/* | |
* Copyright 2011 gitblit.com. | |
* | |
* Licensed under the Apache License, Version 2.0 (the "License"); | |
* you may not use this file except in compliance with the License. | |
* You may obtain a copy of the License at | |
* | |
* http://www.apache.org/licenses/LICENSE-2.0 | |
* | |
* Unless required by applicable law or agreed to in writing, software | |
* distributed under the License is distributed on an "AS IS" BASIS, | |
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
* See the License for the specific language governing permissions and | |
* limitations under the License. | |
*/ | |
package com.gitblit.servlet; | |
import java.io.IOException; | |
import java.text.MessageFormat; | |
import com.google.inject.Inject; | |
import com.google.inject.Singleton; | |
import javax.servlet.FilterChain; | |
import javax.servlet.ServletException; | |
import javax.servlet.ServletRequest; | |
import javax.servlet.ServletResponse; | |
import javax.servlet.http.HttpServletRequest; | |
import javax.servlet.http.HttpServletResponse; | |
import com.gitblit.Constants.AccessRestrictionType; | |
import com.gitblit.manager.IAuthenticationManager; | |
import com.gitblit.manager.IProjectManager; | |
import com.gitblit.manager.IRepositoryManager; | |
import com.gitblit.manager.IRuntimeManager; | |
import com.gitblit.models.ProjectModel; | |
import com.gitblit.models.RepositoryModel; | |
import com.gitblit.models.UserModel; | |
/** | |
* The SyndicationFilter is an AuthenticationFilter which ensures that feed | |
* requests for projects or view-restricted repositories have proper authentication | |
* credentials and are authorized for the requested feed. | |
* | |
* @author James Moger | |
* | |
*/ | |
@Singleton | |
public class SyndicationFilter extends AuthenticationFilter { | |
private IRuntimeManager runtimeManager; | |
private IRepositoryManager repositoryManager; | |
private IProjectManager projectManager; | |
@Inject | |
public SyndicationFilter( | |
IRuntimeManager runtimeManager, | |
IAuthenticationManager authenticationManager, | |
IRepositoryManager repositoryManager, | |
IProjectManager projectManager) { | |
super(authenticationManager); | |
this.runtimeManager = runtimeManager; | |
this.repositoryManager = repositoryManager; | |
this.projectManager = projectManager; | |
} | |
/** | |
* Extract the repository name from the url. | |
* | |
* @param url | |
* @return repository name | |
*/ | |
protected String extractRequestedName(String url) { | |
if (url.indexOf('?') > -1) { | |
return url.substring(0, url.indexOf('?')); | |
} | |
return url; | |
} | |
/** | |
* doFilter does the actual work of preprocessing the request to ensure that | |
* the user may proceed. | |
* | |
* @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, | |
* javax.servlet.ServletResponse, javax.servlet.FilterChain) | |
*/ | |
@Override | |
public void doFilter(final ServletRequest request, final ServletResponse response, | |
final FilterChain chain) throws IOException, ServletException { | |
HttpServletRequest httpRequest = (HttpServletRequest) request; | |
HttpServletResponse httpResponse = (HttpServletResponse) response; | |
String fullUrl = getFullUrl(httpRequest); | |
String name = extractRequestedName(fullUrl); | |
ProjectModel project = projectManager.getProjectModel(name); | |
RepositoryModel model = null; | |
if (project == null) { | |
// try loading a repository model | |
model = repositoryManager.getRepositoryModel(name); | |
if (model == null) { | |
// repository not found. send 404. | |
logger.info(MessageFormat.format("ARF: {0} ({1})", fullUrl, | |
HttpServletResponse.SC_NOT_FOUND)); | |
httpResponse.sendError(HttpServletResponse.SC_NOT_FOUND); | |
return; | |
} | |
} | |
// Wrap the HttpServletRequest with the AccessRestrictionRequest which | |
// overrides the servlet container user principal methods. | |
// JGit requires either: | |
// | |
// 1. servlet container authenticated user | |
// 2. http.receivepack = true in each repository's config | |
// | |
// Gitblit must conditionally authenticate users per-repository so just | |
// enabling http.receivepack is insufficient. | |
AuthenticatedRequest authenticatedRequest = new AuthenticatedRequest(httpRequest); | |
UserModel user = getUser(httpRequest); | |
if (user != null) { | |
authenticatedRequest.setUser(user); | |
} | |
// BASIC authentication challenge and response processing | |
if (model != null) { | |
if (model.accessRestriction.atLeast(AccessRestrictionType.VIEW)) { | |
if (user == null) { | |
// challenge client to provide credentials. send 401. | |
if (runtimeManager.isDebugMode()) { | |
logger.info(MessageFormat.format("ARF: CHALLENGE {0}", fullUrl)); | |
} | |
httpResponse.setHeader("WWW-Authenticate", CHALLENGE); | |
httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED); | |
return; | |
} else { | |
// check user access for request | |
if (user.canView(model)) { | |
// authenticated request permitted. | |
// pass processing to the restricted servlet. | |
newSession(authenticatedRequest, httpResponse); | |
logger.info(MessageFormat.format("ARF: {0} ({1}) authenticated", fullUrl, | |
HttpServletResponse.SC_CONTINUE)); | |
chain.doFilter(authenticatedRequest, httpResponse); | |
return; | |
} | |
// valid user, but not for requested access. send 403. | |
if (runtimeManager.isDebugMode()) { | |
logger.info(MessageFormat.format("ARF: {0} forbidden to access {1}", | |
user.username, fullUrl)); | |
} | |
httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN); | |
return; | |
} | |
} | |
} | |
if (runtimeManager.isDebugMode()) { | |
logger.info(MessageFormat.format("ARF: {0} ({1}) unauthenticated", fullUrl, | |
HttpServletResponse.SC_CONTINUE)); | |
} | |
// unauthenticated request permitted. | |
// pass processing to the restricted servlet. | |
chain.doFilter(authenticatedRequest, httpResponse); | |
} | |
} |