Merge branch 'stable-2.14' into stable-2.15 * stable-2.14: Bump required bazel version to 1.0.0rc2 Upgrade bazlets to latest stable-2.14 Change-Id: Ib3ef5836b4953180864a4087b5773ce26166e3ad
diff --git a/WORKSPACE b/WORKSPACE index b8021e7..40b8ab4 100644 --- a/WORKSPACE +++ b/WORKSPACE
@@ -3,7 +3,7 @@ load("//:bazlets.bzl", "load_bazlets") load_bazlets( - commit = "bec81c8319e560d2a92ba0fe35d40d021ffd7708", + commit = "1aa9482d30e8873e6d3e1e75dc307a43aae0482e", #local_path = "/home/<user>/projects/bazlets", )
diff --git a/external_plugin_deps.bzl b/external_plugin_deps.bzl index fca9fbb..3457c2f 100644 --- a/external_plugin_deps.bzl +++ b/external_plugin_deps.bzl
@@ -1,13 +1,13 @@ load("//tools/bzl:maven_jar.bzl", "GERRIT", "MAVEN_CENTRAL", "MAVEN_LOCAL", "maven_jar") -JGIT_VERSION = "4.7.9.201904161809-r" +JGIT_VERSION = "4.11.9.201909030838-r" REPO = MAVEN_CENTRAL def external_plugin_deps(): maven_jar( name = "jgit-http-apache", artifact = "org.eclipse.jgit:org.eclipse.jgit.http.apache:" + JGIT_VERSION, - sha1 = "d6f23663efeb2bfab032c75915765e086a26d494", + sha1 = "f28a659ca83e2aa644f4ba81d28312d291d385ad", repository = REPO, unsign = True, exclude = [ @@ -19,7 +19,7 @@ maven_jar( name = "jgit-lfs", artifact = "org.eclipse.jgit:org.eclipse.jgit.lfs:" + JGIT_VERSION, - sha1 = "6e8485a140b2f58195f3ed48ecb0dd7acf46410f", + sha1 = "88234aa639497cf725f2a32e47dbd7433975da67", repository = REPO, unsign = True, exclude = [ @@ -31,7 +31,7 @@ maven_jar( name = "jgit-lfs-server", artifact = "org.eclipse.jgit:org.eclipse.jgit.lfs.server:" + JGIT_VERSION, - sha1 = "8dc0cf32615b15d327c70574022964b34f101226", + sha1 = "a1cd4548172c62a24cec195399e2dba877f44d32", repository = REPO, unsign = True, exclude = [
diff --git a/src/main/java/com/googlesource/gerrit/plugins/lfs/GetLfsGlobalConfig.java b/src/main/java/com/googlesource/gerrit/plugins/lfs/GetLfsGlobalConfig.java index dcdcbac..40e00b0 100644 --- a/src/main/java/com/googlesource/gerrit/plugins/lfs/GetLfsGlobalConfig.java +++ b/src/main/java/com/googlesource/gerrit/plugins/lfs/GetLfsGlobalConfig.java
@@ -14,6 +14,8 @@ package com.googlesource.gerrit.plugins.lfs; +import static com.google.gerrit.server.permissions.GlobalPermission.ADMINISTRATE_SERVER; + import com.google.common.collect.Maps; import com.google.gerrit.extensions.restapi.ResourceNotFoundException; import com.google.gerrit.extensions.restapi.RestApiException; @@ -21,6 +23,7 @@ import com.google.gerrit.server.CurrentUser; import com.google.gerrit.server.IdentifiedUser; import com.google.gerrit.server.config.AllProjectsName; +import com.google.gerrit.server.permissions.PermissionBackend; import com.google.gerrit.server.project.ProjectResource; import com.google.inject.Inject; import com.google.inject.Provider; @@ -33,22 +36,25 @@ private final LfsConfigurationFactory lfsConfigFactory; private final AllProjectsName allProjectsName; private final Provider<CurrentUser> self; + private final PermissionBackend permissionBackend; @Inject GetLfsGlobalConfig( LfsConfigurationFactory lfsConfigFactory, AllProjectsName allProjectsName, - Provider<CurrentUser> self) { + Provider<CurrentUser> self, + PermissionBackend permissionBackend) { this.lfsConfigFactory = lfsConfigFactory; this.allProjectsName = allProjectsName; this.self = self; + this.permissionBackend = permissionBackend; } @Override public LfsGlobalConfigInfo apply(ProjectResource resource) throws RestApiException { IdentifiedUser user = self.get().asIdentifiedUser(); if (!(resource.getNameKey().equals(allProjectsName) - && user.getCapabilities().canAdministrateServer())) { + && permissionBackend.user(user).testOrFalse(ADMINISTRATE_SERVER))) { throw new ResourceNotFoundException(); }
diff --git a/src/main/java/com/googlesource/gerrit/plugins/lfs/LfsApiServlet.java b/src/main/java/com/googlesource/gerrit/plugins/lfs/LfsApiServlet.java index 3c9b4cc..d5eeddc 100644 --- a/src/main/java/com/googlesource/gerrit/plugins/lfs/LfsApiServlet.java +++ b/src/main/java/com/googlesource/gerrit/plugins/lfs/LfsApiServlet.java
