Use auth.allowedOpenID to limit which providers can be used

Setting allowedOpenID permits an administrator to require that only recognized OpenID providers be used to authenticate to the server. Unlike trustedOpenID, users with providers not on the list are simply not permitted to login. Change-Id: I56106f2d92d100a3085b8738d556717da03ae5d7 Signed-off-by: Shawn O. Pearce <sop@google.com>
2010-05-11 16:05:27 -07:00
parent 649c6205e7
commit 533cafc64c
9 changed files with 149 additions and 41 deletions
--- a/gerrit-common/src/main/java/com/google/gerrit/common/auth/openid/DiscoveryResult.java
+++ b/gerrit-common/src/main/java/com/google/gerrit/common/auth/openid/DiscoveryResult.java
@@ -17,21 +17,34 @@ package com.google.gerrit.common.auth.openid;
 import java.util.Map;

 public final class DiscoveryResult {
-  public boolean validProvider;
+  public static enum Status {
+    /** Provider was discovered and {@code providerUrl} is valid. */
+    VALID,
+
+    /** The identifier is not allowed to be used, by site configuration. */
+    NOT_ALLOWED,
+
+    /** Identifier isn't for an OpenID provider. */
+    NO_PROVIDER,
+
+    /** The provider was discovered, but something else failed. */
+    ERROR;
+  }
+
+  public Status status;
  public String providerUrl;
  public Map<String, String> providerArgs;

  protected DiscoveryResult() {
  }

-  public DiscoveryResult(final boolean valid, final String redirect,
-      final Map<String, String> args) {
-    validProvider = valid;
+  public DiscoveryResult(final String redirect, final Map<String, String> args) {
+    status = Status.VALID;
    providerUrl = redirect;
    providerArgs = args;
  }

-  public DiscoveryResult(final boolean fail) {
-    this(false, null, null);
+  public DiscoveryResult(final Status s) {
+    status = s;
  }
 }
--- a/gerrit-common/src/main/java/com/google/gerrit/common/data/GerritConfig.java
+++ b/gerrit-common/src/main/java/com/google/gerrit/common/data/GerritConfig.java
@@ -14,6 +14,7 @@

 package com.google.gerrit.common.data;

+import com.google.gerrit.common.auth.openid.OpenIdProviderPattern;
 import com.google.gerrit.reviewdb.Account;
 import com.google.gerrit.reviewdb.AuthType;
 import com.google.gerrit.reviewdb.Project;
@@ -24,6 +25,8 @@ import java.util.Set;

 public class GerritConfig implements Cloneable {
  protected String registerUrl;
+  protected List<OpenIdProviderPattern> allowedOpenIDs;
+
  protected GitwebLink gitweb;
  protected boolean useContributorAgreements;
  protected boolean useContactInfo;
@@ -52,6 +55,14 @@ public class GerritConfig implements Cloneable {
    registerUrl = u;
  }

+  public List<OpenIdProviderPattern> getAllowedOpenIDs() {
+    return allowedOpenIDs;
+  }
+
+  public void setAllowedOpenIDs(List<OpenIdProviderPattern> l) {
+    allowedOpenIDs = l;
+  }
+
  public AuthType getAuthType() {
    return authType;
  }