Checking permissions of users that aren't the caller on the current request
can have implications on the security of the system. The most prominent
one is creating a group-oracle.
To limit the cases where we could potentially expose Gerrit to these
threats, PermissionBackend removes the method that was operating solely
on the provider of the current user.
Change-Id: I601ea1200a15a5f262ca0770b23cc1c7bee126b1
Change I4878f066b6 allowed administrators to toggle the WIP flag on any
change but the UI action was still disabled for admins.
Change-Id: I55dd6400dc07d57fe2aaaf3528ff429d5baf48ed
Signed-off-by: Edwin Kempin <ekempin@google.com>
Passing in a Provider<CurrentUser> into PermissionBackend is
boiler-platy. This change adds a convenience method to PermissionBackend
and DefaultPermissionBackend to limit this boiler-plate. Future commits
will remove #user(Provider<CurrentUser>) from PermissionBackend, once
all callers were moved.
Change-Id: Ifcd07fe2c7d2673a66b2b4f9eff06ee8a3b6b943
Groups have been migrated to NoteDb. Hence we no longer need to be able
to read groups from ReviewDb.
Change-Id: Ie87c1c8e604cf1344af5291f0b369cd24af8387d
Signed-off-by: Edwin Kempin <ekempin@google.com>
This change adds a schema migration that migrates Gerrit groups from
ReviewDb to NoteDb.
In NoteDb groups are stored in group refs in the All-Users repository.
When a group is migrated its group ref in NoteDb is overwritten if it
already exists.
If groups in ReviewDb have already been disabled (e.g. a new Gerrit
instance that directly used groups in NoteDb, or if groups have been
migrated differently) this schema migration does nothing, as we don't
want to overwrite group information in NoteDb with potentially outdated
ReviewDb content.
The commits in the group refs form the audit log of the group. This is
why the migration creates one commit per audit event in the group ref.
When members or subgroups are added or removed they are listed as
footers in the commit message. For subgroups this footer line contains
the group name and the group UUID. The schema migration can set the
proper group name only for Gerrit internal groups and system groups,
but not for external groups since the external group backends, which are
needed to resolve the UUID to the group name, are not available during
init. For groups which cannot be resolved during init the UUID is used
as group name. This is only a cosmetic issue with the commits of the
group refs that might affect human readers of the history. When Gerrit
is reading the audit log it doesn't rely on the group names in the
footers, but resolves the group UUIDs via the group backends.
After the migration has been done all groups are now fully in NoteDb.
The default values for the group migration configuration are changed so
that NoteDb is used as primary storage for groups and groups in ReviewDb
are disabled. Writing groups to NoteDb can no longer be disabled because
after this point there will be no further migration to copy group data
from ReviewDb to NoteDb.
GroupRebuilderIT is merged into the new
Schema_166_to_167_WithGroupsInReviewDbTest.
Change-Id: I530116c8c5a6a5c595d24ca2445ffa921c2d3eb0
Signed-off-by: Edwin Kempin <ekempin@google.com>
Add unit tests for the labels functions.
Check if prolog rules are defined for this project or its parents, and
if not default to the added Java implementations of LabelFunctons.
Before this commit, the Prolog rules engine was always invoked to check
wether a change can be submitted or not, even if no prolog rules were
defined.
Doing so should also make it easier to extract Prolog as a plugin
without losing any of its currently offered features (label functions
and default rules implementation).
The LabelFunction code is inspired by Saša Živkov's change Iffe1567,
adjusted to live directly in the enum.
Change-Id: I5e18b0d494be3f0423bb533ed84a63ea4b8a31df
Some tests want to configure the server ID via the Gerrit config.
InMemoryModule should respect this setting if it is there and only
fallback to the hard-coded server ID if this config is missing.
Change-Id: I8eace895978d221b8d4e726a4c5428bc16f9e77b
Signed-off-by: Edwin Kempin <ekempin@google.com>
E.g. GroupConfigCommitMessage#getFooters is using Sets for the footers
and hence the order was not guaranteed. As result of this tests checking
group audit logs could be flaky.
The AuditLogFormatter in AbstractGroupTest is now loading the real group
names instead of using 'Group <uuid>'. This is needed to control the
order of the subgroup modification footers from the AuditLogReaderTest.
If the real name is not included into these footers the sort order
depends on the generated UUIDs. Since the UUIDs are generated based on
the group name and the server ID they are stable for each run, but
relying on the order of the UUIDs makes the test at least less readable.
The AuditLogFormatter in AbstractGroupTest is loading the group from the
repo each time a group name is needed. Since it's an in memory
repository and there are only few tests using this AuditLogFormatter we
don't bother about caching here.
Reading footers from group config commit messages works regardless of
the order of the footers. This means this change doesn't require
rewriting already existing group refs.
