From 0e44acbb2fec928a1606dc60f427a148fff405c9 Mon Sep 17 00:00:00 2001
From: Mohamed Ragab <moragab@gmail.com>
Date: Wed, 02 May 2012 11:15:01 -0400
Subject: [PATCH] Added a script to facilitate setting the proxy host and port and no proxy hosts, and then it concatenates all the java system properties for setting the java proxy configurations and puts the resulting string in an environment variable JAVA_PROXY_CONFIG, modified the scirpts gitblit, gitblit-ubuntu, and gitblit-centos to source the java-proxy-config.sh script and then include the resulting java proxy configuration in the java command
---
src/com/gitblit/LdapUserService.java | 155 +++++++++++++++++++++++++++++++++++++++------------
1 files changed, 118 insertions(+), 37 deletions(-)
diff --git a/src/com/gitblit/LdapUserService.java b/src/com/gitblit/LdapUserService.java
index 9fcef9d..78b5f99 100644
--- a/src/com/gitblit/LdapUserService.java
+++ b/src/com/gitblit/LdapUserService.java
@@ -20,6 +20,7 @@
import java.net.URI;
import java.net.URISyntaxException;
import java.security.GeneralSecurityException;
+import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -55,7 +56,7 @@
@Override
public void setup(IStoredSettings settings) {
this.settings = settings;
- String file = settings.getString(Keys.realm.ldap_backingUserService, "users.conf");
+ String file = settings.getString(Keys.realm.ldap.backingUserService, "users.conf");
File realmFile = GitBlit.getFileOrFolder(file);
serviceImpl = createUserService(realmFile);
@@ -64,9 +65,9 @@
private LDAPConnection getLdapConnection() {
try {
- URI ldapUrl = new URI(settings.getRequiredString(Keys.realm.ldap_server));
- String bindUserName = settings.getString(Keys.realm.ldap_username, "");
- String bindPassword = settings.getString(Keys.realm.ldap_password, "");
+ URI ldapUrl = new URI(settings.getRequiredString(Keys.realm.ldap.server));
+ String bindUserName = settings.getString(Keys.realm.ldap.username, "");
+ String bindPassword = settings.getString(Keys.realm.ldap.password, "");
int ldapPort = ldapUrl.getPort();
if (ldapUrl.getScheme().equalsIgnoreCase("ldaps")) { // SSL
@@ -105,6 +106,29 @@
}
/**
+ * If no displayName pattern is defined then Gitblit can manage the display name.
+ *
+ * @return true if Gitblit can manage the user display name
+ * @since 1.0.0
+ */
+ @Override
+ public boolean supportsDisplayNameChanges() {
+ return StringUtils.isEmpty(settings.getString(Keys.realm.ldap.displayName, ""));
+ }
+
+ /**
+ * If no email pattern is defined then Gitblit can manage the email address.
+ *
+ * @return true if Gitblit can manage the user email address
+ * @since 1.0.0
+ */
+ @Override
+ public boolean supportsEmailAddressChanges() {
+ return StringUtils.isEmpty(settings.getString(Keys.realm.ldap.email, ""));
+ }
+
+
+ /**
* If the LDAP server will maintain team memberships then LdapUserService
* will not allow team membership changes. In this scenario all team
* changes must be made on the LDAP server by the LDAP administrator.
@@ -113,7 +137,7 @@
* @since 1.0.0
*/
public boolean supportsTeamMembershipChanges() {
- return !settings.getBoolean(Keys.realm.ldap_maintainTeams, false);
+ return !settings.getBoolean(Keys.realm.ldap.maintainTeams, false);
}
/**
@@ -134,9 +158,9 @@
LDAPConnection ldapConnection = getLdapConnection();
if (ldapConnection != null) {
// Find the logging in user's DN
- String accountBase = settings.getString(Keys.realm.ldap_accountBase, "");
- String accountPattern = settings.getString(Keys.realm.ldap_accountPattern, "(&(objectClass=person)(sAMAccountName=${username}))");
- accountPattern = StringUtils.replace(accountPattern, "${username}", simpleUsername);
+ String accountBase = settings.getString(Keys.realm.ldap.accountBase, "");
+ String accountPattern = settings.getString(Keys.realm.ldap.accountPattern, "(&(objectClass=person)(sAMAccountName=${username}))");
+ accountPattern = StringUtils.replace(accountPattern, "${username}", escapeLDAPSearchFilter(simpleUsername));
SearchResult result = doSearch(ldapConnection, accountBase, accountPattern);
if (result != null && result.getEntryCount() == 1) {
@@ -144,19 +168,19 @@
String loggingInUserDN = loggingInUser.getDN();
if (isAuthenticated(ldapConnection, loggingInUserDN, new String(password))) {
- logger.debug("Authenitcated: " + username);
+ logger.debug("LDAP authenticated: " + username);
UserModel user = getUserModel(simpleUsername);
if (user == null) // create user object for new authenticated user
- user = createUserFromLdap(simpleUsername, loggingInUser);
+ user = new UserModel(simpleUsername);
- user.password = "StoredInLDAP";
+
if (!supportsTeamMembershipChanges())
getTeamsFromLdap(ldapConnection, simpleUsername, loggingInUser, user);
- // Get Admin Attributes
- setAdminAttribute(user);
+ // Get User Attributes
+ setUserAttributes(user, loggingInUser);
// Push the ldap looked up values to backing file
super.updateUserModel(user);
@@ -174,16 +198,50 @@
}
private void setAdminAttribute(UserModel user) {
- String adminString = settings.getString(Keys.realm.ldap_admins, "");
- String[] admins = adminString.split(" ");
- user.canAdmin = false;
- for (String admin : admins) {
- if (admin.startsWith("@")) { // Team
- if (user.getTeam(admin.substring(1)) != null)
- user.canAdmin = true;
- } else
- if (user.getName().equalsIgnoreCase(admin))
- user.canAdmin = true;
+ user.canAdmin = false;
+ List<String> admins = settings.getStrings(Keys.realm.ldap.admins);
+ for (String admin : admins) {
+ if (admin.startsWith("@")) { // Team
+ if (user.getTeam(admin.substring(1)) != null)
+ user.canAdmin = true;
+ } else
+ if (user.getName().equalsIgnoreCase(admin))
+ user.canAdmin = true;
+ }
+ }
+
+ private void setUserAttributes(UserModel user, SearchResultEntry userEntry) {
+ // Is this user an admin?
