From 41124cddb6edd82c1630efb99b29c839304ed897 Mon Sep 17 00:00:00 2001 From: Eric Myhre Date: Thu, 13 Jun 2013 17:03:24 -0500 Subject: Support serving repositories over the SSH transport Gitblit would greatly benefit from an integrated SSH server. This would complete the transport trifecta. Change-Id: I6fb95abe65655fa74d47ea71522d8d9a1541450c --- src/main/java/com/gitblit/GitBlitServer.java | 1408 ++++++++++---------- .../java/com/gitblit/manager/ServicesManager.java | 18 + .../gitblit/transport/ssh/AbstractSshCommand.java | 75 ++ .../gitblit/transport/ssh/SshCommandFactory.java | 164 +++ .../gitblit/transport/ssh/SshCommandServer.java | 217 +++ .../java/com/gitblit/transport/ssh/SshDaemon.java | 159 +++ .../com/gitblit/transport/ssh/SshDaemonClient.java | 37 + .../gitblit/transport/ssh/SshKeyAuthenticator.java | 43 + 8 files changed, 1419 insertions(+), 702 deletions(-) create mode 100644 src/main/java/com/gitblit/transport/ssh/AbstractSshCommand.java create mode 100644 src/main/java/com/gitblit/transport/ssh/SshCommandFactory.java create mode 100644 src/main/java/com/gitblit/transport/ssh/SshCommandServer.java create mode 100644 src/main/java/com/gitblit/transport/ssh/SshDaemon.java create mode 100644 src/main/java/com/gitblit/transport/ssh/SshDaemonClient.java create mode 100644 src/main/java/com/gitblit/transport/ssh/SshKeyAuthenticator.java (limited to 'src/main/java') diff --git a/src/main/java/com/gitblit/GitBlitServer.java b/src/main/java/com/gitblit/GitBlitServer.java index 64d3cadd..c37bc3a1 100644 --- a/src/main/java/com/gitblit/GitBlitServer.java +++ b/src/main/java/com/gitblit/GitBlitServer.java @@ -1,703 +1,707 @@ -/* - * Copyright 2011 gitblit.com. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package com.gitblit; - -import java.io.BufferedReader; -import java.io.BufferedWriter; -import java.io.File; -import java.io.FileWriter; -import java.io.IOException; -import java.io.InputStream; -import java.io.InputStreamReader; -import java.io.OutputStream; -import java.net.InetAddress; -import java.net.ServerSocket; -import java.net.Socket; -import java.net.URI; -import java.net.URL; -import java.net.UnknownHostException; -import java.security.ProtectionDomain; -import java.text.MessageFormat; -import java.util.ArrayList; -import java.util.Date; -import java.util.List; -import java.util.Properties; -import java.util.Scanner; - -import org.apache.log4j.PropertyConfigurator; -import org.eclipse.jetty.ajp.Ajp13SocketConnector; -import org.eclipse.jetty.security.ConstraintMapping; -import org.eclipse.jetty.security.ConstraintSecurityHandler; -import org.eclipse.jetty.server.Connector; -import org.eclipse.jetty.server.Server; -import org.eclipse.jetty.server.bio.SocketConnector; -import org.eclipse.jetty.server.nio.SelectChannelConnector; -import org.eclipse.jetty.server.session.HashSessionManager; -import org.eclipse.jetty.server.ssl.SslConnector; -import org.eclipse.jetty.server.ssl.SslSelectChannelConnector; -import org.eclipse.jetty.server.ssl.SslSocketConnector; -import org.eclipse.jetty.util.security.Constraint; -import org.eclipse.jetty.util.thread.QueuedThreadPool; -import org.eclipse.jetty.webapp.WebAppContext; -import org.eclipse.jgit.storage.file.FileBasedConfig; -import org.eclipse.jgit.util.FS; -import org.eclipse.jgit.util.FileUtils; -import org.kohsuke.args4j.CmdLineException; -import org.kohsuke.args4j.CmdLineParser; -import org.kohsuke.args4j.Option; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import com.gitblit.authority.GitblitAuthority; -import com.gitblit.authority.NewCertificateConfig; -import com.gitblit.servlet.GitblitContext; -import com.gitblit.utils.StringUtils; -import com.gitblit.utils.TimeUtils; -import com.gitblit.utils.X509Utils; -import com.gitblit.utils.X509Utils.X509Log; -import com.gitblit.utils.X509Utils.X509Metadata; -import com.unboundid.ldap.listener.InMemoryDirectoryServer; -import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig; -import com.unboundid.ldap.listener.InMemoryListenerConfig; -import com.unboundid.ldif.LDIFReader; - -/** - * GitBlitServer is the embedded Jetty server for Gitblit GO. This class starts - * and stops an instance of Jetty that is configured from a combination of the - * gitblit.properties file and command line parameters. JCommander is used to - * simplify command line parameter processing. This class also automatically - * generates a self-signed certificate for localhost, if the keystore does not - * already exist. - * - * @author James Moger - * - */ -public class GitBlitServer { - - private static Logger logger; - - public static void main(String... args) { - GitBlitServer server = new GitBlitServer(); - - // filter out the baseFolder parameter - List filtered = new ArrayList(); - String folder = "data"; - for (int i = 0; i < args.length; i++) { - String arg = args[i]; - if (arg.equals("--baseFolder")) { - if (i + 1 == args.length) { - System.out.println("Invalid --baseFolder parameter!"); - System.exit(-1); - } else if (!".".equals(args[i + 1])) { - folder = args[i + 1]; - } - i = i + 1; - } else { - filtered.add(arg); - } - } - - Params.baseFolder = folder; - Params params = new Params(); - CmdLineParser parser = new CmdLineParser(params); - try { - parser.parseArgument(filtered); - if (params.help) { - server.usage(parser, null); - } - } catch (CmdLineException t) { - server.usage(parser, t); - } - - if (params.stop) { - server.stop(params); - } else { - server.start(params); - } - } - - /** - * Display the command line usage of Gitblit GO. - * - * @param parser - * @param t - */ - protected final void usage(CmdLineParser parser, CmdLineException t) { - System.out.println(Constants.BORDER); - System.out.println(Constants.getGitBlitVersion()); - System.out.println(Constants.BORDER); - System.out.println(); - if (t != null) { - System.out.println(t.getMessage()); - System.out.println(); - } - if (parser != null) { - parser.printUsage(System.out); - System.out - .println("\nExample:\n java -server -Xmx1024M -jar gitblit.jar --repositoriesFolder c:\\git --httpPort 80 --httpsPort 443"); - } - System.exit(0); - } - - /** - * Stop Gitblt GO. - */ - public void stop(Params params) { - try { - Socket s = new Socket(InetAddress.getByName("127.0.0.1"), params.shutdownPort); - OutputStream out = s.getOutputStream(); - System.out.println("Sending Shutdown Request to " + Constants.NAME); - out.write("\r\n".getBytes()); - out.flush(); - s.close(); - } catch (UnknownHostException e) { - e.printStackTrace(); - } catch (IOException e) { - e.printStackTrace(); - } - } - - /** - * Start Gitblit GO. - */ - protected final void start(Params params) { - final File baseFolder = new File(Params.baseFolder).getAbsoluteFile(); - FileSettings settings = params.FILESETTINGS; - if (!StringUtils.isEmpty(params.settingsfile)) { - if (new File(params.settingsfile).exists()) { - settings = new FileSettings(params.settingsfile); - } - } - - if (params.dailyLogFile) { - // Configure log4j for daily log file generation - InputStream is = null; - try { - is = getClass().getResourceAsStream("/log4j.properties"); - Properties loggingProperties = new Properties(); - loggingProperties.load(is); - - loggingProperties.put("log4j.appender.R.File", new File(baseFolder, "logs/gitblit.log").getAbsolutePath()); - loggingProperties.put("log4j.rootCategory", "INFO, R"); - - if (settings.getBoolean(Keys.web.debugMode, false)) { - loggingProperties.put("log4j.logger.com.gitblit", "DEBUG"); - } - - PropertyConfigurator.configure(loggingProperties); - } catch (Exception e) { - e.printStackTrace(); - } finally { - try { - is.close(); - } catch (IOException e) { - e.printStackTrace(); - } - } - } - - logger = LoggerFactory.getLogger(GitBlitServer.class); - logger.info(Constants.BORDER); - logger.info(" _____ _ _ _ _ _ _"); - logger.info(" | __ \\(_)| | | | | |(_)| |"); - logger.info(" | | \\/ _ | |_ | |__ | | _ | |_"); - logger.info(" | | __ | || __|| '_ \\ | || || __|"); - logger.info(" | |_\\ \\| || |_ | |_) || || || |_"); - logger.info(" \\____/|_| \\__||_.