| // Copyright (C) 2011 The Android Open Source Project |
| // |
| // Licensed under the Apache License, Version 2.0 (the "License"); |
| // you may not use this file except in compliance with the License. |
| // You may obtain a copy of the License at |
| // |
| // http://www.apache.org/licenses/LICENSE-2.0 |
| // |
| // Unless required by applicable law or agreed to in writing, software |
| // distributed under the License is distributed on an "AS IS" BASIS, |
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| // See the License for the specific language governing permissions and |
| // limitations under the License. |
| |
| package com.google.gerrit.httpd.rpc.project; |
| |
| import static com.google.gerrit.server.permissions.GlobalPermission.ADMINISTRATE_SERVER; |
| import static com.google.gerrit.server.permissions.RefPermission.CREATE_CHANGE; |
| import static com.google.gerrit.server.permissions.RefPermission.READ; |
| import static com.google.gerrit.server.permissions.RefPermission.WRITE_CONFIG; |
| |
| import com.google.common.collect.Maps; |
| import com.google.gerrit.common.data.AccessSection; |
| import com.google.gerrit.common.data.GroupDescription; |
| import com.google.gerrit.common.data.GroupInfo; |
| import com.google.gerrit.common.data.Permission; |
| import com.google.gerrit.common.data.PermissionRule; |
| import com.google.gerrit.common.data.ProjectAccess; |
| import com.google.gerrit.common.data.RefConfigSection; |
| import com.google.gerrit.common.data.WebLinkInfoCommon; |
| import com.google.gerrit.common.errors.NoSuchGroupException; |
| import com.google.gerrit.extensions.restapi.AuthException; |
| import com.google.gerrit.extensions.restapi.ResourceConflictException; |
| import com.google.gerrit.httpd.rpc.Handler; |
| import com.google.gerrit.reviewdb.client.AccountGroup; |
| import com.google.gerrit.reviewdb.client.Project; |
| import com.google.gerrit.reviewdb.client.RefNames; |
| import com.google.gerrit.server.WebLinks; |
| import com.google.gerrit.server.account.GroupBackend; |
| import com.google.gerrit.server.account.GroupControl; |
| import com.google.gerrit.server.config.AllProjectsName; |
| import com.google.gerrit.server.git.meta.MetaDataUpdate; |
| import com.google.gerrit.server.permissions.GlobalPermission; |
| import com.google.gerrit.server.permissions.PermissionBackend; |
| import com.google.gerrit.server.permissions.PermissionBackendException; |
| import com.google.gerrit.server.permissions.ProjectPermission; |
| import com.google.gerrit.server.permissions.RefPermission; |
| import com.google.gerrit.server.project.NoSuchProjectException; |
| import com.google.gerrit.server.project.ProjectCache; |
| import com.google.gerrit.server.project.ProjectConfig; |
| import com.google.gerrit.server.project.ProjectState; |
| import com.google.inject.Inject; |
| import com.google.inject.assistedinject.Assisted; |
| import java.io.IOException; |
| import java.util.ArrayList; |
| import java.util.HashMap; |
| import java.util.HashSet; |
| import java.util.List; |
| import java.util.Map; |
| import java.util.Set; |
| import org.eclipse.jgit.errors.ConfigInvalidException; |
| |
| class ProjectAccessFactory extends Handler<ProjectAccess> { |
| interface Factory { |
| ProjectAccessFactory create(@Assisted Project.NameKey name); |
| } |
| |
| private final GroupBackend groupBackend; |
| private final ProjectCache projectCache; |
| private final PermissionBackend permissionBackend; |
| private final GroupControl.Factory groupControlFactory; |
| private final MetaDataUpdate.Server metaDataUpdateFactory; |
| private final AllProjectsName allProjectsName; |
| |
| private final Project.NameKey projectName; |
| private WebLinks webLinks; |
| |
| @Inject |
