mirrors
/
gitblit
mirror of https://github.com/gitblit/gitblit.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 43 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
571 Commits
11 Branches
Tree: f3b625d298
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'f3b625d298'
${ noResults }
gitblit/src/com/gitblit/LdapUserService.java

LdapUserService.java 9.0KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268 
  1. /*

  2.  * Copyright 2012 John Crygier

  3.  * Copyright 2012 gitblit.com

  4.  *

  5.  * Licensed under the Apache License, Version 2.0 (the "License");

  6.  * you may not use this file except in compliance with the License.

  7.  * You may obtain a copy of the License at

  8.  *

  9.  *     http://www.apache.org/licenses/LICENSE-2.0

  10.  *

  11.  * Unless required by applicable law or agreed to in writing, software

  12.  * distributed under the License is distributed on an "AS IS" BASIS,

  13.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  14.  * See the License for the specific language governing permissions and

  15.  * limitations under the License.

  16.  */

  17. package com.gitblit;

  18. 

  19. import java.io.File;

  20. import java.net.URI;

  21. import java.net.URISyntaxException;

  22. import java.security.GeneralSecurityException;

  23. 

  24. import org.slf4j.Logger;

  25. import org.slf4j.LoggerFactory;

  26. 

  27. import com.gitblit.models.TeamModel;

  28. import com.gitblit.models.UserModel;

  29. import com.gitblit.utils.StringUtils;

  30. import com.unboundid.ldap.sdk.Attribute;

  31. import com.unboundid.ldap.sdk.LDAPConnection;

  32. import com.unboundid.ldap.sdk.LDAPException;

  33. import com.unboundid.ldap.sdk.LDAPSearchException;

  34. import com.unboundid.ldap.sdk.SearchResult;

  35. import com.unboundid.ldap.sdk.SearchResultEntry;

  36. import com.unboundid.ldap.sdk.SearchScope;

  37. import com.unboundid.util.ssl.SSLUtil;

  38. import com.unboundid.util.ssl.TrustAllTrustManager;

  39. 

  40. /**

  41.  * Implementation of an LDAP user service.

  42.  * 

  43.  * @author John Crygier

  44.  */

  45. public class LdapUserService extends GitblitUserService {

  46. 

  47. 	public static final Logger logger = LoggerFactory.getLogger(LdapUserService.class);

  48. 	

  49. 	private IStoredSettings settings;

  50. 

  51. 	public LdapUserService() {

  52. 		super();

  53. 	}

  54. 

  55. 	@Override

  56. 	public void setup(IStoredSettings settings) {

  57. 		this.settings = settings;

  58. 		String file = settings.getString(Keys.realm.ldap_backingUserService, "users.conf");

  59. 		File realmFile = GitBlit.getFileOrFolder(file);

  60. 

  61. 		serviceImpl = createUserService(realmFile);

  62. 		logger.info("LDAP User Service backed by " + serviceImpl.toString());

  63. 	}

  64. 	

  65. 	private LDAPConnection getLdapConnection() {

  66. 		try {

  67. 			URI ldapUrl = new URI(settings.getRequiredString(Keys.realm.ldap_server));

  68. 			String bindUserName = settings.getString(Keys.realm.ldap_username, "");

  69. 			String bindPassword = settings.getString(Keys.realm.ldap_password, "");

  70. 			int ldapPort = ldapUrl.getPort();

  71. 			

  72. 			if (ldapUrl.getScheme().equalsIgnoreCase("ldaps")) {	// SSL

  73. 				if (ldapPort == -1)	// Default Port

  74. 					ldapPort = 636;

  75. 				

  76. 				SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager()); 

  77. 				return new LDAPConnection(sslUtil.createSSLSocketFactory(), ldapUrl.getHost(), ldapPort, bindUserName, bindPassword);

  78. 			} else {

  79. 				if (ldapPort == -1)	// Default Port

  80. 					ldapPort = 389;

  81. 				