__/ |_||_| \\__|"); - int spacing = (Constants.BORDER.length() - Constants.getGitBlitVersion().length()) / 2; - StringBuilder sb = new StringBuilder(); - while (spacing > 0) { - spacing--; - sb.append(' '); - } - logger.info(sb.toString() + Constants.getGitBlitVersion()); - logger.info(""); - logger.info(Constants.BORDER); - - System.setProperty("java.awt.headless", "true"); - - String osname = System.getProperty("os.name"); - String osversion = System.getProperty("os.version"); - logger.info("Running on " + osname + " (" + osversion + ")"); - - List connectors = new ArrayList(); - - // conditionally configure the http connector - if (params.port > 0) { - Connector httpConnector = createConnector(params.useNIO, params.port, settings.getInteger(Keys.server.threadPoolSize, 50)); - String bindInterface = settings.getString(Keys.server.httpBindInterface, null); - if (!StringUtils.isEmpty(bindInterface)) { - logger.warn(MessageFormat.format("Binding connector on port {0,number,0} to {1}", - params.port, bindInterface)); - httpConnector.setHost(bindInterface); - } - if (params.port < 1024 && !isWindows()) { - logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!"); - } - if (params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) { - // redirect HTTP requests to HTTPS - if (httpConnector instanceof SelectChannelConnector) { - ((SelectChannelConnector) httpConnector).setConfidentialPort(params.securePort); - } else { - ((SocketConnector) httpConnector).setConfidentialPort(params.securePort); - } - } - connectors.add(httpConnector); - } - - // conditionally configure the https connector - if (params.securePort > 0) { - File certificatesConf = new File(baseFolder, X509Utils.CA_CONFIG); - File serverKeyStore = new File(baseFolder, X509Utils.SERVER_KEY_STORE); - File serverTrustStore = new File(baseFolder, X509Utils.SERVER_TRUST_STORE); - File caRevocationList = new File(baseFolder, X509Utils.CA_REVOCATION_LIST); - - // generate CA & web certificates, create certificate stores - X509Metadata metadata = new X509Metadata("localhost", params.storePassword); - // set default certificate values from config file - if (certificatesConf.exists()) { - FileBasedConfig config = new FileBasedConfig(certificatesConf, FS.detect()); - try { - config.load(); - } catch (Exception e) { - logger.error("Error parsing " + certificatesConf, e); - } - NewCertificateConfig certificateConfig = NewCertificateConfig.KEY.parse(config); - certificateConfig.update(metadata); - } - - metadata.notAfter = new Date(System.currentTimeMillis() + 10*TimeUtils.ONEYEAR); - X509Utils.prepareX509Infrastructure(metadata, baseFolder, new X509Log() { - @Override - public void log(String message) { - BufferedWriter writer = null; - try { - writer = new BufferedWriter(new FileWriter(new File(baseFolder, X509Utils.CERTS + File.separator + "log.txt"), true)); - writer.write(MessageFormat.format("{0,date,yyyy-MM-dd HH:mm}: {1}", new Date(), message)); - writer.newLine(); - writer.flush(); - } catch (Exception e) { - LoggerFactory.getLogger(GitblitAuthority.class).error("Failed to append log entry!", e); - } finally { - if (writer != null) { - try { - writer.close(); - } catch (IOException e) { - } - } - } - } - }); - - if (serverKeyStore.exists()) { - Connector secureConnector = createSSLConnector(params.alias, serverKeyStore, serverTrustStore, params.storePassword, - caRevocationList, params.useNIO, params.securePort, settings.getInteger(Keys.server.threadPoolSize, 50), params.requireClientCertificates); - String bindInterface = settings.getString(Keys.server.httpsBindInterface, null); - if (!StringUtils.isEmpty(bindInterface)) { - logger.warn(MessageFormat.format( - "Binding ssl connector on port {0,number,0} to {1}", params.securePort, - bindInterface)); - secureConnector.setHost(bindInterface); - } - if (params.securePort < 1024 && !isWindows()) { - logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!"); - } - connectors.add(secureConnector); - } else { - logger.warn("Failed to find or load Keystore?"); - logger.warn("SSL connector DISABLED."); - } - } - - // conditionally configure the ajp connector - if (params.ajpPort > 0) { - Connector ajpConnector = createAJPConnector(params.ajpPort); - String bindInterface = settings.getString(Keys.server.ajpBindInterface, null); - if (!StringUtils.isEmpty(bindInterface)) { - logger.warn(MessageFormat.format("Binding connector on port {0,number,0} to {1}", - params.ajpPort, bindInterface)); - ajpConnector.setHost(bindInterface); - } - if (params.ajpPort < 1024 && !isWindows()) { - logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!"); - } - connectors.add(ajpConnector); - } - - // tempDir is where the embedded Gitblit web application is expanded and - // where Jetty creates any necessary temporary files - File tempDir = com.gitblit.utils.FileUtils.resolveParameter(Constants.baseFolder$, baseFolder, params.temp); - if (tempDir.exists()) { - try { - FileUtils.delete(tempDir, FileUtils.RECURSIVE | FileUtils.RETRY); - } catch (IOException x) { - logger.warn("Failed to delete temp dir " + tempDir.getAbsolutePath(), x); - } - } - if (!tempDir.mkdirs()) { - logger.warn("Failed to create temp dir " + tempDir.getAbsolutePath()); - } - - Server server = new Server(); - server.setStopAtShutdown(true); - server.setConnectors(connectors.toArray(new Connector[connectors.size()])); - - // Get the execution path of this class - // We use this to set the WAR path. - ProtectionDomain protectionDomain = GitBlitServer.class.getProtectionDomain(); - URL location = protectionDomain.getCodeSource().getLocation(); - - // Root WebApp Context - WebAppContext rootContext = new WebAppContext(); - rootContext.setContextPath(settings.getString(Keys.server.contextPath, "/")); - rootContext.setServer(server); - rootContext.setWar(location.toExternalForm()); - rootContext.setTempDirectory(tempDir); - - // Set cookies HttpOnly so they are not accessible to JavaScript engines - HashSessionManager sessionManager = new HashSessionManager(); - sessionManager.setHttpOnly(true); - // Use secure cookies if only serving https - sessionManager.setSecureRequestOnly(params.port <= 0 && params.securePort > 0); - rootContext.getSessionHandler().setSessionManager(sessionManager); - - // Ensure there is a defined User Service - String realmUsers = params.userService; - if (StringUtils.isEmpty(realmUsers)) { - logger.error(MessageFormat.format("PLEASE SPECIFY {0}!!", Keys.realm.userService)); - return; - } - - // Override settings from the command-line - settings.overrideSetting(Keys.realm.userService, params.userService); - settings.overrideSetting(Keys.git.repositoriesFolder, params.repositoriesFolder); - settings.overrideSetting(Keys.git.daemonPort, params.gitPort); - - // Start up an in-memory LDAP server, if configured - try { - if (!StringUtils.isEmpty(params.ldapLdifFile)) { - File ldifFile = new File(params.ldapLdifFile); - if (ldifFile != null && ldifFile.exists()) { - URI ldapUrl = new URI(settings.getRequiredString(Keys.realm.ldap.server)); - String firstLine = new Scanner(ldifFile).nextLine(); - String rootDN = firstLine.substring(4); - String bindUserName = settings.getString(Keys.realm.ldap.username, ""); - String bindPassword = settings.getString(Keys.realm.ldap.password, ""); - - // Get the port - int port = ldapUrl.getPort(); - if (port == -1) - port = 389; - - InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig(rootDN); - config.addAdditionalBindCredentials(bindUserName, bindPassword); - config.setListenerConfigs(InMemoryListenerConfig.createLDAPConfig("default", port)); - config.setSchema(null); - - InMemoryDirectoryServer ds = new InMemoryDirectoryServer(config); - ds.importFromLDIF(true, new LDIFReader(ldifFile)); - ds.startListening(); - - logger.info("LDAP Server started at ldap://localhost:" + port); - } - } - } catch (Exception e) { - // Completely optional, just show a warning - logger.warn("Unable to start LDAP server", e); - } - - // Set the server's contexts - server.setHandler(rootContext); - - // redirect HTTP requests to HTTPS - if (params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) { - logger.info(String.format("Configuring automatic http(%1$s) -> https(%2$s) redirects", params.port, params.securePort)); - // Create the internal mechanisms to handle secure connections and redirects - Constraint constraint = new Constraint(); - constraint.setDataConstraint(Constraint.DC_CONFIDENTIAL); - - ConstraintMapping cm = new ConstraintMapping(); - cm.setConstraint(constraint); - cm.setPathSpec("/*"); - - ConstraintSecurityHandler sh = new ConstraintSecurityHandler(); - sh.setConstraintMappings(new ConstraintMapping[] { cm }); - - // Configure this context to use the Security Handler defined before - rootContext.setHandler(sh); - } - - // Setup the Gitblit context - GitblitContext gitblit = newGitblit(settings, baseFolder); - rootContext.addEventListener(gitblit); - - try { - // start the shutdown monitor - if (params.shutdownPort > 0) { - Thread shutdownMonitor = new ShutdownMonitorThread(server, params); - shutdownMonitor.start(); - } - - // start Jetty - server.start(); - server.join(); - } catch (Exception e) { - e.printStackTrace(); - System.exit(100); - } - } - - protected GitblitContext newGitblit(IStoredSettings settings, File baseFolder) { - return new GitblitContext(settings, baseFolder); - } - - /** - * Creates an http connector. - * - * @param useNIO - * @param port - * @param threadPoolSize - * @return an http connector - */ - private Connector createConnector(boolean useNIO, int port, int threadPoolSize) { - Connector connector; - if (useNIO) { - logger.info("Setting up NIO SelectChannelConnector on port " + port); - SelectChannelConnector nioconn = new SelectChannelConnector(); - nioconn.setSoLingerTime(-1); - if (threadPoolSize > 0) { - nioconn.setThreadPool(new QueuedThreadPool(threadPoolSize)); - } - connector = nioconn; - } else { - logger.info("Setting up SocketConnector on port " + port); - SocketConnector sockconn = new SocketConnector(); - if (threadPoolSize > 0) { - sockconn.setThreadPool(new QueuedThreadPool(threadPoolSize)); - } - connector = sockconn; - } - - connector.setPort(port); - connector.setMaxIdleTime(30000); - return connector; - } - - /** - * Creates an https connector. - * - * SSL renegotiation will be enabled if the JVM is 1.6.0_22 or later. - * oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html - * - * @param certAlias - * @param keyStore - * @param clientTrustStore - * @param storePassword - * @param caRevocationList - * @param useNIO - * @param port - * @param threadPoolSize - * @param requireClientCertificates - * @return an https connector - */ - private Connector createSSLConnector(String certAlias, File keyStore, File clientTrustStore, - String storePassword, File caRevocationList, boolean useNIO, int port, int threadPoolSize, - boolean requireClientCertificates) { - GitblitSslContextFactory factory = new GitblitSslContextFactory(certAlias, - keyStore, clientTrustStore, storePassword, caRevocationList); - SslConnector connector; - if (useNIO) { - logger.info("Setting up NIO SslSelectChannelConnector on port " + port); - SslSelectChannelConnector ssl = new SslSelectChannelConnector(factory); - ssl.setSoLingerTime(-1); - if (requireClientCertificates) { - factory.setNeedClientAuth(true); - } else { - factory.setWantClientAuth(true); - } - if (threadPoolSize > 0) { - ssl.setThreadPool(new QueuedThreadPool(threadPoolSize)); - } - connector = ssl; - } else { - logger.info("Setting up NIO SslSocketConnector on port " + port); - SslSocketConnector ssl = new SslSocketConnector(factory); - if (threadPoolSize > 0) { - ssl.setThreadPool(new QueuedThreadPool(threadPoolSize)); - } - connector = ssl; - } - connector.setPort(port); - connector.setMaxIdleTime(30000); - - return connector; - } - - /** - * Creates an ajp connector. - * - * @param port - * @return an ajp connector - */ - private Connector createAJPConnector(int port) { - logger.info("Setting up AJP Connector on port " + port); - Ajp13SocketConnector ajp = new Ajp13SocketConnector(); - ajp.setPort(port); - if (port < 1024 && !isWindows()) { - logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!"); - } - return ajp; - } - - /** - * Tests to see if the operating system is Windows. - * - * @return true if this is a windows machine - */ - private boolean isWindows() { - return System.getProperty("os.name").toLowerCase().indexOf("windows") > -1; - } - - /** - * The ShutdownMonitorThread opens a socket on a specified port and waits - * for an incoming connection. When that connection is accepted a shutdown - * message is issued to the running Jetty server. - * - * @author James Moger - * - */ - private static class ShutdownMonitorThread extends Thread { - - private final ServerSocket socket; - - private final Server server; - - private final Logger logger = LoggerFactory.getLogger(ShutdownMonitorThread.class); - - public ShutdownMonitorThread(Server server, Params params) { - this.server = server; - setDaemon(true); - setName(Constants.NAME + " Shutdown Monitor"); - ServerSocket skt = null; - try { - skt = new ServerSocket(params.shutdownPort, 1, InetAddress.getByName("127.0.0.1")); - } catch (Exception e) { - logger.warn("Could not open shutdown monitor on port " + params.shutdownPort, e); - } - socket = skt; - } - - @Override - public void run() { - logger.info("Shutdown Monitor listening on port " + socket.getLocalPort()); - Socket accept; - try { - accept = socket.accept(); - BufferedReader reader = new BufferedReader(new InputStreamReader( - accept.getInputStream())); - reader.readLine(); - logger.info(Constants.BORDER); - logger.info("Stopping " + Constants.NAME); - logger.info(Constants.BORDER); - server.stop(); - server.setStopAtShutdown(false); - accept.close(); - socket.close(); - } catch (Exception e) { - logger.warn("Failed to shutdown Jetty", e); - } - } - } - - /** - * Parameters class for GitBlitServer. - */ - public static class Params { - - public static String baseFolder; - - private final FileSettings FILESETTINGS = new FileSettings(new File(baseFolder, Constants.PROPERTIES_FILE).getAbsolutePath()); - - /* - * Server parameters - */ - @Option(name = "--help", aliases = { "-h"}, usage = "Show this help") - public Boolean help = false; - - @Option(name = "--stop", usage = "Stop Server") - public Boolean stop = false; - - @Option(name = "--tempFolder", usage = "Folder for server to extract built-in webapp", metaVar="PATH") - public String temp = FILESETTINGS.getString(Keys.server.tempFolder, "temp"); - - @Option(name = "--dailyLogFile", usage = "Log to a rolling daily log file INSTEAD of stdout.") - public Boolean dailyLogFile = false; - - /* - * GIT Servlet Parameters - */ - @Option(name = "--repositoriesFolder", usage = "Git Repositories Folder", metaVar="PATH") - public String repositoriesFolder = FILESETTINGS.getString(Keys.git.repositoriesFolder, - "git"); - - /* - * Authentication Parameters - */ - @Option(name = "--userService", usage = "Authentication and Authorization Service (filename or fully qualified classname)") - public String userService = FILESETTINGS.getString(Keys.realm.userService, - "users.conf"); - - /* - * JETTY Parameters - */ - @Option(name = "--useNio", usage = "Use NIO Connector else use Socket Connector.") - public Boolean useNIO = FILESETTINGS.getBoolean(Keys.server.useNio, true); - - @Option(name = "--httpPort", usage = "HTTP port for to serve. (port <= 0 will disable this connector)", metaVar="PORT") - public Integer port = FILESETTINGS.getInteger(Keys.server.httpPort, 0); - - @Option(name = "--httpsPort", usage = "HTTPS port to serve. (port <= 0 will disable this connector)", metaVar="PORT") - public Integer securePort = FILESETTINGS.getInteger(Keys.server.httpsPort, 8443); - - @Option(name = "--ajpPort", usage = "AJP port to serve. (port <= 0 will disable this connector)", metaVar="PORT") - public Integer ajpPort = FILESETTINGS.getInteger(Keys.server.ajpPort, 0); - - @Option(name = "--gitPort", usage = "Git Daemon port to serve. (port <= 0 will disable this connector)", metaVar="PORT") - public Integer gitPort = FILESETTINGS.getInteger(Keys.git.daemonPort, 9418); - - @Option(name = "--alias", usage = "Alias of SSL certificate in keystore for serving https.", metaVar="ALIAS") - public String alias = FILESETTINGS.getString(Keys.server.certificateAlias, ""); - - @Option(name = "--storePassword", usage = "Password for SSL (https) keystore.", metaVar="PASSWORD") - public String storePassword = FILESETTINGS.getString(Keys.server.storePassword, ""); - - @Option(name = "--shutdownPort", usage = "Port for Shutdown Monitor to listen on. (port <= 0 will disable this monitor)", metaVar="PORT") - public Integer shutdownPort = FILESETTINGS.getInteger(Keys.server.shutdownPort, 8081); - - @Option(name = "--requireClientCertificates", usage = "Require client X509 certificates for https connections.") - public Boolean requireClientCertificates = FILESETTINGS.getBoolean(Keys.server.requireClientCertificates, false); - - /* - * Setting overrides - */ - @Option(name = "--settings", usage = "Path to alternative settings", metaVar="FILE") - public String settingsfile; - - @Option(name = "--ldapLdifFile", usage = "Path to LDIF file. This will cause an in-memory LDAP server to be started according to gitblit settings", metaVar="FILE") - public String ldapLdifFile; - - } +/* + * Copyright 2011 gitblit.com. