authorSimon Brandhof <simon.brandhof@sonarsource.com>2016-09-29 21:08:11 +0200
committerSimon Brandhof <simon.brandhof@sonarsource.com>2016-09-29 21:08:17 +0200
commit3dc31a53701aa20bd05fe54a34875b397ffa72c4 (patch)
treee8d3443d753e433d6ee0b9d2126d8534abff7773 /sonar-db
parent3a48d39a6450558b50f8298a88f3587082afa920 (diff)
Bring back some methods in PermissionDao for GOV
Diffstat (limited to 'sonar-db')
-rw-r--r--sonar-db/src/main/java/org/sonar/db/permission/PermissionDao.java28
-rw-r--r--sonar-db/src/main/java/org/sonar/db/permission/PermissionMapper.java6
-rw-r--r--sonar-db/src/main/resources/org/sonar/db/permission/PermissionMapper.xml84
-rw-r--r--sonar-db/src/test/java/org/sonar/db/permission/PermissionDaoTest.java77
-rw-r--r--sonar-db/src/test/resources/org/sonar/db/permission/PermissionDaoTest/keep_authorized_users_for_role_and_project_for_anonymous.xml46
-rw-r--r--sonar-db/src/test/resources/org/sonar/db/permission/PermissionDaoTest/keep_authorized_users_for_role_and_project_for_group.xml46
-rw-r--r--sonar-db/src/test/resources/org/sonar/db/permission/PermissionDaoTest/keep_authorized_users_for_role_and_project_for_user.xml41
7 files changed, 328 insertions, 0 deletions
diff --git a/sonar-db/src/main/java/org/sonar/db/permission/PermissionDao.java b/sonar-db/src/main/java/org/sonar/db/permission/PermissionDao.java
index 70774f47bae..204e30baba4 100644
--- a/sonar-db/src/main/java/org/sonar/db/permission/PermissionDao.java
+++ b/sonar-db/src/main/java/org/sonar/db/permission/PermissionDao.java
@@ -19,6 +19,7 @@
*/
package org.sonar.db.permission;
+import com.google.common.collect.Sets;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
@@ -87,4 +88,31 @@ public class PermissionDao implements Dao {
}
}
+ /**
+ * Keep only authorized user that have the given permission on a given project.
+ * Please Note that if the permission is 'Anyone' is NOT taking into account by thie method.
+ */
+ public Collection<Long> keepAuthorizedUsersForRoleAndProject(final DbSession session, Collection<Long> userIds, String role, final long projectId) {
+ return executeLargeInputs(
+ userIds,
+ partitionOfIds -> session.getMapper(PermissionMapper.class).keepAuthorizedUsersForRoleAndProject(role, projectId, partitionOfIds));
+ }
+
+ public boolean isAuthorizedComponentKey(String componentKey, @Nullable Integer userId, String role) {
+ DbSession session = mybatis.openSession(false);
+ try {
+ return keepAuthorizedComponentKeys(session, componentKey, userId, role).size() == 1;
+ } finally {
+ MyBatis.closeQuietly(session);
+ }
+ }
+
+ private static List<String> keepAuthorizedComponentKeys(final DbSession session, final String componentKey, @Nullable final Integer userId, final String role) {
+ if (userId == null) {
+ return session.getMapper(PermissionMapper.class).keepAuthorizedComponentKeysForAnonymous(role, Sets.newHashSet(componentKey));
+ } else {
+ return session.getMapper(PermissionMapper.class).keepAuthorizedComponentKeysForUser(userId, role, Sets.newHashSet(componentKey));
+ }
+ }
+
}
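Review bot: `isAuthorizedComponentKey` has no Javadoc, yet a null `userId` silently selects the anonymous query in `keepAuthorizedComponentKeys`, so a caller that passes null by mistake gets the answer for 'Anyone' instead of an error. I would state that contract on the public method, e.g. `/** Returns true if the user (anonymous when userId is null) has the role on the component key, through a direct, group or 'Anyone' grant. */`. The Javadoc added on `keepAuthorizedUsersForRoleAndProject` would also read better as `Note that 'Anyone' grants are NOT taken into account by this method.`, because that exclusion is the part of the contract callers most need to see.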
diff --git a/sonar-db/src/main/java/org/sonar/db/permission/PermissionMapper.java b/sonar-db/src/main/java/org/sonar/db/permission/PermissionMapper.java
index 8010812c5cc..d8d1c029ef1 100644
--- a/sonar-db/src/main/java/org/sonar/db/permission/PermissionMapper.java
+++ b/sonar-db/src/main/java/org/sonar/db/permission/PermissionMapper.java
@@ -35,4 +35,10 @@ public interface PermissionMapper {
List<Long> keepAuthorizedProjectIdsForUser(@Param("userId") long userId, @Param("role") String role, @Param("componentIds") Collection<Long> componentIds);
+ List<String> keepAuthorizedComponentKeysForAnonymous(@Param("role") String role, @Param("componentKeys") Collection<String> componentKeys);
+
+ List<String> keepAuthorizedComponentKeysForUser(@Param("userId") Integer userId, @Param("role") String role, @Param("componentKeys") Collection<String> componentKeys);
+
+ List<Long> keepAuthorizedUsersForRoleAndProject(@Param("role") String role, @Param("componentId") long componentId, @Param("userIds") List<Long> userIds);
+
}
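Review bot: `keepAuthorizedComponentKeysForUser` declares `@Param("userId") Integer userId`, while the neighbouring `keepAuthorizedProjectIdsForUser` takes `long userId` and the new `keepAuthorizedUsersForRoleAndProject` works on `List<Long>`. The DAO only calls this method on its non-null branch, so the boxed type buys nothing and leaves the user-id width inconsistent across the permission queries. I would declare it as `@Param("userId") long userId`; the `Integer` argument passed by `PermissionDao` still converts.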
diff --git a/sonar-db/src/main/resources/org/sonar/db/permission/PermissionMapper.xml b/sonar-db/src/main/resources/org/sonar/db/permission/PermissionMapper.xml
index d02f2b152b7..a3aad31ed9c 100644
--- a/sonar-db/src/main/resources/org/sonar/db/permission/PermissionMapper.xml
+++ b/sonar-db/src/main/resources/org/sonar/db/permission/PermissionMapper.xml
@@ -151,4 +151,88 @@
</choose>
</select>
+ <select id="keepAuthorizedComponentKeysForAnonymous" parameterType="map" resultType="string">
+ SELECT p.kee
+ FROM group_roles gr, projects p
+ WHERE
+ gr.role=#{role}
+ and gr.group_id is null
+ and gr.resource_id = p.id
+ and
+ <foreach collection="componentKeys" open="(" close=")" item="element" index="index" separator=" or ">
+ p.kee=#{element}
+ </foreach>
+ UNION
+ SELECT p.kee
+ FROM group_roles gr, projects root, projects p
+ WHERE
+ gr.role=#{role}
+ and gr.group_id is null
+ and gr.resource_id = root.id
+ and p.root_uuid = root.uuid
+ and
+ <foreach collection="componentKeys" open="(" close=")" item="element" index="index" separator=" or ">
+ p.kee=#{element}
+ </foreach>
+ </select>
+
+ <select id="keepAuthorizedComponentKeysForUser" parameterType="map" resultType="string">
+ SELECT p.kee
+ FROM group_roles gr, projects p
+ WHERE
+ gr.role=#{role}
+ and (gr.group_id is null or gr.group_id in (select gu.group_id from groups_users gu where gu.user_id=#{userId}))
+ and gr.resource_id = p.id
+ and
+ <foreach collection="componentKeys" open="(" close=")" item="element" index="index" separator=" or ">
+ p.kee=#{element}
+ </foreach>
+ UNION
+ SELECT p.kee
+ FROM group_roles gr, projects root, projects p
+ WHERE
+ gr.role=#{role}
+ and (gr.group_id is null or gr.group_id in (select gu.group_id from groups_users gu where gu.user_id=#{userId}))
+ and gr.resource_id = root.id
+ and p.root_uuid = root.uuid
+ and
+ <foreach collection="componentKeys" open="(" close=")" item="element" index="index" separator=" or ">
+ p.kee=#{element}
+ </foreach>
+ UNION
+ SELECT p.kee
+ FROM user_roles ur
+ INNER JOIN projects p on p.id = ur.resource_id
+ WHERE
+ ur.role=#{role}
+ and ur.user_id=#{userId}
+ and
+ <foreach collection="componentKeys" open="(" close=")" item="element" index="index" separator=" or ">
+ p.kee=#{element}
+ </foreach>
+ </select>
+
+ <select id="keepAuthorizedUsersForRoleAndProject" parameterType="map" resultType="Long">
+ SELECT gu.user_id
+ FROM groups_users gu
+ INNER JOIN group_roles gr ON gr.group_id=gu.group_id
+ WHERE
+ gr.resource_id=#{componentId}
+ AND gr.role=#{role}
+ AND gu.user_id in
+ <foreach collection="userIds" open="(" close=")" item="id" separator=",">
+ #{id}
+ </foreach>
+ UNION
+ SELECT ur.user_id
+ FROM user_roles ur
+ WHERE
+ ur.resource_id=#{componentId}
+ AND ur.role=#{role}
+ AND ur.user_id IN
+ <foreach collection="userIds" open="(" close=")" item="id" separator=",">
+ #{id}
+ </foreach>
+ </select>
+
</mapper>
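Review bot: In `keepAuthorizedComponentKeysForUser` the two `group_roles` branches match a grant either on the component itself or on its root (`p.root_uuid = root.uuid`), but the `user_roles` branch only joins `p.id = ur.resource_id`. A user holding a direct grant on a project therefore appears not to be authorized for a module or file key of that project, while a member of a granted group is. The result fails closed, so this is an inconsistency rather than a bypass, and it may be intentional. If it is not, a fourth branch mirroring the root join would align the two grant types.

```xml
<!-- … unchanged: the three existing branches of keepAuthorizedComponentKeysForUser … -->
UNION
SELECT p.kee
FROM user_roles ur, projects root, projects p
WHERE
  ur.role=#{role}
  and ur.user_id=#{userId}
  and ur.resource_id = root.id
  and p.root_uuid = root.uuid
  and
  <foreach collection="componentKeys" open="(" close=")" item="element" index="index" separator=" or ">
    p.kee=#{element}
  </foreach>
```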
diff --git a/sonar-db/src/test/java/org/sonar/db/permission/PermissionDaoTest.java b/sonar-db/src/test/java/org/sonar/db/permission/PermissionDaoTest.java
index 43137eb4e29..64be54435e3 100644
--- a/sonar-db/src/test/java/org/sonar/db/permission/PermissionDaoTest.java
+++ b/sonar-db/src/test/java/org/sonar/db/permission/PermissionDaoTest.java
@@ -35,6 +35,7 @@ public class PermissionDaoTest {
private static final Long PROJECT_ID = 300L;
private static final Long PROJECT_ID_WITHOUT_SNAPSHOT = 400L;
private static final String PROJECT = "pj-w-snapshot";
+ private static final String PROJECT_WIHOUT_SNAPSHOT = "pj-wo-snapshot";
@Rule
public DbTester dbTester = DbTester.create(System2.INSTANCE);
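Review bot: The new constant is misspelled `PROJECT_WIHOUT_SNAPSHOT`, right below the existing `PROJECT_ID_WITHOUT_SNAPSHOT`. I would declare it as `private static final String PROJECT_WITHOUT_SNAPSHOT = "pj-wo-snapshot";` and update the uses in the three `is_authorized_component_key_*` tests added in the next hunk.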
@@ -249,4 +250,80 @@ public class PermissionDaoTest {
assertThat(authorization.selectGlobalPermissions("anyone_user")).containsOnly("user", "profileadmin");
}
+ @Test
+ public void is_authorized_component_key_for_user() {
+ dbTester.prepareDbUnit(getClass(), "keep_authorized_project_ids_for_user.xml");
+
+ assertThat(authorization.isAuthorizedComponentKey(PROJECT, USER, "user")).isTrue();
+ assertThat(authorization.isAuthorizedComponentKey(PROJECT_WIHOUT_SNAPSHOT, USER, "user")).isFalse();
+
+ // user does not have the role "admin"
+ assertThat(authorization.isAuthorizedComponentKey(PROJECT, USER, "admin")).isFalse();
+ }
+
+ @Test
+ public void is_authorized_component_key_for_group() {
+ dbTester.prepareDbUnit(getClass(), "keep_authorized_project_ids_for_group.xml");
+
+ assertThat(authorization.isAuthorizedComponentKey(PROJECT, USER, "user")).isTrue();
+ assertThat(authorization.isAuthorizedComponentKey(PROJECT_WIHOUT_SNAPSHOT, USER, "user")).isFalse();
+
+ // user does not have the role "admin"
+ assertThat(authorization.isAuthorizedComponentKey(PROJECT, USER, "admin")).isFalse();
+ }
+
+ @Test
+ public void is_authorized_component_key_for_anonymous() {
+ dbTester.prepareDbUnit(getClass(), "keep_authorized_project_ids_for_anonymous.xml");
+
+ assertThat(authorization.isAuthorizedComponentKey(PROJECT, null, "user")).isTrue();
+ assertThat(authorization.isAuthorizedComponentKey(PROJECT_WIHOUT_SNAPSHOT, null, "user")).isFalse();
+ assertThat(authorization.isAuthorizedComponentKey(PROJECT, null, "admin")).isFalse();
+ }
+
+ @Test
+ public void keep_authorized_users_for_role_and_project_for_user() {
+ dbTester.prepareDbUnit(getClass(), "keep_authorized_users_for_role_and_project_for_user.xml");
+
+ assertThat(authorization.keepAuthorizedUsersForRoleAndProject(dbTester.getSession(),
+ // Only 100 and 101 has 'user' role on project
+ newHashSet(100L, 101L, 102L), "user", PROJECT_ID)).containsOnly(100L, 101L);
+
+ assertThat(authorization.keepAuthorizedUsersForRoleAndProject(dbTester.getSession(),
+ // Only 100 and 101 has 'user' role on project
+ newHashSet(100L), "user", PROJECT_ID)).containsOnly(100L);
+
+ // user does not have the role "admin"
+ assertThat(authorization.keepAuthorizedUsersForRoleAndProject(dbTester.getSession(), newHashSet(100L), "admin", PROJECT_ID)).isEmpty();
+
+ // Empty list
+ assertThat(authorization.keepAuthorizedUsersForRoleAndProject(dbTester.getSession(), Collections.emptySet(), "user", PROJECT_ID)).isEmpty();
+ }
+
+ @Test
+ public void keep_authorized_users_for_role_and_project_for_group() {
+ dbTester.prepareDbUnit(getClass(), "keep_authorized_users_for_role_and_project_for_group.xml");
+
+ assertThat(authorization.keepAuthorizedUsersForRoleAndProject(dbTester.getSession(),
+ // Only 100 and 101 has 'user' role on project
+ newHashSet(100L, 101L, 102L), "user", PROJECT_ID)).containsOnly(100L, 101L);
+
+ assertThat(authorization.keepAuthorizedUsersForRoleAndProject(dbTester.getSession(),
+ newHashSet(100L), "user", PROJECT_ID)).containsOnly(100L);
+
+ // user does not have the role "admin"
+ assertThat(authorization.keepAuthorizedUsersForRoleAndProject(dbTester.getSession(), newHashSet(100L), "admin", PROJECT_ID)).isEmpty();
+
+ // Empty list
+ assertThat(authorization.keepAuthorizedUsersForRoleAndProject(dbTester.getSession(), Collections.emptySet(), "user", PROJECT_ID)).isEmpty();
+ }
+
+ @Test
+ public void keep_authorized_users_returns_empty_list_for_role_and_project_for_anonymous() {
+ dbTester.prepareDbUnit(getClass(), "keep_authorized_users_for_role_and_project_for_anonymous.xml");
+
+ assertThat(authorization.keepAuthorizedUsersForRoleAndProject(dbTester.getSession(),
+ // Only 100 and 101 has 'user' role on project
+ newHashSet(100L, 101L, 102L), "user", PROJECT_ID)).isEmpty();
+ }
}
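Review bot: The comment `// Only 100 and 101 has 'user' role on project` inside `keep_authorized_users_returns_empty_list_for_role_and_project_for_anonymous` contradicts the `.isEmpty()` assertion it sits in; it looks copied from the tests above. This test is the one that pins the "'Anyone' is ignored" behaviour, so the comment should say so: `// 'Anyone' has the 'user' role on the project, but that grant is ignored`. The same copied comment also sits over the single-id call `newHashSet(100L)` in the `_for_user` test, where it can simply be dropped.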
diff --git a/sonar-db/src/test/resources/org/sonar/db/permission/PermissionDaoTest/keep_authorized_users_for_role_and_project_for_anonymous.xml b/sonar-db/src/test/resources/org/sonar/db/permission/PermissionDaoTest/keep_authorized_users_for_role_and_project_for_anonymous.xml
new file mode 100644
index 00000000000..93356a34bda
--- /dev/null
+++ b/sonar-db/src/test/resources/org/sonar/db/permission/PermissionDaoTest/keep_authorized_users_for_role_and_project_for_anonymous.xml
@@ -0,0 +1,46 @@
+<dataset>
+
+ <!-- users 100 and 101 have no direct grant access, but are in the group 200 that has the role "user" on the project 300 -->
+ <user_roles id="1"
+ user_id="100"
+ resource_id="999"
+ role="user"/>
+ <user_roles id="2"
+ user_id="101"
+ resource_id="999"
+ role="user"/>
+ <user_roles id="3"
+ user_id="102"
+ resource_id="999"
+ role="user"/>
+
+ <groups_users user_id="100"
+ group_id="200"/>
+ <groups_users user_id="101"
+ group_id="200"/>
+ <groups_users user_id="102"
+ group_id="201"/>
+
+ <group_roles id="1"
+ group_id="[null]"
+ resource_id="300"
+ role="user"/>
+ <group_roles id="2"
+ group_id="201"
+ resource_id="400"
+ role="user"/>
+
+ <projects id="300"
+ kee="pj-w-snapshot"
+ uuid="DEFG"
+ uuid_path="NOT_USED"
+ root_uuid="DEFG"
+ module_uuid="[null]"/>
+ <projects id="400"
+ kee="pj-wo-snapshot"
+ uuid="EFGH"
+ uuid_path="NOT_USED"
+ root_uuid="EFGH"
+ module_uuid="[null]"/>
+
+</dataset>
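Review bot: The header comment of this fixture says users 100 and 101 "are in the group 200 that has the role "user" on the project 300", but `group_roles id="1"` here has `group_id="[null]"`, so the grant on project 300 belongs to 'Anyone' and group 200 has no role at all. The comment appears to be copied from the `_for_group` fixture. I would replace it with `<!-- 'Anyone' has the role "user" on project 300; no user or group has a grant on it -->` so the dataset explains why the test expects an empty result.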
diff --git a/sonar-db/src/test/resources/org/sonar/db/permission/PermissionDaoTest/keep_authorized_users_for_role_and_project_for_group.xml b/sonar-db/src/test/resources/org/sonar/db/permission/PermissionDaoTest/keep_authorized_users_for_role_and_project_for_group.xml
new file mode 100644
index 00000000000..3b7278e4c0a
--- /dev/null
+++ b/sonar-db/src/test/resources/org/sonar/db/permission/PermissionDaoTest/keep_authorized_users_for_role_and_project_for_group.xml
@@ -0,0 +1,46 @@
+<dataset>
+
+ <!-- users 100 and 101 have no direct grant access, but are in the group 200 that has the role "user" on the project 300 -->
+ <user_roles id="1"
+ user_id="100"
+ resource_id="999"
+ role="user"/>
+ <user_roles id="2"
+ user_id="101"
+ resource_id="999"
+ role="user"/>
+ <user_roles id="3"
+ user_id="102"
+ resource_id="999"
+ role="user"/>
+
+ <groups_users user_id="100"
+ group_id="200"/>
+ <groups_users user_id="101"
+ group_id="200"/>
+ <groups_users user_id="102"
+ group_id="201"/>
+
+ <group_roles id="1"
+ group_id="200"
+ resource_id="300"
+ role="user"/>
+ <group_roles id="2"
+ group_id="201"
+ resource_id="400"
+ role="user"/>
+
+ <projects id="300"
+ kee="pj-w-snapshot"
+ uuid="DEFG"
+ uuid_path="NOT_USED"
+ root_uuid="DEFG"
+ module_uuid="[null]"/>
+ <projects id="400"
+ kee="pj-wo-snapshot"
+ uuid="EFGH"
+ uuid_path="NOT_USED"
+ root_uuid="EFGH"
+ module_uuid="[null]"/>
+
+</dataset>
diff --git a/sonar-db/src/test/resources/org/sonar/db/permission/PermissionDaoTest/keep_authorized_users_for_role_and_project_for_user.xml b/sonar-db/src/test/resources/org/sonar/db/permission/PermissionDaoTest/keep_authorized_users_for_role_and_project_for_user.xml
new file mode 100644
index 00000000000..173657868ec
--- /dev/null
+++ b/sonar-db/src/test/resources/org/sonar/db/permission/PermissionDaoTest/keep_authorized_users_for_role_and_project_for_user.xml
@@ -0,0 +1,41 @@
+<dataset>
+
+ <!-- Users 100 and 101 are 'user' on project 300 -->
+ <user_roles id="1"
+ user_id="100"
+ resource_id="300"
+ role="user"/>
+ <user_roles id="2"
+ user_id="101"
+ resource_id="300"
+ role="user"/>
+ <user_roles id="3"
+ user_id="102"
+ resource_id="300"
+ role="admin"/>
+ <user_roles id="4"
+ user_id="100"
+ resource_id="400"
+ role="user"/>
+
+ <groups_users user_id="100"
+ group_id="200"/>
+ <group_roles id="1"
+ group_id="200"
+ resource_id="400"
+ role="user"/>
+
+ <projects id="300"
+ kee="pj-w-snapshot"
+ uuid="DEFG"
+ uuid_path="NOT_USED"
+ root_uuid="DEFG"
+ module_uuid="[null]"/>
+ <projects id="400"
+ kee="pj-wo-snapshot"
+ uuid="EFGH"
+ uuid_path="NOT_USED"
+ root_uuid="EFGH"
+ module_uuid="[null]"/>
+
+</dataset>