Florian Zschocke [Mon, 10 Jun 2019 14:37:15 +0000 (16:37 +0200)]
Do not resolve symbolic links to repositories.
When symbolic links under the base repository folder point to repositories
outside the base repository folder, the forming of relative repository
names failed and resulted in NullPointerExceptions.
Create the relative path by not following symbolic links, i.e. the link
name is taken as is and not resolved to the external path.
This also changes the whole `exactPath` method to work on Paths, instead
of Files.
Zips of recreated hello-world.git and all external repositories for testing.
This hello-world.git repo is created using the native Git for Windows
software.
Various test classes in the GitBlitSuite test suite require the presence
of the hello-world.git repo in github.com/git/ which has been missing,
hence causing many test failures in the suite. This recreation of the
hello-world.git repo aims to conform to the many test cases'
requirements in the suite, and to be checked in as part of the gitblit
repo, thus eliminates the requirement of a remote hello-world.git repo
during the test run. The repo is now stored is a zip ball in the new
src/test/data folder.
The hello-world repo's various commit IDs were hard-coded in various
test classes. These commit IDs, which must now have new values in the
recreated repo, are now extracted out to the
src/test/data/hello-world.properties file. The gitblit's build.xml is
modified to generate the HelloworldKeys.java file containing the
hello-world.properties file's key strings, in similar fashion as the
existing generation of the com.gitblit.Keys.java file. And these key
strings in HelloworldKeys.java are now used in the various test classes,
thus eliminating the hard-coding of the hello-world repo's commit IDs in
the test code.
During the test run by GitBlitSuite test suite, some repos from GitHub
were cloned and became part of the test data. These repos are now zipped
to be part of gitblit repo itself, thus eliminating the network fetch at
the start of test run which can be slow, especially with the JGit repo
cloning which is huge and time consuming. The cloned JGit repo is now
zipped and checked in to gitblit, along with the other 4 repos
(hello-world, ambition, gitective and ticgit). They will be unzipped
during the test suite run and be available in the local file system,
thus avoiding the need for some network fetch.
Special note on the zipped JGit repo: this repo is big (and growing all
the time on GitHub), and takes up about 32MB of disk space after cloning
from GitHub. I've made it smaller by resetting HEAD back to a commit of
5 years ago (with git reset --hard <commitId> command), to put it back
to roughly where/when the tests were written for it (which is not quite,
because there are tons of commit history since which can't be removed.)
The local JGit repo is then garbage-collected (with git gc --prune
--aggressive) to reduce its size to about 19MB.
Zipped it is still 17MB. This is a lot of MBs for a few tests.
So the JGit repo is not included in this commit.
Most of failures were due to temporary test repos, users and/or teams
being left behind after the test run, and these left-over stuff in
$baseFolder/data/git caused assertion errors in many tests in subsequent
test runs. This fix tries to delete those left-over stuff at the end of
each test, mainly in their @Afterclass code blocks.
PushLogTest.java is deleted as it doesn't work, and has been superseded
with better tests in various protocol test suites (GitServletTest,
GitDaemonTest, SshDaemonTest, etc.)
Sebastiano Pilla [Wed, 31 May 2017 22:07:45 +0000 (00:07 +0200)]
Adds the
server.httpTimeout
setting to allow cloning big repositories over HTTP. This change fixes the java.util.concurrent.TimeoutException issue described in https://groups.google.com/d/topic/gitblit/UvDC48NpmF4/discussion .
Martin Spielmann [Sun, 21 May 2017 22:32:23 +0000 (00:32 +0200)]
Revert "Add feedback to SSH Key Form. #1226"
This reverts commit c3e317a28899915036517c3a05a2b883796f633d.
Was added by mistake here. Should go into own branch to be able to merge with upstream using separate PR
Florian Zschocke [Sat, 18 Mar 2017 12:37:25 +0000 (13:37 +0100)]
Merge pull request #1168 from lucamilanesio/bump-to-lucene-5.5.2
Bump to Lucene 5.5.2
The new code will create Lucene indices in a new directory named after codec and index version.
This provides for easy and safe up- and downgrades. But it also means that the old indices will
stick around on disk. What this version is missing is a kind of "garbage collection" deleting old, unused
indices when they are no longer needed. That task needs to be done manually currently. We should
at leas at some point provide a script for it.
Reindex tickets on server start if no index exists
Check if tickets need to be reindexed when the server starts. This is the
case if no ticket index exists. In that case the ticket index is built.
