| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
Change-Id: I1d1e55bdcde69d03cc1945f81d7ba969bbafd041
|
| |
|
|
|
|
|
|
|
|
| |
79d24d4 Make PermissionBackend#ForRef authoritative
Introduced a regression where InternalUsers where not taken into
consideration when checking READ permission.
Bug: Issue 13786
Change-Id: I3f18507f65044ac96321c1efecf1f2688f36859f
(cherry picked from commit 23ff2cfc8ffc00ad3d6e2c752d63394957c8720d)
|
| |
|
|
|
|
|
| |
Changes in Schema_163 class were reverted because ReviewDb must still be
used during migration of groups from ReviewDb to NoteDb.
Change-Id: I49afd0f6e02ccd498f31075961a2f69c9c53e71e
|
| |
|
|
| |
Change-Id: Icd472f927db0c7231549fb4eead4afe9fd54b9fa
|
| |
|
|
|
|
|
|
|
|
| |
NoteDb sequence seed is already used in Sequences class. Consistently
use it also in SequencesOnInit and avoid using the ReviewDb for that.
Changes in Schema_155 class were reverted because ReviewDb must still be
used during migration of accounts from ReviewDb to NoteDb.
Change-Id: I75ac27dae90ec9be0efe017f73c798d3ccd0ad04
|
| |
|
|
|
|
|
|
|
|
|
| |
When notedb.config is set to read from NoteDb and ReviewDb
is disabled, do not use anymore a real instance of the DBMS connection
to access ReviewDb but return a simple NoOpReviewDb wrapper
that returns dummy values for relation name/id and the fixed
Gerrit version number.
Bug: Issue 14013
Change-Id: I7132d0e6007ead880e4161f52c2f4b12f13f1e59
|
| |\
| |
| |
| |
| |
| |
| |
| |
| | |
* stable-2.15:
Set version to 2.15.23-SNAPSHOT
Set version to 2.15.22
Avoid creating HTTP Sessions for Git-over-HTTP
Change-Id: I016334e2b14fdb0fc89705dbb7c8c48b21bae452
|
| | |\
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* stable-2.15-issue-13858:
Set version to 2.15.23-SNAPSHOT
Set version to 2.15.22
Avoid creating HTTP Sessions for Git-over-HTTP
Change-Id: I883a74b062b6c60f398ca9eada7c5e23e338901b
|
| | | |
| | |
| | |
| | | |
Change-Id: I2eccac9b3dfedf0baa03616b7af455c0ec7768d3
|
| | | |
| | |
| | |
| | | |
Change-Id: I5eda0539314629c0f5900775dd4e5de0bf4e7de5
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The Change-Id: Iffcd0fbd7 has involuntarily triggered the
creation of a new HTTP Session for every invocation a Git-over-HTTP
request.
All came from the mistake of tracing the HTTP session instead
of the Gerrit session in the audit record.
The HTTP Servlet API specs say that any attempt to access
the current session of an incoming request would result
in the creation of a brand-new session.
The session involuntarily created also had an expiry time
equal to zero, which prevented the session housekeeper
to reclaim them later on, even though they were unused.
The consequence of creating an empty session for every
Git-over-HTTP request isn't immediately tangible, because
the session is empty and doesn't occupy a significant
amount of memory. However, longer-term, the in-memory
hashtable that records all the sessions, each one using
750 bytes on average, will be causing the overload
of the JVM heap and the crash of the process because of
lack of available memory.
Use the correct Gerrit session-id, retrieving
from the Provider<WebSession> the proper session, if active
and logged in, and make sure in tests that no HTTP sessions
are created as a result of a Git-over-http request.
Bug: Issue 13858
Change-Id: I8c086fed54b196c3f46fa88ac78c127784524d30
|
| |\ \ \ |
|
| | |\| |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* stable-2.15:
Disallow editing the Change-Id during inline edits
ForRef#check should permit internal users to read all refs
Change-Id: I83102ed0f8ded4f0dbebbaf85650f2d31933f19d
|
| | | |\ \
| | | |/
| | |/|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* stable-2.14:
Disallow editing the Change-Id during inline edits
Reuse the PutMessage.ensureChangeIdIsCorrect of the new inline
edit API for assuring consistency of the way the Change-Id
modification is checked across GWT and PolyGerrit.
Change-Id: I9bac4e42314d4628fa2ba5bfac268df9fba841df
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Editing an existing Change-Id is checked when a new patch-set
is uploaded via Git protocol. However, when the commit message
is modified through an inline edit, the commit is created
directly on the Git repository and therefore any change was
allowed, including the editing of the Change-Id.
