| commit | author | age | ||
| 04a985 | 1 | /* |
| JM | 2 | * Copyright 2013 gitblit.com. |
| 3 | * | |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); | |
| 5 | * you may not use this file except in compliance with the License. | |
| 6 | * You may obtain a copy of the License at | |
| 7 | * | |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 | |
| 9 | * | |
| 10 | * Unless required by applicable law or agreed to in writing, software | |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, | |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
| 13 | * See the License for the specific language governing permissions and | |
| 14 | * limitations under the License. | |
| 15 | */ | |
| 16 | package com.gitblit.manager; | |
| 17 | ||
| 18 | import java.nio.charset.Charset; | |
| 19 | import java.security.Principal; | |
| 20 | import java.text.MessageFormat; | |
| 21 | import java.util.ArrayList; | |
| 22 | import java.util.HashMap; | |
| 23 | import java.util.List; | |
| 24 | import java.util.Map; | |
| 7ab32b | 25 | import java.util.concurrent.TimeUnit; |
| 04a985 | 26 | |
| JM | 27 | import javax.servlet.http.Cookie; |
| 28 | import javax.servlet.http.HttpServletRequest; | |
| 29 | import javax.servlet.http.HttpServletResponse; | |
| efdb2b | 30 | import javax.servlet.http.HttpSession; |
| 04a985 | 31 | |
| JM | 32 | import org.slf4j.Logger; |
| 33 | import org.slf4j.LoggerFactory; | |
| 34 | ||
| 35 | import com.gitblit.Constants; | |
| 36 | import com.gitblit.Constants.AccountType; | |
| 37 | import com.gitblit.Constants.AuthenticationType; | |
| 6e3481 | 38 | import com.gitblit.Constants.Role; |
| 04a985 | 39 | import com.gitblit.IStoredSettings; |
| JM | 40 | import com.gitblit.Keys; |
| 41 | import com.gitblit.auth.AuthenticationProvider; | |
| 42 | import com.gitblit.auth.AuthenticationProvider.UsernamePasswordAuthenticationProvider; | |
| 43 | import com.gitblit.auth.HtpasswdAuthProvider; | |
| 46f61d | 44 | import com.gitblit.auth.HttpHeaderAuthProvider; |
| 04a985 | 45 | import com.gitblit.auth.LdapAuthProvider; |
| JM | 46 | import com.gitblit.auth.PAMAuthProvider; |
| 47 | import com.gitblit.auth.RedmineAuthProvider; | |
| 48 | import com.gitblit.auth.SalesforceAuthProvider; | |
| 49 | import com.gitblit.auth.WindowsAuthProvider; | |
| 50 | import com.gitblit.models.TeamModel; | |
| 51 | import com.gitblit.models.UserModel; | |
| bcc8a0 | 52 | import com.gitblit.transport.ssh.SshKey; |
| 04a985 | 53 | import com.gitblit.utils.Base64; |
| JM | 54 | import com.gitblit.utils.HttpUtils; |
| 55 | import com.gitblit.utils.StringUtils; | |
| 56 | import com.gitblit.utils.X509Utils.X509Metadata; | |
| f9980e | 57 | import com.google.inject.Inject; |
| JM | 58 | import com.google.inject.Singleton; |
| 04a985 | 59 | |
| JM | 60 | /** |
| 61 | * The authentication manager handles user login & logout. | |
| 62 | * | |
| 63 | * @author James Moger | |
| 64 | * | |
| 65 | */ | |
| f9980e | 66 | @Singleton |
| 04a985 | 67 | public class AuthenticationManager implements IAuthenticationManager { |
| JM | 68 | |
| 69 | private final Logger logger = LoggerFactory.getLogger(getClass()); | |
| 70 | ||
| 71 | private final IStoredSettings settings; | |
| 72 | ||
| 73 | private final IRuntimeManager runtimeManager; | |
| 74 | ||
| 75 | private final IUserManager userManager; | |
| 76 | ||
| 77 | private final List<AuthenticationProvider> authenticationProviders; | |
| 78 | ||
| 79 | private final Map<String, Class<? extends AuthenticationProvider>> providerNames; | |
| 80 | ||
| 81 | private final Map<String, String> legacyRedirects; | |
| 82 | ||
| 1b34b0 | 83 | @Inject |
| 04a985 | 84 | public AuthenticationManager( |
| JM | 85 | IRuntimeManager runtimeManager, |
| 86 | IUserManager userManager) { | |
| 87 | ||
| 88 | this.settings = runtimeManager.getSettings(); | |
| 89 | this.runtimeManager = runtimeManager; | |
| 90 | this.userManager = userManager; | |
| 91 | this.authenticationProviders = new ArrayList<AuthenticationProvider>(); | |
| 92 | ||
| 93 | // map of shortcut provider names | |