This is done during the start of the `ITicketService`.
For this the interface of `ITicketService` needed to change. The `start`
method was defined abstract and the specific ticket services had to
implement it. None does any real starting stuff in it.
The `start` method is now final. It calls a new abstract method `onStart`
which the specific ticket services need to implement. In the existing
implementations I just changed `start` to `onStart`.
Use versioned index directories for repository indices.
Change from the index version of a repository index being stored in a config
file to also using index directories with the version in the name. For that,
`LuceneRepoIndexStore` is added, which adds the fixed `lucene` part to the path.
It also gives out the location of the `lucene.conf` file, which is now stored in
the index directory. This way it is automatically deleted when the directory is
deleted.
I believe that it should also provide means to store branch aliases and tips,
i.e. hide the config file completely. But this isn't implemented with this
commit, the `LuceneService` is still aware that a config file is used.
In order to be able to update the index definition, the ticket index
is assigned a version number, 2. This way the definiton can be updated
and compatability with existing index files can be checked.
The actual index is stored in a directory of name `indexVersion_codecVersion`.
This wayit is veriy easy to check if an index of a certain version exists on the
filesystem. It allows to have multiple indexes of different versions present,
so that a downgrade of the software is possible without having to reindex
again. Of coure, this is only possible if no new tickets were created since these
would be missing in the old index.
A new class `LuceneIndexStore` is introduced, which abstracts away the versioned
index directory. The idea is, that this provides one place to keep the Lucene
codec version and to allow to code compatibility rules into this class, so that
older indices can still be used if they are compatible.
Florian Zschocke [Sun, 26 Feb 2017 17:44:02 +0000 (18:44 +0100)]
Add DocValues to support sorting of ticket index fields.
In order to support sorting, Lucene 5 needs DocValue fields in an index.
So in order to make the ticket index work, i.e. show any tickets on the
tickets page, the ticket index needs to be changed, adding a DocValues
field.
The DocValuesFields are implemented for the current index, which does not
use multiple values for a field. Should at any time in the future an
existing numeric field get multiple values stored in a document, then
the index needs to know that and use SortedNumeric DocValues and SortFields
instead.
Florian Zschocke [Sat, 21 Jan 2017 17:05:53 +0000 (18:05 +0100)]
Update link target to Lucene 5.5 query syntax, moving the link to the page.
Update the link target to the query parser syntax page of the 5.5 version.
Refactor the `LuceneSearchPage` to use an `ExternalLink` for the link
to the lucene page, so that the link target is kept and updated in the
Java code. Move the link out of the language files. This was way too
cumbersome to update the link target (which is probably why no one ever
did).
The query help text is changed to contain a variable:
`gb.queryHelp = here be some ${querySyntax} help`, which is replaced by
Wicket with a link.
The link text is a new lange file property: `gb.querySyntax`.
Add library `lucene-backward-codecs` to migrate indices.
To be able to read and migrate Lucene indices from old (4.x)
formats to new (5.x) ones, add the `lucene-backward-codecs`
library to the project.
It is added to the `ext` directory and therefore to the classpath.
According to the Lucene documentation, having it in the classpath
can affect performance. But right now the `ext` directory is the
only one available and even for a separate tool for offline
migration the library would be needed.
Exclude Lucene dependencies `lucene-spatial` and `lucene-join`.
They were added during the update but are not needed. This patch
excludes them explicitly so that they do not show up in the
generated IDE files and `ext` directory.
Jan Breuer [Mon, 20 Feb 2017 16:35:49 +0000 (17:35 +0100)]
Prevent last column on Tree page from wraping
With localizations, there can be longer text then 13em so there is a line break.
This fix prevent this line breaking and thus every line has normal height again.
Florian Zschocke [Thu, 15 Dec 2016 21:10:37 +0000 (22:10 +0100)]
Add build definition file for Circle CI
Configure the build for Circle CI in the new file circle.yml.
Specify a compile step to have the build fail on compilation error.
The test step is then configured as `ant test`, which will compile
again due to the limits of Ant/Moxie.
Contrary to the documentation, the default Java version on Circle CI
is Java 8.
The project is set as a Java 7 project. We define to use OpenJDK 7,
because the Gitblit build has some trouble with Java 8, I consider
Java 7 the default, and Circle CI does not provide an Oracle JDK 7
installation to use. I could only get it to work with OpenJDK 7.
The Java version is reported in the Circle CI build script to ease
analysis.
Test and coverage reports get stored as artifacts for a build, which
allows to browse them in the Circle CI web interface.
