X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fkernel%2FHomeRepository.java;h=cc7005be3850932a0a001fee778d5a7878e00cf0;hb=b6cad136dfd4589bc2a8f48ec9168732517f451b;hp=d73b554e8bda61354c55b09538716ca8858f4966;hpb=d039711d38e91f8d419e784f9b88f3a86bfc8538;p=lgpl%2Fargeo-commons.git
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/HomeRepository.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/HomeRepository.java
index d73b554e8..cc7005be3 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/HomeRepository.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/HomeRepository.java
@@ -1,13 +1,19 @@
 package org.argeo.cms.internal.kernel;
 import java.security.PrivilegedAction;
+import java.text.SimpleDateFormat;
 import java.util.HashSet;
 import java.util.Set;
+import javax.jcr.Credentials;
+import javax.jcr.LoginException;
+import javax.jcr.NoSuchWorkspaceException;
 import javax.jcr.Node;
+import javax.jcr.Property;
 import javax.jcr.Repository;
 import javax.jcr.RepositoryException;
 import javax.jcr.Session;
+import javax.jcr.nodetype.NodeType;
 import javax.jcr.security.Privilege;
 import javax.naming.InvalidNameException;
 import javax.naming.ldap.LdapName;
@@ -15,86 +21,110 @@ import javax.security.auth.Subject; import javax.security.auth.login.LoginContext; import org.argeo.cms.CmsException; +import org.argeo.jackrabbit.security.JackrabbitSecurityUtils; import org.argeo.jcr.JcrRepositoryWrapper; import org.argeo.jcr.JcrUtils; import org.argeo.node.NodeConstants; -import org.argeo.node.NodeNames; -import org.argeo.node.NodeTypes; import org.argeo.node.NodeUtils; /** * Make sure each user has a home directory available in the default workspace. */ class HomeRepository extends JcrRepositoryWrapper implements KernelConstants { + /** The home base path. */ - private String homeBasePath = "/home"; -// private String peopleBasePath = NodeConstants.PEOPLE_BASE_PATH; +// private String homeBasePath = KernelConstants.DEFAULT_HOME_BASE_PATH; +// private String usersBasePath = KernelConstants.DEFAULT_USERS_BASE_PATH; +// private String groupsBasePath = KernelConstants.DEFAULT_GROUPS_BASE_PATH; private Set checkedUsers = new HashSet(); - public HomeRepository(Repository repository) { + private SimpleDateFormat usersDatePath = new SimpleDateFormat("YYYY/MM"); + + private String defaultHomeWorkspace = NodeConstants.HOME; + private String defaultGroupsWorkspace = NodeConstants.GROUPS; + private String defaultGuestsWorkspace = NodeConstants.GUESTS; + private final boolean remote; + + public HomeRepository(Repository repository, boolean remote) { super(repository); + this.remote = remote; putDescriptor(NodeConstants.CN, NodeConstants.HOME); - LoginContext lc; + if (!remote) { + LoginContext lc; + try { + lc = new LoginContext(NodeConstants.LOGIN_CONTEXT_DATA_ADMIN); + lc.login(); + } catch (javax.security.auth.login.LoginException e1) { + throw new CmsException("Cannot login as systrem", e1); + } + Subject.doAs(lc.getSubject(), new PrivilegedAction() { + + @Override + public Void run() { + loginOrCreateWorkspace(defaultHomeWorkspace); + loginOrCreateWorkspace(defaultGroupsWorkspace); + return null; + } + + }); + } + } + + private 
void loginOrCreateWorkspace(String workspace) { + Session adminSession = null; try { - lc = new LoginContext(NodeConstants.LOGIN_CONTEXT_DATA_ADMIN); - lc.login(); - } catch (javax.security.auth.login.LoginException e1) { - throw new CmsException("Cannot login as systrem", e1); + adminSession = JcrUtils.loginOrCreateWorkspace(getRepository(workspace), workspace); +// JcrUtils.addPrivilege(adminSession, "/", NodeConstants.ROLE_USER, Privilege.JCR_READ); + +// initJcr(adminSession); + } catch (RepositoryException e) { + throw new CmsException("Cannot init JCR home", e); + } finally { + JcrUtils.logoutQuietly(adminSession); } - Subject.doAs(lc.getSubject(), new PrivilegedAction() { - - @Override - public Void run() { - try { - initJcr(getRepository().login()); - } catch (RepositoryException e) { - throw new CmsException("Cannot init JCR home", e); - } - return null; - } + } + + @Override + public Session login(Credentials credentials, String workspaceName) + throws LoginException, NoSuchWorkspaceException, RepositoryException { + if (workspaceName == null) { + return super.login(credentials, getUserHomeWorkspace()); + } else { + return super.login(credentials, workspaceName); + } + } - }); + protected String getUserHomeWorkspace() { + // TODO base on JAAS Subject metadata + return defaultHomeWorkspace; } - // @Override - // public Session login() throws LoginException, RepositoryException { - // Session session = super.login(); - // String username = session.getUserID(); - // if (username == null) - // return session; - // if (session.getUserID().equals(AuthConstants.ROLE_ANONYMOUS)) - // return session; - // - // if (checkedUsers.contains(username)) - // return session; - // Session adminSession = KernelUtils.openAdminSession(getRepository(), - // session.getWorkspace().getName()); - // try { - // syncJcr(adminSession, username); - // checkedUsers.add(username); - // } finally { - // JcrUtils.logoutQuietly(adminSession); - // } - // return session; - // } + protected 
String getGroupsWorkspace() { + // TODO base on JAAS Subject metadata + return defaultGroupsWorkspace; + } + + protected String getGuestsWorkspace() { + // TODO base on JAAS Subject metadata + return defaultGuestsWorkspace; + } @Override - protected void processNewSession(Session session) { + protected void processNewSession(Session session, String workspaceName) { String username = session.getUserID(); - if (username == null) + if (username == null || username.toString().equals("")) return; if (session.getUserID().equals(NodeConstants.ROLE_ANONYMOUS)) return; -// if (session.getUserID().equals(AuthConstants.ROLE_KERNEL)) -// return; -// if (session.getUserID().equals(SecurityConstants.ADMIN_ID)) -// return; + + String userHomeWorkspace = getUserHomeWorkspace(); + if (workspaceName != null && !workspaceName.equals(userHomeWorkspace)) + return; if (checkedUsers.contains(username)) return; - Session adminSession = KernelUtils.openAdminSession(getRepository(), - session.getWorkspace().getName()); + Session adminSession = KernelUtils.openAdminSession(getRepository(workspaceName), workspaceName); try { syncJcr(adminSession, username); checkedUsers.add(username); 
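Review bot: In `processNewSession`, a null `workspaceName` passes the new workspace guard and is then handed unchanged to `KernelUtils.openAdminSession(getRepository(workspaceName), workspaceName)`, whereas the new `login(Credentials, String)` override maps null to `getUserHomeWorkspace()`. Unless both helpers resolve null to that same workspace (not visible in this hunk), the home node and its ACL can end up in a different workspace from the one the user's session is in. Using the value that is already computed removes the ambiguity: `Session adminSession = KernelUtils.openAdminSession(getRepository(userHomeWorkspace), userHomeWorkspace);`. Separately, `checkedUsers` is a plain `HashSet` that is read and updated here without synchronization, so a concurrent set would be safer if sessions are opened from several threads. The body of `processNewSession` continues past the end of the hunk.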
@@ -109,86 +139,59 @@ class HomeRepository extends JcrRepositoryWrapper implements KernelConstants { /** Session is logged out. */ private void initJcr(Session adminSession) { try { - JcrUtils.mkdirs(adminSession, homeBasePath); -// JcrUtils.mkdirs(adminSession, peopleBasePath); +// JcrUtils.mkdirs(adminSession, homeBasePath); +// JcrUtils.mkdirs(adminSession, groupsBasePath); adminSession.save(); - JcrUtils.addPrivilege(adminSession, homeBasePath, - NodeConstants.ROLE_USER_ADMIN, Privilege.JCR_READ); -// JcrUtils.addPrivilege(adminSession, peopleBasePath, -// NodeConstants.ROLE_USER_ADMIN, Privilege.JCR_ALL); +// JcrUtils.addPrivilege(adminSession, homeBasePath, NodeConstants.ROLE_USER_ADMIN, Privilege.JCR_READ); +// JcrUtils.addPrivilege(adminSession, groupsBasePath, NodeConstants.ROLE_USER_ADMIN, Privilege.JCR_READ); adminSession.save(); } catch (RepositoryException e) { - throw new CmsException("Cannot initialize node user admin", e); + throw new CmsException("Cannot initialize home repository", e); } finally { JcrUtils.logoutQuietly(adminSession); } } - private void syncJcr(Session session, String username) { + protected synchronized void syncJcr(Session adminSession, String username) { + // only in the default workspace +// if (workspaceName != null) +// return; + // skip system users + if (username.endsWith(NodeConstants.ROLES_BASEDN)) + return; + try { - Node userHome = NodeUtils.getUserHome(session, username); + Node userHome = NodeUtils.getUserHome(adminSession, username); if (userHome == null) { - String homePath = generateUserPath(homeBasePath, username); - if (session.itemExists(homePath))// duplicate user id - userHome = session.getNode(homePath).getParent() - .addNode(JcrUtils.lastPathElement(homePath)); - else - userHome = JcrUtils.mkdirs(session, homePath); - // userHome = JcrUtils.mkfolders(session, homePath); - userHome.addMixin(NodeTypes.NODE_USER_HOME); - userHome.setProperty(NodeNames.LDAP_UID, username); - session.save(); - - 
JcrUtils.clearAccessControList(session, homePath, username); - JcrUtils.addPrivilege(session, homePath, username, - Privilege.JCR_ALL); - } - -// Node userProfile = NodeUtils.getUserProfile(session, username); -// // new user -// if (userProfile == null) { -// String personPath = generateUserPath(peopleBasePath, username); -// Node personBase; -// if (session.itemExists(personPath))// duplicate user id -// personBase = session.getNode(personPath).getParent() -// .addNode(JcrUtils.lastPathElement(personPath)); +// String homePath = generateUserPath(username); + String userId = extractUserId(username); +// if (adminSession.itemExists(homePath))// duplicate user id +// userHome = adminSession.getNode(homePath).getParent().addNode(JcrUtils.lastPathElement(homePath)); // else -// personBase = JcrUtils.mkdirs(session, personPath); -// userProfile = personBase.addNode(ArgeoNames.ARGEO_PROFILE); -// userProfile.addMixin(ArgeoTypes.ARGEO_USER_PROFILE); -// userProfile.setProperty(ArgeoNames.ARGEO_USER_ID, username); -// // userProfile.setProperty(ArgeoNames.ARGEO_ENABLED, true); -// // userProfile.setProperty(ArgeoNames.ARGEO_ACCOUNT_NON_EXPIRED, -// // true); -// // userProfile.setProperty(ArgeoNames.ARGEO_ACCOUNT_NON_LOCKED, -// // true); -// // userProfile.setProperty(ArgeoNames.ARGEO_CREDENTIALS_NON_EXPIRED, -// // true); -// session.save(); -// -// JcrUtils.clearAccessControList(session, userProfile.getPath(), -// username); -// JcrUtils.addPrivilege(session, userProfile.getPath(), username, +// userHome = JcrUtils.mkdirs(adminSession, homePath); + userHome = adminSession.getRootNode().addNode(userId); +// userHome.addMixin(NodeTypes.NODE_USER_HOME); + userHome.addMixin(NodeType.MIX_CREATED); + userHome.setProperty(Property.JCR_ID, username); +// userHome.setProperty(NodeNames.LDAP_UID, username); + adminSession.save(); + + JcrUtils.clearAccessControList(adminSession, userHome.getPath(), username); + JcrUtils.addPrivilege(adminSession, userHome.getPath(), username, 
Privilege.JCR_ALL); +// JackrabbitSecurityUtils.denyPrivilege(adminSession, userHome.getPath(), NodeConstants.ROLE_USER, // Privilege.JCR_READ); -// } - - // Remote roles - // if (roles != null) { - // writeRemoteRoles(userProfile, roles); - // } - if (session.hasPendingChanges()) - session.save(); -// return userProfile; + } + if (adminSession.hasPendingChanges()) + adminSession.save(); } catch (RepositoryException e) { - JcrUtils.discardQuietly(session); - throw new CmsException("Cannot sync node security model for " - + username, e); + JcrUtils.discardQuietly(adminSession); + throw new CmsException("Cannot sync node security model for " + username, e); } } /** Generate path for a new user home */ - private String generateUserPath(String base, String username) { + private String generateUserPath(String username) { LdapName dn; try { dn = new LdapName(username); 
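Review bot: In `syncJcr`, the name passed to `adminSession.getRootNode().addNode(userId)` is the raw value of the leaf RDN, and the duplicate-id branch the old code had is now commented out. Characters that are special in JCR names or paths (`/`, `:`, `[`) are not escaped, and two DNs from different branches with the same leaf value map to the same node name under the workspace root, so the second user gets either an exception or a same-name sibling depending on the root node type. `createWorkgroup` in this commit already sanitizes with `JcrUtils.replaceInvalidChars`; doing the same here, together with an explicit existence check before `addNode`, keeps home creation and the `JCR_ALL` grant unambiguous: `userHome = adminSession.getRootNode().addNode(JcrUtils.replaceInvalidChars(userId));`. The `username.endsWith(NodeConstants.ROLES_BASEDN)` skip is a case-sensitive string comparison on a DN, so comparing parsed `LdapName` values would be more reliable for excluding system users.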
@@ -196,19 +199,64 @@ class HomeRepository extends JcrRepositoryWrapper implements KernelConstants { throw new CmsException("Invalid name " + username, e); } String userId = dn.getRdn(dn.size() - 1).getValue().toString(); - int atIndex = userId.indexOf('@'); - if (atIndex > 0) { - String domain = userId.substring(0, atIndex); - String name = userId.substring(atIndex + 1); - return base + '/' + JcrUtils.firstCharsToPath(domain, 2) + '/' - + domain + '/' + JcrUtils.firstCharsToPath(name, 2) + '/' - + name; - } else if (atIndex == 0 || atIndex == (userId.length() - 1)) { - throw new CmsException("Unsupported username " + userId); - } else { - return base + '/' + JcrUtils.firstCharsToPath(userId, 2) + '/' - + userId; + return '/' + userId; +// int atIndex = userId.indexOf('@'); +// if (atIndex < 0) { +// return homeBasePath+'/' + userId; +// } else { +// return usersBasePath + '/' + usersDatePath.format(new Date()) + '/' + userId; +// } + } + + private String extractUserId(String username) { + LdapName dn; + try { + dn = new LdapName(username); + } catch (InvalidNameException e) { + throw new CmsException("Invalid name " + username, e); } + String userId = dn.getRdn(dn.size() - 1).getValue().toString(); + return userId; +// int atIndex = userId.indexOf('@'); +// if (atIndex < 0) { +// return homeBasePath+'/' + userId; +// } else { +// return usersBasePath + '/' + usersDatePath.format(new Date()) + '/' + userId; +// } + } + + public void createWorkgroup(LdapName dn) { + String groupsWorkspace = getGroupsWorkspace(); + Session adminSession = KernelUtils.openAdminSession(getRepository(groupsWorkspace), groupsWorkspace); + String cn = dn.getRdn(dn.size() - 1).getValue().toString(); + Node newWorkgroup = NodeUtils.getGroupHome(adminSession, cn); + if (newWorkgroup != null) { + JcrUtils.logoutQuietly(adminSession); + throw new CmsException("Workgroup " + newWorkgroup + " already exists for " + dn); + } + try { + // TODO enhance transformation of cn to a valid node name + // 
String relPath = cn.replaceAll("[^a-zA-Z0-9]", "_"); + String relPath = JcrUtils.replaceInvalidChars(cn); + newWorkgroup = adminSession.getRootNode().addNode(relPath, NodeType.NT_UNSTRUCTURED); +// newWorkgroup = JcrUtils.mkdirs(adminSession.getNode(groupsBasePath), relPath, NodeType.NT_UNSTRUCTURED); +// newWorkgroup.addMixin(NodeTypes.NODE_GROUP_HOME); + newWorkgroup.addMixin(NodeType.MIX_CREATED); + newWorkgroup.setProperty(Property.JCR_ID, dn.toString()); +// newWorkgroup.setProperty(NodeNames.LDAP_CN, cn); + adminSession.save(); + JcrUtils.addPrivilege(adminSession, newWorkgroup.getPath(), dn.toString(), Privilege.JCR_ALL); + adminSession.save(); + } catch (RepositoryException e) { + throw new CmsException("Cannot create workgroup", e); + } finally { + JcrUtils.logoutQuietly(adminSession); + } + + } + + public boolean isRemote() { + return remote; } }
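Review bot: In `createWorkgroup`, the admin session is opened and `NodeUtils.getGroupHome(adminSession, cn)` is called before the `try`, so any exception thrown by that lookup leaves the admin session logged in. Moving the lookup and the "already exists" check inside the `try` lets the existing `finally { JcrUtils.logoutQuietly(adminSession); }` cover every path and makes the separate manual logout unnecessary. The existence check is keyed on the raw `cn` while the node is created under `JcrUtils.replaceInvalidChars(cn)`; if `getGroupHome` looks up by node name (not visible here), two group names that sanitize to the same string would not be detected before `JCR_ALL` is granted on the new node. `generateUserPath` now duplicates `extractUserId` and looks unused after this change; dropping it would leave a single place where a DN is turned into a node name.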