Support serving repositories over the SSH transport
Gitblit would greatly benefit from an integrated SSH server. This would
complete the transport trifecta.
Change-Id: I6fb95abe65655fa74d47ea71522d8d9a1541450c
diff --git a/.classpath b/.classpath
index fd38d56..52377e2 100644
--- a/.classpath
+++ b/.classpath
@@ -52,6 +52,8 @@
<classpathentry kind="lib" path="ext/bcprov-jdk15on-1.49.jar" sourcepath="ext/src/bcprov-jdk15on-1.49.jar" />
<classpathentry kind="lib" path="ext/bcmail-jdk15on-1.49.jar" sourcepath="ext/src/bcmail-jdk15on-1.49.jar" />
<classpathentry kind="lib" path="ext/bcpkix-jdk15on-1.49.jar" sourcepath="ext/src/bcpkix-jdk15on-1.49.jar" />
+ <classpathentry kind="lib" path="ext/sshd-core-0.6.0.jar" sourcepath="ext/src/sshd-core-0.6.0.jar" />
+ <classpathentry kind="lib" path="ext/mina-core-2.0.2.jar" sourcepath="ext/src/mina-core-2.0.2.jar" />
<classpathentry kind="lib" path="ext/rome-0.9.jar" sourcepath="ext/src/rome-0.9.jar" />
<classpathentry kind="lib" path="ext/jdom-1.0.jar" sourcepath="ext/src/jdom-1.0.jar" />
<classpathentry kind="lib" path="ext/gson-1.7.2.jar" sourcepath="ext/src/gson-1.7.2.jar" />
diff --git a/build.moxie b/build.moxie
index 19a9027..7c39226 100644
--- a/build.moxie
+++ b/build.moxie
@@ -109,6 +109,7 @@
bouncycastle.version : 1.49
selenium.version : 2.28.0
wikitext.version : 1.4
+ sshd.version: 0.6.0
}
# Dependencies
@@ -155,6 +156,7 @@
- compile 'org.bouncycastle:bcprov-jdk15on:${bouncycastle.version}' :war :authority
- compile 'org.bouncycastle:bcmail-jdk15on:${bouncycastle.version}' :war :authority
- compile 'org.bouncycastle:bcpkix-jdk15on:${bouncycastle.version}' :war :authority
+- compile 'org.apache.sshd:sshd-core:${sshd.version}' :war !org.easymock
- compile 'rome:rome:0.9' :war :manager :api
- compile 'com.google.code.gson:gson:1.7.2' :war :fedclient :manager :api
- compile 'org.codehaus.groovy:groovy-all:${groovy.version}' :war
diff --git a/gitblit.iml b/gitblit.iml
index 8e787cb..c114d4d 100644
--- a/gitblit.iml
+++ b/gitblit.iml
@@ -529,6 +529,28 @@
</library>
</orderEntry>
<orderEntry type="module-library">
+ <library name="sshd-core-0.6.0.jar">
+ <CLASSES>
+ <root url="jar://$MODULE_DIR$/ext/sshd-core-0.6.0.jar!/" />
+ </CLASSES>
+ <JAVADOC />
+ <SOURCES>
+ <root url="jar://$MODULE_DIR$/ext/src/sshd-core-0.6.0.jar!/" />
+ </SOURCES>
+ </library>
+ </orderEntry>
+ <orderEntry type="module-library">
+ <library name="mina-core-2.0.2.jar">
+ <CLASSES>
+ <root url="jar://$MODULE_DIR$/ext/mina-core-2.0.2.jar!/" />
+ </CLASSES>
+ <JAVADOC />
+ <SOURCES>
+ <root url="jar://$MODULE_DIR$/ext/src/mina-core-2.0.2.jar!/" />
+ </SOURCES>
+ </library>
+ </orderEntry>
+ <orderEntry type="module-library">
<library name="rome-0.9.jar">
<CLASSES>
<root url="jar://$MODULE_DIR$/ext/rome-0.9.jar!/" />
diff --git a/src/main/distrib/data/gitblit.properties b/src/main/distrib/data/gitblit.properties
index 3c60539..5bc28fd 100644
--- a/src/main/distrib/data/gitblit.properties
+++ b/src/main/distrib/data/gitblit.properties
@@ -93,6 +93,23 @@
# RESTART REQUIRED
git.daemonPort = 9418
+# The port for serving the SSH service. <= 0 disables this service.
+# On Unix/Linux systems, ports < 1024 require root permissions.
+# Recommended value: 29418
+#
+# SINCE 1.5.0
+# RESTART REQUIRED
+git.sshPort = 29418
+
+# Specify the interface for the SSH daemon to bind its service.
+# You may specify an ip or an empty value to bind to all interfaces.
+# Specifying localhost will result in Gitblit ONLY listening to requests to
+# localhost.
+#
+# SINCE 1.5.0
+# RESTART REQUIRED
+git.sshBindInterface = localhost
+
# Allow push/pull over http/https with JGit servlet.
# If you do NOT want to allow Git clients to clone/push to Gitblit set this
# to false. You might want to do this if you are only using ssh:// or git://.
diff --git a/src/main/java/com/gitblit/GitBlitServer.java b/src/main/java/com/gitblit/GitBlitServer.java
index 64d3cad..c37bc3a 100644
--- a/src/main/java/com/gitblit/GitBlitServer.java
+++ b/src/main/java/com/gitblit/GitBlitServer.java
@@ -1,703 +1,707 @@
-/*
- * Copyright 2011 gitblit.com.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package com.gitblit;
-
-import java.io.BufferedReader;
-import java.io.BufferedWriter;
-import java.io.File;
-import java.io.FileWriter;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.InputStreamReader;
-import java.io.OutputStream;
-import java.net.InetAddress;
-import java.net.ServerSocket;
-import java.net.Socket;
-import java.net.URI;
-import java.net.URL;
-import java.net.UnknownHostException;
-import java.security.ProtectionDomain;
-import java.text.MessageFormat;
-import java.util.ArrayList;
-import java.util.Date;
-import java.util.List;
-import java.util.Properties;
-import java.util.Scanner;
-
-import org.apache.log4j.PropertyConfigurator;
-import org.eclipse.jetty.ajp.Ajp13SocketConnector;
-import org.eclipse.jetty.security.ConstraintMapping;
-import org.eclipse.jetty.security.ConstraintSecurityHandler;
-import org.eclipse.jetty.server.Connector;
-import org.eclipse.jetty.server.Server;
-import org.eclipse.jetty.server.bio.SocketConnector;
-import org.eclipse.jetty.server.nio.SelectChannelConnector;
-import org.eclipse.jetty.server.session.HashSessionManager;
-import org.eclipse.jetty.server.ssl.SslConnector;
-import org.eclipse.jetty.server.ssl.SslSelectChannelConnector;
-import org.eclipse.jetty.server.ssl.SslSocketConnector;
-import org.eclipse.jetty.util.security.Constraint;
-import org.eclipse.jetty.util.thread.QueuedThreadPool;
-import org.eclipse.jetty.webapp.WebAppContext;
-import org.eclipse.jgit.storage.file.FileBasedConfig;
-import org.eclipse.jgit.util.FS;
-import org.eclipse.jgit.util.FileUtils;
-import org.kohsuke.args4j.CmdLineException;
-import org.kohsuke.args4j.CmdLineParser;
-import org.kohsuke.args4j.Option;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.gitblit.authority.GitblitAuthority;
-import com.gitblit.authority.NewCertificateConfig;
-import com.gitblit.servlet.GitblitContext;
-import com.gitblit.utils.StringUtils;
-import com.gitblit.utils.TimeUtils;
-import com.gitblit.utils.X509Utils;
-import com.gitblit.utils.X509Utils.X509Log;
-import com.gitblit.utils.X509Utils.X509Metadata;
-import com.unboundid.ldap.listener.InMemoryDirectoryServer;
-import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
-import com.unboundid.ldap.listener.InMemoryListenerConfig;
-import com.unboundid.ldif.LDIFReader;
-
-/**
- * GitBlitServer is the embedded Jetty server for Gitblit GO. This class starts
- * and stops an instance of Jetty that is configured from a combination of the
- * gitblit.properties file and command line parameters. JCommander is used to
- * simplify command line parameter processing. This class also automatically
- * generates a self-signed certificate for localhost, if the keystore does not
- * already exist.
- *
- * @author James Moger
- *
- */
-public class GitBlitServer {
-
- private static Logger logger;
-
- public static void main(String... args) {
- GitBlitServer server = new GitBlitServer();
-
- // filter out the baseFolder parameter
- List<String> filtered = new ArrayList<String>();
- String folder = "data";
- for (int i = 0; i < args.length; i++) {
- String arg = args[i];
- if (arg.equals("--baseFolder")) {
- if (i + 1 == args.length) {
- System.out.println("Invalid --baseFolder parameter!");
- System.exit(-1);
- } else if (!".".equals(args[i + 1])) {
- folder = args[i + 1];
- }
- i = i + 1;
- } else {
- filtered.add(arg);
- }
- }
-
- Params.baseFolder = folder;
- Params params = new Params();
- CmdLineParser parser = new CmdLineParser(params);
- try {
- parser.parseArgument(filtered);
- if (params.help) {
- server.usage(parser, null);
- }
- } catch (CmdLineException t) {
- server.usage(parser, t);
- }
-
- if (params.stop) {
- server.stop(params);
- } else {
- server.start(params);
- }
- }
-
- /**
- * Display the command line usage of Gitblit GO.
- *
- * @param parser
- * @param t
- */
- protected final void usage(CmdLineParser parser, CmdLineException t) {
- System.out.println(Constants.BORDER);
- System.out.println(Constants.getGitBlitVersion());
- System.out.println(Constants.BORDER);
- System.out.println();
- if (t != null) {
- System.out.println(t.getMessage());
- System.out.println();
- }
- if (parser != null) {
- parser.printUsage(System.out);
- System.out
- .println("\nExample:\n java -server -Xmx1024M -jar gitblit.jar --repositoriesFolder c:\\git --httpPort 80 --httpsPort 443");
- }
- System.exit(0);
- }
-
- /**
- * Stop Gitblt GO.
