Merge branch 'develop' into bugfix/plugin_dependency_context

2026-03-05 03:40:56 +01:00 · 2020-08-26 10:28:45 +02:00
parent a36c0e2a16 4856171ead
commit 0b6ff0c500
32 changed files with 711 additions and 79 deletions
--- a/scm-webapp/src/main/java/sonia/scm/TemplatingPushStateDispatcher.java
+++ b/scm-webapp/src/main/java/sonia/scm/TemplatingPushStateDispatcher.java
@@ -21,7 +21,7 @@
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE.
 */
-    
+
 package sonia.scm;

 import com.google.common.annotations.VisibleForTesting;
@@ -46,15 +46,17 @@ public class TemplatingPushStateDispatcher implements PushStateDispatcher {
  static final String TEMPLATE = "/index.mustache";

  private final TemplateEngine templateEngine;
+  private final SCMContextProvider context;

  @Inject
-  public TemplatingPushStateDispatcher(TemplateEngineFactory templateEngineFactory) {
-    this(templateEngineFactory.getDefaultEngine());
+  public TemplatingPushStateDispatcher(TemplateEngineFactory templateEngineFactory, SCMContextProvider context) {
+    this(templateEngineFactory.getDefaultEngine(), context);
  }

  @VisibleForTesting
-  TemplatingPushStateDispatcher(TemplateEngine templateEngine) {
+  TemplatingPushStateDispatcher(TemplateEngine templateEngine, SCMContextProvider context) {
    this.templateEngine = templateEngine;
+    this.context = context;
  }

  @Override
@@ -64,7 +66,7 @@ public class TemplatingPushStateDispatcher implements PushStateDispatcher {

    Template template = templateEngine.getTemplate(TEMPLATE);
    try (Writer writer = response.getWriter()) {
-      template.execute(writer, new IndexHtmlModel(request));
+      template.execute(writer, new IndexHtmlModel(request, context.getStage()));
    }
  }

@@ -72,15 +74,21 @@ public class TemplatingPushStateDispatcher implements PushStateDispatcher {
  static class IndexHtmlModel {

    private final HttpServletRequest request;
+    private final Stage scmStage;

-    private IndexHtmlModel(HttpServletRequest request) {
+    private IndexHtmlModel(HttpServletRequest request, Stage scmStage) {
      this.request = request;
+      this.scmStage = scmStage;
    }

    public String getContextPath() {
      return request.getContextPath();
    }

+    public String getScmStage() {
+      return scmStage.name();
+    }
+
    public String getLiveReloadURL() {
      return System.getProperty("livereload.url");
    }
--- a/scm-webapp/src/main/java/sonia/scm/lifecycle/modules/ScmSecurityModule.java
+++ b/scm-webapp/src/main/java/sonia/scm/lifecycle/modules/ScmSecurityModule.java
@@ -28,8 +28,11 @@ package sonia.scm.lifecycle.modules;

 import com.google.inject.name.Names;

+import org.apache.shiro.authc.Authenticator;
 import org.apache.shiro.authc.credential.DefaultPasswordService;
 import org.apache.shiro.authc.credential.PasswordService;
+import org.apache.shiro.authc.pam.AuthenticationStrategy;
+import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
 import org.apache.shiro.crypto.hash.DefaultHashService;
 import org.apache.shiro.guice.web.ShiroWebModule;
 import org.apache.shiro.realm.Realm;
@@ -44,6 +47,7 @@ import sonia.scm.plugin.ExtensionProcessor;
 import javax.servlet.ServletContext;
 import org.apache.shiro.mgt.RememberMeManager;
 import sonia.scm.security.DisabledRememberMeManager;
+import sonia.scm.security.ScmAtLeastOneSuccessfulStrategy;

 /**
 *
@@ -94,6 +98,11 @@ public class ScmSecurityModule extends ShiroWebModule
    // disable remember me cookie generation
    bind(RememberMeManager.class).to(DisabledRememberMeManager.class);

