@@ -127,7 +127,22 @@ | |||
<filter-name>ZipFilter</filter-name> | |||
<url-pattern>/zip/*</url-pattern> | |||
</filter-mapping> | |||
<!-- Rpc Restriction Filter | |||
<url-pattern> MUST match: | |||
* RpcServlet | |||
* com.gitblit.Constants.RPC_PATH | |||
* Wicket Filter ignorePaths parameter --> | |||
<filter> | |||
<filter-name>RpcFilter</filter-name> | |||
<filter-class>com.gitblit.RpcFilter</filter-class> | |||
</filter> | |||
<filter-mapping> | |||
<filter-name>RpcFilter</filter-name> | |||
<url-pattern>/rpc/*</url-pattern> | |||
</filter-mapping> | |||
<!-- Wicket Filter --> | |||
<filter> | |||
@@ -152,6 +167,7 @@ | |||
* ZipServlet <url-pattern> | |||
* com.gitblit.Constants.ZIP_PATH | |||
* FederationServlet <url-pattern> | |||
* RpcFilter <url-pattern> | |||
* RpcServlet <url-pattern> --> | |||
<param-value>git/,feed/,zip/,federation/,rpc/</param-value> | |||
</init-param> |
@@ -16,34 +16,23 @@ | |||
package com.gitblit; | |||
import java.io.IOException; | |||
import java.nio.charset.Charset; | |||
import java.security.Principal; | |||
import java.text.MessageFormat; | |||
import java.util.Enumeration; | |||
import java.util.HashMap; | |||
import java.util.Map; | |||
import javax.servlet.Filter; | |||
import javax.servlet.FilterChain; | |||
import javax.servlet.FilterConfig; | |||
import javax.servlet.ServletException; | |||
import javax.servlet.ServletRequest; | |||
import javax.servlet.ServletResponse; | |||
import javax.servlet.http.HttpServletRequest; | |||
import javax.servlet.http.HttpServletResponse; | |||
import javax.servlet.http.HttpSession; | |||
import org.eclipse.jgit.util.Base64; | |||
import org.slf4j.Logger; | |||
import org.slf4j.LoggerFactory; | |||
import com.gitblit.AuthenticationFilter.AuthenticatedRequest; | |||
import com.gitblit.models.RepositoryModel; | |||
import com.gitblit.models.UserModel; | |||
import com.gitblit.utils.StringUtils; | |||
/** | |||
* The AccessRestrictionFilter is a servlet filter that preprocesses requests | |||
* that match its url pattern definition in the web.xml file. | |||
* The AccessRestrictionFilter is an AuthenticationFilter that confirms that the | |||
* requested repository can be accessed by the anonymous or named user. | |||
* | |||
* The filter extracts the name of the repository from the url and determines if | |||
* the requested action for the repository requires a Basic authentication | |||
@@ -55,19 +44,7 @@ import com.gitblit.utils.StringUtils; | |||
* @author James Moger | |||
* | |||
*/ | |||
public abstract class AccessRestrictionFilter implements Filter { | |||
private static final String BASIC = "Basic"; | |||
private static final String CHALLENGE = BASIC + " realm=\"" + Constants.NAME + "\""; | |||
private static final String SESSION_SECURED = "com.gitblit.secured"; | |||
protected transient Logger logger; | |||
public AccessRestrictionFilter() { | |||
logger = LoggerFactory.getLogger(getClass()); | |||
} | |||
public abstract class AccessRestrictionFilter extends AuthenticationFilter { | |||
/** | |||
* Extract the repository name from the url. | |||
@@ -118,26 +95,7 @@ public abstract class AccessRestrictionFilter implements Filter { | |||
HttpServletRequest httpRequest = (HttpServletRequest) request; | |||
HttpServletResponse httpResponse = (HttpServletResponse) response; | |||
// Wrap the HttpServletRequest with the AccessRestrictionRequest which | |||
// overrides the servlet container user principal methods. | |||
// JGit requires either: | |||
// | |||
// 1. servlet container authenticated user | |||
// 2. http.receivepack = true in each repository's config | |||
// | |||
// Gitblit must conditionally authenticate users per-repository so just | |||
