All Downloads are FREE. Search and download functionalities are using the official Maven repository.

com.google.gerrit.server.account.AccountControl Maven / Gradle / Ivy

There is a newer version: 3.11.0-rc3
Show newest version
// Copyright (C) 2012 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package com.google.gerrit.server.account;

import static java.util.stream.Collectors.toSet;

import com.google.common.flogger.FluentLogger;
import com.google.gerrit.common.UsedAt;
import com.google.gerrit.entities.Account;
import com.google.gerrit.entities.AccountGroup;
import com.google.gerrit.entities.AccountsSection;
import com.google.gerrit.entities.PermissionRule;
import com.google.gerrit.exceptions.NoSuchGroupException;
import com.google.gerrit.extensions.common.AccountVisibility;
import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.IdentifiedUser;
import com.google.gerrit.server.group.SystemGroupBackend;
import com.google.gerrit.server.permissions.GlobalPermission;
import com.google.gerrit.server.permissions.PermissionBackend;
import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gerrit.server.project.ProjectCache;
import com.google.inject.Inject;
import com.google.inject.Provider;
import java.util.Set;

/** Access control management for one account's access to other accounts. */
public class AccountControl {
  private static final FluentLogger logger = FluentLogger.forEnclosingClass();

  public static class Factory {
    private final PermissionBackend permissionBackend;
    private final ProjectCache projectCache;
    private final GroupControl.Factory groupControlFactory;
    private final Provider user;
    private final IdentifiedUser.GenericFactory userFactory;
    private final AccountVisibility accountVisibility;

    @Inject
    Factory(
        PermissionBackend permissionBackend,
        ProjectCache projectCache,
        GroupControl.Factory groupControlFactory,
        Provider user,
        IdentifiedUser.GenericFactory userFactory,
        AccountVisibility accountVisibility) {
      this.permissionBackend = permissionBackend;
      this.projectCache = projectCache;
      this.groupControlFactory = groupControlFactory;
      this.user = user;
      this.userFactory = userFactory;
      this.accountVisibility = accountVisibility;
    }

    /**
     * Creates a {@link AccountControl} instance that checks whether the current user can see other
     * accounts.
     */
    public AccountControl get() {
      return new AccountControl(
          permissionBackend,
          projectCache,
          groupControlFactory,
          user.get(),
          userFactory,
          accountVisibility);
    }

    /**
     * Creates a {@link AccountControl} instance that checks whether the given user can see other
     * accounts.
     */
    @UsedAt(UsedAt.Project.PLUGIN_CODE_OWNERS)
    public AccountControl get(CurrentUser user) {
      return new AccountControl(
          permissionBackend,
          projectCache,
          groupControlFactory,
          user,
          userFactory,
          accountVisibility);
    }
  }

  private final AccountsSection accountsSection;
  private final GroupControl.Factory groupControlFactory;
  private final PermissionBackend.WithUser perm;
  private final CurrentUser user;
  private final IdentifiedUser.GenericFactory userFactory;
  private final AccountVisibility accountVisibility;

  private Boolean viewAll;

  private AccountControl(
      PermissionBackend permissionBackend,
      ProjectCache projectCache,
      GroupControl.Factory groupControlFactory,
      CurrentUser user,
      IdentifiedUser.GenericFactory userFactory,
      AccountVisibility accountVisibility) {
    this.accountsSection = projectCache.getAllProjects().getConfig().getAccountsSection();
    this.groupControlFactory = groupControlFactory;
    this.perm = permissionBackend.user(user);
    this.user = user;
    this.userFactory = userFactory;
    this.accountVisibility = accountVisibility;
  }

  public CurrentUser getUser() {
    return user;
  }

  /**
   * Returns true if the current user is allowed to see the otherUser, based on the account
   * visibility policy. Depending on the group membership realms supported, this may not be able to
   * determine SAME_GROUP or VISIBLE_GROUP correctly (defaulting to not being visible). This is
   * because {@link GroupMembership#getKnownGroups()} may only return a subset of the effective
   * groups.
   */
  public boolean canSee(Account.Id otherUser) {
    return canSee(
        new OtherUser() {
          @Override
          Account.Id getId() {
            return otherUser;
          }

          @Override
          IdentifiedUser createUser() {
            return userFactory.create(otherUser);
          }
        });
  }

  /**
   * Returns true if the current user is allowed to see the otherUser, based on the account
   * visibility policy. Depending on the group membership realms supported, this may not be able to
   * determine SAME_GROUP or VISIBLE_GROUP correctly (defaulting to not being visible). This is
   * because {@link GroupMembership#getKnownGroups()} may only return a subset of the effective
   * groups.
   */
  public boolean canSee(AccountState otherUser) {
    return canSee(
        new OtherUser() {
          @Override
          Account.Id getId() {
            return otherUser.account().id();
          }