| 94 | providerNames = new HashMap<String, Class<? extends AuthenticationProvider>>(); | |
| 95 | providerNames.put("htpasswd", HtpasswdAuthProvider.class); | |
| 46f61d | 96 | providerNames.put("httpheader", HttpHeaderAuthProvider.class); |
| 04a985 | 97 | providerNames.put("ldap", LdapAuthProvider.class); |
| JM | 98 | providerNames.put("pam", PAMAuthProvider.class); |
| 99 | providerNames.put("redmine", RedmineAuthProvider.class); | |
| 100 | providerNames.put("salesforce", SalesforceAuthProvider.class); | |
| 101 | providerNames.put("windows", WindowsAuthProvider.class); | |
| 102 | ||
| 103 | // map of legacy external user services | |
| 104 | legacyRedirects = new HashMap<String, String>(); | |
| 105 | legacyRedirects.put("com.gitblit.HtpasswdUserService", "htpasswd"); | |
| 106 | legacyRedirects.put("com.gitblit.LdapUserService", "ldap"); | |
| 107 | legacyRedirects.put("com.gitblit.PAMUserService", "pam"); | |
| 108 | legacyRedirects.put("com.gitblit.RedmineUserService", "redmine"); | |
| 109 | legacyRedirects.put("com.gitblit.SalesforceUserService", "salesforce"); | |
| 110 | legacyRedirects.put("com.gitblit.WindowsUserService", "windows"); | |
| 111 | } | |
| 112 | ||
| 113 | @Override | |
| 114 | public AuthenticationManager start() { | |
| 115 | // automatically adjust legacy configurations | |
| 116 | String realm = settings.getString(Keys.realm.userService, "${baseFolder}/users.conf"); | |
| 117 | if (legacyRedirects.containsKey(realm)) { | |
| 118 | logger.warn(""); | |
| 088b6f | 119 | logger.warn(Constants.BORDER2); |
| 04a985 | 120 | logger.warn(" IUserService '{}' is obsolete!", realm); |
| JM | 121 | logger.warn(" Please set '{}={}'", "realm.authenticationProviders", legacyRedirects.get(realm)); |
| 088b6f | 122 | logger.warn(Constants.BORDER2); |
| 04a985 | 123 | logger.warn(""); |
| JM | 124 | |
| 125 | // conditionally override specified authentication providers | |
| 126 | if (StringUtils.isEmpty(settings.getString(Keys.realm.authenticationProviders, null))) { | |
| 127 | settings.overrideSetting(Keys.realm.authenticationProviders, legacyRedirects.get(realm)); | |
| 128 | } | |
| 129 | } | |
| 130 | ||
| 131 | // instantiate and setup specified authentication providers | |
| 132 | List<String> providers = settings.getStrings(Keys.realm.authenticationProviders); | |
| 133 | if (providers.isEmpty()) { | |
| 134 | logger.info("External authentication disabled."); | |
| 135 | } else { | |
| 136 | for (String provider : providers) { | |
| 137 | try { | |
| 138 | Class<?> authClass; | |
| 139 | if (providerNames.containsKey(provider)) { | |
| 140 | // map the name -> class | |
| 141 | authClass = providerNames.get(provider); | |
| 142 | } else { | |
| 143 | // reflective lookup | |
| 144 | authClass = Class.forName(provider); | |
| 145 | } | |
| 146 | logger.info("setting up {}", authClass.getName()); | |
| 147 | AuthenticationProvider authImpl = (AuthenticationProvider) authClass.newInstance(); | |
| 148 | authImpl.setup(runtimeManager, userManager); | |
| 149 | authenticationProviders.add(authImpl); | |
| 150 | } catch (Exception e) { | |
| 151 | logger.error("", e); | |
| 152 | } | |
| 153 | } | |
| 154 | } | |
| 155 | return this; | |
| 156 | } | |
| 157 | ||
| 158 | @Override | |
| 159 | public AuthenticationManager stop() { | |
| 6659fa | 160 | for (AuthenticationProvider provider : authenticationProviders) { |
| JM | 161 | try { |
| 162 | provider.stop(); | |
| 163 | } catch (Exception e) { | |
| 164 | logger.error("Failed to stop " + provider.getClass().getSimpleName(), e); | |
| 165 | } | |
| 166 | } | |
| 04a985 | 167 | return this; |
| JM | 168 | } |
| bcc8a0 | 169 | |
| b4a63a | 170 | public void addAuthenticationProvider(AuthenticationProvider prov) { |
| JM | 171 | authenticationProviders.add(prov); |
| 172 | } | |
| 04a985 | 173 | |
| JM | 174 | /** |
| 46f61d | 175 | * Used to handle authentication for page requests. |
| JJ | 176 | * |
| 177 | * This allows authentication to occur based on the contents of the request | |
| 178 | * itself. If no configured @{AuthenticationProvider}s authenticate succesffully, | |
| 179 | * a request for login will be shown. | |