// enabling http.receivepack is insufficient. | |||
AccessRestrictionRequest accessRequest = new AccessRestrictionRequest(httpRequest); | |||
String servletUrl = httpRequest.getContextPath() + httpRequest.getServletPath(); | |||
String url = httpRequest.getRequestURI().substring(servletUrl.length()); | |||
String params = httpRequest.getQueryString(); | |||
if (url.length() > 0 && url.charAt(0) == '/') { | |||
url = url.substring(1); | |||
} | |||
String fullUrl = url + (StringUtils.isEmpty(params) ? "" : ("?" + params)); | |||
String fullUrl = getFullUrl(httpRequest); | |||
String repository = extractRepositoryName(fullUrl); | |||
// Determine if the request URL is restricted | |||
@@ -148,145 +106,64 @@ public abstract class AccessRestrictionFilter implements Filter { | |||
RepositoryModel model = GitBlit.self().getRepositoryModel(repository); | |||
if (model == null) { | |||
// repository not found. send 404. | |||
logger.info("ARF: " + fullUrl + " (" + HttpServletResponse.SC_NOT_FOUND + ")"); | |||
logger.info(MessageFormat.format("ARF: {0} ({1})", fullUrl, | |||
HttpServletResponse.SC_NOT_FOUND)); | |||
httpResponse.sendError(HttpServletResponse.SC_NOT_FOUND); | |||
return; | |||
} | |||
// Wrap the HttpServletRequest with the AccessRestrictionRequest which | |||
// overrides the servlet container user principal methods. | |||
// JGit requires either: | |||
// | |||
// 1. servlet container authenticated user | |||
// 2. http.receivepack = true in each repository's config | |||
// | |||
// Gitblit must conditionally authenticate users per-repository so just | |||
// enabling http.receivepack is insufficient. | |||
AuthenticatedRequest authenticatedRequest = new AuthenticatedRequest(httpRequest); | |||
UserModel user = getUser(httpRequest); | |||
if (user != null) { | |||
authenticatedRequest.setUser(user); | |||
} | |||
// BASIC authentication challenge and response processing | |||
if (!StringUtils.isEmpty(urlRequestType) && requiresAuthentication(model)) { | |||
// look for client authorization credentials in header | |||
final String authorization = httpRequest.getHeader("Authorization"); | |||
if (authorization != null && authorization.startsWith(BASIC)) { | |||
// Authorization: Basic base64credentials | |||
String base64Credentials = authorization.substring(BASIC.length()).trim(); | |||
String credentials = new String(Base64.decode(base64Credentials), | |||
Charset.forName("UTF-8")); | |||
// credentials = username:password | |||
final String[] values = credentials.split(":"); | |||
if (values.length == 2) { | |||
String username = values[0]; | |||
char[] password = values[1].toCharArray(); | |||
UserModel user = GitBlit.self().authenticate(username, password); | |||
if (user != null) { | |||
accessRequest.setUser(user); | |||
if (user.canAdmin || canAccess(model, user, urlRequestType)) { | |||
// authenticated request permitted. | |||
// pass processing to the restricted servlet. | |||
newSession(accessRequest, httpResponse); | |||
logger.info("ARF: " + fullUrl + " (" + HttpServletResponse.SC_CONTINUE | |||
+ ") authenticated"); | |||
chain.doFilter(accessRequest, httpResponse); | |||
return; | |||
} | |||
// valid user, but not for requested access. send 403. | |||
if (GitBlit.isDebugMode()) { | |||
logger.info("ARF: " + fullUrl + " (" + HttpServletResponse.SC_FORBIDDEN | |||
+ ")"); | |||
logger.info(MessageFormat.format("AUTH: {0} forbidden to access {1}", | |||
user.username, url)); | |||
} | |||
httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN); | |||
return; | |||
} | |||
if (user == null) { | |||
// challenge client to provide credentials. send 401. | |||
if (GitBlit.isDebugMode()) { | |||
logger.info(MessageFormat.format("ARF: CHALLENGE {0}", fullUrl)); | |||
