From f3b625d298bab922c64192c25914e352bd87e59e Mon Sep 17 00:00:00 2001
From: John Crygier <john.crygier@aon.com>
Date: Tue, 10 Apr 2012 13:48:06 -0400
Subject: [PATCH] Rework LDAP implementation with unboundid. Also allows for an LDAP server to be started with Gitblit GO (backed by an LDIF file).
---
src/com/gitblit/utils/StringUtils.java | 28 ++
NOTICE | 10
.classpath | 1
src/com/gitblit/LdapUserService.java | 238 ++++++++++++-------
tests/com/gitblit/tests/resources/ldapUserServiceSampleData.ldif | 80 ++++++
tests/com/gitblit/tests/mock/MemorySettings.java | 50 ++++
src/com/gitblit/wicket/pages/EditUserPage.java | 64 ++--
distrib/gitblit.properties | 52 +++
src/com/gitblit/build/Build.java | 6
src/com/gitblit/GitBlitServer.java | 35 ++
docs/04_design.mkd | 1
src/com/gitblit/GitblitUserService.java | 15 +
tests/com/gitblit/tests/LdapUserServiceTest.java | 104 ++++++++
13 files changed, 557 insertions(+), 127 deletions(-)
diff --git a/.classpath b/.classpath
index b0f1f86..f636f49 100644
--- a/.classpath
+++ b/.classpath
@@ -30,5 +30,6 @@
<classpathentry kind="lib" path="ext/org.eclipse.jgit.http.server-1.3.0.201202151440-r.jar" sourcepath="ext/org.eclipse.jgit.http.server-1.3.0.201202151440-r-sources.jar"/>
<classpathentry kind="lib" path="ext/lucene-highlighter-3.5.0.jar" sourcepath="ext/lucene-highlighter-3.5.0-sources.jar"/>
<classpathentry kind="lib" path="ext/lucene-memory-3.5.0.jar" sourcepath="ext/lucene-memory-3.5.0-sources.jar"/>
+ <classpathentry kind="lib" path="ext/unboundid-ldapsdk-2.3.0.jar" sourcepath="ext/unboundid-ldapsdk-2.3.0-sources.jar"/>
<classpathentry kind="output" path="bin"/>
</classpath>
diff --git a/NOTICE b/NOTICE
index f394d86..022ddd7 100644
--- a/NOTICE
+++ b/NOTICE
@@ -214,4 +214,12 @@
Creative Commons CC-BY License.
http://glyphicons.com
-
\ No newline at end of file
+
+---------------------------------------------------------------------------
+UnboundID
+---------------------------------------------------------------------------
+ UnboundID, released under the
+ GNU LESSER GENERAL PUBLIC LICENSE. (http://www.unboundid.com/products/ldap-sdk/docs/LICENSE-LGPLv2.1.txt)
+
+ http://www.unboundid.com
+
\ No newline at end of file
diff --git a/distrib/gitblit.properties b/distrib/gitblit.properties
index acceb88..147f2a1 100644
--- a/distrib/gitblit.properties
+++ b/distrib/gitblit.properties
@@ -141,13 +141,6 @@
# SINCE 1.0.0
realm.ldap.server = ldap://my.ldap.server
-# The LDAP domain to prepend to all usernames during authentication. If
-# unspecified, all logins must prepend the domain to their username.
-# e.g. mydomain
-#
-# SINCE 1.0.0
-realm.ldap.domain =
-
# Login username for LDAP searches.
# The domain prefix may be omitted if it matches the domain specified in
# *realm.ldap.domain*. If this value is unspecified, anonymous LDAP login will
@@ -182,6 +175,51 @@
# SINCE 1.0.0
realm.ldap.maintainTeams = false
+# Root node that all Users sit under in LDAP
+#
+# This is the node that searches for user information will begin from in LDAP
+# If blank, it will search ALL of ldap.
+#
+# SINCE 1.0.0
+realm.ldap.accountBase = ou=people,dc=example,dc=com
+
+# Filter Criteria for Users in LDAP
+#
+# Query pattern to use when searching for a user account. This may be any valid
+# LDAP query expression, including the standard (&) and (|) operators.
+# The variable ${username} is replaced by the string entered by the end user
+#
+# SINCE 1.0.0
+realm.ldap.accountPattern = (&(objectClass=person)(sAMAccountName=${username}))
+
+# Root node that all Teams sit under in LDAP
+#
+# This is the node that searches for user information will begin from in LDAP
+# If blank, it will search ALL of ldap.
+#
+# SINCE 1.0.0
+realm.ldap.groupBase = ou=groups,dc=example,dc=com
+
+# Filter Criteria for Teams in LDAP
+#
+# Query pattern to use when searching for a team. This may be any valid
+# LDAP query expression, including the standard (&) and (|) operators.
+# The variable ${username} is replaced by the string entered by the end user.