| 04a985 | 180 | * |
| JM | 181 | * Authentication by X509Certificate is tried first and then by cookie. |
| 182 | * | |
| 183 | * @param httpRequest | |
| 184 | * @return a user object or null | |
| 185 | */ | |
| 186 | @Override | |
| 187 | public UserModel authenticate(HttpServletRequest httpRequest) { | |
| 188 | return authenticate(httpRequest, false); | |
| 189 | } | |
| 190 | ||
| 191 | /** | |
| 192 | * Authenticate a user based on HTTP request parameters. | |
| 193 | * | |
| 46f61d | 194 | * Authentication by custom HTTP header, servlet container principal, X509Certificate, cookie, |
| 04a985 | 195 | * and finally BASIC header. |
| JM | 196 | * |
| 197 | * @param httpRequest | |
| 198 | * @param requiresCertificate | |
| 199 | * @return a user object or null | |
| 200 | */ | |
| 201 | @Override | |
| 202 | public UserModel authenticate(HttpServletRequest httpRequest, boolean requiresCertificate) { | |
| 62e025 | 203 | |
| JJ | 204 | // Check if this request has already been authenticated, and trust that instead of re-processing |
| 205 | String reqAuthUser = (String) httpRequest.getAttribute(Constants.ATTRIB_AUTHUSER); | |
| 206 | if (!StringUtils.isEmpty(reqAuthUser)) { | |
| db09ef | 207 | logger.debug("Called servlet authenticate when request is already authenticated."); |
| 62e025 | 208 | return userManager.getUserModel(reqAuthUser); |
| JJ | 209 | } |
| 210 | ||
| 04a985 | 211 | // try to authenticate by servlet container principal |
| JM | 212 | if (!requiresCertificate) { |
| 213 | Principal principal = httpRequest.getUserPrincipal(); | |
| 214 | if (principal != null) { | |
| 215 | String username = principal.getName(); | |
| 216 | if (!StringUtils.isEmpty(username)) { | |
| 23e08c | 217 | boolean internalAccount = userManager.isInternalAccount(username); |
| 04a985 | 218 | UserModel user = userManager.getUserModel(username); |
| JM | 219 | if (user != null) { |
| 220 | // existing user | |
| 62e025 | 221 | flagRequest(httpRequest, AuthenticationType.CONTAINER, user.username); |
| 04a985 | 222 | logger.debug(MessageFormat.format("{0} authenticated by servlet container principal from {1}", |
| JM | 223 | user.username, httpRequest.getRemoteAddr())); |
| 9aa119 | 224 | return validateAuthentication(user, AuthenticationType.CONTAINER); |
| 04a985 | 225 | } else if (settings.getBoolean(Keys.realm.container.autoCreateAccounts, false) |
| JM | 226 | && !internalAccount) { |
| 227 | // auto-create user from an authenticated container principal | |
| 228 | user = new UserModel(username.toLowerCase()); | |
| 229 | user.displayName = username; | |
| 230 | user.password = Constants.EXTERNAL_ACCOUNT; | |
| 231 | user.accountType = AccountType.CONTAINER; | |
| 2c0555 | 232 | |
| FB | 233 | // Try to extract user's informations for the session |
| 234 | // it uses "realm.container.autoAccounts.*" as the attribute name to look for | |
| 235 | HttpSession session = httpRequest.getSession(); | |
| 236 | String emailAddress = resolveAttribute(session, Keys.realm.container.autoAccounts.emailAddress); | |
| 237 | if(emailAddress != null) { | |
| 238 | user.emailAddress = emailAddress; | |
| 239 | } | |
| 240 | String displayName = resolveAttribute(session, Keys.realm.container.autoAccounts.displayName); | |
| 241 | if(displayName != null) { | |
| 242 | user.displayName = displayName; | |
| 243 | } | |
| 244 | String userLocale = resolveAttribute(session, Keys.realm.container.autoAccounts.locale); | |
| 245 | if(userLocale != null) { | |
| 246 | user.getPreferences().setLocale(userLocale); | |
| 247 | } | |
| 248 | String adminRole = settings.getString(Keys.realm.container.autoAccounts.adminRole, null); | |
| 249 | if(adminRole != null && ! adminRole.isEmpty()) { | |
| 250 | if(httpRequest.isUserInRole(adminRole)) { | |
| 251 | user.canAdmin = true; | |
| 252 | } | |
| 253 | } | |
| 254 | ||
| 04a985 | 255 | userManager.updateUserModel(user); |
| 62e025 | 256 | flagRequest(httpRequest, AuthenticationType.CONTAINER, user.username); |
| 04a985 | 257 | logger.debug(MessageFormat.format("{0} authenticated and created by servlet container principal from {1}", |
