mirrors
/
sonarqube
zrcadlo https://github.com/SonarSource/sonarqube.git
Sledovat 1
Oblíbit 0
Rozštěpit 0
Zdrojový kód Úkoly 0 Vydání 237 Wiki Aktivita
Nelze vybrat více než 25 témat Téma musí začínat písmenem nebo číslem, může obsahovat pomlčky („-“) a může být dlouhé až 35 znaků.
30154 Revize
59 Větve
Strom: 276abb4233
Větve Značky
${ item.name }
Vytvořit větev ${ searchTerm }
z „276abb4233“
${ noResults }
sonarqube/server/sonar-webserver-webapi/src/main/java/org/sonar/server/permission/PermissionTemplateService.java

PermissionTemplateService.java 12KB
Surový Blame Historie

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247 
  1. /*

  2.  * SonarQube

  3.  * Copyright (C) 2009-2020 SonarSource SA

  4.  * mailto:info AT sonarsource DOT com

  5.  *

  6.  * This program is free software; you can redistribute it and/or

  7.  * modify it under the terms of the GNU Lesser General Public

  8.  * License as published by the Free Software Foundation; either

  9.  * version 3 of the License, or (at your option) any later version.

  10.  *

  11.  * This program is distributed in the hope that it will be useful,

  12.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  13.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

  14.  * Lesser General Public License for more details.

  15.  *

  16.  * You should have received a copy of the GNU Lesser General Public License

  17.  * along with this program; if not, write to the Free Software Foundation,

  18.  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

  19.  */

  20. package org.sonar.server.permission;

  21. 

  22. import java.text.MessageFormat;

  23. import java.util.ArrayList;

  24. import java.util.Collection;

  25. import java.util.Iterator;

  26. import java.util.List;

  27. import java.util.Map;

  28. import java.util.Set;

  29. import java.util.stream.Collectors;

  30. import javax.annotation.CheckForNull;

  31. import javax.annotation.Nullable;

  32. import org.apache.commons.lang.StringUtils;

  33. import org.sonar.api.resources.Qualifiers;

  34. import org.sonar.api.server.ServerSide;

  35. import org.sonar.core.util.UuidFactory;

  36. import org.sonar.db.DbClient;

  37. import org.sonar.db.DbSession;

  38. import org.sonar.db.component.ComponentDto;

  39. import org.sonar.db.organization.DefaultTemplates;

  40. import org.sonar.db.permission.GroupPermissionDto;

  41. import org.sonar.db.permission.UserPermissionDto;

  42. import org.sonar.db.permission.template.PermissionTemplateCharacteristicDto;

  43. import org.sonar.db.permission.template.PermissionTemplateDto;

  44. import org.sonar.db.permission.template.PermissionTemplateGroupDto;

  45. import org.sonar.db.permission.template.PermissionTemplateUserDto;

  46. import org.sonar.db.user.UserDto;

  47. import org.sonar.server.es.ProjectIndexer;

  48. import org.sonar.server.es.ProjectIndexers;

  49. import org.sonar.server.organization.DefaultOrganizationProvider;

  50. import org.sonar.server.permission.DefaultTemplatesResolver.ResolvedDefaultTemplates;

  51. import org.sonar.server.user.UserSession;

  52. 

  53. import static com.google.common.base.Preconditions.checkArgument;

  54. import static java.lang.String.format;

  55. import static java.util.Collections.singletonList;

  56. import static org.sonar.api.security.DefaultGroups.isAnyone;

  57. import static org.sonar.api.web.UserRole.PUBLIC_PERMISSIONS;

  58. import static org.sonar.db.permission.OrganizationPermission.SCAN;

  59. 

  60. @ServerSide

  61. public class PermissionTemplateService {

  62. 

  63.   private final DbClient dbClient;

  64.   private final ProjectIndexers projectIndexers;

  65.   private final UserSession userSession;

  66.   private final DefaultTemplatesResolver defaultTemplatesResolver;

  67.   private final UuidFactory uuidFactory;

  68.   private final DefaultOrganizationProvider defaultOrganizationProvider;

  69. 

  70.   public PermissionTemplateService(DbClient dbClient, ProjectIndexers projectIndexers, UserSession userSession,

  71.     DefaultTemplatesResolver defaultTemplatesResolver, UuidFactory uuidFactory, DefaultOrganizationProvider defaultOrganizationProvider) {

  72.     this.dbClient = dbClient;

  73.     this.projectIndexers = projectIndexers;

  74.     this.userSession = userSession;

  75.     this.defaultTemplatesResolver = defaultTemplatesResolver;

  76.     this.uuidFactory = uuidFactory;

  77.     this.defaultOrganizationProvider = defaultOrganizationProvider;

  78.   }

  79. 

  80.   public boolean wouldUserHaveScanPermissionWithDefaultTemplate(DbSession dbSession, @Nullable String userUuid, String projectKey) {

  81.     if (userSession.hasPermission(SCAN)) {

  82.       return true;

  83.     }

  84. 

