author | Patrick Hiesel <hiesel@google.com> | 2022-05-06 07:42:58 +0200 |
---|---|---|
committer | David Ostrovsky <david.ostrovsky@gmail.com> | 2022-05-11 07:07:29 +0000 |
commit | 9a0fb8defab2630b12a87d6205818cd198669d4b (patch) | |
tree | 06488ae637ab974af8d0d325d7635b8645f78fff | |
parent | 6cf8db2ac5ba8c032409dcbb1250c77c3601d9ed (diff) |
GitProtocolV2IT: Remove superfluous permission grants in tests
Permissions on refs/changes are not respected by the permission
backend. Change refs are visible if the change is visible to the
user. In these tests, the change was already made visible by
pushing them to master, which is visible to registered users.
This commit reworks the permission grants to work on All-Projects
instead of the test repository. It wipes existing permissions
before the test. This makes it more obvious what is happening
because the repo under test inherits permissions from
All-Projects and setting permissions on that repo means the reader
must also understand what permissions are set in All-Projects
which makes it harder to know what is going on.
Release-Notes: n/a
Change-Id: Ib5d3bbfeb4238ef0545024738555d96b3f06acfa
(cherry picked from commit 30d43cd7d2b816712578203e64708bcf60b22c19)
-rw-r--r-- | javatests/com/google/gerrit/integration/git/GitProtocolV2IT.java | 49 |
1 files changed, 25 insertions, 24 deletions
diff --git a/javatests/com/google/gerrit/integration/git/GitProtocolV2IT.java b/javatests/com/google/gerrit/integration/git/GitProtocolV2IT.java
index acf9a506b3..5544238c15 100644
--- a/javatests/com/google/gerrit/integration/git/GitProtocolV2IT.java
+++ b/javatests/com/google/gerrit/integration/git/GitProtocolV2IT.java
@@ -16,7 +16,7 @@ package com.google.gerrit.integration.git;
 import static com.google.common.truth.Truth.assertThat;
 import static com.google.gerrit.acceptance.testsuite.project.TestProjectUpdate.allow;
-import static com.google.gerrit.acceptance.testsuite.project.TestProjectUpdate.deny;
+import static com.google.gerrit.acceptance.testsuite.project.TestProjectUpdate.allowCapability;
 import static java.nio.charset.StandardCharsets.UTF_8;
 import com.google.common.collect.ImmutableList;
@@ -27,7 +27,10 @@ import com.google.gerrit.acceptance.GitClientVersion;
 import com.google.gerrit.acceptance.StandaloneSiteTest;
 import com.google.gerrit.acceptance.TestAccount;
 import com.google.gerrit.acceptance.UseSsh;
+import com.google.gerrit.acceptance.testsuite.group.GroupOperations;
 import com.google.gerrit.acceptance.testsuite.project.ProjectOperations;
+import com.google.gerrit.common.data.GlobalCapability;
+import com.google.gerrit.entities.AccountGroup;
 import com.google.gerrit.entities.Change;
 import com.google.gerrit.entities.PatchSet;
 import com.google.gerrit.entities.Permission;
@@ -62,6 +65,7 @@ public class GitProtocolV2IT extends StandaloneSiteTest {
 @Inject private GerritApi gApi;
 @Inject private AccountCreator accountCreator;
 @Inject private ProjectOperations projectOperations;
+ @Inject private GroupOperations groupOperations;
 @Inject private @TestSshServerAddress InetSocketAddress sshAddress;
 @Inject private @GerritServerConfig Config config;
 @Inject private AllProjectsName allProjectsName;
@@ -86,15 +90,20 @@ public class GitProtocolV2IT extends StandaloneSiteTest {
 Project.NameKey project = Project.nameKey("foo");
 gApi.projects().create(project.get());
- // Set up project permission
+ // Clear all permissions for anonymous users. Allow registered users to fetch/push.
+ AccountGroup.UUID admins = groupOperations.newGroup().addMember(admin.id()).create();
 projectOperations
- .project(project)
+ .project(allProjectsName)
 .forUpdate()
- .add(deny(Permission.READ).ref("refs/heads/*").group(SystemGroupBackend.ANONYMOUS_USERS))
+ .removeAllAccessSections()
 .add(
 allow(Permission.READ)
 .ref("refs/heads/master")
 .group(SystemGroupBackend.REGISTERED_USERS))
+ .add(allow(Permission.READ).ref("refs/*").group(admins))
+ .add(allow(Permission.CREATE).ref("refs/*").group(SystemGroupBackend.REGISTERED_USERS))
+ .add(allow(Permission.PUSH).ref("refs/*").group(SystemGroupBackend.REGISTERED_USERS))
+ .add(allowCapability(GlobalCapability.ADMINISTRATE_SERVER).group(admins))
 .update();
 // Retrieve HTTP url
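Review bot: The comment above this block names only the anonymous and registered-user grants, but the block also creates a new `admins` group and gives it READ on `refs/*` plus `ADMINISTRATE_SERVER`, and nothing says why. Presumably `removeAllAccessSections()` also drops the default administrator grants on All-Projects, so they have to be restored for the `admin` account; if that is the reason, state it, e.g. `// removeAllAccessSections() also wipes the default admin grants; restore them for the admin account used below.` The setups in the hunks at -211 and -265 wipe All-Projects the same way without restoring any admin access, so it is worth confirming which of the three actually needs it and making them consistent. The test method begins and ends outside the hunk.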
@@ -211,15 +220,17 @@ public class GitProtocolV2IT extends StandaloneSiteTest {
 Project.NameKey allRefsVisibleProject = Project.nameKey("all-refs-visible");
 gApi.projects().create(allRefsVisibleProject.get());
- // Set up project permission to allow reading all refs
+ // Allow registered users to fetch/push. Allow anonymous users to read refs/heads/* which also
+ // allows reading changes.
 projectOperations
- .project(allRefsVisibleProject)
+ .project(allProjectsName)
 .forUpdate()
+ .removeAllAccessSections()
 .add(allow(Permission.READ).ref("refs/heads/*").group(SystemGroupBackend.ANONYMOUS_USERS))
 .add(
- allow(Permission.READ)
- .ref("refs/changes/*")
- .group(SystemGroupBackend.ANONYMOUS_USERS))
+ allow(Permission.READ).ref("refs/heads/*").group(SystemGroupBackend.REGISTERED_USERS))
+ .add(allow(Permission.CREATE).ref("refs/*").group(SystemGroupBackend.REGISTERED_USERS))
+ .add(allow(Permission.PUSH).ref("refs/*").group(SystemGroupBackend.REGISTERED_USERS))
 .update();
 // Create new change and retrieve refs for the created patch set
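Review bot: The added READ grant on `refs/heads/*` for `REGISTERED_USERS` looks redundant next to the grant of the same permission and ref to `ANONYMOUS_USERS` one line above, since in Gerrit every signed-in user is also a member of Anonymous Users. As this commit is about removing superfluous grants, either drop the line or keep it with a comment such as `// Explicit for symmetry with the other tests; already implied by the Anonymous Users grant.` Leaving it unexplained invites the reading that registered users would otherwise be locked out. The enclosing test method continues outside the hunk.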
@@ -265,25 +276,15 @@ public class GitProtocolV2IT extends StandaloneSiteTest {
 Project.NameKey privateProject = Project.nameKey("private-project");
 gApi.projects().create(privateProject.get());
- // Disallow general read permissions for anonymous users
+ // Clear all permissions for anonymous users. Allow registered users to fetch/push.
 projectOperations
 .project(allProjectsName)
 .forUpdate()
- .add(deny(Permission.READ).ref("refs/*").group(SystemGroupBackend.ANONYMOUS_USERS))
+ .removeAllAccessSections()
 .add(
- allow(Permission.READ)
- .ref("refs/heads/master")
- .group(SystemGroupBackend.REGISTERED_USERS))
- .update();
-
- // Set up project permission to allow registered users fetching changes/*
- projectOperations
- .project(privateProject)
- .forUpdate()
- .add(
- allow(Permission.READ)
- .ref("refs/changes/*")
- .group(SystemGroupBackend.REGISTERED_USERS))
+ allow(Permission.READ).ref("refs/heads/*").group(SystemGroupBackend.REGISTERED_USERS))
+ .add(allow(Permission.CREATE).ref("refs/*").group(SystemGroupBackend.REGISTERED_USERS))
+ .add(allow(Permission.PUSH).ref("refs/*").group(SystemGroupBackend.REGISTERED_USERS))
 .update();
 // Create new change and retrieve refs for the created patch set |
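Review bot: The READ grant for registered users widens here from `refs/heads/master` to `refs/heads/*`, while the setup in the hunk at -86 keeps `refs/heads/master` under the identical comment, and the commit message does not explain the difference. If this test only pushes to and fetches from master (the pushes are outside the hunk, so this is an assumption), keeping `.ref("refs/heads/master")` gives the narrowest fixture that still proves anonymous users see nothing. The same applies to the `CREATE` and `PUSH` grants on `refs/*`, which look broader than a push to master needs; a one-line comment saying why `refs/*` is required would settle it. The test method starts and ends outside the hunk.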