From f1c3a882d12aede461e3c8ca3ebd298bdb28bc5d Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Sun, 02 Dec 2012 13:16:39 -0500
Subject: [PATCH] Corrected certificatge bundle unit test
---
src/com/gitblit/GitBlit.java | 153 +++++++++++++++++++++++++++++++++++++++++++++++----
1 files changed, 141 insertions(+), 12 deletions(-)
diff --git a/src/com/gitblit/GitBlit.java b/src/com/gitblit/GitBlit.java
index a5d8b9e..69135c4 100644
--- a/src/com/gitblit/GitBlit.java
+++ b/src/com/gitblit/GitBlit.java
@@ -58,6 +58,7 @@
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
+import org.apache.wicket.RequestCycle;
import org.apache.wicket.protocol.http.WebResponse;
import org.apache.wicket.resource.ContextRelativeResource;
import org.apache.wicket.util.resource.ResourceStreamNotFoundException;
@@ -75,11 +76,13 @@
import com.gitblit.Constants.AccessPermission;
import com.gitblit.Constants.AccessRestrictionType;
+import com.gitblit.Constants.AuthenticationType;
import com.gitblit.Constants.AuthorizationControl;
import com.gitblit.Constants.FederationRequest;
import com.gitblit.Constants.FederationStrategy;
import com.gitblit.Constants.FederationToken;
import com.gitblit.Constants.PermissionType;
+import com.gitblit.Constants.RegistrantType;
import com.gitblit.models.FederationModel;
import com.gitblit.models.FederationProposal;
import com.gitblit.models.FederationSet;
@@ -99,12 +102,15 @@
import com.gitblit.utils.ContainerUtils;
import com.gitblit.utils.DeepCopier;
import com.gitblit.utils.FederationUtils;
+import com.gitblit.utils.HttpUtils;
import com.gitblit.utils.JGitUtils;
import com.gitblit.utils.JsonUtils;
import com.gitblit.utils.MetricUtils;
import com.gitblit.utils.ObjectCache;
import com.gitblit.utils.StringUtils;
import com.gitblit.utils.TimeUtils;
+import com.gitblit.utils.X509Utils.X509Metadata;
+import com.gitblit.wicket.GitBlitWebSession;
import com.gitblit.wicket.WicketUtils;
/**
@@ -535,7 +541,7 @@
* @param cookies
* @return a user object or null
*/
- public UserModel authenticate(Cookie[] cookies) {
+ protected UserModel authenticate(Cookie[] cookies) {
if (userService == null) {
return null;
}
@@ -553,13 +559,52 @@
}
/**
- * Authenticate a user based on HTTP request paramters.
- * This method is inteded to be used as fallback when other
- * means of authentication are failing (username / password or cookies).
+ * Authenticate a user based on HTTP request parameters.
+ *
+ * Authentication by X509Certificate is tried first and then by cookie.
+ *
* @param httpRequest
* @return a user object or null
*/
public UserModel authenticate(HttpServletRequest httpRequest) {
+ // try to authenticate by certificate
+ boolean checkValidity = settings.getBoolean(Keys.git.enforceCertificateValidity, true);
+ String [] oids = getStrings(Keys.git.certificateUsernameOIDs).toArray(new String[0]);
+ UserModel model = HttpUtils.getUserModelFromCertificate(httpRequest, checkValidity, oids);
+ if (model != null) {
+ // grab real user model and preserve certificate serial number
+ UserModel user = getUserModel(model.username);
+ if (user != null) {
+ RequestCycle requestCycle = RequestCycle.get();
+ if (requestCycle != null) {
+ // flag the Wicket session, if this is a Wicket request
+ GitBlitWebSession session = GitBlitWebSession.get();
+ session.authenticationType = AuthenticationType.CERTIFICATE;
+ }
+ X509Metadata metadata = HttpUtils.getCertificateMetadata(httpRequest);
+ logger.info(MessageFormat.format("{0} authenticated by client certificate {1} from {2}",
+ user.username, metadata.serialNumber, httpRequest.getRemoteAddr()));
+ return user;
+ }
+ }
+
+ // try to authenticate by cookie
+ Cookie[] cookies = httpRequest.getCookies();
+ if (allowCookieAuthentication() && cookies != null && cookies.length > 0) {
+ // Grab cookie from Browser Session
+ UserModel user = authenticate(cookies);
+ if (user != null) {
+ RequestCycle requestCycle = RequestCycle.get();
+ if (requestCycle != null) {
+ // flag the Wicket session, if this is a Wicket request
+ GitBlitWebSession session = GitBlitWebSession.get();
+ session.authenticationType = AuthenticationType.COOKIE;
+ }
+ logger.info(MessageFormat.format("{0} authenticated by cookie from {1}",
+ user.username, httpRequest.getRemoteAddr()));
+ return user;
+ }
+ }
return null;
}
@@ -659,8 +704,48 @@
* @return a user object or null
*/
public UserModel getUserModel(String username) {
- UserModel user = userService.getUserModel(username);
+ UserModel user = userService.getUserModel(username);
return user;
+ }
+
+ /**
+ * Returns the effective list of permissions for this user, taking into account
+ * team memberships, ownerships.
