diff options
Diffstat (limited to 'java/com/google/gerrit/httpd/RemoteUserUtil.java')
-rw-r--r-- | java/com/google/gerrit/httpd/RemoteUserUtil.java | 90 |
1 files changed, 90 insertions, 0 deletions
diff --git a/java/com/google/gerrit/httpd/RemoteUserUtil.java b/java/com/google/gerrit/httpd/RemoteUserUtil.java new file mode 100644 index 0000000000..a02b5a017c --- /dev/null +++ b/java/com/google/gerrit/httpd/RemoteUserUtil.java @@ -0,0 +1,90 @@ +// Copyright (C) 2015 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.google.gerrit.httpd; + +import static com.google.common.base.Strings.emptyToNull; +import static com.google.common.net.HttpHeaders.AUTHORIZATION; +import static java.nio.charset.StandardCharsets.UTF_8; + +import javax.servlet.http.HttpServletRequest; +import org.eclipse.jgit.util.Base64; + +public class RemoteUserUtil { + /** + * Tries to get username from a request with following strategies: + * + * <ul> + * <li>ServletRequest#getRemoteUser + * <li>HTTP 'Authorization' header + * <li>Custom HTTP header + * </ul> + * + * @param req request to extract username from. + * @param loginHeader name of header which is used for extracting username. + * @return the extracted username or null. + */ + public static String getRemoteUser(HttpServletRequest req, String loginHeader) { + if (AUTHORIZATION.equals(loginHeader)) { + String user = emptyToNull(req.getRemoteUser()); + if (user != null) { + // The container performed the authentication, and has the user + // identity already decoded for us. Honor that as we have been + // configured to honor HTTP authentication. + return user; + } + + // If the container didn't do the authentication we might + // have done it in the front-end web server. Try to split + // the identity out of the Authorization header and honor it. + String auth = req.getHeader(AUTHORIZATION); + return extractUsername(auth); + } + // Nonstandard HTTP header. We have been told to trust this + // header blindly as-is. + return emptyToNull(req.getHeader(loginHeader)); + } + + /** + * Extracts username from an HTTP Basic or Digest authentication header. + * + * @param auth header value which is used for extracting. + * @return username if available or null. + */ + public static String extractUsername(String auth) { + auth = emptyToNull(auth); + + if (auth == null) { + return null; + + } else if (auth.startsWith("Basic ")) { + auth = auth.substring("Basic ".length()); + auth = new String(Base64.decode(auth), UTF_8); + final int c = auth.indexOf(':'); + return c > 0 ? auth.substring(0, c) : null; + + } else if (auth.startsWith("Digest ")) { + final int u = auth.indexOf("username=\""); + if (u <= 0) { + return null; + } + auth = auth.substring(u + 10); + final int e = auth.indexOf('"'); + return e > 0 ? auth.substring(0, e) : null; + + } else { + return null; + } + } +} |