mirrors
/
sonarqube
mirror of https://github.com/SonarSource/sonarqube.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 237 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
36261 Commits
59 Branches
Tree: 1398b6005b
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '1398b6005b'
${ noResults }
sonarqube/server/sonar-webserver-webapi/src/main/java/org/sonar/server/almsettings/ws/GithubProjectCreator.java

GithubProjectCreator.java 12KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227 
  1. /*

  2.  * SonarQube

  3.  * Copyright (C) 2009-2024 SonarSource SA

  4.  * mailto:info AT sonarsource DOT com

  5.  *

  6.  * This program is free software; you can redistribute it and/or

  7.  * modify it under the terms of the GNU Lesser General Public

  8.  * License as published by the Free Software Foundation; either

  9.  * version 3 of the License, or (at your option) any later version.

  10.  *

  11.  * This program is distributed in the hope that it will be useful,

  12.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  13.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

  14.  * Lesser General Public License for more details.

  15.  *

  16.  * You should have received a copy of the GNU Lesser General Public License

  17.  * along with this program; if not, write to the Free Software Foundation,

  18.  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

  19.  */

  20. package org.sonar.server.almsettings.ws;

  21. 

  22. import java.util.Optional;

  23. import java.util.Set;

  24. import javax.annotation.CheckForNull;

  25. import javax.annotation.Nullable;

  26. import org.sonar.auth.github.AppInstallationToken;

  27. import org.sonar.auth.github.GitHubSettings;

  28. import org.sonar.auth.github.client.GithubApplicationClient;

  29. import org.sonar.alm.client.github.GithubPermissionConverter;

  30. import org.sonar.auth.github.GsonRepositoryCollaborator;

  31. import org.sonar.auth.github.GsonRepositoryTeam;

  32. import org.sonar.auth.github.client.GithubApplicationClient.Repository;

  33. import org.sonar.auth.github.security.AccessToken;

  34. import org.sonar.api.web.UserRole;

  35. import org.sonar.auth.github.GsonRepositoryPermissions;

  36. import org.sonar.db.DbClient;

  37. import org.sonar.db.DbSession;

  38. import org.sonar.db.alm.setting.AlmSettingDto;

  39. import org.sonar.db.alm.setting.ProjectAlmSettingDto;

  40. import org.sonar.db.component.BranchDto;

  41. import org.sonar.db.project.CreationMethod;

  42. import org.sonar.db.project.ProjectDto;

  43. import org.sonar.db.provisioning.GithubPermissionsMappingDto;

  44. import org.sonar.db.user.GroupDto;

  45. import org.sonar.db.user.UserIdDto;

  46. import org.sonar.server.almintegration.ws.ProjectKeyGenerator;

  47. import org.sonar.server.common.permission.Operation;

  48. import org.sonar.server.component.ComponentCreationData;

  49. import org.sonar.server.management.ManagedProjectService;

  50. import org.sonar.server.permission.PermissionService;

  51. import org.sonar.server.permission.PermissionUpdater;

  52. import org.sonar.server.permission.UserPermissionChange;

  53. import org.sonar.server.project.ws.ProjectCreator;

  54. import org.sonar.server.user.UserSession;

  55. 

  56. import static java.util.Objects.requireNonNull;

  57. import static java.util.stream.Collectors.toSet;

  58. import static org.sonar.api.utils.Preconditions.checkState;

  59. 

  60. public class GithubProjectCreator implements DevOpsProjectCreator {

  61. 

  62.   private final DbClient dbClient;

  63.   private final GithubApplicationClient githubApplicationClient;

  64.   private final GithubPermissionConverter githubPermissionConverter;

  65.   private final ProjectKeyGenerator projectKeyGenerator;

  66.   private final PermissionUpdater<UserPermissionChange> permissionUpdater;

  67.   private final PermissionService permissionService;

  68.   private final ManagedProjectService managedProjectService;

  69.   private final ProjectCreator projectCreator;

  70.   private final GithubProjectCreationParameters githubProjectCreationParameters;

  71.   private final DevOpsProjectDescriptor devOpsProjectDescriptor;

  72.   private final UserSession userSession;

  73.   private final AlmSettingDto almSettingDto;

  74.   private final AccessToken devOpsAppInstallationToken;

  75.   private final GitHubSettings gitHubSettings;

  76. 

  77.   @CheckForNull

  78.   private final AppInstallationToken authAppInstallationToken;

  79. 

  80.   public GithubProjectCreator(DbClient dbClient, GithubApplicationClient githubApplicationClient, GithubPermissionConverter githubPermissionConverter,

  81.     ProjectKeyGenerator projectKeyGenerator, PermissionUpdater<UserPermissionChange> permissionUpdater, PermissionService permissionService,

  82.     ManagedProjectService managedProjectService, ProjectCreator projectCreator, GithubProjectCreationParameters githubProjectCreationParameters, GitHubSettings gitHubSettings) {

  83. 

