Google Git
Sign in
gerrit / gerrit / 82cd64b4044f1887c6d82c4d97450703e7e318fc
commit82cd64b4044f1887c6d82c4d97450703e7e318fc[log] [tgz]
authorJacek Centkowski <jcentkowski@collab.net>Fri Feb 22 14:10:06 2019 +0100
committerJacek Centkowski <jcentkowski@collab.net>Mon Feb 25 11:51:05 2019 +0100
tree2d2dbae87654e32792423f5aca33738155e2baad
parente238e4ebe1550026be16a490889f972c09fe2935 [diff]
Allow LFS-over-SSH created auth pass through ContainerAuthFilter

Issue:
When LFS operation is initiated through the SSH LFS client receives auth
token and uses it to perform requested operation e.g.:

  POST /gerrit/test-org/test-no-block/info/lfs/objects/batch
  Authorization: Ssh: ...
  Content-Type: application/vnd.git-lfs+json; charset=utf-8
  {
    "operation":"upload","objects"...
  }

ContainerAuthFilter searches for existing user but none of the
containers can perform successful LFS auth (as it is deeply buried in
the plugin internals) therefore typically it is configured to let it go
through to eventually fail in the filter with:

  403 Forbidden

Solution:
Modify ContainerAuthFilter so that it returns 'true' when Content-Type
indicates LFS request is against LFS and Authorization header value
starts with "Ssh: " string (similarly to ProjectBasicAuthFilter when
it doesn't start with "Basic ").

Rationale:
ContainerAuthFilter is installed for requests that either go through
/a/* (authorised path) or to LFS (note that LFS over HTTP sends
auth token even when request is not `/a/` prefixed - hence user
can be obtained from request with the first call without sending
401 back and re-sending request with `/a/` prefix.
In terms of LFS over SSH it is again request against LFS but in this
case it has `Ssh: ` based auth token that is not recognized by
filter and results in 403.

This change is safe as it introduces exception only for LFS requests
that rely on internal LFS auth anyway.

Change-Id: Ia886dc284c8ded9c21a5b9f57628f228c1e691f0
Signed-off-by: Jacek Centkowski <jcentkowski@collab.net>
2 files changed
tree: 2d2dbae87654e32792423f5aca33738155e2baad
  1. .settings/
  2. contrib/
  3. Documentation/
  4. gerrit-acceptance-framework/
  5. gerrit-acceptance-tests/
  6. gerrit-cache-h2/
  7. gerrit-cache-mem/
  8. gerrit-common/
  9. gerrit-elasticsearch/
  10. gerrit-extension-api/
  11. gerrit-gpg/
  12. gerrit-gwtdebug/
  13. gerrit-gwtexpui/
  14. gerrit-gwtui/
  15. gerrit-gwtui-common/
  16. gerrit-httpd/
  17. gerrit-index/
  18. gerrit-launcher/
  19. gerrit-lucene/
  20. gerrit-main/
  21. gerrit-oauth/
  22. gerrit-openid/
  23. gerrit-patch-commonsnet/
  24. gerrit-patch-jgit/
  25. gerrit-pgm/
  26. gerrit-plugin-api/
  27. gerrit-plugin-gwtui/
  28. gerrit-prettify/
  29. gerrit-reviewdb/
  30. gerrit-server/
  31. gerrit-sshd/
  32. gerrit-test-util/
  33. gerrit-util-cli/
  34. gerrit-util-http/
  35. gerrit-util-ssl/
  36. gerrit-war/
  37. lib/
  38. plugins/
  39. polygerrit-ui/
  40. ReleaseNotes/
  41. tools/
  42. website/
  43. .bazelproject
  44. .bazelrc
  45. .editorconfig
  46. .git-blame-ignore-revs
  47. .gitignore
  48. .gitmodules
  49. .mailmap
  50. .pydevproject
  51. 0001-Replace-native-http-git-_archive-with-Skylark-rules.patch
  52. BUILD
  53. COPYING
  54. INSTALL
  55. README.md
  56. SUBMITTING_PATCHES
  57. version.bzl
  58. WORKSPACE
README.md

Gerrit Code Review

Gerrit is a code review and project management tool for Git based projects.

Build Status

Objective

Gerrit makes reviews easier by showing changes in a side-by-side display, and allowing inline comments to be added by any reviewer.

Gerrit simplifies Git based project maintainership by permitting any authorized user to submit changes to the master Git repository, rather than requiring all approved changes to be merged in by hand by the project maintainer.

Documentation

For information about how to install and use Gerrit, refer to the documentation.

Source

Our canonical Git repository is located on googlesource.com. There is a mirror of the repository on Github.

Reporting bugs

Please report bugs on the issue tracker.

Contribute

Gerrit is the work of hundreds of contributors. We appreciate your help!

Please read the contribution guidelines.

Note that we do not accept Pull Requests via the Github mirror.

Getting in contact

The IRC channel on freenode is #gerrit. An archive is available at: echelog.com.

The Developer Mailing list is repo-discuss on Google Groups.

License

Gerrit is provided under the Apache License 2.0.

Build

Install Bazel and run the following:

    git clone --recursive https://gerrit.googlesource.com/gerrit
    cd gerrit && bazel build release

Install binary packages (Deb/Rpm)

The instruction how to configure GerritForge/BinTray repositories is here

On Debian/Ubuntu run:

    apt-get update & apt-get install gerrit=<version>-<release>

NOTE: release is a counter that starts with 1 and indicates the number of packages that have been released with the same version of the software.

On CentOS/RedHat run:

    yum clean all && yum install gerrit-<version>[-<release>]

On Fedora run:

    dnf clean all && dnf install gerrit-<version>[-<release>]

Use pre-built Gerrit images on Docker

Docker images of Gerrit are available on DockerHub

To run a CentOS 7 based Gerrit image:

    docker run -p 8080:8080 gerritforge/gerrit-centos7[:version]

To run a Ubuntu 15.04 based Gerrit image:

    docker run -p 8080:8080 gerritforge/gerrit-ubuntu15.04[:version]

NOTE: release is optional. Last released package of the version is installed if the release number is omitted.