mirrors
/
sonarqube
mirror of https://github.com/SonarSource/sonarqube.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 237 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
31090 Commits
59 Branches
Tree: ae5711e2ee
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'ae5711e2ee'
${ noResults }
sonarqube/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/UserRegistrarImpl.java

UserRegistrarImpl.java 13KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284 
  1. /*

  2.  * SonarQube

  3.  * Copyright (C) 2009-2021 SonarSource SA

  4.  * mailto:info AT sonarsource DOT com

  5.  *

  6.  * This program is free software; you can redistribute it and/or

  7.  * modify it under the terms of the GNU Lesser General Public

  8.  * License as published by the Free Software Foundation; either

  9.  * version 3 of the License, or (at your option) any later version.

  10.  *

  11.  * This program is distributed in the hope that it will be useful,

  12.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  13.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

  14.  * Lesser General Public License for more details.

  15.  *

  16.  * You should have received a copy of the GNU Lesser General Public License

  17.  * along with this program; if not, write to the Free Software Foundation,

  18.  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

  19.  */

  20. package org.sonar.server.authentication;

  21. 

  22. import com.google.common.collect.Sets;

  23. import java.util.ArrayList;

  24. import java.util.Collection;

  25. import java.util.HashSet;

  26. import java.util.List;

  27. import java.util.Map;

  28. import java.util.Objects;

  29. import java.util.Optional;

  30. import java.util.Set;

  31. import java.util.function.Consumer;

  32. import javax.annotation.CheckForNull;

  33. import javax.annotation.Nullable;

  34. import org.sonar.api.server.authentication.IdentityProvider;

  35. import org.sonar.api.server.authentication.UserIdentity;

  36. import org.sonar.api.utils.log.Logger;

  37. import org.sonar.api.utils.log.Loggers;

  38. import org.sonar.db.DbClient;

  39. import org.sonar.db.DbSession;

  40. import org.sonar.db.user.GroupDto;

  41. import org.sonar.db.user.UserDto;

  42. import org.sonar.db.user.UserGroupDto;

  43. import org.sonar.server.authentication.event.AuthenticationEvent;

  44. import org.sonar.server.authentication.event.AuthenticationException;

  45. import org.sonar.server.user.ExternalIdentity;

  46. import org.sonar.server.user.NewUser;

  47. import org.sonar.server.user.UpdateUser;

  48. import org.sonar.server.user.UserUpdater;

  49. import org.sonar.server.usergroups.DefaultGroupFinder;

  50. 

  51. import static java.lang.String.format;

  52. import static java.util.Collections.singletonList;

  53. import static org.sonar.core.util.stream.MoreCollectors.uniqueIndex;

  54. 

  55. public class UserRegistrarImpl implements UserRegistrar {

  56. 

  57.   private static final Logger LOGGER = Loggers.get(UserRegistrarImpl.class);

  58.   private static final String SQ_AUTHORITY = "sonarqube";

  59. 

  60.   private final DbClient dbClient;

  61.   private final UserUpdater userUpdater;

  62.   private final DefaultGroupFinder defaultGroupFinder;

  63. 

  64.   public UserRegistrarImpl(DbClient dbClient, UserUpdater userUpdater, DefaultGroupFinder defaultGroupFinder) {

  65.     this.dbClient = dbClient;

  66.     this.userUpdater = userUpdater;

  67.     this.defaultGroupFinder = defaultGroupFinder;

  68.   }

  69. 

  70.   @Override

  71.   public UserDto register(UserRegistration registration) {

  72.     try (DbSession dbSession = dbClient.openSession(false)) {

  73.       UserDto userDto = getUser(dbSession, registration.getUserIdentity(), registration.getProvider(), registration.getSource());

  74.       if (userDto == null) {

  75.         return registerNewUser(dbSession, null, registration);

  76.       }

  77.       if (!userDto.isActive()) {

  78.         return registerNewUser(dbSession, userDto, registration);

  79.       }

  80.       return registerExistingUser(dbSession, userDto, registration);

  81.     }

  82.   }

  83. 