- */
- public void stop(Params params) {
- try {
- Socket s = new Socket(InetAddress.getByName("127.0.0.1"), params.shutdownPort);
- OutputStream out = s.getOutputStream();
- System.out.println("Sending Shutdown Request to " + Constants.NAME);
- out.write("\r\n".getBytes());
- out.flush();
- s.close();
- } catch (UnknownHostException e) {
- e.printStackTrace();
- } catch (IOException e) {
- e.printStackTrace();
- }
- }
-
- /**
- * Start Gitblit GO.
- */
- protected final void start(Params params) {
- final File baseFolder = new File(Params.baseFolder).getAbsoluteFile();
- FileSettings settings = params.FILESETTINGS;
- if (!StringUtils.isEmpty(params.settingsfile)) {
- if (new File(params.settingsfile).exists()) {
- settings = new FileSettings(params.settingsfile);
- }
- }
-
- if (params.dailyLogFile) {
- // Configure log4j for daily log file generation
- InputStream is = null;
- try {
- is = getClass().getResourceAsStream("/log4j.properties");
- Properties loggingProperties = new Properties();
- loggingProperties.load(is);
-
- loggingProperties.put("log4j.appender.R.File", new File(baseFolder, "logs/gitblit.log").getAbsolutePath());
- loggingProperties.put("log4j.rootCategory", "INFO, R");
-
- if (settings.getBoolean(Keys.web.debugMode, false)) {
- loggingProperties.put("log4j.logger.com.gitblit", "DEBUG");
- }
-
- PropertyConfigurator.configure(loggingProperties);
- } catch (Exception e) {
- e.printStackTrace();
- } finally {
- try {
- is.close();
- } catch (IOException e) {
- e.printStackTrace();
- }
- }
- }
-
- logger = LoggerFactory.getLogger(GitBlitServer.class);
- logger.info(Constants.BORDER);
- logger.info(" _____ _ _ _ _ _ _");
- logger.info(" | __ \\(_)| | | | | |(_)| |");
- logger.info(" | | \\/ _ | |_ | |__ | | _ | |_");
- logger.info(" | | __ | || __|| '_ \\ | || || __|");
- logger.info(" | |_\\ \\| || |_ | |_) || || || |_");
- logger.info(" \\____/|_| \\__||_.__/ |_||_| \\__|");
- int spacing = (Constants.BORDER.length() - Constants.getGitBlitVersion().length()) / 2;
- StringBuilder sb = new StringBuilder();
- while (spacing > 0) {
- spacing--;
- sb.append(' ');
- }
- logger.info(sb.toString() + Constants.getGitBlitVersion());
- logger.info("");
- logger.info(Constants.BORDER);
-
- System.setProperty("java.awt.headless", "true");
-
- String osname = System.getProperty("os.name");
- String osversion = System.getProperty("os.version");
- logger.info("Running on " + osname + " (" + osversion + ")");
-
- List<Connector> connectors = new ArrayList<Connector>();
-
- // conditionally configure the http connector
- if (params.port > 0) {
- Connector httpConnector = createConnector(params.useNIO, params.port, settings.getInteger(Keys.server.threadPoolSize, 50));
- String bindInterface = settings.getString(Keys.server.httpBindInterface, null);
- if (!StringUtils.isEmpty(bindInterface)) {
- logger.warn(MessageFormat.format("Binding connector on port {0,number,0} to {1}",
- params.port, bindInterface));
- httpConnector.setHost(bindInterface);
- }
- if (params.port < 1024 && !isWindows()) {
- logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!");
- }
- if (params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) {
- // redirect HTTP requests to HTTPS
- if (httpConnector instanceof SelectChannelConnector) {
- ((SelectChannelConnector) httpConnector).setConfidentialPort(params.securePort);
- } else {
- ((SocketConnector) httpConnector).setConfidentialPort(params.securePort);
- }
- }
- connectors.add(httpConnector);
- }
-
- // conditionally configure the https connector
- if (params.securePort > 0) {
- File certificatesConf = new File(baseFolder, X509Utils.CA_CONFIG);
- File serverKeyStore = new File(baseFolder, X509Utils.SERVER_KEY_STORE);
- File serverTrustStore = new File(baseFolder, X509Utils.SERVER_TRUST_STORE);
- File caRevocationList = new File(baseFolder, X509Utils.CA_REVOCATION_LIST);
-
- // generate CA & web certificates, create certificate stores
- X509Metadata metadata = new X509Metadata("localhost", params.storePassword);
- // set default certificate values from config file
- if (certificatesConf.exists()) {
- FileBasedConfig config = new FileBasedConfig(certificatesConf, FS.detect());
- try {
- config.load();
- } catch (Exception e) {
- logger.error("Error parsing " + certificatesConf, e);
- }
- NewCertificateConfig certificateConfig = NewCertificateConfig.KEY.parse(config);
- certificateConfig.update(metadata);
- }
-
- metadata.notAfter = new Date(System.currentTimeMillis() + 10*TimeUtils.ONEYEAR);
- X509Utils.prepareX509Infrastructure(metadata, baseFolder, new X509Log() {
- @Override
- public void log(String message) {
- BufferedWriter writer = null;
- try {
- writer = new BufferedWriter(new FileWriter(new File(baseFolder, X509Utils.CERTS + File.separator + "log.txt"), true));
- writer.write(MessageFormat.format("{0,date,yyyy-MM-dd HH:mm}: {1}", new Date(), message));
- writer.newLine();
- writer.flush();
- } catch (Exception e) {
- LoggerFactory.getLogger(GitblitAuthority.class).error("Failed to append log entry!", e);
- } finally {
- if (writer != null) {
- try {
- writer.close();
- } catch (IOException e) {
- }
- }
- }
- }
- });
-
- if (serverKeyStore.exists()) {
- Connector secureConnector = createSSLConnector(params.alias, serverKeyStore, serverTrustStore, params.storePassword,
- caRevocationList, params.useNIO, params.securePort, settings.getInteger(Keys.server.threadPoolSize, 50), params.requireClientCertificates);
- String bindInterface = settings.getString(Keys.server.httpsBindInterface, null);
- if (!StringUtils.isEmpty(bindInterface)) {
- logger.warn(MessageFormat.format(
- "Binding ssl connector on port {0,number,0} to {1}", params.securePort,
- bindInterface));
- secureConnector.setHost(bindInterface);
- }
- if (params.securePort < 1024 && !isWindows()) {
- logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!");
- }
- connectors.add(secureConnector);
- } else {
- logger.warn("Failed to find or load Keystore?");
- logger.warn("SSL connector DISABLED.");
- }
- }
-
- // conditionally configure the ajp connector
- if (params.ajpPort > 0) {
- Connector ajpConnector = createAJPConnector(params.ajpPort);
- String bindInterface = settings.getString(Keys.server.ajpBindInterface, null);
- if (!StringUtils.isEmpty(bindInterface)) {
- logger.warn(MessageFormat.format("Binding connector on port {0,number,0} to {1}",
- params.ajpPort, bindInterface));
- ajpConnector.setHost(bindInterface);
- }
- if (params.ajpPort < 1024 && !isWindows()) {
- logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!");
- }
- connectors.add(ajpConnector);
- }
-
- // tempDir is where the embedded Gitblit web application is expanded and
- // where Jetty creates any necessary temporary files
- File tempDir = com.gitblit.utils.FileUtils.resolveParameter(Constants.baseFolder$, baseFolder, params.temp);
- if (tempDir.exists()) {
- try {
- FileUtils.delete(tempDir, FileUtils.RECURSIVE | FileUtils.RETRY);
- } catch (IOException x) {
- logger.warn("Failed to delete temp dir " + tempDir.getAbsolutePath(), x);
- }
- }
- if (!tempDir.mkdirs()) {
- logger.warn("Failed to create temp dir " + tempDir.getAbsolutePath());
- }
-
- Server server = new Server();
- server.setStopAtShutdown(true);
- server.setConnectors(connectors.toArray(new Connector[connectors.size()]));
-
- // Get the execution path of this class
- // We use this to set the WAR path.
- ProtectionDomain protectionDomain = GitBlitServer.class.getProtectionDomain();
- URL location = protectionDomain.getCodeSource().getLocation();
-
- // Root WebApp Context
- WebAppContext rootContext = new WebAppContext();
- rootContext.setContextPath(settings.getString(Keys.server.contextPath, "/"));
- rootContext.setServer(server);
- rootContext.setWar(location.toExternalForm());
- rootContext.setTempDirectory(tempDir);
-
- // Set cookies HttpOnly so they are not accessible to JavaScript engines
- HashSessionManager sessionManager = new HashSessionManager();
- sessionManager.setHttpOnly(true);
- // Use secure cookies if only serving https
- sessionManager.setSecureRequestOnly(params.port <= 0 && params.securePort > 0);
- rootContext.getSessionHandler().setSessionManager(sessionManager);
-
- // Ensure there is a defined User Service
- String realmUsers = params.userService;
- if (StringUtils.isEmpty(realmUsers)) {
- logger.error(MessageFormat.format("PLEASE SPECIFY {0}!!", Keys.realm.userService));
- return;
- }
-
- // Override settings from the command-line
- settings.overrideSetting(Keys.realm.userService, params.userService);
- settings.overrideSetting(Keys.git.repositoriesFolder, params.repositoriesFolder);
- settings.overrideSetting(Keys.git.daemonPort, params.gitPort);
-
- // Start up an in-memory LDAP server, if configured
- try {
- if (!StringUtils.isEmpty(params.ldapLdifFile)) {
- File ldifFile = new File(params.ldapLdifFile);
- if (ldifFile != null && ldifFile.exists()) {
- URI ldapUrl = new URI(settings.getRequiredString(Keys.realm.ldap.server));
- String firstLine = new Scanner(ldifFile).nextLine();
- String rootDN = firstLine.substring(4);
- String bindUserName = settings.getString(Keys.realm.ldap.username, "");
- String bindPassword = settings.getString(Keys.realm.ldap.password, "");
-
- // Get the port
- int port = ldapUrl.getPort();
- if (port == -1)
- port = 389;
-
- InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig(rootDN);
- config.addAdditionalBindCredentials(bindUserName, bindPassword);
- config.setListenerConfigs(InMemoryListenerConfig.createLDAPConfig("default", port));
- config.setSchema(null);
-
- InMemoryDirectoryServer ds = new InMemoryDirectoryServer(config);
- ds.importFromLDIF(true, new LDIFReader(ldifFile));
- ds.startListening();
-
- logger.info("LDAP Server started at ldap://localhost:" + port);
- }
- }
- } catch (Exception e) {
- // Completely optional, just show a warning
- logger.warn("Unable to start LDAP server", e);
- }
-
- // Set the server's contexts
- server.setHandler(rootContext);
-
- // redirect HTTP requests to HTTPS
- if (params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) {
- logger.info(String.format("Configuring automatic http(%1$s) -> https(%2$s) redirects", params.port, params.securePort));
- // Create the internal mechanisms to handle secure connections and redirects
- Constraint constraint = new Constraint();
- constraint.setDataConstraint(Constraint.DC_CONFIDENTIAL);
-
- ConstraintMapping cm = new ConstraintMapping();
- cm.setConstraint(constraint);
- cm.setPathSpec("/*");
-
- ConstraintSecurityHandler sh = new ConstraintSecurityHandler();
- sh.setConstraintMappings(new ConstraintMapping[] { cm });
-
- // Configure this context to use the Security Handler defined before
- rootContext.setHandler(sh);
- }
-
- // Setup the Gitblit context
- GitblitContext gitblit = newGitblit(settings, baseFolder);
- rootContext.addEventListener(gitblit);
-
- try {
- // start the shutdown monitor
- if (params.shutdownPort > 0) {
- Thread shutdownMonitor = new ShutdownMonitorThread(server, params);
- shutdownMonitor.start();
- }
-
- // start Jetty
- server.start();
- server.join();
- } catch (Exception e) {
- e.printStackTrace();
- System.exit(100);
- }
- }
-
- protected GitblitContext newGitblit(IStoredSettings settings, File baseFolder) {
- return new GitblitContext(settings, baseFolder);
- }
-
- /**
- * Creates an http connector.
