X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fkernel%2FActivator.java;h=62c140efd5a5f167405380c45c2cb3dcd9b9614e;hb=681290ba6cddc797e8a955d06d40c054b47e2ab2;hp=51a4cc7a55834a42951bd71671fbcdac32ce96b7;hpb=a2ad417ed1d0219ac29d70ae985939764c13ce38;p=lgpl%2Fargeo-commons.git

diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java
index 51a4cc7a5..62c140efd 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java
@@ -4,63 +4,114 @@ import java.io.IOException;
 import java.net.URL;
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.security.AllPermission;
 import java.util.Dictionary;
 import java.util.List;
 import java.util.Locale;
 
 import javax.security.auth.login.Configuration;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.argeo.cms.CmsException;
+import org.argeo.ident.IdentClient;
 import org.argeo.node.ArgeoLogger;
 import org.argeo.node.NodeConstants;
 import org.argeo.node.NodeDeployment;
 import org.argeo.node.NodeInstance;
 import org.argeo.node.NodeState;
 import org.argeo.util.LangUtils;
+import org.ietf.jgss.GSSCredential;
 import org.osgi.framework.BundleActivator;
 import org.osgi.framework.BundleContext;
 import org.osgi.framework.Constants;
 import org.osgi.framework.ServiceReference;
+import org.osgi.service.condpermadmin.BundleLocationCondition;
+import org.osgi.service.condpermadmin.ConditionInfo;
+import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
+import org.osgi.service.condpermadmin.ConditionalPermissionInfo;
+import org.osgi.service.condpermadmin.ConditionalPermissionUpdate;
 import org.osgi.service.log.LogReaderService;
+import org.osgi.service.permissionadmin.PermissionInfo;
+import org.osgi.service.useradmin.UserAdmin;
+import org.osgi.util.tracker.ServiceTracker;
 
 /**
- * Activates the {@link Kernel} from the provided {@link BundleContext}. Gives
- * access to kernel information for the rest of the bundle (and only it)
+ * Activates the kernel. Gives access to kernel information for the rest of the
+ * bundle (and only it)
  */
 public class Activator implements BundleActivator {
+	private final static Log log = LogFactory.getLog(Activator.class);
+
 	private static Activator instance;
 
+	// TODO make it configurable
+	private boolean hardened = false;
+
 	private BundleContext bc;
+
 	private LogReaderService logReaderService;
-	// private ConfigurationAdmin configurationAdmin;
 
 	private NodeLogger logger;
 	private CmsState nodeState;
 	private CmsDeployment nodeDeployment;
 	private CmsInstance nodeInstance;
 
+	private ServiceTracker<UserAdmin, NodeUserAdmin> userAdminSt;
+
 	@Override
 	public void start(BundleContext bundleContext) throws Exception {
+		Runtime.getRuntime().addShutdownHook(new CmsShutdown());
 		instance = this;
 		this.bc = bundleContext;
 		this.logReaderService = getService(LogReaderService.class);
-		// this.configurationAdmin = getService(ConfigurationAdmin.class);
 
 		try {
-			initSecurity();// must be first
+			initSecurity();
 			initArgeoLogger();
 			initNode();
-		} catch (Exception e) {
-			e.printStackTrace();
-			throw new CmsException("Cannot initialize node", e);
+
+			userAdminSt = new ServiceTracker<>(instance.bc, UserAdmin.class, null);
+			userAdminSt.open();
+			if (log.isTraceEnabled())
+				log.trace("Kernel bundle started");
+		} catch (Throwable e) {
+			log.error("## FATAL: CMS activator failed", e);
 		}
 	}
 