  84.   @CheckForNull

  85.   private UserDto getUser(DbSession dbSession, UserIdentity userIdentity, IdentityProvider provider, AuthenticationEvent.Source source) {

  86.     // First, try to authenticate using the external ID

  87.     UserDto user = dbClient.userDao().selectByExternalIdAndIdentityProvider(dbSession, getProviderIdOrProviderLogin(userIdentity), provider.getKey());

  88.     if (user != null) {

  89.       return user;

  90.     }

  91. 

  92.     // Then, try with the external login, for instance when external ID has changed or is not used by the provider

  93.     user = dbClient.userDao().selectByExternalLoginAndIdentityProvider(dbSession, userIdentity.getProviderLogin(), provider.getKey());

  94.     if (user == null) {

  95.       return null;

  96.     }

  97.     // all gitlab users have an external ID, so the other two authentication methods should never be used

  98.     if (provider.getKey().equals("gitlab")) {

  99.       throw loginAlreadyUsedException(userIdentity, source);

  100.     }

  101. 

  102.     validateEmailToAvoidLoginRecycling(userIdentity, user, source);

  103.     updateUserExternalId(dbSession, user, userIdentity);

  104.     return user;

  105.   }

  106. 

  107.   private void updateUserExternalId(DbSession dbSession, UserDto user, UserIdentity userIdentity) {

  108.     String externalId = userIdentity.getProviderId();

  109.     if (externalId != null) {

  110.       user.setExternalId(externalId);

  111.       dbClient.userDao().update(dbSession, user);

  112.     }

  113.   }

  114. 

  115.   private static void validateEmailToAvoidLoginRecycling(UserIdentity userIdentity, UserDto user, AuthenticationEvent.Source source) {

  116.     String dbEmail = user.getEmail();

  117. 

  118.     if (dbEmail == null) {

  119.       return;

  120.     }

  121. 

  122.     String externalEmail = userIdentity.getEmail();

  123. 

  124.     if (!dbEmail.equals(externalEmail)) {

  125.       LOGGER.warn("User with login '{}' tried to login with email '{}' which doesn't match the email on record '{}'",

  126.         userIdentity.getProviderLogin(), externalEmail, dbEmail);

  127.       throw loginAlreadyUsedException(userIdentity, source);

  128.     }

  129.   }

  130. 

  131.   private static AuthenticationException loginAlreadyUsedException(UserIdentity userIdentity, AuthenticationEvent.Source source) {

  132.     return authException(

  133.       userIdentity,

  134.       source,

  135.       String.format("Login '%s' is already used", userIdentity.getProviderLogin()),

  136.       String.format("You can't sign up because login '%s' is already used by an existing user.", userIdentity.getProviderLogin()));

  137.   }

  138. 

  139.   private static AuthenticationException authException(UserIdentity userIdentity, AuthenticationEvent.Source source, String message, String publicMessage) {

  140.     return AuthenticationException.newBuilder()

  141.       .setSource(source)

  142.       .setLogin(userIdentity.getProviderLogin())

  143.       .setMessage(message)

  144.       .setPublicMessage(publicMessage)

  145.       .build();

  146.   }

  147. 

  148.   private UserDto registerNewUser(DbSession dbSession, @Nullable UserDto disabledUser, UserRegistration authenticatorParameters) {

  149.     Optional<UserDto> otherUserToIndex = detectEmailUpdate(dbSession, authenticatorParameters, disabledUser != null ? disabledUser.getUuid() : null);

  150.     NewUser newUser = createNewUser(authenticatorParameters);

  151.     if (disabledUser == null) {

  152.       return userUpdater.createAndCommit(dbSession, newUser, beforeCommit(dbSession, authenticatorParameters), toArray(otherUserToIndex));

  153.     }

  154.     return userUpdater.reactivateAndCommit(dbSession, disabledUser, newUser, beforeCommit(dbSession, authenticatorParameters), toArray(otherUserToIndex));

  155.   }

  156. 

