diff options
| -rw-r--r-- | .classpath | 2 | ||||
| -rw-r--r-- | build.moxie | 2 | ||||
| -rw-r--r-- | gitblit.iml | 22 | ||||
| -rw-r--r-- | src/main/distrib/data/gitblit.properties | 17 | ||||
| -rw-r--r-- | src/main/java/com/gitblit/GitBlitServer.java | 1408 | ||||
| -rw-r--r-- | src/main/java/com/gitblit/manager/ServicesManager.java | 18 | ||||
| -rw-r--r-- | src/main/java/com/gitblit/transport/ssh/AbstractSshCommand.java | 75 | ||||
| -rw-r--r-- | src/main/java/com/gitblit/transport/ssh/SshCommandFactory.java | 164 | ||||
| -rw-r--r-- | src/main/java/com/gitblit/transport/ssh/SshCommandServer.java | 217 | ||||
| -rw-r--r-- | src/main/java/com/gitblit/transport/ssh/SshDaemon.java | 159 | ||||
| -rw-r--r-- | src/main/java/com/gitblit/transport/ssh/SshDaemonClient.java | 37 | ||||
| -rw-r--r-- | src/main/java/com/gitblit/transport/ssh/SshKeyAuthenticator.java | 43 |
12 files changed, 1462 insertions, 702 deletions
@@ -52,6 +52,8 @@ <classpathentry kind="lib" path="ext/bcprov-jdk15on-1.49.jar" sourcepath="ext/src/bcprov-jdk15on-1.49.jar" /> <classpathentry kind="lib" path="ext/bcmail-jdk15on-1.49.jar" sourcepath="ext/src/bcmail-jdk15on-1.49.jar" /> <classpathentry kind="lib" path="ext/bcpkix-jdk15on-1.49.jar" sourcepath="ext/src/bcpkix-jdk15on-1.49.jar" /> + <classpathentry kind="lib" path="ext/sshd-core-0.6.0.jar" sourcepath="ext/src/sshd-core-0.6.0.jar" /> + <classpathentry kind="lib" path="ext/mina-core-2.0.2.jar" sourcepath="ext/src/mina-core-2.0.2.jar" /> <classpathentry kind="lib" path="ext/rome-0.9.jar" sourcepath="ext/src/rome-0.9.jar" /> <classpathentry kind="lib" path="ext/jdom-1.0.jar" sourcepath="ext/src/jdom-1.0.jar" /> <classpathentry kind="lib" path="ext/gson-1.7.2.jar" sourcepath="ext/src/gson-1.7.2.jar" /> diff --git a/build.moxie b/build.moxie index 19a9027f..7c392266 100644 --- a/build.moxie +++ b/build.moxie @@ -109,6 +109,7 @@ properties: { bouncycastle.version : 1.49 selenium.version : 2.28.0 wikitext.version : 1.4 + sshd.version: 0.6.0 } # Dependencies @@ -155,6 +156,7 @@ dependencies: - compile 'org.bouncycastle:bcprov-jdk15on:${bouncycastle.version}' :war :authority - compile 'org.bouncycastle:bcmail-jdk15on:${bouncycastle.version}' :war :authority - compile 'org.bouncycastle:bcpkix-jdk15on:${bouncycastle.version}' :war :authority +- compile 'org.apache.sshd:sshd-core:${sshd.version}' :war !org.easymock - compile 'rome:rome:0.9' :war :manager :api - compile 'com.google.code.gson:gson:1.7.2' :war :fedclient :manager :api - compile 'org.codehaus.groovy:groovy-all:${groovy.version}' :war diff --git a/gitblit.iml b/gitblit.iml index 8e787cba..c114d4d0 100644 --- a/gitblit.iml +++ b/gitblit.iml @@ -529,6 +529,28 @@ </library> </orderEntry> <orderEntry type="module-library"> + <library name="sshd-core-0.6.0.jar"> + <CLASSES> + <root url="jar://$MODULE_DIR$/ext/sshd-core-0.6.0.jar!/" /> + </CLASSES> + <JAVADOC /> + <SOURCES> + <root url="jar://$MODULE_DIR$/ext/src/sshd-core-0.6.0.jar!/" /> + </SOURCES> + </library> + </orderEntry> + <orderEntry type="module-library"> + <library name="mina-core-2.0.2.jar"> + <CLASSES> + <root url="jar://$MODULE_DIR$/ext/mina-core-2.0.2.jar!/" /> + </CLASSES> + <JAVADOC /> + <SOURCES> + <root url="jar://$MODULE_DIR$/ext/src/mina-core-2.0.2.jar!/" /> + </SOURCES> + </library> + </orderEntry> + <orderEntry type="module-library"> <library name="rome-0.9.jar"> <CLASSES> <root url="jar://$MODULE_DIR$/ext/rome-0.9.jar!/" /> diff --git a/src/main/distrib/data/gitblit.properties b/src/main/distrib/data/gitblit.properties index 3c605394..5bc28fd6 100644 --- a/src/main/distrib/data/gitblit.properties +++ b/src/main/distrib/data/gitblit.properties @@ -93,6 +93,23 @@ git.daemonBindInterface = # RESTART REQUIRED
git.daemonPort = 9418
+# The port for serving the SSH service. <= 0 disables this service.
+# On Unix/Linux systems, ports < 1024 require root permissions.
+# Recommended value: 29418
+#
+# SINCE 1.5.0
+# RESTART REQUIRED
+git.sshPort = 29418
+
+# Specify the interface for the SSH daemon to bind its service.
+# You may specify an ip or an empty value to bind to all interfaces.
+# Specifying localhost will result in Gitblit ONLY listening to requests to
+# localhost.
+#
+# SINCE 1.5.0
+# RESTART REQUIRED
+git.sshBindInterface = localhost
+
# Allow push/pull over http/https with JGit servlet.
# If you do NOT want to allow Git clients to clone/push to Gitblit set this
# to false. You might want to do this if you are only using ssh:// or git://.
diff --git a/src/main/java/com/gitblit/GitBlitServer.java b/src/main/java/com/gitblit/GitBlitServer.java index 64d3cadd..c37bc3a1 100644 --- a/src/main/java/com/gitblit/GitBlitServer.java +++ b/src/main/java/com/gitblit/GitBlitServer.java @@ -1,703 +1,707 @@ -/*
- * Copyright 2011 gitblit.com.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package com.gitblit;
-
-import java.io.BufferedReader;
-import java.io.BufferedWriter;
-import java.io.File;
-import java.io.FileWriter;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.InputStreamReader;
-import java.io.OutputStream;
-import java.net.InetAddress;
-import java.net.ServerSocket;
-import java.net.Socket;
-import java.net.URI;
-import java.net.URL;
-import java.net.UnknownHostException;
-import java.security.ProtectionDomain;
-import java.text.MessageFormat;
-import java.util.ArrayList;
-import java.util.Date;
-import java.util.List;
-import java.util.Properties;
-import java.util.Scanner;
-
-import org.apache.log4j.PropertyConfigurator;
-import org.eclipse.jetty.ajp.Ajp13SocketConnector;
-import org.eclipse.jetty.security.ConstraintMapping;
-import org.eclipse.jetty.security.ConstraintSecurityHandler;
-import org.eclipse.jetty.server.Connector;
-import org.eclipse.jetty.server.Server;
-import org.eclipse.jetty.server.bio.SocketConnector;
-import org.eclipse.jetty.server.nio.SelectChannelConnector;
-import org.eclipse.jetty.server.session.HashSessionManager;
-import org.eclipse.jetty.server.ssl.SslConnector;
-import org.eclipse.jetty.server.ssl.SslSelectChannelConnector;
-import org.eclipse.jetty.server.ssl.SslSocketConnector;
-import org.eclipse.jetty.util.security.Constraint;
-import org.eclipse.jetty.util.thread.QueuedThreadPool;
-import org.eclipse.jetty.webapp.WebAppContext;
-import org.eclipse.jgit.storage.file.FileBasedConfig;
-import org.eclipse.jgit.util.FS;
-import org.eclipse.jgit.util.FileUtils;
-import org.kohsuke.args4j.CmdLineException;
-import org.kohsuke.args4j.CmdLineParser;
-import org.kohsuke.args4j.Option;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.gitblit.authority.GitblitAuthority;
-import com.gitblit.authority.NewCertificateConfig;
-import com.gitblit.servlet.GitblitContext;
-import com.gitblit.utils.StringUtils;
-import com.gitblit.utils.TimeUtils;
-import com.gitblit.utils.X509Utils;
-import com.gitblit.utils.X509Utils.X509Log;
-import com.gitblit.utils.X509Utils.X509Metadata;
-import com.unboundid.ldap.listener.InMemoryDirectoryServer;
-import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
-import com.unboundid.ldap.listener.InMemoryListenerConfig;
-import com.unboundid.ldif.LDIFReader;
-
-/**
- * GitBlitServer is the embedded Jetty server for Gitblit GO. This class starts
- * and stops an instance of Jetty that is configured from a combination of the
- * gitblit.properties file and command line parameters. JCommander is used to
- * simplify command line parameter processing. This class also automatically
- * generates a self-signed certificate for localhost, if the keystore does not
- * already exist.
- *
- * @author James Moger
- *
- */
-public class GitBlitServer {
-
- private static Logger logger;
-
- public static void main(String... args) {
- GitBlitServer server = new GitBlitServer();
-
- // filter out the baseFolder parameter
- List<String> filtered = new ArrayList<String>();
- String folder = "data";
- for (int i = 0; i < args.length; i++) {
- String arg = args[i];
- if (arg.equals("--baseFolder")) {
- if (i + 1 == args.length) {
- System.out.println("Invalid --baseFolder parameter!");
- System.exit(-1);
- } else if (!".".equals(args[i + 1])) {
- folder = args[i + 1];
- }
- i = i + 1;
- } else {
- filtered.add(arg);
- }
- }
-
- Params.baseFolder = folder;
- Params params = new Params();
- CmdLineParser parser = new CmdLineParser(params);
- try {
- parser.parseArgument(filtered);
- if (params.help) {
- server.usage(parser, null);
- }
- } catch (CmdLineException t) {
- server.usage(parser, t);
- }
-
- if (params.stop) {
- server.stop(params);
- } else {
- server.start(params);
- }
- }
-
- /**
- * Display the command line usage of Gitblit GO.
