1680 Commits

Author SHA1 Message Date
David Pursehouse
a564df698a Make inner classes static where possible
Change-Id: Icb75d765bd4e9198ef294c3d099c762a395a623e
2018-09-12 14:46:10 +09:00
David Pursehouse
751b132245 IndexServletTest: Specify charset in construction of String
Change-Id: Ib62d75f684019376116a90a0036bd5d180087642
2018-09-12 14:35:02 +09:00
David Ostrovsky
5689d6fec4 RestApiServlet: Skip capability check for administrators
The migration to permission backend in I9458bd55fa wasn't equivalent:
Old code:

  CapabilityUtils.checkRequiresCapability(globals.currentUser,
      null, rc.getClass());

New code:

  globals
      .permissionBackend
      .user(globals.currentUser)
      .checkAny(GlobalPermission.fromAnnotation(d.pluginName,
          d.view.getClass()));

The skipping of capability check in the base version was erroneously
omitted:

  if (ctl.canAdministrateServer()) {
    return;
  }

This broke some plugins, most notably importer plugin. Plugin name is
resolved to null (this is probably wrong too and indicates, that the
capability check for plugin own capability is broken but it is a
different bug). That why the check doesn't work, because import is a
plugin capability and not gerrit core capability. The same wrong
resolution of the plugin name to null is happening on stable-2.14
branch, but the only reason it works there, is because the capability
check is omitted for administrators on stable-2.14 branch.

Bug: Issue 8859
Change-Id: I61534cd9c5cd0da34782e671ae53c0b7fc2e4b65
2018-09-05 09:13:21 +02:00
David Ostrovsky
bb46f7570a Merge branch 'stable-2.14' into stable-2.15
* stable-2.14:
  GitOverHttpModule: Bind REST auth filter in its own module
  Ensure user authentication in AllRequestFilter filters

Change-Id: I873737ead014c20f0590ab0f246e9ded0601e4ef
2018-08-31 21:43:59 +02:00
David Ostrovsky
b8695a315d GitOverHttpModule: Bind REST auth filter in its own module
GitOverHttpModule is binding both filters for git over HTTP and for REST
requests. Extract filter definition for REST requests in its own module.

Change-Id: If03e76c906bc3e0cac827b49f5f087cc859be4cd
2018-08-31 08:43:09 +00:00
David Pursehouse
39dcd91570 Merge branch 'stable-2.14' into stable-2.15
* stable-2.14:
  Minor improvements in receive.maxObjectSizeLimit documentation
  Bazel: Consume rules_closure from HEAD
  Bump auto-value to 1.6.2

Change-Id: I401942a40c5001300f77f9437d342001cd42e619
2018-08-02 15:07:21 +02:00
David Ostrovsky
5531347e56 Bump auto-value to 1.6.2
This upgrade is needed to support JDK9, that was fixed in this
commit: [1].

[1] f04406c1f1

Change-Id: Ic7464964dc7e21946aac4b4a786107a0df51ae2a
2018-08-01 22:35:35 +02:00
Gert van Dijk
4262fdcf8c Perform fonts preloads in "anonymous" cross-origin mode
Rationale on why preloading fonts should be preloaded with the crossorigin
attribute set to "anonymous":
  https://drafts.csswg.org/css-fonts/#font-fetching-requirements
as referenced via
  https://developer.mozilla.org/en-US/docs/Web/HTML/Preloading_content#Cross-origin_fetches

The latter explains that it should be set explicitly when preloading them
- which is what this change adds.

Requested on the mailing list:
https://groups.google.com/d/msg/repo-discuss/OR07NEaqHBk/ZhuBPa2YCAAJ

Bug: Issue 9483
Change-Id: I8acbdc7c038d740b6f20d8bc3825ae4d1e70a25a
2018-07-26 01:00:21 +02:00
David Pursehouse
d5ceaf81a5 Merge branch 'stable-2.14' into stable-2.15
* stable-2.14:
  [GitwebServlet] Use logger built-in formatting
  [GitwebServlet] Avoid empty error flooding the logs

Change-Id: I98f4161d88e3c895c22f8b559fc7a356b56d50f3
2018-06-20 19:35:06 +09:00
Hector Oswaldo Caballero
943341d2a1 [GitwebServlet] Use logger built-in formatting
Change-Id: I780ca9606f9a821dd91990a428984b06f4c64942
2018-06-20 05:31:25 -04:00
Hector Oswaldo Caballero
35c80e2e5f [GitwebServlet] Avoid empty error flooding the logs
So far, the logs were being flooded with empty error messages every time
a gitweb operation was done:

  [Gitweb-ErrorLogger] ERROR com.google.gerrit.httpd.gitweb.GitwebServlet :

Check error message is not empty before log in it.