- *
- * @param useNIO
- * @param port
- * @param threadPoolSize
- * @return an http connector
- */
- private Connector createConnector(boolean useNIO, int port, int threadPoolSize) {
- Connector connector;
- if (useNIO) {
- logger.info("Setting up NIO SelectChannelConnector on port " + port);
- SelectChannelConnector nioconn = new SelectChannelConnector();
- nioconn.setSoLingerTime(-1);
- if (threadPoolSize > 0) {
- nioconn.setThreadPool(new QueuedThreadPool(threadPoolSize));
- }
- connector = nioconn;
- } else {
- logger.info("Setting up SocketConnector on port " + port);
- SocketConnector sockconn = new SocketConnector();
- if (threadPoolSize > 0) {
- sockconn.setThreadPool(new QueuedThreadPool(threadPoolSize));
- }
- connector = sockconn;
- }
-
- connector.setPort(port);
- connector.setMaxIdleTime(30000);
- return connector;
- }
-
- /**
- * Creates an https connector.
- *
- * SSL renegotiation will be enabled if the JVM is 1.6.0_22 or later.
- * oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html
- *
- * @param certAlias
- * @param keyStore
- * @param clientTrustStore
- * @param storePassword
- * @param caRevocationList
- * @param useNIO
- * @param port
- * @param threadPoolSize
- * @param requireClientCertificates
- * @return an https connector
- */
- private Connector createSSLConnector(String certAlias, File keyStore, File clientTrustStore,
- String storePassword, File caRevocationList, boolean useNIO, int port, int threadPoolSize,
- boolean requireClientCertificates) {
- GitblitSslContextFactory factory = new GitblitSslContextFactory(certAlias,
- keyStore, clientTrustStore, storePassword, caRevocationList);
- SslConnector connector;
- if (useNIO) {
- logger.info("Setting up NIO SslSelectChannelConnector on port " + port);
- SslSelectChannelConnector ssl = new SslSelectChannelConnector(factory);
- ssl.setSoLingerTime(-1);
- if (requireClientCertificates) {
- factory.setNeedClientAuth(true);
- } else {
- factory.setWantClientAuth(true);
- }
- if (threadPoolSize > 0) {
- ssl.setThreadPool(new QueuedThreadPool(threadPoolSize));
- }
- connector = ssl;
- } else {
- logger.info("Setting up NIO SslSocketConnector on port " + port);
- SslSocketConnector ssl = new SslSocketConnector(factory);
- if (threadPoolSize > 0) {
- ssl.setThreadPool(new QueuedThreadPool(threadPoolSize));
- }
- connector = ssl;
- }
- connector.setPort(port);
- connector.setMaxIdleTime(30000);
-
- return connector;
- }
-
- /**
- * Creates an ajp connector.
- *
- * @param port
- * @return an ajp connector
- */
- private Connector createAJPConnector(int port) {
- logger.info("Setting up AJP Connector on port " + port);
- Ajp13SocketConnector ajp = new Ajp13SocketConnector();
- ajp.setPort(port);
- if (port < 1024 && !isWindows()) {
- logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!");
- }
- return ajp;
- }
-
- /**
- * Tests to see if the operating system is Windows.
- *
- * @return true if this is a windows machine
- */
- private boolean isWindows() {
- return System.getProperty("os.name").toLowerCase().indexOf("windows") > -1;
- }
-
- /**
- * The ShutdownMonitorThread opens a socket on a specified port and waits
- * for an incoming connection. When that connection is accepted a shutdown
- * message is issued to the running Jetty server.
- *
- * @author James Moger
- *
- */
- private static class ShutdownMonitorThread extends Thread {
-
- private final ServerSocket socket;
-
- private final Server server;
-
- private final Logger logger = LoggerFactory.getLogger(ShutdownMonitorThread.class);
-
- public ShutdownMonitorThread(Server server, Params params) {
- this.server = server;
- setDaemon(true);
- setName(Constants.NAME + " Shutdown Monitor");
- ServerSocket skt = null;
- try {
- skt = new ServerSocket(params.shutdownPort, 1, InetAddress.getByName("127.0.0.1"));
- } catch (Exception e) {
- logger.warn("Could not open shutdown monitor on port " + params.shutdownPort, e);
- }
- socket = skt;
- }
-
- @Override
- public void run() {
- logger.info("Shutdown Monitor listening on port " + socket.getLocalPort());
- Socket accept;
- try {
- accept = socket.accept();
- BufferedReader reader = new BufferedReader(new InputStreamReader(
- accept.getInputStream()));
- reader.readLine();
- logger.info(Constants.BORDER);
- logger.info("Stopping " + Constants.NAME);
- logger.info(Constants.BORDER);
- server.stop();
- server.setStopAtShutdown(false);
- accept.close();
- socket.close();
- } catch (Exception e) {
- logger.warn("Failed to shutdown Jetty", e);
- }
- }
- }
-
- /**
- * Parameters class for GitBlitServer.
- */
- public static class Params {
-
- public static String baseFolder;
-
- private final FileSettings FILESETTINGS = new FileSettings(new File(baseFolder, Constants.PROPERTIES_FILE).getAbsolutePath());
-
- /*
- * Server parameters
- */
- @Option(name = "--help", aliases = { "-h"}, usage = "Show this help")
- public Boolean help = false;
-
- @Option(name = "--stop", usage = "Stop Server")
- public Boolean stop = false;
-
- @Option(name = "--tempFolder", usage = "Folder for server to extract built-in webapp", metaVar="PATH")
- public String temp = FILESETTINGS.getString(Keys.server.tempFolder, "temp");
-
- @Option(name = "--dailyLogFile", usage = "Log to a rolling daily log file INSTEAD of stdout.")
- public Boolean dailyLogFile = false;
-
- /*
- * GIT Servlet Parameters
- */
- @Option(name = "--repositoriesFolder", usage = "Git Repositories Folder", metaVar="PATH")
- public String repositoriesFolder = FILESETTINGS.getString(Keys.git.repositoriesFolder,
- "git");
-
- /*
- * Authentication Parameters
- */
- @Option(name = "--userService", usage = "Authentication and Authorization Service (filename or fully qualified classname)")
- public String userService = FILESETTINGS.getString(Keys.realm.userService,
- "users.conf");
-
- /*
- * JETTY Parameters
- */
- @Option(name = "--useNio", usage = "Use NIO Connector else use Socket Connector.")
- public Boolean useNIO = FILESETTINGS.getBoolean(Keys.server.useNio, true);
-
- @Option(name = "--httpPort", usage = "HTTP port for to serve. (port <= 0 will disable this connector)", metaVar="PORT")
- public Integer port = FILESETTINGS.getInteger(Keys.server.httpPort, 0);
-
- @Option(name = "--httpsPort", usage = "HTTPS port to serve. (port <= 0 will disable this connector)", metaVar="PORT")
- public Integer securePort = FILESETTINGS.getInteger(Keys.server.httpsPort, 8443);
-
- @Option(name = "--ajpPort", usage = "AJP port to serve. (port <= 0 will disable this connector)", metaVar="PORT")
- public Integer ajpPort = FILESETTINGS.getInteger(Keys.server.ajpPort, 0);
-
- @Option(name = "--gitPort", usage = "Git Daemon port to serve. (port <= 0 will disable this connector)", metaVar="PORT")
- public Integer gitPort = FILESETTINGS.getInteger(Keys.git.daemonPort, 9418);
-
- @Option(name = "--alias", usage = "Alias of SSL certificate in keystore for serving https.", metaVar="ALIAS")
- public String alias = FILESETTINGS.getString(Keys.server.certificateAlias, "");
-
- @Option(name = "--storePassword", usage = "Password for SSL (https) keystore.", metaVar="PASSWORD")
- public String storePassword = FILESETTINGS.getString(Keys.server.storePassword, "");
-
- @Option(name = "--shutdownPort", usage = "Port for Shutdown Monitor to listen on. (port <= 0 will disable this monitor)", metaVar="PORT")
- public Integer shutdownPort = FILESETTINGS.getInteger(Keys.server.shutdownPort, 8081);
-
- @Option(name = "--requireClientCertificates", usage = "Require client X509 certificates for https connections.")
