Merge "Make plugin servlet's context path authorization aware" into stable-2.6

2013-11-06 20:49:36 +00:00
parent c5960a8b8f a716d228d4
commit 8fd6799da8
1 changed files with 12 additions and 2 deletions
--- a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/plugins/HttpPluginServlet.java
+++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/plugins/HttpPluginServlet.java
@@ -78,6 +78,8 @@ class HttpPluginServlet extends HttpServlet
  private static final long serialVersionUID = 1L;
  private static final Logger log
      = LoggerFactory.getLogger(HttpPluginServlet.class);
+  private static final String PLUGINS_PREFIX = "/plugins/";
+  private static final String AUTHORIZED_PREFIX = "/a" + PLUGINS_PREFIX;

  private final MimeUtilFileTypeRegistry mimeUtil;
  private final Provider<String> webUrl;
@@ -88,6 +90,7 @@ class HttpPluginServlet extends HttpServlet

  private List<Plugin> pending = Lists.newArrayList();
  private String base;
+  private String authorizedBase;
  private final ConcurrentMap<String, PluginHolder> plugins
      = Maps.newConcurrentMap();

@@ -126,7 +129,8 @@ class HttpPluginServlet extends HttpServlet
    super.init(config);

    String path = config.getServletContext().getContextPath();
-    base = Strings.nullToEmpty(path) + "/plugins/";
+    base = Strings.nullToEmpty(path) + PLUGINS_PREFIX;
+    authorizedBase = Strings.nullToEmpty(path) + AUTHORIZED_PREFIX;
    for (Plugin plugin : pending) {
      install(plugin);
    }
@@ -210,7 +214,8 @@ class HttpPluginServlet extends HttpServlet
      return;
    }

-    WrappedRequest wr = new WrappedRequest(req, base + name);
+    WrappedRequest wr = new WrappedRequest(req,
+        (isAuthorizedCall(req) ? authorizedBase : base) + name);
    FilterChain chain = new FilterChain() {
      @Override
      public void doFilter(ServletRequest req, ServletResponse res)
@@ -225,6 +230,11 @@ class HttpPluginServlet extends HttpServlet
    }
  }

+  private boolean isAuthorizedCall(HttpServletRequest req) {
+    return !Strings.isNullOrEmpty(req.getServletPath())
+        && req.getServletPath().startsWith(AUTHORIZED_PREFIX);
+  }
+
  private static boolean isApiCall(HttpServletRequest req, List<String> parts) {
    String method = req.getMethod();
    int cnt = parts.size();