import org.sonar.server.notification.email.AlertsEmailTemplate;
import org.sonar.server.notification.email.EmailNotificationChannel;
import org.sonar.server.organization.DefaultOrganizationProviderImpl;
+import org.sonar.server.permission.GroupPermissionChanger;
+import org.sonar.server.permission.PermissionService;
+import org.sonar.server.permission.PermissionUpdater;
+import org.sonar.server.permission.UserPermissionChanger;
import org.sonar.server.platform.DatabaseServerCompatibility;
import org.sonar.server.platform.DefaultServerUpgradeStatus;
import org.sonar.server.platform.ServerFileSystemImpl;
// permissions
PermissionRepository.class,
+ PermissionService.class,
+ PermissionUpdater.class,
+ UserPermissionChanger.class,
+ GroupPermissionChanger.class,
+
// components
ComponentFinder.class, // used in ComponentService
assertThat(picoContainer.getComponentAdapters())
.hasSize(
CONTAINER_ITSELF
- + 74 // level 4
+ + 78 // level 4
+ 4 // content of CeConfigurationModule
+ 3 // content of CeHttpModule
+ 5 // content of CeQueueModule
import org.sonar.db.DbSession;
import org.sonar.db.permission.GroupPermissionDto;
import org.sonar.server.exceptions.BadRequestException;
-import org.sonar.server.user.UserSession;
import static org.sonar.server.permission.ws.PermissionRequestValidator.validateNotAnyoneAndAdminPermission;
public class GroupPermissionChanger {
private final DbClient dbClient;
- private final UserSession userSession;
- public GroupPermissionChanger(DbClient dbClient, UserSession userSession) {
+ public GroupPermissionChanger(DbClient dbClient) {
this.dbClient = dbClient;
- this.userSession = userSession;
}
public boolean apply(DbSession dbSession, GroupPermissionChange change) {
- PermissionPrivilegeChecker.checkProjectAdminUserByComponentUuid(userSession, change.getProjectUuid());
-
if (shouldSkip(dbSession, change)) {
return false;
}
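Review bot: With the `checkProjectAdminUserByComponentUuid` call removed from `apply`, this class no longer checks the caller at all, yet unlike `PermissionUpdater` in the same commit it gets no Javadoc saying so. I would add a class comment such as `/** Adds or removes a permission for a group. Does not verify that the caller administers the project or organization; callers must run PermissionPrivilegeChecker.checkAdministrationPermission first. */`. The same comment is missing on `UserPermissionChanger`, whose `apply` loses its check in the same way. The body of `apply` continues outside the hunk.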
*/
package org.sonar.server.permission;
+import java.util.Optional;
import javax.annotation.Nullable;
import org.sonar.api.web.UserRole;
import org.sonar.core.permission.GlobalPermissions;
}
}
- public static void checkProjectAdminUserByComponentUuid(UserSession userSession, @Nullable String componentUuid) {
+ public static void checkAdministrationPermission(UserSession userSession, Optional<ProjectId> projectId) {
userSession.checkLoggedIn();
- if (componentUuid == null || !userSession.hasComponentUuidPermission(UserRole.ADMIN, componentUuid)) {
+ if (!projectId.isPresent() || !userSession.hasComponentUuidPermission(UserRole.ADMIN, projectId.get().getUuid())) {
userSession.checkPermission(GlobalPermissions.SYSTEM_ADMIN);
}
}
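Review bot: `checkAdministrationPermission` is now the one gate that every permission web service touched by this commit calls, but it has no Javadoc describing its fallback. Something like `/** Requires a logged-in user who administers the given project, or who is system administrator when no project is given or project administration is missing. */` would make the contract explicit for new callers. As a smaller style point, the `isPresent()`/`get()` pair can be folded into `projectId.filter(p -> userSession.hasComponentUuidPermission(UserRole.ADMIN, p.getUuid())).isPresent()`, which keeps the same branches without an unchecked `get()`.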
import org.sonar.db.DbSession;
import org.sonar.server.issue.index.IssueAuthorizationIndexer;
+/**
+ * Add or remove global/project permissions to a group. This class
+ * does not verify that caller has administration right on the related
+ * organization or project.
+ */
public class PermissionUpdater {
private final DbClient dbClient;
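Review bot: The new Javadoc says permissions are added or removed "to a group", but `AddUserAction` and `RemoveUserAction` in this commit also hold a `PermissionUpdater` and build a `UserPermissionChange`, so the class appears to serve users as well. I would word the first sentence as `Add or remove global/project permissions to a group or a user.` Since the comment states that no authorization is done here, it should also name the check callers are expected to run, e.g. `Callers must invoke PermissionPrivilegeChecker#checkAdministrationPermission beforehand.`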
import org.sonar.db.permission.UserPermissionDto;
import org.sonar.server.exceptions.BadRequestException;
import org.sonar.server.permission.PermissionChange.Operation;
-import org.sonar.server.user.UserSession;
-
-import static org.sonar.server.permission.PermissionPrivilegeChecker.checkProjectAdminUserByComponentUuid;
public class UserPermissionChanger {
private final DbClient dbClient;
- private final UserSession userSession;
- public UserPermissionChanger(DbClient dbClient, UserSession userSession) {
+ public UserPermissionChanger(DbClient dbClient) {
this.dbClient = dbClient;
- this.userSession = userSession;
}
public boolean apply(DbSession dbSession, UserPermissionChange change) {
- checkProjectAdminUserByComponentUuid(userSession, change.getProjectUuid());
-
if (shouldSkipChange(dbSession, change)) {
return false;
}
import org.sonar.server.permission.PermissionChange;
import org.sonar.server.permission.PermissionUpdater;
import org.sonar.server.permission.ProjectId;
+import org.sonar.server.user.UserSession;
import org.sonar.server.usergroups.ws.GroupIdOrAnyone;
import static java.util.Arrays.asList;
+import static org.sonar.server.permission.PermissionPrivilegeChecker.checkAdministrationPermission;
import static org.sonar.server.permission.ws.PermissionsWsParametersBuilder.createGroupIdParameter;
import static org.sonar.server.permission.ws.PermissionsWsParametersBuilder.createGroupNameParameter;
import static org.sonar.server.permission.ws.PermissionsWsParametersBuilder.createPermissionParameter;
public static final String ACTION = "add_group";
private final DbClient dbClient;
+ private final UserSession userSession;
private final PermissionUpdater permissionUpdater;
private final PermissionWsSupport support;
- public AddGroupAction(DbClient dbClient, PermissionUpdater permissionUpdater, PermissionWsSupport support) {
+ public AddGroupAction(DbClient dbClient, UserSession userSession, PermissionUpdater permissionUpdater, PermissionWsSupport support) {
this.dbClient = dbClient;
+ this.userSession = userSession;
this.permissionUpdater = permissionUpdater;
this.support = support;
}
GroupIdOrAnyone group = support.findGroup(dbSession, request);
Optional<ProjectId> projectId = support.findProject(dbSession, request);
+ checkAdministrationPermission(userSession, projectId);
+
PermissionChange change = new GroupPermissionChange(
PermissionChange.Operation.ADD,
request.mandatoryParam(PARAM_PERMISSION),
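Review bot: `checkAdministrationPermission` runs only after `support.findGroup` and `support.findProject`, so a caller who is not logged in or not an administrator still triggers both lookups. If those helpers raise a not-found error for unknown names (not visible in this hunk), the difference between that error and the authorization failure tells an unprivileged caller which groups and projects exist. The project lookup is needed for the check, but the group lookup is not: calling `userSession.checkLoggedIn();` as the first statement and moving `support.findGroup(dbSession, request)` below the check would close most of that gap. The same ordering appears in `AddUserAction` (`findUser` and `findOrganization` precede the check), `RemoveGroupAction` and `RemoveUserAction`. The enclosing `handle` method starts and ends outside the hunk.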
import org.sonar.server.permission.ProjectId;
import org.sonar.server.permission.UserId;
import org.sonar.server.permission.UserPermissionChange;
+import org.sonar.server.user.UserSession;
import static java.util.Arrays.asList;
+import static org.sonar.server.permission.PermissionPrivilegeChecker.checkAdministrationPermission;
import static org.sonar.server.permission.ws.PermissionsWsParametersBuilder.createOrganizationParameter;
import static org.sonar.server.permission.ws.PermissionsWsParametersBuilder.createPermissionParameter;
import static org.sonar.server.permission.ws.PermissionsWsParametersBuilder.createProjectParameters;
public static final String ACTION = "add_user";
private final DbClient dbClient;
+ private final UserSession userSession;
private final PermissionUpdater permissionUpdater;
private final PermissionWsSupport support;
- public AddUserAction(DbClient dbClient, PermissionUpdater permissionUpdater, PermissionWsSupport support) {
+ public AddUserAction(DbClient dbClient, UserSession userSession, PermissionUpdater permissionUpdater, PermissionWsSupport support) {
this.dbClient = dbClient;
+ this.userSession = userSession;
this.permissionUpdater = permissionUpdater;
this.support = support;
}
UserId user = support.findUser(dbSession, request.mandatoryParam(PARAM_USER_LOGIN));
Optional<ProjectId> projectId = support.findProject(dbSession, request);
OrganizationDto org = support.findOrganization(dbSession, request.param(PARAM_ORGANIZATION_KEY));
+
+ checkAdministrationPermission(userSession, projectId);
+
PermissionChange change = new UserPermissionChange(
PermissionChange.Operation.ADD,
org.getUuid(),
import static org.sonar.db.permission.PermissionQuery.DEFAULT_PAGE_SIZE;
import static org.sonar.db.permission.PermissionQuery.RESULTS_MAX_SIZE;
import static org.sonar.db.permission.PermissionQuery.SEARCH_QUERY_MIN_LENGTH;
-import static org.sonar.server.permission.PermissionPrivilegeChecker.checkProjectAdminUserByComponentUuid;
+import static org.sonar.server.permission.PermissionPrivilegeChecker.checkAdministrationPermission;
import static org.sonar.server.permission.ws.PermissionsWsParametersBuilder.createPermissionParameter;
import static org.sonar.server.permission.ws.PermissionsWsParametersBuilder.createProjectParameters;
import static org.sonar.server.ws.WsUtils.writeProtobuf;
public void handle(Request request, Response response) throws Exception {
try (DbSession dbSession = dbClient.openSession(false)) {
Optional<ProjectId> projectId = support.findProject(dbSession, request);
- checkProjectAdminUserByComponentUuid(userSession, projectId.isPresent() ? projectId.get().getUuid() : null);
+ checkAdministrationPermission(userSession, projectId);
PermissionQuery query = buildPermissionQuery(request, projectId);
// TODO validatePermission(groupsRequest.getPermission(), wsProjectRef);
package org.sonar.server.permission.ws;
import org.sonar.core.platform.Module;
-import org.sonar.db.permission.PermissionRepository;
-import org.sonar.server.permission.GroupPermissionChanger;
-import org.sonar.server.permission.PermissionService;
-import org.sonar.server.permission.PermissionUpdater;
-import org.sonar.server.permission.UserPermissionChanger;
import org.sonar.server.permission.ws.template.AddGroupToTemplateAction;
import org.sonar.server.permission.ws.template.AddProjectCreatorToTemplateAction;
import org.sonar.server.permission.ws.template.AddUserToTemplateAction;
TemplateGroupsAction.class,
BulkApplyTemplateAction.class,
// utility classes
- PermissionRepository.class,
- PermissionService.class,
- PermissionUpdater.class,
- UserPermissionChanger.class,
- GroupPermissionChanger.class,
SearchProjectPermissionsDataLoader.class,
SearchTemplatesDataLoader.class,
PermissionWsSupport.class,
import org.sonar.server.permission.PermissionChange;
import org.sonar.server.permission.PermissionUpdater;
import org.sonar.server.permission.ProjectId;
+import org.sonar.server.user.UserSession;
import org.sonar.server.usergroups.ws.GroupIdOrAnyone;
import static java.util.Arrays.asList;
+import static org.sonar.server.permission.PermissionPrivilegeChecker.checkAdministrationPermission;
import static org.sonar.server.permission.ws.PermissionsWsParametersBuilder.createGroupIdParameter;
import static org.sonar.server.permission.ws.PermissionsWsParametersBuilder.createGroupNameParameter;
import static org.sonar.server.permission.ws.PermissionsWsParametersBuilder.createPermissionParameter;
public static final String ACTION = "remove_group";
private final DbClient dbClient;
+ private final UserSession userSession;
private final PermissionUpdater permissionUpdater;
private final PermissionWsSupport support;
- public RemoveGroupAction(DbClient dbClient, PermissionUpdater permissionUpdater, PermissionWsSupport support) {
+ public RemoveGroupAction(DbClient dbClient, UserSession userSession, PermissionUpdater permissionUpdater, PermissionWsSupport support) {
this.dbClient = dbClient;
+ this.userSession = userSession;
this.permissionUpdater = permissionUpdater;
this.support = support;
}
GroupIdOrAnyone group = support.findGroup(dbSession, request);
Optional<ProjectId> projectId = support.findProject(dbSession, request);
+ checkAdministrationPermission(userSession, projectId);
+
PermissionChange change = new GroupPermissionChange(
PermissionChange.Operation.REMOVE,
request.mandatoryParam(PARAM_PERMISSION),
import org.sonar.server.permission.ProjectId;
import org.sonar.server.permission.UserId;
import org.sonar.server.permission.UserPermissionChange;
+import org.sonar.server.user.UserSession;
import static java.util.Arrays.asList;
+import static org.sonar.server.permission.PermissionPrivilegeChecker.checkAdministrationPermission;
import static org.sonar.server.permission.ws.PermissionsWsParametersBuilder.createOrganizationParameter;
import static org.sonar.server.permission.ws.PermissionsWsParametersBuilder.createPermissionParameter;
import static org.sonar.server.permission.ws.PermissionsWsParametersBuilder.createProjectParameters;
public static final String ACTION = "remove_user";
private final DbClient dbClient;
+ private final UserSession userSession;
private final PermissionUpdater permissionUpdater;
private final PermissionWsSupport support;
- public RemoveUserAction(DbClient dbClient, PermissionUpdater permissionUpdater, PermissionWsSupport support) {
+ public RemoveUserAction(DbClient dbClient, UserSession userSession, PermissionUpdater permissionUpdater, PermissionWsSupport support) {
this.dbClient = dbClient;
+ this.userSession = userSession;
this.permissionUpdater = permissionUpdater;
this.support = support;
}
Optional<ProjectId> projectId = support.findProject(dbSession, request);
OrganizationDto org = support.findOrganization(dbSession, request.param(PARAM_ORGANIZATION_KEY));
+ checkAdministrationPermission(userSession, projectId);
+
PermissionChange change = new UserPermissionChange(
PermissionChange.Operation.REMOVE,
org.getUuid(),
*/
package org.sonar.server.permission.ws;
-import com.google.common.base.Optional;
import java.util.Locale;
+import java.util.Optional;
import org.sonar.api.i18n.I18n;
import org.sonar.api.resources.ResourceTypes;
import org.sonar.api.server.ws.Request;
import org.sonar.api.utils.Paging;
import org.sonar.core.permission.ProjectPermissions;
import org.sonar.db.DbClient;
+import org.sonar.db.DbSession;
import org.sonar.db.component.ComponentDto;
+import org.sonar.server.permission.ProjectId;
import org.sonar.server.user.UserSession;
import org.sonarqube.ws.Common;
import org.sonarqube.ws.WsPermissions.Permission;
import org.sonarqube.ws.WsPermissions.SearchProjectPermissionsWsResponse.Project;
import org.sonarqube.ws.client.permission.SearchProjectPermissionsWsRequest;
-import static org.sonar.server.permission.PermissionPrivilegeChecker.checkGlobalAdminUser;
-import static org.sonar.server.permission.PermissionPrivilegeChecker.checkProjectAdminUserByComponentKey;
-import static org.sonar.server.permission.PermissionPrivilegeChecker.checkProjectAdminUserByComponentUuid;
+import static org.sonar.server.permission.PermissionPrivilegeChecker.checkAdministrationPermission;
import static org.sonar.server.permission.ws.PermissionRequestValidator.validateQualifier;
import static org.sonar.server.permission.ws.PermissionsWsParametersBuilder.createProjectParameters;
import static org.sonar.server.permission.ws.ProjectWsRef.newOptionalWsProjectRef;
private final I18n i18n;
private final ResourceTypes resourceTypes;
private final SearchProjectPermissionsDataLoader dataLoader;
+ private final PermissionWsSupport wsSupport;
- public SearchProjectPermissionsAction(DbClient dbClient, UserSession userSession, I18n i18n, ResourceTypes resourceTypes, SearchProjectPermissionsDataLoader dataLoader) {
+ public SearchProjectPermissionsAction(DbClient dbClient, UserSession userSession, I18n i18n, ResourceTypes resourceTypes,
+ SearchProjectPermissionsDataLoader dataLoader, PermissionWsSupport wsSupport) {
this.dbClient = dbClient;
this.userSession = userSession;
this.i18n = i18n;
this.resourceTypes = resourceTypes;
this.dataLoader = dataLoader;
+ this.wsSupport = wsSupport;
}
@Override
}
private SearchProjectPermissionsWsResponse doHandle(SearchProjectPermissionsWsRequest request) {
- checkRequestAndPermissions(request);
- validateQualifier(request.getQualifier(), resourceTypes);
- SearchProjectPermissionsData data = dataLoader.load(request);
- return buildResponse(data);
+ try (DbSession dbSession = dbClient.openSession(false)) {
+ checkAuthorized(dbSession, request);
+ validateQualifier(request.getQualifier(), resourceTypes);
+ SearchProjectPermissionsData data = dataLoader.load(dbSession, request);
+ return buildResponse(data);
+ }
}
private static SearchProjectPermissionsWsRequest toSearchProjectPermissionsWsRequest(Request request) {
.setQuery(request.param(Param.TEXT_QUERY));
}
- private void checkRequestAndPermissions(SearchProjectPermissionsWsRequest request) {
- Optional<ProjectWsRef> project = newOptionalWsProjectRef(request.getProjectId(), request.getProjectKey());
- boolean hasProject = project.isPresent();
- boolean hasProjectUuid = hasProject && project.get().uuid() != null;
- boolean hasProjectKey = hasProject && project.get().key() != null;
-
- if (hasProjectUuid) {
- checkProjectAdminUserByComponentUuid(userSession, project.get().uuid());
- } else if (hasProjectKey) {
- checkProjectAdminUserByComponentKey(userSession, project.get().key());
+ private void checkAuthorized(DbSession dbSession, SearchProjectPermissionsWsRequest request) {
+ com.google.common.base.Optional<ProjectWsRef> projectRef = newOptionalWsProjectRef(request.getProjectId(), request.getProjectKey());
+ Optional<ProjectId> projectId;
+ if (projectRef.isPresent()) {
+ projectId = Optional.of(wsSupport.findProject(dbSession, projectRef.get()));
} else {
- checkGlobalAdminUser(userSession);
+ projectId = Optional.empty();
}
+ checkAdministrationPermission(userSession, projectId);
}
private SearchProjectPermissionsWsResponse buildResponse(SearchProjectPermissionsData data) {
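Review bot: `checkAuthorized` mixes two `Optional` types, spelling out `com.google.common.base.Optional` for the project reference and using `java.util.Optional` for the id, which is easy to misread in an authorization path. The if/else can be a single expression, `Optional<ProjectId> projectId = projectRef.isPresent() ? Optional.of(wsSupport.findProject(dbSession, projectRef.get())) : Optional.empty();`. A one-line comment such as `// newOptionalWsProjectRef still returns a Guava Optional` would explain the fully qualified name until that helper is migrated.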
import static java.util.Collections.singletonList;
import static org.sonar.api.utils.Paging.forPageIndex;
import static org.sonar.server.component.ResourceTypeFunctions.RESOURCE_TYPE_TO_QUALIFIER;
-import static org.sonar.server.permission.ws.SearchProjectPermissionsData.newBuilder;
import static org.sonar.server.permission.ws.ProjectWsRef.newOptionalWsProjectRef;
+import static org.sonar.server.permission.ws.SearchProjectPermissionsData.newBuilder;
public class SearchProjectPermissionsDataLoader {
private final DbClient dbClient;
this.rootQualifiers = Collections2.transform(resourceTypes.getRoots(), RESOURCE_TYPE_TO_QUALIFIER).toArray(new String[resourceTypes.getRoots().size()]);
}
- SearchProjectPermissionsData load(SearchProjectPermissionsWsRequest request) {
- try (DbSession dbSession = dbClient.openSession(false)) {
- SearchProjectPermissionsData.Builder data = newBuilder();
- int countRootComponents = countRootComponents(dbSession, request);
- List<ComponentDto> rootComponents = searchRootComponents(dbSession, request, paging(request, countRootComponents));
- List<Long> rootComponentIds = Lists.transform(rootComponents, ComponentDto::getId);
+ SearchProjectPermissionsData load(DbSession dbSession, SearchProjectPermissionsWsRequest request) {
+ SearchProjectPermissionsData.Builder data = newBuilder();
+ int countRootComponents = countRootComponents(dbSession, request);
+ List<ComponentDto> rootComponents = searchRootComponents(dbSession, request, paging(request, countRootComponents));
+ List<Long> rootComponentIds = Lists.transform(rootComponents, ComponentDto::getId);
- data.rootComponents(rootComponents)
- .paging(paging(request, countRootComponents))
- .userCountByProjectIdAndPermission(userCountByRootComponentIdAndPermission(dbSession, rootComponentIds))
- .groupCountByProjectIdAndPermission(groupCountByRootComponentIdAndPermission(dbSession, rootComponentIds));
+ data.rootComponents(rootComponents)
+ .paging(paging(request, countRootComponents))
+ .userCountByProjectIdAndPermission(userCountByRootComponentIdAndPermission(dbSession, rootComponentIds))
+ .groupCountByProjectIdAndPermission(groupCountByRootComponentIdAndPermission(dbSession, rootComponentIds));
- return data.build();
- }
+ return data.build();
}
private static Paging paging(SearchProjectPermissionsWsRequest request, int total) {
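Review bot: `load` now borrows the caller's `DbSession` instead of opening its own, but nothing on the method says who closes it. A short Javadoc such as `/** Loads the page of root components and their permission counts. The caller owns and closes dbSession. */` would record that. While the body is being re-indented, `paging(request, countRootComponents)` is still evaluated twice; a local `Paging paging = paging(request, countRootComponents);` reused in both places would read more cleanly.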
import static org.sonar.db.permission.PermissionQuery.DEFAULT_PAGE_SIZE;
import static org.sonar.db.permission.PermissionQuery.RESULTS_MAX_SIZE;
import static org.sonar.db.permission.PermissionQuery.SEARCH_QUERY_MIN_LENGTH;
-import static org.sonar.server.permission.PermissionPrivilegeChecker.checkProjectAdminUserByComponentUuid;
+import static org.sonar.server.permission.PermissionPrivilegeChecker.checkAdministrationPermission;
import static org.sonar.server.permission.ws.PermissionRequestValidator.validateGlobalPermission;
import static org.sonar.server.permission.ws.PermissionRequestValidator.validateProjectPermission;
import static org.sonar.server.permission.ws.PermissionsWsParametersBuilder.createPermissionParameter;
public void handle(Request request, Response response) throws Exception {
try (DbSession dbSession = dbClient.openSession(false)) {
Optional<ProjectId> projectId = support.findProject(dbSession, request);
- checkProjectAdminUserByComponentUuid(userSession, projectId.isPresent() ? projectId.get().getUuid() : null);
+ checkAdministrationPermission(userSession, projectId);
PermissionQuery query = buildPermissionQuery(request, projectId);
List<UserDto> users = findUsers(dbSession, query);
import org.sonar.ce.settings.ProjectSettingsFactory;
import org.sonar.core.component.DefaultResourceTypes;
import org.sonar.core.timemachine.Periods;
+import org.sonar.db.permission.PermissionRepository;
import org.sonar.server.authentication.AuthenticationModule;
import org.sonar.server.batch.BatchWsModule;
import org.sonar.server.ce.ws.CeWsModule;
import org.sonar.server.notification.email.AlertsEmailTemplate;
import org.sonar.server.notification.email.EmailNotificationChannel;
import org.sonar.server.organization.ws.OrganizationsWsModule;
+import org.sonar.server.permission.GroupPermissionChanger;
+import org.sonar.server.permission.PermissionService;
+import org.sonar.server.permission.PermissionUpdater;
+import org.sonar.server.permission.UserPermissionChanger;
import org.sonar.server.permission.ws.PermissionsWsModule;
import org.sonar.server.platform.BackendCleanup;
import org.sonar.server.platform.PersistentSettings;
// permissions
PermissionsWsModule.class,
+ PermissionRepository.class,
+ PermissionService.class,
+ PermissionUpdater.class,
+ UserPermissionChanger.class,
+ GroupPermissionChanger.class,
// components
ProjectsWsModule.class,
import org.sonar.db.organization.OrganizationTesting;
import org.sonar.db.user.GroupDto;
import org.sonar.server.exceptions.BadRequestException;
-import org.sonar.server.exceptions.ForbiddenException;
-import org.sonar.server.tester.UserSessionRule;
import org.sonar.server.usergroups.ws.GroupIdOrAnyone;
import static org.assertj.core.api.Assertions.assertThat;
-import static org.sonar.core.permission.GlobalPermissions.SYSTEM_ADMIN;
public class GroupPermissionChangerTest {
@Rule
public ExpectedException expectedException = ExpectedException.none();
- private UserSessionRule userSession = UserSessionRule.standalone();
- private GroupPermissionChanger underTest = new GroupPermissionChanger(db.getDbClient(), userSession);
+ private GroupPermissionChanger underTest = new GroupPermissionChanger(db.getDbClient());
private OrganizationDto org;
private GroupDto group;
private ComponentDto project;
public void add_permission_to_group() {
GroupIdOrAnyone groupId = new GroupIdOrAnyone(group);
- loginAsAdmin();
apply(new GroupPermissionChange(PermissionChange.Operation.ADD, GlobalPermissions.QUALITY_GATE_ADMIN, null, groupId));
assertThat(db.users().selectGroupPermissions(group, null)).containsOnly(GlobalPermissions.QUALITY_GATE_ADMIN);
public void add_project_permission_to_group() {
GroupIdOrAnyone groupId = new GroupIdOrAnyone(group);
- loginAsAdmin();
apply(new GroupPermissionChange(PermissionChange.Operation.ADD, UserRole.ISSUE_ADMIN, new ProjectId(project), groupId));
assertThat(db.users().selectGroupPermissions(group, null)).isEmpty();
public void add_permission_to_anyone() {
GroupIdOrAnyone groupId = new GroupIdOrAnyone(db.getDefaultOrganization().getUuid(), null);
- loginAsAdmin();
apply(new GroupPermissionChange(PermissionChange.Operation.ADD, GlobalPermissions.QUALITY_GATE_ADMIN, null, groupId));
assertThat(db.users().selectGroupPermissions(group, null)).isEmpty();
public void add_project_permission_to_anyone() {
GroupIdOrAnyone groupId = new GroupIdOrAnyone(db.getDefaultOrganization().getUuid(), null);
- loginAsAdmin();
apply(new GroupPermissionChange(PermissionChange.Operation.ADD, UserRole.ISSUE_ADMIN, new ProjectId(project), groupId));
assertThat(db.users().selectAnyonePermissions(null)).isEmpty();
assertThat(db.users().selectAnyonePermissions(project)).containsOnly(UserRole.ISSUE_ADMIN);
}
- @Test
- public void fail_to_add_permission_if_not_admin() {
- GroupIdOrAnyone groupId = new GroupIdOrAnyone(db.getDefaultOrganization().getUuid(), null);
-
- expectedException.expect(ForbiddenException.class);
-
- userSession.login("a_guy");
- underTest.apply(db.getSession(), new GroupPermissionChange(PermissionChange.Operation.ADD, UserRole.ISSUE_ADMIN, new ProjectId(project), groupId));
- }
-
@Test
public void do_nothing_when_adding_permission_that_already_exists() {
GroupIdOrAnyone groupId = new GroupIdOrAnyone(group);
db.users().insertPermissionOnGroup(group, GlobalPermissions.QUALITY_GATE_ADMIN);
- loginAsAdmin();
apply(new GroupPermissionChange(PermissionChange.Operation.ADD, GlobalPermissions.QUALITY_GATE_ADMIN, null, groupId));
assertThat(db.users().selectGroupPermissions(group, null)).containsOnly(GlobalPermissions.QUALITY_GATE_ADMIN);
expectedException.expect(BadRequestException.class);
expectedException.expectMessage("Invalid project permission 'gateadmin'. Valid values are [admin, codeviewer, issueadmin, scan, user]");
- loginAsAdmin();
apply(new GroupPermissionChange(PermissionChange.Operation.ADD, GlobalPermissions.QUALITY_GATE_ADMIN, new ProjectId(project), groupId));
}
expectedException.expect(BadRequestException.class);
expectedException.expectMessage("Invalid global permission 'issueadmin'. Valid values are [admin, profileadmin, gateadmin, scan, provisioning]");
- loginAsAdmin();
apply(new GroupPermissionChange(PermissionChange.Operation.ADD, UserRole.ISSUE_ADMIN, null, groupId));
}
db.users().insertPermissionOnGroup(group, GlobalPermissions.QUALITY_GATE_ADMIN);
db.users().insertPermissionOnGroup(group, GlobalPermissions.PROVISIONING);
- loginAsAdmin();
apply(new GroupPermissionChange(PermissionChange.Operation.REMOVE, GlobalPermissions.QUALITY_GATE_ADMIN, null, groupId));
assertThat(db.users().selectGroupPermissions(group, null)).containsOnly(GlobalPermissions.PROVISIONING);
db.users().insertProjectPermissionOnGroup(group, UserRole.ISSUE_ADMIN, project);
db.users().insertProjectPermissionOnGroup(group, UserRole.CODEVIEWER, project);
- loginAsAdmin();
apply(new GroupPermissionChange(PermissionChange.Operation.REMOVE, UserRole.ISSUE_ADMIN, new ProjectId(project), groupId));
assertThat(db.users().selectGroupPermissions(group, null)).containsOnly(GlobalPermissions.QUALITY_GATE_ADMIN);
public void do_not_fail_if_removing_a_permission_that_does_not_exist() {
GroupIdOrAnyone groupId = new GroupIdOrAnyone(group);
- loginAsAdmin();
apply(new GroupPermissionChange(PermissionChange.Operation.REMOVE, UserRole.ISSUE_ADMIN, new ProjectId(project), groupId));
assertThat(db.users().selectGroupPermissions(group, null)).isEmpty();
assertThat(db.users().selectGroupPermissions(group, project)).isEmpty();
}
- @Test
- public void fail_to_remove_permission_if_not_admin() {
- GroupIdOrAnyone groupId = new GroupIdOrAnyone(db.getDefaultOrganization().getUuid(), null);
-
- expectedException.expect(ForbiddenException.class);
-
- userSession.login("a_guy");
- underTest.apply(db.getSession(), new GroupPermissionChange(PermissionChange.Operation.REMOVE, UserRole.ISSUE_ADMIN, new ProjectId(project), groupId));
- }
-
@Test
public void fail_to_remove_sysadmin_permission_if_no_more_sysadmins() {
GroupIdOrAnyone groupId = new GroupIdOrAnyone(group);
expectedException.expect(BadRequestException.class);
expectedException.expectMessage("Last group with 'admin' permission. Permission cannot be removed.");
- loginAsAdmin();
underTest.apply(db.getSession(), new GroupPermissionChange(PermissionChange.Operation.REMOVE, GlobalPermissions.SYSTEM_ADMIN, null, groupId));
}
underTest.apply(db.getSession(), change);
db.commit();
}
-
- private void loginAsAdmin() {
- userSession.login("admin").setGlobalPermissions(SYSTEM_ADMIN);
- }
}
import org.sonar.server.ws.WsTester;
import static org.assertj.core.api.Assertions.assertThat;
+import static org.sonar.api.web.UserRole.ISSUE_ADMIN;
+import static org.sonar.core.permission.GlobalPermissions.PROVISIONING;
import static org.sonar.core.permission.GlobalPermissions.SYSTEM_ADMIN;
import static org.sonar.db.component.ComponentTesting.newProjectDto;
import static org.sonar.db.component.ComponentTesting.newView;
@Override
protected AddGroupAction buildWsAction() {
- return new AddGroupAction(db.getDbClient(), newPermissionUpdater(), newPermissionWsSupport());
+ return new AddGroupAction(db.getDbClient(), userSession, newPermissionUpdater(), newPermissionWsSupport());
}
@Test
.execute();
}
- @Test(expected = ForbiddenException.class)
- public void require_admin_permission() throws Exception {
+ @Test
+ public void adding_global_permission_fails_if_not_administrator_of_organization() throws Exception {
GroupDto group = db.users().insertGroup(defaultOrganizationProvider.getDto(), "sonar-administrators");
- ComponentDto project = db.components().insertComponent(newProjectDto(A_PROJECT_UUID).setKey(A_PROJECT_KEY));
- userSession.login("not-admin");
+ userSession.login();
+
+ expectedException.expect(ForbiddenException.class);
+
+ newRequest()
+ .setParam(PARAM_GROUP_NAME, group.getName())
+ .setParam(PARAM_PERMISSION, PROVISIONING)
+ .execute();
+ }
+
+ @Test
+ public void adding_project_permission_fails_if_not_administrator_of_project() throws Exception {
+ GroupDto group = db.users().insertGroup(defaultOrganizationProvider.getDto(), "sonar-administrators");
+ ComponentDto project = db.components().insertProject();
+ userSession.login();
+
+ expectedException.expect(ForbiddenException.class);
+
+ newRequest()
+ .setParam(PARAM_GROUP_NAME, group.getName())
+ .setParam(PARAM_PERMISSION, PROVISIONING)
+ .setParam(PARAM_PROJECT_KEY, project.key())
+ .execute();
+ }
+
+ /**
+ * User is project administrator but not system administrator
+ */
+ @Test
+ public void adding_project_permission_is_allowed_to_project_administrators() throws Exception {
+ GroupDto group = db.users().insertGroup(defaultOrganizationProvider.getDto(), "sonar-administrators");
+ ComponentDto project = db.components().insertProject();
+ userSession.login().addProjectUuidPermissions(UserRole.ADMIN, project.uuid());
newRequest()
.setParam(PARAM_GROUP_NAME, group.getName())
- .setParam(PARAM_PERMISSION, SYSTEM_ADMIN)
.setParam(PARAM_PROJECT_ID, project.uuid())
+ .setParam(PARAM_PERMISSION, ISSUE_ADMIN)
.execute();
+
+ assertThat(db.users().selectGroupPermissions(group, project)).containsOnly(ISSUE_ADMIN);
}
private WsTester.TestRequest newRequest() {
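Review bot: `adding_project_permission_fails_if_not_administrator_of_project` sends `PROVISIONING`, which according to the error message asserted elsewhere in this commit is not among the valid project permissions (`admin, codeviewer, issueadmin, scan, user`). The test therefore passes only because authorization happens before permission validation; using `.setParam(PARAM_PERMISSION, ISSUE_ADMIN)`, which this file already imports statically, would make the request fail for the authorization reason alone. Neither negative test asserts that no permission row was written. The negative tests visible here cover only `add_group` and `add_user`, so if `remove_group` and `remove_user` have no equivalent elsewhere in the commit, the check added to them is untested.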
}
private void loginAsAdmin() {
- userSession.login("admin").setGlobalPermissions(SYSTEM_ADMIN);
+ userSession.login().setGlobalPermissions(SYSTEM_ADMIN);
}
}
import org.sonar.db.component.ComponentDto;
import org.sonar.db.user.UserDto;
import org.sonar.server.exceptions.BadRequestException;
+import org.sonar.server.exceptions.ForbiddenException;
import org.sonar.server.exceptions.NotFoundException;
import org.sonar.server.exceptions.ServerException;
import static org.assertj.core.api.Assertions.assertThat;
+import static org.sonar.api.web.UserRole.ISSUE_ADMIN;
import static org.sonar.core.permission.GlobalPermissions.SYSTEM_ADMIN;
import static org.sonar.db.component.ComponentTesting.newFileDto;
import static org.sonar.db.component.ComponentTesting.newProjectDto;
public class AddUserActionTest extends BasePermissionWsTest<AddUserAction> {
- private static final String A_PROJECT_UUID = "project-uuid";
- private static final String A_PROJECT_KEY = "project-key";
-
private UserDto user;
@Before
@Override
protected AddUserAction buildWsAction() {
- return new AddUserAction(db.getDbClient(), newPermissionUpdater(), newPermissionWsSupport());
+ return new AddUserAction(db.getDbClient(), userSession, newPermissionUpdater(), newPermissionWsSupport());
}
@Test
@Test
public void add_permission_to_project_referenced_by_its_id() throws Exception {
- ComponentDto project = db.components().insertComponent(newProjectDto("project-uuid").setKey("project-key"));
+ ComponentDto project = db.components().insertProject();
loginAsAdmin();
wsTester.newPostRequest(CONTROLLER, ACTION)
@Test
public void add_permission_to_project_referenced_by_its_key() throws Exception {
- ComponentDto project = db.components().insertComponent(newProjectDto("project-uuid").setKey("project-key"));
+ ComponentDto project = db.components().insertProject();
loginAsAdmin();
wsTester.newPostRequest(CONTROLLER, ACTION)
@Test
public void fail_when_project_uuid_and_project_key_are_provided() throws Exception {
- db.components().insertComponent(newProjectDto(A_PROJECT_UUID).setKey(A_PROJECT_KEY));
+ db.components().insertProject();
loginAsAdmin();
expectedException.expect(BadRequestException.class);
.execute();
}
+ @Test
+ public void adding_global_permission_fails_if_not_administrator_of_organization() throws Exception {
+ userSession.login();
+
+ expectedException.expect(ForbiddenException.class);
+
+ wsTester.newPostRequest(CONTROLLER, ACTION)
+ .setParam(PARAM_USER_LOGIN, user.getLogin())
+ .setParam(PARAM_PERMISSION, SYSTEM_ADMIN)
+ .execute();
+ }
+
+ @Test
+ public void adding_project_permission_fails_if_not_administrator_of_project() throws Exception {
+ ComponentDto project = db.components().insertProject();
+ userSession.login();
+
+ expectedException.expect(ForbiddenException.class);
+
+ wsTester.newPostRequest(CONTROLLER, ACTION)
+ .setParam(PARAM_USER_LOGIN, user.getLogin())
+ .setParam(PARAM_PERMISSION, SYSTEM_ADMIN)
+ .setParam(PARAM_PROJECT_KEY, project.getKey())
+ .execute();
+ }
+
+ /**
+ * User is project administrator but not system administrator
+ */
+ @Test
+ public void adding_project_permission_is_allowed_to_project_administrators() throws Exception {
+ ComponentDto project = db.components().insertProject();
+
+ userSession.login().addProjectUuidPermissions(UserRole.ADMIN, project.uuid());
+
+ wsTester.newPostRequest(CONTROLLER, ACTION)
+ .setParam(PARAM_USER_LOGIN, user.getLogin())
+ .setParam(PARAM_PROJECT_KEY, project.getKey())
+ .setParam(PARAM_PERMISSION, UserRole.ISSUE_ADMIN)
+ .execute();
+
+ assertThat(db.users().selectUserPermissions(user, project)).containsOnly(ISSUE_ADMIN);
+ }
+
private void loginAsAdmin() {
- userSession.login("admin").setGlobalPermissions(SYSTEM_ADMIN);
+ userSession.login().setGlobalPermissions(SYSTEM_ADMIN);
}
}
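Review bot: The new negative tests `adding_global_permission_fails_if_not_administrator_of_organization` and `adding_project_permission_fails_if_not_administrator_of_project` only log in a user who holds no permission at all, so nothing verifies that the project-administrator check is scoped to the project named in the request. A check that accepted an administrator of any project, or let a project administrator grant a global permission, would still pass them. The same gap is present in the new negative tests of RemoveGroupActionTest and RemoveUserActionTest. I would add a cross-project case like the one below, which assumes `insertProject()` returns a distinct project on each call. Separately, the project-scoped negative test sends `SYSTEM_ADMIN` together with `PARAM_PROJECT_KEY`; `UserRole.ISSUE_ADMIN` would state the intent more clearly.

```java
@Test
public void adding_project_permission_fails_if_administrator_of_another_project() throws Exception {
  ComponentDto project = db.components().insertProject();
  ComponentDto otherProject = db.components().insertProject();
  // Caller administers otherProject only; the request targets project.
  userSession.login().addProjectUuidPermissions(UserRole.ADMIN, otherProject.uuid());

  expectedException.expect(ForbiddenException.class);

  wsTester.newPostRequest(CONTROLLER, ACTION)
    .setParam(PARAM_USER_LOGIN, user.getLogin())
    .setParam(PARAM_PROJECT_KEY, project.getKey())
    .setParam(PARAM_PERMISSION, UserRole.ISSUE_ADMIN)
    .execute();
}
```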
protected PermissionUpdater newPermissionUpdater() {
return new PermissionUpdater(db.getDbClient(),
mock(IssueAuthorizationIndexer.class),
- new UserPermissionChanger(db.getDbClient(), userSession),
- new GroupPermissionChanger(db.getDbClient(), userSession));
+ new UserPermissionChanger(db.getDbClient()),
+ new GroupPermissionChanger(db.getDbClient()));
}
protected PermissionTemplateDto insertTemplate() {
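Review bot: `newPermissionUpdater()` now builds both changers without `userSession`, and nothing in the helper records what that implies. The GroupPermissionChanger change earlier in this commit removes the project-administrator check from `apply`, so the updater built here presumably performs no privilege check at all. Each action test therefore has to prove the action itself rejects unauthorized callers. A short comment above the method would make that contract visible to whoever adds the next action test, for example `// The changers perform no privilege check: the WS action under test must reject unauthorized callers.`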
public void verify_count_of_added_components() {
ComponentContainer container = new ComponentContainer();
new PermissionsWsModule().configure(container);
- assertThat(container.size()).isEqualTo(2 + 33);
+ assertThat(container.size()).isEqualTo(2 + 28);
}
}
import org.junit.Before;
import org.junit.Test;
+import org.sonar.api.web.UserRole;
import org.sonar.db.component.ComponentDto;
import org.sonar.db.user.GroupDto;
import org.sonar.server.exceptions.BadRequestException;
+import org.sonar.server.exceptions.ForbiddenException;
import org.sonar.server.exceptions.NotFoundException;
import org.sonar.server.exceptions.ServerException;
import org.sonar.server.ws.WsTester;
import static org.assertj.core.api.Assertions.assertThat;
import static org.sonar.api.web.UserRole.ADMIN;
+import static org.sonar.api.web.UserRole.CODEVIEWER;
import static org.sonar.api.web.UserRole.ISSUE_ADMIN;
import static org.sonar.core.permission.GlobalPermissions.PROVISIONING;
import static org.sonar.core.permission.GlobalPermissions.SYSTEM_ADMIN;
public class RemoveGroupActionTest extends BasePermissionWsTest<RemoveGroupAction> {
- private static final String A_PROJECT_UUID = "project-uuid";
- private static final String A_PROJECT_KEY = "project-key";
-
private GroupDto aGroup;
@Before
@Override
protected RemoveGroupAction buildWsAction() {
- return new RemoveGroupAction(db.getDbClient(), newPermissionUpdater(), newPermissionWsSupport());
+ return new RemoveGroupAction(db.getDbClient(), userSession, newPermissionUpdater(), newPermissionWsSupport());
}
@Test
public void remove_permission_using_group_name() throws Exception {
db.users().insertPermissionOnGroup(aGroup, SYSTEM_ADMIN);
db.users().insertPermissionOnGroup(aGroup, PROVISIONING);
-
loginAsAdmin();
+
newRequest()
.setParam(PARAM_GROUP_NAME, aGroup.getName())
.setParam(PARAM_PERMISSION, PROVISIONING)
public void remove_permission_using_group_id() throws Exception {
db.users().insertPermissionOnGroup(aGroup, SYSTEM_ADMIN);
db.users().insertPermissionOnGroup(aGroup, PROVISIONING);
-
loginAsAdmin();
+
newRequest()
.setParam(PARAM_GROUP_ID, aGroup.getId().toString())
.setParam(PARAM_PERMISSION, PROVISIONING)
@Test
public void remove_project_permission() throws Exception {
- ComponentDto project = db.components().insertComponent(newProjectDto(A_PROJECT_UUID).setKey(A_PROJECT_KEY));
+ ComponentDto project = db.components().insertProject();
db.users().insertPermissionOnGroup(aGroup, SYSTEM_ADMIN);
db.users().insertProjectPermissionOnGroup(aGroup, ADMIN, project);
db.users().insertProjectPermissionOnGroup(aGroup, ISSUE_ADMIN, project);
@Test
public void remove_with_project_key() throws Exception {
- ComponentDto project = db.components().insertComponent(newProjectDto(A_PROJECT_UUID).setKey(A_PROJECT_KEY));
+ ComponentDto project = db.components().insertProject();
db.users().insertPermissionOnGroup(aGroup, SYSTEM_ADMIN);
db.users().insertProjectPermissionOnGroup(aGroup, ADMIN, project);
db.users().insertProjectPermissionOnGroup(aGroup, ISSUE_ADMIN, project);
@Test
public void fail_when_project_does_not_exist() throws Exception {
+ loginAsAdmin();
+
expectedException.expect(NotFoundException.class);
expectedException.expectMessage("Project id 'unknown-project-uuid' not found");
@Test
public void fail_when_project_project_permission_without_project() throws Exception {
+ loginAsAdmin();
+
expectedException.expect(BadRequestException.class);
expectedException.expectMessage("Invalid global permission 'issueadmin'. Valid values are [admin, profileadmin, gateadmin, scan, provisioning]");
@Test
public void fail_when_component_is_not_a_project() throws Exception {
- ComponentDto file = db.components().insertComponent(newFileDto(newProjectDto(A_PROJECT_UUID), null, "file-uuid"));
+ ComponentDto file = db.components().insertComponent(newFileDto(newProjectDto(), null, "file-uuid"));
+ loginAsAdmin();
expectedException.expect(BadRequestException.class);
expectedException.expectMessage("Component 'KEY_file-uuid' (id: file-uuid) must be a project or a module.");
@Test
public void fail_when_get_request() throws Exception {
+ loginAsAdmin();
+
expectedException.expect(ServerException.class);
expectedException.expectMessage("HTTP method POST is required");
@Test
public void fail_when_group_name_is_missing() throws Exception {
+ loginAsAdmin();
+
expectedException.expect(BadRequestException.class);
expectedException.expectMessage("Group name or group id must be provided");
@Test
public void fail_when_permission_name_and_id_are_missing() throws Exception {
+ loginAsAdmin();
+
expectedException.expect(IllegalArgumentException.class);
expectedException.expectMessage("The 'permission' parameter is missing");
@Test
public void fail_when_group_id_does_not_exist() throws Exception {
+ loginAsAdmin();
+
expectedException.expect(NotFoundException.class);
expectedException.expectMessage("No group with id '42'");
@Test
public void fail_when_project_uuid_and_project_key_are_provided() throws Exception {
- ComponentDto project = db.components().insertComponent(newProjectDto(A_PROJECT_UUID).setKey(A_PROJECT_KEY));
+ ComponentDto project = db.components().insertProject();
+ loginAsAdmin();
expectedException.expect(BadRequestException.class);
expectedException.expectMessage("Project id or project key can be provided, not both.");
.execute();
}
+ @Test
+ public void removing_global_permission_fails_if_not_administrator_of_organization() throws Exception {
+ userSession.login();
+
+ expectedException.expect(ForbiddenException.class);
+
+ newRequest()
+ .setParam(PARAM_GROUP_NAME, aGroup.getName())
+ .setParam(PARAM_PERMISSION, PROVISIONING)
+ .execute();
+ }
+
+ @Test
+ public void removing_project_permission_fails_if_not_administrator_of_project() throws Exception {
+ ComponentDto project = db.components().insertProject();
+ userSession.login();
+
+ expectedException.expect(ForbiddenException.class);
+
+ newRequest()
+ .setParam(PARAM_GROUP_NAME, aGroup.getName())
+ .setParam(PARAM_PERMISSION, PROVISIONING)
+ .setParam(PARAM_PROJECT_KEY, project.key())
+ .execute();
+ }
+
+ /**
+ * User is project administrator but not system administrator
+ */
+ @Test
+ public void removing_project_permission_is_allowed_to_project_administrators() throws Exception {
+ ComponentDto project = db.components().insertProject();
+ db.users().insertProjectPermissionOnGroup(aGroup, CODEVIEWER, project);
+ db.users().insertProjectPermissionOnGroup(aGroup, ISSUE_ADMIN, project);
+
+ userSession.login().addProjectUuidPermissions(UserRole.ADMIN, project.uuid());
+ newRequest()
+ .setParam(PARAM_GROUP_NAME, aGroup.getName())
+ .setParam(PARAM_PROJECT_ID, project.uuid())
+ .setParam(PARAM_PERMISSION, ISSUE_ADMIN)
+ .execute();
+
+ assertThat(db.users().selectGroupPermissions(aGroup, project)).containsOnly(CODEVIEWER);
+ }
+
private WsTester.TestRequest newRequest() {
return wsTester.newPostRequest(CONTROLLER, ACTION);
}
private void loginAsAdmin() {
- userSession.login("admin").setGlobalPermissions(SYSTEM_ADMIN);
+ userSession.login().setGlobalPermissions(SYSTEM_ADMIN);
}
}
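Review bot: In `removing_project_permission_fails_if_not_administrator_of_project` the request combines `PROVISIONING` with `PARAM_PROJECT_KEY`. The message asserted in `fail_when_project_project_permission_without_project` lists provisioning among the global permissions, so this request is probably invalid for a project even when an administrator sends it (the validation code is outside this diff). As written, the test mainly shows that the privilege check runs before parameter validation. It does not show that an otherwise valid removal is refused. I would send `.setParam(PARAM_PERMISSION, ISSUE_ADMIN)`, as the RemoveUserActionTest counterpart does, and first call `db.users().insertProjectPermissionOnGroup(aGroup, ISSUE_ADMIN, project);` so the forbidden request targets a permission that actually exists.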
import org.junit.Before;
import org.junit.Test;
+import org.sonar.api.web.UserRole;
import org.sonar.db.component.ComponentDto;
import org.sonar.db.user.UserDto;
import org.sonar.server.exceptions.BadRequestException;
+import org.sonar.server.exceptions.ForbiddenException;
import org.sonar.server.exceptions.NotFoundException;
import org.sonar.server.exceptions.ServerException;
@Override
protected RemoveUserAction buildWsAction() {
- return new RemoveUserAction(db.getDbClient(), newPermissionUpdater(), newPermissionWsSupport());
+ return new RemoveUserAction(db.getDbClient(), userSession, newPermissionUpdater(), newPermissionWsSupport());
}
@Test
.execute();
}
+ @Test
+ public void removing_global_permission_fails_if_not_administrator_of_organization() throws Exception {
+ userSession.login();
+
+ expectedException.expect(ForbiddenException.class);
+
+ wsTester.newPostRequest(CONTROLLER, ACTION)
+ .setParam(PARAM_USER_LOGIN, user.getLogin())
+ .setParam(PARAM_PERMISSION, PROVISIONING)
+ .execute();
+ }
+
+ @Test
+ public void removing_project_permission_fails_if_not_administrator_of_project() throws Exception {
+ ComponentDto project = db.components().insertProject();
+ userSession.login();
+
+ expectedException.expect(ForbiddenException.class);
+
+ wsTester.newPostRequest(CONTROLLER, ACTION)
+ .setParam(PARAM_USER_LOGIN, user.getLogin())
+ .setParam(PARAM_PERMISSION, ISSUE_ADMIN)
+ .setParam(PARAM_PROJECT_KEY, project.key())
+ .execute();
+ }
+
+ /**
+ * User is project administrator but not system administrator
+ */
+ @Test
+ public void removing_project_permission_is_allowed_to_project_administrators() throws Exception {
+ ComponentDto project = db.components().insertProject();
+ db.users().insertProjectPermissionOnUser(user, CODEVIEWER, project);
+ db.users().insertProjectPermissionOnUser(user, ISSUE_ADMIN, project);
+ userSession.login().addProjectUuidPermissions(UserRole.ADMIN, project.uuid());
+
+ wsTester.newPostRequest(CONTROLLER, ACTION)
+ .setParam(PARAM_USER_LOGIN, user.getLogin())
+ .setParam(PARAM_PROJECT_ID, project.uuid())
+ .setParam(PARAM_PERMISSION, ISSUE_ADMIN)
+ .execute();
+
+ assertThat(db.users().selectUserPermissions(user, project)).containsOnly(CODEVIEWER);
+ }
+
private void loginAsAdmin() {
userSession.login("admin").setGlobalPermissions(SYSTEM_ADMIN);
}
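Review bot: The two forbidden-path tests added here assert only the exception type, so they would still pass if the permission row were deleted before `ForbiddenException` is thrown. In `removing_project_permission_fails_if_not_administrator_of_project` the user is never given `ISSUE_ADMIN` on the project, so there is also nothing that could be removed. I would insert the permission first and assert it is still present after the rejected call. That needs a try/catch instead of the `expectedException` rule, because statements after `execute()` do not run once it throws, and a static import of `fail`. The unchanged `loginAsAdmin()` at the end of this class also still calls `userSession.login("admin")`, while the sibling test classes in this commit switched to `userSession.login()`.

```java
@Test
public void removing_project_permission_fails_if_not_administrator_of_project() throws Exception {
  ComponentDto project = db.components().insertProject();
  db.users().insertProjectPermissionOnUser(user, ISSUE_ADMIN, project);
  userSession.login();

  try {
    wsTester.newPostRequest(CONTROLLER, ACTION)
      // … unchanged: user login, permission and project key parameters …
      .execute();
    fail("ForbiddenException expected");
  } catch (ForbiddenException e) {
    // The rejected request must leave the stored permission untouched.
    assertThat(db.users().selectUserPermissions(user, project)).containsOnly(ISSUE_ADMIN);
  }
}
```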
protected SearchProjectPermissionsAction buildWsAction() {
i18n.setProjectPermissions();
ResourceTypesRule rootResourceTypes = newRootResourceTypes();
- SearchProjectPermissionsDataLoader dataLoader = new SearchProjectPermissionsDataLoader(db.getDbClient(), newPermissionWsSupport(), rootResourceTypes);
- return new SearchProjectPermissionsAction(db.getDbClient(), userSession, i18n, rootResourceTypes, dataLoader);
+ PermissionWsSupport wsSupport = newPermissionWsSupport();
+ SearchProjectPermissionsDataLoader dataLoader = new SearchProjectPermissionsDataLoader(db.getDbClient(), wsSupport, rootResourceTypes);
+ return new SearchProjectPermissionsAction(db.getDbClient(), userSession, i18n, rootResourceTypes, dataLoader, wsSupport);
}
@Test