Merge branch 'stable-2.15' into stable-2.16

* stable-2.15:
  Set version to 2.15.12-SNAPSHOT
  Set version to 2.15.11
  Allow LFS-over-SSH created auth pass through ContainerAuthFilter
  Upgrade elasticsearch-rest-client to 6.6.1
  ElasticContainer: Bump the test server version to 5.6.15

Change-Id: I6a54f5b233cf9fa6053241b729cdd300f83dfdc9
David Pursehouse
2019-02-26 14:25:46 +09:00
4 changed files with 25 additions and 5 deletions


@@ -1091,8 +1091,8 @@ maven_jar(
# and httpasyncclient as necessary. # and httpasyncclient as necessary.
maven_jar( maven_jar(
name = "elasticsearch-rest-client", name = "elasticsearch-rest-client",
artifact = "org.elasticsearch.client:elasticsearch-rest-client:6.6.0", artifact = "org.elasticsearch.client:elasticsearch-rest-client:6.6.1",
sha1 = "f0ce1ea819fedde731511b440b025e4fb5a2f5f7", sha1 = "dc1c9284ffca28cd169fae2776c3956e90b76c00",
) )
JACKSON_VERSION = "2.9.8" JACKSON_VERSION = "2.9.8"


@@ -17,9 +17,12 @@ package com.google.gerrit.httpd;
import static com.google.common.base.MoreObjects.firstNonNull; import static com.google.common.base.MoreObjects.firstNonNull;
import static com.google.common.base.Strings.emptyToNull; import static com.google.common.base.Strings.emptyToNull;
import static com.google.common.net.HttpHeaders.AUTHORIZATION; import static com.google.common.net.HttpHeaders.AUTHORIZATION;
import static com.google.gerrit.extensions.api.lfs.LfsDefinitions.CONTENTTYPE_VND_GIT_LFS_JSON;
import static com.google.gerrit.httpd.GerritAuthModule.NOT_AUTHORIZED_LFS_URL_REGEX;
import static javax.servlet.http.HttpServletResponse.SC_FORBIDDEN; import static javax.servlet.http.HttpServletResponse.SC_FORBIDDEN;
import static javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED; import static javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED;
import com.google.common.base.Strings;
import com.google.gerrit.extensions.registration.DynamicItem; import com.google.gerrit.extensions.registration.DynamicItem;
import com.google.gerrit.httpd.restapi.RestApiServlet; import com.google.gerrit.httpd.restapi.RestApiServlet;
import com.google.gerrit.server.AccessPath; import com.google.gerrit.server.AccessPath;
@@ -32,6 +35,7 @@ import com.google.inject.Singleton;
import java.io.IOException; import java.io.IOException;
import java.util.Locale; import java.util.Locale;
import java.util.Optional; import java.util.Optional;
import java.util.regex.Pattern;
import javax.servlet.Filter; import javax.servlet.Filter;
import javax.servlet.FilterChain; import javax.servlet.FilterChain;
import javax.servlet.FilterConfig; import javax.servlet.FilterConfig;
@@ -55,6 +59,9 @@ import org.eclipse.jgit.lib.Config;
*/ */
@Singleton @Singleton
class ContainerAuthFilter implements Filter { class ContainerAuthFilter implements Filter {
private static final String LFS_AUTH_PREFIX = "Ssh: ";
private static final Pattern LFS_ENDPOINT = Pattern.compile(NOT_AUTHORIZED_LFS_URL_REGEX);
private final DynamicItem<WebSession> session; private final DynamicItem<WebSession> session;
private final AccountCache accountCache; private final AccountCache accountCache;
private final Config config; private final Config config;
@@ -93,6 +100,11 @@ class ContainerAuthFilter implements Filter {
private boolean verify(HttpServletRequest req, HttpServletResponse rsp) throws IOException { private boolean verify(HttpServletRequest req, HttpServletResponse rsp) throws IOException {
String username = RemoteUserUtil.getRemoteUser(req, loginHttpHeader); String username = RemoteUserUtil.getRemoteUser(req, loginHttpHeader);
if (username == null) { if (username == null) {
if (isLfsOverSshRequest(req)) {
// LFS-over-SSH auth request cannot be authorized by container
// therefore let it go through the filter
return true;
}
rsp.sendError(SC_FORBIDDEN); rsp.sendError(SC_FORBIDDEN);
return false; return false;
} }
@@ -111,4 +123,12 @@ class ContainerAuthFilter implements Filter {
ws.setAccessPathOk(AccessPath.REST_API, true); ws.setAccessPathOk(AccessPath.REST_API, true);
return true; return true;
} }
private static boolean isLfsOverSshRequest(HttpServletRequest req) {
String hdr = req.getHeader(AUTHORIZATION);
return CONTENTTYPE_VND_GIT_LFS_JSON.equals(req.getContentType())
&& !Strings.isNullOrEmpty(hdr)
&& hdr.startsWith(LFS_AUTH_PREFIX)
&& LFS_ENDPOINT.matcher(req.getRequestURI()).matches();
}
} }
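Review bot: The early `return true` in `verify()` lets a request with no container-supplied user continue on the strength of three client-controlled values (the Content-Type, an `Authorization` header beginning with `Ssh: `, and the request URI), and this filter never inspects the token itself. Nothing in this commit shows where that token is checked, so the comment should record the dependency, for example `// Not authenticated here: the "Ssh: " token must be verified by the LFS endpoint; no user is set on the session.` `isLfsOverSshRequest` also matches against `req.getRequestURI()`, which is the raw, un-normalized path including any context path, so it is worth confirming that the pattern is applied to the same path form the servlet mapping dispatches on; the `LFS_URL_WO_AUTH_REGEX` part of the pattern is not visible on this page. The middle of `verify()` lies outside the displayed hunks.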


@@ -24,7 +24,7 @@ import javax.servlet.Filter;
/** Configures filter for authenticating REST requests. */ /** Configures filter for authenticating REST requests. */
public class GerritAuthModule extends ServletModule { public class GerritAuthModule extends ServletModule {
private static final String NOT_AUTHORIZED_LFS_URL_REGEX = "^(?:(?!/a/))" + LFS_URL_WO_AUTH_REGEX; static final String NOT_AUTHORIZED_LFS_URL_REGEX = "^(?:(?!/a/))" + LFS_URL_WO_AUTH_REGEX;
private final AuthConfig authConfig; private final AuthConfig authConfig;
@Inject @Inject


@@ -37,7 +37,7 @@ public class ElasticContainer extends ElasticsearchContainer {
private static String getImageName(ElasticVersion version) { private static String getImageName(ElasticVersion version) {
switch (version) { switch (version) {
case V5_6: case V5_6:
return "docker.elastic.co/elasticsearch/elasticsearch:5.6.14"; return "docker.elastic.co/elasticsearch/elasticsearch:5.6.15";
case V6_2: case V6_2:
return "docker.elastic.co/elasticsearch/elasticsearch-oss:6.2.4"; return "docker.elastic.co/elasticsearch/elasticsearch-oss:6.2.4";
case V6_3: case V6_3:
@@ -47,7 +47,7 @@ public class ElasticContainer extends ElasticsearchContainer {
case V6_5: case V6_5:
return "docker.elastic.co/elasticsearch/elasticsearch-oss:6.5.4"; return "docker.elastic.co/elasticsearch/elasticsearch-oss:6.5.4";
case V6_6: case V6_6:
return "docker.elastic.co/elasticsearch/elasticsearch-oss:6.6.0"; return "docker.elastic.co/elasticsearch/elasticsearch-oss:6.6.1";
case V7_0: case V7_0:
return "docker.elastic.co/elasticsearch/elasticsearch-oss:7.0.0-beta1"; return "docker.elastic.co/elasticsearch/elasticsearch-oss:7.0.0-beta1";
} }