+# Other variables appearing in the pattern, such as ${fooBarAttribute},
+# are replaced with the value of the corresponding attribute (in this case, fooBarAttribute)
+# as read from the user's account object matched under realm.ldap.accountBase. Attributes such
+# as ${dn} or ${uidNumber} may be useful.
+#
+# SINCE 1.0.0
+realm.ldap.groupMemberPattern = (&(objectClass=group)(member=${dn}))
+
+# Users and or teams that are Admins, read from LDAP
+#
+# This is a space delimited list. If it starts with @, it indicates a Team Name
+#
+# SINCE 1.0.0
+realm.ldap.admins= @Git_Admins
+
#
# Gitblit Web Settings
#
diff --git a/docs/04_design.mkd b/docs/04_design.mkd
index a439edf..64dce43 100644
--- a/docs/04_design.mkd
+++ b/docs/04_design.mkd
@@ -38,6 +38,7 @@
- [javamail](http://kenai.com/projects/javamail) (CDDL-1.0, BSD, GPL-2.0, GNU-Classpath)
- [Groovy](http://groovy.codehaus.org) (Apache 2.0)
- [Lucene](http://lucene.apache.org) (Apache 2.0)
+- [UnboundID](http://www.unboundid.com) (LGPL 2.1)
### Other Build Dependencies
- [Fancybox image viewer](http://fancybox.net) (MIT and GPL dual-licensed)
diff --git a/src/com/gitblit/GitBlitServer.java b/src/com/gitblit/GitBlitServer.java
index 3f996fc..e8ee89c 100644
--- a/src/com/gitblit/GitBlitServer.java
+++ b/src/com/gitblit/GitBlitServer.java
@@ -29,6 +29,7 @@
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.List;
+import java.util.Scanner;
import org.eclipse.jetty.ajp.Ajp13SocketConnector;
import org.eclipse.jetty.server.Connector;
@@ -50,6 +51,10 @@
import com.beust.jcommander.ParameterException;
import com.beust.jcommander.Parameters;
import com.gitblit.utils.StringUtils;
+import com.unboundid.ldap.listener.InMemoryDirectoryServer;
+import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
+import com.unboundid.ldap.listener.InMemoryListenerConfig;
+import com.unboundid.ldif.LDIFReader;
/**
* GitBlitServer is the embedded Jetty server for Gitblit GO. This class starts
@@ -266,6 +271,33 @@
// Override settings from the command-line
settings.overrideSetting(Keys.realm.userService, params.userService);
settings.overrideSetting(Keys.git.repositoriesFolder, params.repositoriesFolder);
+
+ // Start up an in-memory LDAP server, if configured
+ try {
+ if (StringUtils.isEmpty(params.ldapLdifFile) == false) {
+ File ldifFile = new File(params.ldapLdifFile);
+ if (ldifFile != null && ldifFile.exists()) {
+ String firstLine = new Scanner(ldifFile).nextLine();
+ String rootDN = firstLine.substring(4);
+ String bindUserName = settings.getString(Keys.realm.ldap_username, "");
+ String bindPassword = settings.getString(Keys.realm.ldap_password, "");
+
+ InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig(rootDN);
+ config.addAdditionalBindCredentials(bindUserName, bindPassword);
+ config.setListenerConfigs(InMemoryListenerConfig.createLDAPConfig("default", 389));
+ config.setSchema(null);
+
+ InMemoryDirectoryServer ds = new InMemoryDirectoryServer(config);
+ ds.importFromLDIF(true, new LDIFReader(ldifFile));
+ ds.startListening();
+
+ logger.info("LDAP Server started at ldap://localhost:389");
+ }
+ }
+ } catch (Exception e) {
+ // Completely optional, just show a warning
+ logger.warn("Unable to start LDAP server", e);
+ }
// Set the server's contexts
server.setHandler(rootContext);
@@ -504,6 +536,9 @@
*/
@Parameter(names = { "--settings" }, description = "Path to alternative settings")
public String settingsfile;
+
+ @Parameter(names = { "--ldapLdifFile" }, description = "Path to LDIF file. This will cause an in-memory LDAP server to be started according to gitblit settings")
+ public String ldapLdifFile;
}
}
\ No newline at end of file
diff --git a/src/com/gitblit/GitblitUserService.java b/src/com/gitblit/GitblitUserService.java
index 1514b6b..ddb3ca7 100644
--- a/src/com/gitblit/GitblitUserService.java
+++ b/src/com/gitblit/GitblitUserService.java
@@ -156,9 +156,12 @@
public boolean updateUserModel(String username, UserModel model) {
if (supportsCredentialChanges()) {
if (!supportsTeamMembershipChanges()) {
- // teams are externally controlled
+ // teams are externally controlled - copy from original model
+ UserModel existingModel = getUserModel(username);
