An SSH agent might contain keys that Apache MINA sshd cannot handle.
Pageant for instance can contain ed448 keys, which are not implemented
in OpenSSH or in Apache MINA sshd.
When an agent delivers such keys, simply skip (and log) them. That way,
we can work with the remaining keys. Otherwise a single unknown key in
the agent would break pubkey authentication.
Change-Id: I3945d932c7e64b628465004cfbaf10f4dc05f3e4
Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
Add parsing of the config. Implement the SSH agent protocol for adding
a key. In the pubkey authentication, add keys to the agent as soon as
they've been loaded successfully, before even attempting to use them
for authentication. OpenSSH does the same.
Bug: 577052
Change-Id: Id1c08d9676a74652256b22281c2f8fa0b6508fa6
Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
OpenSSH has (for legacy reasons?) the option of specifying the default
environment variable directly, instead of using ${SSH_AUTH_SOCK}. Make
sure the plain variable name is not taken as a relative path name.
Bug: 577053
Change-Id: If8f550dffc43887254f71aa0b487c50fa14d0627
Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
Win32-OpenSSH uses a named Windows pipe for communication. Implement
a connector for this mechanism using JNA. Choose the appropriate
connector based on the setting of the 'identityAgent' parameter.
Bug: 577053
Change-Id: I205f07fb33654aa18ca5db92706e65544ce38641
Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
If an SSH agent is used but "IdentitiesOnly yes" is set, only those
keys from the agent that correspond to one of the keys explicitly given
via an IdentityFile directive are to be used.
Implement this by filtering the list of keys obtained from the agent
against the list of IdentityFiles, each entry suffixed with ".pub".
Load the public keys from these files, and ignore all other keys from
the agent. Keys without ".pub" file are also ignored.
Apache MINA sshd has no operation to load only the public key from a
private key file, so we have to rely on *.pub files.
Bug: 577053
Change-Id: I75c2c0b3ce35781c933ec2944bd6da1b94f4caf9
Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
Handle the 'none' value, and change the value to select Pageant to
something that looks like an absolute UNC path name to avoid it's
handled as an relative path name.
Bug: 577053
Change-Id: I4ccf047abbc1def50e2782319e4fa7c744069401
Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
Fix TransportException occurring when deleting
a branch and push that change to remote repository
if BuiltinLFS is used to work with repository.
When finding LFS pointers in RemoteRepUpdate,
LfsPrePushHook fails to open ObjectReader
with new object id equal to ObjectId.zeroId().
If update is a deleting update (new object id is zero id),
we can assume that this update doesn't contain LFS Pointer
and we can skip step with extracting LFS pointer for that
RemoteRefUpdate.
Bug: 578313
Change-Id: Ic4367978338b8234d39d9af0d9674490f79fc22d
Signed-off-by: Nail Samatov <sanail@yandex.ru>
Checking the cancelled status and keeping a digest of the written data
is useful for other output streams. e.g. to write commit-graphs.
Pull up that functionality to a superclass, so it can be reused.
Change-Id: I177b50be09c4ea631e7a144cc6127085ec2ca411
Signed-off-by: kylezhao <kylezhao@tencent.com>
In I988f61e34 tools/remote-bazelrc was added, but this resource file
wasn't imported from main resource file workspace/.bazelrc.
Change-Id: Ie0c2f128fbccaa6f9e99ad29a3a76ac294f3cd29
Enhance cache performance monitoring for large data such as pack and
bitmap indexes. Provide details about what is loaded and evicted from
cache like total number of cache hits, time in cache before eviction.
Add a custom consumer to report loading events and eviction events when
enabled.
Signed-off-by: Alina Djamankulova <adjama@google.com>
Change-Id: I5739325db7ff7ec370e4defd8f7e46f1c3f5d2dd
The Bazel build can be used with Google's Remote Build Execution.
This needs the following setup steps:
$ gcloud auth application-default login
$ gcloud services enable remotebuildexecution.googleapis.com --project=${PROJECT}
Create a worker pool. The instances should have at least 4 CPUs each
for adequate performance.
$ gcloud alpha remote-build-execution worker-pools create default \
--project=${PROJECT} \
--instance=default_instance \
--worker-count=50 \
--machine-type=e2-standard-4 \
--disk-size=200
To use RBE, execute
$ bazel test --config=remote \
--remote_instance_name=projects/${PROJECT}/instances/default_instance \
//...
