mirrors
/
sonarqube
mirror of https://github.com/SonarSource/sonarqube.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 237 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
34603 Commits
59 Branches
Tree: c62e96c158
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'c62e96c158'
${ noResults }
sonarqube/server/sonar-webserver-auth/src/main/java/org/sonar/server/user/ServerUserSession.java

ServerUserSession.java 15KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406 
  1. /*

  2.  * SonarQube

  3.  * Copyright (C) 2009-2023 SonarSource SA

  4.  * mailto:info AT sonarsource DOT com

  5.  *

  6.  * This program is free software; you can redistribute it and/or

  7.  * modify it under the terms of the GNU Lesser General Public

  8.  * License as published by the Free Software Foundation; either

  9.  * version 3 of the License, or (at your option) any later version.

  10.  *

  11.  * This program is distributed in the hope that it will be useful,

  12.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  13.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

  14.  * Lesser General Public License for more details.

  15.  *

  16.  * You should have received a copy of the GNU Lesser General Public License

  17.  * along with this program; if not, write to the Free Software Foundation,

  18.  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

  19.  */

  20. package org.sonar.server.user;

  21. 

  22. import java.util.Arrays;

  23. import java.util.Collection;

  24. import java.util.Collections;

  25. import java.util.HashMap;

  26. import java.util.HashSet;

  27. import java.util.List;

  28. import java.util.Map;

  29. import java.util.Objects;

  30. import java.util.Optional;

  31. import java.util.Set;

  32. import java.util.stream.Collectors;

  33. import javax.annotation.CheckForNull;

  34. import javax.annotation.Nullable;

  35. import org.sonar.api.resources.Qualifiers;

  36. import org.sonar.api.resources.Scopes;

  37. import org.sonar.db.DbClient;

  38. import org.sonar.db.DbSession;

  39. import org.sonar.db.component.BranchDto;

  40. import org.sonar.db.component.ComponentDto;

  41. import org.sonar.db.component.ComponentTreeQuery;

  42. import org.sonar.db.component.ComponentTreeQuery.Strategy;

  43. import org.sonar.db.entity.EntityDto;

  44. import org.sonar.db.permission.GlobalPermission;

  45. import org.sonar.db.user.GroupDto;

  46. import org.sonar.db.user.UserDto;

  47. 

  48. import static java.util.Collections.singleton;

  49. import static java.util.Optional.of;

  50. import static java.util.Optional.ofNullable;

  51. import static java.util.stream.Collectors.toSet;

  52. import static org.sonar.api.resources.Qualifiers.SUBVIEW;

  53. import static org.sonar.api.resources.Qualifiers.VIEW;

  54. import static org.sonar.api.web.UserRole.PUBLIC_PERMISSIONS;

  55. 

  56. /**

  57.  * Implementation of {@link UserSession} used in web server

  58.  */

  59. public class ServerUserSession extends AbstractUserSession {

  60. 

  61.   private static final Set<String> QUALIFIERS = Set.of(VIEW, SUBVIEW);

  62. 

  63.   @CheckForNull

  64.   private final UserDto userDto;

  65.   private final DbClient dbClient;

  66.   private final Map<String, String> entityUuidByComponentUuid = new HashMap<>();

  67.   private final Map<String, Set<String>> permissionsByEntityUuid = new HashMap<>();

  68. 

  69.   private Collection<GroupDto> groups;

  70.   private Boolean isSystemAdministrator;

  71.   private Set<GlobalPermission> permissions;

  72. 

  73.   public ServerUserSession(DbClient dbClient, @Nullable UserDto userDto) {

  74.     this.dbClient = dbClient;

  75.     this.userDto = userDto;

  76.   }

  77. 

  78.   private Collection<GroupDto> loadGroups() {

  79.     if (this.userDto == null) {

  80.       return Collections.emptyList();

  81.     }

  82.     try (DbSession dbSession = dbClient.openSession(false)) {

  83.       return dbClient.groupDao().selectByUserLogin(dbSession, userDto.getLogin());

  84.     }

  85.   }

  86. 

