Merge branch 'ldap-auth'

2025-11-03 03:55:58 +01:00 · 2013-08-22 02:31:24 +09:00
parent c841d4a77a e0bd5a24f4
commit 6b57cca64d
10 changed files with 329 additions and 52 deletions
--- a/project/build.scala
+++ b/project/build.scala
@@ -36,6 +36,7 @@ object MyBuild extends Build {
        "org.pegdown" % "pegdown" % "1.3.0",
        "org.apache.commons" % "commons-compress" % "1.5",
        "com.typesafe.slick" %% "slick" % "1.0.1",
        "com.novell.ldap" % "jldap" % "2009-10-07",
        "com.h2database" % "h2" % "1.3.171",
        "ch.qos.logback" % "logback-classic" % "1.0.6" % "runtime",
        "org.eclipse.jetty" % "jetty-webapp" % "8.1.8.v20121106" % "container",
--- a/src/main/scala/app/SignInController.scala
+++ b/src/main/scala/app/SignInController.scala
@@ -1,7 +1,6 @@
 package app
 import service._
 import util.StringUtil._
 import jp.sf.amateras.scalatra.forms._
 class SignInController extends SignInControllerBase with SystemSettingsService with AccountService
@@ -24,19 +23,11 @@ trait SignInControllerBase extends ControllerBase { self: SystemSettingsService
  }
  post("/signin", form){ form =>
-    getAccountByUserName(form.userName).collect {
+    val settings = loadSystemSettings()
-      case account if(!account.isGroupAccount && account.password == sha1(form.password)) => {
+    authenticate(loadSystemSettings(), form.userName, form.password) match {
-        session.setAttribute("LOGIN_ACCOUNT", account)
+      case Some(account) => signin(account)
-        updateLastLoginDate(account.userName)
+      case None => redirect("/signin")
-
+    }
        session.get("REDIRECT").map { redirectUrl =>
          session.removeAttribute("REDIRECT")
          redirect(redirectUrl.asInstanceOf[String])
        }.getOrElse {
          redirect("/")
        }
      }
    } getOrElse redirect("/signin")
  }
  get("/signout"){
@@ -44,4 +35,19 @@ trait SignInControllerBase extends ControllerBase { self: SystemSettingsService
    redirect("/")
  }
  /**
   * Set account information into HttpSession and redirect.
   */
  private def signin(account: model.Account) = {
    session.setAttribute("LOGIN_ACCOUNT", account)
    updateLastLoginDate(account.userName)
    session.get("REDIRECT").map { redirectUrl =>
      session.removeAttribute("REDIRECT")
      redirect(redirectUrl.asInstanceOf[String])
    }.getOrElse {
      redirect("/")
    }
  }
 }
--- a/src/main/scala/app/SystemSettingsController.scala
+++ b/src/main/scala/app/SystemSettingsController.scala
@@ -17,12 +17,22 @@ trait SystemSettingsControllerBase extends ControllerBase with FlashMapSupport {
    "gravatar"                 -> trim(label("Gravatar", boolean())),
    "notification"             -> trim(label("Notification", boolean())),
    "smtp"                     -> optionalIfNotChecked("notification", mapping(
-        "host"     -> trim(label("SMTP Host", text(required))),
+        "host"                     -> trim(label("SMTP Host", text(required))),
-        "port"     -> trim(label("SMTP Port", optional(number()))),
+        "port"                     -> trim(label("SMTP Port", optional(number()))),
-        "user"     -> trim(label("SMTP User", optional(text()))),
+        "user"                     -> trim(label("SMTP User", optional(text()))),
-        "password" -> trim(label("SMTP Password", optional(text()))),
+        "password"                 -> trim(label("SMTP Password", optional(text()))),
-        "ssl"      -> trim(label("Enable SSL", optional(boolean())))
+        "ssl"                      -> trim(label("Enable SSL", optional(boolean())))
-    )(Smtp.apply))
+    )(Smtp.apply)),
    "ldapAuthentication"       -> trim(label("LDAP", boolean())),
    "ldap"                     -> optionalIfNotChecked("ldapAuthentication", mapping(
        "host"                     -> trim(label("LDAP host", text(required))),
        "port"                     -> trim(label("LDAP port", optional(number()))),
        "bindDN"                   -> trim(label("Bind DN", text(required))),
        "bindPassword"             -> trim(label("Bind Password", text(required))),
        "baseDN"                   -> trim(label("Base DN", text(required))),
        "userNameAttribute"        -> trim(label("User name attribute", text(required))),
        "mailAttribute"            -> trim(label("Mail address attribute", text(required)))
    )(Ldap.apply))
  )(SystemSettings.apply)
--- a/src/main/scala/service/AccountService.scala
+++ b/src/main/scala/service/AccountService.scala
@@ -3,9 +3,48 @@ package service
 import model._
 import scala.slick.driver.H2Driver.simple._
 import Database.threadLocalSession
 import service.SystemSettingsService.SystemSettings
 import util.StringUtil._
 import model.GroupMember
 import scala.Some
 import model.Account
 import util.LDAPUtil
 trait AccountService {
  def authenticate(settings: SystemSettings, userName: String, password: String): Option[Account] =
    if(settings.ldapAuthentication){
      ldapAuthentication(settings, userName, password)
    } else {
      defaultAuthentication(userName, password)
    }
  /**
   * Authenticate by internal database.