+ *
+ * @param user
+ * @return the effective list of permissions for the user
+ */
+ public List<RegistrantAccessPermission> getUserAccessPermissions(UserModel user) {
+ Set<RegistrantAccessPermission> set = new LinkedHashSet<RegistrantAccessPermission>();
+ set.addAll(user.getRepositoryPermissions());
+ // Flag missing repositories
+ for (RegistrantAccessPermission permission : set) {
+ if (permission.mutable && PermissionType.EXPLICIT.equals(permission.permissionType)) {
+ RepositoryModel rm = GitBlit.self().getRepositoryModel(permission.registrant);
+ if (rm == null) {
+ permission.permissionType = PermissionType.MISSING;
+ permission.mutable = false;
+ continue;
+ }
+ }
+ }
+
+ // TODO reconsider ownership as a user property
+ // manually specify personal repository ownerships
+ for (RepositoryModel rm : repositoryListCache.values()) {
+ if (rm.isUsersPersonalRepository(user.username) || rm.isOwner(user.username)) {
+ RegistrantAccessPermission rp = new RegistrantAccessPermission(rm.name, AccessPermission.REWIND,
+ PermissionType.OWNER, RegistrantType.REPOSITORY, null, false);
+ // user may be owner of a repository to which they've inherited
+ // a team permission, replace any existing perm with owner perm
+ set.remove(rp);
+ set.add(rp);
+ }
+ }
+
+ List<RegistrantAccessPermission> list = new ArrayList<RegistrantAccessPermission>(set);
+ Collections.sort(list);
+ return list;
}
/**
@@ -672,7 +757,16 @@
* @return a list of RegistrantAccessPermissions
*/
public List<RegistrantAccessPermission> getUserAccessPermissions(RepositoryModel repository) {
- List<RegistrantAccessPermission> list = new ArrayList<RegistrantAccessPermission>();
+ List<RegistrantAccessPermission> list = new ArrayList<RegistrantAccessPermission>();
+ if (AccessRestrictionType.NONE.equals(repository.accessRestriction)) {
+ // no permissions needed, REWIND for everyone!
+ return list;
+ }
+ if (AuthorizationControl.AUTHENTICATED.equals(repository.authorizationControl)) {
+ // no permissions needed, REWIND for authenticated!
+ return list;
+ }
+ // NAMED users and teams
for (UserModel user : userService.getAllUsers()) {
RegistrantAccessPermission ap = user.getRepositoryPermission(repository);
if (ap.permission.exceeds(AccessPermission.NONE)) {
@@ -692,7 +786,7 @@
public boolean setUserAccessPermissions(RepositoryModel repository, Collection<RegistrantAccessPermission> permissions) {
List<UserModel> users = new ArrayList<UserModel>();
for (RegistrantAccessPermission up : permissions) {
- if (up.isEditable) {
+ if (up.mutable) {
// only set editable defined permissions
UserModel user = userService.getUserModel(up.registrant);
user.setRepositoryPermission(repository.name, up.permission);
@@ -832,7 +926,7 @@
public boolean setTeamAccessPermissions(RepositoryModel repository, Collection<RegistrantAccessPermission> permissions) {
List<TeamModel> teams = new ArrayList<TeamModel>();
for (RegistrantAccessPermission tp : permissions) {
- if (tp.isEditable) {
+ if (tp.mutable) {
// only set explicitly defined access permissions
TeamModel team = userService.getTeamModel(tp.registrant);
team.setRepositoryPermission(repository.name, tp.permission);
@@ -2204,6 +2298,8 @@
case PULL_SETTINGS:
case PULL_SCRIPTS:
return token.equals(all);
+ default:
+ break;
}
return false;
}
@@ -2346,6 +2442,8 @@
if (!StringUtils.isEmpty(model.origin)) {
url = model.origin;
}
+ break;
+ default:
break;
}
@@ -2604,6 +2702,37 @@
}
/**
+ * Notify users by email of something.
+ *
+ * @param subject
+ * @param message
+ * @param toAddresses
+ */
+ public void sendHtmlMail(String subject, String message, Collection<String> toAddresses) {
+ this.sendHtmlMail(subject, message, toAddresses.toArray(new String[0]));
+ }
+
+ /**
+ * Notify users by email of something.
+ *
+ * @param subject
+ * @param message
+ * @param toAddresses
+ */
+ public void sendHtmlMail(String subject, String message, String... toAddresses) {
+ try {
+ Message mail = mailExecutor.createMessage(toAddresses);
+ if (mail != null) {
+ mail.setSubject(subject);
+ mail.setContent(message, "text/html");
+ mailExecutor.queue(mail);
+ }
+ } catch (MessagingException e) {
+ logger.error("Messaging error", e);
+ }
+ }
+
+ /**
* Returns the descriptions/comments of the Gitblit config settings.
*
* @return SettingsModel
@@ -2704,15 +2833,15 @@
public void configureContext(IStoredSettings settings, boolean startFederation) {
logger.info("Reading configuration from " + settings.toString());
this.settings = settings;
-
+
+ repositoriesFolder = getRepositoriesFolder();
+ logger.info("Git repositories folder " + repositoriesFolder.getAbsolutePath());
+
// prepare service executors
mailExecutor = new MailExecutor(settings);
luceneExecutor = new LuceneExecutor(settings, repositoriesFolder);
gcExecutor = new GCExecutor(settings);
- repositoriesFolder = getRepositoriesFolder();
- logger.info("Git repositories folder " + repositoriesFolder.getAbsolutePath());
-
// calculate repository list settings checksum for future config changes
repositoryListSettingsChecksum.set(getRepositoryListSettingsChecksum());
--
Gitblit v1.9.1