Merge "Don't expose repository existence when user has no access" into stable-3.4
This commit is contained in:
commit
8b4b9abda3
|
@ -300,7 +300,7 @@ public class GitOverHttpServlet extends GitServlet {
|
||||||
if (user instanceof AnonymousUser) {
|
if (user instanceof AnonymousUser) {
|
||||||
throw new ServiceNotAuthorizedException();
|
throw new ServiceNotAuthorizedException();
|
||||||
}
|
}
|
||||||
throw new ServiceNotEnabledException(e.getMessage());
|
throw new RepositoryNotFoundException(nameKey.get(), e);
|
||||||
}
|
}
|
||||||
|
|
||||||
return manager.openRepository(nameKey);
|
return manager.openRepository(nameKey);
|
||||||
|
|
|
@ -0,0 +1,100 @@
|
||||||
|
// Copyright (C) 2021 The Android Open Source Project
|
||||||
|
//
|
||||||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
// you may not use this file except in compliance with the License.
|
||||||
|
// You may obtain a copy of the License at
|
||||||
|
//
|
||||||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
//
|
||||||
|
// Unless required by applicable law or agreed to in writing, software
|
||||||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
// See the License for the specific language governing permissions and
|
||||||
|
// limitations under the License.
|
||||||
|
|
||||||
|
package com.google.gerrit.integration.git;
|
||||||
|
|
||||||
|
import static com.google.common.truth.Truth.assertThat;
|
||||||
|
import static com.google.gerrit.acceptance.testsuite.project.TestProjectUpdate.block;
|
||||||
|
|
||||||
|
import com.google.common.collect.ImmutableList;
|
||||||
|
import com.google.common.collect.ImmutableMap;
|
||||||
|
import com.google.gerrit.acceptance.AccountCreator;
|
||||||
|
import com.google.gerrit.acceptance.StandaloneSiteTest;
|
||||||
|
import com.google.gerrit.acceptance.TestAccount;
|
||||||
|
import com.google.gerrit.acceptance.testsuite.project.ProjectOperations;
|
||||||
|
import com.google.gerrit.entities.Permission;
|
||||||
|
import com.google.gerrit.entities.Project;
|
||||||
|
import com.google.gerrit.extensions.api.GerritApi;
|
||||||
|
import com.google.gerrit.extensions.restapi.RestApiException;
|
||||||
|
import com.google.gerrit.server.config.GerritServerConfig;
|
||||||
|
import com.google.gerrit.server.group.SystemGroupBackend;
|
||||||
|
import com.google.inject.Inject;
|
||||||
|
import org.eclipse.jgit.lib.Config;
|
||||||
|
import org.junit.Test;
|
||||||
|
|
||||||
|
public class NoAccessSameAsNotFoundIT extends StandaloneSiteTest {
|
||||||
|
private static final String PASSWORD = "secret";
|
||||||
|
private static final String REPO = "foo";
|
||||||
|
|
||||||
|
@Inject private @GerritServerConfig Config config;
|
||||||
|
@Inject private AccountCreator accountCreator;
|
||||||
|
@Inject private GerritApi gApi;
|
||||||
|
@Inject private ProjectOperations projectOperations;
|
||||||
|
|
||||||
|
private String repoUrl;
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void sameResponseForNonExistingAndNonAccessibleRepo() throws Exception {
|
||||||
|
try (ServerContext ctx = startServer()) {
|
||||||
|
setup(ctx);
|
||||||
|
|
||||||
|
// clone non-existing REPO
|
||||||
|
String nonExistingResponse = cloneRepo();
|
||||||
|
|
||||||
|
// create REPO and make it non-accessible then clone it again
|
||||||
|
createNonAccessibleRepo();
|
||||||
|
String noAccessResponse = cloneRepo();
|
||||||
|
|
||||||
|
// make sure the response is identical in both cases
|
||||||
|
assertThat(noAccessResponse).isEqualTo(nonExistingResponse);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private void setup(ServerContext ctx) throws Exception {
|
||||||
|
ctx.getInjector().injectMembers(this);
|
||||||
|
|
||||||
|
TestAccount user = accountCreator.user();
|
||||||
|
gApi.accounts().id(user.username()).setHttpPassword(PASSWORD);
|
||||||
|
|
||||||
|
String canonical = config.getString("gerrit", null, "canonicalweburl");
|
||||||
|
repoUrl =
|
||||||
|
String.format(
|
||||||
|
"http://%s:%s@%s/a/%s", user.username(), PASSWORD, canonical.substring(7), REPO);
|
||||||
|
}
|
||||||
|
|
||||||
|
private String cloneRepo() {
|
||||||
|
try {
|
||||||
|
return execute(ImmutableList.of("git", "clone", repoUrl));
|
||||||
|
} catch (Exception e) {
|
||||||
|
return e.getMessage();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private void createNonAccessibleRepo() throws RestApiException {
|
||||||
|
// Create project
|
||||||
|
Project.NameKey project = Project.nameKey(REPO);
|
||||||
|
gApi.projects().create(project.get());
|
||||||
|
|
||||||
|
// Block access for everyone
|
||||||
|
projectOperations
|
||||||
|
.project(project)
|
||||||
|
.forUpdate()
|
||||||
|
.add(block(Permission.READ).ref("refs/*").group(SystemGroupBackend.ANONYMOUS_USERS))
|
||||||
|
.update();
|
||||||
|
}
|
||||||
|
|
||||||
|
private String execute(ImmutableList<String> cmd) throws Exception {
|
||||||
|
return execute(cmd, sitePaths.data_dir.toFile(), ImmutableMap.of());
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in New Issue