Return HTTP status code 409 (conflict) error when editing Change-Id
which is consistent to the error raised when the same operation
is attempted on more recent versions of the inline edit with
PolyGerrit.
Bug: Issue 13931
Change-Id: I6ba424e09d5a38fd474bf3b2373ff3209b7baf74
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
79d24d4 Make PermissionBackend#ForRef authoritative
Introduced a regression where InternalUsers where not taken into
consideration when checking READ permission.
Bug: Issue 13786
Change-Id: I3f18507f65044ac96321c1efecf1f2688f36859f
(cherry picked from commit 23ff2cfc8ffc00ad3d6e2c752d63394957c8720d)
|
| |\| | | |
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Prevent ChangeEditIT.updateCommitMessageByEditingMagicCommitMsgFile
and RobotCommentsIT.fixDoesNotModifyCommitMessageOfChangeEdit
corrupting the change by removing the Change-Id footer.
Change-Id: I7f55e2d6bf6ddc0ab6891c3e27f24297933ac168
|
| |\| | |
| | | |
| | | |
| | | | |
stable-2.16
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The tests in RevisionDiffIT should update the commit message
of a change preserving the Change-Id footer.
Change-Id: Id77d9d6e41e231627ff1a464c666fa6e9d20ba48
|
| |\| | | |
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The updated commit message literal is used
as magic value in multiple tests of RevisionDiffIT.
Introduce a common constant that represents what
the test value means, so that tests become more
readable.
Change-Id: I8d9f00e343169b135550b83d47974f7a2e4d4cd3
|
| |\| | |
| | | |
| | | |
| | | | |
stable-2.16
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The ensureChangeIdIsCorrect method implements the logic for accepting
or reject a commit message based on its Change-Id footer correctness.
This is a preparation work for sharing the validation logic between
commit message changed in context of change edit and commit message
changed directly from change screen.
Moving the method to ChangeUtil allows to avoid circular dependencies
between the 'server' and 'restapi' Bazel build modules.
Change-Id: Iadd8c7020b6cc7add27d040d147b6ccea725f61b
|
| |\ \ \ \
| |/ / /
|/| | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* stable-2.16-issue-13858:
Set version to 2.16.27-SNAPSHOT
Set version to 2.16.26
Avoid creating HTTP Sessions for Git-over-HTTP
Change-Id: I38143ac9206a72aaf3c0aef51bf54edd68ad7bfb
|
| | | | |
| | | |
| | | |
| | | | |
Change-Id: Iafbc0cac00a2eee676cee17446f9f27aa2aedaf1
|
| | | | |
| | | |
| | | |
| | | | |
Change-Id: I75458dadebde6f871e00a00c126a14b25ae09c3e
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The Change-Id: Iffcd0fbd7 has involuntarily triggered the
creation of a new HTTP Session for every invocation a Git-over-HTTP
request.
All came from the mistake of tracing the HTTP session instead
of the Gerrit session in the audit record.
The HTTP Servlet API specs say that any attempt to access
the current session of an incoming request would result
in the creation of a brand-new session.
The session involuntarily created also had an expiry time
equal to zero, which prevented the session housekeeper
to reclaim them later on, even though they were unused.
The consequence of creating an empty session for every
Git-over-HTTP request isn't immediately tangible, because
the session is empty and doesn't occupy a significant
amount of memory. However, longer-term, the in-memory
hashtable that records all the sessions, each one using
750 bytes on average, will be causing the overload
of the JVM heap and the crash of the process because of
lack of available memory.
Use the correct Gerrit session-id, retrieving
from the Provider<WebSession> the proper session, if active
and logged in, and make sure in tests that no HTTP sessions
are created as a result of a Git-over-http request.
Bug: Issue 13858
Change-Id: I8c086fed54b196c3f46fa88ac78c127784524d30
|
| |/ / /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* Update plugins/replication from branch 'stable-2.16'
to 4a44e534128a0415ebca61ad7a6751905f0f4242
- Use volatile and AtomicIntegers to be thread safe
Modify the fields in ReplicationState class to be volatile and
AtomicIntegers so that changes to them are reflected to other
threads. By not doing so, modifications made by one thread to
these fields may not be reflected instantly depending on
cpu caching thus resulting in incorrect state
Change-Id: I76512b17c19cc68e4f1e6a5223899f9a184bb549
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* Update plugins/replication from branch 'stable-2.16'
to ba2c8e16b798c2eaf4e56dd66d8c1cd00999e096
- Fix replication to retry on lock errors
Versions of Git released since 2014 have created a new status
"failed to update ref" which replaces the two statuses "failed to lock"
and "failed to write". So, we now see the newer status when the remote
is unable to lock a ref.