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.gitblit; + +import java.io.BufferedReader; +import java.io.BufferedWriter; +import java.io.File; +import java.io.FileWriter; +import java.io.IOException; +import java.io.InputStream; +import java.io.InputStreamReader; +import java.io.OutputStream; +import java.net.InetAddress; +import java.net.ServerSocket; +import java.net.Socket; +import java.net.URI; +import java.net.URL; +import java.net.UnknownHostException; +import java.security.ProtectionDomain; +import java.text.MessageFormat; +import java.util.ArrayList; +import java.util.Date; +import java.util.List; +import java.util.Properties; +import java.util.Scanner; + +import org.apache.log4j.PropertyConfigurator; +import org.eclipse.jetty.ajp.Ajp13SocketConnector; +import org.eclipse.jetty.security.ConstraintMapping; +import org.eclipse.jetty.security.ConstraintSecurityHandler; +import org.eclipse.jetty.server.Connector; +import org.eclipse.jetty.server.Server; +import org.eclipse.jetty.server.bio.SocketConnector; +import org.eclipse.jetty.server.nio.SelectChannelConnector; +import org.eclipse.jetty.server.session.HashSessionManager; +import org.eclipse.jetty.server.ssl.SslConnector; +import org.eclipse.jetty.server.ssl.SslSelectChannelConnector; +import org.eclipse.jetty.server.ssl.SslSocketConnector; +import org.eclipse.jetty.util.security.Constraint; +import org.eclipse.jetty.util.thread.QueuedThreadPool; +import org.eclipse.jetty.webapp.WebAppContext; +import org.eclipse.jgit.storage.file.FileBasedConfig; +import org.eclipse.jgit.util.FS; +import org.eclipse.jgit.util.FileUtils; +import org.kohsuke.args4j.CmdLineException; +import org.kohsuke.args4j.CmdLineParser; +import org.kohsuke.args4j.Option; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import com.gitblit.authority.GitblitAuthority; +import com.gitblit.authority.NewCertificateConfig; +import com.gitblit.servlet.GitblitContext; +import com.gitblit.utils.StringUtils; +import com.gitblit.utils.TimeUtils; +import com.gitblit.utils.X509Utils; +import com.gitblit.utils.X509Utils.X509Log; +import com.gitblit.utils.X509Utils.X509Metadata; +import com.unboundid.ldap.listener.InMemoryDirectoryServer; +import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig; +import com.unboundid.ldap.listener.InMemoryListenerConfig; +import com.unboundid.ldif.LDIFReader; + +/** + * GitBlitServer is the embedded Jetty server for Gitblit GO. This class starts + * and stops an instance of Jetty that is configured from a combination of the + * gitblit.properties file and command line parameters. JCommander is used to + * simplify command line parameter processing. This class also automatically + * generates a self-signed certificate for localhost, if the keystore does not + * already exist. + * + * @author James Moger + * + */ +public class GitBlitServer { + + private static Logger logger; + + public static void main(String... args) { + GitBlitServer server = new GitBlitServer(); + + // filter out the baseFolder parameter + List filtered = new ArrayList(); + String folder = "data"; + for (int i = 0; i < args.length; i++) { + String arg = args[i]; + if (arg.equals("--baseFolder")) { + if (i + 1 == args.length) { + System.out.println("Invalid --baseFolder parameter!"); + System.exit(-1); + } else if (!".".equals(args[i + 1])) { + folder = args[i + 1]; + } + i = i + 1; + } else { + filtered.add(arg); + } + } + + Params.baseFolder = folder; + Params params = new Params(); + CmdLineParser parser = new CmdLineParser(params); + try { + parser.parseArgument(filtered); + if (params.help) { + server.usage(parser, null); + } + } catch (CmdLineException t) { + server.usage(parser, t); + } + + if (params.stop) { + server.stop(params); + } else { + server.start(params); + } + } + + /** + * Display the command line usage of Gitblit GO. + * + * @param parser + * @param t + */ + protected final void usage(CmdLineParser parser, CmdLineException t) { + System.out.println(Constants.BORDER); + System.out.println(Constants.getGitBlitVersion()); + System.out.println(Constants.BORDER); + System.out.println(); + if (t != null) { + System.out.println(t.getMessage()); + System.out.println(); + } + if (parser != null) { + parser.printUsage(System.out); + System.out + .println("\nExample:\n java -server -Xmx1024M -jar gitblit.jar --repositoriesFolder c:\\git --httpPort 80 --httpsPort 443"); + } + System.exit(0); + } + + /** + * Stop Gitblt GO. + */ + public void stop(Params params) { + try { + Socket s = new Socket(InetAddress.getByName("127.0.0.1"), params.shutdownPort); + OutputStream out = s.getOutputStream(); + System.out.println("Sending Shutdown Request to " + Constants.NAME); + out.write("\r\n".getBytes()); + out.flush(); + s.close(); + } catch (UnknownHostException e) { + e.printStackTrace(); + } catch (IOException e) { + e.printStackTrace(); + } + } + + /** + * Start Gitblit GO. + */ + protected final void start(Params params) { + final File baseFolder = new File(Params.baseFolder).getAbsoluteFile(); + FileSettings settings = params.FILESETTINGS; + if (!StringUtils.isEmpty(params.settingsfile)) { + if (new File(params.settingsfile).exists()) { + settings = new FileSettings(params.settingsfile); + } + } + + if (params.dailyLogFile) { + // Configure log4j for daily log file generation + InputStream is = null; + try { + is = getClass().getResourceAsStream("/log4j.properties"); + Properties loggingProperties = new Properties(); + loggingProperties.load(is); + + loggingProperties.put("log4j.appender.R.File", new File(baseFolder, "logs/gitblit.log").getAbsolutePath()); + loggingProperties.put("log4j.rootCategory", "INFO, R"); + + if (settings.getBoolean(Keys.web.debugMode, false)) { + loggingProperties.put("log4j.logger.com.gitblit", "DEBUG"); + } + + PropertyConfigurator.configure(loggingProperties); + } catch (Exception e) { + e.printStackTrace(); + } finally { + try { + is.close(); + } catch (IOException e) { + e.printStackTrace(); + } + } + } + + logger = LoggerFactory.getLogger(GitBlitServer.class); + logger.info(Constants.BORDER); + logger.info(" _____ _ _ _ _ _ _"); + logger.info(" | __ \\(_)| | | | | |(_)| |"); + logger.info(" | | \\/ _ | |_ | |__ | | _ | |_"); + logger.info(" | | __ | || __|| '_ \\ | || || __|"); + logger.info(" | |_\\ \\| || |_ | |_) || || || |_"); + logger.info(" \\____/|_| \\__||_.__/ |_||_| \\__|"); + int spacing = (Constants.BORDER.length() - Constants.getGitBlitVersion().length()) / 2; + StringBuilder sb = new StringBuilder(); + while (spacing > 0) { + spacing--; + sb.append(' '); + } + logger.info(sb.toString() + Constants.getGitBlitVersion()); + logger.info(""); + logger.info(Constants.BORDER); + + System.setProperty("java.awt.headless", "true"); + + String osname = System.getProperty("os.name"); + String osversion = System.getProperty("os.version"); + logger.info("Running on " + osname + " (" + osversion + ")"); + + List connectors = new ArrayList(); + + // conditionally configure the http connector + if (params.port > 0) { + Connector httpConnector = createConnector(params.useNIO, params.port, settings.getInteger(Keys.server.threadPoolSize, 50)); + String bindInterface = settings.getString(Keys.server.httpBindInterface, null); + if (!StringUtils.isEmpty(bindInterface)) { + logger.warn(MessageFormat.format("Binding connector on port {0,number,0} to {1}", + params.port, bindInterface)); + httpConnector.setHost(bindInterface); + } + if (params.port < 1024 && !isWindows()) { + logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!"); + } + if (params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) { + // redirect HTTP requests to HTTPS + if (httpConnector instanceof SelectChannelConnector) { + ((SelectChannelConnector) httpConnector).setConfidentialPort(params.securePort); + } else { + ((SocketConnector) httpConnector).setConfidentialPort(params.securePort); + } + } + connectors.add(httpConnector); + } + + // conditionally configure the https connector + if (params.securePort > 0) { + File certificatesConf = new File(baseFolder, X509Utils.CA_CONFIG); + File serverKeyStore = new File(baseFolder, X509Utils.SERVER_KEY_STORE); + File serverTrustStore = new File(baseFolder, X509Utils.SERVER_TRUST_STORE); + File caRevocationList = new File(baseFolder, X509Utils.CA_REVOCATION_LIST); + + // generate CA & web certificates, create certificate stores + X509Metadata metadata = new X509Metadata("localhost", params.storePassword); + // set default certificate values from config file + if (certificatesConf.exists()) { + FileBasedConfig config = new FileBasedConfig(certificatesConf, FS.detect()); + try { + config.load(); + } catch (Exception e) { + logger.error("Error parsing " + certificatesConf, e); + } + NewCertificateConfig certificateConfig = NewCertificateConfig.KEY.parse(config); + certificateConfig.update(metadata); + } + + metadata.notAfter = new Date(System.currentTimeMillis() + 10*TimeUtils.ONEYEAR); + X509Utils.prepareX509Infrastructure(metadata, baseFolder, new X509Log() { + @Override + public void log(String message) { + BufferedWriter writer = null; + try { + writer = new BufferedWriter(new FileWriter(new File(baseFolder, X509Utils.CERTS + File.separator + "log.txt"), true)); + writer.write(MessageFormat.format("{0,date,yyyy-MM-dd HH:mm}: {1}", new Date(), message)); + writer.newLine(); + writer.flush(); + } catch (Exception e) { + LoggerFactory.getLogger(GitblitAuthority.class).error("Failed to append log entry!", e); + } finally { + if (writer != null) { + try { + writer.close(); + } catch (IOException e) { + } + } + } + } + }); + + if (serverKeyStore.exists()) { + Connector secureConnector = createSSLConnector(params.alias, serverKeyStore, serverTrustStore, params.storePassword, + caRevocationList, params.useNIO, params.securePort, settings.getInteger(Keys.server.threadPoolSize, 50), params.requireClientCertificates); + String