aboutsummaryrefslogtreecommitdiffstats
path: root/org.eclipse.jgit/src
Commit message (Collapse)AuthorAgeFilesLines
* Store push certificates in refs/meta/push-certsDave Borowitz2015-07-102-0/+446
| | | | | | | | | | | | | | | | | | | | | | | | | Inspired by a proposal from gitolite[1], where we store a file in a tree for each ref name, and the contents of the file is the latest push cert to affect that ref. The main modification from that proposal (other than lacking the out-of-git batching) is to append "@{cert}" to filenames, which allows storing certificates for both refs/foo and refs/foo/bar. Those refnames cannot coexist at the same time in a repository, but we do not want to discard the push certificate responsible for deleting the ref, which we would have to do if refs/foo in the push cert tree changed from a tree to a blob. The "@{cert}" syntax is at least somewhat consistent with gitrevisions(7) wherein @{...} describe operators on ref names. As we cannot (currently) atomically update the push cert ref with the refs that were updated, this operation is inherently racy. Kick the can down the road by pushing this burden on callers. [1] https://github.com/sitaramc/gitolite/blob/cf062b8bb6b21a52f7c5002d33fbc950762c1aa7/contrib/hooks/repo-specific/save-push-signatures Change-Id: Id3eb32416f969fba4b5e4d9c4b47053c564b0ccd
* Add setTargetBranch in RepoCommand.Yuxuan 'fishy' Wang2015-07-101-14/+35
| | | | | | | | This will allow us to write the super project in a branch other than master. Change-Id: I578ed9ecbc6423416239e31ad644531dae9fb5c3 Signed-off-by: Yuxuan 'fishy' Wang <fishywang@google.com>
* PushCertificateParser: Move reader parsing to instance methodDave Borowitz2015-07-091-17/+35
| | | | Change-Id: I8ab5fb97303e25b28187375b6f9ff28f918bdd43
* PushCertificateParser: Make constructor publicDave Borowitz2015-07-091-1/+7
| | | | | | | | Primarily to aid in writing end-to-end tests, which must be written outside this package as we don't currently have a Bouncy Castle dependency. Change-Id: Ia24179773140d9ecc616b3a6b2e630c85d800157
* Report PackProtocolExceptions to client during receive-packDave Borowitz2015-07-092-47/+52
| | | | | | | We have done this since forever with the "wanted old new ref" error, so let's do it for other such errors thrown in the same block as well. Change-Id: Ib3b1c7f05e31a5b3e40e85eb07b16736920a033b
* PushCertificate: implement hashCode/equals/toStringDave Borowitz2015-07-091-0/+42
| | | | Change-Id: Ib588a3f47492cee5e5e6274a3b088678919a0fa0
* PushCertificateParser: Make pushee optionalDave Borowitz2015-07-092-7/+12
| | | | | | | | When pushing to an HTTP server using the C git client, I observed a certificate lacking a pushee field. Handle this gracefully in the parser. Change-Id: I7f3c5fa78f2e35172a93180036e679687415cac4
* PushCertificateParser: Change error string for invalid fieldDave Borowitz2015-07-091-1/+1
| | | | | | | The old one didn't take an argument; the new one includes the field name. Change-Id: I175dc75dcdd05ba6fdec315c04c79550cfdc2342
* PushCertificateParser: Add method for parsing from a streamDave Borowitz2015-07-091-23/+140
| | | | | | | | | We intend to store received push certificates somewhere, like a particular ref in the repository in question. For reading data back out, it will be useful to read push certificates (without pkt-line framing) in a streaming fashion. Change-Id: I70de313b1ae463407b69505caee63e8f4e057ed4
* IO: Add a method for reading linesDave Borowitz2015-07-081-0/+69
| | | | Change-Id: Ib7be76aa7ac889354ad4782e2b64d4221a0e25b9
* BaseReceivePack: Treat all LFs as optionalDave Borowitz2015-07-073-53/+34
| | | | | | | | | | | | | | | | Discussion on the git mailing list has concluded[1] that the intended behavior for all (non-sideband) portions of the receive-pack protocol is for trailing LFs in pkt-lines to be optional. Go back to using PacketLineIn#readString() everywhere. For push certificates specifically, we agreed that the payload signed by the client is always concatenated with LFs even though the client MAY omit LFs when framing the certificate for the wire. This is still reflected in the implementation of PushCertificate#toText(). [1] http://thread.gmane.org/gmane.comp.version-control.git/273175/focus=273412 Change-Id: I817231c4d4defececb8722142fea18ff42e06e44