Refer Git commit:
https://github.com/git/git/commit/6629ea2d4a5faa0a84367f6d4aedba53cb0f26b4
Config 'lockErrorMaxRetries' is not removed as part of this change
as folks who have it configured currently don't run into unexpected
behavior with retries when they upgrade to a newer version of the
plugin. Also, the "failed to lock" check is not removed for folks
still using a version of Git older than 2014.
Change-Id: I9b3b15bebd55df30cbee50a0e0c2190d04f2f443
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This version fixes a bug occurring when processing a fetch request and
running gc concurrently.
Bug: https://bugs.eclipse.org/bugs/show_bug.cgi?id=569349
Change-Id: I605749727d39822683371b98d996f5afdf1604e9
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This version contains the following fix:
Ensure that GC#deleteOrphans respects pack lock
If pack or index files are guarded by a pack lock (.keep file)
deleteOrphans() should not touch the respective files protected by the
lock file. Otherwise it may interfere with PackInserter concurrently
inserting a new pack file and its index.
Release Notes:
https://projects.eclipse.org/projects/technology.jgit/releases/5.1.14
Bug: Issue 13544
Change-Id: Ieeb5a883bcb487a4d45f299aec5b31475002cdd3
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The Bazel option `--incompatible_run_shell_command_string` is going to be flipped to true in upcoming Bazel 4.0 release per default, see: [1] for more details.
Test Plan:
bazel build :release
[1] https://github.com/bazelbuild/bazel/issues/5903
Bug: Issue 13612
Change-Id: Icc9589906198386b1e4805ceeabbb420a7ea1afb
(cherry picked from commit c1f4e91406b9da411dd2f5eab4ee92bfc761e1f4)
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
The version of bazel-toolchain in the current WORKSPACE file has some invalid escape sequences (https://buildkite.com/bazel/bazel-at-head-plus-downstream/builds/1756#951353b2-9c81-4819-b89e-e448b043f284). Bazel itself uses bazel-toolchains 3.1.0 right now, and those invalid escape sequences have been fixed some time before 3.1.0.
Change-Id: I013dfb1202bb2cbecd0d479e0fcd9e59a80ce929
(cherry picked from commit f100cda91ea0278bf2d4b1e68f18d35779d3209e)
|
| |\| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* stable-2.15:
Set version to 2.14.22
Workaround Gitiles bug on All-Users visibility
Validate Gerrit changes on stable-2.15 with Jenkins
Set version to 2.15.22-SNAPSHOT
Set version to 2.15.21
Workaround Gitiles bug on All-Users visibility
Set version to 2.15.21-SNAPSHOT
Set version to 2.15.20
Fetch JGit documentation from the archive site
Remove generation for c.g.gwtexpui.* JavaDoc
Make PermissionBackend#ForRef authoritative
Validate Gerrit changes on stable-2.15 with Jenkins
Fix tests for stable-2.15 branch
Change-Id: I8cf90d6a78c946f12140462f97e81cca3f3c18e3
|
| | |\|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* stable-2.14:
Set version to 2.14.22
Workaround Gitiles bug on All-Users visibility
Validate Gerrit changes on stable-2.15 with Jenkins
Change-Id: I1839c9aebbbe14544464e07025fbd96d576dd5bf
|
| | | |\
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* stable-2.14-2020-11.notedb-refs-tags:
Set version to 2.14.22
Workaround Gitiles bug on All-Users visibility
Validate Gerrit changes on stable-2.15 with Jenkins
Also, set target version to 2.14.23-SNAPSHOT.
Change-Id: I400d374a5950c95d9abfedc8a6ff07a6b4864b66
|
| | | | |
| | | |
| | | |
| | | | |
Change-Id: Id3c767d04411ac7551e7016a37136a77e4ae8118
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Gitiles has special FilteredRepository wrapper that
allows to carefully hide refs based on the project's ACLs.
There is however an optimisation that skips the filtering
in case a user has READ permissions on every ACLs patterns.
When the target repository is All-Users, the optimisation
turns into a security issue because it allows seeing everything
that belongs to everyone:
- draft comments
- PII of all users
- external ids
- draft edits
Block Gitiles or any other part of Gerrit to abuse of this
power when the target repository is All-Users, where nobody
can be authorised to skip the ACLs evaluation.
