Google Git
Sign in
gerrit / gerrit / 565efcb7afecb85de0c04e2926d4bf7c255b13ce / . / java / com / google / gerrit / server / schema / AllUsersCreator.java
blob: 3779d0d5484b5c26dd13a25afa62e13f2490cf49 [file] [log] [blame]
// Copyright (C) 2014 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package com.google.gerrit.server.schema;
import static com.google.common.base.Preconditions.checkArgument;
import static com.google.gerrit.server.group.SystemGroupBackend.REGISTERED_USERS;
import static com.google.gerrit.server.schema.AclUtil.grant;
import static com.google.gerrit.server.schema.AllProjectsCreator.getDefaultCodeReviewLabel;
import com.google.gerrit.common.Nullable;
import com.google.gerrit.common.Version;
import com.google.gerrit.common.data.AccessSection;
import com.google.gerrit.common.data.GroupReference;
import com.google.gerrit.common.data.LabelType;
import com.google.gerrit.common.data.Permission;
import com.google.gerrit.reviewdb.client.Project;
import com.google.gerrit.reviewdb.client.RefNames;
import com.google.gerrit.server.GerritPersonIdent;
import com.google.gerrit.server.UsedAt;
import com.google.gerrit.server.config.AllUsersName;
import com.google.gerrit.server.extensions.events.GitReferenceUpdated;
import com.google.gerrit.server.git.GitRepositoryManager;
import com.google.gerrit.server.git.meta.MetaDataUpdate;
import com.google.gerrit.server.group.SystemGroupBackend;
import com.google.gerrit.server.project.ProjectConfig;
import com.google.gerrit.server.project.RefPattern;
import com.google.inject.Inject;
import java.io.IOException;
import org.eclipse.jgit.errors.ConfigInvalidException;
import org.eclipse.jgit.errors.RepositoryNotFoundException;
import org.eclipse.jgit.lib.Constants;
import org.eclipse.jgit.lib.PersonIdent;
import org.eclipse.jgit.lib.RefUpdate;
import org.eclipse.jgit.lib.Repository;
/** Creates the {@code All-Users} repository. */
public class AllUsersCreator {
private final GitRepositoryManager mgr;
private final AllUsersName allUsersName;
private final PersonIdent serverUser;
private final GroupReference registered;
@Nullable private GroupReference admin;
private LabelType codeReviewLabel;
@Inject
AllUsersCreator(
GitRepositoryManager mgr,
AllUsersName allUsersName,
SystemGroupBackend systemGroupBackend,
@GerritPersonIdent PersonIdent serverUser) {
this.mgr = mgr;
this.allUsersName = allUsersName;
this.serverUser = serverUser;
this.registered = systemGroupBackend.getGroup(REGISTERED_USERS);
this.codeReviewLabel = getDefaultCodeReviewLabel();
}
/**
* If setAdministrators() is called, grant the given administrator group permissions on the
* default user.
*/
public AllUsersCreator setAdministrators(GroupReference admin) {
this.admin = admin;
return this;
}
/** If called, the provided "Code-Review" label will be used rather than the default. */
@UsedAt(UsedAt.Project.GOOGLE)
public AllUsersCreator setCodeReviewLabel(LabelType labelType) {
checkArgument(
labelType.getName().equals("Code-Review"), "label should have 'Code-Review' as its name");
this.codeReviewLabel = labelType;
return this;
}
public void create() throws IOException, ConfigInvalidException {
try (Repository git = mgr.openRepository(allUsersName)) {
initAllUsers(git);
} catch (RepositoryNotFoundException notFound) {
try (Repository git = mgr.createRepository(allUsersName)) {
initAllUsers(git);
RefUpdate u = git.updateRef(Constants.HEAD);
u.link(RefNames.REFS_CONFIG);
} catch (RepositoryNotFoundException err) {
String name = allUsersName.get();
throw new IOException("Cannot create repository " + name, err);
}
}
}
private void initAllUsers(Repository git) throws IOException, ConfigInvalidException {
try (MetaDataUpdate md = new MetaDataUpdate(GitReferenceUpdated.DISABLED, allUsersName, git)) {
md.getCommitBuilder().setAuthor(serverUser);
md.getCommitBuilder().setCommitter(serverUser);
md.setMessage("Initialized Gerrit Code Review " + Version.getVersion());
ProjectConfig config = ProjectConfig.read(md);
Project project = config.getProject();
project.setDescription("Individual user settings and preferences.");
AccessSection users =
config.getAccessSection(
RefNames.REFS_USERS + "${" + RefPattern.USERID_SHARDED + "}", true);
// Initialize "Code-Review" label.
config.getLabelSections().put(codeReviewLabel.getName(), codeReviewLabel);
grant(config, users, Permission.READ, false, true, registered);
grant(config, users, Permission.PUSH, false, true, registered);
grant(config, users, Permission.SUBMIT, false, true, registered);
grant(config, users, codeReviewLabel, -2, 2, true, registered);
if (admin != null) {
AccessSection defaults = config.getAccessSection(RefNames.REFS_USERS_DEFAULT, true);
defaults.getPermission(Permission.READ, true).setExclusiveGroup(true);
grant(config, defaults, Permission.READ, admin);
defaults.getPermission(Permission.PUSH, true).setExclusiveGroup(true);
grant(config, defaults, Permission.PUSH, admin);
defaults.getPermission(Permission.CREATE, true).setExclusiveGroup(true);
grant(config, defaults, Permission.CREATE, admin);
}
// Grant read permissions on the group branches to all users.
// This allows group owners to see the group refs. VisibleRefFilter ensures that read
// permissions for non-group-owners are ignored.
AccessSection groups = config.getAccessSection(RefNames.REFS_GROUPS + "*", true);
grant(config, groups, Permission.READ, false, true, registered);
config.commit(md);
}
}
}