Search in sources :

Example 1 with NewCertificateConfig

use of com.gitblit.authority.NewCertificateConfig in project gitblit by gitblit.

the class GitBlitServer method start.

/**
	 * Start Gitblit GO.
	 */
protected final void start(Params params) {
    final File baseFolder = getBaseFolder(params);
    FileSettings settings = params.FILESETTINGS;
    if (!StringUtils.isEmpty(params.settingsfile)) {
        if (new File(params.settingsfile).exists()) {
            settings = new FileSettings(params.settingsfile);
        }
    }
    if (params.dailyLogFile) {
        // Configure log4j for daily log file generation
        InputStream is = null;
        try {
            is = getClass().getResourceAsStream("/log4j.properties");
            Properties loggingProperties = new Properties();
            loggingProperties.load(is);
            loggingProperties.put("log4j.appender.R.File", new File(baseFolder, "logs/gitblit.log").getAbsolutePath());
            loggingProperties.put("log4j.rootCategory", "INFO, R");
            if (settings.getBoolean(Keys.web.debugMode, false)) {
                loggingProperties.put("log4j.logger.com.gitblit", "DEBUG");
            }
            PropertyConfigurator.configure(loggingProperties);
        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            try {
                if (is != null) {
                    is.close();
                }
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }
    logger = LoggerFactory.getLogger(GitBlitServer.class);
    logger.info("\n" + Constants.getASCIIArt());
    System.setProperty("java.awt.headless", "true");
    String osname = System.getProperty("os.name");
    String osversion = System.getProperty("os.version");
    logger.info("Running on " + osname + " (" + osversion + ")");
    QueuedThreadPool threadPool = new QueuedThreadPool();
    int maxThreads = settings.getInteger(Keys.server.threadPoolSize, 50);
    if (maxThreads > 0) {
        threadPool.setMaxThreads(maxThreads);
    }
    Server server = new Server(threadPool);
    server.setStopAtShutdown(true);
    // conditionally configure the https connector
    if (params.securePort > 0) {
        File certificatesConf = new File(baseFolder, X509Utils.CA_CONFIG);
        File serverKeyStore = new File(baseFolder, X509Utils.SERVER_KEY_STORE);
        File serverTrustStore = new File(baseFolder, X509Utils.SERVER_TRUST_STORE);
        File caRevocationList = new File(baseFolder, X509Utils.CA_REVOCATION_LIST);
        // generate CA & web certificates, create certificate stores
        X509Metadata metadata = new X509Metadata("localhost", params.storePassword);
        // set default certificate values from config file
        if (certificatesConf.exists()) {
            FileBasedConfig config = new FileBasedConfig(certificatesConf, FS.detect());
            try {
                config.load();
            } catch (Exception e) {
                logger.error("Error parsing " + certificatesConf, e);
            }
            NewCertificateConfig certificateConfig = NewCertificateConfig.KEY.parse(config);
            certificateConfig.update(metadata);
        }
        metadata.notAfter = new Date(System.currentTimeMillis() + 10 * TimeUtils.ONEYEAR);
        X509Utils.prepareX509Infrastructure(metadata, baseFolder, new X509Log() {

