Looking at the history of the refs/meta/external-ids branch in All-Users
we can see from the commit messages why and from where an
external ID was updated (e.g. see [1]).

However, to investigate issues with external IDs we often want to look at
the external IDs of a specific user and how they have changed over time.
Finding all commits that modified an external ID of an account/email is
difficult because this information is only contained in the blobs.

To make this easier we now add the affected accounts/emails as footers
in the commit message when updating external IDs (e.g. see [2]).

[1]
commit 4ccc8d21f3702ef145b1c5824e87cf93010a39d3 (refs/meta/external-ids)
Author: Gerrit Code Review <ekempin@ekempin0.muc.corp.google.com>
Date: Wed Mar 28 14:03:15 2018 +0200

    Link External ID

commit 4b733408ab4697539aeb4265028589f5811ee3ad
Author: Administrator <ekempin@ekempin0.muc.corp.google.com>
Date: Mon Mar 5 16:20:06 2018 +0100

    Set HTTP Password via API

commit cee914f803ec07549cf0dbf604634a2484f077b6
Author: Gerrit Code Review <ekempin@ekempin0.muc.corp.google.com>
Date: Fri Feb 2 08:26:08 2018 +0100

    Create Account on First Login

[2]
commit 4ccc8d21f3702ef145b1c5824e87cf93010a39d3 (refs/meta/external-ids)
Author: Gerrit Code Review <ekempin@ekempin0.muc.corp.google.com>
Date: Wed Mar 28 14:03:15 2018 +0200

    Link External ID

    Account: 1000004
    Email: foo@example.com

commit 4b733408ab4697539aeb4265028589f5811ee3ad
Author: Administrator <ekempin@ekempin0.muc.corp.google.com>
Date: Mon Mar 5 16:20:06 2018 +0100

    Set HTTP Password via API

    Account: 1000015

commit cee914f803ec07549cf0dbf604634a2484f077b6
Author: Gerrit Code Review <ekempin@ekempin0.muc.corp.google.com>
Date: Fri Feb 2 08:26:08 2018 +0100

    Create Account on First Login

    Account: 1000015

Change-Id: I26e72866e8effe777945c1f197bc0aeed6d3ddb1
Signed-off-by: Edwin Kempin <ekempin@google.com>

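Added example (not part of the commit message above and not Gerrit code): a small Python parser that indexes `git log` output from refs/meta/external-ids by the `Account:` and `Email:` footers, so the external-ID history of one account can be listed. The sample log is constructed from the commits shown in [2] with the author lines omitted, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: `git log refs/meta/external-ids` output reusing the
# commits shown in [2] above (author lines omitted).
SAMPLE_LOG = """\
commit 4ccc8d21f3702ef145b1c5824e87cf93010a39d3
Date:   Wed Mar 28 14:03:15 2018 +0200

    Link External ID

    Account: 1000004
    Email: foo@example.com

commit 4b733408ab4697539aeb4265028589f5811ee3ad
Date:   Mon Mar 5 16:20:06 2018 +0100

    Set HTTP Password via API

    Account: 1000015

commit cee914f803ec07549cf0dbf604634a2484f077b6
Date:   Fri Feb 2 08:26:08 2018 +0100

    Create Account on First Login

    Account: 1000015
"""

# git log indents message lines by four spaces; footers are "Key: value".
FOOTER = re.compile(r"^    (Account|Email): (\S+)$")

def index_by_footer(log_text):
    """Map ('Account'|'Email', value) -> [(sha, subject), ...], newest first."""
    index = defaultdict(list)
    sha = subject = None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            sha, subject = line.split()[1], None
        elif line.startswith("    ") and sha:
            m = FOOTER.match(line)
            if m:
                index[(m.group(1), m.group(2))].append((sha, subject))
            elif subject is None and line.strip():
                subject = line.strip()  # first non-blank message line
    return dict(index)

def history_for_account(log_text, account_id):
    """Return the commits whose footers name the given account ID."""
    return index_by_footer(log_text).get(("Account", str(account_id)), [])
```

Against a live All-Users repository the same footers can be matched directly with `git log --grep='^Account: 1000015$' refs/meta/external-ids`.
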
Checking permissions of users that aren't the caller of the current request
can have implications on the security of the system. The most prominent
one is creating a group-oracle.

A group-oracle is created when a user who can modify the access settings
of a host or project can use a feature of the system to get feedback if
a specified user has access to a resource. If access was granted by
group-membership through an external group, this can be used to probe
for membership in the external system.

To limit the cases where we could potentially expose Gerrit to these
threats, PermissionBackend adds a new method to provide checks for absent
users. We consider a user to be absent if they are not the issuer of the
current request and not the target of impersonation.

This way, we can easily check where we perform permission checks on
absent users. We can use this knowledge to better assess and mitigate
this risk.

PermissionBackends that do not support impersonation can have a
checkState() call in PermissionBackend#user() to ensure the provided
user is the current user.

This commit migrates the first caller to use #absentUser(). Follow-up
commits will migrate the rest.

Change-Id: Iea329f9bbbff74d1bd3521ccd2ec217c2befefc0

Groups are now in NoteDb and the group tables in ReviewDb are no longer
needed.
Change-Id: I5fcff38aa88f2c62921f5bc9c891ba7299a67b33
Signed-off-by: Edwin Kempin <ekempin@google.com>

This has always been allowed for input types that have a @DefaultInput.
Previously, a body-less POST to /a/changes/.../submit would return a
400 error because SubmitInput has no default input fields.
Change-Id: Ie0741e7f1082c2bf95bc89acf3a31d1ce3091d0c

Checking permissions of users that aren't the caller on the current request
can have implications on the security of the system. The most prominent
one is creating a group-oracle.
To limit the cases where we could potentially expose Gerrit to these
threats, PermissionBackend removes the method that was operating solely
on the provider of the current user.
Change-Id: I601ea1200a15a5f262ca0770b23cc1c7bee126b1

Change I4878f066b6 allowed administrators to toggle the WIP flag on any
change but the UI action was still disabled for admins.
Change-Id: I55dd6400dc07d57fe2aaaf3528ff429d5baf48ed
Signed-off-by: Edwin Kempin <ekempin@google.com>

Passing in a Provider<CurrentUser> into PermissionBackend is
boiler-platy. This change adds a convenience method to PermissionBackend
and DefaultPermissionBackend to limit this boiler-plate. Future commits
will remove #user(Provider<CurrentUser>) from PermissionBackend, once
all callers were moved.
Change-Id: Ifcd07fe2c7d2673a66b2b4f9eff06ee8a3b6b943

Groups have been migrated to NoteDb. Hence we no longer need to be able
to read groups from ReviewDb.
Change-Id: Ie87c1c8e604cf1344af5291f0b369cd24af8387d
Signed-off-by: Edwin Kempin <ekempin@google.com>

This change adds a schema migration that migrates Gerrit groups from
ReviewDb to NoteDb.

In NoteDb groups are stored in group refs in the All-Users repository.
When a group is migrated its group ref in NoteDb is overwritten if it
already exists.

If groups in ReviewDb have already been disabled (e.g. a new Gerrit
instance that directly used groups in NoteDb, or if groups have been
migrated differently) this schema migration does nothing, as we don't
want to overwrite group information in NoteDb with potentially outdated
ReviewDb content.

The commits in the group refs form the audit log of the group. This is
why the migration creates one commit per audit event in the group ref.
When members or subgroups are added or removed they are listed as
footers in the commit message. For subgroups this footer line contains
the group name and the group UUID. The schema migration can set the
proper group name only for Gerrit internal groups and system groups,
but not for external groups since the external group backends, which are
needed to resolve the UUID to the group name, are not available during
init. For groups which cannot be resolved during init the UUID is used
as group name. This is only a cosmetic issue with the commits of the
group refs that might affect human readers of the history. When Gerrit
is reading the audit log it doesn't rely on the group names in the
footers, but resolves the group UUIDs via the group backends.

After the migration has been done all groups are now fully in NoteDb.
The default values for the group migration configuration are changed so
that NoteDb is used as primary storage for groups and groups in ReviewDb
are disabled. Writing groups to NoteDb can no longer be disabled because
after this point there will be no further migration to copy group data
from ReviewDb to NoteDb.

GroupRebuilderIT is merged into the new
Schema_166_to_167_WithGroupsInReviewDbTest.

Change-Id: I530116c8c5a6a5c595d24ca2445ffa921c2d3eb0
Signed-off-by: Edwin Kempin <ekempin@google.com>

Add unit tests for the labels functions.

Check if Prolog rules are defined for this project or its parents, and
if not default to the added Java implementations of LabelFunctions.

Before this commit, the Prolog rules engine was always invoked to check
whether a change can be submitted or not, even if no Prolog rules were
defined.

Doing so should also make it easier to extract Prolog as a plugin
without losing any of its currently offered features (label functions
and default rules implementation).

The LabelFunction code is inspired by Saša Živkov's change Iffe1567,
adjusted to live directly in the enum.

Change-Id: I5e18b0d494be3f0423bb533ed84a63ea4b8a31df

Some tests want to configure the server ID via the Gerrit config.
InMemoryModule should respect this setting if it is there and only
fall back to the hard-coded server ID if this config is missing.

Change-Id: I8eace895978d221b8d4e726a4c5428bc16f9e77b
Signed-off-by: Edwin Kempin <ekempin@google.com>

E.g. GroupConfigCommitMessage#getFooters is using Sets for the footers
and hence the order was not guaranteed. As a result of this, tests checking
group audit logs could be flaky.

The AuditLogFormatter in AbstractGroupTest is now loading the real group
names instead of using 'Group <uuid>'. This is needed to control the
order of the subgroup modification footers from the AuditLogReaderTest.
If the real name is not included in these footers the sort order
depends on the generated UUIDs. Since the UUIDs are generated based on
the group name and the server ID they are stable for each run, but
relying on the order of the UUIDs makes the test at least less readable.

The AuditLogFormatter in AbstractGroupTest is loading the group from the
repo each time a group name is needed. Since it's an in-memory
repository and there are only a few tests using this AuditLogFormatter we
don't bother about caching here.

Reading footers from group config commit messages works regardless of
the order of the footers. This means this change doesn't require
rewriting already existing group refs.

Change-Id: I3eafef10e916890b90d9f9ac222595eaf2246e27
Signed-off-by: Edwin Kempin <ekempin@google.com>

This commit changes this class so that every PBE will be logged
out as an error. But another option is throwing out this
exception since it stands for an error on the server side.
Change-Id: I231ab13ebeb9e5b37788875355d675c17f68745b

By design, PermissionBackendException stands for some error
in the permission backend. It doesn't mean the user doesn't
hold the checked/tested permission. Thus this endpoint should
not catch PBE and treat it the same as AuthException.

Change-Id: Ibbb99fb3648a1bfdbdea922cdb94a77f6824c141

Create project could fail when there are concurrent requests.
For example, in the test
CreateProjectIT#createSameProjectFromTwoConcurrentRequests.
Like other places, it's good to check whether ProjectState is
null before use.
Change-Id: I9dc590912f6ffa1878a3974991f78ccf51ca9ad1

Sometimes this can be useful, e.g. if one developer starts a WIP
change, goes on vacation and another developer makes the change ready.
At the moment the WIP flag cannot be removed by anyone other than the
change owner.

Change-Id: I4878f066b633b349dbfe927480ebb143539bf4d3
Signed-off-by: Edwin Kempin <ekempin@google.com>

Gerrit users active on several Gerrit servers may find it hard to
determine the Gerrit instance related to an email.

This commit fixes it by adding a Gerrit instance name to the email
titles, right before the project's short name.

For instance, for a Gerrit instance called "Pear" and the project
"website/forum", the notification email titles will contain "Pear/forum".

Also add configuration to disable this behavior.

Change-Id: I6c842f33ce605125ec64ca7d09643f59aa96a02d

GroupRebuilder and GroupBundle are supposed to be only used by schema
migrations. Make sure that they are not used otherwise by moving them
into the schema package.
Change-Id: I094043259720edec9b60309f0ec0535bf0505d9e
Signed-off-by: Edwin Kempin <ekempin@google.com>