mirrors
/
sonarqube
mirror of https://github.com/SonarSource/sonarqube.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 237 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
36262 Commits
59 Branches
Tree: 412f42cb11
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '412f42cb11'
${ noResults }
sonarqube/server/sonar-webserver-common/src/main/java/org/sonar/server/common/almsettings/github/GithubProjectCreator.java

GithubProjectCreator.java 12KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229 
  1. /*

  2.  * SonarQube

  3.  * Copyright (C) 2009-2024 SonarSource SA

  4.  * mailto:info AT sonarsource DOT com

  5.  *

  6.  * This program is free software; you can redistribute it and/or

  7.  * modify it under the terms of the GNU Lesser General Public

  8.  * License as published by the Free Software Foundation; either

  9.  * version 3 of the License, or (at your option) any later version.

  10.  *

  11.  * This program is distributed in the hope that it will be useful,

  12.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  13.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

  14.  * Lesser General Public License for more details.

  15.  *

  16.  * You should have received a copy of the GNU Lesser General Public License

  17.  * along with this program; if not, write to the Free Software Foundation,

  18.  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

  19.  */

  20. package org.sonar.server.common.almsettings.github;

  21. 

  22. import java.util.Optional;

  23. import java.util.Set;

  24. import javax.annotation.CheckForNull;

  25. import javax.annotation.Nullable;

  26. import org.sonar.alm.client.github.GithubPermissionConverter;

  27. import org.sonar.api.web.UserRole;

  28. import org.sonar.auth.github.AppInstallationToken;

  29. import org.sonar.auth.github.GitHubSettings;

  30. import org.sonar.auth.github.GsonRepositoryCollaborator;

  31. import org.sonar.auth.github.GsonRepositoryPermissions;

  32. import org.sonar.auth.github.GsonRepositoryTeam;

  33. import org.sonar.auth.github.client.GithubApplicationClient;

  34. import org.sonar.auth.github.client.GithubApplicationClient.Repository;

  35. import org.sonar.auth.github.security.AccessToken;

  36. import org.sonar.db.DbClient;

  37. import org.sonar.db.DbSession;

  38. import org.sonar.db.alm.setting.AlmSettingDto;

  39. import org.sonar.db.alm.setting.ProjectAlmSettingDto;

  40. import org.sonar.db.component.BranchDto;

  41. import org.sonar.db.project.CreationMethod;

  42. import org.sonar.db.project.ProjectDto;

  43. import org.sonar.db.provisioning.GithubPermissionsMappingDto;

  44. import org.sonar.db.user.GroupDto;

  45. import org.sonar.db.user.UserIdDto;

  46. import org.sonar.server.common.almintegration.ProjectKeyGenerator;

  47. import org.sonar.server.common.almsettings.DevOpsProjectCreator;

  48. import org.sonar.server.common.almsettings.DevOpsProjectDescriptor;

  49. import org.sonar.server.common.permission.Operation;

  50. import org.sonar.server.common.permission.PermissionUpdater;

  51. import org.sonar.server.common.permission.UserPermissionChange;

  52. import org.sonar.server.common.project.ProjectCreator;

  53. import org.sonar.server.component.ComponentCreationData;

  54. import org.sonar.server.management.ManagedProjectService;

  55. import org.sonar.server.permission.PermissionService;

  56. import org.sonar.server.user.UserSession;

  57. 

  58. import static java.util.Objects.requireNonNull;

  59. import static java.util.stream.Collectors.toSet;

  60. import static org.sonar.api.utils.Preconditions.checkState;

  61. 

  62. public class GithubProjectCreator implements DevOpsProjectCreator {

  63. 

  64.   private final DbClient dbClient;

  65.   private final GithubApplicationClient githubApplicationClient;

  66.   private final GithubPermissionConverter githubPermissionConverter;

  67.   private final ProjectKeyGenerator projectKeyGenerator;

  68.   private final PermissionUpdater<UserPermissionChange> permissionUpdater;

  69.   private final PermissionService permissionService;

  70.   private final ManagedProjectService managedProjectService;

  71.   private final ProjectCreator projectCreator;

  72.   private final GithubProjectCreationParameters githubProjectCreationParameters;

  73.   private final DevOpsProjectDescriptor devOpsProjectDescriptor;

  74.   private final UserSession userSession;

  75.   private final AlmSettingDto almSettingDto;

  76.   private final AccessToken devOpsAppInstallationToken;

  77.   private final GitHubSettings gitHubSettings;

  78. 

  79.   @CheckForNull

  80.   private final AppInstallationToken authAppInstallationToken;

  81. 

  82.   public GithubProjectCreator(DbClient dbClient, GithubApplicationClient githubApplicationClient, GithubPermissionConverter githubPermissionConverter,

  83.     ProjectKeyGenerator projectKeyGenerator, PermissionUpdater<UserPermissionChange> permissionUpdater, PermissionService permissionService,

  84.     ManagedProjectService managedProjectService, ProjectCreator projectCreator, GithubProjectCreationParameters githubProjectCreationParameters, GitHubSettings gitHubSettings) {

  85. 

