Merge "suexec: Honor Run As capability like HTTP REST API"

Documentation/access-control.txt

@@ -1270,9 +1270,10 @@ command, but also to the web UI results pagination size.
 Run As
 ~~~~~~
 
-Allow users to impersonate any other user with the X-Gerrit-RunAs
+Allow users to impersonate any other user with the X-Gerrit-RunAs HTTP
-HTTP header on REST API calls. Site administrators do not inherit
+header on REST API calls or the link:cmd-suexec.html[suexec] SSH
-this capability; it must be granted explicitly.
+command.  Site administrators do not inherit this capability; it must
+be granted explicitly.
 
 
 [[capability_runGC]]

Documentation/cmd-suexec.txt

@@ -19,10 +19,14 @@ SYNOPSIS
 
 DESCRIPTION
 -----------
-The suexec command can only be invoked by the magic user `Gerrit
+The suexec command permits executing any other command as any other
-Code Review` and permits executing any other command as any other
 registered user account.
 
+suexec can only be invoked by the magic user `Gerrit Code Review`,
+or any user granted granted the link:access-control.html#capability_runAs[Run As]
+capability. The run as capability is permitted to be used only if
+link:config-gerrit.html[auth.enableRunAs] is true.
+
 OPTIONS
 -------
 
@@ -39,7 +43,8 @@ COMMAND::
 ACCESS
 ------
 Caller must be the magic user Gerrit Code Review using the SSH
-daemon's host key or a key on this daemon's peer host key ring.
+daemon's host key, or a key on this daemon's peer host key ring,
+or a user granted the Run As capability.
 
 SCRIPTING
 ---------

gerrit-httpd/src/main/java/com/google/gerrit/httpd/RunAsFilter.java

@@ -21,14 +21,13 @@ import com.google.gerrit.httpd.restapi.RestApiServlet;
 import com.google.gerrit.reviewdb.client.Account;
 import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.account.AccountResolver;
-import com.google.gerrit.server.config.GerritServerConfig;
+import com.google.gerrit.server.config.AuthConfig;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
 import com.google.inject.Singleton;
 import com.google.inject.servlet.ServletModule;
 
-import org.eclipse.jgit.lib.Config;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -61,10 +60,10 @@ class RunAsFilter implements Filter {
   private final AccountResolver accountResolver;
 
   @Inject
-  RunAsFilter(@GerritServerConfig Config config,
+  RunAsFilter(AuthConfig config,
       Provider<WebSession> session,
       AccountResolver accountResolver) {
-    this.enabled = config.getBoolean("auth", null, "enableRunAs", true);
+    this.enabled = config.isRunAsEnabled();
     this.session = session;
     this.accountResolver = accountResolver;
   }

gerrit-server/src/main/java/com/google/gerrit/server/config/AuthConfig.java

@@ -37,6 +37,7 @@ public class AuthConfig {
   private final AuthType authType;
   private final String httpHeader;
   private final boolean trustContainerAuth;
+  private final boolean enableRunAs;
   private final boolean userNameToLowerCase;
   private final boolean gitBasicAuth;
   private final String logoutUrl;
@@ -64,6 +65,7 @@ public class AuthConfig {
     cookiePath = cfg.getString("auth", null, "cookiepath");
     cookieSecure = cfg.getBoolean("auth", "cookiesecure", false);
     trustContainerAuth = cfg.getBoolean("auth", "trustContainerAuth", false);
+    enableRunAs = cfg.getBoolean("auth", null, "enableRunAs", true);
     gitBasicAuth = cfg.getBoolean("auth", "gitBasicAuth", false);
     userNameToLowerCase = cfg.getBoolean("auth", "userNameToLowerCase", false);
 
@@ -164,6 +166,11 @@ public class AuthConfig {
     return trustContainerAuth;
   }
 
+  /** @return true if users with Run As capability can impersonate others. */
+  public boolean isRunAsEnabled() {
+    return enableRunAs;
+  }
+
   /** Whether user name should be converted to lower-case before validation */
   public boolean isUserNameToLowerCase() {
     return userNameToLowerCase;

gerrit-sshd/src/main/java/com/google/gerrit/sshd/SuExec.java

@@ -19,6 +19,7 @@ import com.google.gerrit.reviewdb.client.Account;
 import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.IdentifiedUser;
 import com.google.gerrit.server.PeerDaemonUser;
+import com.google.gerrit.server.config.AuthConfig;
 import com.google.gerrit.sshd.SshScope.Context;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
@@ -45,6 +46,7 @@ public final class SuExec extends BaseCommand {
   private final SshScope sshScope;
   private final DispatchCommandProvider dispatcher;
 
+  private boolean enableRunAs;
   private Provider<CurrentUser> caller;
   private Provider<SshSession> session;
   private IdentifiedUser.GenericFactory userFactory;
@@ -66,36 +68,34 @@ public final class SuExec extends BaseCommand {
       @CommandName(Commands.ROOT) final DispatchCommandProvider dispatcher,
       final Provider<CurrentUser> caller, final Provider<SshSession> session,
       final IdentifiedUser.GenericFactory userFactory,
-      final SshScope.Context callingContext) {
+      final SshScope.Context callingContext,
+      AuthConfig config) {
     this.sshScope = sshScope;
     this.dispatcher = dispatcher;
     this.caller = caller;
     this.session = session;
     this.userFactory = userFactory;
     this.callingContext = callingContext;
+    this.enableRunAs = config.isRunAsEnabled();
     atomicCmd = Atomics.newReference();
   }
 
   @Override
   public void start(Environment env) throws IOException {
     try {
-      if (caller.get() instanceof PeerDaemonUser) {
+      checkCanRunAs();
-        parseCommandLine();
+      parseCommandLine();
 
-        final Context ctx = callingContext.subContext(newSession(), join(args));
+      final Context ctx = callingContext.subContext(newSession(), join(args));
-        final Context old = sshScope.set(ctx);
+      final Context old = sshScope.set(ctx);
-        try {
+      try {
-          final BaseCommand cmd = dispatcher.get();
+        final BaseCommand cmd = dispatcher.get();
-          cmd.setArguments(args.toArray(new String[args.size()]));
+        cmd.setArguments(args.toArray(new String[args.size()]));
-          provideStateTo(cmd);
+        provideStateTo(cmd);
-          atomicCmd.set(cmd);
+        atomicCmd.set(cmd);
-          cmd.start(env);
+        cmd.start(env);
-        } finally {
+      } finally {
-          sshScope.set(old);
+        sshScope.set(old);
-        }
-
-      } else {
-        throw new UnloggedFailure(1, "fatal: Not a peer daemon");
       }
     } catch (UnloggedFailure e) {
       String msg = e.getMessage();
@@ -108,6 +108,17 @@ public final class SuExec extends BaseCommand {
     }
   }
 
+  private void checkCanRunAs() throws UnloggedFailure {
+    if (caller.get() instanceof PeerDaemonUser) {
+      // OK.
+    } else if (!enableRunAs) {
+      throw new UnloggedFailure(1,
+          "fatal: suexec disabled by auth.enableRunAs = false");
+    } else if (!caller.get().getCapabilities().canRunAs()) {
+      throw new UnloggedFailure(1, "fatal: suexec not permitted");
+    }
+  }
+
   private SshSession newSession() {
     final SocketAddress peer;
     if (peerAddress == null) {