Change-Id: Ida6a19092d69e65782041d4327ed97ec5f4dc70e
2018-06-20 05:22:23 -04:00
David Pursehouse
094671b459 Merge branch 'stable-2.14' into stable-2.15
* stable-2.14:
  Remove unused elasticsearch library from WORKSPACE
  Use Logger's built-in formatting

Change-Id: I2d3dca1036a1a1a1a6e00331cab31c244bd78bc6
2018-05-30 09:35:44 +09:00
David Pursehouse
fac55c753f Use Logger's built-in formatting
Change-Id: I79eb533d44df45ff1e57656084c7ef4cb080fd91
2018-05-29 16:18:17 +09:00
David Pursehouse
856ff18d5c Merge branch 'stable-2.14' into stable-2.15
* stable-2.14:
  Use Logger's built-in string formatting where possible
  Doc: Fix code example in JS API

Change-Id: I1b953b6d9ab5cd066b8b6f43bb1843dcb1736d1b
2018-05-23 20:19:37 +09:00
David Pursehouse
46af8d137d Use Logger's built-in string formatting where possible
Change-Id: Ie1d03cbd17660a777a15961333dbd8c7fbd2e453
2018-05-23 16:05:40 +09:00
David Pursehouse
a17c4f558f Merge branch 'stable-2.14' into stable-2.15
* stable-2.14:
  Update git submodules
  Update git submodules
  ldap.Helper: Use local logger and make logger in LdapRealm private
  Remove ValidationError#createLoggerSink to avoid passing around loggers
  LdapLoginServlet: Improve exception handling
  OperatingSystemMXBeanProvider: Log exception for ReflectiveOperationException
  WorkQueue: Don't fail when queue metric already exists
  WorkQueue: Sanitize metric name when queue is created
  DropWizardMetricMaker: Introduce method to sanitize metric name

Change-Id: I4729d537aeb5ef934fcae90b610e28966a6ada9a
2018-05-18 10:32:17 +09:00
Edwin Kempin
7f52122396 LdapLoginServlet: Improve exception handling
* Handle AuthenticationFailedException separately:
  This exception is a subclass of AccountException that is thrown if the
  user provides wrong credentials. For this exception we want to return
  "Invalid username or password." as message to the client.
* Return a more general message for other AccountExceptions:
  Likely they are not caused by invalid username or password since this
  would cause a AuthenticationFailedException which we handle before.
* Increase log level to warning:
  This is the log level that we use for these exceptions in other places
  (e.g. ProjectBasicAuthFilter). Make it consistent.
* Log the stacktrace for AccountExceptions:
  We do this everywhere else (e.g. ProjectBasicAuthFilter,
  HttpLoginServlet). Make it consistent.

Change-Id: Ie34687d087b5a6cd102bf8cebd0f9830f54c9c1c
Signed-off-by: Edwin Kempin <ekempin@google.com>
2018-05-17 19:19:44 +09:00
David Pursehouse
b5e620a6a9 Merge branch 'stable-2.14' into stable-2.15
* stable-2.14:
  HttpPluginServlet: Don't trim leading whitespace from about.md content
  ProjectConfig: Don't use JGit's StringUtils to convert to lower case
  Do not abort indexing if < 50% projects failed
  Revert "AllChangesIndexer: Don't abort when failing to open repository"
  VersionedAccountDestinations: Remove unused createSink(String) method
  ProjectBasicAuthFilter: Add comment why cause is not logged
  BazelBuild: Fix exception message when command was interrupted
  GitwebServlet: Write only one log entry for CGI errors
  GitwebServlet: Log unexpected errors on error level
  PostGpgKeys: Remove unneeded use of Joiner
  Remove some logs for errors that are rethrown
  DropWizardMetricMaker: Improve error messages for invalid arguments
  DropWizardMetricMaker: Improve error message when metric name is invalid
  AllChangesIndexer: Don't abort when failing to open repository

Change-Id: I6febb890b7717731fcb5f0653360982668469069
2018-05-17 15:39:34 +09:00
David Pursehouse
fcbdca1e30 HttpPluginServlet: Don't trim leading whitespace from about.md content
Trimming leading whitespace prevents preformatted code blocks from
being rendered properly.

