scm-webapp/src/main/java/sonia/scm/lifecycle/modules/ScmSecurityModule.java

/*
 * MIT License
 *
 * Copyright (c) 2020-present Cloudogu GmbH and Contributors
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
 * in the Software without restriction, including without limitation the rights
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in all
 * copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE.
 */

package sonia.scm.lifecycle.modules;

//~--- non-JDK imports --------------------------------------------------------

import com.google.inject.name.Names;
import org.apache.shiro.authc.Authenticator;
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.authc.credential.PasswordService;
import org.apache.shiro.authc.pam.AuthenticationStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.authz.permission.PermissionResolver;
import org.apache.shiro.crypto.hash.DefaultHashService;
import org.apache.shiro.guice.web.ShiroWebModule;
import org.apache.shiro.mgt.DefaultSessionStorageEvaluator;
import org.apache.shiro.mgt.DefaultSubjectDAO;
import org.apache.shiro.mgt.SubjectDAO;
import org.apache.shiro.realm.Realm;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import sonia.scm.plugin.ExtensionProcessor;

//~--- JDK imports ------------------------------------------------------------

import javax.servlet.ServletContext;
import org.apache.shiro.mgt.RememberMeManager;
import sonia.scm.security.DisabledRememberMeManager;
import sonia.scm.security.ScmAtLeastOneSuccessfulStrategy;
import sonia.scm.security.ScmPermissionResolver;

/**
 *
 * @author Sebastian Sdorra
 */
public class ScmSecurityModule extends ShiroWebModule
{

  /** Field description */
  private static final int ITERATIONS = 8192;

  /**
   *   the logger for ScmSecurityModule
   */
  private static final Logger logger =
    LoggerFactory.getLogger(ScmSecurityModule.class);

  //~--- constructors ---------------------------------------------------------

  /**
   * Constructs ...
   *
   *
   * @param servletContext
   * @param extensionProcessor
   */
  public ScmSecurityModule(ServletContext servletContext, ExtensionProcessor extensionProcessor)
  {
    super(servletContext);
    this.extensionProcessor = extensionProcessor;
  }

  //~--- methods --------------------------------------------------------------

  /**
   * Method description
   *
   */
  @Override
  @SuppressWarnings("unchecked")
  protected void configureShiroWeb()
  {
    bind(PasswordService.class).toInstance(createPasswordService());

    // expose password service to global injector
    expose(PasswordService.class);

    // disable remember me cookie generation
    bind(RememberMeManager.class).to(DisabledRememberMeManager.class);

    // bind authentication strategy
    bind(ModularRealmAuthenticator.class);
    bind(Authenticator.class).to(ModularRealmAuthenticator.class);
    bind(AuthenticationStrategy.class).to(ScmAtLeastOneSuccessfulStrategy.class);
    bind(PermissionResolver.class).to(ScmPermissionResolver.class);

    // bind realm
    for (Class<? extends Realm> realm : extensionProcessor.byExtensionPoint(Realm.class))
    {
      logger.info("bind security realm {}", realm);
      bindRealm().to(realm);
    }

    // bind constant
    bindConstant().annotatedWith(Names.named("shiro.loginUrl")).to("/index.html");

    // do not block non ascii character,
    // because this would exclude languages which are non ascii based
    bindConstant().annotatedWith(Names.named("shiro.blockNonAscii")).to(false);

    // disable access to mustache resources
    addFilterChain("/**.mustache", filterConfig(ROLES, "nobody"));

    // disable session
    disableSession();
  }

  private void disableSession() {
    addFilterChain("/**", NO_SESSION_CREATION);
    bindConstant().annotatedWith(Names.named("shiro.sessionStorageEnabled")).to(false);

    DefaultSubjectDAO subjectDAO = new DefaultSubjectDAO();
    DefaultSessionStorageEvaluator sessionStorageEvaluator = new DefaultSessionStorageEvaluator();
    sessionStorageEvaluator.setSessionStorageEnabled(false);
    subjectDAO.setSessionStorageEvaluator(sessionStorageEvaluator);
    bind(SubjectDAO.class).toInstance(subjectDAO);
  }