| JM | 258 | user.username, httpRequest.getRemoteAddr())); |
| 9aa119 | 259 | return validateAuthentication(user, AuthenticationType.CONTAINER); |
| 04a985 | 260 | } else if (!internalAccount) { |
| JM | 261 | logger.warn(MessageFormat.format("Failed to find UserModel for {0}, attempted servlet container authentication from {1}", |
| 262 | principal.getName(), httpRequest.getRemoteAddr())); | |
| 263 | } | |
| 264 | } | |
| 265 | } | |
| 266 | } | |
| 267 | ||
| 268 | // try to authenticate by certificate | |
| 269 | boolean checkValidity = settings.getBoolean(Keys.git.enforceCertificateValidity, true); | |
| 270 | String [] oids = settings.getStrings(Keys.git.certificateUsernameOIDs).toArray(new String[0]); | |
| 271 | UserModel model = HttpUtils.getUserModelFromCertificate(httpRequest, checkValidity, oids); | |
| 272 | if (model != null) { | |
| 273 | // grab real user model and preserve certificate serial number | |
| 274 | UserModel user = userManager.getUserModel(model.username); | |
| 275 | X509Metadata metadata = HttpUtils.getCertificateMetadata(httpRequest); | |
| 276 | if (user != null) { | |
| 62e025 | 277 | flagRequest(httpRequest, AuthenticationType.CERTIFICATE, user.username); |
| 04a985 | 278 | logger.debug(MessageFormat.format("{0} authenticated by client certificate {1} from {2}", |
| JM | 279 | user.username, metadata.serialNumber, httpRequest.getRemoteAddr())); |
| 9aa119 | 280 | return validateAuthentication(user, AuthenticationType.CERTIFICATE); |
| 04a985 | 281 | } else { |
| JM | 282 | logger.warn(MessageFormat.format("Failed to find UserModel for {0}, attempted client certificate ({1}) authentication from {2}", |
| 283 | model.username, metadata.serialNumber, httpRequest.getRemoteAddr())); | |
| 284 | } | |
| 285 | } | |
| 286 | ||
| 287 | if (requiresCertificate) { | |
| 288 | // caller requires client certificate authentication (e.g. git servlet) | |
| 289 | return null; | |
| 290 | } | |
| 291 | ||
| 7ab32b | 292 | UserModel user = null; |
| JM | 293 | |
| 04a985 | 294 | // try to authenticate by cookie |
| 7ab32b | 295 | String cookie = getCookie(httpRequest); |
| JM | 296 | if (!StringUtils.isEmpty(cookie)) { |
| 297 | user = userManager.getUserModel(cookie.toCharArray()); | |
| 298 | if (user != null) { | |
| 62e025 | 299 | flagRequest(httpRequest, AuthenticationType.COOKIE, user.username); |
| 7ab32b | 300 | logger.debug(MessageFormat.format("{0} authenticated by cookie from {1}", |
| 04a985 | 301 | user.username, httpRequest.getRemoteAddr())); |
| 9aa119 | 302 | return validateAuthentication(user, AuthenticationType.COOKIE); |
| 7ab32b | 303 | } |
| 04a985 | 304 | } |
| JM | 305 | |
| 306 | // try to authenticate by BASIC | |
| 307 | final String authorization = httpRequest.getHeader("Authorization"); | |
| 308 | if (authorization != null && authorization.startsWith("Basic")) { | |
| 309 | // Authorization: Basic base64credentials | |
| 310 | String base64Credentials = authorization.substring("Basic".length()).trim(); | |
| 311 | String credentials = new String(Base64.decode(base64Credentials), | |
| 312 | Charset.forName("UTF-8")); | |
| 313 | // credentials = username:password | |
| 314 | final String[] values = credentials.split(":", 2); | |
| 315 | ||
| 316 | if (values.length == 2) { | |
| 317 | String username = values[0]; | |
| 318 | char[] password = values[1].toCharArray(); | |
| 0d7c65 | 319 | user = authenticate(username, password, httpRequest.getRemoteAddr()); |
| 04a985 | 320 | if (user != null) { |
| 62e025 | 321 | flagRequest(httpRequest, AuthenticationType.CREDENTIALS, user.username); |
| 04a985 | 322 | logger.debug(MessageFormat.format("{0} authenticated by BASIC request header from {1}", |
| JM | 323 | user.username, httpRequest.getRemoteAddr())); |
| 9aa119 | 324 | return validateAuthentication(user, AuthenticationType.CREDENTIALS); |
| 04a985 | 325 | } |
| JM | 326 | } |
| 327 | } | |
| 46f61d | 328 | |
| JJ | 329 | // Check each configured AuthenticationProvider |
| 330 | for (AuthenticationProvider ap : authenticationProviders) { | |
