X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fruntime%2FCmsUserAdmin.java;h=ab98c062585684c9a536dc95a20644d7208dc1bf;hb=f3ea14abccc33b1c3326417a87c91145be776c72;hp=9ebc429178ce0276f7a83ae37eba2ebb083c96cf;hpb=dca2b13e0e3ca3e7a9469e089b980c48c880ad1a;p=lgpl%2Fargeo-commons.git diff --git a/org.argeo.cms/src/org/argeo/cms/internal/runtime/CmsUserAdmin.java b/org.argeo.cms/src/org/argeo/cms/internal/runtime/CmsUserAdmin.java index 9ebc42917..ab98c0625 100644 --- a/org.argeo.cms/src/org/argeo/cms/internal/runtime/CmsUserAdmin.java +++ b/org.argeo.cms/src/org/argeo/cms/internal/runtime/CmsUserAdmin.java @@ -1,14 +1,13 @@ package org.argeo.cms.internal.runtime; -import java.io.File; import java.io.IOException; -import java.net.Inet6Address; import java.net.InetAddress; import java.net.URI; import java.net.URISyntaxException; import java.net.URL; import java.nio.file.Files; import java.nio.file.Path; +import java.nio.file.Paths; import java.security.PrivilegedExceptionAction; import java.util.ArrayList; import java.util.Dictionary; @@ -26,19 +25,11 @@ import javax.security.auth.kerberos.KerberosPrincipal; import javax.security.auth.login.LoginContext; import javax.security.auth.login.LoginException; -import org.apache.commons.httpclient.auth.AuthPolicy; -import org.apache.commons.httpclient.auth.CredentialsProvider; -import org.apache.commons.httpclient.params.DefaultHttpParams; -import org.apache.commons.httpclient.params.HttpMethodParams; -import org.apache.commons.httpclient.params.HttpParams; -import org.apache.commons.io.FileUtils; import org.argeo.api.cms.CmsAuth; import org.argeo.api.cms.CmsConstants; import org.argeo.api.cms.CmsLog; import org.argeo.api.cms.CmsState; import org.argeo.cms.CmsDeployProperty; -import org.argeo.cms.internal.http.client.HttpCredentialProvider; -import org.argeo.cms.internal.http.client.SpnegoAuthScheme; import org.argeo.osgi.useradmin.AggregatingUserAdmin; import org.argeo.osgi.useradmin.DirectoryUserAdmin; import org.argeo.osgi.useradmin.UserDirectory; @@ -81,9 +72,9 @@ public class CmsUserAdmin extends AggregatingUserAdmin { super.start(); List> configs = getUserDirectoryConfigs(); for (Dictionary config : configs) { - UserDirectory userDirectory = enableUserDirectory(config); - if (userDirectory.getRealm().isPresent()) - loadIpaJaasConfiguration(); + enableUserDirectory(config); +// if (userDirectory.getRealm().isPresent()) +// loadIpaJaasConfiguration(); } log.debug(() -> "CMS user admin available"); } @@ -97,42 +88,42 @@ public class CmsUserAdmin extends AggregatingUserAdmin { protected List> getUserDirectoryConfigs() { List> res = new ArrayList<>(); - File nodeBaseDir = cmsState.getDataPath(KernelConstants.DIR_NODE).toFile(); + Path nodeBase = cmsState.getDataPath(KernelConstants.DIR_NODE); List uris = new ArrayList<>(); // node roles String nodeRolesUri = null;// getFrameworkProp(CmsConstants.ROLES_URI); String baseNodeRoleDn = CmsConstants.ROLES_BASEDN; - if (nodeRolesUri == null) { + if (nodeRolesUri == null && nodeBase != null) { nodeRolesUri = baseNodeRoleDn + ".ldif"; - File nodeRolesFile = new File(nodeBaseDir, nodeRolesUri); - if (!nodeRolesFile.exists()) + Path nodeRolesFile = nodeBase.resolve(nodeRolesUri); + if (!Files.exists(nodeRolesFile)) try { - FileUtils.copyInputStreamToFile(CmsUserAdmin.class.getResourceAsStream(baseNodeRoleDn + ".ldif"), - nodeRolesFile); + Files.copy(CmsUserAdmin.class.getResourceAsStream(baseNodeRoleDn + ".ldif"), nodeRolesFile); } catch (IOException e) { throw new RuntimeException("Cannot copy demo resource", e); } // nodeRolesUri = nodeRolesFile.toURI().toString(); } - uris.add(nodeRolesUri); + if (nodeRolesUri != null) + uris.add(nodeRolesUri); // node tokens String nodeTokensUri = null;// getFrameworkProp(CmsConstants.TOKENS_URI); String baseNodeTokensDn = CmsConstants.TOKENS_BASEDN; - if (nodeTokensUri == null) { + if (nodeTokensUri == null && nodeBase != null) { nodeTokensUri = baseNodeTokensDn + ".ldif"; - File nodeTokensFile = new File(nodeBaseDir, nodeTokensUri); - if (!nodeTokensFile.exists()) + Path nodeTokensFile = nodeBase.resolve(nodeTokensUri); + if (!Files.exists(nodeTokensFile)) try { - FileUtils.copyInputStreamToFile(CmsUserAdmin.class.getResourceAsStream(baseNodeTokensDn + ".ldif"), - nodeTokensFile); + Files.copy(CmsUserAdmin.class.getResourceAsStream(baseNodeTokensDn + ".ldif"), nodeTokensFile); } catch (IOException e) { throw new RuntimeException("Cannot copy demo resource", e); } // nodeRolesUri = nodeRolesFile.toURI().toString(); } - uris.add(nodeTokensUri); + if (nodeTokensUri != null) + uris.add(nodeTokensUri); // Business roles // String userAdminUris = getFrameworkProp(CmsConstants.USERADMIN_URIS); @@ -144,19 +135,17 @@ public class CmsUserAdmin extends AggregatingUserAdmin { uris.add(userAdminUri); } - if (uris.size() == 0) { + if (uris.size() == 0 && nodeBase != null) { // TODO put this somewhere else String demoBaseDn = "dc=example,dc=com"; String userAdminUri = demoBaseDn + ".ldif"; - File businessRolesFile = new File(nodeBaseDir, userAdminUri); - File systemRolesFile = new File(nodeBaseDir, "ou=roles,ou=node.ldif"); - if (!businessRolesFile.exists()) + Path businessRolesFile = nodeBase.resolve(userAdminUri); + Path systemRolesFile = nodeBase.resolve("ou=roles,ou=node.ldif"); + if (!Files.exists(businessRolesFile)) try { - FileUtils.copyInputStreamToFile(CmsUserAdmin.class.getResourceAsStream(demoBaseDn + ".ldif"), - businessRolesFile); - if (!systemRolesFile.exists()) - FileUtils.copyInputStreamToFile( - CmsUserAdmin.class.getResourceAsStream("example-ou=roles,ou=node.ldif"), + Files.copy(CmsUserAdmin.class.getResourceAsStream(demoBaseDn + ".ldif"), businessRolesFile); + if (!Files.exists(systemRolesFile)) + Files.copy(CmsUserAdmin.class.getResourceAsStream("example-ou=roles,ou=node.ldif"), systemRolesFile); } catch (IOException e) { throw new RuntimeException("Cannot copy demo resources", e); @@ -176,14 +165,14 @@ public class CmsUserAdmin extends AggregatingUserAdmin { "URI " + uri + " must have a path in order to determine base DN"); if (u.getScheme() == null) { if (uri.startsWith("/") || uri.startsWith("./") || uri.startsWith("../")) - u = new File(uri).getCanonicalFile().toURI(); + u = Paths.get(uri).toRealPath().toUri(); else if (!uri.contains("/")) { // u = KernelUtils.getOsgiInstanceUri(KernelConstants.DIR_NODE + '/' + uri); u = new URI(uri); } else throw new IllegalArgumentException("Cannot interpret " + uri + " as an uri"); } else if (u.getScheme().equals(DirectoryConf.SCHEME_FILE)) { - u = new