
Example 1 with Permission

Use of com.google.gerrit.entities.Permission in project gerrit by GerritCodeReview.

From class CreateGroupPermissionSyncer, method syncIfNeeded.

/**
 * Checks if {@code GlobalCapability.CREATE_GROUP} and {@code CREATE} permission on {@code
 * refs/groups/*} have diverged and syncs them by applying the {@code CREATE} permission to {@code
 * refs/groups/*}.
 */
public void syncIfNeeded() throws IOException, ConfigInvalidException {
    ProjectState allProjectsState = projectCache.getAllProjects();
    ProjectState allUsersState = projectCache.getAllUsers();
    Set<PermissionRule> createGroupsGlobal = new HashSet<>(allProjectsState.getCapabilityCollection().createGroup);
    Set<PermissionRule> createGroupsRef = new HashSet<>();
    Optional<AccessSection> allUsersCreateGroupAccessSection = allUsersState.getConfig().getAccessSection(RefNames.REFS_GROUPS + "*");
    if (allUsersCreateGroupAccessSection.isPresent()) {
        Permission create = allUsersCreateGroupAccessSection.get().getPermission(Permission.CREATE);
        if (create != null && create.getRules() != null) {
            createGroupsRef.addAll(create.getRules());
        }
    }
    if (Sets.symmetricDifference(createGroupsGlobal, createGroupsRef).isEmpty()) {
        // Nothing to sync
        return;
    }
    try (MetaDataUpdate md = metaDataUpdateFactory.get().create(allUsers)) {
        ProjectConfig config = projectConfigFactory.read(md);
        config.upsertAccessSection(RefNames.REFS_GROUPS + "*", refsGroupsAccessSectionBuilder -> {
            if (createGroupsGlobal.isEmpty()) {
                refsGroupsAccessSectionBuilder.modifyPermissions(permissions -> {
                    permissions.removeIf(p -> Permission.CREATE.equals(p.getName()));
                });
            } else {
                // The create permission is managed by Gerrit at this point only so there is no
                // concern of overwriting user-defined permissions here.
                Permission.Builder createGroupPermission = Permission.builder(Permission.CREATE);
                refsGroupsAccessSectionBuilder.remove(createGroupPermission);
                refsGroupsAccessSectionBuilder.addPermission(createGroupPermission);
                createGroupsGlobal.stream().map(p -> p.toBuilder()).forEach(createGroupPermission::add);
            }
        });
        config.commit(md);
        projectCache.evictAndReindex(config.getProject());
    }
}

Example 2 with Permission

Use of com.google.gerrit.entities.Permission in project gerrit by GerritCodeReview.

From class AccountManager, method create.

private AuthResult create(AuthRequest who) throws AccountException, IOException, ConfigInvalidException {
    Account.Id newId = Account.id(sequences.nextAccountId());
    logger.atFine().log("Assigning new Id %s to account", newId);
    ExternalId extId = externalIdFactory.createWithEmail(who.getExternalIdKey(), newId, who.getEmailAddress());
    logger.atFine().log("Created external Id: %s", extId);
    checkEmailNotUsed(newId, extId);
    ExternalId userNameExtId = who.getUserName().isPresent() ? createUsername(newId, who.getUserName().get()) : null;
    boolean isFirstAccount = awaitsFirstAccountCheck.getAndSet(false) && !accounts.hasAnyAccount();
    AccountState accountState;
    try {
        accountState = accountsUpdateProvider.get().insert("Create Account on First Login", newId, u -> {
            u.setFullName(who.getDisplayName()).setPreferredEmail(extId.email()).addExternalId(extId);
            if (userNameExtId != null) {
                u.addExternalId(userNameExtId);
            }
        });
    } catch (DuplicateExternalIdKeyException e) {
        throw new AccountException("Cannot assign external ID \"" + e.getDuplicateKey().get() + "\" to account " + newId + "; external ID already in use.");
    } finally {
        // If adding the account failed, it may be that it actually was the
        // first account. So we reset the 'check for first account'-guard, as
        // otherwise the first account would not get administration permissions.
        awaitsFirstAccountCheck.set(isFirstAccount);
    }
    if (userNameExtId != null) {
        who.getUserName().ifPresent(sshKeyCache::evict);
    }
    IdentifiedUser user = userFactory.create(newId);
    if (isFirstAccount) {
        // This is the first user account on our site. Assume this user
        // is going to be the site's administrator and just make them that
        // to bootstrap the authentication database: look up the group that
        // holds the Administrate Server capability in All-Projects and add
        // the new user to it.
        Permission admin = projectCache.getAllProjects().getConfig().getAccessSection(AccessSection.GLOBAL_CAPABILITIES).orElseThrow(() -> new IllegalStateException("access section does not exist")).getPermission(GlobalCapability.ADMINISTRATE_SERVER);
        AccountGroup.UUID adminGroupUuid = admin.getRules().get(0).getGroup().getUUID();
        addGroupMember(adminGroupUuid, user);
    }
    realm.onCreateAccount(who, accountState.account());
    return new AuthResult(newId, extId.key(), true);
}