  157.   private UserDto registerExistingUser(DbSession dbSession, UserDto userDto, UserRegistration authenticatorParameters) {

  158.     UpdateUser update = new UpdateUser()

  159.       .setEmail(authenticatorParameters.getUserIdentity().getEmail())

  160.       .setName(authenticatorParameters.getUserIdentity().getName())

  161.       .setExternalIdentity(new ExternalIdentity(

  162.         authenticatorParameters.getProvider().getKey(),

  163.         authenticatorParameters.getUserIdentity().getProviderLogin(),

  164.         authenticatorParameters.getUserIdentity().getProviderId()));

  165.     Optional<UserDto> otherUserToIndex = detectEmailUpdate(dbSession, authenticatorParameters, userDto.getUuid());

  166.     userUpdater.updateAndCommit(dbSession, userDto, update, beforeCommit(dbSession, authenticatorParameters), toArray(otherUserToIndex));

  167.     return userDto;

  168.   }

  169. 

  170.   private Consumer<UserDto> beforeCommit(DbSession dbSession, UserRegistration authenticatorParameters) {

  171.     return user -> syncGroups(dbSession, authenticatorParameters.getUserIdentity(), user);

  172.   }

  173. 

  174.   private Optional<UserDto> detectEmailUpdate(DbSession dbSession, UserRegistration authenticatorParameters, @Nullable String authenticatingUserUuid) {

  175.     String email = authenticatorParameters.getUserIdentity().getEmail();

  176.     if (email == null) {

  177.       return Optional.empty();

  178.     }

  179.     List<UserDto> existingUsers = dbClient.userDao().selectByEmail(dbSession, email);

  180.     if (existingUsers.isEmpty()) {

  181.       return Optional.empty();

  182.     }

  183.     if (existingUsers.size() > 1) {

  184.       throw generateExistingEmailError(authenticatorParameters, email);

  185.     }

  186. 

  187.     UserDto existingUser = existingUsers.get(0);

  188.     if (existingUser == null || existingUser.getUuid().equals(authenticatingUserUuid)) {

  189.       return Optional.empty();

  190.     }

  191.     throw generateExistingEmailError(authenticatorParameters, email);

  192.   }

  193. 

  194.   private void syncGroups(DbSession dbSession, UserIdentity userIdentity, UserDto userDto) {

  195.     if (!userIdentity.shouldSyncGroups()) {

  196.       return;

  197.     }

  198.     String userLogin = userDto.getLogin();

  199.     Set<String> userGroups = new HashSet<>(dbClient.groupMembershipDao().selectGroupsByLogins(dbSession, singletonList(userLogin)).get(userLogin));

  200.     Set<String> identityGroups = userIdentity.getGroups();

  201.     LOGGER.debug("List of groups returned by the identity provider '{}'", identityGroups);

  202. 

  203.     Collection<String> groupsToAdd = Sets.difference(identityGroups, userGroups);

  204.     Collection<String> groupsToRemove = Sets.difference(userGroups, identityGroups);

  205.     Collection<String> allGroups = new ArrayList<>(groupsToAdd);

  206.     allGroups.addAll(groupsToRemove);

  207.     Map<String, GroupDto> groupsByName = dbClient.groupDao().selectByNames(dbSession, allGroups)

  208.       .stream()

  209.       .collect(uniqueIndex(GroupDto::getName));

  210. 

  211.     addGroups(dbSession, userDto, groupsToAdd, groupsByName);

  212.     removeGroups(dbSession, userDto, groupsToRemove, groupsByName);

  213.   }

  214. 