+
model = DeepCopier.copy(model);
model.teams.clear();
+ model.teams.addAll(existingModel.teams);
}
return serviceImpl.updateUserModel(username, model);
}
@@ -166,9 +169,12 @@
// passwords are not persisted by the backing user service
model.password = null;
if (!supportsTeamMembershipChanges()) {
- // teams are externally controlled
+ // teams are externally controlled- copy from original model
+ UserModel existingModel = getUserModel(username);
+
model = DeepCopier.copy(model);
model.teams.clear();
+ model.teams.addAll(existingModel.teams);
}
return serviceImpl.updateUserModel(username, model);
}
@@ -228,9 +234,12 @@
@Override
public boolean updateTeamModel(String teamname, TeamModel model) {
if (!supportsTeamMembershipChanges()) {
- // teams are externally controlled
+ // teams are externally controlled - copy from original model
+ TeamModel existingModel = getTeamModel(teamname);
+
model = DeepCopier.copy(model);
model.users.clear();
+ model.users.addAll(existingModel.users);
}
return serviceImpl.updateTeamModel(teamname, model);
}
diff --git a/src/com/gitblit/LdapUserService.java b/src/com/gitblit/LdapUserService.java
index 3ec45e1..c67d17b 100644
--- a/src/com/gitblit/LdapUserService.java
+++ b/src/com/gitblit/LdapUserService.java
@@ -17,23 +17,25 @@
package com.gitblit;
import java.io.File;
-import java.text.MessageFormat;
-import java.util.HashSet;
-import java.util.Hashtable;
-import java.util.Set;
-
-import javax.naming.Context;
-import javax.naming.NamingException;
-import javax.naming.directory.DirContext;
-import javax.naming.directory.InitialDirContext;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.security.GeneralSecurityException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.gitblit.models.TeamModel;
import com.gitblit.models.UserModel;
-import com.gitblit.utils.ConnectionUtils.BlindSSLSocketFactory;
import com.gitblit.utils.StringUtils;
+import com.unboundid.ldap.sdk.Attribute;
+import com.unboundid.ldap.sdk.LDAPConnection;
+import com.unboundid.ldap.sdk.LDAPException;
+import com.unboundid.ldap.sdk.LDAPSearchException;
+import com.unboundid.ldap.sdk.SearchResult;
+import com.unboundid.ldap.sdk.SearchResultEntry;
+import com.unboundid.ldap.sdk.SearchScope;
+import com.unboundid.util.ssl.SSLUtil;
+import com.unboundid.util.ssl.TrustAllTrustManager;
/**
* Implementation of an LDAP user service.
@@ -43,8 +45,7 @@
public class LdapUserService extends GitblitUserService {
public static final Logger logger = LoggerFactory.getLogger(LdapUserService.class);
- private final String CONTEXT_FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";
-
+
private IStoredSettings settings;
public LdapUserService() {
@@ -59,6 +60,36 @@
serviceImpl = createUserService(realmFile);
logger.info("LDAP User Service backed by " + serviceImpl.toString());
+ }
+
+ private LDAPConnection getLdapConnection() {
+ try {
+ URI ldapUrl = new URI(settings.getRequiredString(Keys.realm.ldap_server));
+ String bindUserName = settings.getString(Keys.realm.ldap_username, "");
+ String bindPassword = settings.getString(Keys.realm.ldap_password, "");
+ int ldapPort = ldapUrl.getPort();
+
+ if (ldapUrl.getScheme().equalsIgnoreCase("ldaps")) { // SSL
+ if (ldapPort == -1) // Default Port
+ ldapPort = 636;
+
+ SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager());
+ return new LDAPConnection(sslUtil.createSSLSocketFactory(), ldapUrl.getHost(), ldapPort, bindUserName, bindPassword);
+ } else {
+ if (ldapPort == -1) // Default Port
+ ldapPort = 389;
+
+ return new LDAPConnection(ldapUrl.getHost(), ldapPort, bindUserName, bindPassword);
+ }
+ } catch (URISyntaxException e) {
+ logger.error("Bad LDAP URL, should be in the form: ldap(s)://<server>:<port>", e);
+ } catch (GeneralSecurityException e) {
+ logger.error("Unable to create SSL Connection", e);
+ } catch (LDAPException e) {
+ logger.error("Error Connecting to LDAP", e);
+ }
+
+ return null;
}
/**
@@ -98,75 +129,128 @@
@Override
public UserModel authenticate(String username, char[] password) {
- String domainUser = getDomainUsername(username);
- DirContext ctx = getDirContext(domainUser, new String(password));
- // TODO do we need a bind here?
