| commit | author | age | ||
| 2659e7 | 1 | /* |
| JM | 2 | * Copyright 2013 gitblit.com. |
| 3 | * | |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); | |
| 5 | * you may not use this file except in compliance with the License. | |
| 6 | * You may obtain a copy of the License at | |
| 7 | * | |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 | |
| 9 | * | |
| 10 | * Unless required by applicable law or agreed to in writing, software | |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, | |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
| 13 | * See the License for the specific language governing permissions and | |
| 14 | * limitations under the License. | |
| 15 | */ | |
| 16 | package com.gitblit; | |
| 17 | ||
| 18 | import java.io.File; | |
| 19 | ||
| 20 | import org.jvnet.libpam.PAM; | |
| 21 | import org.jvnet.libpam.PAMException; | |
| 22 | import org.jvnet.libpam.impl.CLibrary; | |
| 23 | import org.slf4j.Logger; | |
| 24 | import org.slf4j.LoggerFactory; | |
| 25 | ||
| 26 | import com.gitblit.Constants.AccountType; | |
| 27 | import com.gitblit.models.UserModel; | |
| 28 | import com.gitblit.utils.ArrayUtils; | |
| 29 | import com.gitblit.utils.StringUtils; | |
| 30 | ||
| 31 | /** | |
| 32 | * Implementation of a PAM user service for Linux/Unix/MacOSX. | |
| 699e71 | 33 | * |
| 2659e7 | 34 | * @author James Moger |
| JM | 35 | */ |
| 36 | public class PAMUserService extends GitblitUserService { | |
| 37 | ||
| 38 | private final Logger logger = LoggerFactory.getLogger(PAMUserService.class); | |
| 39 | ||
| 40 | private IStoredSettings settings; | |
| 699e71 | 41 | |
| 2659e7 | 42 | public PAMUserService() { |
| JM | 43 | super(); |
| 44 | } | |
| 45 | ||
| 46 | @Override | |
| 47 | public void setup(IStoredSettings settings) { | |
| 48 | this.settings = settings; | |
| 49 | ||
| 50 | String file = settings.getString(Keys.realm.pam.backingUserService, "${baseFolder}/users.conf"); | |
| 51 | File realmFile = GitBlit.getFileOrFolder(file); | |
| 52 | ||
| 53 | serviceImpl = createUserService(realmFile); | |
| 54 | logger.info("PAM User Service backed by " + serviceImpl.toString()); | |
| 699e71 | 55 | |
| 2659e7 | 56 | // Try to identify the passwd database |
| JM | 57 | String [] files = { "/etc/shadow", "/etc/master.passwd" }; |
| 58 | File passwdFile = null; | |
| 59 | for (String name : files) { | |
| 60 | File f = new File(name); | |
| 61 | if (f.exists()) { | |
| 62 | passwdFile = f; | |
| 63 | break; | |
| 64 | } | |
| 65 | } | |
| 66 | if (passwdFile == null) { | |
| 67 | logger.error("PAM User Service could not find a passwd database!"); | |
| 68 | } else if (!passwdFile.canRead()) { | |
| 69 | logger.error("PAM User Service can not read passwd database {}! PAM authentications may fail!", passwdFile); | |
| 70 | } | |
| 71 | } | |
| 699e71 | 72 | |
| 2659e7 | 73 | @Override |
| JM | 74 | public boolean supportsCredentialChanges() { |
| 75 | return false; | |
| 76 | } | |
| 77 | ||
| 78 | @Override | |
| 79 | public boolean supportsDisplayNameChanges() { | |
| 80 | return true; | |
| 81 | } | |
| 82 | ||
| 83 | @Override | |
| 84 | public boolean supportsEmailAddressChanges() { | |
| 85 | return true; | |
| 86 | } | |
| 87 | ||
| 88 | @Override | |
| 89 | public boolean supportsTeamMembershipChanges() { | |
| 90 | return true; | |
| 91 | } | |
| 699e71 | 92 | |
| 2659e7 | 93 | @Override |
| JM | 94 | protected AccountType getAccountType() { |
| 95 | return AccountType.PAM; | |
| 96 | } | |
| 97 | ||
| 98 | @Override | |
| 99 | public UserModel authenticate(String username, char[] password) { | |
| 100 | if (isLocalAccount(username)) { | |
| 101 | // local account, bypass PAM authentication | |
| 102 | return super.authenticate(username, password); | |
| 103 | } | |
| 699e71 | 104 | |
| 2659e7 | 105 | if (CLibrary.libc.getpwnam(username) == null) { |
| JM | 106 | logger.warn("Can not get PAM passwd for " + username); |
| 107 | return null; | |
| 108 | } | |
| 109 | ||
| 110 | PAM pam = null; | |
| 111 | try { | |
| 112 | String serviceName = settings.getString(Keys.realm.pam.serviceName, "system-auth"); | |
| 113 | pam = new PAM(serviceName); | |
| 114 | pam.authenticate(username, new String(password)); | |
| 115 | } catch (PAMException e) { | |
| 116 | logger.error(e.getMessage()); | |
| 117 | return null; | |
| 118 | } finally { | |
| 119 | pam.dispose(); | |
| 120 | } | |
| 121 | ||
| 122 | UserModel user = getUserModel(username); | |
| 123 | if (user == null) // create user object for new authenticated user | |
| 124 | user = new UserModel(username.toLowerCase()); | |
| 125 | ||
| 126 | // create a user cookie | |
| 127 | if (StringUtils.isEmpty(user.cookie) && !ArrayUtils.isEmpty(password)) { | |
| 128 | user.cookie = StringUtils.getSHA1(user.username + new String(password)); | |
| 129 | } | |
| 130 | ||
| 131 | // update user attributes from UnixUser | |
| 132 | user.accountType = getAccountType(); | |
| 133 | user.password = Constants.EXTERNAL_ACCOUNT; | |
| 134 | ||
| 135 | // TODO consider mapping PAM groups to teams | |
| 136 | ||
| 137 | // push the changes to the backing user service | |
| 138 | super.updateUserModel(user); | |
| 699e71 | 139 | |
| 2659e7 | 140 | return user; |
| JM | 141 | } |
| 142 | } | |
