Audit: fetch current user and sessionId at the beginning of the REST API
Before this change, the current user and sessionId for the audit
trail of the REST API were fetched at the end of the execution.
For regular REST API execution, there are no specific issues in fetching
user and sessionId at any time; however, when running the plugin-reload
API, the Guice injections can be amended and influenced by the plugin
loader, therefore the request to fetch the sessionId and user at the
end of the API may fail, assuming that the plugin has impacted
the HTTP-related injections.
An example of the failure to reload the pull-replication plugin is:
1) [Guice/ErrorInCustomProvider]: OutOfScopeException:
Cannot access scoped [WebSession]. Either we are not currently inside
an HTTP Servlet request, or you may have forgotten to apply
GuiceFilter as a servlet filter for this request.
at DynamicItem.bind(DynamicItem.java:111) while locating WebSession
Learn more:
https://github.com/google/guice/wiki/ERROR_IN_CUSTOM_PROVIDER
Retrieve the user and sessionId at the beginning of the REST-API
servlet service method, making sure that the values are the same
across the whole API invocation.
Bug: Issue 388863156
Release-Notes: Fix OutOfScopeException when reloading plugins via REST-API
Change-Id: I8e61044e969bbad0267ddb63a5615936f64094cd
diff --git a/java/com/google/gerrit/httpd/restapi/RestApiServlet.java b/java/com/google/gerrit/httpd/restapi/RestApiServlet.java
index b4acfc0..f1cbc26 100644
--- a/java/com/google/gerrit/httpd/restapi/RestApiServlet.java
+++ b/java/com/google/gerrit/httpd/restapi/RestApiServlet.java
@@ -324,6 +324,8 @@
Object inputRequestBody = null;
RestResource rsrc = TopLevelResource.INSTANCE;
ViewData viewData = null;
+ String sessionId = globals.webSession.get().getSessionId();
+ CurrentUser currentUser = globals.currentUser.get();
try (TraceContext traceContext = enableTracing(req, res)) {
String requestUri = requestUri(req);
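Review bot: the two lookups added above `try (TraceContext traceContext = enableTracing(req, res)) {` run outside the try-with-resources block that follows, so if `globals.webSession.get()` or `globals.currentUser.get()` throws, the exception is raised before tracing is enabled and outside that block. Consider making them the first statements inside the try, or confirm that a failure at this point is acceptable. A one-line comment stating that they are read early because a plugin reload can change the HTTP-scoped bindings would keep someone from inlining them again at the audit call, and declaring both locals `final` would make the intent explicit.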
@@ -759,8 +761,8 @@
metric, System.nanoTime() - startNanos, TimeUnit.NANOSECONDS);
globals.auditService.dispatch(
new ExtendedHttpAuditEvent(
- globals.webSession.get().getSessionId(),
- globals.currentUser.get(),
+ sessionId,
+ currentUser,
req,
auditStartTs,
qp != null ? qp.params() : ImmutableListMultimap.of(),
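Review bot: the `sessionId` and `currentUser` arguments to `ExtendedHttpAuditEvent` are now the values read at the start of the method, so the audit record describes the caller as seen before the request ran, not at dispatch time. That matches the commit message, but it is a behaviour change for the audit trail and the visible diff touches only RestApiServlet.java. Please add a regression test that reloads a plugin through the REST API and asserts that the audit event is dispatched with the expected user and session id.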