From b5f6facd4b7070ea08c7a280d1f402ee1ad37373 Mon Sep 17 00:00:00 2001
From: Simon Brandhof <simon.brandhof@sonarsource.com>
Date: Tue, 7 Feb 2017 12:00:32 +0100
Subject: [PATCH] SONAR-8716 fix fallback of component to organization
 permission

---
 .../java/it/organization/OrganizationIt.java  | 63 ++++++++++++++++++-
 .../permission/PermissionTemplateService.java |  2 +-
 .../sonar/server/user/ServerUserSession.java  | 19 ++++--
 .../server/user/ServerUserSessionTest.java    | 10 ---
 4 files changed, 76 insertions(+), 18 deletions(-)

diff --git a/it/it-tests/src/test/java/it/organization/OrganizationIt.java b/it/it-tests/src/test/java/it/organization/OrganizationIt.java
index 327c9f2499e..f16a54af2ce 100644
--- a/it/it-tests/src/test/java/it/organization/OrganizationIt.java
+++ b/it/it-tests/src/test/java/it/organization/OrganizationIt.java
@@ -20,6 +20,7 @@
 package it.organization;
 
 import com.sonar.orchestrator.Orchestrator;
+import com.sonar.orchestrator.build.BuildFailureException;
 import it.Category3Suite;
 import java.util.List;
 import java.util.function.Consumer;
@@ -37,6 +38,8 @@ import org.sonarqube.ws.client.organization.CreateWsRequest;
 import org.sonarqube.ws.client.organization.OrganizationService;
 import org.sonarqube.ws.client.organization.SearchWsRequest;
 import org.sonarqube.ws.client.organization.UpdateWsRequest;
+import org.sonarqube.ws.client.permission.AddUserWsRequest;
+import org.sonarqube.ws.client.permission.PermissionsService;
 import util.ItUtils;
 import util.user.GroupManagement;
 import util.user.Groups;
@@ -242,6 +245,63 @@ public class OrganizationIt {
     expect403HttpError(() -> fooUserOrganizationService.create(createWsRequest));
   }
 
+  @Test
+  public void an_organization_member_can_analyze_project() {
+    verifyNoExtraOrganization();
+
+    String orgKeyAndName = "org-key";
+    Organizations.Organization createdOrganization = adminOrganizationService.create(new CreateWsRequest.Builder()
+      .setName(orgKeyAndName)
+      .setKey(orgKeyAndName)
+      .build())
+      .getOrganization();
+    verifySingleSearchResult(createdOrganization, orgKeyAndName, null, null, null);
+
+    userRule.createUser("bob", "bob");
+    userRule.removeGroups("sonar-users");
+    addPermissionsToUser(orgKeyAndName, "bob", "provisioning", "scan");
+
+    ItUtils.runProjectAnalysis(orchestrator, "shared/xoo-sample",
+      "sonar.organization", orgKeyAndName, "sonar.login", "bob", "sonar.password", "bob");
+    ComponentsService componentsService = ItUtils.newAdminWsClient(orchestrator).components();
+    assertThat(searchSampleProject(orgKeyAndName, componentsService).getComponentsList()).hasSize(1);
+
+    adminOrganizationService.delete(orgKeyAndName);
+  }
+
+  @Test
+  public void by_default_anonymous_cannot_analyse_project_on_organization() {
+    verifyNoExtraOrganization();
+
+    String orgKeyAndName = "org-key";
+    Organizations.Organization createdOrganization = adminOrganizationService.create(new CreateWsRequest.Builder()
+      .setName(orgKeyAndName)
+      .setKey(orgKeyAndName)
+      .build())
+      .getOrganization();
+    verifySingleSearchResult(createdOrganization, orgKeyAndName, null, null, null);
+
+    try {
+      ItUtils.runProjectAnalysis(orchestrator, "shared/xoo-sample",
+        "sonar.organization", orgKeyAndName);
+      fail();
+    } catch (BuildFailureException e) {
+      assertThat(e.getResult().getLogs()).contains("Insufficient privileges");
+    }
+
+    ComponentsService componentsService = ItUtils.newAdminWsClient(orchestrator).components();
+    assertThat(searchSampleProject(orgKeyAndName, componentsService).getComponentsCount()).isEqualTo(0);
+    adminOrganizationService.delete(orgKeyAndName);
+  }
+
+  private void addPermissionsToUser(String orgKeyAndName, String login, String permission, String... otherPermissions) {
+    PermissionsService permissionsService = ItUtils.newAdminWsClient(orchestrator).permissions();
+    permissionsService.addUser(new AddUserWsRequest().setLogin(login).setOrganization(orgKeyAndName).setPermission(permission));
+    for (String otherPermission : otherPermissions) {
+      permissionsService.addUser(new AddUserWsRequest().setLogin(login).setOrganization(orgKeyAndName).setPermission(otherPermission));
+    }
+  }
+
   @Test
   public void deleting_an_organization_also_deletes_group_permissions_and_projects_and_check_security() {
     verifyNoExtraOrganization();
@@ -263,9 +323,10 @@ public class OrganizationIt {
     assertThat(groupManagement.getUserGroups("bob").getGroups())
       .extracting(Groups.Group::getName)
       .contains("grp1", "grp2");
+    addPermissionsToUser(orgKeyAndName, "bob", "provisioning", "scan");
 
