X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fkernel%2FNodeSecurity.java;h=eeb2b18b468c37a6fc61ce900aded1eab349c4cb;hb=a9703e4b430af19ae04c9982d2393bf1b7504006;hp=aed824fbdff830b3b21f0cbd7ba22c39e48e6821;hpb=e91af5c65a42b3ff98400caa552965cdb3f730e6;p=lgpl%2Fargeo-commons.git diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeSecurity.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeSecurity.java index aed824fbd..eeb2b18b4 100644 --- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeSecurity.java +++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeSecurity.java @@ -1,14 +1,14 @@ package org.argeo.cms.internal.kernel; +import static org.argeo.cms.internal.kernel.KernelUtils.getOsgiInstanceDir; + import java.io.File; import java.io.IOException; import java.net.URL; -import java.nio.file.ProviderNotFoundException; import java.security.KeyStore; import java.security.Provider; import java.security.Security; import java.util.Arrays; -import java.util.Hashtable; import javax.security.auth.Subject; import javax.security.auth.callback.Callback; @@ -23,54 +23,41 @@ import javax.security.auth.x500.X500Principal; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.argeo.cms.CmsException; -import org.argeo.cms.KernelHeader; -import org.argeo.security.crypto.PkiUtils; +import org.argeo.cms.auth.AuthConstants; import org.bouncycastle.jce.provider.BouncyCastleProvider; -import org.osgi.framework.BundleContext; -import org.osgi.framework.ServiceRegistration; -import org.osgi.service.useradmin.UserAdmin; -import org.springframework.security.authentication.AuthenticationManager; -import org.springframework.security.core.Authentication; -import org.springframework.security.core.AuthenticationException; - -/** Authentication and user management. */ -class NodeSecurity implements AuthenticationManager { - private final static Log log; - static { - log = LogFactory.getLog(NodeSecurity.class); - // Make Bouncy Castle the default provider - Provider provider = new BouncyCastleProvider(); - int position = Security.insertProviderAt(provider, 1); - if (position == -1) - log.error("Provider " + provider.getName() - + " already installed and could not be set as default"); - Provider defaultProvider = Security.getProviders()[0]; - if (!defaultProvider.getName().equals(KernelHeader.SECURITY_PROVIDER)) - log.error("Provider name is " + defaultProvider.getName() - + " but it should be " + KernelHeader.SECURITY_PROVIDER); - } - private final BundleContext bundleContext; - private final NodeUserAdmin userAdmin; - private final Subject kernelSubject; +/** Low-level kernel security */ +class NodeSecurity implements KernelConstants { + public final static int HARDENED = 3; + public final static int STAGING = 2; + public final static int DEV = 1; + + private final boolean firstInit; - private ServiceRegistration authenticationManagerReg; + private final Subject kernelSubject; + private int securityLevel = STAGING; - private ServiceRegistration userAdminReg; + private final File keyStoreFile; - public NodeSecurity(BundleContext bundleContext) { + public NodeSecurity() { // Configure JAAS first URL url = getClass().getClassLoader().getResource( KernelConstants.JAAS_CONFIG); System.setProperty("java.security.auth.login.config", url.toExternalForm()); + // log.debug("JASS config: " + url.toExternalForm()); + // disable Jetty autostart + // System.setProperty("org.eclipse.equinox.http.jetty.autostart", + // "false"); + + firstInit = !new File(getOsgiInstanceDir(), DIR_NODE).exists(); - this.bundleContext = bundleContext; - this.kernelSubject = logKernel(); - userAdmin = new NodeUserAdmin(); + this.keyStoreFile = new File(KernelUtils.getOsgiInstanceDir(), + "node.p12"); + this.kernelSubject = logInKernel(); } - private Subject