java/com/google/gerrit/server/account/AccountControl.java - gerrit - Git at Google

 // Copyright (C) 2012 The Android Open Source Project
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 // http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 package com.google.gerrit.server.account;

 import static java.util.stream.Collectors.toSet;

 import com.google.common.flogger.FluentLogger;
 import com.google.gerrit.common.UsedAt;
 import com.google.gerrit.entities.Account;
 import com.google.gerrit.entities.AccountGroup;
 import com.google.gerrit.entities.AccountsSection;
 import com.google.gerrit.entities.PermissionRule;
 import com.google.gerrit.exceptions.NoSuchGroupException;
 import com.google.gerrit.extensions.common.AccountVisibility;
 import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.IdentifiedUser;
 import com.google.gerrit.server.group.SystemGroupBackend;
 import com.google.gerrit.server.permissions.GlobalPermission;
 import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.project.ProjectCache;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
 import java.util.Set;

 /** Access control management for one account's access to other accounts. */
 public class AccountControl {
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();

   public static class Factory {
     private final PermissionBackend permissionBackend;
     private final ProjectCache projectCache;
     private final GroupControl.Factory groupControlFactory;
     private final Provider<CurrentUser> user;
     private final IdentifiedUser.GenericFactory userFactory;
     private final AccountVisibility accountVisibility;

     @Inject
     Factory(
         PermissionBackend permissionBackend,
         ProjectCache projectCache,
         GroupControl.Factory groupControlFactory,
         Provider<CurrentUser> user,
         IdentifiedUser.GenericFactory userFactory,
         AccountVisibility accountVisibility) {
       this.permissionBackend = permissionBackend;
       this.projectCache = projectCache;
       this.groupControlFactory = groupControlFactory;
       this.user = user;
       this.userFactory = userFactory;
       this.accountVisibility = accountVisibility;
     }

     /**
      * Creates a {@link AccountControl} instance that checks whether the current user can see other
      * accounts.
      */
     public AccountControl get() {
       return new AccountControl(
           permissionBackend,
           projectCache,
           groupControlFactory,
           user.get(),
           userFactory,
           accountVisibility);
     }

     /**
      * Creates a {@link AccountControl} instance that checks whether the given user can see other
      * accounts.
      */
     @UsedAt(UsedAt.Project.PLUGIN_CODE_OWNERS)
     public AccountControl get(CurrentUser user) {
       return new AccountControl(
           permissionBackend,
           projectCache,
           groupControlFactory,
           user,
           userFactory,
           accountVisibility);
     }
   }

   private final AccountsSection accountsSection;
   private final GroupControl.Factory groupControlFactory;
   private final PermissionBackend.WithUser perm;
   private final CurrentUser user;
   private final IdentifiedUser.GenericFactory userFactory;
   private final AccountVisibility accountVisibility;

   private Boolean viewAll;

   private AccountControl(
       PermissionBackend permissionBackend,
       ProjectCache projectCache,
       GroupControl.Factory groupControlFactory,
       CurrentUser user,
       IdentifiedUser.GenericFactory userFactory,
       AccountVisibility accountVisibility) {
     this.accountsSection = projectCache.getAllProjects().getConfig().getAccountsSection();
     this.groupControlFactory = groupControlFactory;
     this.perm = permissionBackend.user(user);
     this.user = user;
     this.userFactory = userFactory;
     this.accountVisibility = accountVisibility;
   }

   public CurrentUser getUser() {
     return user;
   }

   /**
    * Returns true if the current user is allowed to see the otherUser, based on the account
    * visibility policy. Depending on the group membership realms supported, this may not be able to
    * determine SAME_GROUP or VISIBLE_GROUP correctly (defaulting to not being visible). This is
    * because {@link GroupMembership#getKnownGroups()} may only return a subset of the effective
    * groups.
    */
   public boolean canSee(Account.Id otherUser) {
     return canSee(
         new OtherUser() {
           @Override
           Account.Id getId() {
             return otherUser;
           }

           @Override
           IdentifiedUser createUser() {
             return userFactory.create(otherUser);
           }
         });
   }

   /**
    * Returns true if the current user is allowed to see the otherUser, based on the account
    * visibility policy. Depending on the group membership realms supported, this may not be able to
    * determine SAME_GROUP or VISIBLE_GROUP correctly (defaulting to not being visible). This is
    * because {@link GroupMembership#getKnownGroups()} may only return a subset of the effective
    * groups.
    */
   public boolean canSee(AccountState otherUser) {
     return canSee(
         new OtherUser() {
           @Override
           Account.Id getId() {
             return otherUser.account().id();
           }