  87.   @Override

  88.   @CheckForNull

  89.   public Long getLastSonarlintConnectionDate() {

  90.     return userDto == null ? null : userDto.getLastSonarlintConnectionDate();

  91.   }

  92. 

  93.   @Override

  94.   @CheckForNull

  95.   public String getLogin() {

  96.     return userDto == null ? null : userDto.getLogin();

  97.   }

  98. 

  99.   @Override

  100.   @CheckForNull

  101.   public String getUuid() {

  102.     return userDto == null ? null : userDto.getUuid();

  103.   }

  104. 

  105.   @Override

  106.   @CheckForNull

  107.   public String getName() {

  108.     return userDto == null ? null : userDto.getName();

  109.   }

  110. 

  111.   @Override

  112.   public Collection<GroupDto> getGroups() {

  113.     if (groups == null) {

  114.       groups = loadGroups();

  115.     }

  116.     return groups;

  117.   }

  118. 

  119.   @Override

  120.   public boolean shouldResetPassword() {

  121.     return userDto != null && userDto.isResetPassword();

  122.   }

  123. 

  124.   @Override

  125.   public boolean isLoggedIn() {

  126.     return userDto != null;

  127.   }

  128. 

  129.   @Override

  130.   public Optional<IdentityProvider> getIdentityProvider() {

  131.     return ofNullable(userDto).map(d -> computeIdentity(d).getIdentityProvider());

  132.   }

  133. 

  134.   @Override

  135.   public Optional<ExternalIdentity> getExternalIdentity() {

  136.     return ofNullable(userDto).map(d -> computeIdentity(d).getExternalIdentity());

  137.   }

  138. 

  139.   @Override

  140.   protected boolean hasPermissionImpl(GlobalPermission permission) {

  141.     if (permissions == null) {

  142.       permissions = loadGlobalPermissions();

  143.     }

  144.     return permissions.contains(permission);

  145.   }

  146. 

  147.   @Override

  148.   protected Optional<String> componentUuidToEntityUuid(String componentUuid) {

  149.     String entityUuid = entityUuidByComponentUuid.get(componentUuid);

  150.     if (entityUuid != null) {

  151.       return of(entityUuid);

  152.     }

  153.     try (DbSession dbSession = dbClient.openSession(false)) {

  154.       Optional<ComponentDto> component = dbClient.componentDao().selectByUuid(dbSession, componentUuid);

  155.       if (component.isEmpty()) {

  156.         return Optional.empty();

  157.       }

  158.       // permissions must be checked on the project

  159.       entityUuid = getEntityUuid(dbSession, component.get());

  160.       entityUuidByComponentUuid.put(componentUuid, entityUuid);

  161.       return of(entityUuid);

  162.     }

  163.   }

  164. 

  165.   @Override

  166.   protected boolean hasEntityUuidPermission(String permission, String entityUuid) {

  167.     return hasPermission(permission, entityUuid);

  168.   }

  169. 

  170.   @Override

  171.   protected boolean hasChildProjectsPermission(String permission, String applicationUuid) {

  172.     Set<String> childProjectUuids = loadChildProjectUuids(applicationUuid);

  173.     Set<String> projectsWithPermission = keepEntitiesUuidsByPermission(permission, childProjectUuids);

  174.     return projectsWithPermission.containsAll(childProjectUuids);

  175.   }

  176. 

  177.   @Override

  178.   protected boolean hasPortfolioChildProjectsPermission(String permission, String portfolioUuid) {

  179.     Set<ComponentDto> portfolioHierarchyComponents = resolvePortfolioHierarchyComponents(portfolioUuid);

  180.     Set<String> branchUuids = findBranchUuids(portfolioHierarchyComponents);

  181.     Set<String> projectUuids = findProjectUuids(branchUuids);

  182. 