Change-Id: I988f61e342dab2136d8752ace945a4ed91a4189a
Bump Bazel version to release 5.0.0. In this new Bazel release,
--incompatible_use_toolchain_resolution_for_java_rules is flipped, that
means that the build must be adapted to toolchain resolution.
Specification toolchain resolution for java rules is here: [1]. Main
tracking Bazel issue is here: [2].
Given that new Bazel release also added support for remote JDK 17, add
experimental support for building with remote JDK 17 to produce major
byte code version 61.
Test Plan:
To build with remote JDK 11 run:
$ bazel build :all
To build with remote JDK 17 run:
$ bazel build --config java17 :all
[1] https://docs.google.com/document/d/1MVbBxbKVKRJJY7DnkptHpvz7ROhyAYy4a-TZ-n7Q0r4/edit?usp=sharing
[2] https://github.com/bazelbuild/bazel/issues/7849
Change-Id: I8d26dff722c6677ea7642913b61e416b23ea9041
In upcoming Bazel release 5.0 resource_jars attribute was removed: [1].
Replace resource_jars with runtime_deps as recommended in the release
notes.
[1] https://github.com/bazelbuild/bazel/issues/13221
Change-Id: Iab834d647cf63259ca182adc1f862b6001db0cce
and update
- com.google.gson to 2.8.9.v20220111-1409
- org.bouncycastle.bcpg to 1.70.0.v20220105-1522
- org.bouncycastle.bcpkix to 1.70.0.v20220105-1522
- org.bouncycastle.bcprov to 1.70.0.v20220105-1522
- org.bouncycastle.bcutil to 1.70.0.v20220105-1522
Change-Id: I7d9159e0e8524459a11da84cb2db709cb1f0823d
Move this test to another class and skip it when running tests with
bazel since the bazel test runner does not allow to create files in the
home directory.
FS#userHome retrieves the home directory on the first call and caches it
for subsequent calls to avoid overhead in case path translation is
required (currently on cygwin). This prevents that the test can mock the
home directory using MockSystemReader like SshTestHarness does.
Change-Id: I6a22f37f4a19eb4b4935509eae508a23e56db7aa
The fetch of a single orphan ref (for example Gerrit meta ref:
refs/changes/21/21/meta) did not stop the negotiation so client
had to advertise all refs. This impacts the fetch performance
on repositories with a large number of refs (for example on
Gerrit repository it takes 20 seconds to fetch meta ref
comparing to 1.2 second to fetch ref with parent).
To avoid this issue UploadPack, used on the server side,
now checks if all `want` refs have parents, if not this
means that client doesn't need any extra objects, hence
the server responds with `ready` and finishes the
negotiation phase.
Bug: 577937
Change-Id: Ia3001b400b415d5cf6aae45e72345ca08d3af058
Ibd0240cf7ad updated servlet-api to 4.0.0 only partially for the
osgi-based build in Eclipse.
Complete this by updating dependencies also in maven and bazel build.
Change-Id: Ic4c3eb78c538007ca2177f6109d415147e58eabe
Update version in root pom.xml, adapt code & manifests. Bump the
dependency in the bazel build.
Update Orbit to I20220105095044 to get Apache MINA sshd 2.8.0 and
regenerate all target platforms.
Bug: 577542
Change-Id: Iefc02ceda8a9b0683f49aa8059999a5486d1f322
Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
SSHD-1231[1] may lead to exceptions when trying to authenticate first
with an RSA key that is rejected by the server. The upstream fix is a
one-liner but unfortunately didn't make it into Apache MINA sshd 2.8.0.
Incorporate the upstream fix in JGitPublicKeyAuthentication, and add
a test case for this.
[1] https://issues.apache.org/jira/browse/SSHD-1231
Bug: 577545
Change-Id: Ia744cd4aa569bccd937c855f3bb45c0116915bad
Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
Bump the japicmp base version to 6.0.0.202111291000-r and configure
the o.e.j.ssh.apache and o.e.j.ssh.apache.agent bundles to ignore
internal classes.
Change-Id: Id95350c73b9141e1583f9de5fb6ab2496c7407d9
Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
* stable-6.0:
Use slf4j-simple instead of log4j for logging
Update orbit to R20211213173813
Change-Id: I746b7fb71571020ce49f7b50fd675c9864327719
Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
* stable-5.13:
Use slf4j-simple instead of log4j for logging
Update orbit to R20211213173813
Change-Id: I219ef3901c1d908b91bf9c8f00431b22686ff7a5
Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>