X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fruntime%2FCmsUserAdmin.java;h=18a880e31470f2738bb5af79dd3e696c3fca5190;hb=336930c69f0cd3e1242e518479624c6366541275;hp=7c4d807746ff481e7bcdd56f7058ecc5d3b8c86c;hpb=b843d903237a2a4192c40d8c933e71137284050b;p=lgpl%2Fargeo-commons.git

diff --git a/org.argeo.cms/src/org/argeo/cms/internal/runtime/CmsUserAdmin.java b/org.argeo.cms/src/org/argeo/cms/internal/runtime/CmsUserAdmin.java
index 7c4d80774..18a880e31 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/runtime/CmsUserAdmin.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/runtime/CmsUserAdmin.java
@@ -5,15 +5,17 @@ import java.net.Inet6Address;
 import java.net.InetAddress;
 import java.net.URI;
 import java.net.URISyntaxException;
+import java.net.URL;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.security.PrivilegedExceptionAction;
 import java.util.ArrayList;
 import java.util.Dictionary;
 import java.util.Iterator;
+import java.util.List;
+import java.util.Optional;
 import java.util.Set;
 
-import javax.naming.ldap.LdapName;
 import javax.security.auth.Subject;
 import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.CallbackHandler;
@@ -31,18 +33,16 @@ import org.apache.commons.httpclient.params.HttpParams;
 import org.argeo.api.cms.CmsAuth;
 import org.argeo.api.cms.CmsConstants;
 import org.argeo.api.cms.CmsLog;
+import org.argeo.api.cms.CmsState;
 import org.argeo.cms.internal.http.client.HttpCredentialProvider;
 import org.argeo.cms.internal.http.client.SpnegoAuthScheme;
-import org.argeo.osgi.transaction.WorkControl;
-import org.argeo.osgi.transaction.WorkTransaction;
-import org.argeo.osgi.useradmin.AbstractUserDirectory;
 import org.argeo.osgi.useradmin.AggregatingUserAdmin;
-import org.argeo.osgi.useradmin.LdapUserAdmin;
-import org.argeo.osgi.useradmin.LdifUserAdmin;
-import org.argeo.osgi.useradmin.OsUserDirectory;
-import org.argeo.osgi.useradmin.UserAdminConf;
+import org.argeo.osgi.useradmin.DirectoryUserAdmin;
 import org.argeo.osgi.useradmin.UserDirectory;
-import org.argeo.util.naming.DnsBrowser;
+import org.argeo.util.directory.DirectoryConf;
+import org.argeo.util.naming.dns.DnsBrowser;
+import org.argeo.util.transaction.WorkControl;
+import org.argeo.util.transaction.WorkTransaction;
 import org.ietf.jgss.GSSCredential;
 import org.ietf.jgss.GSSException;
 import org.ietf.jgss.GSSManager;
@@ -56,7 +56,7 @@ import org.osgi.service.useradmin.Role;
  * Aggregates multiple {@link UserDirectory} and integrates them with system
  * roles.
  */
-public class CmsUserAdmin extends AggregatingUserAdmin {
+public class CmsUserAdmin extends AggregatingUserAdmin {
 	private final static CmsLog log = CmsLog.getLog(CmsUserAdmin.class);
 
 	// GSS API
@@ -68,23 +68,36 @@ public class CmsUserAdmin extends AggregatingUserAdmin {
 	private WorkControl transactionManager;
 	private WorkTransaction userTransaction;
 
+	private CmsState cmsState;
+
 	public CmsUserAdmin() {
 		super(CmsConstants.ROLES_BASEDN, CmsConstants.TOKENS_BASEDN);
 	}
 
 	public void start() {
+		super.start();
+		List> configs = InitUtils.getUserDirectoryConfigs();
+		for (Dictionary config : configs) {
+			UserDirectory userDirectory = enableUserDirectory(config);
+			if (userDirectory.getRealm().isPresent())
+				loadIpaJaasConfiguration();
+		}
 	}
 
 	public void stop() {
+//		for (UserDirectory userDirectory : getUserDirectories()) {
+//			removeUserDirectory(userDirectory);
+//		}
+		super.stop();
 	}
-
+
 	public UserDirectory enableUserDirectory(Dictionary properties) {
-		String uri = (String) properties.get(UserAdminConf.uri.name());
-		Object realm = properties.get(UserAdminConf.realm.name());
+		String uri = (String) properties.get(DirectoryConf.uri.name());
+		Object realm = properties.get(DirectoryConf.realm.name());
 		URI u;
 		try {
 			if (uri == null) {
-				String baseDn = (String) properties.get(UserAdminConf.baseDn.name());
+				String baseDn = (String) properties.get(DirectoryConf.baseDn.name());
 				u = KernelUtils.getOsgiInstanceUri(KernelConstants.DIR_NODE + '/' + baseDn + ".ldif");
 			} else if (realm != null) {
 				u = null;
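Review bot: `stop()` now only calls `super.stop()` while the loop that detached each directory through `removeUserDirectory` is left commented out, so unless `AggregatingUserAdmin.stop()` itself runs `preDestroy` for every directory (not visible in this diff), the GSS acceptor credentials that `preDestroy` disposes would outlive a stop/start cycle. Either restore the loop or delete the three dead `//` lines and record who owns the teardown, e.g. `// directories are detached (and preDestroy run) by AggregatingUserAdmin.stop()` — only if that is actually the case. Note also that `start()` calls `loadIpaJaasConfiguration()` once per realm-bearing directory, which is only harmless because of the system-property guard inside that method. `enableUserDirectory` continues past the end of this hunk.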
@@ -96,32 +109,31 @@ public class CmsUserAdmin extends AggregatingUserAdmin {
 		}
 
 		// Create
-		AbstractUserDirectory userDirectory;
-		if (realm != null || UserAdminConf.SCHEME_LDAP.equals(u.getScheme())
-				|| UserAdminConf.SCHEME_LDAPS.equals(u.getScheme())) {
-			userDirectory = new LdapUserAdmin(properties);
-		} else if (UserAdminConf.SCHEME_FILE.equals(u.getScheme())) {
-			userDirectory = new LdifUserAdmin(u, properties);
-		} else if (UserAdminConf.SCHEME_OS.equals(u.getScheme())) {
-			userDirectory = new OsUserDirectory(u, properties);
-			singleUser = true;
-		} else {
-			throw new IllegalArgumentException("Unsupported scheme " + u.getScheme());
-		}
-		LdapName baseDn = userDirectory.getBaseDn();
+		UserDirectory userDirectory = new DirectoryUserAdmin(u, properties);
+//		if (realm != null || DirectoryConf.SCHEME_LDAP.equals(u.getScheme())
+//				|| DirectoryConf.SCHEME_LDAPS.equals(u.getScheme())) {
+//			userDirectory = new LdapUserAdmin(properties);
+//		} else if (DirectoryConf.SCHEME_FILE.equals(u.getScheme())) {
+//			userDirectory = new LdifUserAdmin(u, properties);
+//		} else if (DirectoryConf.SCHEME_OS.equals(u.getScheme())) {
+//			userDirectory = new OsUserDirectory(u, properties);
+//			singleUser = true;
+//		} else {
+//			throw new IllegalArgumentException("Unsupported scheme " + u.getScheme());
+//		}
+		String basePath = userDirectory.getContext();
 		addUserDirectory(userDirectory);
-		if (isSystemRolesBaseDn(baseDn)) {
+		if (isSystemRolesBaseDn(basePath)) {
 			addStandardSystemRoles();
-		}
+		}
 		if (log.isDebugEnabled()) {
-			log.debug("User directory " + userDirectory.getBaseDn() + (u != null ? " [" + u.getScheme() + "]" : "")
+			log.debug("User directory " + userDirectory.getContext() + (u != null ? " [" + u.getScheme() + "]" : "")
 					+ " enabled." + (realm != null ? " " + realm + " realm." : ""));
 		}
 		return userDirectory;
 	}
 
-
 	protected void addStandardSystemRoles() {
 		// we assume UserTransaction is already available (TODO make it more robust)
 		try {
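Review bot: The commented-out scheme dispatch in `enableUserDirectory` silently drops `singleUser = true` for the `os` scheme together with the explicit `Unsupported scheme` rejection; if the `singleUser` field still exists and gates any behaviour, it is now never set, and an unrecognised scheme is only rejected if the `DirectoryUserAdmin` constructor does so (not visible here). Delete the eleven `//` lines rather than keeping them as history, and if the OS-directory flag is still needed derive it from the scheme at this point: `if (u != null && DirectoryConf.SCHEME_OS.equals(u.getScheme())) singleUser = true;`. The null guard matters because `u` is deliberately null when a realm is configured, as the existing debug log line already accounts for. `enableUserDirectory` begins before this hunk and `addStandardSystemRoles` continues past its end.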
@@ -145,7 +157,6 @@ public class CmsUserAdmin extends AggregatingUserAdmin {
 		}
 	}
 
-	@Override
 	protected void addAbstractSystemRoles(Authorization rawAuthorization, Set sysRoles) {
 		if (rawAuthorization.getName() == null) {
@@ -155,13 +166,14 @@ public class CmsUserAdmin extends AggregatingUserAdmin {
 		}
 	}
 
-	protected void postAdd(AbstractUserDirectory userDirectory) {
+	@Override
+	protected void postAdd(UserDirectory userDirectory) {
 		userDirectory.setTransactionControl(transactionManager);
-		Object realm = userDirectory.getProperties().get(UserAdminConf.realm.name());
-		if (realm != null) {
+		Optional realm = userDirectory.getRealm();
+		if (realm.isPresent()) {
 			if (Files.exists(nodeKeyTab)) {
-				String servicePrincipal = getKerberosServicePrincipal(realm.toString());
+				String servicePrincipal = getKerberosServicePrincipal(realm.get());
 				if (servicePrincipal != null) {
 					CallbackHandler callbackHandler = new CallbackHandler() {
 						@Override
@@ -195,9 +207,10 @@ public class CmsUserAdmin extends AggregatingUserAdmin {
 		}
 	}
 
-	protected void preDestroy(AbstractUserDirectory userDirectory) {
-		Object realm = userDirectory.getProperties().get(UserAdminConf.realm.name());
-		if (realm != null) {
+	@Override
+	protected void preDestroy(UserDirectory userDirectory) {
+		Optional realm = userDirectory.getRealm();
+		if (realm.isPresent()) {
 			if (acceptorCredentials != null) {
 				try {
 					acceptorCredentials.dispose();
@@ -209,6 +222,15 @@ public class CmsUserAdmin extends AggregatingUserAdmin {
 		}
 	}
 
+	private void loadIpaJaasConfiguration() {
+		if (System.getProperty(KernelConstants.JAAS_CONFIG_PROP) == null) {
+			String jaasConfig = KernelConstants.JAAS_CONFIG_IPA;
+			URL url = getClass().getClassLoader().getResource(jaasConfig);
+			KernelUtils.setJaasConfiguration(url);
+			log.debug("Set IPA JAAS configuration.");
+		}
+	}
+
 	private String getKerberosServicePrincipal(String realm) {
 		String hostname;
 		try (DnsBrowser dnsBrowser = new DnsBrowser()) {
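Review bot: Dropping `@Override` from `addAbstractSystemRoles` either silences a compile error because `AggregatingUserAdmin` no longer declares that hook — in which case the method is now dead code and whatever roles it adds to the `Authorization` are never applied — or it was unnecessary to remove and the annotation should stay. Judging from the signature alone (its body lies outside this hunk) this is the place where per-authorization system roles are granted, so a silently unwired hook is an authorization regression rather than a cosmetic one. Please confirm the superclass still invokes it and, if so, restore `@Override` on the line above `protected void addAbstractSystemRoles(Authorization rawAuthorization, Set sysRoles) {`. The method continues past the end of this hunk.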
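Review bot: In `loadIpaJaasConfiguration`, `getClassLoader().getResource(jaasConfig)` returns null when the resource is absent and that null is handed straight to `KernelUtils.setJaasConfiguration(url)`; since this selects the JAAS login modules that authenticate users against the IPA realm, a missing configuration should fail at startup rather than surface as an opaque error on the first login. Add `if (url == null) throw new IllegalStateException("JAAS configuration " + jaasConfig + " not found");` before the call. It would also help traceability if the debug line named what was loaded: `log.debug("Set IPA JAAS configuration from " + url);`.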
@@ -229,6 +251,13 @@ public class CmsUserAdmin extends AggregatingUserAdmin {
 	}
 
 	private GSSCredential logInAsAcceptor(Subject subject, String servicePrincipal) {
+		// not static because class is not supported by Android
+		final Oid KERBEROS_OID;
+		try {
+			KERBEROS_OID = new Oid("1.3.6.1.5.5.2");
+		} catch (GSSException e) {
+			throw new IllegalStateException("Cannot create Kerberos OID", e);
+		}
 		// GSS
 		Iterator krb5It = subject.getPrincipals(KerberosPrincipal.class).iterator();
 		if (!krb5It.hasNext())
@@ -284,16 +313,8 @@ public class CmsUserAdmin extends AggregatingUserAdmin {
 		this.userTransaction = userTransaction;
 	}
 
-	/*
-	 * STATIC
-	 */
-
-	public final static Oid KERBEROS_OID;
-	static {
-		try {
-			KERBEROS_OID = new Oid("1.3.6.1.5.5.2");
-		} catch (GSSException e) {
-			throw new IllegalStateException("Cannot create Kerberos OID", e);
-		}
+	public void setCmsState(CmsState cmsState) {
+		this.cmsState = cmsState;
 	}
+
 }
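Review bot: In `logInAsAcceptor` the new local `final Oid KERBEROS_OID` carries constant-style naming for a value that is rebuilt on every call, and the comment `// not static because class is not supported by Android` does not say what actually fails, so a reader will assume a class constant is in scope. Rename it `kerberosOid` and state the constraint it works around, e.g. `// built per call: the static Oid initialiser this replaced does not work on Android (verify)`. The method continues past the end of this hunk.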
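Review bot: The second hunk deletes the public constant `CmsUserAdmin.KERBEROS_OID`, which is a public API removal: any other bundle that referenced it will stop compiling, and nothing in this diff provides a replacement. If there are no external users that is fine; otherwise keep a deprecated public accessor returning a freshly built `Oid`. Separately, `setCmsState` only stores `cmsState` and nothing in this diff reads it; if the field is genuinely unused, drop it and the setter, or document the injection with `/** Injected by the runtime; not yet used by this class. */` if that is the situation.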