   */
  private def defaultAuthentication(userName: String, password: String) = {
    getAccountByUserName(userName).collect {
      case account if(!account.isGroupAccount && account.password == sha1(password)) => Some(account)
    } getOrElse None
  }
  /**
   * Authenticate by LDAP.
   */
  private def ldapAuthentication(settings: SystemSettings, userName: String, password: String) = {
    LDAPUtil.authenticate(settings.ldap.get, userName, password) match {
      case Right(mailAddress) => {
        // Create or update account by LDAP information
        getAccountByUserName(userName) match {
          case Some(x) => updateAccount(x.copy(mailAddress = mailAddress))
          case None    => createAccount(userName, "", mailAddress, false, None)
        }
        getAccountByUserName(userName)
      }
      case Left(errorMessage) => defaultAuthentication(userName, password)
    }
  }
  def getAccountByUserName(userName: String): Option[Account] = 
    Query(Accounts) filter(_.userName is userName.bind) firstOption
--- a/src/main/scala/service/SystemSettingsService.scala
+++ b/src/main/scala/service/SystemSettingsService.scala
@@ -19,6 +19,18 @@ trait SystemSettingsService {
        smtp.ssl.foreach(x => props.setProperty(SmtpSsl, x.toString))
      }
    }
    props.setProperty(LdapAuthentication, settings.ldapAuthentication.toString)
    if(settings.ldapAuthentication){
      settings.ldap.map { ldap =>
        props.setProperty(LdapHost, ldap.host)
        ldap.port.foreach(x => props.setProperty(LdapPort, x.toString))
        props.setProperty(LdapBindDN, ldap.bindDN)
        props.setProperty(LdapBindPassword, ldap.bindPassword)
        props.setProperty(LdapBaseDN, ldap.baseDN)
        props.setProperty(LdapUserNameAttribute, ldap.userNameAttribute)
        props.setProperty(LdapMailAddressAttribute, ldap.mailAttribute)
      }
    }
    props.store(new java.io.FileOutputStream(GitBucketConf), null)
  }
@@ -41,6 +53,19 @@ trait SystemSettingsService {
          getOptionValue[Boolean](props, SmtpSsl, None)))
      } else {
        None
      },
      getValue(props, LdapAuthentication, false),
      if(getValue(props, LdapAuthentication, false)){
        Some(Ldap(
          getValue(props, LdapHost, ""),
          getOptionValue(props, LdapPort, Some(DefaultLdapPort)),
          getValue(props, LdapBindDN, ""),
          getValue(props, LdapBindPassword, ""),
          getValue(props, LdapBaseDN, ""),
          getValue(props, LdapUserNameAttribute, ""),
          getValue(props, LdapMailAddressAttribute, "")))
      } else {
        None
      }
    )
  }
@@ -54,8 +79,19 @@ object SystemSettingsService {
    allowAccountRegistration: Boolean,
    gravatar: Boolean,
    notification: Boolean,
-    smtp: Option[Smtp]
+    smtp: Option[Smtp],
-  )
+    ldapAuthentication: Boolean,
    ldap: Option[Ldap])
  case class Ldap(
    host: String,
    port: Option[Int],
    bindDN: String,
    bindPassword: String,
    baseDN: String,
    userNameAttribute: String,
    mailAttribute: String)
  case class Smtp(
    host: String,
    port: Option[Int],
@@ -63,6 +99,8 @@ object SystemSettingsService {
    password: Option[String],
    ssl: Option[Boolean])
  val DefaultLdapPort = 389
  private val AllowAccountRegistration = "allow_account_registration"
  private val Gravatar = "gravatar"
  private val Notification = "notification"
@@ -71,6 +109,14 @@ object SystemSettingsService {
  private val SmtpUser = "smtp.user"
  private val SmtpPassword = "smtp.password"
