From 58ec99a5ae0a63167bf378d98751a8066271758d Mon Sep 17 00:00:00 2001
From: Mathieu Baudier
Date: Fri, 28 Jun 2024 05:23:14 +0200
Subject: [PATCH] Fix IPA initialisation
---
 .../cms/internal/runtime/CmsUserAdmin.java | 17 +++++++++++++---
 .../cms/internal/runtime/KernelConstants.java | 5 +++++
 .../cms/internal/runtime/KernelUtils.java | 16 +++++++--------
 .../argeo/cms/internal/runtime/jaas-ipa.cfg | 2 +-
 .../src/org/argeo/api/init/InitConstants.java | 16 ++++++++-------
 .../org/argeo/api/init/RuntimeManager.java | 2 +-
 .../org/argeo/init/RuntimeManagerMain.java | 20 ++++++++++++++-----
 7 files changed, 52 insertions(+), 26 deletions(-)
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/runtime/CmsUserAdmin.java b/org.argeo.cms/src/org/argeo/cms/internal/runtime/CmsUserAdmin.java
index e6f903d39..2e2947220 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/runtime/CmsUserAdmin.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/runtime/CmsUserAdmin.java
@@ -54,7 +54,7 @@ public class CmsUserAdmin extends AggregatingUserAdmin {
 private final static CmsLog log = CmsLog.getLog(CmsUserAdmin.class);
 // GSS API
- private Path nodeKeyTab = KernelUtils.getOsgiInstancePath(KernelConstants.NODE_KEY_TAB_PATH);
+ private Path nodeKeyTab = null;
 private GSSCredential acceptorCredentials;
 private boolean singleUser = false;
@@ -271,7 +271,7 @@ public class CmsUserAdmin extends AggregatingUserAdmin {
 Optional realm = userDirectory.getRealm();
 if (realm.isPresent()) {
 loadIpaJaasConfiguration();
- if (Files.exists(nodeKeyTab)) {
+ if (nodeKeyTab != null && Files.exists(nodeKeyTab)) {
 String servicePrincipal = getKerberosServicePrincipal(realm.get());
 if (servicePrincipal != null) {
 CallbackHandler callbackHandler = new CallbackHandler() {
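Review bot: Dropping the eager initialisation of `nodeKeyTab` makes the field nullable, and the commit only guards the two dereferences visible in this file (the `Files.exists` checks in the `@@ -271` and `@@ -321` hunks); any other use of the field outside these hunks would now throw a NullPointerException, which is worth verifying before merge. The new contract of the field is not stated anywhere, so a field comment would help the next reader: `/** Node keytab; null until loadIpaJaasConfiguration() resolves it from the argeo.node.krb5.keytab System property. */`. The enclosing class continues outside the hunk.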
@@ -313,6 +313,17 @@ public class CmsUserAdmin extends AggregatingUserAdmin {
 private void loadIpaJaasConfiguration() {
 if (CmsStateImpl.getDeployProperty(cmsState, CmsDeployProperty.JAVA_LOGIN_CONFIG) == null) {
+ if (System.getProperty(KernelConstants.PROP_ARGEO_NODE_KRB5_KEYTAB) == null) {
+ System.setProperty(KernelConstants.PROP_ARGEO_NODE_KRB5_KEYTAB,
+ KernelUtils.getOsgiInstancePath(KernelConstants.NODE_KEY_TAB_PATH).toString());
+ }
+ Path kt = Paths.get(System.getProperty(KernelConstants.PROP_ARGEO_NODE_KRB5_KEYTAB));
+ if (nodeKeyTab != null) {
+ if (!nodeKeyTab.equals(kt))
+ throw new IllegalStateException("A node keytab is already set");
+ } else {
+ nodeKeyTab = kt;
+ }
 String jaasConfig = KernelConstants.JAAS_CONFIG_IPA;
 URL url = getClass().getClassLoader().getResource(jaasConfig);
 KernelUtils.setJaasConfiguration(url);
@@ -321,7 +332,7 @@ public class CmsUserAdmin extends AggregatingUserAdmin {
 }
 protected String getKerberosServicePrincipal(String realm) {
- if (!Files.exists(nodeKeyTab))
+ if (nodeKeyTab == null || !Files.exists(nodeKeyTab))
 return null;
 List dns = CmsStateImpl.getDeployProperties(cmsState, CmsDeployProperty.DNS);
 String hostname = CmsStateImpl.getDeployProperty(cmsState, CmsDeployProperty.HOST);
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/runtime/KernelConstants.java b/org.argeo.cms/src/org/argeo/cms/internal/runtime/KernelConstants.java
index e6ca1ba60..c1bf42a47 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/runtime/KernelConstants.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/runtime/KernelConstants.java
@@ -8,6 +8,11 @@ interface KernelConstants {
 String DIR_PRIVATE = "private";
 // Files
+ /**
+ * Kerberos 5 keytab which will be common to all IPA-enabled children
+ * frameworks.
+ */
+ String PROP_ARGEO_NODE_KRB5_KEYTAB = "argeo.node.krb5.keytab";
 String NODE_KEY_TAB_PATH = DIR_PRIVATE + "/krb5.keytab";
 String NODE_SSHD_AUTHORIZED_KEYS_PATH = DIR_PRIVATE + "/authorized_keys";
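Review bot: `nodeKeyTab` is now resolved only inside the branch taken when `CmsDeployProperty.JAVA_LOGIN_CONFIG` is unset, so a deployment that supplies its own JAAS login configuration leaves the field null and `getKerberosServicePrincipal` returns null, whereas before this commit the field always pointed at the instance-area keytab; if skipping the GSS acceptor in that case is intended it should be said in a comment, otherwise the eleven added lines that resolve the property and the field belong above the `if`. The keytab location is published through `System.setProperty` rather than as a framework property, presumably because the JAAS configuration file expands `${argeo.node.krb5.keytab}` from System properties; since `KernelUtils.getFrameworkProp` no longer falls back to System properties, that choice deserves a comment such as `// System property on purpose: jaas-ipa.cfg expands it when the login configuration is parsed`. The conflict exception would be easier to act on if it named both paths, e.g. `throw new IllegalStateException("Node keytab already set to " + nodeKeyTab + ", cannot use " + kt);`. `loadIpaJaasConfiguration` ends outside this hunk.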
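Review bot: The Javadoc on `PROP_ARGEO_NODE_KRB5_KEYTAB` says which frameworks share the property but not that its literal value is also hard-coded in `jaas-ipa.cfg` as `${argeo.node.krb5.keytab}`, nor that it is a System property set by `CmsUserAdmin` rather than a framework property, so renaming one side would silently break keytab expansion. Suggest extending it with `Must stay in sync with the keyTab placeholder in jaas-ipa.cfg; set as a System property by CmsUserAdmin when no explicit JAAS login configuration is deployed.`.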
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/runtime/KernelUtils.java b/org.argeo.cms/src/org/argeo/cms/internal/runtime/KernelUtils.java
index db33ff9d4..fe9e3581c 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/runtime/KernelUtils.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/runtime/KernelUtils.java
@@ -12,9 +12,7 @@ import java.util.Dictionary;
 import java.util.Hashtable;
 import java.util.Properties;
 import java.util.TreeMap;
-import java.util.TreeSet;
-import org.argeo.api.cms.CmsLog;
 import org.argeo.cms.internal.osgi.CmsActivator;
 /** Package utilities */
@@ -97,8 +95,8 @@ class KernelUtils implements KernelConstants {
 static String getFrameworkProp(String key, String def) {
 String value;
 value = CmsActivator.getFrameworkProperty(key);
- if (value == null)
- value = System.getProperty(key);
+// if (value == null)
+// value = System.getProperty(key);
 if (value == null)
 return def;
 return value;
@@ -108,11 +106,11 @@ class KernelUtils implements KernelConstants {
 return getFrameworkProp(key, null);
 }
- static void logFrameworkProperties(CmsLog log) {
- for (Object sysProp : new TreeSet(System.getProperties().keySet())) {
- log.debug(sysProp + "=" + getFrameworkProp(sysProp.toString()));
- }
- }
+// static void logFrameworkProperties(CmsLog log) {
+// for (Object sysProp : new TreeSet(System.getProperties().keySet())) {
+// log.debug(sysProp + "=" + getFrameworkProp(sysProp.toString()));
+// }
+// }
 static void printSystemProperties(PrintStream out) {
 TreeMap display = new TreeMap<>();
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/runtime/jaas-ipa.cfg b/org.argeo.cms/src/org/argeo/cms/internal/runtime/jaas-ipa.cfg
index 0ef142f4a..10102fcbc 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/runtime/jaas-ipa.cfg
+++ b/org.argeo.cms/src/org/argeo/cms/internal/runtime/jaas-ipa.cfg
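Review bot: The System-property fallback in `getFrameworkProp` is commented out instead of deleted, and the next hunk does the same to the whole of `logFrameworkProperties`; commented-out code should go, git keeps the history. Removing the fallback is also a silent behaviour change for any caller that relied on a `-D` flag with the same key, which now receives `def` with no diagnostic, so the narrowed contract deserves a Javadoc line such as `/** Framework property only; System properties are deliberately not consulted any more. */`. If a transition period is wanted, a debug log when the framework property is absent but a System property with that key exists would surface stale configurations without reintroducing the fallback.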
@@ -18,7 +18,7 @@ DATA_ADMIN {
 NODE {
 com.sun.security.auth.module.Krb5LoginModule optional
- keyTab="${osgi.instance.area}private/krb5.keytab"
+ keyTab="${argeo.node.krb5.keytab}"
 useKeyTab=true
 storeKey=true;
 org.argeo.cms.auth.DataAdminLoginModule requisite;
diff --git a/org.argeo.init/src/org/argeo/api/init/InitConstants.java b/org.argeo.init/src/org/argeo/api/init/InitConstants.java
index fae934638..1074eacbe 100644
--- a/org.argeo.init/src/org/argeo/api/init/InitConstants.java
+++ b/org.argeo.init/src/org/argeo/api/init/InitConstants.java
@@ -2,12 +2,6 @@ package org.argeo.api.init;
 /** Supported init constants. */
 public interface InitConstants {
- /** Read-only configuration area */
- String PROP_ARGEO_CONFIG_AREA = "argeo.configArea";
- /** Read-write persistent data area */
- String PROP_ARGEO_STATE_AREA = "argeo.stateArea";
- /** Read-write cache area */
- String PROP_ARGEO_CACHE_AREA = "argeo.cacheArea";
 String PROP_ARGEO_OSGI_SOURCES = "argeo.osgi.sources";
 String PROP_ARGEO_OSGI_START = "argeo.osgi.start";
@@ -22,6 +16,14 @@ public interface InitConstants {
 String PROP_OSGI_BUNDLES_DEFAULTSTARTLEVEL = "osgi.bundles.defaultStartLevel";
 String PROP_OSGI_STARTLEVEL = "osgi.startLevel";
+ // System properties
+ /** Read-only configuration area */
+ String PROP_ARGEO_CONFIG_AREA = "argeo.configArea";
+ /** Read-write persistent data area */
+ String PROP_ARGEO_STATE_AREA = "argeo.stateArea";
+ /** Read-write cache area */
+ String PROP_ARGEO_CACHE_AREA = "argeo.cacheArea";
+
 // FOREIGN RUNTIME PROPERTIES
 /**
 * UUID of the parent framework. It is set by the parent runtime and marks a
@@ -34,7 +36,7 @@ public interface InitConstants {
 String PROP_ARGEO_OSGI_EXPORT_CATEGORIES = "argeo.osgi.export.categories";
 String PROP_ARGEO_OSGI_EXPORT_ENABLED = "argeo.osgi.export.enabled";
- // Symbolic names
+ // BUndle symbolic names
 String SYMBOLIC_NAME_INIT = "org.argeo.init";
 String SYMBOLIC_NAME_EQUINOX = "org.eclipse.osgi";
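Review bot: `keyTab="${argeo.node.krb5.keytab}"` now depends on a System property that is set only by `CmsUserAdmin.loadIpaJaasConfiguration` right before this file is loaded, and that ordering is invisible from here; as far as I recall, an unexpandable `${...}` placeholder makes the JAAS parser reject the whole login configuration rather than just this `optional` module, so a missing property would take the other entries down with it. A comment above the `NODE` entry would make the contract explicit: `// argeo.node.krb5.keytab is a System property set by CmsUserAdmin before this configuration is parsed`.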
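Review bot: The new section comment in the `@@ -34,7 +36,7` hunk has a typo, `// BUndle symbolic names` should read `// Bundle symbolic names`. The section headings in this interface now mix casing styles (`// System properties`, `// FOREIGN RUNTIME PROPERTIES`, `// BUndle symbolic names`); settling on one would make the groups easier to scan.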
diff --git a/org.argeo.init/src/org/argeo/api/init/RuntimeManager.java b/org.argeo.init/src/org/argeo/api/init/RuntimeManager.java
index 2344a8688..649ae17f5 100644
--- a/org.argeo.init/src/org/argeo/api/init/RuntimeManager.java
+++ b/org.argeo.init/src/org/argeo/api/init/RuntimeManager.java
@@ -85,7 +85,7 @@ public interface RuntimeManager {
 /**
 * Load config from a {@link Properties} formatted stream. If a property value
- * starts with a '+' character, itis expected that the last character is a
+ * starts with a '+' character, it is expected that the last character is a
 * separator and it will be prepended to the existing value.
 */
 @Deprecated
diff --git a/org.argeo.init/src/org/argeo/init/RuntimeManagerMain.java b/org.argeo.init/src/org/argeo/init/RuntimeManagerMain.java
index 29ae5eb06..27778427c 100644
--- a/org.argeo.init/src/org/argeo/init/RuntimeManagerMain.java
+++ b/org.argeo.init/src/org/argeo/init/RuntimeManagerMain.java
@@ -31,15 +31,23 @@ public class RuntimeManagerMain {
 RuntimeManagerMain(Path configArea, Path stateArea, Path cacheArea) {
 RuntimeManager.loadDefaults(configuration);
+ configuration.put(InitConstants.PROP_OSGI_USE_SYSTEM_PROPERTIES, "false");
+
+ configuration.put(InitConstants.PROP_ARGEO_CONFIG_AREA, configArea.toString());
+ configuration.put(InitConstants.PROP_ARGEO_STATE_AREA, stateArea.toString());
+ configuration.put(InitConstants.PROP_ARGEO_CACHE_AREA, cacheArea.toString());
+
 configuration.put(InitConstants.PROP_OSGI_SHARED_CONFIGURATION_AREA, configArea.toUri().toString());
 configuration.put(InitConstants.PROP_OSGI_SHARED_CONFIGURATION_AREA_RO, "true");
-// configuration.put(InitConstants.PROP_OSGI_USE_SYSTEM_PROPERTIES, "false");
 configuration.put(InitConstants.PROP_OSGI_CONFIGURATION_AREA, cacheArea.resolve(RuntimeManager.OSGI_STORAGE_DIRNAME).toUri().toString());
 configuration.put(InitConstants.PROP_OSGI_INSTANCE_AREA, stateArea.resolve(RuntimeManager.DATA).toUri().toString());
+ // TODO find a cleaner way to configure Jackrabbit indexes
+ configuration.put("argeo.node.repo.indexesBase", cacheArea.resolve("indexes").toString());
+
 logger.log(Level.TRACE, () -> "Runtime manager configuration: " + configuration);
 }
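Review bot: `"argeo.node.repo.indexesBase"` is the only key in this constructor not taken from `InitConstants`, so whoever consumes it cannot be found by reference; even with the TODO it should be a named constant next to the other `PROP_ARGEO_*` entries. The three Argeo areas are stored as plain paths via `toString()` while the OSGi areas use `toUri().toString()`, which looks deliberate but is easy to mistake for an oversight, so a line like `// Argeo areas are file-system paths; the OSGi areas below must be URIs` would help. With `PROP_OSGI_USE_SYSTEM_PROPERTIES` now forced to `"false"`, this map becomes the only channel for these values into the framework, whereas the keytab path that `CmsUserAdmin` publishes still goes through `System.setProperty`; presumably intended because JAAS reads System properties, but worth stating in the commit message or a comment here.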
@@ -84,20 +92,22 @@ public class RuntimeManagerMain {
 ThinLoggerFinder.reloadConfiguration();
 logger.log(Logger.Level.DEBUG, () -> "Argeo Init starting with PID " + ProcessHandle.current().pid());
- Path writableArea = getLocalPath(InitConstants.PROP_ARGEO_STATE_AREA, ENV_STATE_DIRECTORY);
- Path configArea =getLocalPath(InitConstants.PROP_ARGEO_CONFIG_AREA, ENV_CONFIGURATION_DIRECTORY);
- Path cacheArea = getLocalPath(InitConstants.PROP_ARGEO_CACHE_AREA, ENV_CACHE_DIRECTORY);
+ Path writableArea = getLocalPath(InitConstants.PROP_ARGEO_STATE_AREA, ENV_STATE_DIRECTORY, null);
+ Path configArea = getLocalPath(InitConstants.PROP_ARGEO_CONFIG_AREA, ENV_CONFIGURATION_DIRECTORY, null);
+ Path cacheArea = getLocalPath(InitConstants.PROP_ARGEO_CACHE_AREA, ENV_CACHE_DIRECTORY, writableArea);
 RuntimeManagerMain runtimeManager = new RuntimeManagerMain(configArea, writableArea, cacheArea);
 runtimeManager.run();
 }
- private static Path getLocalPath(String systemProperty, String environmentVariable) {
+ private static Path getLocalPath(String systemProperty, String environmentVariable, Path defaultPath) {
 String prop = System.getProperty(systemProperty);
 if (prop != null)
 return Paths.get(prop);
 String env = System.getenv().get(environmentVariable);
 if (env != null)
 return Paths.get(env);
+ if (defaultPath != null)
+ return defaultPath;
 throw new IllegalStateException("No local path set with system property " + systemProperty + " or environment variable " + environmentVariable);
 // TODO allocate a temporary directory? or defaults based on working directory ?
--
2.39.2
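Review bot: The new `defaultPath` parameter of `getLocalPath` is undocumented, and its sentinel semantics (null means the value is mandatory) are only discoverable from the call sites; add a Javadoc with `@param defaultPath returned when neither the system property nor the environment variable is set; null makes the location mandatory`. An empty value still wins over the default, because `if (prop != null)` and `if (env != null)` accept `""` and `Paths.get("")` then silently resolves to the working directory; `if (prop != null && !prop.isBlank())` and `if (env != null && !env.isBlank())` would make an exported-but-empty `ENV_CACHE_DIRECTORY` fall through to `writableArea` as intended. Defaulting `cacheArea` to `writableArea` itself places the OSGi storage and the indexes directly in the persistent state directory next to the data area, which may be what is wanted, but a subdirectory such as `writableArea.resolve("cache")` would keep disposable and persistent data apart; the exception message could also mention that no default applied. `getLocalPath` ends outside this hunk.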