java/com/google/gerrit/server/project/CreateRefControl.java - gerrit - Git at Google

 // Copyright (C) 2017 The Android Open Source Project
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 // http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 package com.google.gerrit.server.project;

 import static com.google.gerrit.server.project.ProjectCache.noSuchProject;

 import com.google.common.flogger.FluentLogger;
 import com.google.gerrit.entities.BranchNameKey;
 import com.google.gerrit.entities.Project;
 import com.google.gerrit.extensions.restapi.AuthException;
 import com.google.gerrit.extensions.restapi.ResourceConflictException;
 import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.permissions.RefPermission;
 import com.google.gerrit.server.query.change.ChangeData;
 import com.google.gerrit.server.update.RetryHelper;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
 import com.google.inject.Singleton;
 import java.io.IOException;
 import java.util.List;
 import java.util.Optional;
 import org.eclipse.jgit.lib.Constants;
 import org.eclipse.jgit.lib.PersonIdent;
 import org.eclipse.jgit.lib.Repository;
 import org.eclipse.jgit.revwalk.RevCommit;
 import org.eclipse.jgit.revwalk.RevObject;
 import org.eclipse.jgit.revwalk.RevTag;
 import org.eclipse.jgit.revwalk.RevWalk;

 /** Manages access control for creating Git references (aka branches, tags). */
 @Singleton
 public class CreateRefControl {

   private static final FluentLogger logger = FluentLogger.forEnclosingClass();

   private final PermissionBackend permissionBackend;
   private final ProjectCache projectCache;
   private final Reachable reachable;
   private final RetryHelper retryHelper;

   @Inject
   CreateRefControl(
       PermissionBackend permissionBackend,
       ProjectCache projectCache,
       Reachable reachable,
       RetryHelper retryHelper) {
     this.permissionBackend = permissionBackend;
     this.projectCache = projectCache;
     this.reachable = reachable;
     this.retryHelper = retryHelper;
   }

   /**
    * Checks whether the {@link CurrentUser} can create a new Git ref.
    *
    * @param user the user performing the operation
    * @param repo repository on which user want to create
    * @param destBranch the branch the new {@link RevObject} should be created on
    * @param object the object the user will start the reference with
    * @param sourceBranches the source ref from which the new ref is created from
    * @throws AuthException if creation is denied; the message explains the denial.
    * @throws PermissionBackendException on failure of permission checks.
    * @throws ResourceConflictException if the project state does not permit the operation
    */
   public void checkCreateRef(
       Provider<? extends CurrentUser> user,
       Repository repo,
       BranchNameKey destBranch,
       RevObject object,
       boolean forPush,
       BranchNameKey... sourceBranches)
       throws AuthException, PermissionBackendException, NoSuchProjectException, IOException,
           ResourceConflictException {
     ProjectState ps =
         projectCache.get(destBranch.project()).orElseThrow(noSuchProject(destBranch.project()));
     ps.checkStatePermitsWrite();

     PermissionBackend.ForRef perm = permissionBackend.user(user.get()).ref(destBranch);
     if (object instanceof RevCommit) {
       perm.check(RefPermission.CREATE);
       if (sourceBranches.length == 0) {
         checkCreateCommit(user, repo, (RevCommit) object, ps.getNameKey(), perm, forPush);
       } else {
         for (BranchNameKey src : sourceBranches) {
           PermissionBackend.ForRef forRef = permissionBackend.user(user.get()).ref(src);
           if (forRef.testOrFalse(RefPermission.READ)) {
             return;
           }
         }
         AuthException e =
             new AuthException(
                 String.format(
                     "must have %s on existing ref to create new ref from it",
                     RefPermission.READ.describeForException()));
         e.setAdvice(
             String.format(
                 "use an existing ref visible to you, or get %s permission on the ref",
                 RefPermission.READ.describeForException()));
         throw e;
       }
     } else if (object instanceof RevTag) {
       RevTag tag = (RevTag) object;
       try (RevWalk rw = new RevWalk(repo)) {
         rw.parseBody(tag);
       } catch (IOException e) {
         logger.atSevere().withCause(e).log(
             "RevWalk(%s) parsing %s:", destBranch.project(), tag.name());
         throw e;
       }