  /**
   * Creates a {@link PasswordService} with a smaller size of iteration, because
   * large iterations will slow down subversion.
   *
   * @return instance of {@link PasswordService}
   */
  private PasswordService createPasswordService()
  {
    DefaultPasswordService passwordService = new IdempotentPasswordService();
    DefaultHashService hashService = new DefaultHashService();
    hashService.setHashIterations(ITERATIONS);
    passwordService.setHashService(hashService);

    return passwordService;
  }

  //~--- fields ---------------------------------------------------------------

  /** Field description */
  private final ExtensionProcessor extensionProcessor;

  static class IdempotentPasswordService extends DefaultPasswordService {

    private boolean isEncrypted(Object password) {
      return password instanceof String && ((String) password).startsWith("$shiro1$SHA-512$");
    }

    @Override
    public String encryptPassword(Object plaintext) {
      if (isEncrypted(plaintext)) {
        return plaintext.toString();
      }
      return super.encryptPassword(plaintext);
    }
  }
}
Changeover to MIT license (#1066) * prepare license-maven-plugin for license migration * added license mapping for tsx files and added some more excludes * Changeover to MIT license * Fix build problems * Delete old remaining licenses * Add more exclude path for license checker * Rename included netbeans license, add exclude .m2/repository/ * Specify .m2 exclude because not only repository/, also wrapper/ must match * Add .cache/ exclude for license check * Modify formatting of license in java classes to comply with convention and IDE * Add IntelliJ documentation for license configuration * Update CHANGELOG.md * Exclude tmp/workspace/ dir for license check * Edit README.md Co-authored-by: Sebastian Sdorra <sebastian.sdorra@cloudogu.com> 2020-03-23 15:35:58 +01:00			`/*`
			`* MIT License`
bind new security api 2012-08-27 08:04:44 +02:00			`*`
Changeover to MIT license (#1066) * prepare license-maven-plugin for license migration * added license mapping for tsx files and added some more excludes * Changeover to MIT license * Fix build problems * Delete old remaining licenses * Add more exclude path for license checker * Rename included netbeans license, add exclude .m2/repository/ * Specify .m2 exclude because not only repository/, also wrapper/ must match * Add .cache/ exclude for license check * Modify formatting of license in java classes to comply with convention and IDE * Add IntelliJ documentation for license configuration * Update CHANGELOG.md * Exclude tmp/workspace/ dir for license check * Edit README.md Co-authored-by: Sebastian Sdorra <sebastian.sdorra@cloudogu.com> 2020-03-23 15:35:58 +01:00			`* Copyright (c) 2020-present Cloudogu GmbH and Contributors`
bind new security api 2012-08-27 08:04:44 +02:00			`*`
Changeover to MIT license (#1066) * prepare license-maven-plugin for license migration * added license mapping for tsx files and added some more excludes * Changeover to MIT license * Fix build problems * Delete old remaining licenses * Add more exclude path for license checker * Rename included netbeans license, add exclude .m2/repository/ * Specify .m2 exclude because not only repository/, also wrapper/ must match * Add .cache/ exclude for license check * Modify formatting of license in java classes to comply with convention and IDE * Add IntelliJ documentation for license configuration * Update CHANGELOG.md * Exclude tmp/workspace/ dir for license check * Edit README.md Co-authored-by: Sebastian Sdorra <sebastian.sdorra@cloudogu.com> 2020-03-23 15:35:58 +01:00			`* Permission is hereby granted, free of charge, to any person obtaining a copy`
			`* of this software and associated documentation files (the "Software"), to deal`
			`* in the Software without restriction, including without limitation the rights`
			`* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell`
			`* copies of the Software, and to permit persons to whom the Software is`
			`* furnished to do so, subject to the following conditions:`
bind new security api 2012-08-27 08:04:44 +02:00			`*`
Changeover to MIT license (#1066) * prepare license-maven-plugin for license migration * added license mapping for tsx files and added some more excludes * Changeover to MIT license * Fix build problems * Delete old remaining licenses * Add more exclude path for license checker * Rename included netbeans license, add exclude .m2/repository/ * Specify .m2 exclude because not only repository/, also wrapper/ must match * Add .cache/ exclude for license check * Modify formatting of license in java classes to comply with convention and IDE * Add IntelliJ documentation for license configuration * Update CHANGELOG.md * Exclude tmp/workspace/ dir for license check * Edit README.md Co-authored-by: Sebastian Sdorra <sebastian.sdorra@cloudogu.com> 2020-03-23 15:35:58 +01:00			`* The above copyright notice and this permission notice shall be included in all`
			`* copies or substantial portions of the Software.`
bind new security api 2012-08-27 08:04:44 +02:00			`*`
Changeover to MIT license (#1066) * prepare license-maven-plugin for license migration * added license mapping for tsx files and added some more excludes * Changeover to MIT license * Fix build problems * Delete old remaining licenses * Add more exclude path for license checker * Rename included netbeans license, add exclude .m2/repository/ * Specify .m2 exclude because not only repository/, also wrapper/ must match * Add .cache/ exclude for license check * Modify formatting of license in java classes to comply with convention and IDE * Add IntelliJ documentation for license configuration * Update CHANGELOG.md * Exclude tmp/workspace/ dir for license check * Edit README.md Co-authored-by: Sebastian Sdorra <sebastian.sdorra@cloudogu.com> 2020-03-23 15:35:58 +01:00			`* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR`
			`* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,`
			`* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE`
			`* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER`
			`* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,`
			`* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE`
			`* SOFTWARE.`
bind new security api 2012-08-27 08:04:44 +02:00			`*/`
Add scope from role for api token realm 2020-10-01 09:39:51 +02:00
added modules, classloading and view packages to sonia.scm.lifecycle 2019-06-25 09:49:52 +02:00			`package sonia.scm.lifecycle.modules;`
bind new security api 2012-08-27 08:04:44 +02:00
			`//~--- non-JDK imports --------------------------------------------------------`

