move authentication logic from BasicSecurityContext to ScmRealm

2025-11-10 15:35:49 +01:00 · 2012-08-26 17:27:13 +02:00
parent 440542f55e
commit e9a08fbec6
1 changed files with 315 additions and 4 deletions
--- a/scm-webapp/src/main/java/sonia/scm/security/ScmRealm.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/ScmRealm.java
@@ -40,6 +40,7 @@ import org.apache.shiro.authc.AccountException;
 import org.apache.shiro.authc.AuthenticationException;
 import org.apache.shiro.authc.AuthenticationInfo;
 import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.authc.DisabledAccountException;
 import org.apache.shiro.authc.SimpleAuthenticationInfo;
 import org.apache.shiro.authc.UnknownAccountException;
 import org.apache.shiro.authc.pam.UnsupportedTokenException;
@@ -55,24 +56,34 @@ import org.slf4j.LoggerFactory;
 import sonia.scm.HandlerEvent;
 import sonia.scm.cache.Cache;
 import sonia.scm.cache.CacheManager;
+import sonia.scm.config.ScmConfiguration;
+import sonia.scm.group.Group;
+import sonia.scm.group.GroupManager;
 import sonia.scm.repository.Permission;
 import sonia.scm.repository.Repository;
 import sonia.scm.repository.RepositoryDAO;
 import sonia.scm.repository.RepositoryListener;
 import sonia.scm.repository.RepositoryManager;
 import sonia.scm.user.User;
+import sonia.scm.user.UserException;
 import sonia.scm.user.UserListener;
 import sonia.scm.user.UserManager;
+import sonia.scm.util.Util;
 import sonia.scm.web.security.AuthenticationManager;
 import sonia.scm.web.security.AuthenticationResult;
 import sonia.scm.web.security.AuthenticationState;

 //~--- JDK imports ------------------------------------------------------------

+import java.io.IOException;
+
 import java.util.Collection;
+import java.util.Iterator;
 import java.util.List;
 import java.util.Set;

+import javax.servlet.http.HttpServletRequest;
+
 /**
 *
 * @author Sebastian Sdorra
@@ -93,6 +104,9 @@ public class ScmRealm extends AuthorizingRealm
  /** Field description */
  private static final String ROLE_USER = "user";

+  /** Field description */
+  private static final String SCM_CREDENTIALS = "SCM_CREDENTIALS";
+
  /**
   * the logger for ScmRealm
   */
@@ -104,16 +118,22 @@ public class ScmRealm extends AuthorizingRealm
   * Constructs ...
   *
   *
+   *
+   * @param configuration
   * @param cacheManager
   * @param userManager
+   * @param groupManager
   * @param repositoryManager
   * @param repositoryDAO
   * @param authenticator
   */
-  public ScmRealm(CacheManager cacheManager, UserManager userManager,
+  public ScmRealm(ScmConfiguration configuration, CacheManager cacheManager,
+    UserManager userManager, GroupManager groupManager,
    RepositoryManager repositoryManager, RepositoryDAO repositoryDAO,
    AuthenticationManager authenticator)
  {
+    this.configuration = configuration;
+    this.userManager = userManager;
    this.repositoryDAO = repositoryDAO;
    this.authenticator = authenticator;
    this.cache = cacheManager.getCache(String.class, AuthorizationInfo.class,
@@ -260,6 +280,169 @@ public class ScmRealm extends AuthorizingRealm
    return info;
  }