       // If tagger is present, require it matches the user's email.
       PersonIdent tagger = tag.getTaggerIdent();
       if (tagger != null
           && (!user.get().isIdentifiedUser()
               || !user.get().asIdentifiedUser().hasEmailAddress(tagger.getEmailAddress()))) {
         perm.check(RefPermission.FORGE_COMMITTER);
       }

       RevObject target = tag.getObject();
       if (target instanceof RevCommit) {
         checkCreateCommit(user, repo, (RevCommit) target, ps.getNameKey(), perm, forPush);
       } else {
         checkCreateRef(user, repo, destBranch, target, forPush);
       }

       // If the tag has a PGP signature, allow a lower level of permission
       // than if it doesn't have a PGP signature.
       PermissionBackend.ForRef forRef = permissionBackend.user(user.get()).ref(destBranch);
       if (tag.getRawGpgSignature() != null) {
         forRef.check(RefPermission.CREATE_SIGNED_TAG);
       } else {
         forRef.check(RefPermission.CREATE_TAG);
       }
     }
   }

   /**
    * Check if the user is allowed to create a new commit object if this creation would introduce a
    * new commit to the repository.
    */
   private void checkCreateCommit(
       Provider<? extends CurrentUser> user,
       Repository repo,
       RevCommit commit,
       Project.NameKey project,
       PermissionBackend.ForRef forRef,
       boolean forPush)
       throws AuthException, PermissionBackendException, IOException {
     try {
       // If the user has UPDATE (push) permission, they can set the ref to an arbitrary commit:
       //
       //  * if they don't have access, we don't advertise the data, and a conforming git client
       //  would send the object along with the push as outcome of the negotation.
       //  * a malicious client could try to send the update without sending the object. This
       //  is prevented by JGit's ConnectivityChecker (see receive.checkReferencedObjectsAreReachable
       //  to switch off this costly check).
       //
       // Thus, when using the git command-line client, we don't need to do extra checks for users
       // with push access.
       //
       // When using the REST API, there is no negotiation, and the target commit must already be on
       // the server, so we must check that the user can see that commit.
       if (forPush) {
         // We can only shortcut for UPDATE permission. Pushing a tag (CREATE_TAG, CREATE_SIGNED_TAG)
         // can also introduce new objects. While there may not be a confidentiality problem
         // (the caller supplies the data as documented above), the permission is for creating
         // tags to existing commits.
         forRef.check(RefPermission.UPDATE);
         return;
       }
     } catch (AuthException denied) {
       // Fall through to check reachability.
     }
     if (reachable.fromRefs(
         project,
         repo,
         commit,
         repo.getRefDatabase().getRefsByPrefix(Constants.R_HEADS, Constants.R_TAGS),
         Optional.of(user.get()))) {
       // If the user has no push permissions, check whether the object is
       // merged into a branch or tag readable by this user. If so, they are
       // not effectively "pushing" more objects, so they can create the ref
       // even if they don't have push permission.
       return;
     }

     // Previous check only catches normal branches. Try PatchSet refs too. If we can create refs,
     // we're not a replica, so we can always use the change index.
     List<ChangeData> changes =
         retryHelper
             .changeIndexQuery(
                 "queryChangesByProjectCommitWithLimit1",
                 q -> q.enforceVisibility(true).setLimit(1).byProjectCommit(project, commit))
             .call();
     if (!changes.isEmpty()) {
       return;
     }

