githubFork/gitblit.git - Solinfo Gitblit

Strip folder name and .git from repo links in the project view

James Moger

2012-09-10 fabe060d3a435f116128851f828e35c2af5fde67

commit \| author \| age
8c9a20	1	/*
JM	2	* Copyright 2011 gitblit.com.
	3	*
	4	* Licensed under the Apache License, Version 2.0 (the "License");
	5	* you may not use this file except in compliance with the License.
	6	* You may obtain a copy of the License at
	7	*
	8	* http://www.apache.org/licenses/LICENSE-2.0
	9	*
	10	* Unless required by applicable law or agreed to in writing, software
	11	* distributed under the License is distributed on an "AS IS" BASIS,
	12	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	13	* See the License for the specific language governing permissions and
	14	* limitations under the License.
	15	*/
	16	package com.gitblit;
	17
	18	import java.io.IOException;
	19	import java.text.MessageFormat;
	20
	21	import javax.servlet.FilterChain;
	22	import javax.servlet.ServletException;
	23	import javax.servlet.ServletRequest;
	24	import javax.servlet.ServletResponse;
	25	import javax.servlet.http.HttpServletRequest;
	26	import javax.servlet.http.HttpServletResponse;
	27
	28	import com.gitblit.models.RepositoryModel;
	29	import com.gitblit.models.UserModel;
	30	import com.gitblit.utils.StringUtils;
	31
	32	/**
ca9d0f	33	* The AccessRestrictionFilter is an AuthenticationFilter that confirms that the
JM	34	* requested repository can be accessed by the anonymous or named user.
892570	35	*
JM	36	* The filter extracts the name of the repository from the url and determines if
	37	* the requested action for the repository requires a Basic authentication
	38	* prompt. If authentication is required and no credentials are stored in the
	39	* "Authorization" header, then a basic authentication challenge is issued.
8c9a20	40	*
JM	41	* http://en.wikipedia.org/wiki/Basic_access_authentication
892570	42	*
JM	43	* @author James Moger
	44	*
8c9a20	45	*/
ca9d0f	46	public abstract class AccessRestrictionFilter extends AuthenticationFilter {
8c9a20	47
892570	48	/**
JM	49	* Extract the repository name from the url.
	50	*
	51	* @param url
	52	* @return repository name
	53	*/
8c9a20	54	protected abstract String extractRepositoryName(String url);
JM	55
892570	56	/**
JM	57	* Analyze the url and returns the action of the request.
	58	*
	59	* @param url
	60	* @return action of the request
	61	*/
	62	protected abstract String getUrlRequestAction(String url);
8c9a20	63
892570	64	/**
b74031	65	* Determine if the action may be executed on the repository.
JM	66	*
	67	* @param repository
	68	* @param action
	69	* @return true if the action may be performed
	70	*/
	71	protected abstract boolean isActionAllowed(RepositoryModel repository, String action);
	72
	73	/**
892570	74	* Determine if the repository requires authentication.
JM	75	*
	76	* @param repository
3f8cd4	77	* @param action
892570	78	* @return true if authentication required
JM	79	*/
3f8cd4	80	protected abstract boolean requiresAuthentication(RepositoryModel repository, String action);
8c9a20	81
892570	82	/**
JM	83	* Determine if the user can access the repository and perform the specified
	84	* action.
	85	*
	86	* @param repository
	87	* @param user
	88	* @param action
	89	* @return true if user may execute the action on the repository
	90	*/
	91	protected abstract boolean canAccess(RepositoryModel repository, UserModel user, String action);
8c9a20	92
892570	93	/**
JM	94	* doFilter does the actual work of preprocessing the request to ensure that
	95	* the user may proceed.
	96	*
88598b	97	* @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest,
JM	98	* javax.servlet.ServletResponse, javax.servlet.FilterChain)
892570	99	*/
