]> source.dussan.org Git - sonarqube.git/blob
projects / sonarqube.git / blob
? search:


76028e096d916031158769e8861fe3c92c0bd15b
[sonarqube.git] /
1 /*
2  * SonarQube
3  * Copyright (C) 2009-2021 SonarSource SA
4  * mailto:info AT sonarsource DOT com
5  *
6  * This program is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU Lesser General Public
8  * License as published by the Free Software Foundation; either
9  * version 3 of the License, or (at your option) any later version.
10  *
11  * This program is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14  * Lesser General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public License
17  * along with this program; if not, write to the Free Software Foundation,
18  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
19  */
20 package org.sonar.server.permission.index;
21
22 import java.util.Collection;
23 import org.junit.Rule;
24 import org.junit.Test;
25 import org.junit.rules.ExpectedException;
26 import org.sonar.api.utils.System2;
27 import org.sonar.db.DbSession;
28 import org.sonar.db.DbTester;
29 import org.sonar.db.component.ComponentDto;
30 import org.sonar.db.es.EsQueueDto;
31 import org.sonar.db.user.GroupDto;
32 import org.sonar.db.user.UserDto;
33 import org.sonar.server.es.EsTester;
34 import org.sonar.server.es.IndexType;
35 import org.sonar.server.es.IndexType.IndexMainType;
36 import org.sonar.server.es.IndexingResult;
37 import org.sonar.server.es.ProjectIndexer;
38 import org.sonar.server.tester.UserSessionRule;
39
40 import static java.util.Arrays.asList;
41 import static java.util.Collections.singletonList;
42 import static org.assertj.core.api.Assertions.assertThat;
43 import static org.sonar.api.web.UserRole.ADMIN;
44 import static org.sonar.api.web.UserRole.USER;
45 import static org.sonar.server.es.ProjectIndexer.Cause.PERMISSION_CHANGE;
46 import static org.sonar.server.permission.index.IndexAuthorizationConstants.TYPE_AUTHORIZATION;
47
48 public class PermissionIndexerTest {
49
50   private static final IndexMainType INDEX_TYPE_FOO_AUTH = IndexType.main(FooIndexDefinition.DESCRIPTOR, TYPE_AUTHORIZATION);
51
52   @Rule
53   public ExpectedException expectedException = ExpectedException.none();
54   @Rule
55   public DbTester db = DbTester.create(System2.INSTANCE);
56   @Rule
57   public EsTester es = EsTester.createCustom(new FooIndexDefinition());
58   @Rule
59   public UserSessionRule userSession = UserSessionRule.standalone();
60
61   private FooIndex fooIndex = new FooIndex(es.client(), new WebAuthorizationTypeSupport(userSession));
62   private FooIndexer fooIndexer = new FooIndexer(es.client());
63   private PermissionIndexer underTest = new PermissionIndexer(db.getDbClient(), es.client(), fooIndexer);
64
65   @Test
66   public void indexOnStartup_grants_access_to_any_user_and_to_group_Anyone_on_public_projects() {
67     ComponentDto project = createAndIndexPublicProject();
68     UserDto user1 = db.users().insertUser();
69     UserDto user2 = db.users().insertUser();
70
71     indexOnStartup();
72
73     verifyAnyoneAuthorized(project);
74     verifyAuthorized(project, user1);
75     verifyAuthorized(project, user2);
76   }
77
78   @Test
79   public void indexAll_grants_access_to_any_user_and_to_group_Anyone_on_public_projects() {
80     ComponentDto project = createAndIndexPublicProject();
81     UserDto user1 = db.users().insertUser();
82     UserDto user2 = db.users().insertUser();
83
84     underTest.indexAll(underTest.getIndexTypes());
85
86     verifyAnyoneAuthorized(project);
87     verifyAuthorized(project, user1);
88     verifyAuthorized(project, user2);
89   }
90
91   @Test
92   public void deletion_resilience_will_deindex_projects() {
93     ComponentDto project1 = createUnindexedPublicProject();
94     ComponentDto project2 = createUnindexedPublicProject();
95     // UserDto user1 = db.users().insertUser();
96     indexOnStartup();
97     assertThat(es.countDocuments(INDEX_TYPE_FOO_AUTH)).isEqualTo(2);
98
99     // Simulate a indexation issue
