opendev/gerrit
Code Issues Proposed changes

Merge "Explicitly check READ permission when processing a git push"

Browse Source
This commit is contained in:
Patrick Hiesel
2020-08-26 09:26:39 +00:00
committed by Gerrit Code Review
parent 907b99179b c2d48fb765
commit ce406559ee
3 changed files with 25 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
java/com/google/gerrit/server/git/receive/ReceiveCommits.java
View File

@@ -1839,7 +1839,9 @@ class ReceiveCommits {
magicBranch.perm = permissions.ref(ref);
Optional<AuthException> err =
checkRefPermission(magicBranch.perm, RefPermission.CREATE_CHANGE);
checkRefPermission(magicBranch.perm, RefPermission.READ)
.map(Optional::of)
.orElse(checkRefPermission(magicBranch.perm, RefPermission.CREATE_CHANGE));
if (err.isPresent()) {
rejectProhibited(cmd, err.get());
return;

10
javatests/com/google/gerrit/acceptance/api/change/QueryChangesIT.java
View File

@@ -153,16 +153,16 @@ public class QueryChangesIT extends AbstractDaemonTest {
// Create hidden project.
Project.NameKey hiddenProject = projectOperations.newProject().create();
TestRepository<InMemoryRepository> hiddenRepo = cloneProject(hiddenProject, admin);
// Create 2 hidden changes.
createChange(hiddenRepo);
createChange(hiddenRepo);
// Actually hide project
projectOperations
.project(hiddenProject)
.forUpdate()
.add(block(Permission.READ).ref("refs/*").group(REGISTERED_USERS))
.update();
TestRepository<InMemoryRepository> hiddenRepo = cloneProject(hiddenProject, admin);
// Create 2 hidden changes.
createChange(hiddenRepo);
createChange(hiddenRepo);
// Create a change query that matches all changes (visible and hidden changes).
// The index returns the changes ordered by last updated timestamp:

17
javatests/com/google/gerrit/acceptance/git/PushPermissionsIT.java
View File

@@ -17,6 +17,7 @@ package com.google.gerrit.acceptance.git;
import static com.google.common.truth.Truth.assertThat;
import static com.google.common.truth.Truth.assertWithMessage;
import static com.google.gerrit.acceptance.testsuite.project.TestProjectUpdate.allow;
import static com.google.gerrit.acceptance.testsuite.project.TestProjectUpdate.block;
import static com.google.gerrit.git.testing.PushResultSubject.assertThat;
import static com.google.gerrit.server.group.SystemGroupBackend.REGISTERED_USERS;
import static java.util.stream.Collectors.toList;
@@ -145,6 +146,22 @@ public class PushPermissionsIT extends AbstractDaemonTest {
assertThat(r).hasProcessed(ImmutableMap.of("refs", 1));
}
@Test
public void createDeniedIfUserCantRead() throws Exception {
projectOperations
.project(project)
.forUpdate()
.add(block(Permission.READ).ref("refs/*").group(REGISTERED_USERS))
.add(allow(Permission.PUSH).ref("refs/*").group(REGISTERED_USERS))
.update();
testRepo.branch("HEAD").commit().create();
PushResult r = push("HEAD:refs/for/master");
assertThat(r)
.onlyRef("refs/for/master")
.isRejected("prohibited by Gerrit: not permitted: read on refs/heads/master");
assertThat(r).hasProcessed(ImmutableMap.of("refs", 1));
}
@Test
public void groupRefsByMessage() throws Exception {
try (Repository repo = repoManager.openRepository(project);