commit | 82cd64b4044f1887c6d82c4d97450703e7e318fc | [log] [tgz] |
---|---|---|
author | Jacek Centkowski <jcentkowski@collab.net> | Fri Feb 22 14:10:06 2019 +0100 |
committer | Jacek Centkowski <jcentkowski@collab.net> | Mon Feb 25 11:51:05 2019 +0100 |
tree | 2d2dbae87654e32792423f5aca33738155e2baad | |
parent | e238e4ebe1550026be16a490889f972c09fe2935 [diff] |
Allow LFS-over-SSH created auth pass through ContainerAuthFilter Issue: When LFS operation is initiated through the SSH LFS client receives auth token and uses it to perform requested operation e.g.: POST /gerrit/test-org/test-no-block/info/lfs/objects/batch Authorization: Ssh: ... Content-Type: application/vnd.git-lfs+json; charset=utf-8 { "operation":"upload","objects"... } ContainerAuthFilter searches for existing user but none of the containers can perform successful LFS auth (as it is deeply buried in the plugin internals) therefore typically it is configured to let it go through to eventually fail in the filter with: 403 Forbidden Solution: Modify ContainerAuthFilter so that it returns 'true' when Content-Type indicates LFS request is against LFS and Authorization header value starts with "Ssh: " string (similarly to ProjectBasicAuthFilter when it doesn't start with "Basic "). Rationale: ContainerAuthFilter is installed for requests that either go through /a/* (authorised path) or to LFS (note that LFS over HTTP sends auth token even when request is not `/a/` prefixed - hence user can be obtained from request with the first call without sending 401 back and re-sending request with `/a/` prefix. In terms of LFS over SSH it is again request against LFS but in this case it has `Ssh: ` based auth token that is not recognized by filter and results in 403. This change is safe as it introduces exception only for LFS requests that rely on internal LFS auth anyway. Change-Id: Ia886dc284c8ded9c21a5b9f57628f228c1e691f0 Signed-off-by: Jacek Centkowski <jcentkowski@collab.net>
Gerrit is a code review and project management tool for Git based projects.
Gerrit makes reviews easier by showing changes in a side-by-side display, and allowing inline comments to be added by any reviewer.
Gerrit simplifies Git based project maintainership by permitting any authorized user to submit changes to the master Git repository, rather than requiring all approved changes to be merged in by hand by the project maintainer.
For information about how to install and use Gerrit, refer to the documentation.
Our canonical Git repository is located on googlesource.com. There is a mirror of the repository on Github.
Please report bugs on the issue tracker.
Gerrit is the work of hundreds of contributors. We appreciate your help!
Please read the contribution guidelines.
Note that we do not accept Pull Requests via the Github mirror.
The IRC channel on freenode is #gerrit. An archive is available at: echelog.com.
The Developer Mailing list is repo-discuss on Google Groups.
Gerrit is provided under the Apache License 2.0.
Install Bazel and run the following:
git clone --recursive https://gerrit.googlesource.com/gerrit cd gerrit && bazel build release
The instruction how to configure GerritForge/BinTray repositories is here
On Debian/Ubuntu run:
apt-get update & apt-get install gerrit=<version>-<release>
NOTE: release is a counter that starts with 1 and indicates the number of packages that have been released with the same version of the software.
On CentOS/RedHat run:
yum clean all && yum install gerrit-<version>[-<release>]
On Fedora run:
dnf clean all && dnf install gerrit-<version>[-<release>]
Docker images of Gerrit are available on DockerHub
To run a CentOS 7 based Gerrit image:
docker run -p 8080:8080 gerritforge/gerrit-centos7[:version]
To run a Ubuntu 15.04 based Gerrit image:
docker run -p 8080:8080 gerritforge/gerrit-ubuntu15.04[:version]
NOTE: release is optional. Last released package of the version is installed if the release number is omitted.