Support serving repositories over the SSH transport

author Eric Myhre <hash@exultant.us>

Thu, 13 Jun 2013 22:03:24 +0000 (17:03 -0500)

committer James Moger <james.moger@gitblit.com>

Thu, 10 Apr 2014 22:58:07 +0000 (18:58 -0400)
author Eric Myhre <hash@exultant.us>
Thu, 13 Jun 2013 22:03:24 +0000 (17:03 -0500)
committer James Moger <james.moger@gitblit.com>
Thu, 10 Apr 2014 22:58:07 +0000 (18:58 -0400)
diff --git a/.classpath b/.classpath

index fd38d56a781102f0384492c3ea40b2b0ad341230..52377e2a898be14f1b4e0cd1d50ea8c7b3ffe16a 100644 (file)
--- a/.classpath
+++ b/.classpath
@@ -52,6 +52,8 @@
         <classpathentry kind="lib" path="ext/bcprov-jdk15on-1.49.jar" sourcepath="ext/src/bcprov-jdk15on-1.49.jar" />
         <classpathentry kind="lib" path="ext/bcmail-jdk15on-1.49.jar" sourcepath="ext/src/bcmail-jdk15on-1.49.jar" />
         <classpathentry kind="lib" path="ext/bcpkix-jdk15on-1.49.jar" sourcepath="ext/src/bcpkix-jdk15on-1.49.jar" />
+       <classpathentry kind="lib" path="ext/sshd-core-0.6.0.jar" sourcepath="ext/src/sshd-core-0.6.0.jar" />
+       <classpathentry kind="lib" path="ext/mina-core-2.0.2.jar" sourcepath="ext/src/mina-core-2.0.2.jar" />
         <classpathentry kind="lib" path="ext/rome-0.9.jar" sourcepath="ext/src/rome-0.9.jar" />
         <classpathentry kind="lib" path="ext/jdom-1.0.jar" sourcepath="ext/src/jdom-1.0.jar" />
         <classpathentry kind="lib" path="ext/gson-1.7.2.jar" sourcepath="ext/src/gson-1.7.2.jar" />
diff --git a/build.moxie b/build.moxie

index 19a9027fb99711530f2227ebb45bf9404cd5aab0..7c3922665adc8a7edc6339c2b3200acd962f90e1 100644 (file)
--- a/build.moxie
+++ b/build.moxie
@@ -109,6 +109,7 @@ properties: {
    bouncycastle.version : 1.49
    selenium.version : 2.28.0
    wikitext.version : 1.4
+  sshd.version: 0.6.0
    }
  
  # Dependencies
@@ -155,6 +156,7 @@ dependencies:
  - compile 'org.bouncycastle:bcprov-jdk15on:${bouncycastle.version}' :war :authority
  - compile 'org.bouncycastle:bcmail-jdk15on:${bouncycastle.version}' :war :authority
  - compile 'org.bouncycastle:bcpkix-jdk15on:${bouncycastle.version}' :war :authority
+- compile 'org.apache.sshd:sshd-core:${sshd.version}' :war !org.easymock
  - compile 'rome:rome:0.9' :war :manager :api
  - compile 'com.google.code.gson:gson:1.7.2' :war :fedclient :manager :api
  - compile 'org.codehaus.groovy:groovy-all:${groovy.version}' :war
diff --git a/gitblit.iml b/gitblit.iml

index 8e787cbaee3511c1706dc367dc354b010f6d4f9b..c114d4d039bfa3de14052463cda320e214646314 100644 (file)
--- a/gitblit.iml
+++ b/gitblit.iml
@@ -528,6 +528,28 @@
          </SOURCES>
        </library>
      </orderEntry>
+    <orderEntry type="module-library">
+      <library name="sshd-core-0.6.0.jar">
+        <CLASSES>
+          <root url="jar://$MODULE_DIR$/ext/sshd-core-0.6.0.jar!/" />
+        </CLASSES>
+        <JAVADOC />
+        <SOURCES>
+          <root url="jar://$MODULE_DIR$/ext/src/sshd-core-0.6.0.jar!/" />
+        </SOURCES>
+      </library>
+    </orderEntry>
+    <orderEntry type="module-library">
+      <library name="mina-core-2.0.2.jar">
+        <CLASSES>
+          <root url="jar://$MODULE_DIR$/ext/mina-core-2.0.2.jar!/" />
+        </CLASSES>
+        <JAVADOC />
+        <SOURCES>
+          <root url="jar://$MODULE_DIR$/ext/src/mina-core-2.0.2.jar!/" />
+        </SOURCES>
+      </library>
+    </orderEntry>
      <orderEntry type="module-library">
        <library name="rome-0.9.jar">
          <CLASSES>
diff --git a/src/main/distrib/data/gitblit.properties b/src/main/distrib/data/gitblit.properties

index 3c6053940512cdf6419abb55a4001eb7c3647c74..5bc28fd6ec4df09218ad8d750450e380de45bd2d 100644 (file)
--- a/src/main/distrib/data/gitblit.properties
+++ b/src/main/distrib/data/gitblit.properties
@@ -93,6 +93,23 @@ git.daemonBindInterface =
  # RESTART REQUIRED\r
  git.daemonPort = 9418\r
  \r
+# The port for serving the SSH service.  <= 0 disables this service.\r
+# On Unix/Linux systems, ports < 1024 require root permissions.\r
+# Recommended value: 29418\r
+#\r
+# SINCE 1.5.0\r
+# RESTART REQUIRED\r
+git.sshPort = 29418\r
+\r
+# Specify the interface for the SSH daemon to bind its service.\r
+# You may specify an ip or an empty value to bind to all interfaces.\r
+# Specifying localhost will result in Gitblit ONLY listening to requests to\r
+# localhost.\r
+#\r
+# SINCE 1.5.0\r
+# RESTART REQUIRED\r
+git.sshBindInterface = localhost\r
+\r
  # Allow push/pull over http/https with JGit servlet.\r
  # If you do NOT want to allow Git clients to clone/push to Gitblit set this\r
  # to false.  You might want to do this if you are only using ssh:// or git://.\r
diff --git a/src/main/java/com/gitblit/GitBlitServer.java b/src/main/java/com/gitblit/GitBlitServer.java