| 331 | UserModel authedUser = ap.authenticate(httpRequest); | |
| 332 | if (null != authedUser) { | |
| 333 | flagRequest(httpRequest, ap.getAuthenticationType(), authedUser.username); | |
| 334 | logger.debug(MessageFormat.format("{0} authenticated by {1} from {2} for {3}", | |
| 335 | authedUser.username, ap.getServiceName(), httpRequest.getRemoteAddr(), | |
| 336 | httpRequest.getPathInfo())); | |
| 337 | return validateAuthentication(authedUser, ap.getAuthenticationType()); | |
| 338 | } | |
| 339 | } | |
| 04a985 | 340 | return null; |
| 9aa119 | 341 | } |
| 2c0555 | 342 | |
| FB | 343 | /** |
| 344 | * Extract given attribute from the session and return it's content | |
| 345 | * it return null if attributeMapping is empty, or if the value is | |
| 346 | * empty | |
| 347 | * | |
| 348 | * @param session The user session | |
| 349 | * @param attributeMapping | |
| 350 | * @return | |
| 351 | */ | |
| 352 | private String resolveAttribute(HttpSession session, String attributeMapping) { | |
| 353 | String attributeName = settings.getString(attributeMapping, null); | |
| 354 | if(StringUtils.isEmpty(attributeName)) { | |
| 355 | return null; | |
| 356 | } | |
| 357 | Object attributeValue = session.getAttribute(attributeName); | |
| 358 | if(attributeValue == null) { | |
| 359 | return null; | |
| 360 | } | |
| 361 | String value = attributeValue.toString(); | |
| 362 | if(value.isEmpty()) { | |
| 363 | return null; | |
| 364 | } | |
| 365 | return value; | |
| 366 | } | |
| 9aa119 | 367 | |
| JM | 368 | /** |
| 44e2ee | 369 | * Authenticate a user based on a public key. |
| e3b636 | 370 | * |
| 44e2ee | 371 | * This implementation assumes that the authentication has already take place |
| JM | 372 | * (e.g. SSHDaemon) and that this is a validation/verification of the user. |
| 373 | * | |
| 374 | * @param username | |
| 375 | * @param key | |
| e3b636 | 376 | * @return a user object or null |
| DO | 377 | */ |
| 378 | @Override | |
| bcc8a0 | 379 | public UserModel authenticate(String username, SshKey key) { |
| e3b636 | 380 | if (username != null) { |
| DO | 381 | if (!StringUtils.isEmpty(username)) { |
| 382 | UserModel user = userManager.getUserModel(username); | |
| 383 | if (user != null) { | |
| 384 | // existing user | |
| 44e2ee | 385 | logger.debug(MessageFormat.format("{0} authenticated by {1} public key", |
| JM | 386 | user.username, key.getAlgorithm())); |
| 387 | return validateAuthentication(user, AuthenticationType.PUBLIC_KEY); | |
| e3b636 | 388 | } |
| 44e2ee | 389 | logger.warn(MessageFormat.format("Failed to find UserModel for {0} during public key authentication", |
| JM | 390 | username)); |
| e3b636 | 391 | } |
| DO | 392 | } else { |
| 44e2ee | 393 | logger.warn("Empty user passed to AuthenticationManager.authenticate!"); |
| e3b636 | 394 | } |
| DO | 395 | return null; |
| 396 | } | |
| 397 | ||
| 398 | ||
| 399 | /** | |
| e97c01 | 400 | * Return the UserModel for already authenticated user. |
| FB | 401 | * |
| 402 | * This implementation assumes that the authentication has already take place | |
| 403 | * (e.g. SSHDaemon) and that this is a validation/verification of the user. | |
| 404 | * | |
| 405 | * @param username | |
| 406 | * @return a user object or null | |
| 407 | */ | |
| 408 | @Override | |
| 409 | public UserModel authenticate(String username) { | |
| 410 | if (username != null) { | |
| 411 | if (!StringUtils.isEmpty(username)) { | |
| 412 | UserModel user = userManager.getUserModel(username); | |
| 413 | if (user != null) { | |
| 414 | // existing user | |
| 415 | logger.debug(MessageFormat.format("{0} authenticated externally", user.username)); | |
| 416 | return validateAuthentication(user, AuthenticationType.CONTAINER); | |
| 417 | } | |
| 418 | logger.warn(MessageFormat.format("Failed to find UserModel for {0} during external authentication", | |
| 419 | username)); | |
| 420 | } | |
| 421 | } else { | |
| 422 | logger.warn("Empty user passed to AuthenticationManager.authenticate!"); | |
| 423 | } | |
| 424 | return null; | |
| 425 | } | |
| 426 | ||
| 427 | ||
| 428 | /** | |
