--- /dev/null
+Composite.qa {
+ background-color: gray;
+ color: white;
+}
+
+Button[PUSH].qa {
+ color: white;
+ background-color: gray;
+ padding: 0px;
+ spacing: 0px;
+ border: none;
+}
+
+Composite.support {
+ background-color: red;
+}
+
+Label.support {
+ background-color: red;
+ color: white;
+}
return fromJson
}
+function newArea(parent, style, layout) {
+ var control = new Composite(parent, SWT.NONE)
+ control.setLayout(layout)
+ CmsUtils.style(control, style)
+ return control
+}
+
function newLabel(parent, style, text) {
var control = new Label(parent, SWT.NONE)
control.setText(text)
return control
}
+function newButton(parent, style, text) {
+ var control = new Button(parent, SWT.FLAT)
+ control.setText(text)
+ CmsUtils.style(control, style)
+ CmsUtils.markup(control)
+ return control
+}
+
function newFormLabel(parent, style, text) {
return newLabel(parent, style, '<b>' + text + '</b>')
}
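Review bot: newButton calls CmsUtils.markup(control) immediately after setText(text), so if that helper does what its name suggests the button label is rendered as markup rather than plain text, and any caller passing user-derived text would have to escape it first. A comment above the call would make that contract explicit, e.g. `// label is rendered as markup: callers must escape untrusted text`. Separately, newArea and newButton both apply `style` through CmsUtils.style while the unchanged newLabel between them ignores its `style` argument, which reads as an oversight rather than a choice and is worth a look while this file is being touched.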
package org.argeo.cms.auth;
+import static org.argeo.naming.LdapAttrs.cn;
+import static org.argeo.naming.LdapAttrs.description;
+
import java.io.IOException;
import java.security.PrivilegedAction;
import java.security.cert.X509Certificate;
+import java.time.Instant;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import org.argeo.cms.CmsException;
import org.argeo.cms.internal.kernel.Activator;
import org.argeo.naming.LdapAttrs;
+import org.argeo.naming.NamingUtils;
+import org.argeo.node.NodeConstants;
import org.argeo.node.security.CryptoKeyring;
import org.argeo.osgi.useradmin.AuthenticatingUser;
import org.argeo.osgi.useradmin.IpaUtils;
import org.osgi.framework.FrameworkUtil;
import org.osgi.framework.ServiceReference;
import org.osgi.service.useradmin.Authorization;
+import org.osgi.service.useradmin.Group;
import org.osgi.service.useradmin.User;
import org.osgi.service.useradmin.UserAdmin;
sharedState.put(CmsAuthUtils.SHARED_STATE_PWD, password);
}
User user = searchForUser(userAdmin, username);
+
+ // Tokens
+ if (user == null) {
+ String token = username;
+ Group tokenGroup = searchForToken(userAdmin, token);
+ if (tokenGroup != null) {
+ Authorization tokenAuthorization = getAuthorizationFromToken(userAdmin, tokenGroup);
+ if (tokenAuthorization != null) {
+ bindAuthorization = tokenAuthorization;
+ authenticatedUser = (User) userAdmin.getRole(bindAuthorization.getName());
+ return true;
+ }
+ }
+ }
+
if (user == null)
return true;// expect Kerberos
}
}
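Review bot: In the token branch the username alone is accepted as the credential: searchForUser found nothing, the same string is looked up as a token and, if the group resolves, the method returns true without the password stored in sharedState just above ever being checked on this path. If bearer-token semantics are intended, state it next to the `// Tokens` line, e.g. `// a token is a bearer credential: the username carries the secret and the password is ignored`, since the surrounding password handling suggests otherwise to a reader. Every login with an unknown username now also performs a lookup under the tokens base, so any logging of failed logins elsewhere should avoid writing the username in this case, as it may be a live token. The enclosing login method starts and ends outside the hunk.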
+
+ protected Group searchForToken(UserAdmin userAdmin, String token) {
+ String dn = cn + "=" + token + "," + NodeConstants.TOKENS_BASEDN;
+ Group tokenGroup = (Group) userAdmin.getRole(dn);
+ return tokenGroup;
+ }
+
+ protected Authorization getAuthorizationFromToken(UserAdmin userAdmin, Group tokenGroup) {
+ String expiryDateStr = (String) tokenGroup.getProperties().get(description.name());
+ if (expiryDateStr != null) {
+ Instant expiryDate = NamingUtils.ldapDateToInstant(expiryDateStr);
+ if (expiryDate.isBefore(Instant.now())) {
+ if (log.isDebugEnabled())
+ log.debug("Token " + tokenGroup.getName() + " has expired.");
+ return null;
+ }
+ }
+ Authorization auth = userAdmin.getAuthorization(tokenGroup);
+ return auth;
+ }
}
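Review bot: searchForToken concatenates the caller-supplied token (the username of the login attempt) into `cn + "=" + token + "," + NodeConstants.TOKENS_BASEDN` without escaping, so a value containing DN-special characters (`,`, `+`, `=`, `\`) yields a different DN than intended; escape it with `javax.naming.ldap.Rdn.escapeValue(token)` or assemble the name via `Rdn`/`LdapName` before calling getRole. The `(Group)` cast on the following line throws ClassCastException if a non-group role exists at that DN; `return role instanceof Group ? (Group) role : null;` would be safer. In getAuthorizationFromToken a token whose description attribute is absent never expires; if expiry is meant to be mandatory, treat a missing value like an expired one, otherwise document it with `// no description attribute means the token does not expire`.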
try (Writer writer = Files.newBufferedWriter(deployConfigPath)) {
new LdifWriter(writer).write(deployConfigs);
} catch (IOException e) {
- throw new CmsException("Cannot save deploy configs", e);
+ // throw new CmsException("Cannot save deploy configs", e);
+ log.error("Cannot save deploy configs", e);
}
}
}
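Review bot: Downgrading a failed write of the deploy configs from an exception to log.error lets callers continue as if the configuration had been persisted, and the commented-out `throw` kept above the log call is dead code that should be deleted rather than left in place. If the change is deliberate, a comment explaining why persistence failure is non-fatal should replace the commented-out line, e.g. `// best effort: failing to persist deploy configs must not stop the node`. The enclosing method starts outside the hunk.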
uris.add(nodeRolesUri);
+ // node tokens
+ String nodeTokensUri = getFrameworkProp(NodeConstants.TOKENS_URI);
+ String baseNodeTokensDn = NodeConstants.TOKENS_BASEDN;
+ if (nodeTokensUri == null) {
+ nodeTokensUri = baseNodeTokensDn + ".ldif";
+ File nodeRolesFile = new File(nodeBaseDir, nodeRolesUri);
+ if (!nodeRolesFile.exists())
+ try {
+ FileUtils.copyInputStreamToFile(InitUtils.class.getResourceAsStream(baseNodeTokensDn + ".ldif"),
+ nodeRolesFile);
+ } catch (IOException e) {
+ throw new CmsException("Cannot copy demo resource", e);
+ }
+ // nodeRolesUri = nodeRolesFile.toURI().toString();
+ }
+ uris.add(nodeTokensUri);
+
// Business roles
String userAdminUris = getFrameworkProp(NodeConstants.USERADMIN_URIS);
if (userAdminUris == null) {
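Review bot: The new tokens block targets the roles file instead of the tokens file: `File nodeRolesFile = new File(nodeBaseDir, nodeRolesUri)` reuses the roles URI, so the tokens LDIF resource is either skipped (when the roles file already exists) or written over the roles file, and nodeTokensUri never corresponds to a file on disk. The three lines should read `File nodeTokensFile = new File(nodeBaseDir, nodeTokensUri);`, `if (!nodeTokensFile.exists())` and `FileUtils.copyInputStreamToFile(InitUtils.class.getResourceAsStream(baseNodeTokensDn + ".ldif"), nodeTokensFile);`. getResourceAsStream returns null when the classpath resource is missing, which would surface as a NullPointerException rather than the CmsException, so a null check with a clear message is worth adding. The commented-out nodeRolesUri line is a leftover from the copy and should go. The enclosing method starts and ends outside the hunk.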
--- /dev/null
+dn: ou=tokens,ou=node
+objectClass: organizationalUnit
+objectClass: top
+ou: tokens
userPKCS12("2.16.840.1.113730.3.1.216", "RFC 2798"),
/** */
displayName("2.16.840.1.113730.3.1.241", "RFC 2798"),
-
+
// Sun memberOf
- memberOf("1.2.840.113556.1.2.102","389 DS memberOf"),
+ memberOf("1.2.840.113556.1.2.102", "389 DS memberOf"),
// KERBEROS (partial)
krbPrincipalName("2.16.840.1.113719.1.301.6.8.1", "Novell Kerberos Schema Definitions"),
return new StringBuilder(LDAP_).append(name()).toString();
}
+ @Override
+ public final String toString() {
+ // must return the name
+ return name();
+ }
+
}
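Review bot: The comment on the new toString override should say why it exists, because Enum.toString() already returns name() and the override changes nothing except making the method final so that no constant body can alter it. If the reason is that the constants are concatenated into attribute names and DNs elsewhere (as `cn + "="` in this commit's login module does), replace `// must return the name` with `// pinned to name() and final: callers concatenate these constants into attribute names and DNs`.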
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
+import org.argeo.naming.LdapAttrs;
import org.osgi.framework.InvalidSyntaxException;
import org.osgi.service.useradmin.Authorization;
+import org.osgi.service.useradmin.Group;
import org.osgi.service.useradmin.Role;
import org.osgi.service.useradmin.User;
import org.osgi.service.useradmin.UserAdmin;
}
UserAdmin userAdmin = findUserAdmin(user.getName());
Authorization rawAuthorization = userAdmin.getAuthorization(user);
+ String usernameToUse;
+ String displayNameToUse;
+ if (user instanceof Group) {// tokens
+ String ownerDn = (String) user.getProperties().get(LdapAttrs.owner.name());
+ if (ownerDn != null) {
+ UserAdmin ownerUserAdmin = findUserAdmin(ownerDn);
+ User ownerUser = (User) ownerUserAdmin.getRole(ownerDn);
+ usernameToUse = ownerDn;
+ displayNameToUse = LdifAuthorization.extractDisplayName(ownerUser);
+ } else {
+ throw new UserDirectoryException(
+ "Cannot get authorization for group " + user.getName() + " without owner");
+ }
+ } else {// regular users
+ usernameToUse = rawAuthorization.getName();
+ displayNameToUse = rawAuthorization.toString();
+ }
// gather system roles
Set<String> sysRoles = new HashSet<String>();
for (String role : rawAuthorization.getRoles()) {
sysRoles.addAll(Arrays.asList(auth.getRoles()));
}
addAbstractSystemRoles(rawAuthorization, sysRoles);
- Authorization authorization = new AggregatingAuthorization(rawAuthorization.getName(),
- rawAuthorization.toString(), sysRoles, rawAuthorization.getRoles());
+ Authorization authorization = new AggregatingAuthorization(usernameToUse, displayNameToUse, sysRoles,
+ rawAuthorization.getRoles());
return authorization;
}
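Review bot: `ownerUserAdmin.getRole(ownerDn)` returns null when the owner entry no longer exists, and the cast followed by `LdifAuthorization.extractDisplayName(ownerUser)` then fails with a NullPointerException rather than a meaningful error; add `if (ownerUser == null) throw new UserDirectoryException("Owner " + ownerDn + " of " + user.getName() + " not found");` before the display-name call. Since the identity a token grants is whatever `owner` attribute its group entry carries, a comment should make that trust explicit, e.g. `// the owner attribute of the token entry determines whose identity the token grants`. The enclosing method starts outside the hunk.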
private final String displayName;
private final List<String> allRoles;
- @SuppressWarnings("unchecked")
public LdifAuthorization(User user, List<Role> allRoles) {
if (user == null) {
this.name = null;
this.displayName = "anonymous";
} else {
this.name = user.getName();
- Dictionary<String, Object> props = user.getProperties();
- Object displayName = props.get(LdapAttrs.displayName);
- if (displayName == null)
- displayName = props.get(LdapAttrs.cn);
- if (displayName == null)
- displayName = props.get(LdapAttrs.uid);
- if (displayName == null)
- displayName = user.getName();
- if (displayName == null)
- throw new UserDirectoryException("Cannot set display name for "
- + user);
- this.displayName = displayName.toString();
+ this.displayName = extractDisplayName(user);
}
// roles
String[] roles = new String[allRoles.size()];
public String toString() {
return displayName;
}
+
+ final static String extractDisplayName(User user) {
+ Dictionary<String, Object> props = user.getProperties();
+ Object displayName = props.get(LdapAttrs.displayName);
+ if (displayName == null)
+ displayName = props.get(LdapAttrs.cn);
+ if (displayName == null)
+ displayName = props.get(LdapAttrs.uid);
+ if (displayName == null)
+ displayName = user.getName();
+ if (displayName == null)
+ throw new UserDirectoryException("Cannot set display name for " + user);
+ return displayName.toString();
+ }
}
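Review bot: extractDisplayName assigns the raw Dictionary returned by user.getProperties() to `Dictionary<String, Object> props`, which is the unchecked conversion the `@SuppressWarnings("unchecked")` removed from the constructor hunk was covering; the annotation belongs on the new helper, the narrowest scope, with a short justification. The lookups pass enum constants (`LdapAttrs.displayName`, `LdapAttrs.cn`, `LdapAttrs.uid`) as keys, while the getAuthorization hunk in this commit uses `LdapAttrs.owner.name()`; unless the properties implementation is known to match keys by toString, use `.name()` here too for consistency. As the helper is now called from another class, a one-line Javadoc such as `/** Display name from displayName, cn, uid, then the DN; throws UserDirectoryException if none is set. */` would help.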