Merge "XsrfCookieFilter: handle null XGerritAuth"

David Pursehouse 2016-09-23 06:52:56 +00:00 committed by Gerrit Code Review
commit 53aa25a041
4 changed files with 11 additions and 4 deletions


@ -44,6 +44,7 @@ import com.google.gerrit.client.ui.LinkMenuItem;
import com.google.gerrit.client.ui.MorphingTabPanel;
import com.google.gerrit.client.ui.ProjectLinkMenuItem;
import com.google.gerrit.client.ui.Screen;
import com.google.gerrit.common.Nullable;
import com.google.gerrit.common.PageLinks;
import com.google.gerrit.common.data.HostPageData;
import com.google.gerrit.common.data.SystemInfoService;
@ -287,6 +288,7 @@ public class Gerrit implements EntryPoint {
}
/** @return access token to prove user identity during REST API calls. */
@Nullable
public static String getXGerritAuth() {
return xGerritAuth;
}
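Review bot: The Javadoc directly above the new `@Nullable` on getXGerritAuth still describes an unconditional return, so the annotation and the comment now disagree about whether callers must check for null. Suggest `/** @return access token to prove user identity during REST API calls, or null when no token is available. */`; the assignment of xGerritAuth is outside this hunk, so the exact condition for null should be confirmed against it before wording the comment. The same gap applies to the newly annotated `@Nullable String getXGerritAuth();` in WebSession, which has no Javadoc at all — a one-line `@return` there would give implementers and callers the null contract that CacheBasedWebSession appears to follow (null when not signed in).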


@ -18,6 +18,7 @@ import static java.util.concurrent.TimeUnit.HOURS;
import com.google.common.base.Strings;
import com.google.gerrit.common.data.HostPageData;
import com.google.gerrit.common.Nullable;
import com.google.gerrit.httpd.WebSessionManager.Key;
import com.google.gerrit.httpd.WebSessionManager.Val;
import com.google.gerrit.reviewdb.client.Account;
@ -109,6 +110,7 @@ public abstract class CacheBasedWebSession implements WebSession {
}
@Override
@Nullable
public String getXGerritAuth() {
return isSignedIn() ? val.getAuth() : null;
}


@ -14,6 +14,7 @@
package com.google.gerrit.httpd;
import com.google.gerrit.common.Nullable;
import com.google.gerrit.reviewdb.client.Account;
import com.google.gerrit.reviewdb.client.AccountExternalId;
import com.google.gerrit.server.AccessPath;
@ -22,7 +23,7 @@ import com.google.gerrit.server.account.AuthResult;
public interface WebSession {
boolean isSignedIn();
String getXGerritAuth();
@Nullable String getXGerritAuth();
boolean isValidXGerritAuth(String keyIn);
AccountExternalId.Key getLastLoginExternalId();
CurrentUser getUser();


@ -14,6 +14,8 @@
package com.google.gerrit.httpd;
import static com.google.common.base.Strings.nullToEmpty;
import com.google.gerrit.common.data.HostPageData;
import com.google.gerrit.extensions.registration.DynamicItem;
import com.google.gerrit.server.CurrentUser;
@ -61,11 +63,11 @@ public class XsrfCookieFilter implements Filter {
private void setXsrfTokenCookie(HttpServletRequest req,
HttpServletResponse rsp, WebSession session) {
String v = session != null ? session.getXGerritAuth() : "";
Cookie c = new Cookie(HostPageData.XSRF_COOKIE_NAME, v);
String v = session != null ? session.getXGerritAuth() : null;
Cookie c = new Cookie(HostPageData.XSRF_COOKIE_NAME, nullToEmpty(v));
c.setPath("/");
c.setSecure(authConfig.getCookieSecure() && isSecure(req));
c.setMaxAge(session != null
c.setMaxAge(v != null
? -1 // Set the cookie for this browser session.
: 0); // Remove the cookie (expire immediately).
rsp.addCookie(c);