| 9aa119 | 429 | * This method allows the authentication manager to reject authentication |
| JM | 430 | * attempts. It is called after the username/secret have been verified to |
| 431 | * ensure that the authentication technique has been logged. | |
| 432 | * | |
| 433 | * @param user | |
| 434 | * @return | |
| 435 | */ | |
| 436 | protected UserModel validateAuthentication(UserModel user, AuthenticationType type) { | |
| 437 | if (user == null) { | |
| 438 | return null; | |
| 439 | } | |
| 440 | if (user.disabled) { | |
| 441 | // user has been disabled | |
| 442 | logger.warn("Rejected {} authentication attempt by disabled account \"{}\"", | |
| 443 | type, user.username); | |
| 444 | return null; | |
| 445 | } | |
| 446 | return user; | |
| 04a985 | 447 | } |
| JM | 448 | |
| 62e025 | 449 | protected void flagRequest(HttpServletRequest httpRequest, AuthenticationType authenticationType, String authedUsername) { |
| JJ | 450 | httpRequest.setAttribute(Constants.ATTRIB_AUTHUSER, authedUsername); |
| 451 | httpRequest.setAttribute(Constants.ATTRIB_AUTHTYPE, authenticationType); | |
| 04a985 | 452 | } |
| JM | 453 | |
| 454 | /** | |
| 455 | * Authenticate a user based on a username and password. | |
| 456 | * | |
| 457 | * @see IUserService.authenticate(String, char[]) | |
| 458 | * @param username | |
| 459 | * @param password | |
| 460 | * @return a user object or null | |
| 461 | */ | |
| 462 | @Override | |
| 0d7c65 | 463 | public UserModel authenticate(String username, char[] password, String remoteIP) { |
| 04a985 | 464 | if (StringUtils.isEmpty(username)) { |
| JM | 465 | // can not authenticate empty username |
| 466 | return null; | |
| 467 | } | |
| 468 | ||
| 469 | String usernameDecoded = StringUtils.decodeUsername(username); | |
| 470 | String pw = new String(password); | |
| 471 | if (StringUtils.isEmpty(pw)) { | |
| 472 | // can not authenticate empty password | |
| 473 | return null; | |
| 474 | } | |
| 475 | ||
| 476 | UserModel user = userManager.getUserModel(usernameDecoded); | |
| 1293c2 | 477 | |
| JM | 478 | // try local authentication |
| 479 | if (user != null && user.isLocalAccount()) { | |
| 0d7c65 | 480 | UserModel returnedUser = authenticateLocal(user, password); |
| PM | 481 | if (returnedUser != null) { |
| 482 | // user authenticated | |
| 483 | return returnedUser; | |
| 484 | } | |
| 485 | } else { | |
| 486 | // try registered external authentication providers | |
| 487 | for (AuthenticationProvider provider : authenticationProviders) { | |
| 488 | if (provider instanceof UsernamePasswordAuthenticationProvider) { | |
| 489 | UserModel returnedUser = provider.authenticate(usernameDecoded, password); | |
| 490 | if (returnedUser != null) { | |
| 491 | // user authenticated | |
| 492 | returnedUser.accountType = provider.getAccountType(); | |
| 493 | return validateAuthentication(returnedUser, AuthenticationType.CREDENTIALS); | |
| 494 | } | |
| 04a985 | 495 | } |
| JM | 496 | } |
| 497 | } | |
| bcc8a0 | 498 | |
| b4a63a | 499 | // could not authenticate locally or with a provider |
| 0d7c65 | 500 | logger.warn(MessageFormat.format("Failed login attempt for {0}, invalid credentials from {1}", username, |
| PM | 501 | remoteIP != null ? remoteIP : "unknown")); |
| 502 | ||
| b4a63a | 503 | return null; |
| JM | 504 | } |
| bcc8a0 | 505 | |
| b4a63a | 506 | /** |
| JM | 507 | * Returns a UserModel if local authentication succeeds. |
| bcc8a0 | 508 | * |
| b4a63a | 509 | * @param user |
| JM | 510 | * @param password |
| 511 | * @return a UserModel if local authentication succeeds, null otherwise | |
| 512 | */ | |
| 513 | protected UserModel authenticateLocal(UserModel user, char [] password) { | |
| 514 | UserModel returnedUser = null; | |
| 515 | if (user.password.startsWith(StringUtils.MD5_TYPE)) { | |
| 516 | // password digest | |
| 517 | String md5 = StringUtils.MD5_TYPE + StringUtils.getMD5(new String(password)); | |
| 518 | if (user.password.equalsIgnoreCase(md5)) { | |
| 519 | returnedUser = user; | |
| 520 | } | |
| 521 | } else if (user.password.startsWith(StringUtils.COMBINED_MD5_TYPE)) { | |
| 522 | // username+password digest | |
