From 04a98505a4ab8f48aee22800fcac193d9367d0ae Mon Sep 17 00:00:00 2001 From: James Moger <james.moger@gitblit.com> Date: Fri, 29 Nov 2013 11:05:51 -0500 Subject: [PATCH] Refactor user services and separate authentication (issue-281) --- src/main/java/com/gitblit/auth/PAMAuthProvider.java | 269 +++++++++++++++++++++++++---------------------------- 1 files changed, 126 insertions(+), 143 deletions(-) diff --git a/src/main/java/com/gitblit/PAMUserService.java b/src/main/java/com/gitblit/auth/PAMAuthProvider.java similarity index 69% rename from src/main/java/com/gitblit/PAMUserService.java rename to src/main/java/com/gitblit/auth/PAMAuthProvider.java index db569fb..bbc82d8 100644 --- a/src/main/java/com/gitblit/PAMUserService.java +++ b/src/main/java/com/gitblit/auth/PAMAuthProvider.java @@ -1,143 +1,126 @@ -/* - * Copyright 2013 gitblit.com. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package com.gitblit; - -import java.io.File; - -import org.jvnet.libpam.PAM; -import org.jvnet.libpam.PAMException; -import org.jvnet.libpam.impl.CLibrary; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import com.gitblit.Constants.AccountType; -import com.gitblit.manager.IRuntimeManager; -import com.gitblit.models.UserModel; -import com.gitblit.utils.ArrayUtils; -import com.gitblit.utils.StringUtils; - -/** - * Implementation of a PAM user service for Linux/Unix/MacOSX. - * - * @author James Moger - */ -public class PAMUserService extends GitblitUserService { - - private final Logger logger = LoggerFactory.getLogger(PAMUserService.class); - - private IStoredSettings settings; - - public PAMUserService() { - super(); - } - - @Override - public void setup(IRuntimeManager runtimeManager) { - this.settings = runtimeManager.getSettings(); - - String file = settings.getString(Keys.realm.pam.backingUserService, "${baseFolder}/users.conf"); - File realmFile = runtimeManager.getFileOrFolder(file); - - serviceImpl = createUserService(realmFile); - logger.info("PAM User Service backed by " + serviceImpl.toString()); - - // Try to identify the passwd database - String [] files = { "/etc/shadow", "/etc/master.passwd" }; - File passwdFile = null; - for (String name : files) { - File f = new File(name); - if (f.exists()) { - passwdFile = f; - break; - } - } - if (passwdFile == null) { - logger.error("PAM User Service could not find a passwd database!"); - } else if (!passwdFile.canRead()) { - logger.error("PAM User Service can not read passwd database {}! PAM authentications may fail!", passwdFile); - } - } - - @Override - public boolean supportsCredentialChanges() { - return false; - } - - @Override - public boolean supportsDisplayNameChanges() { - return true; - } - - @Override - public boolean supportsEmailAddressChanges() { - return true; - } - - @Override - public boolean supportsTeamMembershipChanges() { - return true; - } - - @Override - public AccountType getAccountType() { - return AccountType.PAM; - } - - @Override - public UserModel authenticate(String username, char[] password) { - if (isLocalAccount(username)) { - // local account, bypass PAM authentication - return super.authenticate(username, password); - } - - if (CLibrary.libc.getpwnam(username) == null) { - logger.warn("Can not get PAM passwd for " + username); - return null; - } - - PAM pam = null; - try { - String serviceName = settings.getString(Keys.realm.pam.serviceName, "system-auth"); - pam = new PAM(serviceName); - pam.authenticate(username, new String(password)); - } catch (PAMException e) { - logger.error(e.getMessage()); - return null; - } finally { - pam.dispose(); - } - - UserModel user = getUserModel(username); - if (user == null) // create user object for new authenticated user - user = new UserModel(username.toLowerCase()); - - // create a user cookie - if (StringUtils.isEmpty(user.cookie) && !ArrayUtils.isEmpty(password)) { - user.cookie = StringUtils.getSHA1(user.username + new String(password)); - } - - // update user attributes from UnixUser - user.accountType = getAccountType(); - user.password = Constants.EXTERNAL_ACCOUNT; - - // TODO consider mapping PAM groups to teams - - // push the changes to the backing user service - super.updateUserModel(user); - - return user; - } -} +/* + * Copyright 2013 gitblit.com. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.gitblit.auth; + +import java.io.File; + +import org.jvnet.libpam.PAM; +import org.jvnet.libpam.PAMException; +import org.jvnet.libpam.impl.CLibrary; + +import com.gitblit.Constants; +import com.gitblit.Constants.AccountType; +import com.gitblit.Keys; +import com.gitblit.auth.AuthenticationProvider.UsernamePasswordAuthenticationProvider; +import com.gitblit.models.UserModel; +import com.gitblit.utils.ArrayUtils; +import com.gitblit.utils.StringUtils; + +/** + * Implementation of PAM authentication for Linux/Unix/MacOSX. + * + * @author James Moger + */ +public class PAMAuthProvider extends UsernamePasswordAuthenticationProvider { + + public PAMAuthProvider() { + super("pam"); + } + + @Override + public void setup() { + // Try to identify the passwd database + String [] files = { "/etc/shadow", "/etc/master.passwd" }; + File passwdFile = null; + for (String name : files) { + File f = new File(name); + if (f.exists()) { + passwdFile = f; + break; + } + } + if (passwdFile == null) { + logger.error("PAM Authentication could not find a passwd database!"); + } else if (!passwdFile.canRead()) { + logger.error("PAM Authentication can not read passwd database {}! PAM authentications may fail!", passwdFile); + } + } + + @Override + public boolean supportsCredentialChanges() { + return false; + } + + @Override + public boolean supportsDisplayNameChanges() { + return true; + } + + @Override + public boolean supportsEmailAddressChanges() { + return true; + } + + @Override + public boolean supportsTeamMembershipChanges() { + return true; + } + + @Override + public AccountType getAccountType() { + return AccountType.PAM; + } + + @Override + public UserModel authenticate(String username, char[] password) { + if (CLibrary.libc.getpwnam(username) == null) { + logger.warn("Can not get PAM passwd for " + username); + return null; + } + + PAM pam = null; + try { + String serviceName = settings.getString(Keys.realm.pam.serviceName, "system-auth"); + pam = new PAM(serviceName); + pam.authenticate(username, new String(password)); + } catch (PAMException e) { + logger.error(e.getMessage()); + return null; + } finally { + pam.dispose(); + } + + UserModel user = userManager.getUserModel(username); + if (user == null) // create user object for new authenticated user + user = new UserModel(username.toLowerCase()); + + // create a user cookie + if (StringUtils.isEmpty(user.cookie) && !ArrayUtils.isEmpty(password)) { + user.cookie = StringUtils.getSHA1(user.username + new String(password)); + } + + // update user attributes from UnixUser + user.accountType = getAccountType(); + user.password = Constants.EXTERNAL_ACCOUNT; + + // TODO consider mapping PAM groups to teams + + // push the changes to the backing user service + updateUser(user); + + return user; + } +} -- Gitblit v1.9.1