author | Simon Brandhof <simon.brandhof@sonarsource.com> | 2017-02-17 15:42:16 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-02-17 15:42:16 +0100 |
commit | 9f5ad5ec0cadc465c61e9c6b3952753e4abfa91f (patch) | |
tree | af219488028a4452baae23a1126032da088ad818 /server/sonar-server/src | |
parent | 178a5b15ca505e620a836788df7ca70f530c9b34 (diff) | |
Disable authorization for roots in ES indices
Diffstat (limited to 'server/sonar-server/src')
5 files changed, 185 insertions, 0 deletions
diff --git a/server/sonar-server/src/main/java/org/sonar/server/permission/index/AuthorizationTypeSupport.java b/server/sonar-server/src/main/java/org/sonar/server/permission/index/AuthorizationTypeSupport.java
index 3ca3359473c..6d4c1c33b6b 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/permission/index/AuthorizationTypeSupport.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/permission/index/AuthorizationTypeSupport.java
@@ -85,6 +85,10 @@ public class AuthorizationTypeSupport {
 * user has read access.
 */
 public QueryBuilder createQueryFilter() {
+ if (userSession.isRoot()) {
+ return QueryBuilders.matchAllQuery();
+ }
+
 Integer userId = userSession.getUserId();
 BoolQueryBuilder filter = boolQuery();
diff --git a/server/sonar-server/src/test/java/org/sonar/server/component/index/ComponentIndexLoginTest.java b/server/sonar-server/src/test/java/org/sonar/server/component/index/ComponentIndexLoginTest.java
index b294e4ea4e5..c5b30d5db51 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/component/index/ComponentIndexLoginTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/component/index/ComponentIndexLoginTest.java
@@ -68,4 +68,14 @@ public class ComponentIndexLoginTest extends ComponentIndexTest {
 authorizationIndexerTester.allowOnlyGroup(project, group);
 assertSearchResults("sonarqube", project);
 }
+
+ @Test
+ public void do_not_check_permissions_when_logged_in_user_is_root() {
+ userSession.logIn().setRoot();
+ ComponentDto project = newProject("sonarqube", "Quality Product");
+ indexer.index(project);
+ // do not give any permissions to that project
+
+ assertSearchResults("sonarqube", project);
+ }
 }
diff --git a/server/sonar-server/src/test/java/org/sonar/server/issue/index/IssueIndexTest.java b/server/sonar-server/src/test/java/org/sonar/server/issue/index/IssueIndexTest.java
index a27cf1661be..a0b31e5f8e5 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/issue/index/IssueIndexTest.java
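Review bot: The Javadoc that closes just above `createQueryFilter()` in the AuthorizationTypeSupport.java hunk (only its last line, `* user has read access.`, is visible) no longer matches the method, because the new early return gives a root session `QueryBuilders.matchAllQuery()` with no has_parent authorization clause at all. Every index that builds its filter through this method inherits the bypass, so the contract should state it, for example `* Root users are not filtered: a match-all query is returned.` The decision rests entirely on `userSession.isRoot()`, whose implementation is outside this diff, so it is worth confirming that the flag can only be true for an authenticated session. The method body continues past the end of the hunk.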
+++ b/server/sonar-server/src/test/java/org/sonar/server/issue/index/IssueIndexTest.java
@@ -1218,6 +1218,15 @@ public class IssueIndexTest {
 }
 @Test
+ public void root_user_is_authorized_to_access_all_issues() {
+ ComponentDto project = newProjectDto(newOrganizationDto());
+ indexIssue(IssueDocTesting.newDoc("I1", project));
+ userSessionRule.logIn().setRoot();
+
+ assertThat(underTest.search(IssueQuery.builder().build(), new SearchOptions()).getDocs()).hasSize(1);
+ }
+
+ @Test
 public void search_issues_for_batch_return_needed_fields() {
 ComponentDto project = newProjectDto(newOrganizationDto(), "PROJECT");
 ComponentDto file = newFileDto(project, null).setPath("src/File.xoo");
diff --git a/server/sonar-server/src/test/java/org/sonar/server/measure/index/ProjectMeasuresIndexTest.java b/server/sonar-server/src/test/java/org/sonar/server/measure/index/ProjectMeasuresIndexTest.java
index ecb6a730b17..67d69c11523 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/measure/index/ProjectMeasuresIndexTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/measure/index/ProjectMeasuresIndexTest.java
@@ -273,6 +273,15 @@ public class ProjectMeasuresIndexTest {
 }
 @Test
+ public void root_user_can_access_all_projects() {
+ indexForUser(USER1, newDoc(PROJECT1));
+ // connecting with a root but not USER1
+ userSession.logIn().setRoot();
+
+ assertResults(new ProjectMeasuresQuery(), PROJECT1);
+ }
+
+ @Test
 public void does_not_return_facet_when_no_facets_in_options() throws Exception {
 index(
 newDoc(PROJECT1, NCLOC, 10d, COVERAGE_KEY, 30d, MAINTAINABILITY_RATING, 3d)
diff --git a/server/sonar-server/src/test/java/org/sonar/server/permission/index/AuthorizationTypeSupportTest.java b/server/sonar-server/src/test/java/org/sonar/server/permission/index/AuthorizationTypeSupportTest.java
new file mode 100644
index 00000000000..b52f34d96e8
--- /dev/null
+++ b/server/sonar-server/src/test/java/org/sonar/server/permission/index/AuthorizationTypeSupportTest.java
@@ -0,0 +1,153 @@
+/*
+ * SonarQube
+ * Copyright (C) 2009-2017 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+package org.sonar.server.permission.index;
+
+import org.elasticsearch.index.query.HasParentQueryBuilder;
+import org.elasticsearch.index.query.MatchAllQueryBuilder;
+import org.elasticsearch.index.query.QueryBuilder;
+import org.junit.Rule;
+import org.junit.Test;
+import org.sonar.db.user.GroupDto;
+import org.sonar.db.user.GroupTesting;
+import org.sonar.server.tester.UserSessionRule;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.sonar.test.JsonAssert.assertJson;
+
+public class AuthorizationTypeSupportTest {
+
+ @Rule
+ public UserSessionRule userSession = UserSessionRule.standalone();
+
+ private AuthorizationTypeSupport underTest = new AuthorizationTypeSupport(userSession);
+
+ @Test
+ public void createQueryFilter_does_not_include_permission_filters_if_user_is_flagged_as_root() {
+ userSession.logIn().setRoot();
+
+ QueryBuilder filter = underTest.createQueryFilter();
+
+ assertThat(filter).isInstanceOf(MatchAllQueryBuilder.class);
+ }
+
+ @Test
+ public void createQueryFilter_sets_filter_on_anyone_group_if_user_is_anonymous() {
+ userSession.anonymous();
+
+ HasParentQueryBuilder filter = (HasParentQueryBuilder) underTest.createQueryFilter();
+
+ assertJson(filter.toString()).isSimilarTo("{" +
+ " \"has_parent\" : {" +
+ " \"query\" : {" +
+ " \"bool\" : {" +
+ " \"filter\" : {" +
+ " \"bool\" : {" +
+ " \"should\" : {" +
+ " \"term\" : {" +
+ " \"allowAnyone\" : true" +
+ " }" +
+ " }" +
+ " }" +
+ " }" +
+ " }" +
+ " }," +
+ " \"parent_type\" : \"authorization\"" +
+ " }" +
+ "}");
+ }
+
+ @Test
+ public void createQueryFilter_sets_filter_on_anyone_and_user_id_if_user_is_logged_in_but_has_no_groups() {
+ userSession.logIn().setUserId(1234);
+
+ HasParentQueryBuilder filter = (HasParentQueryBuilder) underTest.createQueryFilter();
+
+ assertJson(filter.toString()).isSimilarTo("{" +
+ " \"has_parent\": {" +
+ " \"query\": {" +
+ " \"bool\": {" +
+ " \"filter\": {" +
+ " \"bool\": {" +
+ " \"should\": [" +
+ " {" +
+ " \"term\": {" +
+ " \"allowAnyone\": true" +
+ " }" +
+ " }," +
+ " {" +
+ " \"term\": {" +
+ " \"userIds\": 1234" +
+ " }" +
+ " }" +
+ " ]" +
+ " }" +
+ " }" +
+ " }" +
+ " }," +
+ " \"parent_type\": \"authorization\"" +
+ " }" +
+ "}");
+ }
+
+ @Test
+ public void createQueryFilter_sets_filter_on_anyone_and_user_id_and_group_ids_if_user_is_logged_in_and_has_groups() {
+ GroupDto group1 = GroupTesting.newGroupDto().setId(10L);
+ GroupDto group2 = GroupTesting.newGroupDto().setId(11L);
+ userSession.logIn().setUserId(1234).setGroups(group1, group2);
+
+ HasParentQueryBuilder filter = (HasParentQueryBuilder) underTest.createQueryFilter();
+
+ assertJson(filter.toString()).isSimilarTo("{" +
+ " \"has_parent\": {" +
+ " \"query\": {" +
+ " \"bool\": {" +
+ " \"filter\": {" +
+ " \"bool\": {" +
+ " \"should\": [" +
+ " {" +
+ " \"term\": {" +
+ " \"allowAnyone\": true" +
+ " }" +
+ " }," +
+ " {" +
+ " \"term\": {" +
+ " \"userIds\": 1234" +
+ " }" +
+ " }," +
+ " {" +
+ " \"term\": {" +
+ " \"groupIds\": 10" +
+ " }" +
+ " }," +
+ " {" +
+ " \"term\": {" +
+ " \"groupIds\": 11" +
+ " }" +
+ " }" +
+ " ]" +
+ " }" +
+ " }" +
+ " }" +
+ " }," +
+ " \"parent_type\": \"authorization\"" +
+ " }" +
+ "}");
+ }
+}
|
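Review bot: In AuthorizationTypeSupportTest the three non-root tests cast the result directly, `(HasParentQueryBuilder) underTest.createQueryFilter()`, so a regression that returned the match-all query to an anonymous or ordinary user would surface as a ClassCastException rather than as a failed assertion about the authorization filter. Keeping the result as `QueryBuilder filter = underTest.createQueryFilter();` and adding `assertThat(filter).isInstanceOf(HasParentQueryBuilder.class);` before the JSON comparison would make that expectation explicit. This mirrors the `isInstanceOf(MatchAllQueryBuilder.class)` check already used in the root test.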