opendev/gerrit
Code Issues Proposed changes

Allow HTTP password when using LDAP and basic authentication

Browse Source 
So far, it was not possible to use HTTP password to validate git over
HTTP and REST API requests if LDAP was used along with HTTP basic
authentication. There is a use case, though, where users do not want to
use their LDAP password for the aforementioned requests as in, for
example, automation scripts.

Introduce a new configuration parameter, `gitBasicAuthPolicy`, to allow
LDAP users to authenticate using either the HTTP or the LDAP passwords
when doing git over HTTP and REST API requests. When this new parameter
is set to LDAP, the password in the request is checked against the LDAP
password only. When set to HTTP, the password is validated against the
randomly generated HTTP password. Finally, when set to HTTP_LDAP, the
password in the request is checked first against the HTTP password and,
if it does not match, it is checked against the LDAP password.

If the new parameter is not specified or if is set to LDAP, the current
behavior is preserved, i.e., only LDAP password is allowed when using
basic authentication.

Change-Id: I8846cd89dfdb98ab2fc36ba754d8302cf40527e9
This commit is contained in:
Hector Oswaldo Caballero
2016-09-15 18:24:42 -04:00
committed by Hugo Arès
parent ff7679320a
commit 2a9ad1fdca
9 changed files with 120 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
gerrit-gwtui-common/src/main/java/com/google/gerrit/client/info/AuthInfo.java
View File

@@ -17,6 +17,7 @@ package com.google.gerrit.client.info;
import com.google.gerrit.client.rpc.Natives;
import com.google.gerrit.extensions.client.AccountFieldName;
import com.google.gerrit.extensions.client.AuthType;
import com.google.gerrit.extensions.client.GitBasicAuthPolicy;
import com.google.gwt.core.client.JavaScriptObject;
import com.google.gwt.core.client.JsArray;
import com.google.gwt.core.client.JsArrayString;
@@ -82,12 +83,16 @@ public class AuthInfo extends JavaScriptObject {
}
public final boolean isHttpPasswordSettingsEnabled() {
if (isLdap() && isGitBasicAuth()) {
if (isGitBasicAuth() && gitBasicAuthPolicy() == GitBasicAuthPolicy.LDAP) {
return false;
}
return true;
}
public final GitBasicAuthPolicy gitBasicAuthPolicy() {
return GitBasicAuthPolicy.valueOf(gitBasicAuthPolicyRaw());
}
public final native boolean useContributorAgreements()
/*-{ return this.use_contributor_agreements || false; }-*/;
public final native String loginUrl() /*-{ return this.login_url; }-*/;
@@ -98,6 +103,8 @@ public class AuthInfo extends JavaScriptObject {
public final native String editFullNameUrl() /*-{ return this.edit_full_name_url; }-*/;
public final native String httpPasswordUrl() /*-{ return this.http_password_url; }-*/;
public final native boolean isGitBasicAuth() /*-{ return this.is_git_basic_auth || false; }-*/;
private native String gitBasicAuthPolicyRaw()
/*-{ return this.git_basic_auth_policy; }-*/;
private native String authTypeRaw() /*-{ return this.auth_type; }-*/;
private native JsArrayString _editableAccountFields()
/*-{ return this.editable_account_fields; }-*/;