Gitblit devel
blame | history | patch | commit | commitdiff | ignore whitespace
James Moger
2013-11-17 db4f6b5740c6ea45d9e2209dc569bc18904a8b4d 
 src/main/java/com/gitblit/LdapUserService.java


@@ -20,6 +20,7 @@


import java.net.URI;



import java.net.URISyntaxException;



import java.security.GeneralSecurityException;



import java.util.Arrays;



import java.util.HashMap;



import java.util.List;



import java.util.Map;



@@ -30,19 +31,23 @@


import org.slf4j.LoggerFactory;







import com.gitblit.Constants.AccountType;



import com.gitblit.manager.IRuntimeManager;



import com.gitblit.models.TeamModel;



import com.gitblit.models.UserModel;



import com.gitblit.utils.ArrayUtils;



import com.gitblit.utils.StringUtils;



import com.unboundid.ldap.sdk.Attribute;



import com.unboundid.ldap.sdk.DereferencePolicy;



import com.unboundid.ldap.sdk.ExtendedResult;



import com.unboundid.ldap.sdk.LDAPConnection;



import com.unboundid.ldap.sdk.LDAPException;



import com.unboundid.ldap.sdk.LDAPSearchException;



import com.unboundid.ldap.sdk.ResultCode;



import com.unboundid.ldap.sdk.SearchRequest;



import com.unboundid.ldap.sdk.SearchResult;



import com.unboundid.ldap.sdk.SearchResultEntry;



import com.unboundid.ldap.sdk.SearchScope;



import com.unboundid.ldap.sdk.SimpleBindRequest;



import com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest;



import com.unboundid.util.ssl.SSLUtil;



import com.unboundid.util.ssl.TrustAllTrustManager;



@@ -79,7 +84,8 @@


   public void setup(IStoredSettings settings) {



      this.settings = settings;



      String file = settings.getString(Keys.realm.ldap.backingUserService, "${baseFolder}/users.conf");



      File realmFile = GitBlit.getFileOrFolder(file);



      IRuntimeManager runtimeManager = GitBlit.getManager(IRuntimeManager.class);



      File realmFile = runtimeManager.getFileOrFolder(file);







      serviceImpl = createUserService(realmFile);



      logger.info("LDAP User Service backed by " + serviceImpl.toString());



@@ -161,46 +167,42 @@






   private LDAPConnection getLdapConnection() {



      try {



			


         URI ldapUrl = new URI(settings.getRequiredString(Keys.realm.ldap.server));



         String ldapHost = ldapUrl.getHost();



         int ldapPort = ldapUrl.getPort();



         String bindUserName = settings.getString(Keys.realm.ldap.username, "");



         String bindPassword = settings.getString(Keys.realm.ldap.password, "");



         int ldapPort = ldapUrl.getPort();







			


         LDAPConnection conn;



         if (ldapUrl.getScheme().equalsIgnoreCase("ldaps")) {   // SSL



            if (ldapPort == -1)   // Default Port



               ldapPort = 636;







            LDAPConnection conn;



            SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager());



            if (StringUtils.isEmpty(bindUserName) && StringUtils.isEmpty(bindPassword)) {



                conn = new LDAPConnection(sslUtil.createSSLSocketFactory(), ldapUrl.getHost(), ldapPort);



            } else {



                conn = new LDAPConnection(sslUtil.createSSLSocketFactory(), ldapUrl.getHost(), ldapPort, bindUserName, bindPassword);



            }



            return conn;



            conn = new LDAPConnection(sslUtil.createSSLSocketFactory());



         } else if (ldapUrl.getScheme().equalsIgnoreCase("ldap") || ldapUrl.getScheme().equalsIgnoreCase("ldap+tls")) {   // no encryption or StartTLS



            conn = new LDAPConnection();



         } else {



            if (ldapPort == -1)   // Default Port



               ldapPort = 389;







            LDAPConnection conn;



            if (StringUtils.isEmpty(bindUserName) && StringUtils.isEmpty(bindPassword)) {



               conn = new LDAPConnection(ldapUrl.getHost(), ldapPort);



            } else {



               conn = new LDAPConnection(ldapUrl.getHost(), ldapPort, bindUserName, bindPassword);



            }







            if (ldapUrl.getScheme().equalsIgnoreCase("ldap+tls")) {



               SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager());







               ExtendedResult extendedResult = conn.processExtendedOperation(



                  new StartTLSExtendedRequest(sslUtil.createSSLContext()));







               if (extendedResult.getResultCode() != ResultCode.SUCCESS) {



                  throw new LDAPException(extendedResult.getResultCode());



               }



            }



            return conn;



            logger.error("Unsupported LDAP URL scheme: " + ldapUrl.getScheme());



            return null;



         }



			


         conn.connect(ldapHost, ldapPort);



			


         if (ldapUrl.getScheme().equalsIgnoreCase("ldap+tls")) {



            SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager());



            ExtendedResult extendedResult = conn.processExtendedOperation(



                  new StartTLSExtendedRequest(sslUtil.createSSLContext()));



            if (extendedResult.getResultCode() != ResultCode.SUCCESS) {



               throw new LDAPException(extendedResult.getResultCode());



            }



         }







         if ( ! StringUtils.isEmpty(bindUserName) || ! StringUtils.isEmpty(bindPassword)) {



            conn.bind(new SimpleBindRequest(bindUserName, bindPassword));



         }



			


         return conn;







      } catch (URISyntaxException e) {



         logger.error("Bad LDAP URL, should be in the form: ldap(s|+tls)://<server>:<port>", e);



      } catch (GeneralSecurityException e) {



@@ -407,7 +409,7 @@


      for (Attribute userAttribute : loggingInUser.getAttributes())



         groupMemberPattern = StringUtils.replace(groupMemberPattern, "${" + userAttribute.getName() + "}", escapeLDAPSearchFilter(userAttribute.getValue()));







      SearchResult teamMembershipResult = doSearch(ldapConnection, groupBase, groupMemberPattern);



      SearchResult teamMembershipResult = doSearch(ldapConnection, groupBase, true, groupMemberPattern, Arrays.asList("cn"));



      if (teamMembershipResult != null && teamMembershipResult.getEntryCount() > 0) {



         for (int i = 0; i < teamMembershipResult.getEntryCount(); i++) {



            SearchResultEntry teamEntry = teamMembershipResult.getSearchEntries().get(i);



@@ -439,7 +441,28 @@


         return null;



      }



   }



	


   private SearchResult doSearch(LDAPConnection ldapConnection, String base, boolean dereferenceAliases, String filter, List<String> attributes) {



      try {



         SearchRequest searchRequest = new SearchRequest(base, SearchScope.SUB, filter);



         if ( dereferenceAliases ) {



            searchRequest.setDerefPolicy(DereferencePolicy.SEARCHING);



         }



         if (attributes != null) {



            searchRequest.setAttributes(attributes);



         }



         return ldapConnection.search(searchRequest);







      } catch (LDAPSearchException e) {



         logger.error("Problem Searching LDAP", e);







         return null;



      } catch (LDAPException e) {



         logger.error("Problem creating LDAP search", e);



         return null;



      }



   }



	


   private boolean isAuthenticated(LDAPConnection ldapConnection, String userDn, String password) {



      try {



         // Binding will stop any LDAP-Injection Attacks since the searched-for user needs to bind to that DN