  private val SmtpSsl = "smtp.ssl"
  private val LdapAuthentication = "ldap_authentication"
  private val LdapHost = "ldap.host"
  private val LdapPort = "ldap.port"
  private val LdapBindDN = "ldap.bindDN"
  private val LdapBindPassword = "ldap.bind_password"
  private val LdapBaseDN = "ldap.baseDN"
  private val LdapUserNameAttribute = "ldap.username_attribute"
  private val LdapMailAddressAttribute = "ldap.mail_attribute"
  private def getValue[A: ClassTag](props: java.util.Properties, key: String, default: A): A = {
    val value = props.getProperty(key)
--- a/src/main/scala/servlet/BasicAuthenticationFilter.scala
+++ b/src/main/scala/servlet/BasicAuthenticationFilter.scala
@@ -2,14 +2,13 @@ package servlet
 import javax.servlet._
 import javax.servlet.http._
-import util.StringUtil._
+import service.{SystemSettingsService, AccountService, RepositoryService}
 import service.{AccountService, RepositoryService}
 import org.slf4j.LoggerFactory
 /**
 * Provides BASIC Authentication for [[servlet.GitRepositoryServlet]].
 */
-class BasicAuthenticationFilter extends Filter with RepositoryService with AccountService {
+class BasicAuthenticationFilter extends Filter with RepositoryService with AccountService with SystemSettingsService {
  private val logger = LoggerFactory.getLogger(classOf[BasicAuthenticationFilter])
@@ -58,12 +57,12 @@ class BasicAuthenticationFilter extends Filter with RepositoryService with Accou
    }
  }
-  private def isWritableUser(username: String, password: String, repository: RepositoryService.RepositoryInfo): Boolean = {
+  private def isWritableUser(username: String, password: String, repository: RepositoryService.RepositoryInfo): Boolean =
-    getAccountByUserName(username).map { account =>
+    authenticate(loadSystemSettings(), username, password) match {
-      account.password == sha1(password) && hasWritePermission(repository.owner, repository.name, Some(account))
+      case Some(account) => hasWritePermission(repository.owner, repository.name, Some(account))
-    } getOrElse false
+      case None => false
-  }
+    }
-  
+
  private def requireAuth(response: HttpServletResponse): Unit = {
    response.setHeader("WWW-Authenticate", "BASIC realm=\"GitBucket\"")
    response.sendError(HttpServletResponse.SC_UNAUTHORIZED)
--- a/src/main/scala/util/LDAPUtil.scala
+++ b/src/main/scala/util/LDAPUtil.scala
@@ -0,0 +1,97 @@
 package util
 import service.SystemSettingsService.Ldap
 import service.SystemSettingsService
 import com.novell.ldap.{LDAPReferralException, LDAPEntry, LDAPConnection}
 /**
 * Utility for LDAP authentication.
 */
 object LDAPUtil {
  private val LDAP_VERSION: Int = 3
  /**
   * Try authentication by LDAP using given configuration.
   * Returns Right(mailAddress) if authentication is successful, otherwise  Left(errorMessage).
   */
  def authenticate(ldapSettings: Ldap, userName: String, password: String): Either[String, String] = {
    bind(
      ldapSettings.host,
      ldapSettings.port.getOrElse(SystemSettingsService.DefaultLdapPort),
      ldapSettings.bindDN,
      ldapSettings.bindPassword
    ) match {
      case Some(conn) => {
        withConnection(conn) { conn =>
          findUser(conn, userName, ldapSettings.baseDN, ldapSettings.userNameAttribute) match {
            case Some(userDN) => userAuthentication(ldapSettings, userDN, password)
            case None => Left("User does not exist")
          }
        }
      }
      case None => Left("System LDAP authentication failed.")