Florian Zschocke [Mon, 12 Dec 2016 12:34:17 +0000 (13:34 +0100)]
Add definition file for Travis CI
Add the most basic build definition file for Travis CI. It only
defines the project language as Java. For the rest the defaults
are kept as Travis seems to work fine with them.
We add `.travis.yml` as a dotfile in order not to clutter the
top directory with too much non-project files.
Florian Zschocke [Wed, 21 Dec 2016 21:02:46 +0000 (22:02 +0100)]
Update to explicit versions of JUnit 4.12 and JaCoCo 0.7.8
Use explicit coordinates, and therefor version numbers fro JUnit
in the build.moxie file. It should not be some version that just
happens to be used.
Update JUnit to latest 4.12.
Update JaCoCo to lates 0.7.8, which makes it work under Java 8.
The last used version would fail when tests are run under Java 8.
Florian Zschocke [Sat, 10 Dec 2016 00:00:27 +0000 (01:00 +0100)]
Introduce SecureRandom wrapper for properly seeded static instances
Introduce our own wrapper `SecureRandom` around `java.security.SecureRandom`.
This a) makes sure that the PRNG is seeded on creation and not when
random bytes are retrieved, and
b) uses a static instance in the `UserModel` so that lags do not occur
during operation due to potentially seeding getting blocked on Unix
when reading from the system's entropy pool. To keep the random data
still secure, the static instance will reseed all 24 hours, also a
functionality of the wrapper class.
Florian Zschocke [Sat, 10 Dec 2016 15:02:21 +0000 (16:02 +0100)]
Fix user mention regular expression and group replacement.
The regular expression used for user mentions used to work
only inside sentences. Also, since it tested for whitespace, the
whitespace would get replaced, too, which would join lines together.
Instead the new regex uses boundary matchers to match against
word boundaires. As these are not capturing only the actual user
mention can be captured and is then replaced. Also, this way the
regex can ignore punctuation like in "@jim, look at this."
Since Gibtlit now requires Java 7 we can use named capture groups.
This makes the use of a centrally defined regular expression much
safer. The (admittedly only) group to capture the user name is named
"user" and can be referenced by this name. By using the name instead
of a group number, the regex could be changed without the code using
it breaking because the group number changed.
A simple test is added for user mentions, which unfortunately
has to deal with the full markdown replacement, too.
Florian Zschocke [Sat, 10 Dec 2016 10:30:28 +0000 (11:30 +0100)]
Set secure session cookies when redirecting from HTTP to HTTPS.
So far for session cookies the secure property was only set when no
HTTP port was opened. This changes to also set it when HTTP is redirected
to the HTTPS port.
Florian Zschocke [Tue, 29 Nov 2016 21:08:50 +0000 (22:08 +0100)]
The public key manager can disable writing keys, which hides commands
Some public key mangers may be read-only, i.e. not allow to add or
delete keys, or to change the key comment or assigned permissions.
In such a case the respective commands should not be available on the
SSH shell and the SSH Keys panel should also not offer the possibility.
The `IPublicKeyManager` gets three new methods, modelled after the
`AuthenticationManager`:
`supportsWritingKeys`, `supportsCommentChanges` and
`supportsPermissionChanges`. They return true if a key manager allows for
keys to be written or updated.
For example the existing `FileKeyManager` will return true for all three
since it allows to store and update keys in a file.
The new `LdapKeyManager` returns false since it only accesses LDAP and
can not add or update any keys in the directory.
A future key manager might get keys from an LDAP directory but still
keep comments and permissions for it in a local copy.
If writing of keys is not supported:
* the welcome shell does not suggest adding a key,
* the `SshKeysDispatcher` does not offer the "add", "remove", "comment" and
"permission" commands, and
* the SSH keys panel hides the "delete" button in the key list, and the
"Add Key" form.
The hiding of the "Add key" form is not perfect since the surrounding
div is still shown, but I don't know how to hide it and it didn't look
too bad, either.
Florian Zschocke [Tue, 29 Nov 2016 20:46:54 +0000 (21:46 +0100)]
Fix SshKeysDispatcher test failing on Windows
The `SshKeysDispatcher` tests that use the keys list command are failing
on Windows because they assume a Unix line ending after each key. But
the command will use a system line ending. So this fix uses system line
endings in the reference string for the assert, too.
In addition, two `assertTrue(false)´ are replaced with a proper `fail`.
