From: David Ostrovsky Date: Fri, 26 Sep 2014 08:50:37 +0000 (+0200) Subject: Extract authenticate method from CachingPublicKeyAuthenticator X-Git-Tag: v1.7.0~1^2~149^2~1 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=f6196b803b7351da29f5d24958abbedf0df41a05;p=gitblit.git Extract authenticate method from CachingPublicKeyAuthenticator --- diff --git a/src/main/java/com/gitblit/transport/ssh/CachingPublicKeyAuthenticator.java b/src/main/java/com/gitblit/transport/ssh/CachingPublicKeyAuthenticator.java deleted file mode 100644 index e804a0da..00000000 --- a/src/main/java/com/gitblit/transport/ssh/CachingPublicKeyAuthenticator.java +++ /dev/null @@ -1,112 +0,0 @@ -/* - * Copyright 2014 gitblit.com. - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not - * use this file except in compliance with the License. You may obtain a copy of - * the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - * License for the specific language governing permissions and limitations under - * the License. - */ -package com.gitblit.transport.ssh; - -import java.security.PublicKey; -import java.util.HashMap; -import java.util.List; -import java.util.Locale; -import java.util.Map; -import java.util.concurrent.ConcurrentHashMap; - -import org.apache.sshd.common.Session; -import org.apache.sshd.common.SessionListener; -import org.apache.sshd.server.PublickeyAuthenticator; -import org.apache.sshd.server.session.ServerSession; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import com.gitblit.manager.IAuthenticationManager; -import com.gitblit.models.UserModel; -import com.google.common.base.Preconditions; - -/** - * Authenticates an SSH session against a public key. - * - */ -public class CachingPublicKeyAuthenticator implements PublickeyAuthenticator, SessionListener { - - protected final Logger log = LoggerFactory.getLogger(getClass()); - - protected final IPublicKeyManager keyManager; - - protected final IAuthenticationManager authManager; - - private final Map> cache = new ConcurrentHashMap>(); - - public CachingPublicKeyAuthenticator(IPublicKeyManager keyManager, IAuthenticationManager authManager) { - this.keyManager = keyManager; - this.authManager = authManager; - } - - @Override - public boolean authenticate(String username, PublicKey key, ServerSession session) { - Map map = cache.get(session); - if (map == null) { - map = new HashMap(); - cache.put(session, map); - session.addListener(this); - } - if (map.containsKey(key)) { - return map.get(key); - } - boolean result = doAuthenticate(username, key, session); - map.put(key, result); - return result; - } - - private boolean doAuthenticate(String username, PublicKey suppliedKey, ServerSession session) { - SshDaemonClient client = session.getAttribute(SshDaemonClient.KEY); - Preconditions.checkState(client.getUser() == null); - username = username.toLowerCase(Locale.US); - List keys = keyManager.getKeys(username); - if (keys.isEmpty()) { - log.info("{} has not added any public keys for ssh authentication", username); - return false; - } - - SshKey pk = new SshKey(suppliedKey); - log.debug("auth supplied {}", pk.getFingerprint()); - - for (SshKey key : keys) { - log.debug("auth compare to {}", key.getFingerprint()); - if (key.getPublicKey().equals(suppliedKey)) { - UserModel user = authManager.authenticate(username, key); - if (user != null) { - client.setUser(user); - client.setKey(key); - return true; - } - } - } - - log.warn("could not authenticate {} for SSH using the supplied public key", username); - return false; - } - - @Override - public void sessionCreated(Session session) { - } - - @Override - public void sessionEvent(Session sesssion, Event event) { - } - - @Override - public void sessionClosed(Session session) { - cache.remove(session); - } -} diff --git a/src/main/java/com/gitblit/transport/ssh/FileBasedPubKeyAuth.java b/src/main/java/com/gitblit/transport/ssh/FileBasedPubKeyAuth.java new file mode 100644 index 00000000..b6a52f9c --- /dev/null +++ b/src/main/java/com/gitblit/transport/ssh/FileBasedPubKeyAuth.java @@ -0,0 +1,77 @@ +/* + * Copyright 2014 gitblit.com. + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy of + * the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations under + * the License. + */ +package com.gitblit.transport.ssh; + +import java.security.PublicKey; +import java.util.List; +import java.util.Locale; + +import org.apache.sshd.server.PublickeyAuthenticator; +import org.apache.sshd.server.session.ServerSession; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import com.gitblit.manager.IAuthenticationManager; +import com.gitblit.models.UserModel; +import com.google.common.base.Preconditions; + +/** + * Authenticates an SSH session against a public key. + * + */ +public class FileBasedPubKeyAuth implements PublickeyAuthenticator { + + protected final Logger log = LoggerFactory.getLogger(getClass()); + + protected final IPublicKeyManager keyManager; + + protected final IAuthenticationManager authManager; + + public FileBasedPubKeyAuth(IPublicKeyManager keyManager, IAuthenticationManager authManager) { + this.keyManager = keyManager; + this.authManager = authManager; + } + + @Override + public boolean authenticate(String username, PublicKey suppliedKey, ServerSession session) { + SshDaemonClient client = session.getAttribute(SshDaemonClient.KEY); + Preconditions.checkState(client.getUser() == null); + username = username.toLowerCase(Locale.US); + List keys = keyManager.getKeys(username); + if (keys.isEmpty()) { + log.info("{} has not added any public keys for ssh authentication", username); + return false; + } + + SshKey pk = new SshKey(suppliedKey); + log.debug("auth supplied {}", pk.getFingerprint()); + + for (SshKey key : keys) { + log.debug("auth compare to {}", key.getFingerprint()); + if (key.getPublicKey().equals(suppliedKey)) { + UserModel user = authManager.authenticate(username, key); + if (user != null) { + client.setUser(user); + client.setKey(key); + return true; + } + } + } + + log.warn("could not authenticate {} for SSH using the supplied public key", username); + return false; + } +} diff --git a/src/main/java/com/gitblit/transport/ssh/SshDaemon.java b/src/main/java/com/gitblit/transport/ssh/SshDaemon.java index 261daa66..2740e915 100644 --- a/src/main/java/com/gitblit/transport/ssh/SshDaemon.java +++ b/src/main/java/com/gitblit/transport/ssh/SshDaemon.java @@ -31,6 +31,7 @@ import org.apache.sshd.common.io.mina.MinaServiceFactoryFactory; import org.apache.sshd.common.io.nio2.Nio2ServiceFactoryFactory; import org.apache.sshd.common.keyprovider.FileKeyPairProvider; import org.apache.sshd.common.util.SecurityUtils; +import org.apache.sshd.server.auth.CachingPublicKeyAuthenticator; import org.bouncycastle.openssl.PEMWriter; import org.eclipse.jgit.internal.JGitText; import org.slf4j.Logger; @@ -96,7 +97,7 @@ public class SshDaemon { // Client public key authenticator CachingPublicKeyAuthenticator keyAuthenticator = - new CachingPublicKeyAuthenticator(gitblit.getPublicKeyManager(), gitblit); + new CachingPublicKeyAuthenticator(new FileBasedPubKeyAuth(gitblit.getPublicKeyManager(), gitblit)); // Configure the preferred SSHD backend String sshBackendStr = settings.getString(Keys.git.sshBackend,