From f763d5bc49fa5cae85e85ca8ae69f51d10a86060 Mon Sep 17 00:00:00 2001
From: Mathieu Baudier
Date: Sat, 5 Nov 2011 13:23:44 +0000
Subject: [PATCH] Improve Security
git-svn-id: https://svn.argeo.org/commons/trunk@4888 4cfe0d0a-d680-48aa-b62c-e0a02a3f76cc
---
 .../META-INF/spring/security-ldap.xml | 24 +++++------
 .../ldap.properties | 6 +++
 .../org.argeo.security.services/.project | 22 ----------
 .../META-INF/spring/osgi.xml | 22 ----------
 .../META-INF/spring/services.xml | 40 -----------------
 .../build.properties | 1 -
 .../org.argeo.security.services/pom.xml | 12 ------
 .../security.properties | 1 -
 security/modules/pom.xml | 1 -
 .../ui/admin/wizards/NewUserWizard.java | 4 +-
 .../java/org/argeo/security/UserAdminDao.java | 43 -------------------
 .../ldap/ArgeoLdapUserDetailsManager.java | 5 +--
 ...aoLdap.java => ArgeoUserAdminDaoLdap.java} | 9 ++--
 .../ldap/jcr/JcrLdapSynchronizer.java | 9 ++--
 14 files changed, 32 insertions(+), 167 deletions(-)
 delete mode 100644 security/modules/org.argeo.security.services/.project
 delete mode 100644 security/modules/org.argeo.security.services/META-INF/spring/osgi.xml
 delete mode 100644 security/modules/org.argeo.security.services/META-INF/spring/services.xml
 delete mode 100644 security/modules/org.argeo.security.services/build.properties
 delete mode 100644 security/modules/org.argeo.security.services/pom.xml
 delete mode 100644 security/modules/org.argeo.security.services/security.properties
 delete mode 100644 security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/UserAdminDao.java
 rename security/runtime/org.argeo.security.ldap/src/main/java/org/argeo/security/ldap/{ArgeoSecurityDaoLdap.java => ArgeoUserAdminDaoLdap.java} (95%)
diff --git a/security/modules/org.argeo.security.dao.ldap/META-INF/spring/security-ldap.xml b/security/modules/org.argeo.security.dao.ldap/META-INF/spring/security-ldap.xml
index 8ce3081e4..a31f79dc1 100644
--- a/security/modules/org.argeo.security.dao.ldap/META-INF/spring/security-ldap.xml +++ b/security/modules/org.argeo.security.dao.ldap/META-INF/spring/security-ldap.xml @@ -46,7 +46,18 @@ - + + + + + + + + + + + + @@ -79,17 +90,6 @@ - - - - - - - - - - - diff --git a/security/modules/org.argeo.security.dao.ldap/ldap.properties b/security/modules/org.argeo.security.dao.ldap/ldap.properties index b96150b19..b00b5261f 100644 --- a/security/modules/org.argeo.security.dao.ldap/ldap.properties +++ b/security/modules/org.argeo.security.dao.ldap/ldap.properties @@ -15,6 +15,7 @@ argeo.ldap.manager.password=secret # USER argeo.ldap.userClass=inetOrgPerson +argeo.ldap.osUserClass=posixAccount argeo.ldap.userBase=ou=People argeo.ldap.usernameAttribute=uid argeo.ldap.passwordAttribute=userPassword @@ -23,5 +24,10 @@ argeo.ldap.groupClass=groupOfNames argeo.ldap.groupBase=ou=Roles argeo.ldap.groupRoleAttribute=cn argeo.ldap.groupMemberAttribute=member +# OS GROUPS +argeo.ldap.osGroupClass=posixGroup +argeo.ldap.osGroupBase=ou=Group +argeo.ldap.osGroupNameAttribute=cn +argeo.ldap.osGroupMemberAttribute=memberUid argeo.ldap.password.useSalt=false \ No newline at end of file diff --git a/security/modules/org.argeo.security.services/.project b/security/modules/org.argeo.security.services/.project deleted file mode 100644 index e2c51e6cc..000000000 --- a/security/modules/org.argeo.security.services/.project +++ /dev/null @@ -1,22 +0,0 @@ - - - org.argeo.security.services - - - - - - org.eclipse.pde.ManifestBuilder - - - - - org.eclipse.pde.SchemaBuilder - - - - - - org.eclipse.pde.PluginNature - - diff --git a/security/modules/org.argeo.security.services/META-INF/spring/osgi.xml b/security/modules/org.argeo.security.services/META-INF/spring/osgi.xml deleted file mode 100644 index 173034810..000000000 --- a/security/modules/org.argeo.security.services/META-INF/spring/osgi.xml +++ /dev/null @@ -1,22 +0,0 @@ - - - - - - - - - - - - - \ No newline at end of file 
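Review bot: The new `argeo.ldap.osGroupMemberAttribute=memberUid` key carries different membership semantics from the existing `argeo.ldap.groupMemberAttribute=member`: in a `posixGroup` the `memberUid` values are bare login names, whereas `member` in a `groupOfNames` holds full DNs, so any code that resolves OS-group membership through the same path as role membership must not treat these values as DNs. The security-ldap.xml hunk on this same line is presumably where the new keys are consumed, but its content is not readable here, so that part is inferred. A one-line comment above the new block would record the distinction, e.g. `# memberUid values are login names (uid), not DNs, unlike groupOfNames 'member'`. Outside this change, the surrounding context still ships a literal manager bind password (`argeo.ldap.manager.password=secret`) in a default properties file, which is worth tracking now that this file defines more of the directory layout.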
diff --git a/security/modules/org.argeo.security.services/META-INF/spring/services.xml b/security/modules/org.argeo.security.services/META-INF/spring/services.xml deleted file mode 100644 index 1a56b8523..000000000 --- a/security/modules/org.argeo.security.services/META-INF/spring/services.xml +++ /dev/null @@ -1,40 +0,0 @@ - - - - - - - osgibundle:security.properties - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/security/modules/org.argeo.security.services/build.properties b/security/modules/org.argeo.security.services/build.properties deleted file mode 100644 index 5f22cdd44..000000000 --- a/security/modules/org.argeo.security.services/build.properties +++ /dev/null @@ -1 +0,0 @@ -bin.includes = META-INF/ diff --git a/security/modules/org.argeo.security.services/pom.xml b/security/modules/org.argeo.security.services/pom.xml deleted file mode 100644 index 17f86f029..000000000 --- a/security/modules/org.argeo.security.services/pom.xml +++ /dev/null @@ -1,12 +0,0 @@ - - 4.0.0 - - org.argeo.commons.security - 0.3.4-SNAPSHOT - modules - .. - - org.argeo.security.services - Commons Security Services - \ No newline at end of file diff --git a/security/modules/org.argeo.security.services/security.properties b/security/modules/org.argeo.security.services/security.properties deleted file mode 100644 index ae7aa8725..000000000 --- a/security/modules/org.argeo.security.services/security.properties +++ /dev/null @@ -1 +0,0 @@ -argeo.security.systemKey=argeo diff --git a/security/modules/pom.xml b/security/modules/pom.xml index 8d10e4d92..7a05b23dc 100644 --- a/security/modules/pom.xml +++ b/security/modules/pom.xml @@ -15,7 +15,6 @@ org.argeo.security.dao.os org.argeo.security.dao.jackrabbit org.argeo.security.dao.ldap - org.argeo.security.services org.argeo.security.webapp 
diff --git a/security/plugins/org.argeo.security.ui.admin/src/main/java/org/argeo/security/ui/admin/wizards/NewUserWizard.java b/security/plugins/org.argeo.security.ui.admin/src/main/java/org/argeo/security/ui/admin/wizards/NewUserWizard.java
index aa1351815..3af4fa954 100644
--- a/security/plugins/org.argeo.security.ui.admin/src/main/java/org/argeo/security/ui/admin/wizards/NewUserWizard.java
+++ b/security/plugins/org.argeo.security.ui.admin/src/main/java/org/argeo/security/ui/admin/wizards/NewUserWizard.java
@@ -41,8 +41,8 @@ public class NewUserWizard extends Wizard {
 String username = mainUserInfo.getUsername();
 try {
 Node userProfile = JcrUtils.createUserProfile(session, username);
- session.getWorkspace().getVersionManager()
- .checkout(userProfile.getPath());
+ // session.getWorkspace().getVersionManager()
+ // .checkout(userProfile.getPath());
 mainUserInfo.mapToProfileNode(userProfile);
 String password = mainUserInfo.getPassword();
 // TODO add roles
diff --git a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/UserAdminDao.java b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/UserAdminDao.java
deleted file mode 100644
index cf8c77b59..000000000
--- a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/UserAdminDao.java
+++ /dev/null
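Review bot: The `checkout` call is commented out rather than removed, and nothing in the hunk records why. If `JcrUtils.createUserProfile` still returns a versionable node that is checked in, the `mainUserInfo.mapToProfileNode(userProfile)` write on the following line would fail; if the node is no longer versionable, the two commented lines are dead code and should be deleted. Either way, replace them with one explanatory comment such as `// no checkout: confirm the profile node is not mix:versionable` or drop them entirely. The enclosing method begins and ends outside this hunk.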
@@ -1,43 +0,0 @@
-/*
- * Copyright (C) 2010 Mathieu Baudier
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.argeo.security;
-
-import java.util.Set;
-
-/**
- * Access to the users and roles referential (dependent from the underlying
- * storage, e.g. LDAP).
- */
-public interface UserAdminDao {
- /** List all users */
- public Set listUsers();
-
- /** List roles that can be modified */
- public Set listEditableRoles();
-
- /**
- * Creates a new role in the underlying storage. DO NOT CALL DIRECTLY
- * use {@link ArgeoSecurityService#newRole(String)} instead.
- */
- public void createRole(String role, String superuserName);
-
- public void deleteRole(String role);
-
- /** List all users having this role. */
- public Set listUsersInRole(String role);
-
-}
diff --git a/security/runtime/org.argeo.security.ldap/src/main/java/org/argeo/security/ldap/ArgeoLdapUserDetailsManager.java b/security/runtime/org.argeo.security.ldap/src/main/java/org/argeo/security/ldap/ArgeoLdapUserDetailsManager.java
index 392ac4a27..5de5f7bb7 100644
--- a/security/runtime/org.argeo.security.ldap/src/main/java/org/argeo/security/ldap/ArgeoLdapUserDetailsManager.java
+++ b/security/runtime/org.argeo.security.ldap/src/main/java/org/argeo/security/ldap/ArgeoLdapUserDetailsManager.java
@@ -11,7 +11,6 @@ import java.util.Set;
 import java.util.TreeSet;
 import org.argeo.ArgeoException;
-import org.argeo.security.UserAdminDao;
 import org.argeo.security.UserAdminService;
 import org.springframework.ldap.core.ContextSource;
 import org.springframework.security.Authentication;
@@ -25,7 +24,7 @@ import org.springframework.security.userdetails.ldap.LdapUserDetailsManager;
 public class ArgeoLdapUserDetailsManager extends LdapUserDetailsManager
 implements UserAdminService {
 private String superUsername = "root";
- private UserAdminDao userAdminDao;
+ private ArgeoUserAdminDaoLdap userAdminDao;
 private PasswordEncoder passwordEncoder;
 private final Random random;
@@ -124,7 +123,7 @@ public class ArgeoLdapUserDetailsManager extends LdapUserDetailsManager
 this.superUsername = superUsername;
 }
- public void setUserAdminDao(UserAdminDao userAdminDao) {
+ public void setUserAdminDao(ArgeoUserAdminDaoLdap userAdminDao) {
 this.userAdminDao = userAdminDao;
 }
diff --git a/security/runtime/org.argeo.security.ldap/src/main/java/org/argeo/security/ldap/ArgeoSecurityDaoLdap.java b/security/runtime/org.argeo.security.ldap/src/main/java/org/argeo/security/ldap/ArgeoUserAdminDaoLdap.java
similarity index 95%
rename from security/runtime/org.argeo.security.ldap/src/main/java/org/argeo/security/ldap/ArgeoSecurityDaoLdap.java
rename to security/runtime/org.argeo.security.ldap/src/main/java/org/argeo/security/ldap/ArgeoUserAdminDaoLdap.java
index dc6cd6392..082e737c7 100644
--- a/security/runtime/org.argeo.security.ldap/src/main/java/org/argeo/security/ldap/ArgeoSecurityDaoLdap.java
+++ b/security/runtime/org.argeo.security.ldap/src/main/java/org/argeo/security/ldap/ArgeoUserAdminDaoLdap.java
@@ -25,7 +25,6 @@ import javax.naming.Name;
 import javax.naming.NamingException;
 import javax.naming.directory.DirContext;
-import org.argeo.security.UserAdminDao;
 import org.springframework.ldap.core.ContextExecutor;
 import org.springframework.ldap.core.ContextMapper;
 import org.springframework.ldap.core.DirContextAdapter;
@@ -36,10 +35,10 @@ import org.springframework.security.ldap.LdapUsernameToDnMapper;
 import org.springframework.security.ldap.LdapUtils;
 /**
- * Wraps a Spring LDAP user details manager, providing additional methods to
- * manage roles.
+ * Wraps low-level LDAP operation on user and roles, used by
+ * {@link ArgeoLdapUserDetailsManager}
 */
-public class ArgeoSecurityDaoLdap implements UserAdminDao {
+public class ArgeoUserAdminDaoLdap {
 private String userBase;
 private String usernameAttribute;
 private String groupBase;
@@ -57,7 +56,7 @@ public class ArgeoSecurityDaoLdap implements UserAdminDao {
 * Standard constructor, using the LDAP context source shared with Spring
 * Security components.
 */
- public ArgeoSecurityDaoLdap(BaseLdapPathContextSource contextSource) {
+ public ArgeoUserAdminDaoLdap(BaseLdapPathContextSource contextSource) {
 this.ldapTemplate = new LdapTemplate(contextSource);
 }
diff --git a/security/runtime/org.argeo.security.ldap/src/main/java/org/argeo/security/ldap/jcr/JcrLdapSynchronizer.java b/security/runtime/org.argeo.security.ldap/src/main/java/org/argeo/security/ldap/jcr/JcrLdapSynchronizer.java
index 3a644a693..0f59f1ee5 100644
--- a/security/runtime/org.argeo.security.ldap/src/main/java/org/argeo/security/ldap/jcr/JcrLdapSynchronizer.java
+++ b/security/runtime/org.argeo.security.ldap/src/main/java/org/argeo/security/ldap/jcr/JcrLdapSynchronizer.java
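Review bot: The new class Javadoc in the second hunk, `Wraps low-level LDAP operation on user and roles, used by {@link ArgeoLdapUserDetailsManager}`, should read `operations on users and roles` and end with a period so the summary sentence renders as one. More importantly, with `UserAdminDao` deleted in this same commit, the interface's warning that `createRole` must not be called directly (callers were pointed at the service's `newRole`) no longer exists anywhere, and this concrete class is now the only place to record it. Suggested Javadoc: `Wraps low-level LDAP operations on users and roles; used by {@link ArgeoLdapUserDetailsManager}. Role creation and deletion should go through the user admin service rather than being invoked directly on this class.` The class body continues outside the hunk.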
@@ -336,9 +336,12 @@ public class JcrLdapSynchronizer implements UserDetailsContextMapper,
 Node userProfile = securitySession.getNode(
 jcrUserDetails.getHomePath()).getNode(ARGEO_PROFILE);
 for (String jcrProperty : propertyToAttributes.keySet()) {
- ModificationItem mi = jcrToLdap(jcrProperty, userProfile
- .getProperty(jcrProperty).getString());
- ctx.setAttribute(mi.getAttribute());
+ if (userProfile.hasProperty(jcrProperty)) {
+ ModificationItem mi = jcrToLdap(jcrProperty, userProfile
+ .getProperty(jcrProperty).getString());
+ if (mi != null)
+ ctx.setAttribute(mi.getAttribute());
+ }
 }
 if (log.isTraceEnabled())
 log.trace("Mapped " + userProfile + " to " + ctx.getDn());
-- 
2.39.2
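Review bot: The two new guards turn the JCR-to-LDAP mapping into skip-on-absence, which also means a property removed from the JCR profile, or one for which `jcrToLdap` returns `null`, now leaves the previous LDAP attribute value in place instead of clearing it; if this synchronizer is meant to keep the directory in step with the profile, that is a silent divergence. At minimum the skip should be visible in the trace log and its intent documented, e.g. `else if (log.isTraceEnabled()) log.trace("Skipping " + jcrProperty + ": not set in profile");` after the `hasProperty` branch, and the bare `if (mi != null)` should be braced like the surrounding code. Whether absent properties ought to unset the LDAP attribute instead cannot be decided from the hunk; the enclosing method starts outside it.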