} | |||
httpResponse.setHeader("WWW-Authenticate", CHALLENGE); | |||
httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED); | |||
return; | |||
} else { | |||
// check user access for request | |||
if (user.canAdmin || canAccess(model, user, urlRequestType)) { | |||
// authenticated request permitted. | |||
// pass processing to the restricted servlet. | |||
newSession(authenticatedRequest, httpResponse); | |||
logger.info(MessageFormat.format("ARF: {0} ({1}) authenticated", fullUrl, | |||
HttpServletResponse.SC_CONTINUE)); | |||
chain.doFilter(authenticatedRequest, httpResponse); | |||
return; | |||
} | |||
// valid user, but not for requested access. send 403. | |||
if (GitBlit.isDebugMode()) { | |||
logger.info(MessageFormat | |||
.format("AUTH: invalid credentials ({0})", credentials)); | |||
logger.info(MessageFormat.format("ARF: {0} forbidden to access {1}", | |||
user.username, fullUrl)); | |||
} | |||
httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN); | |||
return; | |||
} | |||
// challenge client to provide credentials. send 401. | |||
if (GitBlit.isDebugMode()) { | |||
logger.info("ARF: " + fullUrl + " (" + HttpServletResponse.SC_UNAUTHORIZED + ")"); | |||
logger.info("AUTH: Challenge " + CHALLENGE); | |||
} | |||
httpResponse.setHeader("WWW-Authenticate", CHALLENGE); | |||
httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED); | |||
return; | |||
} | |||
if (GitBlit.isDebugMode()) { | |||
logger.info("ARF: " + fullUrl + " (" + HttpServletResponse.SC_CONTINUE | |||
+ ") unauthenticated"); | |||
logger.info(MessageFormat.format("ARF: {0} ({1}) unauthenticated", fullUrl, | |||
HttpServletResponse.SC_CONTINUE)); | |||
} | |||
// unauthenticated request permitted. | |||
// pass processing to the restricted servlet. | |||
chain.doFilter(accessRequest, httpResponse); | |||
} | |||
/** | |||
* Taken from Jetty's LoginAuthenticator.renewSessionOnAuthentication() | |||
*/ | |||
protected void newSession(HttpServletRequest request, HttpServletResponse response) { | |||
HttpSession oldSession = request.getSession(false); | |||
if (oldSession != null && oldSession.getAttribute(SESSION_SECURED) == null) { | |||
synchronized (this) { | |||
Map<String, Object> attributes = new HashMap<String, Object>(); | |||
Enumeration<String> e = oldSession.getAttributeNames(); | |||
while (e.hasMoreElements()) { | |||
String name = e.nextElement(); | |||
attributes.put(name, oldSession.getAttribute(name)); | |||
oldSession.removeAttribute(name); | |||
} | |||
oldSession.invalidate(); | |||
HttpSession newSession = request.getSession(true); | |||
newSession.setAttribute(SESSION_SECURED, Boolean.TRUE); | |||
for (Map.Entry<String, Object> entry : attributes.entrySet()) { | |||
newSession.setAttribute(entry.getKey(), entry.getValue()); | |||
} | |||
} | |||
} | |||
} | |||
/** | |||
* @see javax.servlet.Filter#init(javax.servlet.FilterConfig) | |||
*/ | |||
@Override | |||
public void init(final FilterConfig config) throws ServletException { | |||
} | |||
/** | |||
* @see javax.servlet.Filter#destroy() | |||
*/ | |||
@Override | |||
public void destroy() { | |||
} | |||
/** | |||
* Wraps a standard HttpServletRequest and overrides user principal methods. | |||
*/ | |||
public static class AccessRestrictionRequest extends ServletRequestWrapper { | |||
private UserModel user; | |||
public AccessRestrictionRequest(HttpServletRequest req) { | |||
super(req); | |||
user = new UserModel("anonymous"); | |||
} | |||
void setUser(UserModel user) { | |||
this.user = user; | |||
} | |||
@Override | |||
public String getRemoteUser() { | |||
return user.username; | |||
} | |||
@Override | |||
public boolean isUserInRole(String role) { | |||
