Add an AuthMethod to WebSession

For purpose of skipping/using xsrf validation, we need to know how a user authenticated. This change adds an AuthMethod enum value to WebSession. Change-Id: I26bc8ea2ba80d8c7cac0d124d7e76ca55da62716
2012-06-19 09:58:19 -07:00 · 2012-06-19 09:58:19 -07:00 · 9aa7d62ec5
commit 9aa7d62ec5
parent bbb8e738bb
8 changed files with 57 additions and 8 deletions
--- a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/CacheBasedWebSession.java
+++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/CacheBasedWebSession.java
@ -25,6 +25,7 @@ import com.google.gerrit.server.AccessPath;
 import com.google.gerrit.server.AnonymousUser;
 import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.IdentifiedUser;
+import com.google.gerrit.server.account.AuthMethod;
 import com.google.gerrit.server.account.AuthResult;
 import com.google.gerrit.server.cache.CacheModule;
 import com.google.gerrit.server.config.AuthConfig;
@ -66,6 +67,7 @@ public final class CacheBasedWebSession implements WebSession {
  private final IdentifiedUser.RequestFactory identified;
  private AccessPath accessPath = AccessPath.WEB_UI;
  private Cookie outCookie;
+  private AuthMethod authMethod;

  private Key key;
  private Val val;
@ -142,7 +144,8 @@ public final class CacheBasedWebSession implements WebSession {
    return anonymousProvider.get();
  }

-  public void login(final AuthResult res, final boolean rememberMe) {
+  public void login(final AuthResult res, final AuthMethod meth,
+                    final boolean rememberMe) {
    final Account.Id id = res.getAccountId();
    final AccountExternalId.Key identity = res.getExternalId();

@ -153,6 +156,8 @@ public final class CacheBasedWebSession implements WebSession {
    key = manager.createKey(id);
    val = manager.createVal(key, id, rememberMe, identity, null);
    saveCookie();
+
+    authMethod = meth;
  }

  /** Change the access path from the default of {@link AccessPath#WEB_UI}. */
@ -210,4 +215,8 @@ public final class CacheBasedWebSession implements WebSession {
  private static boolean isSecure(final HttpServletRequest req) {
    return req.isSecure() || "https".equals(req.getScheme());
  }
+
+  public AuthMethod getAuthMethod() {
+    return authMethod;
+  }
 }
--- a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/WebSession.java
+++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/WebSession.java
@ -18,9 +18,12 @@ import com.google.gerrit.reviewdb.client.Account;
 import com.google.gerrit.reviewdb.client.AccountExternalId;
 import com.google.gerrit.server.AccessPath;
 import com.google.gerrit.server.CurrentUser;
+import com.google.gerrit.server.account.AuthMethod;
 import com.google.gerrit.server.account.AuthResult;

 public interface WebSession {
+  public AuthMethod getAuthMethod();
+
  public boolean isSignedIn();

  public String getToken();
@ -31,7 +34,7 @@ public interface WebSession {

  public CurrentUser getCurrentUser();

-  public void login(AuthResult res, boolean rememberMe);
+  public void login(AuthResult res, AuthMethod meth, boolean rememberMe);

  /** Change the access path from the default of {@link AccessPath#WEB_UI}. */
  public void setAccessPath(AccessPath path);
--- a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/auth/become/BecomeAnyAccountLoginServlet.java
+++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/auth/become/BecomeAnyAccountLoginServlet.java
@ -24,6 +24,7 @@ import com.google.gerrit.reviewdb.client.AccountExternalId;
 import com.google.gerrit.reviewdb.server.ReviewDb;
 import com.google.gerrit.server.account.AccountException;
 import com.google.gerrit.server.account.AccountManager;
+import com.google.gerrit.server.account.AuthMethod;
 import com.google.gerrit.server.account.AuthRequest;
 import com.google.gerrit.server.account.AuthResult;
 import com.google.gwtorm.server.OrmException;
@ -113,7 +114,7 @@ public class BecomeAnyAccountLoginServlet extends HttpServlet {
    }

    if (res != null) {
-      webSession.get().login(res, false);
+      webSession.get().login(res, AuthMethod.BACKDOOR, false);
      final StringBuilder rdr = new StringBuilder();
      rdr.append(req.getContextPath());
      if (IS_DEV && req.getParameter("gwt.codesvr") != null) {
--- a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/auth/container/HttpLoginServlet.java
+++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/auth/container/HttpLoginServlet.java
@ -19,6 +19,7 @@ import com.google.gerrit.httpd.HtmlDomUtil;
 import com.google.gerrit.httpd.WebSession;
 import com.google.gerrit.server.account.AccountException;
 import com.google.gerrit.server.account.AccountManager;
+import com.google.gerrit.server.account.AuthMethod;
 import com.google.gerrit.server.account.AuthRequest;
 import com.google.gerrit.server.account.AuthResult;
 import com.google.gerrit.server.config.AuthConfig;
@ -135,7 +136,8 @@ class HttpLoginServlet extends HttpServlet {
    }
    rdr.append(token);

