X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fruntime%2FCmsStateImpl.java;h=d335b48b191b111ce428ac2bab5dc19beff228e8;hb=bfb5eb067a6796c0ee2a575b1e2431220352513a;hp=7928857562e5a54ebc6c1388216afb82ca457ec3;hpb=dca2b13e0e3ca3e7a9469e089b980c48c880ad1a;p=lgpl%2Fargeo-commons.git
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/runtime/CmsStateImpl.java b/org.argeo.cms/src/org/argeo/cms/internal/runtime/CmsStateImpl.java
index 792885756..d335b48b1 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/runtime/CmsStateImpl.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/runtime/CmsStateImpl.java
@@ -4,12 +4,11 @@ import java.io.File;
 import java.io.FileFilter;
 import java.io.IOException;
 import java.io.Reader;
-import java.net.InetAddress;
 import java.net.URL;
-import java.net.UnknownHostException;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.nio.file.Paths;
 import java.security.KeyStore;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -43,7 +42,7 @@ public class CmsStateImpl implements CmsState {
 private UUID uuid;
 // private final boolean cleanState;
- private String hostname;
+// private String hostname;
 private UuidFactory uuidFactory;
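Review bot: The hostname field is commented out rather than deleted (`+// private String hostname;`), and the same is done to its initialisation in the constructor hunk further down; since this commit also removes getHostname(), nothing reads the field any more, so both the declaration and the commented try/catch block should go entirely and be recovered from history if ever needed. Leaving them next to the existing `// private final boolean cleanState;` line keeps accumulating dead text that hides what the class actually holds.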
@@ -51,9 +50,20 @@ public class CmsStateImpl implements CmsState {
 public CmsStateImpl() {
 Map deployPropertyDefaults = new HashMap<>();
- deployPropertyDefaults.put(CmsDeployProperty.SSL_KEYSTORETYPE, PkiUtils.PKCS12);
 deployPropertyDefaults.put(CmsDeployProperty.NODE_INIT, "../../init");
 deployPropertyDefaults.put(CmsDeployProperty.LOCALE, Locale.getDefault().toString());
+
+ // certificates
+ deployPropertyDefaults.put(CmsDeployProperty.SSL_KEYSTORETYPE, PkiUtils.PKCS12);
+ deployPropertyDefaults.put(CmsDeployProperty.SSL_PASSWORD, PkiUtils.DEFAULT_KEYSTORE_PASSWORD);
+ Path keyStorePath = getDataPath(PkiUtils.DEFAULT_KEYSTORE_PATH);
+ deployPropertyDefaults.put(CmsDeployProperty.SSL_KEYSTORE, keyStorePath.toAbsolutePath().toString());
+
+ Path trustStorePath = getDataPath(PkiUtils.DEFAULT_TRUSTSTORE_PATH);
+ deployPropertyDefaults.put(CmsDeployProperty.SSL_TRUSTSTORETYPE, PkiUtils.PKCS12);
+ deployPropertyDefaults.put(CmsDeployProperty.SSL_TRUSTSTOREPASSWORD, PkiUtils.DEFAULT_KEYSTORE_PASSWORD);
+ deployPropertyDefaults.put(CmsDeployProperty.SSL_TRUSTSTORE, trustStorePath.toAbsolutePath().toString());
+
 this.deployPropertyDefaults = Collections.unmodifiableMap(deployPropertyDefaults);
 }
@@ -71,11 +81,11 @@ public class CmsStateImpl implements CmsState {
 // this.uuid = UUID.fromString(stateUuidStr);
 this.uuid = uuidFactory.timeUUID();
 // this.cleanState = stateUuid.equals(frameworkUuid);
- try {
- this.hostname = InetAddress.getLocalHost().getHostName();
- } catch (UnknownHostException e) {
- log.error("Cannot set hostname: " + e);
- }
+// try {
+// this.hostname = InetAddress.getLocalHost().getHostName();
+// } catch (UnknownHostException e) {
+// log.error("Cannot set hostname: " + e);
+// }
 availableSince = System.currentTimeMillis();
 if (log.isDebugEnabled()) {
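Review bot: The private-key keystore and the truststore now both fall back to the same compiled-in value, PkiUtils.DEFAULT_KEYSTORE_PASSWORD, registered as ordinary deploy-property defaults on the SSL_PASSWORD and SSL_TRUSTSTOREPASSWORD lines, so a deployment that never sets SSL_PASSWORD protects its TLS private key with a well-known password and gets no signal that it is running on the fallback. Before this change the "changeit" fallback lived at the single point of use; now the default is indistinguishable from a configured value once it passes through getDeployProperty, which makes a "was this explicitly set" check harder to add later. Consider at least a warning in initCertificates when the resolved password equals the default, and a comment on the constructor: `// default TLS key/trust store settings; SSL_PASSWORD is expected to be overridden for real deployments`. Note also that getDataPath() is now called from the constructor; if it depends on state that is only set during start (not visible in this hunk), the default store paths would be computed too early — worth confirming.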
@@ -107,7 +117,7 @@ public class CmsStateImpl implements CmsState {
 }
 } catch (RuntimeException | IOException e) {
- log.error("## FATAL: CMS activator failed", e);
+ log.error("## FATAL: CMS state failed", e);
 }
 }
@@ -130,23 +140,21 @@ public class CmsStateImpl implements CmsState {
 private void initCertificates() {
 // server certificate
- Path keyStorePath = getDataPath(PkiUtils.DEFAULT_KEYSTORE_PATH);
+ Path keyStorePath = Paths.get(getDeployProperty(CmsDeployProperty.SSL_KEYSTORE));
 Path pemKeyPath = getDataPath(PkiUtils.DEFAULT_PEM_KEY_PATH);
 Path pemCertPath = getDataPath(PkiUtils.DEFAULT_PEM_CERT_PATH);
- String keyStorePasswordStr = doGetDeployProperty(CmsDeployProperty.SSL_PASSWORD.getProperty());
- char[] keyStorePassword;
- if (keyStorePasswordStr == null)
- keyStorePassword = "changeit".toCharArray();
- else
- keyStorePassword = keyStorePasswordStr.toCharArray();
+ char[] keyStorePassword = getDeployProperty(CmsDeployProperty.SSL_PASSWORD).toCharArray();
+ // Keystore
 // if PEM files both exists, update the PKCS12 file
 if (Files.exists(pemCertPath) && Files.exists(pemKeyPath)) {
 // TODO check certificate update time? monitor changes?
- KeyStore keyStore = PkiUtils.getKeyStore(keyStorePath, keyStorePassword, PkiUtils.PKCS12);
+ KeyStore keyStore = PkiUtils.getKeyStore(keyStorePath, keyStorePassword,
+ getDeployProperty(CmsDeployProperty.SSL_KEYSTORETYPE));
 try (Reader key = Files.newBufferedReader(pemKeyPath, StandardCharsets.US_ASCII);
 Reader cert = Files.newBufferedReader(pemCertPath, StandardCharsets.US_ASCII);) {
 PkiUtils.loadPem(keyStore, key, keyStorePassword, cert);
+ Files.createDirectories(keyStorePath.getParent());
 PkiUtils.saveKeyStore(keyStorePath, keyStorePassword, keyStore);
 if (log.isDebugEnabled())
 log.debug("PEM certificate stored in " + keyStorePath);
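Review bot: The keystore type is now read from SSL_KEYSTORETYPE for PkiUtils.getKeyStore, but the fallback `PkiUtils.createSelfSignedKeyStore(keyStorePath, keyStorePassword, PkiUtils.PKCS12);` later in the same method (context of the next hunk) still hard-codes PKCS12, so a deployment that configures another store type would create the store with one type and load it with another; pass `getDeployProperty(CmsDeployProperty.SSL_KEYSTORETYPE)` there as well. `Paths.get(getDeployProperty(CmsDeployProperty.SSL_KEYSTORE))` and `getDeployProperty(CmsDeployProperty.SSL_PASSWORD).toCharArray()` replace the old null fallback with an unguarded dereference; that holds only as long as the constructor defaults are always consulted, and since getDeployProperty is not shown here an `Objects.requireNonNull(..., "SSL_PASSWORD not set")` would make the failure mode explicit. `Files.createDirectories(keyStorePath.getParent())` throws when SSL_KEYSTORE is configured as a bare file name, because getParent() is then null; resolving the configured value against the data directory or guarding on a null parent avoids that. initCertificates continues beyond this hunk.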
@@ -155,6 +163,26 @@ public class CmsStateImpl implements CmsState {
 }
 }
+ // Truststore
+ Path trustStorePath = Paths.get(getDeployProperty(CmsDeployProperty.SSL_TRUSTSTORE));
+ char[] trustStorePassword = getDeployProperty(CmsDeployProperty.SSL_TRUSTSTOREPASSWORD).toCharArray();
+
+ // IPA CA
+ Path ipaCaCertPath = Paths.get(PkiUtils.IPA_PEM_CA_CERT_PATH);
+ if (Files.exists(ipaCaCertPath)) {
+ KeyStore trustStore = PkiUtils.getKeyStore(trustStorePath, trustStorePassword,
+ getDeployProperty(CmsDeployProperty.SSL_TRUSTSTORETYPE));
+ try (Reader cert = Files.newBufferedReader(ipaCaCertPath, StandardCharsets.US_ASCII);) {
+ PkiUtils.loadPem(trustStore, null, trustStorePassword, cert);
+ Files.createDirectories(keyStorePath.getParent());
+ PkiUtils.saveKeyStore(trustStorePath, trustStorePassword, trustStore);
+ if (log.isDebugEnabled())
+ log.debug("IPA CA certificate stored in " + trustStorePath);
+ } catch (IOException e) {
+ log.error("Cannot trust CA certificate", e);
+ }
+ }
+
 if (!Files.exists(keyStorePath))
 PkiUtils.createSelfSignedKeyStore(keyStorePath, keyStorePassword, PkiUtils.PKCS12);
 // props.put(JettyHttpConstants.SSL_KEYSTORETYPE, PkiUtils.PKCS12);
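Review bot: The truststore block creates the wrong directory: `Files.createDirectories(keyStorePath.getParent());` inside the IPA CA branch should be `Files.createDirectories(trustStorePath.getParent());`, otherwise a truststore configured outside the keystore's directory fails in saveKeyStore while the keystore directory is created for nothing (it looks like a copy of the keystore branch above). Only IOException is caught around the PEM import; if PkiUtils.loadPem or saveKeyStore report a malformed certificate some other way (not visible here), the exception leaves initCertificates and surfaces only as the generic "## FATAL: CMS state failed" in the activation path. The branch also re-imports the CA on every start whenever the file exists, which is reasonable but worth stating for the next reader: `// import the host's IPA CA certificate into the truststore whenever it is present`.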
@@ -244,25 +272,30 @@ public class CmsStateImpl implements CmsState {
 // try defaults
 if (deployPropertyDefaults.containsKey(deployProperty)) {
 value = deployPropertyDefaults.get(deployProperty);
+ if (deployProperty.isSystemPropertyOnly())
+ System.setProperty(deployProperty.getProperty(), value);
 }
- // try legacy properties
- String legacyProperty = switch (deployProperty) {
- case DIRECTORY -> "argeo.node.useradmin.uris";
- case DB_URL -> "argeo.node.dburl";
- case DB_USER -> "argeo.node.dbuser";
- case DB_PASSWORD -> "argeo.node.dbpassword";
- case HTTP_PORT -> "org.osgi.service.http.port";
- case HTTPS_PORT -> "org.osgi.service.http.port.secure";
- case HOST -> "org.eclipse.equinox.http.jetty.http.host";
- case LOCALE -> "argeo.i18n.defaultLocale";
-
- default -> null;
- };
- if (legacyProperty != null) {
- value = doGetDeployProperty(legacyProperty);
- if (value != null) {
- log.warn("Retrieved deploy property " + deployProperty.getProperty()
- + " through deprecated property " + legacyProperty);
+
+ if (value == null) {
+ // try legacy properties
+ String legacyProperty = switch (deployProperty) {
+ case DIRECTORY -> "argeo.node.useradmin.uris";
+ case DB_URL -> "argeo.node.dburl";
+ case DB_USER -> "argeo.node.dbuser";
+ case DB_PASSWORD -> "argeo.node.dbpassword";
+ case HTTP_PORT -> "org.osgi.service.http.port";
+ case HTTPS_PORT -> "org.osgi.service.http.port.secure";
+ case HOST -> "org.eclipse.equinox.http.jetty.http.host";
+ case LOCALE -> "argeo.i18n.defaultLocale";
+
+ default -> null;
+ };
+ if (legacyProperty != null) {
+ value = doGetDeployProperty(legacyProperty);
+ if (value != null) {
+ log.warn("Retrieved deploy property " + deployProperty.getProperty()
+ + " through deprecated property " + legacyProperty);
+ }
 }
 }
 }
@@ -302,10 +335,6 @@ public class CmsStateImpl implements CmsState {
 /*
 * ACCESSORS
 */
- public String getHostname() {
- return hostname;
- }
-
 @Override
 public UUID getUuid() {
 return uuid;
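Review bot: Moving the legacy lookup under `if (value == null)` inverts precedence for properties that have both a default and a legacy name: LOCALE receives a default in the constructor, so `argeo.i18n.defaultLocale` is now never consulted and its deprecation warning never fires, whereas before a legacy value overrode the default. If that is not intended, apply the defaults only after the legacy lookup has come back null, i.e. move the `// try defaults` block below the legacy block. The new `System.setProperty(deployProperty.getProperty(), value)` also turns a read into a JVM-wide write: if SSL_PASSWORD or SSL_TRUSTSTOREPASSWORD is flagged isSystemPropertyOnly() (not visible here), the default keystore password is published to System properties where any code or diagnostic dump in the process can read it, so this publication is better done once at initialisation than inside the getter, with a comment such as `// defaults of system-property-only settings are published to System properties so consumers outside CMS see them`.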
@@ -322,6 +351,8 @@ public class CmsStateImpl implements CmsState {
 public static void prepareFirstInitInstanceArea(List nodeInits) {
 for (String nodeInit : nodeInits) {
+ if(nodeInit==null)
+ continue;
 if (nodeInit.startsWith("http")) {
 // TODO reconnect it