Cover the additional special case of the All-Users project
access with two explicit positive and negative tests,
so that the security check is covered.
Bug: Issue 13621
Change-Id: Ia6ea1a9fd5473adff534204aea7d8f25324a45b7
(cherry picked from commit 45071d6977932bca5a1427c8abad24710fed2e33)
(cherry picked from commit 1be1d6ff45f18c978fd21e5c7d437d0a1351d7d8)
|
| | | |/
| | |
| | |
| | |
| | | |
Change-Id: I35c47ba60c08e8d5d1f767672b5e83b7d29fea1b
(cherry picked from commit 1346eab23259f8dc4adec9cb098e2f818c9cf79d)
|
| | |\ \
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* stable-2.15-2020-11.notedb-refs-tags:
Set version to 2.15.22-SNAPSHOT
Set version to 2.15.21
Workaround Gitiles bug on All-Users visibility
Set version to 2.15.21-SNAPSHOT
Set version to 2.15.20
Fetch JGit documentation from the archive site
Remove generation for c.g.gwtexpui.* JavaDoc
Make PermissionBackend#ForRef authoritative
Validate Gerrit changes on stable-2.15 with Jenkins
Fix tests for stable-2.15 branch
Change-Id: I91db12c2c627550b2e897ccb4d7e27ee760cd32d
|
| | | | |
| | | |
| | | |
| | | | |
Change-Id: I1ed863213d9946b77ae558d52094731db10ff721
|
| | | | |
| | | |
| | | |
| | | | |
Change-Id: I3e3eb891d717169f912a20e7de948cea1f47fab3
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Gitiles has special FilteredRepository wrapper that
allows to carefully hide refs based on the project's ACLs.
There is however an optimisation that skips the filtering
in case a user has READ permissions on every ACLs patterns.
When the target repository is All-Users, the optimisation
turns into a security issue because it allows seeing everything
that belongs to everyone:
- draft comments
- PII of all users
- external ids
- draft edits
Block Gitiles or any other part of Gerrit to abuse of this
power when the target repository is All-Users, where nobody
can be authorised to skip the ACLs evaluation.
Cover the additional special case of the All-Users project
access with two explicit positive and negative tests,
so that the security check is covered.
Bug: Issue 13621
Change-Id: Ia6ea1a9fd5473adff534204aea7d8f25324a45b7
(cherry picked from commit 45071d6977932bca5a1427c8abad24710fed2e33)
|
| | | | |
| | | |
| | | |
| | | | |
Change-Id: I3f5c762fda9d47da21685ca12b0f6c80032a3be2
|
| | | | |
| | | |
| | | |
| | | | |
Change-Id: I83a8ece5ace5da608b3377461c572399b70962d0
|
| | | | |
| | | |
| | | |
| | | | |
Change-Id: I8e78f5064fda7c2ff73134f6ac3d681c6be2e7d1
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The JavaDoc for com.google.gwtexpui.* cannot be generated
because the source files are not accessible anymore.
Failing to generate the JavaDocs caused the Gerrit build to
fail with 'No source files for package com.google.gwtexpui...'.
Change-Id: Ie36e650962636813d8f9f615e495a980b7280420
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This change fixes a misconception that leads to data being accessible
through Gerrit APIs that should be locked down.
Gerrit had two components for determining if a Git ref is visible to a
user: (Default)RefFilter and PermissionBackend#ForRef (ex RefControl).
The former was always capable of providing correct results for all refs.
The latter only had logic to decide if a Git ref is visible according to
the Gerrit READ permissions. This includes all refs under refs/heads as
well as any other ref that isn't a database ref or a Git tag. This
component was unware of Git tags and database references. Hence, when
asked for a database reference such as refs/changes/xx/yyyyxx/meta the
logic would allow access if the user has READ permissions on any of the
ref prefixes, such as the default "read refs/* Anonymous Users".
That is problematic, because it bypasses documented behavior [1] where
a user should only have access to a change if they can see the destination
ref. The same goes for other database references.
This change fixes the problem. It is intentionally kept to a minimally
invasive code change so that it's easier to backport it.
Add tests to assert the correct behavior. These tests would fail before
this fix. We have included them in this change to be able to backport
just a single commit.
[1] https://gerrit-review.googlesource.com/Documentation/access-control.html
Change-Id: Ice3a756cf573dd9b38e3f198ccc44899ccf65f75
|
| | | | |
| | | |
| | | |
| | | | |
Change-Id: I35c47ba60c08e8d5d1f767672b5e83b7d29fea1b
|