index 64d3caddb55bdfc8a34bf48dae1d5f718e09f3ac..c37bc3a1e53efd6ce37348a9b969ff7aaf784b18 100644 (file)
--- a/src/main/java/com/gitblit/GitBlitServer.java
+++ b/src/main/java/com/gitblit/GitBlitServer.java
@@ -1,703 +1,707 @@
-/*\r
- * Copyright 2011 gitblit.com.\r
- *\r
- * Licensed under the Apache License, Version 2.0 (the "License");\r
- * you may not use this file except in compliance with the License.\r
- * You may obtain a copy of the License at\r
- *\r
- *     http://www.apache.org/licenses/LICENSE-2.0\r
- *\r
- * Unless required by applicable law or agreed to in writing, software\r
- * distributed under the License is distributed on an "AS IS" BASIS,\r
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
- * See the License for the specific language governing permissions and\r
- * limitations under the License.\r
- */\r
-package com.gitblit;\r
-\r
-import java.io.BufferedReader;\r
-import java.io.BufferedWriter;\r
-import java.io.File;\r
-import java.io.FileWriter;\r
-import java.io.IOException;\r
-import java.io.InputStream;\r
-import java.io.InputStreamReader;\r
-import java.io.OutputStream;\r
-import java.net.InetAddress;\r
-import java.net.ServerSocket;\r
-import java.net.Socket;\r
-import java.net.URI;\r
-import java.net.URL;\r
-import java.net.UnknownHostException;\r
-import java.security.ProtectionDomain;\r
-import java.text.MessageFormat;\r
-import java.util.ArrayList;\r
-import java.util.Date;\r
-import java.util.List;\r
-import java.util.Properties;\r
-import java.util.Scanner;\r
-\r
-import org.apache.log4j.PropertyConfigurator;\r
-import org.eclipse.jetty.ajp.Ajp13SocketConnector;\r
-import org.eclipse.jetty.security.ConstraintMapping;\r
-import org.eclipse.jetty.security.ConstraintSecurityHandler;\r
-import org.eclipse.jetty.server.Connector;\r
-import org.eclipse.jetty.server.Server;\r
-import org.eclipse.jetty.server.bio.SocketConnector;\r
-import org.eclipse.jetty.server.nio.SelectChannelConnector;\r
-import org.eclipse.jetty.server.session.HashSessionManager;\r
-import org.eclipse.jetty.server.ssl.SslConnector;\r
-import org.eclipse.jetty.server.ssl.SslSelectChannelConnector;\r
-import org.eclipse.jetty.server.ssl.SslSocketConnector;\r
-import org.eclipse.jetty.util.security.Constraint;\r
-import org.eclipse.jetty.util.thread.QueuedThreadPool;\r
-import org.eclipse.jetty.webapp.WebAppContext;\r
-import org.eclipse.jgit.storage.file.FileBasedConfig;\r
-import org.eclipse.jgit.util.FS;\r
-import org.eclipse.jgit.util.FileUtils;\r
-import org.kohsuke.args4j.CmdLineException;\r
-import org.kohsuke.args4j.CmdLineParser;\r
-import org.kohsuke.args4j.Option;\r
-import org.slf4j.Logger;\r
-import org.slf4j.LoggerFactory;\r
-\r
-import com.gitblit.authority.GitblitAuthority;\r
-import com.gitblit.authority.NewCertificateConfig;\r
-import com.gitblit.servlet.GitblitContext;\r
-import com.gitblit.utils.StringUtils;\r
-import com.gitblit.utils.TimeUtils;\r
-import com.gitblit.utils.X509Utils;\r
-import com.gitblit.utils.X509Utils.X509Log;\r
-import com.gitblit.utils.X509Utils.X509Metadata;\r
-import com.unboundid.ldap.listener.InMemoryDirectoryServer;\r
-import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;\r
-import com.unboundid.ldap.listener.InMemoryListenerConfig;\r
-import com.unboundid.ldif.LDIFReader;\r
-\r
-/**\r
- * GitBlitServer is the embedded Jetty server for Gitblit GO. This class starts\r
- * and stops an instance of Jetty that is configured from a combination of the\r
- * gitblit.properties file and command line parameters. JCommander is used to\r
- * simplify command line parameter processing. This class also automatically\r
- * generates a self-signed certificate for localhost, if the keystore does not\r
- * already exist.\r
- *\r
- * @author James Moger\r
- *\r
- */\r
-public class GitBlitServer {\r
-\r
-       private static Logger logger;\r
-\r
-       public static void main(String... args) {\r
-               GitBlitServer server = new GitBlitServer();\r
-\r
-               // filter out the baseFolder parameter\r
-               List<String> filtered = new ArrayList<String>();\r
-               String folder = "data";\r
-               for (int i = 0; i < args.length; i++) {\r
-                       String arg = args[i];\r
-                       if (arg.equals("--baseFolder")) {\r
-                               if (i + 1 == args.length) {\r
-                                       System.out.println("Invalid --baseFolder parameter!");\r
-                                       System.exit(-1);\r
-                               } else if (!".".equals(args[i + 1])) {\r
-                                       folder = args[i + 1];\r
-                               }\r
-                               i = i + 1;\r
-                       } else {\r
-                               filtered.add(arg);\r
-                       }\r
-               }\r
-\r
-               Params.baseFolder = folder;\r
-               Params params = new Params();\r
-               CmdLineParser parser = new CmdLineParser(params);\r
-               try {\r
-                       parser.parseArgument(filtered);\r
-                       if (params.help) {\r
-                               server.usage(parser, null);\r
-                       }\r
-               } catch (CmdLineException t) {\r
-                       server.usage(parser, t);\r
-               }\r
-\r
-               if (params.stop) {\r
-                       server.stop(params);\r
-               } else {\r
-                       server.start(params);\r
-               }\r
-       }\r
-\r
-       /**\r
-        * Display the command line usage of Gitblit GO.\r
-        *\r
-        * @param parser\r
-        * @param t\r
-        */\r
-       protected final void usage(CmdLineParser parser, CmdLineException t) {\r
-               System.out.println(Constants.BORDER);\r
-               System.out.println(Constants.getGitBlitVersion());\r
-               System.out.println(Constants.BORDER);\r
-               System.out.println();\r
-               if (t != null) {\r
-                       System.out.println(t.getMessage());\r
-                       System.out.println();\r
-               }\r
-               if (parser != null) {\r
-                       parser.printUsage(System.out);\r
-                       System.out\r
-                                       .println("\nExample:\n  java -server -Xmx1024M -jar gitblit.jar --repositoriesFolder c:\\git --httpPort 80 --httpsPort 443");\r
-               }\r
-               System.exit(0);\r
-       }\r
-\r
-       /**\r
-        * Stop Gitblt GO.\r
-        */\r
-       public void stop(Params params) {\r
-               try {\r
-                       Socket s = new Socket(InetAddress.getByName("127.0.0.1"), params.shutdownPort);\r
-                       OutputStream out = s.getOutputStream();\r
-                       System.out.println("Sending Shutdown Request to " + Constants.NAME);\r
-                       out.write("\r\n".getBytes());\r
-                       out.flush();\r
-                       s.close();\r
-               } catch (UnknownHostException e) {\r
-                       e.printStackTrace();\r
-               } catch (IOException e) {\r
-                       e.printStackTrace();\r
-               }\r
-       }\r
-\r
-       /**\r
-        * Start Gitblit GO.\r
-        */\r
-       protected final void start(Params params) {\r
-               final File baseFolder = new File(Params.baseFolder).getAbsoluteFile();\r
-               FileSettings settings = params.FILESETTINGS;\r
-               if (!StringUtils.isEmpty(params.settingsfile)) {\r
-                       if (new File(params.settingsfile).exists()) {\r
-                               settings = new FileSettings(params.settingsfile);\r
-                       }\r
-               }\r
-\r
-               if (params.dailyLogFile) {\r
-                       // Configure log4j for daily log file generation\r
-                       InputStream is = null;\r
-                       try {\r
-                               is = getClass().getResourceAsStream("/log4j.properties");\r
-                               Properties loggingProperties = new Properties();\r
-                               loggingProperties.load(is);\r
-\r
-                               loggingProperties.put("log4j.appender.R.File", new File(baseFolder, "logs/gitblit.log").getAbsolutePath());\r
-                               loggingProperties.put("log4j.rootCategory", "INFO, R");\r
-\r
-                               if (settings.getBoolean(Keys.web.debugMode, false)) {\r
-                                       loggingProperties.put("log4j.logger.com.gitblit", "DEBUG");\r
-                               }\r
-\r
-                               PropertyConfigurator.configure(loggingProperties);\r
-                       } catch (Exception e) {\r
-                               e.printStackTrace();\r
-                       } finally {\r
-                               try {\r
-                                       is.close();\r
-                               } catch (IOException e) {\r
-                                       e.printStackTrace();\r
-                               }\r
-                       }\r
-               }\r
-\r
-               logger = LoggerFactory.getLogger(GitBlitServer.class);\r
-               logger.info(Constants.BORDER);\r
-               logger.info("            _____  _  _    _      _  _  _");\r
-               logger.info("           |  __ \\(_)| |  | |    | |(_)| |");\r
-               logger.info("           | |  \\/ _ | |_ | |__  | | _ | |_");\r
-               logger.info("           | | __ | || __|| '_ \\ | || || __|");\r
-               logger.info("           | |_\\ \\| || |_ | |_) || || || |_");\r
-               logger.info("            \\____/|_| \\__||_.__/ |_||_| \\__|");\r
-               int spacing = (Constants.BORDER.length() - Constants.getGitBlitVersion().length()) / 2;\r
-               StringBuilder sb = new StringBuilder();\r
-               while (spacing > 0) {\r
-                       spacing--;\r
-                       sb.append(' ');\r
-               }\r
-               logger.info(sb.toString() + Constants.getGitBlitVersion());\r
-               logger.info("");\r
-               logger.info(Constants.BORDER);\r
-\r
-               System.setProperty("java.awt.headless", "true");\r
-\r
-               String osname = System.getProperty("os.name");\r
-               String osversion = System.getProperty("os.version");\r
-               logger.info("Running on " + osname + " (" + osversion + ")");\r
-\r
-               List<Connector> connectors = new ArrayList<Connector>();\r
-\r
-               // conditionally configure the http connector\r
-               if (params.port > 0) {\r
-                       Connector httpConnector = createConnector(params.useNIO, params.port, settings.getInteger(Keys.server.threadPoolSize, 50));\r
-                       String bindInterface = settings.getString(Keys.server.httpBindInterface, null);\r
-                       if (!StringUtils.isEmpty(bindInterface)) {\r
-                               logger.warn(MessageFormat.format("Binding connector on port {0,number,0} to {1}",\r
-                                               params.port, bindInterface));\r
-                               httpConnector.setHost(bindInterface);\r
-                       }\r
-                       if (params.port < 1024 && !isWindows()) {\r
-                               logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!");\r
-                       }\r
-                       if (params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) {\r
-                               // redirect HTTP requests to HTTPS\r
-                               if (httpConnector instanceof SelectChannelConnector) {\r
-                                       ((SelectChannelConnector) httpConnector).setConfidentialPort(params.securePort);\r
-                               } else {\r
-                                       ((SocketConnector) httpConnector).setConfidentialPort(params.securePort);\r
-                               }\r
-                       }\r
-                       connectors.add(httpConnector);\r
-               }\r
-\r
-               // conditionally configure the https connector\r
-               if (params.securePort > 0) {\r
-                       File certificatesConf = new File(baseFolder, X509Utils.CA_CONFIG);\r
-                       File serverKeyStore = new File(baseFolder, X509Utils.SERVER_KEY_STORE);\r
-                       File serverTrustStore = new File(baseFolder, X509Utils.SERVER_TRUST_STORE);\r
-                       File caRevocationList = new File(baseFolder, X509Utils.CA_REVOCATION_LIST);\r
-\r
-                       // generate CA & web certificates, create certificate stores\r
-                       X509Metadata metadata = new X509Metadata("localhost", params.storePassword);\r
-                       // set default certificate values from config file\r
-                       if (certificatesConf.exists()) {\r
-                               FileBasedConfig config = new FileBasedConfig(certificatesConf, FS.detect());\r
-                               try {\r
-                                       config.load();\r
-                               } catch (Exception e) {\r
-                                       logger.error("Error parsing " + certificatesConf, e);\r
-                               }\r
-                               NewCertificateConfig certificateConfig = NewCertificateConfig.KEY.parse(config);\r
-                               certificateConfig.update(metadata);\r
-                       }\r
-\r
-                       metadata.notAfter = new Date(System.currentTimeMillis() + 10*TimeUtils.ONEYEAR);\r
-                       X509Utils.prepareX509Infrastructure(metadata, baseFolder, new X509Log() {\r
-                               @Override\r
-                               public void log(String message) {\r
-                                       BufferedWriter writer = null;\r
-                                       try {\r
-                                               writer = new BufferedWriter(new FileWriter(new File(baseFolder, X509Utils.CERTS + File.separator + "log.txt"), true));\r
-                                               writer.write(MessageFormat.format("{0,date,yyyy-MM-dd HH:mm}: {1}", new Date(), message));\r
-                                               writer.newLine();\r
-                                               writer.flush();\r
-                                       } catch (Exception e) {\r
-                                               LoggerFactory.getLogger(GitblitAuthority.class).error("Failed to append log entry!", e);\r
-                                       } finally {\r
-                                               if (writer != null) {\r
-                                                       try {\r
-                                                               writer.close();\r
-                                                       } catch (IOException e) {\r
-                                                       }\r
-                                               }\r
-                                       }\r
-                               }\r
-                       });\r
-\r
-                       if (serverKeyStore.exists()) {\r
-                               Connector secureConnector = createSSLConnector(params.alias, serverKeyStore, serverTrustStore, params.storePassword,\r
-                                               caRevocationList, params.useNIO, params.securePort, settings.getInteger(Keys.server.threadPoolSize, 50), params.requireClientCertificates);\r
-                               String bindInterface = settings.getString(Keys.server.httpsBindInterface, null);\r
-                               if (!StringUtils.isEmpty(bindInterface)) {\r
-                                       logger.warn(MessageFormat.format(\r
-                                                       "Binding ssl connector on port {0,number,0} to {1}", params.securePort,\r
-                                                       bindInterface));\r
-                                       secureConnector.setHost(bindInterface);\r
-                               }\r
-                               if (params.securePort < 1024 && !isWindows()) {\r
-                                       logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!");\r
-                               }\r
-                               connectors.add(secureConnector);\r
-                       } else {\r
-                               logger.warn("Failed to find or load Keystore?");\r
-                               logger.warn("SSL connector DISABLED.");\r
-                       }\r
-               }\r
-\r
-               // conditionally configure the ajp connector\r
-               if (params.ajpPort > 0) {\r
-                       Connector ajpConnector = createAJPConnector(params.ajpPort);\r
-                       String bindInterface = settings.getString(Keys.server.ajpBindInterface, null);\r
-                       if (!StringUtils.isEmpty(bindInterface)) {\r
-                               logger.warn(MessageFormat.format("Binding connector on port {0,number,0} to {1}",\r
-                                               params.ajpPort, bindInterface));\r
-                               ajpConnector.setHost(bindInterface);\r
-                       }\r
-                       if (params.ajpPort < 1024 && !isWindows()) {\r
-                               logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!");\r
-                       }\r
-                       connectors.add(ajpConnector);\r
-               }\r
-\r