- if (ctx != null) {
- String simpleUsername = getSimpleUsername(username);
- UserModel user = getUserModel(simpleUsername);
- if (user == null) {
- // create user object for new authenticated user
- user = new UserModel(simpleUsername.toLowerCase());
- }
- user.password = new String(password);
+ String simpleUsername = getSimpleUsername(username);
+
+ LDAPConnection ldapConnection = getLdapConnection();
+ if (ldapConnection != null) {
+ // Find the logging in user's DN
+ String accountBase = settings.getString(Keys.realm.ldap_accountBase, "");
+ String accountPattern = settings.getString(Keys.realm.ldap_accountPattern, "(&(objectClass=person)(sAMAccountName=${username}))");
+ accountPattern = StringUtils.replace(accountPattern, "${username}", simpleUsername);
- if (!supportsTeamMembershipChanges()) {
- // Teams are specified in LDAP server
- // TODO search LDAP for team memberships
- Set<String> foundTeams = new HashSet<String>();
- for (String team : foundTeams) {
- TeamModel model = getTeamModel(team);
- if (model == null) {
- // create the team
- model = new TeamModel(team.toLowerCase());
- updateTeamModel(model);
+ SearchResult result = doSearch(ldapConnection, accountBase, accountPattern);
+ if (result != null && result.getEntryCount() == 1) {
+ SearchResultEntry loggingInUser = result.getSearchEntries().get(0);
+ String loggingInUserDN = loggingInUser.getDN();
+
+ if (isAuthenticated(ldapConnection, loggingInUserDN, new String(password))) {
+ logger.debug("Authenitcated: " + username);
+
+ UserModel user = getUserModel(simpleUsername);
+ if (user == null) // create user object for new authenticated user
+ user = createUserFromLdap(loggingInUser);
+
+ user.password = "StoredInLDAP";
+
+ if (!supportsTeamMembershipChanges())
+ getTeamsFromLdap(ldapConnection, simpleUsername, loggingInUser, user);
+
+ // Get Admin Attributes
+ setAdminAttribute(user);
+
+ // Push the ldap looked up values to backing file
+ super.updateUserModel(user);
+ if (!supportsTeamMembershipChanges()) {
+ for (TeamModel userTeam : user.teams)
+ updateTeamModel(userTeam);
}
- // add team to the user
- user.teams.add(model);
+
+ return user;
}
}
-
- try {
- ctx.close();
- } catch (NamingException e) {
- logger.error("Can not close context", e);
- }
- return user;
- }
+ }
+
return null;
- }
-
- protected DirContext getDirContext() {
- String username = settings.getString(Keys.realm.ldap_username, "");
- String password = settings.getString(Keys.realm.ldap_password, "");
- return getDirContext(username, password);
}
- protected DirContext getDirContext(String username, String password) {
- try {
- String server = settings.getRequiredString(Keys.realm.ldap_server);
- Hashtable<String, String> env = new Hashtable<String, String>();
- env.put(Context.INITIAL_CONTEXT_FACTORY, CONTEXT_FACTORY);
- env.put(Context.PROVIDER_URL, server);
- if (server.startsWith("ldaps:")) {
- env.put("java.naming.ldap.factory.socket", BlindSSLSocketFactory.class.getName());
- }
- // TODO consider making this a setting
- env.put("com.sun.jndi.ldap.read.timeout", "5000");
+ private void setAdminAttribute(UserModel user) {
+ String adminString = settings.getString(Keys.realm.ldap_admins, "");
+ String[] admins = adminString.split(" ");
+ user.canAdmin = false;
+ for (String admin : admins) {
+ if (admin.startsWith("@")) { // Team
+ if (user.getTeam(admin.substring(1)) != null)
+ user.canAdmin = true;
+ } else
+ if (user.getName().equalsIgnoreCase(admin))
+ user.canAdmin = true;
+ }
+ }
- if (!StringUtils.isEmpty(username)) {
- // authenticated login
- env.put(Context.SECURITY_AUTHENTICATION, "simple");
- env.put(Context.SECURITY_PRINCIPAL, getDomainUsername(username));
- env.put(Context.SECURITY_CREDENTIALS, password == null ? "":password.trim());
+ private void getTeamsFromLdap(LDAPConnection ldapConnection, String simpleUsername, SearchResultEntry loggingInUser, UserModel user) {
+ String loggingInUserDN = loggingInUser.getDN();
+
+ user.teams.clear(); // Clear the users team memberships - we're going to get them from LDAP
+ String groupBase = settings.getString(Keys.realm.ldap_groupBase, "");
+ String groupMemberPattern = settings.getString(Keys.realm.ldap_groupMemberPattern, "(&(objectClass=group)(member=${dn}))");
+
+ groupMemberPattern = StringUtils.replace(groupMemberPattern, "${dn}", loggingInUserDN);
+ groupMemberPattern = StringUtils.replace(groupMemberPattern, "${username}", simpleUsername);
+
+ // Fill in attributes into groupMemberPattern
+ for (Attribute userAttribute : loggingInUser.getAttributes())