  183.     Set<String> projectsWithPermission = keepEntitiesUuidsByPermission(permission, projectUuids);

  184.     return projectsWithPermission.containsAll(projectUuids);

  185.   }

  186. 

  187.   @Override

  188.   public <T extends EntityDto> List<T> keepAuthorizedEntities(String permission, Collection<T> entities) {

  189.     Set<String> projectsUuids = entities.stream().map(EntityDto::getUuid).collect(Collectors.toSet());

  190.     // TODO in SONAR-19445

  191.     Set<String> authorizedEntitiesUuids = keepEntitiesUuidsByPermission(permission, projectsUuids);

  192. 

  193.     return entities.stream()

  194.       .filter(project -> authorizedEntitiesUuids.contains(project.getUuid()))

  195.       .toList();

  196.   }

  197. 

  198.   private Set<String> keepEntitiesUuidsByPermission(String permission, Collection<String> entityUuids) {

  199.     try (DbSession dbSession = dbClient.openSession(false)) {

  200.       String userUuid = userDto == null ? null : userDto.getUuid();

  201.       return dbClient.authorizationDao().keepAuthorizedEntityUuids(dbSession, entityUuids, userUuid, permission);

  202.     }

  203.   }

  204. 

  205.   private static Set<String> findBranchUuids(Set<ComponentDto> portfolioHierarchyComponents) {

  206.     return portfolioHierarchyComponents.stream()

  207.       .map(ComponentDto::getCopyComponentUuid)

  208.       .collect(toSet());

  209.   }

  210. 

  211.   private Set<String> findProjectUuids(Set<String> branchesComponentsUuid) {

  212.     try (DbSession dbSession = dbClient.openSession(false)) {

  213.       List<ComponentDto> componentDtos = dbClient.componentDao().selectByUuids(dbSession, branchesComponentsUuid);

  214.       return getProjectUuids(dbSession, componentDtos);

  215.     }

  216.   }

  217. 

  218.   private String getEntityUuid(DbSession dbSession, ComponentDto componentDto) {

  219.     // Portfolio & subPortfolio don't have branch, so branchUuid represents the portfolio uuid.

  220.     // technical project store root portfolio uuid in branchUuid

  221.     if (isPortfolioOrSubPortfolio(componentDto) || isTechnicalProject(componentDto)) {

  222.       return componentDto.branchUuid();

  223.     }

  224.     Optional<BranchDto> branchDto = dbClient.branchDao().selectByUuid(dbSession, componentDto.branchUuid());

  225.     return branchDto.map(BranchDto::getProjectUuid).orElseThrow(() -> new IllegalStateException("No branch found for component : " + componentDto));

  226.   }

  227. 

  228.   private Set<String> getProjectUuids(DbSession dbSession, Collection<ComponentDto> components) {

  229.     Set<String> mainProjectUuids = new HashSet<>();

  230. 

  231.     // the result of following stream could be project or application

  232.     Collection<String> componentsWithBranch = components.stream()

  233.       .filter(c -> !(isTechnicalProject(c) || isPortfolioOrSubPortfolio(c)))

  234.       .map(ComponentDto::branchUuid)

  235.       .toList();

  236. 

  237.     dbClient.branchDao().selectByUuids(dbSession, componentsWithBranch).stream()

  238.       .map(BranchDto::getProjectUuid).forEach(mainProjectUuids::add);

  239. 

  240.     components.stream()

  241.       .filter(c -> isTechnicalProject(c) || isPortfolioOrSubPortfolio(c))

  242.       .map(ComponentDto::branchUuid)

  243.       .forEach(mainProjectUuids::add);

  244. 

  245.     return mainProjectUuids;

  246.   }

  247. 

  248.   private static boolean isTechnicalProject(ComponentDto componentDto) {

  249.     return Qualifiers.PROJECT.equals(componentDto.qualifier()) && Scopes.FILE.equals(componentDto.scope());

  250.   }

  251. 