* BaseReceivePack: More validation during parseCommandDave Borowitz2015-07-072-10/+28
| | | | Change-Id: I25f3a5582a45dd0ec8f78f5daf74c2203797a184
* Throw InvalidObjectIdException from ObjectId.fromString("tooshort")Jonathan Nieder2015-07-062-5/+12
| | | | | | | | | | | ObjectId.fromString already throws InvalidObjectIdException for most malformed object ids, but for this kind it previously threw IllegalArgumentException. Since InvalidObjectIdException is a child of IllegalArgumentException, callers that catch IllegalArgumentException will continue to work. Change-Id: I24e1422d51607c86a1cb816a495703279e461f01 Signed-off-by: Jonathan Nieder <jrn@google.com>
* Avoid double-colon in InvalidObjectIdException descriptionJonathan Nieder2015-07-062-8/+10
| | | | | | | | | | | | | | | The invalidId message in JGitText and the asAscii bad id both contain a colon, so the resulting message would say Invalid id: : a78987c98798ufa Fix it by keeping the colon in the translated message and not adding another colon programmatically. Noticed by code inspection. Change-Id: I13972eebde27a4128828e6c64517666f0ba6288b Signed-off-by: Jonathan Nieder <jrn@google.com>
* Merge branch 'stable-4.0'Matthias Sohn2015-06-241-20/+37
|\ | | | | | | Change-Id: I5c965206ad10bababe366a51ab7c33a8836a7868 Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
| * Add a grace period for packfiles during GCChristian Halstrick2015-06-221-20/+37
| | | | | | | | | | | | | | | | | | For loose objects an expiration date can be set which will save too young objects from being deleted. Add the same for packfiles. Packfiles which are too young are not deleted. Bug: 468024 Change-Id: I3956411d19b47aaadc215dab360d57fa6c24635e Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
* | API to remove repositories from RepositoryCacheTobias Oberlies2015-06-231-0/+28
| | | | | | | | | | | | | | | | | | Add methods that allow to unregister repositories from the RepositoryCache individually. Bug: 470234 Change-Id: Ib918a634d829c9898072ae7bdeb22b099a32b1c9 Signed-off-by: Tobias Oberlies <tobias.oberlies@sap.com> Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
* | SignedPushConfig: Allow setting a custom nonce generator implDave Borowitz2015-06-182-8/+44
| | | | | | | | Change-Id: Ic0156a7d65d99881ef27801fcce7754594c436f0
* | PackCertificateParser: return null if nothing was receivedDave Borowitz2015-06-182-2/+6
| | | | | | | | | | | | Add test for this case in both the enabled and disabled cases. Change-Id: If9d12192a2dc9f9dd1eac9844b5a7b0edadc0b34
* | Include push certificates in RefUpdateDave Borowitz2015-06-183-0/+62
| | | | | | | | | | | | | | This may be used by e.g. a custom reflog implementation to record this information along with the ref update. Change-Id: I44adbfad704b76f9c1beced6e1ce82eaf71410d2
* | Remove redundant @since tags in new signed push classesDave Borowitz2015-06-182-34/+6
| | | | | | | | Change-Id: I9f57318a59f668906b80f67230d36ba6439fc7b4
* | Add a separate type for the identity in a push certificateDave Borowitz2015-06-185-47/+374
| | | | | | | | | | | | | | | | | | | | | | | | | | | | These differ subtly from a PersonIdent, because they can contain anything that is a valid User ID passed to gpg --local-user. Upstream git push --signed will just take the configuration value from user.signingkey and pass that verbatim in both --local-user and the pusher field of the certificate. This does not necessarily contain an email address, which means the parsing implementation ends up being substantially different from RawParseUtils.parsePersonIdent. Nonetheless, we try hard to match PersonIdent behavior in questionable cases. Change-Id: I37714ce7372ccf554b24ddbff56aa61f0b19cbae
* | PushCertificateParser: include begin/end lines in signatureDave Borowitz2015-06-182-3/+8
| | | | | | | | | | | | | | | | The signature is intended to be passed to a verification library such as Bouncy Castle, which expects these lines to be present in order to parse the signature. Change-Id: I22097bead2746da5fc53419f79761cafd5c31c3b
* | PushCertificateParser: throw PackProtocolException in more casesDave Borowitz2015-06-181-7/+9
