IPA authentication working.

[lgpl/argeo-commons.git] / org.argeo.cms / src / org / argeo / cms / auth / UserAdminLoginModule.java

diff --git a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
index 16cc7ac19548141679bc25d9c5c4c8673bc5475f..4057b26af800e042d6fc1076ec89ad2f5ee7be63 100644 (file)
--- a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
+++ b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
@@ -1,12 +1,9 @@
 package org.argeo.cms.auth;
 
 import static org.argeo.naming.LdapAttrs.cn;
-import static org.argeo.naming.LdapAttrs.description;
 
 import java.io.IOException;
 import java.security.PrivilegedAction;
-import java.security.cert.X509Certificate;
-import java.time.Instant;
 import java.util.Arrays;
 import java.util.HashSet;
 import java.util.List;
@@ -30,15 +27,14 @@ import javax.servlet.http.HttpServletRequest;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.argeo.cms.CmsException;
+import org.argeo.api.NodeConstants;
+import org.argeo.api.security.CryptoKeyring;
 import org.argeo.cms.internal.kernel.Activator;
 import org.argeo.naming.LdapAttrs;
-import org.argeo.naming.NamingUtils;
-import org.argeo.node.NodeConstants;
-import org.argeo.node.security.CryptoKeyring;
 import org.argeo.osgi.useradmin.AuthenticatingUser;
 import org.argeo.osgi.useradmin.IpaUtils;
 import org.argeo.osgi.useradmin.OsUserUtils;
+import org.argeo.osgi.useradmin.TokenUtils;
 import org.osgi.framework.BundleContext;
 import org.osgi.framework.FrameworkUtil;
 import org.osgi.framework.ServiceReference;
@@ -47,6 +43,10 @@ import org.osgi.service.useradmin.Group;
 import org.osgi.service.useradmin.User;
 import org.osgi.service.useradmin.UserAdmin;
 
+/**
+ * Use the {@link UserAdmin} in the OSGi registry as the basis for
+ * authentication.
+ */
 public class UserAdminLoginModule implements LoginModule {
        private final static Log log = LogFactory.getLog(UserAdminLoginModule.class);
 
@@ -76,7 +76,7 @@ public class UserAdminLoginModule implements LoginModule {
                        this.callbackHandler = callbackHandler;
                        this.sharedState = (Map<String, Object>) sharedState;
                } catch (Exception e) {
-                       throw new CmsException("Cannot initialize login module", e);
+                       throw new IllegalStateException("Cannot initialize login module", e);
                }
        }
 
@@ -85,7 +85,8 @@ public class UserAdminLoginModule implements LoginModule {
                UserAdmin userAdmin = Activator.getUserAdmin();
                final String username;
                final char[] password;
-               X509Certificate[] certificateChain = null;
+               Object certificateChain = null;
+               boolean preauth = false;
                if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME)
                                && sharedState.containsKey(CmsAuthUtils.SHARED_STATE_PWD)) {
                        // NB: required by Basic http auth
@@ -94,13 +95,29 @@ public class UserAdminLoginModule implements LoginModule {
                        // // TODO locale?
                } else if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME)
                                && sharedState.containsKey(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN)) {
-                       // NB: required by Basic http auth
+                       String certDn = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME);
+//                     LdapName ldapName;
+//                     try {
+//                             ldapName = new LdapName(certificateName);
+//                     } catch (InvalidNameException e) {
+//                             e.printStackTrace();
+//                             return false;
+//                     }
+//                     username = ldapName.getRdn(ldapName.size() - 1).getValue().toString();
+                       username = certDn;
+                       certificateChain = sharedState.get(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN);
+                       password = null;
+               } else if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME)
+                               && sharedState.containsKey(CmsAuthUtils.SHARED_STATE_REMOTE_ADDR)
+                               && sharedState.containsKey(CmsAuthUtils.SHARED_STATE_REMOTE_PORT)) {// ident
                        username = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME);
-                       certificateChain = (X509Certificate[]) sharedState.get(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN);
                        password = null;
+                       preauth = true;
                } else if (singleUser) {
                        username = OsUserUtils.getOsUsername();
                        password = null;
+                       // TODO retrieve from http session
+                       locale = Locale.getDefault();
                } else {
 
