X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fkernel%2FActivator.java;h=d7b953b5389eae6a4cecbb5b4bbe336c3aea6131;hb=f29320f6e6aca6d3c1b1deca1276930189fd3a60;hp=24c2f6bccc7d1c7e9d8e004f94d56623e92513dc;hpb=255654a72d48b875d71cea637532784953d80499;p=lgpl%2Fargeo-commons.git diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java index 24c2f6bcc..d7b953b53 100644 --- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java +++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java @@ -4,6 +4,7 @@ import java.io.IOException; import java.net.URL; import java.nio.file.Files; import java.nio.file.Path; +import java.security.AllPermission; import java.util.Dictionary; import java.util.List; import java.util.Locale; @@ -13,61 +14,116 @@ import javax.security.auth.login.Configuration; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.argeo.cms.CmsException; +import org.argeo.ident.IdentClient; import org.argeo.node.ArgeoLogger; import org.argeo.node.NodeConstants; import org.argeo.node.NodeDeployment; import org.argeo.node.NodeInstance; import org.argeo.node.NodeState; import org.argeo.util.LangUtils; +import org.ietf.jgss.GSSCredential; import org.osgi.framework.BundleActivator; import org.osgi.framework.BundleContext; import org.osgi.framework.Constants; import org.osgi.framework.ServiceReference; +import org.osgi.service.condpermadmin.BundleLocationCondition; +import org.osgi.service.condpermadmin.ConditionInfo; +import org.osgi.service.condpermadmin.ConditionalPermissionAdmin; +import org.osgi.service.condpermadmin.ConditionalPermissionInfo; +import org.osgi.service.condpermadmin.ConditionalPermissionUpdate; import org.osgi.service.log.LogReaderService; +import org.osgi.service.permissionadmin.PermissionInfo; +import org.osgi.service.useradmin.UserAdmin; +import org.osgi.util.tracker.ServiceTracker; /** - * Activates the {@link Kernel} from the provided {@link BundleContext}. Gives - * access to kernel information for the rest of the bundle (and only it) + * Activates the kernel. Gives access to kernel information for the rest of the + * bundle (and only it) */ public class Activator implements BundleActivator { private final static Log log = LogFactory.getLog(Activator.class); private static Activator instance; + // TODO make it configurable + private boolean hardened = false; + private BundleContext bc; + private LogReaderService logReaderService; - // private ConfigurationAdmin configurationAdmin; private NodeLogger logger; private CmsState nodeState; private CmsDeployment nodeDeployment; private CmsInstance nodeInstance; + private ServiceTracker userAdminSt; + @Override public void start(BundleContext bundleContext) throws Exception { + Runtime.getRuntime().addShutdownHook(new CmsShutdown()); instance = this; this.bc = bundleContext; this.logReaderService = getService(LogReaderService.class); - // this.configurationAdmin = getService(ConfigurationAdmin.class); try { - initSecurity();// must be first + initSecurity(); initArgeoLogger(); initNode(); - } catch (Exception e) { + + userAdminSt = new ServiceTracker<>(instance.bc, UserAdmin.class, null); + userAdminSt.open(); + if (log.isTraceEnabled()) + log.trace("Kernel bundle started"); + } catch (Throwable e) { log.error("## FATAL: CMS activator failed", e); - // throw new CmsException("Cannot initialize node", e); } } private void initSecurity() { if (System.getProperty(KernelConstants.JAAS_CONFIG_PROP) == null) { - URL url = getClass().getClassLoader().getResource(KernelConstants.JAAS_CONFIG); - // URL url = - // getClass().getClassLoader().getResource(KernelConstants.JAAS_CONFIG_IPA); - System.setProperty(KernelConstants.JAAS_CONFIG_PROP, url.toExternalForm()); + String jaasConfig = KernelConstants.JAAS_CONFIG; + URL url = getClass().getClassLoader().getResource(jaasConfig); + // System.setProperty(KernelConstants.JAAS_CONFIG_PROP, + // url.toExternalForm()); + KernelUtils.setJaasConfiguration(url); } + // explicitly load JAAS configuration Configuration.getConfiguration(); + + // code-level