diff options
Diffstat (limited to 'java/com/google/gerrit/server/config/AuthConfig.java')
-rw-r--r-- | java/com/google/gerrit/server/config/AuthConfig.java | 337 |
1 files changed, 337 insertions, 0 deletions
diff --git a/java/com/google/gerrit/server/config/AuthConfig.java b/java/com/google/gerrit/server/config/AuthConfig.java new file mode 100644 index 0000000000..d3f9186106 --- /dev/null +++ b/java/com/google/gerrit/server/config/AuthConfig.java @@ -0,0 +1,337 @@ +// Copyright (C) 2009 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.google.gerrit.server.config; + +import static com.google.gerrit.server.account.externalids.ExternalId.SCHEME_MAILTO; +import static com.google.gerrit.server.account.externalids.ExternalId.SCHEME_USERNAME; +import static com.google.gerrit.server.account.externalids.ExternalId.SCHEME_UUID; + +import com.google.gerrit.extensions.client.AuthType; +import com.google.gerrit.extensions.client.GitBasicAuthPolicy; +import com.google.gerrit.server.account.externalids.ExternalId; +import com.google.gerrit.server.auth.openid.OpenIdProviderPattern; +import com.google.gwtjsonrpc.server.SignedToken; +import com.google.gwtjsonrpc.server.XsrfException; +import com.google.inject.Inject; +import com.google.inject.Singleton; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collection; +import java.util.Collections; +import java.util.List; +import java.util.concurrent.TimeUnit; +import org.eclipse.jgit.lib.Config; + +/** Authentication related settings from {@code gerrit.config}. */ +@Singleton +public class AuthConfig { + private final AuthType authType; + private final String httpHeader; + private final String httpDisplaynameHeader; + private final String httpEmailHeader; + private final String httpExternalIdHeader; + private final String registerPageUrl; + private final String registerUrl; + private final String registerText; + private final boolean trustContainerAuth; + private final boolean enableRunAs; + private final boolean userNameToLowerCase; + private final boolean useContributorAgreements; + private final String loginUrl; + private final String loginText; + private final String logoutUrl; + private final String switchAccountUrl; + private final String editFullNameUrl; + private final String httpPasswordUrl; + private final String openIdSsoUrl; + private final List<String> openIdDomains; + private final List<OpenIdProviderPattern> trustedOpenIDs; + private final List<OpenIdProviderPattern> allowedOpenIDs; + private final String cookiePath; + private final String cookieDomain; + private final boolean cookieSecure; + private final SignedToken emailReg; + private final boolean allowRegisterNewEmail; + private GitBasicAuthPolicy gitBasicAuthPolicy; + + @Inject + AuthConfig(@GerritServerConfig Config cfg) throws XsrfException { + authType = toType(cfg); + httpHeader = cfg.getString("auth", null, "httpheader"); + httpDisplaynameHeader = cfg.getString("auth", null, "httpdisplaynameheader"); + httpEmailHeader = cfg.getString("auth", null, "httpemailheader"); + httpExternalIdHeader = cfg.getString("auth", null, "httpexternalidheader"); + loginUrl = cfg.getString("auth", null, "loginurl"); + loginText = cfg.getString("auth", null, "logintext"); + logoutUrl = cfg.getString("auth", null, "logouturl"); + switchAccountUrl = cfg.getString("auth", null, "switchAccountUrl"); + editFullNameUrl = cfg.getString("auth", null, "editFullNameUrl"); + httpPasswordUrl = cfg.getString("auth", null, "httpPasswordUrl"); + registerPageUrl = cfg.getString("auth", null, "registerPageUrl"); + registerUrl = cfg.getString("auth", null, "registerUrl"); + registerText = cfg.getString("auth", null, "registerText"); + openIdSsoUrl = cfg.getString("auth", null, "openidssourl"); + openIdDomains = Arrays.asList(cfg.getStringList("auth", null, "openIdDomain")); + trustedOpenIDs = toPatterns(cfg, "trustedOpenID"); + allowedOpenIDs = toPatterns(cfg, "allowedOpenID"); + cookiePath = cfg.getString("auth", null, "cookiepath"); + cookieDomain = cfg.getString("auth", null, "cookiedomain"); + cookieSecure = cfg.getBoolean("auth", "cookiesecure", false); + trustContainerAuth = cfg.getBoolean("auth", "trustContainerAuth", false); + enableRunAs = cfg.getBoolean("auth", null, "enableRunAs", true); + gitBasicAuthPolicy = getBasicAuthPolicy(cfg); + useContributorAgreements = cfg.getBoolean("auth", "contributoragreements", false); + userNameToLowerCase = cfg.getBoolean("auth", "userNameToLowerCase", false); + allowRegisterNewEmail = cfg.getBoolean("auth", "allowRegisterNewEmail", true); + + if (gitBasicAuthPolicy == GitBasicAuthPolicy.HTTP_LDAP + && authType != AuthType.LDAP + && authType != AuthType.LDAP_BIND) { + throw new IllegalStateException( + "use auth.gitBasicAuthPolicy HTTP_LDAP only with auth.type LDAP or LDAP_BIND"); + } else if (gitBasicAuthPolicy == GitBasicAuthPolicy.OAUTH && authType != AuthType.OAUTH) { + throw new IllegalStateException( + "use auth.gitBasicAuthPolicy OAUTH only with auth.type OAUTH"); + } + + String key = cfg.getString("auth", null, "registerEmailPrivateKey"); + if (key != null && !key.isEmpty()) { + int age = + (int) + ConfigUtil.getTimeUnit( + cfg, + "auth", + null, + "maxRegisterEmailTokenAge", + TimeUnit.SECONDS.convert(12, TimeUnit.HOURS), + TimeUnit.SECONDS); + emailReg = new SignedToken(age, key); + } else { + emailReg = null; + } + } + + private static List<OpenIdProviderPattern> toPatterns(Config cfg, String name) { + String[] s = cfg.getStringList("auth", null, name); + if (s.length == 0) { + s = new String[] {"http://", "https://"}; + } + + List<OpenIdProviderPattern> r = new ArrayList<>(); + for (String pattern : s) { + r.add(OpenIdProviderPattern.create(pattern)); + } + return Collections.unmodifiableList(r); + } + + private static AuthType toType(Config cfg) { + return cfg.getEnum("auth", null, "type", AuthType.OPENID); + } + + private GitBasicAuthPolicy getBasicAuthPolicy(Config cfg) { + GitBasicAuthPolicy defaultAuthPolicy = + isLdapAuthType() + ? GitBasicAuthPolicy.LDAP + : isOAuthType() ? GitBasicAuthPolicy.OAUTH : GitBasicAuthPolicy.HTTP; + return cfg.getEnum("auth", null, "gitBasicAuthPolicy", defaultAuthPolicy); + } + + /** Type of user authentication used by this Gerrit server. */ + public AuthType getAuthType() { + return authType; + } + + public String getLoginHttpHeader() { + return httpHeader; + } + + public String getHttpDisplaynameHeader() { + return httpDisplaynameHeader; + } + + public String getHttpEmailHeader() { + return httpEmailHeader; + } + + public String getHttpExternalIdHeader() { + return httpExternalIdHeader; + } + + public String getLoginUrl() { + return loginUrl; + } + + public String getLoginText() { + return loginText; + } + + public String getLogoutURL() { + return logoutUrl; + } + + public String getSwitchAccountUrl() { + return switchAccountUrl; + } + + public String getEditFullNameUrl() { + return editFullNameUrl; + } + + public String getHttpPasswordUrl() { + return httpPasswordUrl; + } + + public String getOpenIdSsoUrl() { + return openIdSsoUrl; + } + + public List<String> getOpenIdDomains() { + return openIdDomains; + } + + public String getCookiePath() { + return cookiePath; + } + + public String getCookieDomain() { + return cookieDomain; + } + + public boolean getCookieSecure() { + return cookieSecure; + } + + public SignedToken getEmailRegistrationToken() { + return emailReg; + } + + /** OpenID identities which the server permits for authentication. */ + public List<OpenIdProviderPattern> getAllowedOpenIDs() { + return allowedOpenIDs; + } + + /** Whether git-over-http should trust authentication done by container. */ + public boolean isTrustContainerAuth() { + return trustContainerAuth; + } + + /** @return true if users with Run As capability can impersonate others. */ + public boolean isRunAsEnabled() { + return enableRunAs; + } + + /** Whether user name should be converted to lower-case before validation */ + public boolean isUserNameToLowerCase() { + return userNameToLowerCase; + } + + public GitBasicAuthPolicy getGitBasicAuthPolicy() { + return gitBasicAuthPolicy; + } + + /** Whether contributor agreements are used. */ + public boolean isUseContributorAgreements() { + return useContributorAgreements; + } + + public boolean isIdentityTrustable(Collection<ExternalId> ids) { + switch (getAuthType()) { + case DEVELOPMENT_BECOME_ANY_ACCOUNT: + case HTTP: + case HTTP_LDAP: + case LDAP: + case LDAP_BIND: + case CLIENT_SSL_CERT_LDAP: + case CUSTOM_EXTENSION: + case OAUTH: + // only way in is through some external system that the admin trusts + // + return true; + + case OPENID_SSO: + // There's only one provider in SSO mode, so it must be okay. + return true; + + case OPENID: + // All identities must be trusted in order to trust the account. + // + for (ExternalId e : ids) { + if (!isTrusted(e)) { + return false; + } + } + return true; + + default: + // Assume not, we don't understand the login format. + // + return false; + } + } + + private boolean isTrusted(ExternalId id) { + if (id.isScheme(SCHEME_MAILTO)) { + // mailto identities are created by sending a unique validation + // token to the address and asking them to come back to the site + // with that token. + // + return true; + } + + if (id.isScheme(SCHEME_UUID)) { + // UUID identities are absolutely meaningless and cannot be + // constructed through any normal login process we use. + // + return true; + } + + if (id.isScheme(SCHEME_USERNAME)) { + // We can trust their username, its local to our server only. + // + return true; + } + + for (OpenIdProviderPattern p : trustedOpenIDs) { + if (p.matches(id)) { + return true; + } + } + return false; + } + + public String getRegisterPageUrl() { + return registerPageUrl; + } + + public String getRegisterUrl() { + return registerUrl; + } + + public String getRegisterText() { + return registerText; + } + + public boolean isLdapAuthType() { + return authType == AuthType.LDAP || authType == AuthType.LDAP_BIND; + } + + public boolean isOAuthType() { + return authType == AuthType.OAUTH; + } + + public boolean isAllowRegisterNewEmail() { + return allowRegisterNewEmail; + } +} |