/*
|
* Copyright 2013 gitblit.com.
|
*
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
* you may not use this file except in compliance with the License.
|
* You may obtain a copy of the License at
|
*
|
* http://www.apache.org/licenses/LICENSE-2.0
|
*
|
* Unless required by applicable law or agreed to in writing, software
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
* See the License for the specific language governing permissions and
|
* limitations under the License.
|
*/
|
package com.gitblit.manager;
|
|
import java.nio.charset.Charset;
|
import java.security.Principal;
|
import java.text.MessageFormat;
|
import java.util.List;
|
|
import javax.servlet.http.Cookie;
|
import javax.servlet.http.HttpServletRequest;
|
import javax.servlet.http.HttpServletResponse;
|
|
import org.apache.wicket.RequestCycle;
|
import org.slf4j.Logger;
|
import org.slf4j.LoggerFactory;
|
|
import com.gitblit.Constants;
|
import com.gitblit.Constants.AuthenticationType;
|
import com.gitblit.IStoredSettings;
|
import com.gitblit.Keys;
|
import com.gitblit.models.UserModel;
|
import com.gitblit.utils.Base64;
|
import com.gitblit.utils.HttpUtils;
|
import com.gitblit.utils.StringUtils;
|
import com.gitblit.utils.X509Utils.X509Metadata;
|
import com.gitblit.wicket.GitBlitWebSession;
|
|
/**
|
* The session manager handles user login & logout.
|
*
|
* @author James Moger
|
*
|
*/
|
public class SessionManager implements ISessionManager {
|
|
private final Logger logger = LoggerFactory.getLogger(getClass());
|
|
private final IStoredSettings settings;
|
|
private final IRuntimeManager runtimeManager;
|
|
private final IUserManager userManager;
|
|
public SessionManager(
|
IRuntimeManager runtimeManager,
|
IUserManager userManager) {
|
|
this.settings = runtimeManager.getSettings();
|
this.runtimeManager = runtimeManager;
|
this.userManager = userManager;
|
}
|
|
@Override
|
public SessionManager start() {
|
List<String> services = settings.getStrings("realm.authenticationServices");
|
for (String service : services) {
|
// TODO populate authentication services here
|
}
|
return this;
|
}
|
|
@Override
|
public SessionManager stop() {
|
return this;
|
}
|
|
/**
|
* Authenticate a user based on HTTP request parameters.
|
*
|
* Authentication by X509Certificate is tried first and then by cookie.
|
*
|
* @param httpRequest
|
* @return a user object or null
|
*/
|
@Override
|
public UserModel authenticate(HttpServletRequest httpRequest) {
|
return authenticate(httpRequest, false);
|
}
|
|
/**
|
* Authenticate a user based on HTTP request parameters.
|
*
|
* Authentication by X509Certificate, servlet container principal, cookie,
|
* and BASIC header.