- *
- * @param parser
- * @param t
- */
- protected final void usage(CmdLineParser parser, CmdLineException t) {
- System.out.println(Constants.BORDER);
- System.out.println(Constants.getGitBlitVersion());
- System.out.println(Constants.BORDER);
- System.out.println();
- if (t != null) {
- System.out.println(t.getMessage());
- System.out.println();
- }
- if (parser != null) {
- parser.printUsage(System.out);
- System.out
- .println("\nExample:\n java -server -Xmx1024M -jar gitblit.jar --repositoriesFolder c:\\git --httpPort 80 --httpsPort 443");
- }
- System.exit(0);
- }
-
- /**
- * Stop Gitblt GO.
- */
- public void stop(Params params) {
- try {
- Socket s = new Socket(InetAddress.getByName("127.0.0.1"), params.shutdownPort);
- OutputStream out = s.getOutputStream();
- System.out.println("Sending Shutdown Request to " + Constants.NAME);
- out.write("\r\n".getBytes());
- out.flush();
- s.close();
- } catch (UnknownHostException e) {
- e.printStackTrace();
- } catch (IOException e) {
- e.printStackTrace();
- }
- }
-
- /**
- * Start Gitblit GO.
- */
- protected final void start(Params params) {
- final File baseFolder = new File(Params.baseFolder).getAbsoluteFile();
- FileSettings settings = params.FILESETTINGS;
- if (!StringUtils.isEmpty(params.settingsfile)) {
- if (new File(params.settingsfile).exists()) {
- settings = new FileSettings(params.settingsfile);
- }
- }
-
- if (params.dailyLogFile) {
- // Configure log4j for daily log file generation
- InputStream is = null;
- try {
- is = getClass().getResourceAsStream("/log4j.properties");
- Properties loggingProperties = new Properties();
- loggingProperties.load(is);
-
- loggingProperties.put("log4j.appender.R.File", new File(baseFolder, "logs/gitblit.log").getAbsolutePath());
- loggingProperties.put("log4j.rootCategory", "INFO, R");
-
- if (settings.getBoolean(Keys.web.debugMode, false)) {
- loggingProperties.put("log4j.logger.com.gitblit", "DEBUG");
- }
-
- PropertyConfigurator.configure(loggingProperties);
- } catch (Exception e) {
- e.printStackTrace();
- } finally {
- try {
- is.close();
- } catch (IOException e) {
- e.printStackTrace();
- }
- }
- }
-
- logger = LoggerFactory.getLogger(GitBlitServer.class);
- logger.info(Constants.BORDER);
- logger.info(" _____ _ _ _ _ _ _");
- logger.info(" | __ \\(_)| | | | | |(_)| |");
- logger.info(" | | \\/ _ | |_ | |__ | | _ | |_");
- logger.info(" | | __ | || __|| '_ \\ | || || __|");
- logger.info(" | |_\\ \\| || |_ | |_) || || || |_");
- logger.info(" \\____/|_| \\__||_.__/ |_||_| \\__|");
- int spacing = (Constants.BORDER.length() - Constants.getGitBlitVersion().length()) / 2;
- StringBuilder sb = new StringBuilder();
- while (spacing > 0) {
- spacing--;
- sb.append(' ');
- }
- logger.info(sb.toString() + Constants.getGitBlitVersion());
- logger.info("");
- logger.info(Constants.BORDER);
-
- System.setProperty("java.awt.headless", "true");
-
- String osname = System.getProperty("os.name");
- String osversion = System.getProperty("os.version");
- logger.info("Running on " + osname + " (" + osversion + ")");
-
- List<Connector> connectors = new ArrayList<Connector>();
-
- // conditionally configure the http connector
- if (params.port > 0) {
- Connector httpConnector = createConnector(params.useNIO, params.port, settings.getInteger(Keys.server.threadPoolSize, 50));
- String bindInterface = settings.getString(Keys.server.httpBindInterface, null);
- if (!StringUtils.isEmpty(bindInterface)) {
- logger.warn(MessageFormat.format("Binding connector on port {0,number,0} to {1}",
- params.port, bindInterface));
- httpConnector.setHost(bindInterface);
- }
- if (params.port < 1024 && !isWindows()) {
- logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!");
- }
- if (params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) {
- // redirect HTTP requests to HTTPS
- if (httpConnector instanceof SelectChannelConnector) {
- ((SelectChannelConnector) httpConnector).setConfidentialPort(params.securePort);
- } else {
- ((SocketConnector) httpConnector).setConfidentialPort(params.securePort);
- }
- }
- connectors.add(httpConnector);
- }
-
- // conditionally configure the https connector
- if (params.securePort > 0) {
- File certificatesConf = new File(baseFolder, X509Utils.CA_CONFIG);
- File serverKeyStore = new File(baseFolder, X509Utils.SERVER_KEY_STORE);
- File serverTrustStore = new File(baseFolder, X509Utils.SERVER_TRUST_STORE);
- File caRevocationList = new File(baseFolder, X509Utils.CA_REVOCATION_LIST);
-
- // generate CA & web certificates, create certificate stores
- X509Metadata metadata = new X509Metadata("localhost", params.storePassword);
- // set default certificate values from config file
- if (certificatesConf.exists()) {
- FileBasedConfig config = new FileBasedConfig(certificatesConf, FS.detect());
- try {
- config.load();
- } catch (Exception e) {
- logger.error("Error parsing " + certificatesConf, e);
- }
- NewCertificateConfig certificateConfig = NewCertificateConfig.KEY.parse(config);
- certificateConfig.update(metadata);
- }
-
- metadata.notAfter = new Date(System.currentTimeMillis() + 10*TimeUtils.ONEYEAR);
- X509Utils.prepareX509Infrastructure(metadata, baseFolder, new X509Log() {
- @Override
- public void log(String message) {
- BufferedWriter writer = null;
- try {
- writer = new BufferedWriter(new FileWriter(new File(baseFolder, X509Utils.CERTS + File.separator + "log.txt"), true));
- writer.write(MessageFormat.format("{0,date,yyyy-MM-dd HH:mm}: {1}", new Date(), message));
- writer.newLine();
- writer.flush();
- } catch (Exception e) {
- LoggerFactory.getLogger(GitblitAuthority.class).error("Failed to append log entry!", e);
- } finally {
- if (writer != null) {
- try {
- writer.close();
- } catch (IOException e) {
- }
- }
- }
- }
- });
-
- if (serverKeyStore.exists()) {
- Connector secureConnector = createSSLConnector(params.alias, serverKeyStore, serverTrustStore, params.storePassword,
- caRevocationList, params.useNIO, params.securePort, settings.getInteger(Keys.server.threadPoolSize, 50), params.requireClientCertificates);
- String bindInterface = settings.getString(Keys.server.httpsBindInterface, null);
- if (!StringUtils.isEmpty(bindInterface)) {
- logger.warn(MessageFormat.format(
- "Binding ssl connector on port {0,number,0} to {1}", params.securePort,
- bindInterface));
- secureConnector.setHost(bindInterface);
- }
- if (params.securePort < 1024 && !isWindows()) {
- logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!");
- }
- connectors.add(secureConnector);
- } else {
- logger.warn("Failed to find or load Keystore?");
- logger.warn("SSL connector DISABLED.");
- }
- }
-
- // conditionally configure the ajp connector
- if (params.ajpPort > 0) {
- Connector ajpConnector = createAJPConnector(params.ajpPort);
- String bindInterface = settings.getString(Keys.server.ajpBindInterface, null);
- if (!StringUtils.isEmpty(bindInterface)) {
- logger.warn(MessageFormat.format("Binding connector on port {0,number,0} to {1}",
- params.ajpPort, bindInterface));
- ajpConnector.setHost(bindInterface);
- }
- if (params.ajpPort < 1024 && !isWindows()) {
- logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!");
- }
- connectors.add(ajpConnector);
- }
-
- // tempDir is where the embedded Gitblit web application is expanded and
- // where Jetty creates any necessary temporary files
- File tempDir = com.gitblit.utils.FileUtils.resolveParameter(Constants.baseFolder$, baseFolder, params.temp);
- if (tempDir.exists()) {
- try {
- FileUtils.delete(tempDir, FileUtils.RECURSIVE | FileUtils.RETRY);
- } catch (IOException x) {
- logger.warn("Failed to delete temp dir " + tempDir.getAbsolutePath(), x);
- }
- }
- if (!tempDir.mkdirs()) {
- logger.warn("Failed to create temp dir " + tempDir.getAbsolutePath());
- }
-
- Server server = new Server();
- server.setStopAtShutdown(true);
- server.setConnectors(connectors.toArray(new Connector[connectors.size()]));
-
- // Get the execution path of this class
- // We use this to set the WAR path.
