From b5f6facd4b7070ea08c7a280d1f402ee1ad37373 Mon Sep 17 00:00:00 2001 From: Simon Brandhof Date: Tue, 7 Feb 2017 12:00:32 +0100 Subject: [PATCH] SONAR-8716 fix fallback of component to organization permission --- .../java/it/organization/OrganizationIt.java | 63 ++++++++++++++++++- .../permission/PermissionTemplateService.java | 2 +- .../sonar/server/user/ServerUserSession.java | 19 ++++-- .../server/user/ServerUserSessionTest.java | 10 --- 4 files changed, 76 insertions(+), 18 deletions(-) diff --git a/it/it-tests/src/test/java/it/organization/OrganizationIt.java b/it/it-tests/src/test/java/it/organization/OrganizationIt.java index 327c9f2499e..f16a54af2ce 100644 --- a/it/it-tests/src/test/java/it/organization/OrganizationIt.java +++ b/it/it-tests/src/test/java/it/organization/OrganizationIt.java @@ -20,6 +20,7 @@ package it.organization; import com.sonar.orchestrator.Orchestrator; +import com.sonar.orchestrator.build.BuildFailureException; import it.Category3Suite; import java.util.List; import java.util.function.Consumer; @@ -37,6 +38,8 @@ import org.sonarqube.ws.client.organization.CreateWsRequest; import org.sonarqube.ws.client.organization.OrganizationService; import org.sonarqube.ws.client.organization.SearchWsRequest; import org.sonarqube.ws.client.organization.UpdateWsRequest; +import org.sonarqube.ws.client.permission.AddUserWsRequest; +import org.sonarqube.ws.client.permission.PermissionsService; import util.ItUtils; import util.user.GroupManagement; import util.user.Groups; 
@@ -242,6 +245,63 @@ public class OrganizationIt { expect403HttpError(() -> fooUserOrganizationService.create(createWsRequest)); } + @Test + public void an_organization_member_can_analyze_project() { + verifyNoExtraOrganization(); + + String orgKeyAndName = "org-key"; + Organizations.Organization createdOrganization = adminOrganizationService.create(new CreateWsRequest.Builder() + .setName(orgKeyAndName) + .setKey(orgKeyAndName) + .build()) + .getOrganization(); + verifySingleSearchResult(createdOrganization, orgKeyAndName, null, null, null); + + userRule.createUser("bob", "bob"); + userRule.removeGroups("sonar-users"); + addPermissionsToUser(orgKeyAndName, "bob", "provisioning", "scan"); + + ItUtils.runProjectAnalysis(orchestrator, "shared/xoo-sample", + "sonar.organization", orgKeyAndName, "sonar.login", "bob", "sonar.password", "bob"); + ComponentsService componentsService = ItUtils.newAdminWsClient(orchestrator).components(); + assertThat(searchSampleProject(orgKeyAndName, componentsService).getComponentsList()).hasSize(1); + + adminOrganizationService.delete(orgKeyAndName); + } + + @Test + public void by_default_anonymous_cannot_analyse_project_on_organization() { + verifyNoExtraOrganization(); + + String orgKeyAndName = "org-key"; + Organizations.Organization createdOrganization = adminOrganizationService.create(new CreateWsRequest.Builder() + .setName(orgKeyAndName) + .setKey(orgKeyAndName) + .build()) + .getOrganization(); + verifySingleSearchResult(createdOrganization, orgKeyAndName, null, null, null); + + try { + ItUtils.runProjectAnalysis(orchestrator, "shared/xoo-sample", + "sonar.organization", orgKeyAndName); + fail(); + } catch (BuildFailureException e) { + assertThat(e.getResult().getLogs()).contains("Insufficient privileges"); + } + + ComponentsService componentsService = ItUtils.newAdminWsClient(orchestrator).components(); + assertThat(searchSampleProject(orgKeyAndName, componentsService).getComponentsCount()).isEqualTo(0); + 
adminOrganizationService.delete(orgKeyAndName); + } + + private void addPermissionsToUser(String orgKeyAndName, String login, String permission, String... otherPermissions) { + PermissionsService permissionsService = ItUtils.newAdminWsClient(orchestrator).permissions(); + permissionsService.addUser(new AddUserWsRequest().setLogin(login).setOrganization(orgKeyAndName).setPermission(permission)); + for (String otherPermission : otherPermissions) { + permissionsService.addUser(new AddUserWsRequest().setLogin(login).setOrganization(orgKeyAndName).setPermission(otherPermission)); + } + } + @Test public void deleting_an_organization_also_deletes_group_permissions_and_projects_and_check_security() { verifyNoExtraOrganization(); @@ -263,9 +323,10 @@ public class OrganizationIt { assertThat(groupManagement.getUserGroups("bob").getGroups()) .extracting(Groups.Group::getName) .contains("grp1", "grp2"); + addPermissionsToUser(orgKeyAndName, "bob", "provisioning", "scan"); ItUtils.runProjectAnalysis(orchestrator, "shared/xoo-sample", - "sonar.organization", orgKeyAndName); + "sonar.organization", orgKeyAndName, "sonar.login", "bob", "sonar.password", "bob"); ComponentsService componentsService = ItUtils.newAdminWsClient(orchestrator).components(); assertThat(searchSampleProject(orgKeyAndName, componentsService).getComponentsList()).hasSize(1); diff --git a/server/sonar-server/src/main/java/org/sonar/server/permission/PermissionTemplateService.java b/server/sonar-server/src/main/java/org/sonar/server/permission/PermissionTemplateService.java index 1465bd49326..34cda3357d3 100644 --- a/server/sonar-server/src/main/java/org/sonar/server/permission/PermissionTemplateService.java +++ b/server/sonar-server/src/main/java/org/sonar/server/permission/PermissionTemplateService.java 
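Review bot: The `adminOrganizationService.delete(orgKeyAndName)` cleanup at the end of both new tests runs only when every assertion before it passes, so a single failure leaves the `org-key` organization behind and every later test that opens with `verifyNoExtraOrganization()` fails as well, hiding the original cause. Wrapping each body as `try { … } finally { adminOrganizationService.delete(orgKeyAndName); }` (or deleting in an `@After` hook) keeps the suite isolated. The user `bob` created with `userRule.createUser` is not removed in the test either; presumably `userRule` does that after each test, which is worth confirming. A short comment on `by_default_anonymous_cannot_analyse_project_on_organization` stating why the analysis must be rejected, e.g. `// no organization-level scan permission granted: the scanner must be refused`, would make the negative case self-explanatory.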
@@ -77,7 +77,7 @@ public class PermissionTemplateService { } String effectiveKey = ComponentKeys.createKey(projectKey, branch); - PermissionTemplateDto template = findTemplate(dbSession, organizationUuid, new ComponentDto().setKey(effectiveKey).setQualifier(qualifier)); + PermissionTemplateDto template = findTemplate(dbSession, organizationUuid, new ComponentDto().setOrganizationUuid(organizationUuid).setKey(effectiveKey).setQualifier(qualifier)); if (template == null) { return false; } diff --git a/server/sonar-server/src/main/java/org/sonar/server/user/ServerUserSession.java b/server/sonar-server/src/main/java/org/sonar/server/user/ServerUserSession.java index 7364c9698d7..e92b7c4a8d0 100644 --- a/server/sonar-server/src/main/java/org/sonar/server/user/ServerUserSession.java +++ b/server/sonar-server/src/main/java/org/sonar/server/user/ServerUserSession.java @@ -19,6 +19,7 @@ */ package org.sonar.server.user; +import com.google.common.base.Optional; import com.google.common.base.Supplier; import com.google.common.base.Suppliers; import com.google.common.collect.HashMultimap; @@ -34,8 +35,8 @@ import javax.annotation.CheckForNull; import javax.annotation.Nullable; import org.sonar.db.DbClient; import org.sonar.db.DbSession; +import org.sonar.db.component.ComponentDto; import org.sonar.db.component.ResourceDao; -import org.sonar.db.component.ResourceDto; import org.sonar.db.user.GroupDto; import org.sonar.db.user.UserDto; 
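Review bot: The rewritten `findTemplate` call now carries `organizationUuid` twice, as the second argument and inside the transient `ComponentDto`, on a line that has become very long. Building the DTO in a local first, `ComponentDto component = new ComponentDto().setOrganizationUuid(organizationUuid).setKey(effectiveKey).setQualifier(qualifier);` followed by `PermissionTemplateDto template = findTemplate(dbSession, organizationUuid, component);`, keeps the line readable and makes the duplicated argument visible to a reader. A brief comment saying why the organization UUID must be set on the DTO (presumably `findTemplate` resolves the organization's default template from the component) would help; the enclosing method starts and ends outside the hunk.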
@@ -151,17 +152,23 @@ public class ServerUserSession extends AbstractUserSession { @Override public boolean hasComponentUuidPermission(String permission, String componentUuid) { - if (isRoot() || hasPermission(permission)) { + if (isRoot()) { return true; } String projectUuid = projectUuidByComponentUuid.get(componentUuid); if (projectUuid == null) { - ResourceDto project = resourceDao.selectResource(componentUuid); - if (project == null) { - return false; + try (DbSession dbSession = dbClient.openSession(false)) { + Optional component = dbClient.componentDao().selectByUuid(dbSession, componentUuid); + if (!component.isPresent()) { + return false; + } + projectUuid = component.get().projectUuid(); + if (hasOrganizationPermission(component.get().getOrganizationUuid(), permission)) { + projectUuidByComponentUuid.put(componentUuid, projectUuid); + return true; + } } - projectUuid = project.getProjectUuid(); } boolean hasComponentPermission = hasProjectPermissionByUuid(permission, projectUuid); if (hasComponentPermission) { diff --git a/server/sonar-server/src/test/java/org/sonar/server/user/ServerUserSessionTest.java b/server/sonar-server/src/test/java/org/sonar/server/user/ServerUserSessionTest.java index 0cd02fc01b9..4238f873c19 100644 --- a/server/sonar-server/src/test/java/org/sonar/server/user/ServerUserSessionTest.java +++ b/server/sonar-server/src/test/java/org/sonar/server/user/ServerUserSessionTest.java 
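Review bot: The organization-level fallback is only evaluated on a cache miss: once `projectUuidByComponentUuid` already holds the component (filled here, or presumably by the project-permission path that continues below the hunk), a later call for a different permission on the same component skips `hasOrganizationPermission` and goes straight to `hasProjectPermissionByUuid`, so whether an organization-granted permission is honoured depends on call order. This fails closed rather than open, but an order-dependent authorization decision is still a defect, and the unit test that pinned the old global fallback is deleted without a replacement for the new organization one. Caching the organization UUID next to the project UUID and running the organization check on every call, ahead of the project check, removes the order dependence; the rewrite below needs a second `Map<String, String> organizationUuidByComponentUuid` field declared beside the existing map, outside the hunk. `dbClient` and `hasOrganizationPermission` are not visible here, so I assume they come from a field and from `AbstractUserSession`; the method body continues past the end of the hunk.
```java
  @Override
  public boolean hasComponentUuidPermission(String permission, String componentUuid) {
    if (isRoot()) {
      return true;
    }

    String projectUuid = projectUuidByComponentUuid.get(componentUuid);
    String organizationUuid = organizationUuidByComponentUuid.get(componentUuid);
    if (projectUuid == null || organizationUuid == null) {
      try (DbSession dbSession = dbClient.openSession(false)) {
        Optional<ComponentDto> component = dbClient.componentDao().selectByUuid(dbSession, componentUuid);
        if (!component.isPresent()) {
          return false;
        }
        projectUuid = component.get().projectUuid();
        organizationUuid = component.get().getOrganizationUuid();
      }
      // the component -> project/organization mapping does not depend on the permission, so cache it unconditionally
      projectUuidByComponentUuid.put(componentUuid, projectUuid);
      organizationUuidByComponentUuid.put(componentUuid, organizationUuid);
    }
    // organization-level grant is checked on every call, not only when the cache was cold
    if (hasOrganizationPermission(organizationUuid, permission)) {
      return true;
    }
    // … unchanged: project-level check via hasProjectPermissionByUuid …
```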
@@ -172,16 +172,6 @@ public class ServerUserSessionTest { assertThat(underTest.hasComponentUuidPermission("whatever", "who cares?")).isTrue(); } - @Test - public void has_component_uuid_permission_with_only_global_permission() { - addGlobalPermissions(UserRole.USER); - UserSession session = newUserSession(userDto); - - assertThat(session.hasComponentUuidPermission(UserRole.USER, FILE_UUID)).isTrue(); - assertThat(session.hasComponentUuidPermission(UserRole.CODEVIEWER, FILE_UUID)).isFalse(); - assertThat(session.hasComponentUuidPermission(UserRole.ADMIN, FILE_UUID)).isFalse(); - } - @Test public void checkComponentUuidPermission_succeeds_if_user_has_permission_for_specified_uuid_in_db() { UserSession underTest = newUserSession(ROOT_USER_DTO); -- 2.39.5