Fix disabling of git ssh 'download' scheme within DefaultCommandModule
Without this fix, corporate/global Gerrit users (like ours) can still use ssh despite the ssh commands being disabled by instance admins. That keeps the ssh door wide open, while only the http one shall work. (Such deployments are then unable to restrain ssh traffic.) Change Daemon and WebAppInitializer so they construct DefaultCommandModule with the DownloadConfig singleton. DefaultCommandModule can then use the latter to skip the binding of the git ssh (receive and upload) commands, if ssh [download] scheme is not enabled in gerrit.config. Change-Id: Ica4e0ffeea1f34bc5411b6863a90fb0450c9e874
parent
9b8240b0f6
commit
44cf8868e3
@ -47,6 +47,7 @@ import com.google.gerrit.server.config.AuthConfig;
|
|||||||
import com.google.gerrit.server.config.AuthConfigModule;
|
import com.google.gerrit.server.config.AuthConfigModule;
|
||||||
import com.google.gerrit.server.config.CanonicalWebUrlModule;
|
import com.google.gerrit.server.config.CanonicalWebUrlModule;
|
||||||
import com.google.gerrit.server.config.CanonicalWebUrlProvider;
|
import com.google.gerrit.server.config.CanonicalWebUrlProvider;
|
||||||
|
import com.google.gerrit.server.config.DownloadConfig;
|
||||||
import com.google.gerrit.server.config.GerritGlobalModule;
|
import com.google.gerrit.server.config.GerritGlobalModule;
|
||||||
import com.google.gerrit.server.config.GerritServerConfig;
|
import com.google.gerrit.server.config.GerritServerConfig;
|
||||||
import com.google.gerrit.server.config.MasterNodeStartup;
|
import com.google.gerrit.server.config.MasterNodeStartup;
|
||||||
@ -396,8 +397,8 @@ public class Daemon extends SiteProgram {
|
|||||||
if (!test) {
|
if (!test) {
|
||||||
modules.add(new SshHostKeyModule());
|
modules.add(new SshHostKeyModule());
|
||||||
}
|
}
|
||||||
modules.add(new DefaultCommandModule(slave));
|
modules.add(new DefaultCommandModule(slave,
|
||||||
|
sysInjector.getInstance(DownloadConfig.class)));
|
||||||
return sysInjector.createChildInjector(modules);
|
return sysInjector.createChildInjector(modules);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -14,6 +14,8 @@
|
|||||||
|
|
||||||
package com.google.gerrit.sshd.commands;
|
package com.google.gerrit.sshd.commands;
|
||||||
|
|
||||||
|
import com.google.gerrit.reviewdb.client.AccountGeneralPreferences.DownloadScheme;
|
||||||
|
import com.google.gerrit.server.config.DownloadConfig;
|
||||||
import com.google.gerrit.sshd.CommandModule;
|
import com.google.gerrit.sshd.CommandModule;
|
||||||
import com.google.gerrit.sshd.CommandName;
|
import com.google.gerrit.sshd.CommandName;
|
||||||
import com.google.gerrit.sshd.Commands;
|
import com.google.gerrit.sshd.Commands;
|
||||||
@ -23,8 +25,11 @@ import com.google.gerrit.sshd.SuExec;
|
|||||||
|
|
||||||
/** Register the commands a Gerrit server supports. */
|
/** Register the commands a Gerrit server supports. */
|
||||||
public class DefaultCommandModule extends CommandModule {
|
public class DefaultCommandModule extends CommandModule {
|
||||||
public DefaultCommandModule(boolean slave) {
|
private final DownloadConfig downloadConfig;
|
||||||
|
|
||||||
|
public DefaultCommandModule(boolean slave, DownloadConfig downloadCfg) {
|
||||||
slaveMode = slave;
|
slaveMode = slave;
|
||||||
|
downloadConfig = downloadCfg;
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
@ -68,8 +73,10 @@ public class DefaultCommandModule extends CommandModule {
|
|||||||
command("scp").to(ScpCommand.class);
|
command("scp").to(ScpCommand.class);
|
||||||
|
|
||||||
// Honor the legacy hyphenated forms as aliases for the non-hyphenated forms
|
// Honor the legacy hyphenated forms as aliases for the non-hyphenated forms
|
||||||
|
if (sshEnabled()) {
|
||||||
command("git-upload-pack").to(Commands.key(git, "upload-pack"));
|
command("git-upload-pack").to(Commands.key(git, "upload-pack"));
|
||||||
command(git, "upload-pack").to(Upload.class);
|
command(git, "upload-pack").to(Upload.class);
|
||||||
|
}
|
||||||
command("suexec").to(SuExec.class);
|
command("suexec").to(SuExec.class);
|
||||||
listener().to(ShowCaches.StartupListener.class);
|
listener().to(ShowCaches.StartupListener.class);
|
||||||
|
|
||||||
@ -78,10 +85,13 @@ public class DefaultCommandModule extends CommandModule {
|
|||||||
command(gerrit, CreateGroupCommand.class);
|
command(gerrit, CreateGroupCommand.class);
|
||||||
command(gerrit, CreateProjectCommand.class);
|
command(gerrit, CreateProjectCommand.class);
|
||||||
command(gerrit, AdminQueryShell.class);
|
command(gerrit, AdminQueryShell.class);
|
||||||
|
|
||||||
if (!slaveMode) {
|
if (!slaveMode) {
|
||||||
|
if (sshEnabled()) {
|
||||||
command("git-receive-pack").to(Commands.key(git, "receive-pack"));
|
command("git-receive-pack").to(Commands.key(git, "receive-pack"));
|
||||||
command("gerrit-receive-pack").to(Commands.key(git, "receive-pack"));
|
command("gerrit-receive-pack").to(Commands.key(git, "receive-pack"));
|
||||||
command(git, "receive-pack").to(Commands.key(gerrit, "receive-pack"));
|
command(git, "receive-pack").to(Commands.key(gerrit, "receive-pack"));
|
||||||
|
}
|
||||||
command(gerrit, "test-submit").toProvider(
|
command(gerrit, "test-submit").toProvider(
|
||||||
new DispatchCommandProvider(testSubmit));
|
new DispatchCommandProvider(testSubmit));
|
||||||
}
|
}
|
||||||
@ -107,4 +117,10 @@ public class DefaultCommandModule extends CommandModule {
|
|||||||
alias(logging, "ls", ListLoggingLevelCommand.class);
|
alias(logging, "ls", ListLoggingLevelCommand.class);
|
||||||
alias(logging, "set", SetLoggingLevelCommand.class);
|
alias(logging, "set", SetLoggingLevelCommand.class);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private boolean sshEnabled() {
|
||||||
|
return downloadConfig.getDownloadSchemes().contains(DownloadScheme.SSH)
|
||||||
|
|| downloadConfig.getDownloadSchemes().contains(
|
||||||
|
DownloadScheme.DEFAULT_DOWNLOADS);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
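Review bot: `sshEnabled()` gates only the git `upload-pack`/`receive-pack` bindings, while `scp`, `suexec` and the `gerrit` commands in the same hunks stay registered, so the name overstates what is switched off. I would rename it to something like `gitOverSshEnabled()` and add a comment such as `// Only unbinds the git transport commands; sshd still listens unless sshd.listenAddress is off.` In the receive-pack hunk the guarded aliases resolve to `Commands.key(gerrit, "receive-pack")`, whose own binding is outside the visible hunks; if that command is bound unconditionally it needs the same guard, otherwise the push path presumably stays reachable when the SSH scheme is disabled. Separately, the constructor stores `downloadCfg` without a null check and `getDownloadSchemes()` is called twice; reading it once into a local would make the `SSH` / `DEFAULT_DOWNLOADS` test easier to follow. No test in the visible diff asserts that the commands are absent when the scheme is off, and one would keep this fix from regressing.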
@ -31,6 +31,7 @@ import com.google.gerrit.server.cache.h2.DefaultCacheFactory;
|
|||||||
import com.google.gerrit.server.config.AuthConfig;
|
import com.google.gerrit.server.config.AuthConfig;
|
||||||
import com.google.gerrit.server.config.AuthConfigModule;
|
import com.google.gerrit.server.config.AuthConfigModule;
|
||||||
import com.google.gerrit.server.config.CanonicalWebUrlModule;
|
import com.google.gerrit.server.config.CanonicalWebUrlModule;
|
||||||
|
import com.google.gerrit.server.config.DownloadConfig;
|
||||||
import com.google.gerrit.server.config.GerritGlobalModule;
|
import com.google.gerrit.server.config.GerritGlobalModule;
|
||||||
import com.google.gerrit.server.config.GerritServerConfig;
|
import com.google.gerrit.server.config.GerritServerConfig;
|
||||||
import com.google.gerrit.server.config.GerritServerConfigModule;
|
import com.google.gerrit.server.config.GerritServerConfigModule;
|
||||||
@ -329,7 +330,8 @@ public class WebAppInitializer extends GuiceServletContextListener
|
|||||||
final List<Module> modules = new ArrayList<>();
|
final List<Module> modules = new ArrayList<>();
|
||||||
modules.add(sysInjector.getInstance(SshModule.class));
|
modules.add(sysInjector.getInstance(SshModule.class));
|
||||||
modules.add(new SshHostKeyModule());
|
modules.add(new SshHostKeyModule());
|
||||||
modules.add(new DefaultCommandModule(false));
|
modules.add(new DefaultCommandModule(false,
|
||||||
|
sysInjector.getInstance(DownloadConfig.class)));
|
||||||
return sysInjector.createChildInjector(modules);
|
return sysInjector.createChildInjector(modules);
|
||||||
}
|
}
|
||||||
|
|
||||||
|