          @Override
          IdentifiedUser createUser() {
            return userFactory.create(otherUser);
          }
        });
  }

  private boolean canSee(OtherUser otherUser) {
    if (accountVisibility == AccountVisibility.ALL) {
      logger.atFine().log(
          "user %s can see account %d (accountVisibility = %s)",
          user.getLoggableName(), otherUser.getId().get(), AccountVisibility.ALL);
      return true;
    } else if (user.isIdentifiedUser() && user.getAccountId().equals(otherUser.getId())) {
      // I can always see myself.
      logger.atFine().log(
          "user %s can see own account %d", user.getLoggableName(), otherUser.getId().get());
      return true;
    } else if (canViewAll()) {
      logger.atFine().log(
          "user %s can see account %d (view all accounts = true)",
          user.getLoggableName(), otherUser.getId().get());
      return true;
    }

    switch (accountVisibility) {
      case SAME_GROUP:
        {
          Set usersGroups = groupsOf(otherUser.getUser());
          for (PermissionRule rule : accountsSection.getSameGroupVisibility()) {
            if (rule.isBlock() || rule.isDeny()) {
              logger.atFine().log(
                  "ignoring group %s of user %s for %s account visibility check"
                      + " because there is a blocked/denied sameGroupVisibility rule: %s",
                  rule.getGroup().getUUID(),
                  otherUser.getUser().getLoggableName(),
                  AccountVisibility.SAME_GROUP,
                  rule);
              usersGroups.remove(rule.getGroup().getUUID());
            }
          }

          if (user.getEffectiveGroups().containsAnyOf(usersGroups)) {
            logger.atFine().log(
                "user %s can see account %d because they share a group (accountVisibility = %s)",
                user.getLoggableName(), otherUser.getId().get(), AccountVisibility.SAME_GROUP);
            return true;
          }

          logger.atFine().log(
              "user %s cannot see account %d because they don't share a group"
                  + " (accountVisibility = %s)",
              user.getLoggableName(), otherUser.getId().get(), AccountVisibility.SAME_GROUP);
          logger.atFine().log("groups of user %s: %s", user.getLoggableName(), groupsOf(user));
          logger.atFine().log(
              "groups of other user %s: %s", otherUser.getUser().getLoggableName(), usersGroups);
          return false;
        }
      case VISIBLE_GROUP:
        {
          Set usersGroups = groupsOf(otherUser.getUser());
          for (AccountGroup.UUID usersGroup : usersGroups) {
            try {
              if (groupControlFactory.controlFor(usersGroup).isVisible()) {
                logger.atFine().log(
                    "user %s can see account %d because it is member of the visible group %s"
                        + " (accountVisibility = %s)",
                    user.getLoggableName(),
                    otherUser.getId().get(),
                    usersGroup.get(),
                    AccountVisibility.VISIBLE_GROUP);
                return true;
              }
            } catch (NoSuchGroupException e) {
              continue;
            }
          }

          logger.atFine().log(
              "user %s cannot see account %d because none of its groups are visible"
                  + " (accountVisibility = %s)",
              user.getLoggableName(), otherUser.getId().get(), AccountVisibility.VISIBLE_GROUP);
          logger.atFine().log(
              "groups of other user %s: %s", otherUser.getUser().getLoggableName(), usersGroups);
          return false;
        }
      case NONE:
        logger.atFine().log(
            "user %s cannot see account %d (accountVisibility = %s)",
            user.getLoggableName(), otherUser.getId().get(), AccountVisibility.NONE);
        return false;
      case ALL:
      default:
        throw new IllegalStateException("Bad AccountVisibility " + accountVisibility);
    }
  }

  public boolean canViewAll() {
    if (viewAll == null) {
      try {
        viewAll = perm.test(GlobalPermission.VIEW_ALL_ACCOUNTS);
      } catch (PermissionBackendException e) {
        logger.atFine().withCause(e).log(
            "Failed to check %s global capability for user %s",
            GlobalPermission.VIEW_ALL_ACCOUNTS, user.getLoggableName());
        viewAll = false;
      }
    }
    return viewAll;
  }

  private Set groupsOf(CurrentUser user) {
    return user.getEffectiveGroups().getKnownGroups().stream()
        .filter(a -> !SystemGroupBackend.isSystemGroup(a))
        .collect(toSet());
  }

  private abstract static class OtherUser {
    IdentifiedUser user;

    IdentifiedUser getUser() {
      if (user == null) {
        user = createUser();
      }
      return user;
    }

    abstract IdentifiedUser createUser();

    abstract Account.Id getId();
  }
}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy