Allow HTTP password when using LDAP and basic authentication
So far, it was not possible to use the HTTP password to validate git over HTTP and REST API requests if LDAP was used along with HTTP basic authentication. There is a use case, though, where users do not want to use their LDAP password for the aforementioned requests, for example in automation scripts. Introduce a new configuration parameter, `gitBasicAuthPolicy`, to allow LDAP users to authenticate using either the HTTP or the LDAP password when doing git over HTTP and REST API requests. When this new parameter is set to LDAP, the password in the request is checked against the LDAP password only. When set to HTTP, the password is validated against the randomly generated HTTP password. Finally, when set to HTTP_LDAP, the password in the request is checked first against the HTTP password and, if it does not match, it is checked against the LDAP password. If the new parameter is not specified or if it is set to LDAP, the current behavior is preserved, i.e., only the LDAP password is allowed when using basic authentication. Change-Id: I8846cd89dfdb98ab2fc36ba754d8302cf40527e9
This commit is contained in:

committed by
Luca Milanesio

parent
b10848ee83
commit
d0bf015308
@@ -19,6 +19,7 @@ import static javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED;
|
||||
|
||||
import com.google.common.base.MoreObjects;
|
||||
import com.google.common.base.Strings;
|
||||
import com.google.gerrit.extensions.client.GitBasicAuthPolicy;
|
||||
import com.google.gerrit.extensions.registration.DynamicItem;
|
||||
import com.google.gerrit.reviewdb.client.Account;
|
||||
import com.google.gerrit.server.AccessPath;
|
||||
@@ -141,12 +142,16 @@ class ProjectBasicAuthFilter implements Filter {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (!authConfig.isLdapAuthType()
|
||||
&& !passwordMatchesTheUserGeneratedOne(who, username, password)) {
|
||||
log.warn("Authentication failed for " + username
|
||||
+ ": password does not match the one stored in Gerrit");
|
||||
rsp.sendError(SC_UNAUTHORIZED);
|
||||
return false;
|
||||
GitBasicAuthPolicy gitBasicAuthPolicy = authConfig.getGitBasicAuthPolicy();
|
||||
if (gitBasicAuthPolicy == GitBasicAuthPolicy.HTTP
|
||||
|| gitBasicAuthPolicy == GitBasicAuthPolicy.HTTP_LDAP) {
|
||||
if (passwordMatchesTheUserGeneratedOne(who, username, password)) {
|
||||
return succeedAuthentication(who);
|
||||
}
|
||||
}
|
||||
|
||||
if (gitBasicAuthPolicy == GitBasicAuthPolicy.HTTP) {
|
||||
return failAuthentication(rsp, username);
|
||||
}
|
||||
|
||||
AuthRequest whoAuth = AuthRequest.forUser(username);
|
||||
@@ -158,8 +163,7 @@ class ProjectBasicAuthFilter implements Filter {
|
||||
return true;
|
||||
} catch (NoSuchUserException e) {
|
||||
if (password.equals(who.getPassword(who.getUserName()))) {
|
||||
setUserIdentified(who.getAccount().getId());
|
||||
return true;
|
||||
return succeedAuthentication(who);
|
||||
}
|
||||
log.warn("Authentication failed for " + username, e);
|
||||
rsp.sendError(SC_UNAUTHORIZED);
|
||||
@@ -175,6 +179,19 @@ class ProjectBasicAuthFilter implements Filter {
|
||||
}
|
||||
}
|
||||
|
||||
private boolean succeedAuthentication(final AccountState who) {
|
||||
setUserIdentified(who.getAccount().getId());
|
||||
return true;
|
||||
}
|
||||
|
||||
private boolean failAuthentication(Response rsp, String username)
|
||||
throws IOException {
|
||||
log.warn("Authentication failed for {}: password does not match the one"
|
||||
+ " stored in Gerrit", username);
|
||||
rsp.sendError(SC_UNAUTHORIZED);
|
||||
return false;
|
||||
}
|
||||
|
||||
private void setUserIdentified(Account.Id id) {
|
||||
WebSession ws = session.get();
|
||||
ws.setUserAccountId(id);
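Review bot: The `catch (NoSuchUserException e)` fallback in the third hunk still accepts the user-generated HTTP password via `password.equals(who.getPassword(who.getUserName()))` without consulting `gitBasicAuthPolicy`, so a policy of LDAP does not restrict basic-auth logins to the LDAP password on that path, contrary to the commit description; for HTTP_LDAP it also repeats the HTTP check already done at the top of the second hunk. If that fallback is intentionally kept for compatibility, it deserves a comment such as `// Pre-existing fallback: an account unknown to the auth backend may still log in with its generated HTTP password, regardless of gitBasicAuthPolicy.`; otherwise the comparison should be guarded with `if (gitBasicAuthPolicy != GitBasicAuthPolicy.LDAP && password.equals(...))`, which appears possible since `gitBasicAuthPolicy` is declared as a local earlier in the same method. While touching that line, a constant-time comparison (e.g. `MessageDigest.isEqual` on the UTF-8 bytes, with a null check on the stored password) would be preferable to `String.equals` for a credential check. The enclosing method starts before the second hunk and ends after the third, so the `try` block and the remaining catch clauses are not visible here.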
|
||||
|