opendev/gerrit
Code Issues Proposed changes

GitOverHttpModule: Bind REST auth filter in its own module

Browse Source 
GitOverHttpModule is binding both filters for git over HTTP and for REST
requests. Extract filter definition for REST requests in its own module.

Change-Id: If03e76c906bc3e0cac827b49f5f087cc859be4cd
This commit is contained in:
David Ostrovsky 2018-08-31 08:55:47 +02:00 committed by David Ostrovsky
parent b545f0cae5
commit b8695a315d
4 changed files with 63 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
gerrit-httpd/src/main/java/com/google/gerrit/httpd/GerritAuthModule.java Normal file
View File

@ -0,0 +1,55 @@
// Copyright (C) 2018 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package com.google.gerrit.httpd;
import static com.google.gerrit.extensions.api.lfs.LfsDefinitions.LFS_URL_WO_AUTH_REGEX;
import com.google.gerrit.extensions.client.GitBasicAuthPolicy;
import com.google.gerrit.server.config.AuthConfig;
import com.google.inject.Inject;
import com.google.inject.servlet.ServletModule;
import javax.servlet.Filter;
/** Configures filter for authenticating REST requests. */
public class GerritAuthModule extends ServletModule {
private static final String NOT_AUTHORIZED_LFS_URL_REGEX = "^(?:(?!/a/))" + LFS_URL_WO_AUTH_REGEX;
private final AuthConfig authConfig;
@Inject
GerritAuthModule(AuthConfig authConfig) {
this.authConfig = authConfig;
}
@Override
protected void configureServlets() {
Class<? extends Filter> authFilter = retreiveAuthFilterFromConfig(authConfig);
filterRegex(NOT_AUTHORIZED_LFS_URL_REGEX).through(authFilter);
filter("/a/*").through(authFilter);
}
static Class<? extends Filter> retreiveAuthFilterFromConfig(AuthConfig authConfig) {
Class<? extends Filter> authFilter;
if (authConfig.isTrustContainerAuth()) {
authFilter = ContainerAuthFilter.class;
} else {
authFilter =
authConfig.getGitBasicAuthPolicy() == GitBasicAuthPolicy.OAUTH
? ProjectOAuthFilter.class
: ProjectBasicAuthFilter.class;
}
return authFilter;
}
}

32
gerrit-httpd/src/main/java/com/google/gerrit/httpd/GitOverHttpModule.java
View File

@ -14,20 +14,16 @@
package com.google.gerrit.httpd;
import static com.google.gerrit.extensions.api.lfs.LfsDefinitions.LFS_URL_WO_AUTH_REGEX;
import static com.google.gerrit.httpd.GitOverHttpServlet.URL_REGEX;
import com.google.gerrit.extensions.client.GitBasicAuthPolicy;
import com.google.gerrit.reviewdb.client.CoreDownloadSchemes;
import com.google.gerrit.server.config.AuthConfig;
import com.google.gerrit.server.config.DownloadConfig;
import com.google.inject.Inject;
import com.google.inject.servlet.ServletModule;
import javax.servlet.Filter;
/** Configures Git access over HTTP with authentication. */
public class GitOverHttpModule extends ServletModule {
private static final String NOT_AUTHORIZED_LFS_URL_REGEX = "^(?:(?!/a/))" + LFS_URL_WO_AUTH_REGEX;
private final AuthConfig authConfig;
private final DownloadConfig downloadConfig;
@ -39,28 +35,10 @@ public class GitOverHttpModule extends ServletModule {
@Override
protected void configureServlets() {
Class<? extends Filter> authFilter;
if (authConfig.isTrustContainerAuth()) {
authFilter = ContainerAuthFilter.class;
} else {
authFilter =
authConfig.getGitBasicAuthPolicy() == GitBasicAuthPolicy.OAUTH
? ProjectOAuthFilter.class
: ProjectBasicAuthFilter.class;
if (downloadConfig.getDownloadSchemes().contains(CoreDownloadSchemes.ANON_HTTP)
|| downloadConfig.getDownloadSchemes().contains(CoreDownloadSchemes.HTTP)) {
filterRegex(URL_REGEX).through(GerritAuthModule.retreiveAuthFilterFromConfig(authConfig));
serveRegex(URL_REGEX).with(GitOverHttpServlet.class);
}
if (isHttpEnabled()) {
String git = GitOverHttpServlet.URL_REGEX;
filterRegex(git).through(authFilter);
serveRegex(git).with(GitOverHttpServlet.class);
}
filterRegex(NOT_AUTHORIZED_LFS_URL_REGEX).through(authFilter);
filter("/a/*").through(authFilter);
}
private boolean isHttpEnabled() {
return downloadConfig.getDownloadSchemes().contains(CoreDownloadSchemes.ANON_HTTP)
|| downloadConfig.getDownloadSchemes().contains(CoreDownloadSchemes.HTTP);
}
}

2
gerrit-pgm/src/main/java/com/google/gerrit/pgm/Daemon.java
View File

@ -24,6 +24,7 @@ import com.google.gerrit.elasticsearch.ElasticIndexModule;
import com.google.gerrit.extensions.client.AuthType;
import com.google.gerrit.gpg.GpgModule;
import com.google.gerrit.httpd.AllRequestFilter;
import com.google.gerrit.httpd.GerritAuthModule;
import com.google.gerrit.httpd.GetUserFilter;
import com.google.gerrit.httpd.GitOverHttpModule;
import com.google.gerrit.httpd.H2CacheBasedWebSession;
@ -515,6 +516,7 @@ public class Daemon extends SiteProgram {
modules.add(RequestContextFilter.module());
modules.add(RequestMetricsFilter.module());
modules.add(H2CacheBasedWebSession.module());
modules.add(sysInjector.getInstance(GerritAuthModule.class));
modules.add(sysInjector.getInstance(GitOverHttpModule.class));
modules.add(AllRequestFilter.module());
modules.add(sysInjector.getInstance(WebModule.class));

1
gerrit-war/src/main/java/com/google/gerrit/httpd/WebAppInitializer.java
View File

@ -402,6 +402,7 @@ public class WebAppInitializer extends GuiceServletContextListener implements Fi
final List<Module> modules = new ArrayList<>();
modules.add(RequestContextFilter.module());
modules.add(RequestMetricsFilter.module());
modules.add(sysInjector.getInstance(GerritAuthModule.class));
modules.add(sysInjector.getInstance(GitOverHttpModule.class));
modules.add(AllRequestFilter.module());
modules.add(sysInjector.getInstance(WebModule.class));