blob: 677ee18587f23eddbd9b4723a2eab8f0d5642027 [file] [log] [blame]
// Copyright (C) 2017 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package com.google.gerrit.server.permissions;
import static com.google.gerrit.server.permissions.DefaultPermissionMappings.globalPermissionName;
import static com.google.gerrit.server.project.ProjectCache.illegalState;
import static java.util.Objects.requireNonNull;
import static java.util.stream.Collectors.toSet;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.Sets;
import com.google.common.flogger.FluentLogger;
import com.google.gerrit.entities.Account;
import com.google.gerrit.entities.AccountGroup;
import com.google.gerrit.entities.PermissionRule;
import com.google.gerrit.entities.PermissionRule.Action;
import com.google.gerrit.entities.Project;
import com.google.gerrit.extensions.api.access.GlobalOrPluginPermission;
import com.google.gerrit.extensions.api.access.PluginPermission;
import com.google.gerrit.extensions.conditions.BooleanCondition;
import com.google.gerrit.extensions.restapi.AuthException;
import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.IdentifiedUser;
import com.google.gerrit.server.PeerDaemonUser;
import com.google.gerrit.server.account.CapabilityCollection;
import com.google.gerrit.server.cache.PerThreadCache;
import com.google.gerrit.server.cache.PerThreadProjectCache;
import com.google.gerrit.server.project.ProjectCache;
import com.google.inject.Inject;
import com.google.inject.Provider;
import com.google.inject.Singleton;
import java.util.Collection;
import java.util.Optional;
import java.util.Set;
@Singleton
public class DefaultPermissionBackend extends PermissionBackend {
private static final FluentLogger logger = FluentLogger.forEnclosingClass();
private final Provider<CurrentUser> currentUser;
private final ProjectCache projectCache;
private final ProjectControl.Factory projectControlFactory;
private final IdentifiedUser.GenericFactory identifiedUserFactory;
@Inject
DefaultPermissionBackend(
Provider<CurrentUser> currentUser,
ProjectCache projectCache,
ProjectControl.Factory projectControlFactory,
IdentifiedUser.GenericFactory identifiedUserFactory) {
this.currentUser = currentUser;
this.projectCache = projectCache;
this.projectControlFactory = projectControlFactory;
this.identifiedUserFactory = identifiedUserFactory;
}
private CapabilityCollection capabilities() {
return projectCache.getAllProjects().getCapabilityCollection();
}
@Override
public WithUser currentUser() {
return new WithUserImpl(currentUser.get());
}
@Override
public WithUser user(CurrentUser user) {
return new WithUserImpl(requireNonNull(user, "user"));
}
@Override
public WithUser absentUser(Account.Id id) {
requireNonNull(id, "user");
Optional<Account.Id> user = getAccountIdOfIdentifiedUser();
if (user.isPresent() && id.equals(user.get())) {
// What looked liked an absent user is actually the current caller. Use the per-request
// singleton IdentifiedUser instead of constructing a new object to leverage caching in member
// variables of IdentifiedUser.
return new WithUserImpl(currentUser.get().asIdentifiedUser());
}
return new WithUserImpl(identifiedUserFactory.create(requireNonNull(id, "user")));
}
@Override
public boolean usesDefaultCapabilities() {
return true;
}
/**
* Returns the {@link com.google.gerrit.entities.Account.Id} of the current user if a user is
* signed in. Catches exceptions so that background jobs don't get impacted.
