Google Git
Sign in
gerrit / gerrit / bf4dbe6619477e4528caebe503eed1c3cf4b29e1 / . / java / com / google / gerrit / server / permissions / PermissionCollection.java
blob: f3da9c5e7bb63d20b3d63296eb4262947cf5ab88 [file] [log] [blame]
// Copyright (C) 2011 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package com.google.gerrit.server.permissions;
import static com.google.common.base.MoreObjects.firstNonNull;
import static com.google.gerrit.server.project.RefPattern.isRE;
import com.google.auto.value.AutoValue;
import com.google.common.collect.ListMultimap;
import com.google.common.collect.Lists;
import com.google.common.collect.Maps;
import com.google.common.collect.MultimapBuilder;
import com.google.gerrit.common.Nullable;
import com.google.gerrit.common.data.AccessSection;
import com.google.gerrit.common.data.Permission;
import com.google.gerrit.common.data.PermissionRule;
import com.google.gerrit.reviewdb.client.AccountGroup;
import com.google.gerrit.reviewdb.client.Project;
import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.project.RefPattern;
import com.google.gerrit.server.project.RefPatternMatcher.ExpandParameters;
import com.google.gerrit.server.project.SectionMatcher;
import com.google.inject.Inject;
import com.google.inject.Singleton;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
/**
* Effective permissions applied to a reference in a project.
*
* <p>A collection may be user specific if a matching {@link AccessSection} uses "${username}" in
* its name. The permissions granted in that section may only be granted to the username that
* appears in the reference name, and also only if the user is a member of the relevant group.
*/
public class PermissionCollection {
@Singleton
public static class Factory {
private final SectionSortCache sorter;
@Inject
Factory(SectionSortCache sorter) {
this.sorter = sorter;
}
/**
* Drop the SectionMatchers that don't apply to the current ref. The user is only used for
* expanding per-user ref patterns, and not for checking group memberships.
*
* @param matcherList the input sections.
* @param ref the ref name for which to filter.
* @param user Only used for expanding per-user ref patterns.
* @param out the filtered sections.
* @return true if the result is only valid for this user.
*/
private static boolean filterRefMatchingSections(
Iterable<SectionMatcher> matcherList,
String ref,
CurrentUser user,
Map<AccessSection, Project.NameKey> out) {
boolean perUser = false;
for (SectionMatcher sm : matcherList) {
// If the matcher has to expand parameters and its prefix matches the
// reference there is a very good chance the reference is actually user
// specific, even if the matcher does not match the reference. Since its
// difficult to prove this is true all of the time, use an approximation
// to prevent reuse of collections across users accessing the same
// reference at the same time.
//
// This check usually gets caching right, as most per-user references
// use a common prefix like "refs/sandbox/" or "refs/heads/users/"
// that will never be shared with non-user references, and the per-user
// references are usually less frequent than the non-user references.
if (sm.getMatcher() instanceof ExpandParameters) {
if (!((ExpandParameters) sm.getMatcher()).matchPrefix(ref)) {
continue;
}
perUser = true;
if (sm.match(ref, user)) {
out.put(sm.getSection(), sm.getProject());
}
} else if (sm.match(ref, null)) {
out.put(sm.getSection(), sm.getProject());
}
}
return perUser;
}
/**
* Get all permissions that apply to a reference. The user is only used for per-user ref names,
* so the return value may include permissions for groups the user is not part of.
*
* @param matcherList collection of sections that should be considered, in priority order
* (project specific definitions must appear before inherited ones).
* @param ref reference being accessed.
* @param user if the reference is a per-user reference, e.g. access sections using the
* parameter variable "${username}" will have each username inserted into them to see if
* they apply to the reference named by {@code ref}.
* @return map of permissions that apply to this reference, keyed by permission name.
*/
PermissionCollection filter(
Iterable<SectionMatcher> matcherList, String ref, CurrentUser user) {
if (isRE(ref)) {
ref = RefPattern.shortestExample(ref);
} else if (ref.endsWith("/*")) {
ref = ref.substring(0, ref.length() - 1);
}
// LinkedHashMap to maintain input ordering.