-               // tempDir is where the embedded Gitblit web application is expanded and\r
-               // where Jetty creates any necessary temporary files\r
-               File tempDir = com.gitblit.utils.FileUtils.resolveParameter(Constants.baseFolder$, baseFolder, params.temp);\r
-               if (tempDir.exists()) {\r
-                       try {\r
-                               FileUtils.delete(tempDir, FileUtils.RECURSIVE | FileUtils.RETRY);\r
-                       } catch (IOException x) {\r
-                               logger.warn("Failed to delete temp dir " + tempDir.getAbsolutePath(), x);\r
-                       }\r
-               }\r
-               if (!tempDir.mkdirs()) {\r
-                       logger.warn("Failed to create temp dir " + tempDir.getAbsolutePath());\r
-               }\r
-\r
-               Server server = new Server();\r
-               server.setStopAtShutdown(true);\r
-               server.setConnectors(connectors.toArray(new Connector[connectors.size()]));\r
-\r
-               // Get the execution path of this class\r
-               // We use this to set the WAR path.\r
-               ProtectionDomain protectionDomain = GitBlitServer.class.getProtectionDomain();\r
-               URL location = protectionDomain.getCodeSource().getLocation();\r
-\r
-               // Root WebApp Context\r
-               WebAppContext rootContext = new WebAppContext();\r
-               rootContext.setContextPath(settings.getString(Keys.server.contextPath, "/"));\r
-               rootContext.setServer(server);\r
-               rootContext.setWar(location.toExternalForm());\r
-               rootContext.setTempDirectory(tempDir);\r
-\r
-               // Set cookies HttpOnly so they are not accessible to JavaScript engines\r
-               HashSessionManager sessionManager = new HashSessionManager();\r
-               sessionManager.setHttpOnly(true);\r
-               // Use secure cookies if only serving https\r
-               sessionManager.setSecureRequestOnly(params.port <= 0 && params.securePort > 0);\r
-               rootContext.getSessionHandler().setSessionManager(sessionManager);\r
-\r
-               // Ensure there is a defined User Service\r
-               String realmUsers = params.userService;\r
-               if (StringUtils.isEmpty(realmUsers)) {\r
-                       logger.error(MessageFormat.format("PLEASE SPECIFY {0}!!", Keys.realm.userService));\r
-                       return;\r
-               }\r
-\r
-               // Override settings from the command-line\r
-               settings.overrideSetting(Keys.realm.userService, params.userService);\r
-               settings.overrideSetting(Keys.git.repositoriesFolder, params.repositoriesFolder);\r
-               settings.overrideSetting(Keys.git.daemonPort, params.gitPort);\r
-\r
-               // Start up an in-memory LDAP server, if configured\r
-               try {\r
-                       if (!StringUtils.isEmpty(params.ldapLdifFile)) {\r
-                               File ldifFile = new File(params.ldapLdifFile);\r
-                               if (ldifFile != null && ldifFile.exists()) {\r
-                                       URI ldapUrl = new URI(settings.getRequiredString(Keys.realm.ldap.server));\r
-                                       String firstLine = new Scanner(ldifFile).nextLine();\r
-                                       String rootDN = firstLine.substring(4);\r
-                                       String bindUserName = settings.getString(Keys.realm.ldap.username, "");\r
-                                       String bindPassword = settings.getString(Keys.realm.ldap.password, "");\r
-\r
-                                       // Get the port\r
-                                       int port = ldapUrl.getPort();\r
-                                       if (port == -1)\r
-                                               port = 389;\r
-\r
-                                       InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig(rootDN);\r
-                                       config.addAdditionalBindCredentials(bindUserName, bindPassword);\r
-                                       config.setListenerConfigs(InMemoryListenerConfig.createLDAPConfig("default", port));\r
-                                       config.setSchema(null);\r
-\r
-                                       InMemoryDirectoryServer ds = new InMemoryDirectoryServer(config);\r
-                                       ds.importFromLDIF(true, new LDIFReader(ldifFile));\r
-                                       ds.startListening();\r
-\r
-                                       logger.info("LDAP Server started at ldap://localhost:" + port);\r
-                               }\r
-                       }\r
-               } catch (Exception e) {\r
-                       // Completely optional, just show a warning\r
-                       logger.warn("Unable to start LDAP server", e);\r
-               }\r
-\r
-               // Set the server's contexts\r
-               server.setHandler(rootContext);\r
-\r
-               // redirect HTTP requests to HTTPS\r
-               if (params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) {\r
-                       logger.info(String.format("Configuring automatic http(%1$s) -> https(%2$s) redirects", params.port, params.securePort));\r
-                       // Create the internal mechanisms to handle secure connections and redirects\r
-                       Constraint constraint = new Constraint();\r
-                       constraint.setDataConstraint(Constraint.DC_CONFIDENTIAL);\r
-\r
-                       ConstraintMapping cm = new ConstraintMapping();\r
-                       cm.setConstraint(constraint);\r
-                       cm.setPathSpec("/*");\r
-\r
-                       ConstraintSecurityHandler sh = new ConstraintSecurityHandler();\r
-                       sh.setConstraintMappings(new ConstraintMapping[] { cm });\r
-\r
-                       // Configure this context to use the Security Handler defined before\r
-                       rootContext.setHandler(sh);\r
-               }\r
-\r
-               // Setup the Gitblit context\r
-               GitblitContext gitblit = newGitblit(settings, baseFolder);\r
-               rootContext.addEventListener(gitblit);\r
-\r
-               try {\r
-                       // start the shutdown monitor\r
-                       if (params.shutdownPort > 0) {\r
-                               Thread shutdownMonitor = new ShutdownMonitorThread(server, params);\r
-                               shutdownMonitor.start();\r
-                       }\r
-\r
-                       // start Jetty\r
-                       server.start();\r
-                       server.join();\r
-               } catch (Exception e) {\r
-                       e.printStackTrace();\r
-                       System.exit(100);\r
-               }\r
-       }\r
-\r
-       protected GitblitContext newGitblit(IStoredSettings settings, File baseFolder) {\r
-               return new GitblitContext(settings, baseFolder);\r
-       }\r
-\r
-       /**\r
-        * Creates an http connector.\r
-        *\r
-        * @param useNIO\r
-        * @param port\r
-        * @param threadPoolSize\r
-        * @return an http connector\r
-        */\r
-       private Connector createConnector(boolean useNIO, int port, int threadPoolSize) {\r
-               Connector connector;\r
-               if (useNIO) {\r
-                       logger.info("Setting up NIO SelectChannelConnector on port " + port);\r
-                       SelectChannelConnector nioconn = new SelectChannelConnector();\r
-                       nioconn.setSoLingerTime(-1);\r
-                       if (threadPoolSize > 0) {\r
-                               nioconn.setThreadPool(new QueuedThreadPool(threadPoolSize));\r
-                       }\r
-                       connector = nioconn;\r
-               } else {\r
-                       logger.info("Setting up SocketConnector on port " + port);\r
-                       SocketConnector sockconn = new SocketConnector();\r
-                       if (threadPoolSize > 0) {\r
-                               sockconn.setThreadPool(new QueuedThreadPool(threadPoolSize));\r
-                       }\r
-                       connector = sockconn;\r
-               }\r
-\r
-               connector.setPort(port);\r
-               connector.setMaxIdleTime(30000);\r
-               return connector;\r
-       }\r
-\r
-       /**\r
-        * Creates an https connector.\r
-        *\r
-        * SSL renegotiation will be enabled if the JVM is 1.6.0_22 or later.\r
-        * oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html\r
-        *\r
-        * @param certAlias\r
-        * @param keyStore\r
-        * @param clientTrustStore\r
-        * @param storePassword\r
-        * @param caRevocationList\r
-        * @param useNIO\r
-        * @param port\r
-        * @param threadPoolSize\r
-        * @param requireClientCertificates\r
-        * @return an https connector\r
-        */\r
-       private Connector createSSLConnector(String certAlias, File keyStore, File clientTrustStore,\r
-                       String storePassword, File caRevocationList, boolean useNIO,  int port, int threadPoolSize,\r
-                       boolean requireClientCertificates) {\r
-               GitblitSslContextFactory factory = new GitblitSslContextFactory(certAlias,\r
-                               keyStore, clientTrustStore, storePassword, caRevocationList);\r
-               SslConnector connector;\r
-               if (useNIO) {\r
-                       logger.info("Setting up NIO SslSelectChannelConnector on port " + port);\r
-                       SslSelectChannelConnector ssl = new SslSelectChannelConnector(factory);\r
-                       ssl.setSoLingerTime(-1);\r
-                       if (requireClientCertificates) {\r
-                               factory.setNeedClientAuth(true);\r
-                       } else {\r
-                               factory.setWantClientAuth(true);\r
-                       }\r
-                       if (threadPoolSize > 0) {\r
-                               ssl.setThreadPool(new QueuedThreadPool(threadPoolSize));\r
-                       }\r
-                       connector = ssl;\r
-               } else {\r
-                       logger.info("Setting up NIO SslSocketConnector on port " + port);\r
-                       SslSocketConnector ssl = new SslSocketConnector(factory);\r
-                       if (threadPoolSize > 0) {\r
-                               ssl.setThreadPool(new QueuedThreadPool(threadPoolSize));\r
-                       }\r
-                       connector = ssl;\r
-               }\r
-               connector.setPort(port);\r
-               connector.setMaxIdleTime(30000);\r
-\r
-               return connector;\r
-       }\r
-\r
-       /**\r
-        * Creates an ajp connector.\r
-        *\r
-        * @param port\r
-        * @return an ajp connector\r
-        */\r
-       private Connector createAJPConnector(int port) {\r
-               logger.info("Setting up AJP Connector on port " + port);\r
-               Ajp13SocketConnector ajp = new Ajp13SocketConnector();\r
-               ajp.setPort(port);\r
-               if (port < 1024 && !isWindows()) {\r
-                       logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!");\r
-               }\r
-               return ajp;\r
-       }\r
-\r
-       /**\r
-        * Tests to see if the operating system is Windows.\r
-        *\r
-        * @return true if this is a windows machine\r
-        */\r
-       private boolean isWindows() {\r
-               return System.getProperty("os.name").toLowerCase().indexOf("windows") > -1;\r
-       }\r
-\r
-       /**\r
-        * The ShutdownMonitorThread opens a socket on a specified port and waits\r
-        * for an incoming connection. When that connection is accepted a shutdown\r
-        * message is issued to the running Jetty server.\r
-        *\r
-        * @author James Moger\r
-        *\r
-        */\r
-       private static class ShutdownMonitorThread extends Thread {\r
-\r
-               private final ServerSocket socket;\r
-\r
-               private final Server server;\r
-\r
-               private final Logger logger = LoggerFactory.getLogger(ShutdownMonitorThread.class);\r
-\r
-               public ShutdownMonitorThread(Server server, Params params) {\r
-                       this.server = server;\r
-                       setDaemon(true);\r
-                       setName(Constants.NAME + " Shutdown Monitor");\r
-                       ServerSocket skt = null;\r
-                       try {\r
-                               skt = new ServerSocket(params.shutdownPort, 1, InetAddress.getByName("127.0.0.1"));\r
-                       } catch (Exception e) {\r
-                               logger.warn("Could not open shutdown monitor on port " + params.shutdownPort, e);\r
-                       }\r
-                       socket = skt;\r
-               }\r
-\r
-               @Override\r
-               public void run() {\r
-                       logger.info("Shutdown Monitor listening on port " + socket.getLocalPort());\r
-                       Socket accept;\r
-                       try {\r
-                               accept = socket.accept();\r
-                               BufferedReader reader = new BufferedReader(new InputStreamReader(\r
-                                               accept.getInputStream()));\r
-                               reader.readLine();\r
-                               logger.info(Constants.BORDER);\r
-                               logger.info("Stopping " + Constants.NAME);\r
-                               logger.info(Constants.BORDER);\r
-                               server.stop();\r
-                               server.setStopAtShutdown(false);\r
-                               accept.close();\r
-                               socket.close();\r
-                       } catch (Exception e) {\r
-                               logger.warn("Failed to shutdown Jetty", e);\r
-                       }\r
-               }\r
-       }\r
-\r
-       /**\r
-        * Parameters class for GitBlitServer.\r
-        */\r
-       public static class Params {\r
-\r
-               public static String baseFolder;\r
-\r
-               private final FileSettings FILESETTINGS = new FileSettings(new File(baseFolder, Constants.PROPERTIES_FILE).getAbsolutePath());\r
-\r
-               /*\r
-                * Server parameters\r
-                */\r
-               @Option(name = "--help", aliases = { "-h"}, usage = "Show this help")\r
-               public Boolean help = false;\r
-\r
-               @Option(name = "--stop", usage = "Stop Server")\r
-               public Boolean stop = false;\r
-\r
-               @Option(name = "--tempFolder", usage = "Folder for server to extract built-in webapp", metaVar="PATH")\r
-               public String temp = FILESETTINGS.getString(Keys.server.tempFolder, "temp");\r
-\r
-               @Option(name = "--dailyLogFile", usage = "Log to a rolling daily log file INSTEAD of stdout.")\r
-               public Boolean dailyLogFile = false;\r
-\r
-               /*\r
-                * GIT Servlet Parameters\r
-                */\r
-               @Option(name = "--repositoriesFolder", usage = "Git Repositories Folder", metaVar="PATH")\r
-               public String repositoriesFolder = FILESETTINGS.getString(Keys.git.repositoriesFolder,\r
-                               "git");\r
-\r
-               /*\r
-                * Authentication Parameters\r
-                */\r
-               @Option(name = "--userService", usage = "Authentication and Authorization Service (filename or fully qualified classname)")\r
-               public String userService = FILESETTINGS.getString(Keys.realm.userService,\r
-                               "users.conf");\r
-\r
-               /*\r
-                * JETTY Parameters\r
-                */\r
-               @Option(name = "--useNio", usage = "Use NIO Connector else use Socket Connector.")\r
-               public Boolean useNIO = FILESETTINGS.getBoolean(Keys.server.useNio, true);\r
-\r
-               @Option(name = "--httpPort", usage = "HTTP port for to serve. (port <= 0 will disable this connector)", metaVar="PORT")\r
-               public Integer port = FILESETTINGS.getInteger(Keys.server.httpPort, 0);\r
-\r
-               @Option(name = "--httpsPort", usage = "HTTPS port to serve.  (port <= 0 will disable this connector)", metaVar="PORT")\r
-               public Integer securePort = FILESETTINGS.getInteger(Keys.server.httpsPort, 8443);\r
-\r
-               @Option(name = "--ajpPort", usage = "AJP port to serve.  (port <= 0 will disable this connector)", metaVar="PORT")\r
-               public Integer ajpPort = FILESETTINGS.getInteger(Keys.server.ajpPort, 0);\r
-\r
-               @Option(name = "--gitPort", usage = "Git Daemon port to serve.  (port <= 0 will disable this connector)", metaVar="PORT")\r
-               public Integer gitPort = FILESETTINGS.getInteger(Keys.git.daemonPort, 9418);\r
-\r
-               @Option(name = "--alias", usage = "Alias of SSL certificate in keystore for serving https.", metaVar="ALIAS")\r
-               public String alias = FILESETTINGS.getString(Keys.server.certificateAlias, "");\r
-\r
-               @Option(name = "--storePassword", usage = "Password for SSL (https) keystore.", metaVar="PASSWORD")\r
-               public String storePassword = FILESETTINGS.getString(Keys.server.storePassword, "");\r
-\r
-               @Option(name = "--shutdownPort", usage = "Port for Shutdown Monitor to listen on. (port <= 0 will disable this monitor)", metaVar="PORT")\r