  84.     this.dbClient = dbClient;

  85.     this.githubApplicationClient = githubApplicationClient;

  86.     this.githubPermissionConverter = githubPermissionConverter;

  87.     this.projectKeyGenerator = projectKeyGenerator;

  88.     this.permissionUpdater = permissionUpdater;

  89.     this.permissionService = permissionService;

  90.     this.managedProjectService = managedProjectService;

  91.     this.projectCreator = projectCreator;

  92.     this.githubProjectCreationParameters = githubProjectCreationParameters;

  93.     userSession = githubProjectCreationParameters.userSession();

  94.     almSettingDto = githubProjectCreationParameters.almSettingDto();

  95.     devOpsProjectDescriptor = githubProjectCreationParameters.devOpsProjectDescriptor();

  96.     devOpsAppInstallationToken = githubProjectCreationParameters.devOpsAppInstallationToken();

  97.     authAppInstallationToken = githubProjectCreationParameters.authAppInstallationToken();

  98.     this.gitHubSettings = gitHubSettings;

  99.   }

  100. 

  101.   @Override

  102.   public boolean isScanAllowedUsingPermissionsFromDevopsPlatform() {

  103.     checkState(githubProjectCreationParameters.authAppInstallationToken() != null, "An auth app token is required in case repository permissions checking is necessary.");

  104. 

  105.     String[] orgaAndRepoTokenified = devOpsProjectDescriptor.projectIdentifier().split("/");

  106.     String organization = orgaAndRepoTokenified[0];

  107.     String repository = orgaAndRepoTokenified[1];

  108. 

  109.     Set<GithubPermissionsMappingDto> permissionsMappingDtos = dbClient.githubPermissionsMappingDao().findAll(dbClient.openSession(false));

  110. 

  111.     boolean userHasDirectAccessToRepo = doesUserHaveScanPermission(organization, repository, permissionsMappingDtos);

  112.     if (userHasDirectAccessToRepo) {

  113.       return true;

  114.     }

  115.     return doesUserBelongToAGroupWithScanPermission(organization, repository, permissionsMappingDtos);

  116.   }

  117. 

  118.   private boolean doesUserHaveScanPermission(String organization, String repository, Set<GithubPermissionsMappingDto> permissionsMappingDtos) {

  119.     Set<GsonRepositoryCollaborator> repositoryCollaborators = githubApplicationClient.getRepositoryCollaborators(devOpsProjectDescriptor.url(), authAppInstallationToken,

  120.       organization, repository);

  121. 

  122.     String externalLogin = userSession.getExternalIdentity().map(UserSession.ExternalIdentity::login).orElse(null);

  123.     if (externalLogin == null) {

  124.       return false;

  125.     }

  126.     return repositoryCollaborators.stream()

  127.       .filter(gsonRepositoryCollaborator -> externalLogin.equals(gsonRepositoryCollaborator.name()))

  128.       .findAny()

  129.       .map(gsonRepositoryCollaborator -> hasScanPermission(permissionsMappingDtos, gsonRepositoryCollaborator.roleName(), gsonRepositoryCollaborator.permissions()))

  130.       .orElse(false);

  131.   }

  132. 

  133.   private boolean doesUserBelongToAGroupWithScanPermission(String organization, String repository,

  134.     Set<GithubPermissionsMappingDto> permissionsMappingDtos) {

  135.     Set<GsonRepositoryTeam> repositoryTeams = githubApplicationClient.getRepositoryTeams(devOpsProjectDescriptor.url(), authAppInstallationToken, organization, repository);

  136. 

  137.     Set<String> groupsOfUser = findUserMembershipOnSonarQube(organization);

  138.     return repositoryTeams.stream()

  139.       .filter(team -> hasScanPermission(permissionsMappingDtos, team.permission(), team.permissions()))

  140.       .map(GsonRepositoryTeam::name)

  141.       .anyMatch(groupsOfUser::contains);

  142.   }

  143. 

  144.   private Set<String> findUserMembershipOnSonarQube(String organization) {

  145.     return userSession.getGroups().stream()

  146.       .map(GroupDto::getName)

  147.       .filter(groupName -> groupName.contains("/"))

  148.       .map(name -> name.replaceFirst(organization + "/", ""))

  149.       .collect(toSet());

  150.   }

  151. 

  152.   private boolean hasScanPermission(Set<GithubPermissionsMappingDto> permissionsMappingDtos, String role, GsonRepositoryPermissions permissions) {

  153.     Set<String> sonarqubePermissions = githubPermissionConverter.toSonarqubeRolesWithFallbackOnRepositoryPermissions(permissionsMappingDtos,

  154.       role, permissions);

  155.     return sonarqubePermissions.contains(UserRole.SCAN);

  156.   }

  157. 