  252.   private static boolean isPortfolioOrSubPortfolio(ComponentDto componentDto) {

  253.     return !Objects.isNull(componentDto.qualifier()) && QUALIFIERS.contains(componentDto.qualifier());

  254.   }

  255. 

  256.   private boolean hasPermission(String permission, String entityUuid) {

  257.     Set<String> entityPermissions = permissionsByEntityUuid.computeIfAbsent(entityUuid, this::loadEntityPermissions);

  258.     return entityPermissions.contains(permission);

  259.   }

  260. 

  261.   private Set<String> loadEntityPermissions(String entityUuid) {

  262.     try (DbSession dbSession = dbClient.openSession(false)) {

  263.       Optional<EntityDto> entity = dbClient.entityDao().selectByUuid(dbSession, entityUuid);

  264.       if (entity.isEmpty()) {

  265.         return Collections.emptySet();

  266.       }

  267.       if (entity.get().isPrivate()) {

  268.         return loadDbPermissions(dbSession, entityUuid);

  269.       }

  270.       Set<String> projectPermissions = new HashSet<>();

  271.       projectPermissions.addAll(PUBLIC_PERMISSIONS);

  272.       projectPermissions.addAll(loadDbPermissions(dbSession, entityUuid));

  273.       return Collections.unmodifiableSet(projectPermissions);

  274.     }

  275.   }

  276. 

  277.   private Set<String> loadChildProjectUuids(String applicationUuid) {

  278.     try (DbSession dbSession = dbClient.openSession(false)) {

  279.       BranchDto branchDto = dbClient.branchDao().selectMainBranchByProjectUuid(dbSession, applicationUuid)

  280.         .orElseThrow();

  281.       Set<String> projectBranchesUuid = dbClient.componentDao()

  282.         .selectDescendants(dbSession, ComponentTreeQuery.builder()

  283.           .setBaseUuid(branchDto.getUuid())

  284.           .setQualifiers(singleton(Qualifiers.PROJECT))

  285.           .setScopes(singleton(Scopes.FILE))

  286.           .setStrategy(Strategy.CHILDREN).build())

  287.         .stream()

  288.         .map(ComponentDto::getCopyComponentUuid)

  289.         .collect(toSet());

  290. 

  291.       return dbClient.branchDao().selectByUuids(dbSession, projectBranchesUuid).stream()

  292.         .map(BranchDto::getProjectUuid)

  293.         .collect(toSet());

  294. 

  295.     }

  296.   }

  297. 

  298.   private List<ComponentDto> getDirectChildComponents(String portfolioUuid) {

  299.     try (DbSession dbSession = dbClient.openSession(false)) {

  300.       return dbClient.componentDao().selectDescendants(dbSession, ComponentTreeQuery.builder()

  301.         .setBaseUuid(portfolioUuid)

  302.         .setQualifiers(Arrays.asList(Qualifiers.PROJECT, Qualifiers.SUBVIEW))

  303.         .setStrategy(Strategy.CHILDREN).build());

  304.     }

  305.   }

  306. 

  307.   private Set<ComponentDto> resolvePortfolioHierarchyComponents(String parentComponentUuid) {

  308.     Set<ComponentDto> portfolioHierarchyProjects = new HashSet<>();

  309.     resolvePortfolioHierarchyComponents(parentComponentUuid, portfolioHierarchyProjects);

  310.     return portfolioHierarchyProjects;

  311.   }

  312. 

  313.   private void resolvePortfolioHierarchyComponents(String parentComponentUuid, Set<ComponentDto> hierarchyChildComponents) {

  314.     List<ComponentDto> childComponents = getDirectChildComponents(parentComponentUuid);

  315. 

  316.     if (childComponents.isEmpty()) {

  317.       return;

  318.     }

  319. 

  320.     childComponents.forEach(c -> {

  321.       if (c.getCopyComponentUuid() != null) {

  322.         hierarchyChildComponents.add(c);

  323.       }

  324. 

