123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247 |
- /*
- * SonarQube
- * Copyright (C) 2009-2020 SonarSource SA
- * mailto:info AT sonarsource DOT com
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 3 of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this program; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
- */
- package org.sonar.server.permission;
-
- import java.text.MessageFormat;
- import java.util.ArrayList;
- import java.util.Collection;
- import java.util.Iterator;
- import java.util.List;
- import java.util.Map;
- import java.util.Set;
- import java.util.stream.Collectors;
- import javax.annotation.CheckForNull;
- import javax.annotation.Nullable;
- import org.apache.commons.lang.StringUtils;
- import org.sonar.api.resources.Qualifiers;
- import org.sonar.api.server.ServerSide;
- import org.sonar.core.util.UuidFactory;
- import org.sonar.db.DbClient;
- import org.sonar.db.DbSession;
- import org.sonar.db.component.ComponentDto;
- import org.sonar.db.organization.DefaultTemplates;
- import org.sonar.db.permission.GroupPermissionDto;
- import org.sonar.db.permission.UserPermissionDto;
- import org.sonar.db.permission.template.PermissionTemplateCharacteristicDto;
- import org.sonar.db.permission.template.PermissionTemplateDto;
- import org.sonar.db.permission.template.PermissionTemplateGroupDto;
- import org.sonar.db.permission.template.PermissionTemplateUserDto;
- import org.sonar.db.user.UserDto;
- import org.sonar.server.es.ProjectIndexer;
- import org.sonar.server.es.ProjectIndexers;
- import org.sonar.server.organization.DefaultOrganizationProvider;
- import org.sonar.server.permission.DefaultTemplatesResolver.ResolvedDefaultTemplates;
- import org.sonar.server.user.UserSession;
-
- import static com.google.common.base.Preconditions.checkArgument;
- import static java.lang.String.format;
- import static java.util.Collections.singletonList;
- import static org.sonar.api.security.DefaultGroups.isAnyone;
- import static org.sonar.api.web.UserRole.PUBLIC_PERMISSIONS;
- import static org.sonar.db.permission.OrganizationPermission.SCAN;
-
- @ServerSide
- public class PermissionTemplateService {
-
- private final DbClient dbClient;
- private final ProjectIndexers projectIndexers;
- private final UserSession userSession;
- private final DefaultTemplatesResolver defaultTemplatesResolver;
- private final UuidFactory uuidFactory;
- private final DefaultOrganizationProvider defaultOrganizationProvider;
-
- public PermissionTemplateService(DbClient dbClient, ProjectIndexers projectIndexers, UserSession userSession,
- DefaultTemplatesResolver defaultTemplatesResolver, UuidFactory uuidFactory, DefaultOrganizationProvider defaultOrganizationProvider) {
- this.dbClient = dbClient;
- this.projectIndexers = projectIndexers;
- this.userSession = userSession;
- this.defaultTemplatesResolver = defaultTemplatesResolver;
- this.uuidFactory = uuidFactory;
- this.defaultOrganizationProvider = defaultOrganizationProvider;
- }
-
- public boolean wouldUserHaveScanPermissionWithDefaultTemplate(DbSession dbSession, @Nullable String userUuid, String projectKey) {
- if (userSession.hasPermission(SCAN)) {
- return true;
- }
-
- ComponentDto dto = new ComponentDto().setDbKey(projectKey).setQualifier(Qualifiers.PROJECT);
- PermissionTemplateDto template = findTemplate(dbSession, dto);
- if (template == null) {
- return false;
- }
-
- List<String> potentialPermissions = dbClient.permissionTemplateDao().selectPotentialPermissionsByUserUuidAndTemplateUuid(dbSession, userUuid, template.getUuid());
- return potentialPermissions.contains(SCAN.getKey());
- }
-
- /**
- * Apply a permission template to a set of projects. Authorization to administrate these projects
- * is not verified. The projects must exist, so the "project creator" permissions defined in the
- * template are ignored.
