import org.sonar.db.DatabaseChecker;
import org.sonar.db.DbClient;
import org.sonar.db.DefaultDatabase;
-import org.sonar.db.permission.PermissionRepository;
import org.sonar.db.purge.PurgeProfiler;
import org.sonar.db.version.DatabaseVersion;
import org.sonar.process.Props;
UserIndex.class,
// permissions
- PermissionRepository.class,
PermissionTemplateService.class,
PermissionUpdater.class,
UserPermissionChanger.class,
assertThat(picoContainer.getComponentAdapters())
.hasSize(
CONTAINER_ITSELF
- + 78 // level 4
+ + 77 // level 4
+ 4 // content of CeConfigurationModule
+ 3 // content of CeHttpModule
+ 5 // content of CeQueueModule
import com.google.common.base.Optional;
import java.io.InputStream;
-import javax.annotation.CheckForNull;
import javax.annotation.Nullable;
import org.apache.commons.lang.StringUtils;
import org.sonar.api.resources.Qualifiers;
}
}
- @CheckForNull
private ComponentDto createProject(DbSession dbSession, String projectKey, @Nullable String projectBranch, @Nullable String projectName) {
- boolean wouldCurrentUserHaveScanPermission = permissionTemplateService.wouldCurrentUserHavePermissionWithDefaultTemplate(dbSession, SCAN_EXECUTION, projectBranch, projectKey,
- Qualifiers.PROJECT);
+ Integer userId = userSession.getUserId();
+ Long projectCreatorUserId = userId == null ? null : userId.longValue();
+
+ boolean wouldCurrentUserHaveScanPermission = permissionTemplateService.wouldUserHavePermissionWithDefaultTemplate(
+ dbSession, projectCreatorUserId, SCAN_EXECUTION, projectBranch, projectKey, Qualifiers.PROJECT);
if (!wouldCurrentUserHaveScanPermission) {
throw insufficientPrivilegesException();
}
// "provisioning" permission is check in ComponentService
ComponentDto project = componentService.create(dbSession, newProject);
- Integer currentUserId = userSession.getUserId();
- permissionTemplateService.applyDefault(dbSession, project, currentUserId != null ? currentUserId.longValue() : null);
+ permissionTemplateService.applyDefault(dbSession, project, projectCreatorUserId);
return project;
}
*/
package org.sonar.server.permission;
+import java.text.MessageFormat;
+import java.util.ArrayList;
import java.util.Collection;
+import java.util.Iterator;
import java.util.List;
+import java.util.Set;
+import javax.annotation.CheckForNull;
import javax.annotation.Nullable;
+import org.apache.commons.lang.StringUtils;
+import org.sonar.api.config.Settings;
import org.sonar.api.resources.Qualifiers;
import org.sonar.api.server.ServerSide;
import org.sonar.core.component.ComponentKeys;
import org.sonar.db.DbSession;
import org.sonar.db.component.ComponentDto;
import org.sonar.db.component.ResourceDto;
-import org.sonar.db.permission.PermissionRepository;
+import org.sonar.db.permission.GroupPermissionDto;
+import org.sonar.db.permission.UserPermissionDto;
+import org.sonar.db.permission.template.PermissionTemplateCharacteristicDto;
import org.sonar.db.permission.template.PermissionTemplateDto;
+import org.sonar.db.permission.template.PermissionTemplateGroupDto;
+import org.sonar.db.permission.template.PermissionTemplateUserDto;
import org.sonar.server.permission.index.PermissionIndexer;
import org.sonar.server.user.UserSession;
+import static com.google.common.base.Preconditions.checkArgument;
import static java.util.Arrays.asList;
+import static org.sonar.api.security.DefaultGroups.isAnyone;
import static org.sonar.server.permission.PermissionPrivilegeChecker.checkProjectAdminUserByComponentKey;
import static org.sonar.server.ws.WsUtils.checkFoundWithOptional;
public class PermissionTemplateService {
private final DbClient dbClient;
- private final PermissionRepository permissionRepository;
+ private final Settings settings;
private final PermissionIndexer permissionIndexer;
private final UserSession userSession;
- public PermissionTemplateService(DbClient dbClient, PermissionRepository permissionRepository, PermissionIndexer permissionIndexer, UserSession userSession) {
+ public PermissionTemplateService(DbClient dbClient, Settings settings, PermissionIndexer permissionIndexer, UserSession userSession) {
this.dbClient = dbClient;
- this.permissionRepository = permissionRepository;
+ this.settings = settings;
this.permissionIndexer = permissionIndexer;
this.userSession = userSession;
}
Integer currentUserId = userSession.getUserId();
Long userId = Qualifiers.PROJECT.equals(component.qualifier()) && currentUserId != null ? currentUserId.longValue() : null;
- permissionRepository.applyDefaultPermissionTemplate(session, component, userId);
- session.commit();
- indexProjectPermissions(session, asList(component.uuid()));
+ applyDefault(session, component, userId);
}
- public boolean wouldCurrentUserHavePermissionWithDefaultTemplate(DbSession dbSession, String permission, @Nullable String branch, String projectKey, String qualifier) {
+ public boolean wouldUserHavePermissionWithDefaultTemplate(DbSession dbSession, @Nullable Long userId, String permission, @Nullable String branch, String projectKey, String qualifier) {
if (userSession.hasPermission(permission)) {
return true;
}
String effectiveKey = ComponentKeys.createKey(projectKey, branch);
+ PermissionTemplateDto template = findDefaultTemplate(dbSession, new ComponentDto().setKey(effectiveKey).setQualifier(qualifier));
+ if (template == null) {
+ return false;
+ }
- Long userId = userSession.getUserId() == null ? null : userSession.getUserId().longValue();
- return permissionRepository.wouldUserHavePermissionWithDefaultTemplate(dbSession, userId, permission, effectiveKey, qualifier);
+ List<String> potentialPermissions = dbClient.permissionTemplateDao().selectPotentialPermissionsByUserIdAndTemplateId(dbSession, userId, template.getId());
+ return potentialPermissions.contains(permission);
}
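Review bot: The early return on `userSession.hasPermission(permission)` still evaluates the current session, while the rest of the method now answers for the `userId` argument, so a caller passing any id other than the session user's gets a result that mixes two principals. Either state the contract on the method, e.g. `// userId must be the id of the current session user (null when anonymous)`, or move the session short-circuit into the caller so this method only answers for `userId`. Separately, `findDefaultTemplate` throws `IllegalStateException` when several key patterns match or no default template is configured, so this boolean check can fail with an exception instead of returning false; a `@throws IllegalStateException` line in the Javadoc would make that visible to callers.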
/**
}
for (ComponentDto project : projects) {
- permissionRepository.apply(dbSession, template, project, null);
+ copyPermissions(dbSession, template, project, null);
}
dbSession.commit();
indexProjectPermissions(dbSession, projects.stream().map(ComponentDto::uuid).collect(Collectors.toList()));
* benefit from the permissions defined in the template for "project creator".
*/
public void applyDefault(DbSession dbSession, ComponentDto component, @Nullable Long projectCreatorUserId) {
- permissionRepository.applyDefaultPermissionTemplate(dbSession, component, projectCreatorUserId);
+ PermissionTemplateDto template = findDefaultTemplate(dbSession, component);
+ checkArgument(template != null, "Can not retrieve default permission template");
+ copyPermissions(dbSession, template, component, projectCreatorUserId);
dbSession.commit();
indexProjectPermissions(dbSession, asList(component.uuid()));
}
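Review bot: `checkArgument(template != null, ...)` in `applyDefault` raises `IllegalArgumentException` although neither argument is at fault: the template is null when the configured default uuid does not resolve to a stored template. That is the same class of misconfiguration for which `findDefaultTemplate` throws `IllegalStateException`, so the two should agree, e.g. `if (template == null) { throw new IllegalStateException("Can not retrieve default permission template"); }`. The method's Javadoc starts outside this hunk; it would be worth adding there that existing permissions on the component are deleted and replaced, since `copyPermissions` deletes both group and user permissions before inserting.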
private void indexProjectPermissions(DbSession dbSession, List<String> projectUuids) {
permissionIndexer.index(dbSession, projectUuids);
}
+
+ private void copyPermissions(DbSession dbSession, PermissionTemplateDto template, ComponentDto project, @Nullable Long projectCreatorUserId) {
+ dbClient.resourceDao().updateAuthorizationDate(project.getId(), dbSession);
+ dbClient.groupPermissionDao().deleteByRootComponentId(dbSession, project.getId());
+ dbClient.userPermissionDao().deleteProjectPermissions(dbSession, project.getId());
+
+ List<PermissionTemplateUserDto> usersPermissions = dbClient.permissionTemplateDao().selectUserPermissionsByTemplateId(dbSession, template.getId());
+ String organizationUuid = template.getOrganizationUuid();
+ usersPermissions
+ .forEach(up -> {
+ UserPermissionDto dto = new UserPermissionDto(organizationUuid, up.getPermission(), up.getUserId(), project.getId());
+ dbClient.userPermissionDao().insert(dbSession, dto);
+ });
+
+ List<PermissionTemplateGroupDto> groupsPermissions = dbClient.permissionTemplateDao().selectGroupPermissionsByTemplateId(dbSession, template.getId());
+ groupsPermissions.forEach(gp -> {
+ GroupPermissionDto dto = new GroupPermissionDto()
+ .setOrganizationUuid(organizationUuid)
+ .setGroupId(isAnyone(gp.getGroupName()) ? null : gp.getGroupId())
+ .setRole(gp.getPermission())
+ .setResourceId(project.getId());
+ dbClient.groupPermissionDao().insert(dbSession, dto);
+ });
+
+ List<PermissionTemplateCharacteristicDto> characteristics = dbClient.permissionTemplateCharacteristicDao().selectByTemplateIds(dbSession, asList(template.getId()));
+ if (projectCreatorUserId != null) {
+ Set<String> permissionsForCurrentUserAlreadyInDb = usersPermissions.stream()
+ .filter(userPermission -> projectCreatorUserId.equals(userPermission.getUserId()))
+ .map(PermissionTemplateUserDto::getPermission)
+ .collect(java.util.stream.Collectors.toSet());
+ characteristics.stream()
+ .filter(PermissionTemplateCharacteristicDto::getWithProjectCreator)
+ .filter(characteristic -> !permissionsForCurrentUserAlreadyInDb.contains(characteristic.getPermission()))
+ .forEach(c -> {
+ UserPermissionDto dto = new UserPermissionDto(organizationUuid, c.getPermission(), projectCreatorUserId, project.getId());
+ dbClient.userPermissionDao().insert(dbSession, dto);
+ });
+ }
+ }
+
+ /**
+ * Return the permission template for the given component. If no template key pattern match then consider default
+ * template for the component qualifier.
+ */
+ @CheckForNull
+ private PermissionTemplateDto findDefaultTemplate(DbSession dbSession, ComponentDto component) {
+ // FIXME performance issue here, we should not load all templates
+ List<PermissionTemplateDto> allPermissionTemplates = dbClient.permissionTemplateDao().selectAll(dbSession);
+ List<PermissionTemplateDto> matchingTemplates = new ArrayList<>();
+ for (PermissionTemplateDto permissionTemplateDto : allPermissionTemplates) {
+ String keyPattern = permissionTemplateDto.getKeyPattern();
+ if (StringUtils.isNotBlank(keyPattern) && component.getKey().matches(keyPattern)) {
+ matchingTemplates.add(permissionTemplateDto);
+ }
+ }
+ checkAtMostOneMatchForComponentKey(component.getKey(), matchingTemplates);
+ if (matchingTemplates.size() == 1) {
+ return matchingTemplates.get(0);
+ }
+ String qualifierTemplateKey = settings.getString("sonar.permission.template." + component.qualifier() + ".default");
+ if (!StringUtils.isBlank(qualifierTemplateKey)) {
+ return dbClient.permissionTemplateDao().selectByUuid(dbSession, qualifierTemplateKey);
+ }
+
+ String defaultTemplateKey = settings.getString("sonar.permission.template.default");
+ if (StringUtils.isBlank(defaultTemplateKey)) {
+ throw new IllegalStateException("At least one default permission template should be defined");
+ }
+ return dbClient.permissionTemplateDao().selectByUuid(dbSession, defaultTemplateKey);
+ }
+
+ private static void checkAtMostOneMatchForComponentKey(String componentKey, List<PermissionTemplateDto> matchingTemplates) {
+ if (matchingTemplates.size() > 1) {
+ StringBuilder templatesNames = new StringBuilder();
+ for (Iterator<PermissionTemplateDto> it = matchingTemplates.iterator(); it.hasNext();) {
+ templatesNames.append("\"").append(it.next().getName()).append("\"");
+ if (it.hasNext()) {
+ templatesNames.append(", ");
+ }
+ }
+ throw new IllegalStateException(MessageFormat.format(
+ "The \"{0}\" key matches multiple permission templates: {1}."
+ + " A system administrator must update these templates so that only one of them matches the key.",
+ componentKey,
+ templatesNames.toString()));
+ }
+ }
+
}
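Review bot: In `findDefaultTemplate`, `component.getKey().matches(keyPattern)` compiles every stored key pattern on each call and runs it against a project key that, on the report-submission path, comes from the request. A malformed stored pattern would surface as a `PatternSyntaxException` on every project creation, and a backtracking-heavy pattern makes the cost of this authorization step depend on the submitted key. Validating patterns when a template is saved (possibly done elsewhere, not visible here) and reusing compiled `Pattern` instances would bound both. The Javadoc should also say that the method returns null when the configured template uuid matches no stored template, e.g. `@return the matching template, or null if the configured default uuid does not exist`. In `copyPermissions`, a one-line comment that the caller is responsible for `dbSession.commit()` would help, since the delete and the inserts are only consistent once committed together.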
import org.sonar.ce.settings.ProjectSettingsFactory;
import org.sonar.core.component.DefaultResourceTypes;
import org.sonar.core.timemachine.Periods;
-import org.sonar.db.permission.PermissionRepository;
import org.sonar.server.authentication.AuthenticationModule;
import org.sonar.server.batch.BatchWsModule;
import org.sonar.server.ce.ws.CeWsModule;
// permissions
PermissionsWsModule.class,
- PermissionRepository.class,
PermissionTemplateService.class,
PermissionUpdater.class,
UserPermissionChanger.class,
when(queue.prepareSubmit()).thenReturn(new CeTaskSubmit.Builder(TASK_UUID));
ComponentDto createdProject = new ComponentDto().setUuid(PROJECT_UUID).setKey(PROJECT_KEY);
when(componentService.create(any(DbSession.class), any(NewComponent.class))).thenReturn(createdProject);
- when(permissionTemplateService.wouldCurrentUserHavePermissionWithDefaultTemplate(any(DbSession.class), eq(SCAN_EXECUTION), anyString(), eq(PROJECT_KEY), eq(Qualifiers.PROJECT)))
+ when(permissionTemplateService.wouldUserHavePermissionWithDefaultTemplate(any(DbSession.class), anyLong(), eq(SCAN_EXECUTION), anyString(), eq(PROJECT_KEY), eq(Qualifiers.PROJECT)))
.thenReturn(true);
underTest.submit(PROJECT_KEY, null, PROJECT_NAME, IOUtils.toInputStream("{binary}"));
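Review bot: `anyLong()` in the stub accepts any user id, so the test would still pass if `createProject` handed the wrong id to `wouldUserHavePermissionWithDefaultTemplate`; the same applies to the second stub further down. The parameter is declared `@Nullable Long`, and whether `anyLong()` matches a null id depends on the Mockito version in use, so the stub is also fragile for a session without a user. Matching the exact value the session is set up with, for example `eq(<expected user id>)` or a null matcher when the session has no user, would pin the behaviour this change introduces.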
when(queue.prepareSubmit()).thenReturn(new CeTaskSubmit.Builder(TASK_UUID));
when(componentService.create(any(DbSession.class), any(NewComponent.class))).thenReturn(new ComponentDto().setUuid(PROJECT_UUID).setKey(PROJECT_KEY));
- when(permissionTemplateService.wouldCurrentUserHavePermissionWithDefaultTemplate(any(DbSession.class), eq(SCAN_EXECUTION), anyString(), eq(PROJECT_KEY), eq(Qualifiers.PROJECT)))
+ when(permissionTemplateService.wouldUserHavePermissionWithDefaultTemplate(any(DbSession.class), anyLong(), eq(SCAN_EXECUTION), anyString(), eq(PROJECT_KEY), eq(Qualifiers.PROJECT)))
.thenReturn(true);
underTest.submit(PROJECT_KEY, null, PROJECT_NAME, IOUtils.toInputStream("{binary}"));
--- /dev/null
+/*
+ * SonarQube
+ * Copyright (C) 2009-2016 SonarSource SA
+ * mailto:contact AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+package org.sonar.server.permission;
+
+import java.util.List;
+import javax.annotation.Nullable;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.ExpectedException;
+import org.sonar.api.config.MapSettings;
+import org.sonar.api.config.Settings;
+import org.sonar.api.resources.Qualifiers;
+import org.sonar.api.utils.System2;
+import org.sonar.api.web.UserRole;
+import org.sonar.db.DbSession;
+import org.sonar.db.DbTester;
+import org.sonar.db.component.ComponentDto;
+import org.sonar.db.permission.template.PermissionTemplateDbTester;
+import org.sonar.db.permission.template.PermissionTemplateDto;
+import org.sonar.db.user.GroupDto;
+import org.sonar.db.user.UserDto;
+import org.sonar.server.permission.index.PermissionIndexer;
+import org.sonar.server.tester.UserSessionRule;
+
+import static java.util.Collections.singletonList;
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+import static org.sonar.core.permission.GlobalPermissions.PROVISIONING;
+import static org.sonar.core.permission.GlobalPermissions.SCAN_EXECUTION;
+import static org.sonar.db.component.ComponentTesting.newProjectDto;
+import static org.sonar.db.user.GroupTesting.newGroupDto;
+
+
+public class PermissionTemplateServiceTest {
+
+ private static final String DEFAULT_TEMPLATE = "default_20130101_010203";
+ private static final ComponentDto PROJECT = newProjectDto().setId(123L).setUuid("THE_PROJECT_UUID");
+ private static final long NOW = 123456789L;
+
+ @Rule
+ public ExpectedException throwable = ExpectedException.none();
+
+ private System2 system2 = mock(System2.class);
+
+ @Rule
+ public DbTester dbTester = DbTester.create(system2);
+
+ private UserSessionRule userSession = UserSessionRule.standalone();
+ private PermissionTemplateDbTester templateDb = dbTester.permissionTemplates();
+ private DbSession session = dbTester.getSession();
+ private Settings settings = new MapSettings();
+ private PermissionIndexer permissionIndexer = mock(PermissionIndexer.class);
+ private PermissionTemplateService underTest = new PermissionTemplateService(dbTester.getDbClient(), settings, permissionIndexer, userSession);
+
+ @Before
+ public void setUp() {
+ when(system2.now()).thenReturn(NOW);
+ }
+
+ @Test
+ public void apply_permission_template() {
+ dbTester.prepareDbUnit(getClass(), "should_apply_permission_template.xml");
+
+ assertThat(selectProjectPermissionsOfGroup("org1", 100L, PROJECT)).isEmpty();
+ assertThat(selectProjectPermissionsOfGroup("org1", 101L, PROJECT)).isEmpty();
+ assertThat(selectProjectPermissionsOfGroup("org1", null, PROJECT)).isEmpty();
+ assertThat(selectProjectPermissionsOfUser(200L, PROJECT)).isEmpty();
+
+ PermissionTemplateDto template = dbTester.getDbClient().permissionTemplateDao().selectByUuid(session, "default_20130101_010203");
+ underTest.apply(session, template, singletonList(PROJECT));
+
+ assertThat(selectProjectPermissionsOfGroup("org1", 100L, PROJECT)).containsOnly("admin", "issueadmin");
+ assertThat(selectProjectPermissionsOfGroup("org1", 101L, PROJECT)).containsOnly("user", "codeviewer");
+ assertThat(selectProjectPermissionsOfGroup("org1", null, PROJECT)).containsOnly("user", "codeviewer");
+ assertThat(selectProjectPermissionsOfUser(200L, PROJECT)).containsOnly("admin");
+
+ checkAuthorizationUpdatedAtIsUpdated();
+ }
+
+ private List<String> selectProjectPermissionsOfGroup(String organizationUuid, @Nullable Long groupId, ComponentDto project) {
+ return dbTester.getDbClient().groupPermissionDao().selectProjectPermissionsOfGroup(session,
+ organizationUuid, groupId != null ? groupId : null, project.getId());
+ }
+
+ private List<String> selectProjectPermissionsOfUser(long userId, ComponentDto project) {
+ return dbTester.getDbClient().userPermissionDao().selectProjectPermissionsOfUser(session,
+ userId, project.getId());
+ }
+
+ @Test
+ public void applyDefaultPermissionTemplate_from_component_key() {
+ dbTester.prepareDbUnit(getClass(), "apply_default_permission_template_by_component_id.xml");
+ userSession.setGlobalPermissions(PROVISIONING);
+ settings.setProperty("sonar.permission.template.default", DEFAULT_TEMPLATE);
+
+ underTest.applyDefaultPermissionTemplate("org.struts:struts");
+ session.commit();
+
+ dbTester.assertDbUnitTable(getClass(), "apply_default_permission_template_by_component_id-result.xml", "user_roles", "user_id", "resource_id", "role");
+ }
+
+ @Test
+ public void would_user_have_permission_with_default_permission_template() {
+ UserDto user = dbTester.users().insertUser();
+ GroupDto group = dbTester.users().insertGroup(newGroupDto());
+ dbTester.users().insertMember(group, user);
+ PermissionTemplateDto template = templateDb.insertTemplate();
+ setDefaultTemplateUuid(template.getUuid());
+ templateDb.addProjectCreatorToTemplate(template.getId(), SCAN_EXECUTION);
+ templateDb.addUserToTemplate(template.getId(), user.getId(), UserRole.USER);
+ templateDb.addGroupToTemplate(template.getId(), group.getId(), UserRole.CODEVIEWER);
+ templateDb.addGroupToTemplate(template.getId(), null, UserRole.ISSUE_ADMIN);
+
+ // authenticated user
+ checkWouldUserHavePermission(user.getId(), UserRole.ADMIN, false);
+ checkWouldUserHavePermission(user.getId(), SCAN_EXECUTION, true);
+ checkWouldUserHavePermission(user.getId(), UserRole.USER, true);
+ checkWouldUserHavePermission(user.getId(), UserRole.CODEVIEWER, true);
+ checkWouldUserHavePermission(user.getId(), UserRole.ISSUE_ADMIN, true);
+
+ // anonymous user
+ checkWouldUserHavePermission(null, UserRole.ADMIN, false);
+ checkWouldUserHavePermission(null, SCAN_EXECUTION, false);
+ checkWouldUserHavePermission(null, UserRole.USER, false);
+ checkWouldUserHavePermission(null, UserRole.CODEVIEWER, false);
+ checkWouldUserHavePermission(null, UserRole.ISSUE_ADMIN, true);
+ }
+
+ @Test
+ public void would_user_have_permission_with_unknown_default_permission_template() {
+ setDefaultTemplateUuid("UNKNOWN_TEMPLATE_UUID");
+
+ checkWouldUserHavePermission(null, UserRole.ADMIN, false);
+ }
+
+ @Test
+ public void would_user_have_permission_with_empty_template() {
+ PermissionTemplateDto template = templateDb.insertTemplate();
+ setDefaultTemplateUuid(template.getUuid());
+
+ checkWouldUserHavePermission(null, UserRole.ADMIN, false);
+ }
+
+ private void checkWouldUserHavePermission(@Nullable Long userId, String permission, boolean expectedResult) {
+ assertThat(underTest.wouldUserHavePermissionWithDefaultTemplate(session, userId, permission, null, "PROJECT_KEY", Qualifiers.PROJECT)).isEqualTo(expectedResult);
+ }
+
+ private void checkAuthorizationUpdatedAtIsUpdated() {
+ assertThat(dbTester.getDbClient().resourceDao().selectResource(PROJECT.getId(), session).getAuthorizationUpdatedAt()).isEqualTo(NOW);
+ }
+
+ private void setDefaultTemplateUuid(String templateUuid) {
+ settings.setProperty("sonar.permission.template.default", templateUuid);
+ }
+
+}
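Review bot: None of the tests in this new class sets a key pattern on a template, so the pattern-matching branch of `findDefaultTemplate` and its "matches multiple permission templates" failure have no coverage here (they may be covered elsewhere). Since that branch decides which permissions a new project receives, a test with two templates whose patterns both match the project key, expecting `IllegalStateException`, would be worth adding; the `throwable` rule is declared but unused by the tests shown, which suggests one was intended. The project-creator path of `applyDefault` (non-null `projectCreatorUserId`) is likewise not exercised by these tests. In `selectProjectPermissionsOfGroup`, `groupId != null ? groupId : null` is a no-op and can be just `groupId`.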
import org.sonar.db.component.ComponentDto;
import org.sonar.db.organization.OrganizationDto;
import org.sonar.db.permission.PermissionQuery;
-import org.sonar.db.permission.PermissionRepository;
import org.sonar.db.permission.template.PermissionTemplateDto;
import org.sonar.db.user.GroupDto;
import org.sonar.db.user.UserDto;
@Override
protected ApplyTemplateAction buildWsAction() {
- PermissionRepository repository = new PermissionRepository(db.getDbClient(), new MapSettings());
- PermissionTemplateService permissionTemplateService = new PermissionTemplateService(db.getDbClient(), repository, permissionIndexer, userSession);
+ PermissionTemplateService permissionTemplateService = new PermissionTemplateService(db.getDbClient(), new MapSettings(), permissionIndexer, userSession);
return new ApplyTemplateAction(db.getDbClient(), userSession, permissionTemplateService, newPermissionWsSupport());
}
import org.sonar.db.component.ComponentDto;
import org.sonar.db.organization.OrganizationDto;
import org.sonar.db.permission.PermissionQuery;
-import org.sonar.db.permission.PermissionRepository;
import org.sonar.db.permission.template.PermissionTemplateDto;
import org.sonar.db.user.GroupDto;
import org.sonar.db.user.UserDto;
@Override
protected BulkApplyTemplateAction buildWsAction() {
- PermissionRepository repository = new PermissionRepository(db.getDbClient(), new MapSettings());
- PermissionTemplateService permissionTemplateService = new PermissionTemplateService(db.getDbClient(), repository, issuePermissionIndexer, userSession);
+ PermissionTemplateService permissionTemplateService = new PermissionTemplateService(db.getDbClient(), new MapSettings(), issuePermissionIndexer, userSession);
return new BulkApplyTemplateAction(db.getDbClient(), userSession, permissionTemplateService, newPermissionWsSupport(), new I18nRule(), newRootResourceTypes());
}
--- /dev/null
+<dataset>
+
+ <groups id="100"
+ name="sonar-administrators"
+ organization_uuid="org1"/>
+ <groups id="101"
+ name="sonar-users"
+ organization_uuid="org1"/>
+
+ <users id="200"
+ login="marius"
+ name="Marius"
+ email="[null]"
+ active="[true]"
+ is_root="[false]"/>
+ <users id="201"
+ login="janette"
+ name="Janette"
+ email="[null]"
+ active="[true]"
+ is_root="[false]"/>
+
+ <!-- on other resources -->
+ <group_roles id="1"
+ group_id="100"
+ resource_id="1"
+ role="admin"
+ organization_uuid="org1"/>
+ <group_roles id="2"
+ group_id="101"
+ resource_id="1"
+ role="user"
+ organization_uuid="org1"/>
+ <user_roles id="1"
+ user_id="200"
+ resource_id="1"
+ role="admin"
+ organization_uuid="org1"/>
+
+ <!-- new groups permissions : sonar-administrators (admin), sonar-users (user & codeviewer), Anyone (user & codeviewer) -->
+ <group_roles id="3"
+ group_id="100"
+ resource_id="123"
+ role="admin"
+ organization_uuid="org1"/>
+ <group_roles id="4"
+ group_id="101"
+ resource_id="123"
+ role="user"
+ organization_uuid="org1"/>
+ <group_roles id="5"
+ group_id="[null]"
+ resource_id="123"
+ role="user"
+ organization_uuid="org1"/>
+ <group_roles id="6"
+ group_id="101"
+ resource_id="123"
+ role="codeviewer"
+ organization_uuid="org1"/>
+ <group_roles id="7"
+ group_id="[null]"
+ resource_id="123"
+ role="codeviewer"
+ organization_uuid="org1"/>
+ <group_roles id="8"
+ group_id="100"
+ resource_id="123"
+ role="issueadmin"
+ organization_uuid="org1"/>
+
+ <!-- new user permission : marius (admin) & janette (user) -->
+ <user_roles id="2"
+ user_id="200"
+ resource_id="123"
+ role="admin"
+ organization_uuid="org1"/>
+
+ <!-- default permission template for all qualifiers -->
+ <permission_templates id="1"
+ name="default"
+ kee="default_20130101_010203"
+ organization_uuid="org1"/>
+
+ <perm_templates_groups id="1"
+ template_id="1"
+ group_id="100"
+ permission_reference="admin"/>
+ <perm_templates_groups id="2"
+ template_id="1"
+ group_id="101"
+ permission_reference="user"/>
+ <perm_templates_groups id="3"
+ template_id="1"
+ group_id="[null]"
+ permission_reference="user"/>
+ <perm_templates_groups id="4"
+ template_id="1"
+ group_id="101"
+ permission_reference="codeviewer"/>
+ <perm_templates_groups id="5"
+ template_id="1"
+ group_id="[null]"
+ permission_reference="codeviewer"/>
+ <perm_templates_groups id="6"
+ template_id="1"
+ group_id="100"
+ permission_reference="issueadmin"/>
+
+ <perm_templates_users id="1"
+ template_id="1"
+ user_id="200"
+ permission_reference="admin"/>
+
+</dataset>
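Review bot: The comment `new user permission : marius (admin) & janette (user)` does not match the data beneath it, which contains a single `user_roles` row for `user_id="200"` and none for janette (`201`). If this dataset is used as an expected result, the comment misstates which permissions are asserted; it should read `<!-- new user permission : marius (admin) -->`, as the sibling fixture further down already does.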
--- /dev/null
+<dataset>
+ <projects uuid="A"
+ uuid_path="NOT_USED"
+ root_uuid="A"
+ scope="PRJ"
+ qualifier="TRK"
+ kee="org.struts:struts"
+ name="Struts"
+ description="the description"
+ long_name="Apache Struts"
+ enabled="[true]"
+ language="java"
+ copy_component_uuid="[null]"
+ developer_uuid="[null]"
+ path="[null]"
+ authorization_updated_at="123456789"
+ id="123"/>
+
+ <groups id="100"
+ name="sonar-administrators"
+ organization_uuid="org1"/>
+ <groups id="101"
+ name="sonar-users"
+ organization_uuid="org1"/>
+
+ <users id="200"
+ login="marius"
+ name="Marius"
+ email="[null]"
+ active="[true]"
+ is_root="[false]"/>
+
+ <!-- on other resources -->
+ <group_roles id="1"
+ group_id="100"
+ resource_id="1"
+ role="admin"
+ organization_uuid="org1"/>
+ <group_roles id="2"
+ group_id="101"
+ resource_id="1"
+ role="user"
+ organization_uuid="org1"/>
+ <user_roles id="1"
+ user_id="200"
+ resource_id="1"
+ role="admin"
+ organization_uuid="org1"/>
+
+ <!-- default permission template for all qualifiers -->
+ <permission_templates id="1"
+ name="default"
+ kee="default_20130101_010203"
+ organization_uuid="org1"/>
+
+ <perm_templates_groups id="1"
+ template_id="1"
+ group_id="100"
+ permission_reference="admin"/>
+ <perm_templates_groups id="2"
+ template_id="1"
+ group_id="101"
+ permission_reference="user"/>
+ <perm_templates_groups id="3"
+ template_id="1"
+ group_id="[null]"
+ permission_reference="user"/>
+ <perm_templates_groups id="4"
+ template_id="1"
+ group_id="101"
+ permission_reference="codeviewer"/>
+ <perm_templates_groups id="5"
+ template_id="1"
+ group_id="[null]"
+ permission_reference="codeviewer"/>
+ <perm_templates_groups id="6"
+ template_id="1"
+ group_id="100"
+ permission_reference="issueadmin"/>
+
+ <perm_templates_users id="1"
+ template_id="1"
+ user_id="200"
+ permission_reference="admin"/>
+
+ <perm_tpl_characteristics id="1"
+ template_id="1"
+ permission_key="user"
+ with_project_creator="[true]"
+ created_at="1234567890"
+ updated_at="123457890"/>
+ <perm_tpl_characteristics id="2"
+ template_id="2"
+ permission_key="user"
+ with_project_creator="[false]"
+ created_at="1234567890"
+ updated_at="1234567890"/>
+</dataset>
--- /dev/null
+<dataset>
+
+ <groups id="100"
+ name="sonar-administrators"
+ organization_uuid="org1"/>
+ <groups id="101"
+ name="sonar-users"
+ organization_uuid="org1"/>
+
+ <users id="200"
+ login="marius"
+ name="Marius"
+ email="[null]"
+ active="[true]"
+ is_root="[false]"/>
+
+ <!-- on other resources -->
+ <group_roles id="1"
+ group_id="100"
+ resource_id="1"
+ role="admin"
+ organization_uuid="org1"/>
+ <group_roles id="2"
+ group_id="101"
+ resource_id="1"
+ role="user"
+ organization_uuid="org1"/>
+ <user_roles id="1"
+ user_id="200"
+ resource_id="1"
+ role="admin"
+ organization_uuid="org1"/>
+
+ <!-- new groups permissions : sonar-administrators (admin), sonar-users (user & codeviewer), Anyone (user & codeviewer) -->
+ <group_roles id="3"
+ group_id="100"
+ resource_id="123"
+ role="admin"
+ organization_uuid="org1"/>
+ <group_roles id="4"
+ group_id="101"
+ resource_id="123"
+ role="user"
+ organization_uuid="org1"/>
+ <group_roles id="5"
+ group_id="[null]"
+ resource_id="123"
+ role="user"
+ organization_uuid="org1"/>
+ <group_roles id="6"
+ group_id="101"
+ resource_id="123"
+ role="codeviewer"
+ organization_uuid="org1"/>
+ <group_roles id="7"
+ group_id="[null]"
+ resource_id="123"
+ role="codeviewer"
+ organization_uuid="org1"/>
+ <group_roles id="8"
+ group_id="100"
+ resource_id="123"
+ role="issueadmin"
+ organization_uuid="org1"/>
+
+ <!-- new user permission : marius (admin) -->
+ <user_roles id="2"
+ user_id="200"
+ resource_id="123"
+ role="admin"
+ organization_uuid="org1"/>
+
+ <!-- default permission template for all qualifiers -->
+ <permission_templates id="1"
+ name="default"
+ kee="default_20130101_010203"
+ organization_uuid="org1"/>
+
+ <perm_templates_groups id="1"
+ template_id="1"
+ group_id="100"
+ permission_reference="admin"/>
+ <perm_templates_groups id="2"
+ template_id="1"
+ group_id="101"
+ permission_reference="user"/>
+ <perm_templates_groups id="3"
+ template_id="1"
+ group_id="[null]"
+ permission_reference="user"/>
+ <perm_templates_groups id="4"
+ template_id="1"
+ group_id="101"
+ permission_reference="codeviewer"/>
+ <perm_templates_groups id="5"
+ template_id="1"
+ group_id="[null]"
+ permission_reference="codeviewer"/>
+ <perm_templates_groups id="6"
+ template_id="1"
+ group_id="100"
+ permission_reference="issueadmin"/>
+
+ <perm_templates_users id="1"
+ template_id="1"
+ user_id="200"
+ permission_reference="admin"/>
+
+</dataset>
--- /dev/null
+<dataset>
+
+ <projects uuid="THE_PROJECT_UUID"
+ uuid_path="NOT_USED"
+ root_uuid="THE_PROJECT_UUID"
+ scope="PRJ"
+ qualifier="TRK"
+ kee="org.struts:struts"
+ name="Struts"
+ description="the description"
+ long_name="Apache Struts"
+ enabled="[true]"
+ language="java"
+ copy_component_uuid="[null]"
+ developer_uuid="[null]"
+ path="[null]"
+ authorization_updated_at="123456789"
+ id="123"/>
+
+ <groups id="100"
+ name="sonar-administrators"
+ organization_uuid="org1"/>
+ <groups id="101"
+ name="sonar-users"
+ organization_uuid="org1"/>
+
+ <users id="200"
+ login="marius"
+ name="Marius"
+ email="[null]"
+ active="[true]"
+ is_root="[false]"/>
+
+ <!-- on other resources -->
+ <group_roles id="1"
+ group_id="100"
+ resource_id="1"
+ role="admin"
+ organization_uuid="org1"/>
+ <group_roles id="2"
+ group_id="101"
+ resource_id="1"
+ role="user"
+ organization_uuid="org1"/>
+ <user_roles id="1"
+ user_id="200"
+ resource_id="1"
+ role="admin"
+ organization_uuid="org1"/>
+
+
+ <!-- default permission template for all qualifiers -->
+ <permission_templates id="1"
+ name="default"
+ kee="default_20130101_010203"
+ organization_uuid="org1"/>
+
+ <perm_templates_groups id="1"
+ template_id="1"
+ group_id="100"
+ permission_reference="admin"/>
+ <perm_templates_groups id="2"
+ template_id="1"
+ group_id="101"
+ permission_reference="user"/>
+ <perm_templates_groups id="3"
+ template_id="1"
+ group_id="[null]"
+ permission_reference="user"/>
+ <perm_templates_groups id="4"
+ template_id="1"
+ group_id="101"
+ permission_reference="codeviewer"/>
+ <perm_templates_groups id="5"
+ template_id="1"
+ group_id="[null]"
+ permission_reference="codeviewer"/>
+ <perm_templates_groups id="6"
+ template_id="1"
+ group_id="100"
+ permission_reference="issueadmin"/>
+
+ <perm_templates_users id="1"
+ template_id="1"
+ user_id="200"
+ permission_reference="admin"/>
+
+</dataset>
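Review bot: The `projects` row in this new fixture seeds `authorization_updated_at="123456789"`, which is the same value the removed PermissionRepositoryTest used for `NOW` and asserted in `checkAuthorizationUpdatedAtIsUpdated()` after applying the template. If the test that now loads this dataset keeps that mocked clock value (the test is not visible in this part of the diff), the assertion passes whether or not the authorization date is refreshed. A regression that skips the update, and with it the permission reindexing that the date drives, would then go unnoticed. Seed a value that differs from the mocked clock, for example `authorization_updated_at="1"`.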
+++ /dev/null
-/*
- * SonarQube
- * Copyright (C) 2009-2016 SonarSource SA
- * mailto:contact AT sonarsource DOT com
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 3 of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this program; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
- */
-package org.sonar.db.permission;
-
-import java.text.MessageFormat;
-import java.util.ArrayList;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Set;
-import java.util.stream.Collectors;
-import javax.annotation.CheckForNull;
-import javax.annotation.Nullable;
-import org.apache.commons.lang.StringUtils;
-import org.sonar.api.config.Settings;
-import org.sonar.db.DbClient;
-import org.sonar.db.DbSession;
-import org.sonar.db.component.ComponentDto;
-import org.sonar.db.permission.template.PermissionTemplateCharacteristicDto;
-import org.sonar.db.permission.template.PermissionTemplateDto;
-import org.sonar.db.permission.template.PermissionTemplateGroupDto;
-import org.sonar.db.permission.template.PermissionTemplateUserDto;
-
-import static java.util.Arrays.asList;
-import static org.sonar.api.security.DefaultGroups.isAnyone;
-
-/**
- * This facade wraps db operations related to permissions
- * <p/>
- * Should be removed when batch will no more create permission, and be replaced by a new PermissionService in module server (probably be a merge with InternalPermissionService)
- * <p/>
- * WARNING, this class is called by Deveveloper Cockpit to apply default permission template on new developers
- */
-public class PermissionRepository {
-
- private final DbClient dbClient;
- private final Settings settings;
-
- public PermissionRepository(DbClient dbClient, Settings settings) {
- this.dbClient = dbClient;
- this.settings = settings;
- }
-
- public void apply(DbSession session, PermissionTemplateDto template, ComponentDto project, @Nullable Long currentUserId) {
- updateProjectAuthorizationDate(session, project.getId());
- dbClient.groupPermissionDao().deleteByRootComponentId(session, project.getId());
- dbClient.userPermissionDao().deleteProjectPermissions(session, project.getId());
-
- List<PermissionTemplateUserDto> usersPermissions = dbClient.permissionTemplateDao().selectUserPermissionsByTemplateId(session, template.getId());
- String organizationUuid = template.getOrganizationUuid();
- usersPermissions
- .forEach(up -> {
- UserPermissionDto dto = new UserPermissionDto(organizationUuid, up.getPermission(), up.getUserId(), project.getId());
- dbClient.userPermissionDao().insert(session, dto);
- });
-
- List<PermissionTemplateGroupDto> groupsPermissions = dbClient.permissionTemplateDao().selectGroupPermissionsByTemplateId(session, template.getId());
- groupsPermissions.forEach(gp -> {
- GroupPermissionDto dto = new GroupPermissionDto()
- .setOrganizationUuid(organizationUuid)
- .setGroupId(isAnyone(gp.getGroupName()) ? null : gp.getGroupId())
- .setRole(gp.getPermission())
- .setResourceId(project.getId());
- dbClient.groupPermissionDao().insert(session, dto);
- });
-
- List<PermissionTemplateCharacteristicDto> characteristics = dbClient.permissionTemplateCharacteristicDao().selectByTemplateIds(session, asList(template.getId()));
- if (currentUserId != null) {
- Set<String> permissionsForCurrentUserAlreadyInDb = usersPermissions.stream()
- .filter(userPermission -> currentUserId.equals(userPermission.getUserId()))
- .map(PermissionTemplateUserDto::getPermission)
- .collect(Collectors.toSet());
- characteristics.stream()
- .filter(PermissionTemplateCharacteristicDto::getWithProjectCreator)
- .filter(characteristic -> !permissionsForCurrentUserAlreadyInDb.contains(characteristic.getPermission()))
- .forEach(c -> {
- UserPermissionDto dto = new UserPermissionDto(organizationUuid, c.getPermission(), currentUserId, project.getId());
- dbClient.userPermissionDao().insert(session, dto);
- });
- }
- }
-
- /**
- * Warning, this method is also used by the Developer Cockpit plugin
- */
- public void applyDefaultPermissionTemplate(DbSession session, long componentId) {
- ComponentDto component = dbClient.componentDao().selectOrFailById(session, componentId);
- applyDefaultPermissionTemplate(session, component, null);
- }
-
- public void applyDefaultPermissionTemplate(DbSession dbSession, ComponentDto componentDto, @Nullable Long userId) {
- PermissionTemplateDto template = getApplicablePermissionTemplate(dbSession, componentDto);
- if (template == null) {
- throw new IllegalArgumentException("Can not retrieve default permission template");
- }
- apply(dbSession, template, componentDto, userId);
- }
-
- /**
- * Return the permission template for the given componentKey. If no template key pattern match then consider default
- * permission template for the resource qualifier.
- */
- @CheckForNull
- private PermissionTemplateDto getApplicablePermissionTemplate(DbSession dbSession, ComponentDto component) {
- // FIXME performance issue here, we should not load all templates
- List<PermissionTemplateDto> allPermissionTemplates = dbClient.permissionTemplateDao().selectAll(dbSession);
- List<PermissionTemplateDto> matchingTemplates = new ArrayList<>();
- for (PermissionTemplateDto permissionTemplateDto : allPermissionTemplates) {
- String keyPattern = permissionTemplateDto.getKeyPattern();
- if (StringUtils.isNotBlank(keyPattern) && component.getKey().matches(keyPattern)) {
- matchingTemplates.add(permissionTemplateDto);
- }
- }
- checkAtMostOneMatchForComponentKey(component.getKey(), matchingTemplates);
- if (matchingTemplates.size() == 1) {
- return matchingTemplates.get(0);
- }
- String qualifierTemplateKey = settings.getString("sonar.permission.template." + component.qualifier() + ".default");
- if (!StringUtils.isBlank(qualifierTemplateKey)) {
- return dbClient.permissionTemplateDao().selectByUuid(dbSession, qualifierTemplateKey);
- }
-
- String defaultTemplateKey = settings.getString("sonar.permission.template.default");
- if (StringUtils.isBlank(defaultTemplateKey)) {
- throw new IllegalStateException("At least one default permission template should be defined");
- }
- return dbClient.permissionTemplateDao().selectByUuid(dbSession, defaultTemplateKey);
- }
-
- public boolean wouldUserHavePermissionWithDefaultTemplate(DbSession dbSession, @Nullable Long currentUserId, String permission, String projectKey, String qualifier) {
- PermissionTemplateDto template = getApplicablePermissionTemplate(dbSession, new ComponentDto().setKey(projectKey).setQualifier(qualifier));
- if (template == null) {
- return false;
- }
-
- List<String> potentialPermissions = dbClient.permissionTemplateDao().selectPotentialPermissionsByUserIdAndTemplateId(dbSession, currentUserId, template.getId());
- return potentialPermissions.contains(permission);
- }
-
- private static void checkAtMostOneMatchForComponentKey(final String componentKey, List<PermissionTemplateDto> matchingTemplates) {
- if (matchingTemplates.size() > 1) {
- StringBuilder templatesNames = new StringBuilder();
- for (Iterator<PermissionTemplateDto> it = matchingTemplates.iterator(); it.hasNext();) {
- templatesNames.append("\"").append(it.next().getName()).append("\"");
- if (it.hasNext()) {
- templatesNames.append(", ");
- }
- }
- throw new IllegalStateException(MessageFormat.format(
- "The \"{0}\" key matches multiple permission templates: {1}."
- + " A system administrator must update these templates so that only one of them matches the key.",
- componentKey,
- templatesNames.toString()));
- }
- }
-
- /**
- * For each modification of permission on a project, update the authorization_updated_at to help ES reindex only relevant changes
- */
- private void updateProjectAuthorizationDate(DbSession dbSession, long projectId) {
- dbClient.resourceDao().updateAuthorizationDate(projectId, dbSession);
- }
-}
+++ /dev/null
-/*
- * SonarQube
- * Copyright (C) 2009-2016 SonarSource SA
- * mailto:contact AT sonarsource DOT com
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 3 of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this program; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
- */
-package org.sonar.db.permission;
-
-import java.util.List;
-import javax.annotation.Nullable;
-import org.junit.Before;
-import org.junit.Rule;
-import org.junit.Test;
-import org.junit.rules.ExpectedException;
-import org.sonar.api.config.MapSettings;
-import org.sonar.api.config.Settings;
-import org.sonar.api.resources.Qualifiers;
-import org.sonar.api.utils.System2;
-import org.sonar.api.web.UserRole;
-import org.sonar.db.DbSession;
-import org.sonar.db.DbTester;
-import org.sonar.db.component.ComponentDto;
-import org.sonar.db.permission.template.PermissionTemplateDbTester;
-import org.sonar.db.permission.template.PermissionTemplateDto;
-import org.sonar.db.user.GroupDto;
-import org.sonar.db.user.UserDto;
-
-import static org.assertj.core.api.Assertions.assertThat;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
-import static org.sonar.core.permission.GlobalPermissions.SCAN_EXECUTION;
-import static org.sonar.db.component.ComponentTesting.newProjectDto;
-import static org.sonar.db.user.GroupTesting.newGroupDto;
-
-public class PermissionRepositoryTest {
-
- private static final String DEFAULT_TEMPLATE = "default_20130101_010203";
- private static final ComponentDto PROJECT = newProjectDto().setId(123L).setUuid("THE_PROJECT_UUID");
- private static final long NOW = 123456789L;
-
- @Rule
- public ExpectedException throwable = ExpectedException.none();
-
- private System2 system2 = mock(System2.class);
-
- @Rule
- public DbTester dbTester = DbTester.create(system2);
-
- private PermissionTemplateDbTester templateDb = dbTester.permissionTemplates();
- private DbSession session = dbTester.getSession();
- private Settings settings = new MapSettings();
- private PermissionRepository underTest = new PermissionRepository(dbTester.getDbClient(), settings);
-
- @Before
- public void setUp() {
- when(system2.now()).thenReturn(NOW);
- }
-
- @Test
- public void apply_permission_template() {
- dbTester.prepareDbUnit(getClass(), "should_apply_permission_template.xml");
-
- assertThat(selectProjectPermissionsOfGroup("org1", 100L, PROJECT)).isEmpty();
- assertThat(selectProjectPermissionsOfGroup("org1", 101L, PROJECT)).isEmpty();
- assertThat(selectProjectPermissionsOfGroup("org1", null, PROJECT)).isEmpty();
- assertThat(selectProjectPermissionsOfUser(200L, PROJECT)).isEmpty();
-
- PermissionTemplateDto template = dbTester.getDbClient().permissionTemplateDao().selectByUuid(session, "default_20130101_010203");
- underTest.apply(session, template, PROJECT, null);
-
- assertThat(selectProjectPermissionsOfGroup("org1", 100L, PROJECT)).containsOnly("admin", "issueadmin");
- assertThat(selectProjectPermissionsOfGroup("org1", 101L, PROJECT)).containsOnly("user", "codeviewer");
- assertThat(selectProjectPermissionsOfGroup("org1", null, PROJECT)).containsOnly("user", "codeviewer");
- assertThat(selectProjectPermissionsOfUser(200L, PROJECT)).containsOnly("admin");
-
- checkAuthorizationUpdatedAtIsUpdated();
- }
-
- private List<String> selectProjectPermissionsOfGroup(String organizationUuid, @Nullable Long groupId, ComponentDto project) {
- return dbTester.getDbClient().groupPermissionDao().selectProjectPermissionsOfGroup(session,
- organizationUuid, groupId != null ? groupId : null, project.getId());
- }
-
- private List<String> selectProjectPermissionsOfUser(long userId, ComponentDto project) {
- return dbTester.getDbClient().userPermissionDao().selectProjectPermissionsOfUser(session,
- userId, project.getId());
- }
-
- @Test
- public void apply_default_permission_template_from_component_id() {
- dbTester.prepareDbUnit(getClass(), "apply_default_permission_template_by_component_id.xml");
- settings.setProperty("sonar.permission.template.default", DEFAULT_TEMPLATE);
-
- underTest.applyDefaultPermissionTemplate(session, PROJECT.getId());
- session.commit();
-
- dbTester.assertDbUnitTable(getClass(), "apply_default_permission_template_by_component_id-result.xml", "user_roles", "user_id", "resource_id", "role");
- }
-
- @Test
- public void apply_default_permission_template_from_component() {
- dbTester.prepareDbUnit(getClass(), "apply_default_permission_template.xml");
- settings.setProperty("sonar.permission.template.default", DEFAULT_TEMPLATE);
-
- underTest.applyDefaultPermissionTemplate(session, dbTester.getDbClient().componentDao().selectOrFailByKey(session, "org.struts:struts"), 201L);
- session.commit();
-
- dbTester.assertDbUnitTable(getClass(), "apply_default_permission_template-result.xml", "user_roles", "user_id", "resource_id", "role");
- }
-
- @Test
- public void would_user_have_permission_with_default_permission_template() {
- UserDto user = dbTester.users().insertUser();
- GroupDto group = dbTester.users().insertGroup(newGroupDto());
- dbTester.users().insertMember(group, user);
- PermissionTemplateDto template = templateDb.insertTemplate();
- setDefaultTemplateUuid(template.getUuid());
- templateDb.addProjectCreatorToTemplate(template.getId(), SCAN_EXECUTION);
- templateDb.addUserToTemplate(template.getId(), user.getId(), UserRole.USER);
- templateDb.addGroupToTemplate(template.getId(), group.getId(), UserRole.CODEVIEWER);
- templateDb.addGroupToTemplate(template.getId(), null, UserRole.ISSUE_ADMIN);
-
- // authenticated user
- checkWouldUserHavePermission(user.getId(), UserRole.ADMIN, false);
- checkWouldUserHavePermission(user.getId(), SCAN_EXECUTION, true);
- checkWouldUserHavePermission(user.getId(), UserRole.USER, true);
- checkWouldUserHavePermission(user.getId(), UserRole.CODEVIEWER, true);
- checkWouldUserHavePermission(user.getId(), UserRole.ISSUE_ADMIN, true);
-
- // anonymous user
- checkWouldUserHavePermission(null, UserRole.ADMIN, false);
- checkWouldUserHavePermission(null, SCAN_EXECUTION, false);
- checkWouldUserHavePermission(null, UserRole.USER, false);
- checkWouldUserHavePermission(null, UserRole.CODEVIEWER, false);
- checkWouldUserHavePermission(null, UserRole.ISSUE_ADMIN, true);
- }
-
- @Test
- public void would_user_have_permission_with_unknown_default_permission_template() {
- setDefaultTemplateUuid("UNKNOWN_TEMPLATE_UUID");
-
- checkWouldUserHavePermission(null, UserRole.ADMIN, false);
- }
-
- @Test
- public void would_user_have_permission_with_empty_template() {
- PermissionTemplateDto template = templateDb.insertTemplate();
- setDefaultTemplateUuid(template.getUuid());
-
- checkWouldUserHavePermission(null, UserRole.ADMIN, false);
- }
-
- private void checkWouldUserHavePermission(@Nullable Long userId, String permission, boolean expectedResult) {
- assertThat(underTest.wouldUserHavePermissionWithDefaultTemplate(session, userId, permission, "PROJECT_KEY", Qualifiers.PROJECT)).isEqualTo(expectedResult);
- }
-
- private void checkAuthorizationUpdatedAtIsUpdated() {
- assertThat(dbTester.getDbClient().resourceDao().selectResource(PROJECT.getId(), session).getAuthorizationUpdatedAt()).isEqualTo(NOW);
- }
-
- private void setDefaultTemplateUuid(String templateUuid) {
- settings.setProperty("sonar.permission.template.default", templateUuid);
- }
-
-}
+++ /dev/null
-<dataset>
-
- <groups id="100"
- name="sonar-administrators"
- organization_uuid="org1"/>
- <groups id="101"
- name="sonar-users"
- organization_uuid="org1"/>
-
- <users id="200"
- login="marius"
- name="Marius"
- email="[null]"
- active="[true]"
- is_root="[false]"/>
- <users id="201"
- login="janette"
- name="Janette"
- email="[null]"
- active="[true]"
- is_root="[false]"/>
-
- <!-- on other resources -->
- <group_roles id="1"
- group_id="100"
- resource_id="1"
- role="admin"
- organization_uuid="org1"/>
- <group_roles id="2"
- group_id="101"
- resource_id="1"
- role="user"
- organization_uuid="org1"/>
- <user_roles id="1"
- user_id="200"
- resource_id="1"
- role="admin"
- organization_uuid="org1"/>
-
- <!-- new groups permissions : sonar-administrators (admin), sonar-users (user & codeviewer), Anyone (user & codeviewer) -->
- <group_roles id="3"
- group_id="100"
- resource_id="123"
- role="admin"
- organization_uuid="org1"/>
- <group_roles id="4"
- group_id="101"
- resource_id="123"
- role="user"
- organization_uuid="org1"/>
- <group_roles id="5"
- group_id="[null]"
- resource_id="123"
- role="user"
- organization_uuid="org1"/>
- <group_roles id="6"
- group_id="101"
- resource_id="123"
- role="codeviewer"
- organization_uuid="org1"/>
- <group_roles id="7"
- group_id="[null]"
- resource_id="123"
- role="codeviewer"
- organization_uuid="org1"/>
- <group_roles id="8"
- group_id="100"
- resource_id="123"
- role="issueadmin"
- organization_uuid="org1"/>
-
- <!-- new user permission : marius (admin) & janette (user) -->
- <user_roles id="2"
- user_id="200"
- resource_id="123"
- role="admin"
- organization_uuid="org1"/>
- <user_roles id="3"
- user_id="201"
- resource_id="123"
- role="admin"
- organization_uuid="org1"/>
- <user_roles id="4"
- user_id="201"
- resource_id="123"
- role="user"
- organization_uuid="org1"/>
-
- <!-- default permission template for all qualifiers -->
- <permission_templates id="1"
- name="default"
- kee="default_20130101_010203"
- organization_uuid="org1"/>
-
- <perm_templates_groups id="1"
- template_id="1"
- group_id="100"
- permission_reference="admin"/>
- <perm_templates_groups id="2"
- template_id="1"
- group_id="101"
- permission_reference="user"/>
- <perm_templates_groups id="3"
- template_id="1"
- group_id="[null]"
- permission_reference="user"/>
- <perm_templates_groups id="4"
- template_id="1"
- group_id="101"
- permission_reference="codeviewer"/>
- <perm_templates_groups id="5"
- template_id="1"
- group_id="[null]"
- permission_reference="codeviewer"/>
- <perm_templates_groups id="6"
- template_id="1"
- group_id="100"
- permission_reference="issueadmin"/>
-
- <perm_templates_users id="1"
- template_id="1"
- user_id="200"
- permission_reference="admin"/>
-
-</dataset>
+++ /dev/null
-<dataset>
-
- <projects uuid="A"
- uuid_path="NOT_USED"
- root_uuid="A"
- scope="PRJ"
- qualifier="TRK"
- kee="org.struts:struts"
- name="Struts"
- description="the description"
- long_name="Apache Struts"
- enabled="[true]"
- language="java"
- copy_component_uuid="[null]"
- developer_uuid="[null]"
- path="[null]"
- authorization_updated_at="123456789"
- id="123"/>
-
- <groups id="100"
- name="sonar-administrators"
- organization_uuid="org1"/>
- <groups id="101"
- name="sonar-users"
- organization_uuid="org1"/>
-
- <users id="200"
- login="marius"
- name="Marius"
- email="[null]"
- active="[true]"
- is_root="[false]"/>
- <users id="201"
- login="janette"
- name="Janette"
- email="[null]"
- active="[true]"
- is_root="[false]"/>
-
- <!-- on other resources -->
- <group_roles id="1"
- group_id="100"
- resource_id="1"
- role="admin"
- organization_uuid="org1"/>
- <group_roles id="2"
- group_id="101"
- resource_id="1"
- role="user"
- organization_uuid="org1"/>
- <user_roles id="1"
- user_id="200"
- resource_id="1"
- role="admin"
- organization_uuid="org1"/>
-
- <!-- default permission template for all qualifiers -->
- <permission_templates id="1"
- name="default"
- kee="default_20130101_010203"
- organization_uuid="org1"/>
-
- <perm_templates_groups id="1"
- template_id="1"
- group_id="100"
- permission_reference="admin"/>
- <perm_templates_groups id="2"
- template_id="1"
- group_id="101"
- permission_reference="user"/>
- <perm_templates_groups id="3"
- template_id="1"
- group_id="[null]"
- permission_reference="user"/>
- <perm_templates_groups id="4"
- template_id="1"
- group_id="101"
- permission_reference="codeviewer"/>
- <perm_templates_groups id="5"
- template_id="1"
- group_id="[null]"
- permission_reference="codeviewer"/>
- <perm_templates_groups id="6"
- template_id="1"
- group_id="100"
- permission_reference="issueadmin"/>
-
- <perm_templates_users id="1"
- template_id="1"
- user_id="200"
- permission_reference="admin"/>
- <perm_templates_users id="2"
- template_id="1"
- user_id="201"
- permission_reference="admin"/>
-
- <perm_tpl_characteristics id="1"
- template_id="1"
- permission_key="user"
- with_project_creator="[true]"
- created_at="1234567890"
- updated_at="123457890"/>
- <perm_tpl_characteristics id="2"
- template_id="1"
- permission_key="admin"
- with_project_creator="[true]"
- created_at="1234567890"
- updated_at="123457890"/>
- <perm_tpl_characteristics id="3"
- template_id="2"
- permission_key="user"
- with_project_creator="[false]"
- created_at="1234567890"
- updated_at="1234567890"/>
-</dataset>
+++ /dev/null
-<dataset>
-
- <groups id="100"
- name="sonar-administrators"
- organization_uuid="org1"/>
- <groups id="101"
- name="sonar-users"
- organization_uuid="org1"/>
-
- <users id="200"
- login="marius"
- name="Marius"
- email="[null]"
- active="[true]"
- is_root="[false]"/>
- <users id="201"
- login="janette"
- name="Janette"
- email="[null]"
- active="[true]"
- is_root="[false]"/>
-
- <!-- on other resources -->
- <group_roles id="1"
- group_id="100"
- resource_id="1"
- role="admin"
- organization_uuid="org1"/>
- <group_roles id="2"
- group_id="101"
- resource_id="1"
- role="user"
- organization_uuid="org1"/>
- <user_roles id="1"
- user_id="200"
- resource_id="1"
- role="admin"
- organization_uuid="org1"/>
-
- <!-- new groups permissions : sonar-administrators (admin), sonar-users (user & codeviewer), Anyone (user & codeviewer) -->
- <group_roles id="3"
- group_id="100"
- resource_id="123"
- role="admin"
- organization_uuid="org1"/>
- <group_roles id="4"
- group_id="101"
- resource_id="123"
- role="user"
- organization_uuid="org1"/>
- <group_roles id="5"
- group_id="[null]"
- resource_id="123"
- role="user"
- organization_uuid="org1"/>
- <group_roles id="6"
- group_id="101"
- resource_id="123"
- role="codeviewer"
- organization_uuid="org1"/>
- <group_roles id="7"
- group_id="[null]"
- resource_id="123"
- role="codeviewer"
- organization_uuid="org1"/>
- <group_roles id="8"
- group_id="100"
- resource_id="123"
- role="issueadmin"
- organization_uuid="org1"/>
-
- <!-- new user permission : marius (admin) & janette (user) -->
- <user_roles id="2"
- user_id="200"
- resource_id="123"
- role="admin"
- organization_uuid="org1"/>
-
- <!-- default permission template for all qualifiers -->
- <permission_templates id="1"
- name="default"
- kee="default_20130101_010203"
- organization_uuid="org1"/>
-
- <perm_templates_groups id="1"
- template_id="1"
- group_id="100"
- permission_reference="admin"/>
- <perm_templates_groups id="2"
- template_id="1"
- group_id="101"
- permission_reference="user"/>
- <perm_templates_groups id="3"
- template_id="1"
- group_id="[null]"
- permission_reference="user"/>
- <perm_templates_groups id="4"
- template_id="1"
- group_id="101"
- permission_reference="codeviewer"/>
- <perm_templates_groups id="5"
- template_id="1"
- group_id="[null]"
- permission_reference="codeviewer"/>
- <perm_templates_groups id="6"
- template_id="1"
- group_id="100"
- permission_reference="issueadmin"/>
-
- <perm_templates_users id="1"
- template_id="1"
- user_id="200"
- permission_reference="admin"/>
-
-</dataset>
+++ /dev/null
-<dataset>
- <projects uuid="A"
- uuid_path="NOT_USED"
- root_uuid="A"
- scope="PRJ"
- qualifier="TRK"
- kee="org.struts:struts"
- name="Struts"
- description="the description"
- long_name="Apache Struts"
- enabled="[true]"
- language="java"
- copy_component_uuid="[null]"
- developer_uuid="[null]"
- path="[null]"
- authorization_updated_at="123456789"
- id="123"/>
-
- <groups id="100"
- name="sonar-administrators"
- organization_uuid="org1"/>
- <groups id="101"
- name="sonar-users"
- organization_uuid="org1"/>
-
- <users id="200"
- login="marius"
- name="Marius"
- email="[null]"
- active="[true]"
- is_root="[false]"/>
-
- <!-- on other resources -->
- <group_roles id="1"
- group_id="100"
- resource_id="1"
- role="admin"
- organization_uuid="org1"/>
- <group_roles id="2"
- group_id="101"
- resource_id="1"
- role="user"
- organization_uuid="org1"/>
- <user_roles id="1"
- user_id="200"
- resource_id="1"
- role="admin"
- organization_uuid="org1"/>
-
- <!-- default permission template for all qualifiers -->
- <permission_templates id="1"
- name="default"
- kee="default_20130101_010203"
- organization_uuid="org1"/>
-
- <perm_templates_groups id="1"
- template_id="1"
- group_id="100"
- permission_reference="admin"/>
- <perm_templates_groups id="2"
- template_id="1"
- group_id="101"
- permission_reference="user"/>
- <perm_templates_groups id="3"
- template_id="1"
- group_id="[null]"
- permission_reference="user"/>
- <perm_templates_groups id="4"
- template_id="1"
- group_id="101"
- permission_reference="codeviewer"/>
- <perm_templates_groups id="5"
- template_id="1"
- group_id="[null]"
- permission_reference="codeviewer"/>
- <perm_templates_groups id="6"
- template_id="1"
- group_id="100"
- permission_reference="issueadmin"/>
-
- <perm_templates_users id="1"
- template_id="1"
- user_id="200"
- permission_reference="admin"/>
-
- <perm_tpl_characteristics id="1"
- template_id="1"
- permission_key="user"
- with_project_creator="[true]"
- created_at="1234567890"
- updated_at="123457890"/>
- <perm_tpl_characteristics id="2"
- template_id="2"
- permission_key="user"
- with_project_creator="[false]"
- created_at="1234567890"
- updated_at="1234567890"/>
-</dataset>
+++ /dev/null
-<dataset>
-
- <groups id="100"
- name="sonar-administrators"
- organization_uuid="org1"/>
- <groups id="101"
- name="sonar-users"
- organization_uuid="org1"/>
-
- <users id="200"
- login="marius"
- name="Marius"
- email="[null]"
- active="[true]"
- is_root="[false]"/>
-
- <!-- on other resources -->
- <group_roles id="1"
- group_id="100"
- resource_id="1"
- role="admin"
- organization_uuid="org1"/>
- <group_roles id="2"
- group_id="101"
- resource_id="1"
- role="user"
- organization_uuid="org1"/>
- <user_roles id="1"
- user_id="200"
- resource_id="1"
- role="admin"
- organization_uuid="org1"/>
-
- <!-- new groups permissions : sonar-administrators (admin), sonar-users (user & codeviewer), Anyone (user & codeviewer) -->
- <group_roles id="3"
- group_id="100"
- resource_id="123"
- role="admin"
- organization_uuid="org1"/>
- <group_roles id="4"
- group_id="101"
- resource_id="123"
- role="user"
- organization_uuid="org1"/>
- <group_roles id="5"
- group_id="[null]"
- resource_id="123"
- role="user"
- organization_uuid="org1"/>
- <group_roles id="6"
- group_id="101"
- resource_id="123"
- role="codeviewer"
- organization_uuid="org1"/>
- <group_roles id="7"
- group_id="[null]"
- resource_id="123"
- role="codeviewer"
- organization_uuid="org1"/>
- <group_roles id="8"
- group_id="100"
- resource_id="123"
- role="issueadmin"
- organization_uuid="org1"/>
-
- <!-- new user permission : marius (admin) -->
- <user_roles id="2"
- user_id="200"
- resource_id="123"
- role="admin"
- organization_uuid="org1"/>
-
- <!-- default permission template for all qualifiers -->
- <permission_templates id="1"
- name="default"
- kee="default_20130101_010203"
- organization_uuid="org1"/>
-
- <perm_templates_groups id="1"
- template_id="1"
- group_id="100"
- permission_reference="admin"/>
- <perm_templates_groups id="2"
- template_id="1"
- group_id="101"
- permission_reference="user"/>
- <perm_templates_groups id="3"
- template_id="1"
- group_id="[null]"
- permission_reference="user"/>
- <perm_templates_groups id="4"
- template_id="1"
- group_id="101"
- permission_reference="codeviewer"/>
- <perm_templates_groups id="5"
- template_id="1"
- group_id="[null]"
- permission_reference="codeviewer"/>
- <perm_templates_groups id="6"
- template_id="1"
- group_id="100"
- permission_reference="issueadmin"/>
-
- <perm_templates_users id="1"
- template_id="1"
- user_id="200"
- permission_reference="admin"/>
-
-</dataset>
+++ /dev/null
-<dataset>
-
- <projects uuid="THE_PROJECT_UUID"
- uuid_path="NOT_USED"
- root_uuid="THE_PROJECT_UUID"
- scope="PRJ"
- qualifier="TRK"
- kee="org.struts:struts"
- name="Struts"
- description="the description"
- long_name="Apache Struts"
- enabled="[true]"
- language="java"
- copy_component_uuid="[null]"
- developer_uuid="[null]"
- path="[null]"
- authorization_updated_at="123456789"
- id="123"/>
-
- <groups id="100"
- name="sonar-administrators"
- organization_uuid="org1"/>
- <groups id="101"
- name="sonar-users"
- organization_uuid="org1"/>
-
- <users id="200"
- login="marius"
- name="Marius"
- email="[null]"
- active="[true]"
- is_root="[false]"/>
-
- <!-- on other resources -->
- <group_roles id="1"
- group_id="100"
- resource_id="1"
- role="admin"
- organization_uuid="org1"/>
- <group_roles id="2"
- group_id="101"
- resource_id="1"
- role="user"
- organization_uuid="org1"/>
- <user_roles id="1"
- user_id="200"
- resource_id="1"
- role="admin"
- organization_uuid="org1"/>
-
-
- <!-- default permission template for all qualifiers -->
- <permission_templates id="1"
- name="default"
- kee="default_20130101_010203"
- organization_uuid="org1"/>
-
- <perm_templates_groups id="1"
- template_id="1"
- group_id="100"
- permission_reference="admin"/>
- <perm_templates_groups id="2"
- template_id="1"
- group_id="101"
- permission_reference="user"/>
- <perm_templates_groups id="3"
- template_id="1"
- group_id="[null]"
- permission_reference="user"/>
- <perm_templates_groups id="4"
- template_id="1"
- group_id="101"
- permission_reference="codeviewer"/>
- <perm_templates_groups id="5"
- template_id="1"
- group_id="[null]"
- permission_reference="codeviewer"/>
- <perm_templates_groups id="6"
- template_id="1"
- group_id="100"
- permission_reference="issueadmin"/>
-
- <perm_templates_users id="1"
- template_id="1"
- user_id="200"
- permission_reference="admin"/>
-
-</dataset>
+++ /dev/null
-<dataset>
-
- <users id="200"
- login="dave.loper"
- name="Dave Loper"
- email="dave.loper@company.net"
- active="[true]"
- is_root="[false]"/>
-
- <groups id="100"
- name="devs"
- organization_uuid="org1"/>
-
- <user_roles id="1"
- user_id="200"
- resource_id="123"
- role="user"
- organization_uuid="org1"/>
-
- <group_roles id="1"
- group_id="100"
- resource_id="123"
- role="codeviewer"
- organization_uuid="org1"/>
-
-</dataset>
+++ /dev/null
-<dataset>
-
- <users id="200"
- login="dave.loper"
- name="Dave Loper"
- email="dave.loper@company.net"
- active="[true]"
- is_root="[false]"/>
-
- <groups id="100"
- name="devs"
- organization_uuid="org1"/>
-
- <user_roles/>
-
- <group_roles/>
-
-</dataset>
+++ /dev/null
-<dataset>
-
- <users id="200"
- login="dave.loper"
- name="Dave Loper"
- email="dave.loper@company.net"
- active="[true]"
- is_root="[false]"/>
-
- <groups id="100"
- name="devs"
- organization_uuid="org1"/>
-
- <user_roles id="1"
- user_id="200"
- resource_id="123"
- role="user"
- organization_uuid="org1"/>
-
- <group_roles id="1"
- group_id="100"
- resource_id="123"
- role="codeviewer"
- organization_uuid="org1"/>
-
-</dataset>
+++ /dev/null
-<dataset>
- <permission_templates id="1"
- name="Môü Gnô Gnèçàß"
- kee="mou_gno_gneca_20130102_010405"
- description="my description"
- key_pattern="[null]"
- organization_uuid="org1"/>
-</dataset>
+++ /dev/null
-<dataset></dataset>
\ No newline at end of file