permissions + String osgiSecurity = KernelUtils.getFrameworkProp(Constants.FRAMEWORK_SECURITY); + if (osgiSecurity != null && Constants.FRAMEWORK_SECURITY_OSGI.equals(osgiSecurity)) { + // TODO rather use a tracker? + ConditionalPermissionAdmin permissionAdmin = bc + .getService(bc.getServiceReference(ConditionalPermissionAdmin.class)); + if (!hardened) { + // All permissions to all bundles + ConditionalPermissionUpdate update = permissionAdmin.newConditionalPermissionUpdate(); + update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null, + new ConditionInfo[] { + new ConditionInfo(BundleLocationCondition.class.getName(), new String[] { "*" }) }, + new PermissionInfo[] { new PermissionInfo(AllPermission.class.getName(), null, null) }, + ConditionalPermissionInfo.ALLOW)); + // TODO data admin permission +// PermissionInfo dataAdminPerm = new PermissionInfo(AuthPermission.class.getName(), +// "createLoginContext." + NodeConstants.LOGIN_CONTEXT_DATA_ADMIN, null); +// update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null, +// new ConditionInfo[] { +// new ConditionInfo(BundleLocationCondition.class.getName(), new String[] { "*" }) }, +// new PermissionInfo[] { dataAdminPerm }, ConditionalPermissionInfo.DENY)); +// update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null, +// new ConditionInfo[] { +// new ConditionInfo(BundleSignerCondition.class.getName(), new String[] { "CN=\"Eclipse.org Foundation, Inc.\", OU=IT, O=\"Eclipse.org Foundation, Inc.\", L=Nepean, ST=Ontario, C=CA" }) }, +// new PermissionInfo[] { dataAdminPerm }, ConditionalPermissionInfo.ALLOW)); + update.commit(); + } else { + SecurityProfile securityProfile = new SecurityProfile() { + }; + securityProfile.applySystemPermissions(permissionAdmin); + } + } + } private void initArgeoLogger() { @@ -101,14 +157,24 @@ public class Activator implements BundleActivator { @Override public void stop(BundleContext bundleContext) throws Exception { - nodeInstance.shutdown(); - nodeDeployment.shutdown(); - nodeState.shutdown(); - - instance = null; - this.bc = null; - this.logReaderService = null; - // this.configurationAdmin = null; + try { + if (nodeInstance != null) + nodeInstance.shutdown(); + if (nodeDeployment != null) + nodeDeployment.shutdown(); + if (nodeState != null) + nodeState.shutdown(); + + if (userAdminSt != null) + userAdminSt.close(); + + instance = null; + this.bc = null; + this.logReaderService = null; + // this.configurationAdmin = null; + } catch (Exception e) { + log.error("CMS activator shutdown failed", e); + } } private T getService(Class clazz) { @@ -122,6 +188,51 @@ public class Activator implements BundleActivator { return instance.nodeState; } + public static GSSCredential getAcceptorCredentials() { + return getNodeUserAdmin().getAcceptorCredentials(); + } + + public static boolean isSingleUser() { + return getNodeUserAdmin().isSingleUser(); + } + + public static UserAdmin getUserAdmin() { + return (UserAdmin) getNodeUserAdmin(); + } + + public static String getHttpProxySslHeader() { + return KernelUtils.getFrameworkProp(NodeConstants.HTTP_PROXY_SSL_DN); + } + + public static IdentClient getIdentClient(String remoteAddr) { + if (!IdentClient.isDefaultAuthdPassphraseFileAvailable()) + return null; + // TODO make passphrase more configurable + return new IdentClient(remoteAddr); + } + + private static NodeUserAdmin getNodeUserAdmin() { + NodeUserAdmin res; + try { + res = instance.userAdminSt.waitForService(60000); + } catch (InterruptedException e) { + throw new CmsException("Cannot retrieve Node user admin", e); + } + if (res == null) + throw new CmsException("No Node user admin found"); + + return res; + // ServiceReference sr = + // instance.bc.getServiceReference(UserAdmin.class); + // NodeUserAdmin userAdmin = (NodeUserAdmin) instance.bc.getService(sr); + // return userAdmin; + + } + + // static CmsSecurity getCmsSecurity() { + // return instance.nodeSecurity; + // } + public String[] getLocales() { // TODO optimize? List locales = getNodeState().getLocales();