X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Fauth%2FUserAdminLoginModule.java;h=b50bf8ac4699ba5098fff3cac93d041d5c687efd;hb=715f6820660b91d532e3bd75a53786267066e1a7;hp=de2d8bf75fe9e21dbd2141f3b9e5229dc61f9d23;hpb=44990a14a843b1eac4c0dfca228559c9e86c256b;p=lgpl%2Fargeo-commons.git diff --git a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java index de2d8bf75..b50bf8ac4 100644 --- a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java +++ b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java @@ -1,8 +1,11 @@ package org.argeo.cms.auth; +import static org.argeo.naming.LdapAttrs.cn; +import static org.argeo.naming.LdapAttrs.description; + import java.io.IOException; import java.security.PrivilegedAction; -import java.security.cert.X509Certificate; +import java.time.Instant; import java.util.Arrays; import java.util.HashSet; import java.util.List; @@ -10,6 +13,7 @@ import java.util.Locale; import java.util.Map; import java.util.Set; +import javax.naming.InvalidNameException; import javax.naming.ldap.LdapName; import javax.security.auth.Subject; import javax.security.auth.callback.Callback; @@ -29,6 +33,8 @@ import org.apache.commons.logging.LogFactory; import org.argeo.cms.CmsException; import org.argeo.cms.internal.kernel.Activator; import org.argeo.naming.LdapAttrs; +import org.argeo.naming.NamingUtils; +import org.argeo.node.NodeConstants; import org.argeo.node.security.CryptoKeyring; import org.argeo.osgi.useradmin.AuthenticatingUser; import org.argeo.osgi.useradmin.IpaUtils; @@ -37,6 +43,7 @@ import org.osgi.framework.BundleContext; import org.osgi.framework.FrameworkUtil; import org.osgi.framework.ServiceReference; import org.osgi.service.useradmin.Authorization; +import org.osgi.service.useradmin.Group; import org.osgi.service.useradmin.User; import org.osgi.service.useradmin.UserAdmin; @@ -78,7 +85,7 @@ public class UserAdminLoginModule implements LoginModule { UserAdmin userAdmin = Activator.getUserAdmin(); final String username; final char[] password; - X509Certificate[] certificateChain = null; + Object certificateChain = null; if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME) && sharedState.containsKey(CmsAuthUtils.SHARED_STATE_PWD)) { // NB: required by Basic http auth @@ -87,9 +94,16 @@ public class UserAdminLoginModule implements LoginModule { // // TODO locale? } else if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME) && sharedState.containsKey(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN)) { - // NB: required by Basic http auth - username = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME); - certificateChain = (X509Certificate[]) sharedState.get(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN); + String certificateName = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME); + LdapName ldapName; + try { + ldapName = new LdapName(certificateName); + } catch (InvalidNameException e) { + e.printStackTrace(); + return false; + } + username = ldapName.getRdn(ldapName.size() - 1).getValue().toString(); + certificateChain = sharedState.get(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN); password = null; } else if (singleUser) { username = OsUserUtils.getOsUsername(); @@ -128,6 +142,21 @@ public class UserAdminLoginModule implements LoginModule { sharedState.put(CmsAuthUtils.SHARED_STATE_PWD, password); } User user = searchForUser(userAdmin, username); + + // Tokens + if (user == null) { + String token = username; + Group tokenGroup = searchForToken(userAdmin, token); + if (tokenGroup != null) { + Authorization tokenAuthorization = getAuthorizationFromToken(userAdmin, tokenGroup); + if (tokenAuthorization != null) { + bindAuthorization = tokenAuthorization; + authenticatedUser = (User) userAdmin.getRole(bindAuthorization.getName()); + return true; + } + } + } + if (user == null) return true;// expect Kerberos @@ -167,6 +196,11 @@ public class UserAdminLoginModule implements LoginModule { @Override public boolean commit() throws LoginException { + if (locale == null) + subject.getPublicCredentials().add(Locale.getDefault()); + else + subject.getPublicCredentials().add(locale); + if (singleUser) { OsUserUtils.loginAsSystemUser(subject); } @@ -236,7 +270,7 @@ public class UserAdminLoginModule implements LoginModule { }); } } - + // Register CmsSession with initial subject CmsAuthUtils.registerSessionAuthorization(request, subject, authorization, locale); @@ -294,4 +328,24 @@ public class UserAdminLoginModule implements LoginModule { } } + + protected Group searchForToken(UserAdmin userAdmin, String token) { + String dn = cn + "=" + token + "," + NodeConstants.TOKENS_BASEDN; + Group tokenGroup = (Group) userAdmin.getRole(dn); + return tokenGroup; + } + + protected Authorization getAuthorizationFromToken(UserAdmin userAdmin, Group tokenGroup) { + String expiryDateStr = (String) tokenGroup.getProperties().get(description.name()); + if (expiryDateStr != null) { + Instant expiryDate = NamingUtils.ldapDateToInstant(expiryDateStr); + if (expiryDate.isBefore(Instant.now())) { + if (log.isDebugEnabled()) + log.debug("Token " + tokenGroup.getName() + " has expired."); + return null; + } + } + Authorization auth = userAdmin.getAuthorization(tokenGroup); + return auth; + } }