- */
- public void applyAndCommit(DbSession dbSession, PermissionTemplateDto template, Collection<ComponentDto> projects) {
- if (projects.isEmpty()) {
- return;
- }
-
- for (ComponentDto project : projects) {
- copyPermissions(dbSession, template, project, null);
- }
- projectIndexers.commitAndIndexComponents(dbSession, projects, ProjectIndexer.Cause.PERMISSION_CHANGE);
- }
-
- /**
- * Apply the default permission template to project. The project can already exist (so it has permissions) or
- * can be provisioned (so has no permissions yet).
- * @param projectCreatorUserId id of the user who creates the project, only if project is provisioned. He will
- */
- public void applyDefault(DbSession dbSession, ComponentDto component, @Nullable String projectCreatorUserId) {
- PermissionTemplateDto template = findTemplate(dbSession, component);
- checkArgument(template != null, "Cannot retrieve default permission template");
- copyPermissions(dbSession, template, component, projectCreatorUserId);
- }
-
- public boolean hasDefaultTemplateWithPermissionOnProjectCreator(DbSession dbSession, ComponentDto component) {
- PermissionTemplateDto template = findTemplate(dbSession, component);
- return hasProjectCreatorPermission(dbSession, template);
- }
-
- private boolean hasProjectCreatorPermission(DbSession dbSession, @Nullable PermissionTemplateDto template) {
- return template != null && dbClient.permissionTemplateCharacteristicDao().selectByTemplateUuids(dbSession, singletonList(template.getUuid())).stream()
- .anyMatch(PermissionTemplateCharacteristicDto::getWithProjectCreator);
- }
-
- private void copyPermissions(DbSession dbSession, PermissionTemplateDto template, ComponentDto project, @Nullable String projectCreatorUserUuid) {
- dbClient.groupPermissionDao().deleteByRootComponentUuid(dbSession, project.uuid());
- dbClient.userPermissionDao().deleteProjectPermissions(dbSession, project.uuid());
-
- List<PermissionTemplateUserDto> usersPermissions = dbClient.permissionTemplateDao().selectUserPermissionsByTemplateId(dbSession, template.getUuid());
- Map<String, String> userDtoMap = dbClient.userDao().selectByUuids(dbSession, usersPermissions.stream().map(PermissionTemplateUserDto::getUserUuid).collect(Collectors.toSet()))
- .stream().collect(Collectors.toMap(UserDto::getUuid, UserDto::getUuid));
- usersPermissions
- .stream()
- .filter(up -> permissionValidForProject(project, up.getPermission()))
- .forEach(up -> {
- UserPermissionDto dto = new UserPermissionDto(uuidFactory.create(), up.getPermission(), userDtoMap.get(up.getUserUuid()), project.uuid());
- dbClient.userPermissionDao().insert(dbSession, dto);
- });
-
- List<PermissionTemplateGroupDto> groupsPermissions = dbClient.permissionTemplateDao().selectGroupPermissionsByTemplateUuid(dbSession, template.getUuid());
- groupsPermissions
- .stream()
- .filter(gp -> groupNameValidForProject(project, gp.getGroupName()))
- .filter(gp -> permissionValidForProject(project, gp.getPermission()))
- .forEach(gp -> {
- GroupPermissionDto dto = new GroupPermissionDto()
- .setUuid(uuidFactory.create())
- .setGroupUuid(isAnyone(gp.getGroupName()) ? null : gp.getGroupUuid())
- .setRole(gp.getPermission())
- .setComponentUuid(project.uuid());
- dbClient.groupPermissionDao().insert(dbSession, dto);
- });
-
- List<PermissionTemplateCharacteristicDto> characteristics = dbClient.permissionTemplateCharacteristicDao().selectByTemplateUuids(dbSession, singletonList(template.getUuid()));
- if (projectCreatorUserUuid != null) {
- Set<String> permissionsForCurrentUserAlreadyInDb = usersPermissions.stream()
- .filter(userPermission -> projectCreatorUserUuid.equals(userPermission.getUserUuid()))
- .map(PermissionTemplateUserDto::getPermission)
- .collect(java.util.stream.Collectors.toSet());
-
- UserDto userDto = dbClient.userDao().selectByUuid(dbSession, projectCreatorUserUuid);
- characteristics.stream()
- .filter(PermissionTemplateCharacteristicDto::getWithProjectCreator)
- .filter(up -> permissionValidForProject(project, up.getPermission()))
- .filter(characteristic -> !permissionsForCurrentUserAlreadyInDb.contains(characteristic.getPermission()))
- .forEach(c -> {
- UserPermissionDto dto = new UserPermissionDto(uuidFactory.create(), c.getPermission(), userDto.getUuid(), project.uuid());
- dbClient.userPermissionDao().insert(dbSession, dto);
- });
- }
- }
-
- private static boolean permissionValidForProject(ComponentDto project, String permission) {
- return project.isPrivate() || !PUBLIC_PERMISSIONS.contains(permission);
- }
-
- private static boolean groupNameValidForProject(ComponentDto project, String groupName) {
- return !project.isPrivate() || !isAnyone(groupName);
- }
-
- /**
- * Return the permission template for the given component. If no template key pattern match then consider default
- * template for the component qualifier.