protect mustache resources 2013-02-17 13:59:00 +01:00			`import com.google.inject.name.Names;`
initial implementation 2020-08-20 17:44:36 +02:00			`import org.apache.shiro.authc.Authenticator;`
replace scm-manager 1.x security api with apache shiro and use PasswordService for stronger password hashes 2014-12-14 12:26:03 +01:00			`import org.apache.shiro.authc.credential.DefaultPasswordService;`
			`import org.apache.shiro.authc.credential.PasswordService;`
initial implementation 2020-08-20 17:44:36 +02:00			`import org.apache.shiro.authc.pam.AuthenticationStrategy;`
			`import org.apache.shiro.authc.pam.ModularRealmAuthenticator;`
Add scope from role for api token realm 2020-10-01 09:39:51 +02:00			`import org.apache.shiro.authz.permission.PermissionResolver;`
replace scm-manager 1.x security api with apache shiro and use PasswordService for stronger password hashes 2014-12-14 12:26:03 +01:00			`import org.apache.shiro.crypto.hash.DefaultHashService;`
bind new security api 2012-08-27 08:04:44 +02:00			`import org.apache.shiro.guice.web.ShiroWebModule;`
Disable shiro session storage We use JWT for session management, so we can disable shiro session management and this allows usage of SecurityManager outside of a http request. 2020-11-08 12:25:25 +01:00			`import org.apache.shiro.mgt.DefaultSessionStorageEvaluator;`
			`import org.apache.shiro.mgt.DefaultSubjectDAO;`
			`import org.apache.shiro.mgt.SubjectDAO;`
added extension point for shiro realms 2014-12-19 17:52:44 +01:00			`import org.apache.shiro.realm.Realm;`
bind new security api 2012-08-27 08:04:44 +02:00
added extension point for shiro realms 2014-12-19 17:52:44 +01:00			`import org.slf4j.Logger;`
			`import org.slf4j.LoggerFactory;`

			`import sonia.scm.plugin.ExtensionProcessor;`
bind new security api 2012-08-27 08:04:44 +02:00
			`//~--- JDK imports ------------------------------------------------------------`

