X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Fauth%2FCmsAuthUtils.java;h=72676611e4e43f631429c52e8b31a6a0893e4529;hb=b71546ddc74d6ca49d252806aafd491c75dfe1fb;hp=ab40e720c2eaf58b2b3d1a9457ee86c8dedbb47a;hpb=c1d7a7fa363100689019e733314723196280175b;p=lgpl%2Fargeo-commons.git

diff --git a/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java b/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java
index ab40e720c..72676611e 100644
--- a/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java
+++ b/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java
@@ -10,21 +10,16 @@ import javax.naming.InvalidNameException;
 import javax.naming.ldap.LdapName;
 import javax.security.auth.Subject;
 import javax.security.auth.x500.X500Principal;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpSession;
 
-//import org.apache.jackrabbit.core.security.AnonymousPrincipal;
-//import org.apache.jackrabbit.core.security.SecurityConstants;
-//import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
-import org.argeo.cms.CmsException;
+import org.argeo.api.cms.CmsSession;
+import org.argeo.api.cms.CmsSessionId;
+import org.argeo.api.cms.DataAdminPrincipal;
+import org.argeo.api.cms.AnonymousPrincipal;
+import org.argeo.api.cms.CmsConstants;
 import org.argeo.cms.internal.auth.CmsSessionImpl;
 import org.argeo.cms.internal.auth.ImpliedByPrincipal;
 import org.argeo.cms.internal.http.WebCmsSessionImpl;
-import org.argeo.cms.internal.kernel.Activator;
-import org.argeo.node.NodeConstants;
-import org.argeo.node.security.AnonymousPrincipal;
-import org.argeo.node.security.DataAdminPrincipal;
-import org.argeo.node.security.NodeSecurityUtils;
+import org.argeo.cms.security.NodeSecurityUtils;
 import org.argeo.osgi.useradmin.AuthenticatingUser;
 import org.osgi.framework.BundleContext;
 import org.osgi.framework.InvalidSyntaxException;
@@ -32,6 +27,7 @@ import org.osgi.framework.ServiceReference;
 import org.osgi.service.http.HttpContext;
 import org.osgi.service.useradmin.Authorization;
 
+/** Centralises security related registrations. */
 class CmsAuthUtils {
 	// Standard
 	final static String SHARED_STATE_NAME = AuthenticatingUser.SHARED_STATE_NAME;
@@ -55,9 +51,7 @@ class CmsAuthUtils {
 		// required for display name:
 		subject.getPrivateCredentials().add(authorization);
 
-		if (Activator.isSingleUser()) {
-			subject.getPrincipals().add(new DataAdminPrincipal());
-		}
+		boolean singleUser = authorization instanceof SingleUserAuthorization;
 
 		Set<Principal> principals = subject.getPrincipals();
 		try {
@@ -75,8 +69,11 @@ class CmsAuthUtils {
 				NodeSecurityUtils.checkUserName(name);
 				userPrincipal = new X500Principal(name.toString());
 				principals.add(userPrincipal);
-				// principals.add(new ImpliedByPrincipal(NodeSecurityUtils.ROLE_USER_NAME,
-				// userPrincipal));
+
+				if (singleUser) {
+					principals.add(new ImpliedByPrincipal(NodeSecurityUtils.ROLE_ADMIN_NAME, userPrincipal));
+					principals.add(new DataAdminPrincipal());
+				}
 			}
 
 			// Add roles provided by authorization
@@ -95,10 +92,8 @@ class CmsAuthUtils {
 			}
 
 		} catch (InvalidNameException e) {
-			throw new CmsException("Cannot commit", e);
+			throw new IllegalArgumentException("Cannot commit", e);
 		}
-
-		// registerSessionAuthorization(request, subject, authorization, locale);
 	}
 
 	private static void checkSubjectEmpty(Subject subject) {
@@ -126,72 +121,83 @@ class CmsAuthUtils {
 		// subject.getPrincipals().removeAll(subject.getPrincipals(AnonymousPrincipal.class));
 	}
 
-	synchronized static void registerSessionAuthorization(HttpServletRequest request, Subject subject,
+	@SuppressWarnings("unused")
+	synchronized static void registerSessionAuthorization(RemoteAuthRequest request, Subject subject,
 			Authorization authorization, Locale locale) {
 		// synchronized in order to avoid multiple registrations
 		// TODO move it to a service in order to avoid static synchronization
 		if (request != null) {
-			HttpSession httpSession = request.getSession(false);
+			RemoteAuthSession httpSession = request.getSession();
 			assert httpSession != null;
 			String httpSessId = httpSession.getId();
-			String remoteUser = authorization.getName() != null ? authorization.getName()
-					: NodeConstants.ROLE_ANONYMOUS;
+			boolean anonymous = authorization.getName() == null;
+			String remoteUser = !anonymous ? authorization.getName() : CmsConstants.ROLE_ANONYMOUS;
 			request.setAttribute(HttpContext.REMOTE_USER, remoteUser);
 			request.setAttribute(HttpContext.AUTHORIZATION, authorization);
 
