X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fkernel%2FInitUtils.java;h=a2006a7049e306018c57902fb86c636e417fc904;hb=549ff25baf9371d910065303e22daf49321b517a;hp=011d3856adc01ab15fec341f8700a75557ab6730;hpb=9ec85110269f8be5c83ea26e283359bb451a67b7;p=lgpl%2Fargeo-commons.git
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/InitUtils.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/InitUtils.java
index 011d3856a..a2006a704 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/InitUtils.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/InitUtils.java
@@ -5,77 +5,34 @@ import static org.argeo.cms.internal.kernel.KernelUtils.getFrameworkProp;
 import java.io.File;
 import java.io.FileFilter;
 import java.io.IOException;
+import java.io.Reader;
 import java.net.InetAddress;
 import java.net.URI;
-import java.net.URISyntaxException;
+import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.security.KeyStore;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Dictionary;
-import java.util.HashMap;
 import java.util.Hashtable;
 import java.util.List;
-import java.util.Map;
-import javax.jcr.Repository;
-import javax.jcr.RepositoryException;
-import javax.jcr.RepositoryFactory;
 import javax.security.auth.x500.X500Principal;
 import org.apache.commons.io.FileUtils;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.argeo.api.NodeConstants;
+import org.argeo.api.cms.CmsConstants;
+import org.argeo.api.cms.CmsLog;
 import org.argeo.cms.internal.http.InternalHttpConstants;
-import org.argeo.cms.internal.jcr.RepoConf;
-import org.argeo.jackrabbit.client.ClientDavexRepositoryFactory;
-import org.argeo.jcr.JcrException;
-import org.argeo.naming.LdapAttrs;
 import org.argeo.osgi.useradmin.UserAdminConf;
-import org.osgi.framework.BundleContext;
-import org.osgi.framework.Constants;
 /**
 * Interprets framework properties in order to generate the initial deploy
 * configuration.
 */
 class InitUtils {
- private final static Log log = LogFactory.getLog(InitUtils.class);
+ private final static CmsLog log = CmsLog.getLog(InitUtils.class);
- /** Override the provided config with the framework properties */
- static Dictionary getNodeRepositoryConfig(Dictionary provided) {
- Dictionary props = provided != null ? provided : new Hashtable();
- for (RepoConf repoConf : RepoConf.values()) {
- Object value = getFrameworkProp(NodeConstants.NODE_REPO_PROP_PREFIX + repoConf.name());
- if (value != null) {
- props.put(repoConf.name(), value);
- if (log.isDebugEnabled())
- log.debug("Set node repo configuration " + repoConf.name() + " to " + value);
- }
- }
- props.put(NodeConstants.CN, NodeConstants.NODE_REPOSITORY);
- return props;
- }
-
- static Dictionary getRepositoryConfig(String dataModelName, Dictionary provided) {
- if (dataModelName.equals(NodeConstants.NODE_REPOSITORY) || dataModelName.equals(NodeConstants.EGO_REPOSITORY))
- throw new IllegalArgumentException("Data model '" + dataModelName + "' is reserved.");
- Dictionary props = provided != null ? provided : new Hashtable();
- for (RepoConf repoConf : RepoConf.values()) {
- Object value = getFrameworkProp(
- NodeConstants.NODE_REPOS_PROP_PREFIX + dataModelName + '.' + repoConf.name());
- if (value != null) {
- props.put(repoConf.name(), value);
- if (log.isDebugEnabled())
- log.debug("Set " + dataModelName + " repo configuration " + repoConf.name() + " to " + value);
- }
- }
- if (props.size() != 0)
- props.put(NodeConstants.CN, dataModelName);
- return props;
- }
 /** Override the provided config with the framework properties */
 static Dictionary getHttpServerConfig(Dictionary provided) {
@@ -110,15 +67,40 @@ class InitUtils {
 // server certificate
 Path keyStorePath = KernelUtils.getOsgiInstancePath(KernelConstants.DEFAULT_KEYSTORE_PATH);
- String keyStorePassword = getFrameworkProp(
+ Path pemKeyPath = KernelUtils.getOsgiInstancePath(KernelConstants.DEFAULT_PEM_KEY_PATH);
+ Path pemCertPath = KernelUtils.getOsgiInstancePath(KernelConstants.DEFAULT_PEM_CERT_PATH);
+ String keyStorePasswordStr = getFrameworkProp(
 InternalHttpConstants.JETTY_PROPERTY_PREFIX + InternalHttpConstants.SSL_PASSWORD);
- if (keyStorePassword == null)
- keyStorePassword = "changeit";
+ char[] keyStorePassword;
+ if (keyStorePasswordStr == null)
+ keyStorePassword = "changeit".toCharArray();
+ else
+ keyStorePassword = keyStorePasswordStr.toCharArray();
+
+ // if PEM files both exists, update the PKCS12 file
+ if (Files.exists(pemCertPath) && Files.exists(pemKeyPath)) {
+ // TODO check certificate update time? monitor changes?
+ KeyStore keyStore = PkiUtils.getKeyStore(keyStorePath, keyStorePassword, PkiUtils.PKCS12);
+ try (Reader key = Files.newBufferedReader(pemKeyPath, StandardCharsets.US_ASCII);
+ Reader cert = Files.newBufferedReader(pemCertPath, StandardCharsets.US_ASCII);) {
+ PkiUtils.loadPem(keyStore, key, keyStorePassword, cert);
+ PkiUtils.saveKeyStore(keyStorePath, keyStorePassword, keyStore);
+ if (log.isDebugEnabled())
+ log.debug("PEM certificate stored in " + keyStorePath);
+ } catch (IOException e) {
+ log.error("Cannot read PEM files " + pemKeyPath + " and " + pemCertPath, e);
+ }
+ }
+
 if (!Files.exists(keyStorePath))
 createSelfSignedKeyStore(keyStorePath, keyStorePassword, PkiUtils.PKCS12);
 props.put(InternalHttpConstants.SSL_KEYSTORETYPE, PkiUtils.PKCS12);
 props.put(InternalHttpConstants.SSL_KEYSTORE, keyStorePath.toString());
- props.put(InternalHttpConstants.SSL_PASSWORD, keyStorePassword);
+ props.put(InternalHttpConstants.SSL_PASSWORD, new String(keyStorePassword));
+
+// props.put(InternalHttpConstants.SSL_KEYSTORETYPE, "PKCS11");
+// props.put(InternalHttpConstants.SSL_KEYSTORE, "../../nssdb");
+// props.put(InternalHttpConstants.SSL_PASSWORD, keyStorePassword);
 // client certificate authentication
 String wantClientAuth = getFrameworkProp(
@@ -135,7 +117,7 @@ class InitUtils {
 if (webSocketEnabled != null && webSocketEnabled.equals("true"))
 props.put(InternalHttpConstants.WEBSOCKET_ENABLED, true);
- props.put(NodeConstants.CN, NodeConstants.DEFAULT);
+ props.put(CmsConstants.CN, CmsConstants.DEFAULT);
 }
 return props;
 }
@@ -146,8 +128,8 @@ class InitUtils {
 List uris = new ArrayList<>();
 // node roles
- String nodeRolesUri = getFrameworkProp(NodeConstants.ROLES_URI);
- String baseNodeRoleDn = NodeConstants.ROLES_BASEDN;
+ String nodeRolesUri = getFrameworkProp(CmsConstants.ROLES_URI);
+ String baseNodeRoleDn = CmsConstants.ROLES_BASEDN;
 if (nodeRolesUri == null) {
 nodeRolesUri = baseNodeRoleDn + ".ldif";
 File nodeRolesFile = new File(nodeBaseDir, nodeRolesUri);
@@ -163,8 +145,8 @@ class InitUtils {
 uris.add(nodeRolesUri);
 // node tokens
- String nodeTokensUri = getFrameworkProp(NodeConstants.TOKENS_URI);
- String baseNodeTokensDn = NodeConstants.TOKENS_BASEDN;
+ String nodeTokensUri = getFrameworkProp(CmsConstants.TOKENS_URI);
+ String baseNodeTokensDn = CmsConstants.TOKENS_BASEDN;
 if (nodeTokensUri == null) {
 nodeTokensUri = baseNodeTokensDn + ".ldif";
 File nodeTokensFile = new File(nodeBaseDir, nodeTokensUri);
@@ -180,7 +162,7 @@ class InitUtils {
 uris.add(nodeTokensUri);
 // Business roles
- String userAdminUris = getFrameworkProp(NodeConstants.USERADMIN_URIS);
+ String userAdminUris = getFrameworkProp(CmsConstants.USERADMIN_URIS);
 if (userAdminUris == null) {
 String demoBaseDn = "dc=example,dc=com";
 userAdminUris = demoBaseDn + ".ldif";
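Review bot: When `keyStorePasswordStr` is null, the new PEM import branch writes the operator's real private key into the PKCS12 file protected by the literal default `"changeit"`, and nothing in the hunk records that the fallback was taken; a line at the fallback such as `log.warn("No " + InternalHttpConstants.SSL_PASSWORD + " configured, protecting the keystore with the default password");` would make that visible to whoever deploys the PEM files. The `catch (IOException e)` only covers I/O failures, while `PkiUtils.getKeyStore` is called before the try block and the signatures of `loadPem`/`saveKeyStore` are not visible here, so any other exception from them aborts `getHttpServerConfig` instead of falling back to the existing keystore — worth confirming the thrown types or widening the catch. The three commented-out PKCS11 `props.put` lines are dead code; if they document a planned option, a one-line TODO comment says the same without leaving commented-out statements. `getHttpServerConfig` begins before this hunk, where `props` is defined.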
@@ -237,14 +219,15 @@ class InitUtils {
 * some files (typically LDIF, etc).
 */
 static void prepareFirstInitInstanceArea() {
- String nodeInits = getFrameworkProp(NodeConstants.NODE_INIT);
+ String nodeInits = getFrameworkProp(CmsConstants.NODE_INIT);
 if (nodeInits == null)
 nodeInits = "../../init";
 for (String nodeInit : nodeInits.split(",")) {
 if (nodeInit.startsWith("http")) {
- registerRemoteInit(nodeInit);
+ // TODO reconnect it
+ //registerRemoteInit(nodeInit);
 } else {
 // TODO use java.nio.file
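Review bot: Commenting out `registerRemoteInit(nodeInit)` makes every `nodeInit` entry starting with `http` disappear silently: the loop takes the `http` branch, does nothing, and neither applies nor reports the configured remote init. Until the TODO is resolved the branch should at least say so, e.g. `log.warn("Remote init " + nodeInit + " is not supported in this version and is ignored");`, so an operator whose `CmsConstants.NODE_INIT` points at a URL can see why the instance area stayed empty. `prepareFirstInitInstanceArea` continues past the end of the hunk.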
@@ -273,51 +256,29 @@ class InitUtils {
 }
 }
- private static void registerRemoteInit(String uri) {
- try {
- BundleContext bundleContext = KernelUtils.getBundleContext();
- Repository repository = createRemoteRepository(new URI(uri));
- Hashtable properties = new Hashtable<>();
- properties.put(NodeConstants.CN, NodeConstants.NODE_INIT);
- properties.put(LdapAttrs.labeledURI.name(), uri);
- properties.put(Constants.SERVICE_RANKING, -1000);
- bundleContext.registerService(Repository.class, repository, properties);
- } catch (RepositoryException e) {
- throw new JcrException(e);
- } catch (URISyntaxException e) {
- throw new IllegalArgumentException(e);
- }
- }
-
- private static Repository createRemoteRepository(URI uri) throws RepositoryException {
- RepositoryFactory repositoryFactory = new ClientDavexRepositoryFactory();
- Map params = new HashMap();
- params.put(ClientDavexRepositoryFactory.JACKRABBIT_DAVEX_URI, uri.toString());
- // TODO make it configurable
- params.put(ClientDavexRepositoryFactory.JACKRABBIT_REMOTE_DEFAULT_WORKSPACE, NodeConstants.SYS_WORKSPACE);
- return repositoryFactory.getRepository(params);
- }
-
- private static void createSelfSignedKeyStore(Path keyStorePath, String keyStorePassword, String keyStoreType) {
+ private static void createSelfSignedKeyStore(Path keyStorePath, char[] keyStorePassword, String keyStoreType) {
 // for (Provider provider : Security.getProviders())
 // System.out.println(provider.getName());
- File keyStoreFile = keyStorePath.toFile();
- char[] ksPwd = keyStorePassword.toCharArray();
- char[] keyPwd = Arrays.copyOf(ksPwd, ksPwd.length);
- if (!keyStoreFile.exists()) {
+// File keyStoreFile = keyStorePath.toFile();
+ char[] keyPwd = Arrays.copyOf(keyStorePassword, keyStorePassword.length);
+ if (!Files.exists(keyStorePath)) {
 try {
- keyStoreFile.getParentFile().mkdirs();
- KeyStore keyStore = PkiUtils.getKeyStore(keyStoreFile, ksPwd, keyStoreType);
+ Files.createDirectories(keyStorePath.getParent());
+ KeyStore keyStore = PkiUtils.getKeyStore(keyStorePath, keyStorePassword, keyStoreType);
 PkiUtils.generateSelfSignedCertificate(keyStore, new X500Principal("CN=" + InetAddress.getLocalHost().getHostName() + ",OU=UNSECURE,O=UNSECURE"), 1024, keyPwd);
- PkiUtils.saveKeyStore(keyStoreFile, ksPwd, keyStore);
+ PkiUtils.saveKeyStore(keyStorePath, keyStorePassword, keyStore);
 if (log.isDebugEnabled())
- log.debug("Created self-signed unsecure keystore " + keyStoreFile);
+ log.debug("Created self-signed unsecure keystore " + keyStorePath);
 } catch (Exception e) {
- if (keyStoreFile.length() == 0)
- keyStoreFile.delete();
- log.error("Cannot create keystore " + keyStoreFile, e);
+ try {
+ if (Files.size(keyStorePath) == 0)
+ Files.delete(keyStorePath);
+ } catch (IOException e1) {
+ // silent
+ }
+ log.error("Cannot create keystore " + keyStorePath, e);
 }
 } else {
 throw new IllegalStateException("Keystore " + keyStorePath + " already exists");
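Review bot: The new `catch (IOException e1) { // silent }` around the cleanup hides why a half-written keystore could not be removed, and `Files.size` on a path that was never created throws `NoSuchFileException`, which lands in the same branch; the expected case and the unexpected ones should be told apart, e.g. replace `// silent` with `// NoSuchFileException is expected when the file was never written` followed by `log.error("Cannot clean up keystore " + keyStorePath, e1);`, or at least log at debug level. `keyStorePath.getParent()` is null for a one-element relative path and `Files.createDirectories` does not accept null; the old `getParentFile().mkdirs()` had the same gap, so this only matters if `KernelUtils.getOsgiInstancePath` can return such a path. The commented-out `// File keyStoreFile = keyStorePath.toFile();` is dead code left over from the migration and can be dropped. The method's closing braces and the rest of the class lie beyond the hunk.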