+ groupMemberPattern = StringUtils.replace(groupMemberPattern, "${" + userAttribute.getName() + "}", userAttribute.getValue());
+
+ SearchResult teamMembershipResult = doSearch(ldapConnection, groupBase, groupMemberPattern);
+ if (teamMembershipResult != null && teamMembershipResult.getEntryCount() > 0) {
+ for (int i = 0; i < teamMembershipResult.getEntryCount(); i++) {
+ SearchResultEntry teamEntry = teamMembershipResult.getSearchEntries().get(i);
+ String teamName = teamEntry.getAttribute("cn").getValue();
+
+ TeamModel teamModel = getTeamModel(teamName);
+ if (teamModel == null)
+ teamModel = createTeamFromLdap(teamEntry);
+
+ user.teams.add(teamModel);
+ teamModel.addUser(user.getName());
}
- return new InitialDirContext(env);
- } catch (NamingException e) {
- logger.warn(MessageFormat.format("Error connecting to LDAP with credentials. Please check {0}, {1}, and {2}",
- Keys.realm.ldap_server, Keys.realm.ldap_username, Keys.realm.ldap_password), e);
+ }
+ }
+
+ private TeamModel createTeamFromLdap(SearchResultEntry teamEntry) {
+ TeamModel answer = new TeamModel(teamEntry.getAttributeValue("cn"));
+ // If attributes other than team name ever from from LDAP, this is where to get them
+
+ return answer;
+ }
+
+ private UserModel createUserFromLdap(SearchResultEntry userEntry) {
+ UserModel answer = new UserModel(userEntry.getAttributeValue("cn"));
+ //If attributes other than user name ever from from LDAP, this is where to get them
+
+ return answer;
+ }
+
+ private SearchResult doSearch(LDAPConnection ldapConnection, String base, String filter) {
+ try {
+ return ldapConnection.search(base, SearchScope.SUB, filter);
+ } catch (LDAPSearchException e) {
+ logger.error("Problem Searching LDAP", e);
+
return null;
}
}
+
+ private boolean isAuthenticated(LDAPConnection ldapConnection, String userDn, String password) {
+ try {
+ ldapConnection.bind(userDn, password);
+ return true;
+ } catch (LDAPException e) {
+ logger.error("Error authenitcating user", e);
+ return false;
+ }
+ }
+
/**
* Returns a simple username without any domain prefixes.
@@ -180,21 +264,5 @@
username = username.substring(lastSlash + 1);
}
return username;
- }
-
- /**
- * Returns a username with a domain prefix as long as the username does not
- * already have a comain prefix.
- *
- * @param username
- * @return a domain username
- */
- protected String getDomainUsername(String username) {
- String domain = settings.getString(Keys.realm.ldap_domain, null);
- String domainUsername = username;
- if (!StringUtils.isEmpty(domain) && (domainUsername.indexOf('\\') == -1)) {
- domainUsername = domain + "\\" + username;
- }
- return domainUsername.trim();
}
}
diff --git a/src/com/gitblit/build/Build.java b/src/com/gitblit/build/Build.java
index 96f848b..cbe09a9 100644
--- a/src/com/gitblit/build/Build.java
+++ b/src/com/gitblit/build/Build.java
@@ -94,6 +94,7 @@
downloadFromApache(MavenObject.LUCENE, BuildType.RUNTIME);
downloadFromApache(MavenObject.LUCENE_HIGHLIGHTER, BuildType.RUNTIME);
downloadFromApache(MavenObject.LUCENE_MEMORY, BuildType.RUNTIME);
+ downloadFromApache(MavenObject.UNBOUND_ID, BuildType.RUNTIME);
downloadFromEclipse(MavenObject.JGIT, BuildType.RUNTIME);
downloadFromEclipse(MavenObject.JGIT_HTTP, BuildType.RUNTIME);
@@ -124,6 +125,7 @@
downloadFromApache(MavenObject.LUCENE, BuildType.COMPILETIME);
downloadFromApache(MavenObject.LUCENE_HIGHLIGHTER, BuildType.COMPILETIME);
downloadFromApache(MavenObject.LUCENE_MEMORY, BuildType.COMPILETIME);
+ downloadFromApache(MavenObject.UNBOUND_ID, BuildType.COMPILETIME);
downloadFromEclipse(MavenObject.JGIT, BuildType.COMPILETIME);
downloadFromEclipse(MavenObject.JGIT_HTTP, BuildType.COMPILETIME);
@@ -524,6 +526,10 @@
public static final MavenObject LUCENE_MEMORY = new MavenObject("lucene memory", "org/apache/lucene", "lucene-memory",
"3.5.0", 30000, 23000, 0, "7908e954e8c1b4b2463aa712b34fa4a5612e241d",
"69b19b38d78cc3b27ea5542a14f0ebbb1625ffdd", "");
+
+ public static final MavenObject UNBOUND_ID = new MavenObject("unbound id", "com/unboundid", "unboundid-ldapsdk",
+ "2.3.0", 1383417, 1439721, 0, "6fde8d9fb4ee3e7e3d7e764e3ea57195971e2eb2",
+ "5276d3d29630693dba99ab9f7ea54f4c471d3af1", "");
public final String name;
diff --git a/src/com/gitblit/utils/StringUtils.java b/src/com/gitblit/utils/StringUtils.java
index d644182..0460ac9 100644
--- a/src/com/gitblit/utils/StringUtils.java
+++ b/src/com/gitblit/utils/StringUtils.java
@@ -518,4 +518,32 @@
}
return "";
}
+
+ /**
+ * Replace all occurences of a substring within a string with
+ * another string.