File(u).getCanonicalFile().toURI(); + u = Paths.get(u).toRealPath().toUri(); } } catch (Exception e) { throw new RuntimeException("Cannot interpret " + uri + " as an uri", e); @@ -276,6 +265,7 @@ public class CmsUserAdmin extends AggregatingUserAdmin { Optional realm = userDirectory.getRealm(); if (realm.isPresent()) { + loadIpaJaasConfiguration(); if (Files.exists(nodeKeyTab)) { String servicePrincipal = getKerberosServicePrincipal(realm.get()); if (servicePrincipal != null) { @@ -289,7 +279,7 @@ public class CmsUserAdmin extends AggregatingUserAdmin { } }; try { - LoginContext nodeLc = new LoginContext(CmsAuth.LOGIN_CONTEXT_NODE, callbackHandler); + LoginContext nodeLc = CmsAuth.NODE.newLoginContext(callbackHandler); nodeLc.login(); acceptorCredentials = logInAsAcceptor(nodeLc.getSubject(), servicePrincipal); } catch (LoginException e) { @@ -298,16 +288,6 @@ public class CmsUserAdmin extends AggregatingUserAdmin { } } - // Register client-side SPNEGO auth scheme - AuthPolicy.registerAuthScheme(SpnegoAuthScheme.NAME, SpnegoAuthScheme.class); - HttpParams params = DefaultHttpParams.getDefaultParams(); - ArrayList schemes = new ArrayList<>(); - schemes.add(SpnegoAuthScheme.NAME);// SPNEGO preferred - // schemes.add(AuthPolicy.BASIC);// incompatible with Basic - params.setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, schemes); - params.setParameter(CredentialsProvider.PROVIDER, new HttpCredentialProvider()); - params.setParameter(HttpMethodParams.COOKIE_POLICY, KernelConstants.COOKIE_POLICY_BROWSER_COMPATIBILITY); - // params.setCookiePolicy(CookiePolicy.BROWSER_COMPATIBILITY); } } @@ -335,16 +315,21 @@ public class CmsUserAdmin extends AggregatingUserAdmin { } } - private String getKerberosServicePrincipal(String realm) { - String hostname; - try (DnsBrowser dnsBrowser = new DnsBrowser()) { - InetAddress localhost = InetAddress.getLocalHost(); - hostname = localhost.getHostName(); + protected String getKerberosServicePrincipal(String realm) { + if (!Files.exists(nodeKeyTab)) + return null; + List dns = CmsStateImpl.getDeployProperties(cmsState, CmsDeployProperty.DNS); + String hostname = CmsStateImpl.getDeployProperty(cmsState, CmsDeployProperty.HOST); + try (DnsBrowser dnsBrowser = new DnsBrowser(dns)) { + hostname = hostname != null ? hostname : InetAddress.getLocalHost().getHostName(); String dnsZone = hostname.substring(hostname.indexOf('.') + 1); - String ipfromDns = dnsBrowser.getRecord(hostname, localhost instanceof Inet6Address ? "AAAA" : "A"); - boolean consistentIp = localhost.getHostAddress().equals(ipfromDns); + String ipv4fromDns = dnsBrowser.getRecord(hostname, "A"); + String ipv6fromDns = dnsBrowser.getRecord(hostname, "AAAA"); + if (ipv4fromDns == null && ipv6fromDns == null) + throw new IllegalStateException("hostname " + hostname + " is not registered in DNS"); + // boolean consistentIp = localhost.getHostAddress().equals(ipfromDns); String kerberosDomain = dnsBrowser.getRecord("_kerberos." + dnsZone, "TXT"); - if (consistentIp && kerberosDomain != null && kerberosDomain.equals(realm) && Files.exists(nodeKeyTab)) { + if (kerberosDomain != null && kerberosDomain.equals(realm)) { return KernelConstants.DEFAULT_KERBEROS_SERVICE + "/" + hostname + "@" + kerberosDomain; } else return null;