
Enable sandbox branches in gerrit
Closed, Resolved, Public

Description

Please change the configuration in gerrit to allow users to have sandbox branches as is documented on MW.o.

Please ensure that I can delete sandbox branches I create.

Event Timeline

Restricted Application added a subscriber: Aklapper. Jul 3 2019, 2:28 AM

This does not seem to be about Gerrit-Privilege-Requests but about Gerrit

hashar closed this task as Resolved. Jul 3 2019, 9:42 AM
hashar claimed this task.
hashar added a subscriber: hashar.

User sandboxes are enabled for all projects. From All-Projects.git in refs/meta/config:

project.config
[access "refs/heads/sandbox/${username}/*"]
    create = group Registered Users
    push = group Registered Users
    pushMerge = group Registered Users

https://gerrit.wikimedia.org/r/#/admin/projects/All-Projects,access


Example usage:

$ git clone ssh://gerrit.wikimedia.org:29418/test/gerrit-ping.git
$ cd gerrit-ping
$ git commit --allow-empty -m 'hashar sandbox'

And push it:

$  git push origin HEAD:sandbox/hashar/dummy
Counting objects: 1, done.
Writing objects: 100% (1/1), 224 bytes | 0 bytes/s, done.
Total 1 (delta 0), reused 0 (delta 0)
remote: Processing changes: done    
To ssh://gerrit.wikimedia.org:29418/test/gerrit-ping.git
 * [new branch]      HEAD -> sandbox/hashar/dummy

And it is public:

$ git ls-remote https://gerrit.wikimedia.org/r/test/gerrit-ping.git sandbox*
e0a4d0b2db52bbf00fd1229a61ed544e65109e82	refs/heads/sandbox/hashar/dummy

Side note: the usefulness of sandbox is doubtful since git is more or less decentralized. I just use local branches :-]

MarkAHershberger reopened this task as Open. Jul 3 2019, 4:31 PM

I understand the limited usefulness for development.

I also understand that I can create these branches and that they are public:

$ git ls-remote https://gerrit.wikimedia.org/r/mediawiki/core.git sandbox/markahershberger*
b33feee9a44b58206425ab486b29ba98f5876afc	refs/heads/sandbox/markahershberger/testbranch
b33feee9a44b58206425ab486b29ba98f5876afc	refs/heads/sandbox/markahershberger/testbranch2

However, deleting a sandbox branch that I created does not seem possible:

$  git push  --delete origin sandbox/markahershberger/testbranch
remote: Branch refs/heads/sandbox/markahershberger/testbranch:
remote: You need 'Delete Reference' rights or 'Push' rights with the 
remote: 'Force Push' flag set to delete references.
remote: User: mah
remote: Please read the documentation and contact an administrator
remote: if you feel the configuration is incorrect
remote: Processing changes: refs: 1, done    
To ssh://gerrit.wikimedia.org:29418/mediawiki/core.git
 ! [remote rejected]       sandbox/markahershberger/testbranch (cannot delete references)
error: failed to push some refs to 'ssh://gerrit.wikimedia.org:29418/mediawiki/core.git'
$ git push --force --delete origin sandbox/markahershberger/testbranch
remote: Branch refs/heads/sandbox/markahershberger/testbranch:
remote: You need 'Delete Reference' rights or 'Push' rights with the 
remote: 'Force Push' flag set to delete references.
remote: User: mah
remote: Please read the documentation and contact an administrator
remote: if you feel the configuration is incorrect
remote: Processing changes: refs: 1, done    
To ssh://gerrit.wikimedia.org:29418/mediawiki/core.git
 ! [remote rejected]       sandbox/markahershberger/testbranch (cannot delete references)
error: failed to push some refs to 'ssh://gerrit.wikimedia.org:29418/mediawiki/core.git'

I did not specify this in the original request, but I will clarify now that I would like to be able to delete sandbox branches that I create.

Rationale: I would like to be able to test the gerrit branching code that I'm writing and don't want to pollute the main namespace (as I accidentally did in T226946) with branches I cannot delete.

greg triaged this task as Low priority. Jul 3 2019, 5:18 PM
greg added subscribers: Paladox, greg.

To unblock Mark's work...

@Paladox, could @MarkAHershberger use your WMCS install of gerrit to test his branching code?

Yup! (which is at https://gerrit.git.wmflabs.org/r/) I can make you an admin once you sign in (also need to register at https://ldapauth-gitldap.wmflabs.org/w/index.php)

I got ⧼authmanager-authplugin-create-fail⧽ when I tried to create an account.

Now, an xdebug dump:

Notice: Trying to get property 'status' of non-object in /vagrant/mediawiki/includes/auth/AuthManager.php on line 1347

and several complaints about headers already being sent (natch).

And then, under all that:

[b5d5fd4aab29276d18e39f34] /w/index.php?title=Special:CreateAccount&returnto=Main+Page DomainException from line 1346 of /vagrant/mediawiki/includes/auth/AuthManager.php: LdapPrimaryAuthenticationProvider::beginPrimaryAccountCreation() returned

Backtrace:

#0 /vagrant/mediawiki/includes/auth/AuthManager.php(1147): MediaWiki\Auth\AuthManager->continueAccountCreation(array)
#1 /vagrant/mediawiki/includes/specialpage/AuthManagerSpecialPage.php(358): MediaWiki\Auth\AuthManager->beginAccountCreation(User, array, string)
#2 /vagrant/mediawiki/includes/specialpage/AuthManagerSpecialPage.php(482): AuthManagerSpecialPage->performAuthenticationStep(string, array)
#3 /vagrant/mediawiki/includes/htmlform/HTMLForm.php(688): AuthManagerSpecialPage->handleFormSubmit(array, VFormHTMLForm)
#4 /vagrant/mediawiki/includes/specialpage/AuthManagerSpecialPage.php(416): HTMLForm->trySubmit()
#5 /vagrant/mediawiki/includes/specialpage/LoginSignupSpecialPage.php(313): AuthManagerSpecialPage->trySubmit()
#6 /vagrant/mediawiki/includes/specialpage/SpecialPage.php(571): LoginSignupSpecialPage->execute(NULL)
#7 /vagrant/mediawiki/includes/specialpage/SpecialPageFactory.php(581): SpecialPage->run(NULL)
#8 /vagrant/mediawiki/includes/MediaWiki.php(288): MediaWiki\Special\SpecialPageFactory->executePath(Title, RequestContext)
#9 /vagrant/mediawiki/includes/MediaWiki.php(884): MediaWiki->performRequest()
#10 /vagrant/mediawiki/includes/MediaWiki.php(515): MediaWiki->main()
#11 /vagrant/mediawiki/index.php(42): MediaWiki->run()
#12 /var/www/w/index.php(5): require(string)
#13 {main}

Tgr added a subscriber: Tgr. Jul 7 2019, 9:55 AM

The error message suggests LdapPrimaryAuthenticationProvider::beginPrimaryAccountCreation returned null (or some other non-object) instead of an AuthenticationResponse. I can't see that happening unless the code was altered locally.

hashar added a subscriber: Hexmode. Jul 8 2019, 8:42 AM

<snip>
However, deleting a sandbox branch that I created does not seem possible:

$  git push  --delete origin sandbox/markahershberger/testbranch
remote: Branch refs/heads/sandbox/markahershberger/testbranch:
remote: You need 'Delete Reference' rights or 'Push' rights with the 
remote: 'Force Push' flag set to delete references.
remote: User: mah
remote: Please read the documentation and contact an administrator
remote: if you feel the configuration is incorrect
remote: Processing changes: refs: 1, done    
To ssh://gerrit.wikimedia.org:29418/mediawiki/core.git
 ! [remote rejected]       sandbox/markahershberger/testbranch (cannot delete references)
error: failed to push some refs to 'ssh://gerrit.wikimedia.org:29418/mediawiki/core.git'
$ git push --force --delete origin sandbox/markahershberger/testbranch
remote: Branch refs/heads/sandbox/markahershberger/testbranch:
remote: You need 'Delete Reference' rights or 'Push' rights with the 
remote: 'Force Push' flag set to delete references.
remote: User: mah
remote: Please read the documentation and contact an administrator
remote: if you feel the configuration is incorrect
remote: Processing changes: refs: 1, done    
To ssh://gerrit.wikimedia.org:29418/mediawiki/core.git
 ! [remote rejected]       sandbox/markahershberger/testbranch (cannot delete references)
error: failed to push some refs to 'ssh://gerrit.wikimedia.org:29418/mediawiki/core.git'

I did not specify this in the original request, but I will clarify now that I would like to be able to delete sandbox branches that I create.
Rationale: I would like to be able to test the gerrit branching code that I'm writing and don't want to pollute the main namespace (as I accidentally did in T226946) with branches I cannot delete.

Ah indeed. So All-Projects.git has:

[access "refs/heads/sandbox/${username}/*"]
    create = group Registered Users
    push = group Registered Users
    pushMerge = group Registered Users

Which apparently means that any registered user can create a branch anywhere under refs/heads/sandbox/. So tentatively @Hexmode might be able to create a branch under my sandbox (ex: refs/heads/sandbox/hashar/hexmode). Unless the sandbox references are handled specially in Gerrit, that would mean that adding the right to delete a reference would let anyone delete anyone's sandbox branches?

@MarkAHershberger I had to create the account manually using createAndPromote.php, I've sent the details through email for logging in.

@Tgr yup, I hacked it locally (now I've removed the hack)

Ah indeed. So All-Projects.git has:

[access "refs/heads/sandbox/${username}/*"]
    create = group Registered Users
    push = group Registered Users
    pushMerge = group Registered Users

Which apparently means that any registered user can create a branch anywhere under refs/heads/sandbox/. So tentatively @Hexmode might be able to create a branch under my sandbox (ex: refs/heads/sandbox/hashar/hexmode).

Looks like it:

$ git push origin HEAD:refs/heads/sandbox/hashar/hexmode
Total 0 (delta 0), reused 0 (delta 0)
remote: Processing changes: done    
To ssh://gerrit.wikimedia.org:29418/mediawiki/core.git
 * [new branch]            HEAD -> sandbox/hashar/hexmode
$ git branch -a | grep hexmode
  remotes/origin/sandbox/hashar/hexmode
$ git push --delete origin refs/heads/sandbox/hashar/hexmode
remote: Branch refs/heads/sandbox/hashar/hexmode:
remote: You need 'Delete Reference' rights or 'Push' rights with the 
remote: 'Force Push' flag set to delete references.
remote: User: mah
remote: Please read the documentation and contact an administrator
remote: if you feel the configuration is incorrect
remote: Processing changes: refs: 1, done    
To ssh://gerrit.wikimedia.org:29418/mediawiki/core.git
 ! [remote rejected]       sandbox/hashar/hexmode (cannot delete references)
error: failed to push some refs to 'ssh://gerrit.wikimedia.org:29418/mediawiki/

@MarkAHershberger I had to create the account manually using createAndPromote.php, I've sent the details through email for logging in.

Thanks. Trying now. I'll create a new task with @Paladox and @greg CC'd if I run into any more issues. (i.e. nothing else here about it.)

@Hexmode on the test/gerrit-ping.git repository, can you try creating a sandbox branch under my namespace? Eg refs/sandbox/hashar/testcreation. I am wondering whether you would be allowed to create such a reference.

I really do not know how ${username} works in references. Maybe it is special cased.

rejected...

$ git clone ssh://gerrit.wikimedia.org:29418/test/gerrit-ping test-gerrit-repo
Cloning into 'test-gerrit-repo'...
remote: Counting objects: 2, done        
remote: Finding sources: 100% (1/1)        
Receiving objects: 100% (5/5), done.
remote: Total 5 (delta 0), reused 5 (delta 0)        
$ cd test-gerrit-repo/
$ git checkout -b sandbox/hashar/testcreation
Switched to a new branch 'sandbox/hashar/testcreation'
$ git push origin sandbox/hashar/testcreation
Total 0 (delta 0), reused 0 (delta 0)
remote: Processing changes: refs: 1, done            
To ssh://gerrit.wikimedia.org:29418/test/gerrit-ping
 ! [remote rejected] sandbox/hashar/testcreation -> sandbox/hashar/testcreation (prohibited by Gerrit: create not permitted for refs/heads/sandbox/hashar/testcreation)
error: failed to push some refs to 'ssh://gerrit.wikimedia.org:29418/test/gerrit-ping'

Change 522462 had a related patch set uploaded (by Hashar; owner: Hashar):
[test/gerrit-ping@refs/meta/config] Allow registered users to delete refs in sandbox

https://gerrit.wikimedia.org/r/522462

Change 522462 merged by Hashar:
[test/gerrit-ping@refs/meta/config] Allow registered users to delete refs in sandbox

https://gerrit.wikimedia.org/r/522462

@Hexmode on test/gerrit-ping.git can you try creating a reference in a sandbox and then deleting it? https://gerrit.wikimedia.org/r/522462 should enable that. Then I guess we can enable the feature by default via All-Projects.git.

Success!

mah@silk:~/work/code/mediawiki$ git clone ssh://gerrit.wikimedia.org:29418/test/gerrit-ping test-gerrit-repo
Cloning into 'test-gerrit-repo'...
remote: Counting objects: 2, done
remote: Finding sources: 100% (1/1)
Receiving objects: 100% (5/5), done.
remote: Total 5 (delta 0), reused 5 (delta 0)
mah@silk:~/work/code/mediawiki$ cd test-gerrit-repo/
mah@silk:~/work/code/mediawiki/test-gerrit-repo$ git checkout -b sandbox/hashar/testcreation
Switched to a new branch 'sandbox/hashar/testcreation'
mah@silk:~/work/code/mediawiki/test-gerrit-repo$ git push origin sandbox/hashar/testcreation
Total 0 (delta 0), reused 0 (delta 0)
remote: Processing changes: refs: 1, done    
To ssh://gerrit.wikimedia.org:29418/test/gerrit-ping
 ! [remote rejected] sandbox/hashar/testcreation -> sandbox/hashar/testcreation (prohibited by Gerrit: create not permitted for refs/heads/sandbox/hashar/testcreation)
error: failed to push some refs to 'ssh://gerrit.wikimedia.org:29418/test/gerrit-ping'
mah@silk:~/work/code/mediawiki/test-gerrit-repo$ git checkout -b sandbox/mah/testcreation
Switched to a new branch 'sandbox/mah/testcreation'
mah@silk:~/work/code/mediawiki/test-gerrit-repo$ git push origin sandbox/mah/testcreation
Total 0 (delta 0), reused 0 (delta 0)
remote: Processing changes: done    
To ssh://gerrit.wikimedia.org:29418/test/gerrit-ping
 * [new branch]      sandbox/mah/testcreation -> sandbox/mah/testcreation
mah@silk:~/work/code/mediawiki/test-gerrit-repo$ git push --delete origin sandbox/mah/testcreation
remote: Processing changes: done    
To ssh://gerrit.wikimedia.org:29418/test/gerrit-ping
 - [deleted]         sandbox/mah/testcreation

Change 524206 had a related patch set uploaded (by Hashar; owner: Hashar):
[All-Projects@refs/meta/config] Allow registered users to delete refs in sandbox

https://gerrit.wikimedia.org/r/524206

Change 524207 had a related patch set uploaded (by Hashar; owner: Hashar):
[test/gerrit-ping@refs/meta/config] Revert "Allow registered users to delete refs in sandbox"

https://gerrit.wikimedia.org/r/524207

Change 524207 merged by Hashar:
[test/gerrit-ping@refs/meta/config] Revert "Allow registered users to delete refs in sandbox"

https://gerrit.wikimedia.org/r/524207

Change 524206 merged by Hashar:
[All-Projects@refs/meta/config] Allow registered users to delete refs in sandbox

https://gerrit.wikimedia.org/r/524206
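
A simplified model of how the `${username}` pattern in the access section quoted in this task scopes each permission to the calling user's own namespace, added here as an illustration (it is not Gerrit's code and not part of the task). The `delete` line is an assumed stand-in for the merged change, whose content this page does not show; deny/block rules, force flags, regular-expression patterns and inheritance from other sections are ignored.

```python
import re

# Constructed sample: the sandbox section quoted in the task, plus an ASSUMED
# "delete" rule standing in for the merged change (its content is not on the page).
PROJECT_CONFIG = '''
[access "refs/heads/sandbox/${username}/*"]
    create = group Registered Users
    push = group Registered Users
    pushMerge = group Registered Users
    delete = group Registered Users
'''

def parse_access(text):
    """Return {ref_pattern: {permission: set(groups)}} from project.config text."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r'\[access "(.+)"\]', line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            perm, rule = (part.strip() for part in line.split("=", 1))
            if rule.startswith("group "):  # plain allow rules only
                current.setdefault(perm, set()).add(rule[len("group "):])
    return sections

def pattern_matches(pattern, ref, username):
    """Expand ${username} for the calling user, then do exact or /* prefix matching."""
    expanded = pattern.replace("${username}", username)
    if expanded.endswith("/*"):
        # Keep the trailing slash so user "ma" never matches sandbox/mah/...
        return ref.startswith(expanded[:-1])
    return ref == expanded

def allowed(sections, username, groups, permission, ref):
    """True if a section matching ref grants permission to one of the user's groups."""
    for pattern, perms in sections.items():
        if not pattern_matches(pattern, ref, username):
            continue
        if perms.get(permission, set()) & set(groups):
            return True
    return False

if __name__ == "__main__":
    acl = parse_access(PROJECT_CONFIG)
    for ref in ("refs/heads/sandbox/mah/testcreation",
                "refs/heads/sandbox/hashar/testcreation"):
        for perm in ("create", "delete"):
            print(perm, ref, allowed(acl, "mah", ["Registered Users"], perm, ref))
```

Because the pattern is expanded per caller before matching, granting `delete` in this section only covers refs under the caller's own `sandbox/<username>/` prefix, which matches the rejected and accepted pushes recorded on test/gerrit-ping.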