-               public Integer shutdownPort = FILESETTINGS.getInteger(Keys.server.shutdownPort, 8081);\r
-\r
-               @Option(name = "--requireClientCertificates", usage = "Require client X509 certificates for https connections.")\r
-               public Boolean requireClientCertificates = FILESETTINGS.getBoolean(Keys.server.requireClientCertificates, false);\r
-\r
-               /*\r
-                * Setting overrides\r
-                */\r
-               @Option(name = "--settings", usage = "Path to alternative settings", metaVar="FILE")\r
-               public String settingsfile;\r
-\r
-               @Option(name = "--ldapLdifFile", usage = "Path to LDIF file.  This will cause an in-memory LDAP server to be started according to gitblit settings", metaVar="FILE")\r
-               public String ldapLdifFile;\r
-\r
-       }\r
+/*
+ * Copyright 2011 gitblit.com.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gitblit;
+
+import java.io.BufferedReader;
+import java.io.BufferedWriter;
+import java.io.File;
+import java.io.FileWriter;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.OutputStream;
+import java.net.InetAddress;
+import java.net.ServerSocket;
+import java.net.Socket;
+import java.net.URI;
+import java.net.URL;
+import java.net.UnknownHostException;
+import java.security.ProtectionDomain;
+import java.text.MessageFormat;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.List;
+import java.util.Properties;
+import java.util.Scanner;
+
+import org.apache.log4j.PropertyConfigurator;
+import org.eclipse.jetty.ajp.Ajp13SocketConnector;
+import org.eclipse.jetty.security.ConstraintMapping;
+import org.eclipse.jetty.security.ConstraintSecurityHandler;
+import org.eclipse.jetty.server.Connector;
+import org.eclipse.jetty.server.Server;
+import org.eclipse.jetty.server.bio.SocketConnector;
+import org.eclipse.jetty.server.nio.SelectChannelConnector;
+import org.eclipse.jetty.server.session.HashSessionManager;
+import org.eclipse.jetty.server.ssl.SslConnector;
+import org.eclipse.jetty.server.ssl.SslSelectChannelConnector;
+import org.eclipse.jetty.server.ssl.SslSocketConnector;
+import org.eclipse.jetty.util.security.Constraint;
+import org.eclipse.jetty.util.thread.QueuedThreadPool;
+import org.eclipse.jetty.webapp.WebAppContext;
+import org.eclipse.jgit.storage.file.FileBasedConfig;
+import org.eclipse.jgit.util.FS;
+import org.eclipse.jgit.util.FileUtils;
+import org.kohsuke.args4j.CmdLineException;
+import org.kohsuke.args4j.CmdLineParser;
+import org.kohsuke.args4j.Option;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.gitblit.authority.GitblitAuthority;
+import com.gitblit.authority.NewCertificateConfig;
+import com.gitblit.servlet.GitblitContext;
+import com.gitblit.utils.StringUtils;
+import com.gitblit.utils.TimeUtils;
+import com.gitblit.utils.X509Utils;
+import com.gitblit.utils.X509Utils.X509Log;
+import com.gitblit.utils.X509Utils.X509Metadata;
+import com.unboundid.ldap.listener.InMemoryDirectoryServer;
+import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
+import com.unboundid.ldap.listener.InMemoryListenerConfig;
+import com.unboundid.ldif.LDIFReader;
+
+/**
+ * GitBlitServer is the embedded Jetty server for Gitblit GO. This class starts
+ * and stops an instance of Jetty that is configured from a combination of the
+ * gitblit.properties file and command line parameters. JCommander is used to
+ * simplify command line parameter processing. This class also automatically
+ * generates a self-signed certificate for localhost, if the keystore does not
+ * already exist.
+ *
+ * @author James Moger
+ *
+ */
+public class GitBlitServer {
+
+       private static Logger logger;
+
+       public static void main(String... args) {
+               GitBlitServer server = new GitBlitServer();
+
+               // filter out the baseFolder parameter
+               List<String> filtered = new ArrayList<String>();
+               String folder = "data";
+               for (int i = 0; i < args.length; i++) {
+                       String arg = args[i];
+                       if (arg.equals("--baseFolder")) {
+                               if (i + 1 == args.length) {
+                                       System.out.println("Invalid --baseFolder parameter!");
+                                       System.exit(-1);
+                               } else if (!".".equals(args[i + 1])) {
+                                       folder = args[i + 1];
+                               }
+                               i = i + 1;
+                       } else {
+                               filtered.add(arg);
+                       }
+               }
+
+               Params.baseFolder = folder;
+               Params params = new Params();
+               CmdLineParser parser = new CmdLineParser(params);
+               try {
+                       parser.parseArgument(filtered);
+                       if (params.help) {
+                               server.usage(parser, null);
+                       }
+               } catch (CmdLineException t) {
+                       server.usage(parser, t);
+               }
+
+               if (params.stop) {
+                       server.stop(params);
+               } else {
+                       server.start(params);
+               }
+       }
+
+       /**
+        * Display the command line usage of Gitblit GO.
+        *
+        * @param parser
+        * @param t
+        */
+       protected final void usage(CmdLineParser parser, CmdLineException t) {
+               System.out.println(Constants.BORDER);
+               System.out.println(Constants.getGitBlitVersion());
+               System.out.println(Constants.BORDER);
+               System.out.println();
+               if (t != null) {
+                       System.out.println(t.getMessage());
+                       System.out.println();
+               }
+               if (parser != null) {
+                       parser.printUsage(System.out);
+                       System.out
+                                       .println("\nExample:\n  java -server -Xmx1024M -jar gitblit.jar --repositoriesFolder c:\\git --httpPort 80 --httpsPort 443");
+               }
+               System.exit(0);
+       }
+
+       /**
+        * Stop Gitblt GO.
+        */
+       public void stop(Params params) {
+               try {
+                       Socket s = new Socket(InetAddress.getByName("127.0.0.1"), params.shutdownPort);
+                       OutputStream out = s.getOutputStream();
+                       System.out.println("Sending Shutdown Request to " + Constants.NAME);
+                       out.write("\r\n".getBytes());
+                       out.flush();
+                       s.close();
+               } catch (UnknownHostException e) {
+                       e.printStackTrace();
+               } catch (IOException e) {
+                       e.printStackTrace();
+               }
+       }
+
+       /**
+        * Start Gitblit GO.
+        */
+       protected final void start(Params params) {
+               final File baseFolder = new File(Params.baseFolder).getAbsoluteFile();
+               FileSettings settings = params.FILESETTINGS;
+               if (!StringUtils.isEmpty(params.settingsfile)) {
+                       if (new File(params.settingsfile).exists()) {
+                               settings = new FileSettings(params.settingsfile);
+                       }
+               }
+
+               if (params.dailyLogFile) {
+                       // Configure log4j for daily log file generation
+                       InputStream is = null;
+                       try {
+                               is = getClass().getResourceAsStream("/log4j.properties");
+                               Properties loggingProperties = new Properties();
+                               loggingProperties.load(is);
+
+                               loggingProperties.put("log4j.appender.R.File", new File(baseFolder, "logs/gitblit.log").getAbsolutePath());
+                               loggingProperties.put("log4j.rootCategory", "INFO, R");
+
+                               if (settings.getBoolean(Keys.web.debugMode, false)) {
+                                       loggingProperties.put("log4j.logger.com.gitblit", "DEBUG");
+                               }
+
+                               PropertyConfigurator.configure(loggingProperties);
+                       } catch (Exception e) {
+                               e.printStackTrace();
+                       } finally {
+                               try {
+                                       is.close();
+                               } catch (IOException e) {
+                                       e.printStackTrace();
+                               }
+                       }
+               }
+
+               logger = LoggerFactory.getLogger(GitBlitServer.class);
+               logger.info(Constants.BORDER);
+               logger.info("            _____  _  _    _      _  _  _");
+               logger.info("           |  __ \\(_)| |  | |    | |(_)| |");
+               logger.info("           | |  \\/ _ | |_ | |__  | | _ | |_");
+               logger.info("           | | __ | || __|| '_ \\ | || || __|");
+               logger.info("           | |_\\ \\| || |_ | |_) || || || |_");
+               logger.info("            \\____/|_| \\__||_.__/ |_||_| \\__|");
+               int spacing = (Constants.BORDER.length() - Constants.getGitBlitVersion().length()) / 2;
+               StringBuilder sb = new StringBuilder();
+               while (spacing > 0) {
+                       spacing--;
+                       sb.append(' ');
+               }
+               logger.info(sb.toString() + Constants.getGitBlitVersion());
+               logger.info("");
+               logger.info(Constants.BORDER);
+
+               System.setProperty("java.awt.headless", "true");
+
+               String osname = System.getProperty("os.name");
+               String osversion = System.getProperty("os.version");
+               logger.info("Running on " + osname + " (" + osversion + ")");
+
+               List<Connector> connectors = new ArrayList<Connector>();
+
+               // conditionally configure the http connector
+               if (params.port > 0) {
+                       Connector httpConnector = createConnector(params.useNIO, params.port, settings.getInteger(Keys.server.threadPoolSize, 50));
+                       String bindInterface = settings.getString(Keys.server.httpBindInterface, null);
+                       if (!StringUtils.isEmpty(bindInterface)) {
+                               logger.warn(MessageFormat.format("Binding connector on port {0,number,0} to {1}",
+                                               params.port, bindInterface));
+                               httpConnector.setHost(bindInterface);
+                       }
+                       if (params.port < 1024 && !isWindows()) {
+                               logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!");
+                       }
+                       if (params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) {
+                               // redirect HTTP requests to HTTPS
+                               if (httpConnector instanceof SelectChannelConnector) {
+                                       ((SelectChannelConnector) httpConnector).setConfidentialPort(params.securePort);
+                               } else {
+                                       ((SocketConnector) httpConnector).setConfidentialPort(params.securePort);
+                               }
+                       }
+                       connectors.add(httpConnector);
+               }
+
+               // conditionally configure the https connector
+               if (params.securePort > 0) {
+                       File certificatesConf = new File(baseFolder, X509Utils.CA_CONFIG);
+                       File serverKeyStore = new File(baseFolder, X509Utils.SERVER_KEY_STORE);
+                       File serverTrustStore = new File(baseFolder, X509Utils.SERVER_TRUST_STORE);
+                       File caRevocationList = new File(baseFolder, X509Utils.CA_REVOCATION_LIST);
+
+                       // generate CA & web certificates, create certificate stores
+                       X509Metadata metadata = new X509Metadata("localhost", params.storePassword);
+                       // set default certificate values from config file
+                       if (certificatesConf.exists()) {
+                               FileBasedConfig config = new FileBasedConfig(certificatesConf, FS.detect());
+                               try {
+                                       config.load();
+                               } catch (Exception e) {
+                                       logger.error("Error parsing " + certificatesConf, e);
+                               }
+                               NewCertificateConfig certificateConfig = NewCertificateConfig.KEY.parse(config);
+                               certificateConfig.update(metadata);
+                       }
+
+                       metadata.notAfter = new Date(System.currentTimeMillis() + 10*TimeUtils.ONEYEAR);
+                       X509Utils.prepareX509Infrastructure(metadata, baseFolder, new X509Log() {
+                               @Override
+                               public void log(String message) {
+                                       BufferedWriter writer = null;
+                                       try {
+                                               writer = new BufferedWriter(new FileWriter(new File(baseFolder, X509Utils.CERTS + File.separator + "log.txt"), true));
+                                               writer.write(MessageFormat.format("{0,date,yyyy-MM-dd HH:mm}: {1}", new Date(), message));
+                                               writer.newLine();
+                                               writer.flush();
+                                       } catch (Exception e) {
+                                               LoggerFactory.getLogger(GitblitAuthority.class).error("Failed to append log entry!", e);
+                                       } finally {
+                                               if (writer != null) {
+                                                       try {
+                                                               writer.close();
+                                                       } catch (IOException e) {
+                                                       }
+                                               }
+                                       }
+                               }
+                       });
+
+                       if (serverKeyStore.exists()) {
+                               Connector secureConnector = createSSLConnector(params.alias, serverKeyStore, serverTrustStore, params.storePassword,
+                                               caRevocationList, params.useNIO, params.securePort, settings.getInteger(Keys.server.threadPoolSize, 50), params.requireClientCertificates);
+                               String bindInterface = settings.getString(Keys.server.httpsBindInterface, null);
+                               if (!StringUtils.isEmpty(bindInterface)) {
+                                       logger.warn(MessageFormat.format(
+                                                       "Binding ssl connector on port {0,number,0} to {1}", params.securePort,
+                                                       bindInterface));
+                                       secureConnector.setHost(bindInterface);
+                               }
+                               if (params.securePort < 1024 && !isWindows()) {
+                                       logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!");
+                               }
+                               connectors.add(secureConnector);
+                       } else {
+                               logger.warn("Failed to find or load Keystore?");
+                               logger.warn("SSL connector DISABLED.");
+                       }
+               }
+
+               // conditionally configure the ajp connector
+               if (params.ajpPort > 0) {
+                       Connector ajpConnector = createAJPConnector(params.ajpPort);
+                       String bindInterface = settings.getString(Keys.server.ajpBindInterface, null);
+                       if (!StringUtils.isEmpty(bindInterface)) {
+                               logger.warn(MessageFormat.format("Binding connector on port {0,number,0} to {1}",
+                                               params.ajpPort, bindInterface));
+                               ajpConnector.setHost(bindInterface);
+                       }
+                       if (params.ajpPort < 1024 && !isWindows()) {
+                               logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!");
+                       }
+                       connectors.add(ajpConnector);
+               }
+
+               // tempDir is where the embedded Gitblit web application is expanded and
+               // where Jetty creates any necessary temporary files
+               File tempDir = com.gitblit.utils.FileUtils.resolveParameter(Constants.baseFolder$, baseFolder, params.temp);
+               if (tempDir.exists()) {
+                       try {
+                               FileUtils.delete(tempDir, FileUtils.RECURSIVE | FileUtils.RETRY);
+                       } catch (IOException x) {
+                               logger.warn("Failed to delete temp dir " + tempDir.getAbsolutePath(), x);
+                       }
