Status Update
Comments
un...@gmail.com <un...@gmail.com> #2
ek...@google.com <ek...@google.com> #3
Branch: master
commit d1ad7d504171c8f68d2cf956bb3422fa84a8194f
Author: Luca Milanesio <luca.milanesio@gmail.com>
Date: Thu Jun 13 17:56:43 2024
Use SecureStore to access replication credentials
Gerrit introduced the SecureStore in Ibbb15ad2aa over 10 years
ago, however, the replication plugin was never adapted and then
unable to access the remote endpoint credentials when Gerrit
has a custom secure provider installed that would provide
data encryption at rest.
Replace the direct reading of the secure.config with the abstract
implementation of the Gerrit SecureStore, so that it can still
be working as expected with encrypted credentials.
Existing installations may have used a mix of encrypted and clear text
credentials in secure.config, leveraging the replication plugin bug
that was not accessing it using the correct API. Introduce a legacy
feature flag 'gerrit.useLegacyCredentials' that allows the Gerrit
admin to still use the legacy mode.
Whenever the replication plugin detects the legacy mode, it displays
a warning explaining what is happening and how to adjust the
configuration and enable full encryption in secure.config.
Release-Notes: Use SecureStore for reading username/password credentials
Bug:
Change-Id: Ie5b6339d65d144536416cf070d52f11342b39fe6
M src/main/java/com/googlesource/gerrit/plugins/replication/AutoReloadConfigDecorator.java
M src/main/java/com/googlesource/gerrit/plugins/replication/AutoReloadSecureCredentialsFactoryDecorator.java
A src/main/java/com/googlesource/gerrit/plugins/replication/LegacyCredentialsFactory.java
M src/main/java/com/googlesource/gerrit/plugins/replication/ReplicationConfigImpl.java
M src/main/java/com/googlesource/gerrit/plugins/replication/SecureCredentialsFactory.java
M src/main/java/com/googlesource/gerrit/plugins/replication/api/ReplicationConfig.java
M src/main/resources/Documentation/config.md
M src/test/java/com/googlesource/gerrit/plugins/replication/AbstractConfigTest.java
A src/test/java/com/googlesource/gerrit/plugins/replication/AutoReloadSecureCredentialsFactoryDecoratorTest.java
ma...@gmail.com <ma...@gmail.com> #4
Currently available sshd 2.13.1 and 2.13.2 both have issues.
See Nasser's comment in
"No, we need 2.14.0 (or a 2.13.3 if that would happen). See 435018: Bump BC to 1.78.1 and SSHD to 2.13.2 |
Hence sshd was reverted to 2.12.0 in
Currently gerrit master uses bouncycastle 1.72, hence I think updating to 1.74 is a step in the right direction.
I pushed an update to 1.74 for review:
JGit updated to 1.78.1 which is the latest available release.
ap...@google.com <ap...@google.com> #5
Branch: master
commit 07659708dab5d8f4b8ca683915606489ce241cad
Author: Matthias Sohn <matthias.sohn@sap.com>
Date: Tue Sep 10 15:33:26 2024
Update bouncycastle to 1.74
Bouncycastle release notes:
Release-Notes: Update bouncycastle to 1.74
Bug:
Change-Id: I3b4ad2fd2563e8859ec551e99faed9656ee51ff9
M tools/deps.bzl
Description
The update is implemented in [2].
[1]
[2]