           @Override
           IdentifiedUser createUser() {
             return userFactory.create(otherUser);
           }
         });
   }

   private boolean canSee(OtherUser otherUser) {
     if (accountVisibility == AccountVisibility.ALL) {
       logger.atFine().log(
           "user %s can see account %d (accountVisibility = %s)",
           user.getLoggableName(), otherUser.getId().get(), AccountVisibility.ALL);
       return true;
     } else if (user.isIdentifiedUser() && user.getAccountId().equals(otherUser.getId())) {
       // I can always see myself.
       logger.atFine().log(
           "user %s can see own account %d", user.getLoggableName(), otherUser.getId().get());
       return true;
     } else if (canViewAll()) {
       logger.atFine().log(
           "user %s can see account %d (view all accounts = true)",
           user.getLoggableName(), otherUser.getId().get());
       return true;
     }

     switch (accountVisibility) {
       case SAME_GROUP:
         {
           Set<AccountGroup.UUID> usersGroups = groupsOf(otherUser.getUser());
           for (PermissionRule rule : accountsSection.getSameGroupVisibility()) {
             if (rule.isBlock() || rule.isDeny()) {
               logger.atFine().log(
                   "ignoring group %s of user %s for %s account visibility check"
                       + " because there is a blocked/denied sameGroupVisibility rule: %s",
                   rule.getGroup().getUUID(),
                   otherUser.getUser().getLoggableName(),
                   AccountVisibility.SAME_GROUP,
                   rule);
               usersGroups.remove(rule.getGroup().getUUID());
             }
           }

           if (user.getEffectiveGroups().containsAnyOf(usersGroups)) {
             logger.atFine().log(
                 "user %s can see account %d because they share a group (accountVisibility = %s)",
                 user.getLoggableName(), otherUser.getId().get(), AccountVisibility.SAME_GROUP);
             return true;
           }

           logger.atFine().log(
               "user %s cannot see account %d because they don't share a group"
                   + " (accountVisibility = %s)",
               user.getLoggableName(), otherUser.getId().get(), AccountVisibility.SAME_GROUP);
           logger.atFine().log("groups of user %s: %s", user.getLoggableName(), groupsOf(user));
           logger.atFine().log(
               "groups of other user %s: %s", otherUser.getUser().getLoggableName(), usersGroups);
           return false;
         }
       case VISIBLE_GROUP:
         {
           Set<AccountGroup.UUID> usersGroups = groupsOf(otherUser.getUser());
           for (AccountGroup.UUID usersGroup : usersGroups) {
             try {
               if (groupControlFactory.controlFor(usersGroup).isVisible()) {
                 logger.atFine().log(
                     "user %s can see account %d because it is member of the visible group %s"
                         + " (accountVisibility = %s)",
                     user.getLoggableName(),
                     otherUser.getId().get(),
                     usersGroup.get(),
                     AccountVisibility.VISIBLE_GROUP);
                 return true;
               }
             } catch (NoSuchGroupException e) {
               continue;
             }
           }

           logger.atFine().log(
               "user %s cannot see account %d because none of its groups are visible"
                   + " (accountVisibility = %s)",
               user.getLoggableName(), otherUser.getId().get(), AccountVisibility.VISIBLE_GROUP);
           logger.atFine().log(
               "groups of other user %s: %s", otherUser.getUser().getLoggableName(), usersGroups);
           return false;
         }
       case NONE:
         logger.atFine().log(
             "user %s cannot see account %d (accountVisibility = %s)",
             user.getLoggableName(), otherUser.getId().get(), AccountVisibility.NONE);
         return false;
       case ALL:
       default:
         throw new IllegalStateException("Bad AccountVisibility " + accountVisibility);
     }
   }

   public boolean canViewAll() {
     if (viewAll == null) {
       try {
         viewAll = perm.test(GlobalPermission.VIEW_ALL_ACCOUNTS);
       } catch (PermissionBackendException e) {
         logger.atFine().withCause(e).log(
             "Failed to check %s global capability for user %s",
             GlobalPermission.VIEW_ALL_ACCOUNTS, user.getLoggableName());
         viewAll = false;
       }
     }
     return viewAll;
   }

   private Set<AccountGroup.UUID> groupsOf(CurrentUser user) {
     return user.getEffectiveGroups().getKnownGroups().stream()
         .filter(a -> !SystemGroupBackend.isSystemGroup(a))
         .collect(toSet());
   }

   private abstract static class OtherUser {
     IdentifiedUser user;

