X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fkernel%2FActivator.java;h=62c140efd5a5f167405380c45c2cb3dcd9b9614e;hb=681290ba6cddc797e8a955d06d40c054b47e2ab2;hp=6aacfd4931760f6e9c85f8d1724f35cfccf55dca;hpb=2d6b7c0c3badea29451c4d8e41ebb5aca2258806;p=lgpl%2Fargeo-commons.git diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java index 6aacfd493..62c140efd 100644 --- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java +++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java @@ -2,150 +2,167 @@ package org.argeo.cms.internal.kernel; import java.io.IOException; import java.net.URL; +import java.nio.file.Files; +import java.nio.file.Path; +import java.security.AllPermission; import java.util.Dictionary; -import java.util.Hashtable; import java.util.List; import java.util.Locale; +import javax.security.auth.login.Configuration; + import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.argeo.cms.CmsException; +import org.argeo.ident.IdentClient; import org.argeo.node.ArgeoLogger; import org.argeo.node.NodeConstants; import org.argeo.node.NodeDeployment; +import org.argeo.node.NodeInstance; import org.argeo.node.NodeState; import org.argeo.util.LangUtils; +import org.ietf.jgss.GSSCredential; import org.osgi.framework.BundleActivator; import org.osgi.framework.BundleContext; import org.osgi.framework.Constants; import org.osgi.framework.ServiceReference; -import org.osgi.service.cm.Configuration; -import org.osgi.service.cm.ConfigurationAdmin; -import org.osgi.service.cm.ManagedService; +import org.osgi.service.condpermadmin.BundleLocationCondition; +import org.osgi.service.condpermadmin.ConditionInfo; import org.osgi.service.condpermadmin.ConditionalPermissionAdmin; +import org.osgi.service.condpermadmin.ConditionalPermissionInfo; +import org.osgi.service.condpermadmin.ConditionalPermissionUpdate; import org.osgi.service.log.LogReaderService; +import org.osgi.service.permissionadmin.PermissionInfo; +import org.osgi.service.useradmin.UserAdmin; +import org.osgi.util.tracker.ServiceTracker; /** - * Activates the {@link Kernel} from the provided {@link BundleContext}. Gives - * access to kernel information for the rest of the bundle (and only it) + * Activates the kernel. Gives access to kernel information for the rest of the + * bundle (and only it) */ public class Activator implements BundleActivator { - // public final static String SYSTEM_KEY_PROPERTY = - // "argeo.security.systemKey"; - private final Log log = LogFactory.getLog(Activator.class); - - // private final static String systemKey; - // static { - // System.setProperty(SYSTEM_KEY_PROPERTY, systemKey); - // } + private final static Log log = LogFactory.getLog(Activator.class); - // private static Kernel kernel; private static Activator instance; + // TODO make it configurable + private boolean hardened = false; + private BundleContext bc; - private ConditionalPermissionAdmin permissionAdmin; + private LogReaderService logReaderService; - private ConfigurationAdmin configurationAdmin; private NodeLogger logger; private CmsState nodeState; private CmsDeployment nodeDeployment; + private CmsInstance nodeInstance; + + private ServiceTracker userAdminSt; @Override public void start(BundleContext bundleContext) throws Exception { - // try { - // kernel = new Kernel(); - // kernel.init(); - // } catch (Exception e) { - // log.error("Cannot boot kernel", e); - // } - + Runtime.getRuntime().addShutdownHook(new CmsShutdown()); instance = this; this.bc = bundleContext; - this.permissionAdmin = getService(ConditionalPermissionAdmin.class); this.logReaderService = getService(LogReaderService.class); - this.configurationAdmin = getService(ConfigurationAdmin.class); - initSecurity();// must be first - initArgeoLogger(); - initNodeState(); + try { + initSecurity(); + initArgeoLogger(); + initNode(); + + userAdminSt = new ServiceTracker<>(instance.bc, UserAdmin.class, null); + userAdminSt.open(); + if (log.isTraceEnabled()) + log.trace("Kernel bundle started"); + } catch (Throwable e) { + log.error("## FATAL: CMS activator failed", e); + } } private void initSecurity() { - URL url = getClass().getClassLoader().getResource(KernelConstants.JAAS_CONFIG); - System.setProperty("java.security.auth.login.config", url.toExternalForm()); + if (System.getProperty(KernelConstants.JAAS_CONFIG_PROP) == null) { + String jaasConfig = KernelConstants.JAAS_CONFIG; + URL url = getClass().getClassLoader().getResource(jaasConfig); + // System.setProperty(KernelConstants.JAAS_CONFIG_PROP, + // url.toExternalForm()); + KernelUtils.setJaasConfiguration(url); + } + // explicitly load JAAS configuration + Configuration.getConfiguration(); + + // code-level permissions + String osgiSecurity = KernelUtils.getFrameworkProp(Constants.FRAMEWORK_SECURITY); + if (osgiSecurity != null && Constants.FRAMEWORK_SECURITY_OSGI.equals(osgiSecurity)) { + // TODO rather use a tracker? + ConditionalPermissionAdmin permissionAdmin = bc + .getService(bc.getServiceReference(ConditionalPermissionAdmin.class)); + if (!hardened) { + // All permissions to all bundles + ConditionalPermissionUpdate update = permissionAdmin.newConditionalPermissionUpdate(); + update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null, + new ConditionInfo[] { + new