Merge changes Iba3a674f,I8ed3f12e,Id6617817 into stable-2.14 * changes: InitSshd: Use correct flag to set empty passphrase SshSession: Specify charset in constructor of Scanner Specify charset in constructors of InputStreamReader
diff --git a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/GerritAuthModule.java b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/GerritAuthModule.java new file mode 100644 index 0000000..c0ef207 --- /dev/null +++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/GerritAuthModule.java
@@ -0,0 +1,55 @@ +// Copyright (C) 2018 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.google.gerrit.httpd; + +import static com.google.gerrit.extensions.api.lfs.LfsDefinitions.LFS_URL_WO_AUTH_REGEX; + +import com.google.gerrit.extensions.client.GitBasicAuthPolicy; +import com.google.gerrit.server.config.AuthConfig; +import com.google.inject.Inject; +import com.google.inject.servlet.ServletModule; +import javax.servlet.Filter; + +/** Configures filter for authenticating REST requests. */ +public class GerritAuthModule extends ServletModule { + private static final String NOT_AUTHORIZED_LFS_URL_REGEX = "^(?:(?!/a/))" + LFS_URL_WO_AUTH_REGEX; + private final AuthConfig authConfig; + + @Inject + GerritAuthModule(AuthConfig authConfig) { + this.authConfig = authConfig; + } + + @Override + protected void configureServlets() { + Class<? extends Filter> authFilter = retreiveAuthFilterFromConfig(authConfig); + + filterRegex(NOT_AUTHORIZED_LFS_URL_REGEX).through(authFilter); + filter("/a/*").through(authFilter); + } + + static Class<? extends Filter> retreiveAuthFilterFromConfig(AuthConfig authConfig) { + Class<? extends Filter> authFilter; + if (authConfig.isTrustContainerAuth()) { + authFilter = ContainerAuthFilter.class; + } else { + authFilter = + authConfig.getGitBasicAuthPolicy() == GitBasicAuthPolicy.OAUTH + ? ProjectOAuthFilter.class + : ProjectBasicAuthFilter.class; + } + return authFilter; + } +}
diff --git a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/GitOverHttpModule.java b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/GitOverHttpModule.java index 3f3737d..8400d60 100644 --- a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/GitOverHttpModule.java +++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/GitOverHttpModule.java
@@ -14,20 +14,16 @@ package com.google.gerrit.httpd; -import static com.google.gerrit.extensions.api.lfs.LfsDefinitions.LFS_URL_WO_AUTH_REGEX; +import static com.google.gerrit.httpd.GitOverHttpServlet.URL_REGEX; -import com.google.gerrit.extensions.client.GitBasicAuthPolicy; import com.google.gerrit.reviewdb.client.CoreDownloadSchemes; import com.google.gerrit.server.config.AuthConfig; import com.google.gerrit.server.config.DownloadConfig; import com.google.inject.Inject; import com.google.inject.servlet.ServletModule; -import javax.servlet.Filter; /** Configures Git access over HTTP with authentication. */ public class GitOverHttpModule extends ServletModule { - private static final String NOT_AUTHORIZED_LFS_URL_REGEX = "^(?:(?!/a/))" + LFS_URL_WO_AUTH_REGEX; - private final AuthConfig authConfig; private final DownloadConfig downloadConfig; @@ -39,28 +35,10 @@ @Override protected void configureServlets() { - Class<? extends Filter> authFilter; - if (authConfig.isTrustContainerAuth()) { - authFilter = ContainerAuthFilter.class; - } else { - authFilter = - authConfig.getGitBasicAuthPolicy() == GitBasicAuthPolicy.OAUTH - ? ProjectOAuthFilter.class - : ProjectBasicAuthFilter.class; + if (downloadConfig.getDownloadSchemes().contains(CoreDownloadSchemes.ANON_HTTP) + || downloadConfig.getDownloadSchemes().contains(CoreDownloadSchemes.HTTP)) { + filterRegex(URL_REGEX).through(GerritAuthModule.retreiveAuthFilterFromConfig(authConfig)); + serveRegex(URL_REGEX).with(GitOverHttpServlet.class); } - - if (isHttpEnabled()) { - String git = GitOverHttpServlet.URL_REGEX; - filterRegex(git).through(authFilter); - serveRegex(git).with(GitOverHttpServlet.class); - } - - filterRegex(NOT_AUTHORIZED_LFS_URL_REGEX).through(authFilter); - filter("/a/*").through(authFilter); - } - - private boolean isHttpEnabled() { - return downloadConfig.getDownloadSchemes().contains(CoreDownloadSchemes.ANON_HTTP) - || downloadConfig.getDownloadSchemes().contains(CoreDownloadSchemes.HTTP); } }
diff --git a/gerrit-pgm/src/main/java/com/google/gerrit/pgm/Daemon.java b/gerrit-pgm/src/main/java/com/google/gerrit/pgm/Daemon.java index d6ae6e1..8327513 100644 --- a/gerrit-pgm/src/main/java/com/google/gerrit/pgm/Daemon.java +++ b/gerrit-pgm/src/main/java/com/google/gerrit/pgm/Daemon.java
@@ -24,6 +24,7 @@ import com.google.gerrit.extensions.client.AuthType; import com.google.gerrit.gpg.GpgModule; import com.google.gerrit.httpd.AllRequestFilter; +import com.google.gerrit.httpd.GerritAuthModule; import com.google.gerrit.httpd.GetUserFilter; import com.google.gerrit.httpd.GitOverHttpModule; import com.google.gerrit.httpd.H2CacheBasedWebSession; @@ -513,10 +514,11 @@ modules.add(new ProjectQoSFilter.Module()); } modules.add(RequestContextFilter.module()); - modules.add(AllRequestFilter.module()); modules.add(RequestMetricsFilter.module()); modules.add(H2CacheBasedWebSession.module()); + modules.add(sysInjector.getInstance(GerritAuthModule.class)); modules.add(sysInjector.getInstance(GitOverHttpModule.class)); + modules.add(AllRequestFilter.module()); modules.add(sysInjector.getInstance(WebModule.class)); modules.add(sysInjector.getInstance(RequireSslFilter.Module.class)); modules.add(new HttpPluginModule());
diff --git a/gerrit-war/src/main/java/com/google/gerrit/httpd/WebAppInitializer.java b/gerrit-war/src/main/java/com/google/gerrit/httpd/WebAppInitializer.java index 8bc091a..4815366 100644 --- a/gerrit-war/src/main/java/com/google/gerrit/httpd/WebAppInitializer.java +++ b/gerrit-war/src/main/java/com/google/gerrit/httpd/WebAppInitializer.java
@@ -401,9 +401,10 @@ private Injector createWebInjector() { final List<Module> modules = new ArrayList<>(); modules.add(RequestContextFilter.module()); - modules.add(AllRequestFilter.module()); modules.add(RequestMetricsFilter.module()); + modules.add(sysInjector.getInstance(GerritAuthModule.class)); modules.add(sysInjector.getInstance(GitOverHttpModule.class)); + modules.add(AllRequestFilter.module()); modules.add(sysInjector.getInstance(WebModule.class)); modules.add(sysInjector.getInstance(RequireSslFilter.Module.class)); if (sshInjector != null) {