if (role.equals(Constants.ADMIN_ROLE)) { | |||
return user.canAdmin; | |||
} | |||
return user.canAccessRepository(role); | |||
} | |||
@Override | |||
public Principal getUserPrincipal() { | |||
return user; | |||
} | |||
chain.doFilter(authenticatedRequest, httpResponse); | |||
} | |||
} |
@@ -0,0 +1,201 @@ | |||
/* | |||
* Copyright 2011 gitblit.com. | |||
* | |||
* Licensed under the Apache License, Version 2.0 (the "License"); | |||
* you may not use this file except in compliance with the License. | |||
* You may obtain a copy of the License at | |||
* | |||
* http://www.apache.org/licenses/LICENSE-2.0 | |||
* | |||
* Unless required by applicable law or agreed to in writing, software | |||
* distributed under the License is distributed on an "AS IS" BASIS, | |||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |||
* See the License for the specific language governing permissions and | |||
* limitations under the License. | |||
*/ | |||
package com.gitblit; | |||
import java.io.IOException; | |||
import java.nio.charset.Charset; | |||
import java.security.Principal; | |||
import java.text.MessageFormat; | |||
import java.util.Enumeration; | |||
import java.util.HashMap; | |||
import java.util.Map; | |||
import javax.servlet.Filter; | |||
import javax.servlet.FilterChain; | |||
import javax.servlet.FilterConfig; | |||
import javax.servlet.ServletException; | |||
import javax.servlet.ServletRequest; | |||
import javax.servlet.ServletResponse; | |||
import javax.servlet.http.HttpServletRequest; | |||
import javax.servlet.http.HttpServletResponse; | |||
import javax.servlet.http.HttpSession; | |||
import org.eclipse.jgit.util.Base64; | |||
import org.slf4j.Logger; | |||
import org.slf4j.LoggerFactory; | |||
import com.gitblit.models.UserModel; | |||
import com.gitblit.utils.StringUtils; | |||
/** | |||
* The AuthenticationFilter is a servlet filter that preprocesses requests that | |||
* match its url pattern definition in the web.xml file. | |||
* | |||
* http://en.wikipedia.org/wiki/Basic_access_authentication | |||
* | |||
* @author James Moger | |||
* | |||
*/ | |||
public abstract class AuthenticationFilter implements Filter { | |||
protected static final String BASIC = "Basic"; | |||
protected static final String CHALLENGE = BASIC + " realm=\"" + Constants.NAME + "\""; | |||
protected static final String SESSION_SECURED = "com.gitblit.secured"; | |||
protected transient Logger logger = LoggerFactory.getLogger(getClass()); | |||
/** | |||
* doFilter does the actual work of preprocessing the request to ensure that | |||
* the user may proceed. | |||
* | |||
* @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, | |||
* javax.servlet.ServletResponse, javax.servlet.FilterChain) | |||
*/ | |||
@Override | |||
public abstract void doFilter(final ServletRequest request, final ServletResponse response, | |||
final FilterChain chain) throws IOException, ServletException; | |||
/** | |||
* Returns the full relative url of the request. | |||
* | |||
* @param httpRequest | |||
* @return url | |||
*/ | |||
protected String getFullUrl(HttpServletRequest httpRequest) { | |||
String servletUrl = httpRequest.getContextPath() + httpRequest.getServletPath(); | |||
String url = httpRequest.getRequestURI().substring(servletUrl.length()); | |||
String params = httpRequest.getQueryString(); | |||
if (url.length() > 0 && url.charAt(0) == '/') { | |||
url = url.substring(1); | |||
} | |||
String fullUrl = url + (StringUtils.isEmpty(params) ? "" : ("?" + params)); | |||
return fullUrl; | |||
} | |||
/** | |||
* Returns the user making the request, if the user has authenticated. | |||
* | |||
* @param httpRequest | |||
* @return user | |||
*/ | |||