  325.       if (Qualifiers.SUBVIEW.equals(c.qualifier())) {

  326.         resolvePortfolioHierarchyComponents(c.uuid(), hierarchyChildComponents);

  327.       }

  328.     });

  329.   }

  330. 

  331.   private Set<GlobalPermission> loadGlobalPermissions() {

  332.     Set<String> permissionKeys;

  333.     try (DbSession dbSession = dbClient.openSession(false)) {

  334.       if (userDto != null && userDto.getUuid() != null) {

  335.         permissionKeys = dbClient.authorizationDao().selectGlobalPermissions(dbSession, userDto.getUuid());

  336.       } else {

  337.         permissionKeys = dbClient.authorizationDao().selectGlobalPermissionsOfAnonymous(dbSession);

  338.       }

  339.     }

  340.     return permissionKeys.stream()

  341.       .map(GlobalPermission::fromKey)

  342.       .collect(toSet());

  343.   }

  344. 

  345.   private Set<String> loadDbPermissions(DbSession dbSession, String entityUuid) {

  346.     if (userDto != null && userDto.getUuid() != null) {

  347.       return dbClient.authorizationDao().selectEntityPermissions(dbSession, entityUuid, userDto.getUuid());

  348.     }

  349.     return dbClient.authorizationDao().selectEntityPermissionsOfAnonymous(dbSession, entityUuid);

  350.   }

  351. 

  352.   @Override

  353.   protected List<ComponentDto> doKeepAuthorizedComponents(String permission, Collection<ComponentDto> components) {

  354.     try (DbSession dbSession = dbClient.openSession(false)) {

  355.       Set<String> projectUuids = getProjectUuids(dbSession, components);

  356. 

  357.       Map<String, ComponentDto> originalComponents = findComponentsByCopyComponentUuid(components,

  358.         dbSession);

  359. 

  360.       Set<String> originalComponentsProjectUuids = getProjectUuids(dbSession, originalComponents.values());

  361. 

  362.       Set<String> allProjectUuids = new HashSet<>(projectUuids);

  363.       allProjectUuids.addAll(originalComponentsProjectUuids);

  364. 

  365.       Set<String> authorizedProjectUuids = dbClient.authorizationDao().keepAuthorizedEntityUuids(dbSession, allProjectUuids, getUuid(), permission);

  366. 

  367.       return components.stream()

  368.         .filter(c -> {

  369.           if (c.getCopyComponentUuid() != null) {

  370.             var componentDto = originalComponents.get(c.getCopyComponentUuid());

  371.             return componentDto != null && authorizedProjectUuids.contains(getEntityUuid(dbSession, componentDto));

  372.           }

  373. 

  374.           return authorizedProjectUuids.contains(c.branchUuid()) || authorizedProjectUuids.contains(

  375.             getEntityUuid(dbSession, c));

  376.         })

  377.         .toList();

  378.     }

  379.   }

  380. 

  381.   private Map<String, ComponentDto> findComponentsByCopyComponentUuid(Collection<ComponentDto> components, DbSession dbSession) {

  382.     Set<String> copyComponentsUuid = components.stream()

  383.       .map(ComponentDto::getCopyComponentUuid)

  384.       .filter(Objects::nonNull)

  385.       .collect(toSet());

  386.     return dbClient.componentDao().selectByUuids(dbSession, copyComponentsUuid).stream()

  387.       .collect(Collectors.toMap(ComponentDto::uuid, componentDto -> componentDto));

  388.   }

  389. 

  390.   @Override

  391.   public boolean isSystemAdministrator() {

  392.     if (isSystemAdministrator == null) {

  393.       isSystemAdministrator = loadIsSystemAdministrator();

  394.     }

  395.     return isSystemAdministrator;

  396.   }

  397. 

  398.   @Override

  399.   public boolean isActive() {

  400.     return userDto.isActive();

  401.   }

  402. 

  403.   private boolean loadIsSystemAdministrator() {

  404.     return hasPermission(GlobalPermission.ADMINISTER);

  405.   }

  406. }