Change-Id: I97f0fab63d128a11320cabe9e13ff5b6e80fc139
2018-05-17 14:41:31 +09:00
Edwin Kempin
b492df1f56 ProjectBasicAuthFilter: Add comment why cause is not logged
Change-Id: I5c738557f50034a8ed0bff3af750e698d7c52604
Signed-off-by: Edwin Kempin <ekempin@google.com>
2018-05-17 10:46:55 +09:00
Edwin Kempin
e709298363 BazelBuild: Fix exception message when command was interrupted
We used ProcessBuilder#toString() but ProcessBuilder doesn't implement
the toString() method, hence calling toString() would return the
instance identity (e.g. 'java.lang.ProcessBuilder@4488aabb'). Instead
include the command which is more useful.

This issue was detected by ErrorProne.

Change-Id: I780f21bbfeae8e7c1b3f4467d789bcf148293324
Signed-off-by: Edwin Kempin <ekempin@google.com>
2018-05-17 10:44:40 +09:00
Edwin Kempin
5fa97fcdd0 GitwebServlet: Write only one log entry for CGI errors
If a separate log statement is written for each line then the entries in
the log file can be interleaved with log entries from other threads,
which makes them less readable.

Change-Id: I038a0d8bc906746cc23b8f3bfb31d6c4d98b53c0
Signed-off-by: Edwin Kempin <ekempin@google.com>
2018-05-17 10:44:32 +09:00
Edwin Kempin
510dc55590 GitwebServlet: Log unexpected errors on error level
Especially it's seems odd that copyStderrToLog logs the input on error
level but failing to do so results only in a debug log.

Change-Id: I52302be34e8f4a62639015acffe26d0a11a5c8da
Signed-off-by: Edwin Kempin <ekempin@google.com>
2018-05-17 10:44:25 +09:00
Gustaf Lundh
e45c333b70 GetUserFilter: Allow to include username in servlet response header
Add a new setting, http.addUserAsResponseHeader, which when enabled
causes the servlet response to include a 'User' header that contains
the name of the logged in user.

This will enable reverse proxies to log the name of the user that
issued the http request.

The new setting is disabled by default.

Change-Id: I5c3c783813f3aa71209320610bb8168a51305cba
2018-05-08 12:51:44 +09:00
David Pursehouse
0722d23ab7 Merge branch 'stable-2.14' into stable-2.15
* stable-2.14:
  Replace "the the" occurences with "the" (wrong repetition)

Change-Id: Id14f6873b81883c93d60725a22bda38567d94ad3
2018-04-19 09:33:20 +02:00
Maxime Guerreiro
db9c8ad778 Replace "the the" occurences with "the" (wrong repetition)
Change-Id: I01cbebd79e1d3470a4f00e55a228d57ac156b676
2018-04-19 09:30:07 +02:00
David Pursehouse
c421174abf Upgrade to google-java-format 1.5
Change-Id: Ibad33f7aff0226fa954d44365e2b3ea2e3c6ff8e
2018-04-18 09:33:50 +02:00
David Pursehouse
4ec5ef6bd2 Upgrade to google-java-format 1.5
Change-Id: I8e0270efad021e69b1a127cf3175626d26381bdb
2018-04-18 09:06:49 +02:00
Masaya Suzuki
8271f4588c Detect RawInput correctly
Some endpoints allow both JSON and raw input. parseRequest selects
whether to parse to JSON using a reader or to provide the raw input as
an InputStream based on the request's content-type.

