OS user as single user
authorMathieu Baudier <mbaudier@argeo.org>
Thu, 1 Feb 2018 20:24:46 +0000 (21:24 +0100)
committerMathieu Baudier <mbaudier@argeo.org>
Thu, 1 Feb 2018 20:24:46 +0000 (21:24 +0100)
14 files changed:
demo/argeo_node_local.properties [new file with mode: 0644]
org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java
org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java
org.argeo.cms/src/org/argeo/cms/internal/kernel/FirstInit.java
org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java
org.argeo.enterprise/ext/test/org/argeo/osgi/useradmin/UserAdminConfTest.java [new file with mode: 0644]
org.argeo.enterprise/src/org/argeo/osgi/useradmin/AbstractUserDirectory.java
org.argeo.enterprise/src/org/argeo/osgi/useradmin/OsUserDirectory.java [new file with mode: 0644]
org.argeo.enterprise/src/org/argeo/osgi/useradmin/OsUserUtils.java [new file with mode: 0644]
org.argeo.enterprise/src/org/argeo/osgi/useradmin/UserAdminConf.java
org.argeo.enterprise/src/org/argeo/osgi/useradmin/jaas-os.cfg [new file with mode: 0644]
org.argeo.node.api/src/org/argeo/node/security/DataAdminPrincipal.java
org.argeo.node.api/src/org/argeo/node/security/NodeSecurityUtils.java

diff --git a/demo/argeo_node_local.properties b/demo/argeo_node_local.properties
new file mode 100644 (file)
index 0000000..8273754
--- /dev/null
@@ -0,0 +1,38 @@
+argeo.osgi.start.2.node=\
+org.eclipse.equinox.http.servlet,\
+org.eclipse.equinox.http.jetty,\
+org.eclipse.equinox.metatype,\
+org.eclipse.equinox.cm,\
+org.eclipse.rap.rwt.osgi
+
+argeo.osgi.start.3.node=\
+org.argeo.cms
+
+argeo.osgi.start.4.apps=\
+org.eclipse.gemini.blueprint.extender
+
+argeo.osgi.start.4.workbench=\
+org.eclipse.equinox.http.registry,\
+
+java.security.manager=
+java.security.policy=file:../../all.policy
+
+argeo.node.repo.type=h2
+
+argeo.node.useradmin.uris=os:///
+
+# HTTP
+org.osgi.service.http.port=7070
+
+# Logging
+log4j.configuration=file:../../log4j.properties
+
+# DON'T CHANGE BELOW
+org.eclipse.rap.workbenchAutostart=false
+org.eclipse.equinox.http.jetty.autostart=false
+org.osgi.framework.bootdelegation=com.sun.jndi.ldap,\
+com.sun.jndi.ldap.sasl,\
+com.sun.security.jgss,\
+com.sun.jndi.dns,\
+com.sun.nio.file,\
+com.sun.nio.sctp
index 4762eb96c765578396650ba1044c0c92b9818e20..dadcc4dbcb109e23a604cbd8b4265eb8f3fe34bf 100644 (file)
@@ -19,6 +19,7 @@ import org.argeo.cms.CmsException;
 import org.argeo.cms.internal.auth.CmsSessionImpl;
 import org.argeo.cms.internal.auth.ImpliedByPrincipal;
 import org.argeo.cms.internal.http.WebCmsSessionImpl;
+import org.argeo.cms.internal.kernel.Activator;
 import org.argeo.node.NodeConstants;
 import org.argeo.node.security.AnonymousPrincipal;
 import org.argeo.node.security.DataAdminPrincipal;
@@ -49,6 +50,10 @@ class CmsAuthUtils {
                // required for display name:
                subject.getPrivateCredentials().add(authorization);
 
+               if (Activator.isSingleUser()) {
+                       subject.getPrincipals().add(new DataAdminPrincipal());
+               }
+
                Set<Principal> principals = subject.getPrincipals();
                try {
                        String authName = authorization.getName();
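Review bot: The DataAdminPrincipal added at L78-L80 goes onto every subject that passes through this method whenever the node is in single-user mode, not only onto subjects authenticated through the OS login path, so any other flow that reaches here (the anonymous branch that UserAdminLoginModule.commit() still handles, for instance) would receive data-admin rights as well. Since the OSGi Authorization returns a null name for an anonymous user, tying the grant to the authorization rather than to the global flag alone is a cheap guard: `if (Activator.isSingleUser() && authorization.getName() != null) {`. A one-line comment such as `// single-user mode: the OS user administers the node's data` would make the intent explicit. The enclosing method starts and ends outside the hunk.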
index e9938763927bc57b1e1e39ed549820e0c9a60c2d..e39918e4002d40d18584ad91819a2a86545c92e5 100644 (file)
@@ -27,9 +27,11 @@ import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.argeo.cms.CmsException;
+import org.argeo.cms.internal.kernel.Activator;
 import org.argeo.naming.LdapAttrs;
 import org.argeo.osgi.useradmin.AuthenticatingUser;
 import org.argeo.osgi.useradmin.IpaUtils;
+import org.argeo.osgi.useradmin.OsUserUtils;
 import org.osgi.framework.BundleContext;
 import org.osgi.framework.FrameworkUtil;
 import org.osgi.service.useradmin.Authorization;
@@ -53,6 +55,8 @@ public class UserAdminLoginModule implements LoginModule {
 
        private Authorization bindAuthorization = null;
 
+       private boolean singleUser = Activator.isSingleUser();
+
        @SuppressWarnings("unchecked")
        @Override
        public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState,
@@ -85,7 +89,11 @@ public class UserAdminLoginModule implements LoginModule {
                        username = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME);
                        certificateChain = (X509Certificate[]) sharedState.get(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN);
                        password = null;
+               } else if (singleUser) {
+                       username = OsUserUtils.getOsUsername();
+                       password = null;
                } else {
+
                        // ask for username and password
                        NameCallback nameCallback = new NameCallback("User");
                        PasswordCallback passwordCallback = new PasswordCallback("Password", false);
@@ -141,8 +149,11 @@ public class UserAdminLoginModule implements LoginModule {
                        }
                } else if (certificateChain != null) {
                        // TODO check CRLs/OSCP validity?
-                       // NB: authorization in commit() will work only if an LDAP connection password is provided
-               }else {
+                       // NB: authorization in commit() will work only if an LDAP connection password
+                       // is provided
+               } else if (singleUser) {
+                       // TODO verify IP address?
+               } else {
                        throw new CredentialNotFoundException("No credentials provided");
                }
 
@@ -152,6 +163,9 @@ public class UserAdminLoginModule implements LoginModule {
 
        @Override
        public boolean commit() throws LoginException {
+               if (singleUser) {
+                       OsUserUtils.loginAsSystemUser(subject);
+               }
                UserAdmin userAdmin = bc.getService(bc.getServiceReference(UserAdmin.class));
                Authorization authorization;
                if (callbackHandler == null) {// anonymous
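Review bot: In the single-user branch at L111-L113 and L127-L128, login() maps any caller that reaches it to the OS user without checking a credential, and the `// TODO verify IP address?` leaves the only intended restriction unimplemented; whether remote HTTP requests can take this path depends on how callbackHandler is populated (outside the hunk), so the branch should either be restricted to local requests or documented as assuming a locally-bound deployment. `singleUser` is evaluated as a field initializer at L102, so the Activator service lookup runs on every LoginModule construction and an unavailable UserAdmin service fails there rather than with a LoginException from login(); initializing it in initialize() keeps the failure in the JAAS flow. The LoginContext returned by `OsUserUtils.loginAsSystemUser(subject)` at L138 is discarded, so the OS-level principals it adds to the subject are never removed in logout(); keep it in a field and call its `logout()` from there. The login() and commit() bodies continue outside the hunk.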
index e7dcfc1a2ddbe7c2a95cd5c71865c881710dd1ad..25746a48116b29f84930e93ea7a18272d1199412 100644 (file)
@@ -161,9 +161,18 @@ public class Activator implements BundleActivator {
        }
 
        public static GSSCredential getAcceptorCredentials() {
+               return getNodeUserAdmin().getAcceptorCredentials();
+       }
+
+       public static boolean isSingleUser() {
+               return getNodeUserAdmin().isSingleUser();
+       }
+
+       private static NodeUserAdmin getNodeUserAdmin() {
                ServiceReference<UserAdmin> sr = instance.bc.getServiceReference(UserAdmin.class);
                NodeUserAdmin userAdmin = (NodeUserAdmin) instance.bc.getService(sr);
-               return userAdmin.getAcceptorCredentials();
+               return userAdmin;
+
        }
 
        // static CmsSecurity getCmsSecurity() {
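Review bot: `getNodeUserAdmin()` at L155-L161 passes the result of `getServiceReference` straight to `getService`, so when no UserAdmin is registered yet `sr` is null and the new `isSingleUser()` fails with a NullPointerException inside the login module's field initializer instead of a clear error. Add a guard before the cast, e.g. `if (sr == null) throw new IllegalStateException("UserAdmin service not available");`, and document on `isSingleUser()` that it reflects whether the registered NodeUserAdmin has an OS user directory. The stray blank line at L160 before the closing brace should be dropped.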
index 9d7b9bed1a5a9a87bb79200d43474e8f450b544a..6175e4d030c79abe9d99d7eaec0561391f1677fa 100644 (file)
@@ -148,7 +148,7 @@ class FirstInit {
                                                u = new URI(uri);
                                        } else
                                                throw new CmsException("Cannot interpret " + uri + " as an uri");
-                               } else if (u.getScheme().equals("file")) {
+                               } else if (u.getScheme().equals(UserAdminConf.SCHEME_FILE)) {
                                        u = new File(u).getCanonicalFile().toURI();
                                }
                        } catch (Exception e) {
index 8410b3958aef378d49a34dbd260b43f83696a128..436d30058839cb330d6471e67f277180cbbb8b19 100644 (file)
@@ -44,6 +44,7 @@ import org.argeo.osgi.useradmin.AbstractUserDirectory;
 import org.argeo.osgi.useradmin.AggregatingUserAdmin;
 import org.argeo.osgi.useradmin.LdapUserAdmin;
 import org.argeo.osgi.useradmin.LdifUserAdmin;
+import org.argeo.osgi.useradmin.OsUserDirectory;
 import org.argeo.osgi.useradmin.UserAdminConf;
 import org.argeo.osgi.useradmin.UserDirectory;
 import org.ietf.jgss.GSSCredential;
@@ -84,6 +85,8 @@ class NodeUserAdmin extends AggregatingUserAdmin implements ManagedServiceFactor
        private Path nodeKeyTab = KernelUtils.getOsgiInstancePath(KernelConstants.NODE_KEY_TAB_PATH);
        private GSSCredential acceptorCredentials;
 
+       private boolean singleUser = false;
+
        public NodeUserAdmin(String systemRolesBaseDn) {
                super(systemRolesBaseDn);
                tmTracker = new ServiceTracker<>(bc, TransactionManager.class, null);
@@ -105,8 +108,17 @@ class NodeUserAdmin extends AggregatingUserAdmin implements ManagedServiceFactor
                }
 
                // Create
-               AbstractUserDirectory userDirectory = u.getScheme().equals("ldap") ? new LdapUserAdmin(properties)
-                               : new LdifUserAdmin(u, properties);
+               AbstractUserDirectory userDirectory;
+               if (UserAdminConf.SCHEME_LDAP.equals(u.getScheme())) {
+                       userDirectory = new LdapUserAdmin(properties);
+               } else if (UserAdminConf.SCHEME_FILE.equals(u.getScheme())) {
+                       userDirectory = new LdifUserAdmin(u, properties);
+               } else if (UserAdminConf.SCHEME_OS.equals(u.getScheme())) {
+                       userDirectory = new OsUserDirectory(u, properties);
+                       singleUser = true;
+               } else {
+                       throw new CmsException("Unsupported scheme " + u.getScheme());
+               }
                Object realm = userDirectory.getProperties().get(UserAdminConf.realm.name());
                addUserDirectory(userDirectory);
 
@@ -272,6 +284,10 @@ class NodeUserAdmin extends AggregatingUserAdmin implements ManagedServiceFactor
                return acceptorCredentials;
        }
 
+       public boolean isSingleUser() {
+               return singleUser;
+       }
+
        public final static Oid KERBEROS_OID;
        static {
                try {
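Review bot: `singleUser` is set to true at L205 when an `os` directory is added but is never reset and is not tied to that directory: if further LDAP or LDIF directories are also configured, or the OS directory is later removed through the ManagedServiceFactory (its removal path is outside this hunk), `isSingleUser()` keeps returning true and CmsAuthUtils keeps granting DataAdminPrincipal to every login from every directory. Consider rejecting any other directory while an OS directory is registered (and vice versa), and clearing the flag when the OS directory is removed. Since `isSingleUser()` is read from login threads while the field is written here, declare it `private volatile boolean singleUser = false;`. The `updated()` body holding this chain starts outside the hunk.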
diff --git a/org.argeo.enterprise/ext/test/org/argeo/osgi/useradmin/UserAdminConfTest.java b/org.argeo.enterprise/ext/test/org/argeo/osgi/useradmin/UserAdminConfTest.java
new file mode 100644 (file)
index 0000000..d69cae4
--- /dev/null
@@ -0,0 +1,53 @@
+package org.argeo.osgi.useradmin;
+
+import static org.argeo.osgi.useradmin.UserAdminConf.propertiesAsUri;
+import static org.argeo.osgi.useradmin.UserAdminConf.uriAsProperties;
+
+import java.net.URI;
+import java.util.Dictionary;
+
+import junit.framework.TestCase;
+
+public class UserAdminConfTest extends TestCase {
+       public void testUriFormat() throws Exception {
+               // LDAP
+               URI uriIn = new URI("ldap://" + "uid=admin,ou=system:secret@localhost:10389" + "/dc=example,dc=com"
+                               + "?readOnly=false&userObjectClass=person");
+               Dictionary<String, ?> props = uriAsProperties(uriIn.toString());
+               System.out.println(props);
+               assertEquals("dc=example,dc=com", props.get(UserAdminConf.baseDn.name()));
+               assertEquals("false", props.get(UserAdminConf.readOnly.name()));
+               assertEquals("person", props.get(UserAdminConf.userObjectClass.name()));
+               URI uriOut = propertiesAsUri(props);
+               System.out.println(uriOut);
+               assertEquals("/dc=example,dc=com?userObjectClass=person&readOnly=false", uriOut.toString());
+
+               // File
+               uriIn = new URI("file://some/dir/dc=example,dc=com.ldif");
+               props = uriAsProperties(uriIn.toString());
+               System.out.println(props);
+               assertEquals("dc=example,dc=com", props.get(UserAdminConf.baseDn.name()));
+
+               // Base configuration
+               uriIn = new URI("/dc=example,dc=com.ldif?readOnly=true&userBase=ou=CoWorkers,ou=People&groupBase=ou=Roles");
+               props = uriAsProperties(uriIn.toString());
+               System.out.println(props);
+               assertEquals("dc=example,dc=com", props.get(UserAdminConf.baseDn.name()));
+               assertEquals("true", props.get(UserAdminConf.readOnly.name()));
+               assertEquals("ou=CoWorkers,ou=People", props.get(UserAdminConf.userBase.name()));
+               assertEquals("ou=Roles", props.get(UserAdminConf.groupBase.name()));
+               uriOut = propertiesAsUri(props);
+               System.out.println(uriOut);
+               assertEquals("/dc=example,dc=com?userBase=ou=CoWorkers,ou=People&groupBase=ou=Roles&readOnly=true", uriOut.toString());
+
+               // OS
+               uriIn = new URI("os:///dc=example,dc=com");
+               props = uriAsProperties(uriIn.toString());
+               System.out.println(props);
+               assertEquals("dc=example,dc=com", props.get(UserAdminConf.baseDn.name()));
+               assertEquals("true", props.get(UserAdminConf.readOnly.name()));
+               uriOut = propertiesAsUri(props);
+               System.out.println(uriOut);
+               assertEquals("/dc=example,dc=com?readOnly=true", uriOut.toString());
+       }
+}
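Review bot: The OS case at L270-L278 only covers an explicit base DN; the bare `os:///` form used by the demo configuration takes the new `getBaseDnFromHostname()` path, which depends on the machine's hostname and is left untested. A deterministic check would need the hostname-to-DN mapping exposed with a hostname parameter (for instance `static String hostnameToBaseDn(String hostname)`) so the test can assert `dc=example,dc=com` for `host.example.com` and `dc=host` for a bare hostname. The `System.out.println` calls are noise in a unit test and can be dropped.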
index 6d33edb35b64db959c0ffc7ca47c47af33d12e9f..56f2f5c170bdc67719c2dcde9c28935065fa1a47 100644 (file)
@@ -419,15 +419,17 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory
                        return true;
                if (uri.getScheme() == null)
                        return false;// assume relative file to be writable
-               if (uri.getScheme().equals("file")) {
+               if (uri.getScheme().equals(UserAdminConf.SCHEME_FILE)) {
                        File file = new File(uri);
                        if (file.exists())
                                return !file.canWrite();
                        else
                                return !file.getParentFile().canWrite();
-               } else if (uri.getScheme().equals("ldap")) {
+               } else if (uri.getScheme().equals(UserAdminConf.SCHEME_LDAP)) {
                        if (uri.getAuthority() != null)// assume writable if authenticated
                                return false;
+               } else if (uri.getScheme().equals(UserAdminConf.SCHEME_OS)) {
+                       return true;
                }
                return true;// read only by default
        }
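Review bot: The new `else if (uri.getScheme().equals(UserAdminConf.SCHEME_OS)) { return true; }` branch at L297-L298 is redundant with the `return true;// read only by default` that follows, so it adds a path without changing behaviour. If the intent is to state that OS directories are always read-only, a comment on the default return such as `// os and any unknown scheme: read only` says it without the extra branch. The enclosing method starts outside the hunk.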
diff --git a/org.argeo.enterprise/src/org/argeo/osgi/useradmin/OsUserDirectory.java b/org.argeo.enterprise/src/org/argeo/osgi/useradmin/OsUserDirectory.java
new file mode 100644 (file)
index 0000000..3953a70
--- /dev/null
@@ -0,0 +1,66 @@
+package org.argeo.osgi.useradmin;
+
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.Dictionary;
+import java.util.List;
+
+import javax.naming.NameNotFoundException;
+import javax.naming.NamingException;
+import javax.naming.directory.Attributes;
+import javax.naming.directory.BasicAttributes;
+import javax.naming.ldap.LdapName;
+
+import org.argeo.naming.LdapAttrs;
+import org.osgi.framework.Filter;
+import org.osgi.service.useradmin.User;
+
+public class OsUserDirectory extends AbstractUserDirectory {
+       private final String osUsername = System.getProperty("user.name");
+       private final LdapName osUserDn;
+       private final LdifUser osUser;
+
+       public OsUserDirectory(URI uriArg, Dictionary<String, ?> props) {
+               super(uriArg, props);
+               try {
+                       osUserDn = new LdapName(LdapAttrs.uid.name() + "=" + osUsername + "," + getUserBase() + "," + getBaseDn());
+                       Attributes attributes = new BasicAttributes();
+                       attributes.put(LdapAttrs.uid.name(), osUsername);
+                       osUser = new LdifUser(this, osUserDn, attributes);
+               } catch (NamingException e) {
+                       throw new UserDirectoryException("Cannot create system user", e);
+               }
+       }
+
+       @Override
+       protected List<LdapName> getDirectGroups(LdapName dn) {
+               return new ArrayList<>();
+       }
+
+       @Override
+       protected Boolean daoHasRole(LdapName dn) {
+               return osUserDn.equals(dn);
+       }
+
+       @Override
+       protected DirectoryUser daoGetRole(LdapName key) throws NameNotFoundException {
+               if (osUserDn.equals(key))
+                       return osUser;
+               else
+                       throw new NameNotFoundException("Not an OS role");
+       }
+
+       @Override
+       protected List<DirectoryUser> doGetRoles(Filter f) {
+               List<DirectoryUser> res = new ArrayList<>();
+               if (f.match(osUser.getProperties()))
+                       res.add(osUser);
+               return res;
+       }
+
+       @Override
+       protected AbstractUserDirectory scope(User user) {
+               throw new UnsupportedOperationException();
+       }
+
+}
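Review bot: At L332 `osUsername` is concatenated unescaped into the DN string, so an OS account name containing RDN-special characters (`,`, `+`, `=`, `"`, `\`, `;`, leading or trailing spaces) makes `new LdapName(...)` throw and the directory fails to construct with "Cannot create system user"; escape the value, `osUserDn = new LdapName(LdapAttrs.uid.name() + "=" + Rdn.escapeValue(osUsername) + "," + getUserBase() + "," + getBaseDn());` (import `javax.naming.ldap.Rdn`), while keeping the raw name in the `uid` attribute as now. The name is read from the `user.name` system property here and again in `OsUserUtils.getOsUsername()`; using the helper keeps that in one place, and a comment should state that this is a JVM property, not an OS-level identity query, so it is only as trustworthy as the JVM's launch arguments. `getDirectGroups` always returning an empty list and `scope(User)` throwing `UnsupportedOperationException` each deserve a one-line comment saying the OS user has no directory groups and cannot be scoped.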
diff --git a/org.argeo.enterprise/src/org/argeo/osgi/useradmin/OsUserUtils.java b/org.argeo.enterprise/src/org/argeo/osgi/useradmin/OsUserUtils.java
new file mode 100644 (file)
index 0000000..8a36cb0
--- /dev/null
@@ -0,0 +1,53 @@
+package org.argeo.osgi.useradmin;
+
+import java.net.URISyntaxException;
+import java.net.URL;
+import java.security.NoSuchAlgorithmException;
+import java.security.URIParameter;
+
+import javax.security.auth.Subject;
+import javax.security.auth.login.Configuration;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+
+public class OsUserUtils {
+       private static String LOGIN_CONTEXT_USER_NIX = "USER_NIX";
+       private static String LOGIN_CONTEXT_USER_WINDOWS = "USER_WINDOWS";
+
+       public static String getOsUsername() {
+               return System.getProperty("user.name");
+       }
+
+       public static LoginContext loginAsSystemUser(Subject subject) {
+               try {
+                       URL jaasConfigurationUrl = OsUserUtils.class.getClassLoader()
+                                       .getResource("org/argeo/osgi/useradmin/jaas-os.cfg");
+                       URIParameter uriParameter = new URIParameter(jaasConfigurationUrl.toURI());
+                       Configuration jaasConfiguration = Configuration.getInstance("JavaLoginConfig", uriParameter);
+                       LoginContext lc = new LoginContext(isWindows() ? LOGIN_CONTEXT_USER_WINDOWS : LOGIN_CONTEXT_USER_NIX,
+                                       subject, null, jaasConfiguration);
+                       lc.login();
+                       return lc;
+               } catch (URISyntaxException | NoSuchAlgorithmException | LoginException e) {
+                       throw new RuntimeException("Cannot loging as system user", e);
+               }
+       }
+
+       public static void main(String args[]) {
+               Subject subject = new Subject();
+               LoginContext loginContext = loginAsSystemUser(subject);
+               System.out.println(subject);
+               try {
+                       loginContext.logout();
+               } catch (LoginException e) {
+                       // silent
+               }
+       }
+
+       private static boolean isWindows() {
+               return System.getProperty("os.name").startsWith("Windows");
+       }
+
+       private OsUserUtils() {
+       }
+}
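Review bot: `LOGIN_CONTEXT_USER_WINDOWS` is `"USER_WINDOWS"` at L392 but the new jaas-os.cfg (L588) defines the entry as `USER_NT`, so on Windows `new LoginContext(...)` at L404 fails with a LoginException for an unconfigured entry and every single-user login is rejected; make them agree, e.g. `private static final String LOGIN_CONTEXT_USER_WINDOWS = "USER_NT";`. Both constants should be `final`, and the message at L409 has a typo: `"Cannot login as system user"`. `getResource(...)` at L400 returns null when the cfg is not on the bundle classpath, which currently surfaces as a NullPointerException at L402; a null check throwing an IllegalStateException naming the resource would be clearer. The `main` method at L413-L422 swallows the logout failure under `// silent`; either log it or drop the demo main.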
index 19426b6c5c072a8ee22108d22429597e0e1aa8a8..b3ead140c7b5aa641418d5ec54ca204ed853f585 100644 (file)
@@ -4,6 +4,7 @@ import java.io.IOException;
 import java.net.InetAddress;
 import java.net.URI;
 import java.net.URISyntaxException;
+import java.net.UnknownHostException;
 import java.util.Dictionary;
 import java.util.Enumeration;
 import java.util.Hashtable;
@@ -48,6 +49,11 @@ public enum UserAdminConf {
        public final static String FACTORY_PID = "org.argeo.osgi.useradmin.config";
        private final static Log log = LogFactory.getLog(UserAdminConf.class);
 
+       public final static String SCHEME_LDAP = "ldap";
+       public final static String SCHEME_FILE = "file";
+       public final static String SCHEME_OS = "os";
+       public final static String SCHEME_IPA = "ipa";
+
        /** The default value. */
        private Object def;
 
@@ -124,28 +130,33 @@ public enum UserAdminConf {
                        Hashtable<String, Object> res = new Hashtable<String, Object>();
                        URI u = new URI(uriStr);
                        String scheme = u.getScheme();
-                       if (scheme != null && scheme.equals("ipa")) {
+                       if (scheme != null && scheme.equals(SCHEME_IPA)) {
                                u = convertIpaConfig(u);
                                scheme = u.getScheme();
                        }
                        String path = u.getPath();
                        // base DN
                        String bDn = path.substring(path.lastIndexOf('/') + 1, path.length());
+                       if (bDn.equals("") && SCHEME_OS.equals(scheme)) {
+                               bDn = getBaseDnFromHostname();
+                       }
+
                        if (bDn.endsWith(".ldif"))
                                bDn = bDn.substring(0, bDn.length() - ".ldif".length());
 
                        String principal = null;
                        String credentials = null;
                        if (scheme != null)
-                               if (scheme.equals("ldap") || scheme.equals("ldaps")) {
+                               if (scheme.equals(SCHEME_LDAP) || scheme.equals("ldaps")) {
                                        // TODO additional checks
                                        if (u.getUserInfo() != null) {
                                                String[] userInfo = u.getUserInfo().split(":");
                                                principal = userInfo.length > 0 ? userInfo[0] : null;
                                                credentials = userInfo.length > 1 ? userInfo[1] : null;
                                        }
-                               } else if (scheme.equals("file")) {
-                               } else if (scheme.equals("ipa")) {
+                               } else if (scheme.equals(SCHEME_FILE)) {
+                               } else if (scheme.equals(SCHEME_IPA)) {
+                               } else if (scheme.equals(SCHEME_OS)) {
                                } else
                                        throw new UserDirectoryException("Unsupported scheme " + scheme);
                        Map<String, List<String>> query = NamingUtils.queryToMap(u);
@@ -159,14 +170,20 @@ public enum UserAdminConf {
                                }
                        }
                        res.put(baseDn.name(), bDn);
+                       if (SCHEME_OS.equals(scheme))
+                               res.put(readOnly.name(), "true");
                        if (principal != null)
                                res.put(Context.SECURITY_PRINCIPAL, principal);
                        if (credentials != null)
                                res.put(Context.SECURITY_CREDENTIALS, credentials);
                        if (scheme != null) {// relative URIs are dealt with externally
-                               URI bareUri = new URI(scheme, null, u.getHost(), u.getPort(),
-                                               scheme.equals("file") ? u.getPath() : null, null, null);
-                               res.put(uri.name(), bareUri.toString());
+                               if (SCHEME_OS.equals(scheme)) {
+                                       res.put(uri.name(), SCHEME_OS + ":///");
+                               } else {
+                                       URI bareUri = new URI(scheme, null, u.getHost(), u.getPort(),
+                                                       scheme.equals(SCHEME_FILE) ? u.getPath() : null, null, null);
+                                       res.put(uri.name(), bareUri.toString());
+                               }
                        }
                        return res;
                } catch (Exception e) {
@@ -196,7 +213,7 @@ public enum UserAdminConf {
                                }
                        }
                        URI convertedUri = new URI(
-                                       "ldap://" + ldapHostsStr + "/" + IpaUtils.domainToUserDirectoryConfigPath(kerberosRealm));
+                                       SCHEME_LDAP + "://" + ldapHostsStr + "/" + IpaUtils.domainToUserDirectoryConfigPath(kerberosRealm));
                        if (log.isDebugEnabled())
                                log.debug("Converted " + uri + " to " + convertedUri);
                        return convertedUri;
@@ -219,38 +236,22 @@ public enum UserAdminConf {
 
        }
 
-       // private static Map<String, List<String>> splitQuery(String query) throws
-       // UnsupportedEncodingException {
-       // final Map<String, List<String>> query_pairs = new LinkedHashMap<String,
-       // List<String>>();
-       // if (query == null)
-       // return query_pairs;
-       // final String[] pairs = query.split("&");
-       // for (String pair : pairs) {
-       // final int idx = pair.indexOf("=");
-       // final String key = idx > 0 ? URLDecoder.decode(pair.substring(0, idx),
-       // "UTF-8") : pair;
-       // if (!query_pairs.containsKey(key)) {
-       // query_pairs.put(key, new LinkedList<String>());
-       // }
-       // final String value = idx > 0 && pair.length() > idx + 1
-       // ? URLDecoder.decode(pair.substring(idx + 1), "UTF-8") : null;
-       // query_pairs.get(key).add(value);
-       // }
-       // return query_pairs;
-       // }
-
-       public static void main(String[] args) {
-               Dictionary<String, ?> props = uriAsProperties("ldap://" + "uid=admin,ou=system:secret@localhost:10389"
-                               + "/dc=example,dc=com" + "?readOnly=false&userObjectClass=person");
-               System.out.println(props);
-               System.out.println(propertiesAsUri(props));
-
-               System.out.println(uriAsProperties("file://some/dir/dc=example,dc=com.ldif"));
-
-               props = uriAsProperties(
-                               "/dc=example,dc=com.ldif?readOnly=true" + "&userBase=ou=CoWorkers,ou=People&groupBase=ou=Roles");
-               System.out.println(props);
-               System.out.println(propertiesAsUri(props));
+       private static String getBaseDnFromHostname() {
+               String hostname;
+               try {
+                       hostname = InetAddress.getLocalHost().getHostName();
+               } catch (UnknownHostException e) {
+                       log.warn("Using localhost as hostname", e);
+                       hostname = "localhost.localdomain";
+               }
+               int dotIdx = hostname.indexOf('.');
+               if (dotIdx >= 0) {
+                       String domain = hostname.substring(dotIdx + 1, hostname.length());
+                       String bDn = ("." + domain).replaceAll("\\.", ",dc=");
+                       bDn = bDn.substring(1, bDn.length());
+                       return bDn;
+               } else {
+                       return "dc=" + hostname;
+               }
        }
 }
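Review bot: `getBaseDnFromHostname()` at L560-L576 derives the base DN — and therefore the DN the OS user and the data-admin role live under — from whatever `InetAddress.getLocalHost().getHostName()` returns, which may involve a DNS lookup and changes when the host is renamed; the resolved DN should be logged at info level so operators can see what an `os:///` URI mapped to, and a Javadoc line on the method should say so. The fallback warning says "Using localhost as hostname" while the value used is `localhost.localdomain` (yielding `dc=localdomain`); make the message match. The domain-to-DN conversion at L570-L573 can be written as `return "dc=" + hostname.substring(dotIdx + 1).replace(".", ",dc=");`, which avoids the leading-dot trick and the regex `replaceAll`.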
diff --git a/org.argeo.enterprise/src/org/argeo/osgi/useradmin/jaas-os.cfg b/org.argeo.enterprise/src/org/argeo/osgi/useradmin/jaas-os.cfg
new file mode 100644 (file)
index 0000000..da04505
--- /dev/null
@@ -0,0 +1,8 @@
+USER_NIX {
+    com.sun.security.auth.module.UnixLoginModule requisite; 
+};
+
+USER_NT {
+    com.sun.security.auth.module.NTLoginModule requisite; 
+};
+
index 280d537ae001642608dcafe7825c7b2aa92ed8a7..53d2cedc61814e883850adf37c7a6e67c776b986 100644 (file)
@@ -20,7 +20,7 @@ public final class DataAdminPrincipal implements Principal {
 
        @Override
        public boolean equals(Object obj) {
-               return this == obj;
+               return obj instanceof DataAdminPrincipal;
        }
 
        @Override
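Review bot: `equals` at L598 now treats every DataAdminPrincipal as equal, so `hashCode` (the override starting at L601, body outside the hunk) must return the same value for all instances; if it still derives from identity, `Subject.getPrincipals()` — a Set — will not dedupe and CmsAuthUtils adds a fresh DataAdminPrincipal on each login. A constant such as `return DataAdminPrincipal.class.hashCode();` satisfies the contract. Note that `obj instanceof DataAdminPrincipal` is only safe because the class is `final` (L593), which is worth a comment on the method.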
index 97618d5ecaa11d3cd48e911cdda635fb970d32ab..fd01cc6c6c63a6c0a56483230278334220016429 100644 (file)
@@ -10,11 +10,13 @@ import javax.naming.ldap.LdapName;
 import org.argeo.node.NodeConstants;
 
 public class NodeSecurityUtils {
-       public final static LdapName ROLE_ADMIN_NAME, ROLE_ANONYMOUS_NAME, ROLE_USER_NAME, ROLE_USER_ADMIN_NAME;
+       public final static LdapName ROLE_ADMIN_NAME, ROLE_DATA_ADMIN_NAME, ROLE_ANONYMOUS_NAME, ROLE_USER_NAME,
+                       ROLE_USER_ADMIN_NAME;
        public final static List<LdapName> RESERVED_ROLES;
        static {
                try {
                        ROLE_ADMIN_NAME = new LdapName(NodeConstants.ROLE_ADMIN);
+                       ROLE_DATA_ADMIN_NAME = new LdapName(NodeConstants.ROLE_DATA_ADMIN);
                        ROLE_USER_NAME = new LdapName(NodeConstants.ROLE_USER);
                        ROLE_USER_ADMIN_NAME = new LdapName(NodeConstants.ROLE_USER_ADMIN);
                        ROLE_ANONYMOUS_NAME = new LdapName(NodeConstants.ROLE_ANONYMOUS);
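Review bot: `ROLE_DATA_ADMIN_NAME` is added at L608 and L614 but `RESERVED_ROLES` (declared at L610, initialized outside the hunk) is not visibly updated; if that list is what prevents reserved role names from being created in or imported from a user directory, the data-admin role needs to be in it, otherwise a directory entry named like `NodeConstants.ROLE_DATA_ADMIN` could shadow the built-in role. Please add `ROLE_DATA_ADMIN_NAME` to the `RESERVED_ROLES` initializer if that is its purpose.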