X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fkernel%2FFirstInit.java;h=1c7cb149752a7c30ce6b56da3ad1f9db8da21929;hb=5b5c2b97eee9edd037e198acadf8b416a973863f;hp=aa9cf7fe8c7d317b0c2e18bab2e4f513160285ae;hpb=cf53e939cabed54ee2a3074afcf22417fbdf364d;p=lgpl%2Fargeo-commons.git
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/FirstInit.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/FirstInit.java
index aa9cf7fe8..1c7cb1497 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/FirstInit.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/FirstInit.java
@@ -5,16 +5,24 @@ import static org.argeo.cms.internal.kernel.KernelUtils.getFrameworkProp;
 import java.io.File;
 import java.io.FileFilter;
 import java.io.IOException;
+import java.net.InetAddress;
 import java.net.URI;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.security.KeyStore;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Dictionary;
 import java.util.Hashtable;
 import java.util.List;
 
+import javax.security.auth.x500.X500Principal;
+
 import org.apache.commons.io.FileUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.argeo.cms.CmsException;
+import org.argeo.cms.internal.jcr.RepoConf;
 import org.argeo.node.NodeConstants;
 import org.argeo.osgi.useradmin.UserAdminConf;
 import org.eclipse.equinox.http.jetty.JettyConstants;
@@ -48,7 +56,8 @@ class FirstInit { String httpPort = getFrameworkProp("org.osgi.service.http.port"); String httpsPort = getFrameworkProp("org.osgi.service.http.port.secure"); /// TODO make it more generic - String httpHost = getFrameworkProp("org.eclipse.equinox.http.jetty.http.host"); + String httpHost = getFrameworkProp(JettyConstants.PROPERTY_PREFIX + '.' + JettyConstants.HTTP_HOST); + String httpsHost = getFrameworkProp(JettyConstants.PROPERTY_PREFIX + '.' + JettyConstants.HTTPS_HOST); final Hashtable props = new Hashtable(); // try { @@ -60,16 +69,23 @@ class FirstInit { if (httpsPort != null) { props.put(JettyConstants.HTTPS_PORT, httpsPort); props.put(JettyConstants.HTTPS_ENABLED, true); + Path keyStorePath = KernelUtils.getOsgiInstancePath(KernelConstants.DEFAULT_KEYSTORE_PATH); + String keyStorePassword = getFrameworkProp( + JettyConstants.PROPERTY_PREFIX + '.' + JettyConstants.SSL_PASSWORD); + if (keyStorePassword == null) + keyStorePassword = "changeit"; + if (!Files.exists(keyStorePath)) + createSelfSignedKeyStore(keyStorePath, keyStorePassword); props.put(JettyConstants.SSL_KEYSTORETYPE, "PKCS12"); - props.put(JettyConstants.SSL_KEYSTORE, "../../ssl/server.p12"); - // jettyProps.put(JettyConstants.SSL_KEYSTORE, - // nodeSecurity.getHttpServerKeyStore().getCanonicalPath()); - props.put(JettyConstants.SSL_PASSWORD, "changeit"); + props.put(JettyConstants.SSL_KEYSTORE, keyStorePath.toString()); + props.put(JettyConstants.SSL_PASSWORD, keyStorePassword); props.put(JettyConstants.SSL_WANTCLIENTAUTH, true); } - if (httpHost != null) { + if (httpHost != null) props.put(JettyConstants.HTTP_HOST, httpHost); - } + if (httpsHost != null) + props.put(JettyConstants.HTTPS_HOST, httpHost); + props.put(NodeConstants.CN, NodeConstants.DEFAULT); } return props; 
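Review bot: `props.put(JettyConstants.HTTPS_HOST, httpHost);` at the end of the second hunk stores the HTTP bind host under the HTTPS key even though `httpsHost` was read two lines earlier for exactly that purpose; it should be `props.put(JettyConstants.HTTPS_HOST, httpsHost);`. The `"changeit"` fallback for `keyStorePassword` is also the password the freshly generated keystore is created with, so an instance that never sets the Jetty `SSL_PASSWORD` property ends up with its TLS private key protected by a well-known default, and nothing in the logs says so; a `log.warn("No keystore password configured, using default for " + keyStorePath);` at the point of fallback would make that state visible without printing the secret. Note too that `createSelfSignedKeyStore` (added at the end of this diff) catches and logs its own failures, so when generation fails these lines still hand Jetty an `SSL_KEYSTORE` path that does not exist and the HTTPS startup error surfaces far from its cause. The enclosing method begins and ends outside the hunk.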
@@ -99,23 +115,18 @@ class FirstInit {
 // Business roles
 String userAdminUris = getFrameworkProp(NodeConstants.USERADMIN_URIS);
 if (userAdminUris == null) {
- String kerberosDomain = Activator.getCmsSecurity().getKerberosDomain();
- if (kerberosDomain != null) {
- userAdminUris = "ipa:///" + kerberosDomain;
- } else {
- String demoBaseDn = "dc=example,dc=com";
- File businessRolesFile = new File(nodeBaseDir, demoBaseDn + ".ldif");
- if (!businessRolesFile.exists())
- try {
- FileUtils.copyInputStreamToFile(getClass().getResourceAsStream(demoBaseDn + ".ldif"),
- businessRolesFile);
- } catch (IOException e) {
- throw new CmsException("Cannot copy demo resource", e);
- }
- userAdminUris = businessRolesFile.toURI().toString();
- log.warn("## DEV Using dummy base DN " + demoBaseDn);
- // TODO downgrade security level
- }
+ String demoBaseDn = "dc=example,dc=com";
+ File businessRolesFile = new File(nodeBaseDir, demoBaseDn + ".ldif");
+ if (!businessRolesFile.exists())
+ try {
+ FileUtils.copyInputStreamToFile(getClass().getResourceAsStream(demoBaseDn + ".ldif"),
+ businessRolesFile);
+ } catch (IOException e) {
+ throw new CmsException("Cannot copy demo resource", e);
+ }
+ userAdminUris = businessRolesFile.toURI().toString();
+ log.warn("## DEV Using dummy base DN " + demoBaseDn);
+ // TODO downgrade security level
 }
 for (String userAdminUri : userAdminUris.split(" "))
 uris.add(userAdminUri);
@@ -149,8 +160,8 @@ class FirstInit {
 }
 
 /**
- * Called before node initialisation, in order populate OSGi instance are
- * with some files (typically LDIF, etc).
+ * Called before node initialisation, in order populate OSGi instance are with
+ * some files (typically LDIF, etc).
 */
 static void prepareInstanceArea() {
 String nodeInit = getFrameworkProp(NodeConstants.NODE_INIT);
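Review bot: In the first hunk `getClass().getResourceAsStream(demoBaseDn + ".ldif")` returns null when the bundled demo LDIF is missing, and `FileUtils.copyInputStreamToFile` then fails with a NullPointerException instead of the `CmsException` the catch clause was written for, leaving the operator with no hint about which resource was absent. Reading the stream into a local first gives a clear failure: `InputStream in = getClass().getResourceAsStream(demoBaseDn + ".ldif");` / `if (in == null) throw new CmsException("Demo resource " + demoBaseDn + ".ldif not found");` / `FileUtils.copyInputStreamToFile(in, businessRolesFile);` (needs `java.io.InputStream` in the import block). With the Kerberos branch gone, every node started without `USERADMIN_URIS` now gets the `dc=example,dc=com` demo directory, so the retained `// TODO downgrade security level` comment deserves to say what is actually at stake, e.g. `// TODO downgrade security level: demo LDIF contains well-known accounts and must not be used on an exposed node` (hedged: the LDIF contents are not on this page). The enclosing method starts before the hunk and continues after it.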
@@ -185,4 +196,30 @@ class FirstInit {
 }
 }
 
+ private void createSelfSignedKeyStore(Path keyStorePath, String keyStorePassword) {
+ // for (Provider provider : Security.getProviders())
+ // System.out.println(provider.getName());
+ File keyStoreFile = keyStorePath.toFile();
+ char[] ksPwd = keyStorePassword.toCharArray();
+ char[] keyPwd = Arrays.copyOf(ksPwd, ksPwd.length);
+ if (!keyStoreFile.exists()) {
+ try {
+ keyStoreFile.getParentFile().mkdirs();
+ KeyStore keyStore = PkiUtils.getKeyStore(keyStoreFile, ksPwd);
+ PkiUtils.generateSelfSignedCertificate(keyStore,
+ new X500Principal("CN=" + InetAddress.getLocalHost().getHostName() + ",OU=UNSECURE,O=UNSECURE"),
+ 1024, keyPwd);
+ PkiUtils.saveKeyStore(keyStoreFile, ksPwd, keyStore);
+ if (log.isDebugEnabled())
+ log.debug("Created self-signed unsecure keystore " + keyStoreFile);
+ } catch (Exception e) {
+ if (keyStoreFile.length() == 0)
+ keyStoreFile.delete();
+ log.error("Cannot create keystore " + keyStoreFile, e);
+ }
+ } else {
+ throw new CmsException("Keystore " + keyStorePath + " already exists");
+ }
+ }
+
 }
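Review bot: The `catch (Exception e)` block in `createSelfSignedKeyStore` only logs, so the method returns normally after a failed generation and its caller goes on to point Jetty at a keystore file that was never written; replacing `log.error("Cannot create keystore " + keyStoreFile, e);` with `throw new CmsException("Cannot create keystore " + keyStoreFile, e);` keeps the cleanup of the empty file and fails where the cause is known, consistent with the `CmsException` already thrown in the else branch. The hard-coded `1024` passed to `PkiUtils.generateSelfSignedCertificate` is presumably the RSA key size (its signature is not on the page); if so it is below the 2048-bit floor that current guidance sets even for throwaway certificates, and a named constant such as `private static final int SELF_SIGNED_KEY_SIZE = 2048;` with a comment stating that the store is a development convenience would make the choice reviewable. `ksPwd` and `keyPwd` are never cleared after use; an `Arrays.fill(ksPwd, '\0'); Arrays.fill(keyPwd, '\0');` in a `finally` is the usual courtesy for password arrays, even though `keyStorePassword` itself remains in the String. The two commented-out `Provider` lines at the top of the method are debugging residue and should be deleted rather than committed.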