SONAR-8716 fix fallback of component to organization permission 1620/head
authorSimon Brandhof <simon.brandhof@sonarsource.com>
Tue, 7 Feb 2017 11:00:32 +0000 (12:00 +0100)
committerSimon Brandhof <simon.brandhof@sonarsource.com>
Tue, 7 Feb 2017 13:30:45 +0000 (14:30 +0100)
it/it-tests/src/test/java/it/organization/OrganizationIt.java
server/sonar-server/src/main/java/org/sonar/server/permission/PermissionTemplateService.java
server/sonar-server/src/main/java/org/sonar/server/user/ServerUserSession.java
server/sonar-server/src/test/java/org/sonar/server/user/ServerUserSessionTest.java

index 327c9f2499e91096785a42a30ecb562e4476ee0d..f16a54af2cec44d05b827f934f63ef3802ad0164 100644 (file)
@@ -20,6 +20,7 @@
 package it.organization;
 
 import com.sonar.orchestrator.Orchestrator;
+import com.sonar.orchestrator.build.BuildFailureException;
 import it.Category3Suite;
 import java.util.List;
 import java.util.function.Consumer;
@@ -37,6 +38,8 @@ import org.sonarqube.ws.client.organization.CreateWsRequest;
 import org.sonarqube.ws.client.organization.OrganizationService;
 import org.sonarqube.ws.client.organization.SearchWsRequest;
 import org.sonarqube.ws.client.organization.UpdateWsRequest;
+import org.sonarqube.ws.client.permission.AddUserWsRequest;
+import org.sonarqube.ws.client.permission.PermissionsService;
 import util.ItUtils;
 import util.user.GroupManagement;
 import util.user.Groups;
@@ -242,6 +245,63 @@ public class OrganizationIt {
     expect403HttpError(() -> fooUserOrganizationService.create(createWsRequest));
   }
 
+  @Test
+  public void an_organization_member_can_analyze_project() {
+    verifyNoExtraOrganization();
+
+    String orgKeyAndName = "org-key";
+    Organizations.Organization createdOrganization = adminOrganizationService.create(new CreateWsRequest.Builder()
+      .setName(orgKeyAndName)
+      .setKey(orgKeyAndName)
+      .build())
+      .getOrganization();
+    verifySingleSearchResult(createdOrganization, orgKeyAndName, null, null, null);
+
+    userRule.createUser("bob", "bob");
+    userRule.removeGroups("sonar-users");
+    addPermissionsToUser(orgKeyAndName, "bob", "provisioning", "scan");
+
+    ItUtils.runProjectAnalysis(orchestrator, "shared/xoo-sample",
+      "sonar.organization", orgKeyAndName, "sonar.login", "bob", "sonar.password", "bob");
+    ComponentsService componentsService = ItUtils.newAdminWsClient(orchestrator).components();
+    assertThat(searchSampleProject(orgKeyAndName, componentsService).getComponentsList()).hasSize(1);
+
+    adminOrganizationService.delete(orgKeyAndName);
+  }
+
+  @Test
+  public void by_default_anonymous_cannot_analyse_project_on_organization() {
+    verifyNoExtraOrganization();
+
+    String orgKeyAndName = "org-key";
+    Organizations.Organization createdOrganization = adminOrganizationService.create(new CreateWsRequest.Builder()
+      .setName(orgKeyAndName)
+      .setKey(orgKeyAndName)
+      .build())
+      .getOrganization();
+    verifySingleSearchResult(createdOrganization, orgKeyAndName, null, null, null);
+
+    try {
+      ItUtils.runProjectAnalysis(orchestrator, "shared/xoo-sample",
+        "sonar.organization", orgKeyAndName);
+      fail();
+    } catch (BuildFailureException e) {
+      assertThat(e.getResult().getLogs()).contains("Insufficient privileges");
+    }
+
+    ComponentsService componentsService = ItUtils.newAdminWsClient(orchestrator).components();
+    assertThat(searchSampleProject(orgKeyAndName, componentsService).getComponentsCount()).isEqualTo(0);
+    adminOrganizationService.delete(orgKeyAndName);
+  }
+
+  private void addPermissionsToUser(String orgKeyAndName, String login, String permission, String... otherPermissions) {
+    PermissionsService permissionsService = ItUtils.newAdminWsClient(orchestrator).permissions();
+    permissionsService.addUser(new AddUserWsRequest().setLogin(login).setOrganization(orgKeyAndName).setPermission(permission));
+    for (String otherPermission : otherPermissions) {
+      permissionsService.addUser(new AddUserWsRequest().setLogin(login).setOrganization(orgKeyAndName).setPermission(otherPermission));
+    }
+  }
+
   @Test
   public void deleting_an_organization_also_deletes_group_permissions_and_projects_and_check_security() {
     verifyNoExtraOrganization();
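Review bot: In both new tests the `adminOrganizationService.delete(orgKeyAndName)` cleanup is the last statement of the method, so any failing assertion before it (the `hasSize(1)` / `isEqualTo(0)` checks, or the `contains("Insufficient privileges")` check inside the catch) leaves "org-key" behind and the next test's `verifyNoExtraOrganization()` fails for a misleading reason. Moving the deletion into a try/finally around the body, or into an `@After` method that deletes the organization if it still exists, keeps one failure from cascading. The `userRule.removeGroups("sonar-users")` call in `an_organization_member_can_analyze_project` also deserves a why-comment, since it is what makes the test prove that the organization-level permissions alone are sufficient; something like `// drop the default group so bob holds only the permissions granted explicitly below — confirm it is restored by userRule` (hedged, as the rule's reset behaviour is not visible here).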
@@ -263,9 +323,10 @@ public class OrganizationIt {
     assertThat(groupManagement.getUserGroups("bob").getGroups())
       .extracting(Groups.Group::getName)
       .contains("grp1", "grp2");
+    addPermissionsToUser(orgKeyAndName, "bob", "provisioning", "scan");
 
     ItUtils.runProjectAnalysis(orchestrator, "shared/xoo-sample",
-      "sonar.organization", orgKeyAndName);
+      "sonar.organization", orgKeyAndName, "sonar.login", "bob", "sonar.password", "bob");
     ComponentsService componentsService = ItUtils.newAdminWsClient(orchestrator).components();
     assertThat(searchSampleProject(orgKeyAndName, componentsService).getComponentsList()).hasSize(1);
 
index 1465bd493261c3555a54f18cb3e497e7e3638e4e..34cda3357d3550713afe2b2f9d1c3a50e30ca267 100644 (file)
@@ -77,7 +77,7 @@ public class PermissionTemplateService {
     }
 
     String effectiveKey = ComponentKeys.createKey(projectKey, branch);
-    PermissionTemplateDto template = findTemplate(dbSession, organizationUuid, new ComponentDto().setKey(effectiveKey).setQualifier(qualifier));
+    PermissionTemplateDto template = findTemplate(dbSession, organizationUuid, new ComponentDto().setOrganizationUuid(organizationUuid).setKey(effectiveKey).setQualifier(qualifier));
     if (template == null) {
       return false;
     }
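Review bot: The rewritten `findTemplate` call is a single line of roughly 170 characters that now builds a three-setter `ComponentDto` inline, which hides the one thing that changed (the organization being set on the dto). Splitting it into a named local reads better and makes the fix visible in a blame: `ComponentDto component = new ComponentDto().setOrganizationUuid(organizationUuid).setKey(effectiveKey).setQualifier(qualifier);` followed by `PermissionTemplateDto template = findTemplate(dbSession, organizationUuid, component);`. Since `organizationUuid` now reaches `findTemplate` both as a parameter and inside the dto, a short comment stating which one the template lookup relies on would help, assuming `findTemplate` (outside this hunk) reads it from the dto. The enclosing method starts and ends outside the hunk.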
index 7364c9698d74284516604796eb3ba037754cc584..e92b7c4a8d0ec7e2cf0353fe12aa4d22e88f58f5 100644 (file)
@@ -19,6 +19,7 @@
  */
 package org.sonar.server.user;
 
+import com.google.common.base.Optional;
 import com.google.common.base.Supplier;
 import com.google.common.base.Suppliers;
 import com.google.common.collect.HashMultimap;
@@ -34,8 +35,8 @@ import javax.annotation.CheckForNull;
 import javax.annotation.Nullable;
 import org.sonar.db.DbClient;
 import org.sonar.db.DbSession;
+import org.sonar.db.component.ComponentDto;
 import org.sonar.db.component.ResourceDao;
-import org.sonar.db.component.ResourceDto;
 import org.sonar.db.user.GroupDto;
 import org.sonar.db.user.UserDto;
 
@@ -151,17 +152,23 @@ public class ServerUserSession extends AbstractUserSession {
 
   @Override
   public boolean hasComponentUuidPermission(String permission, String componentUuid) {
-    if (isRoot() || hasPermission(permission)) {
+    if (isRoot()) {
       return true;
     }
 
     String projectUuid = projectUuidByComponentUuid.get(componentUuid);
     if (projectUuid == null) {
-      ResourceDto project = resourceDao.selectResource(componentUuid);
-      if (project == null) {
-        return false;
+      try (DbSession dbSession = dbClient.openSession(false)) {
+        Optional<ComponentDto> component = dbClient.componentDao().selectByUuid(dbSession, componentUuid);
+        if (!component.isPresent()) {
+          return false;
+        }
+        projectUuid = component.get().projectUuid();
+        if (hasOrganizationPermission(component.get().getOrganizationUuid(), permission)) {
+          projectUuidByComponentUuid.put(componentUuid, projectUuid);
+          return true;
+        }
       }
-      projectUuid = project.getProjectUuid();
     }
     boolean hasComponentPermission = hasProjectPermissionByUuid(permission, projectUuid);
     if (hasComponentPermission) {
index 0cd02fc01b96fd71d5976be011654f095e28baf1..4238f873c1998fd70ba68a01264fd29267fbb897 100644 (file)
@@ -172,16 +172,6 @@ public class ServerUserSessionTest {
     assertThat(underTest.hasComponentUuidPermission("whatever", "who cares?")).isTrue();
   }
 
-  @Test
-  public void has_component_uuid_permission_with_only_global_permission() {
-    addGlobalPermissions(UserRole.USER);
-    UserSession session = newUserSession(userDto);
-
-    assertThat(session.hasComponentUuidPermission(UserRole.USER, FILE_UUID)).isTrue();
-    assertThat(session.hasComponentUuidPermission(UserRole.CODEVIEWER, FILE_UUID)).isFalse();
-    assertThat(session.hasComponentUuidPermission(UserRole.ADMIN, FILE_UUID)).isFalse();
-  }
-
   @Test
   public void checkComponentUuidPermission_succeeds_if_user_has_permission_for_specified_uuid_in_db() {
     UserSession underTest = newUserSession(ROOT_USER_DTO);