blob: c80059b965bd764e5d0bd83e05594d1378f96716 [file] [log] [blame]
// Copyright (C) 2012 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package com.google.gerrit.server.account;
import static java.util.stream.Collectors.toSet;
import com.google.common.flogger.FluentLogger;
import com.google.gerrit.common.UsedAt;
import com.google.gerrit.entities.Account;
import com.google.gerrit.entities.AccountGroup;
import com.google.gerrit.entities.AccountsSection;
import com.google.gerrit.entities.PermissionRule;
import com.google.gerrit.exceptions.NoSuchGroupException;
import com.google.gerrit.extensions.common.AccountVisibility;
import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.IdentifiedUser;
import com.google.gerrit.server.group.SystemGroupBackend;
import com.google.gerrit.server.permissions.GlobalPermission;
import com.google.gerrit.server.permissions.PermissionBackend;
import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gerrit.server.project.ProjectCache;
import com.google.inject.Inject;
import com.google.inject.Provider;
import java.util.Set;
/** Access control management for one account's access to other accounts. */
public class AccountControl {
private static final FluentLogger logger = FluentLogger.forEnclosingClass();
public static class Factory {
private final PermissionBackend permissionBackend;
private final ProjectCache projectCache;
private final GroupControl.Factory groupControlFactory;
private final Provider<CurrentUser> user;
private final IdentifiedUser.GenericFactory userFactory;
private final AccountVisibility accountVisibility;
@Inject
Factory(
PermissionBackend permissionBackend,
ProjectCache projectCache,
GroupControl.Factory groupControlFactory,
Provider<CurrentUser> user,
IdentifiedUser.GenericFactory userFactory,
AccountVisibility accountVisibility) {
this.permissionBackend = permissionBackend;
this.projectCache = projectCache;
this.groupControlFactory = groupControlFactory;
this.user = user;
this.userFactory = userFactory;
this.accountVisibility = accountVisibility;
}
/**
* Creates a {@link AccountControl} instance that checks whether the current user can see other
* accounts.
*/
public AccountControl get() {
return new AccountControl(
permissionBackend,
projectCache,
groupControlFactory,
user.get(),
userFactory,
accountVisibility);
}
/**
* Creates a {@link AccountControl} instance that checks whether the given user can see other
* accounts.
*/
@UsedAt(UsedAt.Project.PLUGIN_CODE_OWNERS)
public AccountControl get(IdentifiedUser identifiedUser) {
return new AccountControl(
permissionBackend,
projectCache,
groupControlFactory,
identifiedUser,
userFactory,
accountVisibility);
}
}
private final AccountsSection accountsSection;
private final GroupControl.Factory groupControlFactory;
private final PermissionBackend.WithUser perm;
private final CurrentUser user;
private final IdentifiedUser.GenericFactory userFactory;
private final AccountVisibility accountVisibility;
private Boolean viewAll;
private AccountControl(
PermissionBackend permissionBackend,
ProjectCache projectCache,
GroupControl.Factory groupControlFactory,
CurrentUser user,
IdentifiedUser.GenericFactory userFactory,
AccountVisibility accountVisibility) {
this.accountsSection = projectCache.getAllProjects().getConfig().getAccountsSection();
this.groupControlFactory = groupControlFactory;
this.perm = permissionBackend.user(user);
this.user = user;
this.userFactory = userFactory;
this.accountVisibility = accountVisibility;
}
public CurrentUser getUser() {
return user;
}
/**
* Returns true if the current user is allowed to see the otherUser, based on the account
* visibility policy. Depending on the group membership realms supported, this may not be able to
* determine SAME_GROUP or VISIBLE_GROUP correctly (defaulting to not being visible). This is
* because {@link GroupMembership#getKnownGroups()} may only return a subset of the effective
* groups.
*/
public boolean canSee(Account.Id otherUser) {
return canSee(
new OtherUser() {
@Override
Account.Id getId() {
return otherUser;
}
@Override
IdentifiedUser createUser() {
return userFactory.create(otherUser);
}
});
}
/**
* Returns true if the current user is allowed to see the otherUser, based on the account
* visibility policy. Depending on the group membership realms supported, this may not be able to
* determine SAME_GROUP or VISIBLE_GROUP correctly (defaulting to not being visible). This is
* because {@link GroupMembership#getKnownGroups()} may only return a subset of the effective
* groups.