100     db.getDbClient().componentDao().delete(db.getSession(), project1.uuid());
101     underTest.prepareForRecovery(db.getSession(), asList(project1.uuid()), ProjectIndexer.Cause.PROJECT_DELETION);
102     assertThat(db.countRowsOfTable(db.getSession(), "es_queue")).isEqualTo(1);
103     Collection<EsQueueDto> esQueueDtos = db.getDbClient().esQueueDao().selectForRecovery(db.getSession(), Long.MAX_VALUE, 2);
104
105     underTest.index(db.getSession(), esQueueDtos);
106
107     assertThat(db.countRowsOfTable(db.getSession(), "es_queue")).isZero();
108     assertThat(es.countDocuments(INDEX_TYPE_FOO_AUTH)).isEqualTo(1);
109   }
110
111   @Test
112   public void indexOnStartup_grants_access_to_user() {
113     ComponentDto project = createAndIndexPrivateProject();
114     UserDto user1 = db.users().insertUser();
115     UserDto user2 = db.users().insertUser();
116     db.users().insertProjectPermissionOnUser(user1, USER, project);
117     db.users().insertProjectPermissionOnUser(user2, ADMIN, project);
118
119     indexOnStartup();
120
121     // anonymous
122     verifyAnyoneNotAuthorized(project);
123
124     // user1 has access
125     verifyAuthorized(project, user1);
126
127     // user2 has not access (only USER permission is accepted)
128     verifyNotAuthorized(project, user2);
129   }
130
131   @Test
132   public void indexOnStartup_grants_access_to_group_on_private_project() {
133     ComponentDto project = createAndIndexPrivateProject();
134     UserDto user1 = db.users().insertUser();
135     UserDto user2 = db.users().insertUser();
136     UserDto user3 = db.users().insertUser();
137     GroupDto group1 = db.users().insertGroup();
138     GroupDto group2 = db.users().insertGroup();
139     db.users().insertProjectPermissionOnGroup(group1, USER, project);
140     db.users().insertProjectPermissionOnGroup(group2, ADMIN, project);
141
142     indexOnStartup();
143
144     // anonymous
145     verifyAnyoneNotAuthorized(project);
146
147     // group1 has access
148     verifyAuthorized(project, user1, group1);
149
150     // group2 has not access (only USER permission is accepted)
151     verifyNotAuthorized(project, user2, group2);
152
153     // user3 is not in any group
154     verifyNotAuthorized(project, user3);
155   }
156
157   @Test
158   public void indexOnStartup_grants_access_to_user_and_group() {
159     ComponentDto project = createAndIndexPrivateProject();
160     UserDto user1 = db.users().insertUser();
161     UserDto user2 = db.users().insertUser();
162     GroupDto group = db.users().insertGroup();
163     db.users().insertMember(group, user2);
164     db.users().insertProjectPermissionOnUser(user1, USER, project);
165     db.users().insertProjectPermissionOnGroup(group, USER, project);
166
167     indexOnStartup();
168
169     // anonymous
170     verifyAnyoneNotAuthorized(project);
171
172     // has direct access
173     verifyAuthorized(project, user1);
174
175     // has access through group
176     verifyAuthorized(project, user1, group);
177
178     // no access
179     verifyNotAuthorized(project, user2);
180   }
181
182   @Test
183   public void indexOnStartup_does_not_grant_access_to_anybody_on_private_project() {
184     ComponentDto project = createAndIndexPrivateProject();
185     UserDto user = db.users().insertUser();
186     GroupDto group = db.users().insertGroup();
187
188     indexOnStartup();
189
190     verifyAnyoneNotAuthorized(project);
191     verifyNotAuthorized(project, user);
192     verifyNotAuthorized(project, user, group);
193   }
194
195   @Test
196   public void indexOnStartup_grants_access_to_anybody_on_public_project() {
197     ComponentDto project = createAndIndexPublicProject();
198     UserDto user = db.users().insertUser();
199     GroupDto group = db.users().insertGroup();
200
201     indexOnStartup();
202
203     verifyAnyoneAuthorized(project);
204     verifyAuthorized(project, user);
205     verifyAuthorized(project, user, group);
206   }
207
208   @Test
209   public void indexOnStartup_grants_access_to_anybody_on_view() {