logKernel() { + private Subject logInKernel() { final Subject kernelSubject = new Subject(); createKeyStoreIfNeeded(); @@ -80,7 +67,8 @@ class NodeSecurity implements AuthenticationManager { public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { // alias - ((NameCallback) callbacks[1]).setName(KernelHeader.ROLE_KERNEL); + ((NameCallback) callbacks[1]) + .setName(AuthConstants.ROLE_KERNEL); // store pwd ((PasswordCallback) callbacks[2]).setPassword("changeit" .toCharArray()); @@ -100,61 +88,51 @@ class NodeSecurity implements AuthenticationManager { return kernelSubject; } - public void publish() { - authenticationManagerReg = bundleContext.registerService( - AuthenticationManager.class, this, null); - Hashtable properties = new Hashtable(); - // properties.put(KernelConstants.USERADMIN_URI, - // userAdmin.asConfigUris()); - userAdminReg = bundleContext.registerService(UserAdmin.class, - userAdmin, properties); - } - void destroy() { - authenticationManagerReg.unregister(); - - userAdmin.destroy(); - userAdminReg.unregister(); - // Logout kernel try { LoginContext kernelLc = new LoginContext( KernelConstants.LOGIN_CONTEXT_KERNEL, kernelSubject); kernelLc.logout(); } catch (LoginException e) { - throw new CmsException("Cannot log in kernel", e); + throw new CmsException("Cannot log out kernel", e); } - Security.removeProvider(KernelHeader.SECURITY_PROVIDER); - } - - public NodeUserAdmin getUserAdmin() { - return userAdmin; + Security.removeProvider(SECURITY_PROVIDER); } public Subject getKernelSubject() { return kernelSubject; } - @Override - public Authentication authenticate(Authentication authentication) - throws AuthenticationException { - log.error("Authentication manager is deprecated and should not be used."); - throw new ProviderNotFoundException( - "Authentication manager is deprecated and should not be used."); + public synchronized int getSecurityLevel() { + return securityLevel; + } + + public boolean isFirstInit() { + return firstInit; + } + + public void setSecurityLevel(int newValue) { + if (newValue != STAGING || newValue != DEV) + throw new CmsException("Invalid value for security level " + + newValue); + if (newValue >= securityLevel) + throw new CmsException( + "Impossible to increase security level (from " + + securityLevel + " to " + newValue + ")"); + securityLevel = newValue; } private void createKeyStoreIfNeeded() { char[] ksPwd = "changeit".toCharArray(); char[] keyPwd = Arrays.copyOf(ksPwd, ksPwd.length); - File keyStoreFile = new File(KernelUtils.getOsgiInstanceDir(), - "node.p12"); if (!keyStoreFile.exists()) { try { keyStoreFile.getParentFile().mkdirs(); KeyStore keyStore = PkiUtils.getKeyStore(keyStoreFile, ksPwd); PkiUtils.generateSelfSignedCertificate(keyStore, - new X500Principal(KernelHeader.ROLE_KERNEL), keyPwd); + new X500Principal(AuthConstants.ROLE_KERNEL), keyPwd); PkiUtils.saveKeyStore(keyStoreFile, ksPwd, keyStore); } catch (Exception e) { throw new CmsException("Cannot create key store " @@ -162,4 +140,24 @@ class NodeSecurity implements AuthenticationManager { } } } + + File getHttpServerKeyStore() { + return keyStoreFile; + } + + private final static String SECURITY_PROVIDER = "BC";// Bouncy Castle + private final static Log log; + static { + log = LogFactory.getLog(NodeSecurity.class); + // Make Bouncy Castle the default provider + Provider provider = new BouncyCastleProvider(); + int position = Security.insertProviderAt(provider, 1); + if (position == -1) + log.error("Provider " + provider.getName() + + " already installed and could not be set as default"); + Provider defaultProvider = Security.getProviders()[0]; + if (!defaultProvider.getName().equals(SECURITY_PROVIDER)) + log.error("Provider name is " + defaultProvider.getName() + + " but it should be " + SECURITY_PROVIDER); + } }