blob: c1658f969d030e0176719bf5e85b4eb96267056e [file] [log] [blame]
// Copyright (C) 2017 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package com.google.gerrit.server.project;
import static com.google.gerrit.server.project.ProjectCache.noSuchProject;
import com.google.common.flogger.FluentLogger;
import com.google.gerrit.entities.BranchNameKey;
import com.google.gerrit.entities.Project;
import com.google.gerrit.extensions.restapi.AuthException;
import com.google.gerrit.extensions.restapi.ResourceConflictException;
import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.permissions.PermissionBackend;
import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gerrit.server.permissions.RefPermission;
import com.google.gerrit.server.query.change.ChangeData;
import com.google.gerrit.server.update.RetryHelper;
import com.google.inject.Inject;
import com.google.inject.Provider;
import com.google.inject.Singleton;
import java.io.IOException;
import java.util.List;
import java.util.Optional;
import org.eclipse.jgit.lib.Constants;
import org.eclipse.jgit.lib.PersonIdent;
import org.eclipse.jgit.lib.Repository;
import org.eclipse.jgit.revwalk.RevCommit;
import org.eclipse.jgit.revwalk.RevObject;
import org.eclipse.jgit.revwalk.RevTag;
import org.eclipse.jgit.revwalk.RevWalk;
/** Manages access control for creating Git references (aka branches, tags). */
@Singleton
public class CreateRefControl {
private static final FluentLogger logger = FluentLogger.forEnclosingClass();
private final PermissionBackend permissionBackend;
private final ProjectCache projectCache;
private final Reachable reachable;
private final RetryHelper retryHelper;
@Inject
CreateRefControl(
PermissionBackend permissionBackend,
ProjectCache projectCache,
Reachable reachable,
RetryHelper retryHelper) {
this.permissionBackend = permissionBackend;
this.projectCache = projectCache;
this.reachable = reachable;
this.retryHelper = retryHelper;
}
/**
* Checks whether the {@link CurrentUser} can create a new Git ref.
*
* @param user the user performing the operation
* @param repo repository on which user want to create
* @param destBranch the branch the new {@link RevObject} should be created on
* @param object the object the user will start the reference with
* @param sourceBranches the source ref from which the new ref is created from
* @throws AuthException if creation is denied; the message explains the denial.
* @throws PermissionBackendException on failure of permission checks.
* @throws ResourceConflictException if the project state does not permit the operation
*/
public void checkCreateRef(
Provider<? extends CurrentUser> user,
Repository repo,
BranchNameKey destBranch,
RevObject object,
boolean forPush,
BranchNameKey... sourceBranches)
throws AuthException,
PermissionBackendException,
NoSuchProjectException,
IOException,
ResourceConflictException {
ProjectState ps =
projectCache.get(destBranch.project()).orElseThrow(noSuchProject(destBranch.project()));
ps.checkStatePermitsWrite();
PermissionBackend.ForRef perm = permissionBackend.user(user.get()).ref(destBranch);
if (object instanceof RevCommit) {
perm.check(RefPermission.CREATE);
if (sourceBranches.length == 0) {
checkCreateCommit(user, repo, (RevCommit) object, ps.getNameKey(), perm, forPush);
} else {
for (BranchNameKey src : sourceBranches) {
PermissionBackend.ForRef forRef = permissionBackend.user(user.get()).ref(src);
if (forRef.testOrFalse(RefPermission.READ)) {
return;
}
}
AuthException e =
new AuthException(
String.format(
"must have %s on existing ref to create new ref from it",
RefPermission.READ.describeForException()));
e.setAdvice(
String.format(
"use an existing ref visible to you, or get %s permission on the ref",
RefPermission.READ.describeForException()));
throw e;
}
} else if (object instanceof RevTag) {
RevTag tag = (RevTag) object;
try (RevWalk rw = new RevWalk(repo)) {
rw.parseBody(tag);
} catch (IOException e) {
logger.atSevere().withCause(e).log(
"RevWalk(%s) parsing %s:", destBranch.project(), tag.name());
throw e;
}
// If tagger is present, require it matches the user's email.
PersonIdent tagger = tag.getTaggerIdent();
if (tagger != null
&& (!user.get().isIdentifiedUser()
|| !user.get().asIdentifiedUser().hasEmailAddress(tagger.getEmailAddress()))) {
perm.check(RefPermission.FORGE_COMMITTER);
}
RevObject target = tag.getObject();
if (target instanceof RevCommit) {
checkCreateCommit(user, repo, (RevCommit) target, ps.getNameKey(), perm, forPush);
} else {
checkCreateRef(user, repo, destBranch, target, forPush);
}
// If the tag has a PGP signature, allow a lower level of permission
// than if it doesn't have a PGP signature.
PermissionBackend.ForRef forRef = permissionBackend.user(user.get()).ref(destBranch);
if (tag.getRawGpgSignature() != null) {
forRef.check(RefPermission.CREATE_SIGNED_TAG);
} else {
forRef.check(RefPermission.CREATE_TAG);
}
}
}
/**
* Check if the user is allowed to create a new commit object if this creation would introduce a
* new commit to the repository.
*/
private void checkCreateCommit(
Provider<? extends CurrentUser> user,
Repository repo,
RevCommit commit,
Project.NameKey project,
PermissionBackend.ForRef forRef,
boolean forPush)
throws AuthException, PermissionBackendException, IOException {
try {
// If the user has UPDATE (push) permission, they can set the ref to an arbitrary commit:
//
// * if they don't have access, we don't advertise the data, and a conforming git client
// would send the object along with the push as outcome of the negotation.
// * a malicious client could try to send the update without sending the object. This
// is prevented by JGit's ConnectivityChecker (see receive.checkReferencedObjectsAreReachable
// to switch off this costly check).
//
// Thus, when using the git command-line client, we don't need to do extra checks for users
// with push access.
//
// When using the REST API, there is no negotiation, and the target commit must already be on
// the server, so we must check that the user can see that commit.
if (forPush) {
// We can only shortcut for UPDATE permission. Pushing a tag (CREATE_TAG, CREATE_SIGNED_TAG)
// can also introduce new objects. While there may not be a confidentiality problem
// (the caller supplies the data as documented above), the permission is for creating
// tags to existing commits.
forRef.check(RefPermission.UPDATE);
return;
}
} catch (AuthException denied) {
// Fall through to check reachability.
}
if (reachable.fromRefs(
project,
repo,
commit,
repo.getRefDatabase().getRefsByPrefix(Constants.R_HEADS, Constants.R_TAGS),
Optional.of(user.get()))) {
// If the user has no push permissions, check whether the object is
// merged into a branch or tag readable by this user. If so, they are
// not effectively "pushing" more objects, so they can create the ref
// even if they don't have push permission.
return;
}
// Previous check only catches normal branches. Try PatchSet refs too. If we can create refs,
// we're not a replica, so we can always use the change index.
List<ChangeData> changes =
retryHelper
.changeIndexQuery(
"queryChangesByProjectCommitWithLimit1",
q -> q.enforceVisibility(true).setLimit(1).byProjectCommit(project, commit))
.call();
if (!changes.isEmpty()) {
return;
}
AuthException e =
new AuthException(
String.format(
"%s for creating new commit object not permitted",
RefPermission.UPDATE.describeForException()));
e.setAdvice(
String.format(
"use a SHA1 visible to you, or get %s permission on the ref",
RefPermission.UPDATE.describeForException()));
throw e;
}
}