    }
  }
  private def userAuthentication(ldapSettings: Ldap, userDN: String, password: String): Either[String, String] = {
    bind(
      ldapSettings.host,
      ldapSettings.port.getOrElse(SystemSettingsService.DefaultLdapPort),
      userDN,
      password
    ) match {
      case Some(conn) => {
        withConnection(conn) { conn =>
          findMailAddress(conn, userDN, ldapSettings.mailAttribute) match {
            case Some(mailAddress) => Right(mailAddress)
            case None => Left("Can't find mail address.")
          }
        }
      }
      case None => Left("User LDAP Authentication Failed.")
    }
  }
  private def bind(host: String, port: Int, dn: String, password: String): Option[LDAPConnection] = {
    val conn: LDAPConnection = new LDAPConnection
    try {
      conn.connect(host, port)
      conn.bind(LDAP_VERSION, dn, password.getBytes)
      Some(conn)
    } catch {
      case e: Exception => {
        if (conn.isConnected) conn.disconnect()
        None
      }
    }
  }
  private def withConnection[T](conn: LDAPConnection)(f: LDAPConnection => T): T = {
    try {
      f(conn)
    } finally {
      conn.disconnect()
    }
  }
  private def findUser(conn: LDAPConnection, userName: String, baseDN: String, userNameAttribute: String): Option[String] = {
    val results = conn.search(baseDN, LDAPConnection.SCOPE_SUB, userNameAttribute + "=" + userName, null, false)
    (for(i <- 0 to results.getCount) yield try {
      Some(results.next)
    } catch {
      case ex: LDAPReferralException => None // NOTE(tanacasino): Referral follow is off. so ignores it.(for AD)
    }).flatten.collectFirst {
      case x if(x != null) => x.getDN
    }
  }
  private def findMailAddress(conn: LDAPConnection, userDN: String, mailAttribute: String): Option[String] = {
    val results = conn.search(userDN, LDAPConnection.SCOPE_BASE, null, Array[String](mailAttribute), false)
    if (results.hasMore) {
      Option(results.next.getAttribute(mailAttribute)).map(_.getStringValue)
    } else {
      None
    }
  }
 }
--- a/src/main/twirl/account/edit.scala.html
+++ b/src/main/twirl/account/edit.scala.html
@@ -18,15 +18,17 @@
            <span id="error-userName" class="error"></span>
          </fieldset>
        }
-        <fieldset>
+        @if(account.map(_.password.nonEmpty).getOrElse(true)){
-          <label for="password"><strong>Password</strong>
+          <fieldset>
-            @if(account.nonEmpty){
+            <label for="password"><strong>Password</strong>
-              (Input to change password)
+              @if(account.nonEmpty){
-            }
+                (Input to change password)
-          </label>
+              }
-          <input type="password" name="password" id="password" value=""/>
+            </label>
-          <span id="error-password" class="error"></span>
+            <input type="password" name="password" id="password" value=""/>
-        </fieldset>
+            <span id="error-password" class="error"></span>
          </fieldset>
        }
        <fieldset>
          <label for="mailAddress"><strong>Mail Address</strong></label>
          <input type="text" name="mailAddress" id="mailAddress" value="@account.map(_.mailAddress)"/>
--- a/src/main/twirl/admin/system.scala.html
+++ b/src/main/twirl/admin/system.scala.html
@@ -8,6 +8,9 @@
      <div class="box">
        <div class="box-header">System Settings</div>
        <div class="box-content">
          <!--====================================================================-->
          <!-- Account registration -->
          <!--====================================================================-->
          <label><strong>Account registration</strong></label>
          <fieldset>
            <label>
@@ -19,6 +22,9 @@
              <strong>Deny</strong> - Only administrators can create account.
