opendev/gerrit
Code Issues Proposed changes

Merge "Implements OpenID domain filtering"

Browse Source
This commit is contained in:
Shawn Pearce
2013-01-15 01:40:33 +00:00
committed by Gerrit Code Review
parent 1756441516 d2ab0cda62
commit c7abbfbbc1
3 changed files with 45 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
gerrit-openid/src/main/java/com/google/gerrit/httpd/auth/openid/OpenIdServiceImpl.java
View File

@@ -101,6 +101,7 @@ class OpenIdServiceImpl implements OpenIdService {
private final AccountManager accountManager;
private final ConsumerManager manager;
private final List<OpenIdProviderPattern> allowedOpenIDs;
private final List<String> openIdDomains;
/** Maximum age, in seconds, before forcing re-authentication of account. */
private final int papeMaxAuthAge;
@@ -142,6 +143,7 @@ class OpenIdServiceImpl implements OpenIdService {
accountManager = am;
manager = new ConsumerManager();
allowedOpenIDs = ac.getAllowedOpenIDs();
openIdDomains = ac.getOpenIdDomains();
papeMaxAuthAge = (int) ConfigUtil.getTimeUnit(config, //
"auth", null, "maxOpenIdSessionAge", -1, TimeUnit.SECONDS);
}
@@ -355,6 +357,32 @@ class OpenIdServiceImpl implements OpenIdService {
areq.setEmailAddress(fetchRsp.getAttributeValue("Email"));
}
if (openIdDomains != null && openIdDomains.size() > 0) {
// Administrator limited email domains, which can be used for OpenID.
// Login process will only work if the passed email matches one
// of these domains.
//
final String email = areq.getEmailAddress();
int emailAtIndex = email.lastIndexOf("@");
if (emailAtIndex >= 0 && emailAtIndex < email.length() - 1) {
final String emailDomain = email.substring(emailAtIndex);
boolean match = false;
for (String domain : openIdDomains) {
if (emailDomain.equalsIgnoreCase(domain)) {
match = true;
break;
}
}
if (!match) {
log.error("Domain disallowed: " + emailDomain);
cancelWithError(req, rsp, "Domain disallowed");
return;
}
}
}
if (claimedIdentifier != null) {
// The user used a claimed identity which has delegated to the verified
// identity we have in our AuthRequest above. We still should have a