ChangeNotesParser: Hoist server id check to ChangeNotes
In some contexts (e.g. analytics plugin) allow ChangeNotesParser to return ChangeNotesStates objects containing the account instances from foreign servers. It would be bad if these objects escaped the analytics plugin and got used elsewhere in other Gerrit APIs. Any solution that allows parsing arbitrary serverIds from analytics plugin should also include some safety provisions so it doesn't cause unintended consequences elsewhere in Gerrit core/Gerrit plugin API.

Here is the plan:

* Add a serverId field to ChangeNotesState
* Modify ChangeNotesParser/NoteDbUtil to allow any serverId during the parsing phase
* In ChangeNotes, reject any ChangeNotesState that has a serverId not matching the serverId of the running server
* If serverId is not present, the cached entry was populated with an earlier version and thus serverId has already been checked
* Since analytics plugin won't be using ChangeNotes, it doesn't need to run the check that the serverId in the ChangeNotesState matches the current server
* Outside of the NoteDb code, all or almost all Gerrit APIs use ChangeNotes, not ChangeNotesState
* So with the above approach, it should be mostly impossible to ever see notes in non-analytics contexts with a mismatched serverId.

Inspired-By: Dave Borowitz <dborowitz@google.com>
Feature: Issue 10174
Change-Id: I9b43f8479206b6373edad857251cecdfde917269
@@ -22,6 +22,7 @@ import static java.util.Objects.requireNonNull;
|
||||
|
||||
import com.google.auto.value.AutoValue;
|
||||
import com.google.common.annotations.VisibleForTesting;
|
||||
import com.google.common.base.Strings;
|
||||
import com.google.common.collect.ImmutableList;
|
||||
import com.google.common.collect.ImmutableListMultimap;
|
||||
import com.google.common.collect.ImmutableSet;
|
||||
@@ -503,6 +504,19 @@ public class ChangeNotes extends AbstractChangeNotes<ChangeNotes> {
|
||||
ChangeNotesCache.Value v =
|
||||
args.cache.get().get(getProjectName(), getChangeId(), rev, handle::walk);
|
||||
state = v.state();
|
||||
|
||||
String stateServerId = state.serverId();
|
||||
/**
|
||||
* In earlier Gerrit versions serverId wasn't part of the change notes cache. That's why the
|
||||
* earlier cached entries don't have the serverId attribute. That's fine because in earlier
|
||||
* gerrit version serverId was already validated. Another approach to simplify the check would
|
||||
* be to bump the cache version, but that would invalidate all persistent cache entries, what we
|
||||
* rather try to avoid.
|
||||
*/
|
||||
checkState(
|
||||
Strings.isNullOrEmpty(stateServerId) || args.serverId.equals(stateServerId),
|
||||
String.format("invalid server id, expected %s: actual: %s", args.serverId, stateServerId));
|
||||
|
||||
state.copyColumnsTo(change);
|
||||
revisionNoteMap = v.revisionNoteMap();
|
||||
}
|
||||
|
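Review bot: The Strings.isNullOrEmpty(stateServerId) branch of the checkState makes this guard fail open: any ChangeNotesState without a serverId is accepted, so the protection holds only if every state parsed from now on carries a non-empty serverId. The visible lines do not show that being enforced, so please assert it where the state is built, or add a test that a freshly parsed state has a serverId and that a mismatched one is rejected here. Two smaller points on the same lines: String.format(...) is evaluated on every load even when the check passes, so if checkState is Guava's Preconditions.checkState, pass the template and the two arguments directly ("invalid server id, expected %s: actual: %s", args.serverId, stateServerId); and the /** ... */ block inside the method body is Javadoc syntax for what is an implementation comment, so a plain // or /* */ comment fits better.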