- public Boolean requireClientCertificates = FILESETTINGS.getBoolean(Keys.server.requireClientCertificates, false);
-
- /*
- * Setting overrides
- */
- @Option(name = "--settings", usage = "Path to alternative settings", metaVar="FILE")
- public String settingsfile;
-
- @Option(name = "--ldapLdifFile", usage = "Path to LDIF file. This will cause an in-memory LDAP server to be started according to gitblit settings", metaVar="FILE")
- public String ldapLdifFile;
-
- }
+/*
+ * Copyright 2011 gitblit.com.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gitblit;
+
+import java.io.BufferedReader;
+import java.io.BufferedWriter;
+import java.io.File;
+import java.io.FileWriter;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.OutputStream;
+import java.net.InetAddress;
+import java.net.ServerSocket;
+import java.net.Socket;
+import java.net.URI;
+import java.net.URL;
+import java.net.UnknownHostException;
+import java.security.ProtectionDomain;
+import java.text.MessageFormat;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.List;
+import java.util.Properties;
+import java.util.Scanner;
+
+import org.apache.log4j.PropertyConfigurator;
+import org.eclipse.jetty.ajp.Ajp13SocketConnector;
+import org.eclipse.jetty.security.ConstraintMapping;
+import org.eclipse.jetty.security.ConstraintSecurityHandler;
+import org.eclipse.jetty.server.Connector;
+import org.eclipse.jetty.server.Server;
+import org.eclipse.jetty.server.bio.SocketConnector;
+import org.eclipse.jetty.server.nio.SelectChannelConnector;
+import org.eclipse.jetty.server.session.HashSessionManager;
+import org.eclipse.jetty.server.ssl.SslConnector;
+import org.eclipse.jetty.server.ssl.SslSelectChannelConnector;
+import org.eclipse.jetty.server.ssl.SslSocketConnector;
+import org.eclipse.jetty.util.security.Constraint;
+import org.eclipse.jetty.util.thread.QueuedThreadPool;
+import org.eclipse.jetty.webapp.WebAppContext;
+import org.eclipse.jgit.storage.file.FileBasedConfig;
+import org.eclipse.jgit.util.FS;
+import org.eclipse.jgit.util.FileUtils;
+import org.kohsuke.args4j.CmdLineException;
+import org.kohsuke.args4j.CmdLineParser;
+import org.kohsuke.args4j.Option;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.gitblit.authority.GitblitAuthority;
+import com.gitblit.authority.NewCertificateConfig;
+import com.gitblit.servlet.GitblitContext;
+import com.gitblit.utils.StringUtils;
+import com.gitblit.utils.TimeUtils;
+import com.gitblit.utils.X509Utils;
+import com.gitblit.utils.X509Utils.X509Log;
+import com.gitblit.utils.X509Utils.X509Metadata;
+import com.unboundid.ldap.listener.InMemoryDirectoryServer;
+import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
+import com.unboundid.ldap.listener.InMemoryListenerConfig;
+import com.unboundid.ldif.LDIFReader;
+
+/**
+ * GitBlitServer is the embedded Jetty server for Gitblit GO. This class starts
+ * and stops an instance of Jetty that is configured from a combination of the
+ * gitblit.properties file and command line parameters. JCommander is used to
+ * simplify command line parameter processing. This class also automatically
+ * generates a self-signed certificate for localhost, if the keystore does not
+ * already exist.
+ *
+ * @author James Moger
+ *
+ */
+public class GitBlitServer {
+
+ private static Logger logger;
+
+ public static void main(String... args) {
+ GitBlitServer server = new GitBlitServer();
+
+ // filter out the baseFolder parameter
+ List<String> filtered = new ArrayList<String>();
+ String folder = "data";
+ for (int i = 0; i < args.length; i++) {
+ String arg = args[i];
+ if (arg.equals("--baseFolder")) {
+ if (i + 1 == args.length) {
+ System.out.println("Invalid --baseFolder parameter!");
+ System.exit(-1);
+ } else if (!".".equals(args[i + 1])) {
+ folder = args[i + 1];
+ }
+ i = i + 1;
+ } else {
+ filtered.add(arg);
+ }
+ }
+
+ Params.baseFolder = folder;
+ Params params = new Params();
+ CmdLineParser parser = new CmdLineParser(params);
+ try {
+ parser.parseArgument(filtered);
+ if (params.help) {
+ server.usage(parser, null);
+ }
+ } catch (CmdLineException t) {
+ server.usage(parser, t);
+ }
+
+ if (params.stop) {
+ server.stop(params);
+ } else {
+ server.start(params);
+ }
+ }
+
+ /**
+ * Display the command line usage of Gitblit GO.
+ *
+ * @param parser
+ * @param t
+ */
+ protected final void usage(CmdLineParser parser, CmdLineException t) {
+ System.out.println(Constants.BORDER);
+ System.out.println(Constants.getGitBlitVersion());
+ System.out.println(Constants.BORDER);
+ System.out.println();
+ if (t != null) {
+ System.out.println(t.getMessage());
+ System.out.println();
+ }
+ if (parser != null) {
+ parser.printUsage(System.out);
+ System.out
+ .println("\nExample:\n java -server -Xmx1024M -jar gitblit.jar --repositoriesFolder c:\\git --httpPort 80 --httpsPort 443");
+ }
+ System.exit(0);
+ }
+
+ /**
+ * Stop Gitblt GO.
+ */
+ public void stop(Params params) {
+ try {
+ Socket s = new Socket(InetAddress.getByName("127.0.0.1"), params.shutdownPort);
+ OutputStream out = s.getOutputStream();
+ System.out.println("Sending Shutdown Request to " + Constants.NAME);
+ out.write("\r\n".getBytes());
+ out.flush();
+ s.close();
+ } catch (UnknownHostException e) {
+ e.printStackTrace();
+ } catch (IOException e) {
+ e.printStackTrace();
+ }
+ }
+
+ /**
+ * Start Gitblit GO.
+ */
+ protected final void start(Params params) {
+ final File baseFolder = new File(Params.baseFolder).getAbsoluteFile();
+ FileSettings settings = params.FILESETTINGS;
+ if (!StringUtils.isEmpty(params.settingsfile)) {
+ if (new File(params.settingsfile).exists()) {
+ settings = new FileSettings(params.settingsfile);
+ }
+ }
+
+ if (params.dailyLogFile) {
+ // Configure log4j for daily log file generation
+ InputStream is = null;
+ try {
+ is = getClass().getResourceAsStream("/log4j.properties");
+ Properties loggingProperties = new Properties();
+ loggingProperties.load(is);
+
+ loggingProperties.put("log4j.appender.R.File", new File(baseFolder, "logs/gitblit.log").getAbsolutePath());
+ loggingProperties.put("log4j.rootCategory", "INFO, R");
+
+ if (settings.getBoolean(Keys.web.debugMode, false)) {
+ loggingProperties.put("log4j.logger.com.gitblit", "DEBUG");
+ }
+
+ PropertyConfigurator.configure(loggingProperties);
+ } catch (Exception e) {
+ e.printStackTrace();
+ } finally {
+ try {
+ is.close();
+ } catch (IOException e) {
+ e.printStackTrace();
+ }
+ }
+ }
+
+ logger = LoggerFactory.getLogger(GitBlitServer.class);
+ logger.info(Constants.BORDER);
+ logger.info(" _____ _ _ _ _ _ _");
+ logger.info(" | __ \\(_)| | | | | |(_)| |");
+ logger.info(" | | \\/ _ | |_ | |__ | | _ | |_");
+ logger.info(" | | __ | || __|| '_ \\ | || || __|");
+ logger.info(" | |_\\ \\| || |_ | |_) || || || |_");
+ logger.info(" \\____/|_| \\__||_.__/ |_||_| \\__|");
+ int spacing = (Constants.BORDER.length() - Constants.getGitBlitVersion().length()) / 2;
+ StringBuilder sb = new StringBuilder();
+ while (spacing > 0) {
+ spacing--;
+ sb.append(' ');
+ }
+ logger.info(sb.toString() + Constants.getGitBlitVersion());
+ logger.info("");
+ logger.info(Constants.BORDER);
+
+ System.setProperty("java.awt.headless", "true");
+
+ String osname = System.getProperty("os.name");
+ String osversion = System.getProperty("os.version");
+ logger.info("Running on " + osname + " (" + osversion + ")");
+
+ List<Connector> connectors = new ArrayList<Connector>();
+
+ // conditionally configure the http connector
+ if (params.port > 0) {
+ Connector httpConnector = createConnector(params.useNIO, params.port, settings.getInteger(Keys.server.threadPoolSize, 50));
+ String bindInterface = settings.getString(Keys.server.httpBindInterface, null);
+ if (!StringUtils.isEmpty(bindInterface)) {
+ logger.warn(MessageFormat.format("Binding connector on port {0,number,0} to {1}",
+ params.port, bindInterface));
+ httpConnector.setHost(bindInterface);
+ }
+ if (params.port < 1024 && !isWindows()) {
+ logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!");
+ }
+ if (params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) {
+ // redirect HTTP requests to HTTPS
+ if (httpConnector instanceof SelectChannelConnector) {
+ ((SelectChannelConnector) httpConnector).setConfidentialPort(params.securePort);
+ } else {
+ ((SocketConnector) httpConnector).setConfidentialPort(params.securePort);
+ }
+ }
+ connectors.add(httpConnector);
+ }
+
+ // conditionally configure the https connector
+ if (params.securePort > 0) {
+ File certificatesConf = new File(baseFolder, X509Utils.CA_CONFIG);
+ File serverKeyStore = new File(baseFolder, X509Utils.SERVER_KEY_STORE);
+ File serverTrustStore = new File(baseFolder, X509Utils.SERVER_TRUST_STORE);
+ File caRevocationList = new File(baseFolder, X509Utils.CA_REVOCATION_LIST);
+
+ // generate CA & web certificates, create certificate stores
+ X509Metadata metadata = new X509Metadata("localhost", params.storePassword);
+ // set default certificate values from config file
+ if (certificatesConf.exists()) {
+ FileBasedConfig config = new FileBasedConfig(certificatesConf, FS.detect());
+ try {
+ config.load();
+ } catch (Exception e) {
+ logger.error("Error parsing " + certificatesConf, e);
+ }
+ NewCertificateConfig certificateConfig = NewCertificateConfig.KEY.parse(config);
+ certificateConfig.update(metadata);
+ }
+
+ metadata.notAfter = new Date(System.currentTimeMillis() + 10*TimeUtils.ONEYEAR);
+ X509Utils.prepareX509Infrastructure(metadata, baseFolder, new X509Log() {
+ @Override
+ public void log(String message) {
+ BufferedWriter writer = null;
+ try {
+ writer = new BufferedWriter(new FileWriter(new File(baseFolder, X509Utils.CERTS + File.separator + "log.txt"), true));
+ writer.write(MessageFormat.format("{0,date,yyyy-MM-dd HH:mm}: {1}", new Date(), message));
+ writer.newLine();
+ writer.flush();
+ } catch (Exception e) {
+ LoggerFactory.getLogger(GitblitAuthority.class).error("Failed to append log entry!", e);
+ } finally {
+ if (writer != null) {
+ try {
+ writer.close();
+ } catch (IOException e) {
+ }
+ }
+ }
+ }
+ });
+
+ if (serverKeyStore.exists()) {
+ Connector secureConnector = createSSLConnector(params.alias, serverKeyStore, serverTrustStore, params.storePassword,
+ caRevocationList, params.useNIO, params.securePort, settings.getInteger(Keys.server.threadPoolSize, 50), params.requireClientCertificates);
+ String bindInterface = settings.getString(Keys.server.httpsBindInterface, null);
+ if (!StringUtils.isEmpty(bindInterface)) {
+ logger.warn(MessageFormat.format(
+ "Binding ssl connector on port {0,number,0} to {1}", params.securePort,
+ bindInterface));
+ secureConnector.setHost(bindInterface);
+ }
+ if (params.securePort < 1024 && !isWindows()) {
+ logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!");
+ }
+ connectors.add(secureConnector);
+ } else {
+ logger.warn("Failed to find or load Keystore?");
+ logger.warn("SSL connector DISABLED.");
+ }
+ }
+
+ // conditionally configure the ajp connector
+ if (params.ajpPort > 0) {
+ Connector ajpConnector = createAJPConnector(params.ajpPort);
+ String bindInterface = settings.getString(Keys.server.ajpBindInterface, null);
+ if (!StringUtils.isEmpty(bindInterface)) {
+ logger.warn(MessageFormat.format("Binding connector on port {0,number,0} to {1}",
+ params.ajpPort, bindInterface));
+ ajpConnector.setHost(bindInterface);
+ }
+ if (params.ajpPort < 1024 && !isWindows()) {
+ logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!");
+ }
+ connectors.add(ajpConnector);
+ }
+
+ // tempDir is where the embedded Gitblit web application is expanded and
+ // where Jetty creates any necessary temporary files
+ File tempDir = com.gitblit.utils.FileUtils.resolveParameter(Constants.baseFolder$, baseFolder, params.temp);
+ if (tempDir.exists()) {
+ try {
+ FileUtils.delete(tempDir, FileUtils.RECURSIVE | FileUtils.RETRY);
+ } catch (IOException x) {
+ logger.warn("Failed to delete temp dir " + tempDir.getAbsolutePath(), x);
+ }
+ }
+ if (!tempDir.mkdirs()) {
+ logger.warn("Failed to create temp dir " + tempDir.getAbsolutePath());
+ }
+
+ Server server = new Server();
+ server.setStopAtShutdown(true);
+ server.setConnectors(connectors.toArray(new Connector[connectors.size()]));
+
+ // Get the execution path of this class
+ // We use this to set the WAR path.
