blob: b60d78e3c1e7c98d1baf9a21b9b4f7612c3456cc [file] [log] [blame]
// Copyright (C) 2013 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package com.google.gerrit.server.restapi.group;
import com.google.common.base.Strings;
import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import com.google.gerrit.common.data.GroupDescription;
import com.google.gerrit.entities.Account;
import com.google.gerrit.entities.AccountGroup;
import com.google.gerrit.exceptions.NoSuchGroupException;
import com.google.gerrit.extensions.client.AuthType;
import com.google.gerrit.extensions.common.AccountInfo;
import com.google.gerrit.extensions.restapi.AuthException;
import com.google.gerrit.extensions.restapi.DefaultInput;
import com.google.gerrit.extensions.restapi.IdString;
import com.google.gerrit.extensions.restapi.ResourceNotFoundException;
import com.google.gerrit.extensions.restapi.Response;
import com.google.gerrit.extensions.restapi.RestApiException;
import com.google.gerrit.extensions.restapi.RestCollectionCreateView;
import com.google.gerrit.extensions.restapi.RestModifyView;
import com.google.gerrit.extensions.restapi.UnprocessableEntityException;
import com.google.gerrit.server.UserInitiated;
import com.google.gerrit.server.account.AccountCache;
import com.google.gerrit.server.account.AccountException;
import com.google.gerrit.server.account.AccountLoader;
import com.google.gerrit.server.account.AccountManager;
import com.google.gerrit.server.account.AccountResolver;
import com.google.gerrit.server.account.AccountResolver.UnresolvableAccountException;
import com.google.gerrit.server.account.AccountState;
import com.google.gerrit.server.account.AuthRequest;
import com.google.gerrit.server.account.GroupControl;
import com.google.gerrit.server.account.externalids.ExternalId;
import com.google.gerrit.server.config.AuthConfig;
import com.google.gerrit.server.group.GroupResource;
import com.google.gerrit.server.group.MemberResource;
import com.google.gerrit.server.group.db.GroupsUpdate;
import com.google.gerrit.server.group.db.InternalGroupUpdate;
import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gerrit.server.restapi.group.AddMembers.Input;
import com.google.inject.Inject;
import com.google.inject.Provider;
import com.google.inject.Singleton;
import java.io.IOException;
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import org.eclipse.jgit.errors.ConfigInvalidException;
@Singleton
public class AddMembers implements RestModifyView<GroupResource, Input> {
public static class Input {
@DefaultInput String _oneMember;
List<String> members;
public static Input fromMembers(List<String> members) {
Input in = new Input();
in.members = members;
return in;
}
static Input init(Input in) {
if (in == null) {
in = new Input();
}
if (in.members == null) {
in.members = Lists.newArrayListWithCapacity(1);
}
if (!Strings.isNullOrEmpty(in._oneMember)) {
in.members.add(in._oneMember);
}
return in;
}
}
private final AccountManager accountManager;
private final AuthType authType;
private final AccountResolver accountResolver;
private final AccountCache accountCache;
private final AccountLoader.Factory infoFactory;
private final Provider<GroupsUpdate> groupsUpdateProvider;
@Inject
AddMembers(
AccountManager accountManager,
AuthConfig authConfig,
AccountResolver accountResolver,
AccountCache accountCache,
AccountLoader.Factory infoFactory,
@UserInitiated Provider<GroupsUpdate> groupsUpdateProvider) {
this.accountManager = accountManager;
this.authType = authConfig.getAuthType();
this.accountResolver = accountResolver;
this.accountCache = accountCache;
this.infoFactory = infoFactory;
this.groupsUpdateProvider = groupsUpdateProvider;
}
@Override
public Response<List<AccountInfo>> apply(GroupResource resource, Input input)
throws AuthException, NotInternalGroupException, UnprocessableEntityException, IOException,
ConfigInvalidException, ResourceNotFoundException, PermissionBackendException {
