diff options
author | Nasser Grainawi <nasser.grainawi@linaro.org> | 2023-10-25 14:09:54 -0600 |
---|---|---|
committer | Nasser Grainawi <nasser.grainawi@linaro.org> | 2023-10-25 14:09:54 -0600 |
commit | 7bdee49e2412a7fd62572e7caae85748f282a8d2 (patch) | |
tree | faac4ae930ed90046e672b9c3cc162b7aa84d087 | |
parent | 6d2643ec12e52ebca219e0e630a354dbaa8d2223 (diff) | |
parent | 44eb389915a391a4de38b29ec09802ca5cdabdb5 (diff) |
Merge branch 'stable-3.7' into stable-3.8
* stable-3.7:
Allow uploading changes to group refs
project-configuration: Fix old UI references
Setup operator aliases with submit requirement expressions
Update Jetty to 9.4.53.v20231009 for security updates
Explain in ls-projects SSH API when the "parent" field is "?-N"
Change-Id: If82069a4e88006edcc3dd5ae70478447f0ee57a8
Release-Notes: skip
-rw-r--r-- | Documentation/cmd-ls-projects.txt | 15 | ||||
-rw-r--r-- | Documentation/project-configuration.txt | 11 | ||||
-rw-r--r-- | java/com/google/gerrit/server/git/validators/MergeValidators.java | 30 | ||||
-rw-r--r-- | java/com/google/gerrit/server/group/db/GroupConfig.java | 7 | ||||
-rw-r--r-- | java/com/google/gerrit/server/query/change/ChangeQueryBuilder.java | 10 | ||||
-rw-r--r-- | javatests/com/google/gerrit/acceptance/api/group/GroupsIT.java | 21 | ||||
-rw-r--r-- | tools/deps.bzl | 20 |
7 files changed, 84 insertions, 30 deletions
diff --git a/Documentation/cmd-ls-projects.txt b/Documentation/cmd-ls-projects.txt index 1dd6720148..ebd365af7f 100644 --- a/Documentation/cmd-ls-projects.txt +++ b/Documentation/cmd-ls-projects.txt @@ -58,6 +58,21 @@ used to unescape the output. Displays project inheritance in a tree-like format. This option does not work together with the show-branch option. +[NOTE] +If the calling user does not meet any of the following criteria: + +* The state of the parent project is either "ACTIVE" or "READ ONLY", +and the calling user has READ permission to at least one ref. +* The state of the parent project is "HIDDEN" and the calling user +has READ permission for 'refs/meta/config'. + +Then the 'parent' field will be labeled as '?-N', where N represents the +nesting level within the project's tree structure. In the provided example, +'All-Projects' corresponds to level 1, 'parent-project' to level 2, and +'child-project' to level 3. + +The output format to display the results should be `json` or `json_compact`. + --type:: Display only projects of the specified type. If not specified, defaults to `all`. Supported types: diff --git a/Documentation/project-configuration.txt b/Documentation/project-configuration.txt index e583f457e0..3c88c2e400 100644 --- a/Documentation/project-configuration.txt +++ b/Documentation/project-configuration.txt @@ -5,7 +5,7 @@ There are several ways to create a new project in Gerrit: -- in the Web UI under 'Projects' > 'Create Project' +- click 'CREATE NEW' in the Web UI under 'BROWSE' > 'Repositories' - via the link:rest-api-projects.html#create-project[Create Project] REST endpoint - via the link:cmd-create-project.html[create-project] SSH command @@ -58,7 +58,7 @@ See details at link:config-project-config.html#project-section[project section]. There are several ways to create a new branch in a project: -- in the Web UI under 'Projects' > 'List' > <project> > 'Branches' +- in the Web UI under 'BROWSE' > 'Repositories' > <project> > 'Branches' - via the link:rest-api-projects.html#create-branch[Create Branch] REST endpoint - via the link:cmd-create-branch.html[create-branch] SSH command @@ -84,7 +84,7 @@ are not supported. There are several ways to delete a branch: -- in the