From 5185b040d35040c3485708cc95aee59ec0fabfec Mon Sep 17 00:00:00 2001
From: Luca Milanesio
Date: Sat, 27 Jul 2013 22:03:06 +0100
Subject: [PATCH] Allows explicit login with auth.type = HTTP* When auth.type = HTTP or HTTP_LDAP, allows the configuration of an explicit login URL in order to trigger the authentication process of the front-end SSO system. URL and link name are customizable using: * auth.loginUrl * auth.loginText Configuring a server with auth.loginUrl allows an unknown user not yet logged in to perform anonymous browsing of Gerrit, as allowed by other auth.type methods.
Change-Id: I52aa7950fdf0ba23a55a7d4eb5f1f1e3f6be6b38
---
Documentation/config-gerrit.txt | 20 +++++++++++++++++++
.../gerrit/common/data/GerritConfig.java | 18 +++++++++++++++++
.../java/com/google/gerrit/client/Gerrit.java | 10 ++++++++--
.../gerrit/httpd/GerritConfigProvider.java | 8 ++++++--
.../com/google/gerrit/httpd/WebModule.java | 2 +-
.../httpd/auth/container/HttpAuthModule.java | 11 +++++++++-
.../gerrit/server/config/AuthConfig.java | 6 ++++++
7 files changed, 69 insertions(+), 6 deletions(-)
diff --git a/Documentation/config-gerrit.txt b/Documentation/config-gerrit.txt
index 49472df1bc..b6867b42c1 100644
--- a/Documentation/config-gerrit.txt
+++ b/Documentation/config-gerrit.txt
@@ -255,6 +255,26 @@ The "Sign In" link will send users directly to this URL.
HTTP header to trust the username from, or unset to select HTTP basic or digest authentication. Only used if `auth.type` is set to HTTP.
+[[auth.loginUrl]]auth.loginUrl::
++
+URL to redirect a browser to after the end-user has clicked on the
+login link in the upper right corner. Only used if 'auth.type' was set
+to HTTP or HTTP_LDAP.
+Organizations using an enterprise single-sign-on solution may want to
+redirect the browser to the SSO product's sign-in page for completing the
+login process and validate their credentials.
++
+If set, Gerrit allows to access anonymously until the end-user performs the login
+and then provides a trusted identity through the HTTP header.
+If not set, Gerrit requires the HTTP header with a trusted identity
+otherwise returns the error page LoginRedirect.html.
+
+[[auth.loginText]]auth.loginText::
++
+Text displayed in the loginUrl link. Only used if 'auth.loginUrl' was set.
++
+If not set, the 'Sign In' text is used.
+
[[auth.logoutUrl]]auth.logoutUrl:: + URL to redirect a browser to after the end-user has clicked on the
diff --git a/gerrit-common/src/main/java/com/google/gerrit/common/data/GerritConfig.java b/gerrit-common/src/main/java/com/google/gerrit/common/data/GerritConfig.java
index dd90400bc8..38901c7072 100644
--- a/gerrit-common/src/main/java/com/google/gerrit/common/data/GerritConfig.java
+++ b/gerrit-common/src/main/java/com/google/gerrit/common/data/GerritConfig.java
@@ -26,6 +26,8 @@ import java.util.Set;
public class GerritConfig implements Cloneable {
protected String registerUrl;
protected String registerText;
+ protected String loginUrl;
+ protected String loginText;
protected String httpPasswordUrl;
protected String reportBugUrl;
@@ -48,6 +50,22 @@ public class GerritConfig implements Cloneable {
protected int suggestFrom;
protected int changeUpdateDelay;
+ public String getLoginUrl() {
+ return loginUrl;
+ }
+
+ public void setLoginUrl(final String u) {
+ loginUrl = u;
+ }
+
+ public String getLoginText() {
+ return loginText;
+ }
+
+ public void setLoginText(String signinText) {
+ this.loginText = signinText;
+ }
+
public String getRegisterUrl() {
return registerUrl;
}
diff --git a/gerrit-gwtui/src/main/java/com/google/gerrit/client/Gerrit.java b/gerrit-gwtui/src/main/java/com/google/gerrit/client/Gerrit.java
index 864b2c933b..d3ba3e8eda 100644
--- a/gerrit-gwtui/src/main/java/com/google/gerrit/client/Gerrit.java
+++ b/gerrit-gwtui/src/main/java/com/google/gerrit/client/Gerrit.java
@@ -729,8 +729,6 @@ public class Gerrit implements EntryPoint {
whoAmI(cfg.getAuthType() != AuthType.CLIENT_SSL_CERT_LDAP);
} else {
switch (cfg.getAuthType()) {
- case HTTP:
- case HTTP_LDAP:
case CLIENT_SSL_CERT_LDAP:
break;
@@ -759,6 +757,14 @@ public class Gerrit implements EntryPoint {
});
break;
+ case HTTP:
+ case HTTP_LDAP:
+ if (cfg.getLoginUrl() != null) {
+ final String signinText = cfg.getLoginText() == null ? C.menuSignIn() : cfg.getLoginText();
+ menuRight.add(anchor(signinText, cfg.getLoginUrl()));
+ }
+ break;
+
case LDAP:
case LDAP_BIND:
case CUSTOM_EXTENSION:
diff --git a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/GerritConfigProvider.java b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/GerritConfigProvider.java
index 3966bc5fbc..9a428667e7 100644
--- a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/GerritConfigProvider.java
+++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/GerritConfigProvider.java
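Review bot: The new `getLoginUrl()`/`getLoginText()` accessors in GerritConfig have no comment recording that this bean is read by the browser client (`cfg.getLoginUrl()` in Gerrit.java in this same patch), so whatever is configured in `auth.loginUrl` is shown to signed-out visitors. A one-line Javadoc such as `/** SSO sign-in URL shown to signed-out users; must not carry credentials or tokens. */` on `getLoginUrl()` would capture that. The two setters are also written in different styles (`final String u` with a bare assignment versus `String signinText` with `this.`); picking one form would keep the class uniform.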
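Review bot: In the added `case HTTP: case HTTP_LDAP:` branch the link target is `cfg.getLoginUrl()` handed unchanged to `anchor(...)`, and nothing visible in this patch limits the setting to an http(s) or site-relative URL. The value comes from the site administrator, so the exposure is small, but a scheme check where `auth.loginUrl` is parsed (the AuthConfig constructor hunk) would stop a mistyped or script-scheme value from becoming a clickable link for every signed-out visitor; `anchor` is defined outside the hunk and may already handle this. Separately, `cfg.getLoginText()` is evaluated twice on one long line; `final String text = cfg.getLoginText();` followed by `menuRight.add(anchor(text != null ? text : C.menuSignIn(), cfg.getLoginUrl()));` reads more easily.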
@@ -94,10 +94,14 @@ class GerritConfigProvider implements Provider {
config.setHttpPasswordUrl(cfg.getString("auth", null, "httpPasswordUrl"));
break;
- case CLIENT_SSL_CERT_LDAP:
- case DEVELOPMENT_BECOME_ANY_ACCOUNT:
case HTTP:
case HTTP_LDAP:
+ config.setLoginUrl(cfg.getString("auth", null, "loginurl"));
+ config.setLoginText(cfg.getString("auth", null, "logintext"));
+ break;
+
+ case CLIENT_SSL_CERT_LDAP:
+ case DEVELOPMENT_BECOME_ANY_ACCOUNT:
case OPENID:
case OPENID_SSO:
break;
diff --git a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/WebModule.java b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/WebModule.java
index efd8e242b5..b46e6d7a49 100644
--- a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/WebModule.java
+++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/WebModule.java
@@ -88,7 +88,7 @@ public class WebModule extends FactoryModule {
switch (authConfig.getAuthType()) {
case HTTP:
case HTTP_LDAP:
- install(new HttpAuthModule());
+ install(new HttpAuthModule(authConfig));
break;
case CLIENT_SSL_CERT_LDAP:
diff --git a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/auth/container/HttpAuthModule.java b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/auth/container/HttpAuthModule.java
index daaa7e23f2..638d527720 100644
--- a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/auth/container/HttpAuthModule.java
+++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/auth/container/HttpAuthModule.java
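Review bot: `auth.loginUrl` is now read in two places, here through `cfg.getString("auth", null, "loginurl")` and again in the AuthConfig constructor, and the two copies drive different decisions: this one controls whether the browser shows a sign-in link, the AuthConfig one controls whether `HttpAuthFilter` is installed. If an AuthConfig instance is reachable in this provider (the switch subject lies outside the hunk, so this is an assumption), `config.setLoginUrl(authConfig.getLoginUrl());` would keep a single source of truth, so that any later normalisation or validation of the value applies to both. `loginText` is also copied when `loginUrl` is unset, which is harmless but could be skipped.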
@@ -14,13 +14,22 @@
package com.google.gerrit.httpd.auth.container;
+import com.google.gerrit.server.config.AuthConfig;
import com.google.inject.servlet.ServletModule;
/** Servlets and support related to HTTP authentication. */
public class HttpAuthModule extends ServletModule {
+ private final AuthConfig authConfig;
+
+ public HttpAuthModule(final AuthConfig authConfig) {
+ this.authConfig = authConfig;
+ }
+
@Override
protected void configureServlets() {
- filter("/").through(HttpAuthFilter.class);
+ if (authConfig.getLoginUrl() == null) {
+ filter("/").through(HttpAuthFilter.class);
+ }
serve("/login", "/login/*").with(HttpLoginServlet.class);
}
}
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/config/AuthConfig.java b/gerrit-server/src/main/java/com/google/gerrit/server/config/AuthConfig.java
index 06d2a7193c..f1c24cbf72 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/config/AuthConfig.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/config/AuthConfig.java
@@ -40,6 +40,7 @@ public class AuthConfig {
private final boolean enableRunAs;
private final boolean userNameToLowerCase;
private final boolean gitBasicAuth;
+ private final String loginUrl;
private final String logoutUrl;
private final String openIdSsoUrl;
private final List openIdDomains;
@@ -57,6 +58,7 @@ public class AuthConfig {
throws XsrfException {
authType = toType(cfg);
httpHeader = cfg.getString("auth", null, "httpheader");
+ loginUrl = cfg.getString("auth", null, "loginurl");
logoutUrl = cfg.getString("auth", null, "logouturl");
openIdSsoUrl = cfg.getString("auth", null, "openidssourl");
openIdDomains = Arrays.asList(cfg.getStringList("auth", null, "openIdDomain"));
@@ -124,6 +126,10 @@ public class AuthConfig {
return httpHeader;
}
+ public String getLoginUrl() {
+ return loginUrl;
+ }
+
public String getLogoutURL() {
return logoutUrl;
}
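Review bot: Making `filter("/").through(HttpAuthFilter.class)` conditional on `authConfig.getLoginUrl() == null` lets an optional UI setting remove the entry-point check for the trusted identity header, and neither the class comment nor the new constructor says so. With the filter absent, requests are served anonymously until `/login` is visited, so the deployment presumably depends on the front-end proxy stripping or overwriting the configured identity header on every path it forwards, not only on the paths it protects. That requirement deserves a comment above the `if`, for example `// loginUrl set: anonymous browsing is allowed and identity is established only via /login; the proxy must drop client-supplied copies of the auth header`. HttpAuthFilter is outside this patch, so any other duty it performs on `/` (such as reacting to a changed header for an existing session) should be checked before it is skipped.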
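Review bot: `loginUrl = cfg.getString("auth", null, "loginurl");` keeps the raw value, while HttpAuthModule in this patch treats any non-null result as the signal to stop installing `HttpAuthFilter`. If the config reader can return an empty string for a blank `loginUrl =` entry (not visible here), the server would switch to anonymous browsing with no usable login link, so normalising blank to null at this assignment would be safer, e.g. `loginUrl = Strings.emptyToNull(cfg.getString("auth", null, "loginurl"));` if Guava is already imported in this file. The documentation added by this patch says the setting is only used for HTTP and HTTP_LDAP, but the field is populated for every `authType`; a comment on the field stating that callers must check the auth type would match the docs. The new getter is spelled `getLoginUrl()` beside the existing `getLogoutURL()`, and the constructor continues outside the hunk.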