  158.   @Override

  159.   public ComponentCreationData createProjectAndBindToDevOpsPlatform(DbSession dbSession, CreationMethod creationMethod, Boolean monorepo, @Nullable String projectKey,

  160.     @Nullable String projectName) {

  161.     String url = requireNonNull(almSettingDto.getUrl(), "DevOps Platform url cannot be null");

  162.     Repository repository = githubApplicationClient.getRepository(url, devOpsAppInstallationToken, devOpsProjectDescriptor.projectIdentifier())

  163.       .orElseThrow(() -> new IllegalStateException(

  164.         String.format("Impossible to find the repository '%s' on GitHub, using the devops config %s", devOpsProjectDescriptor.projectIdentifier(), almSettingDto.getKey())));

  165. 

  166.     return createProjectAndBindToDevOpsPlatform(dbSession, monorepo, projectKey, projectName, almSettingDto, repository, creationMethod);

  167.   }

  168. 

  169.   private ComponentCreationData createProjectAndBindToDevOpsPlatform(DbSession dbSession, Boolean monorepo, @Nullable String projectKey, @Nullable String projectName,

  170.     AlmSettingDto almSettingDto,

  171.     Repository repository, CreationMethod creationMethod) {

  172.     String key = Optional.ofNullable(projectKey).orElse(getUniqueProjectKey(repository));

  173. 

  174.     boolean isManaged = gitHubSettings.isProvisioningEnabled();

  175. 

  176.     ComponentCreationData componentCreationData = projectCreator.createProject(dbSession, key, Optional.ofNullable(projectName).orElse(repository.getName()),

  177.       repository.getDefaultBranch(), creationMethod,

  178.       shouldProjectBePrivate(repository), isManaged);

  179.     ProjectDto projectDto = Optional.ofNullable(componentCreationData.projectDto()).orElseThrow();

  180.     createProjectAlmSettingDto(dbSession, repository, projectDto, almSettingDto, monorepo);

  181.     addScanPermissionToCurrentUser(dbSession, projectDto);

  182. 

  183.     BranchDto mainBranchDto = Optional.ofNullable(componentCreationData.mainBranchDto()).orElseThrow();

  184.     if (gitHubSettings.isProvisioningEnabled()) {

  185.       syncProjectPermissionsWithGithub(projectDto, mainBranchDto);

  186.     }

  187.     return componentCreationData;

  188.   }

  189. 

  190.   @CheckForNull

  191.   private Boolean shouldProjectBePrivate(Repository repository) {

  192.     if (gitHubSettings.isProvisioningEnabled() && gitHubSettings.isProjectVisibilitySynchronizationActivated()) {

  193.       return repository.isPrivate();

  194.     } else if (gitHubSettings.isProvisioningEnabled()) {

  195.       return true;

  196.     } else {

  197.       return null;

  198.     }

  199.   }

  200. 

  201.   private void addScanPermissionToCurrentUser(DbSession dbSession, ProjectDto projectDto) {

  202.     UserIdDto userId = new UserIdDto(requireNonNull(userSession.getUuid()), requireNonNull(userSession.getLogin()));

  203.     UserPermissionChange scanPermission = new UserPermissionChange(Operation.ADD, UserRole.SCAN, projectDto, userId, permissionService);

  204.     permissionUpdater.apply(dbSession, Set.of(scanPermission));

  205.   }

  206. 

  207.   private void syncProjectPermissionsWithGithub(ProjectDto projectDto, BranchDto mainBranchDto) {

  208.     String userUuid = requireNonNull(userSession.getUuid());

  209.     managedProjectService.queuePermissionSyncTask(userUuid, mainBranchDto.getUuid(), projectDto.getUuid());

  210.   }

  211. 

  212.   private String getUniqueProjectKey(Repository repository) {

  213.     return projectKeyGenerator.generateUniqueProjectKey(repository.getFullName());

  214.   }

  215. 

  216.   private void createProjectAlmSettingDto(DbSession dbSession, Repository repo, ProjectDto projectDto, AlmSettingDto almSettingDto, Boolean monorepo) {

  217.     ProjectAlmSettingDto projectAlmSettingDto = new ProjectAlmSettingDto()

  218.       .setAlmSettingUuid(almSettingDto.getUuid())

  219.       .setAlmRepo(repo.getFullName())

  220.       .setAlmSlug(null)

  221.       .setProjectUuid(projectDto.getUuid())

  222.       .setSummaryCommentEnabled(true)

  223.       .setMonorepo(monorepo);

  224.     dbClient.projectAlmSettingDao().insertOrUpdate(dbSession, projectAlmSettingDto, almSettingDto.getKey(), projectDto.getName(), projectDto.getKey());

  225.   }

  226. 

  227. }