210     ComponentDto view = createAndIndexView();
211     UserDto user = db.users().insertUser();
212     GroupDto group = db.users().insertGroup();
213
214     indexOnStartup();
215
216     verifyAnyoneAuthorized(view);
217     verifyAuthorized(view, user);
218     verifyAuthorized(view, user, group);
219   }
220
221   @Test
222   public void indexOnStartup_grants_access_on_many_projects() {
223     UserDto user1 = db.users().insertUser();
224     UserDto user2 = db.users().insertUser();
225     ComponentDto project = null;
226     for (int i = 0; i < 10; i++) {
227       project = createAndIndexPrivateProject();
228       db.users().insertProjectPermissionOnUser(user1, USER, project);
229     }
230
231     indexOnStartup();
232
233     verifyAnyoneNotAuthorized(project);
234     verifyAuthorized(project, user1);
235     verifyNotAuthorized(project, user2);
236   }
237
238   @Test
239   public void public_projects_are_visible_to_anybody() {
240     ComponentDto projectOnOrg1 = createAndIndexPublicProject();
241     UserDto user = db.users().insertUser();
242
243     indexOnStartup();
244
245     verifyAnyoneAuthorized(projectOnOrg1);
246     verifyAuthorized(projectOnOrg1, user);
247   }
248
249   @Test
250   public void indexOnAnalysis_does_nothing_because_CE_does_not_touch_permissions() {
251     ComponentDto project = createAndIndexPublicProject();
252
253     underTest.indexOnAnalysis(project.uuid());
254
255     assertThatAuthIndexHasSize(0);
256     verifyAnyoneNotAuthorized(project);
257   }
258
259   @Test
260   public void permissions_are_not_updated_on_project_tags_update() {
261     ComponentDto project = createAndIndexPublicProject();
262
263     indexPermissions(project, ProjectIndexer.Cause.PROJECT_TAGS_UPDATE);
264
265     assertThatAuthIndexHasSize(0);
266     verifyAnyoneNotAuthorized(project);
267   }
268
269   @Test
270   public void permissions_are_not_updated_on_project_key_update() {
271     ComponentDto project = createAndIndexPublicProject();
272
273     indexPermissions(project, ProjectIndexer.Cause.PROJECT_TAGS_UPDATE);
274
275     assertThatAuthIndexHasSize(0);
276     verifyAnyoneNotAuthorized(project);
277   }
278
279   @Test
280   public void index_permissions_on_project_creation() {
281     ComponentDto project = createAndIndexPrivateProject();
282     UserDto user = db.users().insertUser();
283     db.users().insertProjectPermissionOnUser(user, USER, project);
284
285     indexPermissions(project, ProjectIndexer.Cause.PROJECT_CREATION);
286
287     assertThatAuthIndexHasSize(1);
288     verifyAuthorized(project, user);
289   }
290
291   @Test
292   public void index_permissions_on_permission_change() {
293     ComponentDto project = createAndIndexPrivateProject();
294     UserDto user1 = db.users().insertUser();
295     UserDto user2 = db.users().insertUser();
296     db.users().insertProjectPermissionOnUser(user1, USER, project);
297     indexPermissions(project, ProjectIndexer.Cause.PROJECT_CREATION);
298     verifyAuthorized(project, user1);
299     verifyNotAuthorized(project, user2);
300
301     db.users().insertProjectPermissionOnUser(user2, USER, project);
302     indexPermissions(project, PERMISSION_CHANGE);
303
304     verifyAuthorized(project, user1);
305     verifyAuthorized(project, user1);
306   }
307
308   @Test
309   public void delete_permissions_on_project_deletion() {
310     ComponentDto project = createAndIndexPrivateProject();
311     UserDto user = db.users().insertUser();
312     db.users().insertProjectPermissionOnUser(user, USER, project);
313     indexPermissions(project, ProjectIndexer.Cause.PROJECT_CREATION);
314     verifyAuthorized(project, user);
315
316     db.getDbClient().componentDao().delete(db.getSession(), project.uuid());
317     indexPermissions(project, ProjectIndexer.Cause.PROJECT_DELETION);
318
319     verifyNotAuthorized(project, user);
320     assertThatAuthIndexHasSize(0);
321   }
322
323   @Test
324   public void errors_during_indexing_are_recovered() {
