Merge "Implements OpenID domain filtering"

Shawn Pearce 2013-01-15 01:40:33 +00:00 committed by Gerrit Code Review
commit c7abbfbbc1
3 changed files with 45 additions and 0 deletions


@ -193,6 +193,16 @@ end with `$`) or be a simple prefix (any other string).
By default, the list contains two values, `http://` and `https://`,
allowing Gerrit to trust any OpenID it receives.
[[auth.openIdDomain]]auth.openIdDomain::
+
List of allowed OpenID email address domains. Only used if
`auth.type` is set to "OPENID" or "OPENID_SSO".
+
Domain is case insensitive and must be in the same form as it
appears in the email address, for example, "example.com".
+
By default, any domain is accepted.
[[auth.maxOpenIdSessionAge]]auth.maxOpenIdSessionAge::
+
Time in seconds before an OpenID provider must force the user


@ -101,6 +101,7 @@ class OpenIdServiceImpl implements OpenIdService {
private final AccountManager accountManager;
private final ConsumerManager manager;
private final List<OpenIdProviderPattern> allowedOpenIDs;
private final List<String> openIdDomains;
/** Maximum age, in seconds, before forcing re-authentication of account. */
private final int papeMaxAuthAge;
@ -142,6 +143,7 @@ class OpenIdServiceImpl implements OpenIdService {
accountManager = am;
manager = new ConsumerManager();
allowedOpenIDs = ac.getAllowedOpenIDs();
openIdDomains = ac.getOpenIdDomains();
papeMaxAuthAge = (int) ConfigUtil.getTimeUnit(config, //
"auth", null, "maxOpenIdSessionAge", -1, TimeUnit.SECONDS);
}
@ -355,6 +357,32 @@ class OpenIdServiceImpl implements OpenIdService {
areq.setEmailAddress(fetchRsp.getAttributeValue("Email"));
}
if (openIdDomains != null && openIdDomains.size() > 0) {
// Administrator limited email domains, which can be used for OpenID.
// Login process will only work if the passed email matches one
// of these domains.
//
final String email = areq.getEmailAddress();
int emailAtIndex = email.lastIndexOf("@");
if (emailAtIndex >= 0 && emailAtIndex < email.length() - 1) {
final String emailDomain = email.substring(emailAtIndex);
boolean match = false;
for (String domain : openIdDomains) {
if (emailDomain.equalsIgnoreCase(domain)) {
match = true;
break;
}
}
if (!match) {
log.error("Domain disallowed: " + emailDomain);
cancelWithError(req, rsp, "Domain disallowed");
return;
}
}
}
if (claimedIdentifier != null) {
// The user used a claimed identity which has delegated to the verified
// identity we have in our AuthRequest above. We still should have a
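Review bot: The domain filter fails open: when `areq.getEmailAddress()` has no `@` or ends with one, the `emailAtIndex` guard is false and the whole check is skipped, so the login continues with no domain restriction applied; a null address (the `setEmailAddress` call above appears to be conditional) would instead throw on `email.lastIndexOf`. Separately, `email.substring(emailAtIndex)` keeps the `@`, so the compared value is `@example.com` while the documentation in this commit tells administrators to configure `example.com`; with the documented form no login would match. I would treat a missing or malformed address as a non-match, take the domain from `emailAtIndex + 1`, and move the rejection outside the inner `if`, as sketched below. The enclosing method starts and ends outside the hunk, so the null case is inferred from the visible lines only.

```java
final String email = areq.getEmailAddress();
final int emailAtIndex = email != null ? email.lastIndexOf('@') : -1;
// Fail closed: a missing or malformed address never satisfies the filter.
String emailDomain = null;
boolean match = false;
if (emailAtIndex >= 0 && emailAtIndex < email.length() - 1) {
  // Drop the '@' so the value has the documented "example.com" form.
  emailDomain = email.substring(emailAtIndex + 1);
  // … unchanged: equalsIgnoreCase loop over openIdDomains that sets match …
}
if (!match) {
  log.error("Domain disallowed: " + emailDomain);
  cancelWithError(req, rsp, "Domain disallowed");
  return;
}
```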


@ -25,6 +25,7 @@ import com.google.inject.Singleton;
import org.eclipse.jgit.lib.Config;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
@ -40,6 +41,7 @@ public class AuthConfig {
private final boolean gitBasicAuth;
private final String logoutUrl;
private final String openIdSsoUrl;
private final List<String> openIdDomains;
private final List<OpenIdProviderPattern> trustedOpenIDs;
private final List<OpenIdProviderPattern> allowedOpenIDs;
private final String cookiePath;
@ -56,6 +58,7 @@ public class AuthConfig {
httpHeader = cfg.getString("auth", null, "httpheader");
logoutUrl = cfg.getString("auth", null, "logouturl");
openIdSsoUrl = cfg.getString("auth", null, "openidssourl");
openIdDomains = Arrays.asList(cfg.getStringList("auth", null, "openIdDomain"));
trustedOpenIDs = toPatterns(cfg, "trustedOpenID");
allowedOpenIDs = toPatterns(cfg, "allowedOpenID");
cookiePath = cfg.getString("auth", null, "cookiepath");
@ -127,6 +130,10 @@ public class AuthConfig {
return openIdSsoUrl;
}
public List<String> getOpenIdDomains() {
return openIdDomains;
}
public String getCookiePath() {
return cookiePath;
}
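Review bot: `getOpenIdDomains()` hands out the `Arrays.asList` view built in the constructor, which is fixed-size but still allows `set()`, so any caller holding the list could replace entries of the login allow-list. Wrapping it once at construction keeps the configuration read-only: `openIdDomains = Collections.unmodifiableList(Arrays.asList(cfg.getStringList("auth", null, "openIdDomain")));` (`Collections` is already imported). The getter also has no Javadoc; I would add `/** Allowed OpenID email domains; an empty list means no restriction. */`, since the consumer in `OpenIdServiceImpl` skips the check when the list is empty.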