Map<AccessSection, Project.NameKey> sectionToProject = new LinkedHashMap<>();
boolean perUser = filterRefMatchingSections(matcherList, ref, user, sectionToProject);
List<AccessSection> sections = Lists.newArrayList(sectionToProject.keySet());
// Sort by ref pattern specificity. For equally specific patterns, the sections from the
// project closer to the current one come first.
sorter.sort(ref, sections);
Set<SeenRule> seen = new HashSet<>();
Set<String> exclusiveGroupPermissions = new HashSet<>();
HashMap<String, List<PermissionRule>> permissions = new HashMap<>();
HashMap<String, List<PermissionRule>> overridden = new HashMap<>();
Map<PermissionRule, ProjectRef> ruleProps = Maps.newIdentityHashMap();
ListMultimap<Project.NameKey, String> exclusivePermissionsByProject =
MultimapBuilder.hashKeys().arrayListValues().build();
for (AccessSection section : sections) {
Project.NameKey project = sectionToProject.get(section);
for (Permission permission : section.getPermissions()) {
boolean exclusivePermissionExists =
exclusiveGroupPermissions.contains(permission.getName());
for (PermissionRule rule : permission.getRules()) {
SeenRule s = SeenRule.create(section, permission, rule);
boolean addRule;
if (rule.isBlock()) {
addRule = !exclusivePermissionsByProject.containsEntry(project, permission.getName());
} else {
addRule = seen.add(s) && !rule.isDeny() && !exclusivePermissionExists;
}
HashMap<String, List<PermissionRule>> p = null;
if (addRule) {
p = permissions;
} else if (!rule.isDeny() && !exclusivePermissionExists) {
p = overridden;
}
if (p != null) {
List<PermissionRule> r = p.get(permission.getName());
if (r == null) {
r = new ArrayList<>(2);
p.put(permission.getName(), r);
}
r.add(rule);
ruleProps.put(rule, ProjectRef.create(project, section.getName()));
}
}
if (permission.getExclusiveGroup()) {
exclusivePermissionsByProject.put(project, permission.getName());
exclusiveGroupPermissions.add(permission.getName());
}
}
}
return new PermissionCollection(permissions, overridden, ruleProps, perUser);
}
}
private final Map<String, List<PermissionRule>> rules;
private final Map<String, List<PermissionRule>> overridden;
private final Map<PermissionRule, ProjectRef> ruleProps;
private final boolean perUser;
private PermissionCollection(
Map<String, List<PermissionRule>> rules,
Map<String, List<PermissionRule>> overridden,
Map<PermissionRule, ProjectRef> ruleProps,
boolean perUser) {
this.rules = rules;
this.overridden = overridden;
this.ruleProps = ruleProps;
this.perUser = perUser;
}
/**
* @return true if a "${username}" pattern might need to be expanded to build this collection,
* making the results user specific.
*/
public boolean isUserSpecific() {
return perUser;
}
/**
* Obtain all permission rules for a given type of permission.
*
* @param permissionName type of permission.
* @return all rules that apply to this reference, for any group. Never null; the empty list is
* returned when there are no rules for the requested permission name.
*/
public List<PermissionRule> getPermission(String permissionName) {
List<PermissionRule> r = rules.get(permissionName);
return r != null ? r : Collections.<PermissionRule>emptyList();
}
List<PermissionRule> getOverridden(String permissionName) {
return firstNonNull(overridden.get(permissionName), Collections.<PermissionRule>emptyList());
}
ProjectRef getRuleProps(PermissionRule rule) {
return ruleProps.get(rule);
}
/**
* Obtain all declared permission rules that match the reference.
*
* @return all rules. The collection will iterate a permission if it was declared in the project
* configuration, either directly or inherited. If the project owner did not use a known
* permission (for example {@link Permission#FORGE_SERVER}, then it will not be represented in
* the result even if {@link #getPermission(String)} returns an empty list for the same
* permission.
*/
public Iterable<Map.Entry<String, List<PermissionRule>>> getDeclaredPermissions() {
return rules.entrySet();
}
/** (ref, permission, group) tuple. */
@AutoValue
abstract static class SeenRule {
public abstract String refPattern();
public abstract String permissionName();
@Nullable
public abstract AccountGroup.UUID group();
static SeenRule create(
AccessSection section, Permission permission, @Nullable PermissionRule rule) {
AccountGroup.UUID group =
rule != null && rule.getGroup() != null ? rule.getGroup().getUUID() : null;
return new AutoValue_PermissionCollection_SeenRule(
section.getName(), permission.getName(), group);
}
}
}