  85.     ComponentDto dto = new ComponentDto().setDbKey(projectKey).setQualifier(Qualifiers.PROJECT);

  86.     PermissionTemplateDto template = findTemplate(dbSession, dto);

  87.     if (template == null) {

  88.       return false;

  89.     }

  90. 

  91.     List<String> potentialPermissions = dbClient.permissionTemplateDao().selectPotentialPermissionsByUserUuidAndTemplateUuid(dbSession, userUuid, template.getUuid());

  92.     return potentialPermissions.contains(SCAN.getKey());

  93.   }

  94. 

  95.   /**

  96.    * Apply a permission template to a set of projects. Authorization to administrate these projects

  97.    * is not verified. The projects must exist, so the "project creator" permissions defined in the

  98.    * template are ignored.

  99.    */

  100.   public void applyAndCommit(DbSession dbSession, PermissionTemplateDto template, Collection<ComponentDto> projects) {

  101.     if (projects.isEmpty()) {

  102.       return;

  103.     }

  104. 

  105.     for (ComponentDto project : projects) {

  106.       copyPermissions(dbSession, template, project, null);

  107.     }

  108.     projectIndexers.commitAndIndexComponents(dbSession, projects, ProjectIndexer.Cause.PERMISSION_CHANGE);

  109.   }

  110. 

  111.   /**

  112.    * Apply the default permission template to project. The project can already exist (so it has permissions) or

  113.    * can be provisioned (so has no permissions yet).

  114.    * @param projectCreatorUserId id of the user who creates the project, only if project is provisioned. He will

  115.    */

  116.   public void applyDefault(DbSession dbSession, ComponentDto component, @Nullable String projectCreatorUserId) {

  117.     PermissionTemplateDto template = findTemplate(dbSession, component);

  118.     checkArgument(template != null, "Cannot retrieve default permission template");

  119.     copyPermissions(dbSession, template, component, projectCreatorUserId);

  120.   }

  121. 

  122.   public boolean hasDefaultTemplateWithPermissionOnProjectCreator(DbSession dbSession, ComponentDto component) {

  123.     PermissionTemplateDto template = findTemplate(dbSession, component);

  124.     return hasProjectCreatorPermission(dbSession, template);

  125.   }

  126. 

  127.   private boolean hasProjectCreatorPermission(DbSession dbSession, @Nullable PermissionTemplateDto template) {

  128.     return template != null && dbClient.permissionTemplateCharacteristicDao().selectByTemplateUuids(dbSession, singletonList(template.getUuid())).stream()

  129.       .anyMatch(PermissionTemplateCharacteristicDto::getWithProjectCreator);

  130.   }

  131. 

  132.   private void copyPermissions(DbSession dbSession, PermissionTemplateDto template, ComponentDto project, @Nullable String projectCreatorUserUuid) {

  133.     dbClient.groupPermissionDao().deleteByRootComponentUuid(dbSession, project.uuid());

  134.     dbClient.userPermissionDao().deleteProjectPermissions(dbSession, project.uuid());

  135. 

  136.     List<PermissionTemplateUserDto> usersPermissions = dbClient.permissionTemplateDao().selectUserPermissionsByTemplateId(dbSession, template.getUuid());

  137.     Map<String, String> userDtoMap = dbClient.userDao().selectByUuids(dbSession, usersPermissions.stream().map(PermissionTemplateUserDto::getUserUuid).collect(Collectors.toSet()))

  138.       .stream().collect(Collectors.toMap(UserDto::getUuid, UserDto::getUuid));

  139.     usersPermissions

  140.       .stream()

  141.       .filter(up -> permissionValidForProject(project, up.getPermission()))

  142.       .forEach(up -> {

  143.         UserPermissionDto dto = new UserPermissionDto(uuidFactory.create(), up.getPermission(), userDtoMap.get(up.getUserUuid()), project.uuid());

  144.         dbClient.userPermissionDao().insert(dbSession, dto);

  145.       });

  146. 

  147.     List<PermissionTemplateGroupDto> groupsPermissions = dbClient.permissionTemplateDao().selectGroupPermissionsByTemplateUuid(dbSession, template.getUuid());

  148.     groupsPermissions

  149.       .stream()

  150.       .filter(gp -> groupNameValidForProject(project, gp.getGroupName()))

  151.       .filter(gp -> permissionValidForProject(project, gp.getPermission()))

  152.       .forEach(gp -> {

  153.         GroupPermissionDto dto = new GroupPermissionDto()

  154.           .setUuid(uuidFactory.create())

  155.           .setGroupUuid(isAnyone(gp.getGroupName()) ? null : gp.getGroupUuid())

  156.           .setRole(gp.getPermission())

  157.           .setComponentUuid(project.uuid());

  158.         dbClient.groupPermissionDao().insert(dbSession, dto);

  159.       });

  160. 

  161.     List<PermissionTemplateCharacteristicDto> characteristics = dbClient.permissionTemplateCharacteristicDao().selectByTemplateUuids(dbSession, singletonList(template.getUuid()));

  162.     if (projectCreatorUserUuid != null) {

  163.       Set<String> permissionsForCurrentUserAlreadyInDb = usersPermissions.stream()

  164.         .filter(userPermission -> projectCreatorUserUuid.equals(userPermission.getUserUuid()))

  165.         .map(PermissionTemplateUserDto::getPermission)

  166.         .collect(java.util.stream.Collectors.toSet());

  167. 