  82. 				return new LDAPConnection(ldapUrl.getHost(), ldapPort, bindUserName, bindPassword);

  83. 			}

  84. 		} catch (URISyntaxException e) {

  85. 			logger.error("Bad LDAP URL, should be in the form: ldap(s)://<server>:<port>", e);

  86. 		} catch (GeneralSecurityException e) {

  87. 			logger.error("Unable to create SSL Connection", e);

  88. 		} catch (LDAPException e) {

  89. 			logger.error("Error Connecting to LDAP", e);

  90. 		}

  91. 		

  92. 		return null;

  93. 	}

  94. 	

  95. 	/**

  96. 	 * Credentials are defined in the LDAP server and can not be manipulated

  97. 	 * from Gitblit.

  98. 	 *

  99. 	 * @return false

  100. 	 * @since 1.0.0

  101. 	 */

  102. 	@Override

  103. 	public boolean supportsCredentialChanges() {

  104. 		return false;

  105. 	}

  106. 	

  107. 	/**

  108. 	 * If the LDAP server will maintain team memberships then LdapUserService

  109. 	 * will not allow team membership changes.  In this scenario all team

  110. 	 * changes must be made on the LDAP server by the LDAP administrator.

  111. 	 * 

  112. 	 * @return true or false

  113. 	 * @since 1.0.0

  114. 	 */	

  115. 	public boolean supportsTeamMembershipChanges() {

  116. 		return !settings.getBoolean(Keys.realm.ldap_maintainTeams, false);

  117. 	}

  118. 

  119. 	/**

  120. 	 * Does the user service support cookie authentication?

  121. 	 * 

  122. 	 * @return true or false

  123. 	 */

  124. 	@Override

  125. 	public boolean supportsCookies() {

  126. 		// TODO cookies need to be reviewed

  127. 		return false;

  128. 	}

  129. 

  130. 	@Override

  131. 	public UserModel authenticate(String username, char[] password) {

  132. 		String simpleUsername = getSimpleUsername(username);

  133. 		

  134. 		LDAPConnection ldapConnection = getLdapConnection();		

  135. 		if (ldapConnection != null) {

  136. 			// Find the logging in user's DN

  137. 			String accountBase = settings.getString(Keys.realm.ldap_accountBase, "");

  138. 			String accountPattern = settings.getString(Keys.realm.ldap_accountPattern, "(&(objectClass=person)(sAMAccountName=${username}))");

  139. 			accountPattern = StringUtils.replace(accountPattern, "${username}", simpleUsername);

  140. 

  141. 			SearchResult result = doSearch(ldapConnection, accountBase, accountPattern);

  142. 			if (result != null && result.getEntryCount() == 1) {

  143. 				SearchResultEntry loggingInUser = result.getSearchEntries().get(0);

  144. 				String loggingInUserDN = loggingInUser.getDN();

  145. 				

  146. 				if (isAuthenticated(ldapConnection, loggingInUserDN, new String(password))) {

  147. 					logger.debug("Authenitcated: " + username);

  148. 					

  149. 					UserModel user = getUserModel(simpleUsername);

  150. 					if (user == null)	// create user object for new authenticated user

  151. 						user = createUserFromLdap(loggingInUser);

  152. 					

  153. 					user.password = "StoredInLDAP";

  154. 					

  155. 					if (!supportsTeamMembershipChanges())

  156. 						getTeamsFromLdap(ldapConnection, simpleUsername, loggingInUser, user);

  157. 					

  158. 					// Get Admin Attributes

  159. 					setAdminAttribute(user);

  160. 

  161. 					// Push the ldap looked up values to backing file

  162. 					super.updateUserModel(user);

  163. 					if (!supportsTeamMembershipChanges()) {

  164. 						for (TeamModel userTeam : user.teams)

  165. 							updateTeamModel(userTeam);

  166. 					}

  167. 							

  168. 					return user;

  169. 				}

  170. 			}

  171. 		}

  172. 		

  173. 		return null;		

  174. 	}

  175. 

  176. 	private void setAdminAttribute(UserModel user) {

  177. 		String adminString = settings.getString(Keys.realm.ldap_admins, "");

  178. 		String[] admins = adminString.split(" ");

  179. 		user.canAdmin = false;

  180. 		for (String admin : admins) {

  181. 			if (admin.startsWith("@")) { // Team

  182. 				if (user.getTeam(admin.substring(1)) != null)

  183. 					user.canAdmin = true;

  184. 			} else

  185. 				if (user.getName().equalsIgnoreCase(admin))

  186. 					user.canAdmin = true;

  187. 		}

  188. 	}

  189. 

