Moving keystore definition into settings

contrib/redhat/gitbucket.conf

@@ -16,8 +16,5 @@
 # URL prefix for the GitBucket page (http://<host>:<port>/<prefix>/)
 #GITBUCKET_PREFIX=
 
-# Java keystore (for LDAP StartTLS)
-#GITBUCKET_KEYSTORE=/var/lib/gitbucket/keystore
-
 # Other Java option
 #GITBUCKET_JVM_OPTS=

contrib/redhat/gitbucket.init

@@ -14,7 +14,6 @@
 # Default values
 GITBUCKET_HOME=/var/lib/gitbucket
 GITBUCKET_WAR_FILE=/usr/share/gitbucket/lib/gitbucket.war
-GITBUCKET_KEYSTORE=/var/lib/gitbucket/keystore
 
 # Pull in cq settings
 [ -f /etc/sysconfig/gitbucket ] && . /etc/sysconfig/gitbucket
@@ -30,8 +29,6 @@ RETVAL=0
 start() {
 	echo -n $"Starting GitBucket server: "
 
-	GITBUCKET_JVM_OPTS="${GITBUCKET_JVM_OPTS} -Djavax.net.ssl.trustStore=${GITBUCKET_KEYSTORE}"
-
 	# Compile statup parameters
 	if [ $GITBUCKET_PORT ]; then
 		START_OPTS="${START_OPTS} --port=${GITBUCKET_PORT}"

src/main/scala/app/SystemSettingsController.scala

@@ -34,7 +34,8 @@ trait SystemSettingsControllerBase extends ControllerBase with FlashMapSupport {
         "baseDN"                   -> trim(label("Base DN", text(required))),
         "userNameAttribute"        -> trim(label("User name attribute", text(required))),
         "mailAttribute"            -> trim(label("Mail address attribute", text(required))),
-        "tls"                      -> trim(label("Enable StartTLS", optional(boolean())))
+        "tls"                      -> trim(label("Enable StartTLS", optional(boolean()))),
+        "keystore"                 -> trim(label("Keystore", optional(text())))
     )(Ldap.apply))
   )(SystemSettings.apply)
 

src/main/scala/service/SystemSettingsService.scala

@@ -33,6 +33,7 @@ trait SystemSettingsService {
           props.setProperty(LdapUserNameAttribute, ldap.userNameAttribute)
           props.setProperty(LdapMailAddressAttribute, ldap.mailAttribute)
           ldap.tls.foreach(x => props.setProperty(LdapTls, x.toString))
+          ldap.keystore.foreach(x => props.setProperty(LdapKeystore, x))
         }
       }
       props.store(new java.io.FileOutputStream(GitBucketConf), null)
@@ -71,7 +72,8 @@ trait SystemSettingsService {
             getValue(props, LdapBaseDN, ""),
             getValue(props, LdapUserNameAttribute, ""),
             getValue(props, LdapMailAddressAttribute, ""),
-            getOptionValue[Boolean](props, LdapTls, None)))
+            getOptionValue[Boolean](props, LdapTls, None),
+            getOptionValue(props, LdapKeystore, None)))
         } else {
           None
         }
@@ -100,7 +102,8 @@ object SystemSettingsService {
     baseDN: String,
     userNameAttribute: String,
     mailAttribute: String,
-    tls: Option[Boolean])
+    tls: Option[Boolean],
+    keystore: Option[String])
 
   case class Smtp(
     host: String,
@@ -113,6 +116,7 @@ object SystemSettingsService {
 
   val DefaultSmtpPort = 25
   val DefaultLdapPort = 389
+  val DefaultLdapKeystore = "/var/lib/gitbucket/keystore"
 
   private val AllowAccountRegistration = "allow_account_registration"
   private val Gravatar = "gravatar"
@@ -133,6 +137,7 @@ object SystemSettingsService {
   private val LdapUserNameAttribute = "ldap.username_attribute"
   private val LdapMailAddressAttribute = "ldap.mail_attribute"
   private val LdapTls = "ldap.tls"
+  private val LdapKeystore = "ldap.keystore"
 
   private def getValue[A: ClassTag](props: java.util.Properties, key: String, default: A): A =
     defining(props.getProperty(key)){ value =>

src/main/scala/util/LDAPUtil.scala

@@ -26,7 +26,8 @@ object LDAPUtil {
       ldapSettings.port.getOrElse(SystemSettingsService.DefaultLdapPort),
       ldapSettings.bindDN.getOrElse(""),
       ldapSettings.bindPassword.getOrElse(""),
-      ldapSettings.tls.getOrElse(false)
+      ldapSettings.tls.getOrElse(false),
+      ldapSettings.keystore.getOrElse(SystemSettingsService.DefaultLdapKeystore)
     ) match {
       case Some(conn) => {
         withConnection(conn) { conn =>
@@ -46,7 +47,8 @@ object LDAPUtil {
       ldapSettings.port.getOrElse(SystemSettingsService.DefaultLdapPort),
       userDN,
       password,
-      ldapSettings.tls.getOrElse(false)
+      ldapSettings.tls.getOrElse(false),
+      ldapSettings.keystore.getOrElse(SystemSettingsService.DefaultLdapKeystore)
     ) match {
       case Some(conn) => {
         withConnection(conn) { conn =>
@@ -60,10 +62,14 @@ object LDAPUtil {
     }
   }
 
-  private def bind(host: String, port: Int, dn: String, password: String, tls: Boolean): Option[LDAPConnection] = {
+  private def bind(host: String, port: Int, dn: String, password: String, tls: Boolean, keystore: String): Option[LDAPConnection] = {
     if (tls) {
       // Dynamically set Sun as the security provider
       Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider())
+
+      // Dynamically set the property that JSSE uses to identify
+      // the keystore that holds trusted root certificates
+      System.setProperty("javax.net.ssl.trustStore", keystore);
     }
 
     val conn: LDAPConnection = new LDAPConnection(new LDAPJSSEStartTLSFactory())

src/main/twirl/admin/system.scala.html

@@ -101,6 +101,13 @@
                 </label>
               </div>
             </div>
+            <div class="control-group">
+              <label class="control-label" for="ldapBindDN">Keystore</label>
+              <div class="controls">
+                <input type="text" id="ldapKeystore" name="ldap.keystore" value="@settings.ldap.map(_.keystore)"/>
+                <span id="error-ldap_keystore" class="error"></span>
+              </div>
+            </div>
           </div>
           <!--====================================================================-->
           <!-- Notification email -->