-			CmsSessionImpl cmsSession = CmsSessionImpl.getByLocalId(httpSessId);
-			if (cmsSession != null) {
-				if (authorization.getName() != null) {
-					if (cmsSession.getAuthorization().getName() == null) {
-						cmsSession.close();
-						cmsSession = null;
-					} else if (!authorization.getName().equals(cmsSession.getAuthorization().getName())) {
-						throw new CmsException("Inconsistent user " + authorization.getName()
-								+ " for existing CMS session " + cmsSession);
-					}
-					// keyring
-					if (cmsSession != null)
+			CmsSessionImpl cmsSession;
+			CmsSessionImpl currentLocalSession = CmsSessionImpl.getByLocalId(httpSessId);
+			if (currentLocalSession != null) {
+				boolean currentLocalSessionAnonymous = currentLocalSession.getAuthorization().getName() == null;
+				if (!anonymous) {
+					if (currentLocalSessionAnonymous) {
+						currentLocalSession.close();
+						// new CMS session
+						cmsSession = new WebCmsSessionImpl(subject, authorization, locale, request);
+					} else if (!authorization.getName().equals(currentLocalSession.getAuthorization().getName())) {
+						throw new IllegalStateException("Inconsistent user " + authorization.getName()
+								+ " for existing CMS session " + currentLocalSession);
+					} else {
+						// keep current session
+						cmsSession = currentLocalSession;
+						// keyring
 						subject.getPrivateCredentials().addAll(cmsSession.getSecretKeys());
+					}
 				} else {// anonymous
-					if (cmsSession.getAuthorization().getName() != null) {
-						cmsSession.close();
-						// TODO rather throw an exception ? log a warning ?
-						cmsSession = null;
+					if (!currentLocalSessionAnonymous) {
+						currentLocalSession.close();
+						throw new IllegalStateException(
+								"Existing CMS session " + currentLocalSession + " was not logged out properly.");
 					}
+					// keep current session
+					cmsSession = currentLocalSession;
 				}
-			} else if (cmsSession == null) {
+			} else {
+				// new CMS session
 				cmsSession = new WebCmsSessionImpl(subject, authorization, locale, request);
 			}
-			// request.setAttribute(CmsSession.class.getName(), cmsSession);
-			if (cmsSession != null) {
-				CmsSessionId nodeSessionId = new CmsSessionId(cmsSession.getUuid());
-				if (subject.getPrivateCredentials(CmsSessionId.class).size() == 0)
-					subject.getPrivateCredentials().add(nodeSessionId);
-				else {
-					UUID storedSessionId = subject.getPrivateCredentials(CmsSessionId.class).iterator().next()
-							.getUuid();
-					// if (storedSessionId.equals(httpSessionId.getValue()))
-					throw new CmsException(
-							"Subject already logged with session " + storedSessionId + " (not " + nodeSessionId + ")");
-				}
+
+			if (cmsSession == null)// should be dead code (cf. SuppressWarning of the method)
+				throw new IllegalStateException("CMS session cannot be null");
+
+			CmsSessionId nodeSessionId = new CmsSessionId(cmsSession.getUuid());
+			if (subject.getPrivateCredentials(CmsSessionId.class).size() == 0) {
+				subject.getPrivateCredentials().add(nodeSessionId);
+			} else {
+				UUID storedSessionId = subject.getPrivateCredentials(CmsSessionId.class).iterator().next().getUuid();
+				// if (storedSessionId.equals(httpSessionId.getValue()))
+				throw new IllegalStateException(
+						"Subject already logged with session " + storedSessionId + " (not " + nodeSessionId + ")");
 			}
 		} else {
-			// TODO desktop, CLI
+			CmsSessionImpl cmsSession = new CmsSessionImpl(subject, authorization, locale, "desktop");
+			CmsSessionId nodeSessionId = new CmsSessionId(cmsSession.getUuid());
+			subject.getPrivateCredentials().add(nodeSessionId);
 		}
 	}
 
-	public static CmsSession cmsSessionFromHttpSession(BundleContext bc, String httpSessionId) {
+	public static CmsSessionImpl cmsSessionFromHttpSession(BundleContext bc, String httpSessionId) {
 		Authorization authorization = null;
 		Collection<ServiceReference<CmsSession>> sr;
 		try {
 			sr = bc.getServiceReferences(CmsSession.class,
 					"(" + CmsSession.SESSION_LOCAL_ID + "=" + httpSessionId + ")");
 		} catch (InvalidSyntaxException e) {
-			throw new CmsException("Cannot get CMS session for id " + httpSessionId, e);
+			throw new IllegalArgumentException("Cannot get CMS session for id " + httpSessionId, e);
 		}
-		CmsSession cmsSession;
+		CmsSessionImpl cmsSession;
 		if (sr.size() == 1) {
-			cmsSession = bc.getService(sr.iterator().next());
+			cmsSession = (CmsSessionImpl) bc.getService(sr.iterator().next());
 //			locale = cmsSession.getLocale();
 			authorization = cmsSession.getAuthorization();
 			if (authorization.getName() == null)
@@ -199,7 +205,7 @@ class CmsAuthUtils {
 		} else if (sr.size() == 0)
 			return null;
 		else
-			throw new CmsException(sr.size() + ">1 web sessions detected for http session " + httpSessionId);
+			throw new IllegalStateException(sr.size() + ">1 web sessions detected for http session " + httpSessionId);
 		return cmsSession;
 	}