325     ComponentDto project = createAndIndexPublicProject();
326     es.lockWrites(INDEX_TYPE_FOO_AUTH);
327
328     IndexingResult result = indexPermissions(project, PERMISSION_CHANGE);
329     assertThat(result.getTotal()).isEqualTo(1L);
330     assertThat(result.getFailures()).isEqualTo(1L);
331
332     // index is still read-only, fail to recover
333     result = recover();
334     assertThat(result.getTotal()).isEqualTo(1L);
335     assertThat(result.getFailures()).isEqualTo(1L);
336     assertThatAuthIndexHasSize(0);
337     assertThatEsQueueTableHasSize(1);
338
339     es.unlockWrites(INDEX_TYPE_FOO_AUTH);
340
341     result = recover();
342     assertThat(result.getTotal()).isEqualTo(1L);
343     assertThat(result.getFailures()).isEqualTo(0L);
344     verifyAnyoneAuthorized(project);
345     assertThatEsQueueTableHasSize(0);
346   }
347
348   private void assertThatAuthIndexHasSize(int expectedSize) {
349     assertThat(es.countDocuments(FooIndexDefinition.TYPE_AUTHORIZATION)).isEqualTo(expectedSize);
350   }
351
352   private void indexOnStartup() {
353     underTest.indexOnStartup(underTest.getIndexTypes());
354   }
355
356   private void verifyAuthorized(ComponentDto project, UserDto user) {
357     logIn(user);
358     verifyAuthorized(project, true);
359   }
360
361   private void verifyAuthorized(ComponentDto project, UserDto user, GroupDto group) {
362     logIn(user).setGroups(group);
363     verifyAuthorized(project, true);
364   }
365
366   private void verifyNotAuthorized(ComponentDto project, UserDto user) {
367     logIn(user);
368     verifyAuthorized(project, false);
369   }
370
371   private void verifyNotAuthorized(ComponentDto project, UserDto user, GroupDto group) {
372     logIn(user).setGroups(group);
373     verifyAuthorized(project, false);
374   }
375
376   private void verifyAnyoneAuthorized(ComponentDto project) {
377     userSession.anonymous();
378     verifyAuthorized(project, true);
379   }
380
381   private void verifyAnyoneNotAuthorized(ComponentDto project) {
382     userSession.anonymous();
383     verifyAuthorized(project, false);
384   }
385
386   private void verifyAuthorized(ComponentDto project, boolean expectedAccess) {
387     assertThat(fooIndex.hasAccessToProject(project.uuid())).isEqualTo(expectedAccess);
388   }
389
390   private UserSessionRule logIn(UserDto u) {
391     userSession.logIn(u);
392     return userSession;
393   }
394
395   private IndexingResult indexPermissions(ComponentDto project, ProjectIndexer.Cause cause) {
396     DbSession dbSession = db.getSession();
397     Collection<EsQueueDto> items = underTest.prepareForRecovery(dbSession, singletonList(project.uuid()), cause);
398     dbSession.commit();
399     return underTest.index(dbSession, items);
400   }
401
402   private ComponentDto createUnindexedPublicProject() {
403     return db.components().insertPublicProject();
404   }
405
406   private ComponentDto createAndIndexPrivateProject() {
407     ComponentDto project = db.components().insertPrivateProject();
408     fooIndexer.indexOnAnalysis(project.uuid());
409     return project;
410   }
411
412   private ComponentDto createAndIndexPublicProject() {
413     ComponentDto project = db.components().insertPublicProject();
414     fooIndexer.indexOnAnalysis(project.uuid());
415     return project;
416   }
417
418   private ComponentDto createAndIndexView() {
419     ComponentDto view = db.components().insertPublicPortfolio();
420     fooIndexer.indexOnAnalysis(view.uuid());
421     return view;
422   }
423
424   private IndexingResult recover() {
425     Collection<EsQueueDto> items = db.getDbClient().esQueueDao().selectForRecovery(db.getSession(), System.currentTimeMillis() + 1_000L, 10);
426     return underTest.index(db.getSession(), items);
427   }
428
429   private void assertThatEsQueueTableHasSize(int expectedSize) {
430     assertThat(db.countRowsOfTable("es_queue")).isEqualTo(expectedSize);
431   }
432
433 }
Continuous Inspection: https://github.com/SonarSource/sonarqube