From 08490f85954fc85940d1182c12a825b33491c3ba Mon Sep 17 00:00:00 2001 From: Mathieu Baudier Date: Mon, 2 Mar 2020 11:23:22 +0100 Subject: [PATCH] Improve tokens --- .../src/org/argeo/cms/CmsUserManager.java | 3 + .../argeo/cms/auth/UserAdminLoginModule.java | 4 +- .../cms/integration/CmsTokenServlet.java | 114 ++++++++++++++++++ .../cms/integration/TokenDescriptor.java | 49 ++++++++ .../cms/internal/auth/CmsUserManagerImpl.java | 34 +++--- .../argeo/cms/internal/kernel/CmsState.java | 2 +- .../cms/internal/kernel/NodeUserAdmin.java | 4 +- .../src/org/argeo/naming/NamingUtils.java | 10 ++ .../osgi/useradmin/AggregatingUserAdmin.java | 17 ++- 9 files changed, 216 insertions(+), 21 deletions(-) create mode 100644 org.argeo.cms/src/org/argeo/cms/integration/CmsTokenServlet.java create mode 100644 org.argeo.cms/src/org/argeo/cms/integration/TokenDescriptor.java diff --git a/org.argeo.cms/src/org/argeo/cms/CmsUserManager.java b/org.argeo.cms/src/org/argeo/cms/CmsUserManager.java index 39d4be622..1dafe7c81 100644 --- a/org.argeo.cms/src/org/argeo/cms/CmsUserManager.java +++ b/org.argeo.cms/src/org/argeo/cms/CmsUserManager.java @@ -1,5 +1,6 @@ package org.argeo.cms; +import java.time.ZonedDateTime; import java.util.List; import java.util.Set; @@ -73,6 +74,8 @@ public interface CmsUserManager { void addAuthToken(String userDn, String token, Integer hours, String... roles); + void addAuthToken(String userDn, String token, ZonedDateTime expiryDate, String... roles); + void expireAuthToken(String token); void expireAuthTokens(Subject subject); diff --git a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java index 6a3ac97df..692d214bc 100644 --- a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java +++ b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java @@ -354,7 +354,9 @@ public class UserAdminLoginModule implements LoginModule { // return null; // } // } - Authorization auth = userAdmin.getAuthorization(tokenGroup); + String userDn = TokenUtils.userDn(tokenGroup); + User user = (User) userAdmin.getRole(userDn); + Authorization auth = userAdmin.getAuthorization(user); return auth; } } diff --git a/org.argeo.cms/src/org/argeo/cms/integration/CmsTokenServlet.java b/org.argeo.cms/src/org/argeo/cms/integration/CmsTokenServlet.java new file mode 100644 index 000000000..b2e5a7ed3 --- /dev/null +++ b/org.argeo.cms/src/org/argeo/cms/integration/CmsTokenServlet.java @@ -0,0 +1,114 @@ +package org.argeo.cms.integration; + +import java.io.IOException; +import java.time.ZonedDateTime; +import java.util.Set; +import java.util.UUID; + +import javax.security.auth.Subject; +import javax.security.auth.callback.Callback; +import javax.security.auth.callback.UnsupportedCallbackException; +import javax.security.auth.login.LoginContext; +import javax.security.auth.login.LoginException; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.argeo.cms.CmsUserManager; +import org.argeo.cms.auth.HttpRequestCallback; +import org.argeo.cms.auth.HttpRequestCallbackHandler; +import org.argeo.naming.NamingUtils; +import org.argeo.node.NodeConstants; +import org.osgi.service.useradmin.Authorization; + +import com.fasterxml.jackson.core.JsonGenerator; +import com.fasterxml.jackson.databind.ObjectMapper; + +/** Provides access to tokens. */ +public class CmsTokenServlet extends HttpServlet { + private static final long serialVersionUID = 302918711430864140L; + + public final static String PARAM_EXPIRY_DATE = "expiryDate"; + public final static String PARAM_TOKEN = "token"; + + private final static int DEFAULT_HOURS = 24; + + private CmsUserManager userManager; + private ObjectMapper objectMapper = new ObjectMapper(); + + @Override + protected void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + LoginContext lc = null; + try { + lc = new LoginContext(NodeConstants.LOGIN_CONTEXT_USER, new