createSignedTag ACLs are ignored by Gerrit >=3.4
19 views
Skip to first unread message
Clark Boylan
Jan 25, 2022, 2:45:45 PM1/25/22
to Repo and Gerrit Discussion
We upgraded from Gerrit 3.3.9 to Gerrit 3.4.3 yesterday and our users
noticed they could no longer push signed tags to repositories. Gerrit
reported "You need 'Create Tag' rights to push a normal tag." despite
the tags being signed. In testing this we went ahead and added
createTag ACLs which did correct the problem and is serving as our
current workaround.
Digging into the code more I think I've identified why this is
happening on 3.4 and not on 3.3. Gerrit calls getFullMessage() on the
tag object and checks if the gpg header is in the result [0]. Newer
Jgit included in 3.4 but not 3.3 stopped including that information in
the getFullMessage() result [1] which means Gerrit 3.4 (and newer?)
will only ever check the createTag permission.
I've filed an issue [2] for this and pushed a change [3] that should
fix it. Though this change needs some testing which I'm trying to do
locally against one of our test Gerrit's in CI.
Calling this out on the mailing list in case anyone else runs into
this and needs a workaround. Also, hoping that I can get some help
fixing it properly in Gerrit :)
[0] https://gerrit.googlesource.com/gerrit/+/refs/heads/stable-3.4/java/com/google/gerrit/server/project/CreateRefControl.java#105
[1] https://gerrit.googlesource.com/jgit/+/dd3846513bbc682b9c51b09d369687ab7a036a49%5E%21/
[2] https://bugs.chromium.org/p/gerrit/issues/detail?id=15616
[3] https://gerrit-review.googlesource.com/c/gerrit/+/328839
Clark
noticed they could no longer push signed tags to repositories. Gerrit
reported "You need 'Create Tag' rights to push a normal tag." despite
the tags being signed. In testing this we went ahead and added
createTag ACLs which did correct the problem and is serving as our
current workaround.
Digging into the code more I think I've identified why this is
happening on 3.4 and not on 3.3. Gerrit calls getFullMessage() on the
tag object and checks if the gpg header is in the result [0]. Newer
Jgit included in 3.4 but not 3.3 stopped including that information in
the getFullMessage() result [1] which means Gerrit 3.4 (and newer?)
will only ever check the createTag permission.
I've filed an issue [2] for this and pushed a change [3] that should
fix it. Though this change needs some testing which I'm trying to do
locally against one of our test Gerrit's in CI.
Calling this out on the mailing list in case anyone else runs into
this and needs a workaround. Also, hoping that I can get some help
fixing it properly in Gerrit :)
[0] https://gerrit.googlesource.com/gerrit/+/refs/heads/stable-3.4/java/com/google/gerrit/server/project/CreateRefControl.java#105
[1] https://gerrit.googlesource.com/jgit/+/dd3846513bbc682b9c51b09d369687ab7a036a49%5E%21/
[2] https://bugs.chromium.org/p/gerrit/issues/detail?id=15616
[3] https://gerrit-review.googlesource.com/c/gerrit/+/328839
Clark
Reply all
Reply to author
Forward
0 new messages