| ProjectAccessFactory( |
| GroupBackend groupBackend, |
| ProjectCache projectCache, |
| PermissionBackend permissionBackend, |
| GroupControl.Factory groupControlFactory, |
| MetaDataUpdate.Server metaDataUpdateFactory, |
| AllProjectsName allProjectsName, |
| WebLinks webLinks, |
| @Assisted final Project.NameKey name) { |
| this.groupBackend = groupBackend; |
| this.projectCache = projectCache; |
| this.permissionBackend = permissionBackend; |
| this.groupControlFactory = groupControlFactory; |
| this.metaDataUpdateFactory = metaDataUpdateFactory; |
| this.allProjectsName = allProjectsName; |
| this.webLinks = webLinks; |
| |
| this.projectName = name; |
| } |
| |
| @Override |
| public ProjectAccess call() |
| throws NoSuchProjectException, IOException, ConfigInvalidException, |
| PermissionBackendException, ResourceConflictException { |
| ProjectState projectState = checkProjectState(); |
| |
| // Load the current configuration from the repository, ensuring its the most |
| // recent version available. If it differs from what was in the project |
| // state, force a cache flush now. |
| // |
| ProjectConfig config; |
| try (MetaDataUpdate md = metaDataUpdateFactory.create(projectName)) { |
| config = ProjectConfig.read(md); |
| if (config.updateGroupNames(groupBackend)) { |
| md.setMessage("Update group names\n"); |
| config.commit(md); |
| projectCache.evict(config.getProject()); |
| projectState = checkProjectState(); |
| } else if (config.getRevision() != null |
| && !config.getRevision().equals(projectState.getConfig().getRevision())) { |
| projectCache.evict(config.getProject()); |
| projectState = checkProjectState(); |
| } |
| } |
| |
| // The following implementation must match the GetAccess REST API endpoint. |
| |
| List<AccessSection> local = new ArrayList<>(); |
| Set<String> ownerOf = new HashSet<>(); |
| Map<AccountGroup.UUID, Boolean> visibleGroups = new HashMap<>(); |
| PermissionBackend.ForProject perm = permissionBackend.currentUser().project(projectName); |
| boolean checkReadConfig = check(perm, RefNames.REFS_CONFIG, READ); |
| boolean canWriteProjectConfig = true; |
| try { |
| perm.check(ProjectPermission.WRITE_CONFIG); |
| } catch (AuthException e) { |
| canWriteProjectConfig = false; |
| } |
| |
| for (AccessSection section : config.getAccessSections()) { |
| String name = section.getName(); |
| if (AccessSection.GLOBAL_CAPABILITIES.equals(name)) { |
| if (canWriteProjectConfig) { |
| local.add(section); |
| ownerOf.add(name); |
| |
| } else if (checkReadConfig) { |
| local.add(section); |
| } |
| |
| } else if (RefConfigSection.isValid(name)) { |
| if (check(perm, name, WRITE_CONFIG)) { |
| local.add(section); |
| ownerOf.add(name); |
| |
| } else if (checkReadConfig) { |
| local.add(section); |
| |
| } else if (check(perm, name, READ)) { |
| // Filter the section to only add rules describing groups that |
| // are visible to the current-user. This includes any group the |
| // user is a member of, as well as groups they own or that |
| // are visible to all users. |
| |
| AccessSection dst = null; |
| for (Permission srcPerm : section.getPermissions()) { |
| Permission dstPerm = null; |
| |
| for (PermissionRule srcRule : srcPerm.getRules()) { |
| AccountGroup.UUID group = srcRule.getGroup().getUUID(); |
| if (group == null) { |
| continue; |
| } |
| |
| Boolean canSeeGroup = visibleGroups.get(group); |
| if (canSeeGroup == null) { |
| try { |
| canSeeGroup = groupControlFactory.controlFor(group).isVisible(); |
| } catch (NoSuchGroupException e) { |
| canSeeGroup = Boolean.FALSE; |
| } |
| visibleGroups.put(group, canSeeGroup); |
| } |
| |
| if (canSeeGroup) { |
| if (dstPerm == null) { |
| if (dst == null) { |
| dst = new AccessSection(name); |
| local.add(dst); |
