X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fkernel%2FNodeUserAdmin.java;h=1a9817450ed427deee762ed39f0866d1d6a3942c;hb=73a89e099608a51d9aef814a3f85a62947275f59;hp=c04d820da418d1fd0cf6c8fa4fae813f1e1b1548;hpb=df8ecf06ff62ff3f31a7cbe7c992e183312563fd;p=lgpl%2Fargeo-commons.git diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java index c04d820da..1a9817450 100644 --- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java +++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java 
@@ -1,591 +1,330 @@ package org.argeo.cms.internal.kernel; +import java.io.IOException; +import java.net.Inet6Address; +import java.net.InetAddress; import java.net.URI; import java.net.URISyntaxException; +import java.nio.file.Files; +import java.nio.file.Path; +import java.security.PrivilegedExceptionAction; import java.util.ArrayList; -import java.util.Arrays; import java.util.Dictionary; import java.util.HashMap; -import java.util.HashSet; import java.util.Hashtable; -import java.util.List; +import java.util.Iterator; import java.util.Map; import java.util.Set; -import javax.naming.InvalidNameException; import javax.naming.ldap.LdapName; +import javax.security.auth.Subject; +import javax.security.auth.callback.Callback; +import javax.security.auth.callback.CallbackHandler; +import javax.security.auth.callback.NameCallback; +import javax.security.auth.callback.UnsupportedCallbackException; +import javax.security.auth.kerberos.KerberosPrincipal; +import javax.security.auth.login.LoginContext; +import javax.security.auth.login.LoginException; import javax.transaction.TransactionManager; +import org.apache.commons.httpclient.auth.AuthPolicy; +import org.apache.commons.httpclient.auth.CredentialsProvider; +import org.apache.commons.httpclient.params.DefaultHttpParams; +import org.apache.commons.httpclient.params.HttpMethodParams; +import org.apache.commons.httpclient.params.HttpParams; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; -import org.argeo.cms.CmsException; -import org.argeo.cms.auth.AuthConstants; -import org.argeo.node.NodeConstants; +import org.argeo.api.NodeConstants; +import org.argeo.cms.internal.http.client.HttpCredentialProvider; +import org.argeo.cms.internal.http.client.SpnegoAuthScheme; +import org.argeo.naming.DnsBrowser; +import org.argeo.osgi.useradmin.AbstractUserDirectory; +import org.argeo.osgi.useradmin.AggregatingUserAdmin; import org.argeo.osgi.useradmin.LdapUserAdmin; import 
org.argeo.osgi.useradmin.LdifUserAdmin; +import org.argeo.osgi.useradmin.OsUserDirectory; import org.argeo.osgi.useradmin.UserAdminConf; import org.argeo.osgi.useradmin.UserDirectory; -import org.argeo.osgi.useradmin.UserDirectoryException; +import org.ietf.jgss.GSSCredential; +import org.ietf.jgss.GSSException; +import org.ietf.jgss.GSSManager; +import org.ietf.jgss.GSSName; +import org.ietf.jgss.Oid; import org.osgi.framework.BundleContext; import org.osgi.framework.Constants; -import org.osgi.framework.FrameworkUtil; -import org.osgi.framework.InvalidSyntaxException; -import org.osgi.framework.ServiceReference; -import org.osgi.framework.ServiceRegistration; import org.osgi.service.cm.ConfigurationException; import org.osgi.service.cm.ManagedServiceFactory; import org.osgi.service.useradmin.Authorization; -import org.osgi.service.useradmin.Role; -import org.osgi.service.useradmin.User; import org.osgi.service.useradmin.UserAdmin; import org.osgi.util.tracker.ServiceTracker; -import bitronix.tm.resource.ehcache.EhCacheXAResourceProducer; - /** - * Aggregates multiple {@link UserDirectory} and integrates them with this node - * system roles. + * Aggregates multiple {@link UserDirectory} and integrates them with system + * roles. 
*/ -class NodeUserAdmin implements UserAdmin, ManagedServiceFactory, KernelConstants { +class NodeUserAdmin extends AggregatingUserAdmin implements ManagedServiceFactory, KernelConstants { private final static Log log = LogFactory.getLog(NodeUserAdmin.class); - final static LdapName ROLES_BASE; - static { - try { - ROLES_BASE = new LdapName(AuthConstants.ROLES_BASEDN); - } catch (InvalidNameException e) { - throw new UserDirectoryException("Cannot initialize " + NodeUserAdmin.class, e); - } - } - - private final BundleContext bc = FrameworkUtil.getBundle(getClass()).getBundleContext(); +// private final BundleContext bc = FrameworkUtil.getBundle(getClass()).getBundleContext(); - // DAOs - private UserAdmin nodeRoles = null; - private Map userAdmins = new HashMap(); + // OSGi private Map pidToBaseDn = new HashMap<>(); +// private Map> pidToServiceRegs = new HashMap<>(); +// private ServiceRegistration userAdminReg; - private ServiceRegistration userAdminReg; - + // JTA private final ServiceTracker tmTracker; - - // JCR - // private String homeBasePath = "/home"; - // private String peopleBasePath = ArgeoJcrConstants.PEOPLE_BASE_PATH; - // private Repository repository; - // private Session adminSession; - - private final String cacheName = UserDirectory.class.getName(); - - public NodeUserAdmin() { - // DAOs - // File nodeBaseDir = new File(getOsgiInstanceDir(), DIR_NODE); - // nodeBaseDir.mkdirs(); - // String userAdminUri = getFrameworkProp(NodeConstants.USERADMIN_URIS); - // initUserAdmins(userAdminUri, nodeBaseDir); - // String nodeRolesUri = getFrameworkProp(NodeConstants.ROLES_URI); - // initNodeRoles(nodeRolesUri, nodeBaseDir); - - // new ServiceTracker<>(bc, TransactionManager.class, new - // TransactionManagerStc()).open(); - tmTracker = new TransactionManagerStc(); - tmTracker.open(); + // private final String cacheName = UserDirectory.class.getName(); + + // GSS API + private Path nodeKeyTab = 
KernelUtils.getOsgiInstancePath(KernelConstants.NODE_KEY_TAB_PATH); + private GSSCredential acceptorCredentials; + + private boolean singleUser = false; +// private boolean systemRolesAvailable = false; + + public NodeUserAdmin(String systemRolesBaseDn, String tokensBaseDn) { + super(systemRolesBaseDn, tokensBaseDn); + BundleContext bc = Activator.getBundleContext(); + if (bc != null) { + tmTracker = new ServiceTracker<>(bc, TransactionManager.class, null); + tmTracker.open(); + } else { + tmTracker = null; + } } @Override public void updated(String pid, Dictionary properties) throws ConfigurationException { String uri = (String) properties.get(UserAdminConf.uri.name()); + Object realm = properties.get(UserAdminConf.realm.name()); URI u; try { - u = new URI(uri); + if (uri == null) { + String baseDn = (String) properties.get(UserAdminConf.baseDn.name()); + u = KernelUtils.getOsgiInstanceUri(KernelConstants.DIR_NODE + '/' + baseDn + ".ldif"); + } else if (realm != null) { + u = null; + } else { + u = new URI(uri); + } } catch (URISyntaxException e) { - throw new CmsException("Badly formatted URI " + uri, e); + throw new IllegalArgumentException("Badly formatted URI " + uri, e); } - UserDirectory userDirectory = u.getScheme().equals("ldap") ? 
new LdapUserAdmin(properties) - : new LdifUserAdmin(properties); - LdapName baseDn; - try { - baseDn = new LdapName(userDirectory.getBaseDn()); - } catch (InvalidNameException e) { - throw new CmsException("Badly formatted base DN " + userDirectory.getBaseDn(), e); - } - if (isRolesDnBase(baseDn)) { - nodeRoles = (UserAdmin) userDirectory; - userDirectory.setExternalRoles(this); + + // Create + AbstractUserDirectory userDirectory; + if (realm != null || UserAdminConf.SCHEME_LDAP.equals(u.getScheme()) + || UserAdminConf.SCHEME_LDAPS.equals(u.getScheme())) { + userDirectory = new LdapUserAdmin(properties); + } else if (UserAdminConf.SCHEME_FILE.equals(u.getScheme())) { + userDirectory = new LdifUserAdmin(u, properties); + } else if (UserAdminConf.SCHEME_OS.equals(u.getScheme())) { + userDirectory = new OsUserDirectory(u, properties); + singleUser = true; + } else { + throw new IllegalArgumentException("Unsupported scheme " + u.getScheme()); } - userDirectory.init(); - addUserAdmin(baseDn.toString(), (UserAdmin) userDirectory); + addUserDirectory(userDirectory); - // publish user directory + // OSGi + LdapName baseDn = userDirectory.getBaseDn(); Dictionary regProps = new Hashtable<>(); regProps.put(Constants.SERVICE_PID, pid); + if (isSystemRolesBaseDn(baseDn)) + regProps.put(Constants.SERVICE_RANKING, Integer.MAX_VALUE); regProps.put(UserAdminConf.baseDn.name(), baseDn); - bc.registerService(UserDirectory.class, userDirectory, regProps); + // ServiceRegistration reg = + // bc.registerService(UserDirectory.class, userDirectory, regProps); + Activator.registerService(UserDirectory.class, userDirectory, regProps); pidToBaseDn.put(pid, baseDn); + // pidToServiceRegs.put(pid, reg); if (log.isDebugEnabled()) { - log.debug("User directory " + userDirectory.getBaseDn() + " [" + u.getScheme() + "] enabled."); + log.debug("User directory " + userDirectory.getBaseDn() + (u != null ? " [" + u.getScheme() + "]" : "") + + " enabled." + (realm != null ? " " + realm + " realm." 
: "")); } - if (!isRolesDnBase(baseDn)) { - if (userAdminReg != null) - userAdminReg.unregister(); - // register self as main user admin - userAdminReg = bc.registerService(UserAdmin.class, this, currentState()); + if (isSystemRolesBaseDn(baseDn)) { + // publishes only when system roles are available + Dictionary userAdminregProps = new Hashtable<>(); + userAdminregProps.put(NodeConstants.CN, NodeConstants.DEFAULT); + userAdminregProps.put(Constants.SERVICE_RANKING, Integer.MAX_VALUE); + Activator.registerService(UserAdmin.class, this, userAdminregProps); } - } - private boolean isRolesDnBase(LdapName baseDn) { - return baseDn.equals(ROLES_BASE); +// if (isSystemRolesBaseDn(baseDn)) +// systemRolesAvailable = true; +// +// // start publishing only when system roles are available +// if (systemRolesAvailable) { +// // The list of baseDns is published as properties +// // TODO clients should rather reference USerDirectory services +// if (userAdminReg != null) +// userAdminReg.unregister(); +// // register self as main user admin +// Dictionary userAdminregProps = currentState(); +// userAdminregProps.put(NodeConstants.CN, NodeConstants.DEFAULT); +// userAdminregProps.put(Constants.SERVICE_RANKING, Integer.MAX_VALUE); +// userAdminReg = bc.registerService(UserAdmin.class, this, userAdminregProps); +// } } @Override public void deleted(String pid) { + // assert pidToServiceRegs.get(pid) != null; + assert pidToBaseDn.get(pid) != null; + // pidToServiceRegs.remove(pid).unregister(); LdapName baseDn = pidToBaseDn.remove(pid); - UserAdmin userAdmin = userAdmins.remove(baseDn); - ((UserDirectory) userAdmin).destroy(); + removeUserDirectory(baseDn); } @Override public String getName() { - return "Node user admin"; + return "Node User Admin"; } - private class TransactionManagerStc extends ServiceTracker { - - public TransactionManagerStc() { - super(bc, TransactionManager.class, null); + @Override + protected void addAbstractSystemRoles(Authorization rawAuthorization, Set 
sysRoles) { + if (rawAuthorization.getName() == null) { + sysRoles.add(NodeConstants.ROLE_ANONYMOUS); + } else { + sysRoles.add(NodeConstants.ROLE_USER); } + } - @Override - public TransactionManager addingService(ServiceReference reference) { - TransactionManager transactionManager = bc.getService(reference); - if (nodeRoles != null) - ((UserDirectory) nodeRoles).setTransactionManager(transactionManager); - for (UserAdmin userAdmin : userAdmins.values()) { - if (userAdmin instanceof UserDirectory) - ((UserDirectory) userAdmin).setTransactionManager(transactionManager); + protected void postAdd(AbstractUserDirectory userDirectory) { + // JTA + TransactionManager tm = tmTracker != null ? tmTracker.getService() : null; + if (tm == null) + throw new IllegalStateException("A JTA transaction manager must be available."); + userDirectory.setTransactionManager(tm); +// if (tmTracker.getService() instanceof BitronixTransactionManager) +// EhCacheXAResourceProducer.registerXAResource(cacheName, userDirectory.getXaResource()); + + Object realm = userDirectory.getProperties().get(UserAdminConf.realm.name()); + if (realm != null) { + if (Files.exists(nodeKeyTab)) { + String servicePrincipal = getKerberosServicePrincipal(realm.toString()); + if (servicePrincipal != null) { + CallbackHandler callbackHandler = new CallbackHandler() { + @Override + public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { + for (Callback callback : callbacks) + if (callback instanceof NameCallback) + ((NameCallback) callback).setName(servicePrincipal); + + } + }; + try { + LoginContext nodeLc = new LoginContext(NodeConstants.LOGIN_CONTEXT_NODE, callbackHandler); + nodeLc.login(); + acceptorCredentials = logInAsAcceptor(nodeLc.getSubject(), servicePrincipal); + } catch (LoginException e) { + throw new IllegalStateException("Cannot log in kernel", e); + } + } } - if (log.isDebugEnabled()) - log.debug("Set transaction manager"); - return transactionManager; - } - 
@Override - public void removedService(ServiceReference reference, TransactionManager service) { - ((UserDirectory) nodeRoles).setTransactionManager(null); - for (UserAdmin userAdmin : userAdmins.values()) { - if (userAdmin instanceof UserDirectory) - ((UserDirectory) userAdmin).setTransactionManager(null); - } + // Register client-side SPNEGO auth scheme + AuthPolicy.registerAuthScheme(SpnegoAuthScheme.NAME, SpnegoAuthScheme.class); + HttpParams params = DefaultHttpParams.getDefaultParams(); + ArrayList schemes = new ArrayList<>(); + schemes.add(SpnegoAuthScheme.NAME);// SPNEGO preferred + // schemes.add(AuthPolicy.BASIC);// incompatible with Basic + params.setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, schemes); + params.setParameter(CredentialsProvider.PROVIDER, new HttpCredentialProvider()); + params.setParameter(HttpMethodParams.COOKIE_POLICY, KernelConstants.COOKIE_POLICY_BROWSER_COMPATIBILITY); + // params.setCookiePolicy(CookiePolicy.BROWSER_COMPATIBILITY); } - } - // @Deprecated - // public NodeUserAdmin(TransactionManager transactionManager, Repository - // repository) { - // // this.repository = repository; - // // try { - // // this.adminSession = this.repository.login(); - // // } catch (RepositoryException e) { - // // throw new CmsException("Cannot log-in", e); - // // } - // - // // DAOs - // File nodeBaseDir = new File(getOsgiInstanceDir(), DIR_NODE); - // nodeBaseDir.mkdirs(); - // String userAdminUri = getFrameworkProp(NodeConstants.USERADMIN_URIS); - // initUserAdmins(userAdminUri, nodeBaseDir); - // String nodeRolesUri = getFrameworkProp(NodeConstants.ROLES_URI); - // initNodeRoles(nodeRolesUri, nodeBaseDir); - // - // // Transaction manager - // ((UserDirectory) nodeRoles).setTransactionManager(transactionManager); - // for (UserAdmin userAdmin : userAdmins.values()) { - // if (userAdmin instanceof UserDirectory) - // ((UserDirectory) userAdmin).setTransactionManager(transactionManager); - // } - // - // // JCR - // // initJcr(adminSession); - 
// } - - Dictionary currentState() { - Dictionary res = new Hashtable(); - res.put(NodeConstants.CN, NodeConstants.DEFAULT); - for (LdapName name : userAdmins.keySet()) { - StringBuilder buf = new StringBuilder(); - if (userAdmins.get(name) instanceof UserDirectory) { - UserDirectory userDirectory = (UserDirectory) userAdmins.get(name); - String uri = UserAdminConf.propertiesAsUri(userDirectory.getProperties()).toString(); - res.put(uri, ""); - } else { - buf.append('/').append(name.toString()).append("?readOnly=true"); - } - } - return res; - } + protected void preDestroy(AbstractUserDirectory userDirectory) { +// if (tmTracker.getService() instanceof BitronixTransactionManager) +// EhCacheXAResourceProducer.unregisterXAResource(cacheName, userDirectory.getXaResource()); - public void destroy() { - for (LdapName name : userAdmins.keySet()) { - if (userAdmins.get(name) instanceof UserDirectory) { - UserDirectory userDirectory = (UserDirectory) userAdmins.get(name); + Object realm = userDirectory.getProperties().get(UserAdminConf.realm.name()); + if (realm != null) { + if (acceptorCredentials != null) { try { - // FIXME Make it less bitronix dependant - EhCacheXAResourceProducer.unregisterXAResource(cacheName, userDirectory.getXaResource()); - } catch (Exception e) { - log.error("Cannot unregister resource from Bitronix", e); + acceptorCredentials.dispose(); + } catch (GSSException e) { + // silent } - userDirectory.destroy(); - + acceptorCredentials = null; } } } - @Override - public Role createRole(String name, int type) { - return findUserAdmin(name).createRole(name, type); - } - - @Override - public boolean removeRole(String name) { - boolean actuallyDeleted = findUserAdmin(name).removeRole(name); - nodeRoles.removeRole(name); - return actuallyDeleted; - } - - @Override - public Role getRole(String name) { - return findUserAdmin(name).getRole(name); - } - - @Override - public Role[] getRoles(String filter) throws InvalidSyntaxException { - List res = new 
ArrayList(); - for (UserAdmin userAdmin : userAdmins.values()) { - res.addAll(Arrays.asList(userAdmin.getRoles(filter))); + private String getKerberosServicePrincipal(String realm) { + String hostname; + try (DnsBrowser dnsBrowser = new DnsBrowser()) { + InetAddress localhost = InetAddress.getLocalHost(); + hostname = localhost.getHostName(); + String dnsZone = hostname.substring(hostname.indexOf('.') + 1); + String ipfromDns = dnsBrowser.getRecord(hostname, localhost instanceof Inet6Address ? "AAAA" : "A"); + boolean consistentIp = localhost.getHostAddress().equals(ipfromDns); + String kerberosDomain = dnsBrowser.getRecord("_kerberos." + dnsZone, "TXT"); + if (consistentIp && kerberosDomain != null && kerberosDomain.equals(realm) && Files.exists(nodeKeyTab)) { + return KernelConstants.DEFAULT_KERBEROS_SERVICE + "/" + hostname + "@" + kerberosDomain; + } else + return null; + } catch (Exception e) { + log.warn("Exception when determining kerberos principal", e); + return null; } - res.addAll(Arrays.asList(nodeRoles.getRoles(filter))); - return res.toArray(new Role[res.size()]); } - @Override - public User getUser(String key, String value) { - List res = new ArrayList(); - for (UserAdmin userAdmin : userAdmins.values()) { - User u = userAdmin.getUser(key, value); - if (u != null) - res.add(u); + private GSSCredential logInAsAcceptor(Subject subject, String servicePrincipal) { + // GSS + Iterator krb5It = subject.getPrincipals(KerberosPrincipal.class).iterator(); + if (!krb5It.hasNext()) + return null; + KerberosPrincipal krb5Principal = null; + while (krb5It.hasNext()) { + KerberosPrincipal principal = krb5It.next(); + if (principal.getName().equals(servicePrincipal)) + krb5Principal = principal; } - // Note: node roles cannot contain users, so it is not searched - return res.size() == 1 ? 
res.get(0) : null; - } - @Override - public Authorization getAuthorization(User user) { - if (user == null) {// anonymous - return nodeRoles.getAuthorization(null); - } - UserAdmin userAdmin = findUserAdmin(user.getName()); - Authorization rawAuthorization = userAdmin.getAuthorization(user); - // gather system roles - Set systemRoles = new HashSet(); - for (String role : rawAuthorization.getRoles()) { - Authorization auth = nodeRoles.getAuthorization((User) userAdmin.getRole(role)); - systemRoles.addAll(Arrays.asList(auth.getRoles())); - } - Authorization authorization = new NodeAuthorization(rawAuthorization.getName(), rawAuthorization.toString(), - systemRoles, rawAuthorization.getRoles()); - // syncJcr(adminSession, authorization); - return authorization; - } + if (krb5Principal == null) + return null; - // - // USER ADMIN AGGREGATOR - // - public void addUserAdmin(String baseDn, UserAdmin userAdmin) { + GSSManager manager = GSSManager.getInstance(); try { - LdapName key = new LdapName(baseDn); - if (userAdmins.containsKey(key)) - throw new UserDirectoryException("There is already a user admin for " + baseDn); - userAdmins.put(key, userAdmin); - } catch (InvalidNameException e) { - throw new UserDirectoryException("Badly formatted base DN " + baseDn, e); - } - if (userAdmin instanceof UserDirectory) { - UserDirectory userDirectory = (UserDirectory) userAdmin; - try { - userDirectory.setTransactionManager(tmTracker.getService()); - // FIXME Make it less bitronix dependant - EhCacheXAResourceProducer.registerXAResource(cacheName, ((UserDirectory) userAdmin).getXaResource()); - } catch (Exception e) { - log.error("Cannot register resource to Bitronix", e); - } + GSSName gssName = manager.createName(krb5Principal.getName(), null); + GSSCredential serverCredentials = Subject.doAs(subject, new PrivilegedExceptionAction() { + + @Override + public GSSCredential run() throws GSSException { + return manager.createCredential(gssName, GSSCredential.INDEFINITE_LIFETIME, 
KERBEROS_OID, + GSSCredential.ACCEPT_ONLY); + + } + + }); + if (log.isDebugEnabled()) + log.debug("GSS acceptor configured for " + krb5Principal); + return serverCredentials; + } catch (Exception gsse) { + throw new IllegalStateException("Cannot create acceptor credentials for " + krb5Principal, gsse); } } - private UserAdmin findUserAdmin(String name) { - try { - return findUserAdmin(new LdapName(name)); - } catch (InvalidNameException e) { - throw new UserDirectoryException("Badly formatted name " + name, e); - } + public GSSCredential getAcceptorCredentials() { + return acceptorCredentials; } - private UserAdmin findUserAdmin(LdapName name) { - if (name.startsWith(ROLES_BASE)) - return nodeRoles; - List res = new ArrayList(1); - for (LdapName baseDn : userAdmins.keySet()) { - if (name.startsWith(baseDn)) - res.add(userAdmins.get(baseDn)); - } - if (res.size() == 0) - throw new UserDirectoryException("Cannot find user admin for " + name); - if (res.size() > 1) - throw new UserDirectoryException("Multiple user admin found for " + name); - return res.get(0); + public boolean isSingleUser() { + return singleUser; } - public void setTransactionManager(TransactionManager transactionManager) { - if (nodeRoles instanceof UserDirectory) - ((UserDirectory) nodeRoles).setTransactionManager(transactionManager); - for (UserAdmin userAdmin : userAdmins.values()) { - if (userAdmin instanceof UserDirectory) - ((UserDirectory) userAdmin).setTransactionManager(transactionManager); + public final static Oid KERBEROS_OID; + static { + try { + KERBEROS_OID = new Oid("1.3.6.1.5.5.2"); + } catch (GSSException e) { + throw new IllegalStateException("Cannot create Kerberos OID", e); } } - // private void initUserAdmins(String userAdminUri, File nodeBaseDir) { - // // if (userAdminUri == null) { - // // String demoBaseDn = "dc=example,dc=com"; - // // File businessRolesFile = new File(nodeBaseDir, demoBaseDn + ".ldif"); - // // if (!businessRolesFile.exists()) - // // try { - // // - // 
FileUtils.copyInputStreamToFile(getClass().getResourceAsStream(demoBaseDn - // // + ".ldif"), - // // businessRolesFile); - // // } catch (IOException e) { - // // throw new CmsException("Cannot copy demo resource", e); - // // } - // // userAdminUri = businessRolesFile.toURI().toString(); - // // } - // String[] uris = userAdminUri.split(" "); - // for (String uri : uris) { - // URI u; - // try { - // u = new URI(uri); - // if (u.getPath() == null) - // throw new CmsException("URI " + uri + " must have a path in order to - // determine base DN"); - // if (u.getScheme() == null) { - // if (uri.startsWith("/") || uri.startsWith("./") || uri.startsWith("../")) - // u = new File(uri).getCanonicalFile().toURI(); - // else if (!uri.contains("/")) { - // u = new URI(nodeBaseDir.toURI() + uri); - // // u = new File(nodeBaseDir, uri).getCanonicalFile() - // // .toURI(); - // } else - // throw new CmsException("Cannot interpret " + uri + " as an uri"); - // } else if (u.getScheme().equals("file")) { - // u = new File(u).getCanonicalFile().toURI(); - // } - // } catch (Exception e) { - // throw new CmsException("Cannot interpret " + uri + " as an uri", e); - // } - // Dictionary properties = - // UserAdminConf.uriAsProperties(u.toString()); - // UserDirectory businessRoles; - // if (u.getScheme().startsWith("ldap")) { - // businessRoles = new LdapUserAdmin(properties); - // } else { - // businessRoles = new LdifUserAdmin(properties); - // } - // businessRoles.init(); - // String baseDn = businessRoles.getBaseDn(); - // if (userAdmins.containsKey(baseDn)) - // throw new UserDirectoryException("There is already a user admin for " + - // baseDn); - // try { - // userAdmins.put(new LdapName(baseDn), (UserAdmin) businessRoles); - // } catch (InvalidNameException e) { - // throw new UserDirectoryException("Badly formatted base DN " + baseDn, e); - // } - // addUserAdmin(businessRoles.getBaseDn(), (UserAdmin) businessRoles); - // if (log.isDebugEnabled()) - // log.debug("User 
directory " + businessRoles.getBaseDn() + " [" + - // u.getScheme() + "] enabled."); - // } - // - // } - // - // private void initNodeRoles(String nodeRolesUri, File nodeBaseDir) { - // String baseNodeRoleDn = AuthConstants.ROLES_BASEDN; - // if (nodeRolesUri == null) { - // File nodeRolesFile = new File(nodeBaseDir, baseNodeRoleDn + ".ldif"); - // if (!nodeRolesFile.exists()) - // try { - // FileUtils.copyInputStreamToFile(getClass().getResourceAsStream(baseNodeRoleDn - // + ".ldif"), - // nodeRolesFile); - // } catch (IOException e) { - // throw new CmsException("Cannot copy demo resource", e); - // } - // nodeRolesUri = nodeRolesFile.toURI().toString(); - // } - // - // Dictionary nodeRolesProperties = - // UserAdminConf.uriAsProperties(nodeRolesUri); - // if - // (!nodeRolesProperties.get(UserAdminConf.baseDn.name()).equals(baseNodeRoleDn)) - // { - // throw new CmsException("Invalid base dn for node roles"); - // // TODO deal with "mounted" roles with a different baseDN - // } - // if (nodeRolesUri.startsWith("ldap")) { - // nodeRoles = new LdapUserAdmin(nodeRolesProperties); - // } else { - // nodeRoles = new LdifUserAdmin(nodeRolesProperties); - // } - // ((UserDirectory) nodeRoles).setExternalRoles(this); - // ((UserDirectory) nodeRoles).init(); - // addUserAdmin(baseNodeRoleDn, (UserAdmin) nodeRoles); - // if (log.isTraceEnabled()) - // log.trace("Node roles enabled."); - // - // } - - /* - * JCR - */ - // private void initJcr(Session adminSession) { - // try { - // JcrUtils.mkdirs(adminSession, homeBasePath); - // JcrUtils.mkdirs(adminSession, peopleBasePath); - // adminSession.save(); - // - // JcrUtils.addPrivilege(adminSession, homeBasePath, - // AuthConstants.ROLE_USER_ADMIN, Privilege.JCR_READ); - // JcrUtils.addPrivilege(adminSession, peopleBasePath, - // AuthConstants.ROLE_USER_ADMIN, Privilege.JCR_ALL); - // adminSession.save(); - // } catch (RepositoryException e) { - // throw new CmsException("Cannot initialize node user admin", e); - // } - // 
} - // - // private Node syncJcr(Session session, Authorization authorization) { - // // TODO check user name validity (e.g. should not start by ROLE_) - // String username = authorization.getName(); - // // String[] roles = authorization.getRoles(); - // try { - // Node userHome = UserJcrUtils.getUserHome(session, username); - // if (userHome == null) { - // String homePath = generateUserPath(homeBasePath, username); - // if (session.itemExists(homePath))// duplicate user id - // userHome = - // session.getNode(homePath).getParent().addNode(JcrUtils.lastPathElement(homePath)); - // else - // userHome = JcrUtils.mkdirs(session, homePath); - // // userHome = JcrUtils.mkfolders(session, homePath); - // userHome.addMixin(ArgeoTypes.ARGEO_USER_HOME); - // userHome.setProperty(ArgeoNames.ARGEO_USER_ID, username); - // session.save(); - // - // JcrUtils.clearAccessControList(session, homePath, username); - // JcrUtils.addPrivilege(session, homePath, username, Privilege.JCR_ALL); - // } - // - // Node userProfile = UserJcrUtils.getUserProfile(session, username); - // // new user - // if (userProfile == null) { - // String personPath = generateUserPath(peopleBasePath, username); - // Node personBase; - // if (session.itemExists(personPath))// duplicate user id - // personBase = - // session.getNode(personPath).getParent().addNode(JcrUtils.lastPathElement(personPath)); - // else - // personBase = JcrUtils.mkdirs(session, personPath); - // userProfile = personBase.addNode(ArgeoNames.ARGEO_PROFILE); - // userProfile.addMixin(ArgeoTypes.ARGEO_USER_PROFILE); - // userProfile.setProperty(ArgeoNames.ARGEO_USER_ID, username); - // userProfile.setProperty(ArgeoNames.ARGEO_ENABLED, true); - // userProfile.setProperty(ArgeoNames.ARGEO_ACCOUNT_NON_EXPIRED, true); - // userProfile.setProperty(ArgeoNames.ARGEO_ACCOUNT_NON_LOCKED, true); - // userProfile.setProperty(ArgeoNames.ARGEO_CREDENTIALS_NON_EXPIRED, true); - // session.save(); - // - // JcrUtils.clearAccessControList(session, 
userProfile.getPath(), username); - // JcrUtils.addPrivilege(session, userProfile.getPath(), username, - // Privilege.JCR_READ); - // } - // - // // Remote roles - // // if (roles != null) { - // // writeRemoteRoles(userProfile, roles); - // // } - // if (adminSession.hasPendingChanges()) - // adminSession.save(); - // return userProfile; - // } catch (RepositoryException e) { - // JcrUtils.discardQuietly(session); - // throw new ArgeoException("Cannot sync node security model for " + - // username, e); - // } - // } - // - // /** Generate path for a new user home */ - // private String generateUserPath(String base, String username) { - // LdapName dn; - // try { - // dn = new LdapName(username); - // } catch (InvalidNameException e) { - // throw new ArgeoException("Invalid name " + username, e); - // } - // String userId = dn.getRdn(dn.size() - 1).getValue().toString(); - // int atIndex = userId.indexOf('@'); - // if (atIndex > 0) { - // String domain = userId.substring(0, atIndex); - // String name = userId.substring(atIndex + 1); - // return base + '/' + JcrUtils.firstCharsToPath(domain, 2) + '/' + domain + - // '/' - // + JcrUtils.firstCharsToPath(name, 2) + '/' + name; - // } else if (atIndex == 0 || atIndex == (userId.length() - 1)) { - // throw new ArgeoException("Unsupported username " + userId); - // } else { - // return base + '/' + JcrUtils.firstCharsToPath(userId, 2) + '/' + userId; - // } - // } - - // /** Write remote roles used by remote access in the home directory */ - // private void writeRemoteRoles(Node userHome, String[] roles) - // throws RepositoryException { - // boolean writeRoles = false; - // if (userHome.hasProperty(ArgeoNames.ARGEO_REMOTE_ROLES)) { - // Value[] remoteRoles = userHome.getProperty( - // ArgeoNames.ARGEO_REMOTE_ROLES).getValues(); - // if (remoteRoles.length != roles.length) - // writeRoles = true; - // else - // for (int i = 0; i < remoteRoles.length; i++) - // if (!remoteRoles[i].getString().equals(roles[i])) - // 
writeRoles = true; - // } else - // writeRoles = true; - // - // if (writeRoles) { - // userHome.getSession().getWorkspace().getVersionManager() - // .checkout(userHome.getPath()); - // userHome.setProperty(ArgeoNames.ARGEO_REMOTE_ROLES, roles); - // JcrUtils.updateLastModified(userHome); - // userHome.getSession().save(); - // userHome.getSession().getWorkspace().getVersionManager() - // .checkin(userHome.getPath()); - // if (log.isDebugEnabled()) - // log.debug("Wrote remote roles " + roles + " for " - // + userHome.getProperty(ArgeoNames.ARGEO_USER_ID)); - // } - // - // } }
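Review bot: In postAdd, the `realm != null` branch silently does nothing when `getKerberosServicePrincipal` returns null (A/AAAA record not matching the local address, `_kerberos` TXT not equal to the configured realm) or when `nodeKeyTab` is absent, so the node ends up with `acceptorCredentials == null` and no SPNEGO acceptor while the process-wide client settings (`AuthPolicy.registerAuthScheme`, `DefaultHttpParams` scheme priority and credential provider) are still installed; add an explicit `else log.warn("No Kerberos service principal for realm " + realm + ", SPNEGO acceptor not configured");` on both inner branches so the degraded state is visible in the logs rather than only discoverable from a null `getAcceptorCredentials()`. The single `acceptorCredentials` field is also overwritten without disposing a previous value when a second realm-backed directory is added, and `preDestroy` disposes and nulls it when any realm-backed directory is removed, so the credential lifecycle is only correct for exactly one realm — either key the credentials by the directory's base DN or reject a second realm in postAdd. The `LoginContext nodeLc` is never logged out, so the keytab-derived Subject outlives the acceptor credentials it was created for; keep a reference and call `logout()` in preDestroy. The hostname/realm sanity check in `getKerberosServicePrincipal` relies on DNS answers that, as far as this hunk shows, are not authenticated; since the realm itself comes from configuration this only gates whether the acceptor is enabled, which is acceptable but worth a comment. `KERBEROS_OID` holds `1.3.6.1.5.5.2`, which is the SPNEGO mechanism OID rather than the Kerberos V5 mechanism (`1.2.840.113554.1.2.2`); if SPNEGO acceptance is the intent, as the `SpnegoAuthScheme` registration suggests, rename it `SPNEGO_OID` and say so in a comment, otherwise the value is wrong.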