X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fruntime%2FCmsStateImpl.java;h=d364620f56f09118a99cd36564146c1f61919a8f;hb=d471976de607d0db9dfce8f72dcaa6c45c2079d8;hp=126a7e68af8b308b23dfcd1e837bbd2095156166;hpb=0d10cb454d6c3c98e671dafc11600c884dce8d75;p=lgpl%2Fargeo-commons.git
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/runtime/CmsStateImpl.java b/org.argeo.cms/src/org/argeo/cms/internal/runtime/CmsStateImpl.java
index 126a7e68a..d364620f5 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/runtime/CmsStateImpl.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/runtime/CmsStateImpl.java
@@ -1,7 +1,6 @@
 package org.argeo.cms.internal.runtime;
-import java.io.File;
-import java.io.FileFilter;
+import java.io.BufferedInputStream;
 import java.io.IOException;
 import java.io.Reader;
 import java.net.InetAddress;
@@ -11,27 +10,35 @@ import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
+import java.nio.file.attribute.PosixFilePermission;
 import java.security.KeyStore;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
 import java.util.Objects;
+import java.util.Set;
 import java.util.StringJoiner;
 import java.util.UUID;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.ForkJoinPool;
+import java.util.concurrent.ForkJoinTask;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.TimeoutException;
 import javax.security.auth.login.Configuration;
-import org.apache.commons.io.FileUtils;
 import org.argeo.api.cms.CmsConstants;
 import org.argeo.api.cms.CmsLog;
 import org.argeo.api.cms.CmsState;
 import org.argeo.api.uuid.UuidFactory;
 import org.argeo.cms.CmsDeployProperty;
 import org.argeo.cms.auth.ident.IdentClient;
+import org.argeo.cms.util.FsUtils;
 /**
 * Implementation of a {@link CmsState}, initialising the required services.
@@ -51,36 +58,74 @@ public class CmsStateImpl implements CmsState {
 private final Map deployPropertyDefaults;
 public CmsStateImpl() {
+ this.deployPropertyDefaults = Collections.unmodifiableMap(createDeployPropertiesDefaults());
+ }
+
+ protected Map createDeployPropertiesDefaults() {
 Map deployPropertyDefaults = new HashMap<>();
 deployPropertyDefaults.put(CmsDeployProperty.NODE_INIT, "../../init");
 deployPropertyDefaults.put(CmsDeployProperty.LOCALE, Locale.getDefault().toString());
- deployPropertyDefaults.put(CmsDeployProperty.SSL_KEYSTORETYPE, PkiUtils.PKCS12);
- deployPropertyDefaults.put(CmsDeployProperty.SSL_PASSWORD, "changeit");
- Path keyStorePath = getDataPath(PkiUtils.DEFAULT_KEYSTORE_PATH);
- deployPropertyDefaults.put(CmsDeployProperty.SSL_KEYSTORE, keyStorePath.toAbsolutePath().toString());
+ // certificates
+ deployPropertyDefaults.put(CmsDeployProperty.SSL_KEYSTORETYPE, KernelConstants.PKCS12);
+ deployPropertyDefaults.put(CmsDeployProperty.SSL_PASSWORD, KernelConstants.DEFAULT_KEYSTORE_PASSWORD);
+ Path keyStorePath = getDataPath(KernelConstants.DEFAULT_KEYSTORE_PATH);
+ if (keyStorePath != null) {
+ deployPropertyDefaults.put(CmsDeployProperty.SSL_KEYSTORE, keyStorePath.toAbsolutePath().toString());
+ }
- this.deployPropertyDefaults = Collections.unmodifiableMap(deployPropertyDefaults);
+ Path trustStorePath = getDataPath(KernelConstants.DEFAULT_TRUSTSTORE_PATH);
+ if (trustStorePath != null) {
+ deployPropertyDefaults.put(CmsDeployProperty.SSL_TRUSTSTORE, trustStorePath.toAbsolutePath().toString());
+ }
+ deployPropertyDefaults.put(CmsDeployProperty.SSL_TRUSTSTORETYPE, KernelConstants.PKCS12);
+ deployPropertyDefaults.put(CmsDeployProperty.SSL_TRUSTSTOREPASSWORD, KernelConstants.DEFAULT_KEYSTORE_PASSWORD);
+
+ // SSH
+ Path authorizedKeysPath = getDataPath(KernelConstants.NODE_SSHD_AUTHORIZED_KEYS_PATH);
+ if (authorizedKeysPath != null) {
+ deployPropertyDefaults.put(CmsDeployProperty.SSHD_AUTHORIZEDKEYS,
authorizedKeysPath.toAbsolutePath().toString());
+ }
+ return deployPropertyDefaults;
 }
 public void start() {
-// Runtime.getRuntime().addShutdownHook(new CmsShutdown());
- try {
+ // First init check
+ Path privateBase = getDataPath(KernelConstants.DIR_PRIVATE);
+ if (privateBase != null && !Files.exists(privateBase)) {// first init
+ firstInit();
+ Files.createDirectories(privateBase);
+ }
+ initSecurity();
 // initArgeoLogger();
 if (log.isTraceEnabled()) log.trace("CMS State started");
-// String stateUuidStr = KernelUtils.getFrameworkProp(Constants.FRAMEWORK_UUID);
-// this.uuid = UUID.fromString(stateUuidStr);
 this.uuid = uuidFactory.timeUUID();
-// this.cleanState = stateUuid.equals(frameworkUuid);
- try {
- this.hostname = InetAddress.getLocalHost().getHostName();
- } catch (UnknownHostException e) {
- log.error("Cannot set hostname: " + e);
+
+ // hostname
+ this.hostname = getDeployProperty(CmsDeployProperty.HOST);
+ // TODO verify we have access to the IP address
+ if (hostname == null) {
+ final String LOCALHOST_IP = "::1";
+ ForkJoinTask hostnameFJT = ForkJoinPool.commonPool().submit(() -> {
+ try {
+ String hostname = InetAddress.getLocalHost().getHostName();
+ return hostname;
+ } catch (UnknownHostException e) {
+ throw new IllegalStateException("Cannot get local hostname", e);
+ }
+ });
+ try {
+ this.hostname = hostnameFJT.get(5, TimeUnit.SECONDS);
+ } catch (InterruptedException | ExecutionException | TimeoutException e) {
+ this.hostname = LOCALHOST_IP;
+ log.warn("Could not get local hostname, using " + this.hostname);
+ }
 }
 availableSince = System.currentTimeMillis();
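Review bot: The hostname fallback in start() catches `InterruptedException | ExecutionException | TimeoutException` in a single arm, which drops the calling thread's interrupt status and, on timeout, leaves the submitted task running in the common pool; add `if (e instanceof InterruptedException) Thread.currentThread().interrupt();` and `hostnameFJT.cancel(true);` before assigning the fallback. The fallback `"::1"` is an IPv6 literal stored in a field named hostname, so anything that later derives URLs or certificate names from getHostname() will see an address rather than a name — worth a comment on the `LOCALHOST_IP` declaration. createDeployPropertiesDefaults() now seeds both SSL_PASSWORD and SSL_TRUSTSTOREPASSWORD from the same `KernelConstants.DEFAULT_KEYSTORE_PASSWORD`; since that value guards the node's private key, a `log.warn` when the default is actually applied would make an unconfigured deployment visible to operators. start() continues past the end of this hunk.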
@@ -106,18 +151,29 @@ public class CmsStateImpl implements CmsState {
 log.debug("## CMS starting... (" + uuid + ")\n" + sb + "\n");
 }
-// initI18n();
-// initServices();
- if (!Files.exists(getDataPath(CmsConstants.NODE))) {// first init
- firstInit();
- }
- } catch (RuntimeException | IOException e) {
- log.error("## FATAL: CMS activator failed", e);
+ log.error("## FATAL: CMS state failed", e);
 }
 }
 private void initSecurity() {
+ // private directory permissions
+ Path privateDir = getDataPath(KernelConstants.DIR_PRIVATE);
+ if (privateDir != null) {
+ // TODO rather check whether we can read and write
+ Set posixPermissions = new HashSet<>();
+ posixPermissions.add(PosixFilePermission.OWNER_READ);
+ posixPermissions.add(PosixFilePermission.OWNER_WRITE);
+ posixPermissions.add(PosixFilePermission.OWNER_EXECUTE);
+ try {
+ if (!Files.exists(privateDir))
+ Files.createDirectories(privateDir);
+ Files.setPosixFilePermissions(privateDir, posixPermissions);
+ } catch (IOException e) {
+ log.error("Cannot set permissions on " + privateDir, e);
+ }
+ }
+
 if (getDeployProperty(CmsDeployProperty.JAVA_LOGIN_CONFIG) == null) {
 String jaasConfig = KernelConstants.JAAS_CONFIG;
 URL url = getClass().getResource(jaasConfig);
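Review bot: `log.error("## FATAL: CMS state failed", e);` survives on the new side while the `} catch (RuntimeException | IOException e) {` that declared `e` is removed here and the matching `try {` is removed at the top of start() in the previous hunk; unless a try/catch remains in the unchanged lines between the two hunks (start() begins outside this one), `e` is unbound and the braces no longer pair, so please confirm this compiles. In initSecurity(), `Files.setPosixFilePermissions` throws UnsupportedOperationException on a file store without a POSIX attribute view and only IOException is caught, so startup would abort on such a file system; guard it with `if (Files.getFileStore(privateDir).supportsFileAttributeView(PosixFileAttributeView.class))` or add that exception to the catch. The directory is also created with umask-default permissions and only tightened afterwards; `Files.createDirectories(privateDir, PosixFilePermissions.asFileAttribute(posixPermissions))` creates it restricted from the start, and note that start() already creates the same DIR_PRIVATE directory immediately before calling initSecurity().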
@@ -137,17 +193,20 @@ public class CmsStateImpl implements CmsState {
 private void initCertificates() {
 // server certificate
 Path keyStorePath = Paths.get(getDeployProperty(CmsDeployProperty.SSL_KEYSTORE));
- Path pemKeyPath = getDataPath(PkiUtils.DEFAULT_PEM_KEY_PATH);
- Path pemCertPath = getDataPath(PkiUtils.DEFAULT_PEM_CERT_PATH);
+ Path pemKeyPath = getDataPath(KernelConstants.DEFAULT_PEM_KEY_PATH);
+ Path pemCertPath = getDataPath(KernelConstants.DEFAULT_PEM_CERT_PATH);
 char[] keyStorePassword = getDeployProperty(CmsDeployProperty.SSL_PASSWORD).toCharArray();
+ // Keystore
 // if PEM files both exists, update the PKCS12 file
 if (Files.exists(pemCertPath) && Files.exists(pemKeyPath)) {
 // TODO check certificate update time? monitor changes?
- KeyStore keyStore = PkiUtils.getKeyStore(keyStorePath, keyStorePassword, PkiUtils.PKCS12);
+ KeyStore keyStore = PkiUtils.getKeyStore(keyStorePath, keyStorePassword,
+ getDeployProperty(CmsDeployProperty.SSL_KEYSTORETYPE));
 try (Reader key = Files.newBufferedReader(pemKeyPath, StandardCharsets.US_ASCII);
- Reader cert = Files.newBufferedReader(pemCertPath, StandardCharsets.US_ASCII);) {
- PkiUtils.loadPem(keyStore, key, keyStorePassword, cert);
+ BufferedInputStream cert = new BufferedInputStream(Files.newInputStream(pemCertPath));) {
+ PkiUtils.loadPrivateCertificatePem(keyStore, CmsConstants.NODE, key, keyStorePassword, cert);
+ Files.createDirectories(keyStorePath.getParent());
 PkiUtils.saveKeyStore(keyStorePath, keyStorePassword, keyStore);
 if (log.isDebugEnabled()) log.debug("PEM certificate stored in " + keyStorePath);
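Review bot: `Files.createDirectories(keyStorePath.getParent())` throws NullPointerException when SSL_KEYSTORE is configured as a bare file name, because `Path.getParent()` returns null for a single-element path; guard it with `if (keyStorePath.getParent() != null)`. The previous hunk also makes the SSL_KEYSTORE default conditional on `getDataPath(...)` returning non-null, so the context line `Paths.get(getDeployProperty(CmsDeployProperty.SSL_KEYSTORE))` at the top of initCertificates() can now receive null and fail before any PEM handling runs; an explicit null check with a log message naming the property would make that misconfiguration legible. Whether `PkiUtils.getKeyStore` tolerates a null SSL_KEYSTORETYPE cannot be seen from here. initCertificates() continues past the end of this hunk.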
@@ -156,16 +215,28 @@ public class CmsStateImpl implements CmsState {
 }
 }
- if (!Files.exists(keyStorePath))
- PkiUtils.createSelfSignedKeyStore(keyStorePath, keyStorePassword, PkiUtils.PKCS12);
-// props.put(JettyHttpConstants.SSL_KEYSTORETYPE, PkiUtils.PKCS12);
-// props.put(JettyHttpConstants.SSL_KEYSTORE, keyStorePath.toString());
-// props.put(JettyHttpConstants.SSL_PASSWORD, new String(keyStorePassword));
-
-// props.put(InternalHttpConstants.SSL_KEYSTORETYPE, "PKCS11");
-// props.put(InternalHttpConstants.SSL_KEYSTORE, "../../nssdb");
-// props.put(InternalHttpConstants.SSL_PASSWORD, keyStorePassword);
+ // Truststore
+ Path trustStorePath = Paths.get(getDeployProperty(CmsDeployProperty.SSL_TRUSTSTORE));
+ char[] trustStorePassword = getDeployProperty(CmsDeployProperty.SSL_TRUSTSTOREPASSWORD).toCharArray();
+
+ // IPA CA
+ Path ipaCaCertPath = Paths.get(KernelConstants.IPA_PEM_CA_CERT_PATH);
+ if (Files.exists(ipaCaCertPath)) {
+ KeyStore trustStore = PkiUtils.getKeyStore(trustStorePath, trustStorePassword,
+ getDeployProperty(CmsDeployProperty.SSL_TRUSTSTORETYPE));
+ try (BufferedInputStream cert = new BufferedInputStream(Files.newInputStream(ipaCaCertPath));) {
+ PkiUtils.loadTrustedCertificatePem(trustStore, trustStorePassword, cert);
+ Files.createDirectories(keyStorePath.getParent());
+ PkiUtils.saveKeyStore(trustStorePath, trustStorePassword, trustStore);
+ if (log.isDebugEnabled())
+ log.debug("IPA CA certificate stored in " + trustStorePath);
+ } catch (IOException e) {
+ log.error("Cannot trust CA certificate", e);
+ }
+ }
+// if (!Files.exists(keyStorePath))
+// PkiUtils.createSelfSignedKeyStore(keyStorePath, keyStorePassword, PkiUtils.PKCS12);
 }
 public void stop() {
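Review bot: The truststore branch calls `Files.createDirectories(keyStorePath.getParent())` but then saves to `trustStorePath`, so when the two stores live in different directories the save can fail on a missing parent; it should read `Files.createDirectories(trustStorePath.getParent());`, with the same null-parent guard the keystore needs. Commenting out the self-signed fallback means a node without PEM files now starts with no file at the path advertised through SSL_KEYSTORE, and whatever consumes that property will fail at a less obvious point later; if that is intended, a `log.warn` stating that no server keystore exists would help. The IPA CA certificate is re-imported into the truststore on every start whenever the system file exists, which is reasonable for a managed host but deserves a comment on the `// IPA CA` line so operators understand the truststore file is rewritten at startup.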
@@ -245,25 +316,30 @@ public class CmsStateImpl implements CmsState {
 // try defaults
 if (deployPropertyDefaults.containsKey(deployProperty)) {
 value = deployPropertyDefaults.get(deployProperty);
+ if (deployProperty.isSystemPropertyOnly())
+ System.setProperty(deployProperty.getProperty(), value);
 }
- // try legacy properties
- String legacyProperty = switch (deployProperty) {
- case DIRECTORY -> "argeo.node.useradmin.uris";
- case DB_URL -> "argeo.node.dburl";
- case DB_USER -> "argeo.node.dbuser";
- case DB_PASSWORD -> "argeo.node.dbpassword";
- case HTTP_PORT -> "org.osgi.service.http.port";
- case HTTPS_PORT -> "org.osgi.service.http.port.secure";
- case HOST -> "org.eclipse.equinox.http.jetty.http.host";
- case LOCALE -> "argeo.i18n.defaultLocale";
-
- default -> null;
- };
- if (legacyProperty != null) {
- value = doGetDeployProperty(legacyProperty);
- if (value != null) {
- log.warn("Retrieved deploy property " + deployProperty.getProperty()
- + " through deprecated property " + legacyProperty);
+
+ if (value == null) {
+ // try legacy properties
+ String legacyProperty = switch (deployProperty) {
+ case DIRECTORY -> "argeo.node.useradmin.uris";
+ case DB_URL -> "argeo.node.dburl";
+ case DB_USER -> "argeo.node.dbuser";
+ case DB_PASSWORD -> "argeo.node.dbpassword";
+ case HTTP_PORT -> "org.osgi.service.http.port";
+ case HTTPS_PORT -> "org.osgi.service.http.port.secure";
+ case HOST -> "org.eclipse.equinox.http.jetty.http.host";
+ case LOCALE -> "argeo.i18n.defaultLocale";
+
+ default -> null;
+ };
+ if (legacyProperty != null) {
+ value = doGetDeployProperty(legacyProperty);
+ if (value != null) {
+ log.warn("Retrieved deploy property " + deployProperty.getProperty()
+ + " through deprecated property " + legacyProperty);
+ }
 }
 }
 }
@@ -303,10 +379,6 @@ public class CmsStateImpl implements CmsState {
 /*
 * ACCESSORS
 */
- public String getHostname() {
- return hostname;
- }
-
 @Override
 public UUID getUuid() {
 return uuid;
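Review bot: The added `System.setProperty(deployProperty.getProperty(), value)` turns a lookup into a write to process-wide state, and it runs on every call that falls through to the defaults rather than once at startup. If any property flagged `isSystemPropertyOnly()` carries a secret such as SSL_PASSWORD (which properties are flagged is not visible here), its default becomes readable to all code in the JVM via `System.getProperties()`; a comment naming the system-property-only entries and why their defaults must be published would help, and publishing them once from createDeployPropertiesDefaults() or start() would keep the getter side-effect free. The enclosing method begins outside this hunk.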
@@ -316,6 +388,10 @@ public class CmsStateImpl implements CmsState {
 this.uuidFactory = uuidFactory;
 }
+ public String getHostname() {
+ return hostname;
+ }
+
 /**
 * Called before node initialisation, in order populate OSGi instance are with
 * some files (typically LDIF, etc).
@@ -323,6 +399,8 @@ public class CmsStateImpl implements CmsState {
 public static void prepareFirstInitInstanceArea(List nodeInits) {
 for (String nodeInit : nodeInits) {
+ if (nodeInit == null)
+ continue;
 if (nodeInit.startsWith("http")) {
 // TODO reconnect it
@@ -330,29 +408,17 @@ public class CmsStateImpl implements CmsState {
 } else {
 // TODO use java.nio.file
- File initDir;
+ Path initDir;
 if (nodeInit.startsWith("."))
 initDir = KernelUtils.getExecutionDir(nodeInit);
 else
- initDir = new File(nodeInit);
+ initDir = Paths.get(nodeInit);
 // TODO also uncompress archives
- if (initDir.exists())
- try {
- // TODO use NIO utilities
- FileUtils.copyDirectory(initDir, KernelUtils.getOsgiInstancePath("").toFile(),
- new FileFilter() {
-
- @Override
- public boolean accept(File pathname) {
- if (pathname.getName().equals(".svn") || pathname.getName().equals(".git"))
- return false;
- return true;
- }
- });
- log.info("CMS initialized from " + initDir.getCanonicalPath());
- } catch (IOException e) {
- throw new RuntimeException("Cannot initialize from " + initDir, e);
- }
+ if (Files.exists(initDir)) {
+ Path dataPath = KernelUtils.getOsgiInstancePath("");
+ FsUtils.copyDirectory(initDir, dataPath);
+ log.info("CMS initialized from " + initDir);
+ }
 }
 }
 }
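Review bot: The rewritten copy in prepareFirstInitInstanceArea() drops the FileFilter that excluded `.svn` and `.git` entries, and nothing visible shows `FsUtils.copyDirectory` applying an equivalent exclusion; if it does not, VCS metadata from the init directory, including remote URLs and any credentials stored in `.git/config`, lands in the OSGi instance area. Either confirm the exclusion lives in FsUtils or pass a filter, and record the decision in a comment at the call site. The old code also wrapped IOException into a RuntimeException carrying the init path, whereas the new call has no handler, so an I/O failure now surfaces with whatever FsUtils reports; and `log.info` now prints the raw `initDir` instead of its canonical path, which keeps `..` segments in the reported location. The first two hunks on this line (a moved accessor and a null guard) raise nothing.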