equals(u.getScheme())) {
- userDirectory = new LdapUserAdmin(properties);
- } else if (UserAdminConf.SCHEME_FILE.equals(u.getScheme())) {
- userDirectory = new LdifUserAdmin(u, properties);
- } else if (UserAdminConf.SCHEME_OS.equals(u.getScheme())) {
- userDirectory = new OsUserDirectory(u, properties);
- singleUser = true;
- } else {
- throw new IllegalArgumentException("Unsupported scheme " + u.getScheme());
- }
- LdapName baseDn = userDirectory.getBaseDn();
+ UserDirectory userDirectory = new DirectoryUserAdmin(u, properties);
+// if (realm != null || DirectoryConf.SCHEME_LDAP.equals(u.getScheme())
+// || DirectoryConf.SCHEME_LDAPS.equals(u.getScheme())) {
+// userDirectory = new LdapUserAdmin(properties);
+// } else if (DirectoryConf.SCHEME_FILE.equals(u.getScheme())) {
+// userDirectory = new LdifUserAdmin(u, properties);
+// } else if (DirectoryConf.SCHEME_OS.equals(u.getScheme())) {
+// userDirectory = new OsUserDirectory(u, properties);
+// singleUser = true;
+// } else {
+// throw new IllegalArgumentException("Unsupported scheme " + u.getScheme());
+// }
+ String basePath = userDirectory.getContext();
addUserDirectory(userDirectory);
- if (isSystemRolesBaseDn(baseDn)) {
+ if (isSystemRolesBaseDn(basePath)) {
addStandardSystemRoles();
- }
+ }
if (log.isDebugEnabled()) {
- log.debug("User directory " + userDirectory.getBaseDn() + (u != null ? " [" + u.getScheme() + "]" : "")
+ log.debug("User directory " + userDirectory.getContext() + (u != null ? " [" + u.getScheme() + "]" : "")
+ " enabled." + (realm != null ? " " + realm + " realm." : ""));
}
return userDirectory;
}
-
protected void addStandardSystemRoles() {
// we assume UserTransaction is already available (TODO make it more robust)
try {
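Review bot: The scheme dispatch in enableUserDirectory(), including the `Unsupported scheme` rejection, survives only as a comment, so `new DirectoryUserAdmin(u, properties)` now receives the URI unvalidated, and `u` is null whenever a realm is configured. Whether DirectoryUserAdmin rejects unknown schemes and tolerates a null URI is not visible in this diff; if it does not, keep an explicit allow-list check on `u.getScheme()` here before constructing it. The OS-scheme branch also used to set `singleUser = true`, and nothing in the new lines replaces that. Delete the commented-out block rather than carrying it along (the same applies to the commented loop in stop()), since version control already holds the old code.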
}
}
-
@Override
protected void addAbstractSystemRoles(Authorization rawAuthorization, Set<String> sysRoles) {
if (rawAuthorization.getName() == null) {
}
}
- protected void postAdd(AbstractUserDirectory userDirectory) {
+ @Override
+ protected void postAdd(UserDirectory userDirectory) {
userDirectory.setTransactionControl(transactionManager);
- Object realm = userDirectory.getProperties().get(UserAdminConf.realm.name());
- if (realm != null) {
+ Optional<String> realm = userDirectory.getRealm();
+ if (realm.isPresent()) {
if (Files.exists(nodeKeyTab)) {
- String servicePrincipal = getKerberosServicePrincipal(realm.toString());
+ String servicePrincipal = getKerberosServicePrincipal(realm.get());
if (servicePrincipal != null) {
CallbackHandler callbackHandler = new CallbackHandler() {
@Override
}
}
- protected void preDestroy(AbstractUserDirectory userDirectory) {
- Object realm = userDirectory.getProperties().get(UserAdminConf.realm.name());
- if (realm != null) {
+ @Override
+ protected void preDestroy(UserDirectory userDirectory) {
+ Optional<String> realm = userDirectory.getRealm();
+ if (realm.isPresent()) {
if (acceptorCredentials != null) {
try {
acceptorCredentials.dispose();
}
}
+ private void loadIpaJaasConfiguration() {
+ if (System.getProperty(KernelConstants.JAAS_CONFIG_PROP) == null) {
+ String jaasConfig = KernelConstants.JAAS_CONFIG_IPA;
+ URL url = getClass().getClassLoader().getResource(jaasConfig);
+ KernelUtils.setJaasConfiguration(url);
+ log.debug("Set IPA JAAS configuration.");
+ }
+ }
+
private String getKerberosServicePrincipal(String realm) {
String hostname;
try (DnsBrowser dnsBrowser = new DnsBrowser()) {
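Review bot: `getResource(jaasConfig)` in loadIpaJaasConfiguration() can return null, and the result is passed to `KernelUtils.setJaasConfiguration(url)` unchecked, after which the method logs that the IPA configuration was set. That helper is outside the hunk, so its behaviour on null is unknown here, but a directory with a Kerberos realm should fail at startup rather than run with an unintended login configuration; add `if (url == null) throw new IllegalStateException("Missing JAAS configuration resource " + jaasConfig);` before the call. Because the class is not final, `CmsUserAdmin.class.getClassLoader()` would pin the lookup to this class's own loader instead of a subclass's. When the system property is already set the method silently keeps the existing configuration, and a debug line naming that value would make the effective JAAS source auditable.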
}
private GSSCredential logInAsAcceptor(Subject subject, String servicePrincipal) {
+ // not static because class is not supported by Android
+ final Oid KERBEROS_OID;
+ try {
+ KERBEROS_OID = new Oid("1.3.6.1.5.5.2");
+ } catch (GSSException e) {
+ throw new IllegalStateException("Cannot create Kerberos OID", e);
+ }
// GSS
Iterator<KerberosPrincipal> krb5It = subject.getPrincipals(KerberosPrincipal.class).iterator();
if (!krb5It.hasNext())
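Review bot: The local `KERBEROS_OID` added to logInAsAcceptor() holds `1.3.6.1.5.5.2`, which is the SPNEGO mechanism OID; Kerberos V5 itself is `1.2.840.113554.1.2.2`. The name is inherited from the removed static field, but it misleads anyone checking which GSS mechanism the acceptor credential is created for; rename it to `spnegoOid` (a local is not a constant, so lowerCamelCase fits) or add `// SPNEGO mechanism OID, despite the historical name`. The rest of the method, including where the OID is used, lies outside the hunk. Dropping the `public final static` field further down also breaks any external reference to `CmsUserAdmin.KERBEROS_OID`, which cannot be checked from this page.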
this.userTransaction = userTransaction;
}
- /*
- * STATIC
- */
-
- public final static Oid KERBEROS_OID;
- static {
- try {
- KERBEROS_OID = new Oid("1.3.6.1.5.5.2");
- } catch (GSSException e) {
- throw new IllegalStateException("Cannot create Kerberos OID", e);
- }
+ public void setCmsState(CmsState cmsState) {
+ this.cmsState = cmsState;
}
+
}