| | | | | | | | | | | | | | | | | | This is the subclass of IOException already thrown by BaseReceivePack#recvCommands when encountering an invalid value on the wire. That's what PushCertificateParser is doing too, so use the same subclass. Change-Id: I1d323909ffe70757ea56e511556080695b1a0c11
* | Extract a class for signed push configurationDave Borowitz2015-06-183-18/+165
| | | | | | | | | | | | | | | | | | The default behavior is to read a repository's signed push configuration from that repo's config file, but this is not very flexible when it comes to managing groups of repositories (e.g. with Gerrit). Allow callers to override the configuration using a POJO. Change-Id: Ib8f33e75daa0b2fbd000a2c4558c01c014ab1ce5
* | BaseReceivePack: fix reading cert lines in command loopDave Borowitz2015-06-181-4/+8
| | | | | | | | | | | | | | | | | | | | | | Add a missing continues to prevent falling through to the command parsing section. The first continue happens when the command list is empty, so change the condition to see whether we have read the first line, rather than any commands. Fix comparison to BEGIN_SIGNATURE to use raw line with newline. Change-Id: If3d92f5ceade8ba7605847a4b2bc55ff17d119ac
* | Silence API warnings introduced by a85e817dMatthias Sohn2015-06-171-2/+5
| | | | | | | | | | | | | | | | | | | | | | a85e817d is a slightly breaking API change to classes that were technically public and technically released in 4.0. However, it is highly unlikely that people were actually depending on public behavior, since there were no public methods to create PushCertificates with anything other than null field values, or a PushCertificateParser that did anything other than infinite loop or throw exceptions when reading. Change-Id: I1d0ba9ea0a347e8ff5a0f4af169d9bb18c5838d2 Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
* | Update comments about PackStatisticsTerry Parker2015-06-162-4/+14
| | | | | | | | | | Change-Id: I4862932dc38b58cc98400ed584cc506013846065 Signed-off-by: Terry Parker <tparker@google.com>
* | Add the set of shallow commits to PackStatisticsTerry Parker2015-06-153-0/+24
| | | | | | | | | | Change-Id: I976102e054369b045340d4b9209984b5243e3750 Signed-off-by: Terry Parker <tparker@google.com>
* | Add tests for HMACSHA1NonceGeneratorDave Borowitz2015-06-152-11/+20
| | | | | | | | | | | | | | Correct documentation of NonceStatus.OK/SLOP to match the implemented behavior. Change-Id: Id5ec1945eab76db6d2e4b592cb25907ea3d835cd
* | Merge "Introduce PostUploadHook to replace UploadPackLogger"Shawn Pearce2015-06-1210-114/+766
|\ \
| * | Introduce PostUploadHook to replace UploadPackLoggerTerry Parker2015-06-1210-114/+766
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | UploadPackLogger is incorrectly named--it can be used to trigger any post upload action, such as GC/compaction. This change introduces PostUploadHook/PostUploadHookChain to replace UploadPackLogger/UploadPackLoggerChain and deprecates the latter. It also introduces PackStatistics as a replacement for PackWriter.Statistics, since the latter is not public API. It changes PackWriter to use PackStatistics and reimplements PackWriter.Statistics to delegate to PackStatistics. Change-Id: Ic51df1613e471f568ffee25ae67e118425b38986 Signed-off-by: Terry Parker <tparker@google.com>
* | | Treat CloneCommand.setBranch(null) as setBranch("HEAD")Jonathan Nieder2015-06-111-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This method is documented to take a branch name (not a possibly null string). The only way a caller could have set null without either re-setting to a sane value afterward or producing NullPointerException was to also call setNoCheckout(true), in which case there would have been no reason to set the branch in the first place. Make setBranch(null) request the default behavior (remote's default branch) instead, imitating C git's clone --no-branch. Change-Id: I960e7046b8d5b5bc75c7f3688f3a075d3a951b00 Signed-off-by: Jonathan Nieder <jrn@google.com>
* | | Treat CloneCommand.setRemote(null) as setRemote("origin")Jonathan Nieder2015-06-111-1/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A non-bare clone command with null remote produces a NullPointerException when trying to produce a refspec to fetch against. In a bare repository, a null remote name is accepted by mistake, producing a configuration with items like 'remote.url' instead of 'remote.<remote>.url'. This was never meant to work. Instead, let's make setRemote(null) undo any previous setRemote calls and re-set the remote name to DEFAULT_REMOTE, imitating C git clone's --no-origin option. While we're here, add some tests for setRemote working normally. Change-Id: I76f502da5e677df501d3ef387e7f61f42a7ca238 Signed-off-by: Jonathan Nieder <jrn@google.com>
* | | Document CloneCommand.setURI(null)Jonathan Nieder2015-06-111-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | call() throws InvalidRemoteException if uri == null, so there should never be reason to leave the URI set to null. Document this. Change-Id: I7f2cdbe8042d99cf8a3c1a8c4c2dcb58c5b8c305 Signed-off-by: Jonathan Nieder <jrn@google.com>
* | | Handle null in ProgressMonitor settersJonathan Nieder2015-06-116-1/+19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | These commands' monitor fields can never be null unless someone passes null to setProgressMonitor. Anyone passing null probably meant to disable the ProgressMonitor, so do that (by falling back to NullProgressMonitor.INSTANCE) instead of saving a null and eventually producing NullPointerException. Change-Id: I63ad93ea8ad669fd333a5fd40880e7583ba24827 Signed-off-by: Jonathan Nieder <jrn@google.com>
* | | Document CloneCommand.setDirectory(null) and setGitDir(null) more clearlyJonathan Nieder2015-06-111-2/+4
| | | | | | | | | | | | | | | Change-Id: I74757ca68eaa941833846a7c8d983b4e996fa207 Signed-off-by: Jonathan Nieder <jrn@google.com>
* | | Require all projects to have a nameJonathan Nieder2015-06-112-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A project's name attribute is required according to repo's doc/manifest-format.txt: <!ELEMENT project (annotation*, project*)> <!ATTLIST project name CDATA #REQUIRED> Enforcing this in code makes reading easier (in particular making it clearer that getName() and getPath() can never return null). Change-Id: I8c7014dd6042183d7fecb2202af5acdc384aa8e4 Signed-off-by: Jonathan Nieder <jrn@google.com>
* | | Merge topic 'push-cert-2'Dave Borowitz2015-06-114-101/+321
|\ \ \ | |/ / |/| | | | | | | | | | | * changes: Rewrite push certificate parsing Allow trailing newlines in receive-pack
| * | Rewrite push certificate parsingDave Borowitz2015-06-114-95/+298
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - Consistently return structured data, such as actual ReceiveCommands, which is more useful for callers that are doing things other than verifying the signature, e.g. recording the set of commands. - Store the certificate version field, as this is required to be part of the signed payload. - Add a toText() method to recreate the actual payload for signature verification. This requires keeping track of the un-chomped command strings from the original protocol stream. - Separate the parser from the certificate itself, so the actual PushCertificate object can be immutable. Make a fair attempt at deep immutability, but this is not possible with the current mutable ReceiveCommand structure. - Use more detailed error messages that don't involve NON-NLS strings. - Document null return values more thoroughly. Instead of having the undocumented behavior of throwing NPE from certain methods if they are not first guarded by enabled(), eliminate enabled() and return null from those methods. - Add tests for parsing a push cert from a section of pkt-line stream using a real live stream captured with Wireshark (which, it should be noted, uncovered several simply incorrect statements in C git's Documentation/technical/pack-protocol.txt). This is a slightly breaking API change to classes that were technically public and technically released in 4.0. However, it is highly unlikely that people were actually depending on public behavior, since there were no public methods to create PushCertificates with anything other than null field values, or a PushCertificateParser that did anything other than infinite loop or throw exceptions when reading. Change-Id: I5382193347a8eb1811032d9b32af9651871372d0
