diff options
Diffstat (limited to 'src/main/java')
4 files changed, 180 insertions, 1 deletions
diff --git a/src/main/java/com/gitblit/guice/WebModule.java b/src/main/java/com/gitblit/guice/WebModule.java index 5b569182..c6172c3d 100644 --- a/src/main/java/com/gitblit/guice/WebModule.java +++ b/src/main/java/com/gitblit/guice/WebModule.java @@ -19,6 +19,7 @@ import java.util.HashMap; import java.util.Map; import com.gitblit.Constants; +import com.gitblit.servlet.AccessDeniedServlet; import com.gitblit.servlet.BranchGraphServlet; import com.gitblit.servlet.DownloadZipFilter; import com.gitblit.servlet.DownloadZipServlet; @@ -70,6 +71,17 @@ public class WebModule extends ServletModule { serve("/robots.txt").with(RobotsTxtServlet.class); serve("/logo.png").with(LogoServlet.class); + /* Prevent accidental access to 'resources' such as GitBlit java classes + * + * In the GO setup the JAR containing the application and the WAR injected + * into Jetty are the same file. However Jetty expects to serve the entire WAR + * contents, except the WEB-INF folder. Thus, all java binary classes in the + * JAR are served by default as is they were legitimate resources. + * + * The below servlet mappings prevent that behavior + */ + serve(fuzzy("/com/")).with(AccessDeniedServlet.class); + // global filters filter(ALL).through(ProxyFilter.class); filter(ALL).through(EnforceAuthenticationFilter.class); diff --git a/src/main/java/com/gitblit/manager/AuthenticationManager.java b/src/main/java/com/gitblit/manager/AuthenticationManager.java index 29221e6f..cbf0a1bd 100644 --- a/src/main/java/com/gitblit/manager/AuthenticationManager.java +++ b/src/main/java/com/gitblit/manager/AuthenticationManager.java @@ -215,6 +215,29 @@ public class AuthenticationManager implements IAuthenticationManager { user.displayName = username; user.password = Constants.EXTERNAL_ACCOUNT; user.accountType = AccountType.CONTAINER; + + // Try to extract user's informations for the session + // it uses "realm.container.autoAccounts.*" as the attribute name to look for + HttpSession session = httpRequest.getSession(); + String emailAddress = resolveAttribute(session, Keys.realm.container.autoAccounts.emailAddress); + if(emailAddress != null) { + user.emailAddress = emailAddress; + } + String displayName = resolveAttribute(session, Keys.realm.container.autoAccounts.displayName); + if(displayName != null) { + user.displayName = displayName; + } + String userLocale = resolveAttribute(session, Keys.realm.container.autoAccounts.locale); + if(userLocale != null) { + user.getPreferences().setLocale(userLocale); + } + String adminRole = settings.getString(Keys.realm.container.autoAccounts.adminRole, null); + if(adminRole != null && ! adminRole.isEmpty()) { + if(httpRequest.isUserInRole(adminRole)) { + user.canAdmin = true; + } + } + userManager.updateUserModel(user); flagSession(httpRequest, AuthenticationType.CONTAINER); logger.debug(MessageFormat.format("{0} authenticated and created by servlet container principal from {1}", @@ -293,6 +316,31 @@ public class AuthenticationManager implements IAuthenticationManager { } return null; } + + /** + * Extract given attribute from the session and return it's content + * it return null if attributeMapping is empty, or if the value is + * empty + * + * @param session The user session + * @param attributeMapping + * @return + */ + private String resolveAttribute(HttpSession session, String attributeMapping) { + String attributeName = settings.getString(attributeMapping, null); + if(StringUtils.isEmpty(attributeName)) { + return null; + } + Object attributeValue = session.getAttribute(attributeName); + if(attributeValue == null) { + return null; + } + String value = attributeValue.toString(); + if(value.isEmpty()) { + return null; + } + return value; + } /** * Authenticate a user based on a public key. diff --git a/src/main/java/com/gitblit/servlet/AccessDeniedServlet.java b/src/main/java/com/gitblit/servlet/AccessDeniedServlet.java new file mode 100644 index 00000000..ae0797e2 --- /dev/null +++ b/src/main/java/com/gitblit/servlet/AccessDeniedServlet.java @@ -0,0 +1,63 @@ +/* + * Copyright 2015 Jean-Baptiste Mayer + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.gitblit.servlet; + +import java.io.IOException; + +import javax.servlet.ServletException; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import com.google.inject.Singleton; + +/** + * Access-denied Servlet. + * + * This servlet serves only 404 Not Found error replies. + * + * This