Factor out Gerrit-specific PushCertificateChecker
We want to use this same checker, which uses GerritPublicKeyChecker, to check certificates after the fact, not just during push. Change-Id: I065c303213520f644c6ae7717c99f8adc38d62c2
This commit is contained in:
Dave Borowitz
@@ -0,0 +1,55 @@
|
||||
// Copyright (C) 2015 The Android Open Source Project
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package com.google.gerrit.gpg;
|
||||
|
||||
import com.google.gerrit.server.IdentifiedUser;
|
||||
import com.google.gerrit.server.config.AllUsersName;
|
||||
import com.google.gerrit.server.git.GitRepositoryManager;
|
||||
import com.google.inject.assistedinject.Assisted;
|
||||
import com.google.inject.assistedinject.AssistedInject;
|
||||
|
||||
import org.eclipse.jgit.lib.Repository;
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
public class GerritPushCertificateChecker extends PushCertificateChecker {
|
||||
public interface Factory {
|
||||
GerritPushCertificateChecker create(IdentifiedUser expectedUser);
|
||||
}
|
||||
|
||||
private final GitRepositoryManager repoManager;
|
||||
private final AllUsersName allUsers;
|
||||
|
||||
@AssistedInject
|
||||
GerritPushCertificateChecker(
|
||||
GerritPublicKeyChecker.Factory keyCheckerFactory,
|
||||
GitRepositoryManager repoManager,
|
||||
AllUsersName allUsers,
|
||||
@Assisted IdentifiedUser expectedUser) {
|
||||
super(keyCheckerFactory.create(expectedUser));
|
||||
this.repoManager = repoManager;
|
||||
this.allUsers = allUsers;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected Repository getRepository() throws IOException {
|
||||
return repoManager.openRepository(allUsers);
|
||||
}
|
||||
|
||||
@Override
|
||||
protected boolean shouldClose(Repository repo) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
@@ -67,6 +67,7 @@ public class GpgModule extends RestApiModule {
|
||||
|
||||
install(new SignedPushModule());
|
||||
bind(GpgApiAdapter.class).to(GpgApiAdapterImpl.class);
|
||||
factory(GerritPushCertificateChecker.Factory.class);
|
||||
factory(GpgKeyApiImpl.Factory.class);
|
||||
|
||||
DynamicMap.mapOf(binder(), GPG_KEY_KIND);
|
||||
|
||||
@@ -15,20 +15,16 @@
|
||||
package com.google.gerrit.gpg;
|
||||
|
||||
import com.google.gerrit.server.IdentifiedUser;
|
||||
import com.google.gerrit.server.config.AllUsersName;
|
||||
import com.google.gerrit.server.git.GitRepositoryManager;
|
||||
import com.google.gerrit.server.util.MagicBranch;
|
||||
import com.google.inject.Inject;
|
||||
import com.google.inject.Provider;
|
||||
import com.google.inject.Singleton;
|
||||
|
||||
import org.eclipse.jgit.lib.Repository;
|
||||
import org.eclipse.jgit.transport.PreReceiveHook;
|
||||
import org.eclipse.jgit.transport.PushCertificate;
|
||||
import org.eclipse.jgit.transport.ReceiveCommand;
|
||||
import org.eclipse.jgit.transport.ReceivePack;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.util.Collection;
|
||||
|
||||
/**
|
||||
@@ -40,21 +36,15 @@ import java.util.Collection;
|
||||
*/
|
||||
@Singleton
|
||||
public class SignedPushPreReceiveHook implements PreReceiveHook {
|
||||
private final GitRepositoryManager repoManager;
|
||||
private final AllUsersName allUsers;
|
||||
private final Provider<IdentifiedUser> user;
|
||||
private final GerritPublicKeyChecker.Factory keyCheckerFactory;
|
||||
private final GerritPushCertificateChecker.Factory checkerFactory;
|
||||
|
||||
@Inject
|
||||
public SignedPushPreReceiveHook(
|
||||
GitRepositoryManager repoManager,
|
||||
AllUsersName allUsers,
|
||||
Provider<IdentifiedUser> user,
|
||||
GerritPublicKeyChecker.Factory keyCheckerFactory) {
|
||||
this.repoManager = repoManager;
|
||||
this.allUsers = allUsers;
|
||||
GerritPushCertificateChecker.Factory checkerFactory) {
|
||||
this.user = user;
|
||||
this.keyCheckerFactory = keyCheckerFactory;
|
||||
this.checkerFactory = checkerFactory;
|
||||
}
|
||||
|
||||
@Override
|
||||
@@ -64,19 +54,8 @@ public class SignedPushPreReceiveHook implements PreReceiveHook {
|
||||
if (cert == null) {
|
||||
return;
|
||||
}
|
||||
PublicKeyChecker keyChecker = keyCheckerFactory.create(user.get());
|
||||
PushCertificateChecker checker = new PushCertificateChecker(keyChecker) {
|
||||
@Override
|
||||
protected Repository getRepository() throws IOException {
|
||||
return repoManager.openRepository(allUsers);
|
||||
}
|
||||
|
||||
@Override
|
||||
protected boolean shouldClose(Repository repo) {
|
||||
return true;
|
||||
}
|
||||
};
|
||||
CheckResult result = checker.check(cert);
|
||||
CheckResult result = checkerFactory.create(user.get())
|
||||
.check(cert);
|
||||
if (!isAllowed(result, commands)) {
|
||||
for (String problem : result.getProblems()) {
|
||||
rp.sendMessage(problem);
|
||||
|
||||
Reference in New Issue
Block a user