mirrors
/
sonarqube
mirror of https://github.com/SonarSource/sonarqube.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 237 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
36262 Commits
59 Branches
Tree: 412f42cb11
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '412f42cb11'
${ noResults }
sonarqube/server/sonar-webserver-common/src/main/java/org/sonar/server/common/permission/GroupPermissionChanger.java

GroupPermissionChanger.java 7.4KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182 
  1. /*

  2.  * SonarQube

  3.  * Copyright (C) 2009-2024 SonarSource SA

  4.  * mailto:info AT sonarsource DOT com

  5.  *

  6.  * This program is free software; you can redistribute it and/or

  7.  * modify it under the terms of the GNU Lesser General Public

  8.  * License as published by the Free Software Foundation; either

  9.  * version 3 of the License, or (at your option) any later version.

  10.  *

  11.  * This program is distributed in the hope that it will be useful,

  12.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  13.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

  14.  * Lesser General Public License for more details.

  15.  *

  16.  * You should have received a copy of the GNU Lesser General Public License

  17.  * along with this program; if not, write to the Free Software Foundation,

  18.  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

  19.  */

  20. package org.sonar.server.common.permission;

  21. 

  22. import java.util.HashSet;

  23. import java.util.Set;

  24. import javax.annotation.Nullable;

  25. import org.sonar.api.web.UserRole;

  26. import org.sonar.core.util.UuidFactory;

  27. import org.sonar.db.DbClient;

  28. import org.sonar.db.DbSession;

  29. import org.sonar.db.entity.EntityDto;

  30. import org.sonar.db.permission.GlobalPermission;

  31. import org.sonar.db.permission.GroupPermissionDto;

  32. import org.sonar.server.exceptions.BadRequestException;

  33. import org.sonar.server.permission.GroupUuidOrAnyone;

  34. 

  35. import static com.google.common.base.Preconditions.checkNotNull;

  36. import static java.lang.String.format;

  37. import static org.sonar.server.common.permission.Operation.ADD;

  38. import static org.sonar.server.common.permission.Operation.REMOVE;

  39. import static org.sonar.server.exceptions.BadRequestException.checkRequest;

  40. 

  41. public class GroupPermissionChanger implements GranteeTypeSpecificPermissionUpdater<GroupPermissionChange> {

  42. 

  43.   private final DbClient dbClient;

  44.   private final UuidFactory uuidFactory;

  45. 

  46.   public GroupPermissionChanger(DbClient dbClient, UuidFactory uuidFactory) {

  47.     this.dbClient = dbClient;

  48.     this.uuidFactory = uuidFactory;

  49.   }

  50. 

  51.   @Override

  52.   public Class<GroupPermissionChange> getHandledClass() {

  53.     return GroupPermissionChange.class;

  54.   }

  55. 

  56.   @Override

  57.   public Set<String> loadExistingEntityPermissions(DbSession dbSession, String uuidOfGrantee, @Nullable String entityUuid) {

  58.     if (entityUuid != null) {

  59.       return new HashSet<>(dbClient.groupPermissionDao().selectEntityPermissionsOfGroup(dbSession, uuidOfGrantee, entityUuid));

  60.     }

  61.     return new HashSet<>(dbClient.groupPermissionDao().selectGlobalPermissionsOfGroup(dbSession, uuidOfGrantee));

  62.   }

  63. 

  64.   @Override

  65.   public boolean apply(DbSession dbSession, Set<String> existingPermissions, GroupPermissionChange change) {

  66.     ensureConsistencyWithVisibility(change);

  67.     if (isImplicitlyAlreadyDone(change)) {

  68.       return false;

  69.     }

  70.     switch (change.getOperation()) {

  71.       case ADD:

  72.         if (existingPermissions.contains(change.getPermission())) {

  73.           return false;

  74.         }

  75.         return addPermission(dbSession, change);

  76.       case REMOVE:

  77.         if (!existingPermissions.contains(change.getPermission())) {

  78.           return false;

  79.         }

  80.         return removePermission(dbSession, change);

  81.       default:

  82.         throw new UnsupportedOperationException("Unsupported permission change: " + change.getOperation());

  83.     }

  84.   }

  85. 

  86.   private static boolean isImplicitlyAlreadyDone(GroupPermissionChange change) {

  87.     EntityDto project = change.getEntity();

  88.     if (project != null) {

  89.       return isImplicitlyAlreadyDone(project, change);

  90.     }

  91.     return false;

  92.   }

  93. 

  94.   private static boolean isImplicitlyAlreadyDone(EntityDto project, GroupPermissionChange change) {

  95.     return isAttemptToAddPublicPermissionToPublicComponent(change, project)

  96.       || isAttemptToRemovePermissionFromAnyoneOnPrivateComponent(change, project);

  97.   }

  98. 