| 523 | String md5 = StringUtils.COMBINED_MD5_TYPE | |
| 524 | + StringUtils.getMD5(user.username.toLowerCase() + new String(password)); | |
| 525 | if (user.password.equalsIgnoreCase(md5)) { | |
| 526 | returnedUser = user; | |
| 527 | } | |
| 528 | } else if (user.password.equals(new String(password))) { | |
| 529 | // plain-text password | |
| 530 | returnedUser = user; | |
| 531 | } | |
| 532 | return validateAuthentication(returnedUser, AuthenticationType.CREDENTIALS); | |
| 04a985 | 533 | } |
| JM | 534 | |
| 535 | /** | |
| 7ab32b | 536 | * Returns the Gitlbit cookie in the request. |
| JM | 537 | * |
| 538 | * @param request | |
| 539 | * @return the Gitblit cookie for the request or null if not found | |
| 540 | */ | |
| 541 | @Override | |
| 542 | public String getCookie(HttpServletRequest request) { | |
| 543 | if (settings.getBoolean(Keys.web.allowCookieAuthentication, true)) { | |
| 544 | Cookie[] cookies = request.getCookies(); | |
| 545 | if (cookies != null && cookies.length > 0) { | |
| 546 | for (Cookie cookie : cookies) { | |
| 547 | if (cookie.getName().equals(Constants.NAME)) { | |
| 548 | String value = cookie.getValue(); | |
| 549 | return value; | |
| 550 | } | |
| 551 | } | |
| 552 | } | |
| 553 | } | |
| 554 | return null; | |
| 555 | } | |
| 556 | ||
| 557 | /** | |
| 04a985 | 558 | * Sets a cookie for the specified user. |
| JM | 559 | * |
| 560 | * @param response | |
| 561 | * @param user | |
| 562 | */ | |
| 563 | @Override | |
| ec7ed8 | 564 | @Deprecated |
| 04a985 | 565 | public void setCookie(HttpServletResponse response, UserModel user) { |
| ec7ed8 | 566 | setCookie(null, response, user); |
| JM | 567 | } |
| 568 | ||
| 569 | /** | |
| 570 | * Sets a cookie for the specified user. | |
| 571 | * | |
| 572 | * @param request | |
| 573 | * @param response | |
| 574 | * @param user | |
| 575 | */ | |
| 576 | @Override | |
| 577 | public void setCookie(HttpServletRequest request, HttpServletResponse response, UserModel user) { | |
| 04a985 | 578 | if (settings.getBoolean(Keys.web.allowCookieAuthentication, true)) { |
| 62e025 | 579 | boolean standardLogin = true; |
| JJ | 580 | |
| 581 | if (null != request) { | |
| 582 | // Pull the auth type from the request, it is set there if container managed | |
| 583 | AuthenticationType authenticationType = (AuthenticationType) request.getAttribute(Constants.ATTRIB_AUTHTYPE); | |
| 584 | ||
| 585 | if (null != authenticationType) | |
| 586 | standardLogin = authenticationType.isStandard(); | |
| 587 | } | |
| 04a985 | 588 | |
| JM | 589 | if (standardLogin) { |
| 590 | Cookie userCookie; | |
| 591 | if (user == null) { | |
| 592 | // clear cookie for logout | |
| 593 | userCookie = new Cookie(Constants.NAME, ""); | |
| 594 | } else { | |
| 595 | // set cookie for login | |
| 596 | String cookie = userManager.getCookie(user); | |
| 597 | if (StringUtils.isEmpty(cookie)) { | |
| 598 | // create empty cookie | |
| 599 | userCookie = new Cookie(Constants.NAME, ""); | |
| 600 | } else { | |
| 601 | // create real cookie | |
| 602 | userCookie = new Cookie(Constants.NAME, cookie); | |
| 7ab32b | 603 | // expire the cookie in 7 days |
| JM | 604 | userCookie.setMaxAge((int) TimeUnit.DAYS.toSeconds(7)); |
| 04a985 | 605 | } |
| JM | 606 | } |
| ec7ed8 | 607 | String path = "/"; |
| JM | 608 | if (request != null) { |
| 609 | if (!StringUtils.isEmpty(request.getContextPath())) { | |
| 610 | path = request.getContextPath(); | |
| 611 | } | |
| 612 | } | |
| 613 | userCookie.setPath(path); | |
| 04a985 | 614 | response.addCookie(userCookie); |
| JM | 615 | } |
| 616 | } | |
| 617 | } | |
| 618 | ||
| 619 | /** | |
| 620 | * Logout a user. | |
| 621 | * | |
| ec7ed8 | 622 | * @param response |
| 04a985 | 623 | * @param user |
| JM | 624 | */ |
| 625 | @Override | |
| ec7ed8 | 626 | @Deprecated |
| 04a985 | 627 | public void logout(HttpServletResponse response, UserModel user) { |
| ec7ed8 | 628 | setCookie(null, response, null); |
| JM | 629 | } |
| 630 | ||
| 631 | /** | |
| 632 | * Logout a user. | |
| 633 | * | |
| 634 | * @param request | |
| 635 | * @param response | |