- ProtectionDomain protectionDomain = GitBlitServer.class.getProtectionDomain();
- URL location = protectionDomain.getCodeSource().getLocation();
-
- // Root WebApp Context
- WebAppContext rootContext = new WebAppContext();
- rootContext.setContextPath(settings.getString(Keys.server.contextPath, "/"));
- rootContext.setServer(server);
- rootContext.setWar(location.toExternalForm());
- rootContext.setTempDirectory(tempDir);
-
- // Set cookies HttpOnly so they are not accessible to JavaScript engines
- HashSessionManager sessionManager = new HashSessionManager();
- sessionManager.setHttpOnly(true);
- // Use secure cookies if only serving https
- sessionManager.setSecureRequestOnly(params.port <= 0 && params.securePort > 0);
- rootContext.getSessionHandler().setSessionManager(sessionManager);
-
- // Ensure there is a defined User Service
- String realmUsers = params.userService;
- if (StringUtils.isEmpty(realmUsers)) {
- logger.error(MessageFormat.format("PLEASE SPECIFY {0}!!", Keys.realm.userService));
- return;
- }
-
- // Override settings from the command-line
- settings.overrideSetting(Keys.realm.userService, params.userService);
- settings.overrideSetting(Keys.git.repositoriesFolder, params.repositoriesFolder);
- settings.overrideSetting(Keys.git.daemonPort, params.gitPort);
-
- // Start up an in-memory LDAP server, if configured
- try {
- if (!StringUtils.isEmpty(params.ldapLdifFile)) {
- File ldifFile = new File(params.ldapLdifFile);
- if (ldifFile != null && ldifFile.exists()) {
- URI ldapUrl = new URI(settings.getRequiredString(Keys.realm.ldap.server));
- String firstLine = new Scanner(ldifFile).nextLine();
- String rootDN = firstLine.substring(4);
- String bindUserName = settings.getString(Keys.realm.ldap.username, "");
- String bindPassword = settings.getString(Keys.realm.ldap.password, "");
-
- // Get the port
- int port = ldapUrl.getPort();
- if (port == -1)
- port = 389;
-
- InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig(rootDN);
- config.addAdditionalBindCredentials(bindUserName, bindPassword);
- config.setListenerConfigs(InMemoryListenerConfig.createLDAPConfig("default", port));
- config.setSchema(null);
-
- InMemoryDirectoryServer ds = new InMemoryDirectoryServer(config);
- ds.importFromLDIF(true, new LDIFReader(ldifFile));
- ds.startListening();
-
- logger.info("LDAP Server started at ldap://localhost:" + port);
- }
- }
- } catch (Exception e) {
- // Completely optional, just show a warning
- logger.warn("Unable to start LDAP server", e);
- }
-
- // Set the server's contexts
- server.setHandler(rootContext);
-
- // redirect HTTP requests to HTTPS
- if (params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) {
- logger.info(String.format("Configuring automatic http(%1$s) -> https(%2$s) redirects", params.port, params.securePort));
- // Create the internal mechanisms to handle secure connections and redirects
- Constraint constraint = new Constraint();
- constraint.setDataConstraint(Constraint.DC_CONFIDENTIAL);
-
- ConstraintMapping cm = new ConstraintMapping();
- cm.setConstraint(constraint);
- cm.setPathSpec("/*");
-
- ConstraintSecurityHandler sh = new ConstraintSecurityHandler();
- sh.setConstraintMappings(new ConstraintMapping[] { cm });
-
- // Configure this context to use the Security Handler defined before
- rootContext.setHandler(sh);
- }
-
- // Setup the Gitblit context
- GitblitContext gitblit = newGitblit(settings, baseFolder);
- rootContext.addEventListener(gitblit);
-
- try {
- // start the shutdown monitor
- if (params.shutdownPort > 0) {
- Thread shutdownMonitor = new ShutdownMonitorThread(server, params);
- shutdownMonitor.start();
- }
-
- // start Jetty
- server.start();
- server.join();
- } catch (Exception e) {
- e.printStackTrace();
- System.exit(100);
- }
- }
-
- protected GitblitContext newGitblit(IStoredSettings settings, File baseFolder) {
- return new GitblitContext(settings, baseFolder);
- }
-
- /**
- * Creates an http connector.
- *
- * @param useNIO
- * @param port
- * @param threadPoolSize
- * @return an http connector
- */
- private Connector createConnector(boolean useNIO, int port, int threadPoolSize) {
- Connector connector;
- if (useNIO) {
- logger.info("Setting up NIO SelectChannelConnector on port " + port);
- SelectChannelConnector nioconn = new SelectChannelConnector();
- nioconn.setSoLingerTime(-1);
- if (threadPoolSize > 0) {
- nioconn.setThreadPool(new QueuedThreadPool(threadPoolSize));
- }
- connector = nioconn;
- } else {
- logger.info("Setting up SocketConnector on port " + port);
- SocketConnector sockconn = new SocketConnector();
- if (threadPoolSize > 0) {
- sockconn.setThreadPool(new QueuedThreadPool(threadPoolSize));
- }
- connector = sockconn;
- }
-
- connector.setPort(port);
- connector.setMaxIdleTime(30000);
- return connector;
- }
-
- /**
- * Creates an https connector.
- *
- * SSL renegotiation will be enabled if the JVM is 1.6.0_22 or later.
- * oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html
- *
- * @param certAlias
- * @param keyStore
- * @param clientTrustStore
- * @param storePassword
- * @param caRevocationList
- * @param useNIO
- * @param port
- * @param threadPoolSize
- * @param requireClientCertificates
- * @return an https connector
- */
- private Connector createSSLConnector(String certAlias, File keyStore, File clientTrustStore,
- String storePassword, File caRevocationList, boolean useNIO, int port, int threadPoolSize,
- boolean requireClientCertificates) {
- GitblitSslContextFactory factory = new GitblitSslContextFactory(certAlias,
- keyStore, clientTrustStore, storePassword, caRevocationList);
- SslConnector connector;
- if (useNIO) {
- logger.info("Setting up NIO SslSelectChannelConnector on port " + port);
- SslSelectChannelConnector ssl = new SslSelectChannelConnector(factory);
- ssl.setSoLingerTime(-1);
- if (requireClientCertificates) {
- factory.setNeedClientAuth(true);
- } else {
- factory.setWantClientAuth(true);
- }
- if (threadPoolSize > 0) {
- ssl.setThreadPool(new QueuedThreadPool(threadPoolSize));
- }
- connector = ssl;
- } else {
- logger.info("Setting up NIO SslSocketConnector on port " + port);
- SslSocketConnector ssl = new SslSocketConnector(factory);
- if (threadPoolSize > 0) {
- ssl.setThreadPool(new QueuedThreadPool(threadPoolSize));
- }
- connector = ssl;
- }
- connector.setPort(port);
- connector.setMaxIdleTime(30000);
-
- return connector;
- }
-
- /**
- * Creates an ajp connector.
- *
- * @param port
- * @return an ajp connector
- */
- private Connector createAJPConnector(int port) {
- logger.info("Setting up AJP Connector on port " + port);
- Ajp13SocketConnector ajp = new Ajp13SocketConnector();
- ajp.setPort(port);
- if (port < 1024 && !isWindows()) {
- logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!");
- }
- return ajp;
- }
-
- /**
- * Tests to see if the operating system is Windows.
- *
- * @return true if this is a windows machine
- */
- private boolean isWindows() {
- return System.getProperty("os.name").toLowerCase().indexOf("windows") > -1;
- }
-
- /**
- * The ShutdownMonitorThread opens a socket on a specified port and waits
- * for an incoming connection. When that connection is accepted a shutdown
- * message is issued to the running Jetty server.
- *
- * @author James Moger
- *
- */
- private static class ShutdownMonitorThread extends Thread {
-
- private final ServerSocket socket;
-
- private final Server server;
-
- private final Logger logger = LoggerFactory.getLogger(ShutdownMonitorThread.class);
-
- public ShutdownMonitorThread(Server server, Params params) {
- this.server = server;
- setDaemon(true);
- setName(Constants.NAME + " Shutdown Monitor");
- ServerSocket skt = null;
- try {
- skt = new ServerSocket(params.shutdownPort, 1, InetAddress.getByName("127.0.0.1"));
- } catch (Exception e) {
- logger.warn("Could not open shutdown monitor on port " + params.shutdownPort, e);
- }
- socket = skt;
- }
-
- @Override
- public void run() {
- logger.info("Shutdown Monitor listening on port " + socket.getLocalPort());
- Socket accept;
- try {
- accept = socket.accept();
- BufferedReader reader = new BufferedReader(new InputStreamReader(
- accept.getInputStream()));
- reader.readLine();
- logger.info(Constants.BORDER);
- logger.info("Stopping " + Constants.NAME);
- logger.info(Constants.BORDER);
- server.stop();
- server.setStopAtShutdown(false);
- accept.close();
- socket.close();
- } catch (Exception e) {
- logger.warn("Failed to shutdown Jetty", e);
- }
- }
- }
-
- /**
- * Parameters class for GitBlitServer.
- */
- public static class Params {
-
- public static String baseFolder;
-
- private final FileSettings FILESETTINGS = new FileSettings(new File(baseFolder, Constants.PROPERTIES_FILE).getAbsolutePath());
-
- /*
- * Server parameters
- */
- @Option(name = "--help", aliases = { "-h"}, usage = "Show this help")
- public Boolean help = false;
-
- @Option(name = "--stop", usage = "Stop Server")
- public Boolean stop = false;
-
- @Option(name = "--tempFolder", usage = "Folder for server to extract built-in webapp", metaVar="PATH")
- public String temp = FILESETTINGS.getString(Keys.server.tempFolder, "temp");
-
- @Option(name = "--dailyLogFile", usage = "Log to a rolling daily log file INSTEAD of stdout.")
- public Boolean dailyLogFile = false;
-
- /*
- * GIT Servlet Parameters
- */
- @Option(name = "--repositoriesFolder", usage = "Git Repositories Folder", metaVar="PATH")
- public String repositoriesFolder = FILESETTINGS.getString(Keys.git.repositoriesFolder,
- "git");
-
- /*
- * Authentication Parameters
- */
- @Option(name = "--userService", usage = "Authentication and Authorization Service (filename or fully qualified classname)")
- public String userService = FILESETTINGS.getString(Keys.realm.userService,
- "users.conf");
-
- /*
- * JETTY Parameters
- */
- @Option(name = "--useNio", usage = "Use NIO Connector else use Socket Connector.")
