X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fkernel%2FNodeSecurity.java;h=94579be185d10fe55f055112a839c59741a8eda1;hb=61780b581925666edd4bd7743a00dca7170f1d35;hp=0a512fff93988b778b01300ef65e70ffed67a9dc;hpb=27d9f106d83b7e747ae99bfd21cc6d3cdb60c560;p=lgpl%2Fargeo-commons.git diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeSecurity.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeSecurity.java index 0a512fff9..94579be18 100644 --- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeSecurity.java +++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeSecurity.java @@ -1,147 +1,172 @@ package org.argeo.cms.internal.kernel; +import static org.argeo.cms.internal.kernel.KernelUtils.getOsgiInstanceDir; + import java.io.File; import java.io.IOException; +import java.net.URL; +import java.security.KeyStore; +import java.util.Arrays; + +import javax.security.auth.Subject; +import javax.security.auth.callback.Callback; +import javax.security.auth.callback.CallbackHandler; +import javax.security.auth.callback.NameCallback; +import javax.security.auth.callback.PasswordCallback; +import javax.security.auth.callback.UnsupportedCallbackException; +import javax.security.auth.login.LoginContext; +import javax.security.auth.login.LoginException; +import javax.security.auth.x500.X500Principal; -import javax.jcr.RepositoryException; - -import org.apache.commons.io.FileUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.argeo.cms.CmsException; -import org.argeo.cms.KernelHeader; -import org.argeo.cms.internal.useradmin.SimpleJcrSecurityModel; -import org.argeo.cms.internal.useradmin.jackrabbit.JackrabbitUserAdminService; -import org.argeo.osgi.useradmin.AbstractLdapUserAdmin; -import org.argeo.osgi.useradmin.LdapUserAdmin; -import org.argeo.osgi.useradmin.LdifUserAdmin; -import org.argeo.security.OsAuthenticationToken; -import org.argeo.security.UserAdminService; -import org.argeo.security.core.InternalAuthentication; -import org.argeo.security.core.InternalAuthenticationProvider; -import org.argeo.security.core.OsAuthenticationProvider; -import org.osgi.framework.BundleContext; -import org.osgi.framework.ServiceRegistration; -import org.osgi.service.useradmin.Role; -import org.osgi.service.useradmin.UserAdmin; -import org.springframework.security.authentication.AnonymousAuthenticationProvider; -import org.springframework.security.authentication.AnonymousAuthenticationToken; -import org.springframework.security.authentication.AuthenticationManager; -import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; -import org.springframework.security.core.Authentication; -import org.springframework.security.core.AuthenticationException; -import org.springframework.security.provisioning.UserDetailsManager; - -/** Authentication and user management. */ -class NodeSecurity implements AuthenticationManager { +import org.argeo.cms.auth.AuthConstants; + +/** Low-level kernel security */ +class NodeSecurity implements KernelConstants { private final static Log log = LogFactory.getLog(NodeSecurity.class); - private final BundleContext bundleContext; - - private final OsAuthenticationProvider osAuth; - private final InternalAuthenticationProvider internalAuth; - private final AnonymousAuthenticationProvider anonymousAuth; - private final JackrabbitUserAdminService userAdminService; - private final NodeUserAdmin userAdmin; - - private ServiceRegistration authenticationManagerReg; - private ServiceRegistration userAdminServiceReg; - private ServiceRegistration userDetailsManagerReg; - - private ServiceRegistration userAdminReg; - - public NodeSecurity(BundleContext bundleContext, JackrabbitNode node) - throws RepositoryException { - this.bundleContext = bundleContext; - - osAuth = new