     IdentifiedUser getUser() {
       if (user == null) {
         user = createUser();
       }
       return user;
     }

     abstract IdentifiedUser createUser();

     abstract Account.Id getId();
   }
 }
	// Copyright (C) 2012 The Android Open Source Project
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	package com.google.gerrit.server.account;

	import static java.util.stream.Collectors.toSet;

	import com.google.common.flogger.FluentLogger;
	import com.google.gerrit.common.UsedAt;
	import com.google.gerrit.entities.Account;
	import com.google.gerrit.entities.AccountGroup;
	import com.google.gerrit.entities.AccountsSection;
	import com.google.gerrit.entities.PermissionRule;
	import com.google.gerrit.exceptions.NoSuchGroupException;
	import com.google.gerrit.extensions.common.AccountVisibility;
	import com.google.gerrit.server.CurrentUser;
	import com.google.gerrit.server.IdentifiedUser;
	import com.google.gerrit.server.group.SystemGroupBackend;
	import com.google.gerrit.server.permissions.GlobalPermission;
	import com.google.gerrit.server.permissions.PermissionBackend;
	import com.google.gerrit.server.permissions.PermissionBackendException;
	import com.google.gerrit.server.project.ProjectCache;
	import com.google.inject.Inject;
	import com.google.inject.Provider;
	import java.util.Set;

	/** Access control management for one account's access to other accounts. */
	public class AccountControl {
	private static final FluentLogger logger = FluentLogger.forEnclosingClass();

	public static class Factory {
	private final PermissionBackend permissionBackend;
	private final ProjectCache projectCache;
	private final GroupControl.Factory groupControlFactory;
	private final Provider<CurrentUser> user;
	private final IdentifiedUser.GenericFactory userFactory;
	private final AccountVisibility accountVisibility;

	@Inject
	Factory(
	PermissionBackend permissionBackend,
	ProjectCache projectCache,
	GroupControl.Factory groupControlFactory,
	Provider<CurrentUser> user,
	IdentifiedUser.GenericFactory userFactory,
	AccountVisibility accountVisibility) {
	this.permissionBackend = permissionBackend;
	this.projectCache = projectCache;
	this.groupControlFactory = groupControlFactory;
	this.user = user;
	this.userFactory = userFactory;
	this.accountVisibility = accountVisibility;
	}

	/**
	* Creates a {@link AccountControl} instance that checks whether the current user can see other
	* accounts.
	*/
	public AccountControl get() {
	return new AccountControl(
	permissionBackend,
	projectCache,
	groupControlFactory,
	user.get(),
	userFactory,
	accountVisibility);
	}

	/**
	* Creates a {@link AccountControl} instance that checks whether the given user can see other
	* accounts.
	*/
	@UsedAt(UsedAt.Project.PLUGIN_CODE_OWNERS)
	public AccountControl get(CurrentUser user) {
	return new AccountControl(
	permissionBackend,
	projectCache,
	groupControlFactory,
	user,
	userFactory,
	accountVisibility);
	}
	}

	private final AccountsSection accountsSection;
	private final GroupControl.Factory groupControlFactory;
	private final PermissionBackend.WithUser perm;
	private final CurrentUser user;
	private final IdentifiedUser.GenericFactory userFactory;
	private final AccountVisibility accountVisibility;

	private Boolean viewAll;

	private AccountControl(
	PermissionBackend permissionBackend,
	ProjectCache projectCache,
	GroupControl.Factory groupControlFactory,
	CurrentUser user,
	IdentifiedUser.GenericFactory userFactory,
	AccountVisibility accountVisibility) {
	this.accountsSection = projectCache.getAllProjects().getConfig().getAccountsSection();
	this.groupControlFactory = groupControlFactory;
	this.perm = permissionBackend.user(user);
	this.user = user;
	this.userFactory = userFactory;
	this.accountVisibility = accountVisibility;
	}

	public CurrentUser getUser() {
	return user;
	}

	/**
	* Returns true if the current user is allowed to see the otherUser, based on the account
	* visibility policy. Depending on the group membership realms supported, this may not be able to
	* determine SAME_GROUP or VISIBLE_GROUP correctly (defaulting to not being visible). This is
	* because {@link GroupMembership#getKnownGroups()} may only return a subset of the effective
	* groups.
	*/
	public boolean canSee(Account.Id otherUser) {
	return canSee(
	new OtherUser() {
	@Override
	Account.Id getId() {
	return otherUser;
	}

	@Override
	IdentifiedUser createUser() {
	return userFactory.create(otherUser);
	}
	});
	}

	/**
	* Returns true if the current user is allowed to see the otherUser, based on the account
	* visibility policy. Depending on the group membership realms supported, this may not be able to
	* determine SAME_GROUP or VISIBLE_GROUP correctly (defaulting to not being visible). This is
	* because {@link GroupMembership#getKnownGroups()} may only return a subset of the effective
	* groups.
	*/
	public boolean canSee(AccountState otherUser) {
	return canSee(
	new OtherUser() {
	@Override
	Account.Id getId() {
	return otherUser.account().id();
	}