- public Boolean useNIO = FILESETTINGS.getBoolean(Keys.server.useNio, true);
-
- @Option(name = "--httpPort", usage = "HTTP port for to serve. (port <= 0 will disable this connector)", metaVar="PORT")
- public Integer port = FILESETTINGS.getInteger(Keys.server.httpPort, 0);
-
- @Option(name = "--httpsPort", usage = "HTTPS port to serve. (port <= 0 will disable this connector)", metaVar="PORT")
- public Integer securePort = FILESETTINGS.getInteger(Keys.server.httpsPort, 8443);
-
- @Option(name = "--ajpPort", usage = "AJP port to serve. (port <= 0 will disable this connector)", metaVar="PORT")
- public Integer ajpPort = FILESETTINGS.getInteger(Keys.server.ajpPort, 0);
-
- @Option(name = "--gitPort", usage = "Git Daemon port to serve. (port <= 0 will disable this connector)", metaVar="PORT")
- public Integer gitPort = FILESETTINGS.getInteger(Keys.git.daemonPort, 9418);
-
- @Option(name = "--alias", usage = "Alias of SSL certificate in keystore for serving https.", metaVar="ALIAS")
- public String alias = FILESETTINGS.getString(Keys.server.certificateAlias, "");
-
- @Option(name = "--storePassword", usage = "Password for SSL (https) keystore.", metaVar="PASSWORD")
- public String storePassword = FILESETTINGS.getString(Keys.server.storePassword, "");
-
- @Option(name = "--shutdownPort", usage = "Port for Shutdown Monitor to listen on. (port <= 0 will disable this monitor)", metaVar="PORT")
- public Integer shutdownPort = FILESETTINGS.getInteger(Keys.server.shutdownPort, 8081);
-
- @Option(name = "--requireClientCertificates", usage = "Require client X509 certificates for https connections.")
- public Boolean requireClientCertificates = FILESETTINGS.getBoolean(Keys.server.requireClientCertificates, false);
-
- /*
- * Setting overrides
- */
- @Option(name = "--settings", usage = "Path to alternative settings", metaVar="FILE")
- public String settingsfile;
-
- @Option(name = "--ldapLdifFile", usage = "Path to LDIF file. This will cause an in-memory LDAP server to be started according to gitblit settings", metaVar="FILE")
- public String ldapLdifFile;
-
- }
+/* + * Copyright 2011 gitblit.com. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.gitblit; + +import java.io.BufferedReader; +import java.io.BufferedWriter; +import java.io.File; +import java.io.FileWriter; +import java.io.IOException; +import java.io.InputStream; +import java.io.InputStreamReader; +import java.io.OutputStream; +import java.net.InetAddress; +import java.net.ServerSocket; +import java.net.Socket; +import java.net.URI; +import java.net.URL; +import java.net.UnknownHostException; +import java.security.ProtectionDomain; +import java.text.MessageFormat; +import java.util.ArrayList; +import java.util.Date; +import java.util.List; +import java.util.Properties; +import java.util.Scanner; + +import org.apache.log4j.PropertyConfigurator; +import org.eclipse.jetty.ajp.Ajp13SocketConnector; +import org.eclipse.jetty.security.ConstraintMapping; +import org.eclipse.jetty.security.ConstraintSecurityHandler; +import org.eclipse.jetty.server.Connector; +import org.eclipse.jetty.server.Server; +import org.eclipse.jetty.server.bio.SocketConnector; +import org.eclipse.jetty.server.nio.SelectChannelConnector; +import org.eclipse.jetty.server.session.HashSessionManager; +import org.eclipse.jetty.server.ssl.SslConnector; +import org.eclipse.jetty.server.ssl.SslSelectChannelConnector; +import org.eclipse.jetty.server.ssl.SslSocketConnector; +import org.eclipse.jetty.util.security.Constraint; +import org.eclipse.jetty.util.thread.QueuedThreadPool; +import org.eclipse.jetty.webapp.WebAppContext; +import org.eclipse.jgit.storage.file.FileBasedConfig; +import org.eclipse.jgit.util.FS; +import org.eclipse.jgit.util.FileUtils; +import org.kohsuke.args4j.CmdLineException; +import org.kohsuke.args4j.CmdLineParser; +import org.kohsuke.args4j.Option; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import com.gitblit.authority.GitblitAuthority; +import com.gitblit.authority.NewCertificateConfig; +import com.gitblit.servlet.GitblitContext; +import com.gitblit.utils.StringUtils; +import com.gitblit.utils.TimeUtils; +import com.gitblit.utils.X509Utils; +import com.gitblit.utils.X509Utils.X509Log; +import com.gitblit.utils.X509Utils.X509Metadata; +import com.unboundid.ldap.listener.InMemoryDirectoryServer; +import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig; +import com.unboundid.ldap.listener.InMemoryListenerConfig; +import com.unboundid.ldif.LDIFReader; + +/** + * GitBlitServer is the embedded Jetty server for Gitblit GO. This class starts + * and stops an instance of Jetty that is configured from a combination of the + * gitblit.properties file and command line parameters. JCommander is used to + * simplify command line parameter processing. This class also automatically + * generates a self-signed certificate for localhost, if the keystore does not + * already exist. + * + * @author James Moger + * + */ +public class GitBlitServer { + + private static Logger logger; + + public static void main(String... args) { + GitBlitServer server = new GitBlitServer(); + + // filter out the baseFolder parameter + List<String> filtered = new ArrayList<String>(); + String folder = "data"; + for (int i = 0; i < args.length; i++) { + String arg = args[i]; + if (arg.equals("--baseFolder")) { + if (i + 1 == args.length) { + System.out.println("Invalid --baseFolder parameter!"); + System.exit(-1); + } else if (!".".equals(args[i + 1])) { + folder = args[i + 1]; + } + i = i + 1; + } else { + filtered.add(arg); + } + } + + Params.baseFolder = folder; + Params params = new Params(); + CmdLineParser parser = new CmdLineParser(params); + try { + parser.parseArgument(filtered); + if (params.help) { + server.usage(parser, null); + } + } catch (CmdLineException t) { + server.usage(parser, t); + } + + if (params.stop) { + server.stop(params); + } else { + server.start(params); + } + } + + /** + * Display the command line usage of Gitblit GO. + * + * @param parser + * @param t + */ + protected final void usage(CmdLineParser parser, CmdLineException t) { + System.out.println(Constants.BORDER); + System.out.println(Constants.getGitBlitVersion()); + System.out.println(Constants.BORDER); + System.out.println(); + if (t != null) { + System.out.println(t.getMessage()); + System.out.println(); + } + if (parser != null) { + parser.printUsage(System.out); + System.out + .println("\nExample:\n java -server -Xmx1024M -jar gitblit.jar --repositoriesFolder c:\\git --httpPort 80 --httpsPort 443"); + } + System.exit(0); + } + + /** + * Stop Gitblt GO. + */ + public void stop(Params params) { + try { + Socket s = new Socket(InetAddress.getByName("127.0.0.1"), params.shutdownPort); + OutputStream out = s.getOutputStream(); + System.out.println("Sending Shutdown Request to " + Constants.NAME); + out.write("\r\n".getBytes()); + out.flush(); + s.close(); + } catch (UnknownHostException e) { + e.printStackTrace(); + } catch (IOException e) { + e.printStackTrace(); + } + } + + /** + * Start Gitblit GO. + */ + protected final void start(Params params) { + final File baseFolder = new File(Params.baseFolder).getAbsoluteFile(); + FileSettings settings = params.FILESETTINGS; + if (!StringUtils.isEmpty(params.settingsfile)) { + if (new File(params.settingsfile).exists()) { + settings = new FileSettings(params.settingsfile); + } + } + + if (params.dailyLogFile) { + // Configure log4j for daily log file generation + InputStream is = null; + try { + is = getClass().getResourceAsStream("/log4j.properties"); + Properties loggingProperties = new Properties(); + loggingProperties.load(is); + + loggingProperties.put("log4j.appender.R.File", new File(baseFolder, "logs/gitblit.log").getAbsolutePath()); + loggingProperties.put("log4j.rootCategory", "INFO, R"); + + if (settings.getBoolean(Keys.web.debugMode, false)) { + loggingProperties.put("log4j.logger.com.gitblit", "DEBUG"); + } + + PropertyConfigurator.configure(loggingProperties); + } catch (Exception e) { + e.printStackTrace(); + } finally { + try { + is.close(); + } catch (IOException e) { + e.printStackTrace(); + } + } + } + + logger = LoggerFactory.getLogger(GitBlitServer.class); + logger.info(Constants.BORDER); + logger.info(" _____ _ _ _ _ _ _"); + logger.info(" | __ \\(_)| | | | | |(_)| |"); + logger.info(" | | \\/ _ | |_ | |__ | | _ | |_"); + logger.info(" | | __ | || __|| '_ \\ | || || __|"); + logger.info(" | |_\\ \\| || |_ | |_) || || || |_"); + logger.info(" \\____/|_| \\__||_.