Skip to content

Added comprehensive Gerrit HTTP authentication support #366

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 20 commits into
base: main
Choose a base branch
from
Draft

Added comprehensive Gerrit HTTP authentication support #366

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
20 commits
Select commit Hold shift + click to select a range
f570cd6
feat: Add comprehensive Gerrit authentication support
zuharz Jun 25, 2025
f3158e6
fix: Strengthen security warning for direct token values
zuharz Jun 25, 2025
8960cde
fix: Update all schema files with stronger security warnings for dire…
zuharz Jun 25, 2025
fde61ef
fix: Add minLength validation to prevent empty tokens in schema
zuharz Jun 25, 2025
2229944
fix(security): Remove inline token support from schema
zuharz Jul 15, 2025
df079c5
fix: Remove test credential entries from .gitignore
zuharz Jul 15, 2025
dd4feb1
docs: Add Gerrit REST API authentication documentation link
zuharz Jul 15, 2025
6c0fd3b
fix: Improve XSSI prefix handling robustness
zuharz Jul 15, 2025
9790c4b
docs: Streamline Gerrit documentation
zuharz Jul 15, 2025
100530a
test: Add comprehensive test coverage for security changes
zuharz Jul 15, 2025
2cd6366
chore: Update generated schema types and documentation
zuharz Jul 15, 2025
332b5cf
fix: Address PR review comments
zuharz Jul 23, 2025
80351fe
fix: Update web package tests to use modern @testing-library/react
zuharz Aug 20, 2025
7adfc6a
Fix Gerrit connection bugs and improve validation
zuharz Aug 21, 2025
dd33c28
Disable GitHub Actions workflows by renaming workflows directory
zuharz Sep 5, 2025
c01e017
refactor: clean up Gerrit auth based on review feedback
zuharz Sep 8, 2025
4245adf
fix: remove redundant token validation check per review feedback
zuharz Sep 8, 2025
ac8bc27
Revert "Disable GitHub Actions workflows by renaming workflows direct…
zuharz Sep 9, 2025
7f90710
fix: Minimal changes to resolve rebase conflicts in repoManager.ts
zuharz Sep 18, 2025
e36563e
refactor: Improve auto-generated schema consistency
zuharz Sep 18, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 4 additions & 1 deletion .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -163,4 +163,7 @@ dist
.sourcebot
/bin
/config.json
.DS_Store
.DS_Store

# Claude Code generated files
CLAUDE.md
3 changes: 3 additions & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]

### Added
- Added comprehensive Gerrit HTTP authentication support with username/password credentials via secrets and environment variables. [#366](https://github.com/sourcebot-dev/sourcebot/pull/366)

## [4.7.0] - 2025-09-17

### Added
Expand Down
123 changes: 107 additions & 16 deletions docs/docs/connections/gerrit.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,74 +6,165 @@ icon: crow

import GerritSchema from '/snippets/schemas/v3/gerrit.schema.mdx'

<Note>Authenticating with Gerrit is currently not supported. If you need this capability, please raise a [feature request](https://github.com/sourcebot-dev/sourcebot/issues/new?template=feature_request.md).</Note>
Sourcebot can sync code from self-hosted Gerrit instances, including both public and authenticated repositories.

Sourcebot can sync code from self-hosted gerrit instances.
## Authentication Support

<Info>
**Authentication Status**: Gerrit authentication is supported through HTTP Basic Auth using username and HTTP password credentials. This guide documents the verified authentication methods and implementation details.
</Info>

### Authentication Methods

Gerrit supports these authentication methods with Sourcebot:

1. **Public Access**: For publicly accessible projects (no authentication required)
2. **HTTP Basic Auth**: Using Gerrit username and HTTP password

If you're not familiar with Sourcebot [connections](/docs/connections/overview), please read that overview first.

## Connecting to a Gerrit instance

To connect to a gerrit instance, provide the `url` property to your config:
### Basic Connection (Public Projects)

For publicly accessible Gerrit projects:

```json
{
"type": "gerrit",
"url": "https://gerrit.example.com",
"projects": ["public-project-name"]
}
```

### Authenticated Connection

For private/authenticated Gerrit projects, you need to provide credentials:

```json
{
"type": "gerrit",
"url": "https://gerrit.example.com"
// .. rest of config ..
"url": "https://gerrit.example.com",
"projects": ["private-project-name"],
"auth": {
"username": "your-gerrit-username",
"password": {
"env": "GERRIT_HTTP_PASSWORD"
}
}
}
```

<Warning>
Use **HTTP Password**, not your Gerrit account password. Generate an HTTP password in Gerrit: **Settings → HTTP Credentials → Generate Password**.
</Warning>

Set your Gerrit HTTP password as an environment variable:

```bash
export GERRIT_HTTP_PASSWORD="your-generated-http-password"
```

When running with Docker:

```bash
docker run -e GERRIT_HTTP_PASSWORD="your-http-password" ...
```

## Authentication Setup

### Generate HTTP Password

1. Log into your Gerrit instance
2. Go to **Settings** → **HTTP Credentials** → **Generate Password**
3. Copy the generated password (this is your HTTP password)

<Note>
**Special Characters**: If your HTTP password contains special characters like `/`, `+`, or `=`, Sourcebot automatically handles URL encoding for git operations.
</Note>

## Examples

<AccordionGroup>
<Accordion title="Public Gerrit instance">
```json
{
"type": "gerrit",
"url": "https://gerrit.googlesource.com",
"projects": ["android/platform/build"]
}
```
</Accordion>

<Accordion title="Private Gerrit with authentication">
```json
{
"type": "gerrit",
"url": "https://gerrit.company.com",
"projects": ["internal-project"],
"auth": {
"username": "john.doe",
"password": {
"env": "GERRIT_HTTP_PASSWORD"
}
}
}
```
</Accordion>

