All Downloads are FREE. Search and download functionalities are using the official Maven repository.

com.google.gerrit.server.restapi.project.SetAccess Maven / Gradle / Ivy

There is a newer version: 3.11.0-rc3
Show newest version
// Copyright (C) 2016 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package com.google.gerrit.server.restapi.project;

import com.google.common.base.Strings;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.Iterables;
import com.google.gerrit.entities.AccessSection;
import com.google.gerrit.entities.Project;
import com.google.gerrit.exceptions.InvalidNameException;
import com.google.gerrit.extensions.api.access.AccessSectionInfo;
import com.google.gerrit.extensions.api.access.PermissionInfo;
import com.google.gerrit.extensions.api.access.PermissionRuleInfo;
import com.google.gerrit.extensions.api.access.ProjectAccessInfo;
import com.google.gerrit.extensions.api.access.ProjectAccessInput;
import com.google.gerrit.extensions.restapi.BadRequestException;
import com.google.gerrit.extensions.restapi.ResourceConflictException;
import com.google.gerrit.extensions.restapi.Response;
import com.google.gerrit.extensions.restapi.RestModifyView;
import com.google.gerrit.server.IdentifiedUser;
import com.google.gerrit.server.account.GroupBackend;
import com.google.gerrit.server.permissions.GlobalPermission;
import com.google.gerrit.server.permissions.PermissionBackend;
import com.google.gerrit.server.permissions.RefPermission;
import com.google.gerrit.server.project.ProjectResource;
import com.google.inject.Inject;
import com.google.inject.Provider;
import com.google.inject.Singleton;
import java.util.Map;
import org.eclipse.jgit.errors.ConfigInvalidException;

@Singleton
public class SetAccess implements RestModifyView {
  protected final GroupBackend groupBackend;
  private final PermissionBackend permissionBackend;
  private final GetAccess getAccess;
  private final Provider identifiedUser;
  private final SetAccessUtil accessUtil;
  private final RepoMetaDataUpdater repoMetaDataUpdater;

  @Inject
  private SetAccess(
      GroupBackend groupBackend,
      PermissionBackend permissionBackend,
      GetAccess getAccess,
      Provider identifiedUser,
      SetAccessUtil accessUtil,
      RepoMetaDataUpdater repoMetaDataUpdater) {
    this.groupBackend = groupBackend;
    this.permissionBackend = permissionBackend;
    this.getAccess = getAccess;
    this.identifiedUser = identifiedUser;
    this.accessUtil = accessUtil;
    this.repoMetaDataUpdater = repoMetaDataUpdater;
  }

  @Override
  public Response apply(ProjectResource rsrc, ProjectAccessInput input)
      throws Exception {
    validateInput(input);

    ImmutableList removals =
        accessUtil.getAccessSections(input.remove, /* rejectNonResolvableGroups= */ false);
    ImmutableList additions =
        accessUtil.getAccessSections(input.add, /* rejectNonResolvableGroups= */ true);
    String message = !Strings.isNullOrEmpty(input.message) ? input.message : "Modify access rules";
    try {
      this.repoMetaDataUpdater.updateWithoutReview(
          rsrc.getNameKey(),
          message,
          /*skipPermissionsCheck=*/ true,
          config -> {
            // Check that the user has the right permissions.
            boolean checkedAdmin = false;
            for (AccessSection section : Iterables.concat(additions, removals)) {
              boolean isGlobalCapabilities =
                  AccessSection.GLOBAL_CAPABILITIES.equals(section.getName());
              if (isGlobalCapabilities) {
                if (!checkedAdmin) {
                  permissionBackend.currentUser().check(GlobalPermission.ADMINISTRATE_SERVER);
                  checkedAdmin = true;
                }
              } else {
                permissionBackend
                    .currentUser()
                    .project(rsrc.getNameKey())
                    .ref(section.getName())
                    .check(RefPermission.WRITE_CONFIG);
              }
            }

            accessUtil.validateChanges(config, removals, additions);
            accessUtil.applyChanges(config, removals, additions);

            accessUtil.setParentName(
                identifiedUser.get(),
                config,
                rsrc.getNameKey(),
                input.parent == null ? null : Project.nameKey(input.parent),
                !checkedAdmin);
          });
    } catch (InvalidNameException e) {
      throw new BadRequestException(e.toString());
    } catch (ConfigInvalidException e) {
      throw new ResourceConflictException(rsrc.getName(), e);
    }

    return Response.ok(getAccess.apply(rsrc.getNameKey()));
  }

  private static void validateInput(ProjectAccessInput input) throws BadRequestException {
    if (input.add != null) {
      for (Map.Entry accessSectionEntry : input.add.entrySet()) {
        validateAccessSection(accessSectionEntry.getKey(), accessSectionEntry.getValue());
      }
    }
  }

  private static void validateAccessSection(String ref, AccessSectionInfo accessSectionInfo)
      throws BadRequestException {
    if (accessSectionInfo != null) {
      for (Map.Entry permissionEntry :
          accessSectionInfo.permissions.entrySet()) {
        validatePermission(ref, permissionEntry.getKey(), permissionEntry.getValue());
      }
    }
  }

  private static void validatePermission(
      String ref, String permission, PermissionInfo permissionInfo) throws BadRequestException {
    if (permissionInfo != null) {
      for (Map.Entry permissionRuleEntry :
          permissionInfo.rules.entrySet()) {
        validatePermissionRule(
            ref, permission, permissionRuleEntry.getKey(), permissionRuleEntry.getValue());
      }
    }
  }

  private static void validatePermissionRule(
      String ref, String permission, String groupId, PermissionRuleInfo permissionRuleInfo)
      throws BadRequestException {
    if (permissionRuleInfo != null) {
      if (permissionRuleInfo.min != null || permissionRuleInfo.max != null) {
        if (permissionRuleInfo.min == null) {
          throw new BadRequestException(
              String.format(
                  "Invalid range for permission rule that assigns %s to group %s on ref %s:"
                      + " ..%d (min is required if max is set)",
                  permission, groupId, ref, permissionRuleInfo.max));
        }

        if (permissionRuleInfo.max == null) {
          throw new BadRequestException(
              String.format(
                  "Invalid range for permission rule that assigns %s to group %s on ref %s:"
                      + " %d.. (max is required if min is set)",
                  permission, groupId, ref, permissionRuleInfo.min));
        }

        if (permissionRuleInfo.min > permissionRuleInfo.max) {
          throw new BadRequestException(
              String.format(
                  "Invalid range for permission rule that assigns %s to group %s on ref %s:"
                      + " %d..%d (min must be <= max)",
                  permission, groupId, ref, permissionRuleInfo.min, permissionRuleInfo.max));
        }
      }
    }
  }
}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy