commit | author | age
|
e97c01
|
1 |
/* |
FB |
2 |
* Copyright 2015 gitblit.com. |
|
3 |
* |
|
4 |
* Licensed under the Apache License, Version 2.0 (the "License"); |
|
5 |
* you may not use this file except in compliance with the License. |
|
6 |
* You may obtain a copy of the License at |
|
7 |
* |
|
8 |
* http://www.apache.org/licenses/LICENSE-2.0 |
|
9 |
* |
|
10 |
* Unless required by applicable law or agreed to in writing, software |
|
11 |
* distributed under the License is distributed on an "AS IS" BASIS, |
|
12 |
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|
13 |
* See the License for the specific language governing permissions and |
|
14 |
* limitations under the License. |
|
15 |
*/ |
|
16 |
package com.gitblit.transport.ssh; |
|
17 |
|
|
18 |
import java.util.Locale; |
92ae83
|
19 |
|
e97c01
|
20 |
import org.apache.sshd.server.auth.gss.GSSAuthenticator; |
FB |
21 |
import org.apache.sshd.server.session.ServerSession; |
|
22 |
import org.slf4j.Logger; |
|
23 |
import org.slf4j.LoggerFactory; |
|
24 |
|
92ae83
|
25 |
import com.gitblit.IStoredSettings; |
JM |
26 |
import com.gitblit.Keys; |
|
27 |
import com.gitblit.manager.IAuthenticationManager; |
|
28 |
import com.gitblit.models.UserModel; |
|
29 |
|
e97c01
|
30 |
public class SshKrbAuthenticator extends GSSAuthenticator { |
92ae83
|
31 |
|
e97c01
|
32 |
protected final Logger log = LoggerFactory.getLogger(getClass()); |
FB |
33 |
protected final IAuthenticationManager authManager; |
7b6c1b
|
34 |
protected final boolean stripDomain; |
e97c01
|
35 |
|
FB |
36 |
|
92ae83
|
37 |
public SshKrbAuthenticator(IStoredSettings settings, IAuthenticationManager authManager) { |
e97c01
|
38 |
this.authManager = authManager; |
92ae83
|
39 |
|
JM |
40 |
String keytabString = settings.getString(Keys.git.sshKrb5Keytab, ""); |
|
41 |
if(! keytabString.isEmpty()) { |
|
42 |
setKeytabFile(keytabString); |
|
43 |
} |
|
44 |
|
|
45 |
String servicePrincipalName = settings.getString(Keys.git.sshKrb5ServicePrincipalName, ""); |
|
46 |
if(! servicePrincipalName.isEmpty()) { |
|
47 |
setServicePrincipalName(servicePrincipalName); |
|
48 |
} |
4e5468
|
49 |
|
be49ef
|
50 |
this.stripDomain = settings.getBoolean(Keys.git.sshKrb5StripDomain, false); |
e97c01
|
51 |
} |
FB |
52 |
|
92ae83
|
53 |
@Override |
e97c01
|
54 |
public boolean validateIdentity(ServerSession session, String identity) { |
FB |
55 |
log.info("identify with kerberos {}", identity); |
92ae83
|
56 |
SshDaemonClient client = session.getAttribute(SshDaemonClient.KEY); |
e97c01
|
57 |
if (client.getUser() != null) { |
FB |
58 |
log.info("{} has already authenticated!", identity); |
|
59 |
return true; |
|
60 |
} |
|
61 |
String username = identity.toLowerCase(Locale.US); |
7b6c1b
|
62 |
if (stripDomain) { |
VF |
63 |
int p = username.indexOf('@'); |
be49ef
|
64 |
if (p > 0) { |
7b6c1b
|
65 |
username = username.substring(0, p); |
be49ef
|
66 |
} |
7b6c1b
|
67 |
} |
e97c01
|
68 |
UserModel user = authManager.authenticate(username); |
FB |
69 |
if (user != null) { |
|
70 |
client.setUser(user); |
|
71 |
return true; |
|
72 |
} |
|
73 |
log.warn("could not authenticate {} for SSH", username); |
|
74 |
return false; |
|
75 |
} |
|
76 |
} |