+  /**
+   * Method description
+   *
+   *
+   * @param request
+   * @param password
+   * @param ar
+   *
+   * @return
+   */
+  private Set<String> authenticate(HttpServletRequest request, String password,
+    AuthenticationResult ar)
+  {
+    Set<String> groupSet = null;
+    User user = ar.getUser();
+
+    try
+    {
+      groupSet = createGroupSet(ar);
+
+      // check for admin user
+      checkForAuthenticatedAdmin(user, groupSet);
+
+      // store user
+      User dbUser = userManager.get(user.getName());
+
+      if (dbUser != null)
+      {
+        checkDBForAdmin(user, dbUser);
+        checkDBForActive(user, dbUser);
+      }
+
+      // create new user
+      else
+      {
+        userManager.create(user);
+      }
+
+      if (user.isActive())
+      {
+
+        if (logger.isDebugEnabled())
+        {
+          logGroups(user, groupSet);
+        }
+
+        // store encrypted credentials in session
+        String credentials = user.getName();
+
+        if (Util.isNotEmpty(password))
+        {
+          credentials = credentials.concat(":").concat(password);
+        }
+
+        credentials = CipherUtil.getInstance().encode(credentials);
+        request.getSession(true).setAttribute(SCM_CREDENTIALS, credentials);
+      }
+      else
+      {
+
+        String msg = "user ".concat(user.getName()).concat(" is deactivated");
+
+        if (logger.isWarnEnabled())
+        {
+          logger.warn(msg);
+        }
+
+        throw new DisabledAccountException(msg);
+
+      }
+    }
+    catch (Exception ex)
+    {
+      logger.error("authentication failed", ex);
+
+      throw new AuthenticationException("authentication failed", ex);
+    }
+
+    return groupSet;
+  }
+
+  /**
+   * Method description
+   *
+   *
+   * @param user
+   * @param dbUser
+   */
+  private void checkDBForActive(User user, User dbUser)
+  {
+
+    // user is deactivated by database
+    if (!dbUser.isActive())
+    {
+      if (logger.isDebugEnabled())
+      {
+        logger.debug("user {} is marked as deactivated by local database",
+          user.getName());
+      }
+
+      user.setActive(false);
+    }
+  }
+
+  /**
+   * Method description
+   *
+   *
+   * @param user
+   * @param dbUser
+   *
+   * @throws IOException
+   * @throws UserException
+   */
+  private void checkDBForAdmin(User user, User dbUser)
+    throws UserException, IOException
+  {
+
+    // if database user is an admin, set admin for the current user
+    if (dbUser.isAdmin())
+    {
+      if (logger.isDebugEnabled())
+      {
+        logger.debug("user {} of type {} is marked as admin by local database",
+          user.getName(), user.getType());
+      }
+
+      user.setAdmin(true);
+    }
+
+    // modify existing user, copy properties except password and admin
+    if (user.copyProperties(dbUser, false))
+    {
+      userManager.modify(dbUser);
+    }
+  }
+
+  /**
+   * Method description
+   *
+   *
+   * @param user
+   * @param groupSet
+   */
+  private void checkForAuthenticatedAdmin(User user, Set<String> groupSet)
+  {
+    if (!user.isAdmin())
+    {
+      user.setAdmin(isAdmin(user, groupSet));
+
+      if (logger.isDebugEnabled() && user.isAdmin())
+      {
+        logger.debug("user {} is marked as admin by configuration",
+          user.getName());
+      }
+    }
+    else if (logger.isDebugEnabled())
+    {
+      logger.debug("authenticator {} marked user {} as admin", user.getType(),
+        user.getName());
+    }
+  }
+
  /**
   * Method description
   *
@@ -315,7 +498,8 @@ public class ScmRealm extends AuthorizingRealm
    ScmAuthenticationToken token, AuthenticationResult result)
  {
    User user = result.getUser();
-    Collection<String> groups = result.getGroups();
+    Collection<String> groups = authenticate(token.getRequest(),
+                                  token.getPassword(), result);

    SimplePrincipalCollection collection = new SimplePrincipalCollection();

@@ -358,7 +542,125 @@ public class ScmRealm extends AuthorizingRealm
    return info;
  }

+  /**
+   * Method description
+   *
+   *
+   * @param ar
+   *
+   * @return
+   */
+  private Set<String> createGroupSet(AuthenticationResult ar)
+  {
+    Set<String> groupSet = Sets.newHashSet();

+    // load external groups
+    Collection<String> extGroups = ar.getGroups();
+
+    if (extGroups != null)
+    {
+      groupSet.addAll(extGroups);
+    }
+
+    // load internal groups
+    loadGroups(ar.getUser(), groupSet);
+
+    return groupSet;
+  }
+
+  /**
+   * Method description
+   *
+   *
+   *
+   * @param user
+   * @param groupSet
+   */
+  private void loadGroups(User user, Set<String> groupSet)
+  {
+    Collection<Group> groupCollection =
+      groupManager.getGroupsForMember(user.getName());
+
+    if (groupCollection != null)
+    {
+      for (Group group : groupCollection)
+      {
+        groupSet.add(group.getName());
+      }
+    }
+  }
+
+  /**
+   * Method description
+   *
+   *
+   * @param user
+   * @param groups
+   */
+  private void logGroups(User user, Set<String> groups)
+  {
+    StringBuilder msg = new StringBuilder("user ");
+
+    msg.append(user.getName());
+
+    if (Util.isNotEmpty(groups))
+    {
+      msg.append(" is member of ");
+
+      Iterator<String> groupIt = groups.iterator();
+
+      while (groupIt.hasNext())
+      {
+        msg.append(groupIt.next());
+
+        if (groupIt.hasNext())
+        {
+          msg.append(", ");
+        }
+      }
+    }
+    else
+    {
+      msg.append(" is not a member of a group");
+    }
+
+    logger.debug(msg.toString());
+  }
+
+  //~--- get methods ----------------------------------------------------------
+
+  /**
+   * Method description
+   *
+   *
+   *
+   *
+   * @param user
+   * @param groups
+   * @return
+   */
+  private boolean isAdmin(User user, Collection<String> groups)
+  {
+    boolean result = false;
+    Set<String> adminUsers = configuration.getAdminUsers();
+
+    if (adminUsers != null)
+    {
+      result = adminUsers.contains(user.getName());
+    }
+
+    if (!result)
+    {
+      Set<String> adminGroups = configuration.getAdminGroups();
+
+      if (adminGroups != null)
+      {
+        result = Util.containsOne(adminGroups, groups);
+      }
+    }
+
+    return result;
+  }

  //~--- fields ---------------------------------------------------------------

@@ -368,6 +670,15 @@ public class ScmRealm extends AuthorizingRealm
  /** Field description */
  private Cache<String, AuthorizationInfo> cache;

+  /** Field description */
+  private ScmConfiguration configuration;
+
+  /** Field description */
+  private GroupManager groupManager;
+
  /** Field description */
  private RepositoryDAO repositoryDAO;
+
+  /** Field description */
+  private UserManager userManager;
 }