This exception was only used by the project access handlers. It was not
given any special treatment by RestApiServlet, so it was propagated as a
500, which was probably not the intent. Replace all usages with
AuthException.
Change-Id: I134cbd4155de306fe443865be5e0ea9c4e711b7a
Fix two test failures due to the merge:
* StandaloneNoteDbMigrationIT assumed that GCing All-Users would prune
all loose objects, whereas in recent JGit versions, unreachable
objects are left loose unless gc.pruneExpire is set to "now". Do this
in the tests.
* AbstractQueryChangesTest#watched modifies the user's project watches.
In the master branch, watches are now stored in the AccountState
instance, so we need to recreate the IdentifiedUser in order to reload
the AccountState.
* origin/stable-2.15: (33 commits)
Release 2.15
Mention groups index in documentation of index start command
Enable UI action to toggle WIP flag for admins
Docs: Clarify that for external groups the name in GroupInfo can be missing
AccountGroupAuditLogScreen: Display group UUID if group name is missing
GetAuditLog: Fix NPE if group UUID cannot be resolved
Limit assignee suggestions to users that can see the change
Add account predicate that checks if user can see a certain change
Allow admins to toggle the WIP flag on all changes
Included-In dialog polish
PolyGerrit: Add support for "Included In"
Make template testing faster
Limit assignee suggestions to users that can see the change
Add account predicate that checks if user can see a certain change
AbstractQueryChangesTest: Extend byDraftBy to include test for "has:draft"
AbstractQueryChangesTest: Add explicit tests for is:watched and watchedby:
AbstractQueryChangesTest: Add explicit tests for is:abandoned and status:abandoned
user-search: Clarify behavior of default search resulting in single change
user-search: Fix query used in "My > Watched Changes"
Documentation: Clarify ref-updated event content when ref is deleted
Update git submodules
Fix markup in Documentation section sendemail
Allow graceful rolling restarts
Release 2.15-rc4
user-search: Remove incorrect statement about default searches
user-search: Fix incorrect label: search example
StandaloneSiteTest: Ignore user and system git config
Fix documentation about create and delete branches
GcAllUsers: Respect gc.auto=0 in All-Users
GcAllUsers: Add extra log line in online case
MigrateToNoteDb: Auto-flush and close GC writer
Turn off autoReindexIfStale by default
GC All-Users after migrating to NoteDb
Change-Id: If2dff6bd1e0b299be75878aca3bc45103a5a875f
All int range fields must be stored. This is why FieldDef#intRange
already calls the stored() method. Calling it again for int range
fields in ChangeField is unneeded.
Change-Id: I04c11c70568a0ac510a9b95bc1a4489a4e34f9e8
Signed-off-by: Edwin Kempin <ekempin@google.com>
RefUtil is a utility class which only contains statics. Add a private
constructor to prevent creating an instance of it.
Change-Id: If689d8e91886fb98b078d68ef6f6d5d9edf1ccfa
PermissionBackend is supposed to only contain permission related checks.
Apparently, this #isHidden is a project state check rather than a
permission check. Thus it should be removed from the ProjectControl,
which is part of the DefaultPermissionBackend.
Before removing this, "ACCESS" permission checks for hidden projects will
only succeed for the project owners. After removing, they may also succeed
for other users, e.g. internal user.
The existing checks for "ACCESS" could be divided into two categories
based on whether it's helpful for users to change the configuration of
the project state or not.
For the helpful case, this commit preserves the current behavior of
the "ACCESS" check on hidden projects by checking the "READ_CONFIG"
permission which will only succeed for the project owners. For the
other case, this commit rejects directly even for project owners if
the project is hidden.
Change-Id: I20743e6380129eea7cb942d8d9ccad314e29d187
The reviewers plugin passes null as changeNotes to the
ReviewersUtil#suggestReviewers method which led to a
NullPointerException.
Mark changesNotes as Nullable and expect that it can be null.
Change-Id: I6d1656ed7e44719130dd2da393906518b2833245
Signed-off-by: Edwin Kempin <ekempin@google.com>
PermissionBackend should only do permission related checks.
Non-permission related checks must be done outside of the
PermissionBackend. Like the case in this commit, the caller
should verify the change is deletable before checking the
DELETE permission.
ChangePermission.DELETE is only used in the DeleteChange
endpoint, which makes it very easy to remove.
Change-Id: I5aa477facf2ca64e6f9aa64fad173a2db081430e
Looking at the history of the refs/meta/external-ids branch in All-Users
we can see from the commit messages why and from where an
external ID was updated (e.g. see [1]).
However to investigate issues with external IDs we often want to look at
the external IDs of a specific user and how they have changed over time.
Finding all commits that modified an external of an account/email is
difficult because this information is only contained in the blobs.
To make this easier we now add the affected accounts/emails as footers
in the commit message when updating external IDs (e.g. see [2]).
[1]
  commit 4ccc8d21f3702ef145b1c5824e87cf93010a39d3 (refs/meta/external-ids)
  Author: Gerrit Code Review <ekempin@ekempin0.muc.corp.google.com>
  Date: Wed Mar 28 14:03:15 2018 +0200

      Link External ID

  commit 4b733408ab4697539aeb4265028589f5811ee3ad
  Author: Administrator <ekempin@ekempin0.muc.corp.google.com>
  Date: Mon Mar 5 16:20:06 2018 +0100

      Set HTTP Password via API

  commit cee914f803ec07549cf0dbf604634a2484f077b6
  Author: Gerrit Code Review <ekempin@ekempin0.muc.corp.google.com>
  Date: Fri Feb 2 08:26:08 2018 +0100

      Create Account on First Login

[2]
  commit 4ccc8d21f3702ef145b1c5824e87cf93010a39d3 (refs/meta/external-ids)
  Author: Gerrit Code Review <ekempin@ekempin0.muc.corp.google.com>
  Date: Wed Mar 28 14:03:15 2018 +0200

      Link External ID

      Account: 1000004
      Email: foo@example.com

  commit 4b733408ab4697539aeb4265028589f5811ee3ad
  Author: Administrator <ekempin@ekempin0.muc.corp.google.com>
  Date: Mon Mar 5 16:20:06 2018 +0100

      Set HTTP Password via API

      Account: 1000015

  commit cee914f803ec07549cf0dbf604634a2484f077b6
  Author: Gerrit Code Review <ekempin@ekempin0.muc.corp.google.com>
  Date: Fri Feb 2 08:26:08 2018 +0100

      Create Account on First Login

      Account: 1000015

Change-Id: I26e72866e8effe777945c1f197bc0aeed6d3ddb1
Signed-off-by: Edwin Kempin <ekempin@google.com>
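
An added example, not part of the Gerrit change above: with Account/Email footers in place as in [2], the history of one account's external IDs can be filtered from `git log` text without opening any blob. The function names (`parse_log`, `history_for`, `unattributed`) are hypothetical, and the sample log reuses the three commits from [2] plus one constructed placeholder commit without footers, standing in for commits written before this change.

```python
import re
# Text of `git log refs/meta/external-ids`: three commits from example [2] (Author/Date
# headers left out) plus a constructed placeholder commit that has no footers.
SAMPLE_LOG = """\
commit 4ccc8d21f3702ef145b1c5824e87cf93010a39d3

    Link External ID

    Account: 1000004
    Email: foo@example.com

commit 4b733408ab4697539aeb4265028589f5811ee3ad

    Set HTTP Password via API

    Account: 1000015

commit cee914f803ec07549cf0dbf604634a2484f077b6

    Create Account on First Login

    Account: 1000015

commit 0000000000000000000000000000000000000000

    Create Account on First Login
"""

def parse_log(text):
    """Split `git log` text into commits and collect Account/Email footers."""
    commits = []
    chunks = re.split(r"^(?=commit [0-9a-f]{40}\b)", text, flags=re.M)
    for chunk in filter(str.strip, chunks):
        header, _, message = chunk.partition("\n\n")  # headers end at first blank line
        paragraphs = re.split(r"\n\s*\n", message.strip())
        footers = {}
        if len(paragraphs) > 1:  # footers are the last paragraph, never the subject
            for line in paragraphs[-1].splitlines():
                if m := re.match(r"(Account|Email): (.+)$", line.strip()):
                    footers.setdefault(m.group(1), set()).add(m.group(2))
        commits.append({"sha": header.split()[1], "footers": footers})
    return commits

def history_for(commits, key, value):
    """SHAs, in log order, whose footers name the given account or email."""
    return [c["sha"] for c in commits if value in c["footers"].get(key, ())]

def unattributed(commits):  # no footers: only the blobs say which account changed
    return [c["sha"] for c in commits if not c["footers"]]
```

Commits returned by `unattributed` are the ones an investigation still has to resolve by reading the external ID blobs.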
Checking permissions of users that aren't the caller of the current request
can have implications on the security of the system. The most prominent
one is creating a group-oracle.
A group-oracle is created when a user who can modify the access settings
of a host or project can use a feature of the system to get feedback if
a specified user has access to a resource. If access was granted by
group-membership through an external group, this can be used to probe
for membership in the external system.
To limit the cases where we could potentially expose Gerrit to these
threats, PermissionBackend adds a new method to provide checks for absent
users. We consider a user to be absent if they are not the issuer of the
current request and not the target of impersonation.
This way, we can easily check where we perform permission checks on
absent users. We can use this knowledge to better assess and mitigate
this risk.
PermissionBackends that do not support impersonation can have a
checkState() call in PermissionBackend#user() to ensure the provided
user is the current user.
This commit migrates the first caller to use #absentUser(). Follow-up
commits will migrate the rest.
Change-Id: Iea329f9bbbff74d1bd3521ccd2ec217c2befefc0
Groups are now in NoteDb and the group tables in ReviewDb are no longer
needed.
Change-Id: I5fcff38aa88f2c62921f5bc9c891ba7299a67b33
Signed-off-by: Edwin Kempin <ekempin@google.com>
This has always been allowed for input types that have a @DefaultInput.
Previously, a body-less POST to /a/changes/.../submit would return a
400 error because SubmitInput has no default input fields.
Change-Id: Ie0741e7f1082c2bf95bc89acf3a31d1ce3091d0c
Checking permissions of users that aren't the caller on the current request
can have implications on the security of the system. The most prominent
one is creating a group-oracle.
To limit the cases where we could potentially expose Gerrit to these
threats, PermissionBackend removes the method that was operating solely
on the provider of the current user.
Change-Id: I601ea1200a15a5f262ca0770b23cc1c7bee126b1
Change I4878f066b6 allowed administrators to toggle the WIP flag on any
change but the UI action was still disabled for admins.
Change-Id: I55dd6400dc07d57fe2aaaf3528ff429d5baf48ed
Signed-off-by: Edwin Kempin <ekempin@google.com>
Passing in a Provider<CurrentUser> into PermissionBackend is
boiler-platy. This change adds a convenience method to PermissionBackend
and DefaultPermissionBackend to limit this boiler-plate. Future commits
will remove #user(Provider<CurrentUser>) from PermissionBackend, once
all callers were moved.
Change-Id: Ifcd07fe2c7d2673a66b2b4f9eff06ee8a3b6b943
Groups have been migrated to NoteDb. Hence we no longer need to be able
to read groups from ReviewDb.
Change-Id: Ie87c1c8e604cf1344af5291f0b369cd24af8387d
Signed-off-by: Edwin Kempin <ekempin@google.com>
This change adds a schema migration that migrates Gerrit groups from
ReviewDb to NoteDb.
In NoteDb groups are stored in group refs in the All-Users repository.
When a group is migrated its group ref in NoteDb is overwritten if it
already exists.
If groups in ReviewDb have already been disabled (e.g. a new Gerrit
instance that directly used groups in NoteDb, or if groups have been
migrated differently) this schema migration does nothing, as we don't
want to overwrite group information in NoteDb with potentially outdated
ReviewDb content.
The commits in the group refs form the audit log of the group. This is
why the migration creates one commit per audit event in the group ref.
When members or subgroups are added or removed they are listed as
footers in the commit message. For subgroups this footer line contains
the group name and the group UUID. The schema migration can set the
proper group name only for Gerrit internal groups and system groups,
but not for external groups since the external group backends, which are
needed to resolve the UUID to the group name, are not available during
init. For groups which cannot be resolved during init the UUID is used
as group name. This is only a cosmetic issue with the commits of the
group refs that might affect human readers of the history. When Gerrit
is reading the audit log it doesn't rely on the group names in the
footers, but resolves the group UUIDs via the group backends.
After the migration has been done all groups are now fully in NoteDb.
The default values for the group migration configuration are changed so
that NoteDb is used as primary storage for groups and groups in ReviewDb
are disabled. Writing groups to NoteDb can no longer be disabled because
after this point there will be no further migration to copy group data
from ReviewDb to NoteDb.
GroupRebuilderIT is merged into the new
Schema_166_to_167_WithGroupsInReviewDbTest.
Change-Id: I530116c8c5a6a5c595d24ca2445ffa921c2d3eb0
Signed-off-by: Edwin Kempin <ekempin@google.com>
Add unit tests for the labels functions.
Check if prolog rules are defined for this project or its parents, and
if not default to the added Java implementations of LabelFunctions.
Before this commit, the Prolog rules engine was always invoked to check
whether a change can be submitted or not, even if no prolog rules were
defined.
Doing so should also make it easier to extract Prolog as a plugin
without losing any of its currently offered features (label functions
and default rules implementation).
The LabelFunction code is inspired by Saša Živkov's change Iffe1567,
adjusted to live directly in the enum.
Change-Id: I5e18b0d494be3f0423bb533ed84a63ea4b8a31df
Some tests want to configure the server ID via the Gerrit config.
InMemoryModule should respect this setting if it is there and only
fallback to the hard-coded server ID if this config is missing.
Change-Id: I8eace895978d221b8d4e726a4c5428bc16f9e77b
Signed-off-by: Edwin Kempin <ekempin@google.com>
E.g. GroupConfigCommitMessage#getFooters is using Sets for the footers
and hence the order was not guaranteed. As a result of this, tests checking
group audit logs could be flaky.
The AuditLogFormatter in AbstractGroupTest is now loading the real group
names instead of using 'Group <uuid>'. This is needed to control the
order of the subgroup modification footers from the AuditLogReaderTest.
If the real name is not included into these footers the sort order
depends on the generated UUIDs. Since the UUIDs are generated based on
the group name and the server ID they are stable for each run, but
relying on the order of the UUIDs makes the test at least less readable.
The AuditLogFormatter in AbstractGroupTest is loading the group from the
repo each time a group name is needed. Since it's an in memory
repository and there are only a few tests using this AuditLogFormatter we
don't bother about caching here.
Reading footers from group config commit messages works regardless of
the order of the footers. This means this change doesn't require
rewriting already existing group refs.
Change-Id: I3eafef10e916890b90d9f9ac222595eaf2246e27
Signed-off-by: Edwin Kempin <ekempin@google.com>
This commit changes this class so that every PBE will be logged
out as an error. But another option is throwing out this
exception since it stands for an error on the server side.
Change-Id: I231ab13ebeb9e5b37788875355d675c17f68745b
By design, PermissionBackendException stands for some error
in the permission backend. It doesn't mean the user doesn't
hold the checked/tested permission. Thus this endpoint should
not catch PBE and treat it the same as AuthException.
Change-Id: Ibbb99fb3648a1bfdbdea922cdb94a77f6824c141