| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Change-Id: I4fb636a659a8382ec98795207ece3efaa1a03b7f
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* stable-3.2:
Set version to 3.2.10
Set version to 3.1.15
Don't serve polygerrit assets for git requests
Fix PUT/POST/DELETE REST-API with cookie authentication
NoShellIT: Increase the timeout to avoid failures
Set version to 3.2.10-SNAPSHOT
Set version to 3.2.9
Set version to 3.1.14
download_bower: download to GERRIT_CACHE_HOME
Change-Id: Ib1803ca5f5164cd744a52209203277d3bf6797ca
|
| |
| |
| |
| | |
Change-Id: I6ffb688d111c71d11ab1647a3cd26d3809839c70
|
| |\
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* stable-3.1:
Set version to 3.1.15
Don't serve polygerrit assets for git requests
Fix PUT/POST/DELETE REST-API with cookie authentication
NoShellIT: Increase the timeout to avoid failures
Set version to 3.1.14
download_bower: download to GERRIT_CACHE_HOME
Change-Id: I036ccd8618372407b5c693fce599fb8b80db254d
|
| | |
| | |
| | |
| | | |
Change-Id: I64df1dcbbbd4fa1c628ed9b966202568b9999bf4
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
After migration to PolyGerrit routes are mounted at the root
of the gerrit URL. Particularly these path prefixes are reserved:
"/c/"
"/id/"
"/p/"
"/q/"
"/x/"
and would collide with project namespaces, so that the project with
these prefixes cannot be served with Git over HTTP protocol.
Particularly, the /x prefix restriction is very painful, because quite
some gerrit users in the wild are using this prefix in their project
names and have problem to update to newer Gerrit releases.
To rectify exclude the serving of PolyGerrit assets for git requests.
Bug: Issue 13721
Change-Id: Ieb6e9ddab1383fad32ae1763e3a19f03d3a46d01
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Change-Id: I2a56197ee0 has broken existing Python (or other)
scripting when performing automation with Gerrit REST-API.
That is due to the generation of the GerritAccount cookie in
the HTTP response, which Python automatically manages
to reuse in subsequent calls.
Gerrit REST-API have a stricter requirement for incoming calls
that are not GET or HEAD requests: they need the X-Gerrit-Auth
HTTP header matching the associated attribute in the user's session.
When the X-Gerrit-Auth header isn't there OR does not correspond
to the user's session, the REST-API execution fails with
403 FORBIDDEN even though the user has an active session associated
with the cookie.
Python has no way to manage that logic out of the box and therefore
it is the responsibility of the Gerrit backend to request explicit
authentication when the incoming call isn't from a Git/HTTP client.
For the Git/HTTP requests instead, the requirement for X-Gerrit-Auth
isn't there and therefore, the current cookie-based authentication can
continue to be used as usual and won't cause any trouble.
Bug: Issue 14553
Change-Id: I62a7a59b07333eeb1a36d4a6b8b67edd5da76440
|
| | |
| | |
| | |
| | |
| | |
| | | |
With 30 seconds timeout the test appears to be flaky.
Change-Id: Icc900ad6f108221d2e2dabb7e05c12d6772bd88b
|
| | |
| | |
| | |
| | | |
Change-Id: Icae8468aec805a75aa9092bca58c7070b396e025
|
| | |\
| | | |
| | | |
| | | | |
stable-3.1
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Similar to Ie4fac83928527e0e71b159b9500983234c2261ac which lets one
relocate download_file.py downloaded artifacts by setting the
`GERRIT_CACHE_HOME` environment variable.
The default behavior is unchanged.
Change-Id: I9e223acff29ed4da6fda39589282a107420b9795
|
| | | |
| | | |
| | | |
| | | | |
Change-Id: I79c7a520170f4fd96f1c5ce5173ceb29ea0d0a81
|
| | | |
| | | |
| | | |
| | | | |
Change-Id: I4b79b4ac358eb7ed98542044566fc1a45fb74df2
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Fix a typo and use some variables to avoid repetitions.