+               }
+               if (!tempDir.mkdirs()) {
+                       logger.warn("Failed to create temp dir " + tempDir.getAbsolutePath());
+               }
+
+               Server server = new Server();
+               server.setStopAtShutdown(true);
+               server.setConnectors(connectors.toArray(new Connector[connectors.size()]));
+
+               // Get the execution path of this class
+               // We use this to set the WAR path.
+               ProtectionDomain protectionDomain = GitBlitServer.class.getProtectionDomain();
+               URL location = protectionDomain.getCodeSource().getLocation();
+
+               // Root WebApp Context
+               WebAppContext rootContext = new WebAppContext();
+               rootContext.setContextPath(settings.getString(Keys.server.contextPath, "/"));
+               rootContext.setServer(server);
+               rootContext.setWar(location.toExternalForm());
+               rootContext.setTempDirectory(tempDir);
+
+               // Set cookies HttpOnly so they are not accessible to JavaScript engines
+               HashSessionManager sessionManager = new HashSessionManager();
+               sessionManager.setHttpOnly(true);
+               // Use secure cookies if only serving https
+               sessionManager.setSecureRequestOnly(params.port <= 0 && params.securePort > 0);
+               rootContext.getSessionHandler().setSessionManager(sessionManager);
+
+               // Ensure there is a defined User Service
+               String realmUsers = params.userService;
+               if (StringUtils.isEmpty(realmUsers)) {
+                       logger.error(MessageFormat.format("PLEASE SPECIFY {0}!!", Keys.realm.userService));
+                       return;
+               }
+
+               // Override settings from the command-line
+               settings.overrideSetting(Keys.realm.userService, params.userService);
+               settings.overrideSetting(Keys.git.repositoriesFolder, params.repositoriesFolder);
+               settings.overrideSetting(Keys.git.daemonPort, params.gitPort);
+               settings.overrideSetting(Keys.git.sshPort, params.sshPort);
+
+               // Start up an in-memory LDAP server, if configured
+               try {
+                       if (!StringUtils.isEmpty(params.ldapLdifFile)) {
+                               File ldifFile = new File(params.ldapLdifFile);
+                               if (ldifFile != null && ldifFile.exists()) {
+                                       URI ldapUrl = new URI(settings.getRequiredString(Keys.realm.ldap.server));
+                                       String firstLine = new Scanner(ldifFile).nextLine();
+                                       String rootDN = firstLine.substring(4);
+                                       String bindUserName = settings.getString(Keys.realm.ldap.username, "");
+                                       String bindPassword = settings.getString(Keys.realm.ldap.password, "");
+
+                                       // Get the port
+                                       int port = ldapUrl.getPort();
+                                       if (port == -1)
+                                               port = 389;
+
+                                       InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig(rootDN);
+                                       config.addAdditionalBindCredentials(bindUserName, bindPassword);
+                                       config.setListenerConfigs(InMemoryListenerConfig.createLDAPConfig("default", port));
+                                       config.setSchema(null);
+
+                                       InMemoryDirectoryServer ds = new InMemoryDirectoryServer(config);
+                                       ds.importFromLDIF(true, new LDIFReader(ldifFile));
+                                       ds.startListening();
+
+                                       logger.info("LDAP Server started at ldap://localhost:" + port);
+                               }
+                       }
+               } catch (Exception e) {
+                       // Completely optional, just show a warning
+                       logger.warn("Unable to start LDAP server", e);
+               }
+
+               // Set the server's contexts
+               server.setHandler(rootContext);
+
+               // redirect HTTP requests to HTTPS
+               if (params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) {
+                       logger.info(String.format("Configuring automatic http(%1$s) -> https(%2$s) redirects", params.port, params.securePort));
+                       // Create the internal mechanisms to handle secure connections and redirects
+                       Constraint constraint = new Constraint();
+                       constraint.setDataConstraint(Constraint.DC_CONFIDENTIAL);
+
+                       ConstraintMapping cm = new ConstraintMapping();
+                       cm.setConstraint(constraint);
+                       cm.setPathSpec("/*");
+
+                       ConstraintSecurityHandler sh = new ConstraintSecurityHandler();
+                       sh.setConstraintMappings(new ConstraintMapping[] { cm });
+
+                       // Configure this context to use the Security Handler defined before
+                       rootContext.setHandler(sh);
+               }
+
+               // Setup the Gitblit context
+               GitblitContext gitblit = newGitblit(settings, baseFolder);
+               rootContext.addEventListener(gitblit);
+
+               try {
+                       // start the shutdown monitor
+                       if (params.shutdownPort > 0) {
+                               Thread shutdownMonitor = new ShutdownMonitorThread(server, params);
+                               shutdownMonitor.start();
+                       }
+
+                       // start Jetty
+                       server.start();
+                       server.join();
+               } catch (Exception e) {
+                       e.printStackTrace();
+                       System.exit(100);
+               }
+       }
+
+       protected GitblitContext newGitblit(IStoredSettings settings, File baseFolder) {
+               return new GitblitContext(settings, baseFolder);
+       }
+
+       /**
+        * Creates an http connector.
+        *
+        * @param useNIO
+        * @param port
+        * @param threadPoolSize
+        * @return an http connector
+        */
+       private Connector createConnector(boolean useNIO, int port, int threadPoolSize) {
+               Connector connector;
+               if (useNIO) {
+                       logger.info("Setting up NIO SelectChannelConnector on port " + port);
+                       SelectChannelConnector nioconn = new SelectChannelConnector();
+                       nioconn.setSoLingerTime(-1);
+                       if (threadPoolSize > 0) {
+                               nioconn.setThreadPool(new QueuedThreadPool(threadPoolSize));
+                       }
+                       connector = nioconn;
+               } else {
+                       logger.info("Setting up SocketConnector on port " + port);
+                       SocketConnector sockconn = new SocketConnector();
+                       if (threadPoolSize > 0) {
+                               sockconn.setThreadPool(new QueuedThreadPool(threadPoolSize));
+                       }
+                       connector = sockconn;
+               }
+
+               connector.setPort(port);
+               connector.setMaxIdleTime(30000);
+               return connector;
+       }
+
+       /**
+        * Creates an https connector.
+        *
+        * SSL renegotiation will be enabled if the JVM is 1.6.0_22 or later.
+        * oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html
+        *
+        * @param certAlias
+        * @param keyStore
+        * @param clientTrustStore
+        * @param storePassword
+        * @param caRevocationList
+        * @param useNIO
+        * @param port
+        * @param threadPoolSize
+        * @param requireClientCertificates
+        * @return an https connector
+        */
+       private Connector createSSLConnector(String certAlias, File keyStore, File clientTrustStore,
+                       String storePassword, File caRevocationList, boolean useNIO,  int port, int threadPoolSize,
+                       boolean requireClientCertificates) {
+               GitblitSslContextFactory factory = new GitblitSslContextFactory(certAlias,
+                               keyStore, clientTrustStore, storePassword, caRevocationList);
+               SslConnector connector;
+               if (useNIO) {
+                       logger.info("Setting up NIO SslSelectChannelConnector on port " + port);
+                       SslSelectChannelConnector ssl = new SslSelectChannelConnector(factory);
+                       ssl.setSoLingerTime(-1);
+                       if (requireClientCertificates) {
+                               factory.setNeedClientAuth(true);
+                       } else {
+                               factory.setWantClientAuth(true);
+                       }
+                       if (threadPoolSize > 0) {
+                               ssl.setThreadPool(new QueuedThreadPool(threadPoolSize));
+                       }
+                       connector = ssl;
+               } else {
+                       logger.info("Setting up NIO SslSocketConnector on port " + port);
+                       SslSocketConnector ssl = new SslSocketConnector(factory);
+                       if (threadPoolSize > 0) {
+                               ssl.setThreadPool(new QueuedThreadPool(threadPoolSize));
+                       }
+                       connector = ssl;
+               }
+               connector.setPort(port);
+               connector.setMaxIdleTime(30000);
+
+               return connector;
+       }
+
+       /**
+        * Creates an ajp connector.
+        *
+        * @param port
+        * @return an ajp connector
+        */
+       private Connector createAJPConnector(int port) {
+               logger.info("Setting up AJP Connector on port " + port);
+               Ajp13SocketConnector ajp = new Ajp13SocketConnector();
+               ajp.setPort(port);
+               if (port < 1024 && !isWindows()) {
+                       logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!");
+               }
+               return ajp;
+       }
+
+       /**
+        * Tests to see if the operating system is Windows.
+        *
+        * @return true if this is a windows machine
+        */
+       private boolean isWindows() {
+               return System.getProperty("os.name").toLowerCase().indexOf("windows") > -1;
+       }
+
+       /**
+        * The ShutdownMonitorThread opens a socket on a specified port and waits
+        * for an incoming connection. When that connection is accepted a shutdown
+        * message is issued to the running Jetty server.
+        *
+        * @author James Moger
+        *
+        */
+       private static class ShutdownMonitorThread extends Thread {
+
+               private final ServerSocket socket;
+
+               private final Server server;
+
+               private final Logger logger = LoggerFactory.getLogger(ShutdownMonitorThread.class);
+
+               public ShutdownMonitorThread(Server server, Params params) {
+                       this.server = server;
+                       setDaemon(true);
+                       setName(Constants.NAME + " Shutdown Monitor");
+                       ServerSocket skt = null;
+                       try {
+                               skt = new ServerSocket(params.shutdownPort, 1, InetAddress.getByName("127.0.0.1"));
+                       } catch (Exception e) {
+                               logger.warn("Could not open shutdown monitor on port " + params.shutdownPort, e);
+                       }
+                       socket = skt;
+               }
+
+               @Override
+               public void run() {
+                       logger.info("Shutdown Monitor listening on port " + socket.getLocalPort());
+                       Socket accept;
+                       try {
+                               accept = socket.accept();
+                               BufferedReader reader = new BufferedReader(new InputStreamReader(
+                                               accept.getInputStream()));
+                               reader.readLine();
+                               logger.info(Constants.BORDER);
+                               logger.info("Stopping " + Constants.NAME);
+                               logger.info(Constants.BORDER);
+                               server.stop();
+                               server.setStopAtShutdown(false);
+                               accept.close();
+                               socket.close();
+                       } catch (Exception e) {
+                               logger.warn("Failed to shutdown Jetty", e);
+                       }
+               }
+       }
+
+       /**
+        * Parameters class for GitBlitServer.
+        */
+       public static class Params {
+
+               public static String baseFolder;
+
+               private final FileSettings FILESETTINGS = new FileSettings(new File(baseFolder, Constants.PROPERTIES_FILE).getAbsolutePath());
+
+               /*
+                * Server parameters
+                */
+               @Option(name = "--help", aliases = { "-h"}, usage = "Show this help")
+               public Boolean help = false;
+
+               @Option(name = "--stop", usage = "Stop Server")
+               public Boolean stop = false;
+
+               @Option(name = "--tempFolder", usage = "Folder for server to extract built-in webapp", metaVar="PATH")
+               public String temp = FILESETTINGS.getString(Keys.server.tempFolder, "temp");
+
+               @Option(name = "--dailyLogFile", usage = "Log to a rolling daily log file INSTEAD of stdout.")
+               public Boolean dailyLogFile = false;
+
+               /*
+                * GIT Servlet Parameters
+                */
+               @Option(name = "--repositoriesFolder", usage = "Git Repositories Folder", metaVar="PATH")
+               public String repositoriesFolder = FILESETTINGS.getString(Keys.git.repositoriesFolder,
+                               "git");
+
+               /*
+                * Authentication Parameters
+                */
+               @Option(name = "--userService", usage = "Authentication and Authorization Service (filename or fully qualified classname)")
+               public String userService = FILESETTINGS.getString(Keys.realm.userService,
+                               "users.conf");
+
+               /*
+                * JETTY Parameters
+                */
+               @Option(name = "--useNio", usage = "Use NIO Connector else use Socket Connector.")
+               public Boolean useNIO = FILESETTINGS.getBoolean(Keys.server.useNio, true);
+
+               @Option(name = "--httpPort", usage = "HTTP port for to serve. (port <= 0 will disable this connector)", metaVar="PORT")
+               public Integer port = FILESETTINGS.getInteger(Keys.server.httpPort, 0);
+
+               @Option(name = "--httpsPort", usage = "HTTPS port to serve.  (port <= 0 will disable this connector)", metaVar="PORT")
+               public Integer securePort = FILESETTINGS.getInteger(Keys.server.httpsPort, 8443);
+
+               @Option(name = "--ajpPort", usage = "AJP port to serve.  (port <= 0 will disable this connector)", metaVar="PORT")
+               public Integer ajpPort = FILESETTINGS.getInteger(Keys.server.ajpPort, 0);
+
+               @Option(name = "--gitPort", usage = "Git Daemon port to serve.  (port <= 0 will disable this connector)", metaVar="PORT")
+               public Integer gitPort = FILESETTINGS.getInteger(Keys.git.daemonPort, 9418);
+
+        @Option(name = "--sshPort", usage = "Git SSH port to serve.  (port <= 0 will disable this connector)", metaVar = "PORT")
+        public Integer sshPort = FILESETTINGS.getInteger(Keys.git.sshPort, 29418);
+
+               @Option(name = "--alias", usage = "Alias of SSL certificate in keystore for serving https.", metaVar="ALIAS")
+               public String alias = FILESETTINGS.getString(Keys.server.certificateAlias, "");
+
+               @Option(name = "--storePassword", usage = "Password for SSL (https) keystore.", metaVar="PASSWORD")
+               public String storePassword = FILESETTINGS.getString(Keys.server.storePassword, "");
+
+               @Option(name = "--shutdownPort", usage = "Port for Shutdown Monitor to listen on. (port <= 0 will disable this monitor)", metaVar="PORT")
+               public Integer shutdownPort = FILESETTINGS.getInteger(Keys.server.shutdownPort, 8081);
+
+               @Option(name = "--requireClientCertificates", usage = "Require client X509 certificates for https connections.")
+               public Boolean requireClientCertificates = FILESETTINGS.getBoolean(Keys.server.requireClientCertificates, false);
+
+               /*
+                * Setting overrides
+                */
+               @Option(name = "--settings", usage = "Path to alternative settings", metaVar="FILE")
+               public String settingsfile;
+
+               @Option(name = "--ldapLdifFile", usage = "Path to LDIF file.  This will cause an in-memory LDAP server to be started according to gitblit settings", metaVar="FILE")
+               public String ldapLdifFile;
+
+       }
  }
 \ No newline at end of file
diff --git a/src/main/java/com/gitblit/manager/ServicesManager.java b/src/main/java/com/gitblit/manager/ServicesManager.java