| } |
| dstPerm = dst.getPermission(srcPerm.getName(), true); |
| } |
| dstPerm.add(srcRule); |
| } |
| } |
| } |
| } |
| } |
| } |
| |
| if (ownerOf.isEmpty() && isAdmin()) { |
| // Special case: If the section list is empty, this project has no current |
| // access control information. Fall back to site administrators. |
| ownerOf.add(AccessSection.ALL); |
| } |
| |
| final ProjectAccess detail = new ProjectAccess(); |
| detail.setProjectName(projectName); |
| |
| if (config.getRevision() != null) { |
| detail.setRevision(config.getRevision().name()); |
| } |
| |
| detail.setInheritsFrom(config.getProject().getParent(allProjectsName)); |
| |
| if (projectName.equals(allProjectsName) |
| && permissionBackend.currentUser().testOrFalse(ADMINISTRATE_SERVER)) { |
| ownerOf.add(AccessSection.GLOBAL_CAPABILITIES); |
| } |
| |
| detail.setLocal(local); |
| detail.setOwnerOf(ownerOf); |
| detail.setCanUpload( |
| canWriteProjectConfig |
| || (checkReadConfig |
| && perm.ref(RefNames.REFS_CONFIG).testOrFalse(CREATE_CHANGE) |
| && projectState.statePermitsWrite())); |
| detail.setConfigVisible(canWriteProjectConfig || checkReadConfig); |
| detail.setGroupInfo(buildGroupInfo(local)); |
| detail.setLabelTypes(projectState.getLabelTypes()); |
| detail.setFileHistoryLinks(getConfigFileLogLinks(projectName.get())); |
| return detail; |
| } |
| |
| private List<WebLinkInfoCommon> getConfigFileLogLinks(String projectName) { |
| List<WebLinkInfoCommon> links = |
| webLinks.getFileHistoryLinks( |
| projectName, RefNames.REFS_CONFIG, ProjectConfig.PROJECT_CONFIG); |
| return links.isEmpty() ? null : links; |
| } |
| |
| private Map<AccountGroup.UUID, GroupInfo> buildGroupInfo(List<AccessSection> local) { |
| Map<AccountGroup.UUID, GroupInfo> infos = new HashMap<>(); |
| for (AccessSection section : local) { |
| for (Permission permission : section.getPermissions()) { |
| for (PermissionRule rule : permission.getRules()) { |
| if (rule.getGroup() != null) { |
| AccountGroup.UUID uuid = rule.getGroup().getUUID(); |
| if (uuid != null && !infos.containsKey(uuid)) { |
| GroupDescription.Basic group = groupBackend.get(uuid); |
| infos.put(uuid, group != null ? new GroupInfo(group) : null); |
| } |
| } |
| } |
| } |
| } |
| return Maps.filterEntries(infos, in -> in.getValue() != null); |
| } |
| |
| private ProjectState checkProjectState() |
| throws NoSuchProjectException, IOException, PermissionBackendException, |
| ResourceConflictException { |
| ProjectState state = projectCache.checkedGet(projectName); |
| // Hidden projects(permitsRead = false) should only be accessible by the project owners. |
| // READ_CONFIG is checked here because it's only allowed to project owners(ACCESS may also |
| // be allowed for other users). Allowing project owners to access here will help them to view |
| // and update the config of hidden projects easily. |
| ProjectPermission permissionToCheck = |
| state.statePermitsRead() ? ProjectPermission.ACCESS : ProjectPermission.READ_CONFIG; |
| try { |
| permissionBackend.currentUser().project(projectName).check(permissionToCheck); |
| } catch (AuthException e) { |
| throw new NoSuchProjectException(projectName, e); |
| } |
| state.checkStatePermitsRead(); |
| return state; |
| } |
| |
| private static boolean check(PermissionBackend.ForProject ctx, String ref, RefPermission perm) |
| throws PermissionBackendException { |
| try { |
| ctx.ref(ref).check(perm); |
| return true; |
| } catch (AuthException denied) { |
| return false; |
| } |
| } |
| |
| private boolean isAdmin() throws PermissionBackendException { |
| try { |
| permissionBackend.currentUser().check(GlobalPermission.ADMINISTRATE_SERVER); |
| return true; |
| } catch (AuthException e) { |
| return false; |
| } |
| } |
| } |