Since v2.15-rc0~1847^2 (Discard request HTTP bodies before writing
response, 2017-03-16), on endpoints that permit raw input, we call
getInputStream to obtain the rest of the response body and discard it
before writing the response. When the request was JSON, this produces
errors from Jetty, since calling getInputStream after getReader violates
the servlet API:

[HTTP-66] ERROR com.google.gerrit.httpd.restapi.RestApiServlet : Error in PUT /a/plugins/reviewers.jar
java.lang.IllegalStateException: READER
      at org.eclipse.jetty.server.Request.getInputStream(Request.java:844)
      at javax.servlet.ServletRequestWrapper.getInputStream(ServletRequestWrapper.java:138)
      at javax.servlet.ServletRequestWrapper.getInputStream(ServletRequestWrapper.java:138)

To fix it, instead of guessing whether this was a raw request based on
whether the endpoint supports raw requests, use the parseRequest result
to decide whether this is a raw request for which we need to discard any
unconsumed content.

Bug: Issue 8677
Change-Id: I1db69104f31e1c04b137d994523422a07ca5cf43
(cherry picked from commit 91136bb28ec45cbbd66e7d8aabe209a6faa7eb2a)
2018-04-03 12:53:11 -07:00
David Ostrovsky
1eb5429227 ExternalIds NoteDb migration: Avoid intermediate migration state
The problem we are facing on the stable-2.14 branch is: we have
intermediate NoteDb migration state for accounts entity due to
merge of: Ic9bd5791e84. That why we are writing to both backends:
ReviewDb and NoteDb. It creates potential risk to be out of sync
between ReviewDb and NoteDb (and secondary index). In addition it
is always bad from performance point of view to unnecessary write
to 2 different backends. The real migration to NoteDb for accounts
entities (phase 2) happens in: Ia1dae9306b7 and Schema_144, that is
migrating the external IDs from ReviewDb to NoteDb, and that change
is not a part of stable-2.14.

In retrospective, we shouldn't include partially migrated code paths
for the production releases. It's error prone and bad for the
performance. Originally, multi-phase upgrade procedure was done on
master only to support multi master and zero downtime upgrades. These
feature is not related to open source gerrit version.

Moreover, now, that we are facing intermittent account corruption
problems: Issue 7652 that is hard to track down, understand and fix,
we are seeing automatic recovery attempt: [1], that is trying to
detect database corruption and synchronize both backends. This change
takes a different approach and avoids two backends where only ReviewDb
is actually used on production release line 2.14.

To avoid fixing too many caller sites the interfaces of ExternalIds,
ExternalIdsOnInit, ExternalIdsBatchUpdate and ExternalIdsUpdate are
mostly preserved, but the code paths for NoteDb mutations is dropped.

This partially reverts commit 744d2b896719e2058539db98443c80eb9368fd77.

[1] https://gerrit-review.googlesource.com/162450

Change-Id: Iec8d0c5639e462d88a7c5d0906febfd6f3337277
2018-03-07 21:35:20 +01:00
Steffen Gebert
a1afe1a893 Add attributes to <body> tag of login forms
When integrators of Gerrit want to style the login forms, having a class or
ID for the <body> tag come in very handy.

Change-Id: I073424241c5bf4430ce3c3476b2836f022dc1140
2018-01-09 10:36:58 +00:00
Hugo Arès
2beb2211d6 Merge branch 'stable-2.14' into stable-2.15
* stable-2.14:
  Prevent concurrent login by disabling form submission

Change-Id: I997c25155b8d3641428fd53a5474ee80efdbf6c9
2018-01-05 08:46:33 -05:00
Hugo Arès
66a0c4a343 Prevent concurrent login by disabling form submission
Double-clickers are logging in twice because the form is submitted twice
and the server will handle both requests concurrently. This is not a big
issue but it becomes one when a user login in for the first time is a
double-clicker. Server will handle both requests concurrently resulting
in creating 2 accounts for the same user.

This change disables the form submission after the first submit.