Florian Zschocke [Sat, 26 Nov 2016 16:35:21 +0000 (17:35 +0100)]
Use dynamic port selection for LDAP listeners in LDAP tests.
Instead of using fixed ports for the listeners of the in-memory
LDAP server, let the listeners select ports and then save them in
the authentication mode instance. This way we prevent port collisions,
which especially showed up under Windows.
Make the SSH authentication methods used by the server configurable,
so that for example password authentication can be turned off.
For this, a `git.sshAuthenticationMethods` setting is added which is a space
separated list of authentication method names. Only the methods listed will
be enabled in the server.
This is modeled after the option of the same name from sshd_config, but it
does not offer listing multiple required methods. It leaves the door open,
though, for a later extension to support such a multi-factor authentication.
Since this also includes Kerberos authentication with GSS API, this obsoletes
the `git.sshWithKrb5` property. The latter is removed. Instead, to enable
Kerberos5 authentication, add the method name `gssapi-with-mic` to the
authentication methods list.
Florian Zschocke [Fri, 25 Nov 2016 17:21:27 +0000 (18:21 +0100)]
Retrieve public SSH keys from LDAP.
Add new class `LdapPublicKeyManager` which retrieves public SSH keys
from LDAP.
The attribute can be configured with the new configuration option
`realm.ldap.sshPublicKey`. The setting can be a simple attribute name,
like `sshPublicKey`, or an attribute name and a prefix for the value,
like `altSecurityIdentities:SshKey`, in which case attributes are selected
that have the name `altSecurityIdentities` and whose values start with
`SshKey:`.
Florian Zschocke [Wed, 23 Nov 2016 01:59:39 +0000 (02:59 +0100)]
Extract LdapConnection into new class from LdapAuthProvider
Extract the inner class `LdapConnection` from the `LdapAuthProvider`
into a separate class, so that it can be used from multiple classes
that have to connect to an LDAP directory.
The new class is placed into the new package `com.gitblit.ldap`, since
it isn't specific to authentication.
Florian Zschocke [Wed, 23 Nov 2016 01:48:38 +0000 (02:48 +0100)]
Create base unit test class for LDAP tests.
Extract the creation of the in-memory servers and the interceptor
code to a base class that LDAP related unit tests can extend to
have the servers available.
Florian Zschocke [Fri, 18 Nov 2016 19:26:06 +0000 (20:26 +0100)]
Set "can admin" permission on LDAP users and teams correctly
The canAdmin permission is set on a LDAP user, when the user is listed
in `realm.ldap.admins` or is a member of a team listed in `realm.ldap.admins`.
This leads to inconsistent and surprising behaviour on the EditUser page
when clicking the "can admin" checkbox. Also, the "can admin" checkbox
is disabled, but not checked, for teams that are listed as admin teams.
The new behaviour implemented in this patch makes users and teams from
LDAP match local ones. That means:
* LDAP teams that are listed in `realm.ldap.admins` get the canAdmin
property set if teams are maintained in LDAP.
* LDAP users that are listed in `realm.ldap.admins` get the canAdmin
property set if teams are maintained in LDAP.
* LDAP users do not get the canAdmin property set, if they are only a
member of a team listed in `realm.ldap.admins`.
* The `supportsRoleChanges` method for users and teams of the
`LdapAuthProvider` unconditially returns false if teams are
maintained in LDAP, not only for users and teams listed in
`realm.ldap.admins`.
* Therefore, for all LDAP users and teams the "can admin" checkbox
is always disabled if teams are maintained in LDAP.
Florian Zschocke [Fri, 11 Nov 2016 18:22:17 +0000 (19:22 +0100)]
Clean up `LdapAuthProvider` to properly cover different LDAP search scenarios.
Gitblit allows in its configuration to set a "manager" user (and password) which can be used
to search for the entry of a user wanting to log in. If they are both not set, an anonymous search
is attempted. In the description below, when I say "...as manager", it is either as manager or
anonymous.
So far the behaviour of Gitblit, with respect to binding to and searching in LDAP,
has been the following when a user logs in:
**bind as manager**
**search for the user**
_bind as the user_
_search for the teams_
I'll call this code flow A.
Later an additional configuration option had been added: `realm.ldap.bindpattern`.
(PR gitblit/gitblit#162) It was meant to allow for not using a manager nor anonymous binds,
by searching the directory as the user logging in.
This is done in code flow B:
**bind as manager**
_bind as user_
_search for user_
_search for teams_
Both A and B are flawed, I think. In A, it looks like a mistake to me that the binding stays with the
user after authentication. The problem that this causes is, that in LDAP server configurations
where normal users are not allowed to read groups, the team information cannot be retrieved.
