mirrors
/
sonarqube
mirror of https://github.com/SonarSource/sonarqube.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 237 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
34603 Commits
59 Branches
Tree: c62e96c158
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'c62e96c158'
${ noResults }
sonarqube/server/sonar-webserver-auth/src/main/java/org/sonar/server/user/UserUpdater.java

UserUpdater.java 19KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453 
  1. /*

  2.  * SonarQube

  3.  * Copyright (C) 2009-2023 SonarSource SA

  4.  * mailto:info AT sonarsource DOT com

  5.  *

  6.  * This program is free software; you can redistribute it and/or

  7.  * modify it under the terms of the GNU Lesser General Public

  8.  * License as published by the Free Software Foundation; either

  9.  * version 3 of the License, or (at your option) any later version.

  10.  *

  11.  * This program is distributed in the hope that it will be useful,

  12.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  13.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

  14.  * Lesser General Public License for more details.

  15.  *

  16.  * You should have received a copy of the GNU Lesser General Public License

  17.  * along with this program; if not, write to the Free Software Foundation,

  18.  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

  19.  */

  20. package org.sonar.server.user;

  21. 

  22. import com.google.common.base.Joiner;

  23. import com.google.common.base.Strings;

  24. import java.util.ArrayList;

  25. import java.util.HashSet;

  26. import java.util.List;

  27. import java.util.Objects;

  28. import java.util.function.Consumer;

  29. import java.util.regex.Pattern;

  30. import java.util.stream.Collectors;

  31. import javax.annotation.Nullable;

  32. import javax.inject.Inject;

  33. import org.apache.commons.lang.math.RandomUtils;

  34. import org.sonar.api.config.Configuration;

  35. import org.sonar.api.platform.NewUserHandler;

  36. import org.sonar.api.server.ServerSide;

  37. import org.sonar.db.DbClient;

  38. import org.sonar.db.DbSession;

  39. import org.sonar.db.audit.AuditPersister;

  40. import org.sonar.db.audit.model.SecretNewValue;

  41. import org.sonar.db.user.GroupDto;

  42. import org.sonar.db.user.UserDto;

  43. import org.sonar.db.user.UserGroupDto;

  44. import org.sonar.server.authentication.CredentialsLocalAuthentication;

  45. import org.sonar.server.usergroups.DefaultGroupFinder;

  46. import org.sonar.server.util.Validation;

  47. 

  48. import static com.google.common.base.Preconditions.checkArgument;

  49. import static com.google.common.base.Strings.isNullOrEmpty;

  50. import static com.google.common.collect.Lists.newArrayList;

  51. import static java.lang.String.format;

  52. import static java.util.Collections.emptyList;

  53. import static org.sonar.api.CoreProperties.DEFAULT_ISSUE_ASSIGNEE;

  54. import static org.sonar.core.util.Slug.slugify;

  55. import static org.sonar.server.exceptions.BadRequestException.checkRequest;

  56. 

  57. @ServerSide

  58. public class UserUpdater {

  59. 

  60.   private static final String SQ_AUTHORITY = "sonarqube";

  61. 

  62.   private static final String LOGIN_PARAM = "Login";

  63.   private static final String PASSWORD_PARAM = "Password";

  64.   private static final String NAME_PARAM = "Name";

  65.   private static final String EMAIL_PARAM = "Email";

  66.   private static final Pattern START_WITH_SPECIFIC_AUTHORIZED_CHARACTERS = Pattern.compile("\\w+");

  67.   private static final Pattern CONTAINS_ONLY_AUTHORIZED_CHARACTERS = Pattern.compile("\\A\\w[\\w\\.\\-@]+\\z");

  68. 

  69.   public static final int LOGIN_MIN_LENGTH = 2;

  70.   public static final int LOGIN_MAX_LENGTH = 255;

  71.   public static final int EMAIL_MAX_LENGTH = 100;

  72.   public static final int NAME_MAX_LENGTH = 200;

  73. 