			`import javax.servlet.ServletContext;`
disable apache shiro remember me function 2015-03-21 17:03:23 +01:00			`import org.apache.shiro.mgt.RememberMeManager;`
			`import sonia.scm.security.DisabledRememberMeManager;`
initial implementation 2020-08-20 17:44:36 +02:00			`import sonia.scm.security.ScmAtLeastOneSuccessfulStrategy;`
Add scope from role for api token realm 2020-10-01 09:39:51 +02:00			`import sonia.scm.security.ScmPermissionResolver;`
bind new security api 2012-08-27 08:04:44 +02:00
			`/**`
			`*`
			`* @author Sebastian Sdorra`
			`*/`
			`public class ScmSecurityModule extends ShiroWebModule`
			`{`

replace scm-manager 1.x security api with apache shiro and use PasswordService for stronger password hashes 2014-12-14 12:26:03 +01:00			`/** Field description */`
			`private static final int ITERATIONS = 8192;`

added extension point for shiro realms 2014-12-19 17:52:44 +01:00			`/**`
			`* the logger for ScmSecurityModule`
			`*/`
			`private static final Logger logger =`
			`LoggerFactory.getLogger(ScmSecurityModule.class);`

replace scm-manager 1.x security api with apache shiro and use PasswordService for stronger password hashes 2014-12-14 12:26:03 +01:00			`//~--- constructors ---------------------------------------------------------`

bind new security api 2012-08-27 08:04:44 +02:00			`/**`
			`* Constructs ...`
			`*`
			`*`
			`* @param servletContext`
added extension point for shiro realms 2014-12-19 17:52:44 +01:00			`* @param extensionProcessor`
bind new security api 2012-08-27 08:04:44 +02:00			`*/`
simplify scm-manager bootstrap We have simplified the scm-manager bootstrap process, by replacing the ServletContextListener call hierarchy with much simpler ModuleProviders. We have also removed the parent injector. Now we create always a new injector. If something goes wrong in the process of injector creation, we will show a nicely styled error page instead of stacktrace on a white page. 2019-06-24 16:59:28 +02:00			`public ScmSecurityModule(ServletContext servletContext, ExtensionProcessor extensionProcessor)`
bind new security api 2012-08-27 08:04:44 +02:00			`{`
			`super(servletContext);`
added extension point for shiro realms 2014-12-19 17:52:44 +01:00			`this.extensionProcessor = extensionProcessor;`
bind new security api 2012-08-27 08:04:44 +02:00			`}`

			`//~--- methods --------------------------------------------------------------`

			`/**`
			`* Method description`
			`*`
			`*/`
			`@Override`
suppress unchecked warnings 2014-01-11 15:17:44 +01:00			`@SuppressWarnings("unchecked")`
bind new security api 2012-08-27 08:04:44 +02:00			`protected void configureShiroWeb()`
			`{`
replace scm-manager 1.x security api with apache shiro and use PasswordService for stronger password hashes 2014-12-14 12:26:03 +01:00			`bind(PasswordService.class).toInstance(createPasswordService());`

			`// expose password service to global injector`
			`expose(PasswordService.class);`
Add scope from role for api token realm 2020-10-01 09:39:51 +02:00
disable apache shiro remember me function 2015-03-21 17:03:23 +01:00			`// disable remember me cookie generation`
			`bind(RememberMeManager.class).to(DisabledRememberMeManager.class);`
protect mustache resources 2013-02-17 13:59:00 +01:00
initial implementation 2020-08-20 17:44:36 +02:00			`// bind authentication strategy`
			`bind(ModularRealmAuthenticator.class);`
			`bind(Authenticator.class).to(ModularRealmAuthenticator.class);`
			`bind(AuthenticationStrategy.class).to(ScmAtLeastOneSuccessfulStrategy.class);`
Add scope from role for api token realm 2020-10-01 09:39:51 +02:00			`bind(PermissionResolver.class).to(ScmPermissionResolver.class);`
initial implementation 2020-08-20 17:44:36 +02:00
protect mustache resources 2013-02-17 13:59:00 +01:00			`// bind realm`
fix generic handling of extension processor 2014-12-21 00:42:21 +01:00			`for (Class<? extends Realm> realm : extensionProcessor.byExtensionPoint(Realm.class))`
added extension point for shiro realms 2014-12-19 17:52:44 +01:00			`{`
			`logger.info("bind security realm {}", realm);`
			`bindRealm().to(realm);`
			`}`
protect mustache resources 2013-02-17 13:59:00 +01:00
			`// bind constant`
Refactor nearly the whole scm-hg-plugin for new hook implementation 2020-11-07 15:52:22 +01:00			`bindConstant().annotatedWith(Names.named("shiro.loginUrl")).to("/index.html");`
protect mustache resources 2013-02-17 13:59:00 +01:00
Fix accidentally blocked requests with non ascii characters (#1480) 2020-12-17 12:03:31 +01:00			`// do not block non ascii character,`
			`// because this would exclude languages which are non ascii based`
			`bindConstant().annotatedWith(Names.named("shiro.blockNonAscii")).to(false);`

