From 0e44acbb2fec928a1606dc60f427a148fff405c9 Mon Sep 17 00:00:00 2001
From: Mohamed Ragab <moragab@gmail.com>
Date: Wed, 02 May 2012 11:15:01 -0400
Subject: [PATCH] Added a script to facilitate setting the proxy host and port and no proxy hosts, and then it concatenates all the java system properties for setting the java proxy configurations and puts the resulting string in an environment variable JAVA_PROXY_CONFIG, modified the scripts gitblit, gitblit-ubuntu, and gitblit-centos to source the java-proxy-config.sh script and then include the resulting java proxy configuration in the java command
---
src/com/gitblit/AccessRestrictionFilter.java | 237 ++++++++++++++++-------------------------------------------
1 files changed, 65 insertions(+), 172 deletions(-)
diff --git a/src/com/gitblit/AccessRestrictionFilter.java b/src/com/gitblit/AccessRestrictionFilter.java
index 25adc52..e9b6587 100644
--- a/src/com/gitblit/AccessRestrictionFilter.java
+++ b/src/com/gitblit/AccessRestrictionFilter.java
@@ -16,34 +16,22 @@
package com.gitblit;
import java.io.IOException;
-import java.nio.charset.Charset;
-import java.security.Principal;
import java.text.MessageFormat;
-import java.util.Enumeration;
-import java.util.HashMap;
-import java.util.Map;
-import javax.servlet.Filter;
import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
-
-import org.eclipse.jgit.util.Base64;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
import com.gitblit.models.RepositoryModel;
import com.gitblit.models.UserModel;
import com.gitblit.utils.StringUtils;
/**
- * The AccessRestrictionFilter is a servlet filter that preprocesses requests
- * that match its url pattern definition in the web.xml file.
+ * The AccessRestrictionFilter is an AuthenticationFilter that confirms that the
+ * requested repository can be accessed by the anonymous or named user.
*
* The filter extracts the name of the repository from the url and determines if
* the requested action for the repository requires a Basic authentication
@@ -55,19 +43,7 @@
* @author James Moger
*
*/
-public abstract class AccessRestrictionFilter implements Filter {
-
- private static final String BASIC = "Basic";
-
- private static final String CHALLENGE = BASIC + " realm=\"" + Constants.NAME + "\"";
-
- private static final String SESSION_SECURED = "com.gitblit.secured";
-
- protected transient Logger logger;
-
- public AccessRestrictionFilter() {
- logger = LoggerFactory.getLogger(getClass());
- }
+public abstract class AccessRestrictionFilter extends AuthenticationFilter {
/**
* Extract the repository name from the url.
@@ -84,6 +60,15 @@
* @return action of the request
*/
protected abstract String getUrlRequestAction(String url);
+
+ /**
+ * Determine if the action may be executed on the repository.
+ *
+ * @param repository
+ * @param action
+ * @return true if the action may be performed
+ */
+ protected abstract boolean isActionAllowed(RepositoryModel repository, String action);
/**
* Determine if the repository requires authentication.
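Review bot: The Javadoc for the new `isActionAllowed` leaves both `@param` tags empty, and it is the one contract subclasses must get right because its result short-circuits the request before any credentials are examined. Fill them in with what this file establishes, e.g. `@param repository the model resolved for the name extracted by extractRepositoryName` and `@param action the value returned by getUrlRequestAction for this request`, and add one sentence stating that the check is independent of the requesting user so implementers do not encode per-user logic here. The abstract declaration is complete within this hunk; the call site is in the later doFilter hunk.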
@@ -118,26 +103,7 @@
HttpServletRequest httpRequest = (HttpServletRequest) request;
HttpServletResponse httpResponse = (HttpServletResponse) response;
- // Wrap the HttpServletRequest with the AccessRestrictionRequest which
- // overrides the servlet container user principal methods.
- // JGit requires either:
- //
- // 1. servlet container authenticated user
- // 2. http.receivepack = true in each repository's config
- //
- // Gitblit must conditionally authenticate users per-repository so just
- // enabling http.receivepack is insufficient.
-
- AccessRestrictionRequest accessRequest = new AccessRestrictionRequest(httpRequest);
-
- String servletUrl = httpRequest.getContextPath() + httpRequest.getServletPath();
- String url = httpRequest.getRequestURI().substring(servletUrl.length());
- String params = httpRequest.getQueryString();
- if (url.length() > 0 && url.charAt(0) == '/') {
- url = url.substring(1);
- }
- String fullUrl = url + (StringUtils.isEmpty(params) ? "" : ("?" + params));
-
+ String fullUrl = getFullUrl(httpRequest);
String repository = extractRepositoryName(fullUrl);
// Determine if the request URL is restricted
@@ -148,145 +114,72 @@
RepositoryModel model = GitBlit.self().getRepositoryModel(repository);
if (model == null) {
// repository not found. send 404.
- logger.info("ARF: " + fullUrl + " (" + HttpServletResponse.SC_NOT_FOUND + ")");
+ logger.info(MessageFormat.format("ARF: {0} ({1})", fullUrl,
+ HttpServletResponse.SC_NOT_FOUND));
httpResponse.sendError(HttpServletResponse.SC_NOT_FOUND);
return;
+ }
+
+ // Confirm that the action may be executed on the repository
+ if (!isActionAllowed(model, urlRequestType)) {
+ logger.info(MessageFormat.format("ARF: action {0} on {1} forbidden ({2})",
+ urlRequestType, model, HttpServletResponse.SC_FORBIDDEN));
+ httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
+ return;
+ }
+
+ // Wrap the HttpServletRequest with the AccessRestrictionRequest which
+ // overrides the servlet container user principal methods.
+ // JGit requires either:
+ //
+ // 1. servlet container authenticated user
+ // 2. http.receivepack = true in each repository's config
+ //
+ // Gitblit must conditionally authenticate users per-repository so just
+ // enabling http.receivepack is insufficient.
+ AuthenticatedRequest authenticatedRequest = new AuthenticatedRequest(httpRequest);
+ UserModel user = getUser(httpRequest);
+ if (user != null) {
+ authenticatedRequest.setUser(user);
}
// BASIC authentication challenge and response processing
if (!StringUtils.isEmpty(urlRequestType) && requiresAuthentication(model)) {
- // look for client authorization credentials in header
- final String authorization = httpRequest.getHeader("Authorization");
- if (authorization != null && authorization.startsWith(BASIC)) {
- // Authorization: Basic base64credentials
- String base64Credentials = authorization.substring(BASIC.length()).trim();
- String credentials = new String(Base64.decode(base64Credentials),
- Charset.forName("UTF-8"));
- // credentials = username:password
- final String[] values = credentials.split(":");
-
- if (values.length == 2) {
- String username = values[0];
- char[] password = values[1].toCharArray();
- UserModel user = GitBlit.self().authenticate(username, password);
- if (user != null) {
- accessRequest.setUser(user);
- if (user.canAdmin || canAccess(model, user, urlRequestType)) {
- // authenticated request permitted.
- // pass processing to the restricted servlet.
- newSession(accessRequest, httpResponse);
- logger.info("ARF: " + fullUrl + " (" + HttpServletResponse.SC_CONTINUE
- + ") authenticated");
- chain.doFilter(accessRequest, httpResponse);
- return;
- }
- // valid user, but not for requested access. send 403.
- if (GitBlit.isDebugMode()) {
- logger.info("ARF: " + fullUrl + " (" + HttpServletResponse.SC_FORBIDDEN
- + ")");
- logger.info(MessageFormat.format("AUTH: {0} forbidden to access {1}",
- user.username, url));
- }
- httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
- return;
- }
- }
+ if (user == null) {
+ // challenge client to provide credentials. send 401.
if (GitBlit.isDebugMode()) {
- logger.info(MessageFormat
- .format("AUTH: invalid credentials ({0})", credentials));
+ logger.info(MessageFormat.format("ARF: CHALLENGE {0}", fullUrl));
}
+ httpResponse.setHeader("WWW-Authenticate", CHALLENGE);
+ httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+ return;
+ } else {
+ // check user access for request
+ if (user.canAdmin || canAccess(model, user, urlRequestType)) {
+ // authenticated request permitted.
+ // pass processing to the restricted servlet.
+ newSession(authenticatedRequest, httpResponse);
+ logger.info(MessageFormat.format("ARF: {0} ({1}) authenticated", fullUrl,
+ HttpServletResponse.SC_CONTINUE));
+ chain.doFilter(authenticatedRequest, httpResponse);
+ return;
+ }
+ // valid user, but not for requested access. send 403.
+ if (GitBlit.isDebugMode()) {
+ logger.info(MessageFormat.format("ARF: {0} forbidden to access {1}",
+ user.username, fullUrl));
+ }
+ httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
+ return;
}
-
- // challenge client to provide credentials. send 401.
- if (GitBlit.isDebugMode()) {
- logger.info("ARF: " + fullUrl + " (" + HttpServletResponse.SC_UNAUTHORIZED + ")");
- logger.info("AUTH: Challenge " + CHALLENGE);
- }
- httpResponse.setHeader("WWW-Authenticate", CHALLENGE);
- httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
- return;
}
if (GitBlit.isDebugMode()) {
- logger.info("ARF: " + fullUrl + " (" + HttpServletResponse.SC_CONTINUE
- + ") unauthenticated");
+ logger.info(MessageFormat.format("ARF: {0} ({1}) unauthenticated", fullUrl,
+ HttpServletResponse.SC_CONTINUE));
}
// unauthenticated request permitted.
// pass processing to the restricted servlet.
- chain.doFilter(accessRequest, httpResponse);
- }
-
- /**
- * Taken from Jetty's LoginAuthenticator.renewSessionOnAuthentication()
- */
- protected void newSession(HttpServletRequest request, HttpServletResponse response) {
- HttpSession oldSession = request.getSession(false);
- if (oldSession != null && oldSession.getAttribute(SESSION_SECURED) == null) {
- synchronized (this) {
- Map<String, Object> attributes = new HashMap<String, Object>();
- Enumeration<String> e = oldSession.getAttributeNames();
- while (e.hasMoreElements()) {
- String name = e.nextElement();
- attributes.put(name, oldSession.getAttribute(name));
- oldSession.removeAttribute(name);
- }
- oldSession.invalidate();
-
- HttpSession newSession = request.getSession(true);
- newSession.setAttribute(SESSION_SECURED, Boolean.TRUE);
- for (Map.Entry<String, Object> entry : attributes.entrySet()) {
- newSession.setAttribute(entry.getKey(), entry.getValue());
- }
- }
- }
- }
-
- /**
- * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
- */
- @Override
- public void init(final FilterConfig config) throws ServletException {
- }
-
- /**
- * @see javax.servlet.Filter#destroy()
- */
- @Override
- public void destroy() {
- }
-
- /**
- * Wraps a standard HttpServletRequest and overrides user principal methods.
- */
- public static class AccessRestrictionRequest extends ServletRequestWrapper {
-
- private UserModel user;
-
- public AccessRestrictionRequest(HttpServletRequest req) {
- super(req);
- user = new UserModel("anonymous");
- }
-
- void setUser(UserModel user) {
- this.user = user;
- }
-
- @Override
- public String getRemoteUser() {
- return user.username;
- }
-
- @Override
- public boolean isUserInRole(String role) {
- if (role.equals(Constants.ADMIN_ROLE)) {
- return user.canAdmin;
- }
- return user.canAccessRepository(role);
- }
-
- @Override
- public Principal getUserPrincipal() {
- return user;
- }
+ chain.doFilter(authenticatedRequest, httpResponse);
}
}
\ No newline at end of file
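Review bot: The 403 on the `isActionAllowed` branch is sent before `getUser(httpRequest)` runs, so this is a repository-level gate that even `user.canAdmin` further down cannot override, and an unauthenticated client learns which actions a restricted repository disables before being challenged; if that ordering is intended it deserves a comment such as `// repository-level policy: evaluated before credentials, so admins cannot override it`. That same log line passes `model` to MessageFormat, which prints whatever RepositoryModel.toString() yields; pass `repository` instead so it matches the other ARF lines: `urlRequestType, repository, HttpServletResponse.SC_FORBIDDEN));`. The closing log still says "unauthenticated" even though `user` may be non-null when requiresAuthentication(model) is false, which misleads anyone reconstructing an incident from logs; consider `user == null ? "unauthenticated" : "authenticated as " + user.username`. Basic-credential parsing now lives in the inherited getUser(), which is not visible here, so confirm it splits on the first ':' only (the removed `split(":")` rejected passwords containing a colon) and that it no longer logs the decoded credentials as the removed debug line did. doFilter's signature lies above this hunk.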
--
Gitblit v1.9.1