  74.   private final NewUserNotifier newUserNotifier;

  75.   private final DbClient dbClient;

  76.   private final DefaultGroupFinder defaultGroupFinder;

  77.   private final AuditPersister auditPersister;

  78.   private final CredentialsLocalAuthentication localAuthentication;

  79. 

  80.   @Inject

  81.   public UserUpdater(NewUserNotifier newUserNotifier, DbClient dbClient, DefaultGroupFinder defaultGroupFinder, Configuration config,

  82.     AuditPersister auditPersister, CredentialsLocalAuthentication localAuthentication) {

  83.     this.newUserNotifier = newUserNotifier;

  84.     this.dbClient = dbClient;

  85.     this.defaultGroupFinder = defaultGroupFinder;

  86.     this.auditPersister = auditPersister;

  87.     this.localAuthentication = localAuthentication;

  88.   }

  89. 

  90.   public UserDto createAndCommit(DbSession dbSession, NewUser newUser, Consumer<UserDto> beforeCommit, UserDto... otherUsersToIndex) {

  91.     UserDto userDto = saveUser(dbSession, createDto(dbSession, newUser));

  92.     return commitUser(dbSession, userDto, beforeCommit, otherUsersToIndex);

  93.   }

  94. 

  95.   public UserDto reactivateAndCommit(DbSession dbSession, UserDto disabledUser, NewUser newUser, Consumer<UserDto> beforeCommit, UserDto... otherUsersToIndex) {

  96.     checkArgument(!disabledUser.isActive(), "An active user with login '%s' already exists", disabledUser.getLogin());

  97.     reactivateUser(dbSession, disabledUser, newUser);

  98.     return commitUser(dbSession, disabledUser, beforeCommit, otherUsersToIndex);

  99.   }

  100. 

  101.   private void reactivateUser(DbSession dbSession, UserDto reactivatedUser, NewUser newUser) {

  102.     UpdateUser updateUser = new UpdateUser()

  103.       .setName(newUser.name())

  104.       .setEmail(newUser.email())

  105.       .setScmAccounts(newUser.scmAccounts())

  106.       .setExternalIdentity(newUser.externalIdentity());

  107.     String login = newUser.login();

  108.     if (login != null) {

  109.       updateUser.setLogin(login);

  110.     }

  111.     String password = newUser.password();

  112.     if (password != null) {

  113.       updateUser.setPassword(password);

  114.     }

  115.     updateDto(dbSession, updateUser, reactivatedUser);

  116.     updateUser(dbSession, reactivatedUser);

  117.     addUserToDefaultGroup(dbSession, reactivatedUser);

  118.   }

  119. 

  120.   public void updateAndCommit(DbSession dbSession, UserDto dto, UpdateUser updateUser, Consumer<UserDto> beforeCommit, UserDto... otherUsersToIndex) {

  121.     boolean isUserUpdated = updateDto(dbSession, updateUser, dto);

  122.     if (isUserUpdated) {

  123.       // at least one change. Database must be updated and Elasticsearch re-indexed

  124.       updateUser(dbSession, dto);

  125.       commitUser(dbSession, dto, beforeCommit, otherUsersToIndex);

  126.     } else {

  127.       // no changes but still execute the consumer

  128.       beforeCommit.accept(dto);

  129.       dbSession.commit();

  130.     }

  131.   }

  132. 

  133.   private UserDto commitUser(DbSession dbSession, UserDto userDto, Consumer<UserDto> beforeCommit, UserDto... otherUsersToIndex) {

  134.     beforeCommit.accept(userDto);

  135.     dbSession.commit();

  136.     notifyNewUser(userDto.getLogin(), userDto.getName(), userDto.getEmail());

  137.     return userDto;

  138.   }

  139. 

  140.   private UserDto createDto(DbSession dbSession, NewUser newUser) {

  141.     UserDto userDto = new UserDto();

  142.     List<String> messages = new ArrayList<>();

  143. 