- */
- @CheckForNull
- private PermissionTemplateDto findTemplate(DbSession dbSession, ComponentDto component) {
- String organizationUuid = defaultOrganizationProvider.get().getUuid();
- List<PermissionTemplateDto> allPermissionTemplates = dbClient.permissionTemplateDao().selectAll(dbSession, null);
- List<PermissionTemplateDto> matchingTemplates = new ArrayList<>();
- for (PermissionTemplateDto permissionTemplateDto : allPermissionTemplates) {
- String keyPattern = permissionTemplateDto.getKeyPattern();
- if (StringUtils.isNotBlank(keyPattern) && component.getDbKey().matches(keyPattern)) {
- matchingTemplates.add(permissionTemplateDto);
- }
- }
- checkAtMostOneMatchForComponentKey(component.getDbKey(), matchingTemplates);
- if (matchingTemplates.size() == 1) {
- return matchingTemplates.get(0);
- }
-
- DefaultTemplates defaultTemplates = dbClient.organizationDao().getDefaultTemplates(dbSession, organizationUuid)
- .orElseThrow(() -> new IllegalStateException(
- format("No Default templates defined for organization with uuid '%s'", organizationUuid)));
-
- String qualifier = component.qualifier();
- ResolvedDefaultTemplates resolvedDefaultTemplates = defaultTemplatesResolver.resolve(defaultTemplates);
- switch (qualifier) {
- case Qualifiers.PROJECT:
- return dbClient.permissionTemplateDao().selectByUuid(dbSession, resolvedDefaultTemplates.getProject());
- case Qualifiers.VIEW:
- String portDefaultTemplateUuid = resolvedDefaultTemplates.getPortfolio().orElseThrow(
- () -> new IllegalStateException("Attempt to create a view when Governance plugin is not installed"));
- return dbClient.permissionTemplateDao().selectByUuid(dbSession, portDefaultTemplateUuid);
- case Qualifiers.APP:
- String appDefaultTemplateUuid = resolvedDefaultTemplates.getApplication().orElseThrow(
- () -> new IllegalStateException("Attempt to create a view when Governance plugin is not installed"));
- return dbClient.permissionTemplateDao().selectByUuid(dbSession, appDefaultTemplateUuid);
- default:
- throw new IllegalArgumentException(format("Qualifier '%s' is not supported", qualifier));
- }
- }
-
- private static void checkAtMostOneMatchForComponentKey(String componentKey, List<PermissionTemplateDto> matchingTemplates) {
- if (matchingTemplates.size() > 1) {
- StringBuilder templatesNames = new StringBuilder();
- for (Iterator<PermissionTemplateDto> it = matchingTemplates.iterator(); it.hasNext();) {
- templatesNames.append("\"").append(it.next().getName()).append("\"");
- if (it.hasNext()) {
- templatesNames.append(", ");
- }
- }
- throw new IllegalStateException(MessageFormat.format(
- "The \"{0}\" key matches multiple permission templates: {1}."
- + " A system administrator must update these templates so that only one of them matches the key.",
- componentKey,
- templatesNames.toString()));
- }
- }
-
- }
|