Require admin server capability to get data

Deny anonymous and general user access to the Gerrit support
data as it may contain sensitive or confidential information
about the system and the Gerrit changes' data.

Require authentication from a user who has been granted
server administration permissions.

Change-Id: I745698156051bda396cafc74b64b486a7ff4220c
diff --git a/src/main/scala/com/googlesource/gerrit/plugins/support/GerritSupportServlet.scala b/src/main/scala/com/googlesource/gerrit/plugins/support/GerritSupportServlet.scala
index 019d84c..be70f84 100644
--- a/src/main/scala/com/googlesource/gerrit/plugins/support/GerritSupportServlet.scala
+++ b/src/main/scala/com/googlesource/gerrit/plugins/support/GerritSupportServlet.scala
@@ -16,23 +16,27 @@
 
 package com.googlesource.gerrit.plugins.support
 
-import java.io.{ File, FileNotFoundException }
+import java.io.{File, FileNotFoundException}
 
 import com.google.gerrit.extensions.annotations._
-import com.google.inject.{ Inject, Singleton }
+import com.google.gerrit.server.CurrentUser
+import com.google.inject.{Inject, Provider, Singleton}
 import eu.medsea.mimeutil.detector.ExtensionMimeDetector
 import org.scalatra._
 import org.scalatra.util.Mimes
 
 import scala.collection.JavaConversions._
-import scala.util.{ Failure, Success, Try }
+import scala.util.{Failure, Success}
 
 @Singleton
 @Export("/collect*")
-class GerritSupportServlet @Inject() (processor: RequestProcessor, bundleFactory: SupportBundleFile, mimeDetector: ExtensionMimeDetector)
+class GerritSupportServlet @Inject() (val processor: RequestProcessor,
+                                      bundleFactory: SupportBundleFile,
+                                      mimeDetector: ExtensionMimeDetector,
+                                      currentUserProvider: Provider[CurrentUser])
     extends ScalatraServlet with Mimes {
 
-  post("/") {
+  post("/") (requireAdministrateServerPermissions {
     processor.processRequest(request.body) match {
       case Success(zipped) =>
         Created("OK", Map(
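Review bot: Adding `val` to `processor` in the constructor makes it a public member of the servlet, and nothing visible in this diff reads it from outside the class. If the intent is test access, `private[support] val processor: RequestProcessor` keeps the request processor off the servlet's public surface; otherwise drop the `val`. The `post("/")` body continues past the end of this hunk.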
@@ -40,9 +44,9 @@
       case Failure(e) =>
         InternalServerError(reason = e.getLocalizedMessage)
     }
-  }
+  })
 
-  get("/:filename") {
+  get("/:filename") (requireAdministrateServerPermissions {
     val bundleFilename = params.getOrElse("filename", halt(BadRequest("Missing or invalid bundle name")))
 
     bundleFactory(bundleFilename) match {
@@ -54,6 +58,13 @@
       case Failure(e: IllegalArgumentException) => BadRequest("Invalid bundle name")
 
     }
+  })
+
+  private def requireAdministrateServerPermissions(block: => ActionResult) = {
+    currentUserProvider.get match {
+      case user if user.isIdentifiedUser && user.getCapabilities.canAdministrateServer => block
+      case _ => Forbidden("ACCESS DENIED TO NON-ADMINS")
+    }
   }
 
   private def mimeType(filename: String) = mimeDetector.getMimeTypes(filename)
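Review bot: `requireAdministrateServerPermissions` only protects the routes because `block` is a by-name parameter, so the route body never runs for a denied caller, but nothing in the code records that and the result type is left to inference. I would declare it as `private def requireAdministrateServerPermissions(block: => ActionResult): ActionResult` and add a comment such as `// block must stay by-name: it is evaluated only after the capability check passes`. The `case _` branch returns the same 403 to anonymous and non-admin callers, which matches the commit message, but the refusal is not logged anywhere in this hunk. Logging the denied caller and request path there would leave operators a trail of attempts to reach support bundles. The enclosing class starts outside this hunk.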