SSO via client SSL certificates

Support for authentication using a client-side SSL certificate. This
authentication type is effectively a kind of SSO. Gerrit will configure Jetty's SSL
channel to request the client's SSL certificate. For this authentication to work, a
Gerrit administrator has to import the root certificate of the trust chain used
to issue the client's certificate into the <review-site>/etc/keystore.

For the Gerrit's server side SSL certificate one can use a certificate signed
by a CA or a self-signed certificate.

After the authentication is done Gerrit will obtain basic user
registration (name and email) from LDAP, and some group memberships.

Change-Id: Ic076178f844f05b73be5d7c8fe9c8bb29b458f26
Sasa Zivkov
2010-10-04 15:47:08 +02:00
parent e5669acc57
commit eabc89728c
10 changed files with 173 additions and 3 deletions


@@ -19,7 +19,9 @@ import static java.util.concurrent.TimeUnit.SECONDS;
import com.google.gerrit.launcher.GerritLauncher;
import com.google.gerrit.lifecycle.LifecycleListener;
import com.google.gerrit.reviewdb.AuthType;
import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.config.ConfigUtil;
import com.google.gerrit.server.config.GerritServerConfig;
import com.google.gerrit.server.config.SitePaths;
import com.google.inject.Inject;
@@ -139,6 +141,7 @@ public class JettyServer {
final URI[] listenUrls = listenURLs(cfg);
final boolean reuseAddress = cfg.getBoolean("httpd", "reuseaddress", true);
final int acceptors = cfg.getInt("httpd", "acceptorThreads", 2);
final AuthType authType = ConfigUtil.getEnum(cfg, "auth", null, "type", AuthType.OPENID);
reverseProxy = true;
final Connector[] connectors = new Connector[listenUrls.length];
@@ -147,11 +150,17 @@ public class JettyServer {
final int defaultPort;
final SelectChannelConnector c;
if (AuthType.CLIENT_SSL_CERT_LDAP.equals(authType) && ! "https".equals(u.getScheme())) {
throw new IllegalArgumentException("Protocol '" + u.getScheme()
+ "' " + " not supported in httpd.listenurl '" + u
+ "' when auth.type = '" + AuthType.CLIENT_SSL_CERT_LDAP.name()
+ "'; only 'https' is supported");
}
if ("http".equals(u.getScheme())) {
reverseProxy = false;
defaultPort = 80;
c = new SelectChannelConnector();
} else if ("https".equals(u.getScheme())) {
final SslSelectChannelConnector ssl = new SslSelectChannelConnector();
final File keystore = getFile(cfg, "sslkeystore", "etc/keystore");
@@ -164,6 +173,10 @@ public class JettyServer {
ssl.setKeyPassword(password);
ssl.setTrustPassword(password);
if (AuthType.CLIENT_SSL_CERT_LDAP.equals(authType)) {
ssl.setNeedClientAuth(true);
}
reverseProxy = false;
defaultPort = 443;
c = ssl;