From: Mathieu Baudier Date: Tue, 9 Nov 2021 11:45:56 +0000 (+0100) Subject: Improve single user login. X-Git-Tag: argeo-commons-2.3.2~29^2 X-Git-Url: https://git.argeo.org/?p=lgpl%2Fargeo-commons.git;a=commitdiff_plain;h=52a45835da8cd816ac2e2b22ee9b84101fe8fb06 Improve single user login. --- diff --git a/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java b/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java index f5503d5c5..4c09650d4 100644 --- a/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java +++ b/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java @@ -20,7 +20,6 @@ import org.argeo.api.security.NodeSecurityUtils; import org.argeo.cms.internal.auth.CmsSessionImpl; import org.argeo.cms.internal.auth.ImpliedByPrincipal; import org.argeo.cms.internal.http.WebCmsSessionImpl; -import org.argeo.cms.internal.kernel.Activator; import org.argeo.osgi.useradmin.AuthenticatingUser; import org.osgi.framework.BundleContext; import org.osgi.framework.InvalidSyntaxException; @@ -28,7 +27,7 @@ import org.osgi.framework.ServiceReference; import org.osgi.service.http.HttpContext; import org.osgi.service.useradmin.Authorization; -/** Centrlaises security related registrations. */ +/** Centralises security related registrations. */ class CmsAuthUtils { // Standard final static String SHARED_STATE_NAME = AuthenticatingUser.SHARED_STATE_NAME; @@ -52,9 +51,7 @@ class CmsAuthUtils { // required for display name: subject.getPrivateCredentials().add(authorization); - if (Activator.isSingleUser()) { - subject.getPrincipals().add(new DataAdminPrincipal()); - } + boolean singleUser = authorization instanceof SingleUserAuthorization; Set principals = subject.getPrincipals(); try { 
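Review bot: `boolean singleUser = authorization instanceof SingleUserAuthorization;` makes the grant of the ROLE_ADMIN ImpliedByPrincipal and DataAdminPrincipal (in the -73 hunk of this file) depend only on the runtime class of the Authorization object passed in, where it previously depended on the node-wide Activator.isSingleUser() setting. SingleUserAuthorization is a public class with a public constructor, so any code in this package that builds one and hands it to addAuthorization obtains admin principals regardless of how the node is configured; CmsAuthUtils itself is package-private, so the reachable callers are the login modules here, but a type check is still a weaker gate than the configuration flag it replaces. Consider making the SingleUserAuthorization constructor package-private and recording the contract next to this line, e.g. `// the Authorization type is the sole gate for the admin principals added below; only SingleUserLoginModule may create a SingleUserAuthorization`. addAuthorization starts outside this hunk.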
@@ -73,8 +70,9 @@ class CmsAuthUtils { userPrincipal = new X500Principal(name.toString()); principals.add(userPrincipal); - if (Activator.isSingleUser()) { + if (singleUser) { principals.add(new ImpliedByPrincipal(NodeSecurityUtils.ROLE_ADMIN_NAME, userPrincipal)); + principals.add(new DataAdminPrincipal()); } } @@ -182,7 +180,9 @@ class CmsAuthUtils { "Subject already logged with session " + storedSessionId + " (not " + nodeSessionId + ")"); } } else { - // TODO desktop, CLI + CmsSessionImpl cmsSession = new CmsSessionImpl(subject, authorization, locale, "desktop"); + CmsSessionId nodeSessionId = new CmsSessionId(cmsSession.getUuid()); + subject.getPrivateCredentials().add(nodeSessionId); } } diff --git a/org.argeo.cms/src/org/argeo/cms/auth/SingleUserAuthorization.java b/org.argeo.cms/src/org/argeo/cms/auth/SingleUserAuthorization.java index b4144d30f..af4e636d8 100644 --- a/org.argeo.cms/src/org/argeo/cms/auth/SingleUserAuthorization.java +++ b/org.argeo.cms/src/org/argeo/cms/auth/SingleUserAuthorization.java @@ -8,10 +8,15 @@ import org.osgi.service.useradmin.Authorization; * @see SingleUserLoginModule */ public class SingleUserAuthorization implements Authorization { + private String name; + + public SingleUserAuthorization(String name) { + this.name = name; + } @Override public String getName() { - return System.getProperty("user.name"); + return name; } @Override diff --git a/org.argeo.cms/src/org/argeo/cms/auth/SingleUserLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/SingleUserLoginModule.java index 0b163bac3..240564f9e 100644 --- a/org.argeo.cms/src/org/argeo/cms/auth/SingleUserLoginModule.java +++ b/org.argeo.cms/src/org/argeo/cms/auth/SingleUserLoginModule.java @@ -2,10 +2,8 @@ package org.argeo.cms.auth; import java.net.InetAddress; import java.net.UnknownHostException; -import java.security.Principal; import java.util.Locale; import java.util.Map; -import java.util.Set; import javax.naming.ldap.LdapName; import javax.security.auth.Subject; 
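Review bot: The new else branch creates a CmsSessionImpl and adds a fresh CmsSessionId to the subject's private credentials without checking whether the subject already carries one, while the HTTP branch above it rejects a subject that is "already logged with session". If commit() runs twice on the same Subject (a retried login, or a second module contributing its authorization), this path would stack a second session id and presumably a second CmsSessionImpl that nothing closes — confirm against how CmsSessionImpl registers itself. A guard mirroring the HTTP branch, `if (!subject.getPrivateCredentials(CmsSessionId.class).isEmpty()) throw new IllegalStateException("Subject already has a CMS session");`, would keep the two branches consistent, and the bare `"desktop"` literal deserves a named constant since it is the only place this session type is spelled out. The enclosing method (presumably registerSessionAuthorization) starts outside this hunk.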
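Review bot: `private String name;` is assigned only in the constructor and read by getName(), so it should be `private final String name;`, and the constructor should reject null up front with `this.name = Objects.requireNonNull(name, "name");` (importing java.util.Objects), because this value becomes the X500 DN from which CmsAuthUtils derives the subject's user principal. Immutability matters here beyond style: this class is an Authorization that other code inspects by type to grant privileges, so the identity it carries should not be able to change after the principals have been added. The rest of the class is outside this hunk.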
@@ -18,11 +16,9 @@ import javax.servlet.http.HttpServletRequest; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; -import org.argeo.api.NodeConstants; -import org.argeo.api.security.DataAdminPrincipal; -import org.argeo.cms.internal.auth.ImpliedByPrincipal; import org.argeo.naming.LdapAttrs; import org.argeo.osgi.useradmin.IpaUtils; +import org.argeo.osgi.useradmin.OsUserUtils; import org.osgi.service.useradmin.Authorization; /** Login module for when the system is owned by a single user. */ @@ -50,11 +46,12 @@ public class SingleUserLoginModule implements LoginModule { @Override public boolean commit() throws LoginException { - X500Principal principal; + String authorizationName; KerberosPrincipal kerberosPrincipal = CmsAuthUtils.getSinglePrincipal(subject, KerberosPrincipal.class); if (kerberosPrincipal != null) { LdapName userDn = IpaUtils.kerberosToDn(kerberosPrincipal.getName()); - principal = new X500Principal(userDn.toString()); + X500Principal principal = new X500Principal(userDn.toString()); + authorizationName = principal.getName(); } else { Object username = sharedState.get(CmsAuthUtils.SHARED_STATE_NAME); if (username == null) @@ -67,12 +64,9 @@ public class SingleUserLoginModule implements LoginModule { hostname = "localhost"; } String baseDn = ("." + hostname).replaceAll("\\.", ",dc="); - principal = new X500Principal(LdapAttrs.uid + "=" + username + baseDn); + X500Principal principal = new X500Principal(LdapAttrs.uid + "=" + username + baseDn); + authorizationName = principal.getName(); } - Set principals = subject.getPrincipals(); - principals.add(principal); - principals.add(new ImpliedByPrincipal(NodeConstants.ROLE_ADMIN, principal)); - principals.add(new DataAdminPrincipal()); HttpServletRequest request = (HttpServletRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST); Locale locale = Locale.getDefault(); 
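Review bot: Both branches of commit() now construct an X500Principal only to call getName() on it (`X500Principal principal = new X500Principal(...); authorizationName = principal.getName();` here and again in the -67 hunk), and CmsAuthUtils.addAuthorization then parses that name back into a new X500Principal. Let each branch produce the raw DN string (`String dn = ...;`) and normalise once after the if/else with `authorizationName = new X500Principal(dn).getName();`. Note also that the X500Principal constructor throws IllegalArgumentException on a DN it cannot parse, so a username taken from sharedState that contains DN syntax characters may escape commit() as an unchecked exception rather than a LoginException; wrapping the construction and rethrowing a `LoginException("Invalid user name: " + e.getMessage())` would keep the JAAS contract. commit() continues past this hunk.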
@@ -80,8 +74,18 @@ public class SingleUserLoginModule implements LoginModule { locale = request.getLocale(); if (locale == null) locale = Locale.getDefault(); - Authorization authorization = new SingleUserAuthorization(); + Authorization authorization = new SingleUserAuthorization(authorizationName); CmsAuthUtils.addAuthorization(subject, authorization); + + // Add standard Java OS login + OsUserUtils.loginAsSystemUser(subject); + + // additional principals (must be after Authorization registration) +// Set principals = subject.getPrincipals(); +// principals.add(principal); +// principals.add(new ImpliedByPrincipal(NodeConstants.ROLE_ADMIN, principal)); +// principals.add(new DataAdminPrincipal()); + CmsAuthUtils.registerSessionAuthorization(request, subject, authorization, locale); return true; diff --git a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java index 4057b26af..092a06b77 100644 --- a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java +++ b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java @@ -33,7 +33,6 @@ import org.argeo.cms.internal.kernel.Activator; import org.argeo.naming.LdapAttrs; import org.argeo.osgi.useradmin.AuthenticatingUser; import org.argeo.osgi.useradmin.IpaUtils; -import org.argeo.osgi.useradmin.OsUserUtils; import org.argeo.osgi.useradmin.TokenUtils; import org.osgi.framework.BundleContext; import org.osgi.framework.FrameworkUtil; @@ -64,7 +63,7 @@ public class UserAdminLoginModule implements LoginModule { private Authorization bindAuthorization = null; - private boolean singleUser = Activator.isSingleUser(); +// private boolean singleUser = Activator.isSingleUser(); @SuppressWarnings("unchecked") @Override 
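Review bot: The four commented-out `// Set principals = ...` lines after the OsUserUtils.loginAsSystemUser call are dead code whose logic this commit moved into CmsAuthUtils.addAuthorization; they should be deleted rather than kept, and the `// additional principals (must be after Authorization registration)` comment above them now describes nothing that executes here. Replace the block with a single pointer such as `// user principal, ROLE_ADMIN and DataAdminPrincipal are added by CmsAuthUtils.addAuthorization(...)`. `OsUserUtils.loginAsSystemUser(subject)` is now called unconditionally, which is consistent with this module only being configured for single-user nodes, but that assumption is worth stating in the `// Add standard Java OS login` comment since UserAdminLoginModule used to guard the same call with a singleUser flag. commit() starts outside this hunk.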
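Review bot: `// private boolean singleUser = Activator.isSingleUser();` and the matching commented-out branches in the -113, -194 and -211 hunks of this file keep the old single-user path in the source as comments instead of removing it; version control already preserves it, and the stale `// TODO retrieve from http session` and `// TODO verify IP address?` inside those blocks will mislead readers. Delete the commented lines outright so each `else if` chain reads without gaps. If the intent is that single-user handling now lives entirely in SingleUserLoginModule, a one-line class comment such as `// single-user mode is handled by SingleUserLoginModule, not here` would record the decision that the deletions alone do not.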
@@ -113,11 +112,11 @@ public class UserAdminLoginModule implements LoginModule { username = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME); password = null; preauth = true; - } else if (singleUser) { - username = OsUserUtils.getOsUsername(); - password = null; - // TODO retrieve from http session - locale = Locale.getDefault(); +// } else if (singleUser) { +// username = OsUserUtils.getOsUsername(); +// password = null; +// // TODO retrieve from http session +// locale = Locale.getDefault(); } else { // ask for username and password @@ -194,8 +193,8 @@ public class UserAdminLoginModule implements LoginModule { // TODO check CRLs/OSCP validity? // NB: authorization in commit() will work only if an LDAP connection password // is provided - } else if (singleUser) { - // TODO verify IP address? +// } else if (singleUser) { +// // TODO verify IP address? } else if (preauth) { // ident } else { @@ -211,9 +210,9 @@ public class UserAdminLoginModule implements LoginModule { if (locale != null) subject.getPublicCredentials().add(locale); - if (singleUser) { - OsUserUtils.loginAsSystemUser(subject); - } +// if (singleUser) { +// OsUserUtils.loginAsSystemUser(subject); +// } UserAdmin userAdmin = Activator.getUserAdmin(); Authorization authorization; if (callbackHandler == null) {// anonymous diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java index 8086c8636..6d50f3dab 100644 --- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java +++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java @@ -226,6 +226,7 @@ public class Activator implements BundleActivator { return getNodeUserAdmin().getAcceptorCredentials(); } + @Deprecated public static boolean isSingleUser() { return getNodeUserAdmin().isSingleUser(); } 
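Review bot: `@Deprecated` is added to isSingleUser() without a Javadoc `@deprecated` tag saying what replaces it, and the method still delegates to getNodeUserAdmin().isSingleUser(), so remaining callers get a warning with no guidance. Add Javadoc above the annotation such as `/** @deprecated Single-user mode is now expressed by a {@code SingleUserAuthorization} in the subject (see {@code CmsAuthUtils}); the login modules changed in this commit no longer consult this flag. */`, and consider `@Deprecated(since = "<this release>", forRemoval = true)` if the method is meant to disappear. Whether other callers still depend on it cannot be seen from this hunk.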
diff --git a/org.argeo.maintenance/src/org/argeo/maintenance/AbstractMaintenanceService.java b/org.argeo.maintenance/src/org/argeo/maintenance/AbstractMaintenanceService.java index c756bd8e0..6003d638d 100644 --- a/org.argeo.maintenance/src/org/argeo/maintenance/AbstractMaintenanceService.java +++ b/org.argeo.maintenance/src/org/argeo/maintenance/AbstractMaintenanceService.java @@ -159,25 +159,27 @@ public abstract class AbstractMaintenanceService { } /** Add a user or group to a group. */ - protected void addToGroup(String roledDn, String groupDn) { - if (roledDn.contentEquals(groupDn)) { + protected void addToGroup(String groupToAddDn, String groupDn) { + if (groupToAddDn.contentEquals(groupDn)) { if (log.isTraceEnabled()) log.trace("Ignore adding group " + groupDn + " to itself"); return; } if (getUserAdmin() == null) { - log.warn("No user admin service available, cannot add group " + roledDn + " to " + groupDn); + log.warn("No user admin service available, cannot add group " + groupToAddDn + " to " + groupDn); return; } - Group managerGroup = (Group) getUserAdmin().getRole(roledDn); + Group groupToAdd = (Group) getUserAdmin().getRole(groupToAddDn); + if (groupToAdd == null) + throw new IllegalArgumentException("Group " + groupToAddDn + " not found"); Group group = (Group) getUserAdmin().getRole(groupDn); if (group == null) throw new IllegalArgumentException("Group " + groupDn + " not found"); try { getUserTransaction().begin(); - if (group.addMember(managerGroup)) - log.info("Added " + roledDn + " to " + group); + if (group.addMember(groupToAdd)) + log.info("Added " + groupToAddDn + " to " + group); getUserTransaction().commit(); } catch (Exception e) { try { @@ -185,7 +187,7 @@ public abstract class AbstractMaintenanceService { } catch (Exception e1) { // silent } - throw new IllegalStateException("Cannot add " + managerGroup + " to " + group); + throw new IllegalStateException("Cannot add " + groupToAddDn + " to " + groupDn); } }
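Review bot: The new null check on `groupToAdd` runs after `(Group) getUserAdmin().getRole(groupToAddDn)`, so a DN that resolves to a User — which the Javadoc `Add a user or group to a group` says is a supported input — still fails with a ClassCastException before the check ever runs, and the rename to groupToAddDn/groupToAdd now contradicts that Javadoc. Since Group.addMember accepts a Role, drop the cast: `Role roleToAdd = getUserAdmin().getRole(groupToAddDn);` (importing org.osgi.service.useradmin.Role), then `if (roleToAdd == null) throw new IllegalArgumentException("Role " + groupToAddDn + " not found");` and `if (group.addMember(roleToAdd))`, and either keep the Javadoc as is or rename the parameter to roleToAddDn to match. The method's catch block ends outside this hunk.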
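Review bot: The rewritten `throw new IllegalStateException("Cannot add " + groupToAddDn + " to " + groupDn);` still drops the caught exception, so the underlying transaction or UserAdmin failure is lost to the caller; pass it as the cause: `throw new IllegalStateException("Cannot add " + groupToAddDn + " to " + groupDn, e);`. The inner `catch (Exception e1) { // silent }` around the rollback also deserves at least a debug-level log, because a failed rollback leaves the transaction state unknown to whoever handles the IllegalStateException. The try block this catch belongs to starts in the previous hunk.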