+ *
+ * From Spring StringUtils.
+ *
+ * @param inString String to examine
+ * @param oldPattern String to replace
+ * @param newPattern String to insert
+ * @return a String with the replacements
+ */
+ public static String replace(String inString, String oldPattern, String newPattern) {
+ StringBuilder sb = new StringBuilder();
+ int pos = 0; // our position in the old string
+ int index = inString.indexOf(oldPattern);
+ // the index of an occurrence we've found, or -1
+ int patLen = oldPattern.length();
+ while (index >= 0) {
+ sb.append(inString.substring(pos, index));
+ sb.append(newPattern);
+ pos = index + patLen;
+ index = inString.indexOf(oldPattern, pos);
+ }
+ sb.append(inString.substring(pos));
+ // remember to append any characters to the right of a match
+ return sb.toString();
+ }
}
\ No newline at end of file
diff --git a/src/com/gitblit/wicket/pages/EditUserPage.java b/src/com/gitblit/wicket/pages/EditUserPage.java
index e7b4287..103d672 100644
--- a/src/com/gitblit/wicket/pages/EditUserPage.java
+++ b/src/com/gitblit/wicket/pages/EditUserPage.java
@@ -129,40 +129,42 @@
}
boolean rename = !StringUtils.isEmpty(oldName)
&& !oldName.equalsIgnoreCase(username);
- if (!userModel.password.equals(confirmPassword.getObject())) {
- error(getString("gb.passwordsDoNotMatch"));
- return;
- }
- String password = userModel.password;
- if (!password.toUpperCase().startsWith(StringUtils.MD5_TYPE)
- && !password.toUpperCase().startsWith(StringUtils.COMBINED_MD5_TYPE)) {
- // This is a plain text password.
- // Check length.
- int minLength = GitBlit.getInteger(Keys.realm.minPasswordLength, 5);
- if (minLength < 4) {
- minLength = 4;
- }
- if (password.trim().length() < minLength) {
- error(MessageFormat.format(getString("gb.passwordTooShort"),
- minLength));
+ if (GitBlit.self().supportsCredentialChanges()) {
+ if (!userModel.password.equals(confirmPassword.getObject())) {
+ error(getString("gb.passwordsDoNotMatch"));
return;
}
-
- // Optionally store the password MD5 digest.
- String type = GitBlit.getString(Keys.realm.passwordStorage, "md5");
- if (type.equalsIgnoreCase("md5")) {
- // store MD5 digest of password
- userModel.password = StringUtils.MD5_TYPE
- + StringUtils.getMD5(userModel.password);
- } else if (type.equalsIgnoreCase("combined-md5")) {
- // store MD5 digest of username+password
- userModel.password = StringUtils.COMBINED_MD5_TYPE
- + StringUtils.getMD5(username + userModel.password);
+ String password = userModel.password;
+ if (!password.toUpperCase().startsWith(StringUtils.MD5_TYPE)
+ && !password.toUpperCase().startsWith(StringUtils.COMBINED_MD5_TYPE)) {
+ // This is a plain text password.
+ // Check length.
+ int minLength = GitBlit.getInteger(Keys.realm.minPasswordLength, 5);
+ if (minLength < 4) {
+ minLength = 4;
+ }
+ if (password.trim().length() < minLength) {
+ error(MessageFormat.format(getString("gb.passwordTooShort"),
+ minLength));
+ return;
+ }
+
+ // Optionally store the password MD5 digest.
+ String type = GitBlit.getString(Keys.realm.passwordStorage, "md5");
+ if (type.equalsIgnoreCase("md5")) {
+ // store MD5 digest of password
+ userModel.password = StringUtils.MD5_TYPE
+ + StringUtils.getMD5(userModel.password);
+ } else if (type.equalsIgnoreCase("combined-md5")) {
+ // store MD5 digest of username+password
+ userModel.password = StringUtils.COMBINED_MD5_TYPE
+ + StringUtils.getMD5(username + userModel.password);
+ }
+ } else if (rename
+ && password.toUpperCase().startsWith(StringUtils.COMBINED_MD5_TYPE)) {
+ error(getString("gb.combinedMd5Rename"));
+ return;
}
- } else if (rename
- && password.toUpperCase().startsWith(StringUtils.COMBINED_MD5_TYPE)) {
- error(getString("gb.combinedMd5Rename"));
- return;
}
Iterator<String> selectedRepositories = repositories.getSelectedChoices();
diff --git a/tests/com/gitblit/tests/LdapUserServiceTest.java b/tests/com/gitblit/tests/LdapUserServiceTest.java
new file mode 100644
index 0000000..777d86c
--- /dev/null
+++ b/tests/com/gitblit/tests/LdapUserServiceTest.java
@@ -0,0 +1,104 @@
+/*
+ * Copyright 2012 John Crygier
+ * Copyright 2012 gitblit.com
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gitblit.tests;
+
+import static org.junit.Assert.*;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.junit.Before;
+import org.junit.Test;
+
+import com.gitblit.LdapUserService;
+import com.gitblit.models.UserModel;
+import com.gitblit.tests.mock.MemorySettings;
+import com.unboundid.ldap.listener.InMemoryDirectoryServer;
+import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
+import com.unboundid.ldap.listener.InMemoryListenerConfig;
+import com.unboundid.ldap.sdk.LDAPConnection;
+import com.unboundid.ldif.LDIFReader;
+
+/**
+ * An Integration test for LDAP that tests going against an in-memory UnboundID
+ * LDAP server.