  144.     String login = newUser.login();

  145.     if (isNullOrEmpty(login)) {

  146.       userDto.setLogin(generateUniqueLogin(dbSession, newUser.name()));

  147.     } else if (validateLoginFormat(login, messages)) {

  148.       checkLoginUniqueness(dbSession, login);

  149.       userDto.setLogin(login);

  150.     }

  151. 

  152.     String name = newUser.name();

  153.     if (validateNameFormat(name, messages)) {

  154.       userDto.setName(name);

  155.     }

  156. 

  157.     String email = newUser.email();

  158.     if (email != null && validateEmailFormat(email, messages)) {

  159.       userDto.setEmail(email);

  160.     }

  161. 

  162.     String password = newUser.password();

  163.     if (password != null && validatePasswords(password, messages)) {

  164.       localAuthentication.storeHashPassword(userDto, password);

  165.     }

  166. 

  167.     List<String> scmAccounts = sanitizeScmAccounts(newUser.scmAccounts());

  168.     if (scmAccounts != null && !scmAccounts.isEmpty() && validateScmAccounts(dbSession, scmAccounts, login, email, null, messages)) {

  169.       userDto.setScmAccounts(scmAccounts);

  170.     }

  171. 

  172.     setExternalIdentity(dbSession, userDto, newUser.externalIdentity());

  173. 

  174.     checkRequest(messages.isEmpty(), messages);

  175.     return userDto;

  176.   }

  177. 

  178.   private String generateUniqueLogin(DbSession dbSession, String userName) {

  179.     String slugName = slugify(userName);

  180.     for (int i = 0; i < 10; i++) {

  181.       String login = slugName + RandomUtils.nextInt(100_000);

  182.       UserDto existingUser = dbClient.userDao().selectByLogin(dbSession, login);

  183.       if (existingUser == null) {

  184.         return login;

  185.       }

  186.     }

  187.     throw new IllegalStateException("Cannot create unique login for user name " + userName);

  188.   }

  189. 

  190.   private boolean updateDto(DbSession dbSession, UpdateUser update, UserDto dto) {

  191.     List<String> messages = newArrayList();

  192.     boolean changed = updateLogin(dbSession, update, dto, messages);

  193.     changed |= updateName(update, dto, messages);

  194.     changed |= updateEmail(update, dto, messages);

  195.     changed |= updateExternalIdentity(dbSession, update, dto);

  196.     changed |= updatePassword(dbSession, update, dto, messages);

  197.     changed |= updateScmAccounts(dbSession, update, dto, messages);

  198.     checkRequest(messages.isEmpty(), messages);

  199.     return changed;

  200.   }

  201. 

  202.   private boolean updateLogin(DbSession dbSession, UpdateUser updateUser, UserDto userDto, List<String> messages) {

  203.     String newLogin = updateUser.login();

  204.     if (!updateUser.isLoginChanged() || !validateLoginFormat(newLogin, messages) || Objects.equals(userDto.getLogin(), newLogin)) {

  205.       return false;

  206.     }

  207.     checkLoginUniqueness(dbSession, newLogin);

  208.     dbClient.propertiesDao().selectByKeyAndMatchingValue(dbSession, DEFAULT_ISSUE_ASSIGNEE, userDto.getLogin())

  209.       .forEach(p -> dbClient.propertiesDao().saveProperty(p.setValue(newLogin)));

  210.     userDto.setLogin(newLogin);

  211.     if (userDto.isLocal() || SQ_AUTHORITY.equals(userDto.getExternalIdentityProvider())) {

  212.       userDto.setExternalLogin(newLogin);

  213.       userDto.setExternalId(newLogin);

  214.     }

  215.     return true;

  216.   }

  217. 

  218.   private static boolean updateName(UpdateUser updateUser, UserDto userDto, List<String> messages) {

  219.     String name = updateUser.name();

  220.     if (updateUser.isNameChanged() && validateNameFormat(name, messages) && !Objects.equals(userDto.getName(), name)) {

  221.       userDto.setName(name);

  222.       return true;

  223.     }

  224.     return false;

  225.   }

  226. 