@@ -18,12 +18,14 @@ import static com.google.gerrit.extensions.api.lfs.LfsDefinitions.LFS_URL_REGEX_TEMPLATE; import static com.google.gerrit.extensions.client.ProjectState.HIDDEN; import static com.google.gerrit.extensions.client.ProjectState.READ_ONLY; +import static com.google.gerrit.server.permissions.ProjectPermission.ACCESS; import com.google.common.base.Strings; import com.google.gerrit.common.ProjectUtil; import com.google.gerrit.common.data.Capable; import com.google.gerrit.reviewdb.client.Project; import com.google.gerrit.server.CurrentUser; +import com.google.gerrit.server.permissions.PermissionBackend; import com.google.gerrit.server.project.ProjectCache; import com.google.gerrit.server.project.ProjectControl; import com.google.gerrit.server.project.ProjectState; @@ -51,10 +53,9 @@ private static final Logger log = LoggerFactory.getLogger(LfsApiServlet.class); private static final long serialVersionUID = 1L; private static final Pattern URL_PATTERN = Pattern.compile(LFS_OBJECTS_REGEX_REST); - private static final String DOWNLOAD = "download"; - private static final String UPLOAD = "upload"; private final ProjectCache projectCache; + private final PermissionBackend permissionBackend; private final LfsConfigurationFactory lfsConfigFactory; private final LfsRepositoryResolver repoResolver; private final LfsAuthUserProvider userProvider; @@ -62,10 +63,12 @@ @Inject LfsApiServlet( ProjectCache projectCache, + PermissionBackend permissionBackend, LfsConfigurationFactory lfsConfigFactory, LfsRepositoryResolver repoResolver, LfsAuthUserProvider userProvider) { this.projectCache = projectCache; + this.permissionBackend = permissionBackend; this.lfsConfigFactory = lfsConfigFactory; this.repoResolver = repoResolver; this.userProvider = userProvider; @@ -85,12 +88,9 @@ if (state == null || state.getProject().getState() == HIDDEN) { throw new LfsRepositoryNotFound(project.get()); } - authorizeUser( - userProvider.getUser(auth, projName, request.getOperation()), - state, - request.getOperation()); + authorizeUser(userProvider.getUser(auth, projName, request.getOperation()), state, request); - if (request.getOperation().equals(UPLOAD) && state.getProject().getState() == READ_ONLY) { + if (request.isUpload() && state.getProject().getState() == READ_ONLY) { throw new LfsRepositoryReadOnly(project.get()); } @@ -99,7 +99,7 @@ // No config means we default to "not enabled". if (config != null && config.isEnabled()) { // For uploads, check object sizes against limit if configured - if (request.getOperation().equals(UPLOAD)) { + if (request.isUpload()) { if (config.isReadOnly()) { throw new LfsRepositoryReadOnly(project.get()); } @@ -123,12 +123,16 @@ throw new LfsUnavailable(project.get()); } - private void authorizeUser(CurrentUser user, ProjectState state, String operation) + private void authorizeUser(CurrentUser user, ProjectState state, LfsRequest request) throws LfsUnauthorized { ProjectControl control = state.controlFor(user); - if ((operation.equals(DOWNLOAD) && !control.isReadable()) - || (operation.equals(UPLOAD) && Capable.OK != control.canPushToAtLeastOneRef())) { - String op = operation.toLowerCase(); + if ((request.isDownload() + && !permissionBackend + .user(user) + .project(state.getProject().getNameKey()) + .testOrFalse(ACCESS)) + || (request.isUpload() && Capable.OK != control.canPushToAtLeastOneRef())) { + String op = request.getOperation().toLowerCase(); String project = state.getProject().getName(); String userName = Strings.isNullOrEmpty(user.getUserName()) ? "anonymous" : user.getUserName();
diff --git a/src/main/java/com/googlesource/gerrit/plugins/lfs/PutLfsGlobalConfig.java b/src/main/java/com/googlesource/gerrit/plugins/lfs/PutLfsGlobalConfig.java index 5e81e73..b747925 100644 --- a/src/main/java/com/googlesource/gerrit/plugins/lfs/PutLfsGlobalConfig.java +++ b/src/main/java/com/googlesource/gerrit/plugins/lfs/PutLfsGlobalConfig.java