GroupDescription.Internal internalGroup =
resource.asInternalGroup().orElseThrow(NotInternalGroupException::new);
input = Input.init(input);
GroupControl control = resource.getControl();
if (!control.canAddMember()) {
throw new AuthException("Cannot add members to group " + internalGroup.getName());
}
Set<Account.Id> newMemberIds = new LinkedHashSet<>();
for (String nameOrEmailOrId : input.members) {
Account a = findAccount(nameOrEmailOrId);
if (!a.isActive()) {
throw new UnprocessableEntityException(
String.format("Account Inactive: %s", nameOrEmailOrId));
}
newMemberIds.add(a.id());
}
AccountGroup.UUID groupUuid = internalGroup.getGroupUUID();
try {
addMembers(groupUuid, newMemberIds);
} catch (NoSuchGroupException e) {
throw new ResourceNotFoundException(String.format("Group %s not found", groupUuid));
}
return Response.ok(toAccountInfoList(newMemberIds));
}
Account findAccount(String nameOrEmailOrId)
throws UnprocessableEntityException, IOException, ConfigInvalidException {
AccountResolver.Result result = accountResolver.resolve(nameOrEmailOrId);
try {
return result.asUnique().account();
} catch (UnresolvableAccountException e) {
switch (authType) {
case HTTP_LDAP:
case CLIENT_SSL_CERT_LDAP:
case LDAP:
if (!e.isSelf() && result.asList().isEmpty()) {
// Account does not exist, try to create it. This may leak account existence, since we
// can't distinguish between a nonexistent account and one that the caller can't see.
Optional<Account> a = createAccountByLdap(nameOrEmailOrId);
if (a.isPresent()) {
return a.get();
}
}
break;
case CUSTOM_EXTENSION:
case DEVELOPMENT_BECOME_ANY_ACCOUNT:
case HTTP:
case LDAP_BIND:
case OAUTH:
case OPENID:
case OPENID_SSO:
default:
}
throw e;
}
}
public void addMembers(AccountGroup.UUID groupUuid, Set<Account.Id> newMemberIds)
throws IOException, NoSuchGroupException, ConfigInvalidException {
InternalGroupUpdate groupUpdate =
InternalGroupUpdate.builder()
.setMemberModification(memberIds -> Sets.union(memberIds, newMemberIds))
.build();
groupsUpdateProvider.get().updateGroup(groupUuid, groupUpdate);
}
private Optional<Account> createAccountByLdap(String user) throws IOException {
if (!ExternalId.isValidUsername(user)) {
return Optional.empty();
}
try {
AuthRequest req = AuthRequest.forUser(user);
req.setSkipAuthentication(true);
return accountCache
.get(accountManager.authenticate(req).getAccountId())
.map(AccountState::account);
} catch (AccountException e) {
return Optional.empty();
}
}
private List<AccountInfo> toAccountInfoList(Set<Account.Id> accountIds)
throws PermissionBackendException {
List<AccountInfo> result = new ArrayList<>();
AccountLoader loader = infoFactory.create(true);
for (Account.Id accId : accountIds) {
result.add(loader.get(accId));
}
loader.fill();
return result;
}
@Singleton
public static class CreateMember
implements RestCollectionCreateView<GroupResource, MemberResource, Input> {
private final AddMembers put;
@Inject
public CreateMember(AddMembers put) {
this.put = put;
}
@Override
public Response<AccountInfo> apply(GroupResource resource, IdString id, Input input)
throws RestApiException, NotInternalGroupException, IOException, ConfigInvalidException,
PermissionBackendException {
AddMembers.Input in = new AddMembers.Input();
in._oneMember = id.get();
try {
List<AccountInfo> list = put.apply(resource, in).value();
if (list.size() == 1) {
return Response.created(list.get(0));
}
throw new IllegalStateException();
} catch (UnprocessableEntityException e) {
throw new ResourceNotFoundException(id);
}
}
}
@Singleton
public static class UpdateMember implements RestModifyView<MemberResource, Input> {
private final GetMember get;
@Inject
public UpdateMember(GetMember get) {
this.get = get;
}
@Override
public Response<AccountInfo> apply(MemberResource resource, Input input)
throws PermissionBackendException {
// Do nothing, the user is already a member.
return get.apply(resource);
}
}
}