X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Fauth%2FUserAdminLoginModule.java;h=4057b26af800e042d6fc1076ec89ad2f5ee7be63;hb=73a89e099608a51d9aef814a3f85a62947275f59;hp=b50bf8ac4699ba5098fff3cac93d041d5c687efd;hpb=715f6820660b91d532e3bd75a53786267066e1a7;p=lgpl%2Fargeo-commons.git diff --git a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java index b50bf8ac4..4057b26af 100644 --- a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java +++ b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java @@ -1,11 +1,9 @@ package org.argeo.cms.auth; import static org.argeo.naming.LdapAttrs.cn; -import static org.argeo.naming.LdapAttrs.description; import java.io.IOException; import java.security.PrivilegedAction; -import java.time.Instant; import java.util.Arrays; import java.util.HashSet; import java.util.List; @@ -13,7 +11,6 @@ import java.util.Locale; import java.util.Map; import java.util.Set; -import javax.naming.InvalidNameException; import javax.naming.ldap.LdapName; import javax.security.auth.Subject; import javax.security.auth.callback.Callback; @@ -30,15 +27,14 @@ import javax.servlet.http.HttpServletRequest; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; -import org.argeo.cms.CmsException; +import org.argeo.api.NodeConstants; +import org.argeo.api.security.CryptoKeyring; import org.argeo.cms.internal.kernel.Activator; import org.argeo.naming.LdapAttrs; -import org.argeo.naming.NamingUtils; -import org.argeo.node.NodeConstants; -import org.argeo.node.security.CryptoKeyring; import org.argeo.osgi.useradmin.AuthenticatingUser; import org.argeo.osgi.useradmin.IpaUtils; import org.argeo.osgi.useradmin.OsUserUtils; +import org.argeo.osgi.useradmin.TokenUtils; import org.osgi.framework.BundleContext; import org.osgi.framework.FrameworkUtil; import org.osgi.framework.ServiceReference; @@ -47,6 +43,10 @@ import org.osgi.service.useradmin.Group; import org.osgi.service.useradmin.User; import org.osgi.service.useradmin.UserAdmin; +/** + * Use the {@link UserAdmin} in the OSGi registry as the basis for + * authentication. + */ public class UserAdminLoginModule implements LoginModule { private final static Log log = LogFactory.getLog(UserAdminLoginModule.class); @@ -76,7 +76,7 @@ public class UserAdminLoginModule implements LoginModule { this.callbackHandler = callbackHandler; this.sharedState = (Map) sharedState; } catch (Exception e) { - throw new CmsException("Cannot initialize login module", e); + throw new IllegalStateException("Cannot initialize login module", e); } } @@ -86,6 +86,7 @@ public class UserAdminLoginModule implements LoginModule { final String username; final char[] password; Object certificateChain = null; + boolean preauth = false; if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME) && sharedState.containsKey(CmsAuthUtils.SHARED_STATE_PWD)) { // NB: required by Basic http auth @@ -94,20 +95,29 @@ public class UserAdminLoginModule implements LoginModule { // // TODO locale? } else if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME) && sharedState.containsKey(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN)) { - String certificateName = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME); - LdapName ldapName; - try { - ldapName = new LdapName(certificateName); - } catch (InvalidNameException e) { - e.printStackTrace(); - return false; - } - username = ldapName.getRdn(ldapName.size() - 1).getValue().toString(); + String certDn = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME); +// LdapName ldapName; +// try { +// ldapName = new LdapName(certificateName); +// } catch (InvalidNameException e) { +// e.printStackTrace(); +// return false; +// } +// username = ldapName.getRdn(ldapName.size() - 1).getValue().toString(); + username = certDn; certificateChain = sharedState.get(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN); password = null; + } else if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME) + && sharedState.containsKey(CmsAuthUtils.SHARED_STATE_REMOTE_ADDR) + && sharedState.containsKey(CmsAuthUtils.SHARED_STATE_REMOTE_PORT)) {// ident + username = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME); + password = null; + preauth = true; } else if (singleUser) { username = OsUserUtils.getOsUsername(); password = null; + // TODO retrieve from http session + locale = Locale.getDefault(); } else { // ask for username and password @@ -186,6 +196,8 @@ public class UserAdminLoginModule implements LoginModule { // is provided } else if (singleUser) { // TODO verify IP address? + } else if (preauth) { + // ident } else { throw new CredentialNotFoundException("No credentials provided"); } @@ -196,9 +208,7 @@ public class UserAdminLoginModule implements LoginModule { @Override public boolean commit() throws LoginException { - if (locale == null) - subject.getPublicCredentials().add(Locale.getDefault()); - else + if (locale != null) subject.getPublicCredentials().add(locale); if (singleUser) { @@ -217,7 +227,7 @@ public class UserAdminLoginModule implements LoginModule { if (authenticatedUser == null) { if (log.isTraceEnabled()) log.trace("Neither kerberos nor user admin login succeeded. Login failed."); - return false; + throw new CredentialNotFoundException("Bad credentials."); } else { authenticatingUser = authenticatedUser; } @@ -245,7 +255,7 @@ public class UserAdminLoginModule implements LoginModule { // Log and monitor new login HttpServletRequest request = (HttpServletRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST); - CmsAuthUtils.addAuthorization(subject, authorization, locale, request); + CmsAuthUtils.addAuthorization(subject, authorization); // Unlock keyring (underlying login to the JCR repository) char[] password = (char[]) sharedState.get(CmsAuthUtils.SHARED_STATE_PWD); @@ -288,8 +298,6 @@ public class UserAdminLoginModule implements LoginModule { public boolean logout() throws LoginException { if (log.isTraceEnabled()) log.trace("Logging out from CMS... " + subject); - // boolean httpSessionLogoutOk = CmsAuthUtils.logoutSession(bc, - // subject); CmsAuthUtils.cleanUp(subject); return true; } @@ -300,6 +308,7 @@ public class UserAdminLoginModule implements LoginModule { Set collectedUsers = new HashSet<>(); // try dn User user = null; + user = null; // try all indexes for (String attr : indexedUserProperties) { user = userAdmin.getUser(attr, providedUsername); @@ -336,16 +345,20 @@ public class UserAdminLoginModule implements LoginModule { } protected Authorization getAuthorizationFromToken(UserAdmin userAdmin, Group tokenGroup) { - String expiryDateStr = (String) tokenGroup.getProperties().get(description.name()); - if (expiryDateStr != null) { - Instant expiryDate = NamingUtils.ldapDateToInstant(expiryDateStr); - if (expiryDate.isBefore(Instant.now())) { - if (log.isDebugEnabled()) - log.debug("Token " + tokenGroup.getName() + " has expired."); - return null; - } - } - Authorization auth = userAdmin.getAuthorization(tokenGroup); + if (TokenUtils.isExpired(tokenGroup)) + return null; +// String expiryDateStr = (String) tokenGroup.getProperties().get(description.name()); +// if (expiryDateStr != null) { +// Instant expiryDate = NamingUtils.ldapDateToInstant(expiryDateStr); +// if (expiryDate.isBefore(Instant.now())) { +// if (log.isDebugEnabled()) +// log.debug("Token " + tokenGroup.getName() + " has expired."); +// return null; +// } +// } + String userDn = TokenUtils.userDn(tokenGroup); + User user = (User) userAdmin.getRole(userDn); + Authorization auth = userAdmin.getAuthorization(user); return auth; } }