protect mustache resources 2013-02-17 13:59:00 +01:00			`// disable access to mustache resources`
fix injection with java 8 2016-12-11 21:30:33 +01:00			`addFilterChain("/**.mustache", filterConfig(ROLES, "nobody"));`
Add scope from role for api token realm 2020-10-01 09:39:51 +02:00
added restful endpoint for jwt authentication 2015-03-15 11:40:29 +01:00			`// disable session`
Disable shiro session storage We use JWT for session management, so we can disable shiro session management and this allows usage of SecurityManager outside of a http request. 2020-11-08 12:25:25 +01:00			`disableSession();`
			`}`

			`private void disableSession() {`
disable http session creation 2015-03-21 16:06:17 +01:00			`addFilterChain("/**", NO_SESSION_CREATION);`
Refactor nearly the whole scm-hg-plugin for new hook implementation 2020-11-07 15:52:22 +01:00			`bindConstant().annotatedWith(Names.named("shiro.sessionStorageEnabled")).to(false);`
Disable shiro session storage We use JWT for session management, so we can disable shiro session management and this allows usage of SecurityManager outside of a http request. 2020-11-08 12:25:25 +01:00
			`DefaultSubjectDAO subjectDAO = new DefaultSubjectDAO();`
			`DefaultSessionStorageEvaluator sessionStorageEvaluator = new DefaultSessionStorageEvaluator();`
			`sessionStorageEvaluator.setSessionStorageEnabled(false);`
			`subjectDAO.setSessionStorageEvaluator(sessionStorageEvaluator);`
			`bind(SubjectDAO.class).toInstance(subjectDAO);`
bind new security api 2012-08-27 08:04:44 +02:00			`}`
replace scm-manager 1.x security api with apache shiro and use PasswordService for stronger password hashes 2014-12-14 12:26:03 +01:00
			`/**`
			`* Creates a {@link PasswordService} with a smaller size of iteration, because`
			`* large iterations will slow down subversion.`
			`*`
			`* @return instance of {@link PasswordService}`
			`*/`
			`private PasswordService createPasswordService()`
			`{`
Always encrypt password (#2085) First, we make "encryptPassword" in the PasswordService idempotent, so that the method will not change the password when the method is called with an already encrypted string. Then, in the user manager, we will always call this method to encrypt the password, if this is not already the case. Co-authored-by: Eduard Heimbuch <eduard.heimbuch@cloudogu.com> 2022-07-15 15:02:52 +02:00			`DefaultPasswordService passwordService = new IdempotentPasswordService();`
replace scm-manager 1.x security api with apache shiro and use PasswordService for stronger password hashes 2014-12-14 12:26:03 +01:00			`DefaultHashService hashService = new DefaultHashService();`
			`hashService.setHashIterations(ITERATIONS);`
			`passwordService.setHashService(hashService);`

			`return passwordService;`
			`}`
added extension point for shiro realms 2014-12-19 17:52:44 +01:00
			`//~--- fields ---------------------------------------------------------------`

			`/** Field description */`
			`private final ExtensionProcessor extensionProcessor;`
Always encrypt password (#2085) First, we make "encryptPassword" in the PasswordService idempotent, so that the method will not change the password when the method is called with an already encrypted string. Then, in the user manager, we will always call this method to encrypt the password, if this is not already the case. Co-authored-by: Eduard Heimbuch <eduard.heimbuch@cloudogu.com> 2022-07-15 15:02:52 +02:00
			`static class IdempotentPasswordService extends DefaultPasswordService {`

			`private boolean isEncrypted(Object password) {`
			`return password instanceof String && ((String) password).startsWith("$shiro1$SHA-512$");`
			`}`

			`@Override`
			`public String encryptPassword(Object plaintext) {`
			`if (isEncrypted(plaintext)) {`
			`return plaintext.toString();`
			`}`
			`return super.encryptPassword(plaintext);`
			`}`
			`}`
bind new security api 2012-08-27 08:04:44 +02:00			`}`