bindInterface = settings.getString(Keys.server.httpsBindInterface, null); + if (!StringUtils.isEmpty(bindInterface)) { + logger.warn(MessageFormat.format( + "Binding ssl connector on port {0,number,0} to {1}", params.securePort, + bindInterface)); + secureConnector.setHost(bindInterface); + } + if (params.securePort < 1024 && !isWindows()) { + logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!"); + } + connectors.add(secureConnector); + } else { + logger.warn("Failed to find or load Keystore?"); + logger.warn("SSL connector DISABLED."); + } + } + + // conditionally configure the ajp connector + if (params.ajpPort > 0) { + Connector ajpConnector = createAJPConnector(params.ajpPort); + String bindInterface = settings.getString(Keys.server.ajpBindInterface, null); + if (!StringUtils.isEmpty(bindInterface)) { + logger.warn(MessageFormat.format("Binding connector on port {0,number,0} to {1}", + params.ajpPort, bindInterface)); + ajpConnector.setHost(bindInterface); + } + if (params.ajpPort < 1024 && !isWindows()) { + logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!"); + } + connectors.add(ajpConnector); + } + + // tempDir is where the embedded Gitblit web application is expanded and + // where Jetty creates any necessary temporary files + File tempDir = com.gitblit.utils.FileUtils.resolveParameter(Constants.baseFolder$, baseFolder, params.temp); + if (tempDir.exists()) { + try { + FileUtils.delete(tempDir, FileUtils.RECURSIVE | FileUtils.RETRY); + } catch (IOException x) { + logger.warn("Failed to delete temp dir " + tempDir.getAbsolutePath(), x); + } + } + if (!tempDir.mkdirs()) { + logger.warn("Failed to create temp dir " + tempDir.getAbsolutePath()); + } + + Server server = new Server(); + server.setStopAtShutdown(true); + server.setConnectors(connectors.toArray(new Connector[connectors.size()])); + + // Get the execution path of this class + // We use this to set the WAR path. + ProtectionDomain protectionDomain = GitBlitServer.class.getProtectionDomain(); + URL location = protectionDomain.getCodeSource().getLocation(); + + // Root WebApp Context + WebAppContext rootContext = new WebAppContext(); + rootContext.setContextPath(settings.getString(Keys.server.contextPath, "/")); + rootContext.setServer(server); + rootContext.setWar(location.toExternalForm()); + rootContext.setTempDirectory(tempDir); + + // Set cookies HttpOnly so they are not accessible to JavaScript engines + HashSessionManager sessionManager = new HashSessionManager(); + sessionManager.setHttpOnly(true); + // Use secure cookies if only serving https + sessionManager.setSecureRequestOnly(params.port <= 0 && params.securePort > 0); + rootContext.getSessionHandler().setSessionManager(sessionManager); + + // Ensure there is a defined User Service + String realmUsers = params.userService; + if (StringUtils.isEmpty(realmUsers)) { + logger.error(MessageFormat.format("PLEASE SPECIFY {0}!!", Keys.realm.userService)); + return; + } + + // Override settings from the command-line + settings.overrideSetting(Keys.realm.userService, params.userService); + settings.overrideSetting(Keys.git.repositoriesFolder, params.repositoriesFolder); + settings.overrideSetting(Keys.git.daemonPort, params.gitPort); + settings.overrideSetting(Keys.git.sshPort, params.sshPort); + + // Start up an in-memory LDAP server, if configured + try { + if (!StringUtils.isEmpty(params.ldapLdifFile)) { + File ldifFile = new File(params.ldapLdifFile); + if (ldifFile != null && ldifFile.exists()) { + URI ldapUrl = new URI(settings.getRequiredString(Keys.realm.ldap.server)); + String firstLine = new Scanner(ldifFile).nextLine(); + String rootDN = firstLine.substring(4); + String bindUserName = settings.getString(Keys.realm.ldap.username, ""); + String bindPassword = settings.getString(Keys.realm.ldap.password, ""); + + // Get the port + int port = ldapUrl.getPort(); + if (port == -1) + port = 389; + + InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig(rootDN); + config.addAdditionalBindCredentials(bindUserName, bindPassword); + config.setListenerConfigs(InMemoryListenerConfig.createLDAPConfig("default", port)); + config.setSchema(null); + + InMemoryDirectoryServer ds = new InMemoryDirectoryServer(config); + ds.importFromLDIF(true, new LDIFReader(ldifFile)); + ds.startListening(); + + logger.info("LDAP Server started at ldap://localhost:" + port); + } + } + } catch (Exception e) { + // Completely optional, just show a warning + logger.warn("Unable to start LDAP server", e); + } + + // Set the server's contexts + server.setHandler(rootContext); + + // redirect HTTP requests to HTTPS + if (params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) { + logger.info(String.format("Configuring automatic http(%1$s) -> https(%2$s) redirects", params.port, params.securePort)); + // Create the internal mechanisms to handle secure connections and redirects + Constraint constraint = new Constraint(); + constraint.setDataConstraint(Constraint.DC_CONFIDENTIAL); + + ConstraintMapping cm = new ConstraintMapping(); + cm.setConstraint(constraint); + cm.setPathSpec("/*"); + + ConstraintSecurityHandler sh = new ConstraintSecurityHandler(); + sh.setConstraintMappings(new ConstraintMapping[] { cm }); + + // Configure this context to use the Security Handler defined before + rootContext.setHandler(sh); + } + + // Setup the Gitblit context + GitblitContext gitblit = newGitblit(settings, baseFolder); + rootContext.addEventListener(gitblit); + + try { + // start the shutdown monitor + if (params.shutdownPort > 0) { + Thread shutdownMonitor = new ShutdownMonitorThread(server, params); + shutdownMonitor.start(); + } + + // start Jetty + server.start(); + server.join(); + } catch (Exception e) { + e.printStackTrace(); + System.exit(100); + } + } + + protected GitblitContext newGitblit(IStoredSettings settings, File baseFolder) { + return new GitblitContext(settings, baseFolder); + } + + /** + * Creates an http connector. + * + * @param useNIO + * @param port + * @param threadPoolSize + * @return an http connector + */ + private Connector createConnector(boolean useNIO, int port, int threadPoolSize) { + Connector connector; + if (useNIO) { + logger.info("Setting up NIO SelectChannelConnector on port " + port); + SelectChannelConnector nioconn = new SelectChannelConnector(); + nioconn.setSoLingerTime(-1); + if (threadPoolSize > 0) { + nioconn.setThreadPool(new QueuedThreadPool(threadPoolSize)); + } + connector = nioconn; + } else { + logger.info("Setting up SocketConnector on port " + port); + SocketConnector sockconn = new SocketConnector(); + if (threadPoolSize > 0) { + sockconn.setThreadPool(new QueuedThreadPool(threadPoolSize)); + } + connector = sockconn; + } + + connector.setPort(port); + connector.setMaxIdleTime(30000); + return connector; + } + + /** + * Creates an https connector. + * + * SSL renegotiation will be enabled if the JVM is 1.6.0_22 or later. + * oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html + * + * @param certAlias + * @param keyStore + * @param clientTrustStore + * @param storePassword + * @param caRevocationList + * @param useNIO + * @param port + * @param threadPoolSize + * @param requireClientCertificates + * @return an https connector + */ + private Connector createSSLConnector(String certAlias, File keyStore, File clientTrustStore, + String storePassword, File caRevocationList, boolean useNIO, int port, int threadPoolSize, + boolean requireClientCertificates) { + GitblitSslContextFactory factory = new GitblitSslContextFactory(certAlias, + keyStore, clientTrustStore, storePassword, caRevocationList); + SslConnector connector; + if (useNIO) { + logger.info("Setting up NIO SslSelectChannelConnector on port " + port); + SslSelectChannelConnector ssl = new SslSelectChannelConnector(factory); + ssl.setSoLingerTime(-1); + if (requireClientCertificates) { + factory.setNeedClientAuth(true); + } else { + factory.setWantClientAuth(true); + } + if (threadPoolSize > 0) { + ssl.setThreadPool(new QueuedThreadPool(threadPoolSize)); + } + connector = ssl; + } else { + logger.info("Setting up NIO SslSocketConnector on port " + port); + SslSocketConnector ssl = new SslSocketConnector(factory); + if (threadPoolSize > 0) { + ssl.setThreadPool(new QueuedThreadPool(threadPoolSize)); + } + connector = ssl; + } + connector.setPort(port); + connector.setMaxIdleTime(30000); + + return connector; + } + + /** + * Creates an ajp connector. + * + * @param port + * @return an ajp connector + */ + private Connector createAJPConnector(int port) { + logger.info("Setting up AJP Connector on port " + port); + Ajp13SocketConnector ajp = new Ajp13SocketConnector(); + ajp.setPort(port); + if (port < 1024 && !isWindows()) { + logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!"); + } + return ajp; + } + + /** + * Tests to see if the operating system