*/
public boolean canSee(AccountState otherUser) {
return canSee(
new OtherUser() {
@Override
Account.Id getId() {
return otherUser.account().id();
}
@Override
IdentifiedUser createUser() {
return userFactory.create(otherUser);
}
});
}
private boolean canSee(OtherUser otherUser) {
if (accountVisibility == AccountVisibility.ALL) {
logger.atFine().log(
"user %s can see account %d (accountVisibility = %s)",
user.getLoggableName(), otherUser.getId().get(), AccountVisibility.ALL);
return true;
} else if (user.isIdentifiedUser() && user.getAccountId().equals(otherUser.getId())) {
// I can always see myself.
logger.atFine().log(
"user %s can see own account %d", user.getLoggableName(), otherUser.getId().get());
return true;
} else if (canViewAll()) {
logger.atFine().log(
"user %s can see account %d (view all accounts = true)",
user.getLoggableName(), otherUser.getId().get());
return true;
}
switch (accountVisibility) {
case SAME_GROUP:
{
Set<AccountGroup.UUID> usersGroups = groupsOf(otherUser.getUser());
for (PermissionRule rule : accountsSection.getSameGroupVisibility()) {
if (rule.isBlock() || rule.isDeny()) {
logger.atFine().log(
"ignoring group %s of user %s for %s account visibility check"
+ " because there is a blocked/denied sameGroupVisibility rule: %s",
rule.getGroup().getUUID(),
otherUser.getUser().getLoggableName(),
AccountVisibility.SAME_GROUP,
rule);
usersGroups.remove(rule.getGroup().getUUID());
}
}
if (user.getEffectiveGroups().containsAnyOf(usersGroups)) {
logger.atFine().log(
"user %s can see account %d because they share a group (accountVisibility = %s)",
user.getLoggableName(), otherUser.getId().get(), AccountVisibility.SAME_GROUP);
return true;
}
logger.atFine().log(
"user %s cannot see account %d because they don't share a group"
+ " (accountVisibility = %s)",
user.getLoggableName(), otherUser.getId().get(), AccountVisibility.SAME_GROUP);
logger.atFine().log("groups of user %s: %s", user.getLoggableName(), groupsOf(user));
logger.atFine().log(
"groups of other user %s: %s", otherUser.getUser().getLoggableName(), usersGroups);
return false;
}
case VISIBLE_GROUP:
{
Set<AccountGroup.UUID> usersGroups = groupsOf(otherUser.getUser());
for (AccountGroup.UUID usersGroup : usersGroups) {
try {
if (groupControlFactory.controlFor(usersGroup).isVisible()) {
logger.atFine().log(
"user %s can see account %d because it is member of the visible group %s"
+ " (accountVisibility = %s)",
user.getLoggableName(),
otherUser.getId().get(),
usersGroup.get(),
AccountVisibility.VISIBLE_GROUP);
return true;
}
} catch (NoSuchGroupException e) {
continue;
}
}
logger.atFine().log(
"user %s cannot see account %d because none of its groups are visible"
+ " (accountVisibility = %s)",
user.getLoggableName(), otherUser.getId().get(), AccountVisibility.VISIBLE_GROUP);
logger.atFine().log(
"groups of other user %s: %s", otherUser.getUser().getLoggableName(), usersGroups);
return false;
}
case NONE:
logger.atFine().log(
"user %s cannot see account %d (accountVisibility = %s)",
user.getLoggableName(), otherUser.getId().get(), AccountVisibility.NONE);
return false;
case ALL:
default:
throw new IllegalStateException("Bad AccountVisibility " + accountVisibility);
}
}
public boolean canViewAll() {
if (viewAll == null) {
try {
viewAll = perm.test(GlobalPermission.VIEW_ALL_ACCOUNTS);
} catch (PermissionBackendException e) {
logger.atFine().withCause(e).log(
"Failed to check %s global capability for user %s",
GlobalPermission.VIEW_ALL_ACCOUNTS, user.getLoggableName());
viewAll = false;
}
}
return viewAll;
}
private Set<AccountGroup.UUID> groupsOf(CurrentUser user) {
return user.getEffectiveGroups().getKnownGroups().stream()
.filter(a -> !SystemGroupBackend.isSystemGroup(a))
.collect(toSet());
}
private abstract static class OtherUser {
IdentifiedUser user;
IdentifiedUser getUser() {
if (user == null) {
user = createUser();
}
return user;
}
abstract IdentifiedUser createUser();
abstract Account.Id getId();
}
}