Merge branch 'stable-2.15' into stable-2.16

* stable-2.15: Set version to 2.15.12-SNAPSHOT Set version to 2.15.11 Allow LFS-over-SSH created auth pass through ContainerAuthFilter Upgrade elasticsearch-rest-client to 6.6.1 ElasticContainer: Bump the test server version to 5.6.15 Change-Id: I6a54f5b233cf9fa6053241b729cdd300f83dfdc9
2019-02-26 14:25:46 +09:00 · 2019-02-26 14:25:46 +09:00 · a193aee064
commit a193aee064
parent a73d761b8a 1f4de46456
4 changed files with 25 additions and 5 deletions
--- a/4
+++ b/4
@ -1091,8 +1091,8 @@ maven_jar(
 # and httpasyncclient as necessary.
 maven_jar(
    name = "elasticsearch-rest-client",
-    artifact = "org.elasticsearch.client:elasticsearch-rest-client:6.6.0",
-    sha1 = "f0ce1ea819fedde731511b440b025e4fb5a2f5f7",
+    artifact = "org.elasticsearch.client:elasticsearch-rest-client:6.6.1",
+    sha1 = "dc1c9284ffca28cd169fae2776c3956e90b76c00",
 )

 JACKSON_VERSION = "2.9.8"
--- a/java/com/google/gerrit/httpd/ContainerAuthFilter.java
+++ b/java/com/google/gerrit/httpd/ContainerAuthFilter.java
@ -17,9 +17,12 @@ package com.google.gerrit.httpd;
 import static com.google.common.base.MoreObjects.firstNonNull;
 import static com.google.common.base.Strings.emptyToNull;
 import static com.google.common.net.HttpHeaders.AUTHORIZATION;
+import static com.google.gerrit.extensions.api.lfs.LfsDefinitions.CONTENTTYPE_VND_GIT_LFS_JSON;
+import static com.google.gerrit.httpd.GerritAuthModule.NOT_AUTHORIZED_LFS_URL_REGEX;
 import static javax.servlet.http.HttpServletResponse.SC_FORBIDDEN;
 import static javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED;

+import com.google.common.base.Strings;
 import com.google.gerrit.extensions.registration.DynamicItem;
 import com.google.gerrit.httpd.restapi.RestApiServlet;
 import com.google.gerrit.server.AccessPath;
@ -32,6 +35,7 @@ import com.google.inject.Singleton;
 import java.io.IOException;
 import java.util.Locale;
 import java.util.Optional;
+import java.util.regex.Pattern;
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
 import javax.servlet.FilterConfig;
@ -55,6 +59,9 @@ import org.eclipse.jgit.lib.Config;
 */
@Singleton
 class ContainerAuthFilter implements Filter {
+  private static final String LFS_AUTH_PREFIX = "Ssh: ";
+  private static final Pattern LFS_ENDPOINT = Pattern.compile(NOT_AUTHORIZED_LFS_URL_REGEX);
+
  private final DynamicItem<WebSession> session;
  private final AccountCache accountCache;
  private final Config config;
@ -93,6 +100,11 @@ class ContainerAuthFilter implements Filter {
  private boolean verify(HttpServletRequest req, HttpServletResponse rsp) throws IOException {
    String username = RemoteUserUtil.getRemoteUser(req, loginHttpHeader);
    if (username == null) {
+      if (isLfsOverSshRequest(req)) {
+        // LFS-over-SSH auth request cannot be authorized by container
+        // therefore let it go through the filter
+        return true;
+      }
      rsp.sendError(SC_FORBIDDEN);
      return false;
    }
@ -111,4 +123,12 @@ class ContainerAuthFilter implements Filter {
    ws.setAccessPathOk(AccessPath.REST_API, true);
    return true;
  }
+
+  private static boolean isLfsOverSshRequest(HttpServletRequest req) {
+    String hdr = req.getHeader(AUTHORIZATION);
+    return CONTENTTYPE_VND_GIT_LFS_JSON.equals(req.getContentType())
+        && !Strings.isNullOrEmpty(hdr)
+        && hdr.startsWith(LFS_AUTH_PREFIX)
+        && LFS_ENDPOINT.matcher(req.getRequestURI()).matches();
+  }
 }
--- a/java/com/google/gerrit/httpd/GerritAuthModule.java
+++ b/java/com/google/gerrit/httpd/GerritAuthModule.java
@ -24,7 +24,7 @@ import javax.servlet.Filter;

 /** Configures filter for authenticating REST requests. */
 public class GerritAuthModule extends ServletModule {
-  private static final String NOT_AUTHORIZED_LFS_URL_REGEX = "^(?:(?!/a/))" + LFS_URL_WO_AUTH_REGEX;
+  static final String NOT_AUTHORIZED_LFS_URL_REGEX = "^(?:(?!/a/))" + LFS_URL_WO_AUTH_REGEX;
  private final AuthConfig authConfig;

  @Inject
--- a/javatests/com/google/gerrit/elasticsearch/ElasticContainer.java
+++ b/javatests/com/google/gerrit/elasticsearch/ElasticContainer.java
@ -37,7 +37,7 @@ public class ElasticContainer extends ElasticsearchContainer {
  private static String getImageName(ElasticVersion version) {
    switch (version) {
      case V5_6:
-        return "docker.elastic.co/elasticsearch/elasticsearch:5.6.14";
+        return "docker.elastic.co/elasticsearch/elasticsearch:5.6.15";
      case V6_2:
        return "docker.elastic.co/elasticsearch/elasticsearch-oss:6.2.4";
      case V6_3:
@ -47,7 +47,7 @@ public class ElasticContainer extends ElasticsearchContainer {
      case V6_5:
        return "docker.elastic.co/elasticsearch/elasticsearch-oss:6.5.4";
      case V6_6:
-        return "docker.elastic.co/elasticsearch/elasticsearch-oss:6.6.0";
+        return "docker.elastic.co/elasticsearch/elasticsearch-oss:6.6.1";
      case V7_0:
        return "docker.elastic.co/elasticsearch/elasticsearch-oss:7.0.0-beta1";
    }