Allow execution of account removal REST API Enable to cookie-based authentication for the sole purpose of invoking the DELETE /accounts/self REST API that allows the self-removal of accounts Change-Id: I9251243b688548e61deb6c463d640ce7b1ffdac6
diff --git a/BUILD b/BUILD index bcaa2f0..487c348 100644 --- a/BUILD +++ b/BUILD
@@ -13,6 +13,7 @@ "Gerrit-PluginName: account", "Gerrit-Module: com.gerritforge.gerrit.plugins.account.Module", "Gerrit-SshModule: com.gerritforge.gerrit.plugins.account.SshModule", + "Gerrit-HttpModule: com.gerritforge.gerrit.plugins.account.HttpModule", ], resources = glob(["src/main/resources/**/*"]), )
diff --git a/src/main/java/com/gerritforge/gerrit/plugins/account/HttpModule.java b/src/main/java/com/gerritforge/gerrit/plugins/account/HttpModule.java new file mode 100644 index 0000000..fe322fc --- /dev/null +++ b/src/main/java/com/gerritforge/gerrit/plugins/account/HttpModule.java
@@ -0,0 +1,27 @@ +// Copyright (C) 2018 GerritForge Ltd +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.gerritforge.gerrit.plugins.account; + +import com.google.gerrit.extensions.registration.DynamicSet; +import com.google.gerrit.httpd.AllRequestFilter; +import com.google.inject.servlet.ServletModule; + +public class HttpModule extends ServletModule { + + @Override + protected void configureServlets() { + DynamicSet.bind(binder(), AllRequestFilter.class).to(XAuthFilter.class); + } +}
diff --git a/src/main/java/com/gerritforge/gerrit/plugins/account/XAuthFilter.java b/src/main/java/com/gerritforge/gerrit/plugins/account/XAuthFilter.java new file mode 100644 index 0000000..25d3df1 --- /dev/null +++ b/src/main/java/com/gerritforge/gerrit/plugins/account/XAuthFilter.java
@@ -0,0 +1,61 @@ +// Copyright (C) 2018 GerritForge Ltd +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.gerritforge.gerrit.plugins.account; + +import com.google.gerrit.extensions.registration.DynamicItem; +import com.google.gerrit.httpd.AllRequestFilter; +import com.google.gerrit.httpd.WebSession; +import com.google.gerrit.server.AccessPath; +import com.google.inject.Inject; +import com.google.inject.Singleton; +import java.io.IOException; +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +@Singleton +public class XAuthFilter extends AllRequestFilter { + public static final String ALLOWED_URI_SUFFIX = "/a/accounts/self"; + + private static final Logger log = LoggerFactory.getLogger(XAuthFilter.class); + + private DynamicItem<WebSession> webSession; + + @Inject + public XAuthFilter(DynamicItem<WebSession> webSession) { + this.webSession = webSession; + } + + @Override + public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) + throws IOException, ServletException { + String uri = ((HttpServletRequest) request).getRequestURI(); + + if (uri.endsWith(ALLOWED_URI_SUFFIX)) { + WebSession session = webSession.get(); + if (session != null && session.isSignedIn() && session.getXGerritAuth() != null) { + String currentUser = session.getUser().getUserName(); + log.info("REST API URI {} allowed for user {}", uri, currentUser); + session.setAccessPathOk(AccessPath.REST_API, true); + } + } + + chain.doFilter(request, response); + } +}