|
*
|
* @param httpRequest
|
* @param requiresCertificate
|
* @return a user object or null
|
*/
|
@Override
|
public UserModel authenticate(HttpServletRequest httpRequest, boolean requiresCertificate) {
|
// try to authenticate by certificate
|
boolean checkValidity = settings.getBoolean(Keys.git.enforceCertificateValidity, true);
|
String [] oids = settings.getStrings(Keys.git.certificateUsernameOIDs).toArray(new String[0]);
|
UserModel model = HttpUtils.getUserModelFromCertificate(httpRequest, checkValidity, oids);
|
if (model != null) {
|
// grab real user model and preserve certificate serial number
|
UserModel user = userManager.getUserModel(model.username);
|
X509Metadata metadata = HttpUtils.getCertificateMetadata(httpRequest);
|
if (user != null) {
|
flagWicketSession(AuthenticationType.CERTIFICATE);
|
logger.debug(MessageFormat.format("{0} authenticated by client certificate {1} from {2}",
|
user.username, metadata.serialNumber, httpRequest.getRemoteAddr()));
|
return user;
|
} else {
|
logger.warn(MessageFormat.format("Failed to find UserModel for {0}, attempted client certificate ({1}) authentication from {2}",
|
model.username, metadata.serialNumber, httpRequest.getRemoteAddr()));
|
}
|
}
|
|
if (requiresCertificate) {
|
// caller requires client certificate authentication (e.g. git servlet)
|
return null;
|
}
|
|
// try to authenticate by servlet container principal
|
Principal principal = httpRequest.getUserPrincipal();
|
if (principal != null) {
|
String username = principal.getName();
|
if (!StringUtils.isEmpty(username)) {
|
boolean internalAccount = isInternalAccount(username);
|
UserModel user = userManager.getUserModel(username);
|
if (user != null) {
|
// existing user
|
flagWicketSession(AuthenticationType.CONTAINER);
|
logger.debug(MessageFormat.format("{0} authenticated by servlet container principal from {1}",
|
user.username, httpRequest.getRemoteAddr()));
|
return user;
|
} else if (settings.getBoolean(Keys.realm.container.autoCreateAccounts, false)
|
&& !internalAccount) {
|
// auto-create user from an authenticated container principal
|
user = new UserModel(username.toLowerCase());
|
user.displayName = username;
|
user.password = Constants.EXTERNAL_ACCOUNT;
|
userManager.updateUserModel(user);
|
flagWicketSession(AuthenticationType.CONTAINER);
|
logger.debug(MessageFormat.format("{0} authenticated and created by servlet container principal from {1}",
|
user.username, httpRequest.getRemoteAddr()));
|
return user;
|
} else if (!internalAccount) {
|
logger.warn(MessageFormat.format("Failed to find UserModel for {0}, attempted servlet container authentication from {1}",
|
principal.getName(), httpRequest.getRemoteAddr()));
|
}
|
}
|
}
|
|
// try to authenticate by cookie
|
if (userManager.supportsCookies()) {
|
UserModel user = authenticate(httpRequest.getCookies());
|
if (user != null) {
|
flagWicketSession(AuthenticationType.COOKIE);
|
logger.debug(MessageFormat.format("{0} authenticated by cookie from {1}",
|
user.username, httpRequest.getRemoteAddr()));
|
return user;
|
}
|
}
|
|
// try to authenticate by BASIC
|
final String authorization = httpRequest.getHeader("Authorization");
|
if (authorization != null && authorization.startsWith("Basic")) {
|
// Authorization: Basic base64credentials
|
String base64Credentials = authorization.substring("Basic".length()).trim();
|
String credentials = new String(Base64.decode(base64Credentials),
|
Charset.forName("UTF-8"));
|
// credentials = username:password
|
final String[] values = credentials.split(":", 2);
|
|
if (values.length == 2) {
|
String username = values[0];
|
char[] password = values[1].toCharArray();
|
UserModel user = authenticate(username, password);
|
if (user != null) {
|
flagWicketSession(AuthenticationType.CREDENTIALS);
|
logger.debug(MessageFormat.format("{0} authenticated by BASIC request header from {1}",
|
user.username, httpRequest.getRemoteAddr()));
|
return user;
|
} else {
|
logger.warn(MessageFormat.format("Failed login attempt for {0}, invalid credentials from {1}",
|
username, httpRequest.getRemoteAddr()));
|
}
|
}
|
}
|
return null;
|
}
|
|
/**
|
* Authenticate a user based on their cookie.