                        // ask for username and password
@@ -179,6 +196,8 @@ public class UserAdminLoginModule implements LoginModule {
                        // is provided
                } else if (singleUser) {
                        // TODO verify IP address?
+               } else if (preauth) {
+                       // ident
                } else {
                        throw new CredentialNotFoundException("No credentials provided");
                }
@@ -189,9 +208,7 @@ public class UserAdminLoginModule implements LoginModule {
 
        @Override
        public boolean commit() throws LoginException {
-               if (locale == null)
-                       subject.getPublicCredentials().add(Locale.getDefault());
-               else
+               if (locale != null)
                        subject.getPublicCredentials().add(locale);
 
                if (singleUser) {
@@ -210,7 +227,7 @@ public class UserAdminLoginModule implements LoginModule {
                                if (authenticatedUser == null) {
                                        if (log.isTraceEnabled())
                                                log.trace("Neither kerberos nor user admin login succeeded. Login failed.");
-                                       return false;
+                                       throw new CredentialNotFoundException("Bad credentials.");
                                } else {
                                        authenticatingUser = authenticatedUser;
                                }
@@ -238,7 +255,7 @@ public class UserAdminLoginModule implements LoginModule {
 
                // Log and monitor new login
                HttpServletRequest request = (HttpServletRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST);
-               CmsAuthUtils.addAuthorization(subject, authorization, locale, request);
+               CmsAuthUtils.addAuthorization(subject, authorization);
 
                // Unlock keyring (underlying login to the JCR repository)
                char[] password = (char[]) sharedState.get(CmsAuthUtils.SHARED_STATE_PWD);
@@ -281,8 +298,6 @@ public class UserAdminLoginModule implements LoginModule {
        public boolean logout() throws LoginException {
                if (log.isTraceEnabled())
                        log.trace("Logging out from CMS... " + subject);
-               // boolean httpSessionLogoutOk = CmsAuthUtils.logoutSession(bc,
-               // subject);
                CmsAuthUtils.cleanUp(subject);
                return true;
        }
@@ -293,6 +308,7 @@ public class UserAdminLoginModule implements LoginModule {
                        Set<User> collectedUsers = new HashSet<>();
                        // try dn
                        User user = null;
+                       user = null;
                        // try all indexes
                        for (String attr : indexedUserProperties) {
                                user = userAdmin.getUser(attr, providedUsername);
@@ -329,16 +345,20 @@ public class UserAdminLoginModule implements LoginModule {
        }
 
        protected Authorization getAuthorizationFromToken(UserAdmin userAdmin, Group tokenGroup) {
-               String expiryDateStr = (String) tokenGroup.getProperties().get(description.name());
-               if (expiryDateStr != null) {
-                       Instant expiryDate = NamingUtils.ldapDateToInstant(expiryDateStr);
-                       if (expiryDate.isBefore(Instant.now())) {
-                               if (log.isDebugEnabled())
-                                       log.debug("Token " + tokenGroup.getName() + " has expired.");
-                               return null;
-                       }
-               }
-               Authorization auth = userAdmin.getAuthorization(tokenGroup);
+               if (TokenUtils.isExpired(tokenGroup))
+                       return null;
+//             String expiryDateStr = (String) tokenGroup.getProperties().get(description.name());
+//             if (expiryDateStr != null) {
+//                     Instant expiryDate = NamingUtils.ldapDateToInstant(expiryDateStr);
+//                     if (expiryDate.isBefore(Instant.now())) {
+//                             if (log.isDebugEnabled())
+//                                     log.debug("Token " + tokenGroup.getName() + " has expired.");
+//                             return null;
+//                     }
+//             }
+               String userDn = TokenUtils.userDn(tokenGroup);
+               User user = (User) userAdmin.getRole(userDn);
+               Authorization auth = userAdmin.getAuthorization(user);
                return auth;
        }
 }