+    // bind authentication strategy
+    bind(ModularRealmAuthenticator.class);
+    bind(Authenticator.class).to(ModularRealmAuthenticator.class);
+    bind(AuthenticationStrategy.class).to(ScmAtLeastOneSuccessfulStrategy.class);
+
    // bind realm
    for (Class<? extends Realm> realm : extensionProcessor.byExtensionPoint(Realm.class))
    {
--- a/scm-webapp/src/main/java/sonia/scm/security/DefaultAccessTokenCookieIssuer.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/DefaultAccessTokenCookieIssuer.java
@@ -51,6 +51,10 @@ public final class DefaultAccessTokenCookieIssuer implements AccessTokenCookieIs
   * the logger for DefaultAccessTokenCookieIssuer
   */
  private static final Logger LOG = LoggerFactory.getLogger(DefaultAccessTokenCookieIssuer.class);
+
+  private static final int DEFAULT_COOKIE_EXPIRATION_AMOUNT = 365;
+  private static final TimeUnit DEFAULT_COOKIE_EXPIRATION_UNIT = TimeUnit.DAYS;
+  private static final int DEFAULT_COOKIE_EXPIRATION = (int) TimeUnit.SECONDS.convert(DEFAULT_COOKIE_EXPIRATION_AMOUNT, DEFAULT_COOKIE_EXPIRATION_UNIT);
  
  private final ScmConfiguration configuration;

@@ -75,7 +79,7 @@ public final class DefaultAccessTokenCookieIssuer implements AccessTokenCookieIs
    LOG.trace("create and attach cookie for access token {}", accessToken.getId());
    Cookie c = new Cookie(HttpUtil.COOKIE_BEARER_AUTHENTICATION, accessToken.compact());
    c.setPath(contextPath(request));
-    c.setMaxAge(getMaxAge(accessToken));
+    c.setMaxAge(DEFAULT_COOKIE_EXPIRATION);
    c.setHttpOnly(isHttpOnly());
    c.setSecure(isSecure(request));
    
@@ -111,11 +115,6 @@ public final class DefaultAccessTokenCookieIssuer implements AccessTokenCookieIs
    return contextPath;
  }
  