     ItUtils.runProjectAnalysis(orchestrator, "shared/xoo-sample",
-      "sonar.organization", orgKeyAndName);
+      "sonar.organization", orgKeyAndName, "sonar.login", "bob", "sonar.password", "bob");
     ComponentsService componentsService = ItUtils.newAdminWsClient(orchestrator).components();
     assertThat(searchSampleProject(orgKeyAndName, componentsService).getComponentsList()).hasSize(1);
 
diff --git a/server/sonar-server/src/main/java/org/sonar/server/permission/PermissionTemplateService.java b/server/sonar-server/src/main/java/org/sonar/server/permission/PermissionTemplateService.java
index 1465bd49326..34cda3357d3 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/permission/PermissionTemplateService.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/permission/PermissionTemplateService.java
@@ -77,7 +77,7 @@ public class PermissionTemplateService {
     }
 
     String effectiveKey = ComponentKeys.createKey(projectKey, branch);
-    PermissionTemplateDto template = findTemplate(dbSession, organizationUuid, new ComponentDto().setKey(effectiveKey).setQualifier(qualifier));
+    PermissionTemplateDto template = findTemplate(dbSession, organizationUuid, new ComponentDto().setOrganizationUuid(organizationUuid).setKey(effectiveKey).setQualifier(qualifier));
     if (template == null) {
       return false;
     }
diff --git a/server/sonar-server/src/main/java/org/sonar/server/user/ServerUserSession.java b/server/sonar-server/src/main/java/org/sonar/server/user/ServerUserSession.java
index 7364c9698d7..e92b7c4a8d0 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/user/ServerUserSession.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/user/ServerUserSession.java
@@ -19,6 +19,7 @@
  */
 package org.sonar.server.user;
 
+import com.google.common.base.Optional;
 import com.google.common.base.Supplier;
 import com.google.common.base.Suppliers;
 import com.google.common.collect.HashMultimap;
@@ -34,8 +35,8 @@ import javax.annotation.CheckForNull;
 import javax.annotation.Nullable;
 import org.sonar.db.DbClient;
 import org.sonar.db.DbSession;
+import org.sonar.db.component.ComponentDto;
 import org.sonar.db.component.ResourceDao;
-import org.sonar.db.component.ResourceDto;
 import org.sonar.db.user.GroupDto;
 import org.sonar.db.user.UserDto;
 
@@ -151,17 +152,23 @@ public class ServerUserSession extends AbstractUserSession {
 
   @Override
   public boolean hasComponentUuidPermission(String permission, String componentUuid) {
-    if (isRoot() || hasPermission(permission)) {
+    if (isRoot()) {
       return true;
     }
 
     String projectUuid = projectUuidByComponentUuid.get(componentUuid);
     if (projectUuid == null) {
-      ResourceDto project = resourceDao.selectResource(componentUuid);
-      if (project == null) {
-        return false;
+      try (DbSession dbSession = dbClient.openSession(false)) {
+        Optional<ComponentDto> component = dbClient.componentDao().selectByUuid(dbSession, componentUuid);
+        if (!component.isPresent()) {
+          return false;
+        }
+        projectUuid = component.get().projectUuid();
+        if (hasOrganizationPermission(component.get().getOrganizationUuid(), permission)) {
+          projectUuidByComponentUuid.put(componentUuid, projectUuid);
+          return true;
+        }
       }
-      projectUuid = project.getProjectUuid();
     }
     boolean hasComponentPermission = hasProjectPermissionByUuid(permission, projectUuid);
     if (hasComponentPermission) {
diff --git a/server/sonar-server/src/test/java/org/sonar/server/user/ServerUserSessionTest.java b/server/sonar-server/src/test/java/org/sonar/server/user/ServerUserSessionTest.java
index 0cd02fc01b9..4238f873c19 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/user/ServerUserSessionTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/user/ServerUserSessionTest.java
@@ -172,16 +172,6 @@ public class ServerUserSessionTest {
     assertThat(underTest.hasComponentUuidPermission("whatever", "who cares?")).isTrue();
   }
 
-  @Test
-  public void has_component_uuid_permission_with_only_global_permission() {
-    addGlobalPermissions(UserRole.USER);
-    UserSession session = newUserSession(userDto);
-
-    assertThat(session.hasComponentUuidPermission(UserRole.USER, FILE_UUID)).isTrue();
-    assertThat(session.hasComponentUuidPermission(UserRole.CODEVIEWER, FILE_UUID)).isFalse();
-    assertThat(session.hasComponentUuidPermission(UserRole.ADMIN, FILE_UUID)).isFalse();
-  }
-
   @Test
   public void checkComponentUuidPermission_succeeds_if_user_has_permission_for_specified_uuid_in_db() {
     UserSession underTest = newUserSession(ROOT_USER_DTO);
-- 
2.39.5