*/
private Optional<Account.Id> getAccountIdOfIdentifiedUser() {
try {
return currentUser.get().isIdentifiedUser()
? Optional.of(currentUser.get().getAccountId())
: Optional.empty();
} catch (Exception e) {
logger.atFine().withCause(e).log("Unable to get current user");
return Optional.empty();
}
}
class WithUserImpl extends WithUser {
private final CurrentUser user;
private Boolean admin;
WithUserImpl(CurrentUser user) {
this.user = requireNonNull(user, "user");
}
@Override
public ForProject project(Project.NameKey project) {
try {
ProjectControl control =
PerThreadProjectCache.getOrCompute(
PerThreadCache.Key.create(Project.NameKey.class, project, user.getCacheKey()),
() ->
projectControlFactory.create(
user, projectCache.get(project).orElseThrow(illegalState(project))));
return control.asForProject();
} catch (Exception e) {
Throwable cause = e.getCause() != null ? e.getCause() : e;
return FailedPermissionBackend.project(
"project '" + project.get() + "' is unavailable", cause);
}
}
@Override
public void check(GlobalOrPluginPermission perm)
throws AuthException, PermissionBackendException {
if (!can(perm)) {
throw new AuthException(perm.describeForException() + " not permitted");
}
}
@Override
public <T extends GlobalOrPluginPermission> Set<T> test(Collection<T> permSet)
throws PermissionBackendException {
Set<T> ok = Sets.newHashSetWithExpectedSize(permSet.size());
for (T perm : permSet) {
if (can(perm)) {
ok.add(perm);
}
}
return ok;
}
@Override
public BooleanCondition testCond(GlobalOrPluginPermission perm) {
return new PermissionBackendCondition.WithUser(this, perm, user);
}
private boolean can(GlobalOrPluginPermission perm) throws PermissionBackendException {
if (perm instanceof GlobalPermission) {
return can((GlobalPermission) perm);
} else if (perm instanceof PluginPermission) {
PluginPermission pluginPermission = (PluginPermission) perm;
return has(DefaultPermissionMappings.pluginCapabilityName(pluginPermission))
|| (pluginPermission.fallBackToAdmin() && isAdmin());
}
throw new PermissionBackendException(perm + " unsupported");
}
private boolean can(GlobalPermission perm) throws PermissionBackendException {
switch (perm) {
case ADMINISTRATE_SERVER:
return isAdmin();
case EMAIL_REVIEWERS:
return canEmailReviewers();
case FLUSH_CACHES:
case KILL_TASK:
case RUN_GC:
case VIEW_CACHES:
case VIEW_QUEUE:
return has(globalPermissionName(perm)) || can(GlobalPermission.MAINTAIN_SERVER);
case CREATE_ACCOUNT:
case CREATE_GROUP:
case CREATE_PROJECT:
case MAINTAIN_SERVER:
case MODIFY_ACCOUNT:
case READ_AS:
case STREAM_EVENTS:
case VIEW_ACCESS:
case VIEW_ALL_ACCOUNTS:
case VIEW_CONNECTIONS:
case VIEW_PLUGINS:
return has(globalPermissionName(perm)) || isAdmin();
case VIEW_SECONDARY_EMAILS:
return has(globalPermissionName(perm))
|| has(globalPermissionName(GlobalPermission.MODIFY_ACCOUNT))
|| isAdmin();
case ACCESS_DATABASE:
case RUN_AS:
return has(globalPermissionName(perm));
}
throw new PermissionBackendException(perm + " unsupported");
}
private boolean isAdmin() {
if (admin == null) {
admin = computeAdmin();
if (admin) {
logger.atFinest().log(
"user %s is an administrator of the server", user.getLoggableName());
} else {
logger.atFinest().log(
"user %s is not an administrator of the server", user.getLoggableName());
}
}
return admin;
}
private Boolean computeAdmin() {
if (user.isImpersonating()) {
return false;
}
if (user instanceof PeerDaemonUser) {
return true;
}
return allow(capabilities().administrateServer);
}
private boolean canEmailReviewers() {
ImmutableList<PermissionRule> email = capabilities().emailReviewers;
if (allow(email)) {
logger.atFinest().log(
"user %s can email reviewers (allowed by %s)", user.getLoggableName(), email);
return true;
}
if (notDenied(email)) {
logger.atFinest().log(
"user %s can email reviewers (not denied by %s)", user.getLoggableName(), email);
return true;
}
logger.atFinest().log("user %s cannot email reviewers", user.getLoggableName());
return false;
}
private boolean has(String permissionName) {
boolean has = allow(capabilities().getPermission(requireNonNull(permissionName)));
if (has) {
logger.atFinest().log(
"user %s has global capability %s", user.getLoggableName(), permissionName);
} else {
logger.atFinest().log(
"user %s doesn't have global capability %s", user.getLoggableName(), permissionName);
}
return has;
}
private boolean allow(Collection<PermissionRule> rules) {
return user.getEffectiveGroups()
.containsAnyOf(
rules.stream()
.filter(r -> r.getAction() == Action.ALLOW)
.map(r -> r.getGroup().getUUID())
.collect(toSet()));
}
private boolean notDenied(Collection<PermissionRule> rules) {
Set<AccountGroup.UUID> denied =
rules.stream()
.filter(r -> r.getAction() != Action.ALLOW)
.map(r -> r.getGroup().getUUID())
.collect(toSet());
return denied.isEmpty() || !user.getEffectiveGroups().containsAnyOf(denied);
}
}
}