3 * Copyright (C) 2009-2022 SonarSource SA
4 * mailto:info AT sonarsource DOT com
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 3 of the License, or (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public License
17 * along with this program; if not, write to the Free Software Foundation,
18 * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
20 package org.sonar.server.permission;
22 import java.text.MessageFormat;
23 import java.util.ArrayList;
24 import java.util.Collection;
25 import java.util.Iterator;
26 import java.util.List;
29 import java.util.stream.Collectors;
30 import javax.annotation.CheckForNull;
31 import javax.annotation.Nullable;
32 import org.apache.commons.lang.StringUtils;
33 import org.sonar.api.resources.Qualifiers;
34 import org.sonar.api.server.ServerSide;
35 import org.sonar.core.util.UuidFactory;
36 import org.sonar.db.DbClient;
37 import org.sonar.db.DbSession;
38 import org.sonar.db.component.ComponentDto;
39 import org.sonar.db.permission.GroupPermissionDto;
40 import org.sonar.db.permission.UserPermissionDto;
41 import org.sonar.db.permission.template.PermissionTemplateCharacteristicDto;
42 import org.sonar.db.permission.template.PermissionTemplateDto;
43 import org.sonar.db.permission.template.PermissionTemplateGroupDto;
44 import org.sonar.db.permission.template.PermissionTemplateUserDto;
45 import org.sonar.db.user.UserDto;
46 import org.sonar.db.user.UserId;
47 import org.sonar.server.es.ProjectIndexer;
48 import org.sonar.server.es.ProjectIndexers;
49 import org.sonar.server.exceptions.TemplateMatchingKeyException;
50 import org.sonar.server.permission.DefaultTemplatesResolver.ResolvedDefaultTemplates;
51 import org.sonar.server.user.UserSession;
53 import static com.google.common.base.Preconditions.checkArgument;
54 import static java.lang.String.format;
55 import static java.util.Collections.singletonList;
56 import static org.sonar.api.security.DefaultGroups.isAnyone;
57 import static org.sonar.api.web.UserRole.PUBLIC_PERMISSIONS;
58 import static org.sonar.db.permission.GlobalPermission.SCAN;
61 public class PermissionTemplateService {
63 private final DbClient dbClient;
64 private final ProjectIndexers projectIndexers;
65 private final UserSession userSession;
66 private final DefaultTemplatesResolver defaultTemplatesResolver;
67 private final UuidFactory uuidFactory;
69 public PermissionTemplateService(DbClient dbClient, ProjectIndexers projectIndexers, UserSession userSession,
70 DefaultTemplatesResolver defaultTemplatesResolver, UuidFactory uuidFactory) {
71 this.dbClient = dbClient;
72 this.projectIndexers = projectIndexers;
73 this.userSession = userSession;
74 this.defaultTemplatesResolver = defaultTemplatesResolver;
75 this.uuidFactory = uuidFactory;
78 public boolean wouldUserHaveScanPermissionWithDefaultTemplate(DbSession dbSession, @Nullable String userUuid, String projectKey) {
79 if (userSession.hasPermission(SCAN)) {
83 ComponentDto dto = new ComponentDto().setDbKey(projectKey).setQualifier(Qualifiers.PROJECT);
84 PermissionTemplateDto template = findTemplate(dbSession, dto);
85 if (template == null) {
89 List<String> potentialPermissions = dbClient.permissionTemplateDao().selectPotentialPermissionsByUserUuidAndTemplateUuid(dbSession, userUuid, template.getUuid());
90 return potentialPermissions.contains(SCAN.getKey());
94 * Apply a permission template to a set of projects. Authorization to administrate these projects
95 * is not verified. The projects must exist, so the "project creator" permissions defined in the
96 * template are ignored.