            @Override
            public void log(String message) {
                BufferedWriter writer = null;
                try {
                    writer = new BufferedWriter(new FileWriter(new File(baseFolder, X509Utils.CERTS + File.separator + "log.txt"), true));
                    writer.write(MessageFormat.format("{0,date,yyyy-MM-dd HH:mm}: {1}", new Date(), message));
                    writer.newLine();
                    writer.flush();
                } catch (Exception e) {
                    LoggerFactory.getLogger(GitblitAuthority.class).error("Failed to append log entry!", e);
                } finally {
                    if (writer != null) {
                        try {
                            writer.close();
                        } catch (IOException e) {
                        }
                    }
                }
            }
        });
        if (serverKeyStore.exists()) {
            /*
				 * HTTPS
				 */
            logger.info("Setting up HTTPS transport on port " + params.securePort);
            GitblitSslContextFactory factory = new GitblitSslContextFactory(params.alias, serverKeyStore, serverTrustStore, params.storePassword, caRevocationList);
            if (params.requireClientCertificates) {
                factory.setNeedClientAuth(true);
            } else {
                factory.setWantClientAuth(true);
            }
            ServerConnector connector = new ServerConnector(server, factory);
            connector.setSoLingerTime(-1);
            connector.setIdleTimeout(30000);
            connector.setPort(params.securePort);
            String bindInterface = settings.getString(Keys.server.httpsBindInterface, null);
            if (!StringUtils.isEmpty(bindInterface)) {
                logger.warn(MessageFormat.format("Binding HTTPS transport on port {0,number,0} to {1}", params.securePort, bindInterface));
                connector.setHost(bindInterface);
            }
            if (params.securePort < 1024 && !isWindows()) {
                logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!");
            }
            server.addConnector(connector);
        } else {
            logger.warn("Failed to find or load Keystore?");
            logger.warn("HTTPS transport DISABLED.");
        }
    }
    // conditionally configure the http transport
    if (params.port > 0) {
        /*
			 * HTTP
			 */
        logger.info("Setting up HTTP transport on port " + params.port);
        HttpConfiguration httpConfig = new HttpConfiguration();
        if (params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) {
            httpConfig.setSecureScheme("https");
            httpConfig.setSecurePort(params.securePort);
        }
        httpConfig.setSendServerVersion(false);
        httpConfig.setSendDateHeader(false);
        ServerConnector connector = new ServerConnector(server, new HttpConnectionFactory(httpConfig));
        connector.setSoLingerTime(-1);
        connector.setIdleTimeout(30000);
        connector.setPort(params.port);
        String bindInterface = settings.getString(Keys.server.httpBindInterface, null);
        if (!StringUtils.isEmpty(bindInterface)) {
            logger.warn(MessageFormat.format("Binding HTTP transport on port {0,number,0} to {1}", params.port, bindInterface));
            connector.setHost(bindInterface);
        }
        if (params.port < 1024 && !isWindows()) {
            logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!");
        }
        server.addConnector(connector);
    }
    // tempDir is where the embedded Gitblit web application is expanded and
    // where Jetty creates any necessary temporary files
    File tempDir = com.gitblit.utils.FileUtils.resolveParameter(Constants.baseFolder$, baseFolder, params.temp);
    if (tempDir.exists()) {
        try {
            FileUtils.delete(tempDir, FileUtils.RECURSIVE | FileUtils.RETRY);
        } catch (IOException x) {
            logger.warn("Failed to delete temp dir " + tempDir.getAbsolutePath(), x);
        }
    }
    if (!tempDir.mkdirs()) {
        logger.warn("Failed to create temp dir " + tempDir.getAbsolutePath());
    }
    // Get the execution path of this class
    // We use this to set the WAR path.
    ProtectionDomain protectionDomain = GitBlitServer.class.getProtectionDomain();
    URL location = protectionDomain.getCodeSource().getLocation();
    // Root WebApp Context
    WebAppContext rootContext = new WebAppContext();
    rootContext.setContextPath(settings.getString(Keys.server.contextPath, "/"));
    rootContext.setServer(server);
    rootContext.setWar(location.toExternalForm());
    rootContext.setTempDirectory(tempDir);
    // Set cookies HttpOnly so they are not accessible to JavaScript engines
    HashSessionManager sessionManager = new HashSessionManager();
    sessionManager.setHttpOnly(true);
    // Use secure cookies if only serving https
    sessionManager.setSecureRequestOnly((params.port <= 0 && params.securePort > 0) || (params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)));
    rootContext.getSessionHandler().setSessionManager(sessionManager);
    // Ensure there is a defined User Service
    String realmUsers = params.userService;
    if (StringUtils.isEmpty(realmUsers)) {
        logger.error(MessageFormat.format("PLEASE SPECIFY {0}!!", Keys.realm.userService));
        return;
    }
    // Override settings from the command-line
    settings.overrideSetting(Keys.realm.userService, params.userService);
    settings.overrideSetting(Keys.git.repositoriesFolder, params.repositoriesFolder);
    settings.overrideSetting(Keys.git.daemonPort, params.gitPort);