-    webSession.get().login(arsp, true /* persistent cookie */);
+    webSession.get().login(arsp, AuthMethod.COOKIE,
+                           true /* persistent cookie */);
    rsp.sendRedirect(rdr.toString());
  }

--- a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/auth/container/HttpsClientSslCertAuthFilter.java
+++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/auth/container/HttpsClientSslCertAuthFilter.java
@ -17,6 +17,7 @@ package com.google.gerrit.httpd.auth.container;
 import com.google.gerrit.httpd.WebSession;
 import com.google.gerrit.server.account.AccountException;
 import com.google.gerrit.server.account.AccountManager;
+import com.google.gerrit.server.account.AuthMethod;
 import com.google.gerrit.server.account.AuthRequest;
 import com.google.gerrit.server.account.AuthResult;
 import com.google.inject.Inject;
@ -84,7 +85,7 @@ class HttpsClientSslCertAuthFilter implements Filter {
      log.error(err, e);
      throw new ServletException(err, e);
    }
-    webSession.get().login(arsp, true);
+    webSession.get().login(arsp, AuthMethod.COOKIE, true);
    chain.doFilter(req, rsp);
  }

--- a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/auth/ldap/UserPassAuthServiceImpl.java
+++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/auth/ldap/UserPassAuthServiceImpl.java
@ -21,6 +21,7 @@ import com.google.gerrit.reviewdb.client.AuthType;
 import com.google.gerrit.server.account.AccountException;
 import com.google.gerrit.server.account.AccountManager;
 import com.google.gerrit.server.account.AccountUserNameException;
+import com.google.gerrit.server.account.AuthMethod;
 import com.google.gerrit.server.account.AuthRequest;
 import com.google.gerrit.server.account.AuthResult;
 import com.google.gerrit.server.auth.AuthenticationUnavailableException;
@ -79,7 +80,8 @@ class UserPassAuthServiceImpl implements UserPassAuthService {

    result.success = true;
    result.isNew = res.isNew();
-    webSession.get().login(res, true /* persistent cookie */);
+    webSession.get().login(res, AuthMethod.PASSWORD,
+                           true /* persistent cookie */);
    callback.onSuccess(result);
  }
 }
--- a/gerrit-openid/src/main/java/com/google/gerrit/httpd/auth/openid/OpenIdServiceImpl.java
+++ b/gerrit-openid/src/main/java/com/google/gerrit/httpd/auth/openid/OpenIdServiceImpl.java
@ -26,6 +26,7 @@ import com.google.gerrit.server.IdentifiedUser;
 import com.google.gerrit.server.UrlEncoded;
 import com.google.gerrit.server.account.AccountException;
 import com.google.gerrit.server.account.AccountManager;
+import com.google.gerrit.server.account.AuthMethod;
 import com.google.gerrit.server.config.AuthConfig;
 import com.google.gerrit.server.config.CanonicalWebUrl;
 import com.google.gerrit.server.config.ConfigUtil;
@ -416,7 +417,7 @@ class OpenIdServiceImpl implements OpenIdService {
            lastId.setMaxAge(0);
          }
          rsp.addCookie(lastId);
-          webSession.get().login(arsp, remember);
+          webSession.get().login(arsp, AuthMethod.COOKIE, remember);
          if (arsp.isNew() && claimedIdentifier != null) {
            final com.google.gerrit.server.account.AuthRequest linkReq =
                new com.google.gerrit.server.account.AuthRequest(
@ -430,7 +431,7 @@ class OpenIdServiceImpl implements OpenIdService {

        case LINK_IDENTIY: {
          arsp = accountManager.link(identifiedUser.get().getAccountId(), areq);
-          webSession.get().login(arsp, remember);
+          webSession.get().login(arsp, AuthMethod.COOKIE, remember);
          callback(false, req, rsp);
          break;
        }
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/AuthMethod.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/AuthMethod.java
@ -0,0 +1,30 @@
+// Copyright (C) 2012 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.gerrit.server.account;
+
+/** Method by which a user has authenticated for a given request. */
+public enum AuthMethod {
+  /** The user is not authenticated */
+  NONE,
+
+  /** The user is authenticated via a cookie. */
+  COOKIE,
+
+  /** The user authenticated with a password for this request. */
+  PASSWORD,
+
+  /** The user has used a credentialess development feature to login. */
+  BACKDOOR;
+}