	@Override
	IdentifiedUser createUser() {
	return userFactory.create(otherUser);
	}
	});
	}

	private boolean canSee(OtherUser otherUser) {
	if (accountVisibility == AccountVisibility.ALL) {
	logger.atFine().log(
	"user %s can see account %d (accountVisibility = %s)",
	user.getLoggableName(), otherUser.getId().get(), AccountVisibility.ALL);
	return true;
	} else if (user.isIdentifiedUser() && user.getAccountId().equals(otherUser.getId())) {
	// I can always see myself.
	logger.atFine().log(
	"user %s can see own account %d", user.getLoggableName(), otherUser.getId().get());
	return true;
	} else if (canViewAll()) {
	logger.atFine().log(
	"user %s can see account %d (view all accounts = true)",
	user.getLoggableName(), otherUser.getId().get());
	return true;
	}

	switch (accountVisibility) {
	case SAME_GROUP:
	{
	Set<AccountGroup.UUID> usersGroups = groupsOf(otherUser.getUser());
	for (PermissionRule rule : accountsSection.getSameGroupVisibility()) {
	if (rule.isBlock() \|\| rule.isDeny()) {
	logger.atFine().log(
	"ignoring group %s of user %s for %s account visibility check"
	+ " because there is a blocked/denied sameGroupVisibility rule: %s",
	rule.getGroup().getUUID(),
	otherUser.getUser().getLoggableName(),
	AccountVisibility.SAME_GROUP,
	rule);
	usersGroups.remove(rule.getGroup().getUUID());
	}
	}

	if (user.getEffectiveGroups().containsAnyOf(usersGroups)) {
	logger.atFine().log(
	"user %s can see account %d because they share a group (accountVisibility = %s)",
	user.getLoggableName(), otherUser.getId().get(), AccountVisibility.SAME_GROUP);
	return true;
	}

	logger.atFine().log(
	"user %s cannot see account %d because they don't share a group"
	+ " (accountVisibility = %s)",
	user.getLoggableName(), otherUser.getId().get(), AccountVisibility.SAME_GROUP);
	logger.atFine().log("groups of user %s: %s", user.getLoggableName(), groupsOf(user));
	logger.atFine().log(
	"groups of other user %s: %s", otherUser.getUser().getLoggableName(), usersGroups);
	return false;
	}
	case VISIBLE_GROUP:
	{
	Set<AccountGroup.UUID> usersGroups = groupsOf(otherUser.getUser());
	for (AccountGroup.UUID usersGroup : usersGroups) {
	try {
	if (groupControlFactory.controlFor(usersGroup).isVisible()) {
	logger.atFine().log(
	"user %s can see account %d because it is member of the visible group %s"
	+ " (accountVisibility = %s)",
	user.getLoggableName(),
	otherUser.getId().get(),
	usersGroup.get(),
	AccountVisibility.VISIBLE_GROUP);
	return true;
	}
	} catch (NoSuchGroupException e) {
	continue;
	}
	}

	logger.atFine().log(
	"user %s cannot see account %d because none of its groups are visible"
	+ " (accountVisibility = %s)",
	user.getLoggableName(), otherUser.getId().get(), AccountVisibility.VISIBLE_GROUP);
	logger.atFine().log(
	"groups of other user %s: %s", otherUser.getUser().getLoggableName(), usersGroups);
	return false;
	}
	case NONE:
	logger.atFine().log(
	"user %s cannot see account %d (accountVisibility = %s)",
	user.getLoggableName(), otherUser.getId().get(), AccountVisibility.NONE);
	return false;
	case ALL:
	default:
	throw new IllegalStateException("Bad AccountVisibility " + accountVisibility);
	}
	}

	public boolean canViewAll() {
	if (viewAll == null) {
	try {
	viewAll = perm.test(GlobalPermission.VIEW_ALL_ACCOUNTS);
	} catch (PermissionBackendException e) {
	logger.atFine().withCause(e).log(
	"Failed to check %s global capability for user %s",
	GlobalPermission.VIEW_ALL_ACCOUNTS, user.getLoggableName());
	viewAll = false;
	}
	}
	return viewAll;
	}

	private Set<AccountGroup.UUID> groupsOf(CurrentUser user) {
	return user.getEffectiveGroups().getKnownGroups().stream()
	.filter(a -> !SystemGroupBackend.isSystemGroup(a))
	.collect(toSet());
	}

	private abstract static class OtherUser {
	IdentifiedUser user;

	IdentifiedUser getUser() {
	if (user == null) {
	user = createUser();
	}
	return user;
	}

	abstract IdentifiedUser createUser();

	abstract Account.Id getId();
	}
	}