ConditionInfo(BundleLocationCondition.class.getName(), new String[] { "*" }) }, + new PermissionInfo[] { new PermissionInfo(AllPermission.class.getName(), null, null) }, + ConditionalPermissionInfo.ALLOW)); + } else { + SecurityProfile securityProfile = new SecurityProfile() { + }; + securityProfile.applySystemPermissions(permissionAdmin); + } + } + } private void initArgeoLogger() { logger = new NodeLogger(logReaderService); - - // register bc.registerService(ArgeoLogger.class, logger, null); } - private void initNodeState() throws IOException { - nodeState = new CmsState(); - - Object cn; - Configuration nodeConf = configurationAdmin.getConfiguration(NodeConstants.NODE_STATE_PID); - Dictionary props = nodeConf.getProperties(); - if (props == null) { - if (log.isDebugEnabled()) - log.debug("Clean node state"); - Dictionary envProps = new Hashtable<>(); - // Use the UUID of the first framework run as state UUID - cn = bc.getProperty(Constants.FRAMEWORK_UUID); - envProps.put(NodeConstants.CN, cn); - nodeConf.update(envProps); + private void initNode() throws IOException { + // Node state + Path stateUuidPath = bc.getDataFile("stateUuid").toPath(); + String stateUuid; + if (Files.exists(stateUuidPath)) { + stateUuid = Files.readAllLines(stateUuidPath).get(0); } else { - // Check if state is in line with environment - // Dictionary envProps = new Hashtable<>(); - // for (String key : LangUtils.keys(envProps)) { - // Object envValue = envProps.get(key); - // Object storedValue = props.get(key); - // if (storedValue == null) - // throw new CmsException("No state value for env " + key + "=" + - // envValue - // + ", please clean the OSGi configuration."); - // if (!storedValue.equals(envValue)) - // throw new CmsException("State value for " + key + "=" + - // storedValue - // + " is different from env value =" + envValue + ", please clean - // the OSGi configuration."); - // } - cn = props.get(NodeConstants.CN); - if (cn == null) - throw new CmsException("No state UUID available"); - } - - Dictionary regProps = LangUtils.init(Constants.SERVICE_PID, NodeConstants.NODE_STATE_PID); - regProps.put(NodeConstants.CN, cn); - bc.registerService(LangUtils.names(NodeState.class, ManagedService.class), nodeState, regProps); - - try { - nodeDeployment = new CmsDeployment(); - bc.registerService(LangUtils.names(NodeDeployment.class), nodeDeployment, null); - } catch (RuntimeException e) { - e.printStackTrace(); - throw e; + stateUuid = bc.getProperty(Constants.FRAMEWORK_UUID); + Files.write(stateUuidPath, stateUuid.getBytes()); } + nodeState = new CmsState(stateUuid); + Dictionary regProps = LangUtils.dico(Constants.SERVICE_PID, NodeConstants.NODE_STATE_PID); + regProps.put(NodeConstants.CN, stateUuid); + bc.registerService(NodeState.class, nodeState, regProps); + + // Node deployment + nodeDeployment = new CmsDeployment(); + bc.registerService(NodeDeployment.class, nodeDeployment, null); + + // Node instance + nodeInstance = new CmsInstance(); + bc.registerService(NodeInstance.class, nodeInstance, null); } @Override public void stop(BundleContext bundleContext) throws Exception { - nodeState.shutdown(); - - instance = null; - this.bc = null; - this.permissionAdmin = null; - this.logReaderService = null; - this.configurationAdmin = null; - - // if (kernel != null) { - // kernel.destroy(); - // kernel = null; - // } - + try { + if (nodeInstance != null) + nodeInstance.shutdown(); + if (nodeDeployment != null) + nodeDeployment.shutdown(); + if (nodeState != null) + nodeState.shutdown(); + + if (userAdminSt != null) + userAdminSt.close(); + + instance = null; + this.bc = null; + this.logReaderService = null; + // this.configurationAdmin = null; + } catch (Exception e) { + log.error("CMS activator shutdown failed", e); + } } private T getService(Class clazz) { @@ -159,6 +176,51 @@ public class Activator implements BundleActivator { return instance.nodeState; } + public static GSSCredential getAcceptorCredentials() { + return getNodeUserAdmin().getAcceptorCredentials(); + } + + public static boolean isSingleUser() { + return getNodeUserAdmin().isSingleUser(); + } + + public static UserAdmin getUserAdmin() { + return (UserAdmin) getNodeUserAdmin(); + } + + public static String getHttpProxySslHeader() { + return KernelUtils.getFrameworkProp(NodeConstants.HTTP_PROXY_SSL_DN); + } + + public static IdentClient getIdentClient(String remoteAddr) { + if (!IdentClient.isDefaultAuthdPassphraseFileAvailable()) + return null; + // TODO make passphrase more configurable + return new IdentClient(remoteAddr); + } + + private static NodeUserAdmin getNodeUserAdmin() { + NodeUserAdmin res; + try { + res = instance.userAdminSt.waitForService(60000); + } catch (InterruptedException e) { + throw new CmsException("Cannot retrieve Node user admin", e); + } + if (res == null) + throw new CmsException("No Node user admin found"); + + return res; + // ServiceReference sr = + // instance.bc.getServiceReference(UserAdmin.class); + // NodeUserAdmin userAdmin = (NodeUserAdmin) instance.bc.getService(sr); + // return userAdmin; + + } + + // static CmsSecurity getCmsSecurity() { + // return instance.nodeSecurity; + // } + public String[] getLocales() { // TODO optimize? List locales = getNodeState().getLocales();