| 636 | * @param user | |
| 637 | */ | |
| 638 | @Override | |
| 639 | public void logout(HttpServletRequest request, HttpServletResponse response, UserModel user) { | |
| 640 | setCookie(request, response, null); | |
| 04a985 | 641 | } |
| JM | 642 | |
| 643 | /** | |
| 644 | * Returns true if the user's credentials can be changed. | |
| 645 | * | |
| 646 | * @param user | |
| 647 | * @return true if the user service supports credential changes | |
| 648 | */ | |
| 649 | @Override | |
| 650 | public boolean supportsCredentialChanges(UserModel user) { | |
| 651 | return (user != null && user.isLocalAccount()) || findProvider(user).supportsCredentialChanges(); | |
| 652 | } | |
| 653 | ||
| 654 | /** | |
| 655 | * Returns true if the user's display name can be changed. | |
| 656 | * | |
| 657 | * @param user | |
| 658 | * @return true if the user service supports display name changes | |
| 659 | */ | |
| 660 | @Override | |
| 661 | public boolean supportsDisplayNameChanges(UserModel user) { | |
| 662 | return (user != null && user.isLocalAccount()) || findProvider(user).supportsDisplayNameChanges(); | |
| 663 | } | |
| 664 | ||
| 665 | /** | |
| 666 | * Returns true if the user's email address can be changed. | |
| 667 | * | |
| 668 | * @param user | |
| 669 | * @return true if the user service supports email address changes | |
| 670 | */ | |
| 671 | @Override | |
| 672 | public boolean supportsEmailAddressChanges(UserModel user) { | |
| 673 | return (user != null && user.isLocalAccount()) || findProvider(user).supportsEmailAddressChanges(); | |
| 674 | } | |
| 675 | ||
| 676 | /** | |
| 677 | * Returns true if the user's team memberships can be changed. | |
| 678 | * | |
| 679 | * @param user | |
| 680 | * @return true if the user service supports team membership changes | |
| 681 | */ | |
| 682 | @Override | |
| 683 | public boolean supportsTeamMembershipChanges(UserModel user) { | |
| 684 | return (user != null && user.isLocalAccount()) || findProvider(user).supportsTeamMembershipChanges(); | |
| 685 | } | |
| 686 | ||
| 687 | /** | |
| 688 | * Returns true if the team memberships can be changed. | |
| 689 | * | |
| 690 | * @param user | |
| 691 | * @return true if the team membership can be changed | |
| 692 | */ | |
| 693 | @Override | |
| 694 | public boolean supportsTeamMembershipChanges(TeamModel team) { | |
| 695 | return (team != null && team.isLocalTeam()) || findProvider(team).supportsTeamMembershipChanges(); | |
| 696 | } | |
| 697 | ||
| 6e3481 | 698 | /** |
| JM | 699 | * Returns true if the user's role can be changed. |
| 700 | * | |
| 701 | * @param user | |
| 702 | * @return true if the user's role can be changed | |
| 703 | */ | |
| 704 | @Override | |
| 705 | public boolean supportsRoleChanges(UserModel user, Role role) { | |
| 706 | return (user != null && user.isLocalAccount()) || findProvider(user).supportsRoleChanges(user, role); | |
| 707 | } | |
| 708 | ||
| 709 | /** | |
| 710 | * Returns true if the team's role can be changed. | |
| 711 | * | |
| 712 | * @param user | |
| 713 | * @return true if the team's role can be changed | |
| 714 | */ | |
| 715 | @Override | |
| 716 | public boolean supportsRoleChanges(TeamModel team, Role role) { | |
| 717 | return (team != null && team.isLocalTeam()) || findProvider(team).supportsRoleChanges(team, role); | |
| 718 | } | |
| 719 | ||
| 04a985 | 720 | protected AuthenticationProvider findProvider(UserModel user) { |
| JM | 721 | for (AuthenticationProvider provider : authenticationProviders) { |
| 722 | if (provider.getAccountType().equals(user.accountType)) { | |
| 723 | return provider; | |
| 724 | } | |
| 725 | } | |
| 726 | return AuthenticationProvider.NULL_PROVIDER; | |
| 727 | } | |
| 728 | ||
| 729 | protected AuthenticationProvider findProvider(TeamModel team) { | |
| 730 | for (AuthenticationProvider provider : authenticationProviders) { | |
| 731 | if (provider.getAccountType().equals(team.accountType)) { | |
| 732 | return provider; | |
| 733 | } | |
| 734 | } | |
| 735 | return AuthenticationProvider.NULL_PROVIDER; | |
| 736 | } | |
| 737 | } | |