 	private void initSecurity() {
-		URL url = getClass().getClassLoader().getResource(KernelConstants.JAAS_CONFIG);
-//		URL url = getClass().getClassLoader().getResource(KernelConstants.JAAS_CONFIG_IPA);
-		System.setProperty("java.security.auth.login.config", url.toExternalForm());
+		if (System.getProperty(KernelConstants.JAAS_CONFIG_PROP) == null) {
+			String jaasConfig = KernelConstants.JAAS_CONFIG;
+			URL url = getClass().getClassLoader().getResource(jaasConfig);
+			// System.setProperty(KernelConstants.JAAS_CONFIG_PROP,
+			// url.toExternalForm());
+			KernelUtils.setJaasConfiguration(url);
+		}
+		// explicitly load JAAS configuration
 		Configuration.getConfiguration();
+
+		// code-level permissions
+		String osgiSecurity = KernelUtils.getFrameworkProp(Constants.FRAMEWORK_SECURITY);
+		if (osgiSecurity != null && Constants.FRAMEWORK_SECURITY_OSGI.equals(osgiSecurity)) {
+			// TODO rather use a tracker?
+			ConditionalPermissionAdmin permissionAdmin = bc
+					.getService(bc.getServiceReference(ConditionalPermissionAdmin.class));
+			if (!hardened) {
+				// All permissions to all bundles
+				ConditionalPermissionUpdate update = permissionAdmin.newConditionalPermissionUpdate();
+				update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
+						new ConditionInfo[] {
+								new ConditionInfo(BundleLocationCondition.class.getName(), new String[] { "*" }) },
+						new PermissionInfo[] { new PermissionInfo(AllPermission.class.getName(), null, null) },
+						ConditionalPermissionInfo.ALLOW));
+			} else {
+				SecurityProfile securityProfile = new SecurityProfile() {
+				};
+				securityProfile.applySystemPermissions(permissionAdmin);
+			}
+		}
+
 	}
 
 	private void initArgeoLogger() {
@@ -94,14 +145,24 @@ public class Activator implements BundleActivator {
 
 	@Override
 	public void stop(BundleContext bundleContext) throws Exception {
-		nodeInstance.shutdown();
-		nodeDeployment.shutdown();
-		nodeState.shutdown();
-
-		instance = null;
-		this.bc = null;
-		this.logReaderService = null;
-		// this.configurationAdmin = null;
+		try {
+			if (nodeInstance != null)
+				nodeInstance.shutdown();
+			if (nodeDeployment != null)
+				nodeDeployment.shutdown();
+			if (nodeState != null)
+				nodeState.shutdown();
+
+			if (userAdminSt != null)
+				userAdminSt.close();
+
+			instance = null;
+			this.bc = null;
+			this.logReaderService = null;
+			// this.configurationAdmin = null;
+		} catch (Exception e) {
+			log.error("CMS activator shutdown failed", e);
+		}
 	}
 
 	private <T> T getService(Class<T> clazz) {
@@ -115,6 +176,51 @@ public class Activator implements BundleActivator {
 		return instance.nodeState;
 	}
 
+	public static GSSCredential getAcceptorCredentials() {
+		return getNodeUserAdmin().getAcceptorCredentials();
+	}
+
+	public static boolean isSingleUser() {
+		return getNodeUserAdmin().isSingleUser();
+	}
+
+	public static UserAdmin getUserAdmin() {
+		return (UserAdmin) getNodeUserAdmin();
+	}
+
+	public static String getHttpProxySslHeader() {
+		return KernelUtils.getFrameworkProp(NodeConstants.HTTP_PROXY_SSL_DN);
+	}
+
+	public static IdentClient getIdentClient(String remoteAddr) {
+		if (!IdentClient.isDefaultAuthdPassphraseFileAvailable())
+			return null;
+		// TODO make passphrase more configurable
+		return new IdentClient(remoteAddr);
+	}
+
+	private static NodeUserAdmin getNodeUserAdmin() {
+		NodeUserAdmin res;
+		try {
+			res = instance.userAdminSt.waitForService(60000);
+		} catch (InterruptedException e) {
+			throw new CmsException("Cannot retrieve Node user admin", e);
+		}
+		if (res == null)
+			throw new CmsException("No Node user admin found");
+
+		return res;
+		// ServiceReference<UserAdmin> sr =
+		// instance.bc.getServiceReference(UserAdmin.class);
+		// NodeUserAdmin userAdmin = (NodeUserAdmin) instance.bc.getService(sr);
+		// return userAdmin;
+
+	}
+
+	// static CmsSecurity getCmsSecurity() {
+	// return instance.nodeSecurity;
+	// }
+
 	public String[] getLocales() {
 		// TODO optimize?
 		List<Locale> locales = getNodeState().getLocales();