X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;ds=sidebyside;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Fauth%2FUserAdminLoginModule.java;h=54d328cc9787d329aa31ffc6512f3c4fa2036075;hb=d4cd517a9ff39f08ab28c129775de19c5c0ec02a;hp=b95d0577000c8591dd8c0c700c68cb9ce72c5b90;hpb=06ec86e90b88db589d8928b80cbc236f1ea3b230;p=lgpl%2Fargeo-commons.git

diff --git a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
index b95d05770..54d328cc9 100644
--- a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
+++ b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
@@ -1,8 +1,9 @@
 package org.argeo.cms.auth;
 
+import static org.argeo.naming.LdapAttrs.cn;
+
 import java.io.IOException;
 import java.security.PrivilegedAction;
-import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.HashSet;
 import java.util.List;
@@ -26,20 +27,27 @@ import javax.servlet.http.HttpServletRequest;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.argeo.api.NodeConstants;
+import org.argeo.api.security.CryptoKeyring;
 import org.argeo.cms.CmsException;
 import org.argeo.cms.internal.kernel.Activator;
 import org.argeo.naming.LdapAttrs;
-import org.argeo.node.security.CryptoKeyring;
 import org.argeo.osgi.useradmin.AuthenticatingUser;
 import org.argeo.osgi.useradmin.IpaUtils;
 import org.argeo.osgi.useradmin.OsUserUtils;
+import org.argeo.osgi.useradmin.TokenUtils;
 import org.osgi.framework.BundleContext;
 import org.osgi.framework.FrameworkUtil;
 import org.osgi.framework.ServiceReference;
 import org.osgi.service.useradmin.Authorization;
+import org.osgi.service.useradmin.Group;
 import org.osgi.service.useradmin.User;
 import org.osgi.service.useradmin.UserAdmin;
 
+/**
+ * Use the {@link UserAdmin} in the OSGi registry as the basis for
+ * authentication.
+ */
 public class UserAdminLoginModule implements LoginModule {
 	private final static Log log = LogFactory.getLog(UserAdminLoginModule.class);
 
@@ -78,7 +86,8 @@ public class UserAdminLoginModule implements LoginModule {
 		UserAdmin userAdmin = Activator.getUserAdmin();
 		final String username;
 		final char[] password;
-		X509Certificate[] certificateChain = null;
+		Object certificateChain = null;
+		boolean preauth = false;
 		if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME)
 				&& sharedState.containsKey(CmsAuthUtils.SHARED_STATE_PWD)) {
 			// NB: required by Basic http auth
@@ -87,10 +96,24 @@ public class UserAdminLoginModule implements LoginModule {
 			// // TODO locale?
 		} else if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME)
 				&& sharedState.containsKey(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN)) {
-			// NB: required by Basic http auth
+			String certDn = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME);
+//			LdapName ldapName;
+//			try {
+//				ldapName = new LdapName(certificateName);
+//			} catch (InvalidNameException e) {
+//				e.printStackTrace();
+//				return false;
+//			}
+//			username = ldapName.getRdn(ldapName.size() - 1).getValue().toString();
+			username = certDn;
+			certificateChain = sharedState.get(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN);
+			password = null;
+		} else if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME)
+				&& sharedState.containsKey(CmsAuthUtils.SHARED_STATE_REMOTE_ADDR)
+				&& sharedState.containsKey(CmsAuthUtils.SHARED_STATE_REMOTE_PORT)) {// ident
 			username = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME);
-			certificateChain = (X509Certificate[]) sharedState.get(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN);
 			password = null;
+			preauth = true;
 		} else if (singleUser) {
 			username = OsUserUtils.getOsUsername();
 			password = null;
@@ -128,6 +151,21 @@ public class UserAdminLoginModule implements LoginModule {
 			sharedState.put(CmsAuthUtils.SHARED_STATE_PWD, password);
 		}
 		User user = searchForUser(userAdmin, username);
+
+		// Tokens
+		if (user == null) {
+			String token = username;
+			Group tokenGroup = searchForToken(userAdmin, token);
+			if (tokenGroup != null) {
+				Authorization tokenAuthorization = getAuthorizationFromToken(userAdmin, tokenGroup);
+				if (tokenAuthorization != null) {
+					bindAuthorization = tokenAuthorization;
+					authenticatedUser = (User) userAdmin.getRole(bindAuthorization.getName());
+					return true;
+				}
+			}
+		}
+
 		if (user == null)
 			return true;// expect Kerberos
 
@@ -157,6 +195,8 @@ public class UserAdminLoginModule implements LoginModule {
 			// is provided
 		} else if (singleUser) {
 			// TODO verify IP address?
+		} else if (preauth) {
+			// ident
 		} else {
 			throw new CredentialNotFoundException("No credentials provided");
 		}
@@ -167,7 +207,10 @@ public class UserAdminLoginModule implements LoginModule {
 
 	@Override
 	public boolean commit() throws LoginException {
-		subject.getPublicCredentials().add(locale);
+		if (locale == null)
+			subject.getPublicCredentials().add(Locale.getDefault());
+		else
+			subject.getPublicCredentials().add(locale);
 
 		if (singleUser) {
 			OsUserUtils.loginAsSystemUser(subject);
@@ -185,7 +228,7 @@ public class UserAdminLoginModule implements LoginModule {
 				if (authenticatedUser == null) {
 					if (log.isTraceEnabled())
 						log.trace("Neither kerberos nor user admin login succeeded. Login failed.");
-					return false;
+					throw new CredentialNotFoundException("Bad credentials.");
 				} else {
 					authenticatingUser = authenticatedUser;
 				}
@@ -213,7 +256,7 @@ public class UserAdminLoginModule implements LoginModule {
 
 		// Log and monitor new login
 		HttpServletRequest request = (HttpServletRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST);
-		CmsAuthUtils.addAuthorization(subject, authorization, locale, request);
+		CmsAuthUtils.addAuthorization(subject, authorization);
 
 		// Unlock keyring (underlying login to the JCR repository)
 		char[] password = (char[]) sharedState.get(CmsAuthUtils.SHARED_STATE_PWD);
@@ -296,4 +339,28 @@ public class UserAdminLoginModule implements LoginModule {
 		}
 
 	}
+
+	protected Group searchForToken(UserAdmin userAdmin, String token) {
+		String dn = cn + "=" + token + "," + NodeConstants.TOKENS_BASEDN;
+		Group tokenGroup = (Group) userAdmin.getRole(dn);
+		return tokenGroup;
+	}
+
+	protected Authorization getAuthorizationFromToken(UserAdmin userAdmin, Group tokenGroup) {
+		if (TokenUtils.isExpired(tokenGroup))
+			return null;
+//		String expiryDateStr = (String) tokenGroup.getProperties().get(description.name());
+//		if (expiryDateStr != null) {
+//			Instant expiryDate = NamingUtils.ldapDateToInstant(expiryDateStr);
+//			if (expiryDate.isBefore(Instant.now())) {
+//				if (log.isDebugEnabled())
+//					log.debug("Token " + tokenGroup.getName() + " has expired.");
+//				return null;
+//			}
+//		}
+		String userDn = TokenUtils.userDn(tokenGroup);
+		User user = (User) userAdmin.getRole(userDn);
+		Authorization auth = userAdmin.getAuthorization(user);
+		return auth;
+	}
 }