     AuthException e =
         new AuthException(
             String.format(
                 "%s for creating new commit object not permitted",
                 RefPermission.UPDATE.describeForException()));
     e.setAdvice(
         String.format(
             "use a SHA1 visible to you, or get %s permission on the ref",
             RefPermission.UPDATE.describeForException()));
     throw e;
   }
 }
	// Copyright (C) 2017 The Android Open Source Project
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	package com.google.gerrit.server.project;

	import static com.google.gerrit.server.project.ProjectCache.noSuchProject;

	import com.google.common.flogger.FluentLogger;
	import com.google.gerrit.entities.BranchNameKey;
	import com.google.gerrit.entities.Project;
	import com.google.gerrit.extensions.restapi.AuthException;
	import com.google.gerrit.extensions.restapi.ResourceConflictException;
	import com.google.gerrit.server.CurrentUser;
	import com.google.gerrit.server.permissions.PermissionBackend;
	import com.google.gerrit.server.permissions.PermissionBackendException;
	import com.google.gerrit.server.permissions.RefPermission;
	import com.google.gerrit.server.query.change.ChangeData;
	import com.google.gerrit.server.update.RetryHelper;
	import com.google.inject.Inject;
	import com.google.inject.Provider;
	import com.google.inject.Singleton;
	import java.io.IOException;
	import java.util.List;
	import java.util.Optional;
	import org.eclipse.jgit.lib.Constants;
	import org.eclipse.jgit.lib.PersonIdent;
	import org.eclipse.jgit.lib.Repository;
	import org.eclipse.jgit.revwalk.RevCommit;
	import org.eclipse.jgit.revwalk.RevObject;
	import org.eclipse.jgit.revwalk.RevTag;
	import org.eclipse.jgit.revwalk.RevWalk;

	/** Manages access control for creating Git references (aka branches, tags). */
	@Singleton
	public class CreateRefControl {

	private static final FluentLogger logger = FluentLogger.forEnclosingClass();

	private final PermissionBackend permissionBackend;
	private final ProjectCache projectCache;
	private final Reachable reachable;
	private final RetryHelper retryHelper;

	@Inject
	CreateRefControl(
	PermissionBackend permissionBackend,
	ProjectCache projectCache,
	Reachable reachable,
	RetryHelper retryHelper) {
	this.permissionBackend = permissionBackend;
	this.projectCache = projectCache;
	this.reachable = reachable;
	this.retryHelper = retryHelper;
	}

	/**
	* Checks whether the {@link CurrentUser} can create a new Git ref.
	*
	* @param user the user performing the operation
	* @param repo repository on which user want to create
	* @param destBranch the branch the new {@link RevObject} should be created on
	* @param object the object the user will start the reference with
	* @param sourceBranches the source ref from which the new ref is created from
	* @throws AuthException if creation is denied; the message explains the denial.
	* @throws PermissionBackendException on failure of permission checks.
	* @throws ResourceConflictException if the project state does not permit the operation
	*/
	public void checkCreateRef(
	Provider<? extends CurrentUser> user,
	Repository repo,
	BranchNameKey destBranch,
	RevObject object,
	boolean forPush,
	BranchNameKey... sourceBranches)
	throws AuthException, PermissionBackendException, NoSuchProjectException, IOException,
	ResourceConflictException {
	ProjectState ps =
	projectCache.get(destBranch.project()).orElseThrow(noSuchProject(destBranch.project()));
	ps.checkStatePermitsWrite();

	PermissionBackend.ForRef perm = permissionBackend.user(user.get()).ref(destBranch);
	if (object instanceof RevCommit) {
	perm.check(RefPermission.CREATE);
	if (sourceBranches.length == 0) {
	checkCreateCommit(user, repo, (RevCommit) object, ps.getNameKey(), perm, forPush);
	} else {
	for (BranchNameKey src : sourceBranches) {
	PermissionBackend.ForRef forRef = permissionBackend.user(user.get()).ref(src);
	if (forRef.testOrFalse(RefPermission.READ)) {
	return;
	}
	}
	AuthException e =
	new AuthException(
	String.format(
	"must have %s on existing ref to create new ref from it",
	RefPermission.READ.describeForException()));
	e.setAdvice(
	String.format(
	"use an existing ref visible to you, or get %s permission on the ref",
	RefPermission.READ.describeForException()));
	throw e;
	}
	} else if (object instanceof RevTag) {
	RevTag tag = (RevTag) object;
	try (RevWalk rw = new RevWalk(repo)) {
	rw.parseBody(tag);
	} catch (IOException e) {
	logger.atSevere().withCause(e).log(
	"RevWalk(%s) parsing %s:", destBranch.project(), tag.name());
	throw e;
	}