98 public void applyAndCommit(DbSession dbSession, PermissionTemplateDto template, Collection<ComponentDto> projects) {
99 if (projects.isEmpty()) {
103 for (ComponentDto project : projects) {
104 dbClient.groupPermissionDao().deleteByRootComponentUuid(dbSession, project);
105 dbClient.userPermissionDao().deleteProjectPermissions(dbSession, project);
106 copyPermissions(dbSession, template, project, null);
108 projectIndexers.commitAndIndexComponents(dbSession, projects, ProjectIndexer.Cause.PERMISSION_CHANGE);
112 * Apply the default permission template to a new project (has no permissions yet).
113 * @param projectCreatorUserId id of the user creating the project.
115 public void applyDefaultToNewComponent(DbSession dbSession, ComponentDto component, @Nullable String projectCreatorUserId) {
116 PermissionTemplateDto template = findTemplate(dbSession, component);
117 checkArgument(template != null, "Cannot retrieve default permission template");
118 copyPermissions(dbSession, template, component, projectCreatorUserId);
121 public boolean hasDefaultTemplateWithPermissionOnProjectCreator(DbSession dbSession, ComponentDto component) {
122 PermissionTemplateDto template = findTemplate(dbSession, component);
123 return hasProjectCreatorPermission(dbSession, template);
126 private boolean hasProjectCreatorPermission(DbSession dbSession, @Nullable PermissionTemplateDto template) {
127 return template != null && dbClient.permissionTemplateCharacteristicDao().selectByTemplateUuids(dbSession, singletonList(template.getUuid())).stream()
128 .anyMatch(PermissionTemplateCharacteristicDto::getWithProjectCreator);
131 private void copyPermissions(DbSession dbSession, PermissionTemplateDto template, ComponentDto project, @Nullable String projectCreatorUserUuid) {
132 List<PermissionTemplateUserDto> usersPermissions = dbClient.permissionTemplateDao().selectUserPermissionsByTemplateId(dbSession, template.getUuid());
133 Set<String> permissionTemplateUserUuids = usersPermissions.stream().map(PermissionTemplateUserDto::getUserUuid).collect(Collectors.toSet());
134 Map<String, UserId> userIdByUuid = dbClient.userDao().selectByUuids(dbSession, permissionTemplateUserUuids).stream().collect(Collectors.toMap(UserDto::getUuid, u -> u));
137 .filter(up -> permissionValidForProject(project, up.getPermission()))
139 UserPermissionDto dto = new UserPermissionDto(uuidFactory.create(), up.getPermission(), up.getUserUuid(), project.uuid());
140 dbClient.userPermissionDao().insert(dbSession, dto, project, userIdByUuid.get(up.getUserUuid()), template);
143 List<PermissionTemplateGroupDto> groupsPermissions = dbClient.permissionTemplateDao().selectGroupPermissionsByTemplateUuid(dbSession, template.getUuid());
146 .filter(gp -> groupNameValidForProject(project, gp.getGroupName()))
147 .filter(gp -> permissionValidForProject(project, gp.getPermission()))
149 String groupUuid = isAnyone(gp.getGroupName()) ? null : gp.getGroupUuid();
150 String groupName = groupUuid == null ? null : dbClient.groupDao().selectByUuid(dbSession, groupUuid).getName();
151 GroupPermissionDto dto = new GroupPermissionDto()
152 .setUuid(uuidFactory.create())
153 .setGroupUuid(groupUuid)
154 .setGroupName(groupName)
155 .setRole(gp.getPermission())
156 .setComponentUuid(project.uuid())
157 .setComponentName(project.name());
158 dbClient.groupPermissionDao().insert(dbSession, dto, project, template);
161 List<PermissionTemplateCharacteristicDto> characteristics = dbClient.permissionTemplateCharacteristicDao().selectByTemplateUuids(dbSession, singletonList(template.getUuid()));
162 if (projectCreatorUserUuid != null) {
163 Set<String> permissionsForCurrentUserAlreadyInDb = usersPermissions.stream()