+ *
+ * @author jcrygier
+ *
+ */
+public class LdapUserServiceTest {
+
+ private LdapUserService ldapUserService;
+
+ @Before
+ public void createInMemoryLdapServer() throws Exception {
+ InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig("dc=MyDomain");
+ config.addAdditionalBindCredentials("cn=Directory Manager", "password");
+ config.setListenerConfigs(InMemoryListenerConfig.createLDAPConfig("default", 389));
+ config.setSchema(null);
+
+ InMemoryDirectoryServer ds = new InMemoryDirectoryServer(config);
+ ds.importFromLDIF(true, new LDIFReader(this.getClass().getResourceAsStream("resources/ldapUserServiceSampleData.ldif")));
+ ds.startListening();
+ }
+
+ @Before
+ public void createLdapUserService() {
+ Map<Object, Object> backingMap = new HashMap<Object, Object>();
+ backingMap.put("realm.ldap.server", "ldap://localhost:389");
+ backingMap.put("realm.ldap.domain", "");
+ backingMap.put("realm.ldap.username", "cn=Directory Manager");
+ backingMap.put("realm.ldap.password", "password");
+ backingMap.put("realm.ldap.backingUserService", "users.conf");
+ backingMap.put("realm.ldap.maintainTeams", "true");
+ backingMap.put("realm.ldap.accountBase", "OU=Users,OU=UserControl,OU=MyOrganization,DC=MyDomain");
+ backingMap.put("realm.ldap.accountPattern", "(&(objectClass=person)(sAMAccountName=${username}))");
+ backingMap.put("realm.ldap.groupBase", "OU=Groups,OU=UserControl,OU=MyOrganization,DC=MyDomain");
+ backingMap.put("realm.ldap.groupPattern", "(&(objectClass=group)(member=${dn}))");
+ backingMap.put("realm.ldap.admins", "UserThree @Git_Admins");
+
+ MemorySettings ms = new MemorySettings(backingMap);
+
+ ldapUserService = new LdapUserService();
+ ldapUserService.setup(ms);
+ }
+
+ @Test
+ public void testAuthenticate() {
+ UserModel userOneModel = ldapUserService.authenticate("UserOne", "userOnePassword".toCharArray());
+ assertNotNull(userOneModel);
+ assertNotNull(userOneModel.getTeam("git_admins"));
+ assertNotNull(userOneModel.getTeam("git_users"));
+ assertTrue(userOneModel.canAdmin);
+
+ UserModel userOneModelFailedAuth = ldapUserService.authenticate("UserOne", "userTwoPassword".toCharArray());
+ assertNull(userOneModelFailedAuth);
+
+ UserModel userTwoModel = ldapUserService.authenticate("UserTwo", "userTwoPassword".toCharArray());
+ assertNotNull(userTwoModel);
+ assertNotNull(userTwoModel.getTeam("git_users"));
+ assertNull(userTwoModel.getTeam("git_admins"));
+ assertFalse(userTwoModel.canAdmin);
+
+ UserModel userThreeModel = ldapUserService.authenticate("UserThree", "userThreePassword".toCharArray());
+ assertNotNull(userThreeModel);
+ assertNotNull(userThreeModel.getTeam("git_users"));
+ assertNull(userThreeModel.getTeam("git_admins"));
+ assertTrue(userThreeModel.canAdmin);
+ }
+
+}
diff --git a/tests/com/gitblit/tests/mock/MemorySettings.java b/tests/com/gitblit/tests/mock/MemorySettings.java
new file mode 100644
index 0000000..8b55935
--- /dev/null
+++ b/tests/com/gitblit/tests/mock/MemorySettings.java
@@ -0,0 +1,50 @@
+ /*
+ * Copyright 2012 John Crygier
+ * Copyright 2012 gitblit.com
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gitblit.tests.mock;
+
+import java.util.Map;
+import java.util.Properties;
+
+import com.gitblit.IStoredSettings;
+
+public class MemorySettings extends IStoredSettings {
+
+ private Map<Object, Object> backingMap;
+
+ public MemorySettings(Map<Object, Object> backingMap) {