__/ |_||_| \\__|"); + int spacing = (Constants.BORDER.length() - Constants.getGitBlitVersion().length()) / 2; + StringBuilder sb = new StringBuilder(); + while (spacing > 0) { + spacing--; + sb.append(' '); + } + logger.info(sb.toString() + Constants.getGitBlitVersion()); + logger.info(""); + logger.info(Constants.BORDER); + + System.setProperty("java.awt.headless", "true"); + + String osname = System.getProperty("os.name"); + String osversion = System.getProperty("os.version"); + logger.info("Running on " + osname + " (" + osversion + ")"); + + List<Connector> connectors = new ArrayList<Connector>(); + + // conditionally configure the http connector + if (params.port > 0) { + Connector httpConnector = createConnector(params.useNIO, params.port, settings.getInteger(Keys.server.threadPoolSize, 50)); + String bindInterface = settings.getString(Keys.server.httpBindInterface, null); + if (!StringUtils.isEmpty(bindInterface)) { + logger.warn(MessageFormat.format("Binding connector on port {0,number,0} to {1}", + params.port, bindInterface)); + httpConnector.setHost(bindInterface); + } + if (params.port < 1024 && !isWindows()) { + logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!"); + } + if (params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) { + // redirect HTTP requests to HTTPS + if (httpConnector instanceof SelectChannelConnector) { + ((SelectChannelConnector) httpConnector).setConfidentialPort(params.securePort); + } else { + ((SocketConnector) httpConnector).setConfidentialPort(params.securePort); + } + } + connectors.add(httpConnector); + } + + // conditionally configure the https connector + if (params.securePort > 0) { + File certificatesConf = new File(baseFolder, X509Utils.CA_CONFIG); + File serverKeyStore = new File(baseFolder, X509Utils.SERVER_KEY_STORE); + File serverTrustStore = new File(baseFolder, X509Utils.SERVER_TRUST_STORE); + File caRevocationList = new File(baseFolder, X509Utils.CA_REVOCATION_LIST); + + // generate CA & web certificates, create certificate stores + X509Metadata metadata = new X509Metadata("localhost", params.storePassword); + // set default certificate values from config file + if (certificatesConf.exists()) { + FileBasedConfig config = new FileBasedConfig(certificatesConf, FS.detect()); + try { + config.load(); + } catch (Exception e) { + logger.error("Error parsing " + certificatesConf, e); + } + NewCertificateConfig certificateConfig = NewCertificateConfig.KEY.parse(config); + certificateConfig.update(metadata); + } + + metadata.notAfter = new Date(System.currentTimeMillis() + 10*TimeUtils.ONEYEAR); + X509Utils.prepareX509Infrastructure(metadata, baseFolder, new X509Log() { + @Override + public void log(String message) { + BufferedWriter writer = null; + try { + writer = new BufferedWriter(new FileWriter(new File(baseFolder, X509Utils.CERTS + File.separator + "log.txt"), true)); + writer.write(MessageFormat.format("{0,date,yyyy-MM-dd HH:mm}: {1}", new Date(), message)); + writer.newLine(); + writer.flush(); + } catch (Exception e) { + LoggerFactory.getLogger(GitblitAuthority.class).error("Failed to append log entry!", e); + } finally { + if (writer != null) { + try { + writer.close(); + } catch (IOException e) { + } + } + } + } + }); + + if (serverKeyStore.exists()) { + Connector secureConnector = createSSLConnector(params.alias, serverKeyStore, serverTrustStore, params.storePassword, + caRevocationList, params.useNIO, params.securePort, settings.getInteger(Keys.server.threadPoolSize, 50), params.requireClientCertificates); + String bindInterface = settings.getString(Keys.server.httpsBindInterface, null); + if (!StringUtils.isEmpty(bindInterface)) { + logger.warn(MessageFormat.format( + "Binding ssl connector on port {0,number,0} to {1}", params.securePort, + bindInterface)); + secureConnector.setHost(bindInterface); + } + if (params.securePort < 1024 && !isWindows()) { + logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!"); + } + connectors.add(secureConnector); + } else { + logger.warn("Failed to find or load Keystore?"); + logger.warn("SSL connector DISABLED."); + } + } + + // conditionally configure the ajp connector + if (params.ajpPort > 0) { + Connector ajpConnector = createAJPConnector(params.ajpPort); + String bindInterface = settings.getString(Keys.server.ajpBindInterface, null); + if (!StringUtils.isEmpty(bindInterface)) { + logger.warn(MessageFormat.format("Binding connector on port {0,number,0} to {1}", + params.ajpPort, bindInterface)); + ajpConnector.setHost(bindInterface); + } + if (params.ajpPort < 1024 && !isWindows()) { + logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!"); + } + connectors.add(ajpConnector); + } + + // tempDir is where the embedded Gitblit web application is expanded and + // where Jetty creates any necessary temporary files + File tempDir = com.gitblit.utils.FileUtils.resolveParameter(Constants.baseFolder$, baseFolder, params.temp); + if (tempDir.exists()) { + try { + FileUtils.delete(tempDir, FileUtils.RECURSIVE | FileUtils.RETRY); + } catch (IOException x) { + logger.warn("Failed to delete temp dir " + tempDir.getAbsolutePath(), x); + } + } + if (!tempDir.mkdirs()) { + logger.warn("Failed to create temp dir " + tempDir.getAbsolutePath()); + } + + Server server = new Server(); + server.setStopAtShutdown(true); + server.setConnectors(connectors.toArray(new Connector[connectors.size()])); + + // Get the execution path of this class + // We use this to set the WAR path. + ProtectionDomain protectionDomain = GitBlitServer.class.getProtectionDomain(); + URL location = protectionDomain.getCodeSource().getLocation(); + + // Root WebApp Context + WebAppContext rootContext = new WebAppContext(); + rootContext.setContextPath(settings.getString(Keys.server.contextPath, "/")); + rootContext.setServer(server); + rootContext.setWar(location.toExternalForm()); + rootContext.setTempDirectory(tempDir); + + // Set cookies HttpOnly so they are not accessible to JavaScript engines + HashSessionManager sessionManager = new HashSessionManager(); + sessionManager.setHttpOnly(true); + // Use secure cookies if only serving https + sessionManager.setSecureRequestOnly(params.port <= 0 && params.securePort > 0); + rootContext.getSessionHandler().setSessionManager(sessionManager); + + // Ensure there is a defined User Service + String realmUsers = params.userService; + if (StringUtils.isEmpty(realmUsers)) { + logger.error(MessageFormat.format("PLEASE SPECIFY {0}!!", Keys.realm.userService)); + return; + } + + // Override settings from the command-line + settings.overrideSetting(Keys.realm.userService, params.userService); + settings.overrideSetting(Keys.git.repositoriesFolder, params.repositoriesFolder); + settings.overrideSetting(Keys.git.daemonPort, params.gitPort); + settings.overrideSetting(Keys.git.sshPort, params.sshPort); + + // Start up an in-memory LDAP server, if configured + try { + if (!StringUtils.isEmpty(params.ldapLdifFile)) { + File ldifFile = new File(params.ldapLdifFile); + if (ldifFile != null && ldifFile.exists()) { + URI ldapUrl = new URI(settings.getRequiredString(Keys.realm.ldap.server)); + String firstLine = new Scanner(ldifFile).nextLine(); + String rootDN = firstLine.substring(4); + String bindUserName = settings.getString(Keys.realm.ldap.username, ""); + String bindPassword = settings.getString(Keys.realm.ldap.password, ""); + + // Get the port + int port = ldapUrl.getPort(); + if (port == -1) + port = 389; + + InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig(rootDN); + config.addAdditionalBindCredentials(bindUserName, bindPassword); + config.setListenerConfigs(InMemoryListenerConfig.createLDAPConfig("default", port)); + config.setSchema(null); + + InMemoryDirectoryServer ds = new InMemoryDirectoryServer(config); + ds.importFromLDIF(true, new LDIFReader(ldifFile)); + ds.startListening(); + + logger.info("LDAP Server started at ldap://localhost:" + port); + } + } + } catch (Exception e) { + // Completely optional, just show a warning + logger.warn("Unable to start LDAP server", e); + } + + // Set the server's contexts + server.setHandler(rootContext); + + // redirect HTTP requests to HTTPS + if (params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) { + logger.info(String.format("Configuring automatic http(%1$s) -> https(%2$s) redirects", params.port, params.securePort)); + // Create the internal mechanisms to handle secure connections and redirects + Constraint constraint = new Constraint(); + constraint.setDataConstraint(Constraint.DC_CONFIDENTIAL); + + ConstraintMapping cm = new ConstraintMapping(); + cm.setConstraint(constraint); + cm.setPathSpec("/*"); + + ConstraintSecurityHandler sh = new ConstraintSecurityHandler(); + sh.setConstraintMappings(new ConstraintMapping[] { cm }); + + // Configure this context to use the Security Handler defined before + rootContext.setHandler(sh); + } + + // Setup the Gitblit context + GitblitContext gitblit = newGitblit(settings, baseFolder); + rootContext.addEventListener(gitblit); + + try { + // start the shutdown monitor + if (params.shutdownPort > 0) { + Thread shutdownMonitor = new ShutdownMonitorThread(server, params); + shutdownMonitor.start(); + } + + // start Jetty + server.start(); + server.join(); + } catch (Exception e) { + e.printStackTrace(); + System.exit(100); + } + } + + protected GitblitContext newGitblit(IStoredSettings settings, File baseFolder) { + return new GitblitContext(settings, baseFolder); + } + + /** + * Creates an http connector. + * + * @param useNIO + * @param port + * @param threadPoolSize + * @return an http connector + */ + private Connector createConnector(boolean useNIO, int port, int threadPoolSize) { + Connector connector; + if (useNIO) { + logger.info("Setting up NIO SelectChannelConnector on port " + port); + SelectChannelConnector nioconn = new SelectChannelConnector(); + nioconn.setSoLingerTime(-1); + if (threadPoolSize > 0) { + nioconn.setThreadPool(new QueuedThreadPool(threadPoolSize)); + } + connector = nioconn; + } else { + logger.info("Setting up SocketConnector on port " + port); + SocketConnector sockconn = new SocketConnector(); + if (threadPoolSize > 0) { + sockconn.setThreadPool(new QueuedThreadPool(threadPoolSize)); + } + connector = sockconn; + } + + connector.setPort(port); + connector.setMaxIdleTime(30000); + return connector; + } + + /** + * Creates an https connector. + * + * SSL renegotiation will be enabled if the JVM is 1.6.0_22 or later. + * oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html + * + * @param certAlias + * @param keyStore + * @param clientTrustStore + * @param storePassword + * @param caRevocationList + * @param useNIO + * @param port + * @param threadPoolSize + * @param requireClientCertificates + * @return an https connector + */ + private Connector createSSLConnector(String certAlias, File keyStore, File clientTrustStore, + String storePassword, File caRevocationList, boolean useNIO, int port, int threadPoolSize, + boolean requireClientCertificates) { + GitblitSslContextFactory factory = new GitblitSslContextFactory(certAlias, + keyStore, clientTrustStore, storePassword, caRevocationList); + SslConnector connector; + if (useNIO) { + logger.info("Setting up NIO SslSelectChannelConnector on port " + port); + SslSelectChannelConnector ssl = new SslSelectChannelConnector(factory); + ssl.setSoLingerTime(-1); + if (requireClientCertificates) { + factory.setNeedClientAuth(true); + } else { + factory.setWantClientAuth(true); + } + if (threadPoolSize > 0) { + ssl.setThreadPool(new QueuedThreadPool(threadPoolSize)); + } + connector = ssl; + } else { + logger.info("Setting up NIO SslSocketConnector on port " + port); + SslSocketConnector ssl = new SslSocketConnector(factory); + if (threadPoolSize > 0) { + ssl.setThreadPool(new QueuedThreadPool(threadPoolSize)); + } + connector = ssl; + } + connector.setPort(port); + connector.setMaxIdleTime(30000); + + return connector; + } + + /** + * Creates an ajp connector. + * + * @param port + * @return an ajp connector + */ + private Connector createAJPConnector(int port) { + logger.info("Setting up AJP Connector on port " + port); + Ajp13SocketConnector ajp = new Ajp13SocketConnector(); + ajp.setPort(port); + if (port < 1024 && !isWindows()) { + logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!"); + } + return ajp; + } + + /** + * Tests to see if the operating system is Windows. + * + * @return true if this is a windows machine + */ + private boolean isWindows() { + return System.getProperty("os.name").toLowerCase().indexOf("windows") > -1; + } + + /** + * The ShutdownMonitorThread opens a socket on a specified port and waits + * for an incoming connection. When that connection is accepted a shutdown + * message is issued to the running Jetty server. + * + * @author James Moger + * + */ + private static class ShutdownMonitorThread extends Thread { + + private final ServerSocket socket; + + private final Server server; + + private final Logger logger = LoggerFactory.getLogger(ShutdownMonitorThread.class); + + public ShutdownMonitorThread(Server server, Params params) { + this.server = server; + setDaemon(true); + setName(Constants.NAME + " Shutdown Monitor"); + ServerSocket skt = null; + try { + skt = new ServerSocket(params.shutdownPort, 1, InetAddress.getByName("127.0.0.1")); + } catch (Exception e) { + logger.warn("Could not open shutdown monitor on port " + params.shutdownPort, e); + } + socket = skt; + } + + @Override + public void run() { + logger.info("Shutdown Monitor listening on port " + socket.getLocalPort()); + Socket accept; + try { + accept = socket.accept(); + BufferedReader reader = new BufferedReader(new InputStreamReader( + accept.getInputStream())); + reader.readLine(); + logger.info(Constants.BORDER); + logger.info("Stopping " + Constants.NAME); + logger.info(Constants.BORDER); + server.stop(); + server.setStopAtShutdown(false); + accept.close(); + socket.close(); + } catch (Exception e) { + logger.warn("Failed to shutdown Jetty", e); + } + } + } + + /** + * Parameters class for GitBlitServer. + */ + public static class Params { + + public static String baseFolder; + + private final FileSettings FILESETTINGS = new FileSettings(new File(baseFolder, Constants.PROPERTIES_FILE).getAbsolutePath()); + + /* + * Server parameters + */ + @Option(name = "--help", aliases = { "-h"}, usage = "Show this help") + public Boolean help = false; + + @Option(name = "--stop", usage = "Stop Server") + public Boolean stop = false; + + @Option(name = "--tempFolder", usage = "Folder for server to extract built-in webapp", metaVar="PATH") + public String temp = FILESETTINGS.getString(Keys.server.tempFolder, "temp"); + + @Option(name = "--dailyLogFile", usage = "Log to a rolling daily log file INSTEAD of stdout.") + public Boolean dailyLogFile = false; + + /* + * GIT Servlet Parameters + */ + @Option(name = "--repositoriesFolder", usage = "Git Repositories Folder", metaVar="PATH") + public String repositoriesFolder = FILESETTINGS.getString(Keys.git.repositoriesFolder, + "git"); + + /* + * Authentication Parameters + */ + @Option(name = "--userService", usage = "Authentication and Authorization Service (filename or fully qualified classname)") + public String userService = FILESETTINGS.getString(Keys.realm.userService, + "users.conf"); + + /* + * JETTY Parameters + */ + @Option(name = "--useNio", usage = "Use NIO Connector else use Socket Connector.") + public Boolean useNIO = FILESETTINGS.getBoolean(Keys.server.useNio, true); + + @Option(name = "--httpPort", usage = "HTTP port for to serve. (port <= 0 will disable this connector)", metaVar="PORT") + public Integer port = FILESETTINGS.getInteger(Keys.server.httpPort, 0); + + @Option(name = "--httpsPort", usage = "HTTPS port to serve. (port <= 0 will disable this connector)", metaVar="PORT") + public Integer securePort = FILESETTINGS.getInteger(Keys.server.httpsPort, 8443); + + @Option(name = "--ajpPort", usage = "AJP port to serve. (port <= 0 will disable this connector)", metaVar="PORT") + public Integer ajpPort = FILESETTINGS.getInteger(Keys.server.ajpPort, 0); + + @Option(name = "--gitPort", usage = "Git Daemon port to serve. (port <= 0 will disable this connector)", metaVar="PORT") + public Integer gitPort = FILESETTINGS.getInteger(Keys.git.daemonPort, 9418); + + @Option(name = "--sshPort", usage = "Git SSH port to serve. (port <= 0 will disable this connector)", metaVar = "PORT") + public Integer sshPort = FILESETTINGS.getInteger(Keys.git.sshPort, 29418); + + @Option(name = "--alias", usage = "Alias of SSL certificate in keystore for serving https.", metaVar="ALIAS") + public String alias = FILESETTINGS.getString(Keys.server.certificateAlias, ""); + + @Option(name = "--storePassword", usage = "Password for SSL (https) keystore.", metaVar="PASSWORD") + public String storePassword = FILESETTINGS.getString(Keys.server.storePassword, ""); + + @Option(name = "--shutdownPort", usage = "Port for Shutdown Monitor to listen on. (port <= 0 will disable this monitor)", metaVar="PORT") + public Integer shutdownPort = FILESETTINGS.getInteger(Keys.server.shutdownPort, 8081); + + @Option(name = "--requireClientCertificates", usage = "Require client X509 certificates for https connections.") + public Boolean requireClientCertificates = FILESETTINGS.getBoolean(Keys.server.requireClientCertificates, false); + + /* + * Setting overrides + */ + @Option(name = "--settings", usage = "Path to alternative settings", metaVar="FILE") + public String settingsfile; + + @Option(name = "--ldapLdifFile", usage = "Path to LDIF file. This will cause an in-memory LDAP server to be started according to gitblit settings", metaVar="FILE") + public String ldapLdifFile; + + } }
\ No newline at end of file diff --git a/src/main/java/com/gitblit/manager/ServicesManager.java b/src/main/java/com/gitblit/manager/ServicesManager.java index 8107a7d8..2cd583ad 100644 --- a/src/main/java/com/gitblit/manager/ServicesManager.java +++ b/src/main/java/com/gitblit/manager/ServicesManager.java @@ -42,6 +42,7 @@ import com.gitblit.models.FederationModel; import com.gitblit.models.RepositoryModel; import com.gitblit.models.UserModel; import com.gitblit.service.FederationPullService; +import com.gitblit.transport.ssh.SshDaemon; import com.gitblit.utils.StringUtils; import com.gitblit.utils.TimeUtils; @@ -67,6 +68,8 @@ public class ServicesManager implements IManager { private GitDaemon gitDaemon; + private SshDaemon sshDaemon; + public ServicesManager(IGitblit gitblit) { this.settings = gitblit.getSettings(); this.gitblit = gitblit; @@ -77,6 +80,7 @@ public class ServicesManager implements IManager { configureFederation(); configureFanout(); configureGitDaemon(); + configureSshDaemon(); return this; } @@ -138,6 +142,20 @@ public class ServicesManager implements IManager { } } + protected void configureSshDaemon() { + int port = settings.getInteger(Keys.git.sshPort, 0); + String bindInterface = settings.getString(Keys.git.sshBindInterface, "localhost"); + if (port > 0) { + try { + sshDaemon = new SshDaemon(gitblit); + sshDaemon.start(); + } catch (IOException e) { + sshDaemon = null; + logger.error(MessageFormat.format("Failed to start SSH daemon on {0}:{1,number,0}", bindInterface, port), e); + } + } + } + protected void configureFanout() { // startup Fanout PubSub service if (settings.getInteger(Keys.fanout.port, 0) > 0) { diff --git a/src/main/java/com/gitblit/transport/ssh/AbstractSshCommand.java b/src/main/java/com/gitblit/transport/ssh/AbstractSshCommand.java new file mode 100644 index 00000000..e4741ed0 --- /dev/null +++ b/src/main/java/com/gitblit/transport/ssh/AbstractSshCommand.java @@ -0,0 +1,75 @@ +/* + * Copyright 2014 gitblit.com. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.gitblit.transport.ssh; + +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; + +import org.apache.sshd.server.Command; +import org.apache.sshd.server.Environment; +import org.apache.sshd.server.ExitCallback; +import org.apache.sshd.server.SessionAware; +import org.apache.sshd.server.session.ServerSession; + +/** + * + * @author Eric Myrhe + * + */ +abstract class AbstractSshCommand implements Command, SessionAware { + + protected InputStream in; + + protected OutputStream out; + + protected OutputStream err; + + protected ExitCallback exit; + + protected ServerSession session; + + @Override + public void setInputStream(InputStream in) { + this.in = in; + } + + @Override + public void setOutputStream(OutputStream out) { + this.out = out; + } + + @Override + public void setErrorStream(OutputStream err) { + this.err = err; + } + + @Override + public void setExitCallback(ExitCallback exit) { + this.exit = exit; + } + + @Override + public void setSession(final ServerSession session) { + this.session = session; + } + + @Override + public void destroy() {} + + @Override + public abstract void start(Environment env) throws IOException; +} diff --git a/src/main/java/com/gitblit/transport/ssh/SshCommandFactory.java b/src/main/java/com/gitblit/transport/ssh/SshCommandFactory.java new file mode 100644 index 00000000..c0b4930d --- /dev/null +++ b/src/main/java/com/gitblit/transport/ssh/SshCommandFactory.java @@ -0,0 +1,164 @@ +/* + * Copyright 2014 gitblit.com. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.gitblit.transport.ssh; + +import java.io.IOException; +import java.util.Scanner; + +import org.apache.sshd.server.Command; +import org.apache.sshd.server.CommandFactory; +import org.apache.sshd.server.Environment; +import org.eclipse.jgit.errors.RepositoryNotFoundException; +import org.eclipse.jgit.lib.Repository; +import org.eclipse.jgit.transport.PacketLineOut; +import org.eclipse.jgit.transport.ReceivePack; +import org.eclipse.jgit.transport.ServiceMayNotContinueException; +import org.eclipse.jgit.transport.UploadPack; +import org.eclipse.jgit.transport.resolver.ReceivePackFactory; +import org.eclipse.jgit.transport.resolver.ServiceNotAuthorizedException; +import org.eclipse.jgit.transport.resolver.ServiceNotEnabledException; +import org.eclipse.jgit.transport.resolver.UploadPackFactory; + +import com.gitblit.git.RepositoryResolver; + +/** + * + * @author Eric Myhre + * + */ +public class SshCommandFactory implements CommandFactory { + public SshCommandFactory(RepositoryResolver<SshDaemonClient> repositoryResolver, UploadPackFactory<SshDaemonClient> uploadPackFactory, ReceivePackFactory<SshDaemonClient> receivePackFactory) { + this.repositoryResolver = repositoryResolver; + this.uploadPackFactory = uploadPackFactory; + this.receivePackFactory = receivePackFactory; + } + + private RepositoryResolver<SshDaemonClient> repositoryResolver; + + private UploadPackFactory<SshDaemonClient> uploadPackFactory; + + private ReceivePackFactory<SshDaemonClient> receivePackFactory; + + @Override + public Command createCommand(final String commandLine) { + Scanner commandScanner = new Scanner(commandLine); + final String command = commandScanner.next(); + final String argument = commandScanner.nextLine(); + + if ("git-upload-pack".equals(command)) + return new UploadPackCommand(argument); + if ("git-receive-pack".equals(command)) + return new ReceivePackCommand(argument); + return new NonCommand(); + } + + public abstract class RepositoryCommand extends AbstractSshCommand { + protected final String repositoryName; + + public RepositoryCommand(String repositoryName) { + this.repositoryName = repositoryName; + } + + @Override + public void start(Environment env) throws IOException { + Repository db = null; + try { + SshDaemonClient client = session.getAttribute(SshDaemonClient.ATTR_KEY); + db = selectRepository(client, repositoryName); + if (db == null) return; + run(client, db); + exit.onExit(0); + } catch (ServiceNotEnabledException e) { + // Ignored. Client cannot use this repository. + } catch (ServiceNotAuthorizedException e) { + // Ignored. Client cannot use this repository. + } finally { + if (db != null) + db.close(); + exit.onExit(1); + } + } + + protected Repository selectRepository(SshDaemonClient client, String name) throws IOException { + try { + return openRepository(client, name); + } catch (ServiceMayNotContinueException e) { + // An error when opening the repo means the client is expecting a ref + // advertisement, so use that style of error. + PacketLineOut pktOut = new PacketLineOut(out); + pktOut.writeString("ERR " + e.getMessage() + "\n"); //$NON-NLS-1$ //$NON-NLS-2$ + return null; + } + } + + protected Repository openRepository(SshDaemonClient client, String name) + throws ServiceMayNotContinueException { + // Assume any attempt to use \ was by a Windows client + // and correct to the more typical / used in Git URIs. + // + name = name.replace('\\', '/'); + + // ssh://git@thishost/path should always be name="/path" here + // + if (!name.startsWith("/")) //$NON-NLS-1$ + return null; + + try { + return repositoryResolver.open(client, name.substring(1)); + } catch (RepositoryNotFoundException e) { + // null signals it "wasn't found", which is all that is suitable + // for the remote client to know. + return null; + } catch (ServiceNotEnabledException e) { + // null signals it "wasn't found", which is all that is suitable + // for the remote client to know. + return null; + } + } + + protected abstract void run(SshDaemonClient client, Repository db) + throws IOException, ServiceNotEnabledException, ServiceNotAuthorizedException; + } + + public class UploadPackCommand extends RepositoryCommand { + public UploadPackCommand(String repositoryName) { super(repositoryName); } + + @Override + protected void run(SshDaemonClient client, Repository db) + throws IOException, ServiceNotEnabledException, ServiceNotAuthorizedException { + UploadPack up = uploadPackFactory.create(client, db); + up.upload(in, out, null); + } + } + + public class ReceivePackCommand extends RepositoryCommand { + public ReceivePackCommand(String repositoryName) { super(repositoryName); } + + @Override + protected void run(SshDaemonClient client, Repository db) + throws IOException, ServiceNotEnabledException, ServiceNotAuthorizedException { + ReceivePack rp = receivePackFactory.create(client, db); + rp.receive(in, out, null); + } + } + + public static class NonCommand extends AbstractSshCommand { + @Override + public void start(Environment env) { + exit.onExit(127); + } + } +} diff --git a/src/main/java/com/gitblit/transport/ssh/SshCommandServer.java b/src/main/java/com/gitblit/transport/ssh/SshCommandServer.java new file mode 100644 index 00000000..26e3d67e --- /dev/null +++ b/src/main/java/com/gitblit/transport/ssh/SshCommandServer.java @@ -0,0 +1,217 @@ +/* + * Copyright 2014 gitblit.com. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.gitblit.transport.ssh; + +import java.io.IOException; +import java.net.InetSocketAddress; +import java.security.InvalidKeyException; +import java.util.Arrays; +import java.util.Iterator; +import java.util.LinkedList; +import java.util.List; + +import org.apache.mina.core.future.IoFuture; +import org.apache.mina.core.future.IoFutureListener; +import org.apache.mina.core.session.IoSession; +import org.apache.mina.transport.socket.SocketSessionConfig; +import org.apache.sshd.SshServer; +import org.apache.sshd.common.Channel; +import org.apache.sshd.common.Cipher; +import org.apache.sshd.common.Compression; +import org.apache.sshd.common.KeyExchange; +import org.apache.sshd.common.KeyPairProvider; +import org.apache.sshd.common.Mac; +import org.apache.sshd.common.NamedFactory; +import org.apache.sshd.common.Session; +import org.apache.sshd.common.Signature; +import org.apache.sshd.common.cipher.AES128CBC; +import org.apache.sshd.common.cipher.AES192CBC; +import org.apache.sshd.common.cipher.AES256CBC; +import org.apache.sshd.common.cipher.BlowfishCBC; +import org.apache.sshd.common.cipher.TripleDESCBC; +import org.apache.sshd.common.compression.CompressionNone; +import org.apache.sshd.common.mac.HMACMD5; +import org.apache.sshd.common.mac.HMACMD596; +import org.apache.sshd.common.mac.HMACSHA1; +import org.apache.sshd.common.mac.HMACSHA196; +import org.apache.sshd.common.random.BouncyCastleRandom; +import org.apache.sshd.common.random.SingletonRandomFactory; +import org.apache.sshd.common.signature.SignatureDSA; +import org.apache.sshd.common.signature.SignatureRSA; +import org.apache.sshd.common.util.SecurityUtils; +import org.apache.sshd.server.CommandFactory; +import org.apache.sshd.server.FileSystemFactory; +import org.apache.sshd.server.FileSystemView; +import org.apache.sshd.server.ForwardingFilter; +import org.apache.sshd.server.PublickeyAuthenticator; +import org.apache.sshd.server.SshFile; +import org.apache.sshd.server.UserAuth; +import org.apache.sshd.server.auth.UserAuthPublicKey; +import org.apache.sshd.server.channel.ChannelDirectTcpip; +import org.apache.sshd.server.channel.ChannelSession; +import org.apache.sshd.server.kex.DHG1; +import org.apache.sshd.server.kex.DHG14; +import org.apache.sshd.server.session.ServerSession; +import org.apache.sshd.server.session.SessionFactory; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +/** + * + * @author Eric Myhre + * + */ +public class SshCommandServer extends SshServer { + + private static final Logger log = LoggerFactory.getLogger(SshCommandServer.class); + + public SshCommandServer() { + setSessionFactory(new SessionFactory() { + @Override + protected ServerSession createSession(final IoSession io) throws Exception { + log.info("connection accepted on " + io); + + if (io.getConfig() instanceof SocketSessionConfig) { + final SocketSessionConfig c = (SocketSessionConfig) io.getConfig(); + c.setKeepAlive(true); + } + + final ServerSession s = (ServerSession) super.createSession(io); + s.setAttribute(SshDaemonClient.ATTR_KEY, new SshDaemonClient()); + + io.getCloseFuture().addListener(new IoFutureListener<IoFuture>() { + @Override + public void operationComplete(IoFuture future) { + log.info("connection closed on " + io); + } + }); + return s; + } + }); + } + + /** + * Performs most of default configuration (setup random sources, setup ciphers, + * etc; also, support for forwarding and filesystem is explicitly disallowed). + * + * {@link #setKeyPairProvider(KeyPairProvider)} and + * {@link #setPublickeyAuthenticator(PublickeyAuthenticator)} are left for you. + * And applying {@link #setCommandFactory(CommandFactory)} is probably wise if you + * want something to actually happen when users do successfully authenticate. + */ + @SuppressWarnings("unchecked") + public void setup() { + if (!SecurityUtils.isBouncyCastleRegistered()) + throw new RuntimeException("BC crypto not available"); + + setKeyExchangeFactories(Arrays.