servlet is used to override the container's default behavior to serve + * all contents of the application's WAR. We can selectively prevent access to + * a specific path simply by mapping this servlet onto specific paths. + * + * + * @author Jean-Baptiste Mayer + * + */ +@Singleton +public class AccessDeniedServlet extends HttpServlet { + /** + * + */ + private static final long serialVersionUID = -3239463647917811122L; + + @Override + protected void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, java.io.IOException { + processRequest(request, response); + } + + @Override + protected void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + processRequest(request, response); + } + + private void processRequest(HttpServletRequest request, + HttpServletResponse response) { + response.setStatus(HttpServletResponse.SC_NOT_FOUND); + } +} diff --git a/src/main/java/com/gitblit/transport/ssh/SshDaemon.java b/src/main/java/com/gitblit/transport/ssh/SshDaemon.java index 9667154f..ec7d7c36 100644 --- a/src/main/java/com/gitblit/transport/ssh/SshDaemon.java +++ b/src/main/java/com/gitblit/transport/ssh/SshDaemon.java @@ -23,15 +23,25 @@ import java.net.InetSocketAddress; import java.security.KeyPair; import java.security.KeyPairGenerator; import java.text.MessageFormat; +import java.util.ArrayList; +import java.util.List; +import java.util.Locale; import java.util.concurrent.atomic.AtomicBoolean; import org.apache.sshd.SshServer; +import org.apache.sshd.common.NamedFactory; import org.apache.sshd.common.io.IoServiceFactoryFactory; import org.apache.sshd.common.io.mina.MinaServiceFactoryFactory; import org.apache.sshd.common.io.nio2.Nio2ServiceFactoryFactory; import org.apache.sshd.common.keyprovider.FileKeyPairProvider; import org.apache.sshd.common.util.SecurityUtils; import org.apache.sshd.server.auth.CachingPublicKeyAuthenticator; +import org.apache.sshd.server.UserAuth; +import org.apache.sshd.server.auth.UserAuthKeyboardInteractive; +import org.apache.sshd.server.auth.UserAuthPassword; +import org.apache.sshd.server.auth.UserAuthPublicKey; +import org.apache.sshd.server.auth.gss.GSSAuthenticator; +import org.apache.sshd.server.auth.gss.UserAuthGSS; import org.bouncycastle.openssl.PEMWriter; import org.eclipse.jgit.internal.JGitText; import org.slf4j.Logger; @@ -120,7 +130,49 @@ public class SshDaemon { } else { addr = new InetSocketAddress(bindInterface, port); } - + + //Will do GSS ? + GSSAuthenticator gssAuthenticator = null; + if(settings.getBoolean(Keys.git.sshWithKrb5, false)) { + gssAuthenticator = new GSSAuthenticator(); + String keytabString = settings.getString(Keys.git.sshKrb5Keytab, + ""); + if(! keytabString.isEmpty()) { + gssAuthenticator.setKeytabFile(keytabString); + } + String servicePrincipalName = settings.getString(Keys.git.sshKrb5ServicePrincipalName, + ""); + if(! servicePrincipalName.isEmpty()) { + gssAuthenticator.setServicePrincipalName(servicePrincipalName); + } + } + + //Sort the authenticators for sshd + List<NamedFactory<UserAuth>> userAuthFactories = new ArrayList<>(); + String sshAuthenticatorsOrderString = settings.getString(Keys.git.sshAuthenticatorsOrder, + "password,keyboard-interactive,publickey"); + for(String authenticator: sshAuthenticatorsOrderString.split(",")) { + String authenticatorName = authenticator.trim().toLowerCase(Locale.US); + switch (authenticatorName) { + case "gssapi-with-mic": + if(gssAuthenticator != null) { + userAuthFactories.add(new UserAuthGSS.Factory()); + } + break; + case "publickey": + userAuthFactories.add(new UserAuthPublicKey.Factory()); + break; + case "password": + userAuthFactories.add(new UserAuthPassword.Factory()); + break; + case "keyboard-interactive": + userAuthFactories.add(new UserAuthKeyboardInteractive.Factory()); + break; + default: + log.error("Unknown ssh authenticator: '{}'", authenticatorName); + } + } + // Create the SSH server sshd = SshServer.setUpDefaultServer(); sshd.setPort(addr.getPort()); @@ -128,6 +180,10 @@ public class SshDaemon { sshd.setKeyPairProvider(hostKeyPairProvider); sshd.setPublickeyAuthenticator(new CachingPublicKeyAuthenticator(keyAuthenticator)); sshd.setPasswordAuthenticator(new UsernamePasswordAuthenticator(gitblit)); + if(gssAuthenticator != null) { + sshd.setGSSAuthenticator(gssAuthenticator); + } + sshd.setUserAuthFactories(userAuthFactories); sshd.setSessionFactory(new SshServerSessionFactory()); sshd.setFileSystemFactory(new DisabledFilesystemFactory()); sshd.setTcpipForwardingFilter(new NonForwardingFilter()); |