From 269a0f3f5590f918332eb1e84f39537a651b6ca7 Mon Sep 17 00:00:00 2001 From: Antoine Musso Date: Wed, 12 May 2021 21:07:26 +0200 Subject: [PATCH 1/9] download_bower: download to GERRIT_CACHE_HOME Similar to Ie4fac83928527e0e71b159b9500983234c2261ac which lets one relocate download_file.py downloaded artifacts by setting the `GERRIT_CACHE_HOME` environment variable. The default behavior is unchanged. Change-Id: I9e223acff29ed4da6fda39589282a107420b9795 --- tools/js/download_bower.py | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/tools/js/download_bower.py b/tools/js/download_bower.py index 1df4b826bc..d541b565a9 100755 --- a/tools/js/download_bower.py +++ b/tools/js/download_bower.py @@ -25,8 +25,12 @@ import sys import bowerutil -CACHE_DIR = os.path.expanduser(os.path.join( - '~', '.gerritcodereview', 'bazel-cache', 'downloaded-artifacts')) +CACHE_DIR = os.environ.get( + 'GERRIT_CACHE_HOME', + os.path.expanduser(os.path.join( + '~', '.gerritcodereview', 'bazel-cache', 'downloaded-artifacts' + )) +) def bower_cmd(bower, *args): From 01d0b2906356a0bb66bf000349b1573668391bb5 Mon Sep 17 00:00:00 2001 From: David Ostrovsky Date: Fri, 14 May 2021 17:17:45 +0200 Subject: [PATCH 2/9] Set version to 3.1.14 Change-Id: Icae8468aec805a75aa9092bca58c7070b396e025 --- tools/maven/gerrit-acceptance-framework_pom.xml | 2 +- tools/maven/gerrit-extension-api_pom.xml | 2 +- tools/maven/gerrit-plugin-api_pom.xml | 2 +- tools/maven/gerrit-war_pom.xml | 2 +- version.bzl | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/tools/maven/gerrit-acceptance-framework_pom.xml b/tools/maven/gerrit-acceptance-framework_pom.xml index 8c3a212358..3eec480262 100644 --- a/tools/maven/gerrit-acceptance-framework_pom.xml +++ b/tools/maven/gerrit-acceptance-framework_pom.xml @@ -2,7 +2,7 @@ 4.0.0 com.google.gerrit gerrit-acceptance-framework - 3.1.14-SNAPSHOT + 3.1.14 jar Gerrit Code Review - Acceptance Test Framework Framework for Gerrit's acceptance tests 
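Review bot: In tools/js/download_bower.py, `os.environ.get('GERRIT_CACHE_HOME', ...)` falls back to the default only when the variable is absent. An exported but empty `GERRIT_CACHE_HOME` makes `CACHE_DIR` the empty string, so any path later joined onto it resolves against the current working directory. Writing it as `os.environ.get('GERRIT_CACHE_HOME') or os.path.expanduser(...)` keeps the default in that case. The override is also used as given, without `expanduser`. Because it decides where downloaded artifacts are cached and presumably read back, a short comment that it should point at a directory only the build user can write would be worth adding; how cached files are validated is outside this hunk.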
diff --git a/tools/maven/gerrit-extension-api_pom.xml b/tools/maven/gerrit-extension-api_pom.xml index eb9ea87190..99b6cee3af 100644 --- a/tools/maven/gerrit-extension-api_pom.xml +++ b/tools/maven/gerrit-extension-api_pom.xml @@ -2,7 +2,7 @@ 4.0.0 com.google.gerrit gerrit-extension-api - 3.1.14-SNAPSHOT + 3.1.14 jar Gerrit Code Review - Extension API API for Gerrit Extensions diff --git a/tools/maven/gerrit-plugin-api_pom.xml b/tools/maven/gerrit-plugin-api_pom.xml index dc37a723a9..e7e1814a25 100644 --- a/tools/maven/gerrit-plugin-api_pom.xml +++ b/tools/maven/gerrit-plugin-api_pom.xml @@ -2,7 +2,7 @@ 4.0.0 com.google.gerrit gerrit-plugin-api - 3.1.14-SNAPSHOT + 3.1.14 jar Gerrit Code Review - Plugin API API for Gerrit Plugins diff --git a/tools/maven/gerrit-war_pom.xml b/tools/maven/gerrit-war_pom.xml index e3adf65947..1a229f00a7 100644 --- a/tools/maven/gerrit-war_pom.xml +++ b/tools/maven/gerrit-war_pom.xml @@ -2,7 +2,7 @@ 4.0.0 com.google.gerrit gerrit-war - 3.1.14-SNAPSHOT + 3.1.14 war Gerrit Code Review - WAR Gerrit WAR diff --git a/version.bzl b/version.bzl index c4bf89b9c7..ebdb00a9d3 100644 --- a/version.bzl +++ b/version.bzl @@ -2,4 +2,4 @@ # Used by :api_install and :api_deploy targets # when talking to the destination repository. # -GERRIT_VERSION = "3.1.14-SNAPSHOT" +GERRIT_VERSION = "3.1.14" From 269ccc5b560bf577c5e24e0769948ad3ec0338b2 Mon Sep 17 00:00:00 2001 From: Luca Milanesio Date: Sat, 15 May 2021 00:40:02 +0000 Subject: [PATCH 3/9] Set version to 3.2.9 Change-Id: I4b79b4ac358eb7ed98542044566fc1a45fb74df2 --- tools/maven/gerrit-acceptance-framework_pom.xml | 2 +- tools/maven/gerrit-extension-api_pom.xml | 2 +- tools/maven/gerrit-plugin-api_pom.xml | 2 +- tools/maven/gerrit-war_pom.xml | 2 +- version.bzl | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/tools/maven/gerrit-acceptance-framework_pom.xml b/tools/maven/gerrit-acceptance-framework_pom.xml index 0c45369d03..b288050802 100644 
--- a/tools/maven/gerrit-acceptance-framework_pom.xml +++ b/tools/maven/gerrit-acceptance-framework_pom.xml @@ -2,7 +2,7 @@ 4.0.0 com.google.gerrit gerrit-acceptance-framework - 3.2.9-SNAPSHOT + 3.2.9 jar Gerrit Code Review - Acceptance Test Framework Framework for Gerrit's acceptance tests diff --git a/tools/maven/gerrit-extension-api_pom.xml b/tools/maven/gerrit-extension-api_pom.xml index 4fbe09e1f6..62ed81c323 100644 --- a/tools/maven/gerrit-extension-api_pom.xml +++ b/tools/maven/gerrit-extension-api_pom.xml @@ -2,7 +2,7 @@ 4.0.0 com.google.gerrit gerrit-extension-api - 3.2.9-SNAPSHOT + 3.2.9 jar Gerrit Code Review - Extension API API for Gerrit Extensions diff --git a/tools/maven/gerrit-plugin-api_pom.xml b/tools/maven/gerrit-plugin-api_pom.xml index a17664bccf..b9687f7108 100644 --- a/tools/maven/gerrit-plugin-api_pom.xml +++ b/tools/maven/gerrit-plugin-api_pom.xml @@ -2,7 +2,7 @@ 4.0.0 com.google.gerrit gerrit-plugin-api - 3.2.9-SNAPSHOT + 3.2.9 jar Gerrit Code Review - Plugin API API for Gerrit Plugins diff --git a/tools/maven/gerrit-war_pom.xml b/tools/maven/gerrit-war_pom.xml index b56640cca1..73265db2ed 100644 --- a/tools/maven/gerrit-war_pom.xml +++ b/tools/maven/gerrit-war_pom.xml @@ -2,7 +2,7 @@ 4.0.0 com.google.gerrit gerrit-war - 3.2.9-SNAPSHOT + 3.2.9 war Gerrit Code Review - WAR Gerrit WAR diff --git a/version.bzl b/version.bzl index 45f5e887ec..bd00f980db 100644 --- a/version.bzl +++ b/version.bzl @@ -2,4 +2,4 @@ # Used by :api_install and :api_deploy targets # when talking to the destination repository. # -GERRIT_VERSION = "3.2.9-SNAPSHOT" +GERRIT_VERSION = "3.2.9" From 9f56f399957f3316e6ee2f05b932010742144bff Mon Sep 17 00:00:00 2001 
From: Luca Milanesio Date: Sat, 15 May 2021 00:56:20 +0000 Subject: [PATCH 4/9] Set version to 3.2.10-SNAPSHOT Change-Id: I79c7a520170f4fd96f1c5ce5173ceb29ea0d0a81 --- tools/maven/gerrit-acceptance-framework_pom.xml | 2 +- tools/maven/gerrit-extension-api_pom.xml | 2 +- tools/maven/gerrit-plugin-api_pom.xml | 2 +- tools/maven/gerrit-war_pom.xml | 2 +- version.bzl | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/tools/maven/gerrit-acceptance-framework_pom.xml b/tools/maven/gerrit-acceptance-framework_pom.xml index b288050802..7b20b4e747 100644 --- a/tools/maven/gerrit-acceptance-framework_pom.xml +++ b/tools/maven/gerrit-acceptance-framework_pom.xml @@ -2,7 +2,7 @@ 4.0.0 com.google.gerrit gerrit-acceptance-framework - 3.2.9 + 3.2.10-SNAPSHOT jar Gerrit Code Review - Acceptance Test Framework Framework for Gerrit's acceptance tests diff --git a/tools/maven/gerrit-extension-api_pom.xml b/tools/maven/gerrit-extension-api_pom.xml index 62ed81c323..d3dbdfb1fe 100644 --- a/tools/maven/gerrit-extension-api_pom.xml +++ b/tools/maven/gerrit-extension-api_pom.xml @@ -2,7 +2,7 @@ 4.0.0 com.google.gerrit gerrit-extension-api - 3.2.9 + 3.2.10-SNAPSHOT jar Gerrit Code Review - Extension API API for Gerrit Extensions diff --git a/tools/maven/gerrit-plugin-api_pom.xml b/tools/maven/gerrit-plugin-api_pom.xml index b9687f7108..3096dbd25f 100644 --- a/tools/maven/gerrit-plugin-api_pom.xml +++ b/tools/maven/gerrit-plugin-api_pom.xml @@ -2,7 +2,7 @@ 4.0.0 com.google.gerrit gerrit-plugin-api - 3.2.9 + 3.2.10-SNAPSHOT jar Gerrit Code Review - Plugin API API for Gerrit Plugins diff --git a/tools/maven/gerrit-war_pom.xml b/tools/maven/gerrit-war_pom.xml index 73265db2ed..37caa29a8d 100644 --- a/tools/maven/gerrit-war_pom.xml +++ b/tools/maven/gerrit-war_pom.xml @@ -2,7 +2,7 @@ 4.0.0 com.google.gerrit gerrit-war - 3.2.9 + 3.2.10-SNAPSHOT war Gerrit Code Review - WAR Gerrit WAR diff --git a/version.bzl b/version.bzl index bd00f980db..c69b5785c9 100644 --- a/version.bzl 
+++ b/version.bzl @@ -2,4 +2,4 @@ # Used by :api_install and :api_deploy targets # when talking to the destination repository. # -GERRIT_VERSION = "3.2.9" +GERRIT_VERSION = "3.2.10-SNAPSHOT" From 9196855d0fad68dd6de00176117cb40da54c21ee Mon Sep 17 00:00:00 2001 From: David Ostrovsky Date: Mon, 17 May 2021 18:10:09 +0200 Subject: [PATCH 5/9] NoShellIT: Increase the timeout to avoid failures With 30 seconds timeout the test appears to be flaky. Change-Id: Icc900ad6f108221d2e2dabb7e05c12d6772bd88b --- javatests/com/google/gerrit/integration/ssh/NoShellIT.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javatests/com/google/gerrit/integration/ssh/NoShellIT.java b/javatests/com/google/gerrit/integration/ssh/NoShellIT.java index ccaf085299..2bbbf1a30e 100644 --- a/javatests/com/google/gerrit/integration/ssh/NoShellIT.java +++ b/javatests/com/google/gerrit/integration/ssh/NoShellIT.java @@ -41,7 +41,7 @@ public class NoShellIT extends StandaloneSiteTest { private String identityPath; - @Test(timeout = 30000) + @Test(timeout = 60000) public void verifyCommandsIsClosed() throws Exception { try (ServerContext ctx = startServer()) { setUpTestHarness(ctx); From e85209051d3ba118e339f076b2ffee14d042a151 Mon Sep 17 00:00:00 2001 
From: Luca Milanesio Date: Sun, 16 May 2021 11:15:47 +0100 Subject: [PATCH 6/9] Fix PUT/POST/DELETE REST-API with cookie authentication Change-Id: I2a56197ee0 has broken existing Python (or other) scripting when performing automation with Gerrit REST-API. That is due to the generation of the GerritAccount cookie in the HTTP response, which Python automatically manages to reuse in subsequent calls. Gerrit REST-API have a stricter requirement for incoming calls that are not GET or HEAD requests: they need the X-Gerrit-Auth HTTP header matching the associated attribute in the user's session. When the X-Gerrit-Auth header isn't there OR does not correspond to the user's session, the REST-API execution fails with 403 FORBIDDEN even though the user has an active session associated with the cookie. Python has no way to manage that logic out of the box and therefore it is the responsibility of the Gerrit backend to request explicit authentication when the incoming call isn't from a Git/HTTP client. For the Git/HTTP requests instead, the requirement for X-Gerrit-Auth isn't there and therefore, the current cookie-based authentication can continue to be used as usual and won't cause any trouble. Bug: Issue 14553 Change-Id: I62a7a59b07333eeb1a36d4a6b8b67edd5da76440 --- .../gerrit/httpd/ProjectBasicAuthFilter.java | 18 +++- .../httpd/ProjectBasicAuthFilterTest.java | 101 +++++++++++------- .../http/testutil/FakeHttpServletRequest.java | 13 ++- 3 files changed, 93 insertions(+), 39 deletions(-) diff --git a/java/com/google/gerrit/httpd/ProjectBasicAuthFilter.java b/java/com/google/gerrit/httpd/ProjectBasicAuthFilter.java index c1931157fc..1974ba78b1 100644 --- a/java/com/google/gerrit/httpd/ProjectBasicAuthFilter.java +++ b/java/com/google/gerrit/httpd/ProjectBasicAuthFilter.java 
@@ -52,6 +52,7 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponseWrapper; import org.apache.commons.codec.binary.Base64; +import org.eclipse.jgit.http.server.GitSmartHttpTools; /** * Authenticates the current user by HTTP basic authentication. @@ -100,11 +101,21 @@ class ProjectBasicAuthFilter implements Filter { HttpServletRequest req = (HttpServletRequest) request; Response rsp = new Response((HttpServletResponse) response); - if (session.get().isSignedIn() || verify(req, rsp)) { + if (isSignedInGitRequest(req) || verify(req, rsp)) { chain.doFilter(req, rsp); } } + private boolean isSignedInGitRequest(HttpServletRequest req) { + boolean isGitRequest = req.getRequestURI() != null && GitSmartHttpTools.isGitClient(req); + boolean isAlreadySignedIn = session.get().isSignedIn(); + boolean res = isAlreadySignedIn && isGitRequest; + logger.atFine().log( + "HTTP:%s %s signedIn=%s (isAlreadySignedIn=%s, isGitRequest=%s)", + req.getMethod(), req.getRequestURI(), res, isAlreadySignedIn, isGitRequest); + return res; + } + private boolean verify(HttpServletRequest req, Response rsp) throws IOException { final String hdr = req.getHeader(AUTHORIZATION); if (hdr == null || !hdr.startsWith(LIT_BASIC)) { @@ -145,6 +156,9 @@ class ProjectBasicAuthFilter implements Filter { if (gitBasicAuthPolicy == GitBasicAuthPolicy.HTTP || gitBasicAuthPolicy == GitBasicAuthPolicy.HTTP_LDAP) { if (PasswordVerifier.checkPassword(who.externalIds(), username, password)) { + logger.atFine().log( + "HTTP:%s %s username/password authentication succeeded", + req.getMethod(), req.getRequestURI()); return succeedAuthentication(who, null); } } 
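Review bot: `isSignedInGitRequest` in ProjectBasicAuthFilter.java carries no comment, yet it encodes the security decision of this change: an existing session is honoured only for Git-over-HTTP requests, and everything else goes through `verify`. The reason lives only in the commit message, so a Javadoc on the method should state it, for example `/** Session cookies are accepted only for Git clients; other callers must re-authenticate because they cannot supply X-Gerrit-Auth. */`. The same Javadoc should note that `GitSmartHttpTools.isGitClient` classifies by attributes the client chooses (the test in this series turns a request into a Git request by setting the path and `Content-Type`). The branch must therefore never do more than reuse an already valid session. `doFilter` and `verify` continue outside the hunk.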
@@ -159,6 +173,8 @@ class ProjectBasicAuthFilter implements Filter { try { AuthResult whoAuthResult = accountManager.authenticate(whoAuth); setUserIdentified(whoAuthResult.getAccountId(), whoAuthResult); + logger.atFine().log( + "HTTP:%s %s Realm authentication succeeded", req.getMethod(), req.getRequestURI()); return true; } catch (NoSuchUserException e) { if (PasswordVerifier.checkPassword(who.externalIds(), username, password)) { diff --git a/javatests/com/google/gerrit/httpd/ProjectBasicAuthFilterTest.java b/javatests/com/google/gerrit/httpd/ProjectBasicAuthFilterTest.java index 735abbf66d..2f0fafa00b 100644 --- a/javatests/com/google/gerrit/httpd/ProjectBasicAuthFilterTest.java +++ b/javatests/com/google/gerrit/httpd/ProjectBasicAuthFilterTest.java @@ -37,10 +37,12 @@ import com.google.gerrit.server.account.externalids.ExternalId; import com.google.gerrit.server.config.AuthConfig; import com.google.gerrit.util.http.testutil.FakeHttpServletRequest; import com.google.gerrit.util.http.testutil.FakeHttpServletResponse; +import java.io.IOException; import java.nio.charset.StandardCharsets; import java.util.Base64; import java.util.Optional; import javax.servlet.FilterChain; +import javax.servlet.ServletException; import javax.servlet.http.HttpServletResponse; import org.junit.Before; import org.junit.Test; @@ -94,7 +96,7 @@ public class ProjectBasicAuthFilterTest { @Before public void setUp() throws Exception { - req = new FakeHttpServletRequest(); + req = new FakeHttpServletRequest("gerrit.example.com", 80, "", ""); res = new FakeHttpServletResponse(); authSuccessful = 
@@ -102,9 +104,8 @@ public class ProjectBasicAuthFilterTest { doReturn(Optional.of(accountState)).when(accountCache).getByUsername(AUTH_USER); doReturn(Optional.of(accountState)).when(accountCache).get(AUTH_ACCOUNT_ID); doReturn(account).when(accountState).account(); - doReturn(ImmutableSet.builder().add(AUTH_USER_PASSWORD_EXTERNAL_ID).build()) - .when(accountState) - .externalIds(); + doReturn(true).when(account).isActive(); + doReturn(authSuccessful).when(accountManager).authenticate(any()); doReturn(new WebSessionManager.Key(AUTH_COOKIE_VALUE)).when(webSessionManager).createKey(any()); WebSessionManager.Val webSessionValue = @@ -114,23 +115,6 @@ public class ProjectBasicAuthFilterTest { .createVal(any(), any(), eq(false), any(), any(), any()); } - private void initWebSessionWithCookie(String cookie) { - req.addHeader("Cookie", cookie); - initWebSessionWithoutCookie(); - } - - private void initWebSessionWithoutCookie() { - webSession = - new CacheBasedWebSession( - req, res, webSessionManager, authConfig, null, userRequestFactory, accountCache) {}; - doReturn(webSession).when(webSessionItem).get(); - } - - private void initMockedWebSession() { - webSession = mock(WebSession.class); - doReturn(webSession).when(webSessionItem).get(); - } - @Test public void shouldAllowAnonymousRequest() throws Exception { initMockedWebSession(); @@ -168,7 +152,6 @@ public class ProjectBasicAuthFilterTest { res.setStatus(HttpServletResponse.SC_OK); doReturn(true).when(account).isActive(); - doReturn(authSuccessful).when(accountManager).authenticate(any()); doReturn(GitBasicAuthPolicy.LDAP).when(authConfig).getGitBasicAuthPolicy(); ProjectBasicAuthFilter basicAuthFilter = 
@@ -187,10 +170,9 @@ public class ProjectBasicAuthFilterTest { public void shouldValidateUserPasswordAndNotReturnCookie() throws Exception { initWebSessionWithoutCookie(); requestBasicAuth(req); - res.setStatus(HttpServletResponse.SC_OK); - - doReturn(true).when(account).isActive(); + initMockedUsernamePasswordExternalId(); doReturn(GitBasicAuthPolicy.HTTP).when(authConfig).getGitBasicAuthPolicy(); + res.setStatus(HttpServletResponse.SC_OK); ProjectBasicAuthFilter basicAuthFilter = new ProjectBasicAuthFilter(webSessionItem, accountCache, accountManager, authConfig); @@ -205,16 +187,11 @@ public class ProjectBasicAuthFilterTest { } @Test - public void shouldNotReauthenticateIfAlreadySignedIn() throws Exception { - initMockedWebSession(); - doReturn(true).when(webSession).isSignedIn(); - requestBasicAuth(req); - res.setStatus(HttpServletResponse.SC_OK); - - ProjectBasicAuthFilter basicAuthFilter = - new ProjectBasicAuthFilter(webSessionItem, accountCache, accountManager, authConfig); - - basicAuthFilter.doFilter(req, res, chain); + public void shouldNotReauthenticateForGitPostRequest() throws Exception { + req.setPathInfo("/a/project.git/git-upload-pack"); + req.setMethod("POST"); + req.addHeader("Content-Type", "application/x-git-upload-pack-request"); + doFilterForRequestWhenAlreadySignedIn(); verify(accountManager, never()).authenticate(any()); verify(chain).doFilter(eq(req), any()); 
@@ -222,16 +199,28 @@ public class ProjectBasicAuthFilterTest { } @Test - public void shouldNotReauthenticateIfHasExistingCookie() throws Exception { + public void shouldReauthenticateForRegularRequestEvenIfAlreadySignedIn() throws Exception { + doReturn(GitBasicAuthPolicy.LDAP).when(authConfig).getGitBasicAuthPolicy(); + doFilterForRequestWhenAlreadySignedIn(); + + verify(accountManager).authenticate(any()); + verify(chain).doFilter(eq(req), any()); + assertThat(res.getStatus()).isEqualTo(HttpServletResponse.SC_OK); + } + + @Test + public void shouldReauthenticateEvenIfHasExistingCookie() throws Exception { initWebSessionWithCookie("GerritAccount=" + AUTH_COOKIE_VALUE); res.setStatus(HttpServletResponse.SC_OK); + requestBasicAuth(req); + doReturn(GitBasicAuthPolicy.LDAP).when(authConfig).getGitBasicAuthPolicy(); ProjectBasicAuthFilter basicAuthFilter = new ProjectBasicAuthFilter(webSessionItem, accountCache, accountManager, authConfig); basicAuthFilter.doFilter(req, res, chain); - verify(accountManager, never()).authenticate(any()); + verify(accountManager).authenticate(any()); verify(chain).doFilter(eq(req), any()); assertThat(res.getStatus()).isEqualTo(HttpServletResponse.SC_OK); } 
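Review bot: The re-authentication tests added here (`shouldReauthenticateForRegularRequestEvenIfAlreadySignedIn`, `shouldReauthenticateEvenIfHasExistingCookie`) exercise only the path where `accountManager.authenticate` succeeds. Nothing visible in this hunk pins the opposite case: a signed-in, non-Git request whose Basic credentials are rejected should end in `SC_UNAUTHORIZED` with `chain.doFilter` never called, rather than passing on the strength of the session. A companion test that makes `authenticate` throw `AccountException` in the signed-in helper and asserts `verify(chain, never()).doFilter(any(), any())` would cover it; an existing test outside the hunk may already do part of this. A GET `info/refs` variant of the Git case would also guard the other way a request can be classified as a Git client.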
@@ -256,6 +245,44 @@ public class ProjectBasicAuthFilterTest { assertThat(res.getStatus()).isEqualTo(HttpServletResponse.SC_UNAUTHORIZED); } + private void doFilterForRequestWhenAlreadySignedIn() + throws IOException, ServletException, AccountException { + initMockedWebSession(); + doReturn(true).when(account).isActive(); + doReturn(true).when(webSession).isSignedIn(); + doReturn(authSuccessful).when(accountManager).authenticate(any()); + requestBasicAuth(req); + res.setStatus(HttpServletResponse.SC_OK); + + ProjectBasicAuthFilter basicAuthFilter = + new ProjectBasicAuthFilter(webSessionItem, accountCache, accountManager, authConfig); + + basicAuthFilter.doFilter(req, res, chain); + } + + private void initWebSessionWithCookie(String cookie) { + req.addHeader("Cookie", cookie); + initWebSessionWithoutCookie(); + } + + private void initWebSessionWithoutCookie() { + webSession = + new CacheBasedWebSession( + req, res, webSessionManager, authConfig, null, userRequestFactory, accountCache) {}; + doReturn(webSession).when(webSessionItem).get(); + } + + private void initMockedWebSession() { + webSession = mock(WebSession.class); + doReturn(webSession).when(webSessionItem).get(); + } + + private void initMockedUsernamePasswordExternalId() { + doReturn(ImmutableSet.builder().add(AUTH_USER_PASSWORD_EXTERNAL_ID).build()) + .when(accountState) + .externalIds(); + } + private void requestBasicAuth(FakeHttpServletRequest fakeReq) { fakeReq.addHeader( "Authorization", diff --git a/javatests/com/google/gerrit/util/http/testutil/FakeHttpServletRequest.java b/javatests/com/google/gerrit/util/http/testutil/FakeHttpServletRequest.java index 2efa94b7c3..0bb4de493b 100644 --- a/javatests/com/google/gerrit/util/http/testutil/FakeHttpServletRequest.java +++ b/javatests/com/google/gerrit/util/http/testutil/FakeHttpServletRequest.java 
@@ -67,6 +67,7 @@ public class FakeHttpServletRequest implements HttpServletRequest { private String contextPath; private String servletPath; private String path; + private String method; public FakeHttpServletRequest() { this("gerrit.example.com", 80, "", SERVLET_PATH); @@ -81,6 +82,7 @@ public class FakeHttpServletRequest implements HttpServletRequest { attributes = Maps.newConcurrentMap(); parameters = LinkedListMultimap.create(); headers = LinkedListMultimap.create(); + method = "GET"; } @Override @@ -105,6 +107,11 @@ public class FakeHttpServletRequest implements HttpServletRequest { @Override public String getContentType() { + List contentType = headers.get("Content-Type"); + if (contentType != null && !contentType.isEmpty()) { + return contentType.get(0); + } + return null; } @@ -297,7 +304,11 @@ public class FakeHttpServletRequest implements HttpServletRequest { @Override public String getMethod() { - return "GET"; + return method; + } + + public void setMethod(String method) { + this.method = method; } @Override From b1f4115304a3820be434a6201da57e4508862f82 Mon Sep 17 00:00:00 2001 
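Review bot: `getContentType()` in FakeHttpServletRequest looks the header up with the exact key `"Content-Type"`, so a test that adds `content-type` or `CONTENT-TYPE` gets `null` back even though a servlet container treats header names case-insensitively. If `addHeader`/`getHeader` elsewhere in the class (outside this hunk) do not normalise names, either match the key case-insensitively or document the exact-case requirement in a comment on the method. The `contentType != null` test also looks redundant if `headers` is the `LinkedListMultimap` created in the constructor, since `get` on a multimap returns an empty list rather than `null`.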
From: David Ostrovsky Date: Wed, 25 Nov 2020 20:56:54 +0100 Subject: [PATCH 7/9] Don't serve polygerrit assets for git requests After migration to PolyGerrit routes are mounted at the root of the gerrit URL. Particularly these path prefixes are reserved: "/c/" "/id/" "/p/" "/q/" "/x/" and would collide with project namespaces, so that the project with these prefixes cannot be served with Git over HTTP protocol. Particularly, the /x prefix restriction is very painful, because quite some gerrit users in the wild are using this prefix in their project names and have problem to update to newer Gerrit releases. To rectify exclude the serving of PolyGerrit assets for git requests. Bug: Issue 13721 Change-Id: Ieb6e9ddab1383fad32ae1763e3a19f03d3a46d01 --- .../google/gerrit/httpd/XsrfCookieFilter.java | 8 ++- .../google/gerrit/httpd/raw/StaticModule.java | 49 ++++++++++--------- 2 files changed, 32 insertions(+), 25 deletions(-) diff --git a/java/com/google/gerrit/httpd/XsrfCookieFilter.java b/java/com/google/gerrit/httpd/XsrfCookieFilter.java index d15ecacd59..079efa4023 100644 --- a/java/com/google/gerrit/httpd/XsrfCookieFilter.java +++ b/java/com/google/gerrit/httpd/XsrfCookieFilter.java @@ -32,6 +32,7 @@ import javax.servlet.ServletResponse; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.eclipse.jgit.http.server.GitSmartHttpTools; @Singleton public class XsrfCookieFilter implements Filter { 
@@ -50,8 +51,11 @@ public class XsrfCookieFilter implements Filter { @Override public void doFilter(ServletRequest req, ServletResponse rsp, FilterChain chain) throws IOException, ServletException { - WebSession s = user.get().isIdentifiedUser() ? session.get() : null; - setXsrfTokenCookie((HttpServletRequest) req, (HttpServletResponse) rsp, s); + HttpServletRequest httpRequest = (HttpServletRequest) req; + if (!GitSmartHttpTools.isGitClient(httpRequest)) { + WebSession s = user.get().isIdentifiedUser() ? session.get() : null; + setXsrfTokenCookie(httpRequest, (HttpServletResponse) rsp, s); + } chain.doFilter(req, rsp); } diff --git a/java/com/google/gerrit/httpd/raw/StaticModule.java b/java/com/google/gerrit/httpd/raw/StaticModule.java index 0d4c67e8ee..7f2161d4b2 100644 --- a/java/com/google/gerrit/httpd/raw/StaticModule.java +++ b/java/com/google/gerrit/httpd/raw/StaticModule.java @@ -54,6 +54,7 @@ import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequestWrapper; import javax.servlet.http.HttpServletResponse; +import org.eclipse.jgit.http.server.GitSmartHttpTools; import org.eclipse.jgit.lib.Config; public class StaticModule extends ServletModule { 
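Review bot: The `!GitSmartHttpTools.isGitClient(httpRequest)` guard in `XsrfCookieFilter.doFilter` is not explained anywhere: the commit message talks only about PolyGerrit assets, and the code has no comment saying why Git requests should skip `setXsrfTokenCookie`. Please add a one-line comment above the `if` giving the reason (presumably that Git clients never use the XSRF cookie). Unlike the `req.getRequestURI() != null` check that `ProjectBasicAuthFilter` puts in front of the same call elsewhere in this series, this call site and the one in `StaticModule` pass the request straight in. If that guard is needed for requests without a URI, one shared helper would serve the three call sites better.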
@@ -405,32 +406,34 @@ public class StaticModule extends ServletModule { HttpServletRequest req = (HttpServletRequest) request; HttpServletResponse res = (HttpServletResponse) response; - GuiceFilterRequestWrapper reqWrapper = new GuiceFilterRequestWrapper(req); - String path = pathInfo(req); + if (!GitSmartHttpTools.isGitClient(req)) { + GuiceFilterRequestWrapper reqWrapper = new GuiceFilterRequestWrapper(req); + String path = pathInfo(req); - // Special case assets during development that are built by Bazel and not - // served out of the source tree. - // - // In the war case, these are either inlined, or live under - // /polygerrit_ui in the war file, so we can just treat them as normal - // assets. - if (paths.isDev()) { - if (path.startsWith("/bower_components/")) { - bowerComponentServlet.service(reqWrapper, res); - return; - } else if (path.startsWith("/fonts/")) { - fontServlet.service(reqWrapper, res); + // Special case assets during development that are built by Bazel and not + // served out of the source tree. + // + // In the war case, these are either inlined, or live under + // /polygerrit_ui in the war file, so we can just treat them as normal + // assets. + if (paths.isDev()) { + if (path.startsWith("/bower_components/")) { + bowerComponentServlet.service(reqWrapper, res); + return; + } else if (path.startsWith("/fonts/")) { + fontServlet.service(reqWrapper, res); + return; + } + } + + if (isPolyGerritIndex(path)) { + polyGerritIndex.service(reqWrapper, res); + return; + } + if (isPolyGerritAsset(path)) { + polygerritUI.service(reqWrapper, res); return; } - } - - if (isPolyGerritIndex(path)) { - polyGerritIndex.service(reqWrapper, res); - return; - } - if (isPolyGerritAsset(path)) { - polygerritUI.service(reqWrapper, res); - return; } chain.doFilter(req, res); From c66dfb9e4d40eb9f0b132ede0c902231924a075a Mon Sep 17 00:00:00 2001 
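Review bot: No test accompanies this routing change: the diffstat lists only `XsrfCookieFilter.java` and `StaticModule.java`. Nothing pins that a Git request for a project under a reserved prefix such as `/x/` now falls through to `chain.doFilter` while a browser request for the same path is still answered by PolyGerrit. Since the Git/non-Git decision is taken from attributes of the incoming request, a regression test for both directions would keep later edits from widening or narrowing the bypass by accident. A short comment above `if (!GitSmartHttpTools.isGitClient(req))` naming Issue 13721 and the colliding prefixes would also help, because the existing comment inside the block only covers the dev-mode assets. The enclosing filter method starts outside the hunk.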
From: David Ostrovsky Date: Mon, 17 May 2021 20:44:24 +0200 Subject: [PATCH 8/9] Set version to 3.1.15 Change-Id: I64df1dcbbbd4fa1c628ed9b966202568b9999bf4 --- tools/maven/gerrit-acceptance-framework_pom.xml | 2 +- tools/maven/gerrit-extension-api_pom.xml | 2 +- tools/maven/gerrit-plugin-api_pom.xml | 2 +- tools/maven/gerrit-war_pom.xml | 2 +- version.bzl | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/tools/maven/gerrit-acceptance-framework_pom.xml b/tools/maven/gerrit-acceptance-framework_pom.xml index 3eec480262..832db0060f 100644 --- a/tools/maven/gerrit-acceptance-framework_pom.xml +++ b/tools/maven/gerrit-acceptance-framework_pom.xml @@ -2,7 +2,7 @@ 4.0.0 com.google.gerrit gerrit-acceptance-framework - 3.1.14 + 3.1.15 jar Gerrit Code Review - Acceptance Test Framework Framework for Gerrit's acceptance tests diff --git a/tools/maven/gerrit-extension-api_pom.xml b/tools/maven/gerrit-extension-api_pom.xml index 99b6cee3af..aff08b14ac 100644 --- a/tools/maven/gerrit-extension-api_pom.xml +++ b/tools/maven/gerrit-extension-api_pom.xml @@ -2,7 +2,7 @@ 4.0.0 com.google.gerrit gerrit-extension-api - 3.1.14 + 3.1.15 jar Gerrit Code Review - Extension API API for Gerrit Extensions diff --git a/tools/maven/gerrit-plugin-api_pom.xml b/tools/maven/gerrit-plugin-api_pom.xml index e7e1814a25..9c88bc877e 100644 --- a/tools/maven/gerrit-plugin-api_pom.xml +++ b/tools/maven/gerrit-plugin-api_pom.xml @@ -2,7 +2,7 @@ 4.0.0 com.google.gerrit gerrit-plugin-api - 3.1.14 + 3.1.15 jar Gerrit Code Review - Plugin API API for Gerrit Plugins diff --git a/tools/maven/gerrit-war_pom.xml b/tools/maven/gerrit-war_pom.xml index 1a229f00a7..548d28031b 100644 --- a/tools/maven/gerrit-war_pom.xml +++ b/tools/maven/gerrit-war_pom.xml @@ -2,7 +2,7 @@ 4.0.0 com.google.gerrit gerrit-war - 3.1.14 + 3.1.15 war Gerrit Code Review - WAR Gerrit WAR diff --git a/version.bzl b/version.bzl index ebdb00a9d3..5a06350aaa 100644 --- a/version.bzl +++ b/version.bzl 
@@ -2,4 +2,4 @@ # Used by :api_install and :api_deploy targets # when talking to the destination repository. # -GERRIT_VERSION = "3.1.14" +GERRIT_VERSION = "3.1.15" From 94e76ed0ba75e529a0e43e4722756a105d0a6ec4 Mon Sep 17 00:00:00 2001 From: Luca Milanesio Date: Mon, 17 May 2021 20:50:21 +0000 Subject: [PATCH 9/9] Set version to 3.2.10 Change-Id: I6ffb688d111c71d11ab1647a3cd26d3809839c70 --- tools/maven/gerrit-acceptance-framework_pom.xml | 2 +- tools/maven/gerrit-extension-api_pom.xml | 2 +- tools/maven/gerrit-plugin-api_pom.xml | 2 +- tools/maven/gerrit-war_pom.xml | 2 +- version.bzl | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/tools/maven/gerrit-acceptance-framework_pom.xml b/tools/maven/gerrit-acceptance-framework_pom.xml index 7b20b4e747..b4f96a1e34 100644 --- a/tools/maven/gerrit-acceptance-framework_pom.xml +++ b/tools/maven/gerrit-acceptance-framework_pom.xml @@ -2,7 +2,7 @@ 4.0.0 com.google.gerrit gerrit-acceptance-framework - 3.2.10-SNAPSHOT + 3.2.10 jar Gerrit Code Review - Acceptance Test Framework Framework for Gerrit's acceptance tests diff --git a/tools/maven/gerrit-extension-api_pom.xml b/tools/maven/gerrit-extension-api_pom.xml index d3dbdfb1fe..437c381d6f 100644 --- a/tools/maven/gerrit-extension-api_pom.xml +++ b/tools/maven/gerrit-extension-api_pom.xml @@ -2,7 +2,7 @@ 4.0.0 com.google.gerrit gerrit-extension-api - 3.2.10-SNAPSHOT + 3.2.10 jar Gerrit Code Review - Extension API API for Gerrit Extensions diff --git a/tools/maven/gerrit-plugin-api_pom.xml b/tools/maven/gerrit-plugin-api_pom.xml index 3096dbd25f..5bac9c430a 100644 --- a/tools/maven/gerrit-plugin-api_pom.xml +++ b/tools/maven/gerrit-plugin-api_pom.xml @@ -2,7 +2,7 @@ 4.0.0 com.google.gerrit gerrit-plugin-api - 3.2.10-SNAPSHOT + 3.2.10 jar Gerrit Code Review - Plugin API API for Gerrit Plugins diff --git a/tools/maven/gerrit-war_pom.xml b/tools/maven/gerrit-war_pom.xml index 37caa29a8d..db26a7e8a0 100644 --- a/tools/maven/gerrit-war_pom.xml 
+++ b/tools/maven/gerrit-war_pom.xml @@ -2,7 +2,7 @@ 4.0.0 com.google.gerrit gerrit-war - 3.2.10-SNAPSHOT + 3.2.10 war Gerrit Code Review - WAR Gerrit WAR diff --git a/version.bzl b/version.bzl index c69b5785c9..058c9c6b06 100644 --- a/version.bzl +++ b/version.bzl @@ -2,4 +2,4 @@ # Used by :api_install and :api_deploy targets # when talking to the destination repository. # -GERRIT_VERSION = "3.2.10-SNAPSHOT" +GERRIT_VERSION = "3.2.10"