+ ProtectionDomain protectionDomain = GitBlitServer.class.getProtectionDomain();
+ URL location = protectionDomain.getCodeSource().getLocation();
+
+ // Root WebApp Context
+ WebAppContext rootContext = new WebAppContext();
+ rootContext.setContextPath(settings.getString(Keys.server.contextPath, "/"));
+ rootContext.setServer(server);
+ rootContext.setWar(location.toExternalForm());
+ rootContext.setTempDirectory(tempDir);
+
+ // Set cookies HttpOnly so they are not accessible to JavaScript engines
+ HashSessionManager sessionManager = new HashSessionManager();
+ sessionManager.setHttpOnly(true);
+ // Use secure cookies if only serving https
+ sessionManager.setSecureRequestOnly(params.port <= 0 && params.securePort > 0);
+ rootContext.getSessionHandler().setSessionManager(sessionManager);
+
+ // Ensure there is a defined User Service
+ String realmUsers = params.userService;
+ if (StringUtils.isEmpty(realmUsers)) {
+ logger.error(MessageFormat.format("PLEASE SPECIFY {0}!!", Keys.realm.userService));
+ return;
+ }
+
+ // Override settings from the command-line
+ settings.overrideSetting(Keys.realm.userService, params.userService);
+ settings.overrideSetting(Keys.git.repositoriesFolder, params.repositoriesFolder);
+ settings.overrideSetting(Keys.git.daemonPort, params.gitPort);
+ settings.overrideSetting(Keys.git.sshPort, params.sshPort);
+
+ // Start up an in-memory LDAP server, if configured
+ try {
+ if (!StringUtils.isEmpty(params.ldapLdifFile)) {
+ File ldifFile = new File(params.ldapLdifFile);
+ if (ldifFile != null && ldifFile.exists()) {
+ URI ldapUrl = new URI(settings.getRequiredString(Keys.realm.ldap.server));
+ String firstLine = new Scanner(ldifFile).nextLine();
+ String rootDN = firstLine.substring(4);
+ String bindUserName = settings.getString(Keys.realm.ldap.username, "");
+ String bindPassword = settings.getString(Keys.realm.ldap.password, "");
+
+ // Get the port
+ int port = ldapUrl.getPort();
+ if (port == -1)
+ port = 389;
+
+ InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig(rootDN);
+ config.addAdditionalBindCredentials(bindUserName, bindPassword);
+ config.setListenerConfigs(InMemoryListenerConfig.createLDAPConfig("default", port));
+ config.setSchema(null);
+
+ InMemoryDirectoryServer ds = new InMemoryDirectoryServer(config);
+ ds.importFromLDIF(true, new LDIFReader(ldifFile));
+ ds.startListening();
+
+ logger.info("LDAP Server started at ldap://localhost:" + port);
+ }
+ }
+ } catch (Exception e) {
+ // Completely optional, just show a warning
+ logger.warn("Unable to start LDAP server", e);
+ }
+
+ // Set the server's contexts
+ server.setHandler(rootContext);
+
+ // redirect HTTP requests to HTTPS
+ if (params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) {
+ logger.info(String.format("Configuring automatic http(%1$s) -> https(%2$s) redirects", params.port, params.securePort));
+ // Create the internal mechanisms to handle secure connections and redirects
+ Constraint constraint = new Constraint();
+ constraint.setDataConstraint(Constraint.DC_CONFIDENTIAL);
+
+ ConstraintMapping cm = new ConstraintMapping();
+ cm.setConstraint(constraint);
+ cm.setPathSpec("/*");
+
+ ConstraintSecurityHandler sh = new ConstraintSecurityHandler();
+ sh.setConstraintMappings(new ConstraintMapping[] { cm });
+
+ // Configure this context to use the Security Handler defined before
+ rootContext.setHandler(sh);
+ }
+
+ // Setup the Gitblit context
+ GitblitContext gitblit = newGitblit(settings, baseFolder);
+ rootContext.addEventListener(gitblit);
+
+ try {
+ // start the shutdown monitor
+ if (params.shutdownPort > 0) {
+ Thread shutdownMonitor = new ShutdownMonitorThread(server, params);
+ shutdownMonitor.start();
+ }
+
+ // start Jetty
+ server.start();
+ server.join();
+ } catch (Exception e) {
+ e.printStackTrace();
+ System.exit(100);
+ }
+ }
+
+ protected GitblitContext newGitblit(IStoredSettings settings, File baseFolder) {
+ return new GitblitContext(settings, baseFolder);
+ }
+
+ /**
+ * Creates an http connector.
+ *
+ * @param useNIO
+ * @param port
+ * @param threadPoolSize
+ * @return an http connector
+ */
+ private Connector createConnector(boolean useNIO, int port, int threadPoolSize) {
+ Connector connector;
+ if (useNIO) {
+ logger.info("Setting up NIO SelectChannelConnector on port " + port);
+ SelectChannelConnector nioconn = new SelectChannelConnector();
+ nioconn.setSoLingerTime(-1);
+ if (threadPoolSize > 0) {
+ nioconn.setThreadPool(new QueuedThreadPool(threadPoolSize));
+ }
+ connector = nioconn;
+ } else {
+ logger.info("Setting up SocketConnector on port " + port);
+ SocketConnector sockconn = new SocketConnector();
+ if (threadPoolSize > 0) {
+ sockconn.setThreadPool(new QueuedThreadPool(threadPoolSize));
+ }
+ connector = sockconn;
+ }
+
+ connector.setPort(port);
+ connector.setMaxIdleTime(30000);
+ return connector;
+ }
+
+ /**
+ * Creates an https connector.
+ *
+ * SSL renegotiation will be enabled if the JVM is 1.6.0_22 or later.
+ * oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html
+ *
+ * @param certAlias
+ * @param keyStore
+ * @param clientTrustStore
+ * @param storePassword
+ * @param caRevocationList
+ * @param useNIO
+ * @param port
+ * @param threadPoolSize
+ * @param requireClientCertificates
+ * @return an https connector
+ */
+ private Connector createSSLConnector(String certAlias, File keyStore, File clientTrustStore,
+ String storePassword, File caRevocationList, boolean useNIO, int port, int threadPoolSize,
+ boolean requireClientCertificates) {
+ GitblitSslContextFactory factory = new GitblitSslContextFactory(certAlias,
+ keyStore, clientTrustStore, storePassword, caRevocationList);
+ SslConnector connector;
+ if (useNIO) {
+ logger.info("Setting up NIO SslSelectChannelConnector on port " + port);
+ SslSelectChannelConnector ssl = new SslSelectChannelConnector(factory);
+ ssl.setSoLingerTime(-1);
+ if (requireClientCertificates) {
+ factory.setNeedClientAuth(true);
+ } else {
+ factory.setWantClientAuth(true);
+ }
+ if (threadPoolSize > 0) {
+ ssl.setThreadPool(new QueuedThreadPool(threadPoolSize));
+ }
+ connector = ssl;
+ } else {
+ logger.info("Setting up NIO SslSocketConnector on port " + port);
+ SslSocketConnector ssl = new SslSocketConnector(factory);
+ if (threadPoolSize > 0) {
+ ssl.setThreadPool(new QueuedThreadPool(threadPoolSize));
+ }
+ connector = ssl;
+ }
+ connector.setPort(port);
+ connector.setMaxIdleTime(30000);
+
+ return connector;
+ }
+
+ /**
+ * Creates an ajp connector.