protected UserModel getUser(HttpServletRequest httpRequest) { | |||
UserModel user = null; | |||
// look for client authorization credentials in header | |||
final String authorization = httpRequest.getHeader("Authorization"); | |||
if (authorization != null && authorization.startsWith(BASIC)) { | |||
// Authorization: Basic base64credentials | |||
String base64Credentials = authorization.substring(BASIC.length()).trim(); | |||
String credentials = new String(Base64.decode(base64Credentials), | |||
Charset.forName("UTF-8")); | |||
// credentials = username:password | |||
final String[] values = credentials.split(":"); | |||
if (values.length == 2) { | |||
String username = values[0]; | |||
char[] password = values[1].toCharArray(); | |||
user = GitBlit.self().authenticate(username, password); | |||
if (user != null) { | |||
return user; | |||
} | |||
} | |||
if (GitBlit.isDebugMode()) { | |||
logger.info(MessageFormat.format("AUTH: invalid credentials ({0})", credentials)); | |||
} | |||
} | |||
return null; | |||
} | |||
/** | |||
* Taken from Jetty's LoginAuthenticator.renewSessionOnAuthentication() | |||
*/ | |||
@SuppressWarnings("unchecked") | |||
protected void newSession(HttpServletRequest request, HttpServletResponse response) { | |||
HttpSession oldSession = request.getSession(false); | |||
if (oldSession != null && oldSession.getAttribute(SESSION_SECURED) == null) { | |||
synchronized (this) { | |||
Map<String, Object> attributes = new HashMap<String, Object>(); | |||
Enumeration<String> e = oldSession.getAttributeNames(); | |||
while (e.hasMoreElements()) { | |||
String name = e.nextElement(); | |||
attributes.put(name, oldSession.getAttribute(name)); | |||
oldSession.removeAttribute(name); | |||
} | |||
oldSession.invalidate(); | |||
HttpSession newSession = request.getSession(true); | |||
newSession.setAttribute(SESSION_SECURED, Boolean.TRUE); | |||
for (Map.Entry<String, Object> entry : attributes.entrySet()) { | |||
newSession.setAttribute(entry.getKey(), entry.getValue()); | |||
} | |||
} | |||
} | |||
} | |||
/** | |||
* @see javax.servlet.Filter#init(javax.servlet.FilterConfig) | |||
*/ | |||
@Override | |||
public void init(final FilterConfig config) throws ServletException { | |||
} | |||
/** | |||
* @see javax.servlet.Filter#destroy() | |||
*/ | |||
@Override | |||
public void destroy() { | |||
} | |||
/** | |||
* Wraps a standard HttpServletRequest and overrides user principal methods. | |||
*/ | |||
public static class AuthenticatedRequest extends ServletRequestWrapper { | |||
private UserModel user; | |||
public AuthenticatedRequest(HttpServletRequest req) { | |||
super(req); | |||
user = new UserModel("anonymous"); | |||
} | |||
UserModel getUser() { | |||
return user; | |||
} | |||
void setUser(UserModel user) { | |||
this.user = user; | |||
} | |||
@Override | |||
public String getRemoteUser() { | |||
return user.username; | |||
} | |||
@Override | |||
public boolean isUserInRole(String role) { | |||
if (role.equals(Constants.ADMIN_ROLE)) { | |||
return user.canAdmin; | |||
} | |||
return user.canAccessRepository(role); | |||
} | |||
@Override | |||
public Principal getUserPrincipal() { | |||
return user; | |||
} | |||
} | |||
} |
@@ -213,6 +213,10 @@ public class Constants { | |||
return LIST_REPOSITORIES; | |||
} | |||
public boolean exceeds(RpcRequest type) { | |||
return this.ordinal() > type.ordinal(); | |||
} | |||
@Override | |||
public String toString() { | |||
return name(); |
@@ -0,0 +1,131 @@ | |||
/* | |||
* Copyright 2011 gitblit.com. | |||
* | |||
* Licensed under the Apache License, Version 2.0 (the "License"); | |||
* you may not use this file except in compliance with the License. | |||
* You may obtain a copy of the License at | |||
* | |||
