author | Nasser Grainawi <nasser.grainawi@linaro.org> | 2023-10-25 13:47:05 -0600 |
---|---|---|
committer | Nasser Grainawi <nasser.grainawi@linaro.org> | 2023-10-25 13:47:05 -0600 |
commit | 44eb389915a391a4de38b29ec09802ca5cdabdb5 (patch) | |
tree | acd185a7e04bb91dd8515dd33d065f3bd10882e5 | |
parent | d950df1c135c4c8e97894feef8c5943b00d1ee23 (diff) | |
parent | 237f7e42a37df45de23f948212c331a99ad82684 (diff) |
Merge branch 'stable-3.6' into stable-3.7
* stable-3.6:
Allow uploading changes to group refs
project-configuration: Fix old UI references
Setup operator aliases with submit requirement expressions
Update Jetty to 9.4.53.v20231009 for security updates
Explain in ls-projects SSH API when the "parent" field is "?-N"
Change-Id: I0e7984e3b780864c2c0eaa57bbb349f9a159e5fb
Release-Notes: skip
-rw-r--r-- | Documentation/cmd-ls-projects.txt | 15 | ||||
-rw-r--r-- | Documentation/project-configuration.txt | 11 | ||||
-rw-r--r-- | java/com/google/gerrit/server/git/validators/MergeValidators.java | 30 | ||||
-rw-r--r-- | java/com/google/gerrit/server/group/db/GroupConfig.java | 7 | ||||
-rw-r--r-- | java/com/google/gerrit/server/query/change/ChangeQueryBuilder.java | 10 | ||||
-rw-r--r-- | javatests/com/google/gerrit/acceptance/api/group/GroupsIT.java | 21 | ||||
-rw-r--r-- | tools/deps.bzl | 20 |
7 files changed, 84 insertions, 30 deletions
diff --git a/Documentation/cmd-ls-projects.txt b/Documentation/cmd-ls-projects.txt index 1dd6720148..ebd365af7f 100644 --- a/Documentation/cmd-ls-projects.txt +++ b/Documentation/cmd-ls-projects.txt @@ -58,6 +58,21 @@ used to unescape the output. Displays project inheritance in a tree-like format. This option does not work together with the show-branch option. +[NOTE] +If the calling user does not meet any of the following criteria: + +* The state of the parent project is either "ACTIVE" or "READ ONLY", +and the calling user has READ permission to at least one ref. +* The state of the parent project is "HIDDEN" and the calling user +has READ permission for 'refs/meta/config'. + +Then the 'parent' field will be labeled as '?-N', where N represents the +nesting level within the project's tree structure. In the provided example, +'All-Projects' corresponds to level 1, 'parent-project' to level 2, and +'child-project' to level 3. + +The output format to display the results should be `json` or `json_compact`. + --type:: Display only projects of the specified type. If not specified, defaults to `all`. Supported types: diff --git a/Documentation/project-configuration.txt b/Documentation/project-configuration.txt index e583f457e0..3c88c2e400 100644 --- a/Documentation/project-configuration.txt +++ b/Documentation/project-configuration.txt @@ -5,7 +5,7 @@ There are several ways to create a new project in Gerrit: -- in the Web UI under 'Projects' > 'Create Project' +- click 'CREATE NEW' in the Web UI under 'BROWSE' > 'Repositories' - via the link:rest-api-projects.html#create-project[Create Project] REST endpoint - via the link:cmd-create-project.html[create-project] SSH command 
@@ -58,7 +58,7 @@ See details at link:config-project-config.html#project-section[project section]. There are several ways to create a new branch in a project: -- in the Web UI under 'Projects' > 'List' > <project> > 'Branches' +- in the Web UI under 'BROWSE' > 'Repositories' > <project> > 'Branches' - via the link:rest-api-projects.html#create-branch[Create Branch] REST endpoint - via the link:cmd-create-branch.html[create-branch] SSH command @@ -84,7 +84,7 @@ are not supported. There are several ways to delete a branch: -- in the Web UI under 'Projects' > 'List' > <project> > 'Branches' +- in the Web UI under 'BROWSE' > 'Repositories' > <project> > 'Branches' - via the link:rest-api-projects.html#delete-branch[Delete Branch] REST endpoint - by using a git client @@ -114,10 +114,11 @@ if the project was created with empty branches. For convenience reasons, when the repository is cloned Git creates a local branch for this default branch and checks it out. -Project owners can set `HEAD` +Project owners can set `HEAD` several ways: -- in the Web UI under 'Projects' > 'List' > <project> > 'Branches' or +- in the Web UI under 'BROWSE' > 'Repositories' > <project> > 'Branches' - via the link:rest-api-projects.html#set-head[Set HEAD] REST endpoint +- via the link:cmd-set-head.html[Set HEAD] SSH command GERRIT diff --git a/java/com/google/gerrit/server/git/validators/MergeValidators.java b/java/com/google/gerrit/server/git/validators/MergeValidators.java index 40ce671a36..811e960a34 100644 --- a/java/com/google/gerrit/server/git/validators/MergeValidators.java +++ b/java/com/google/gerrit/server/git/validators/MergeValidators.java 
@@ -36,6 +36,7 @@ import com.google.gerrit.server.config.PluginConfig; import com.google.gerrit.server.config.ProjectConfigEntry; import com.google.gerrit.server.git.CodeReviewCommit; import com.google.gerrit.server.git.CodeReviewCommit.CodeReviewRevWalk; +import com.google.gerrit.server.group.db.GroupConfig; import com.google.gerrit.server.permissions.GlobalPermission; import com.google.gerrit.server.permissions.PermissionBackend; import com.google.gerrit.server.permissions.PermissionBackendException; @@ -343,10 +344,12 @@ public class MergeValidators { } private final AllUsersName allUsersName; + private final ChangeData.Factory changeDataFactory; @Inject - public GroupMergeValidator(AllUsersName allUsersName) { + public GroupMergeValidator(AllUsersName allUsersName, ChangeData.Factory changeDataFactory) { this.allUsersName = allUsersName; + this.changeDataFactory = changeDataFactory; } @Override 
@@ -365,7 +368,30 @@ public class MergeValidators { return; } - throw new MergeValidationException("group update not allowed"); + // Update to group files is not supported because there are no validations + // on the changes being done to these files, without which the group data + // might get corrupted. Thus don't allow merges into All-Users group refs + // which updates group files (i.e., group.config, members and subgroups). + // But it is still useful to allow users to update files apart from group + // files. For example, users can maintain task config in group refs which + // allows users to collaborate and review changes on group specific task configs. + ChangeData cd = + changeDataFactory.create(destProject.getProject().getNameKey(), patchSetId.changeId()); + try { + if (cd.currentFilePaths().contains(GroupConfig.GROUP_CONFIG_FILE) + || cd.currentFilePaths().contains(GroupConfig.MEMBERS_FILE) + || cd.currentFilePaths().contains(GroupConfig.SUBGROUPS_FILE)) { + throw new MergeValidationException( + String.format( + "update to group files (%s, %s, %s) not allowed", + GroupConfig.GROUP_CONFIG_FILE, + GroupConfig.MEMBERS_FILE, + GroupConfig.SUBGROUPS_FILE)); + } + } catch (StorageException e) { + logger.atSevere().withCause(e).log("Cannot validate group update"); + throw new MergeValidationException("group validation unavailable", e); + } } } diff --git a/java/com/google/gerrit/server/group/db/GroupConfig.java b/java/com/google/gerrit/server/group/db/GroupConfig.java index 4f2c04972b..682fd15f27 100644 --- a/java/com/google/gerrit/server/group/db/GroupConfig.java +++ b/java/com/google/gerrit/server/group/db/GroupConfig.java 
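Review bot: The new check in `GroupMergeValidator` is only as complete as the list returned by `cd.currentFilePaths()`, and neither the comment nor the code says what that list covers. Please confirm, and state in the comment, that it also reflects group files that are deleted, renamed, or brought in through the other parent of a merge commit; if it does not, such a change would pass this validator without touching any of the three names. `currentFilePaths()` is also called three times. Reading it once into a local and testing it against a single shared set of the three file names (for example a `GROUP_FILES` constant next to the `GroupConfig` constants) would keep the deny-list and the error message from drifting apart when a group file is added later. The `StorageException` branch rejects the merge, which is the right failure direction for this check. The method body begins outside the hunk.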
@@ -19,7 +19,6 @@ import static com.google.common.collect.ImmutableSet.toImmutableSet; import static java.util.Objects.requireNonNull; import static java.util.stream.Collectors.joining; -import com.google.common.annotations.VisibleForTesting; import com.google.common.base.Splitter; import com.google.common.base.Strings; import com.google.common.collect.ImmutableSet; @@ -89,9 +88,9 @@ import org.eclipse.jgit.revwalk.RevSort; * doesn't have any members or subgroups. */ public class GroupConfig extends VersionedMetaData { - @VisibleForTesting public static final String GROUP_CONFIG_FILE = "group.config"; - @VisibleForTesting static final String MEMBERS_FILE = "members"; - @VisibleForTesting static final String SUBGROUPS_FILE = "subgroups"; + public static final String GROUP_CONFIG_FILE = "group.config"; + public static final String MEMBERS_FILE = "members"; + public static final String SUBGROUPS_FILE = "subgroups"; private static final Pattern LINE_SEPARATOR_PATTERN = Pattern.compile("\\R"); /** diff --git a/java/com/google/gerrit/server/query/change/ChangeQueryBuilder.java b/java/com/google/gerrit/server/query/change/ChangeQueryBuilder.java index 6c874f9f28..4c548e04de 100644 --- a/java/com/google/gerrit/server/query/change/ChangeQueryBuilder.java +++ b/java/com/google/gerrit/server/query/change/ChangeQueryBuilder.java 
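Review bot: `MEMBERS_FILE` and `SUBGROUPS_FILE` go from package-private to `public`, and all three constants lose `@VisibleForTesting`, but none of them gets a Javadoc describing what callers may now rely on. Since this commit makes `GroupMergeValidator` use these names as a submit-time deny-list, a one-line comment on each would help, for example `/** File in a group ref holding the group's members; merges that touch it are rejected by GroupMergeValidator. */` (wording to be confirmed against the class Javadoc). That way a later rename or an additional group file is less likely to weaken the validator unnoticed. The class body continues outside the hunk.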
@@ -491,18 +491,22 @@ public class ChangeQueryBuilder extends QueryBuilder<ChangeData, ChangeQueryBuil @Inject ChangeQueryBuilder(Arguments args) { this(mydef, args); - setupAliases(); } @VisibleForTesting protected ChangeQueryBuilder(Definition<ChangeData, ChangeQueryBuilder> def, Arguments args) { super(def, args.opFactories); this.args = args; + setupAliases(); } private void setupAliases() { - setOperatorAliases(args.operatorAliasConfig.getChangeQueryOperatorAliases()); - hasOperandAliases = args.hasOperandAliasConfig.getChangeQueryHasOperandAliases(); + if (args.operatorAliasConfig != null) { + setOperatorAliases(args.operatorAliasConfig.getChangeQueryOperatorAliases()); + } + if (args.hasOperandAliasConfig != null) { + hasOperandAliases = args.hasOperandAliasConfig.getChangeQueryHasOperandAliases(); + } } public ChangeQueryBuilder asUser(CurrentUser user) { diff --git a/javatests/com/google/gerrit/acceptance/api/group/GroupsIT.java b/javatests/com/google/gerrit/acceptance/api/group/GroupsIT.java index d6302960bd..12f8506b51 100644 --- a/javatests/com/google/gerrit/acceptance/api/group/GroupsIT.java +++ b/javatests/com/google/gerrit/acceptance/api/group/GroupsIT.java 
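Review bot: The null guards added to `setupAliases()` skip alias setup silently, so an `Arguments` instance whose `operatorAliasConfig` or `hasOperandAliasConfig` was never populated now yields a builder without aliases instead of failing at construction. If null is only expected from test-built `Arguments` (that looks like the reason, since the call moved into the `@VisibleForTesting` constructor), say so with a comment such as `// Alias configs are null only when Arguments is constructed by tests without injection.` It is not visible in this hunk what `hasOperandAliases` holds when the second guard is skipped; please confirm the field has a non-null default at its declaration.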
@@ -1269,16 +1269,24 @@ public class GroupsIT extends AbstractDaemonTest { } @Test - public void pushToGroupBranchForReviewForAllUsersRepoIsRejectedOnSubmit() throws Throwable { + public void pushToGroupBranchForReviewForAllUsersRepoIsRejectedOnSubmitForGroupFiles() + throws Throwable { + String error = "update to group files (group.config, members, subgroups) not allowed"; pushToGroupBranchForReviewAndSubmit( - allUsers, RefNames.refsGroups(adminGroupUuid()), "group update not allowed"); + allUsers, RefNames.refsGroups(adminGroupUuid()), "group.config", error); + pushToGroupBranchForReviewAndSubmit( + allUsers, RefNames.refsGroups(adminGroupUuid()), "members", error); + pushToGroupBranchForReviewAndSubmit( + allUsers, RefNames.refsGroups(adminGroupUuid()), "subgroups", error); + pushToGroupBranchForReviewAndSubmit( + allUsers, RefNames.refsGroups(adminGroupUuid()), "destinations/myreviews", null); } @Test public void pushToGroupBranchForReviewForNonAllUsersRepoAndSubmit() throws Throwable { String groupRef = RefNames.refsGroups(adminGroupUuid()); createBranch(project, groupRef); - pushToGroupBranchForReviewAndSubmit(project, groupRef, null); + pushToGroupBranchForReviewAndSubmit(project, groupRef, "group.config", null); } @Test @@ -1558,7 +1566,8 @@ public class GroupsIT extends AbstractDaemonTest { } private void pushToGroupBranchForReviewAndSubmit( - Project.NameKey project, String groupRef, String expectedError) throws Throwable { + Project.NameKey project, String groupRef, String fileName, String expectedError) + throws Throwable { projectOperations .project(project) .forUpdate() 
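Review bot: `pushToGroupBranchForReviewForAllUsersRepoIsRejectedOnSubmitForGroupFiles` also carries the allowed case (`destinations/myreviews` with a `null` expected error), so the test name no longer matches everything it asserts, and a regression in the allowed path would be reported under a "rejected" test. Moving that last call into its own test, e.g. `pushToGroupBranchForReviewForAllUsersRepoAndSubmitForNonGroupFiles`, would make both outcomes visible separately. Each rejection case writes `some content` to one exact path; a case that deletes or renames a group file would confirm the validator's file list covers those changes as well. The helper's body continues in the following hunks, where the commit message stays `"Update group config"` regardless of `fileName`.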
@@ -1576,7 +1585,7 @@ public class GroupsIT extends AbstractDaemonTest { PushOneCommit.Result r = pushFactory - .create(admin.newIdent(), repo, "Update group config", "group.config", "some content") + .create(admin.newIdent(), repo, "Update group config", fileName, "some content") .to(MagicBranch.NEW_CHANGE + groupRef); r.assertOkStatus(); assertThat(r.getChange().change().getDest().branch()).isEqualTo(groupRef); @@ -1585,7 +1594,7 @@ public class GroupsIT extends AbstractDaemonTest { ThrowingRunnable submit = () -> gApi.changes().id(r.getChangeId()).current().submit(); if (expectedError != null) { Throwable thrown = assertThrows(ResourceConflictException.class, submit); - assertThat(thrown).hasMessageThat().contains("group update not allowed"); + assertThat(thrown).hasMessageThat().contains(expectedError); } else { submit.run(); } diff --git a/tools/deps.bzl b/tools/deps.bzl index 3156e1a209..9a17ca803e 100644 --- a/tools/deps.bzl +++ b/tools/deps.bzl @@ -21,7 +21,7 @@ GITILES_REPO = GERRIT # When updating Bouncy Castle, also update it in bazlets. BC_VERS = "1.72" HTTPCOMP_VERS = "4.5.2" -JETTY_VERS = "9.4.36.v20210114" +JETTY_VERS = "9.4.53.v20231009" BYTE_BUDDY_VERSION = "1.10.7" def java_dependencies(): 
@@ -627,50 +627,50 @@ def java_dependencies(): maven_jar( name = "jetty-servlet", artifact = "org.eclipse.jetty:jetty-servlet:" + JETTY_VERS, - sha1 = "b189e52a5ee55ae172e4e99e29c5c314f5daf4b9", + sha1 = "6670d6a54cdcaedd8090e8cf420fd5dd7d08e859", ) maven_jar( name = "jetty-security", artifact = "org.eclipse.jetty:jetty-security:" + JETTY_VERS, - sha1 = "42030d6ed7dfc0f75818cde0adcf738efc477574", + sha1 = "6fbc8ebe9046954dc2f51d4ba69c8f8344b05f7f", ) maven_jar( name = "jetty-server", artifact = "org.eclipse.jetty:jetty-server:" + JETTY_VERS, - sha1 = "88a7d342974aadca658e7386e8d0fcc5c0788f41", + sha1 = "8b0e761a0b359db59dae77c00b4213b0586cb994", ) maven_jar( name = "jetty-jmx", artifact = "org.eclipse.jetty:jetty-jmx:" + JETTY_VERS, - sha1 = "bb3847eabe085832aeaedd30e872b40931632e54", + sha1 = "f0392f756b59f65ea7d6be41bf7a2f7b2c7c98d5", ) maven_jar( name = "jetty-http", artifact = "org.eclipse.jetty:jetty-http:" + JETTY_VERS, - sha1 = "1eee89a55e04ff94df0f85d95200fc48acb43d86", + sha1 = "87faf21eb322753f0527bcb88c43e67044786369", ) maven_jar( name = "jetty-io", artifact = "org.eclipse.jetty:jetty-io:" + JETTY_VERS, - sha1 = "84a8faf9031eb45a5a2ddb7681e22c483d81ab3a", + sha1 = "70cf7649b27c964ad29bfddf58f3bfe0d30346cf", ) maven_jar( name = "jetty-util", artifact = "org.eclipse.jetty:jetty-util:" + JETTY_VERS, - sha1 = "925257fbcca6b501a25252c7447dbedb021f7404", + sha1 = "f72bb4f687b4454052c6f06528ba9910714df947", ) maven_jar( name = "jetty-util-ajax", artifact = "org.eclipse.jetty:jetty-util-ajax:" + JETTY_VERS, - sha1 = "2f478130c21787073facb64d7242e06f94980c60", - src_sha1 = "7153d7ca38878d971fd90992c303bb7719ba7a21", + sha1 = "4d20f6206eb7747293697c5f64c2dc5bf4bd54a4", + src_sha1 = "1aed8017c3c8a449323901639de6b4eb3b1f02ea", ) maven_jar( |