Web UI under 'Projects' > 'List' > <project> > 'Branches' +- in the Web UI under 'BROWSE' > 'Repositories' > <project> > 'Branches' - via the link:rest-api-projects.html#delete-branch[Delete Branch] REST endpoint - by using a git client @@ -114,10 +114,11 @@ if the project was created with empty branches. For convenience reasons, when the repository is cloned Git creates a local branch for this default branch and checks it out. -Project owners can set `HEAD` +Project owners can set `HEAD` several ways: -- in the Web UI under 'Projects' > 'List' > <project> > 'Branches' or +- in the Web UI under 'BROWSE' > 'Repositories' > <project> > 'Branches' - via the link:rest-api-projects.html#set-head[Set HEAD] REST endpoint +- via the link:cmd-set-head.html[Set HEAD] SSH command GERRIT diff --git a/java/com/google/gerrit/server/git/validators/MergeValidators.java b/java/com/google/gerrit/server/git/validators/MergeValidators.java index 40ce671a36..811e960a34 100644 --- a/java/com/google/gerrit/server/git/validators/MergeValidators.java +++ b/java/com/google/gerrit/server/git/validators/MergeValidators.java @@ -36,6 +36,7 @@ import com.google.gerrit.server.config.PluginConfig; import com.google.gerrit.server.config.ProjectConfigEntry; import com.google.gerrit.server.git.CodeReviewCommit; import com.google.gerrit.server.git.CodeReviewCommit.CodeReviewRevWalk; +import com.google.gerrit.server.group.db.GroupConfig; import com.google.gerrit.server.permissions.GlobalPermission; import com.google.gerrit.server.permissions.PermissionBackend; import com.google.gerrit.server.permissions.PermissionBackendException; @@ -343,10 +344,12 @@ public class MergeValidators { } private final AllUsersName allUsersName; + private final ChangeData.Factory changeDataFactory; @Inject - public GroupMergeValidator(AllUsersName allUsersName) { + public GroupMergeValidator(AllUsersName allUsersName, ChangeData.Factory changeDataFactory) { this.allUsersName = allUsersName; + this.changeDataFactory = changeDataFactory; } @Override @@ -365,7 +368,30 @@ public class MergeValidators { return; } - throw new MergeValidationException("group update not allowed"); + // Update to group files is not supported because there are no validations + // on the changes being done to these files, without which the group data + // might get corrupted. Thus don't allow merges into All-Users group refs + // which updates group files (i.e., group.config, members and subgroups). + // But it is still useful to allow users to update files apart from group + // files. For example, users can maintain task config in group refs which + // allows users to collaborate and review changes on group specific task configs. + ChangeData cd = + changeDataFactory.create(destProject.getProject().getNameKey(), patchSetId.changeId()); + try { + if (cd.currentFilePaths().contains(GroupConfig.GROUP_CONFIG_FILE) + || cd.currentFilePaths().contains(GroupConfig.MEMBERS_FILE) + || cd.currentFilePaths().contains(GroupConfig.SUBGROUPS_FILE)) { + throw new MergeValidationException( + String.format( + "update to group files (%s, %s, %s) not allowed", + GroupConfig.GROUP_CONFIG_FILE, + GroupConfig.MEMBERS_FILE, + GroupConfig.SUBGROUPS_FILE)); + } + } catch (StorageException e) { + logger.atSevere().withCause(e).log("Cannot validate group update"); + throw new MergeValidationException("group validation unavailable", e); + } } } diff --git a/java/com/google/gerrit/server/group/db/GroupConfig.java b/java/com/google/gerrit/server/group/db/GroupConfig.java index 4f2c04972b..682fd15f27 100644 --- a/java/com/google/gerrit/server/group/db/GroupConfig.java +++ b/java/com/google/gerrit/server/group/db/GroupConfig.java @@ -19,7 +19,6 @@ import static com.google.common.collect.ImmutableSet.toImmutableSet; import static java.util.Objects.requireNonNull; import static java.util.stream.Collectors.joining; -import com.google.common.annotations.VisibleForTesting; import com.google.common.base.Splitter; import com.google.common.base.Strings; import com.google.common.collect.ImmutableSet; @@ -89,9 +88,9 @@ import org.eclipse.jgit.revwalk.RevSort; * doesn't have any members or subgroups. */ public class GroupConfig extends VersionedMetaData { - @VisibleForTesting public static final String GROUP_CONFIG_FILE = "group.config"; - @VisibleForTesting static final String MEMBERS_FILE = "members"; - @VisibleForTesting static final String SUBGROUPS_FILE = "subgroups"; + public static final String GROUP_CONFIG_FILE = "group.config"; + public static final String MEMBERS_FILE = "members"; + public static final String SUBGROUPS_FILE = "subgroups"; private static final Pattern LINE_SEPARATOR_PATTERN = Pattern.compile("\\R"); /** diff --git a/java/com/google/gerrit/server/query/change/ChangeQueryBuilder.java b/java/com/google/gerrit/server/query/change/ChangeQueryBuilder.java index 57b59ef180..816936b220 100644 --- a/java/com/google/gerrit/server/query/change/ChangeQueryBuilder.java +++ b/java/com/google/gerrit/server/query/change/ChangeQueryBuilder.java @@ -502,18 +502,22 @@ public class ChangeQueryBuilder extends QueryBuilder<ChangeData, ChangeQueryBuil @Inject protected ChangeQueryBuilder(Arguments args) { this(mydef, args); - setupAliases(); } @VisibleForTesting protected ChangeQueryBuilder(Definition<ChangeData, ChangeQueryBuilder> def, Arguments args) { super(def, args.opFactories); this.args = args; + setupAliases(); } private void setupAliases() { - setOperatorAliases(args.operatorAliasConfig.getChangeQueryOperatorAliases()); - hasOperandAliases = args.hasOperandAliasConfig.getChangeQueryHasOperandAliases(); + if (args.operatorAliasConfig != null) { + setOperatorAliases(args.operatorAliasConfig.getChangeQueryOperatorAliases()); + } + if (args.hasOperandAliasConfig != null) { + hasOperandAliases = args.hasOperandAliasConfig.getChangeQueryHasOperandAliases(); + } } public ChangeQueryBuilder asUser(CurrentUser user) { diff --git a/javatests/com/google/gerrit/acceptance/api/group/GroupsIT.java b/javatests/com/google/gerrit/acceptance/api/group/GroupsIT.java index 9456a31439..6dbbe9ac76 100644 --- a/javatests/com/google/gerrit/acceptance/api/group/GroupsIT.java +++ b/javatests/com/google/gerrit/acceptance/api/group/GroupsIT.java @@ -1285,16 +1285,24 @@ public class GroupsIT extends AbstractDaemonTest { } @Test - public void pushToGroupBranchForReviewForAllUsersRepoIsRejectedOnSubmit() throws Throwable { + public void pushToGroupBranchForReviewForAllUsersRepoIsRejectedOnSubmitForGroupFiles() + throws Throwable { + String error = "update to group files (group.config, members, subgroups) not allowed"; pushToGroupBranchForReviewAndSubmit( - allUsers, RefNames.refsGroups(adminGroupUuid()), "group update not allowed"); + allUsers, RefNames.refsGroups(adminGroupUuid()), "group.config", error); + pushToGroupBranchForReviewAndSubmit( + allUsers, RefNames.refsGroups(adminGroupUuid()), "members", error); + pushToGroupBranchForReviewAndSubmit( + allUsers, RefNames.refsGroups(adminGroupUuid()), "subgroups", error); + pushToGroupBranchForReviewAndSubmit( + allUsers, RefNames.refsGroups(adminGroupUuid()), "destinations/myreviews", null); } @Test public void pushToGroupBranchForReviewForNonAllUsersRepoAndSubmit() throws