+ *
+ * @param port
+ * @return an ajp connector
+ */
+ private Connector createAJPConnector(int port) {
+ logger.info("Setting up AJP Connector on port " + port);
+ Ajp13SocketConnector ajp = new Ajp13SocketConnector();
+ ajp.setPort(port);
+ if (port < 1024 && !isWindows()) {
+ logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!");
+ }
+ return ajp;
+ }
+
+ /**
+ * Tests to see if the operating system is Windows.
+ *
+ * @return true if this is a windows machine
+ */
+ private boolean isWindows() {
+ return System.getProperty("os.name").toLowerCase().indexOf("windows") > -1;
+ }
+
+ /**
+ * The ShutdownMonitorThread opens a socket on a specified port and waits
+ * for an incoming connection. When that connection is accepted a shutdown
+ * message is issued to the running Jetty server.
+ *
+ * @author James Moger
+ *
+ */
+ private static class ShutdownMonitorThread extends Thread {
+
+ private final ServerSocket socket;
+
+ private final Server server;
+
+ private final Logger logger = LoggerFactory.getLogger(ShutdownMonitorThread.class);
+
+ public ShutdownMonitorThread(Server server, Params params) {
+ this.server = server;
+ setDaemon(true);
+ setName(Constants.NAME + " Shutdown Monitor");
+ ServerSocket skt = null;
+ try {
+ skt = new ServerSocket(params.shutdownPort, 1, InetAddress.getByName("127.0.0.1"));
+ } catch (Exception e) {
+ logger.warn("Could not open shutdown monitor on port " + params.shutdownPort, e);
+ }
+ socket = skt;
+ }
+
+ @Override
+ public void run() {
+ logger.info("Shutdown Monitor listening on port " + socket.getLocalPort());
+ Socket accept;
+ try {
+ accept = socket.accept();
+ BufferedReader reader = new BufferedReader(new InputStreamReader(
+ accept.getInputStream()));
+ reader.readLine();
+ logger.info(Constants.BORDER);
+ logger.info("Stopping " + Constants.NAME);
+ logger.info(Constants.BORDER);
+ server.stop();
+ server.setStopAtShutdown(false);
+ accept.close();
+ socket.close();
+ } catch (Exception e) {
+ logger.warn("Failed to shutdown Jetty", e);
+ }
+ }
+ }
+
+ /**
+ * Parameters class for GitBlitServer.
+ */
+ public static class Params {
+
+ public static String baseFolder;
+
+ private final FileSettings FILESETTINGS = new FileSettings(new File(baseFolder, Constants.PROPERTIES_FILE).getAbsolutePath());
+
+ /*
+ * Server parameters
+ */
+ @Option(name = "--help", aliases = { "-h"}, usage = "Show this help")
+ public Boolean help = false;
+
+ @Option(name = "--stop", usage = "Stop Server")
+ public Boolean stop = false;
+
+ @Option(name = "--tempFolder", usage = "Folder for server to extract built-in webapp", metaVar="PATH")
+ public String temp = FILESETTINGS.getString(Keys.server.tempFolder, "temp");
+
+ @Option(name = "--dailyLogFile", usage = "Log to a rolling daily log file INSTEAD of stdout.")
+ public Boolean dailyLogFile = false;
+
+ /*
+ * GIT Servlet Parameters
+ */
+ @Option(name = "--repositoriesFolder", usage = "Git Repositories Folder", metaVar="PATH")
+ public String repositoriesFolder = FILESETTINGS.getString(Keys.git.repositoriesFolder,
+ "git");
+
+ /*
+ * Authentication Parameters
+ */
+ @Option(name = "--userService", usage = "Authentication and Authorization Service (filename or fully qualified classname)")
+ public String userService = FILESETTINGS.getString(Keys.realm.userService,
+ "users.conf");
+
+ /*
+ * JETTY Parameters
+ */
+ @Option(name = "--useNio", usage = "Use NIO Connector else use Socket Connector.")
+ public Boolean useNIO = FILESETTINGS.getBoolean(Keys.server.useNio, true);
+
+ @Option(name = "--httpPort", usage = "HTTP port for to serve. (port <= 0 will disable this connector)", metaVar="PORT")
+ public Integer port = FILESETTINGS.getInteger(Keys.server.httpPort, 0);
+
+ @Option(name = "--httpsPort", usage = "HTTPS port to serve. (port <= 0 will disable this connector)", metaVar="PORT")
+ public Integer securePort = FILESETTINGS.getInteger(Keys.server.httpsPort, 8443);
+
+ @Option(name = "--ajpPort", usage = "AJP port to serve. (port <= 0 will disable this connector)", metaVar="PORT")
+ public Integer ajpPort = FILESETTINGS.getInteger(Keys.server.ajpPort, 0);
+
+ @Option(name = "--gitPort", usage = "Git Daemon port to serve. (port <= 0 will disable this connector)", metaVar="PORT")
+ public Integer gitPort = FILESETTINGS.getInteger(Keys.git.daemonPort, 9418);
+
+ @Option(name = "--sshPort", usage = "Git SSH port to serve. (port <= 0 will disable this connector)", metaVar = "PORT")
+ public Integer sshPort = FILESETTINGS.getInteger(Keys.git.sshPort, 29418);
+
+ @Option(name = "--alias", usage = "Alias of SSL certificate in keystore for serving https.", metaVar="ALIAS")
+ public String alias = FILESETTINGS.getString(Keys.server.certificateAlias, "");
+
+ @Option(name = "--storePassword", usage = "Password for SSL (https) keystore.", metaVar="PASSWORD")
+ public String storePassword = FILESETTINGS.getString(Keys.server.storePassword, "");
+
+ @Option(name = "--shutdownPort", usage = "Port for Shutdown Monitor to listen on. (port <= 0 will disable this monitor)", metaVar="PORT")
+ public Integer shutdownPort = FILESETTINGS.getInteger(Keys.server.shutdownPort, 8081);
+
+ @Option(name = "--requireClientCertificates", usage = "Require client X509 certificates for https connections.")
+ public Boolean requireClientCertificates = FILESETTINGS.getBoolean(Keys.server.requireClientCertificates, false);
+
+ /*
+ * Setting overrides
+ */
+ @Option(name = "--settings", usage = "Path to alternative settings", metaVar="FILE")
+ public String settingsfile;
+
+ @Option(name = "--ldapLdifFile", usage = "Path to LDIF file. This will cause an in-memory LDAP server to be started according to gitblit settings", metaVar="FILE")
+ public String ldapLdifFile;
+
+ }
}
\ No newline at end of file
diff --git a/src/main/java/com/gitblit/manager/ServicesManager.java b/src/main/java/com/gitblit/manager/ServicesManager.java
index 8107a7d..2cd583a 100644
--- a/src/main/java/com/gitblit/manager/ServicesManager.java
+++ b/src/main/java/com/gitblit/manager/ServicesManager.java
@@ -42,6 +42,7 @@
import com.gitblit.models.RepositoryModel;
import com.gitblit.models.UserModel;
import com.gitblit.service.FederationPullService;
+import com.gitblit.transport.ssh.SshDaemon;
import com.gitblit.utils.StringUtils;
import com.gitblit.utils.TimeUtils;
@@ -67,6 +68,8 @@
private GitDaemon gitDaemon;
+ private SshDaemon sshDaemon;
+
public ServicesManager(IGitblit gitblit) {
this.settings = gitblit.getSettings();
this.gitblit = gitblit;
@@ -77,6 +80,7 @@
configureFederation();
configureFanout();
configureGitDaemon();
+ configureSshDaemon();
return this;
}
@@ -138,6 +142,20 @@
}
}
+ protected void configureSshDaemon() {
+ int port = settings.getInteger(Keys.git.sshPort, 0);
+ String bindInterface = settings.getString(Keys.git.sshBindInterface, "localhost");
+ if (port > 0) {
+ try {
+ sshDaemon = new SshDaemon(gitblit);
+ sshDaemon.start();
+ } catch (IOException e) {
+ sshDaemon = null;
+ logger.error(MessageFormat.format("Failed to start SSH daemon on {0}:{1,number,0}", bindInterface, port), e);
+ }
+ }
+ }
+
protected void configureFanout() {
// startup Fanout PubSub service
if (settings.getInteger(Keys.fanout.port, 0) > 0) {
diff --git a/src/main/java/com/gitblit/transport/ssh/AbstractSshCommand.java b/src/main/java/com/gitblit/transport/ssh/AbstractSshCommand.java
new file mode 100644
index 0000000..e4741ed
--- /dev/null
+++ b/src/main/java/com/gitblit/transport/ssh/AbstractSshCommand.java
@@ -0,0 +1,75 @@
+/*
+ * Copyright 2014 gitblit.com.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gitblit.transport.ssh;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+
+import org.apache.sshd.server.Command;
+import org.apache.sshd.server.Environment;
+import org.apache.sshd.server.ExitCallback;
+import org.apache.sshd.server.SessionAware;
+import org.apache.sshd.server.session.ServerSession;
+
+/**
+ *
+ * @author Eric Myrhe
+ *
+ */
+abstract class AbstractSshCommand implements Command, SessionAware {
+
+ protected InputStream in;
+
+ protected OutputStream out;
+
+ protected OutputStream err;
+
+ protected ExitCallback exit;
+
+ protected ServerSession session;
+
+ @Override
+ public void setInputStream(InputStream in) {
+ this.in = in;
+ }
+
+ @Override
+ public void setOutputStream(OutputStream out) {
+ this.out = out;
+ }
+
+ @Override
+ public void setErrorStream(OutputStream err) {
+ this.err = err;
+ }
+
+ @Override
+ public void setExitCallback(ExitCallback exit) {
+ this.exit = exit;
+ }
+
+ @Override
+ public void setSession(final ServerSession session) {
+ this.session = session;
+ }
+
+ @Override
+ public void destroy() {}
+
+ @Override
+ public abstract void start(Environment env) throws IOException;
+}
diff --git a/src/main/java/com/gitblit/transport/ssh/SshCommandFactory.java b/src/main/java/com/gitblit/transport/ssh/SshCommandFactory.java
new file mode 100644
index 0000000..c0b4930
--- /dev/null
+++ b/src/main/java/com/gitblit/transport/ssh/SshCommandFactory.java
@@ -0,0 +1,164 @@
+/*
+ * Copyright 2014 gitblit.com.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gitblit.transport.ssh;
+
+import java.io.IOException;
+import java.util.Scanner;
+
+import org.apache.sshd.server.Command;
+import org.apache.sshd.server.CommandFactory;
+import org.apache.sshd.server.Environment;
+import org.eclipse.jgit.errors.RepositoryNotFoundException;
+import org.eclipse.jgit.lib.Repository;
+import org.eclipse.jgit.transport.PacketLineOut;
+import org.eclipse.jgit.transport.ReceivePack;
+import org.eclipse.jgit.transport.ServiceMayNotContinueException;
+import org.eclipse.jgit.transport.UploadPack;
+import org.eclipse.jgit.transport.resolver.ReceivePackFactory;
+import org.eclipse.jgit.transport.resolver.ServiceNotAuthorizedException;
+import org.eclipse.jgit.transport.resolver.ServiceNotEnabledException;
+import org.eclipse.jgit.transport.resolver.UploadPackFactory;
+
+import com.gitblit.git.RepositoryResolver;
+
+/**
+ *
+ * @author Eric Myhre
+ *
+ */
+public class SshCommandFactory implements CommandFactory {
+ public SshCommandFactory(RepositoryResolver<SshDaemonClient> repositoryResolver, UploadPackFactory<SshDaemonClient> uploadPackFactory, ReceivePackFactory<SshDaemonClient> receivePackFactory) {
+ this.repositoryResolver = repositoryResolver;
+ this.uploadPackFactory = uploadPackFactory;
+ this.receivePackFactory = receivePackFactory;
+ }
+
+ private RepositoryResolver<SshDaemonClient> repositoryResolver;
+
+ private UploadPackFactory<SshDaemonClient> uploadPackFactory;
+
+ private ReceivePackFactory<SshDaemonClient> receivePackFactory;
+
+ @Override
+ public Command createCommand(final String commandLine) {
+ Scanner commandScanner = new Scanner(commandLine);
+ final String command = commandScanner.next();
+ final String argument = commandScanner.nextLine();
+
+ if ("git-upload-pack".equals(command))
+ return new UploadPackCommand(argument);
+ if ("git-receive-pack".equals(command))
+ return new ReceivePackCommand(argument);
+ return new NonCommand();
+ }
+
+ public abstract class RepositoryCommand extends AbstractSshCommand {
+ protected final String repositoryName;
+
+ public RepositoryCommand(String repositoryName) {
+ this.repositoryName = repositoryName;
+ }
+
+ @Override
+ public void start(Environment env) throws IOException {
+ Repository db = null;
+ try {
+ SshDaemonClient client = session.getAttribute(SshDaemonClient.ATTR_KEY);
+ db = selectRepository(client, repositoryName);
+ if (db == null) return;
+ run(client, db);
+ exit.onExit(0);
+ } catch (ServiceNotEnabledException e) {
+ // Ignored. Client cannot use this repository.