|
*
|
* @param cookies
|
* @return a user object or null
|
*/
|
protected UserModel authenticate(Cookie[] cookies) {
|
if (userManager.supportsCookies()) {
|
if (cookies != null && cookies.length > 0) {
|
for (Cookie cookie : cookies) {
|
if (cookie.getName().equals(Constants.NAME)) {
|
String value = cookie.getValue();
|
return userManager.authenticate(value.toCharArray());
|
}
|
}
|
}
|
}
|
return null;
|
}
|
|
protected void flagWicketSession(AuthenticationType authenticationType) {
|
RequestCycle requestCycle = RequestCycle.get();
|
if (requestCycle != null) {
|
// flag the Wicket session, if this is a Wicket request
|
GitBlitWebSession session = GitBlitWebSession.get();
|
session.authenticationType = authenticationType;
|
}
|
}
|
|
/**
|
* Authenticate a user based on a username and password.
|
*
|
* @see IUserService.authenticate(String, char[])
|
* @param username
|
* @param password
|
* @return a user object or null
|
*/
|
@Override
|
public UserModel authenticate(String username, char[] password) {
|
if (StringUtils.isEmpty(username)) {
|
// can not authenticate empty username
|
return null;
|
}
|
|
String usernameDecoded = StringUtils.decodeUsername(username);
|
String pw = new String(password);
|
if (StringUtils.isEmpty(pw)) {
|
// can not authenticate empty password
|
return null;
|
}
|
// check to see if this is the federation user
|
// if (canFederate()) {
|
// if (usernameDecoded.equalsIgnoreCase(Constants.FEDERATION_USER)) {
|
// List<String> tokens = getFederationTokens();
|
// if (tokens.contains(pw)) {
|
// return getFederationUser();
|
// }
|
// }
|
// }
|
|
UserModel user = userManager.authenticate(usernameDecoded, password);
|
|
// try registered external authentication providers
|
if (user == null) {
|
// for (AuthenticationService service : authenticationServices) {
|
// if (service instanceof UsernamePasswordAuthenticationService) {
|
// user = service.authenticate(usernameDecoded, password);
|
// if (user != null) {
|
// // user authenticated
|
// user.accountType = service.getAccountType();
|
// return user;
|
// }
|
// }
|
// }
|
}
|
return user;
|
}
|
|
/**
|
* Sets a cookie for the specified user.
|
*
|
* @param response
|
* @param user
|
*/
|
@Override
|
public void setCookie(HttpServletResponse response, UserModel user) {
|
GitBlitWebSession session = GitBlitWebSession.get();
|
boolean standardLogin = session.authenticationType.isStandard();
|
|
if (userManager.supportsCookies() && standardLogin) {
|
Cookie userCookie;
|
if (user == null) {
|
// clear cookie for logout
|
userCookie = new Cookie(Constants.NAME, "");
|
} else {
|
// set cookie for login
|
String cookie = userManager.getCookie(user);
|
if (StringUtils.isEmpty(cookie)) {
|
// create empty cookie
|
userCookie = new Cookie(Constants.NAME, "");
|
} else {
|
// create real cookie
|
userCookie = new Cookie(Constants.NAME, cookie);
|
userCookie.setMaxAge(Integer.MAX_VALUE);
|
}
|
}
|
userCookie.setPath("/");
|
response.addCookie(userCookie);
|
}
|
}
|
|
/**
|
* Logout a user.
|
*
|
* @param user
|
*/
|
@Override
|
public void logout(HttpServletResponse response, UserModel user) {
|
setCookie(response, null);
|
userManager.logout(user);
|
}
|
|
/**
|
* Returns true if the username represents an internal account
|
*
|
* @param username
|
* @return true if the specified username represents an internal account
|
*/
|
protected boolean isInternalAccount(String username) {
|
return !StringUtils.isEmpty(username)
|
&& (username.equalsIgnoreCase(Constants.FEDERATION_USER)
|
|| username.equalsIgnoreCase(UserModel.ANONYMOUS.username));
|
}
|
|
// protected UserModel getFederationUser() {
|
// // the federation user is an administrator
|
// UserModel federationUser = new UserModel(Constants.FEDERATION_USER);
|
// federationUser.canAdmin = true;
|
// return federationUser;
|
// }
|
}
|