164 .filter(userPermission -> projectCreatorUserUuid.equals(userPermission.getUserUuid()))
165 .map(PermissionTemplateUserDto::getPermission)
166 .collect(java.util.stream.Collectors.toSet());
168 UserDto userDto = dbClient.userDao().selectByUuid(dbSession, projectCreatorUserUuid);
169 characteristics.stream()
170 .filter(PermissionTemplateCharacteristicDto::getWithProjectCreator)
171 .filter(up -> permissionValidForProject(project, up.getPermission()))
172 .filter(characteristic -> !permissionsForCurrentUserAlreadyInDb.contains(characteristic.getPermission()))
174 UserPermissionDto dto = new UserPermissionDto(uuidFactory.create(), c.getPermission(), userDto.getUuid(), project.uuid());
175 dbClient.userPermissionDao().insert(dbSession, dto, project, userDto, template);
180 private static boolean permissionValidForProject(ComponentDto project, String permission) {
181 return project.isPrivate() || !PUBLIC_PERMISSIONS.contains(permission);
184 private static boolean groupNameValidForProject(ComponentDto project, String groupName) {
185 return !project.isPrivate() || !isAnyone(groupName);
189 * Return the permission template for the given component. If no template key pattern match then consider default
190 * template for the component qualifier.
193 private PermissionTemplateDto findTemplate(DbSession dbSession, ComponentDto component) {
194 List<PermissionTemplateDto> allPermissionTemplates = dbClient.permissionTemplateDao().selectAll(dbSession, null);
195 List<PermissionTemplateDto> matchingTemplates = new ArrayList<>();
196 for (PermissionTemplateDto permissionTemplateDto : allPermissionTemplates) {
197 String keyPattern = permissionTemplateDto.getKeyPattern();
198 if (StringUtils.isNotBlank(keyPattern) && component.getDbKey().matches(keyPattern)) {
199 matchingTemplates.add(permissionTemplateDto);
202 checkAtMostOneMatchForComponentKey(component.getDbKey(), matchingTemplates);
203 if (matchingTemplates.size() == 1) {
204 return matchingTemplates.get(0);
207 String qualifier = component.qualifier();
208 ResolvedDefaultTemplates resolvedDefaultTemplates = defaultTemplatesResolver.resolve(dbSession);
210 case Qualifiers.PROJECT:
211 return dbClient.permissionTemplateDao().selectByUuid(dbSession, resolvedDefaultTemplates.getProject());
212 case Qualifiers.VIEW:
213 String portDefaultTemplateUuid = resolvedDefaultTemplates.getPortfolio().orElseThrow(
214 () -> new IllegalStateException("Failed to find default template for portfolios"));
215 return dbClient.permissionTemplateDao().selectByUuid(dbSession, portDefaultTemplateUuid);
217 String appDefaultTemplateUuid = resolvedDefaultTemplates.getApplication().orElseThrow(
218 () -> new IllegalStateException("Failed to find default template for applications"));
219 return dbClient.permissionTemplateDao().selectByUuid(dbSession, appDefaultTemplateUuid);
221 throw new IllegalArgumentException(format("Qualifier '%s' is not supported", qualifier));
225 private static void checkAtMostOneMatchForComponentKey(String componentKey, List<PermissionTemplateDto> matchingTemplates) {
226 if (matchingTemplates.size() > 1) {
227 StringBuilder templatesNames = new StringBuilder();
228 for (Iterator<PermissionTemplateDto> it = matchingTemplates.iterator(); it.hasNext(); ) {
229 templatesNames.append("\"").append(it.next().getName()).append("\"");
231 templatesNames.append(", ");
234 throw new TemplateMatchingKeyException(MessageFormat.format(
235 "The \"{0}\" key matches multiple permission templates: {1}."
236 + " A system administrator must update these templates so that only one of them matches the key.",
238 templatesNames.toString()));