Example 3 with Permission

Use of com.google.gerrit.entities.Permission in project gerrit by GerritCodeReview.

From class PermissionCollection, method calculateAllowRules.

/**
 * Calculates the permission rules that take part in ALLOW processing, walking the
 * access sections from the project upward through its parents and stopping at the
 * first exclusive permission.
 */
private List<PermissionRule> calculateAllowRules(String permName) {
    Set<SeenRule> seen = new HashSet<>();
    List<PermissionRule> r = new ArrayList<>();
    for (AccessSection s : accessSectionsUpward) {
        Permission p = s.getPermission(permName);
        if (p == null) {
            continue;
        }
        for (PermissionRule pr : p.getRules()) {
            SeenRule sr = SeenRule.create(s, pr);
            if (seen.contains(sr)) {
                // A rule for this (section, group) pair was already seen further down
                // the hierarchy; the child's rule wins, so skip this one.
                continue;
            }
            seen.add(sr);
            if (pr.getAction() == BLOCK) {
                // Block rules are handled elsewhere.
                continue;
            }
            if (pr.getAction() == PermissionRule.Action.DENY) {
                // DENY rules work by not adding ALLOW rules. Nothing else to do.
                continue;
            }
            r.add(pr);
        }
        if (p.getExclusiveGroup()) {
            // We found an exclusive permission, so no need to further go up the hierarchy.
            break;
        }
    }
    return r;
}

Example 4 with Permission

Use of com.google.gerrit.entities.Permission in project gerrit by GerritCodeReview.

From class PermissionCollection, method calculateBlockRules.

// Calculates the inputs for determining BLOCK status, grouped by project.
// Only projects that carry at least one BLOCK rule for the permission contribute
// a list; each list holds that project's matching permissions in section order.
private List<List<Permission>> calculateBlockRules(String permName) {
    List<List<Permission>> result = new ArrayList<>();
    for (List<AccessSection> secs : this.accessSectionsPerProjectDownward) {
        List<Permission> perms = new ArrayList<>();
        boolean blockFound = false;
        for (AccessSection sec : secs) {
            Permission p = sec.getPermission(permName);
            if (p == null) {
                continue;
            }
            for (PermissionRule pr : p.getRules()) {
                // Once a BLOCK is found in this project, remaining rules need not be inspected.
                if (blockFound || pr.getAction() == Action.BLOCK) {
                    blockFound = true;
                    break;
                }
            }
            perms.add(p);
        }
        if (blockFound) {
            result.add(perms);
        }
    }
    return result;
}

Example 5 with Permission

Use of com.google.gerrit.entities.Permission in project gerrit by GerritCodeReview.

From class ProjectControl, method allRefPatterns.

// Returns the names (ref patterns) of every access section visible to this
// project control that defines the given permission.
private Set<String> allRefPatterns(String permissionName) {
    Set<String> all = new HashSet<>();
    for (SectionMatcher matcher : access()) {
        AccessSection section = matcher.getSection();
        Permission permission = section.getPermission(permissionName);
        if (permission != null) {
            all.add(section.getName());
        }
    }
    return all;
}