+ setAdminAttribute(user);
+
+ // Don't want visibility into the real password, make up a dummy
+ user.password = "StoredInLDAP";
+
+ // Get full name Attribute
+ String displayName = settings.getString(Keys.realm.ldap.displayName, "");
+ if (!StringUtils.isEmpty(displayName)) {
+ // Replace embedded ${} with attributes
+ if (displayName.contains("${")) {
+ for (Attribute userAttribute : userEntry.getAttributes())
+ displayName = StringUtils.replace(displayName, "${" + userAttribute.getName() + "}", userAttribute.getValue());
+
+ user.displayName = displayName;
+ } else {
+ user.displayName = userEntry.getAttribute(displayName).getValue();
+ }
+ }
+
+ // Get email address Attribute
+ String email = settings.getString(Keys.realm.ldap.email, "");
+ if (!StringUtils.isEmpty(email)) {
+ if (email.contains("${")) {
+ for (Attribute userAttribute : userEntry.getAttributes())
+ email = StringUtils.replace(email, "${" + userAttribute.getName() + "}", userAttribute.getValue());
+
+ user.emailAddress = email;
+ } else {
+ user.emailAddress = userEntry.getAttribute(email).getValue();
+ }
}
}
@@ -191,15 +249,15 @@
String loggingInUserDN = loggingInUser.getDN();
user.teams.clear(); // Clear the users team memberships - we're going to get them from LDAP
- String groupBase = settings.getString(Keys.realm.ldap_groupBase, "");
- String groupMemberPattern = settings.getString(Keys.realm.ldap_groupMemberPattern, "(&(objectClass=group)(member=${dn}))");
+ String groupBase = settings.getString(Keys.realm.ldap.groupBase, "");
+ String groupMemberPattern = settings.getString(Keys.realm.ldap.groupMemberPattern, "(&(objectClass=group)(member=${dn}))");
- groupMemberPattern = StringUtils.replace(groupMemberPattern, "${dn}", loggingInUserDN);
- groupMemberPattern = StringUtils.replace(groupMemberPattern, "${username}", simpleUsername);
+ groupMemberPattern = StringUtils.replace(groupMemberPattern, "${dn}", escapeLDAPSearchFilter(loggingInUserDN));
+ groupMemberPattern = StringUtils.replace(groupMemberPattern, "${username}", escapeLDAPSearchFilter(simpleUsername));
// Fill in attributes into groupMemberPattern
for (Attribute userAttribute : loggingInUser.getAttributes())
- groupMemberPattern = StringUtils.replace(groupMemberPattern, "${" + userAttribute.getName() + "}", userAttribute.getValue());
+ groupMemberPattern = StringUtils.replace(groupMemberPattern, "${" + userAttribute.getName() + "}", escapeLDAPSearchFilter(userAttribute.getValue()));
SearchResult teamMembershipResult = doSearch(ldapConnection, groupBase, groupMemberPattern);
if (teamMembershipResult != null && teamMembershipResult.getEntryCount() > 0) {
@@ -219,16 +277,9 @@
private TeamModel createTeamFromLdap(SearchResultEntry teamEntry) {
TeamModel answer = new TeamModel(teamEntry.getAttributeValue("cn"));
- // If attributes other than team name ever from from LDAP, this is where to get them
+ // potentially retrieve other attributes here in the future
return answer;
- }
-
- private UserModel createUserFromLdap(String simpleUserName, SearchResultEntry userEntry) {
- UserModel answer = new UserModel(simpleUserName);
- //If attributes other than user name ever from from LDAP, this is where to get them
-
- return answer;
}
private SearchResult doSearch(LDAPConnection ldapConnection, String base, String filter) {
@@ -243,10 +294,11 @@
private boolean isAuthenticated(LDAPConnection ldapConnection, String userDn, String password) {
try {
+ // Binding will stop any LDAP-Injection Attacks since the searched-for user needs to bind to that DN
ldapConnection.bind(userDn, password);
return true;
} catch (LDAPException e) {
- logger.error("Error authenitcating user", e);
+ logger.error("Error authenticating user", e);
return false;
}
}
@@ -263,6 +315,35 @@
if (lastSlash > -1) {
username = username.substring(lastSlash + 1);
}
+
return username;
}
+
+ // From: https://www.owasp.org/index.php/Preventing_LDAP_Injection_in_Java
+ public static final String escapeLDAPSearchFilter(String filter) {
+ StringBuilder sb = new StringBuilder();
+ for (int i = 0; i < filter.length(); i++) {
+ char curChar = filter.charAt(i);
+ switch (curChar) {
+ case '\\':
+ sb.append("\\5c");
+ break;
+ case '*':
+ sb.append("\\2a");
+ break;
+ case '(':
+ sb.append("\\28");
+ break;
+ case ')':
+ sb.append("\\29");
+ break;
+ case '\u0000':
+ sb.append("\\00");
+ break;
+ default:
+ sb.append(curChar);
+ }
+ }
+ return sb.toString();
+ }
}
--
Gitblit v1.9.1