  227.   private static boolean updateEmail(UpdateUser updateUser, UserDto userDto, List<String> messages) {

  228.     String email = updateUser.email();

  229.     if (updateUser.isEmailChanged() && validateEmailFormat(email, messages) && !Objects.equals(userDto.getEmail(), email)) {

  230.       userDto.setEmail(email);

  231.       return true;

  232.     }

  233.     return false;

  234.   }

  235. 

  236.   private boolean updateExternalIdentity(DbSession dbSession, UpdateUser updateUser, UserDto userDto) {

  237.     ExternalIdentity externalIdentity = updateUser.externalIdentity();

  238.     if (updateUser.isExternalIdentityChanged() && !isSameExternalIdentity(userDto, externalIdentity)) {

  239.       setExternalIdentity(dbSession, userDto, externalIdentity);

  240.       return true;

  241.     }

  242.     return false;

  243.   }

  244. 

  245.   private boolean updatePassword(DbSession dbSession, UpdateUser updateUser, UserDto userDto, List<String> messages) {

  246.     String password = updateUser.password();

  247.     if (updateUser.isPasswordChanged() && validatePasswords(password, messages) && checkPasswordChangeAllowed(userDto, messages)) {

  248.       localAuthentication.storeHashPassword(userDto, password);

  249.       userDto.setResetPassword(false);

  250.       auditPersister.updateUserPassword(dbSession, new SecretNewValue("userLogin", userDto.getLogin()));

  251.       return true;

  252.     }

  253.     return false;

  254.   }

  255. 

  256.   private boolean updateScmAccounts(DbSession dbSession, UpdateUser updateUser, UserDto userDto, List<String> messages) {

  257.     String email = updateUser.email();

  258.     List<String> scmAccounts = sanitizeScmAccounts(updateUser.scmAccounts());

  259.     List<String> existingScmAccounts = userDto.getSortedScmAccounts();

  260.     if (updateUser.isScmAccountsChanged() && !(existingScmAccounts.containsAll(scmAccounts) && scmAccounts.containsAll(existingScmAccounts))) {

  261.       if (!scmAccounts.isEmpty()) {

  262.         String newOrOldEmail = email != null ? email : userDto.getEmail();

  263.         if (validateScmAccounts(dbSession, scmAccounts, userDto.getLogin(), newOrOldEmail, userDto, messages)) {

  264.           userDto.setScmAccounts(scmAccounts);

  265.         }

  266.       } else {

  267.         userDto.setScmAccounts(emptyList());

  268.       }

  269.       return true;

  270.     }

  271.     return false;

  272.   }

  273. 

  274.   private static boolean isSameExternalIdentity(UserDto dto, @Nullable ExternalIdentity externalIdentity) {

  275.     return externalIdentity != null

  276.       && !dto.isLocal()

  277.       && Objects.equals(dto.getExternalId(), externalIdentity.getId())

  278.       && Objects.equals(dto.getExternalLogin(), externalIdentity.getLogin())

  279.       && Objects.equals(dto.getExternalIdentityProvider(), externalIdentity.getProvider());

  280.   }

  281. 

  282.   private void setExternalIdentity(DbSession dbSession, UserDto dto, @Nullable ExternalIdentity externalIdentity) {

  283.     if (externalIdentity == null) {

  284.       dto.setExternalLogin(dto.getLogin());

  285.       dto.setExternalIdentityProvider(SQ_AUTHORITY);

  286.       dto.setExternalId(dto.getLogin());

  287.       dto.setLocal(true);

  288.     } else {

  289.       dto.setExternalLogin(externalIdentity.getLogin());

  290.       dto.setExternalIdentityProvider(externalIdentity.getProvider());

  291.       dto.setExternalId(externalIdentity.getId());

  292.       dto.setLocal(false);

  293.       dto.setSalt(null);

  294.       dto.setCryptedPassword(null);

  295.     }

  296.     UserDto existingUser = dbClient.userDao().selectByExternalIdAndIdentityProvider(dbSession, dto.getExternalId(), dto.getExternalIdentityProvider());

  297.     checkArgument(existingUser == null || Objects.equals(dto.getUuid(), existingUser.getUuid()),

  298.       "A user with provider id '%s' and identity provider '%s' already exists", dto.getExternalId(), dto.getExternalIdentityProvider());

  299.   }

  300. 