index 8107a7d8a41c6df55f35c77fc4943179b1502c6c..2cd583adf93619031286831089f421bdcc24c953 100644 (file)
--- a/src/main/java/com/gitblit/manager/ServicesManager.java
+++ b/src/main/java/com/gitblit/manager/ServicesManager.java
@@ -42,6 +42,7 @@ import com.gitblit.models.FederationModel;
  import com.gitblit.models.RepositoryModel;
  import com.gitblit.models.UserModel;
  import com.gitblit.service.FederationPullService;
+import com.gitblit.transport.ssh.SshDaemon;
  import com.gitblit.utils.StringUtils;
  import com.gitblit.utils.TimeUtils;
  
@@ -67,6 +68,8 @@ public class ServicesManager implements IManager {
  
         private GitDaemon gitDaemon;
  
+       private SshDaemon sshDaemon;
+
         public ServicesManager(IGitblit gitblit) {
                 this.settings = gitblit.getSettings();
                 this.gitblit = gitblit;
@@ -77,6 +80,7 @@ public class ServicesManager implements IManager {
                 configureFederation();
                 configureFanout();
                 configureGitDaemon();
+               configureSshDaemon();
  
                 return this;
         }
@@ -138,6 +142,20 @@ public class ServicesManager implements IManager {
                 }
         }
  
+       protected void configureSshDaemon() {
+               int port = settings.getInteger(Keys.git.sshPort, 0);
+               String bindInterface = settings.getString(Keys.git.sshBindInterface, "localhost");
+               if (port > 0) {
+                       try {
+                               sshDaemon = new SshDaemon(gitblit);
+                               sshDaemon.start();
+                       } catch (IOException e) {
+                               sshDaemon = null;
+                               logger.error(MessageFormat.format("Failed to start SSH daemon on {0}:{1,number,0}", bindInterface, port), e);
+                       }
+               }
+       }
+
         protected void configureFanout() {
                 // startup Fanout PubSub service
                 if (settings.getInteger(Keys.fanout.port, 0) > 0) {
diff --git a/src/main/java/com/gitblit/transport/ssh/AbstractSshCommand.java b/src/main/java/com/gitblit/transport/ssh/AbstractSshCommand.java

new file mode 100644 (file)

index 0000000..e4741ed
--- /dev/null
+++ b/src/main/java/com/gitblit/transport/ssh/AbstractSshCommand.java
@@ -0,0 +1,75 @@
+/*
+ * Copyright 2014 gitblit.com.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gitblit.transport.ssh;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+
+import org.apache.sshd.server.Command;
+import org.apache.sshd.server.Environment;
+import org.apache.sshd.server.ExitCallback;
+import org.apache.sshd.server.SessionAware;
+import org.apache.sshd.server.session.ServerSession;
+
+/**
+ *
+ * @author Eric Myrhe
+ *
+ */
+abstract class AbstractSshCommand implements Command, SessionAware {
+
+       protected InputStream in;
+
+       protected OutputStream out;
+
+       protected OutputStream err;
+
+       protected ExitCallback exit;
+
+       protected ServerSession session;
+
+       @Override
+       public void setInputStream(InputStream in) {
+               this.in = in;
+       }
+
+       @Override
+       public void setOutputStream(OutputStream out) {
+               this.out = out;
+       }
+
+       @Override
+       public void setErrorStream(OutputStream err) {
+               this.err = err;
+       }
+
+       @Override
+       public void setExitCallback(ExitCallback exit) {
+               this.exit = exit;
+       }
+
+       @Override
+       public void setSession(final ServerSession session) {
+               this.session = session;
+       }
+
+       @Override
+       public void destroy() {}
+
+       @Override
+       public abstract void start(Environment env) throws IOException;
+}
diff --git a/src/main/java/com/gitblit/transport/ssh/SshCommandFactory.java b/src/main/java/com/gitblit/transport/ssh/SshCommandFactory.java

new file mode 100644 (file)