-  private int getMaxAge(AccessToken accessToken){
-    long maxAgeMs = accessToken.getExpiration().getTime() - new Date().getTime();
-    return (int) TimeUnit.MILLISECONDS.toSeconds(maxAgeMs);
-  }
-  
  private boolean isSecure(HttpServletRequest request){
    boolean secure = request.isSecure();
    if (!secure) {
--- a/scm-webapp/src/main/java/sonia/scm/security/ScmAtLeastOneSuccessfulStrategy.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/ScmAtLeastOneSuccessfulStrategy.java
@@ -0,0 +1,91 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package sonia.scm.security;
+
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.authc.AuthenticationInfo;
+import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.authc.pam.AbstractAuthenticationStrategy;
+import org.apache.shiro.realm.Realm;
+import org.apache.shiro.subject.PrincipalCollection;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+import java.util.Optional;
+
+public class ScmAtLeastOneSuccessfulStrategy extends AbstractAuthenticationStrategy {
+
+  final ThreadLocal<List<Throwable>> threadLocal = new ThreadLocal<>();
+
+  @Override
+  public AuthenticationInfo beforeAllAttempts(Collection<? extends Realm> realms, AuthenticationToken token) throws AuthenticationException {
+    this.threadLocal.set(new ArrayList<>());
+    return super.beforeAllAttempts(realms, token);
+  }
+
+  @Override
+  public AuthenticationInfo afterAttempt(Realm realm, AuthenticationToken token, AuthenticationInfo singleRealmInfo, AuthenticationInfo aggregateInfo, Throwable t) throws AuthenticationException {
+    if (t != null) {
+      this.threadLocal.get().add(t);
+    }
+    return super.afterAttempt(realm, token, singleRealmInfo, aggregateInfo, t);
+  }
+
+  @Override
+  public AuthenticationInfo afterAllAttempts(AuthenticationToken token, AuthenticationInfo aggregate) throws AuthenticationException {
+    final List<Throwable> throwables = threadLocal.get();
+    threadLocal.remove();
+    if (isAuthenticationSuccessful(aggregate)) {
+      return aggregate;
+    }
+    Optional<TokenExpiredException> tokenExpiredException = findTokenExpiredException(throwables);
+
+    if (tokenExpiredException.isPresent()) {
+      throw tokenExpiredException.get();
+    } else {
+      throw createAuthenticationException(token);
+    }
+  }
+
+  private static boolean isAuthenticationSuccessful(AuthenticationInfo aggregate) {
+    return aggregate != null && isNotEmpty(aggregate.getPrincipals());
+  }
+
+  private static boolean isNotEmpty(PrincipalCollection pc) {
+    return pc != null && !pc.isEmpty();
+  }
+
+  private static Optional<TokenExpiredException> findTokenExpiredException(List<Throwable> throwables) {
+    return throwables.stream().filter(t -> t instanceof TokenExpiredException).findFirst().map(t -> (TokenExpiredException) t);
+  }
+
+  private static AuthenticationException createAuthenticationException(AuthenticationToken token) {
+    return new AuthenticationException("Authentication token of type [" + token.getClass() + "] " +
+      "could not be authenticated by any configured realms.  Please ensure that at least one realm can " +
+      "authenticate these tokens.");
+  }
+
+}
--- a/scm-webapp/src/main/java/sonia/scm/security/TokenExpiredFilter.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/TokenExpiredFilter.java
@@ -0,0 +1,90 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package sonia.scm.security;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.inject.Inject;
+import com.google.inject.Singleton;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.slf4j.MDC;
+import sonia.scm.Priority;
+import sonia.scm.api.v2.resources.ErrorDto;
+import sonia.scm.filter.Filters;
+import sonia.scm.filter.WebElement;
+import sonia.scm.web.VndMediaType;
+import sonia.scm.web.filter.HttpFilter;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletOutputStream;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+@WebElement("/*")
+@Priority(Filters.PRIORITY_PRE_AUTHENTICATION)
+@Singleton
+public class TokenExpiredFilter extends HttpFilter {
+  static final String TOKEN_EXPIRED_ERROR_CODE = "DDS8D8unr1";
+  private static final Logger LOG = LoggerFactory.getLogger(TokenExpiredFilter.class);
+
+  private final AccessTokenCookieIssuer accessTokenCookieIssuer;
+  private final ObjectMapper objectMapper;
+
+  @Inject
+  public TokenExpiredFilter(AccessTokenCookieIssuer accessTokenCookieIssuer, ObjectMapper objectMapper) {
+    this.accessTokenCookieIssuer = accessTokenCookieIssuer;
+    this.objectMapper = objectMapper;
+  }
+
+  @Override
+  protected void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
+    try {
+      chain.doFilter(request, response);
+    } catch (TokenExpiredException ex) {
+      if (LOG.isTraceEnabled()) {
+        LOG.trace("Token expired", ex);
+      } else {
+        LOG.debug("Token expired");
+      }
+      handleTokenExpired(request, response);
+    }
+  }
+
+  protected void handleTokenExpired(HttpServletRequest request,
+                                    HttpServletResponse response) throws IOException {
+    accessTokenCookieIssuer.invalidate(request, response);
+    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+    response.setContentType(VndMediaType.ERROR_TYPE);
+    final ErrorDto errorDto = new ErrorDto();
+    errorDto.setMessage("Token Expired");
+    errorDto.setErrorCode(TOKEN_EXPIRED_ERROR_CODE);
+    errorDto.setTransactionId(MDC.get("transaction_id"));
+    try (ServletOutputStream stream = response.getOutputStream()) {
+      objectMapper.writeValue(stream, errorDto);
+    }
+  }
+}