SecurityFix: enforce HTTP password checking on gitBasicAuth

When using the auth.gitBasicAuth option in gerrit.config, the git
over HTTP authentication was using *ONLY* the Gerrit realm
for validating the user's credentials.

However, only the LDAP realm did a real full check of the
user's password, whilst with other realms (i.e. HTTP and HTTP_LDAP)
there was only a check on the existence of the user's account.

This created a potential security hole when a non-LDAP auth realm
was used in conjunction with gitBasicAuth.

The fix is to check, for non-LDAP authentication realms, the
HTTP Password in the Gerrit external access ids and deny
unauthenticated access if the password does not match or has not
been generated in the user's settings HTTP tab.

Change-Id: I620eb780e6d77b45f6bc8a3af42f8b7b1caf821d
Luca Milanesio
2014-03-05 23:46:26 +00:00
parent c72b30cab8
commit b281cd402b
7 changed files with 33 additions and 11 deletions


@@ -20,7 +20,8 @@ user must authenticate via HTTP/HTTPS.
When link:config-gerrit.html#auth.gitBasicAuth[gitBasicAuth] is enabled,
the user is authenticated using standard BasicAuth and credentials validated
using the same authentication method configured for the Gerrit Web UI.
using the randomly generated HTTP password on the `HTTP Password` tab
in the user settings page or against LDAP when configured for the Gerrit Web UI.
When gitBasicAuth is not configured, the user's HTTP credentials can be
accessed within Gerrit by going to `Settings`, and then accessing the `HTTP
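Review bot: the replacement sentence ("using the randomly generated HTTP password on the `HTTP Password` tab in the user settings page or against LDAP when configured for the Gerrit Web UI") leaves it unclear which realms fall on which side, since the commit message lists HTTP_LDAP among the realms that are now checked against the generated HTTP password rather than against LDAP. Suggest stating explicitly that the generated HTTP password is used for all non-LDAP realms (HTTP and HTTP_LDAP included) and that LDAP validation applies only when the LDAP realm itself is configured. The doc should also say that the user must generate the password first, because the commit message states that access is denied when no HTTP password has been generated; as written, a reader could assume a password always exists.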