  99.   private static boolean isAttemptToAddPublicPermissionToPublicComponent(GroupPermissionChange change, EntityDto project) {

  100.     return !project.isPrivate()

  101.       && change.getOperation() == ADD

  102.       && UserRole.PUBLIC_PERMISSIONS.contains(change.getPermission());

  103.   }

  104. 

  105.   private static boolean isAttemptToRemovePermissionFromAnyoneOnPrivateComponent(GroupPermissionChange change, EntityDto project) {

  106.     return project.isPrivate()

  107.       && change.getOperation() == REMOVE

  108.       && change.getGroupUuidOrAnyone().isAnyone();

  109.   }

  110. 

  111.   private static void ensureConsistencyWithVisibility(GroupPermissionChange change) {

  112.     EntityDto project = change.getEntity();

  113.     if (project != null) {

  114.       checkRequest(

  115.         !isAttemptToAddPermissionToAnyoneOnPrivateComponent(change, project),

  116.         "No permission can be granted to Anyone on a private component");

  117.       BadRequestException.checkRequest(

  118.         !isAttemptToRemovePublicPermissionFromPublicComponent(change, project),

  119.         "Permission %s can't be removed from a public component", change.getPermission());

  120.     }

  121.   }

  122. 

  123.   private static boolean isAttemptToAddPermissionToAnyoneOnPrivateComponent(GroupPermissionChange change, EntityDto project) {

  124.     return project.isPrivate()

  125.       && change.getOperation() == ADD

  126.       && change.getGroupUuidOrAnyone().isAnyone();

  127.   }

  128. 

  129.   private static boolean isAttemptToRemovePublicPermissionFromPublicComponent(GroupPermissionChange change, EntityDto project) {

  130.     return !project.isPrivate()

  131.       && change.getOperation() == REMOVE

  132.       && UserRole.PUBLIC_PERMISSIONS.contains(change.getPermission());

  133.   }

  134. 

  135.   private boolean addPermission(DbSession dbSession, GroupPermissionChange change) {

  136.     validateNotAnyoneAndAdminPermission(change.getPermission(), change.getGroupUuidOrAnyone());

  137. 

  138.     String groupUuid = change.getGroupUuidOrAnyone().getUuid();

  139.     String groupName = change.getGroupName().orElse(null);

  140. 

  141.     GroupPermissionDto addedDto = new GroupPermissionDto()

  142.       .setUuid(uuidFactory.create())

  143.       .setRole(change.getPermission())

  144.       .setGroupUuid(groupUuid)

  145.       .setEntityName(change.getProjectName())

  146.       .setEntityUuid(change.getProjectUuid())

  147.       .setGroupName(groupName);

  148. 

  149.     dbClient.groupPermissionDao().insert(dbSession, addedDto, change.getEntity(), null);

  150.     return true;

  151.   }

  152. 

  153.   private static void validateNotAnyoneAndAdminPermission(String permission, GroupUuidOrAnyone group) {

  154.     checkRequest(!GlobalPermission.ADMINISTER.getKey().equals(permission) || !group.isAnyone(),

  155.       format("It is not possible to add the '%s' permission to group 'Anyone'.", permission));

  156.   }

  157. 

  158.   private boolean removePermission(DbSession dbSession, GroupPermissionChange change) {

  159.     checkIfRemainingGlobalAdministrators(dbSession, change);

  160.     String groupUuid = change.getGroupUuidOrAnyone().getUuid();

  161.     String groupName = change.getGroupName().orElse(null);

  162.     dbClient.groupPermissionDao().delete(dbSession,

  163.       change.getPermission(),

  164.       groupUuid,

  165.       groupName,

  166.       change.getEntity());

  167.     return true;

  168.   }

  169. 

  170.   private void checkIfRemainingGlobalAdministrators(DbSession dbSession, GroupPermissionChange change) {

  171.     GroupUuidOrAnyone groupUuidOrAnyone = change.getGroupUuidOrAnyone();

  172.     if (GlobalPermission.ADMINISTER.getKey().equals(change.getPermission()) &&

  173.       !groupUuidOrAnyone.isAnyone() &&

  174.       change.getProjectUuid() == null) {

  175.       String groupUuid = checkNotNull(groupUuidOrAnyone.getUuid());

  176.       // removing global admin permission from group

  177.       int remaining = dbClient.authorizationDao().countUsersWithGlobalPermissionExcludingGroup(dbSession, GlobalPermission.ADMINISTER.getKey(), groupUuid);

  178.       checkRequest(remaining > 0, "Last group with permission '%s'. Permission cannot be removed.", GlobalPermission.ADMINISTER.getKey());

  179.     }

  180.   }

  181. 

  182. }