index 0000000..c0b4930
--- /dev/null
+++ b/src/main/java/com/gitblit/transport/ssh/SshCommandFactory.java
@@ -0,0 +1,164 @@
+/*
+ * Copyright 2014 gitblit.com.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gitblit.transport.ssh;
+
+import java.io.IOException;
+import java.util.Scanner;
+
+import org.apache.sshd.server.Command;
+import org.apache.sshd.server.CommandFactory;
+import org.apache.sshd.server.Environment;
+import org.eclipse.jgit.errors.RepositoryNotFoundException;
+import org.eclipse.jgit.lib.Repository;
+import org.eclipse.jgit.transport.PacketLineOut;
+import org.eclipse.jgit.transport.ReceivePack;
+import org.eclipse.jgit.transport.ServiceMayNotContinueException;
+import org.eclipse.jgit.transport.UploadPack;
+import org.eclipse.jgit.transport.resolver.ReceivePackFactory;
+import org.eclipse.jgit.transport.resolver.ServiceNotAuthorizedException;
+import org.eclipse.jgit.transport.resolver.ServiceNotEnabledException;
+import org.eclipse.jgit.transport.resolver.UploadPackFactory;
+
+import com.gitblit.git.RepositoryResolver;
+
+/**
+ *
+ * @author Eric Myhre
+ *
+ */
+public class SshCommandFactory implements CommandFactory {
+       public SshCommandFactory(RepositoryResolver<SshDaemonClient> repositoryResolver, UploadPackFactory<SshDaemonClient> uploadPackFactory, ReceivePackFactory<SshDaemonClient> receivePackFactory) {
+               this.repositoryResolver = repositoryResolver;
+               this.uploadPackFactory = uploadPackFactory;
+               this.receivePackFactory = receivePackFactory;
+       }
+
+       private RepositoryResolver<SshDaemonClient> repositoryResolver;
+
+       private UploadPackFactory<SshDaemonClient> uploadPackFactory;
+
+       private ReceivePackFactory<SshDaemonClient> receivePackFactory;
+
+       @Override
+       public Command createCommand(final String commandLine) {
+               Scanner commandScanner = new Scanner(commandLine);
+               final String command = commandScanner.next();
+               final String argument = commandScanner.nextLine();
+
+               if ("git-upload-pack".equals(command))
+                       return new UploadPackCommand(argument);
+               if ("git-receive-pack".equals(command))
+                       return new ReceivePackCommand(argument);
+               return new NonCommand();
+       }
+
+       public abstract class RepositoryCommand extends AbstractSshCommand {
+               protected final String repositoryName;
+
+               public RepositoryCommand(String repositoryName) {
+                       this.repositoryName = repositoryName;
+               }
+
+               @Override
+               public void start(Environment env) throws IOException {
+                       Repository db = null;
+                       try {
+                               SshDaemonClient client = session.getAttribute(SshDaemonClient.ATTR_KEY);
+                               db = selectRepository(client, repositoryName);
+                               if (db == null) return;
+                               run(client, db);
+                               exit.onExit(0);
+                       } catch (ServiceNotEnabledException e) {
+                               // Ignored. Client cannot use this repository.
+                       } catch (ServiceNotAuthorizedException e) {
+                               // Ignored. Client cannot use this repository.
+                       } finally {
+                               if (db != null)
+                                       db.close();
+                               exit.onExit(1);
+                       }
+               }
+
+               protected Repository selectRepository(SshDaemonClient client, String name) throws IOException {
+                       try {
+                               return openRepository(client, name);
+                       } catch (ServiceMayNotContinueException e) {
+                               // An error when opening the repo means the client is expecting a ref
+                               // advertisement, so use that style of error.
+                               PacketLineOut pktOut = new PacketLineOut(out);
+                               pktOut.writeString("ERR " + e.getMessage() + "\n"); //$NON-NLS-1$ //$NON-NLS-2$
+                               return null;
+                       }
+               }
+
+               protected Repository openRepository(SshDaemonClient client, String name)
+                               throws ServiceMayNotContinueException {
+                       // Assume any attempt to use \ was by a Windows client
+                       // and correct to the more typical / used in Git URIs.
+                       //
+                       name = name.replace('\\', '/');
+
+                       // ssh://git@thishost/path should always be name="/path" here
+                       //
+                       if (!name.startsWith("/")) //$NON-NLS-1$
+                               return null;
+
+                       try {
+                               return repositoryResolver.open(client, name.substring(1));
+                       } catch (RepositoryNotFoundException e) {
+                               // null signals it "wasn't found", which is all that is suitable
+                               // for the remote client to know.
+                               return null;
+                       } catch (ServiceNotEnabledException e) {
+                               // null signals it "wasn't found", which is all that is suitable
+                               // for the remote client to know.
+                               return null;
+                       }
+               }
+
+               protected abstract void run(SshDaemonClient client, Repository db)
+                       throws IOException, ServiceNotEnabledException, ServiceNotAuthorizedException;
+       }
+
+       public class UploadPackCommand extends RepositoryCommand {
+               public UploadPackCommand(String repositoryName) { super(repositoryName); }
+
+               @Override
+               protected void run(SshDaemonClient client, Repository db)
+                               throws IOException, ServiceNotEnabledException, ServiceNotAuthorizedException {
+                       UploadPack up = uploadPackFactory.create(client, db);
+                       up.upload(in, out, null);
+               }
+       }
+
+       public class ReceivePackCommand extends RepositoryCommand {
+               public ReceivePackCommand(String repositoryName) { super(repositoryName); }
+
+               @Override
+               protected void run(SshDaemonClient client, Repository db)
+                               throws IOException, ServiceNotEnabledException, ServiceNotAuthorizedException {
+                       ReceivePack rp = receivePackFactory.create(client, db);
+                       rp.receive(in, out, null);
+               }
+       }
+
+       public static class NonCommand extends AbstractSshCommand {
+               @Override
+               public void start(Environment env) {
+                       exit.onExit(127);
+               }
+       }
+}
diff --git a/src/main/java/com/gitblit/transport/ssh/SshCommandServer.java b/src/main/java/com/gitblit/transport/ssh/SshCommandServer.java

new file mode 100644 (file)

index 0000000..26e3d67
--- /dev/null
+++ b/src/main/java/com/gitblit/transport/ssh/SshCommandServer.java
@@ -0,0 +1,217 @@
+/*
+ * Copyright 2014 gitblit.com.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gitblit.transport.ssh;
+
+import java.io.IOException;
+import java.net.InetSocketAddress;
+import java.security.InvalidKeyException;
+import java.util.Arrays;
+import java.util.Iterator;
+import java.util.LinkedList;
+import java.util.List;
+
+import org.apache.mina.core.future.IoFuture;
+import org.apache.mina.core.future.IoFutureListener;
+import org.apache.mina.core.session.IoSession;
+import org.apache.mina.transport.socket.SocketSessionConfig;
+import org.apache.sshd.SshServer;
+import org.apache.sshd.common.Channel;
+import org.apache.sshd.common.Cipher;
+import org.apache.sshd.common.Compression;
+import org.apache.sshd.common.KeyExchange;
+import org.apache.sshd.common.KeyPairProvider;
+import org.apache.sshd.common.Mac;
+import org.apache.sshd.common.NamedFactory;
+import org.apache.sshd.common.Session;
+import org.apache.sshd.common.Signature;
+import org.apache.sshd.common.cipher.AES128CBC;
+import org.apache.sshd.common.cipher.AES192CBC;
+import org.apache.sshd.common.cipher.AES256CBC;
+import org.apache.sshd.common.cipher.BlowfishCBC;
+import org.apache.sshd.common.cipher.TripleDESCBC;
+import org.apache.sshd.common.compression.CompressionNone;
+import org.apache.sshd.common.mac.HMACMD5;
+import org.apache.sshd.common.mac.HMACMD596;
+import org.apache.sshd.common.mac.HMACSHA1;
+import org.apache.sshd.common.mac.HMACSHA196;
+import org.apache.sshd.common.random.BouncyCastleRandom;
+import org.apache.sshd.common.random.SingletonRandomFactory;
+import org.apache.sshd.common.signature.SignatureDSA;
+import org.apache.sshd.common.signature.SignatureRSA;
+import org.apache.sshd.common.util.SecurityUtils;
+import org.apache.sshd.server.CommandFactory;
+import org.apache.sshd.server.FileSystemFactory;
+import org.apache.sshd.server.FileSystemView;
+import org.apache.sshd.server.ForwardingFilter;
+import org.apache.sshd.server.PublickeyAuthenticator;
+import org.apache.sshd.server.SshFile;
+import org.apache.sshd.server.UserAuth;
+import org.apache.sshd.server.auth.UserAuthPublicKey;
+import org.apache.sshd.server.channel.ChannelDirectTcpip;
+import org.apache.sshd.server.channel.ChannelSession;
+import org.apache.sshd.server.kex.DHG1;
+import org.apache.sshd.server.kex.DHG14;
+import org.apache.sshd.server.session.ServerSession;
+import org.apache.sshd.server.session.SessionFactory;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ *
+ * @author Eric Myhre
+ *
+ */
+public class SshCommandServer extends SshServer {
+
+       private static final Logger log = LoggerFactory.getLogger(SshCommandServer.class);
+
+       public SshCommandServer() {
+               setSessionFactory(new SessionFactory() {
+                       @Override
+                       protected ServerSession createSession(final IoSession io) throws Exception {
+                               log.info("connection accepted on " + io);
+
+                               if (io.getConfig() instanceof SocketSessionConfig) {
+                                       final SocketSessionConfig c = (SocketSessionConfig) io.getConfig();
+                                       c.setKeepAlive(true);
+                               }
+
+                               final ServerSession s = (ServerSession) super.createSession(io);
+                               s.setAttribute(SshDaemonClient.ATTR_KEY, new SshDaemonClient());
+
+                               io.getCloseFuture().addListener(new IoFutureListener<IoFuture>() {
+                                       @Override
+                                       public void operationComplete(IoFuture future) {
+                                               log.info("connection closed on " + io);
+                                       }
+                               });
+                               return s;
+                       }
+               });
+       }
+
+       /**
+        * Performs most of default configuration (setup random sources, setup ciphers,
+        * etc; also, support for forwarding and filesystem is explicitly disallowed).
+        *
+        * {@link #setKeyPairProvider(KeyPairProvider)} and
+        * {@link #setPublickeyAuthenticator(PublickeyAuthenticator)} are left for you.
+        * And applying {@link #setCommandFactory(CommandFactory)} is probably wise if you
+        * want something to actually happen when users do successfully authenticate.
+        */
+       @SuppressWarnings("unchecked")
+       public void setup() {
+               if (!SecurityUtils.isBouncyCastleRegistered())
+                       throw new RuntimeException("BC crypto not available");
+
+               setKeyExchangeFactories(Arrays.<NamedFactory<KeyExchange>>asList(
+                               new DHG14.Factory(),
+                               new DHG1.Factory())
+               );
+
+               setRandomFactory(new SingletonRandomFactory(new BouncyCastleRandom.Factory()));
+
+               setupCiphers();
+
+               setCompressionFactories(Arrays.<NamedFactory<Compression>>asList(
+                               new CompressionNone.Factory())
+               );
+
+               setMacFactories(Arrays.<NamedFactory<Mac>>asList(
+                               new HMACMD5.Factory(),
+                               new HMACSHA1.Factory(),
+                               new HMACMD596.Factory(),
+                               new HMACSHA196.Factory())
+               );
+
+               setChannelFactories(Arrays.<NamedFactory<Channel>>asList(
+                               new ChannelSession.Factory(),
+                               new ChannelDirectTcpip.Factory())
+               );
+
+               setSignatureFactories(Arrays.<NamedFactory<Signature>>asList(
+                               new SignatureDSA.Factory(),
+                               new SignatureRSA.Factory())
+               );
+
+               setFileSystemFactory(new FileSystemFactory() {
+                       @Override
+                       public FileSystemView createFileSystemView(Session session) throws IOException {
+                               return new FileSystemView() {
+                                       @Override
+                                       public SshFile getFile(SshFile baseDir, String file) {
+                                               return null;
+                                       }
+
+                                       @Override
+                                       public SshFile getFile(String file) {
+                                               return null;
+                                       }
+                               };
+                       }
+               });
+
+               setForwardingFilter(new ForwardingFilter() {
+                       @Override
+                       public boolean canForwardAgent(ServerSession session) {
+                               return false;
+                       }
+
+                       @Override
+                       public boolean canForwardX11(ServerSession session) {
+                               return false;
+                       }
+
+                       @Override
+                       public boolean canConnect(InetSocketAddress address, ServerSession session) {
+                               return false;
+                       }
+
+                       @Override
+                       public boolean canListen(InetSocketAddress address, ServerSession session) {
+                               return false;
+                       }
+               });
+
+               setUserAuthFactories(Arrays.<NamedFactory<UserAuth>>asList(
+                               new UserAuthPublicKey.Factory())
+               );
+       }
+
+       protected void setupCiphers() {
+               List<NamedFactory<Cipher>> avail = new LinkedList<NamedFactory<Cipher>>();
+               avail.add(new AES128CBC.Factory());
+               avail.add(new TripleDESCBC.Factory());
+               avail.add(new BlowfishCBC.Factory());
+               avail.add(new AES192CBC.Factory());
+               avail.add(new AES256CBC.Factory());
+
+               for (Iterator<NamedFactory<Cipher>> i = avail.iterator(); i.hasNext();) {
+                       final NamedFactory<Cipher> f = i.next();
+                       try {
+                               final Cipher c = f.create();
+                               final byte[] key = new byte[c.getBlockSize()];
+                               final byte[] iv = new byte[c.getIVSize()];
+                               c.init(Cipher.Mode.Encrypt, key, iv);
+                       } catch (InvalidKeyException e) {
+                               i.remove();
+                       } catch (Exception e) {
+                               i.remove();
+                       }
+               }
+               setCipherFactories(avail);
+       }
+}
diff --git a/src/main/java/com/gitblit/transport/ssh/SshDaemon.java b/src/main/java/com/gitblit/transport/ssh/SshDaemon.java

