opendev/gerrit
Code Issues Proposed changes

Merge "Make plugin servlet's context path authorization aware" into stable-2.6

Browse Source
This commit is contained in:
Shawn Pearce
2013-11-06 20:49:36 +00:00
committed by Gerrit Code Review
parent c5960a8b8f a716d228d4
commit 8fd6799da8
1 changed files with 12 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
gerrit-httpd/src/main/java/com/google/gerrit/httpd/plugins/HttpPluginServlet.java
View File

@@ -78,6 +78,8 @@ class HttpPluginServlet extends HttpServlet
private static final long serialVersionUID = 1L; private static final long serialVersionUID = 1L;
private static final Logger log private static final Logger log
= LoggerFactory.getLogger(HttpPluginServlet.class); = LoggerFactory.getLogger(HttpPluginServlet.class);
private static final String PLUGINS_PREFIX = "/plugins/";
private static final String AUTHORIZED_PREFIX = "/a" + PLUGINS_PREFIX;
private final MimeUtilFileTypeRegistry mimeUtil; private final MimeUtilFileTypeRegistry mimeUtil;
private final Provider<String> webUrl; private final Provider<String> webUrl;
@@ -88,6 +90,7 @@ class HttpPluginServlet extends HttpServlet
private List<Plugin> pending = Lists.newArrayList(); private List<Plugin> pending = Lists.newArrayList();
private String base; private String base;
private String authorizedBase;
private final ConcurrentMap<String, PluginHolder> plugins private final ConcurrentMap<String, PluginHolder> plugins
= Maps.newConcurrentMap(); = Maps.newConcurrentMap();
@@ -126,7 +129,8 @@ class HttpPluginServlet extends HttpServlet
super.init(config); super.init(config);
String path = config.getServletContext().getContextPath(); String path = config.getServletContext().getContextPath();
base = Strings.nullToEmpty(path) + "/plugins/"; base = Strings.nullToEmpty(path) + PLUGINS_PREFIX;
authorizedBase = Strings.nullToEmpty(path) + AUTHORIZED_PREFIX;
for (Plugin plugin : pending) { for (Plugin plugin : pending) {
install(plugin); install(plugin);
} }
@@ -210,7 +214,8 @@ class HttpPluginServlet extends HttpServlet
return; return;
} }
WrappedRequest wr = new WrappedRequest(req, base + name); WrappedRequest wr = new WrappedRequest(req,
(isAuthorizedCall(req) ? authorizedBase : base) + name);
FilterChain chain = new FilterChain() { FilterChain chain = new FilterChain() {
@Override @Override
public void doFilter(ServletRequest req, ServletResponse res) public void doFilter(ServletRequest req, ServletResponse res)
@@ -225,6 +230,11 @@ class HttpPluginServlet extends HttpServlet
} }
} }
private boolean isAuthorizedCall(HttpServletRequest req) {
return !Strings.isNullOrEmpty(req.getServletPath())
&& req.getServletPath().startsWith(AUTHORIZED_PREFIX);
}
private static boolean isApiCall(HttpServletRequest req, List<String> parts) { private static boolean isApiCall(HttpServletRequest req, List<String> parts) {
String method = req.getMethod(); String method = req.getMethod();
int cnt = parts.size(); int cnt = parts.size();