            </label>
          </fieldset>
          <!--====================================================================-->
          <!-- Services -->
          <!--====================================================================-->
          <hr>
          <label><strong>Services</strong></label>
          <fieldset>
@@ -27,6 +33,71 @@
              Gravatar
            </label>
          </fieldset>
          <!--====================================================================-->
          <!-- Authentication -->
          <!--====================================================================-->
          <hr>
          <label><strong>Authentication</strong></label>
          <fieldset>
            <label>
              <input type="checkbox" id="ldapAuthentication" name="ldapAuthentication"@if(settings.ldap){ checked}/>
              LDAP
            </label>
          </fieldset>
          <div class="form-horizontal ldap">
            <div class="control-group">
              <label class="control-label" for="ldapHost">LDAP Host</label>
              <div class="controls">
                <input type="text" id="ldapHost" name="ldap.host" value="@settings.ldap.map(_.host)"/>
                <span id="error-ldap_host" class="error"></span>
              </div>
            </div>
            <div class="control-group">
              <label class="control-label" for="ldapPort">LDAP Port</label>
              <div class="controls">
                <input type="text" id="ldapPort" name="ldap.port" class="input-mini" value="@settings.ldap.map(_.port)"/>
                <span id="error-ldap_port" class="error"></span>
              </div>
            </div>
            <div class="control-group">
              <label class="control-label" for="ldapBindDN">Bind DN</label>
              <div class="controls">
                <input type="text" id="ldapBindDN" name="ldap.bindDN" value="@settings.ldap.map(_.bindDN)"/>
                <span id="error-ldap_bindDN" class="error"></span>
              </div>
            </div>
            <div class="control-group">
              <label class="control-label" for="ldapBindPassword">Bind Password</label>
              <div class="controls">
                <input type="password" id="ldapBindPassword" name="ldap.bindPassword" value="@settings.ldap.map(_.bindPassword)"/>
                <span id="error-ldap_bindPassword" class="error"></span>
              </div>
            </div>
            <div class="control-group">
              <label class="control-label" for="ldapBaseDN">Base DN</label>
              <div class="controls">
                <input type="text" id="ldapBaseDN" name="ldap.baseDN" value="@settings.ldap.map(_.baseDN)"/>
                <span id="error-ldap_baseDN" class="error"></span>
              </div>
            </div>
            <div class="control-group">
              <label class="control-label" for="ldapUserNameAttribute">User name attribute</label>
              <div class="controls">
                <input type="text" id="ldapUserNameAttribute" name="ldap.userNameAttribute" value="@settings.ldap.map(_.userNameAttribute)"/>
                <span id="error-ldap_userNameAttribute" class="error"></span>
              </div>
            </div>
            <div class="control-group">
              <label class="control-label" for="ldapMailAttribute">Mail address attribute</label>
              <div class="controls">
                <input type="text" id="ldapMailAttribute" name="ldap.mailAttribute" value="@settings.ldap.map(_.mailAttribute)"/>
                <span id="error-ldap_mailAttribute" class="error"></span>
              </div>
            </div>
          </div>
          <!--====================================================================-->
          <!-- Notification email -->
          <!--====================================================================-->
          <hr>
          <label><strong>Notification email</strong></label>
          <fieldset>
@@ -35,7 +106,7 @@
              Send notifications
            </label>
          </fieldset>
-          <div class="form-horizontal">
+          <div class="form-horizontal notification">
            <div class="control-group">
              <label class="control-label" for="smtpHost">SMTP Host</label>
              <div class="controls">
@@ -81,7 +152,11 @@
 <script>
 $(function(){
  $('#notification').change(function(){
-    $('.form-horizontal input').prop('disabled', !$(this).prop('checked'));
+    $('.notification input').prop('disabled', !$(this).prop('checked'));
  }).change();
  $('#ldapAuthentication').change(function(){
    $('.ldap input').prop('disabled', !$(this).prop('checked'));
  }).change();
 });
 </script>
--- a/src/main/twirl/admin/users/user.scala.html
+++ b/src/main/twirl/admin/users/user.scala.html
@@ -10,16 +10,18 @@
            <span id="error-userName" class="error"></span>
            <input type="text" name="userName" id="userName" value="@account.map(_.userName)"@if(account.isDefined){ readonly}/>
          </fieldset>
-          <fieldset>
+          @if(account.map(_.password.nonEmpty).getOrElse(true)){
-            <label for="password">
+            <fieldset>
-              <strong>Password</strong>
+              <label for="password">
-              @if(account.isDefined){
+                <strong>Password</strong>
-                (Input to change password)
+                @if(account.isDefined){
-              }
+                  (Input to change password)
-            </label>
+                }
-            <span id="error-password" class="error"></span>
+              </label>
-            <input type="password" name="password" id="password" value="" autocomplete="off"/>
+              <span id="error-password" class="error"></span>
-          </fieldset>
+              <input type="password" name="password" id="password" value="" autocomplete="off"/>
            </fieldset>
          }
          <fieldset>
            <label for="mailAddress"><strong>Mail Address</strong></label>
            <span id="error-mailAddress" class="error"></span>