	// If tagger is present, require it matches the user's email.
	PersonIdent tagger = tag.getTaggerIdent();
	if (tagger != null
	&& (!user.get().isIdentifiedUser()
	\|\| !user.get().asIdentifiedUser().hasEmailAddress(tagger.getEmailAddress()))) {
	perm.check(RefPermission.FORGE_COMMITTER);
	}

	RevObject target = tag.getObject();
	if (target instanceof RevCommit) {
	checkCreateCommit(user, repo, (RevCommit) target, ps.getNameKey(), perm, forPush);
	} else {
	checkCreateRef(user, repo, destBranch, target, forPush);
	}

	// If the tag has a PGP signature, allow a lower level of permission
	// than if it doesn't have a PGP signature.
	PermissionBackend.ForRef forRef = permissionBackend.user(user.get()).ref(destBranch);
	if (tag.getRawGpgSignature() != null) {
	forRef.check(RefPermission.CREATE_SIGNED_TAG);
	} else {
	forRef.check(RefPermission.CREATE_TAG);
	}
	}
	}

	/**
	* Check if the user is allowed to create a new commit object if this creation would introduce a
	* new commit to the repository.
	*/
	private void checkCreateCommit(
	Provider<? extends CurrentUser> user,
	Repository repo,
	RevCommit commit,
	Project.NameKey project,
	PermissionBackend.ForRef forRef,
	boolean forPush)
	throws AuthException, PermissionBackendException, IOException {
	try {
	// If the user has UPDATE (push) permission, they can set the ref to an arbitrary commit:
	//
	// * if they don't have access, we don't advertise the data, and a conforming git client
	// would send the object along with the push as outcome of the negotation.
	// * a malicious client could try to send the update without sending the object. This
	// is prevented by JGit's ConnectivityChecker (see receive.checkReferencedObjectsAreReachable
	// to switch off this costly check).
	//
	// Thus, when using the git command-line client, we don't need to do extra checks for users
	// with push access.
	//
	// When using the REST API, there is no negotiation, and the target commit must already be on
	// the server, so we must check that the user can see that commit.
	if (forPush) {
	// We can only shortcut for UPDATE permission. Pushing a tag (CREATE_TAG, CREATE_SIGNED_TAG)
	// can also introduce new objects. While there may not be a confidentiality problem
	// (the caller supplies the data as documented above), the permission is for creating
	// tags to existing commits.
	forRef.check(RefPermission.UPDATE);
	return;
	}
	} catch (AuthException denied) {
	// Fall through to check reachability.
	}
	if (reachable.fromRefs(
	project,
	repo,
	commit,
	repo.getRefDatabase().getRefsByPrefix(Constants.R_HEADS, Constants.R_TAGS),
	Optional.of(user.get()))) {
	// If the user has no push permissions, check whether the object is
	// merged into a branch or tag readable by this user. If so, they are
	// not effectively "pushing" more objects, so they can create the ref
	// even if they don't have push permission.
	return;
	}

	// Previous check only catches normal branches. Try PatchSet refs too. If we can create refs,
	// we're not a replica, so we can always use the change index.
	List<ChangeData> changes =
	retryHelper
	.changeIndexQuery(
	"queryChangesByProjectCommitWithLimit1",
	q -> q.enforceVisibility(true).setLimit(1).byProjectCommit(project, commit))
	.call();
	if (!changes.isEmpty()) {
	return;
	}

	AuthException e =
	new AuthException(
	String.format(
	"%s for creating new commit object not permitted",
	RefPermission.UPDATE.describeForException()));
	e.setAdvice(
	String.format(
	"use a SHA1 visible to you, or get %s permission on the ref",
	RefPermission.UPDATE.describeForException()));
	throw e;
	}
	}