+ } catch (ServiceNotAuthorizedException e) {
+ // Ignored. Client cannot use this repository.
+ } finally {
+ if (db != null)
+ db.close();
+ exit.onExit(1);
+ }
+ }
+
+ protected Repository selectRepository(SshDaemonClient client, String name) throws IOException {
+ try {
+ return openRepository(client, name);
+ } catch (ServiceMayNotContinueException e) {
+ // An error when opening the repo means the client is expecting a ref
+ // advertisement, so use that style of error.
+ PacketLineOut pktOut = new PacketLineOut(out);
+ pktOut.writeString("ERR " + e.getMessage() + "\n"); //$NON-NLS-1$ //$NON-NLS-2$
+ return null;
+ }
+ }
+
+ protected Repository openRepository(SshDaemonClient client, String name)
+ throws ServiceMayNotContinueException {
+ // Assume any attempt to use \ was by a Windows client
+ // and correct to the more typical / used in Git URIs.
+ //
+ name = name.replace('\\', '/');
+
+ // ssh://git@thishost/path should always be name="/path" here
+ //
+ if (!name.startsWith("/")) //$NON-NLS-1$
+ return null;
+
+ try {
+ return repositoryResolver.open(client, name.substring(1));
+ } catch (RepositoryNotFoundException e) {
+ // null signals it "wasn't found", which is all that is suitable
+ // for the remote client to know.
+ return null;
+ } catch (ServiceNotEnabledException e) {
+ // null signals it "wasn't found", which is all that is suitable
+ // for the remote client to know.
+ return null;
+ }
+ }
+
+ protected abstract void run(SshDaemonClient client, Repository db)
+ throws IOException, ServiceNotEnabledException, ServiceNotAuthorizedException;
+ }
+
+ public class UploadPackCommand extends RepositoryCommand {
+ public UploadPackCommand(String repositoryName) { super(repositoryName); }
+
+ @Override
+ protected void run(SshDaemonClient client, Repository db)
+ throws IOException, ServiceNotEnabledException, ServiceNotAuthorizedException {
+ UploadPack up = uploadPackFactory.create(client, db);
+ up.upload(in, out, null);
+ }
+ }
+
+ public class ReceivePackCommand extends RepositoryCommand {
+ public ReceivePackCommand(String repositoryName) { super(repositoryName); }
+
+ @Override
+ protected void run(SshDaemonClient client, Repository db)
+ throws IOException, ServiceNotEnabledException, ServiceNotAuthorizedException {
+ ReceivePack rp = receivePackFactory.create(client, db);
+ rp.receive(in, out, null);
+ }
+ }
+
+ public static class NonCommand extends AbstractSshCommand {
+ @Override
+ public void start(Environment env) {
+ exit.onExit(127);
+ }
+ }
+}
diff --git a/src/main/java/com/gitblit/transport/ssh/SshCommandServer.java b/src/main/java/com/gitblit/transport/ssh/SshCommandServer.java
new file mode 100644
index 0000000..26e3d67
--- /dev/null
+++ b/src/main/java/com/gitblit/transport/ssh/SshCommandServer.java
@@ -0,0 +1,217 @@
+/*
+ * Copyright 2014 gitblit.com.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gitblit.transport.ssh;
+
+import java.io.IOException;
+import java.net.InetSocketAddress;
+import java.security.InvalidKeyException;
+import java.util.Arrays;
+import java.util.Iterator;
+import java.util.LinkedList;
+import java.util.List;
+
+import org.apache.mina.core.future.IoFuture;
+import org.apache.mina.core.future.IoFutureListener;
+import org.apache.mina.core.session.IoSession;
+import org.apache.mina.transport.socket.SocketSessionConfig;
+import org.apache.sshd.SshServer;
+import org.apache.sshd.common.Channel;
+import org.apache.sshd.common.Cipher;
+import org.apache.sshd.common.Compression;
+import org.apache.sshd.common.KeyExchange;
+import org.apache.sshd.common.KeyPairProvider;
+import org.apache.sshd.common.Mac;
+import org.apache.sshd.common.NamedFactory;
+import org.apache.sshd.common.Session;
+import org.apache.sshd.common.Signature;
+import org.apache.sshd.common.cipher.AES128CBC;
+import org.apache.sshd.common.cipher.AES192CBC;
+import org.apache.sshd.common.cipher.AES256CBC;
+import org.apache.sshd.common.cipher.BlowfishCBC;
+import org.apache.sshd.common.cipher.TripleDESCBC;
+import org.apache.sshd.common.compression.CompressionNone;
+import org.apache.sshd.common.mac.HMACMD5;
+import org.apache.sshd.common.mac.HMACMD596;
+import org.apache.sshd.common.mac.HMACSHA1;
+import org.apache.sshd.common.mac.HMACSHA196;
+import org.apache.sshd.common.random.BouncyCastleRandom;
+import org.apache.sshd.common.random.SingletonRandomFactory;
+import org.apache.sshd.common.signature.SignatureDSA;
+import org.apache.sshd.common.signature.SignatureRSA;
+import org.apache.sshd.common.util.SecurityUtils;
+import org.apache.sshd.server.CommandFactory;
+import org.apache.sshd.server.FileSystemFactory;
+import org.apache.sshd.server.FileSystemView;
+import org.apache.sshd.server.ForwardingFilter;
+import org.apache.sshd.server.PublickeyAuthenticator;
+import org.apache.sshd.server.SshFile;
+import org.apache.sshd.server.UserAuth;
+import org.apache.sshd.server.auth.UserAuthPublicKey;
+import org.apache.sshd.server.channel.ChannelDirectTcpip;
+import org.apache.sshd.server.channel.ChannelSession;
+import org.apache.sshd.server.kex.DHG1;
+import org.apache.sshd.server.kex.DHG14;
+import org.apache.sshd.server.session.ServerSession;
+import org.apache.sshd.server.session.SessionFactory;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ *
+ * @author Eric Myhre
+ *
+ */
+public class SshCommandServer extends SshServer {
+
+ private static final Logger log = LoggerFactory.getLogger(SshCommandServer.class);
+
+ public SshCommandServer() {
+ setSessionFactory(new SessionFactory() {
+ @Override
+ protected ServerSession createSession(final IoSession io) throws Exception {
+ log.info("connection accepted on " + io);
+
+ if (io.getConfig() instanceof SocketSessionConfig) {
+ final SocketSessionConfig c = (SocketSessionConfig) io.getConfig();
+ c.setKeepAlive(true);
+ }
+
+ final ServerSession s = (ServerSession) super.createSession(io);
+ s.setAttribute(SshDaemonClient.ATTR_KEY, new SshDaemonClient());
+
+ io.getCloseFuture().addListener(new IoFutureListener<IoFuture>() {
+ @Override
+ public void operationComplete(IoFuture future) {
+ log.info("connection closed on " + io);
+ }
+ });
+ return s;
+ }
+ });
+ }
+
+ /**
+ * Performs most of default configuration (setup random sources, setup ciphers,
+ * etc; also, support for forwarding and filesystem is explicitly disallowed).
+ *
+ * {@link #setKeyPairProvider(KeyPairProvider)} and
+ * {@link #setPublickeyAuthenticator(PublickeyAuthenticator)} are left for you.
+ * And applying {@link #setCommandFactory(CommandFactory)} is probably wise if you
+ * want something to actually happen when users do successfully authenticate.