| * | Allow trailing newlines in receive-packDave Borowitz2015-06-101-10/+27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | C git's receive-pack.c strips trailing newlines in command lists when present[1], although send-pack.c does not send them, at least in the case of command lists[2]. Change JGit to match this behavior. Add tests. This also fixes parsing of commands in the push cert, which, unlike commands sent in the non-push case, always have trailing newlines. [1] https://github.com/git/git/blob/7974889a053574e449b55ca543a486e38e74864f/builtin/receive-pack.c#L1380 where packet_read_line chomps newlines: https://github.com/git/git/blob/7974889a053574e449b55ca543a486e38e74864f/pkt-line.c#L202 [2] https://github.com/git/git/blob/7974889a053574e449b55ca543a486e38e74864f/send-pack.c#L470 Change-Id: I4bca6342a7482a53c9a5815a94b3c181a479d04b
* | | Merge "Add new submodule layout to SubmoduleAddCommand"Christian Halstrick2015-06-111-0/+2
|\ \ \
| * | | Add new submodule layout to SubmoduleAddCommandChristian Halstrick2015-06-111-0/+2
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | The new submodule layout where GITDIR of a submodule is located at <parent-repo-GITDIR>/modules/<submodule-path> was only used during clone. Teach SubmoduleAddCommand to use the new layout. Bug: 469666 Change-Id: Ie97dc0607b71499560444616f362bccee9cce515 Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
* / / Tweak exception Javadoc to be eclipse-cleanJonathan Nieder2015-06-102-1/+3
|/ / | | | | | | | | | | Bug: 469887 Change-Id: Ic189efc50d9c1f573dda0c79e5b0dad0813a5577 Signed-off-by: Jonathan Nieder <jrn@google.com>
* | Merge changes I38e1798e,Id1fe1c20,I945ba188,I2c6be9cbJonathan Nieder2015-06-108-4/+105
|\ \ | | | | | | | | | | | | | | | | | | | | | * changes: Allow setting detail message and cause when constructing most exceptions Use message from ServiceNotAuthorizedException, ServiceNotEnabledException dumb HTTP: Clarify AsIsFilter by introducing req and res locals Clarify description of ServiceNotAuthorizedException
| * | Allow setting detail message and cause when constructing most exceptionsJonathan Nieder2015-06-027-0/+96
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In particular, this means a RepositoryResolver, UploadPackFactory, or ReceivePackFactory can set a detail message for ServiceNotAuthorizedException or ServiceNotEnabledException with information for the client about why access is not allowed. Change-Id: I38e1798e1e9d09b5e75cefacd9d85f25729235a9 Signed-off-by: Jonathan Nieder <jrn@google.com>
| * | Clarify description of ServiceNotAuthorizedExceptionJonathan Nieder2015-06-022-4/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This exception's detail message states Service not permitted and according to the Javadoc it indicates that the current user does not have access to the service. In practice, though, callers handle this exception by presenting a '401 Unauthorized' response to the client, meaning that the user is unauthenticated and should authenticate. Clarify the documentation and detail message to match the practice. The exception message is not used anywhere except logs. No client-visible effect intended. Change-Id: I2c6be9cb74af932f0dcb121a381a64f2ad876766 Signed-off-by: Jonathan Nieder <jrn@google.com>
* | | Merge "UploadPack: Use reachable-sha1-in-want configuration"Shawn Pearce2015-06-094-2/+38
|\ \ \
| * | | UploadPack: Use reachable-sha1-in-want configurationFredrik Medley2015-06-094-2/+38
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | C git 2.5 supports setting the equivalent of RequestPolicy.REACHABLE_COMMIT with uploadpack.allowreachablesha1inwant. Parse this into TransportConfig and use it from UploadPack. An explicitly set RequestPolicy overrides the config, and the policy may still be upgraded on a unidirectional connection to avoid races. Change-Id: Id39771a6e42d8082099acde11249306828a053c0 Signed-off-by: Fredrik Medley <fredrik.medley@gmail.com>
* | | | Add missing imports for javadoc to ObjectCountCallbackJonathan Nieder2015-06-091-0/+3
| | | | | | | | | | | | | | | | | | | | Change-Id: I24780a28c01047654d81af09045d88c6a84950b6 Signed-off-by: Jonathan Nieder <jrn@google.com>
generated by cgit v1.2.3 (git 2.39.1) at 2025-02-03 22:05:05 +0000