gerrit/gerrit-httpd
Jacek Centkowski 82cd64b404 Allow LFS-over-SSH created auth pass through ContainerAuthFilter
Issue:
When an LFS operation is initiated through SSH, the LFS client receives an
auth token and uses it to perform the requested operation, e.g.:

  POST /gerrit/test-org/test-no-block/info/lfs/objects/batch
  Authorization: Ssh: ...
  Content-Type: application/vnd.git-lfs+json; charset=utf-8
  {
    "operation":"upload","objects"...
  }

ContainerAuthFilter searches for an existing user, but none of the
containers can perform successful LFS auth (as it is deeply buried in
the plugin internals); therefore it is typically configured to let it go
through, to eventually fail in the filter with:

  403 Forbidden

Solution:
Modify ContainerAuthFilter so that it returns 'true' when Content-Type
indicates the request is against LFS and the Authorization header value
starts with the "Ssh: " string (similarly to ProjectBasicAuthFilter when
it doesn't start with "Basic ").

Rationale:
ContainerAuthFilter is installed for requests that either go through
/a/* (authorised path) or to LFS (note that LFS over HTTP sends the
auth token even when the request is not `/a/` prefixed - hence the user
can be obtained from the request with the first call without sending
401 back and re-sending the request with the `/a/` prefix).
In terms of LFS over SSH, it is again a request against LFS, but in this
case it has an `Ssh: ` based auth token that is not recognized by the
filter and results in 403.

This change is safe as it introduces exception only for LFS requests
that rely on internal LFS auth anyway.

Change-Id: Ia886dc284c8ded9c21a5b9f57628f228c1e691f0
Signed-off-by: Jacek Centkowski <jcentkowski@collab.net>
2019-02-25 11:51:05 +01:00
..
src Allow LFS-over-SSH created auth pass through ContainerAuthFilter 2019-02-25 11:51:05 +01:00
BUILD Merge branch 'stable-2.14' into stable-2.15 2019-01-09 23:10:35 +01:00
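
The pass-through condition described in the commit message above, as an added Java sketch (not Gerrit's code; the class and method names are hypothetical). It assumes the media type is compared exactly after stripping parameters, and it leaves validation of the token to the LFS plugin.

```java
import java.util.Locale;

// Added illustration; class and method names are hypothetical, not Gerrit's.
public class LfsSshPassThrough {
  static final String LFS_MEDIA_TYPE = "application/vnd.git-lfs+json";
  static final String SSH_AUTH_PREFIX = "Ssh: ";

  // Drop parameters such as "; charset=utf-8" and compare the bare media type
  // exactly (case-insensitively), so look-alike types do not qualify.
  static boolean isLfsContentType(String contentType) {
    if (contentType == null) {
      return false;
    }
    int semi = contentType.indexOf(';');
    String mediaType = semi >= 0 ? contentType.substring(0, semi) : contentType;
    return mediaType.trim().toLowerCase(Locale.ROOT).equals(LFS_MEDIA_TYPE);
  }

  // True only when both conditions hold. The token is not validated here;
  // that stays with the LFS plugin's own auth, as the commit message says.
  static boolean deferToLfsAuth(String contentType, String authorization) {
    return isLfsContentType(contentType)
        && authorization != null
        && authorization.startsWith(SSH_AUTH_PREFIX);
  }

  public static void main(String[] args) {
    String lfs = "application/vnd.git-lfs+json; charset=utf-8";
    // Constructed sample requests: {Content-Type, Authorization}.
    String[][] samples = {
      {lfs, "Ssh: <token>"},                  // LFS over SSH: pass through
      {lfs, "Basic <credentials>"},           // not an Ssh token: container decides
      {lfs, null},                            // no Authorization header
      {"application/json", "Ssh: <token>"},   // Ssh token outside LFS: no exception
      {"application/vnd.git-lfs+jsonx", "Ssh: <token>"}, // look-alike media type
    };
    for (String[] s : samples) {
      System.out.printf("%-45s %-20s -> %b%n", s[0], s[1], deferToLfsAuth(s[0], s[1]));
    }
  }
}
```

Only the first sample yields `true`; every other combination falls back to the container's normal user lookup.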