mirrors
/
gitblit
mirror of https://github.com/gitblit/gitblit.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 43 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2391 Commits
11 Branches
Tree: a40cbcfc4f
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'a40cbcfc4f'
${ noResults }
gitblit/src/main/java/com/gitblit/servlet/RpcFilter.java

RpcFilter.java 5.8KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167 
  1. /*

  2.  * Copyright 2011 gitblit.com.

  3.  *

  4.  * Licensed under the Apache License, Version 2.0 (the "License");

  5.  * you may not use this file except in compliance with the License.

  6.  * You may obtain a copy of the License at

  7.  *

  8.  *     http://www.apache.org/licenses/LICENSE-2.0

  9.  *

  10.  * Unless required by applicable law or agreed to in writing, software

  11.  * distributed under the License is distributed on an "AS IS" BASIS,

  12.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13.  * See the License for the specific language governing permissions and

  14.  * limitations under the License.

  15.  */

  16. package com.gitblit.servlet;

  17. 

  18. import java.io.IOException;

  19. import java.text.MessageFormat;

  20. 

  21. import com.google.inject.Inject;

  22. import com.google.inject.Singleton;

  23. import javax.servlet.FilterChain;

  24. import javax.servlet.ServletException;

  25. import javax.servlet.ServletRequest;

  26. import javax.servlet.ServletResponse;

  27. import javax.servlet.http.HttpServletRequest;

  28. import javax.servlet.http.HttpServletResponse;

  29. 

  30. import com.gitblit.Constants.RpcRequest;

  31. import com.gitblit.IStoredSettings;

  32. import com.gitblit.Keys;

  33. import com.gitblit.manager.IAuthenticationManager;

  34. import com.gitblit.manager.IRuntimeManager;

  35. import com.gitblit.models.UserModel;

  36. 

  37. /**

  38.  * The RpcFilter is a servlet filter that secures the RpcServlet.

  39.  *

  40.  * The filter extracts the rpc request type from the url and determines if the

  41.  * requested action requires a Basic authentication prompt. If authentication is

  42.  * required and no credentials are stored in the "Authorization" header, then a

  43.  * basic authentication challenge is issued.

  44.  *

  45.  * http://en.wikipedia.org/wiki/Basic_access_authentication

  46.  *

  47.  * @author James Moger

  48.  *

  49.  */

  50. @Singleton

  51. public class RpcFilter extends AuthenticationFilter {

  52. 

  53. 	private IStoredSettings settings;

  54. 

  55. 	private IRuntimeManager runtimeManager;

  56. 

  57. 	@Inject

  58. 	public RpcFilter(

  59. 			IStoredSettings settings,

  60. 			IRuntimeManager runtimeManager,

  61. 			IAuthenticationManager authenticationManager) {

  62. 

  63. 		super(authenticationManager);

  64. 

  65. 		this.settings = settings;

  66. 		this.runtimeManager = runtimeManager;

  67. 	}

  68. 

  69. 	/**

  70. 	 * doFilter does the actual work of preprocessing the request to ensure that

  71. 	 * the user may proceed.

  72. 	 *

  73. 	 * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest,

  74. 	 *      javax.servlet.ServletResponse, javax.servlet.FilterChain)

  75. 	 */

  76. 	@Override

  77. 	public void doFilter(final ServletRequest request, final ServletResponse response,

  78. 			final FilterChain chain) throws IOException, ServletException {

  79. 

  80. 		HttpServletRequest httpRequest = (HttpServletRequest) request;

  81. 		HttpServletResponse httpResponse = (HttpServletResponse) response;

  82. 

  83. 		String fullUrl = getFullUrl(httpRequest);

  84. 		RpcRequest requestType = RpcRequest.fromName(httpRequest.getParameter("req"));

  85. 		if (requestType == null) {

  86. 			httpResponse.sendError(HttpServletResponse.SC_NOT_IMPLEMENTED);

  87. 			return;

  88. 		}

  89. 

  90. 		boolean adminRequest = requestType.exceeds(RpcRequest.LIST_SETTINGS);

  91. 

  92. 		// conditionally reject all rpc requests

  93. 		if (!settings.getBoolean(Keys.web.enableRpcServlet, true)) {

  94. 			logger.warn(Keys.web.enableRpcServlet + " must be set TRUE for rpc requests.");

  95. 			httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);

  96. 			return;

  97. 		}

  98. 

  99. 		boolean authenticateView = settings.getBoolean(Keys.web.authenticateViewPages, false);

  100. 		boolean authenticateAdmin = settings.getBoolean(Keys.web.authenticateAdminPages, true);

  101. 

  102. 		// Wrap the HttpServletRequest with the RpcServletRequest which

  103. 		// overrides the servlet container user principal methods.

  104. 		AuthenticatedRequest authenticatedRequest = new AuthenticatedRequest(httpRequest);

  105. 		UserModel user = getUser(httpRequest);

  106. 		if (user != null) {

  107. 			authenticatedRequest.setUser(user);

  108. 		}

  109. 

  110. 		// conditionally reject rpc management/administration requests

  111. 		if (adminRequest && !settings.getBoolean(Keys.web.enableRpcManagement, false)) {

  112. 			logger.warn(MessageFormat.format("{0} must be set TRUE for {1} rpc requests.",

  113. 					Keys.web.enableRpcManagement, requestType.toString()));

  114. 			httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);

  115. 			return;

  116. 		}

  117. 

  118. 		// BASIC authentication challenge and response processing

  119. 		if ((adminRequest && authenticateAdmin) || (!adminRequest && authenticateView)) {

  120. 			if (user == null) {

  121. 				// challenge client to provide credentials. send 401.

  122. 				if (runtimeManager.isDebugMode()) {

  123. 					logger.info(MessageFormat.format("RPC: CHALLENGE {0}", fullUrl));

  124. 

  125. 				}

  126. 				httpResponse.setHeader("WWW-Authenticate", CHALLENGE);

  127. 				httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);

  128. 				return;

  129. 			} else {

  130. 				// check user access for request

  131. 				if (user.canAdmin() || canAccess(user, requestType)) {

  132. 					// authenticated request permitted.

  133. 					// pass processing to the restricted servlet.

  134. 					newSession(authenticatedRequest, httpResponse);

  135. 					logger.info(MessageFormat.format("RPC: {0} ({1}) authenticated", fullUrl,

  136. 							HttpServletResponse.SC_CONTINUE));

  137. 					chain.doFilter(authenticatedRequest, httpResponse);

  138. 					return;

  139. 				}

  140. 				// valid user, but not for requested access. send 403.

  141. 				logger.warn(MessageFormat.format("RPC: {0} forbidden to access {1}",

  142. 							user.username, fullUrl));

  143. 				httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);

  144. 				return;

  145. 			}

  146. 		}

  147. 

  148. 		if (runtimeManager.isDebugMode()) {

  149. 			logger.info(MessageFormat.format("RPC: {0} ({1}) unauthenticated", fullUrl,

  150. 					HttpServletResponse.SC_CONTINUE));

  151. 		}

  152. 		// unauthenticated request permitted.

  153. 		// pass processing to the restricted servlet.

  154. 		chain.doFilter(authenticatedRequest, httpResponse);

  155. 	}

  156. 

  157. 	private boolean canAccess(UserModel user, RpcRequest requestType) {

  158. 		switch (requestType) {

  159. 		case GET_PROTOCOL:

  160. 			return true;

  161. 		case LIST_REPOSITORIES:

  162. 			return true;

  163. 		default:

  164. 			return user.canAdmin();

  165. 		}

  166. 	}

  167. }