  168.       UserDto userDto = dbClient.userDao().selectByUuid(dbSession, projectCreatorUserUuid);

  169.       characteristics.stream()

  170.         .filter(PermissionTemplateCharacteristicDto::getWithProjectCreator)

  171.         .filter(up -> permissionValidForProject(project, up.getPermission()))

  172.         .filter(characteristic -> !permissionsForCurrentUserAlreadyInDb.contains(characteristic.getPermission()))

  173.         .forEach(c -> {

  174.           UserPermissionDto dto = new UserPermissionDto(uuidFactory.create(), c.getPermission(), userDto.getUuid(), project.uuid());

  175.           dbClient.userPermissionDao().insert(dbSession, dto);

  176.         });

  177.     }

  178.   }

  179. 

  180.   private static boolean permissionValidForProject(ComponentDto project, String permission) {

  181.     return project.isPrivate() || !PUBLIC_PERMISSIONS.contains(permission);

  182.   }

  183. 

  184.   private static boolean groupNameValidForProject(ComponentDto project, String groupName) {

  185.     return !project.isPrivate() || !isAnyone(groupName);

  186.   }

  187. 

  188.   /**

  189.    * Return the permission template for the given component. If no template key pattern match then consider default

  190.    * template for the component qualifier.

  191.    */

  192.   @CheckForNull

  193.   private PermissionTemplateDto findTemplate(DbSession dbSession, ComponentDto component) {

  194.     String organizationUuid = defaultOrganizationProvider.get().getUuid();

  195.     List<PermissionTemplateDto> allPermissionTemplates = dbClient.permissionTemplateDao().selectAll(dbSession, null);

  196.     List<PermissionTemplateDto> matchingTemplates = new ArrayList<>();

  197.     for (PermissionTemplateDto permissionTemplateDto : allPermissionTemplates) {

  198.       String keyPattern = permissionTemplateDto.getKeyPattern();

  199.       if (StringUtils.isNotBlank(keyPattern) && component.getDbKey().matches(keyPattern)) {

  200.         matchingTemplates.add(permissionTemplateDto);

  201.       }

  202.     }

  203.     checkAtMostOneMatchForComponentKey(component.getDbKey(), matchingTemplates);

  204.     if (matchingTemplates.size() == 1) {

  205.       return matchingTemplates.get(0);

  206.     }

  207. 

  208.     DefaultTemplates defaultTemplates = dbClient.organizationDao().getDefaultTemplates(dbSession, organizationUuid)

  209.       .orElseThrow(() -> new IllegalStateException(

  210.         format("No Default templates defined for organization with uuid '%s'", organizationUuid)));

  211. 

  212.     String qualifier = component.qualifier();

  213.     ResolvedDefaultTemplates resolvedDefaultTemplates = defaultTemplatesResolver.resolve(defaultTemplates);

  214.     switch (qualifier) {

  215.       case Qualifiers.PROJECT:

  216.         return dbClient.permissionTemplateDao().selectByUuid(dbSession, resolvedDefaultTemplates.getProject());

  217.       case Qualifiers.VIEW:

  218.         String portDefaultTemplateUuid = resolvedDefaultTemplates.getPortfolio().orElseThrow(

  219.           () -> new IllegalStateException("Attempt to create a view when Governance plugin is not installed"));

  220.         return dbClient.permissionTemplateDao().selectByUuid(dbSession, portDefaultTemplateUuid);

  221.       case Qualifiers.APP:

  222.         String appDefaultTemplateUuid = resolvedDefaultTemplates.getApplication().orElseThrow(

  223.           () -> new IllegalStateException("Attempt to create a view when Governance plugin is not installed"));

  224.         return dbClient.permissionTemplateDao().selectByUuid(dbSession, appDefaultTemplateUuid);

  225.       default:

  226.         throw new IllegalArgumentException(format("Qualifier '%s' is not supported", qualifier));

  227.     }

  228.   }

  229. 

  230.   private static void checkAtMostOneMatchForComponentKey(String componentKey, List<PermissionTemplateDto> matchingTemplates) {

  231.     if (matchingTemplates.size() > 1) {

  232.       StringBuilder templatesNames = new StringBuilder();

  233.       for (Iterator<PermissionTemplateDto> it = matchingTemplates.iterator(); it.hasNext();) {

  234.         templatesNames.append("\"").append(it.next().getName()).append("\"");

  235.         if (it.hasNext()) {

  236.           templatesNames.append(", ");

  237.         }

  238.       }

  239.       throw new IllegalStateException(MessageFormat.format(

  240.         "The \"{0}\" key matches multiple permission templates: {1}."

  241.           + " A system administrator must update these templates so that only one of them matches the key.",

  242.         componentKey,

  243.         templatesNames.toString()));

  244.     }

  245.   }

  246. 

  247. }