Throwable { String groupRef = RefNames.refsGroups(adminGroupUuid()); createBranch(project, groupRef); - pushToGroupBranchForReviewAndSubmit(project, groupRef, null); + pushToGroupBranchForReviewAndSubmit(project, groupRef, "group.config", null); } @Test @@ -1576,7 +1584,8 @@ public class GroupsIT extends AbstractDaemonTest { } private void pushToGroupBranchForReviewAndSubmit( - Project.NameKey project, String groupRef, String expectedError) throws Throwable { + Project.NameKey project, String groupRef, String fileName, String expectedError) + throws Throwable { projectOperations .project(project) .forUpdate() @@ -1594,7 +1603,7 @@ public class GroupsIT extends AbstractDaemonTest { PushOneCommit.Result r = pushFactory - .create(admin.newIdent(), repo, "Update group config", "group.config", "some content") + .create(admin.newIdent(), repo, "Update group config", fileName, "some content") .to(MagicBranch.NEW_CHANGE + groupRef); r.assertOkStatus(); assertThat(r.getChange().change().getDest().branch()).isEqualTo(groupRef); @@ -1603,7 +1612,7 @@ public class GroupsIT extends AbstractDaemonTest { ThrowingRunnable submit = () -> gApi.changes().id(r.getChangeId()).current().submit(); if (expectedError != null) { Throwable thrown = assertThrows(ResourceConflictException.class, submit); - assertThat(thrown).hasMessageThat().contains("group update not allowed"); + assertThat(thrown).hasMessageThat().contains(expectedError); } else { submit.run(); } diff --git a/tools/deps.bzl b/tools/deps.bzl index 7d4499a7c8..133d06d570 100644 --- a/tools/deps.bzl +++ b/tools/deps.bzl @@ -20,7 +20,7 @@ GITILES_REPO = GERRIT # When updating Bouncy Castle, also update it in bazlets. BC_VERS = "1.72" HTTPCOMP_VERS = "4.5.2" -JETTY_VERS = "9.4.51.v20230217" +JETTY_VERS = "9.4.53.v20231009" BYTE_BUDDY_VERSION = "1.10.7" def java_dependencies(): @@ -626,50 +626,50 @@ def java_dependencies(): maven_jar( name = "jetty-servlet", artifact = "org.eclipse.jetty:jetty-servlet:" + JETTY_VERS, - sha1 = "3ec1be0b1ca49b633dd7de0733d0054bb4763965", + sha1 = "6670d6a54cdcaedd8090e8cf420fd5dd7d08e859", ) maven_jar( name = "jetty-security", artifact = "org.eclipse.jetty:jetty-security:" + JETTY_VERS, - sha1 = "a3342214ce480cc5bb8e74fe7589dd0436a5d903", + sha1 = "6fbc8ebe9046954dc2f51d4ba69c8f8344b05f7f", ) maven_jar( name = "jetty-server", artifact = "org.eclipse.jetty:jetty-server:" + JETTY_VERS, - sha1 = "d0572c8460eb26adf8420e78535d95859c89a936", + sha1 = "8b0e761a0b359db59dae77c00b4213b0586cb994", ) maven_jar( name = "jetty-jmx", artifact = "org.eclipse.jetty:jetty-jmx:" + JETTY_VERS, - sha1 = "a69e9b0a223a5f661606f6fb36d3b3fcf6216432", + sha1 = "f0392f756b59f65ea7d6be41bf7a2f7b2c7c98d5", ) maven_jar( name = "jetty-http", artifact = "org.eclipse.jetty:jetty-http:" + JETTY_VERS, - sha1 = "fe37568aded59dd8e437e0f670fe5f809071fe8f", + sha1 = "87faf21eb322753f0527bcb88c43e67044786369", ) maven_jar( name = "jetty-io", artifact = "org.eclipse.jetty:jetty-io:" + JETTY_VERS, - sha1 = "a11a0713b17334a5b6e694602fbd1a9457cb5fdd", + sha1 = "70cf7649b27c964ad29bfddf58f3bfe0d30346cf", ) maven_jar( name = "jetty-util", artifact = "org.eclipse.jetty:jetty-util:" + JETTY_VERS, - sha1 = "a11df06530a3a28c9af7ff336730a2f8e18e7205", + sha1 = "f72bb4f687b4454052c6f06528ba9910714df947", ) maven_jar( name = "jetty-util-ajax", artifact = "org.eclipse.jetty:jetty-util-ajax:" + JETTY_VERS, - sha1 = "3b2a998a5ed1f93bc1878fa89d65e307d8b8ebaf", - src_sha1 = "027a15819d3fd1f18e1890bd1bf04b7d48cb3da4", + sha1 = "4d20f6206eb7747293697c5f64c2dc5bf4bd54a4", + src_sha1 = "1aed8017c3c8a449323901639de6b4eb3b1f02ea", ) maven_jar( |