Change-Id: I9b3e757717a64e8538d5d05bdb86b3b26c9f363d
(cherry picked from commit 84840881b31b1376873a8dd2c7cc3008d9db9748)
|
| | | |
| | | |
| | | |
| | | |
| | | | |
Change-Id: Ia8421a9ef6f1ad91808bb698769da84022f63973
(cherry picked from commit 9975c3cf96a1fa8d68a6582e57fef235ea208abc)
|
|\| | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* stable-3.2:
Adapt SendMessage of the NoShell command to AsyncCommand type
Update jgit to f2e5bace4841758927d47db7d20e4a6f7353ce57
Change-Id: Ia8b7a15ea7c67cf04887e58cf271c91405e8df31
|
| |\ \ \
| | | |/
| | |/|
| | | |
| | | |
| | | |
| | | | |
* stable-3.1:
Adapt SendMessage of the NoShell command to AsyncCommand type
Change-Id: I86309a2d6912c10e496ba95196d48efca727c4af
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Before this change, the SendMessage class inside the NoShell command
implemented the Command interface. Therefore, the command was using
instances of OutputStream and closing them at the end of the command.
Given that the channel isn't closed at this stage, this produced a
problem as apache-sshd calls the flush method of one of the output
streams. Therefore, the command was hanging and didn't release the
terminal until the user pressed a key.
This change adapts the SendMessage class to an AyncCommand type.
Therefore, the Apache library treats the command as AsyncCommand and
uses the newly introduced I/O streams instead of normal streams. As a
result, the problematic flush call of the output stream doesn't happen,
because the normal output stream is not initialized, instead the I/O
streams are initialized and used.
An integration test is added to verify that the command doesn't hang
indefinitely. It does so by setting a timeout to the command.
Bug: Issue 11142
Change-Id: Ia6ed0d4ee264d2e901eaa17ea444bf715e3b44db
|
| |\ \ \ |
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
This includes the following jgit changes:
003862722 LockFile: create OutputStream only when needed
this fixes "Too many open files" errors when
- fetching repos with many refs [1]
- converting from reftable back to refdir format [2]
540b29bf4 Remove ReftableNumbersNotIncreasingException
[1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=552173
[2] https://bugs.eclipse.org/bugs/show_bug.cgi?id=573328
Change-Id: If29ffa24e3c5ba244578e2b4f1ed74efa6b3a8ba
|
| |\| | | |
|
| | |\ \ \
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
* stable-3.1:
Update jgit to 00386272264f65c41e36406f7c2e9ea6e901276e
Change-Id: I99c797c814deedaa376c0489f242c5aceb260179
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
This includes the following jgit changes:
003862722 LockFile: create OutputStream only when needed
this fixes "Too many open files" errors when
- fetching repos with many refs [1]
- converting from reftable back to refdir format [2]
540b29bf4 Remove ReftableNumbersNotIncreasingException
[1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=552173
[2] https://bugs.eclipse.org/bugs/show_bug.cgi?id=573328
Change-Id: I9382497720484b7520136be94a42b716436e135e
|
|\ \ \ \ \ \ |
|
| |\| | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
* stable-3.2:
Fix registration redirect on OpenID
Update jgit to 00386272264f65c41e36406f7c2e9ea6e901276e
Log when a new SSH connection is rejected due to exceeded limit
Change-Id: I2646bbfcc7ae4f23d8e92db071c2895f8fc4998d
|
| | |\ \ \ \ \
| | | |/ / / /
| | |/| | | /
| | | | |_|/
| | | |/| |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
* stable-3.1:
Fix registration redirect on OpenID
Update jgit to 00386272264f65c41e36406f7c2e9ea6e901276e
Log when a new SSH connection is rejected due to exceeded limit
Change-Id: Ibbf94b2eff60cc08ee437873a1a335e9e6a413ed
|
| | | | |/
| | | |/|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
For polygerrit, the default URL for anonymous is:
http(s)://host/q/status:open+-is:wip
When authenticating via OpenID, a new redirect URL is constructed and
the following is produced:
http(s)://host/#registerq/status:open+-is:wip
This is obviously wrong and causes a 404. Instead what we want is:
http(s)://host/#register/q/status:open+-is:wip
This patch simply adds that slash.
Change-Id: I06cf37df2771223b02af984f45d961de3cf19a92
|
| | | |\ \
| | | | |/
| | | |/|
| | | | | |
stable-3.1
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
When the sshd.maxConnectionsPer got exceeded for a user, new connections
from that user were rejected but we had no trace of that rejection in
our logs.
Log a warning in the error_log for this event. This should help Gerrit
admins in troubleshooting SSH connectivity issues.