Change-Id: I3eafef10e916890b90d9f9ac222595eaf2246e27
Signed-off-by: Edwin Kempin <ekempin@google.com>
This commit changes this class so that every PBE will be logged
out as an error. But another option is throwing out this
exception since it stands for an error on the server side.
Change-Id: I231ab13ebeb9e5b37788875355d675c17f68745b
By design, PermissionBackendException stands for some error
in the permission backend. It doesn't mean the user doesn't
hold the checked/tested permission. Thus this endpoint should
not catch PBE and treat it the same with AuthException.
Change-Id: Ibbb99fb3648a1bfdbdea922cdb94a77f6824c141
Create project could fail when there are concurrent requests.
For example, in the test
CreateProjectIT#createSameProjectFromTwoConcurrentRequests.
Like other places, it's good to check whether ProjectState is
null before use.
Change-Id: I9dc590912f6ffa1878a3974991f78ccf51ca9ad1
Sometimes this can be useful, e.g. if one developers starts a WIP
change, goes to vacation and another developer makes the change ready.
At the moment the WIP flag cannot be removed by anyone else than the
change owner.
Change-Id: I4878f066b633b349dbfe927480ebb143539bf4d3
Signed-off-by: Edwin Kempin <ekempin@google.com>
Gerrit users active on several Gerrit servers may find it hard to
determine the gerrit instance related to an email.
This commit fixes it by adding a Gerrit instance name to the email
titles, right before the project's short name.
For instance, for a Gerrit instance called "Pear" and the project
"website/forum", the notification email titles will contain "Pear/forum".
Also add configuration to disable this behavior.
Change-Id: I6c842f33ce605125ec64ca7d09643f59aa96a02d
GroupRebuilder and GroupBundle are supposed to be only used by schema
migrations. Make sure that they are not used otherwise by moving them
into the schema package.
Change-Id: I094043259720edec9b60309f0ec0535bf0505d9e
Signed-off-by: Edwin Kempin <ekempin@google.com>
This is better than checking a constant group name that is the same for
all groups.
Change-Id: Ie92327bb1d5f285f3ef65fa229f1b3ee863cd8f6
Signed-off-by: Edwin Kempin <ekempin@google.com>
We want to use GroupRebuilder from a schema migration to migrate Gerrit
groups to NoteDb. For this GroupRebuilder must not depend on classes
which are not available during init:
- Don't use MetaDataUpdate.InternalFactory but instead instantiate
MetaDataUpdate directly (it's okay to use GitReferenceUpdated.DISABLED
since we don't fire events during init and init is the only place
where GroupRebuilder is used).
- Don't create an AuditLogFormatter from account cache, group cache and
server ID but instead require that the AuditLogFormatter is created
and passed in by the caller.
Change-Id: Ib43e3121ec99c38ef4c1a1879c48d879118fb4c4
Signed-off-by: Edwin Kempin <ekempin@google.com>
This will make it easier to use this method from the schema migration
that implements the migration of Gerrit groups to NoteDb.
Change-Id: Ic15d54c240998796bb5e8ad91a8b8144674c8af0
Signed-off-by: Edwin Kempin <ekempin@google.com>
This will allow us to use this method from the schema migration that
implements the migration of Gerrit groups to NoteDb.
Change-Id: I12ba4a0217ae9479f32c6c5f3fc0a834fd127e30
Signed-off-by: Edwin Kempin <ekempin@google.com>
The Gerrit groups will be migrated to NoteDb. Once this is done reading
groups from ReviewDb will be no longer supported and the
AccountGroup*Access classes will be removed.
The GroupBundle class will be used by the schema migration that migrates
the Gerrit groups from ReviewDb to NoteDb and we need to keep this
migration running for some longer time to support Gerrit upgrades.
This means GroupBundle will still exist when the AccountGroup*Access
classes are already gone. Hence to read group data it cannot rely on the
AccountGroup*Access classes, but must use plain SQL to retrieve this
data from ReviewDb.
Change-Id: If4bc99191bc7cd0e713c9666c2d52b278fe3a246
Signed-off-by: Edwin Kempin <ekempin@google.com>
This reverts commit 809de7e70c9a974df0a4c467ab731938c8b81d85.
Reason for revert: Groups are migrated offline with change I530116c8c5a.
Hence, we don't need to prevent any intermediate group updates.
Change-Id: I28113f8dbca7698a2335ae315405e7893636a745
This change partially reverts I84201c0c9d.
A follow-up change will migrate all groups from ReviewDb to NoteDb.
Further follow-up changes will remove all ReviewDb code for groups.
Hence, we don't need this REST endpoint anymore, which only existed
temporarily while implementing groups in NoteDb.
Change-Id: Ia2cf0c75a80e34ef9a8d8c8063b08388fa5fae9c