<Accordion title="Sync projects by glob pattern">
```json
{
"type": "gerrit",
"url": "https://gerrit.example.com",
// Sync all repos under project1 and project2/sub-project
"projects": [
"project1/**",
"project2/sub-project/**"
]
],
"auth": {
"username": "your-username",
"password": {
"env": "GERRIT_HTTP_PASSWORD"
}
}
}
```
</Accordion>

<Accordion title="Exclude repos from syncing">
```json
{
"type": "gerrit",
"url": "https://gerrit.example.com",
// Sync all repos under project1 and project2/sub-project...
"projects": [
"project1/**",
"project2/sub-project/**"
],
// ...except:
"exclude": {
// any project that matches these glob patterns
"projects": [
"project1/foo-project",
"project2/sub-project/some-sub-folder/**"
],

// projects that have state READ_ONLY
"readOnly": true,

// projects that have state HIDDEN
"hidden": true
},
"auth": {
"username": "your-username",
"password": {
"env": "GERRIT_HTTP_PASSWORD"
}
}
}
```
</Accordion>
</AccordionGroup>

## Schema reference
## Schema Reference

<Accordion title="Reference">
[schemas/v3/gerrit.json](https://github.com/sourcebot-dev/sourcebot/blob/main/schemas/v3/gerrit.json)

<GerritSchema />

</Accordion>
</Accordion>

2 changes: 2 additions & 0 deletions docs/snippets/schemas/v3/azuredevops.schema.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@
"properties": {
"secret": {
"type": "string",
"minLength": 1,
"description": "The name of the secret that contains the token."
}
},
Expand All @@ -35,6 +36,7 @@
"properties": {
"env": {
"type": "string",
"minLength": 1,
"description": "The name of the environment variable that contains the token. Only supported in declarative connection configs."
}
},
Expand Down
2 changes: 2 additions & 0 deletions docs/snippets/schemas/v3/bitbucket.schema.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@
"properties": {
"secret": {
"type": "string",
"minLength": 1,
"description": "The name of the secret that contains the token."
}
},
Expand All @@ -39,6 +40,7 @@
"properties": {
"env": {
"type": "string",
"minLength": 1,
"description": "The name of the environment variable that contains the token. Only supported in declarative connection configs."
}
},
Expand Down
69 changes: 69 additions & 0 deletions docs/snippets/schemas/v3/connection.schema.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@
"properties": {
"secret": {
"type": "string",
"minLength": 1,
"description": "The name of the secret that contains the token."
}
},
Expand All @@ -39,6 +40,7 @@
"properties": {
"env": {
"type": "string",
"minLength": 1,
"description": "The name of the environment variable that contains the token. Only supported in declarative connection configs."
}
},
Expand Down Expand Up @@ -239,6 +241,7 @@
"properties": {
"secret": {
"type": "string",
"minLength": 1,
"description": "The name of the secret that contains the token."
}
},
Expand All @@ -252,6 +255,7 @@
"properties": {
"env": {
"type": "string",
"minLength": 1,
"description": "The name of the environment variable that contains the token. Only supported in declarative connection configs."
}
},
Expand Down Expand Up @@ -446,6 +450,7 @@
"properties": {
"secret": {
"type": "string",
"minLength": 1,
"description": "The name of the secret that contains the token."
}
},
Expand All @@ -459,6 +464,7 @@
"properties": {
"env": {
"type": "string",
"minLength": 1,
"description": "The name of the environment variable that contains the token. Only supported in declarative connection configs."
}
},
Expand Down Expand Up @@ -602,6 +608,65 @@
],
"pattern": "^https?:\\/\\/[^\\s/$.?#].[^\\s]*$"
},
"auth": {
"type": "object",
"description": "Authentication configuration for Gerrit",
"properties": {
"username": {
"type": "string",
"description": "Gerrit username for authentication",
"examples": [
"john.doe"
]
},
"password": {
"description": "Gerrit HTTP password (not your account password). Generate this in Gerrit → Settings → HTTP Credentials → Generate Password. Note: HTTP password authentication requires Gerrit's auth.gitBasicAuthPolicy to be set to HTTP or HTTP_LDAP.",
"examples": [
{
"env": "GERRIT_HTTP_PASSWORD"
},
{
"secret": "GERRIT_PASSWORD_SECRET"
}
],
"anyOf": [
{
"type": "object",
"properties": {
"secret": {
"type": "string",
"minLength": 1,
"description": "The name of the secret that contains the token."
}
},
"required": [
"secret"
],
"additionalProperties": false
},
{
"type": "object",
"properties": {
"env": {
"type": "string",
"minLength": 1,
"description": "The name of the environment variable that contains the token. Only supported in declarative connection configs."
}
},
"required": [
"env"
],
"additionalProperties": false
}
]
}
},
"required": [
"username",
"password"
],
"additionalProperties": false
},
"projects": {
"type": "array",
"items": {
Expand Down Expand Up @@ -718,6 +783,7 @@
"properties": {
"secret": {
"type": "string",
"minLength": 1,
"description": "The name of the secret that contains the token."
}
},
Expand All @@ -731,6 +797,7 @@
"properties": {
"env": {
"type": "string",
"minLength": 1,
"description": "The name of the environment variable that contains the token. Only supported in declarative connection configs."
}
},
Expand Down Expand Up @@ -891,6 +958,7 @@
"properties": {
"secret": {
"type": "string",
"minLength": 1,
"description": "The name of the secret that contains the token."
}
},
Expand All @@ -904,6 +972,7 @@
"properties": {
"env": {
"type": "string",
"minLength": 1,
"description": "The name of the environment variable that contains the token. Only supported in declarative connection configs."
}
},
Expand Down
Loading