  86.     this.dbClient = dbClient;

  87.     this.githubApplicationClient = githubApplicationClient;

  88.     this.githubPermissionConverter = githubPermissionConverter;

  89.     this.projectKeyGenerator = projectKeyGenerator;

  90.     this.permissionUpdater = permissionUpdater;

  91.     this.permissionService = permissionService;

  92.     this.managedProjectService = managedProjectService;

  93.     this.projectCreator = projectCreator;

  94.     this.githubProjectCreationParameters = githubProjectCreationParameters;

  95.     userSession = githubProjectCreationParameters.userSession();

  96.     almSettingDto = githubProjectCreationParameters.almSettingDto();

  97.     devOpsProjectDescriptor = githubProjectCreationParameters.devOpsProjectDescriptor();

  98.     devOpsAppInstallationToken = githubProjectCreationParameters.devOpsAppInstallationToken();

  99.     authAppInstallationToken = githubProjectCreationParameters.authAppInstallationToken();

  100.     this.gitHubSettings = gitHubSettings;

  101.   }

  102. 

  103.   @Override

  104.   public boolean isScanAllowedUsingPermissionsFromDevopsPlatform() {

  105.     checkState(githubProjectCreationParameters.authAppInstallationToken() != null, "An auth app token is required in case repository permissions checking is necessary.");

  106. 

  107.     String[] orgaAndRepoTokenified = devOpsProjectDescriptor.projectIdentifier().split("/");

  108.     String organization = orgaAndRepoTokenified[0];

  109.     String repository = orgaAndRepoTokenified[1];

  110. 

  111.     Set<GithubPermissionsMappingDto> permissionsMappingDtos = dbClient.githubPermissionsMappingDao().findAll(dbClient.openSession(false));

  112. 

  113.     boolean userHasDirectAccessToRepo = doesUserHaveScanPermission(organization, repository, permissionsMappingDtos);

  114.     if (userHasDirectAccessToRepo) {

  115.       return true;

  116.     }

  117.     return doesUserBelongToAGroupWithScanPermission(organization, repository, permissionsMappingDtos);

  118.   }

  119. 

  120.   private boolean doesUserHaveScanPermission(String organization, String repository, Set<GithubPermissionsMappingDto> permissionsMappingDtos) {

  121.     Set<GsonRepositoryCollaborator> repositoryCollaborators = githubApplicationClient.getRepositoryCollaborators(devOpsProjectDescriptor.url(), authAppInstallationToken,

  122.       organization, repository);

  123. 

  124.     String externalLogin = userSession.getExternalIdentity().map(UserSession.ExternalIdentity::login).orElse(null);

  125.     if (externalLogin == null) {

  126.       return false;

  127.     }

  128.     return repositoryCollaborators.stream()

  129.       .filter(gsonRepositoryCollaborator -> externalLogin.equals(gsonRepositoryCollaborator.name()))

  130.       .findAny()

  131.       .map(gsonRepositoryCollaborator -> hasScanPermission(permissionsMappingDtos, gsonRepositoryCollaborator.roleName(), gsonRepositoryCollaborator.permissions()))

  132.       .orElse(false);

  133.   }

  134. 

  135.   private boolean doesUserBelongToAGroupWithScanPermission(String organization, String repository,

  136.     Set<GithubPermissionsMappingDto> permissionsMappingDtos) {

  137.     Set<GsonRepositoryTeam> repositoryTeams = githubApplicationClient.getRepositoryTeams(devOpsProjectDescriptor.url(), authAppInstallationToken, organization, repository);

  138. 

  139.     Set<String> groupsOfUser = findUserMembershipOnSonarQube(organization);

  140.     return repositoryTeams.stream()

  141.       .filter(team -> hasScanPermission(permissionsMappingDtos, team.permission(), team.permissions()))

  142.       .map(GsonRepositoryTeam::name)

  143.       .anyMatch(groupsOfUser::contains);

  144.   }

  145. 

  146.   private Set<String> findUserMembershipOnSonarQube(String organization) {

  147.     return userSession.getGroups().stream()

  148.       .map(GroupDto::getName)

  149.       .filter(groupName -> groupName.contains("/"))

  150.       .map(name -> name.replaceFirst(organization + "/", ""))

  151.       .collect(toSet());

  152.   }

  153. 

  154.   private boolean hasScanPermission(Set<GithubPermissionsMappingDto> permissionsMappingDtos, String role, GsonRepositoryPermissions permissions) {

  155.     Set<String> sonarqubePermissions = githubPermissionConverter.toSonarqubeRolesWithFallbackOnRepositoryPermissions(permissionsMappingDtos,

  156.       role, permissions);

  157.     return sonarqubePermissions.contains(UserRole.SCAN);

  158.   }

  159. 