* http://www.apache.org/licenses/LICENSE-2.0 | |||
* | |||
* Unless required by applicable law or agreed to in writing, software | |||
* distributed under the License is distributed on an "AS IS" BASIS, | |||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |||
* See the License for the specific language governing permissions and | |||
* limitations under the License. | |||
*/ | |||
package com.gitblit; | |||
import java.io.IOException; | |||
import java.text.MessageFormat; | |||
import javax.servlet.FilterChain; | |||
import javax.servlet.ServletException; | |||
import javax.servlet.ServletRequest; | |||
import javax.servlet.ServletResponse; | |||
import javax.servlet.http.HttpServletRequest; | |||
import javax.servlet.http.HttpServletResponse; | |||
import com.gitblit.Constants.RpcRequest; | |||
import com.gitblit.models.UserModel; | |||
/** | |||
* The RpcFilter is a servlet filter that secures the RpcServlet. | |||
* | |||
* The filter extracts the rpc request type from the url and determines if the | |||
* requested action requires a Basic authentication prompt. If authentication is | |||
* required and no credentials are stored in the "Authorization" header, then a | |||
* basic authentication challenge is issued. | |||
* | |||
* http://en.wikipedia.org/wiki/Basic_access_authentication | |||
* | |||
* @author James Moger | |||
* | |||
*/ | |||
public class RpcFilter extends AuthenticationFilter { | |||
/** | |||
* doFilter does the actual work of preprocessing the request to ensure that | |||
* the user may proceed. | |||
* | |||
* @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, | |||
* javax.servlet.ServletResponse, javax.servlet.FilterChain) | |||
*/ | |||
@Override | |||
public void doFilter(final ServletRequest request, final ServletResponse response, | |||
final FilterChain chain) throws IOException, ServletException { | |||
HttpServletRequest httpRequest = (HttpServletRequest) request; | |||
HttpServletResponse httpResponse = (HttpServletResponse) response; | |||
if (!GitBlit.getBoolean(Keys.web.enableRpcServlet, false)) { | |||
logger.warn(Keys.web.enableRpcServlet + " must be set TRUE for rpc requests."); | |||
httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN); | |||
return; | |||
} | |||
String fullUrl = getFullUrl(httpRequest); | |||
RpcRequest requestType = RpcRequest.fromName(httpRequest.getParameter("req")); | |||
boolean adminRequest = requestType.exceeds(RpcRequest.LIST_REPOSITORIES); | |||
boolean authenticateView = GitBlit.getBoolean(Keys.web.authenticateViewPages, false); | |||
boolean authenticateAdmin = GitBlit.getBoolean(Keys.web.authenticateAdminPages, true); | |||
// Wrap the HttpServletRequest with the RpcServletnRequest which | |||
// overrides the servlet container user principal methods. | |||
AuthenticatedRequest authenticatedRequest = new AuthenticatedRequest(httpRequest); | |||
UserModel user = getUser(httpRequest); | |||
if (user != null) { | |||
authenticatedRequest.setUser(user); | |||
} | |||
// BASIC authentication challenge and response processing | |||
if ((adminRequest && authenticateAdmin) || (!adminRequest && authenticateView)) { | |||
if (user == null) { | |||
// challenge client to provide credentials. send 401. | |||
if (GitBlit.isDebugMode()) { | |||
logger.info(MessageFormat.format("RPC: CHALLENGE {0}", fullUrl)); | |||
} | |||
httpResponse.setHeader("WWW-Authenticate", CHALLENGE); | |||
httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED); | |||
return; | |||
} else { | |||
// check user access for request | |||
if (user.canAdmin || canAccess(user, requestType)) { | |||
// authenticated request permitted. | |||
// pass processing to the restricted servlet. | |||