8c9a20	100	@Override
JM	101	public void doFilter(final ServletRequest request, final ServletResponse response,
	102	final FilterChain chain) throws IOException, ServletException {
	103
	104	HttpServletRequest httpRequest = (HttpServletRequest) request;
	105	HttpServletResponse httpResponse = (HttpServletResponse) response;
	106
ca9d0f	107	String fullUrl = getFullUrl(httpRequest);
78753b	108	String repository = extractRepositoryName(fullUrl);
8c9a20	109
JM	110	// Determine if the request URL is restricted
	111	String fullSuffix = fullUrl.substring(repository.length());
892570	112	String urlRequestType = getUrlRequestAction(fullSuffix);
8c9a20	113
JM	114	// Load the repository model
	115	RepositoryModel model = GitBlit.self().getRepositoryModel(repository);
	116	if (model == null) {
	117	// repository not found. send 404.
ca9d0f	118	logger.info(MessageFormat.format("ARF: {0} ({1})", fullUrl,
JM	119	HttpServletResponse.SC_NOT_FOUND));
8c9a20	120	httpResponse.sendError(HttpServletResponse.SC_NOT_FOUND);
JM	121	return;
	122	}
b74031	123
JM	124	// Confirm that the action may be executed on the repository
	125	if (!isActionAllowed(model, urlRequestType)) {
	126	logger.info(MessageFormat.format("ARF: action {0} on {1} forbidden ({2})",
	127	urlRequestType, model, HttpServletResponse.SC_FORBIDDEN));
	128	httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
	129	return;
	130	}
8c9a20	131
ca9d0f	132	// Wrap the HttpServletRequest with the AccessRestrictionRequest which
JM	133	// overrides the servlet container user principal methods.
	134	// JGit requires either:
	135	//
	136	// 1. servlet container authenticated user
	137	// 2. http.receivepack = true in each repository's config
	138	//
	139	// Gitblit must conditionally authenticate users per-repository so just
	140	// enabling http.receivepack is insufficient.
	141	AuthenticatedRequest authenticatedRequest = new AuthenticatedRequest(httpRequest);
	142	UserModel user = getUser(httpRequest);
	143	if (user != null) {
	144	authenticatedRequest.setUser(user);
	145	}
	146
8c9a20	147	// BASIC authentication challenge and response processing
3f8cd4	148	if (!StringUtils.isEmpty(urlRequestType) && requiresAuthentication(model, urlRequestType)) {
ca9d0f	149	if (user == null) {
JM	150	// challenge client to provide credentials. send 401.
8c9a20	151	if (GitBlit.isDebugMode()) {
ca9d0f	152	logger.info(MessageFormat.format("ARF: CHALLENGE {0}", fullUrl));
8c9a20	153	}
ca9d0f	154	httpResponse.setHeader("WWW-Authenticate", CHALLENGE);
JM	155	httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
	156	return;
	157	} else {
	158	// check user access for request
	159	if (user.canAdmin \|\| canAccess(model, user, urlRequestType)) {
	160	// authenticated request permitted.
	161	// pass processing to the restricted servlet.
	162	newSession(authenticatedRequest, httpResponse);
	163	logger.info(MessageFormat.format("ARF: {0} ({1}) authenticated", fullUrl,
	164	HttpServletResponse.SC_CONTINUE));
	165	chain.doFilter(authenticatedRequest, httpResponse);
	166	return;
	167	}
	168	// valid user, but not for requested access. send 403.
	169	if (GitBlit.isDebugMode()) {
	170	logger.info(MessageFormat.format("ARF: {0} forbidden to access {1}",
	171	user.username, fullUrl));
	172	}
	173	httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
	174	return;
8c9a20	175	}
JM	176	}
	177
	178	if (GitBlit.isDebugMode()) {
ca9d0f	179	logger.info(MessageFormat.format("ARF: {0} ({1}) unauthenticated", fullUrl,
JM	180	HttpServletResponse.SC_CONTINUE));
8c9a20	181	}
JM	182	// unauthenticated request permitted.
	183	// pass processing to the restricted servlet.
ca9d0f	184	chain.doFilter(authenticatedRequest, httpResponse);
8c9a20	185	}
JM	186	}