  301.   private static boolean checkNotEmptyParam(@Nullable String value, String param, List<String> messages) {

  302.     if (isNullOrEmpty(value)) {

  303.       messages.add(format(Validation.CANT_BE_EMPTY_MESSAGE, param));

  304.       return false;

  305.     }

  306.     return true;

  307.   }

  308. 

  309.   private static boolean validateLoginFormat(@Nullable String login, List<String> messages) {

  310.     boolean isValid = checkNotEmptyParam(login, LOGIN_PARAM, messages);

  311.     if (isValid) {

  312.       if (login.length() < LOGIN_MIN_LENGTH) {

  313.         messages.add(format(Validation.IS_TOO_SHORT_MESSAGE, LOGIN_PARAM, LOGIN_MIN_LENGTH));

  314.         return false;

  315.       } else if (login.length() > LOGIN_MAX_LENGTH) {

  316.         messages.add(format(Validation.IS_TOO_LONG_MESSAGE, LOGIN_PARAM, LOGIN_MAX_LENGTH));

  317.         return false;

  318.       } else if (!startWithUnderscoreOrAlphanumeric(login)) {

  319.         messages.add("Login should start with _ or alphanumeric.");

  320.         return false;

  321.       } else if (!CONTAINS_ONLY_AUTHORIZED_CHARACTERS.matcher(login).matches()) {

  322.         messages.add("Login should contain only letters, numbers, and .-_@");

  323.         return false;

  324.       }

  325.     }

  326.     return isValid;

  327.   }

  328. 

  329.   private static boolean startWithUnderscoreOrAlphanumeric(String login) {

  330.     String firstCharacter = login.substring(0, 1);

  331.     if ("_".equals(firstCharacter)) {

  332.       return true;

  333.     }

  334.     return START_WITH_SPECIFIC_AUTHORIZED_CHARACTERS.matcher(firstCharacter).matches();

  335.   }

  336. 

  337.   private static boolean validateNameFormat(@Nullable String name, List<String> messages) {

  338.     boolean isValid = checkNotEmptyParam(name, NAME_PARAM, messages);

  339.     if (name != null && name.length() > NAME_MAX_LENGTH) {

  340.       messages.add(format(Validation.IS_TOO_LONG_MESSAGE, NAME_PARAM, 200));

  341.       return false;

  342.     }

  343.     return isValid;

  344.   }

  345. 

  346.   private static boolean validateEmailFormat(@Nullable String email, List<String> messages) {

  347.     if (email != null && email.length() > EMAIL_MAX_LENGTH) {

  348.       messages.add(format(Validation.IS_TOO_LONG_MESSAGE, EMAIL_PARAM, 100));

  349.       return false;

  350.     }

  351.     return true;

  352.   }

  353. 

  354.   private static boolean checkPasswordChangeAllowed(UserDto userDto, List<String> messages) {

  355.     if (!userDto.isLocal()) {

  356.       messages.add("Password cannot be changed when external authentication is used");

  357.       return false;

  358.     }

  359.     return true;

  360.   }

  361. 

  362.   private static boolean validatePasswords(@Nullable String password, List<String> messages) {

  363.     if (password == null || password.length() == 0) {

  364.       messages.add(format(Validation.CANT_BE_EMPTY_MESSAGE, PASSWORD_PARAM));

  365.       return false;

  366.     }

  367.     return true;

  368.   }

  369. 

