authorJames Moger <james.moger@gitblit.com>2015-05-27 05:50:02 -0600
committerJames Moger <james.moger@gitblit.com>2015-05-27 05:50:02 -0600
commit0533ce7178d72797d5265f93b11d2823be326d5d (patch)
tree54fdfceca11ffbac84afdfe64146048035c9b5bc /src/main
parent423c8704165370d1785fd5ef956e8e4bf0952982 (diff)
parente97c01c140841667b1fa50a9ffa41bb60952e4ec (diff)
Merged #255 "Invalid kerberos patches, works now and with a test."
Diffstat (limited to 'src/main')
-rw-r--r--src/main/java/com/gitblit/manager/AuthenticationManager.java29
-rw-r--r--src/main/java/com/gitblit/manager/GitblitManager.java5
-rw-r--r--src/main/java/com/gitblit/manager/IAuthenticationManager.java10
-rw-r--r--src/main/java/com/gitblit/transport/ssh/SshDaemon.java2
-rw-r--r--src/main/java/com/gitblit/transport/ssh/SshKrbAuthenticator.java52
5 files changed, 97 insertions, 1 deletions
diff --git a/src/main/java/com/gitblit/manager/AuthenticationManager.java b/src/main/java/com/gitblit/manager/AuthenticationManager.java
index cbf0a1bd..38e45a6f 100644
--- a/src/main/java/com/gitblit/manager/AuthenticationManager.java
+++ b/src/main/java/com/gitblit/manager/AuthenticationManager.java
@@ -374,6 +374,35 @@ public class AuthenticationManager implements IAuthenticationManager {
/**
+ * Return the UserModel for already authenticated user.
+ *
+ * This implementation assumes that the authentication has already take place
+ * (e.g. SSHDaemon) and that this is a validation/verification of the user.
+ *
+ * @param username
+ * @return a user object or null
+ */
+ @Override
+ public UserModel authenticate(String username) {
+ if (username != null) {
+ if (!StringUtils.isEmpty(username)) {
+ UserModel user = userManager.getUserModel(username);
+ if (user != null) {
+ // existing user
+ logger.debug(MessageFormat.format("{0} authenticated externally", user.username));
+ return validateAuthentication(user, AuthenticationType.CONTAINER);
+ }
+ logger.warn(MessageFormat.format("Failed to find UserModel for {0} during external authentication",
+ username));
+ }
+ } else {
+ logger.warn("Empty user passed to AuthenticationManager.authenticate!");
+ }
+ return null;
+ }
+
+
+ /**
* This method allows the authentication manager to reject authentication
* attempts. It is called after the username/secret have been verified to
* ensure that the authentication technique has been logged.
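Review bot: The new authenticate(String) returns a validated UserModel for any existing username without checking a credential, so its safety rests entirely on each caller having verified the identity first. The Javadoc only says it "assumes" this; state it as a precondition, e.g. `Callers MUST have verified the identity already; this method checks no credential.`, and the same applies to the GitblitManager delegate and the IAuthenticationManager declaration added in this commit. The login is recorded as `AuthenticationType.CONTAINER`, which may make an externally authenticated SSH session indistinguishable from a servlet-container login in whatever validateAuthentication enforces or logs. Separately, a non-null empty username skips the inner `if` and returns null with no log line, while the "Empty user" warning fires only for null. One guard, `if (StringUtils.isEmpty(username)) { logger.warn(...); return null; }`, would cover both, assuming StringUtils.isEmpty treats null as empty.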
diff --git a/src/main/java/com/gitblit/manager/GitblitManager.java b/src/main/java/com/gitblit/manager/GitblitManager.java
index deaa5347..8d25b3f5 100644
--- a/src/main/java/com/gitblit/manager/GitblitManager.java
+++ b/src/main/java/com/gitblit/manager/GitblitManager.java
@@ -662,6 +662,11 @@ public class GitblitManager implements IGitblit {
}
@Override
+ public UserModel authenticate(String username) {
+ return authenticationManager.authenticate(username);
+ }
+
+ @Override
public UserModel authenticate(HttpServletRequest httpRequest, boolean requiresCertificate) {
UserModel user = authenticationManager.authenticate(httpRequest, requiresCertificate);
if (user == null) {
diff --git a/src/main/java/com/gitblit/manager/IAuthenticationManager.java b/src/main/java/com/gitblit/manager/IAuthenticationManager.java
index d48ec534..c81092b9 100644
--- a/src/main/java/com/gitblit/manager/IAuthenticationManager.java
+++ b/src/main/java/com/gitblit/manager/IAuthenticationManager.java
@@ -71,6 +71,16 @@ public interface IAuthenticationManager extends IManager {
UserModel authenticate(String username, char[] password);
/**
+ * Return the UserModel for already authenticated user.
+ *
+ * @see IUserService.authenticate(String, char[])
+ * @param username
+ * @return a user object or null
+ * @since 1.7.0
+ */
+ UserModel authenticate(String username);
+
+ /**
* Returns the Gitlbit cookie in the request.
*
* @param request
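Review bot: The `@see IUserService.authenticate(String, char[])` tag on the new declaration is not valid Javadoc member syntax, and it points readers at a password-checking method although this overload takes no secret. If the intent is to cross-reference the credential overload declared just above, use `@see #authenticate(String, char[])`. The description should also say outright that no credential is verified here and that the username must come from an authentication step that has already succeeded. The `@param username` tag has no description; something like `@param username name of the externally authenticated account` would do.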
diff --git a/src/main/java/com/gitblit/transport/ssh/SshDaemon.java b/src/main/java/com/gitblit/transport/ssh/SshDaemon.java
index ec7d7c36..0ff5c284 100644
--- a/src/main/java/com/gitblit/transport/ssh/SshDaemon.java
+++ b/src/main/java/com/gitblit/transport/ssh/SshDaemon.java
@@ -134,7 +134,7 @@ public class SshDaemon {
//Will do GSS ?
GSSAuthenticator gssAuthenticator = null;
if(settings.getBoolean(Keys.git.sshWithKrb5, false)) {
- gssAuthenticator = new GSSAuthenticator();
+ gssAuthenticator = new SshKrbAuthenticator(gitblit);
String keytabString = settings.getString(Keys.git.sshKrb5Keytab,
"");
if(! keytabString.isEmpty()) {
diff --git a/src/main/java/com/gitblit/transport/ssh/SshKrbAuthenticator.java b/src/main/java/com/gitblit/transport/ssh/SshKrbAuthenticator.java
new file mode 100644
index 00000000..8170c934
--- /dev/null
+++ b/src/main/java/com/gitblit/transport/ssh/SshKrbAuthenticator.java
@@ -0,0 +1,52 @@
+/*
+ * Copyright 2015 gitblit.com.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gitblit.transport.ssh;
+
+import com.gitblit.manager.IAuthenticationManager;
+import com.gitblit.models.UserModel;
+import java.util.Locale;
+import org.apache.sshd.server.auth.gss.GSSAuthenticator;
+import org.apache.sshd.server.session.ServerSession;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class SshKrbAuthenticator extends GSSAuthenticator {
+
+ protected final Logger log = LoggerFactory.getLogger(getClass());
+ protected final IAuthenticationManager authManager;
+
+ public SshKrbAuthenticator(IAuthenticationManager authManager) {
+ this.authManager = authManager;
+ log.info("registry {}", authManager);
+ }
+
+ public boolean validateIdentity(ServerSession session, String identity) {
+ log.info("identify with kerberos {}", identity);
+ SshDaemonClient client = (SshDaemonClient)session.getAttribute(SshDaemonClient.KEY);
+ if (client.getUser() != null) {
+ log.info("{} has already authenticated!", identity);
+ return true;
+ }
+ String username = identity.toLowerCase(Locale.US);
+ UserModel user = authManager.authenticate(username);
+ if (user != null) {
+ client.setUser(user);
+ return true;
+ }
+ log.warn("could not authenticate {} for SSH", username);
+ return false;
+ }
+}
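Review bot: The early return in validateIdentity accepts any Kerberos identity once `client.getUser()` is non-null, without checking that the identity belongs to the user already bound to the session. Unless that is intentional, compute `username` first and return `username.equalsIgnoreCase(client.getUser().username)` in that branch. The method carries no `@Override`, so if its signature ever drifts from GSSAuthenticator's the parent implementation would stay in effect with no compile error; add the annotation. `session.getAttribute(SshDaemonClient.KEY)` and `identity` are dereferenced without a null check, and a missing attribute or identity should fail validation (`return false`) rather than throw. If `identity` can arrive as a full principal with a realm suffix, the realm is lowercased into the lookup name but never compared against an expected realm, which is worth confirming against the SSHD caller.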