is Windows. + * + * @return true if this is a windows machine + */ + private boolean isWindows() { + return System.getProperty("os.name").toLowerCase().indexOf("windows") > -1; + } + + /** + * The ShutdownMonitorThread opens a socket on a specified port and waits + * for an incoming connection. When that connection is accepted a shutdown + * message is issued to the running Jetty server. + * + * @author James Moger + * + */ + private static class ShutdownMonitorThread extends Thread { + + private final ServerSocket socket; + + private final Server server; + + private final Logger logger = LoggerFactory.getLogger(ShutdownMonitorThread.class); + + public ShutdownMonitorThread(Server server, Params params) { + this.server = server; + setDaemon(true); + setName(Constants.NAME + " Shutdown Monitor"); + ServerSocket skt = null; + try { + skt = new ServerSocket(params.shutdownPort, 1, InetAddress.getByName("127.0.0.1")); + } catch (Exception e) { + logger.warn("Could not open shutdown monitor on port " + params.shutdownPort, e); + } + socket = skt; + } + + @Override + public void run() { + logger.info("Shutdown Monitor listening on port " + socket.getLocalPort()); + Socket accept; + try { + accept = socket.accept(); + BufferedReader reader = new BufferedReader(new InputStreamReader( + accept.getInputStream())); + reader.readLine(); + logger.info(Constants.BORDER); + logger.info("Stopping " + Constants.NAME); + logger.info(Constants.BORDER); + server.stop(); + server.setStopAtShutdown(false); + accept.close(); + socket.close(); + } catch (Exception e) { + logger.warn("Failed to shutdown Jetty", e); + } + } + } + + /** + * Parameters class for GitBlitServer. + */ + public static class Params { + + public static String baseFolder; + + private final FileSettings FILESETTINGS = new FileSettings(new File(baseFolder, Constants.PROPERTIES_FILE).getAbsolutePath()); + + /* + * Server parameters + */ + @Option(name = "--help", aliases = { "-h"}, usage = "Show this help") + public Boolean help = false; + + @Option(name = "--stop", usage = "Stop Server") + public Boolean stop = false; + + @Option(name = "--tempFolder", usage = "Folder for server to extract built-in webapp", metaVar="PATH") + public String temp = FILESETTINGS.getString(Keys.server.tempFolder, "temp"); + + @Option(name = "--dailyLogFile", usage = "Log to a rolling daily log file INSTEAD of stdout.") + public Boolean dailyLogFile = false; + + /* + * GIT Servlet Parameters + */ + @Option(name = "--repositoriesFolder", usage = "Git Repositories Folder", metaVar="PATH") + public String repositoriesFolder = FILESETTINGS.getString(Keys.git.repositoriesFolder, + "git"); + + /* + * Authentication Parameters + */ + @Option(name = "--userService", usage = "Authentication and Authorization Service (filename or fully qualified classname)") + public String userService = FILESETTINGS.getString(Keys.realm.userService, + "users.conf"); + + /* + * JETTY Parameters + */ + @Option(name = "--useNio", usage = "Use NIO Connector else use Socket Connector.") + public Boolean useNIO = FILESETTINGS.getBoolean(Keys.server.useNio, true); + + @Option(name = "--httpPort", usage = "HTTP port for to serve. (port <= 0 will disable this connector)", metaVar="PORT") + public Integer port = FILESETTINGS.getInteger(Keys.server.httpPort, 0); + + @Option(name = "--httpsPort", usage = "HTTPS port to serve. (port <= 0 will disable this connector)", metaVar="PORT") + public Integer securePort = FILESETTINGS.getInteger(Keys.server.httpsPort, 8443); + + @Option(name = "--ajpPort", usage = "AJP port to serve. (port <= 0 will disable this connector)", metaVar="PORT") + public Integer ajpPort = FILESETTINGS.getInteger(Keys.server.ajpPort, 0); + + @Option(name = "--gitPort", usage = "Git Daemon port to serve. (port <= 0 will disable this connector)", metaVar="PORT") + public Integer gitPort = FILESETTINGS.getInteger(Keys.git.daemonPort, 9418); + + @Option(name = "--sshPort", usage = "Git SSH port to serve. (port <= 0 will disable this connector)", metaVar = "PORT") + public Integer sshPort = FILESETTINGS.getInteger(Keys.git.sshPort, 29418); + + @Option(name = "--alias", usage = "Alias of SSL certificate in keystore for serving https.", metaVar="ALIAS") + public String alias = FILESETTINGS.getString(Keys.server.certificateAlias, ""); + + @Option(name = "--storePassword", usage = "Password for SSL (https) keystore.", metaVar="PASSWORD") + public String storePassword = FILESETTINGS.getString(Keys.server.storePassword, ""); + + @Option(name = "--shutdownPort", usage = "Port for Shutdown Monitor to listen on. (port <= 0 will disable this monitor)", metaVar="PORT") + public Integer shutdownPort = FILESETTINGS.getInteger(Keys.server.shutdownPort, 8081); + + @Option(name = "--requireClientCertificates", usage = "Require client X509 certificates for https connections.") + public Boolean requireClientCertificates = FILESETTINGS.getBoolean(Keys.server.requireClientCertificates, false); + + /* + * Setting overrides + */ + @Option(name = "--settings", usage = "Path to alternative settings", metaVar="FILE") + public String settingsfile; + + @Option(name = "--ldapLdifFile", usage = "Path to LDIF file. This will cause an in-memory LDAP server to be started according to gitblit settings", metaVar="FILE") + public String ldapLdifFile; + + } } \ No newline at end of file diff --git a/src/main/java/com/gitblit/manager/ServicesManager.java b/src/main/java/com/gitblit/manager/ServicesManager.java index 8107a7d8..2cd583ad 100644 --- a/src/main/java/com/gitblit/manager/ServicesManager.java +++ b/src/main/java/com/gitblit/manager/ServicesManager.java @@ -42,6 +42,7 @@ import com.gitblit.models.FederationModel; import com.gitblit.models.RepositoryModel; import com.gitblit.models.UserModel; import com.gitblit.service.FederationPullService; +import com.gitblit.transport.ssh.SshDaemon; import com.gitblit.utils.StringUtils; import com.gitblit.utils.TimeUtils; @@ -67,6 +68,8 @@ public class ServicesManager implements IManager { private GitDaemon gitDaemon; + private SshDaemon sshDaemon; + public ServicesManager(IGitblit gitblit) { this.settings = gitblit.getSettings(); this.gitblit = gitblit; @@ -77,6 +80,7 @@ public class ServicesManager implements IManager { configureFederation(); configureFanout(); configureGitDaemon(); + configureSshDaemon(); return this; } @@ -138,6 +142,20 @@ public class ServicesManager implements IManager { } } + protected void configureSshDaemon() { + int port = settings.getInteger(Keys.git.sshPort, 0); + String bindInterface = settings.getString(Keys.git.sshBindInterface, "localhost"); + if (port > 0) { + try { + sshDaemon = new SshDaemon(gitblit); + sshDaemon.start(); + } catch (IOException e) { + sshDaemon = null; + logger.error(MessageFormat.format("Failed to start SSH daemon on {0}:{1,number,0}", bindInterface, port), e); + } + } + } + protected void configureFanout() { // startup Fanout PubSub service if (settings.getInteger(Keys.fanout.port, 0) > 0) { diff --git a/src/main/java/com/gitblit/transport/ssh/AbstractSshCommand.java b/src/main/java/com/gitblit/transport/ssh/AbstractSshCommand.java new file mode 100644 index 00000000..e4741ed0 --- /dev/null +++ b/src/main/java/com/gitblit/transport/ssh/AbstractSshCommand.java @@ -0,0 +1,75 @@ +/* + * Copyright 2014 gitblit.com. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.gitblit.transport.ssh; + +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; + +import org.apache.sshd.server.Command; +import org.apache.sshd.server.Environment; +import org.apache.sshd.server.ExitCallback; +import org.apache.sshd.server.SessionAware; +import org.apache.sshd.server.session.ServerSession; + +/** + * + * @author Eric Myrhe + * + */ +abstract class AbstractSshCommand implements Command, SessionAware { + + protected InputStream in; + + protected OutputStream out; + + protected OutputStream err; + + protected ExitCallback exit; + + protected ServerSession session; + + @Override + public void setInputStream(InputStream in) { + this.in = in; + } + + @Override + public void setOutputStream(OutputStream out) { + this.out = out; + } + + @Override + public void setErrorStream(OutputStream err) { + this.err = err; + } + + @Override + public void setExitCallback(ExitCallback exit) { + this.exit = exit; + } + + @Override + public void setSession(final ServerSession session) { + this.session = session; + } + + @Override + public void destroy() {} + + @Override + public abstract void start(Environment env) throws IOException; +} diff --git a/src/main/java/com/gitblit/transport/ssh/SshCommandFactory.java b/src/main/java/com/gitblit/transport/ssh/SshCommandFactory.java new file mode 100644 index 00000000..c0b4930d --- /dev/null +++ b/src/main/java/com/gitblit/transport/ssh/SshCommandFactory.java @@ -0,0 +1,164 @@ +/* + * Copyright 2014 gitblit.com. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.gitblit.transport.ssh; + +import java.io.IOException; +import java.util.Scanner; + +import org.apache.sshd.server.Command; +import org.apache.sshd.server.CommandFactory; +import org.apache.sshd.server.Environment; +import org.eclipse.jgit.errors.RepositoryNotFoundException; +import org.eclipse.jgit.lib.Repository; +import org.eclipse.jgit.transport.PacketLineOut; +import org.eclipse.jgit.transport.ReceivePack; +import org.eclipse.jgit.transport.ServiceMayNotContinueException; +import org.eclipse.jgit.transport.UploadPack; +import org.eclipse.jgit.transport.resolver.ReceivePackFactory; +import org.eclipse.jgit.transport.resolver.ServiceNotAuthorizedException; +import org.eclipse.jgit.transport.resolver.ServiceNotEnabledException; +import org.eclipse.jgit.transport.resolver.UploadPackFactory; + +import com.gitblit.git.RepositoryResolver; + +/** + * + * @author Eric Myhre + * + */ +public class SshCommandFactory implements CommandFactory { + public SshCommandFactory(RepositoryResolver repositoryResolver, UploadPackFactory uploadPackFactory, ReceivePackFactory receivePackFactory) { + this.repositoryResolver = repositoryResolver; + this.uploadPackFactory = uploadPackFactory; + this.receivePackFactory = receivePackFactory; + } + + private RepositoryResolver repositoryResolver; + + private UploadPackFactory uploadPackFactory; + + private ReceivePackFactory receivePackFactory; + + @Override + public Command createCommand(final String commandLine) { + Scanner commandScanner = new Scanner(commandLine); + final String command = commandScanner.next(); + final String argument = commandScanner.nextLine(); + + if ("git-upload-pack".equals(command)) + return new UploadPackCommand(argument); + if ("git-receive-pack".equals(command)) + return new ReceivePackCommand(argument); + return new NonCommand(); + } + + public abstract class RepositoryCommand extends AbstractSshCommand { + protected final String repositoryName; + + public RepositoryCommand(String repositoryName) { + this.repositoryName = repositoryName; + } + + @Override + public void start(Environment env) throws IOException { + Repository db = null; + try { + SshDaemonClient client = session.getAttribute(SshDaemonClient.ATTR_KEY); + db = selectRepository(client, repositoryName); + if (db == null) return; + run(client, db); + exit.onExit(0); + } catch (ServiceNotEnabledException e) { + // Ignored. Client cannot use this repository. + } catch (ServiceNotAuthorizedException e) { + // Ignored. Client cannot use this repository. + } finally { + if (db != null) + db.close(); + exit.onExit(1); + } + } + + protected Repository selectRepository(SshDaemonClient client, String name) throws IOException { + try { + return openRepository(client, name); + } catch (ServiceMayNotContinueException e) { + // An error when opening the repo means the client is expecting a ref + // advertisement, so use that style of error. + PacketLineOut pktOut = new PacketLineOut(out); + pktOut.writeString("ERR " + e.getMessage() + "\n"); //$NON-NLS-1$ //$NON-NLS-2$ + return null; + } + } + + protected Repository openRepository(SshDaemonClient client, String name) + throws ServiceMayNotContinueException { + // Assume any attempt to use \ was by a Windows client + // and correct to the more typical / used in Git URIs. + // + name = name.replace('\\', '/'); + + // ssh://git@thishost/path should always be name="/path" here + // + if (!name.startsWith("/")) //$NON-NLS-1$ + return null; + + try { + return repositoryResolver.open(client, name.substring(1)); + } catch (RepositoryNotFoundException e) { + // null signals it "wasn't found", which is all that is suitable + // for the remote client to know. + return null; + } catch (ServiceNotEnabledException e) { + // null signals it "wasn't found", which is all that is suitable + // for the remote client to know. + return null; + } + } + + protected abstract void run(SshDaemonClient client, Repository db) + throws IOException, ServiceNotEnabledException, ServiceNotAuthorizedException; + } + + public class UploadPackCommand extends RepositoryCommand { + public UploadPackCommand(String repositoryName) { super(repositoryName); } + + @Override + protected void run(SshDaemonClient client, Repository db) + throws IOException, ServiceNotEnabledException, ServiceNotAuthorizedException { + UploadPack up = uploadPackFactory.create(client, db); + up.upload(in, out, null); + } + } + + public class ReceivePackCommand extends RepositoryCommand { + public ReceivePackCommand(String repositoryName) { super(repositoryName); } + + @Override + protected void run(SshDaemonClient client, Repository db) + throws IOException, ServiceNotEnabledException, ServiceNotAuthorizedException { + ReceivePack rp = receivePackFactory.create(client, db); + rp.receive(in, out, null); + } + } + + public static class NonCommand extends AbstractSshCommand { + @Override + public void start(Environment env) { + exit.onExit(127); + } + } +} diff --git a/src/main/java/com/gitblit/transport/ssh/SshCommandServer.java b/src/main/java/com/gitblit/transport/ssh/SshCommandServer.java new file mode 100644 index 00000000..26e3d67e --- /dev/null +++ b/src/main/java/com/gitblit/transport/ssh/SshCommandServer.java @@ -0,0 +1,217 @@ +/* + * Copyright 2014 gitblit.com. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.gitblit.transport.ssh; + +import java.io.IOException; +import java.net.InetSocketAddress; +import java.security.InvalidKeyException; +import java.util.Arrays; +import java.util.Iterator; +import java.util.LinkedList; +import java.util.List; + +import org.apache.mina.core.future.IoFuture; +import org.apache.mina.core.future.IoFutureListener; +import org.apache.mina.core.session.IoSession; +import org.apache.mina.transport.socket.SocketSessionConfig; +import org.apache.sshd.SshServer; +import org.apache.sshd.common.Channel; +import org.apache.sshd.common.Cipher; +import org.apache.sshd.common.Compression; +import org.apache.sshd.common.KeyExchange; +import org.apache.sshd.common.KeyPairProvider; +import org.apache.sshd.common.Mac; +import org.apache.sshd.common.NamedFactory; +import org.apache.sshd.common.Session; +import org.apache.sshd.common.Signature; +import org.apache.sshd.common.cipher.AES128CBC; +import org.apache.sshd.common.cipher.AES192CBC; +import org.apache.sshd.common.cipher.AES256CBC; +import org.apache.sshd.common.cipher.BlowfishCBC; +import org.apache.sshd.common.cipher.TripleDESCBC; +import org.apache.sshd.common.compression.CompressionNone; +import org.apache.sshd.common.mac.HMACMD5; +import org.apache.sshd.common.mac.HMACMD596; +import org.apache.sshd.common.mac.HMACSHA1; +import org.apache.sshd.common.mac.HMACSHA196; +import org.apache.sshd.common.random.BouncyCastleRandom; +import org.apache.sshd.common.random.SingletonRandomFactory; +import org.apache.sshd.common.signature.SignatureDSA; +import org.apache.sshd.common.signature.SignatureRSA; +import org.apache.sshd.common.util.SecurityUtils; +import org.apache.sshd.server.CommandFactory; +import org.apache.sshd.server.FileSystemFactory; +import org.apache.sshd.server.FileSystemView; +import org.apache.sshd.server.ForwardingFilter; +import org.apache.sshd.server.PublickeyAuthenticator; +import org.apache.sshd.server.SshFile; +import org.apache.sshd.server.UserAuth; +import org.apache.sshd.server.auth.UserAuthPublicKey; +import org.apache.sshd.server.channel.ChannelDirectTcpip; +import org.apache.sshd.server.channel.ChannelSession; +import org.apache.sshd.server.kex.DHG1; +import org.apache.sshd.server.kex.DHG14; +import org.apache.sshd.server.session.ServerSession; +import org.apache.sshd.server.session.SessionFactory; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +/** + * + * @author Eric Myhre + * + */ +public class SshCommandServer extends SshServer { + + private static final Logger log = LoggerFactory.getLogger(SshCommandServer.class); + + public SshCommandServer() { + setSessionFactory(new SessionFactory() { + @Override + protected ServerSession createSession(final IoSession io) throws Exception { + log.info("connection accepted on " + io); + + if (io.getConfig() instanceof SocketSessionConfig) { + final SocketSessionConfig c = (SocketSessionConfig) io.getConfig(); + c.setKeepAlive(true); + } + + final ServerSession s = (ServerSession) super.createSession(io); + s.setAttribute(SshDaemonClient.ATTR_KEY, new SshDaemonClient()); + + io.getCloseFuture().addListener(new IoFutureListener() { + @Override + public void operationComplete(IoFuture future) { + log.info("connection closed on " + io); + } + }); + return s; + } + }); + } + + /** + * Performs most of default configuration (setup random sources, setup ciphers, + * etc; also, support for forwarding and filesystem is explicitly disallowed). + * + * {@link #setKeyPairProvider(KeyPairProvider)} and + * {@link #setPublickeyAuthenticator(PublickeyAuthenticator)} are left for you. + * And applying {@link #setCommandFactory(CommandFactory)} is probably wise if you + * want something to actually happen when users do successfully authenticate. + */ + @SuppressWarnings("unchecked") + public void setup() { + if (!SecurityUtils.isBouncyCastleRegistered()) + throw new RuntimeException("BC crypto not available"); + + setKeyExchangeFactories(Arrays.