Improve single user login.
authorMathieu Baudier <mbaudier@argeo.org>
Tue, 9 Nov 2021 11:45:56 +0000 (12:45 +0100)
committerMathieu Baudier <mbaudier@argeo.org>
Tue, 9 Nov 2021 11:45:56 +0000 (12:45 +0100)
org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java
org.argeo.cms/src/org/argeo/cms/auth/SingleUserAuthorization.java
org.argeo.cms/src/org/argeo/cms/auth/SingleUserLoginModule.java
org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java
org.argeo.maintenance/src/org/argeo/maintenance/AbstractMaintenanceService.java

index f5503d5c5d74185b4dfbb18b2c2c102efdd8a08e..4c09650d4b0546bdc5c6220a23f23de99903cf95 100644 (file)
@@ -20,7 +20,6 @@ import org.argeo.api.security.NodeSecurityUtils;
 import org.argeo.cms.internal.auth.CmsSessionImpl;
 import org.argeo.cms.internal.auth.ImpliedByPrincipal;
 import org.argeo.cms.internal.http.WebCmsSessionImpl;
-import org.argeo.cms.internal.kernel.Activator;
 import org.argeo.osgi.useradmin.AuthenticatingUser;
 import org.osgi.framework.BundleContext;
 import org.osgi.framework.InvalidSyntaxException;
@@ -28,7 +27,7 @@ import org.osgi.framework.ServiceReference;
 import org.osgi.service.http.HttpContext;
 import org.osgi.service.useradmin.Authorization;
 
-/** Centrlaises security related registrations. */
+/** Centralises security related registrations. */
 class CmsAuthUtils {
        // Standard
        final static String SHARED_STATE_NAME = AuthenticatingUser.SHARED_STATE_NAME;
@@ -52,9 +51,7 @@ class CmsAuthUtils {
                // required for display name:
                subject.getPrivateCredentials().add(authorization);
 
-               if (Activator.isSingleUser()) {
-                       subject.getPrincipals().add(new DataAdminPrincipal());
-               }
+               boolean singleUser = authorization instanceof SingleUserAuthorization;
 
                Set<Principal> principals = subject.getPrincipals();
                try {
@@ -73,8 +70,9 @@ class CmsAuthUtils {
                                userPrincipal = new X500Principal(name.toString());
                                principals.add(userPrincipal);
 
-                               if (Activator.isSingleUser()) {
+                               if (singleUser) {
                                        principals.add(new ImpliedByPrincipal(NodeSecurityUtils.ROLE_ADMIN_NAME, userPrincipal));
+                                       principals.add(new DataAdminPrincipal());
                                }
                        }
 
@@ -182,7 +180,9 @@ class CmsAuthUtils {
                                                "Subject already logged with session " + storedSessionId + " (not " + nodeSessionId + ")");
                        }
                } else {
-                       // TODO desktop, CLI
+                       CmsSessionImpl cmsSession = new CmsSessionImpl(subject, authorization, locale, "desktop");
+                       CmsSessionId nodeSessionId = new CmsSessionId(cmsSession.getUuid());
+                       subject.getPrivateCredentials().add(nodeSessionId);
                }
        }
 
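Review bot: The admin grant in the `@@ -52,9 +51,7 @@` hunk now keys on `authorization instanceof SingleUserAuthorization` instead of the `Activator.isSingleUser()` configuration check, and this same commit gives `SingleUserAuthorization` a public constructor, so any code able to reach `addAuthorization` with a freshly built `SingleUserAuthorization` would receive `ROLE_ADMIN` and `DataAdminPrincipal` whatever the deployment mode. Making that constructor package-private (the login module is in the same `org.argeo.cms.auth` package) keeps the type check an honest proxy for the configured mode; whether `addAuthorization` is itself reachable from outside the package is not visible here. In the `@@ -182,7 +180,9 @@` hunk the literal `"desktop"` is passed for every non-HTTP login, which by the removed `// TODO desktop, CLI` includes CLI and presumably service logins, so a comment such as `// any non-HTTP login (desktop, CLI, services) is recorded as "desktop"` or a named constant would avoid the misleading tag. The enclosing method begins before and ends after both hunks.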
index b4144d30f85761c701a96dd072f3365e7e3a82c0..af4e636d88897ee6a2e9921b595ce0077ff5d91c 100644 (file)
@@ -8,10 +8,15 @@ import org.osgi.service.useradmin.Authorization;
  * @see SingleUserLoginModule
  */
 public class SingleUserAuthorization implements Authorization {
+       private String name;
+
+       public SingleUserAuthorization(String name) {
+               this.name = name;
+       }
 
        @Override
        public String getName() {
-               return System.getProperty("user.name");
+               return name;
        }
 
        @Override
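Review bot: `name` in the new constructor is neither `final` nor null-checked, although `getName()` is the only identity this authorization exposes, so a null would surface later as a `NullPointerException` far from the caller that built it. Two lines fix that: `private final String name;` and `this.name = Objects.requireNonNull(name, "name");` (`java.util.Objects` needs importing if it is not already). A one-line Javadoc on the constructor, `/** @param name the authorization name returned by {@link #getName()} */`, would also help since the value no longer comes from the `user.name` system property.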
index 0b163bac3fb9c12c98f5f85c8a2d36dde0e9abb2..240564f9ec894b809c956829e01fc653dc8d0942 100644 (file)
@@ -2,10 +2,8 @@ package org.argeo.cms.auth;
 
 import java.net.InetAddress;
 import java.net.UnknownHostException;
-import java.security.Principal;
 import java.util.Locale;
 import java.util.Map;
-import java.util.Set;
 
 import javax.naming.ldap.LdapName;
 import javax.security.auth.Subject;
@@ -18,11 +16,9 @@ import javax.servlet.http.HttpServletRequest;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.argeo.api.NodeConstants;
-import org.argeo.api.security.DataAdminPrincipal;
-import org.argeo.cms.internal.auth.ImpliedByPrincipal;
 import org.argeo.naming.LdapAttrs;
 import org.argeo.osgi.useradmin.IpaUtils;
+import org.argeo.osgi.useradmin.OsUserUtils;
 import org.osgi.service.useradmin.Authorization;
 
 /** Login module for when the system is owned by a single user. */
@@ -50,11 +46,12 @@ public class SingleUserLoginModule implements LoginModule {
 
        @Override
        public boolean commit() throws LoginException {
-               X500Principal principal;
+               String authorizationName;
                KerberosPrincipal kerberosPrincipal = CmsAuthUtils.getSinglePrincipal(subject, KerberosPrincipal.class);
                if (kerberosPrincipal != null) {
                        LdapName userDn = IpaUtils.kerberosToDn(kerberosPrincipal.getName());
-                       principal = new X500Principal(userDn.toString());
+                       X500Principal principal = new X500Principal(userDn.toString());
+                       authorizationName = principal.getName();
                } else {
                        Object username = sharedState.get(CmsAuthUtils.SHARED_STATE_NAME);
                        if (username == null)
@@ -67,12 +64,9 @@ public class SingleUserLoginModule implements LoginModule {
                                hostname = "localhost";
                        }
                        String baseDn = ("." + hostname).replaceAll("\\.", ",dc=");
-                       principal = new X500Principal(LdapAttrs.uid + "=" + username + baseDn);
+                       X500Principal principal = new X500Principal(LdapAttrs.uid + "=" + username + baseDn);
+                       authorizationName = principal.getName();
                }
-               Set<Principal> principals = subject.getPrincipals();
-               principals.add(principal);
-               principals.add(new ImpliedByPrincipal(NodeConstants.ROLE_ADMIN, principal));
-               principals.add(new DataAdminPrincipal());
 
                HttpServletRequest request = (HttpServletRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST);
                Locale locale = Locale.getDefault();
@@ -80,8 +74,18 @@ public class SingleUserLoginModule implements LoginModule {
                        locale = request.getLocale();
                if (locale == null)
                        locale = Locale.getDefault();
-               Authorization authorization = new SingleUserAuthorization();
+               Authorization authorization = new SingleUserAuthorization(authorizationName);
                CmsAuthUtils.addAuthorization(subject, authorization);
+               
+               // Add standard Java OS login 
+               OsUserUtils.loginAsSystemUser(subject);
+
+               // additional principals (must be after Authorization registration)
+//             Set<Principal> principals = subject.getPrincipals();
+//             principals.add(principal);
+//             principals.add(new ImpliedByPrincipal(NodeConstants.ROLE_ADMIN, principal));
+//             principals.add(new DataAdminPrincipal());
+
                CmsAuthUtils.registerSessionAuthorization(request, subject, authorization, locale);
 
                return true;
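Review bot: The `@@ -80,8 +74,18 @@` hunk keeps the removed principal registration as four commented-out lines under `// additional principals (must be after Authorization registration)`, which leaves a reader unsure whether the block is pending restoration or dead; since `CmsAuthUtils` appears to add those principals now, deleting the four lines and rewording the comment to `// user, ROLE_ADMIN and DataAdminPrincipal are added by CmsAuthUtils.addAuthorization` states the intent without dead code. The two added lines just above it (the empty one and `// Add standard Java OS login `) carry trailing whitespace. In the `@@ -67,12 +64,9 @@` hunk the `username` taken from shared state is still concatenated into the DN (`LdapAttrs.uid + "=" + username + baseDn`) without RDN escaping; that predates this commit, but as the name is now also stored in `SingleUserAuthorization` a `// NOTE: username is not RDN-escaped; assumed to be a plain OS user name` comment would record the assumption. `commit()` spans all three hunks of this file.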
index 4057b26af800e042d6fc1076ec89ad2f5ee7be63..092a06b7778e8bd6ecbcff7b53293ce3494a36b2 100644 (file)
@@ -33,7 +33,6 @@ import org.argeo.cms.internal.kernel.Activator;
 import org.argeo.naming.LdapAttrs;
 import org.argeo.osgi.useradmin.AuthenticatingUser;
 import org.argeo.osgi.useradmin.IpaUtils;
-import org.argeo.osgi.useradmin.OsUserUtils;
 import org.argeo.osgi.useradmin.TokenUtils;
 import org.osgi.framework.BundleContext;
 import org.osgi.framework.FrameworkUtil;
@@ -64,7 +63,7 @@ public class UserAdminLoginModule implements LoginModule {
 
        private Authorization bindAuthorization = null;
 
-       private boolean singleUser = Activator.isSingleUser();
+//     private boolean singleUser = Activator.isSingleUser();
 
        @SuppressWarnings("unchecked")
        @Override
@@ -113,11 +112,11 @@ public class UserAdminLoginModule implements LoginModule {
                        username = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME);
                        password = null;
                        preauth = true;
-               } else if (singleUser) {
-                       username = OsUserUtils.getOsUsername();
-                       password = null;
-                       // TODO retrieve from http session
-                       locale = Locale.getDefault();
+//             } else if (singleUser) {
+//                     username = OsUserUtils.getOsUsername();
+//                     password = null;
+//                     // TODO retrieve from http session
+//                     locale = Locale.getDefault();
                } else {
 
                        // ask for username and password
@@ -194,8 +193,8 @@ public class UserAdminLoginModule implements LoginModule {
                        // TODO check CRLs/OSCP validity?
                        // NB: authorization in commit() will work only if an LDAP connection password
                        // is provided
-               } else if (singleUser) {
-                       // TODO verify IP address?
+//             } else if (singleUser) {
+//                     // TODO verify IP address?
                } else if (preauth) {
                        // ident
                } else {
@@ -211,9 +210,9 @@ public class UserAdminLoginModule implements LoginModule {
                if (locale != null)
                        subject.getPublicCredentials().add(locale);
 
-               if (singleUser) {
-                       OsUserUtils.loginAsSystemUser(subject);
-               }
+//             if (singleUser) {
+//                     OsUserUtils.loginAsSystemUser(subject);
+//             }
                UserAdmin userAdmin = Activator.getUserAdmin();
                Authorization authorization;
                if (callbackHandler == null) {// anonymous
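Review bot: The single-user branches in this file are commented out rather than removed (the `singleUser` field in `@@ -64,7 +63,7 @@`, the `else if (singleUser)` arms in `@@ -113,11 +112,11 @@` and `@@ -194,8 +193,8 @@`, and the `loginAsSystemUser` call in `@@ -211,9 +210,9 @@`), which leaves it ambiguous whether single-user handling is gone from this module or only temporarily disabled. Since `SingleUserLoginModule` now performs the OS login itself in this commit, deleting the commented lines and adding one class-level remark such as `// single-user mode is handled by SingleUserLoginModule, not here` would make the division of responsibility explicit. Note that the `OsUserUtils` import is dropped while the commented code still references it, so the lines would not compile if simply uncommented.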
index 8086c8636440f9700ecb8e58f894d1a13731730c..6d50f3dabed2f2c1de6b758c6fb35080a37a7f4c 100644 (file)
@@ -226,6 +226,7 @@ public class Activator implements BundleActivator {
                return getNodeUserAdmin().getAcceptorCredentials();
        }
 
+       @Deprecated
        public static boolean isSingleUser() {
                return getNodeUserAdmin().isSingleUser();
        }
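Review bot: `@Deprecated` is added to `isSingleUser()` without a Javadoc `@deprecated` tag, so callers get a compiler warning but no pointer to the replacement. A Javadoc such as `/** @deprecated Single-user mode is no longer decided by this flag; check the {@code Authorization} type instead (see {@code SingleUserAuthorization}). */`, matching the `authorization instanceof SingleUserAuthorization` check this commit introduces in `CmsAuthUtils`, would make the intent clear, and `@Deprecated(since = "<version>", forRemoval = …)` is available if the project has a version to cite.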
index c756bd8e048447bba544d725ca39f0e61972cad6..6003d638ddadab47a630d694903704ca62dce2c4 100644 (file)
@@ -159,25 +159,27 @@ public abstract class AbstractMaintenanceService {
        }
 
        /** Add a user or group to a group. */
-       protected void addToGroup(String roledDn, String groupDn) {
-               if (roledDn.contentEquals(groupDn)) {
+       protected void addToGroup(String groupToAddDn, String groupDn) {
+               if (groupToAddDn.contentEquals(groupDn)) {
                        if (log.isTraceEnabled())
                                log.trace("Ignore adding group " + groupDn + " to itself");
                        return;
                }
 
                if (getUserAdmin() == null) {
-                       log.warn("No user admin service available, cannot add group " + roledDn + " to " + groupDn);
+                       log.warn("No user admin service available, cannot add group " + groupToAddDn + " to " + groupDn);
                        return;
                }
-               Group managerGroup = (Group) getUserAdmin().getRole(roledDn);
+               Group groupToAdd = (Group) getUserAdmin().getRole(groupToAddDn);
+               if (groupToAdd == null)
+                       throw new IllegalArgumentException("Group " + groupToAddDn + " not found");
                Group group = (Group) getUserAdmin().getRole(groupDn);
                if (group == null)
                        throw new IllegalArgumentException("Group " + groupDn + " not found");
                try {
                        getUserTransaction().begin();
-                       if (group.addMember(managerGroup))
-                               log.info("Added " + roledDn + " to " + group);
+                       if (group.addMember(groupToAdd))
+                               log.info("Added " + groupToAddDn + " to " + group);
                        getUserTransaction().commit();
                } catch (Exception e) {
                        try {
@@ -185,7 +187,7 @@ public abstract class AbstractMaintenanceService {
                        } catch (Exception e1) {
                                // silent
                        }
-                       throw new IllegalStateException("Cannot add " + managerGroup + " to " + group);
+                       throw new IllegalStateException("Cannot add " + groupToAddDn + " to " + groupDn);
                }
        }
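Review bot: In `@@ -159,25 +159,27 @@` the cast `(Group) getUserAdmin().getRole(groupToAddDn)` runs before the new null check, so a DN that resolves to a `User` — which the Javadoc `Add a user or group to a group` explicitly allows — fails with a `ClassCastException` rather than the intended `IllegalArgumentException`, and the rename to `groupToAdd` bakes that group-only assumption into the name. `Group.addMember` accepts a `Role`, so `Role roleToAdd = getUserAdmin().getRole(groupToAddDn);` and `if (roleToAdd == null) throw new IllegalArgumentException("Role " + groupToAddDn + " not found");` followed by `group.addMember(roleToAdd)` handle both cases (`org.osgi.service.useradmin.Role` may need importing). In `@@ -185,7 +187,7 @@` the rethrow still drops the original exception; `throw new IllegalStateException("Cannot add " + groupToAddDn + " to " + groupDn, e);` preserves the cause for whoever reads the log.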