newSession(authenticatedRequest, httpResponse); | |||
logger.info(MessageFormat.format("RPC: {0} ({1}) authenticated", fullUrl, | |||
HttpServletResponse.SC_CONTINUE)); | |||
chain.doFilter(authenticatedRequest, httpResponse); | |||
return; | |||
} | |||
// valid user, but not for requested access. send 403. | |||
if (GitBlit.isDebugMode()) { | |||
logger.info(MessageFormat.format("RPC: {0} forbidden to access {1}", | |||
user.username, fullUrl)); | |||
} | |||
httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN); | |||
return; | |||
} | |||
} | |||
if (GitBlit.isDebugMode()) { | |||
logger.info(MessageFormat.format("RPC: {0} ({1}) unauthenticated", fullUrl, | |||
HttpServletResponse.SC_CONTINUE)); | |||
} | |||
// unauthenticated request permitted. | |||
// pass processing to the restricted servlet. | |||
chain.doFilter(authenticatedRequest, httpResponse); | |||
} | |||
private boolean canAccess(UserModel user, RpcRequest requestType) { | |||
switch (requestType) { | |||
case LIST_REPOSITORIES: | |||
return true; | |||
default: | |||
return user.canAdmin; | |||
} | |||
} | |||
} |
@@ -15,12 +15,15 @@ | |||
*/ | |||
package com.gitblit; | |||
import java.io.IOException; | |||
import java.text.MessageFormat; | |||
import java.util.ArrayList; | |||
import java.util.HashMap; | |||
import java.util.List; | |||
import java.util.Map; | |||
import javax.servlet.ServletException; | |||
import javax.servlet.http.HttpServletRequest; | |||
import javax.servlet.http.HttpServletResponse; | |||
import com.gitblit.Constants.RpcRequest; | |||
@@ -51,26 +54,16 @@ public class RpcServlet extends JsonServlet { | |||
* @throws java.io.IOException | |||
*/ | |||
@Override | |||
protected void processRequest(javax.servlet.http.HttpServletRequest request, | |||
javax.servlet.http.HttpServletResponse response) throws javax.servlet.ServletException, | |||
java.io.IOException { | |||
protected void processRequest(HttpServletRequest request, HttpServletResponse response) | |||
throws ServletException, IOException { | |||
RpcRequest reqType = RpcRequest.fromName(request.getParameter("req")); | |||
logger.info(MessageFormat.format("Rpc {0} request from {1}", reqType, | |||
request.getRemoteAddr())); | |||
if (!GitBlit.getBoolean(Keys.web.enableRpcServlet, false)) { | |||
logger.warn(Keys.web.enableRpcServlet + " must be set TRUE for rpc requests."); | |||
response.sendError(HttpServletResponse.SC_FORBIDDEN); | |||
return; | |||
} | |||
// TODO user authentication and authorization | |||
UserModel user = null; | |||
UserModel user = (UserModel) request.getUserPrincipal(); | |||
Object result = null; | |||
if (RpcRequest.LIST_REPOSITORIES.equals(reqType)) { | |||
// list repositories | |||
// Determine the Gitblit clone url | |||
String gitblitUrl = HttpUtils.getGitblitURL(request); | |||
StringBuilder sb = new StringBuilder(); | |||
@@ -79,6 +72,7 @@ public class RpcServlet extends JsonServlet { | |||
sb.append("{0}"); | |||
String cloneUrl = sb.toString(); | |||
// list repositories | |||
List<RepositoryModel> list = GitBlit.self().getRepositoryModels(user); | |||
Map<String, RepositoryModel> repositories = new HashMap<String, RepositoryModel>(); | |||
for (RepositoryModel model : list) { | |||
@@ -88,11 +82,6 @@ public class RpcServlet extends JsonServlet { | |||
result = repositories; | |||
} else if (RpcRequest.LIST_USERS.equals(reqType)) { | |||
// list users | |||
if (user == null || !user.canAdmin) { | |||
response.sendError(HttpServletResponse.SC_FORBIDDEN); | |||
return; | |||
} | |||
// user is authorized to retrieve all accounts | |||
List<String> names = GitBlit.self().getAllUsernames(); | |||
List<UserModel> users = new ArrayList<UserModel>(); | |||
for (String name : names) { |