OsAuthenticationProvider(); - internalAuth = new InternalAuthenticationProvider( - Activator.getSystemKey()); - anonymousAuth = new AnonymousAuthenticationProvider( - Activator.getSystemKey()); - - // user admin - userAdminService = new JackrabbitUserAdminService(); - userAdminService.setRepository(node); - userAdminService.setSecurityModel(new SimpleJcrSecurityModel()); - userAdminService.init(); - - userAdmin = new NodeUserAdmin(); - - String baseDn = "dc=example,dc=com"; - String userAdminUri = KernelUtils - .getFrameworkProp(KernelConstants.USERADMIN_URI); - if (userAdminUri == null) - userAdminUri = getClass().getResource(baseDn + ".ldif").toString(); - - AbstractLdapUserAdmin businessRoles; - if (userAdminUri.startsWith("ldap")) - businessRoles = new LdapUserAdmin(userAdminUri); - else { - businessRoles = new LdifUserAdmin(userAdminUri); - } - businessRoles.init(); - userAdmin.addUserAdmin(baseDn, businessRoles); + public final static int HARDENED = 3; + public final static int STAGING = 2; + public final static int DEV = 1; + + private final boolean firstInit; + + private final Subject kernelSubject; + private int securityLevel = STAGING; + + private final File keyStoreFile; - File osgiInstanceDir = KernelUtils.getOsgiInstanceDir(); - File homeDir = new File(osgiInstanceDir, "node"); + public NodeSecurity() { + // Configure JAAS first + URL url = getClass().getClassLoader().getResource(KernelConstants.JAAS_CONFIG); + System.setProperty("java.security.auth.login.config", url.toExternalForm()); + // log.debug("JASS config: " + url.toExternalForm()); + // disable Jetty autostart + // System.setProperty("org.eclipse.equinox.http.jetty.autostart", + // "false"); - String baseNodeRoleDn = KernelHeader.ROLES_BASEDN; - File nodeRolesFile = new File(homeDir, baseNodeRoleDn + ".ldif"); + firstInit = !new File(getOsgiInstanceDir(), DIR_NODE).exists(); + + this.keyStoreFile = new File(KernelUtils.getOsgiInstanceDir(), "node.p12"); + createKeyStoreIfNeeded(); + if (keyStoreFile.exists()) + this.kernelSubject = logInHardenedKernel(); + else + this.kernelSubject = logInKernel(); + } + + private Subject logInKernel() { + final Subject kernelSubject = new Subject(); try { - FileUtils.copyInputStreamToFile( - getClass().getResourceAsStream("demo.ldif"), nodeRolesFile); - } catch (IOException e) { - throw new CmsException("Cannot copy demo resource", e); + LoginContext kernelLc = new LoginContext(KernelConstants.LOGIN_CONTEXT_KERNEL, kernelSubject); + kernelLc.login(); + } catch (LoginException e) { + throw new CmsException("Cannot log in kernel", e); } - LdifUserAdmin nodeRoles = new LdifUserAdmin(nodeRolesFile.toURI() - .toString()); - nodeRoles.setExternalRoles(userAdmin); - nodeRoles.init(); - // nodeRoles.createRole(KernelHeader.ROLE_ADMIN, Role.GROUP); - userAdmin.addUserAdmin(baseNodeRoleDn, nodeRoles); - + return kernelSubject; } - public void publish() { - authenticationManagerReg = bundleContext.registerService( - AuthenticationManager.class, this, null); - userAdminServiceReg = bundleContext.registerService( - UserAdminService.class, userAdminService, null); - userDetailsManagerReg = bundleContext.registerService( - UserDetailsManager.class, userAdminService, null); - userAdminReg = bundleContext.registerService(UserAdmin.class, - userAdmin, null); + private Subject logInHardenedKernel() { + final Subject kernelSubject = new Subject(); + createKeyStoreIfNeeded(); + + CallbackHandler cbHandler = new CallbackHandler() { + + @Override + public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { + // alias + ((NameCallback) callbacks[1]).setName(AuthConstants.ROLE_KERNEL); + // store pwd + ((PasswordCallback) callbacks[2]).setPassword("changeit".toCharArray()); + // key pwd + ((PasswordCallback) callbacks[3]).setPassword("changeit".toCharArray()); + } + }; + try { + LoginContext kernelLc = new LoginContext(KernelConstants.LOGIN_CONTEXT_HARDENED_KERNEL, kernelSubject, + cbHandler); + kernelLc.login(); + } catch (LoginException e) { + throw new CmsException("Cannot log in kernel", e); + } + return kernelSubject; } void destroy() { + // Logout kernel try { - userAdminService.destroy(); - } catch (RepositoryException e) { - log.error("Error while destroying Jackrabbit useradmin"); + LoginContext kernelLc = new LoginContext(KernelConstants.LOGIN_CONTEXT_KERNEL, kernelSubject); + kernelLc.logout(); + } catch (LoginException e) { + throw new CmsException("Cannot log out kernel", e); } - userDetailsManagerReg.unregister(); - userAdminServiceReg.unregister(); - authenticationManagerReg.unregister(); - // userAdmin.destroy(); - userAdminReg.unregister(); + // Security.removeProvider(SECURITY_PROVIDER); } - @Override - public Authentication authenticate(Authentication authentication) - throws AuthenticationException { - Authentication auth = null; - if (authentication instanceof InternalAuthentication) - auth = internalAuth.authenticate(authentication); - else if (authentication instanceof AnonymousAuthenticationToken) - auth = anonymousAuth.authenticate(authentication); - else if (authentication instanceof UsernamePasswordAuthenticationToken) - auth = userAdminService.authenticate(authentication); - else if (authentication instanceof OsAuthenticationToken) - auth = osAuth.authenticate(authentication); - if (auth == null) - throw new CmsException("Could not authenticate " + authentication); - return auth; + public Subject getKernelSubject() { + return kernelSubject; } + + public synchronized int getSecurityLevel() { + return securityLevel; + } + + public boolean isFirstInit() { + return firstInit; + } + + public void setSecurityLevel(int newValue) { + if (newValue != STAGING || newValue != DEV) + throw new CmsException("Invalid value for security level " + newValue); + if (newValue >= securityLevel) + throw new CmsException( + "Impossible to increase security level (from " + securityLevel + " to " + newValue + ")"); + securityLevel = newValue; + } + + private void createKeyStoreIfNeeded() { + // for (Provider provider : Security.getProviders()) + // System.out.println(provider.getName()); + + char[] ksPwd = "changeit".toCharArray(); + char[] keyPwd = Arrays.copyOf(ksPwd, ksPwd.length); + if (!keyStoreFile.exists()) { + try { + keyStoreFile.getParentFile().mkdirs(); + KeyStore keyStore = PkiUtils.getKeyStore(keyStoreFile, ksPwd); + PkiUtils.generateSelfSignedCertificate(keyStore, new X500Principal(AuthConstants.ROLE_KERNEL), 1024, + keyPwd); + PkiUtils.saveKeyStore(keyStoreFile, ksPwd, keyStore); + if (log.isDebugEnabled()) + log.debug("Created keystore " + keyStoreFile); + } catch (Exception e) { + if (keyStoreFile.length() == 0) + keyStoreFile.delete(); + log.error("Cannot create keystore " + keyStoreFile, e); + } + } + } + + File getHttpServerKeyStore() { + return keyStoreFile; + } + + // private final static String SECURITY_PROVIDER = "BC";// Bouncy Castle + // private final static Log log; + // static { + // log = LogFactory.getLog(NodeSecurity.class); + // // Make Bouncy Castle the default provider + // Provider provider = new BouncyCastleProvider(); + // int position = Security.insertProviderAt(provider, 1); + // if (position == -1) + // log.error("Provider " + provider.getName() + // + " already installed and could not be set as default"); + // Provider defaultProvider = Security.getProviders()[0]; + // if (!defaultProvider.getName().equals(SECURITY_PROVIDER)) + // log.error("Provider name is " + defaultProvider.getName() + // + " but it should be " + SECURITY_PROVIDER); + // } }