We cannot shade bouncycastle in the plugin API. Still we need it to be
included in the gerrit.war, licenses file and Eclipse classpath.
Expose bouncycastle libraries in PLUGIN_TEST_DEPS constant, so that
the plugins don't need to change anything in tree build mode.
gerrit_api() bazlet in bazlets repository is extended too, so that the
plugins don't need to change anything in standalone build mode.
One side effect of this change is that bouncycastle libraries are
now listed with neverlink suffix, e.g.:
* bouncycastle:bcprov-neverlink
Bug: Issue 5826
Change-Id: Idb8051e16b14e20c8dd528783ab297ee25707bb3
Per
https://www.bis.doc.gov/index.php/forms-documents/encryption/328-flowchart-2/file
open source crypto software can be self-classified as 5D002, and
requires only notification of the U.S. Bureau of Industry and
Security.
This registration has been performed by Google, as of Feb 15, 2017.
This gets rid of the special casing for BouncyCastle, simplifying our
build and deployment process.
Change-Id: I680b0a001e5e2e497ed6e62c90c8b8be30efff48
Reformat the Bazel build files with the buildifier tool [1].
The style is different for Bazel files. Most notably, indentation level
is 4 spaces instead of 2, and " is used instead of '.
[1] https://github.com/bazelbuild/buildifier
Change-Id: I95c0c6f11b6d76572797853b4ebb5cee5ebd3c98
To run the tests:
  bazel test //...
To build the Gerrit plugin API, run:
  bazel build gerrit-plugin-api:plugin-api_deploy.jar
To build the Gerrit extension API, run:
  bazel build gerrit-extension-api:extension-api_deploy.jar
TODOs:
* Licenses
* Reduce visibility (all public for now)
* Generate HTML Documentation
* Core plugins
* gerrit_plugin() rule to build plugins in tree and standalone modes
* GWT UI (only gwt_module() skylark rule is provided, no gwt_binary())
* PolyGerrit UI
* WAR
* Publish artifacts to Maven Central
* Ask Bazel team to add Gerrit to their CI on ci.bazel.io
Contributed-By: Han-Wen Nienhuys <hanwen@google.com>
Change-Id: I9a86e670882a44a5c966579cdeb8ed79b1590de3
If the Bouncy Castle Crypto libraries are unsigned, issues result with
the Eclipse build, since they rely on the copy that exists in the
libraries copied by the download_file.py script. As a workaround, use
a genrule in ConvertKey to unsign the JARs manually.
Change-Id: I44d6ad5b05a18258e8bf5400c42f1cbd159e59b2
Since we're a BUCK shop, convert the SSH key converter accordingly.
This requires we mark Bouncy Castle as unsign, even though we
do not include this in our normal Gerrit builds. Also, we had to
add slf4j-nop, since this app doesn't require logging.
Change-Id: I85031192f9172a90512d5f28cf1621c10ad6ebf4
During server startup the warning:
  Disabling cipher <name>: JCE cannot authenticate the provider BC
is emitted for each cipher [1],
and when using SSH, all git operations fail with the error:
  no matching cipher found [2].
This reverts commit 3420d83f39bca93752e62e28080bb65cf4e000d4.
[1] http://paste.openstack.org/show/460590/
[2] http://paste.openstack.org/show/460591/
Change-Id: I8352d6074120f1c148a12d16a013da5965308d9e
Exclude the 2 bouncycastle key files from the 2 downloaded jar files
that are repackaged into our gerrit plugin-api jar. Do so in order to
fix a SecurityException [1] thrown upon using the plugin api from plugin
IT tests [2] in standalone (non-tree) mode.
Indeed, BCKEY.DSA and BCKEY.SF used to be repackaged under META-INF/ in
our gerrit plugin-api jar. Doing so caused that exception [1], as such
BCKEY files did not properly sign our built plugin-api jar; they
strictly belonged to their 2 mother bouncycastle jar files. Our jar used
to have 2 sets of such key files, one set coming from bcprov and the
other from bcpg (the 2 bouncycastle libs involved herein). This fix
removes all 4 of them (BC key files) from the resulting plugin-api jar:
  jar tvf gerrit-plugin-api-2.12-SNAPSHOT.jar | grep BCKEY
  => (before this fix)
   26965 Sun Mar 01 12:09:10 EST 2015 META-INF/BCKEY.SF
    2219 Sun Mar 01 12:09:10 EST 2015 META-INF/BCKEY.DSA
  269297 Sun Mar 01 12:09:32 EST 2015 META-INF/BCKEY.SF
    2219 Sun Mar 01 12:09:32 EST 2015 META-INF/BCKEY.DSA
This fix is first for plugin IT tests [2], which expose this issue as
the first 'pure' plugin-api jar loaders. Such BC libs started to be
-needfully- introduced in acceptance testing by commit ed170f3.
[1] java.lang.SecurityException: Invalid signature file digest for
Manifest main attributes
[2] https://gerrit-review.googlesource.com/#/q/topic:Plugin-IT-tests
Change-Id: Iea2c61ea026e8ee17684a82f0ec41d77d30e02e5
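An added example, not part of the commit above or of Gerrit's build: a Python check that lists the signature files a repackaged jar carries and rewrites the jar without them, which is the effect the fix describes. The sample jar, its dummy contents and the name `com/example/Plugin.class` are constructed for illustration.

```python
import io
import re
import warnings
import zipfile

# Signature-related files per the JAR specification. A jar that carries them is
# treated as signed, so leftovers from merged libraries break verification.
SIG_RE = re.compile(r"^META-INF/(?:[^/]+\.(?:SF|DSA|RSA|EC)|SIG-[^/]*)$", re.IGNORECASE)


def signature_entries(jar_bytes):
    """Return every signature-related entry name, duplicates included."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return [i.filename for i in jar.infolist() if SIG_RE.match(i.filename)]


def strip_signatures(jar_bytes):
    """Repackage a jar without signature files; keep the first copy of other entries."""
    out = io.BytesIO()
    seen = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if SIG_RE.match(info.filename) or info.filename in seen:
                continue
            seen.add(info.filename)
            dst.writestr(info.filename, src.read(info))
    return out.getvalue()


def build_sample_jar():
    """Constructed stand-in for a jar merged from two signed libraries."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)  # zipfile warns on duplicate names
        with zipfile.ZipFile(buf, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            for lib in ("bcprov", "bcpg"):  # one signature set per merged library
                jar.writestr("META-INF/BCKEY.SF", f"dummy .SF from {lib}\n")
                jar.writestr("META-INF/BCKEY.DSA", f"dummy .DSA from {lib}\n")
            jar.writestr("com/example/Plugin.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_jar()
    print("before:", signature_entries(sample))
    print("after: ", signature_entries(strip_signatures(sample)))
```

Running `signature_entries` as a build check on a repackaged jar catches this class of failure before the jar is loaded by a JVM.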
Since there is no official 0.9.1 release of the SSHD yet, the
0.9.0-4-g5967cfd version was built from the 0.9.x branch and uploaded to
the Google cloud storage.
This change reverts the following Gerrit commits:
3d9c70c SSHD: Update to 0.13.0
52e4e0c Bump SSHD Mina version to 2.0.8
3921163 Don't use deprecated PGPPublicKeyRingCollection constructor
13452f4 Bump Bouncycastle version to 1.51
5f7d5a7 Update EncryptedContactStore to not use deprecated/removed methods
f69698c Update SSHD to 0.11.1-atlassian-1
67c38c8 Added global request handlers to SshDaemon
c31e17f Update sshd to 0.11.0
b9c66ea Bump SSHD version to 0.10.1 and enable nio2 backend
The reason for the downgrade (copied from the change 60161):
SSHD release 0.9 is known to be free from exhausting thread pool problem
[1]. Unfortunately 0.9 release suffers from sporadic handshake failures
[2]. The fix cannot be cleanly cherry-picked to 0.9 release. The back
port of this fix [3] is tracked under its own issue [4], was uploaded as
PR for SSHD Mina's GH repository [5] and merged recently [6].
Moreover, 0.9 suffers from "Authenticated with partial success" issue [7]
that was fixed by [8], [9]; this patch must be applied as well.
This reverts commit dc7318b8eeda15732d4d2865fc5a7a0a68b3be15.
[1] https://issues.apache.org/jira/browse/SSHD-348
[2] https://issues.apache.org/jira/browse/SSHD-330
[3] https://git-wip-us.apache.org/repos/asf?p=mina-sshd.git;a=commit;\
h=2aed686bdb21681a421033c6ee5997e5cd8a9a83
[4] https://issues.apache.org/jira/browse/SSHD-356
[5] https://github.com/apache/mina-sshd/pull/7
[6] https://git-wip-us.apache.org/repos/asf?p=mina-sshd.git;a=commit;\
h=cc7162acf7ca89561ca57a9c68de735f17bf168b
[7] https://issues.apache.org/jira/browse/SSHD-254
[8] https://git-wip-us.apache.org/repos/asf?p=mina-sshd.git;a=commit;\
h=28a8ae258b08c6b41ab64ac25f2331168dc0415a
[9] https://gerrit-review.googlesource.com/51516
Change-Id: I889fb02c2cb1aa5df2cf8dcabace086f5094a914
937d527ac0e4ee685fccb60ae604406a6638daec upgraded bouncy castle to 1.49.
The old JAR artifact was renamed and split into a number of files. For Gerrit,
two libraries must be downloaded and be available under `$gerrit_site/lib`:
* bcprov-jdk15on-149.jar
* bcpkix-jdk15on-149.jar
Update download logic to support a basic concept of required dependencies,
ensuring BC provider is downloaded if the SSL library is installed by init.
Change-Id: I60092ebe136f78a5649fe8512737275f50195a34
Many bugs were fixed since version 1.44 that we are using [1].
JAR artifacts were renamed.
[1] http://www.bouncycastle.org/releasenotes.html
Change-Id: Ie2b22328c77b0100dfff61139b737894b88e7664
Implement a new build system using Buck [1], Facebook's
open source clone of Google's internal build system.
Pros:
- Concise build language
- Test and build output is concise
- Test failures and stack traces show on terminal
- Reliable incrementals; clean is unnecessary
- Extensible with simple blocks of Python
- Fast
    buck: clean: 0.452s, full 1m21.083s [*], no-op:  7.145s,
    mvn:  clean: 4.596s, full 2m53.776s,     no-op: 59.108s,
    [*] full build includes downloading all dependencies,
        time can vary due to remote server performance.
Cons:
- No Windows support
- No native Maven Central support (added by macros)
- No native GWT, Prolog, or WAR support (added by macros)
- Bootstrap of buck requires Ant
Getting started:
  git clone https://gerrit.googlesource.com/buck
  cd buck
  ant
  Mac OS X:
    PATH="`pwd`/bin:/System/Library/Frameworks/JavaVM.framework/Versions/Current/Commands:$PATH"
  Linux:
    PATH="`pwd`/bin:$PATH"
Importing into Eclipse:
  $ time buck build :eclipse
  0m48.949s
  Import existing project from `pwd`
  Import 'gerrit' (do not import other Maven based projects)
  Expand 'gerrit'
  Right click 'buck-out' > Properties
  Under Attributes check 'Derived'
  If the code doesn't currently compile but an updated classpath
  is needed, refresh the configs and obtain missing JARs:
  $ buck build :eclipse_project :download
Running JUnit tests:
  $ time buck test --all -e slow # skip slow tests
  0m19.320s
  $ time buck test --all # includes acceptance tests
  5m17.517s
Building WAR:
  $ buck build :gerrit
  $ java -jar buck-out/gen/gerrit.war
Building release:
  $ buck test --all && buck build :api :release
  $ java -jar buck-out/gen/release.war
  $ ls -lh buck-out/gen/{extension,plugin}-api.jar
Downloading dependencies:
  Dependencies are normally downloaded automatically, but Buck can
  inspect its graph and download missing dependencies so future
  compiles can run without the network:
  $ buck build :download
[1] http://facebook.github.io/buck/
Change-Id: I40853b108bd8e153cefa0896a5280a9a5ff81655