I tried but failed to understand how B is supposed to work. There will always be a bind request
as either anonymous or the manager DN when the LDAP connection is created. If neither is
possible, the authentication process will fail and the user cannot log in.
When synchronizing users and teams from LDAP, the following code flow is exercised:
F:
**bind as manager**
**search for users**
**search for teams**
This patch fixes both code flows by introducing a new flow.
C:
**bind as manager**
**search for user**
_bind as user to authenticate_
**bind as manager**
**search for teams**
And it changes code flow B to the following code flow D:
_bind as user_
_search for user_
_search for teams_
With code flows A, C, D and F the following usage (and authentication) scenarios are covered.
They are described from the view of a Gitblit administrator's intent and his LDAP setup.
* Users and team should be snychronized with LDAP
This means anonymous or a fixed account must be able to read users and groups.
=> covered by C and F
As the above allows for authentication and is required for synchronisation, all the others below
do not cover synchronization.
* No anonymous binding allowed and no special manager binding required
This means that users must be able to read user an group entries.
=> covered by D
* The user DN needs to be searched, e.g. because they are not all under the same parent DN.
This means that anonymous or a fixed account must be able to read users.
-- anonymous or the "manager" account can also read groups
=> covered by C
-- anonymous or the "manager" account cannot read groups but a user can
=> covered by A
I therefore believe that the new code will cover all common use cases. The implementation
either directly binds as the user, when `bindpattern` is not empty, or it binds anonymous or
against the manger DN to search for the user DN entry.
If it directly bound against the user DN, the user is already authenticated. It will then only check
that the user DN it found in the search is identical to the one it is currently bound against. If it
was bound against a manager DN (or anonymously) it will bind against the found user DN to
authenticate the user logging in, and will then rebind against the manager DN.
When searching for groups in LDAP, if the search fails with a result code other than SUCCESS,
the implementation will bind against the user DN, if it isn't already bound against it. It will then
repeat the search for groups under the user authorization. This is to keep backwards
compatible with the original behaviour A, in order to not break cases where the LDAP setup
would deny a manager account to search for groups but allow it for normal users.
To achieve this the implementation introduces an internal `LdapConnection` class that wraps
the connection and keeps bind state, so that a rebind as a user is possible.
This also fixes a resource leak where the connection was not closed in case that the initial bind
as the manager account did not succeed.
Extend LDAP tests to use LDAP servers with access restrictions.
Add access restrictions to the LDAP test server instances.
New modes used a test parameters are ANONYMOUS, DS_MANAGER and USR_MANAGER.
ANONYMOUS can bind anonymously and access users and groups.
In DS_MANAGER the server requires authentication and will only allow
the DIRECTORY_MANAGER user to search for users and groups.
In USR_MANAGER only the user can search groups, the USER_MANAGER, which
is used to bind in this mode, can not.
A third server instance is created because I did fear side effects should
the tests be run in parallel, had I tried to configure the access
restriction in Before.
Extend LDAP authentication tests to use different modes.
Instantiate two LDAP servers, one that allows anonymous access, and
one that requires authentication for all operations.
The JUnit test is parameterized to run all tests with both instances.
It uses different settings for each mode.
Tom [Mon, 31 Oct 2016 06:50:26 +0000 (07:50 +0100)]
Fix disabled links in PagerPanel
Disabled links in the PagerPanel (used on the LuceneSearchPage to page
through search results) were only rendered as "disabled". The links
themselves remained active, which gives strange effects when clicked.
For instance it was possible to move to result pages -1, -2, and so on.
Really disable the links. Add missing CSS rules to have correct styling
as Wicket renders disabled links as spans, not anchors. Include the new
CSS file in BasePage.html. And add the left/right arrows only if not on
the first/last page.
Florian Zschocke [Sat, 21 Jun 2014 00:53:21 +0000 (02:53 +0200)]
Add integration strategy to merge tickes fast-forward or with commit.
Add the option to merge a ticket branch to the integration branch
only when it can be fast-forwarded, or
always with a merge commit, or
by fast-foward if possible, otherwise with a merge commit.
Adds a new property ticket.mergeType with the valid values
FAST_FOWARD_ONLY, MERGE_ALWAYS and MERGE_IF_NECESSARY.
Merging and canMerge were refactored to make use of a new
IntegrationStrategy class for each type of strategy.