Change-Id: Ida55e632618c72ab11e536854c654ed423a0f195
2018-01-05 13:43:11 +00:00
David Pursehouse
40894fcc05 Merge branch 'stable-2.14' into stable-2.15
* stable-2.14:
  Add CORS to default plugin requests handling

Change-Id: I5556a00273de2604468da2de78e82ad29eed923f
2017-11-22 10:20:24 +09:00
Jacek Centkowski
c081b01c42 Add CORS to default plugin requests handling
Allow to request static or Documentation content with respect to CORS.
This change was inspired by [1] and [2]. It sets
Access-Control-Allow-Origin header to origin of the client if the
client's domain matches a regular expression defined in
'site.allowOriginRegex' or when 'site.allowOriginRegex' is empty
(assumption is that access to documentation is not restricted).

[1] https://gerrit-review.googlesource.com/c/gerrit/+/84191
[2] https://gerrit-review.googlesource.com/c/gitiles/+/84151

Change-Id: I0343ac1cdce9da10fea9bc207a4114e1596fbfab
Signed-off-by: Jacek Centkowski <jcentkowski@collab.net>
2017-11-21 23:30:12 +00:00
Paladox none
dd2ae2d0c6 Upgrade Guava to 22.0
The dead lock issue is fixed: [1].

[1] https://github.com/google/guava/issues/2743

Bug: Issue 7645
Change-Id: I77dd930503e6869be207ca4a4f2fd85116719506
2017-11-02 19:10:14 +00:00
David Pursehouse
6307c3b6dc Merge branch 'stable-2.14' into stable-2.15
* stable-2.14:
  Redirect polygerrit urls with context to GWTUI

Change-Id: Idc721bc1ba5981c2a2c9d23d4251bbac9323aa91
2017-10-11 19:51:06 +09:00
Sven Selberg
d57189eb4f Redirect polygerrit urls with context to GWTUI
When CanonicalWebURL contains a context like 'gerrit'.
https://a-host/gerrit the context was not taken into consideration
when redirecting polygerrit urls to GWT urls.

pg-uri: /gerrit/c/123/
context + '#' +  pg-uri = /gerrit/#/gerrit/c/123

Strip context from pg-uri before transforming it to GWT url.

Change-Id: I7aa10c53a40c21c3240f227d015827ca38e19da8
2017-10-11 11:03:19 +02:00
David Pursehouse
c3b1c1c18d Merge "Merge branch 'stable-2.14' into stable-2.15" into stable-2.15 2017-10-03 10:30:30 +00:00
David Pursehouse
e63cb3dd3f Merge branch 'stable-2.14' into stable-2.15
* stable-2.14:
  Fix false positive warning in gitweb

Change-Id: I8d1e44b08b1d7d23918cc6baa63e9294dae1b034
2017-10-03 10:52:01 +01:00
Dave Borowitz
223580f314 Add UploadPackInitializer extension point
I suggested to Luca at the hackathon that he could use this mechanism to
limit refs advertised to Jenkins, instead of writing a custom
PermissionBackend. Getting this in 2.15 means people using his plugin
won't have to wait for the next release to stop using the
PermissionBackend hack.

Change-Id: I8c38eef94d6e505b926b3da6c470e34f6613ca2c
2017-10-03 10:39:42 +01:00
Peter Wu
2da0d11158 Fix false positive warning in gitweb
Since CGI.pm 4.05 (2014-10-08), a warning is shown for every gitweb
request involving the "h" or "hb" parameters. There is no vulnerability
since "add_review_link" only takes one scalar parameter.

Force a scalar to prevent the warning in gerrit error log.

Bug: Issue 5897
Change-Id: I1b7e6b608af7700225da8625cb749fa12e971591
2017-10-03 05:31:26 -04:00
David Pursehouse
b7d274f03c Merge changes Ib3f0849f,I9d12ed46,I38520cff
* changes:
  Factor out Contributor Agreements from ProjectControl
  Add ProjectPermissions for upload and receive pack, migrate callers
  Add ProjectPermission.READ_NO_CONFIG
2017-10-01 15:31:51 +00:00
Patrick Hiesel
0c8feaa6f9 Factor out Contributor Agreements from ProjectControl
This commit factors out the check for valid CLAs from ProjectControl.
CLAs will continue to exist separate of permission backend as the fact
if a user has signed a CLA has nothing to do with permissions per-se.

This refactoring also removes the callers of
ProjectControl#canPushToAtLeastOneRef() which will be removed in a
follow-up change when the last caller was migrated.