  370.   private boolean validateScmAccounts(DbSession dbSession, List<String> scmAccounts, @Nullable String login, @Nullable String email, @Nullable UserDto existingUser,

  371.     List<String> messages) {

  372.     boolean isValid = true;

  373.     for (String scmAccount : scmAccounts) {

  374.       if (scmAccount.equals(login) || scmAccount.equals(email)) {

  375.         messages.add("Login and email are automatically considered as SCM accounts");

  376.         isValid = false;

  377.       } else {

  378.         List<UserDto> matchingUsers = dbClient.userDao().selectByScmAccountOrLoginOrEmail(dbSession, scmAccount);

  379.         List<String> matchingUsersWithoutExistingUser = newArrayList();

  380.         for (UserDto matchingUser : matchingUsers) {

  381.           if (existingUser != null && matchingUser.getUuid().equals(existingUser.getUuid())) {

  382.             continue;

  383.           }

  384.           matchingUsersWithoutExistingUser.add(getNameOrLogin(matchingUser) + " (" + matchingUser.getLogin() + ")");

  385.         }

  386.         if (!matchingUsersWithoutExistingUser.isEmpty()) {

  387.           messages.add(format("The scm account '%s' is already used by user(s) : '%s'", scmAccount, Joiner.on(", ").join(matchingUsersWithoutExistingUser)));

  388.           isValid = false;

  389.         }

  390.       }

  391.     }

  392.     return isValid;

  393.   }

  394. 

  395.   private static String getNameOrLogin(UserDto user) {

  396.     String name = user.getName();

  397.     return name != null ? name : user.getLogin();

  398.   }

  399. 

  400.   private static List<String> sanitizeScmAccounts(@Nullable List<String> scmAccounts) {

  401.     if (scmAccounts != null) {

  402.       return new HashSet<>(scmAccounts).stream()

  403.         .map(Strings::emptyToNull)

  404.         .filter(Objects::nonNull)

  405.         .sorted(String::compareToIgnoreCase)

  406.         .toList();

  407.     }

  408.     return emptyList();

  409.   }

  410. 

  411.   private void checkLoginUniqueness(DbSession dbSession, String login) {

  412.     UserDto existingUser = dbClient.userDao().selectByLogin(dbSession, login);

  413.     checkArgument(existingUser == null, "A user with login '%s' already exists", login);

  414.   }

  415. 

  416.   private UserDto saveUser(DbSession dbSession, UserDto userDto) {

  417.     userDto.setActive(true);

  418.     UserDto res = dbClient.userDao().insert(dbSession, userDto);

  419.     addUserToDefaultGroup(dbSession, userDto);

  420.     return res;

  421.   }

  422. 

  423.   private void updateUser(DbSession dbSession, UserDto dto) {

  424.     dto.setActive(true);

  425.     dbClient.userDao().update(dbSession, dto);

  426.   }

  427. 

  428.   private void notifyNewUser(String login, String name, @Nullable String email) {

  429.     newUserNotifier.onNewUser(NewUserHandler.Context.builder()

  430.       .setLogin(login)

  431.       .setName(name)

  432.       .setEmail(email)

  433.       .build());

  434.   }

  435. 

  436.   private static boolean isUserAlreadyMemberOfDefaultGroup(GroupDto defaultGroup, List<GroupDto> userGroups) {

  437.     return userGroups.stream().anyMatch(group -> defaultGroup.getUuid().equals(group.getUuid()));

  438.   }

  439. 

  440.   private void addUserToDefaultGroup(DbSession dbSession, UserDto userDto) {

  441.     addDefaultGroup(dbSession, userDto);

  442.   }

  443. 

  444.   private void addDefaultGroup(DbSession dbSession, UserDto userDto) {

  445.     List<GroupDto> userGroups = dbClient.groupDao().selectByUserLogin(dbSession, userDto.getLogin());

  446.     GroupDto defaultGroup = defaultGroupFinder.findDefaultGroup(dbSession);

  447.     if (isUserAlreadyMemberOfDefaultGroup(defaultGroup, userGroups)) {

  448.       return;

  449.     }

  450.     dbClient.userGroupDao().insert(dbSession, new UserGroupDto().setUserUuid(userDto.getUuid()).setGroupUuid(defaultGroup.getUuid()),

  451.       defaultGroup.getName(), userDto.getLogin());

  452.   }

  453. }