Add an AuthMethod to WebSession
For the purpose of skipping or using XSRF validation, we need to know how a user authenticated. This change adds an AuthMethod enum value to WebSession. Change-Id: I26bc8ea2ba80d8c7cac0d124d7e76ca55da62716
parent
bbb8e738bb
commit
9aa7d62ec5
@ -25,6 +25,7 @@ import com.google.gerrit.server.AccessPath;
|
|||||||
import com.google.gerrit.server.AnonymousUser;
|
import com.google.gerrit.server.AnonymousUser;
|
||||||
import com.google.gerrit.server.CurrentUser;
|
import com.google.gerrit.server.CurrentUser;
|
||||||
import com.google.gerrit.server.IdentifiedUser;
|
import com.google.gerrit.server.IdentifiedUser;
|
||||||
|
import com.google.gerrit.server.account.AuthMethod;
|
||||||
import com.google.gerrit.server.account.AuthResult;
|
import com.google.gerrit.server.account.AuthResult;
|
||||||
import com.google.gerrit.server.cache.CacheModule;
|
import com.google.gerrit.server.cache.CacheModule;
|
||||||
import com.google.gerrit.server.config.AuthConfig;
|
import com.google.gerrit.server.config.AuthConfig;
|
||||||
@ -66,6 +67,7 @@ public final class CacheBasedWebSession implements WebSession {
|
|||||||
private final IdentifiedUser.RequestFactory identified;
|
private final IdentifiedUser.RequestFactory identified;
|
||||||
private AccessPath accessPath = AccessPath.WEB_UI;
|
private AccessPath accessPath = AccessPath.WEB_UI;
|
||||||
private Cookie outCookie;
|
private Cookie outCookie;
|
||||||
|
private AuthMethod authMethod;
|
||||||
|
|
||||||
private Key key;
|
private Key key;
|
||||||
private Val val;
|
private Val val;
|
||||||
@ -142,7 +144,8 @@ public final class CacheBasedWebSession implements WebSession {
|
|||||||
return anonymousProvider.get();
|
return anonymousProvider.get();
|
||||||
}
|
}
|
||||||
|
|
||||||
public void login(final AuthResult res, final boolean rememberMe) {
|
public void login(final AuthResult res, final AuthMethod meth,
|
||||||
|
final boolean rememberMe) {
|
||||||
final Account.Id id = res.getAccountId();
|
final Account.Id id = res.getAccountId();
|
||||||
final AccountExternalId.Key identity = res.getExternalId();
|
final AccountExternalId.Key identity = res.getExternalId();
|
||||||
|
|
||||||
@ -153,6 +156,8 @@ public final class CacheBasedWebSession implements WebSession {
|
|||||||
key = manager.createKey(id);
|
key = manager.createKey(id);
|
||||||
val = manager.createVal(key, id, rememberMe, identity, null);
|
val = manager.createVal(key, id, rememberMe, identity, null);
|
||||||
saveCookie();
|
saveCookie();
|
||||||
|
|
||||||
|
authMethod = meth;
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Change the access path from the default of {@link AccessPath#WEB_UI}. */
|
/** Change the access path from the default of {@link AccessPath#WEB_UI}. */
|
||||||
@ -210,4 +215,8 @@ public final class CacheBasedWebSession implements WebSession {
|
|||||||
private static boolean isSecure(final HttpServletRequest req) {
|
private static boolean isSecure(final HttpServletRequest req) {
|
||||||
return req.isSecure() || "https".equals(req.getScheme());
|
return req.isSecure() || "https".equals(req.getScheme());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public AuthMethod getAuthMethod() {
|
||||||
|
return authMethod;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
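Review bot: `authMethod` is declared without an initializer and is assigned only inside `login()`, so `getAuthMethod()` returns `null` for an anonymous session and, as far as this hunk shows, for any later request whose session is re-established from the cache instead of passing through `login()`; the enum's `NONE` value is never produced by this class. Initialize the field, `private AuthMethod authMethod = AuthMethod.NONE;`, and set an appropriate value wherever the session is restored from the cookie (that code, if present, lies outside the hunk). Because the commit message says this value will decide whether XSRF validation is skipped, whatever consumes it should treat `null` and `NONE` as "validate" so an unset method fails closed; note too that the `PASSWORD` and `BACKDOOR` call sites still create a persistent cookie, so those sessions are cookie-carried on subsequent requests. `getAuthMethod()` is also the only public method in the hunk without Javadoc; a one-line summary matching `setAccessPath` would do.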
@ -18,9 +18,12 @@ import com.google.gerrit.reviewdb.client.Account;
|
|||||||
import com.google.gerrit.reviewdb.client.AccountExternalId;
|
import com.google.gerrit.reviewdb.client.AccountExternalId;
|
||||||
import com.google.gerrit.server.AccessPath;
|
import com.google.gerrit.server.AccessPath;
|
||||||
import com.google.gerrit.server.CurrentUser;
|
import com.google.gerrit.server.CurrentUser;
|
||||||
|
import com.google.gerrit.server.account.AuthMethod;
|
||||||
import com.google.gerrit.server.account.AuthResult;
|
import com.google.gerrit.server.account.AuthResult;
|
||||||
|
|
||||||
public interface WebSession {
|
public interface WebSession {
|
||||||
|
public AuthMethod getAuthMethod();
|
||||||
|
|
||||||
public boolean isSignedIn();
|
public boolean isSignedIn();
|
||||||
|
|
||||||
public String getToken();
|
public String getToken();
|
||||||
@ -31,7 +34,7 @@ public interface WebSession {
|
|||||||
|
|
||||||
public CurrentUser getCurrentUser();
|
public CurrentUser getCurrentUser();
|
||||||
|
|
||||||
public void login(AuthResult res, boolean rememberMe);
|
public void login(AuthResult res, AuthMethod meth, boolean rememberMe);
|
||||||
|
|
||||||
/** Change the access path from the default of {@link AccessPath#WEB_UI}. */
|
/** Change the access path from the default of {@link AccessPath#WEB_UI}. */
|
||||||
public void setAccessPath(AccessPath path);
|
public void setAccessPath(AccessPath path);
|
||||||
|
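Review bot: The new `getAuthMethod()` declaration carries no Javadoc, while the neighbouring `setAccessPath` does, and the contract for a session that is not signed in (`NONE`, or possibly `null`) is precisely what a caller deciding on XSRF validation needs to know. Suggest `/** How the current user authenticated, or {@link AuthMethod#NONE} when not signed in; never {@code null}. */` above it, plus a `@param meth` sentence on the widened `login` signature, and then confirm the implementation actually honours that non-null promise.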
@ -24,6 +24,7 @@ import com.google.gerrit.reviewdb.client.AccountExternalId;
|
|||||||
import com.google.gerrit.reviewdb.server.ReviewDb;
|
import com.google.gerrit.reviewdb.server.ReviewDb;
|
||||||
import com.google.gerrit.server.account.AccountException;
|
import com.google.gerrit.server.account.AccountException;
|
||||||
import com.google.gerrit.server.account.AccountManager;
|
import com.google.gerrit.server.account.AccountManager;
|
||||||
|
import com.google.gerrit.server.account.AuthMethod;
|
||||||
import com.google.gerrit.server.account.AuthRequest;
|
import com.google.gerrit.server.account.AuthRequest;
|
||||||
import com.google.gerrit.server.account.AuthResult;
|
import com.google.gerrit.server.account.AuthResult;
|
||||||
import com.google.gwtorm.server.OrmException;
|
import com.google.gwtorm.server.OrmException;
|
||||||
@ -113,7 +114,7 @@ public class BecomeAnyAccountLoginServlet extends HttpServlet {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (res != null) {
|
if (res != null) {
|
||||||
webSession.get().login(res, false);
|
webSession.get().login(res, AuthMethod.BACKDOOR, false);
|
||||||
final StringBuilder rdr = new StringBuilder();
|
final StringBuilder rdr = new StringBuilder();
|
||||||
rdr.append(req.getContextPath());
|
rdr.append(req.getContextPath());
|
||||||
if (IS_DEV && req.getParameter("gwt.codesvr") != null) {
|
if (IS_DEV && req.getParameter("gwt.codesvr") != null) {
|
||||||
|
@ -19,6 +19,7 @@ import com.google.gerrit.httpd.HtmlDomUtil;
|
|||||||
import com.google.gerrit.httpd.WebSession;
|
import com.google.gerrit.httpd.WebSession;
|
||||||
import com.google.gerrit.server.account.AccountException;
|
import com.google.gerrit.server.account.AccountException;
|
||||||
import com.google.gerrit.server.account.AccountManager;
|
import com.google.gerrit.server.account.AccountManager;
|
||||||
|
import com.google.gerrit.server.account.AuthMethod;
|
||||||
import com.google.gerrit.server.account.AuthRequest;
|
import com.google.gerrit.server.account.AuthRequest;
|
||||||
import com.google.gerrit.server.account.AuthResult;
|
import com.google.gerrit.server.account.AuthResult;
|
||||||
import com.google.gerrit.server.config.AuthConfig;
|
import com.google.gerrit.server.config.AuthConfig;
|
||||||
@ -135,7 +136,8 @@ class HttpLoginServlet extends HttpServlet {
|
|||||||
}
|
}
|
||||||
rdr.append(token);
|
rdr.append(token);
|
||||||
|
|
||||||
webSession.get().login(arsp, true /* persistent cookie */);
|
webSession.get().login(arsp, AuthMethod.COOKIE,
|
||||||
|
true /* persistent cookie */);
|
||||||
rsp.sendRedirect(rdr.toString());
|
rsp.sendRedirect(rdr.toString());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
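Review bot: `AuthMethod.COOKIE` is passed for a login that the container performed on this request (the SSL-certificate filter and both OpenID call sites below do the same), so the value records the session mechanism that `login()` establishes rather than the credential just presented, which differs from what the enum's Javadoc currently says. That reading is the one the XSRF use case in the commit message needs, so a short call-site comment would prevent a future maintainer "correcting" it, e.g. `// session continues via cookie; XSRF validation stays in force`. The enclosing method begins outside the hunk.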
@ -17,6 +17,7 @@ package com.google.gerrit.httpd.auth.container;
|
|||||||
import com.google.gerrit.httpd.WebSession;
|
import com.google.gerrit.httpd.WebSession;
|
||||||
import com.google.gerrit.server.account.AccountException;
|
import com.google.gerrit.server.account.AccountException;
|
||||||
import com.google.gerrit.server.account.AccountManager;
|
import com.google.gerrit.server.account.AccountManager;
|
||||||
|
import com.google.gerrit.server.account.AuthMethod;
|
||||||
import com.google.gerrit.server.account.AuthRequest;
|
import com.google.gerrit.server.account.AuthRequest;
|
||||||
import com.google.gerrit.server.account.AuthResult;
|
import com.google.gerrit.server.account.AuthResult;
|
||||||
import com.google.inject.Inject;
|
import com.google.inject.Inject;
|
||||||
@ -84,7 +85,7 @@ class HttpsClientSslCertAuthFilter implements Filter {
|
|||||||
log.error(err, e);
|
log.error(err, e);
|
||||||
throw new ServletException(err, e);
|
throw new ServletException(err, e);
|
||||||
}
|
}
|
||||||
webSession.get().login(arsp, true);
|
webSession.get().login(arsp, AuthMethod.COOKIE, true);
|
||||||
chain.doFilter(req, rsp);
|
chain.doFilter(req, rsp);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -21,6 +21,7 @@ import com.google.gerrit.reviewdb.client.AuthType;
|
|||||||
import com.google.gerrit.server.account.AccountException;
|
import com.google.gerrit.server.account.AccountException;
|
||||||
import com.google.gerrit.server.account.AccountManager;
|
import com.google.gerrit.server.account.AccountManager;
|
||||||
import com.google.gerrit.server.account.AccountUserNameException;
|
import com.google.gerrit.server.account.AccountUserNameException;
|
||||||
|
import com.google.gerrit.server.account.AuthMethod;
|
||||||
import com.google.gerrit.server.account.AuthRequest;
|
import com.google.gerrit.server.account.AuthRequest;
|
||||||
import com.google.gerrit.server.account.AuthResult;
|
import com.google.gerrit.server.account.AuthResult;
|
||||||
import com.google.gerrit.server.auth.AuthenticationUnavailableException;
|
import com.google.gerrit.server.auth.AuthenticationUnavailableException;
|
||||||
@ -79,7 +80,8 @@ class UserPassAuthServiceImpl implements UserPassAuthService {
|
|||||||
|
|
||||||
result.success = true;
|
result.success = true;
|
||||||
result.isNew = res.isNew();
|
result.isNew = res.isNew();
|
||||||
webSession.get().login(res, true /* persistent cookie */);
|
webSession.get().login(res, AuthMethod.PASSWORD,
|
||||||
|
true /* persistent cookie */);
|
||||||
callback.onSuccess(result);
|
callback.onSuccess(result);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -26,6 +26,7 @@ import com.google.gerrit.server.IdentifiedUser;
|
|||||||
import com.google.gerrit.server.UrlEncoded;
|
import com.google.gerrit.server.UrlEncoded;
|
||||||
import com.google.gerrit.server.account.AccountException;
|
import com.google.gerrit.server.account.AccountException;
|
||||||
import com.google.gerrit.server.account.AccountManager;
|
import com.google.gerrit.server.account.AccountManager;
|
||||||
|
import com.google.gerrit.server.account.AuthMethod;
|
||||||
import com.google.gerrit.server.config.AuthConfig;
|
import com.google.gerrit.server.config.AuthConfig;
|
||||||
import com.google.gerrit.server.config.CanonicalWebUrl;
|
import com.google.gerrit.server.config.CanonicalWebUrl;
|
||||||
import com.google.gerrit.server.config.ConfigUtil;
|
import com.google.gerrit.server.config.ConfigUtil;
|
||||||
@ -416,7 +417,7 @@ class OpenIdServiceImpl implements OpenIdService {
|
|||||||
lastId.setMaxAge(0);
|
lastId.setMaxAge(0);
|
||||||
}
|
}
|
||||||
rsp.addCookie(lastId);
|
rsp.addCookie(lastId);
|
||||||
webSession.get().login(arsp, remember);
|
webSession.get().login(arsp, AuthMethod.COOKIE, remember);
|
||||||
if (arsp.isNew() && claimedIdentifier != null) {
|
if (arsp.isNew() && claimedIdentifier != null) {
|
||||||
final com.google.gerrit.server.account.AuthRequest linkReq =
|
final com.google.gerrit.server.account.AuthRequest linkReq =
|
||||||
new com.google.gerrit.server.account.AuthRequest(
|
new com.google.gerrit.server.account.AuthRequest(
|
||||||
@ -430,7 +431,7 @@ class OpenIdServiceImpl implements OpenIdService {
|
|||||||
|
|
||||||
case LINK_IDENTIY: {
|
case LINK_IDENTIY: {
|
||||||
arsp = accountManager.link(identifiedUser.get().getAccountId(), areq);
|
arsp = accountManager.link(identifiedUser.get().getAccountId(), areq);
|
||||||
webSession.get().login(arsp, remember);
|
webSession.get().login(arsp, AuthMethod.COOKIE, remember);
|
||||||
callback(false, req, rsp);
|
callback(false, req, rsp);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
@ -0,0 +1,30 @@
|
|||||||
|
// Copyright (C) 2012 The Android Open Source Project
|
||||||
|
//
|
||||||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
// you may not use this file except in compliance with the License.
|
||||||
|
// You may obtain a copy of the License at
|
||||||
|
//
|
||||||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
//
|
||||||
|
// Unless required by applicable law or agreed to in writing, software
|
||||||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
// See the License for the specific language governing permissions and
|
||||||
|
// limitations under the License.
|
||||||
|
|
||||||
|
package com.google.gerrit.server.account;
|
||||||
|
|
||||||
|
/** Method by which a user has authenticated for a given request. */
|
||||||
|
public enum AuthMethod {
|
||||||
|
/** The user is not authenticated */
|
||||||
|
NONE,
|
||||||
|
|
||||||
|
/** The user is authenticated via a cookie. */
|
||||||
|
COOKIE,
|
||||||
|
|
||||||
|
/** The user authenticated with a password for this request. */
|
||||||
|
PASSWORD,
|
||||||
|
|
||||||
|
/** The user has used a credentialess development feature to login. */
|
||||||
|
BACKDOOR;
|
||||||
|
}
|
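Review bot: The Javadoc on `BACKDOOR` misspells `credentialess` (should be `credential-less`), and the `NONE` sentence lacks its full stop. More importantly, since the commit message says these values will drive whether XSRF validation is skipped, the enum should state which constants mean a credential was presented on this request (`PASSWORD`, `BACKDOOR`) and which mean the identity is carried by a cookie (`COOKIE`), so callers do not have to infer it; suggest on `COOKIE`: `/** The user is identified by a session cookie rather than a credential presented on this request. */`.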