  215.   private void addGroups(DbSession dbSession, UserDto userDto, Collection<String> groupsToAdd, Map<String, GroupDto> groupsByName) {

  216.     groupsToAdd.stream().map(groupsByName::get).filter(Objects::nonNull).forEach(

  217.       groupDto -> {

  218.         LOGGER.debug("Adding group '{}' to user '{}'", groupDto.getName(), userDto.getLogin());

  219.         dbClient.userGroupDao().insert(dbSession, new UserGroupDto().setGroupUuid(groupDto.getUuid()).setUserUuid(userDto.getUuid()));

  220.       });

  221.   }

  222. 

  223.   private void removeGroups(DbSession dbSession, UserDto userDto, Collection<String> groupsToRemove, Map<String, GroupDto> groupsByName) {

  224.     Optional<GroupDto> defaultGroup = getDefaultGroup(dbSession);

  225.     groupsToRemove.stream().map(groupsByName::get)

  226.       .filter(Objects::nonNull)

  227.       // user should be member of default group only when organizations are disabled, as the IdentityProvider API doesn't handle yet

  228.       // organizations

  229.       .filter(group -> !defaultGroup.isPresent() || !group.getUuid().equals(defaultGroup.get().getUuid()))

  230.       .forEach(groupDto -> {

  231.         LOGGER.debug("Removing group '{}' from user '{}'", groupDto.getName(), userDto.getLogin());

  232.         dbClient.userGroupDao().delete(dbSession, groupDto.getUuid(), userDto.getUuid());

  233.       });

  234.   }

  235. 

  236.   private Optional<GroupDto> getDefaultGroup(DbSession dbSession) {

  237.     return Optional.of(defaultGroupFinder.findDefaultGroup(dbSession));

  238.   }

  239. 

  240.   private static NewUser createNewUser(UserRegistration authenticatorParameters) {

  241.     String identityProviderKey = authenticatorParameters.getProvider().getKey();

  242.     if (!authenticatorParameters.getProvider().allowsUsersToSignUp()) {

  243.       throw AuthenticationException.newBuilder()

  244.         .setSource(authenticatorParameters.getSource())

  245.         .setLogin(authenticatorParameters.getUserIdentity().getProviderLogin())

  246.         .setMessage(format("User signup disabled for provider '%s'", identityProviderKey))

  247.         .setPublicMessage(format("'%s' users are not allowed to sign up", identityProviderKey))

  248.         .build();

  249.     }

  250.     String providerLogin = authenticatorParameters.getUserIdentity().getProviderLogin();

  251.     return NewUser.builder()

  252.       .setLogin(SQ_AUTHORITY.equals(identityProviderKey) ? providerLogin : null)

  253.       .setEmail(authenticatorParameters.getUserIdentity().getEmail())

  254.       .setName(authenticatorParameters.getUserIdentity().getName())

  255.       .setExternalIdentity(

  256.         new ExternalIdentity(

  257.           identityProviderKey,

  258.           providerLogin,

  259.           authenticatorParameters.getUserIdentity().getProviderId()))

  260.       .build();

  261.   }

  262. 

  263.   private static UserDto[] toArray(Optional<UserDto> userDto) {

  264.     return userDto.map(u -> new UserDto[] {u}).orElse(new UserDto[] {});

  265.   }

  266. 

  267.   private static AuthenticationException generateExistingEmailError(UserRegistration authenticatorParameters, String email) {

  268.     return AuthenticationException.newBuilder()

  269.       .setSource(authenticatorParameters.getSource())

  270.       .setLogin(authenticatorParameters.getUserIdentity().getProviderLogin())

  271.       .setMessage(format("Email '%s' is already used", email))

  272.       .setPublicMessage(

  273.         "This account is already associated with another authentication method. "

  274.           + "Sign in using the current authentication method, "

  275.           + "or contact your administrator to transfer your account to a different authentication method.")

  276.       .build();

  277.   }

  278. 

  279.   private static String getProviderIdOrProviderLogin(UserIdentity userIdentity) {

  280.     String providerId = userIdentity.getProviderId();

  281.     return providerId == null ? userIdentity.getProviderLogin() : providerId;

  282.   }

  283. 

  284. }