Change-Id: Ib3f0849f9fbb720fee2cbc422127f7769a45a20f
2017-10-01 14:14:41 +00:00
Patrick Hiesel
b2bf8d7299 Add ProjectPermissions for upload and receive pack, migrate callers
ProjectControl#canRunUploadPack() and #canRunReceivePack() are just
permission checks using group membership. Therefore they can easily be
checked using PermissionBackend.

Installations that do not use these permissions at all (like Google) can
just have their own PermissionBackend implementation always deny that
permission.

Change-Id: I9d12ed4664c94ef77a9a0958bc91595bef6dfd5d
2017-10-01 15:10:32 +01:00
Hugo Arès
dd61f28354 Remove unused ReviewDb from AccountResolver
Change-Id: Ie0df178fc89f25e24f87ea836eb3b788b3d73e11
2017-10-01 13:27:49 +01:00
Dave Borowitz
3a3aed6ead ResourceServlet: Consistently use class load time as mtime
The GWT UI static servlets (e.g. WarGwtUiServlet) were already using
class load time as the "mtime" of a file, to account for the fact that
the build system always sets the mtime of zipfile entries to the Unix
epoch. (This is intentional, to keep bazel builds reproducible.)

PolyGerrit has the same problem served from a WAR file, but was not
applying this hack. Complicating the situation is that the same class
(PolyGerritUiServlet) is used for the dev server, where we can trust
the mtime. Hackily check whether the path in question is on-disk in the
implementation of getLastModifiedTime.

There was also a bug in ResourceServlet#maybeStream that was bypassing
getLastModifiedTime when checking If-Modified-Since; fix that as well.

While we're in here, fix the other broken class in this hierarchy,
WarDocServlet.

In retrospect, it may have been a mistake to make ResourceServlet try to
handle all possible caching behaviors, since it makes bugs like this all
too easy to introduce. Long term, may want to disentangle the on-disk
implementation, which may depend on mtime to determine staleness, from
the zipfile implementation, which shouldn't.

Bug: Issue 6885
Change-Id: Iea041774c1005cb9918c462d01aef05cff61da23
(cherry picked from commit 65c8345a96c4de35ccf4ddc09a6bc74ce6a429f8)
2017-10-01 12:08:57 +00:00
Dave Borowitz
65c8345a96 ResourceServlet: Consistently use class load time as mtime
The GWT UI static servlets (e.g. WarGwtUiServlet) were already using
class load time as the "mtime" of a file, to account for the fact that
the build system always sets the mtime of zipfile entries to the Unix
epoch. (This is intentional, to keep bazel builds reproducible.)

PolyGerrit has the same problem served from a WAR file, but was not
applying this hack. Complicating the situation is that the same class
(PolyGerritUiServlet) is used for the dev server, where we can trust
the mtime. Hackily check whether the path in question is on-disk in the
implementation of getLastModifiedTime.

There was also a bug in ResourceServlet#maybeStream that was bypassing
getLastModifiedTime when checking If-Modified-Since; fix that as well.

While we're in here, fix the other broken class in this hierarchy,
WarDocServlet.

In retrospect, it may have been a mistake to make ResourceServlet try to
handle all possible caching behaviors, since it makes bugs like this all
too easy to introduce. Long term, may want to disentangle the on-disk
implementation, which may depend on mtime to determine staleness, from
the zipfile implementation, which shouldn't.

Bug: Issue 6885
Change-Id: Iea041774c1005cb9918c462d01aef05cff61da23
2017-10-01 11:39:14 +01:00
Patrick Hiesel
bae538bd84 Remove ProjectControl#isOwnerAnyRef()
In most cases, this method was used as a fallback in case no ref owner
was defined. Comments in the code suggested that it was always intended
to just fall back to ADMINISTRATE_SERVER.

Looking at all use cases individually, it seems safe to just fall back
to ADMINISTRATE_SERVER directly.

Change-Id: I3c7726c3720492f36f737edf7c0e4e7e64c5e6f1
2017-09-30 13:04:05 +00:00
Becky Siegel
2df9a75899 Update Roboto to Roboto-Regular
For consistency with gerrit build process

Change-Id: I2e06175b3499f855c98e8138eb9e07543cde0016
2017-09-06 13:00:11 -07:00