    settings.overrideSetting(Keys.git.sshPort, params.sshPort);
    // Start up an in-memory LDAP server, if configured
    try {
        if (!StringUtils.isEmpty(params.ldapLdifFile)) {
            File ldifFile = new File(params.ldapLdifFile);
            if (ldifFile != null && ldifFile.exists()) {
                URI ldapUrl = new URI(settings.getRequiredString(Keys.realm.ldap.server));
                String firstLine = new Scanner(ldifFile).nextLine();
                String rootDN = firstLine.substring(4);
                String bindUserName = settings.getString(Keys.realm.ldap.username, "");
                String bindPassword = settings.getString(Keys.realm.ldap.password, "");
                // Get the port
                int port = ldapUrl.getPort();
                if (port == -1)
                    port = 389;
                InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig(rootDN);
                config.addAdditionalBindCredentials(bindUserName, bindPassword);
                config.setListenerConfigs(InMemoryListenerConfig.createLDAPConfig("default", port));
                config.setSchema(null);
                InMemoryDirectoryServer ds = new InMemoryDirectoryServer(config);
                ds.importFromLDIF(true, new LDIFReader(ldifFile));
                ds.startListening();
                logger.info("LDAP Server started at ldap://localhost:" + port);
            }
        }
    } catch (Exception e) {
        // Completely optional, just show a warning
        logger.warn("Unable to start LDAP server", e);
    }
    // Set the server's contexts
    server.setHandler(rootContext);
    // redirect HTTP requests to HTTPS
    if (params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) {
        logger.info(String.format("Configuring automatic http(%1$s) -> https(%2$s) redirects", params.port, params.securePort));
        // Create the internal mechanisms to handle secure connections and redirects
        Constraint constraint = new Constraint();
        constraint.setDataConstraint(Constraint.DC_CONFIDENTIAL);
        ConstraintMapping cm = new ConstraintMapping();
        cm.setConstraint(constraint);
        cm.setPathSpec("/*");
        ConstraintSecurityHandler sh = new ConstraintSecurityHandler();
        sh.setConstraintMappings(new ConstraintMapping[] { cm });
        // Configure this context to use the Security Handler defined before
        rootContext.setHandler(sh);
    }
    // Setup the Gitblit context
    GitblitContext gitblit = newGitblit(settings, baseFolder);
    rootContext.addEventListener(gitblit);
    try {
        // start the shutdown monitor
        if (params.shutdownPort > 0) {
            Thread shutdownMonitor = new ShutdownMonitorThread(server, params);
            shutdownMonitor.start();
        }
        // start Jetty
        server.start();
        server.join();
    } catch (Exception e) {
        e.printStackTrace();
        System.exit(100);
    }
}
Also used : ProtectionDomain(java.security.ProtectionDomain) Scanner(java.util.Scanner) InMemoryDirectoryServer(com.unboundid.ldap.listener.InMemoryDirectoryServer) Server(org.eclipse.jetty.server.Server) HashSessionManager(org.eclipse.jetty.server.session.HashSessionManager) Constraint(org.eclipse.jetty.util.security.Constraint) X509Metadata(com.gitblit.utils.X509Utils.X509Metadata) FileWriter(java.io.FileWriter) InMemoryDirectoryServerConfig(com.unboundid.ldap.listener.InMemoryDirectoryServerConfig) HttpConfiguration(org.eclipse.jetty.server.HttpConfiguration) Properties(java.util.Properties) URI(java.net.URI) URL(java.net.URL) BufferedWriter(java.io.BufferedWriter) ServerConnector(org.eclipse.jetty.server.ServerConnector) WebAppContext(org.eclipse.jetty.webapp.WebAppContext) QueuedThreadPool(org.eclipse.jetty.util.thread.QueuedThreadPool) ConstraintSecurityHandler(org.eclipse.jetty.security.ConstraintSecurityHandler) GitblitContext(com.gitblit.servlet.GitblitContext) GitblitAuthority(com.gitblit.authority.GitblitAuthority) FileBasedConfig(org.eclipse.jgit.storage.file.FileBasedConfig) NewCertificateConfig(com.gitblit.authority.NewCertificateConfig) ConstraintMapping(org.eclipse.jetty.security.ConstraintMapping) HttpConnectionFactory(org.eclipse.jetty.server.HttpConnectionFactory) InputStream(java.io.InputStream) InMemoryDirectoryServer(com.unboundid.ldap.listener.InMemoryDirectoryServer) X509Log(com.gitblit.utils.X509Utils.X509Log) IOException(java.io.IOException) CmdLineException(org.kohsuke.args4j.CmdLineException) IOException(java.io.IOException) UnknownHostException(java.net.UnknownHostException) Constraint(org.eclipse.jetty.util.security.Constraint) Date(java.util.Date) LDIFReader(com.unboundid.ldif.LDIFReader) File(java.io.File)

Aggregations

GitblitAuthority (com.gitblit.authority.GitblitAuthority)1 NewCertificateConfig (com.gitblit.authority.NewCertificateConfig)1 GitblitContext (com.gitblit.servlet.GitblitContext)1 X509Log (com.gitblit.utils.X509Utils.X509Log)1 X509Metadata (com.gitblit.utils.X509Utils.X509Metadata)1 InMemoryDirectoryServer (com.unboundid.ldap.listener.InMemoryDirectoryServer)1 InMemoryDirectoryServerConfig (com.unboundid.ldap.listener.InMemoryDirectoryServerConfig)1 LDIFReader (com.unboundid.ldif.LDIFReader)1 BufferedWriter (java.io.BufferedWriter)1 File (java.io.File)1 FileWriter (java.io.FileWriter)1 IOException (java.io.IOException)1 InputStream (java.io.InputStream)1 URI (java.net.URI)1 URL (java.net.URL)1 UnknownHostException (java.net.UnknownHostException)1 ProtectionDomain (java.security.ProtectionDomain)1 Date (java.util.Date)1 Properties (java.util.Properties)1 Scanner (java.util.Scanner)1