@@ -14,6 +14,7 @@ package com.googlesource.gerrit.plugins.lfs; +import static com.google.gerrit.server.permissions.GlobalPermission.ADMINISTRATE_SERVER; import static com.googlesource.gerrit.plugins.lfs.LfsProjectConfigSection.KEY_BACKEND; import static com.googlesource.gerrit.plugins.lfs.LfsProjectConfigSection.KEY_ENABLED; import static com.googlesource.gerrit.plugins.lfs.LfsProjectConfigSection.KEY_MAX_OBJECT_SIZE; @@ -30,6 +31,7 @@ import com.google.gerrit.server.IdentifiedUser; import com.google.gerrit.server.config.AllProjectsName; import com.google.gerrit.server.git.MetaDataUpdate; +import com.google.gerrit.server.permissions.PermissionBackend; import com.google.gerrit.server.project.ProjectResource; import com.google.inject.Inject; import com.google.inject.Provider; @@ -47,6 +49,7 @@ private final String pluginName; private final AllProjectsName allProjectsName; + private final PermissionBackend permissionBackend; private final Provider<CurrentUser> self; private final Provider<MetaDataUpdate.User> metaDataUpdateFactory; private final LfsConfigurationFactory lfsConfigFactory; @@ -56,12 +59,14 @@ PutLfsGlobalConfig( @PluginName String pluginName, AllProjectsName allProjectsName, + PermissionBackend permissionBackend, Provider<CurrentUser> self, Provider<MetaDataUpdate.User> metaDataUpdateFactory, LfsConfigurationFactory lfsConfigFactory, GetLfsGlobalConfig get) { this.pluginName = pluginName; this.allProjectsName = allProjectsName; + this.permissionBackend = permissionBackend; this.self = self; this.metaDataUpdateFactory = metaDataUpdateFactory; this.lfsConfigFactory = lfsConfigFactory; @@ -74,7 +79,8 @@ IdentifiedUser user = self.get().asIdentifiedUser(); Project.NameKey projectName = resource.getNameKey(); - if (!(projectName.equals(allProjectsName) && user.getCapabilities().canAdministrateServer())) { + if (!(projectName.equals(allProjectsName) + && permissionBackend.user(user).testOrFalse(ADMINISTRATE_SERVER))) { throw new ResourceNotFoundException(); }
diff --git a/src/main/java/com/googlesource/gerrit/plugins/lfs/locks/LfsGetLocksAction.java b/src/main/java/com/googlesource/gerrit/plugins/lfs/locks/LfsGetLocksAction.java index e30703e..32616f6 100644 --- a/src/main/java/com/googlesource/gerrit/plugins/lfs/locks/LfsGetLocksAction.java +++ b/src/main/java/com/googlesource/gerrit/plugins/lfs/locks/LfsGetLocksAction.java
@@ -16,10 +16,14 @@ import static com.google.gerrit.extensions.api.lfs.LfsDefinitions.LFS_LOCKS_PATH_REGEX; import static com.google.gerrit.extensions.api.lfs.LfsDefinitions.LFS_URL_REGEX_TEMPLATE; +import static com.google.gerrit.server.permissions.ProjectPermission.ACCESS; import com.google.common.base.Strings; +import com.google.gerrit.extensions.restapi.AuthException; import com.google.gerrit.reviewdb.client.Project; import com.google.gerrit.server.CurrentUser; +import com.google.gerrit.server.permissions.PermissionBackend; +import com.google.gerrit.server.permissions.PermissionBackendException; import com.google.gerrit.server.project.ProjectCache; import com.google.gerrit.server.project.ProjectControl; import com.google.gerrit.server.project.ProjectState; @@ -38,13 +42,17 @@ static final Pattern LFS_LOCKS_URL_PATTERN = Pattern.compile(String.format(LFS_URL_REGEX_TEMPLATE, LFS_LOCKS_PATH_REGEX)); + private final PermissionBackend permissionBackend; + @Inject LfsGetLocksAction( + PermissionBackend permissionBackend, ProjectCache projectCache, LfsAuthUserProvider userProvider, LfsLocksHandler handler, @Assisted LfsLocksContext context) { super(projectCache, userProvider, handler, context); + this.permissionBackend = permissionBackend; } @Override @@ -59,7 +67,12 @@ @Override protected void authorizeUser(ProjectControl control) throws LfsUnauthorized { - if (!control.isReadable()) { + try { + permissionBackend + .user(control.getUser()) + .project(control.getProject().getNameKey()) + .check(ACCESS); + } catch (AuthException | PermissionBackendException e) { throwUnauthorizedOp("list locks", control); } }