Implements OpenID domain filtering

Adds ability to only allow email addresses under specific domains to be used for OpenID login. The allowed domains can be configured in etc/gerrit.config under section [auth] as "openIdDomain". The values are then stored across GerritConfig and AuthConfig. If at least one openIdDomain is configured, OpenIdServiceImpl checks for a match on the email address used for login and returns error otherwise. The need for this was described in Google Groups to limit OpenID to Google Apps domain(s) of a company when using Gerrit for internal development. Change-Id: I549059e7ecea827009b632ef2e38d2ccdddf7cfb
2012-12-18 11:20:53 +11:00
parent 2c75536a73
commit d2ab0cda62
3 changed files with 45 additions and 0 deletions
--- a/gerrit-openid/src/main/java/com/google/gerrit/httpd/auth/openid/OpenIdServiceImpl.java
+++ b/gerrit-openid/src/main/java/com/google/gerrit/httpd/auth/openid/OpenIdServiceImpl.java
@@ -101,6 +101,7 @@ class OpenIdServiceImpl implements OpenIdService {
  private final AccountManager accountManager;
  private final ConsumerManager manager;
  private final List<OpenIdProviderPattern> allowedOpenIDs;
+  private final List<String> openIdDomains;

  /** Maximum age, in seconds, before forcing re-authentication of account. */
  private final int papeMaxAuthAge;
@@ -142,6 +143,7 @@ class OpenIdServiceImpl implements OpenIdService {
    accountManager = am;
    manager = new ConsumerManager();
    allowedOpenIDs = ac.getAllowedOpenIDs();
+    openIdDomains = ac.getOpenIdDomains();
    papeMaxAuthAge = (int) ConfigUtil.getTimeUnit(config, //
        "auth", null, "maxOpenIdSessionAge", -1, TimeUnit.SECONDS);
  }
@@ -355,6 +357,32 @@ class OpenIdServiceImpl implements OpenIdService {
      areq.setEmailAddress(fetchRsp.getAttributeValue("Email"));
    }

+    if (openIdDomains != null && openIdDomains.size() > 0) {
+      // Administrator limited email domains, which can be used for OpenID.
+      // Login process will only work if the passed email matches one
+      // of these domains.
+      //
+      final String email = areq.getEmailAddress();
+      int emailAtIndex = email.lastIndexOf("@");
+      if (emailAtIndex >= 0 && emailAtIndex < email.length() - 1) {
+        final String emailDomain = email.substring(emailAtIndex);
+
+        boolean match = false;
+        for (String domain : openIdDomains) {
+          if (emailDomain.equalsIgnoreCase(domain)) {
+            match = true;
+            break;
+          }
+        }
+
+        if (!match) {
+          log.error("Domain disallowed: " + emailDomain);
+          cancelWithError(req, rsp, "Domain disallowed");
+          return;
+        }
+      }
+    }
+
    if (claimedIdentifier != null) {
      // The user used a claimed identity which has delegated to the verified
      // identity we have in our AuthRequest above. We still should have a