Change-Id: Id931f68374afb67a5bef91afbc98a3efbe16b38a
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
This version fixes "Too many open files" errors when
- fetching repos with many refs [1]
- converting from reftable back to refdir format [2]
[1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=552173
[2] https://bugs.eclipse.org/bugs/show_bug.cgi?id=573328
Change-Id: Idf5cc9921ab2bc21e67af8e546422c8933195cde
|
|/ / / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Add more details on how the security fixes are supposed to
be validated by the Gerrit-CI.
Change-Id: Ie67512df229110cc2b88d9f3192f86efabb5f09a
|
|\| | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* stable-3.2:
Allow GerritAccount Cookie authentication for Git/HTTP
Change-Id: I17f7112d837f93330579ed5da5886b43a3108566
|
| |\| |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* stable-3.1:
Allow GerritAccount Cookie authentication for Git/HTTP
Also, add //lib/bouncycastle:bcprov to the HTTP unit tests
to allow testing of the Git/HTTP basic authentication
with user/pass validation against the one stored in
the account external id.
Change-Id: I282db1ca5720b4e32c6ee5e0547740dfc68d6d91
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Since the introduction of basic auth with Change-Id: Ibe589ab2b0,
the mechanism of keeping a session (it was a digest before)
across calls has not been preserved and the basic-auth implementation
resulted in multiple authentications with the configured realm.
Triggering a full authentication handshake could be an
issue when using potentially expensive authentication backends
like LDAP.
Allow to create a Gerrit session from the GerritAccount
cookie set on the Git client, so that only the first HTTP call
will actually authenticate and create a session whilst all
the others would just reuse the existing cookie.
The Git client needs to have HTTP cookies enabled by setting
the http.cookieFile in Git config pointing to a local
file. For keeping HTTP cookies across Git/HTTP commands, the
extra http.saveCookie Git config variable needs to be set to
true.
Previously all Git/HTTP requests were ignored for parsing
the GerritAccount cookie whilst now they are excluded only when
the account token is passed as URL parameter. This problem was
there since the very beginning of the introduction of Git/HTTP
basic auth.
NOTE: Gerrit does not generate HTTP cookies when using
password-based authentication against the external-ids rather
than using the realm: that is expected because it would not
be correct to allocate a cookie when a real authentication
against the realm has not been performed, therefore the
cookie-based authentication for Git/HTTP would not be
available.
Bug: Issue 14508
Change-Id: I2a56197ee0dad479f0973192157e5970d9deac25
|
|\| | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* stable-3.2:
download_file: download to GERRIT_CACHE_HOME when set
Avoid multiple auth requests for Git/HTTP access
Add unit-tests for ProjectBasicAuthFilter
Change-Id: Ic5a0f60ee33f1ee510a7285ac85280251a179c45
|
| |\| |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* stable-3.1:
download_file: download to GERRIT_CACHE_HOME when set
Avoid multiple auth requests for Git/HTTP access
Add unit-tests for ProjectBasicAuthFilter
Change-Id: Ie5d537d4638d7067573a3baa6e3309ee75ac0818
|
| | |\ \ |
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
When building a plugin as user `nobody`, download_file is unable to
write the artifacts to the cache since the user does not have a home
directory. For a CI build I also need to be set the cache directory to
a predetermined value.
Introduce the optional `GERRIT_CACHE_HOME` environment variable to
support relocating downloaded artifacts. When the environment variable
is not set, behavior is unchanged.
Update documentation to mention support for `GERRIT_CACHE_HOME`. While at
it, explain how to override the bazel repository and disk cache, would
have same a bit of time the first time I had to tweak them.
Change-Id: Ie4fac83928527e0e71b159b9500983234c2261ac
|
| | |/ /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
When authenticating incoming Git calls over HTTP
the BasicAuth filter was called 3 times per call
triggering multiple authentications against the backend.
Example: Git protocol v1 triggering 2x HTTP calls,
one for refs-advertisement and another for upload-pack
was generating 6x authentication requests.
When the backend is Gerrit's HTTP password authentication
the operation is quite fast making the impact of the extra
authentications negligible. However, when authenticating
against a slower backend (e.g. corporate LDAP with groups
resolution) the extra authentication calls were introducing
unneeded latency and generating extra workload to the
LDAP server.
NOTE: It is still not possible to have one single authenticated
session for multiple HTTP calls, because of the lack of
support for GerritAccount cookie from the ProjectBasicAuthFilter.
The next follow-up change is focused in solving that problem
specifically, bringing the number of authentication requests
to one.