<NamedFactory<KeyExchange>>asList( + new DHG14.Factory(), + new DHG1.Factory()) + ); + + setRandomFactory(new SingletonRandomFactory(new BouncyCastleRandom.Factory())); + + setupCiphers(); + + setCompressionFactories(Arrays.<NamedFactory<Compression>>asList( + new CompressionNone.Factory()) + ); + + setMacFactories(Arrays.<NamedFactory<Mac>>asList( + new HMACMD5.Factory(), + new HMACSHA1.Factory(), + new HMACMD596.Factory(), + new HMACSHA196.Factory()) + ); + + setChannelFactories(Arrays.<NamedFactory<Channel>>asList( + new ChannelSession.Factory(), + new ChannelDirectTcpip.Factory()) + ); + + setSignatureFactories(Arrays.<NamedFactory<Signature>>asList( + new SignatureDSA.Factory(), + new SignatureRSA.Factory()) + ); + + setFileSystemFactory(new FileSystemFactory() { + @Override + public FileSystemView createFileSystemView(Session session) throws IOException { + return new FileSystemView() { + @Override + public SshFile getFile(SshFile baseDir, String file) { + return null; + } + + @Override + public SshFile getFile(String file) { + return null; + } + }; + } + }); + + setForwardingFilter(new ForwardingFilter() { + @Override + public boolean canForwardAgent(ServerSession session) { + return false; + } + + @Override + public boolean canForwardX11(ServerSession session) { + return false; + } + + @Override + public boolean canConnect(InetSocketAddress address, ServerSession session) { + return false; + } + + @Override + public boolean canListen(InetSocketAddress address, ServerSession session) { + return false; + } + }); + + setUserAuthFactories(Arrays.<NamedFactory<UserAuth>>asList( + new UserAuthPublicKey.Factory()) + ); + } + + protected void setupCiphers() { + List<NamedFactory<Cipher>> avail = new LinkedList<NamedFactory<Cipher>>(); + avail.add(new AES128CBC.Factory()); + avail.add(new TripleDESCBC.Factory()); + avail.add(new BlowfishCBC.Factory()); + avail.add(new AES192CBC.Factory()); + avail.add(new AES256CBC.Factory()); + + for (Iterator<NamedFactory<Cipher>> i = avail.iterator(); i.hasNext();) { + final NamedFactory<Cipher> f = i.next(); + try { + final Cipher c = f.create(); + final byte[] key = new byte[c.getBlockSize()]; + final byte[] iv = new byte[c.getIVSize()]; + c.init(Cipher.Mode.Encrypt, key, iv); + } catch (InvalidKeyException e) { + i.remove(); + } catch (Exception e) { + i.remove(); + } + } + setCipherFactories(avail); + } +} diff --git a/src/main/java/com/gitblit/transport/ssh/SshDaemon.java b/src/main/java/com/gitblit/transport/ssh/SshDaemon.java new file mode 100644 index 00000000..6f5d5f9e --- /dev/null +++ b/src/main/java/com/gitblit/transport/ssh/SshDaemon.java @@ -0,0 +1,159 @@ +/*
+ * Copyright 2014 gitblit.com.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gitblit.transport.ssh;
+
+import java.io.File;
+import java.io.IOException;
+import java.net.InetSocketAddress;
+import java.text.MessageFormat;
+import java.util.concurrent.atomic.AtomicBoolean;
+
+import org.apache.sshd.server.keyprovider.PEMGeneratorHostKeyProvider;
+import org.eclipse.jgit.internal.JGitText;
+import org.eclipse.jgit.transport.resolver.ReceivePackFactory;
+import org.eclipse.jgit.transport.resolver.UploadPackFactory;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.gitblit.IStoredSettings;
+import com.gitblit.Keys;
+import com.gitblit.git.GitblitReceivePackFactory;
+import com.gitblit.git.GitblitUploadPackFactory;
+import com.gitblit.git.RepositoryResolver;
+import com.gitblit.manager.IGitblit;
+import com.gitblit.utils.StringUtils;
+
+/**
+ * Manager for the ssh transport. Roughly analogous to the
+ * {@link com.gitblit.git.GitDaemon} class.
+ *
+ * @author Eric Myhre
+ *
+ */
+public class SshDaemon {
+
+ private final Logger logger = LoggerFactory.getLogger(SshDaemon.class);
+
+ /**
+ * 22: IANA assigned port number for ssh. Note that this is a distinct concept
+ * from gitblit's default conf for ssh port -- this "default" is what the git
+ * protocol itself defaults to if it sees and ssh url without a port.
+ */
+ public static final int DEFAULT_PORT = 22;
+
+ private static final String HOST_KEY_STORE = "sshKeyStore.pem";
+
+ private InetSocketAddress myAddress;
+
+ private AtomicBoolean run;
+
+ private SshCommandServer sshd;
+
+ private RepositoryResolver<SshDaemonClient> repositoryResolver;
+
+ private UploadPackFactory<SshDaemonClient> uploadPackFactory;
+
+ private ReceivePackFactory<SshDaemonClient> receivePackFactory;
+
+ /**
+ * Construct the Gitblit SSH daemon.
+ *
+ * @param gitblit
+ */
+ public SshDaemon(IGitblit gitblit) {
+
+ IStoredSettings settings = gitblit.getSettings();
+ int port = settings.getInteger(Keys.git.sshPort, 0);
+ String bindInterface = settings.getString(Keys.git.sshBindInterface, "localhost");
+
+ if (StringUtils.isEmpty(bindInterface)) {
+ myAddress = new InetSocketAddress(port);
+ } else {
+ myAddress = new InetSocketAddress(bindInterface, port);
+ }
+
+ sshd = new SshCommandServer();
+ sshd.setPort(myAddress.getPort());
+ sshd.setHost(myAddress.getHostName());
+ sshd.setup();
+ sshd.setKeyPairProvider(new PEMGeneratorHostKeyProvider(new File(gitblit.getBaseFolder(), HOST_KEY_STORE).getPath()));
+ sshd.setPublickeyAuthenticator(new SshKeyAuthenticator(gitblit));
+
+ run = new AtomicBoolean(false);
+ repositoryResolver = new RepositoryResolver<SshDaemonClient>(gitblit);
+ uploadPackFactory = new GitblitUploadPackFactory<SshDaemonClient>(gitblit);
+ receivePackFactory = new GitblitReceivePackFactory<SshDaemonClient>(gitblit);
+
+ sshd.setCommandFactory(new SshCommandFactory(
+ repositoryResolver,
+ uploadPackFactory,
+ receivePackFactory
+ ));
+ }
+
+ public int getPort() {
+ return myAddress.getPort();
+ }
+
+ public String formatUrl(String gituser, String servername, String repository) {
+ if (getPort() == DEFAULT_PORT) {
+ // standard port
+ return MessageFormat.format("{0}@{1}/{2}", gituser, servername, repository);
+ } else {
+ // non-standard port
+ return MessageFormat.format("ssh://{0}@{1}:{2,number,0}/{3}", gituser, servername, getPort(), repository);
+ }
+ }
+
+ /**
+ * Start this daemon on a background thread.
+ *
+ * @throws IOException
+ * the server socket could not be opened.
+ * @throws IllegalStateException
+ * the daemon is already running.
+ */
+ public synchronized void start() throws IOException {
+ if (run.get()) {
+ throw new IllegalStateException(JGitText.get().daemonAlreadyRunning);
+ }
+
+ sshd.start();
+ run.set(true);
+
+ logger.info(MessageFormat.format("SSH Daemon is listening on {0}:{1,number,0}",
+ myAddress.getAddress().getHostAddress(), myAddress.getPort()));
+ }
+
+ /** @return true if this daemon is receiving connections. */
+ public boolean isRunning() {
+ return run.get();
+ }
+
+ /** Stop this daemon. */
+ public synchronized void stop() {
+ if (run.get()) {
+ logger.info("SSH Daemon stopping...");
+ run.set(false);
+
+ try {
+ sshd.stop();
+ } catch (InterruptedException e) {
+ logger.error("SSH Daemon stop interrupted", e);
+ }
+ }
+ }
+}
diff --git a/src/main/java/com/gitblit/transport/ssh/SshDaemonClient.java b/src/main/java/com/gitblit/transport/ssh/SshDaemonClient.java new file mode 100644 index 00000000..2e8008ac --- /dev/null +++ b/src/main/java/com/gitblit/transport/ssh/SshDaemonClient.java @@ -0,0 +1,37 @@ +/* + * Copyright 2014 gitblit.com. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.gitblit.transport.ssh; + +import java.net.InetAddress; + +import org.apache.sshd.common.Session.AttributeKey; + +/** + * + * @author Eric Myrhe + * + */ +public class SshDaemonClient { + public static final AttributeKey<SshDaemonClient> ATTR_KEY = new AttributeKey<SshDaemonClient>(); + + public InetAddress getRemoteAddress() { + return null; + } + + public String getRemoteUser() { + return null; + } +} diff --git a/src/main/java/com/gitblit/transport/ssh/SshKeyAuthenticator.java b/src/main/java/com/gitblit/transport/ssh/SshKeyAuthenticator.java new file mode 100644 index 00000000..4c97c58d --- /dev/null +++ b/src/main/java/com/gitblit/transport/ssh/SshKeyAuthenticator.java @@ -0,0 +1,43 @@ +/* + * Copyright 2014 gitblit.com. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.gitblit.transport.ssh; + +import java.security.PublicKey; + +import org.apache.sshd.server.PublickeyAuthenticator; +import org.apache.sshd.server.session.ServerSession; + +import com.gitblit.manager.IGitblit; + +/** + * + * @author Eric Myrhe + * + */ +public class SshKeyAuthenticator implements PublickeyAuthenticator { + + protected final IGitblit gitblit; + + public SshKeyAuthenticator(IGitblit gitblit) { + this.gitblit = gitblit; + } + + @Override + public boolean authenticate(String username, PublicKey key, ServerSession session) { + // TODO actually authenticate + return true; + } +} |