+ */
+ @SuppressWarnings("unchecked")
+ public void setup() {
+ if (!SecurityUtils.isBouncyCastleRegistered())
+ throw new RuntimeException("BC crypto not available");
+
+ setKeyExchangeFactories(Arrays.<NamedFactory<KeyExchange>>asList(
+ new DHG14.Factory(),
+ new DHG1.Factory())
+ );
+
+ setRandomFactory(new SingletonRandomFactory(new BouncyCastleRandom.Factory()));
+
+ setupCiphers();
+
+ setCompressionFactories(Arrays.<NamedFactory<Compression>>asList(
+ new CompressionNone.Factory())
+ );
+
+ setMacFactories(Arrays.<NamedFactory<Mac>>asList(
+ new HMACMD5.Factory(),
+ new HMACSHA1.Factory(),
+ new HMACMD596.Factory(),
+ new HMACSHA196.Factory())
+ );
+
+ setChannelFactories(Arrays.<NamedFactory<Channel>>asList(
+ new ChannelSession.Factory(),
+ new ChannelDirectTcpip.Factory())
+ );
+
+ setSignatureFactories(Arrays.<NamedFactory<Signature>>asList(
+ new SignatureDSA.Factory(),
+ new SignatureRSA.Factory())
+ );
+
+ setFileSystemFactory(new FileSystemFactory() {
+ @Override
+ public FileSystemView createFileSystemView(Session session) throws IOException {
+ return new FileSystemView() {
+ @Override
+ public SshFile getFile(SshFile baseDir, String file) {
+ return null;
+ }
+
+ @Override
+ public SshFile getFile(String file) {
+ return null;
+ }
+ };
+ }
+ });
+
+ setForwardingFilter(new ForwardingFilter() {
+ @Override
+ public boolean canForwardAgent(ServerSession session) {
+ return false;
+ }
+
+ @Override
+ public boolean canForwardX11(ServerSession session) {
+ return false;
+ }
+
+ @Override
+ public boolean canConnect(InetSocketAddress address, ServerSession session) {
+ return false;
+ }
+
+ @Override
+ public boolean canListen(InetSocketAddress address, ServerSession session) {
+ return false;
+ }
+ });
+
+ setUserAuthFactories(Arrays.<NamedFactory<UserAuth>>asList(
+ new UserAuthPublicKey.Factory())
+ );
+ }
+
+ protected void setupCiphers() {
+ List<NamedFactory<Cipher>> avail = new LinkedList<NamedFactory<Cipher>>();
+ avail.add(new AES128CBC.Factory());
+ avail.add(new TripleDESCBC.Factory());
+ avail.add(new BlowfishCBC.Factory());
+ avail.add(new AES192CBC.Factory());
+ avail.add(new AES256CBC.Factory());
+
+ for (Iterator<NamedFactory<Cipher>> i = avail.iterator(); i.hasNext();) {
+ final NamedFactory<Cipher> f = i.next();
+ try {
+ final Cipher c = f.create();
+ final byte[] key = new byte[c.getBlockSize()];
+ final byte[] iv = new byte[c.getIVSize()];
+ c.init(Cipher.Mode.Encrypt, key, iv);
+ } catch (InvalidKeyException e) {
+ i.remove();
+ } catch (Exception e) {
+ i.remove();
+ }
+ }
+ setCipherFactories(avail);
+ }
+}
diff --git a/src/main/java/com/gitblit/transport/ssh/SshDaemon.java b/src/main/java/com/gitblit/transport/ssh/SshDaemon.java
new file mode 100644
index 0000000..6f5d5f9
--- /dev/null
+++ b/src/main/java/com/gitblit/transport/ssh/SshDaemon.java
@@ -0,0 +1,159 @@
+/*
+ * Copyright 2014 gitblit.com.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gitblit.transport.ssh;
+
+import java.io.File;
+import java.io.IOException;
+import java.net.InetSocketAddress;
+import java.text.MessageFormat;
+import java.util.concurrent.atomic.AtomicBoolean;
+
+import org.apache.sshd.server.keyprovider.PEMGeneratorHostKeyProvider;
+import org.eclipse.jgit.internal.JGitText;
+import org.eclipse.jgit.transport.resolver.ReceivePackFactory;
+import org.eclipse.jgit.transport.resolver.UploadPackFactory;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.gitblit.IStoredSettings;
+import com.gitblit.Keys;
+import com.gitblit.git.GitblitReceivePackFactory;
+import com.gitblit.git.GitblitUploadPackFactory;
+import com.gitblit.git.RepositoryResolver;
+import com.gitblit.manager.IGitblit;
+import com.gitblit.utils.StringUtils;
+
+/**
+ * Manager for the ssh transport. Roughly analogous to the
+ * {@link com.gitblit.git.GitDaemon} class.
+ *
+ * @author Eric Myhre
+ *
+ */
+public class SshDaemon {
+
+ private final Logger logger = LoggerFactory.getLogger(SshDaemon.class);
+
+ /**
+ * 22: IANA assigned port number for ssh. Note that this is a distinct concept
+ * from gitblit's default conf for ssh port -- this "default" is what the git
+ * protocol itself defaults to if it sees and ssh url without a port.
+ */
+ public static final int DEFAULT_PORT = 22;
+
+ private static final String HOST_KEY_STORE = "sshKeyStore.pem";
+
+ private InetSocketAddress myAddress;
+
+ private AtomicBoolean run;
+
+ private SshCommandServer sshd;
+
+ private RepositoryResolver<SshDaemonClient> repositoryResolver;
+
+ private UploadPackFactory<SshDaemonClient> uploadPackFactory;
+
+ private ReceivePackFactory<SshDaemonClient> receivePackFactory;
+
+ /**
+ * Construct the Gitblit SSH daemon.
+ *
+ * @param gitblit
+ */
+ public SshDaemon(IGitblit gitblit) {
+
+ IStoredSettings settings = gitblit.getSettings();
+ int port = settings.getInteger(Keys.git.sshPort, 0);
+ String bindInterface = settings.getString(Keys.git.sshBindInterface, "localhost");
+
+ if (StringUtils.isEmpty(bindInterface)) {
+ myAddress = new InetSocketAddress(port);
+ } else {
+ myAddress = new InetSocketAddress(bindInterface, port);
+ }
+
+ sshd = new SshCommandServer();
+ sshd.setPort(myAddress.getPort());
+ sshd.setHost(myAddress.getHostName());
+ sshd.setup();
+ sshd.setKeyPairProvider(new PEMGeneratorHostKeyProvider(new File(gitblit.getBaseFolder(), HOST_KEY_STORE).getPath()));
+ sshd.setPublickeyAuthenticator(new SshKeyAuthenticator(gitblit));
+
+ run = new AtomicBoolean(false);
+ repositoryResolver = new RepositoryResolver<SshDaemonClient>(gitblit);
+ uploadPackFactory = new GitblitUploadPackFactory<SshDaemonClient>(gitblit);
+ receivePackFactory = new GitblitReceivePackFactory<SshDaemonClient>(gitblit);
+
+ sshd.setCommandFactory(new SshCommandFactory(
+ repositoryResolver,
+ uploadPackFactory,
+ receivePackFactory
+ ));
+ }
+
+ public int getPort() {
+ return myAddress.getPort();
+ }
+
+ public String formatUrl(String gituser, String servername, String repository) {
+ if (getPort() == DEFAULT_PORT) {
+ // standard port
+ return MessageFormat.format("{0}@{1}/{2}", gituser, servername, repository);
+ } else {
+ // non-standard port
+ return MessageFormat.format("ssh://{0}@{1}:{2,number,0}/{3}", gituser, servername, getPort(), repository);
+ }
+ }
+
+ /**
+ * Start this daemon on a background thread.
+ *
+ * @throws IOException
+ * the server socket could not be opened.
+ * @throws IllegalStateException
+ * the daemon is already running.
+ */
+ public synchronized void start() throws IOException {
+ if (run.get()) {
+ throw new IllegalStateException(JGitText.get().daemonAlreadyRunning);
+ }
+
+ sshd.start();
+ run.set(true);
+
+ logger.info(MessageFormat.format("SSH Daemon is listening on {0}:{1,number,0}",
+ myAddress.getAddress().getHostAddress(), myAddress.getPort()));
+ }
+
+ /** @return true if this daemon is receiving connections. */
+ public boolean isRunning() {
+ return run.get();
+ }
+
+ /** Stop this daemon. */
+ public synchronized void stop() {
+ if (run.get()) {
+ logger.info("SSH Daemon stopping...");
+ run.set(false);
+
+ try {
+ sshd.stop();
+ } catch (InterruptedException e) {
+ logger.error("SSH Daemon stop interrupted", e);
+ }
+ }
+ }
+}
diff --git a/src/main/java/com/gitblit/transport/ssh/SshDaemonClient.java b/src/main/java/com/gitblit/transport/ssh/SshDaemonClient.java
new file mode 100644
index 0000000..2e8008a
--- /dev/null
+++ b/src/main/java/com/gitblit/transport/ssh/SshDaemonClient.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright 2014 gitblit.com.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gitblit.transport.ssh;
+
+import java.net.InetAddress;
+
+import org.apache.sshd.common.Session.AttributeKey;
+
+/**
+ *
+ * @author Eric Myrhe
+ *
+ */
+public class SshDaemonClient {
+ public static final AttributeKey<SshDaemonClient> ATTR_KEY = new AttributeKey<SshDaemonClient>();
+
+ public InetAddress getRemoteAddress() {
+ return null;
+ }
+
+ public String getRemoteUser() {
+ return null;
+ }
+}
diff --git a/src/main/java/com/gitblit/transport/ssh/SshKeyAuthenticator.java b/src/main/java/com/gitblit/transport/ssh/SshKeyAuthenticator.java
new file mode 100644
index 0000000..4c97c58
--- /dev/null
+++ b/src/main/java/com/gitblit/transport/ssh/SshKeyAuthenticator.java
@@ -0,0 +1,43 @@
+/*
+ * Copyright 2014 gitblit.com.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gitblit.transport.ssh;
+
+import java.security.PublicKey;
+
+import org.apache.sshd.server.PublickeyAuthenticator;
+import org.apache.sshd.server.session.ServerSession;
+
+import com.gitblit.manager.IGitblit;
+
+/**
+ *
+ * @author Eric Myrhe
+ *
+ */
+public class SshKeyAuthenticator implements PublickeyAuthenticator {
+
+ protected final IGitblit gitblit;
+
+ public SshKeyAuthenticator(IGitblit gitblit) {
+ this.gitblit = gitblit;
+ }
+
+ @Override
+ public boolean authenticate(String username, PublicKey key, ServerSession session) {
+ // TODO actually authenticate
+ return true;
+ }
+}