  160.   @Override

  161.   public ComponentCreationData createProjectAndBindToDevOpsPlatform(DbSession dbSession, CreationMethod creationMethod, Boolean monorepo, @Nullable String projectKey,

  162.     @Nullable String projectName) {

  163.     String url = requireNonNull(almSettingDto.getUrl(), "DevOps Platform url cannot be null");

  164.     Repository repository = githubApplicationClient.getRepository(url, devOpsAppInstallationToken, devOpsProjectDescriptor.projectIdentifier())

  165.       .orElseThrow(() -> new IllegalStateException(

  166.         String.format("Impossible to find the repository '%s' on GitHub, using the devops config %s", devOpsProjectDescriptor.projectIdentifier(), almSettingDto.getKey())));

  167. 

  168.     return createProjectAndBindToDevOpsPlatform(dbSession, monorepo, projectKey, projectName, almSettingDto, repository, creationMethod);

  169.   }

  170. 

  171.   private ComponentCreationData createProjectAndBindToDevOpsPlatform(DbSession dbSession, Boolean monorepo, @Nullable String projectKey, @Nullable String projectName,

  172.     AlmSettingDto almSettingDto,

  173.     Repository repository, CreationMethod creationMethod) {

  174.     String key = Optional.ofNullable(projectKey).orElse(getUniqueProjectKey(repository));

  175. 

  176.     boolean isManaged = gitHubSettings.isProvisioningEnabled();

  177. 

  178.     ComponentCreationData componentCreationData = projectCreator.createProject(dbSession, key, Optional.ofNullable(projectName).orElse(repository.getName()),

  179.       repository.getDefaultBranch(), creationMethod,

  180.       shouldProjectBePrivate(repository), isManaged);

  181.     ProjectDto projectDto = Optional.ofNullable(componentCreationData.projectDto()).orElseThrow();

  182.     createProjectAlmSettingDto(dbSession, repository, projectDto, almSettingDto, monorepo);

  183.     addScanPermissionToCurrentUser(dbSession, projectDto);

  184. 

  185.     BranchDto mainBranchDto = Optional.ofNullable(componentCreationData.mainBranchDto()).orElseThrow();

  186.     if (gitHubSettings.isProvisioningEnabled()) {

  187.       syncProjectPermissionsWithGithub(projectDto, mainBranchDto);

  188.     }

  189.     return componentCreationData;

  190.   }

  191. 

  192.   @CheckForNull

  193.   private Boolean shouldProjectBePrivate(Repository repository) {

  194.     if (gitHubSettings.isProvisioningEnabled() && gitHubSettings.isProjectVisibilitySynchronizationActivated()) {

  195.       return repository.isPrivate();

  196.     } else if (gitHubSettings.isProvisioningEnabled()) {

  197.       return true;

  198.     } else {

  199.       return null;

  200.     }

  201.   }

  202. 

  203.   private void addScanPermissionToCurrentUser(DbSession dbSession, ProjectDto projectDto) {

  204.     UserIdDto userId = new UserIdDto(requireNonNull(userSession.getUuid()), requireNonNull(userSession.getLogin()));

  205.     UserPermissionChange scanPermission = new UserPermissionChange(Operation.ADD, UserRole.SCAN, projectDto, userId, permissionService);

  206.     permissionUpdater.apply(dbSession, Set.of(scanPermission));

  207.   }

  208. 

  209.   private void syncProjectPermissionsWithGithub(ProjectDto projectDto, BranchDto mainBranchDto) {

  210.     String userUuid = requireNonNull(userSession.getUuid());

  211.     managedProjectService.queuePermissionSyncTask(userUuid, mainBranchDto.getUuid(), projectDto.getUuid());

  212.   }

  213. 

  214.   private String getUniqueProjectKey(Repository repository) {

  215.     return projectKeyGenerator.generateUniqueProjectKey(repository.getFullName());

  216.   }

  217. 

  218.   private void createProjectAlmSettingDto(DbSession dbSession, Repository repo, ProjectDto projectDto, AlmSettingDto almSettingDto, Boolean monorepo) {

  219.     ProjectAlmSettingDto projectAlmSettingDto = new ProjectAlmSettingDto()

  220.       .setAlmSettingUuid(almSettingDto.getUuid())

  221.       .setAlmRepo(repo.getFullName())

  222.       .setAlmSlug(null)

  223.       .setProjectUuid(projectDto.getUuid())

  224.       .setSummaryCommentEnabled(true)

  225.       .setMonorepo(monorepo);

  226.     dbClient.projectAlmSettingDao().insertOrUpdate(dbSession, projectAlmSettingDto, almSettingDto.getKey(), projectDto.getName(), projectDto.getKey());

  227.   }

  228. 

  229. }