  190. 	private void getTeamsFromLdap(LDAPConnection ldapConnection, String simpleUsername, SearchResultEntry loggingInUser, UserModel user) {

  191. 		String loggingInUserDN = loggingInUser.getDN();

  192. 		

  193. 		user.teams.clear();		// Clear the users team memberships - we're going to get them from LDAP

  194. 		String groupBase = settings.getString(Keys.realm.ldap_groupBase, "");

  195. 		String groupMemberPattern = settings.getString(Keys.realm.ldap_groupMemberPattern, "(&(objectClass=group)(member=${dn}))");

  196. 		

  197. 		groupMemberPattern = StringUtils.replace(groupMemberPattern, "${dn}", loggingInUserDN);

  198. 		groupMemberPattern = StringUtils.replace(groupMemberPattern, "${username}", simpleUsername);

  199. 		

  200. 		// Fill in attributes into groupMemberPattern

  201. 		for (Attribute userAttribute : loggingInUser.getAttributes())

  202. 			groupMemberPattern = StringUtils.replace(groupMemberPattern, "${" + userAttribute.getName() + "}", userAttribute.getValue());

  203. 		

  204. 		SearchResult teamMembershipResult = doSearch(ldapConnection, groupBase, groupMemberPattern);

  205. 		if (teamMembershipResult != null && teamMembershipResult.getEntryCount() > 0) {

  206. 			for (int i = 0; i < teamMembershipResult.getEntryCount(); i++) {

  207. 				SearchResultEntry teamEntry = teamMembershipResult.getSearchEntries().get(i);

  208. 				String teamName = teamEntry.getAttribute("cn").getValue();

  209. 				

  210. 				TeamModel teamModel = getTeamModel(teamName);

  211. 				if (teamModel == null)

  212. 					teamModel = createTeamFromLdap(teamEntry);

  213. 					

  214. 				user.teams.add(teamModel);

  215. 				teamModel.addUser(user.getName());

  216. 			}

  217. 		}

  218. 	}

  219. 	

  220. 	private TeamModel createTeamFromLdap(SearchResultEntry teamEntry) {

  221. 		TeamModel answer = new TeamModel(teamEntry.getAttributeValue("cn"));

  222. 		// If attributes other than team name ever from from LDAP, this is where to get them

  223. 		

  224. 		return answer;		

  225. 	}

  226. 	

  227. 	private UserModel createUserFromLdap(SearchResultEntry userEntry) {

  228. 		UserModel answer = new UserModel(userEntry.getAttributeValue("cn"));

  229. 		//If attributes other than user name ever from from LDAP, this is where to get them

  230. 		

  231. 		return answer;

  232. 	}

  233. 

  234. 	private SearchResult doSearch(LDAPConnection ldapConnection, String base, String filter) {

  235. 		try {

  236. 			return ldapConnection.search(base, SearchScope.SUB, filter);

  237. 		} catch (LDAPSearchException e) {

  238. 			logger.error("Problem Searching LDAP", e);

  239. 			

  240. 			return null;

  241. 		}

  242. 	}

  243. 	

  244. 	private boolean isAuthenticated(LDAPConnection ldapConnection, String userDn, String password) {

  245. 		try {

  246. 			ldapConnection.bind(userDn, password);

  247. 			return true;

  248. 		} catch (LDAPException e) {

  249. 			logger.error("Error authenitcating user", e);

  250. 			return false;

  251. 		}

  252. 	}

  253. 

  254. 	

  255. 	/**

  256. 	 * Returns a simple username without any domain prefixes.

  257. 	 * 

  258. 	 * @param username

  259. 	 * @return a simple username

  260. 	 */

  261. 	protected String getSimpleUsername(String username) {

  262. 		int lastSlash = username.lastIndexOf('\\');

  263. 		if (lastSlash > -1) {

  264. 			username = username.substring(lastSlash + 1);

  265. 		}

  266. 		return username;

  267. 	}

  268. }