Diffstat (limited to 'gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/LdapRealm.java')
-rw-r--r-- | gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/LdapRealm.java | 77 |
1 files changed, 47 insertions, 30 deletions
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/LdapRealm.java b/gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/LdapRealm.java
index de33b4497f..e085d1efc2 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/LdapRealm.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/LdapRealm.java
@@ -14,27 +14,31 @@
 package com.google.gerrit.server.auth.ldap;
-import static com.google.gerrit.reviewdb.AccountExternalId.SCHEME_GERRIT;
-
-import com.google.gerrit.common.data.ParamertizedString;
-import com.google.gerrit.reviewdb.Account;
-import com.google.gerrit.reviewdb.AccountExternalId;
-import com.google.gerrit.reviewdb.AccountGroup;
-import com.google.gerrit.reviewdb.AuthType;
-import com.google.gerrit.reviewdb.ReviewDb;
+import static com.google.gerrit.reviewdb.client.AccountExternalId.SCHEME_GERRIT;
+
+import com.google.common.collect.Iterables;
+import com.google.gerrit.common.data.ParameterizedString;
+import com.google.gerrit.reviewdb.client.Account;
+import com.google.gerrit.reviewdb.client.AccountExternalId;
+import com.google.gerrit.reviewdb.client.AccountGroup;
+import com.google.gerrit.reviewdb.client.AuthType;
+import com.google.gerrit.reviewdb.server.ReviewDb;
 import com.google.gerrit.server.account.AccountException;
 import com.google.gerrit.server.account.AccountState;
 import com.google.gerrit.server.account.AuthRequest;
 import com.google.gerrit.server.account.EmailExpander;
+import com.google.gerrit.server.account.GroupMembership;
+import com.google.gerrit.server.account.MaterializedGroupMembership;
 import com.google.gerrit.server.account.Realm;
+import com.google.gerrit.server.auth.AuthenticationUnavailableException;
 import com.google.gerrit.server.auth.ldap.Helper.LdapSchema;
 import com.google.gerrit.server.cache.Cache;
 import com.google.gerrit.server.cache.EntryCreator;
 import com.google.gerrit.server.config.AuthConfig;
 import com.google.gerrit.server.config.ConfigUtil;
 import com.google.gerrit.server.config.GerritServerConfig;
-import com.google.gwtorm.client.OrmException;
-import com.google.gwtorm.client.SchemaFactory;
+import com.google.gwtorm.server.OrmException;
+import com.google.gwtorm.server.SchemaFactory;
 import com.google.inject.Inject;
 import com.google.inject.Singleton;
 import com.google.inject.name.Named;
@@ -49,6 +53,7 @@
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
 import java.util.Set;
@@ -67,22 +72,27 @@ class LdapRealm implements Realm {
   private final EmailExpander emailExpander;
   private final Cache<String, Account.Id> usernameCache;
   private final Set<Account.FieldName> readOnlyAccountFields;
+  private final Config config;
-  private final Cache<String, Set<AccountGroup.Id>> membershipCache;
+  private final Cache<String, Set<AccountGroup.UUID>> membershipCache;
+  private final MaterializedGroupMembership.Factory groupMembershipFactory;
   @Inject
   LdapRealm(
       final Helper helper,
       final AuthConfig authConfig,
       final EmailExpander emailExpander,
-      @Named(LdapModule.GROUP_CACHE) final Cache<String, Set<AccountGroup.Id>> membershipCache,
+      @Named(LdapModule.GROUP_CACHE) final Cache<String, Set<AccountGroup.UUID>> membershipCache,
       @Named(LdapModule.USERNAME_CACHE) final Cache<String, Account.Id> usernameCache,
-      @GerritServerConfig final Config config) {
+      @GerritServerConfig final Config config,
+      final MaterializedGroupMembership.Factory groupMembershipFactory) {
     this.helper = helper;
     this.authConfig = authConfig;
     this.emailExpander = emailExpander;
     this.usernameCache = usernameCache;
     this.membershipCache = membershipCache;
+    this.config = config;
+    this.groupMembershipFactory = groupMembershipFactory;
     this.readOnlyAccountFields = new HashSet<Account.FieldName>();
@@ -148,14 +158,14 @@ class LdapRealm implements Realm {
     return v;
   }
-  static ParamertizedString paramString(Config c, String n, String d) {
+  static ParameterizedString paramString(Config c, String n, String d) {
     String expression = optdef(c, n, d);
     if (expression == null) {
       return null;
     } else if (expression.contains("${")) {
-      return new ParamertizedString(expression);
+      return new ParameterizedString(expression);
     } else {
-      return new ParamertizedString("${" + expression + "}");
+      return new ParameterizedString("${" + expression + "}");
     }
   }
@@ -164,7 +174,7 @@ class LdapRealm implements Realm {
     return !readOnlyAccountFields.contains(field);
   }
-  private static String apply(ParamertizedString p, LdapQuery.Result m)
+  private static String apply(ParameterizedString p, LdapQuery.Result m)
       throws NamingException {
     if (p == null) {
       return null;
@@ -181,6 +191,10 @@ class LdapRealm implements Realm {
   public AuthRequest authenticate(final AuthRequest who)
       throws AccountException {
+    if (config.getBoolean("ldap", "localUsernameToLowerCase", false)) {
+      who.setLocalUser(who.getLocalUser().toLowerCase(Locale.US));
+    }
+
     final String username = who.getLocalUser();
     try {
       final DirContext ctx;
@@ -193,7 +207,7 @@ class LdapRealm implements Realm {
       final Helper.LdapSchema schema = helper.getSchema(ctx);
       final LdapQuery.Result m = helper.findAccount(schema, ctx, username);
-      if (authConfig.getAuthType() == AuthType.LDAP) {
+      if (authConfig.getAuthType() == AuthType.LDAP && !who.isSkipAuthentication()) {
         // We found the user account, but we need to verify
         // the password matches it before we can continue.
         //
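Review bot: The `!who.isSkipAuthentication()` added to the `AuthType.LDAP` condition makes that flag a complete bypass of the LDAP password verification that follows (the verification block, and `authenticate` itself, continue past the hunk), and nothing in the hunk records who is allowed to set it. Presumably only a front-end that has already authenticated the user (trusted HTTP header / SSO) sets the flag — confirm the setter is not reachable from an unauthenticated request path. I would state that contract at the condition: `// skipAuthentication: the caller verified the user's identity upstream; only resolve the LDAP account here. Never honour this flag for a request that has not been authenticated elsewhere.` Separately, the new `localUsernameToLowerCase` block dereferences `who.getLocalUser()` before the existing `final String username = who.getLocalUser();`, so a request with no local user now fails with a NullPointerException rather than whatever `findAccount` did with null; a `who.getLocalUser() != null` guard in the new block keeps the previous behaviour.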
@@ -231,24 +245,27 @@ class LdapRealm implements Realm {
       }
     } catch (NamingException e) {
       log.error("Cannot query LDAP to autenticate user", e);
-      throw new AccountException("Cannot query LDAP for account", e);
+      throw new AuthenticationUnavailableException("Cannot query LDAP for account", e);
     }
   }
   @Override
+  public AuthRequest link(ReviewDb db, Account.Id to, AuthRequest who) {
+    return who;
+  }
+
+  @Override
   public void onCreateAccount(final AuthRequest who, final Account account) {
     usernameCache.put(who.getLocalUser(), account.getId());
   }
   @Override
-  public Set<AccountGroup.Id> groups(final AccountState who) {
-    final HashSet<AccountGroup.Id> r = new HashSet<AccountGroup.Id>();
-    r.addAll(membershipCache.get(findId(who.getExternalIds())));
-    r.addAll(who.getInternalGroups());
-    return r;
+  public GroupMembership groups(final AccountState who) {
+    return groupMembershipFactory.create(Iterables.concat(
+        membershipCache.get(findId(who.getExternalIds())),
+        who.getInternalGroups()));
   }
-
   private static String findId(final Collection<AccountExternalId> ids) {
     for (final AccountExternalId i : ids) {
       if (i.isScheme(AccountExternalId.SCHEME_GERRIT)) {
@@ -273,8 +290,8 @@ class LdapRealm implements Realm {
     final DirContext ctx = helper.open();
     try {
       final LdapSchema schema = helper.getSchema(ctx);
-      final ParamertizedString filter =
-          ParamertizedString.asis(schema.groupPattern
+      final ParameterizedString filter =
+          ParameterizedString.asis(schema.groupPattern
               .replace(GROUPNAME, name).toString());
       for (String groupBase : schema.groupBases) {
         final LdapQuery query =
@@ -324,7 +341,7 @@ class LdapRealm implements Realm {
     }
   }
-  static class MemberLoader extends EntryCreator<String, Set<AccountGroup.Id>> {
+  static class MemberLoader extends EntryCreator<String, Set<AccountGroup.UUID>> {
     private final Helper helper;
     @Inject
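Review bot: The new `link` override returns `who` unchanged with no comment, so a reader cannot tell whether LDAP identity linking is deliberately a no-op or simply unfinished; a one-line Javadoc would settle it: `/** Nothing to link for LDAP: the account is resolved in {@link #authenticate}, so the request is returned as-is. */`. In the rewritten `groups`, `Iterables.concat(...)` is lazy, so a null from either `membershipCache.get(...)` or `who.getInternalGroups()` only surfaces as a NullPointerException when the factory iterates; the cache side looks safe because `MemberLoader.missing` returns an empty set, but `getInternalGroups()` is not visible here, so worth confirming it never returns null. Throwing `AuthenticationUnavailableException` instead of `AccountException` on `NamingException` presumably lets callers distinguish an unreachable directory from bad credentials, which is the right separation; note the unchanged log line above it still says "autenticate".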
@@ -333,7 +350,7 @@ class LdapRealm implements Realm {
     }
     @Override
-    public Set<AccountGroup.Id> createEntry(final String username)
+    public Set<AccountGroup.UUID> createEntry(final String username)
         throws Exception {
       final DirContext ctx = helper.open();
       try {
@@ -348,7 +365,7 @@ class LdapRealm implements Realm {
     }
     @Override
-    public Set<AccountGroup.Id> missing(final String key)
+    public Set<AccountGroup.UUID> missing(final String key) {
       return Collections.emptySet();
     }
   }
|