mirrors
/
gitblit
mirror of https://github.com/gitblit/gitblit.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 43 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1550 Commits
11 Branches
Tree: 04a98505a4
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '04a98505a4'
${ noResults }
gitblit/src/main/java/com/gitblit/servlet/RpcFilter.java

RpcFilter.java 5.8KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165 
  1. /*

  2.  * Copyright 2011 gitblit.com.

  3.  *

  4.  * Licensed under the Apache License, Version 2.0 (the "License");

  5.  * you may not use this file except in compliance with the License.

  6.  * You may obtain a copy of the License at

  7.  *

  8.  *     http://www.apache.org/licenses/LICENSE-2.0

  9.  *

  10.  * Unless required by applicable law or agreed to in writing, software

  11.  * distributed under the License is distributed on an "AS IS" BASIS,

  12.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13.  * See the License for the specific language governing permissions and

  14.  * limitations under the License.

  15.  */

  16. package com.gitblit.servlet;

  17. 

  18. import java.io.IOException;

  19. import java.text.MessageFormat;

  20. 

  21. import javax.inject.Inject;

  22. import javax.inject.Singleton;

  23. import javax.servlet.FilterChain;

  24. import javax.servlet.ServletException;

  25. import javax.servlet.ServletRequest;

  26. import javax.servlet.ServletResponse;

  27. import javax.servlet.http.HttpServletRequest;

  28. import javax.servlet.http.HttpServletResponse;

  29. 

  30. import com.gitblit.Constants.RpcRequest;

  31. import com.gitblit.IStoredSettings;

  32. import com.gitblit.Keys;

  33. import com.gitblit.manager.IRuntimeManager;

  34. import com.gitblit.manager.IAuthenticationManager;

  35. import com.gitblit.models.UserModel;

  36. 

  37. /**

  38.  * The RpcFilter is a servlet filter that secures the RpcServlet.

  39.  *

  40.  * The filter extracts the rpc request type from the url and determines if the

  41.  * requested action requires a Basic authentication prompt. If authentication is

  42.  * required and no credentials are stored in the "Authorization" header, then a

  43.  * basic authentication challenge is issued.

  44.  *

  45.  * http://en.wikipedia.org/wiki/Basic_access_authentication

  46.  *

  47.  * @author James Moger

  48.  *

  49.  */

  50. @Singleton

  51. public class RpcFilter extends AuthenticationFilter {

  52. 

  53. 	private final IStoredSettings settings;

  54. 

  55. 	private final IRuntimeManager runtimeManager;

  56. 

  57. 	@Inject

  58. 	public RpcFilter(

  59. 			IRuntimeManager runtimeManager,

  60. 			IAuthenticationManager authenticationManager) {

  61. 

  62. 		super(authenticationManager);

  63. 		this.settings = runtimeManager.getSettings();

  64. 		this.runtimeManager = runtimeManager;

  65. 	}

  66. 

  67. 	/**

  68. 	 * doFilter does the actual work of preprocessing the request to ensure that

  69. 	 * the user may proceed.

  70. 	 *

  71. 	 * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest,

  72. 	 *      javax.servlet.ServletResponse, javax.servlet.FilterChain)

  73. 	 */

  74. 	@Override

  75. 	public void doFilter(final ServletRequest request, final ServletResponse response,

  76. 			final FilterChain chain) throws IOException, ServletException {

  77. 

  78. 		HttpServletRequest httpRequest = (HttpServletRequest) request;

  79. 		HttpServletResponse httpResponse = (HttpServletResponse) response;

  80. 

  81. 		String fullUrl = getFullUrl(httpRequest);

  82. 		RpcRequest requestType = RpcRequest.fromName(httpRequest.getParameter("req"));

  83. 		if (requestType == null) {

  84. 			httpResponse.sendError(HttpServletResponse.SC_NOT_IMPLEMENTED);

  85. 			return;

  86. 		}

  87. 

  88. 		boolean adminRequest = requestType.exceeds(RpcRequest.LIST_SETTINGS);

  89. 

  90. 		// conditionally reject all rpc requests

  91. 		if (!settings.getBoolean(Keys.web.enableRpcServlet, true)) {

  92. 			logger.warn(Keys.web.enableRpcServlet + " must be set TRUE for rpc requests.");

  93. 			httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);

  94. 			return;

  95. 		}

  96. 

  97. 		boolean authenticateView = settings.getBoolean(Keys.web.authenticateViewPages, false);

  98. 		boolean authenticateAdmin = settings.getBoolean(Keys.web.authenticateAdminPages, true);

  99. 

  100. 		// Wrap the HttpServletRequest with the RpcServletRequest which

  101. 		// overrides the servlet container user principal methods.

  102. 		AuthenticatedRequest authenticatedRequest = new AuthenticatedRequest(httpRequest);

  103. 		UserModel user = getUser(httpRequest);

  104. 		if (user != null) {

  105. 			authenticatedRequest.setUser(user);

  106. 		}

  107. 

  108. 		// conditionally reject rpc management/administration requests

  109. 		if (adminRequest && !settings.getBoolean(Keys.web.enableRpcManagement, false)) {

  110. 			logger.warn(MessageFormat.format("{0} must be set TRUE for {1} rpc requests.",

  111. 					Keys.web.enableRpcManagement, requestType.toString()));

  112. 			httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);

  113. 			return;

  114. 		}

  115. 

  116. 		// BASIC authentication challenge and response processing

  117. 		if ((adminRequest && authenticateAdmin) || (!adminRequest && authenticateView)) {

  118. 			if (user == null) {

  119. 				// challenge client to provide credentials. send 401.

  120. 				if (runtimeManager.isDebugMode()) {

  121. 					logger.info(MessageFormat.format("RPC: CHALLENGE {0}", fullUrl));

  122. 

  123. 				}

  124. 				httpResponse.setHeader("WWW-Authenticate", CHALLENGE);

  125. 				httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);

  126. 				return;

  127. 			} else {

  128. 				// check user access for request

  129. 				if (user.canAdmin() || canAccess(user, requestType)) {

  130. 					// authenticated request permitted.

  131. 					// pass processing to the restricted servlet.

  132. 					newSession(authenticatedRequest, httpResponse);

  133. 					logger.info(MessageFormat.format("RPC: {0} ({1}) authenticated", fullUrl,

  134. 							HttpServletResponse.SC_CONTINUE));

  135. 					chain.doFilter(authenticatedRequest, httpResponse);

  136. 					return;

  137. 				}

  138. 				// valid user, but not for requested access. send 403.

  139. 				logger.warn(MessageFormat.format("RPC: {0} forbidden to access {1}",

  140. 							user.username, fullUrl));

  141. 				httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);

  142. 				return;

  143. 			}

  144. 		}

  145. 

  146. 		if (runtimeManager.isDebugMode()) {

  147. 			logger.info(MessageFormat.format("RPC: {0} ({1}) unauthenticated", fullUrl,

  148. 					HttpServletResponse.SC_CONTINUE));

  149. 		}

  150. 		// unauthenticated request permitted.

  151. 		// pass processing to the restricted servlet.

  152. 		chain.doFilter(authenticatedRequest, httpResponse);

  153. 	}

  154. 

  155. 	private boolean canAccess(UserModel user, RpcRequest requestType) {

  156. 		switch (requestType) {

  157. 		case GET_PROTOCOL:

  158. 			return true;

  159. 		case LIST_REPOSITORIES:

  160. 			return true;

  161. 		default:

  162. 			return user.canAdmin();

  163. 		}

  164. 	}

  165. }