Allow service users to access REST API if auth.gitBasicAuth = true

If auth.gitBasicAuth is set to true in the gerrit.config file, all HTTP
traffic is authenticated using standard BasicAuth and the credentials
are validated using the same auth method as configured for the Gerrit
Web UI. E.g. for LDAP this means that users must use their LDAP
password for Git over HTTP and for accessing the REST API.

Service users are technical users that were created by the
create-account SSH command. These users only exist in Gerrit and hence
they do not have any LDAP password. This is why at the moment service
users are not able to make use of the REST API if auth.gitBasicAuth is
set to true.

With this change users that exist only in Gerrit but not in LDAP are
authenticated with their HTTP password from the Gerrit database if
auth.gitBasicAuth is set to true.

Change-Id: I030c8810807ba678c148f7785a64cc5ff25308b8
Signed-off-by: Edwin Kempin <edwin.kempin@sap.com>
Edwin Kempin
2014-04-16 11:09:58 +02:00
committed by Martin Fick
parent 4b9d998bb4
commit c5eb00387b
4 changed files with 44 additions and 1 deletions


@@ -0,0 +1,26 @@
// Copyright (C) 2014 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package com.google.gerrit.server.auth;
import com.google.gerrit.server.account.AccountException;
/** The user does not exist on the authentication server */
public class NoSuchUserException extends AccountException {
private static final long serialVersionUID = 1L;
public NoSuchUserException(String username) {
super(String.format("No such user: %s", username));
}
}
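Review bot: NoSuchUserException gives a caller no way to tell a service account that was created only in Gerrit from an account that has since been removed from the directory. A caller that catches it to fall back to the Gerrit HTTP password, as the commit description says (that code is not in this section), would presumably also accept the stored HTTP password of a deprovisioned user unless it checks the account state. The class Javadoc should state that contract, e.g. `/** The user does not exist on the authentication server; callers that fall back to local credentials must verify the account is still active. */`. The message also embeds the caller-supplied `username`, so it should be logged rather than returned to the client, keeping an unknown user indistinguishable from a wrong password.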


@@ -20,6 +20,7 @@ import com.google.common.collect.ImmutableSet;
import com.google.gerrit.common.data.ParameterizedString;
import com.google.gerrit.reviewdb.client.AccountGroup;
import com.google.gerrit.server.account.AccountException;
import com.google.gerrit.server.auth.NoSuchUserException;
import com.google.gerrit.server.config.ConfigUtil;
import com.google.gerrit.server.config.GerritServerConfig;
import com.google.gerrit.util.ssl.BlindSSLSocketFactory;
@@ -178,7 +179,7 @@ import javax.security.auth.login.LoginException;
switch (res.size()) {
case 0:
throw new AccountException("No such user:" + username);
throw new NoSuchUserException(username);
case 1:
return res.get(0);