Allow getting displayName/e-mail with auth.type=HTTP

When using HTTP-based authentication, the SSO can be delegated to check not only the user credentials but also to fetch the full user-profile (e.g. SiteMinder does). With the config properties auth.httpDisplaynameHeader and auth.httpEmailHeader it is possible to configure the name of the headers used for propagating this extra information and enforce them on the user profile during login and beyond. This allows the company to take full control of the user profile through a unique entry point using HTTP authentication. This is particularly useful if we consider all the existing authentication mechanisms available with an HTTP front-end reverse proxy: - Kerberos - Radius - Generic SQL Database - SiteMinder - OAuth Change-Id: I12f9cc0386acd11c03eeaa7475e4e9e8ab94a555
2013-07-30 09:10:07 +01:00
parent 09471488f0
commit 384ed6c298
6 changed files with 74 additions and 3 deletions
--- a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/GerritConfigProvider.java
+++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/GerritConfigProvider.java
@@ -137,7 +137,8 @@ class GerritConfigProvider implements Provider<GerritConfig> {
        fields.add(n);
      }
    }
-    if (emailSender != null && emailSender.isEnabled()) {
+    if (emailSender != null && emailSender.isEnabled()
+        && realm.allowsEdit(Account.FieldName.REGISTER_NEW_EMAIL)) {
      fields.add(Account.FieldName.REGISTER_NEW_EMAIL);
    }
    config.setEditableAccountFields(fields);
--- a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/auth/container/HttpAuthFilter.java
+++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/auth/container/HttpAuthFilter.java
@@ -61,6 +61,8 @@ class HttpAuthFilter implements Filter {
  private final byte[] signInRaw;
  private final byte[] signInGzip;
  private final String loginHeader;
+  private final String displaynameHeader;
+  private final String emailHeader;

  @Inject
  HttpAuthFilter(final Provider<WebSession> webSession,
@@ -78,6 +80,8 @@ class HttpAuthFilter implements Filter {
    loginHeader = firstNonNull(
        emptyToNull(authConfig.getLoginHttpHeader()),
        AUTHORIZATION);
+    displaynameHeader = emptyToNull(authConfig.getHttpDisplaynameHeader());
+    emailHeader = emptyToNull(authConfig.getHttpEmailHeader());
  }

  @Override
@@ -174,6 +178,22 @@ class HttpAuthFilter implements Filter {
    }
  }

+  String getRemoteDisplayname(HttpServletRequest req) {
+    if (displaynameHeader != null) {
+      return emptyToNull(req.getHeader(displaynameHeader));
+    } else {
+      return null;
+    }
+  }
+
+  String getRemoteEmail(HttpServletRequest req) {
+    if (emailHeader != null) {
+      return emptyToNull(req.getHeader(emailHeader));
+    } else {
+      return null;
+    }
+  }
+
  String getLoginHeader() {
    return loginHeader;
  }
--- a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/auth/container/HttpLoginServlet.java
+++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/auth/container/HttpLoginServlet.java
@@ -110,6 +110,8 @@ class HttpLoginServlet extends HttpServlet {
    }

    final AuthRequest areq = AuthRequest.forUser(user);
+    areq.setDisplayName(authFilter.getRemoteDisplayname(req));
+    areq.setEmailAddress(authFilter.getRemoteEmail(req));
    final AuthResult arsp;
    try {
      arsp = accountManager.authenticate(areq);