HttpRequestCallbackHandler(request, response) { + public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { + for (Callback callback : callbacks) { + if (callback instanceof HttpRequestCallback) { + ((HttpRequestCallback) callback).setRequest(request); + ((HttpRequestCallback) callback).setResponse(response); + } + } + } + }); + lc.login(); + } catch (LoginException e) { + // ignore + } + + try { + Subject subject = lc.getSubject(); + Authorization authorization = extractFrom(subject.getPrivateCredentials(Authorization.class)); + String token = UUID.randomUUID().toString(); + String expiryDateStr = request.getParameter(PARAM_EXPIRY_DATE); + ZonedDateTime expiryDate; + if (expiryDateStr != null) { + expiryDate = NamingUtils.ldapDateToZonedDateTime(expiryDateStr); + } else { + expiryDate = ZonedDateTime.now().plusHours(DEFAULT_HOURS); + expiryDateStr = NamingUtils.instantToLdapDate(expiryDate); + } + userManager.addAuthToken(authorization.getName(), token, expiryDate); + + TokenDescriptor tokenDescriptor = new TokenDescriptor(); + tokenDescriptor.setUsername(authorization.getName()); + tokenDescriptor.setToken(token); + tokenDescriptor.setExpiryDate(expiryDateStr); +// tokenDescriptor.setRoles(Collections.unmodifiableSortedSet(new TreeSet<>(Arrays.asList(roles)))); + + response.setContentType("application/json"); + JsonGenerator jg = objectMapper.getFactory().createGenerator(response.getWriter()); + jg.writeObject(tokenDescriptor); + } catch (Exception e) { + new CmsExceptionsChain(e).writeAsJson(objectMapper, response); + } + } + + @Override + protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { + // temporarily wrap POST for ease of testing + doPost(req, resp); + } + + @Override + protected void doDelete(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { + try { + String token = req.getParameter(PARAM_TOKEN); + userManager.expireAuthToken(token); + } catch (Exception e) { + new CmsExceptionsChain(e).writeAsJson(objectMapper, resp); + } + } + + protected T extractFrom(Set creds) { + if (creds.size() > 0) + return creds.iterator().next(); + else + return null; + } + + public void setUserManager(CmsUserManager userManager) { + this.userManager = userManager; + } +} diff --git a/org.argeo.cms/src/org/argeo/cms/integration/TokenDescriptor.java b/org.argeo.cms/src/org/argeo/cms/integration/TokenDescriptor.java new file mode 100644 index 000000000..1541b4f29 --- /dev/null +++ b/org.argeo.cms/src/org/argeo/cms/integration/TokenDescriptor.java @@ -0,0 +1,49 @@ +package org.argeo.cms.integration; + +import java.io.Serializable; + +import com.fasterxml.jackson.annotation.JsonIgnoreProperties; + +/** A serializable descriptor of a token. */ +@JsonIgnoreProperties(ignoreUnknown = true) +public class TokenDescriptor implements Serializable { + private static final long serialVersionUID = -6607393871416803324L; + + private String token; + private String username; + private String expiryDate; +// private Set roles; + + public String getToken() { + return token; + } + + public void setToken(String token) { + this.token = token; + } + + public String getUsername() { + return username; + } + + public void setUsername(String username) { + this.username = username; + } + +// public Set getRoles() { +// return roles; +// } +// +// public void setRoles(Set roles) { +// this.roles = roles; +// } + + public String getExpiryDate() { + return expiryDate; + } + + public void setExpiryDate(String expiryDate) { + this.expiryDate = expiryDate; + } + +} diff --git a/org.argeo.cms/src/org/argeo/cms/internal/auth/CmsUserManagerImpl.java b/org.argeo.cms/src/org/argeo/cms/internal/auth/CmsUserManagerImpl.java index 109a0d406..869dbb23c 100644 --- a/org.argeo.cms/src/org/argeo/cms/internal/auth/CmsUserManagerImpl.java +++ b/org.argeo.cms/src/org/argeo/cms/internal/auth/CmsUserManagerImpl.java @@ -36,7 +36,6 @@ import org.argeo.node.NodeConstants; import org.argeo.osgi.useradmin.TokenUtils; import org.argeo.osgi.useradmin.UserAdminConf; import org.osgi.framework.InvalidSyntaxException; -import org.osgi.framework.ServiceReference; import org.osgi.service.useradmin.Authorization; import org.osgi.service.useradmin.Group; import org.osgi.service.useradmin.Role; @@ -59,8 +58,6 @@ public class CmsUserManagerImpl implements CmsUserManager { private final static Log log = LogFactory.getLog(CmsUserManagerImpl.class); private UserAdmin userAdmin; - @Deprecated - private ServiceReference userAdminServiceReference; private Map serviceProperties; private UserTransaction userTransaction; @@ -206,8 +203,7 @@ public class CmsUserManagerImpl implements CmsUserManager { public Map getKnownBaseDns(boolean onlyWritable) { Map dns = new HashMap(); - String[] propertyKeys = userAdminServiceReference != null ? userAdminServiceReference.getPropertyKeys() - : serviceProperties.keySet().toArray(new String[serviceProperties.size()]); + String[] propertyKeys = serviceProperties.keySet().toArray(new String[serviceProperties.size()]); for (String uri : propertyKeys) { if (!uri.startsWith("/")) continue; @@ -374,25 +370,31 @@ public class CmsUserManagerImpl implements CmsUserManager { @Override public void addAuthToken(String userDn, String token, Integer hours, String... roles) { + addAuthToken(userDn, token, ZonedDateTime.now().plusHours(hours), roles); + } + + @Override + public void addAuthToken(String userDn, String token, ZonedDateTime expiryDate, String... roles) { try { userTransaction.begin(); User user = (User) userAdmin.getRole(userDn); String tokenDn = cn + "=" + token + "," + NodeConstants.TOKENS_BASEDN; Group tokenGroup = (Group) userAdmin.createRole(tokenDn, Role.GROUP); - for (String role : roles) { - Role r = userAdmin.getRole(role); - if (r != null) - tokenGroup.addMember(r); - else { - if (!role.equals(NodeConstants.ROLE_USER)) { - throw new IllegalStateException( - "Cannot add role " + role + " to token " + token + " for " + userDn); + if (roles != null) + for (String role : roles) { + Role r = userAdmin.getRole(role); + if (r != null) + tokenGroup.addMember(r); + else { + if (!role.equals(NodeConstants.ROLE_USER)) { + throw new IllegalStateException( + "Cannot add role " + role + " to token " + token + " for " + userDn); + } } } - } tokenGroup.getProperties().put(owner.name(), user.getName()); - if (hours != null) { - String ldapDate = NamingUtils.instantToLdapDate(ZonedDateTime.now().plusHours(hours)); + if (expiryDate != null) { + String ldapDate = NamingUtils.instantToLdapDate(expiryDate); tokenGroup.getProperties().put(description.name(), ldapDate); } userTransaction.commit(); diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/CmsState.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/CmsState.java index 2f3bdcefd..6c97fa141 100644 --- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/CmsState.java +++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/CmsState.java @@ -113,7 +113,7 @@ public class CmsState implements NodeState { bc.registerService(RepositoryFactory.class, repositoryFactory, null); // Security - NodeUserAdmin userAdmin = new NodeUserAdmin(NodeConstants.ROLES_BASEDN); + NodeUserAdmin userAdmin = new NodeUserAdmin(NodeConstants.ROLES_BASEDN, NodeConstants.TOKENS_BASEDN); stopHooks.add(() -> userAdmin.destroy()); bc.registerService(ManagedServiceFactory.class, userAdmin, LangUtils.dico(Constants.SERVICE_PID, NodeConstants.NODE_USER_ADMIN_PID)); diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java index f00c3c769..ba4ad8360 100644 --- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java +++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java @@ -85,8 +85,8 @@ class NodeUserAdmin extends AggregatingUserAdmin implements ManagedServiceFactor private boolean singleUser = false; private boolean systemRolesAvailable = false; - public NodeUserAdmin(String systemRolesBaseDn) { - super(systemRolesBaseDn); + public NodeUserAdmin(String systemRolesBaseDn, String tokensBaseDn) { + super(systemRolesBaseDn, tokensBaseDn); tmTracker = new ServiceTracker<>(bc, TransactionManager.class, null); tmTracker.open(); } diff --git a/org.argeo.enterprise/src/org/argeo/naming/NamingUtils.java b/org.argeo.enterprise/src/org/argeo/naming/NamingUtils.java index cb93e8257..5a868ddb4 100644 --- a/org.argeo.enterprise/src/org/argeo/naming/NamingUtils.java +++ b/org.argeo.enterprise/src/org/argeo/naming/NamingUtils.java @@ -19,6 +19,7 @@ import java.util.List; import java.util.Map; public class NamingUtils { + /** As per https://tools.ietf.org/html/rfc4517#section-3.3.13 */ private final static DateTimeFormatter utcLdapDate = DateTimeFormatter.ofPattern("uuuuMMddHHmmssX") .withZone(ZoneOffset.UTC); @@ -31,6 +32,15 @@ public class NamingUtils { } } + /** @return null if not parseable */ + public static ZonedDateTime ldapDateToZonedDateTime(String ldapDate) { + try { + return OffsetDateTime.parse(ldapDate, utcLdapDate).toZonedDateTime(); + } catch (DateTimeParseException e) { + return null; + } + } + public static Calendar ldapDateToCalendar(String ldapDate) { OffsetDateTime instant = OffsetDateTime.parse(ldapDate, utcLdapDate); GregorianCalendar calendar = new GregorianCalendar(); diff --git a/org.argeo.enterprise/src/org/argeo/osgi/useradmin/AggregatingUserAdmin.java b/org.argeo.enterprise/src/org/argeo/osgi/useradmin/AggregatingUserAdmin.java index b09c8df5e..75ca9ae88 100644 --- a/org.argeo.enterprise/src/org/argeo/osgi/useradmin/AggregatingUserAdmin.java +++ b/org.argeo.enterprise/src/org/argeo/osgi/useradmin/AggregatingUserAdmin.java @@ -26,14 +26,20 @@ import org.osgi.service.useradmin.UserAdmin; */ public class AggregatingUserAdmin implements UserAdmin { private final LdapName systemRolesBaseDn; + private final LdapName tokensBaseDn; // DAOs private AbstractUserDirectory systemRoles = null; + private AbstractUserDirectory tokens = null; private Map businessRoles = new HashMap(); - public AggregatingUserAdmin(String systemRolesBaseDn) { + public AggregatingUserAdmin(String systemRolesBaseDn, String tokensBaseDn) { try { this.systemRolesBaseDn = new LdapName(systemRolesBaseDn); + if (tokensBaseDn != null) + this.tokensBaseDn = new LdapName(tokensBaseDn); + else + this.tokensBaseDn = null; } catch (InvalidNameException e) { throw new UserDirectoryException("Cannot initialize " + AggregatingUserAdmin.class, e); } @@ -130,6 +136,9 @@ public class AggregatingUserAdmin implements UserAdmin { if (isSystemRolesBaseDn(baseDn)) { this.systemRoles = userDirectory; systemRoles.setExternalRoles(this); + } else if (isTokensBaseDn(baseDn)) { + this.tokens = userDirectory; + tokens.setExternalRoles(this); } else { if (businessRoles.containsKey(baseDn)) throw new UserDirectoryException("There is already a user admin for " + baseDn); @@ -155,6 +164,8 @@ public class AggregatingUserAdmin implements UserAdmin { private UserAdmin findUserAdmin(LdapName name) { if (name.startsWith(systemRolesBaseDn)) return systemRoles; + if (tokensBaseDn != null && name.startsWith(tokensBaseDn)) + return tokens; List res = new ArrayList(1); for (LdapName baseDn : businessRoles.keySet()) { if (name.startsWith(baseDn)) { @@ -174,6 +185,10 @@ public class AggregatingUserAdmin implements UserAdmin { return baseDn.equals(systemRolesBaseDn); } + protected boolean isTokensBaseDn(LdapName baseDn) { + return tokensBaseDn != null && baseDn.equals(tokensBaseDn); + } + protected Dictionary currentState() { Dictionary res = new Hashtable(); // res.put(NodeConstants.CN, NodeConstants.DEFAULT); -- 2.30.2