>asList( + new DHG14.Factory(), + new DHG1.Factory()) + ); + + setRandomFactory(new SingletonRandomFactory(new BouncyCastleRandom.Factory())); + + setupCiphers(); + + setCompressionFactories(Arrays.>asList( + new CompressionNone.Factory()) + ); + + setMacFactories(Arrays.>asList( + new HMACMD5.Factory(), + new HMACSHA1.Factory(), + new HMACMD596.Factory(), + new HMACSHA196.Factory()) + ); + + setChannelFactories(Arrays.>asList( + new ChannelSession.Factory(), + new ChannelDirectTcpip.Factory()) + ); + + setSignatureFactories(Arrays.>asList( + new SignatureDSA.Factory(), + new SignatureRSA.Factory()) + ); + + setFileSystemFactory(new FileSystemFactory() { + @Override + public FileSystemView createFileSystemView(Session session) throws IOException { + return new FileSystemView() { + @Override + public SshFile getFile(SshFile baseDir, String file) { + return null; + } + + @Override + public SshFile getFile(String file) { + return null; + } + }; + } + }); + + setForwardingFilter(new ForwardingFilter() { + @Override + public boolean canForwardAgent(ServerSession session) { + return false; + } + + @Override + public boolean canForwardX11(ServerSession session) { + return false; + } + + @Override + public boolean canConnect(InetSocketAddress address, ServerSession session) { + return false; + } + + @Override + public boolean canListen(InetSocketAddress address, ServerSession session) { + return false; + } + }); + + setUserAuthFactories(Arrays.>asList( + new UserAuthPublicKey.Factory()) + ); + } + + protected void setupCiphers() { + List> avail = new LinkedList>(); + avail.add(new AES128CBC.Factory()); + avail.add(new TripleDESCBC.Factory()); + avail.add(new BlowfishCBC.Factory()); + avail.add(new AES192CBC.Factory()); + avail.add(new AES256CBC.Factory()); + + for (Iterator> i = avail.iterator(); i.hasNext();) { + final NamedFactory f = i.next(); + try { + final Cipher c = f.create(); + final byte[] key = new byte[c.getBlockSize()]; + final byte[] iv = new byte[c.getIVSize()]; + c.init(Cipher.Mode.Encrypt, key, iv); + } catch (InvalidKeyException e) { + i.remove(); + } catch (Exception e) { + i.remove(); + } + } + setCipherFactories(avail); + } +} diff --git a/src/main/java/com/gitblit/transport/ssh/SshDaemon.java b/src/main/java/com/gitblit/transport/ssh/SshDaemon.java new file mode 100644 index 00000000..6f5d5f9e --- /dev/null +++ b/src/main/java/com/gitblit/transport/ssh/SshDaemon.java @@ -0,0 +1,159 @@ +/* + * Copyright 2014 gitblit.com. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.gitblit.transport.ssh; + +import java.io.File; +import java.io.IOException; +import java.net.InetSocketAddress; +import java.text.MessageFormat; +import java.util.concurrent.atomic.AtomicBoolean; + +import org.apache.sshd.server.keyprovider.PEMGeneratorHostKeyProvider; +import org.eclipse.jgit.internal.JGitText; +import org.eclipse.jgit.transport.resolver.ReceivePackFactory; +import org.eclipse.jgit.transport.resolver.UploadPackFactory; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import com.gitblit.IStoredSettings; +import com.gitblit.Keys; +import com.gitblit.git.GitblitReceivePackFactory; +import com.gitblit.git.GitblitUploadPackFactory; +import com.gitblit.git.RepositoryResolver; +import com.gitblit.manager.IGitblit; +import com.gitblit.utils.StringUtils; + +/** + * Manager for the ssh transport. Roughly analogous to the + * {@link com.gitblit.git.GitDaemon} class. + * + * @author Eric Myhre + * + */ +public class SshDaemon { + + private final Logger logger = LoggerFactory.getLogger(SshDaemon.class); + + /** + * 22: IANA assigned port number for ssh. Note that this is a distinct concept + * from gitblit's default conf for ssh port -- this "default" is what the git + * protocol itself defaults to if it sees and ssh url without a port. + */ + public static final int DEFAULT_PORT = 22; + + private static final String HOST_KEY_STORE = "sshKeyStore.pem"; + + private InetSocketAddress myAddress; + + private AtomicBoolean run; + + private SshCommandServer sshd; + + private RepositoryResolver repositoryResolver; + + private UploadPackFactory uploadPackFactory; + + private ReceivePackFactory receivePackFactory; + + /** + * Construct the Gitblit SSH daemon. + * + * @param gitblit + */ + public SshDaemon(IGitblit gitblit) { + + IStoredSettings settings = gitblit.getSettings(); + int port = settings.getInteger(Keys.git.sshPort, 0); + String bindInterface = settings.getString(Keys.git.sshBindInterface, "localhost"); + + if (StringUtils.isEmpty(bindInterface)) { + myAddress = new InetSocketAddress(port); + } else { + myAddress = new InetSocketAddress(bindInterface, port); + } + + sshd = new SshCommandServer(); + sshd.setPort(myAddress.getPort()); + sshd.setHost(myAddress.getHostName()); + sshd.setup(); + sshd.setKeyPairProvider(new PEMGeneratorHostKeyProvider(new File(gitblit.getBaseFolder(), HOST_KEY_STORE).getPath())); + sshd.setPublickeyAuthenticator(new SshKeyAuthenticator(gitblit)); + + run = new AtomicBoolean(false); + repositoryResolver = new RepositoryResolver(gitblit); + uploadPackFactory = new GitblitUploadPackFactory(gitblit); + receivePackFactory = new GitblitReceivePackFactory(gitblit); + + sshd.setCommandFactory(new SshCommandFactory( + repositoryResolver, + uploadPackFactory, + receivePackFactory + )); + } + + public int getPort() { + return myAddress.getPort(); + } + + public String formatUrl(String gituser, String servername, String repository) { + if (getPort() == DEFAULT_PORT) { + // standard port + return MessageFormat.format("{0}@{1}/{2}", gituser, servername, repository); + } else { + // non-standard port + return MessageFormat.format("ssh://{0}@{1}:{2,number,0}/{3}", gituser, servername, getPort(), repository); + } + } + + /** + * Start this daemon on a background thread. + * + * @throws IOException + * the server socket could not be opened. + * @throws IllegalStateException + * the daemon is already running. + */ + public synchronized void start() throws IOException { + if (run.get()) { + throw new IllegalStateException(JGitText.get().daemonAlreadyRunning); + } + + sshd.start(); + run.set(true); + + logger.info(MessageFormat.format("SSH Daemon is listening on {0}:{1,number,0}", + myAddress.getAddress().getHostAddress(), myAddress.getPort())); + } + + /** @return true if this daemon is receiving connections. */ + public boolean isRunning() { + return run.get(); + } + + /** Stop this daemon. */ + public synchronized void stop() { + if (run.get()) { + logger.info("SSH Daemon stopping..."); + run.set(false); + + try { + sshd.stop(); + } catch (InterruptedException e) { + logger.error("SSH Daemon stop interrupted", e); + } + } + } +} diff --git a/src/main/java/com/gitblit/transport/ssh/SshDaemonClient.java b/src/main/java/com/gitblit/transport/ssh/SshDaemonClient.java new file mode 100644 index 00000000..2e8008ac --- /dev/null +++ b/src/main/java/com/gitblit/transport/ssh/SshDaemonClient.java @@ -0,0 +1,37 @@ +/* + * Copyright 2014 gitblit.com. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.gitblit.transport.ssh; + +import java.net.InetAddress; + +import org.apache.sshd.common.Session.AttributeKey; + +/** + * + * @author Eric Myrhe + * + */ +public class SshDaemonClient { + public static final AttributeKey ATTR_KEY = new AttributeKey(); + + public InetAddress getRemoteAddress() { + return null; + } + + public String getRemoteUser() { + return null; + } +} diff --git a/src/main/java/com/gitblit/transport/ssh/SshKeyAuthenticator.java b/src/main/java/com/gitblit/transport/ssh/SshKeyAuthenticator.java new file mode 100644 index 00000000..4c97c58d --- /dev/null +++ b/src/main/java/com/gitblit/transport/ssh/SshKeyAuthenticator.java @@ -0,0 +1,43 @@ +/* + * Copyright 2014 gitblit.com. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.gitblit.transport.ssh; + +import java.security.PublicKey; + +import org.apache.sshd.server.PublickeyAuthenticator; +import org.apache.sshd.server.session.ServerSession; + +import com.gitblit.manager.IGitblit; + +/** + * + * @author Eric Myrhe + * + */ +public class SshKeyAuthenticator implements PublickeyAuthenticator { + + protected final IGitblit gitblit; + + public SshKeyAuthenticator(IGitblit gitblit) { + this.gitblit = gitblit; + } + + @Override + public boolean authenticate(String username, PublicKey key, ServerSession session) { + // TODO actually authenticate + return true; + } +} -- cgit v1.2.3