+ super(MemorySettings.class);
+ this.backingMap = backingMap;
+ }
+
+ @Override
+ protected Properties read() {
+ Properties props = new Properties();
+ props.putAll(backingMap);
+
+ return props;
+ }
+
+ public void put(Object key, Object value) {
+ backingMap.put(key, value);
+ }
+
+ @Override
+ public boolean saveSettings(Map<String, String> updatedSettings) {
+ return false;
+ }
+
+}
diff --git a/tests/com/gitblit/tests/resources/ldapUserServiceSampleData.ldif b/tests/com/gitblit/tests/resources/ldapUserServiceSampleData.ldif
new file mode 100644
index 0000000..22d6869
--- /dev/null
+++ b/tests/com/gitblit/tests/resources/ldapUserServiceSampleData.ldif
@@ -0,0 +1,80 @@
+dn: DC=MyDomain
+dc: MyDomain
+objectClass: top
+objectClass: domain
+
+dn: OU=MyOrganization,DC=MyDomain
+objectClass: top
+objectClass: organizationalUnit
+ou: MyOrganization
+
+dn: OU=UserControl,OU=MyOrganization,DC=MyDomain
+objectClass: top
+objectClass: organizationalUnit
+ou: UserControl
+
+dn: OU=Groups,OU=UserControl,OU=MyOrganization,DC=MyDomain
+objectClass: top
+objectClass: organizationalUnit
+ou: Groups
+
+dn: CN=Git_Admins,OU=Groups,OU=UserControl,OU=MyOrganization,DC=MyDomain
+objectClass: top
+objectClass: group
+cn: Git_Admins
+sAMAccountName: Git_Admins
+member: CN=UserOne,OU=US,OU=Users,OU=UserControl,OU=MyOrganization,DC=MyDomain
+
+dn: CN=Git_Users,OU=Groups,OU=UserControl,OU=MyOrganization,DC=MyDomain
+objectClass: top
+objectClass: group
+cn: Git_Users
+sAMAccountName: Git_Users
+member: CN=UserOne,OU=US,OU=Users,OU=UserControl,OU=MyOrganization,DC=MyDomain
+member: CN=UserTwo,OU=US,OU=Users,OU=UserControl,OU=MyOrganization,DC=MyDomain
+member: CN=UserThree,OU=Canada,OU=Users,OU=UserControl,OU=MyOrganization,DC=MyDomain
+member: CN=UserFour,OU=Canada,OU=Users,OU=UserControl,OU=MyOrganization,DC=MyDomain
+
+dn: OU=Users,OU=UserControl,OU=MyOrganization,DC=MyDomain
+objectClass: top
+objectClass: organizationalUnit
+ou: Users
+
+dn: OU=US,OU=Users,OU=UserControl,OU=MyOrganization,DC=MyDomain
+objectClass: top
+objectClass: organizationalUnit
+ou: US
+
+dn: OU=Canada,OU=Users,OU=UserControl,OU=MyOrganization,DC=MyDomain
+objectClass: top
+objectClass: organizationalUnit
+ou: Canada
+
+dn: CN=UserOne,OU=US,OU=Users,OU=UserControl,OU=MyOrganization,DC=MyDomain
+objectClass: user
+objectClass: person
+sAMAccountName: UserOne
+userPassword: userOnePassword
+memberOf: CN=Git_Admins,OU=Groups,OU=UserControl,OU=MyOrganization,DC=MyDomain
+memberOf: CN=Git_Users,OU=Groups,OU=UserControl,OU=MyOrganization,DC=MyDomain
+
+dn: CN=UserTwo,OU=US,OU=Users,OU=UserControl,OU=MyOrganization,DC=MyDomain
+objectClass: user
+objectClass: person
+sAMAccountName: UserTwo
+userPassword: userTwoPassword
+memberOf: CN=Git_Users,OU=Groups,OU=UserControl,OU=MyOrganization,DC=MyDomain
+
+dn: CN=UserThree,OU=Canada,OU=Users,OU=UserControl,OU=MyOrganization,DC=MyDomain
+objectClass: user
+objectClass: person
+sAMAccountName: UserThree
+userPassword: userThreePassword
+memberOf: CN=Git_Users,OU=Groups,OU=UserControl,OU=MyOrganization,DC=MyDomain
+
+dn: CN=UserFour,OU=Canada,OU=Users,OU=UserControl,OU=MyOrganization,DC=MyDomain
+objectClass: user
+objectClass: person
+sAMAccountName: UserFour
+userPassword: userFourPassword
+memberOf: CN=Git_Users,OU=Groups,OU=UserControl,OU=MyOrganization,DC=MyDomain
\ No newline at end of file
--
Gitblit v1.9.1