Bug: Issue 14497
Change-Id: Ibe41df0357b6be10bcdf0bd1f5a1b6160c34d4a4
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The Git/HTTP authentication filter did not have
any test coverage: add some initial tests for verifying
the main use-cases.
Change-Id: Ib9abf133d2128b6a29751ecbeda26b0b43115bb3
|
|\| | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* stable-3.2:
Introduce LDAP metrics
Fix EqualsLabelPredicate to not fail when calling match() from a plugin
Respect auth.userNameToLowerCase when creating accounts via REST or SSH
Also fix PredicateIT tests by removing the redundant class MyInfo which
conflicted with the message field of its superclass PluginDefinedInfo and
therefore was failing when converted to JSON.
Change-Id: I68ce2ee9eb04f044378ba4fc0bac8bcea9cd7f1c
|
| |\| |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* stable-3.1:
Introduce LDAP metrics
Respect auth.userNameToLowerCase when creating accounts via REST or SSH
Also rename the import of c.g.g.acceptance.GerritConfig
to c.g.g.acceptance.config.GerritConfig.
Change-Id: I1766105ce83e1a63bbdcc5afc9c422f212e16365
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
LDAP performance can have a massive impact on
the overall responsiveness and latency of Gerrit API.
Expose the LDAP metrics in terms of latency and call rates
so that any problem can be highlighted early on and
potentially alerted to the Gerrit admin.
Bug: Issue 14490
Change-Id: I18e5d5b797b272ca11a6745bc39dcd73cab68c34
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The CreateAccount SSH command and REST API was able to create accounts
with usernames that contained uppercase letters even if
auth.userNameToLowerCase was set to true. However, such a user could
never log in. The username should be all lower case in the notedb
as it is done for accounts created during login with an IDP like
LDAP, if ldap.localUsernameToLowerCase is set.
If no display name (input.name) is set, the originally provided
username will be used as a display name to conserve capitalization
in the UI.
Bug: Issue 14246
Change-Id: If0f120f188e9f5bdf8008c4e66a55568180e7351
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Calling match() on the EqualsLabelPredicate returned from
ChangeQueryBuilder.parse() in a plugin fails when in the context of an
HTTP query. In HTTP query workflow, ChangeData lazyLoad flag is being
set to true when certain conditions are met. But in SSH workflow,
ChangeData lazyLoad flag is always set to true. Due to this reason,
we observe the issue only through a HTTP query. In [1], ChangeControl
was modified to use ChangeNotes, but EqualsLabelPredicate wasn't
updated to always load ChangeNotes in order to check permissions for
approvers. Fix this issue by setting ChangeData lazy load to true
within match() in EqualsLabelPredicate.
Also write integration tests for Label Predicate to ensure it continues
to work as expected. In this test setup, plugin named "my-plugin"
defines a --sample switch which calls match() on the predicate received
from ChangeQueryBuilder.parse() which parses a Label operator query.
[1] Iac176b8e55e https://gerrit-review.googlesource.com/246154
Change-Id: Icd2541fe26c18a8e61ce855862e0c9814a91f5ef
|
|\ \ \ \ |
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Gerrit stream-events have never been systematically
tested before, giving the possibility to accidentally break
external integrations (e.g. Jenkins, Zuul or any other CI system)
without being noticed by the automatic change validation.
Create an initial scaffolding for enabling future versions of
Gerrit to benefit from automated acceptance tests of the
expected stream events outcome of Gerrit operations.
Bug: Issue 13799
Change-Id: I6987d413ba911039e56950425b501573b4555204
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
* Sort node_modules licenses by license name
* Add options to ignore nested directories in a package. Some
packages (for example, rxjs) adds fake package.json to nested dirs.
It should be possible to ignore such packages.
Bug: Issue 14175
Change-Id: Ifd38a8e3ae7f06354e00aee420f282773b64583a
(cherry picked from commit 1b1ba78f8dc77be4f65141091fd546e0af5c2f54)
|
|\ \ \ \ \
| | |/ / /
| |/| | |
| | | | |
| | | | |
| | | | |
| | | | | |
* stable-3.2:
Fix typo in hashtags docs
Change-Id: I0732bcef5775901d2d930839fef72f48796ec328
|
| |\ \ \ \
| | | |/ /
| | |/| |
| | | | |
| | | | |
| | | | |
| | | | | |
* stable-3.1:
Fix typo in hashtags docs
Change-Id: Ic9025a6cedcc4ecf8b5c0a27237a1e566d4fc172
|