From 7a1980e9e558e03ae8238127c4703fe6b7d7e480 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sa=C5=A1a=20=C5=BDivkov?= Date: Mon, 1 Feb 2021 15:49:55 +0100 Subject: Log when a new SSH connection is rejected due to exceeded limit When the sshd.maxConnectionsPer got exceeded for a user, new connections from that user were rejected but we had no trace of that rejection in our logs. Log a warning in the error_log for this event. This should help Gerrit admins in troubleshooting SSH connectivity issues. Change-Id: Id931f68374afb67a5bef91afbc98a3efbe16b38a --- .../sshd/LogMaxConnectionsPerUserExceeded.java | 42 ++++++++++++++++++++++ java/com/google/gerrit/sshd/SshDaemon.java | 4 ++- 2 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 java/com/google/gerrit/sshd/LogMaxConnectionsPerUserExceeded.java diff --git a/java/com/google/gerrit/sshd/LogMaxConnectionsPerUserExceeded.java b/java/com/google/gerrit/sshd/LogMaxConnectionsPerUserExceeded.java new file mode 100644 index 0000000000..6f568b1a5b --- /dev/null +++ b/java/com/google/gerrit/sshd/LogMaxConnectionsPerUserExceeded.java @@ -0,0 +1,42 @@ +// Copyright (C) 2021 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.google.gerrit.sshd; + +import com.google.common.flogger.FluentLogger; +import com.google.inject.Singleton; +import java.io.IOException; +import org.apache.sshd.common.Service; +import org.apache.sshd.common.session.Session; +import org.apache.sshd.common.session.SessionDisconnectHandler; + +@Singleton +public class LogMaxConnectionsPerUserExceeded implements SessionDisconnectHandler { + private static final FluentLogger logger = FluentLogger.forEnclosingClass(); + + @Override + public boolean handleSessionsCountDisconnectReason( + Session session, + Service service, + String username, + int currentSessionCount, + int maxSessionCount) + throws IOException { + logger.atWarning().log( + "Max connection count for user %s exceeded, rejecting new connection." + + " currentSessionCount = %d, maxSessionCount = %d", + username, currentSessionCount, maxSessionCount); + return false; + } +} diff --git a/java/com/google/gerrit/sshd/SshDaemon.java b/java/com/google/gerrit/sshd/SshDaemon.java index a1c057ffc0..f04ff7eadd 100644 --- a/java/com/google/gerrit/sshd/SshDaemon.java +++ b/java/com/google/gerrit/sshd/SshDaemon.java @@ -160,7 +160,8 @@ public class SshDaemon extends SshServer implements SshInfo, LifecycleListener { SshLog sshLog, @SshListenAddresses List listen, @SshAdvertisedAddresses List advertised, - MetricMaker metricMaker) { + MetricMaker metricMaker, + LogMaxConnectionsPerUserExceeded logMaxConnectionsPerUserExceeded) { setPort(IANA_SSH_PORT /* never used */); this.cfg = cfg; @@ -240,6 +241,7 @@ public class SshDaemon extends SshServer implements SshInfo, LifecycleListener { setKeyPairProvider(hostKeyProvider); setCommandFactory(commandFactory); setShellFactory(noShell); + setSessionDisconnectHandler(logMaxConnectionsPerUserExceeded); final AtomicInteger connected = new AtomicInteger(); metricMaker.newCallbackMetric( -- cgit v1.2.3 From 778bc9d10930ce4b81b9ce3d8b349522195a51a4 Mon Sep 17 00:00:00 2001 From: Matthias Sohn Date: Tue, 11 May 2021 10:29:57 +0200 Subject: Update jgit to 00386272264f65c41e36406f7c2e9ea6e901276e This version fixes "Too many open files" errors when - fetching repos with many refs [1] - converting from reftable back to refdir format [2] [1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=552173 [2] https://bugs.eclipse.org/bugs/show_bug.cgi?id=573328 Change-Id: Idf5cc9921ab2bc21e67af8e546422c8933195cde --- modules/jgit | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/jgit b/modules/jgit index c9d871f15d..0038627226 160000 --- a/modules/jgit +++ b/modules/jgit @@ -1 +1 @@ -Subproject commit c9d871f15d4daa4ab959b34d2a0759016e415643 +Subproject commit 00386272264f65c41e36406f7c2e9ea6e901276e -- cgit v1.2.3 From b23b7e82936f37e76e352e70ea15b5afbd8e319e Mon Sep 17 00:00:00 2001 From: Diogo Ferreira Date: Tue, 18 Aug 2020 12:43:20 +0100 Subject: Fix registration redirect on OpenID For polygerrit, the default URL for anonymous is: http(s)://host/q/status:open+-is:wip When authenticating via OpenID, a new redirect URL is constructed and the following is produced: http(s)://host/#registerq/status:open+-is:wip This is obviously wrong and causes a 404. Instead what we want is: http(s)://host/#register/q/status:open+-is:wip This patch simply adds that slash. Change-Id: I06cf37df2771223b02af984f45d961de3cf19a92 --- java/com/google/gerrit/httpd/auth/openid/OpenIdServiceImpl.java | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/java/com/google/gerrit/httpd/auth/openid/OpenIdServiceImpl.java b/java/com/google/gerrit/httpd/auth/openid/OpenIdServiceImpl.java index be975c5e99..b685011744 100644 --- a/java/com/google/gerrit/httpd/auth/openid/OpenIdServiceImpl.java +++ b/java/com/google/gerrit/httpd/auth/openid/OpenIdServiceImpl.java @@ -477,8 +477,9 @@ class OpenIdServiceImpl { final StringBuilder rdr = new StringBuilder(); rdr.append(urlProvider.get(req)); String nextToken = Url.decode(token); - if (isNew && !token.startsWith(PageLinks.REGISTER + "/")) { - rdr.append('#' + PageLinks.REGISTER); + String registerUri = PageLinks.REGISTER + "/"; + if (isNew && !token.startsWith(registerUri)) { + rdr.append('#' + registerUri); if (nextToken.startsWith("#")) { // Need to strip the leading # off the token to fix registration page redirect nextToken = nextToken.substring(1); -- cgit v1.2.3