author | Florian Zschocke <f.zschocke+git@gmail.com> | 2022-08-14 14:45:58 +0200 |
---|---|---|
committer | Florian Zschocke <f.zschocke+git@gmail.com> | 2022-08-14 14:45:58 +0200 |
commit | 8d3738a22609c5206c50d7f5fbbf17ddc8df6db7 (patch) | |
tree | b50b369047d43b9226620e2a2973eff188d0648f /src/main/java/com | |
parent | 1df20a06c93ac68203f10d89f025d6ee74f5f23b (diff) | |
Use existing setting but with new values
Instead of adding another setting and having to explain how the new one
and the existing `requireClientCertificates` setting are interdependent,
let's use the existing setting and add new values.
It is changed from a boolean to a string, with the values `required`,
`optional` and `disabled`. To keep backward compatibility with the old
values, the `true` value is mapped to `required` and the `false` value
is mapped to `optional`.
Diffstat (limited to 'src/main/java/com')
-rw-r--r-- | src/main/java/com/gitblit/Constants.java | 22 | ||||
-rw-r--r-- | src/main/java/com/gitblit/GitBlitServer.java | 15 |
2 files changed, 31 insertions, 6 deletions
diff --git a/src/main/java/com/gitblit/Constants.java b/src/main/java/com/gitblit/Constants.java
index ab503bd3..c73bc24b 100644
--- a/src/main/java/com/gitblit/Constants.java
+++ b/src/main/java/com/gitblit/Constants.java
@@ -645,6 +645,28 @@ public class Constants {
 }
}
+ public enum TlsClientCertPolicy {
+ REQUIRED, TRUE, OPTIONAL, FALSE, DISABLED, NONE;
+
+ public static TlsClientCertPolicy fromString(String value) {
+ for (TlsClientCertPolicy t : values()) {
+ if (t.name().equalsIgnoreCase(value)) {
+ switch(t) {
+ case TRUE:
+ return REQUIRED;
+ case FALSE:
+ return OPTIONAL;
+ case NONE:
+ return DISABLED;
+ default:
+ return t;
+ }
+ }
+ }
+ return TlsClientCertPolicy.OPTIONAL;
+ }
+ }
+
/**
* The type of merge Gitblit will use when merging a ticket to the integration branch.
* <p>
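Review bot: `fromString` returns `OPTIONAL` for every value it does not recognise, including `null` and a misspelling of `required`, so a typo in the setting quietly downgrades mandatory client certificates to optional ones. Nothing in the enum reports that the fallback was taken, and the call site in the GitBlitServer hunk does not check for it either. I would make the unknown case explicit, for example by ending the method with `throw new IllegalArgumentException("Unknown requireClientCertificates value: " + value);`, or at least have the caller log a warning before falling back. The alias constants `TRUE`, `FALSE` and `NONE` are never returned, which deserves a comment such as `// TRUE, FALSE and NONE are input aliases only; fromString never returns them.`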
diff --git a/src/main/java/com/gitblit/GitBlitServer.java b/src/main/java/com/gitblit/GitBlitServer.java
index 190cc5d2..63914121 100644
--- a/src/main/java/com/gitblit/GitBlitServer.java
+++ b/src/main/java/com/gitblit/GitBlitServer.java
@@ -57,6 +57,7 @@ import org.kohsuke.args4j.Option;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import com.gitblit.Constants.TlsClientCertPolicy;
 import com.gitblit.authority.GitblitAuthority;
 import com.gitblit.authority.NewCertificateConfig;
 import com.gitblit.servlet.GitblitContext;
@@ -289,10 +290,15 @@ public class GitBlitServer {
 logger.info("Setting up HTTPS transport on port " + params.securePort);
 GitblitSslContextFactory factory = new GitblitSslContextFactory(params.alias, serverKeyStore, serverTrustStore, params.storePassword, caRevocationList);
- if (params.requireClientCertificates) {
+ TlsClientCertPolicy clientCertPolicy = TlsClientCertPolicy.fromString(params.requireClientCertificates);
+ if (clientCertPolicy == TlsClientCertPolicy.REQUIRED) {
 factory.setNeedClientAuth(true);
+ } else if (clientCertPolicy == TlsClientCertPolicy.OPTIONAL) {
+ factory.setNeedClientAuth(false);
+ factory.setWantClientAuth(true);
 } else {
- factory.setWantClientAuth((params.wantClientCertificates));
+ factory.setNeedClientAuth(false);
+ factory.setWantClientAuth(false);
 }
 ServerConnector connector = new ServerConnector(server, factory);
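Review bot: The resolved client certificate policy is never logged in the `@@ -289,10 +290,15 @@` hunk, so the startup log does not show whether this connector enforces, requests or ignores client certificates. Since `fromString` maps `true`, `false`, `none` and any unrecognised text onto one of three modes, the raw setting alone does not tell an operator which mode is active. A line such as `logger.info("Client certificate policy for HTTPS: " + clientCertPolicy);` next to the existing port message would make the effective mode auditable. The enclosing method starts and ends outside this hunk.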
@@ -600,10 +606,7 @@ public class GitBlitServer {
 public Integer shutdownPort = FILESETTINGS.getInteger(Keys.server.shutdownPort, 8081);
 @Option(name = "--requireClientCertificates", usage = "Require client X509 certificates for https connections.")
- public Boolean requireClientCertificates = FILESETTINGS.getBoolean(Keys.server.requireClientCertificates, false);
-
- @Option(name = "--wantClientCertificates", usage = "Ask for optional client X509 certificate for https connections. Ignored if client certificates are required.")
- public Boolean wantClientCertificates = FILESETTINGS.getBoolean(Keys.server.wantClientCertificates, false);
+ public String requireClientCertificates = FILESETTINGS.getString(Keys.server.requireClientCertificates, "optional");
 /*
 * Setting overrides |
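Review bot: The `usage` text on `--requireClientCertificates` still describes a yes/no switch although the field is now a string with three values; it should name them, e.g. `usage = "Client X509 certificate policy for https connections: required, optional or disabled."`. Changing the field from `Boolean` to `String` probably also changes how the command line is parsed: a bare `--requireClientCertificates` that used to switch the requirement on may now need an argument, and anything it receives that is not a known value falls back to `optional` in `fromString`. That is worth confirming against the option parser and calling out in the release notes, because the failure mode is weaker client authentication rather than a startup error.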