new file mode 100644 (file)

index 0000000..6f5d5f9
--- /dev/null
+++ b/src/main/java/com/gitblit/transport/ssh/SshDaemon.java
@@ -0,0 +1,159 @@
+/*\r
+ * Copyright 2014 gitblit.com.\r
+ *\r
+ * Licensed under the Apache License, Version 2.0 (the "License");\r
+ * you may not use this file except in compliance with the License.\r
+ * You may obtain a copy of the License at\r
+ *\r
+ *     http://www.apache.org/licenses/LICENSE-2.0\r
+ *\r
+ * Unless required by applicable law or agreed to in writing, software\r
+ * distributed under the License is distributed on an "AS IS" BASIS,\r
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+ * See the License for the specific language governing permissions and\r
+ * limitations under the License.\r
+ */\r
+package com.gitblit.transport.ssh;\r
+\r
+import java.io.File;\r
+import java.io.IOException;\r
+import java.net.InetSocketAddress;\r
+import java.text.MessageFormat;\r
+import java.util.concurrent.atomic.AtomicBoolean;\r
+\r
+import org.apache.sshd.server.keyprovider.PEMGeneratorHostKeyProvider;\r
+import org.eclipse.jgit.internal.JGitText;\r
+import org.eclipse.jgit.transport.resolver.ReceivePackFactory;\r
+import org.eclipse.jgit.transport.resolver.UploadPackFactory;\r
+import org.slf4j.Logger;\r
+import org.slf4j.LoggerFactory;\r
+\r
+import com.gitblit.IStoredSettings;\r
+import com.gitblit.Keys;\r
+import com.gitblit.git.GitblitReceivePackFactory;\r
+import com.gitblit.git.GitblitUploadPackFactory;\r
+import com.gitblit.git.RepositoryResolver;\r
+import com.gitblit.manager.IGitblit;\r
+import com.gitblit.utils.StringUtils;\r
+\r
+/**\r
+ * Manager for the ssh transport. Roughly analogous to the\r
+ * {@link com.gitblit.git.GitDaemon} class.\r
+ *\r
+ * @author Eric Myhre\r
+ *\r
+ */\r
+public class SshDaemon {\r
+\r
+       private final Logger logger = LoggerFactory.getLogger(SshDaemon.class);\r
+\r
+       /**\r
+        * 22: IANA assigned port number for ssh. Note that this is a distinct concept\r
+        * from gitblit's default conf for ssh port -- this "default" is what the git\r
+        * protocol itself defaults to if it sees and ssh url without a port.\r
+        */\r
+       public static final int DEFAULT_PORT = 22;\r
+\r
+       private static final String HOST_KEY_STORE = "sshKeyStore.pem";\r
+\r
+       private InetSocketAddress myAddress;\r
+\r
+       private AtomicBoolean run;\r
+\r
+       private SshCommandServer sshd;\r
+\r
+       private RepositoryResolver<SshDaemonClient> repositoryResolver;\r
+\r
+       private UploadPackFactory<SshDaemonClient> uploadPackFactory;\r
+\r
+       private ReceivePackFactory<SshDaemonClient> receivePackFactory;\r
+\r
+       /**\r
+        * Construct the Gitblit SSH daemon.\r
+        *\r
+        * @param gitblit\r
+        */\r
+       public SshDaemon(IGitblit gitblit) {\r
+\r
+               IStoredSettings settings = gitblit.getSettings();\r
+               int port = settings.getInteger(Keys.git.sshPort, 0);\r
+               String bindInterface = settings.getString(Keys.git.sshBindInterface, "localhost");\r
+\r
+               if (StringUtils.isEmpty(bindInterface)) {\r
+                       myAddress = new InetSocketAddress(port);\r
+               } else {\r
+                       myAddress = new InetSocketAddress(bindInterface, port);\r
+               }\r
+\r
+               sshd = new SshCommandServer();\r
+               sshd.setPort(myAddress.getPort());\r
+               sshd.setHost(myAddress.getHostName());\r
+               sshd.setup();\r
+               sshd.setKeyPairProvider(new PEMGeneratorHostKeyProvider(new File(gitblit.getBaseFolder(), HOST_KEY_STORE).getPath()));\r
+               sshd.setPublickeyAuthenticator(new SshKeyAuthenticator(gitblit));\r
+\r
+               run = new AtomicBoolean(false);\r
+               repositoryResolver = new RepositoryResolver<SshDaemonClient>(gitblit);\r
+               uploadPackFactory = new GitblitUploadPackFactory<SshDaemonClient>(gitblit);\r
+               receivePackFactory = new GitblitReceivePackFactory<SshDaemonClient>(gitblit);\r
+\r
+               sshd.setCommandFactory(new SshCommandFactory(\r
+                               repositoryResolver,\r
+                               uploadPackFactory,\r
+                               receivePackFactory\r
+               ));\r
+       }\r
+\r
+       public int getPort() {\r
+               return myAddress.getPort();\r
+       }\r
+\r
+       public String formatUrl(String gituser, String servername, String repository) {\r
+               if (getPort() == DEFAULT_PORT) {\r
+                       // standard port\r
+                       return MessageFormat.format("{0}@{1}/{2}", gituser, servername, repository);\r
+               } else {\r
+                       // non-standard port\r
+                       return MessageFormat.format("ssh://{0}@{1}:{2,number,0}/{3}", gituser, servername, getPort(), repository);\r
+               }\r
+       }\r
+\r
+       /**\r
+        * Start this daemon on a background thread.\r
+        *\r
+        * @throws IOException\r
+        *             the server socket could not be opened.\r
+        * @throws IllegalStateException\r
+        *             the daemon is already running.\r
+        */\r
+       public synchronized void start() throws IOException {\r
+               if (run.get()) {\r
+                       throw new IllegalStateException(JGitText.get().daemonAlreadyRunning);\r
+               }\r
+\r
+               sshd.start();\r
+               run.set(true);\r
+\r
+               logger.info(MessageFormat.format("SSH Daemon is listening on {0}:{1,number,0}",\r
+                               myAddress.getAddress().getHostAddress(), myAddress.getPort()));\r
+       }\r
+\r
+       /** @return true if this daemon is receiving connections. */\r
+       public boolean isRunning() {\r
+               return run.get();\r
+       }\r
+\r
+       /** Stop this daemon. */\r
+       public synchronized void stop() {\r
+               if (run.get()) {\r
+                       logger.info("SSH Daemon stopping...");\r
+                       run.set(false);\r
+\r
+                       try {\r
+                               sshd.stop();\r
+                       } catch (InterruptedException e) {\r
+                               logger.error("SSH Daemon stop interrupted", e);\r
+                       }\r
+               }\r
+       }\r
+}\r
diff --git a/src/main/java/com/gitblit/transport/ssh/SshDaemonClient.java b/src/main/java/com/gitblit/transport/ssh/SshDaemonClient.java

new file mode 100644 (file)

index 0000000..2e8008a
--- /dev/null
+++ b/src/main/java/com/gitblit/transport/ssh/SshDaemonClient.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright 2014 gitblit.com.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gitblit.transport.ssh;
+
+import java.net.InetAddress;
+
+import org.apache.sshd.common.Session.AttributeKey;
+
+/**
+ *
+ * @author Eric Myrhe
+ *
+ */
+public class SshDaemonClient {
+       public static final AttributeKey<SshDaemonClient> ATTR_KEY = new AttributeKey<SshDaemonClient>();
+
+       public InetAddress getRemoteAddress() {
+               return null;
+       }
+
+       public String getRemoteUser() {
+               return null;
+       }
+}
diff --git a/src/main/java/com/gitblit/transport/ssh/SshKeyAuthenticator.java b/src/main/java/com/gitblit/transport/ssh/SshKeyAuthenticator.java

new file mode 100644 (file)

index 0000000..4c97c58
--- /dev/null
+++ b/src/main/java/com/gitblit/transport/ssh/SshKeyAuthenticator.java
@@ -0,0 +1,43 @@
+/*
+ * Copyright 2014 gitblit.com.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gitblit.transport.ssh;
+
+import java.security.PublicKey;
+
+import org.apache.sshd.server.PublickeyAuthenticator;
+import org.apache.sshd.server.session.ServerSession;
+
+import com.gitblit.manager.IGitblit;
+
+/**
+ *
+ * @author Eric Myrhe
+ *
+ */
+public class SshKeyAuthenticator implements PublickeyAuthenticator {
+
+       protected final IGitblit gitblit;
+
+       public SshKeyAuthenticator(IGitblit gitblit) {
+               this.gitblit = gitblit;
+       }
+
+       @Override
+       public boolean authenticate(String username, PublicKey key, ServerSession session) {
+               // TODO actually authenticate
+               return true;
+       }
+}
author	Eric Myhre <hash@exultant.us>
	Thu, 13 Jun 2013 22:03:24 +0000 (17:03 -0500)
committer	James Moger <james.moger@gitblit.com>
	Thu, 10 Apr 2014 22:58:07 +0000 (18:58 -0400)
.classpath		patch \| blob \| history
build.moxie		patch \| blob \| history
gitblit.iml		patch \| blob \| history
src/main/distrib/data/gitblit.properties		patch \| blob \| history
src/main/java/com/gitblit/GitBlitServer.java		patch \| blob \| history
src/main/java/com/gitblit/manager/ServicesManager.java		patch \| blob \| history
src/main/java/com/gitblit/transport/ssh/AbstractSshCommand.java	[new file with mode: 0644]	patch \| blob
src/main/java/com/gitblit/transport/ssh/SshCommandFactory.java	[new file with mode: 0644]	patch \| blob
src/main/java/com/gitblit/transport/ssh/SshCommandServer.java	[new file with mode: 0644]	patch \| blob
src/main/java/com/gitblit/transport/ssh/SshDaemon.java	[new file with mode: 0644]	patch \| blob
src/main/java/com/gitblit/transport/ssh/SshDaemonClient.java	[new file with mode: 0644]	patch \| blob
src/main/java/com/gitblit/transport/ssh/SshKeyAuthenticator.java	[new file with mode: 0644]	patch \| blob