Example 1 with AccessCheckInfo

Use of com.google.gerrit.extensions.api.config.AccessCheckInfo in project gerrit by GerritCodeReview.

The class CheckAccess, method apply.

@Override
public AccessCheckInfo apply(ConfigResource unused, AccessCheckInput input) throws OrmException, PermissionBackendException, RestApiException, IOException {
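    // Only server administrators may call this endpoint: its responses disclose
    // whether accounts, projects and refs exist and who can see them.
    permissionBackend.user(currentUser.get()).check(GlobalPermission.ADMINISTRATE_SERVER);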
    if (input == null) {
        throw new BadRequestException("input is required");
    }
    if (Strings.isNullOrEmpty(input.account)) {
        throw new BadRequestException("input requires 'account'");
    }
    if (Strings.isNullOrEmpty(input.project)) {
        throw new BadRequestException("input requires 'project'");
    }
    Account match = accountResolver.find(db.get(), input.account);
    if (match == null) {
        throw new BadRequestException(String.format("cannot find account %s", input.account));
    }
    AccessCheckInfo info = new AccessCheckInfo();
    Project.NameKey key = new Project.NameKey(input.project);
    if (projectCache.get(key) == null) {
        info.message = String.format("project %s does not exist", key);
        info.status = HttpServletResponse.SC_NOT_FOUND;
        return info;
    }
    IdentifiedUser user = userFactory.create(match.getId());
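    // Both an explicit denial (AuthException) and a failure to evaluate the
    // permission (PermissionBackendException) are reported to the caller as 403.
    try {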
        permissionBackend.user(user).project(key).check(ProjectPermission.ACCESS);
    } catch (AuthException | PermissionBackendException e) {
        info.message = String.format("user %s (%s) cannot see project %s", user.getNameEmail(), user.getAccount().getId(), key);
        info.status = HttpServletResponse.SC_FORBIDDEN;
        return info;
    }
    if (!Strings.isNullOrEmpty(input.ref)) {
        try {
            permissionBackend.user(user).ref(new Branch.NameKey(key, input.ref)).check(RefPermission.READ);
        } catch (AuthException | PermissionBackendException e) {
            info.status = HttpServletResponse.SC_FORBIDDEN;
            info.message = String.format("user %s (%s) cannot see ref %s in project %s", user.getNameEmail(), user.getAccount().getId(), input.ref, key);
            return info;
        }
    }
    info.status = HttpServletResponse.SC_OK;
    return info;
}
Also used: Account (com.google.gerrit.reviewdb.client.Account), Project (com.google.gerrit.reviewdb.client.Project), AccessCheckInfo (com.google.gerrit.extensions.api.config.AccessCheckInfo), BadRequestException (com.google.gerrit.extensions.restapi.BadRequestException), AuthException (com.google.gerrit.extensions.restapi.AuthException), PermissionBackendException (com.google.gerrit.server.permissions.PermissionBackendException), IdentifiedUser (com.google.gerrit.server.IdentifiedUser)

Example 2 with AccessCheckInfo

Use of com.google.gerrit.extensions.api.config.AccessCheckInfo in project gerrit by GerritCodeReview.

The class CheckAccessIT, method accessible.

@Test
public void accessible() throws Exception {
    List<TestCase> inputs = ImmutableList.of(
    // Test 1
    TestCase.projectRefPerm(user.email(), normalProject.get(), "refs/heads/master", Permission.VIEW_PRIVATE_CHANGES, 403, ImmutableList.of("'user1' can perform 'read' with force=false on project '" + normalProject.get() + "' for ref 'refs/heads/*'", "'user1' cannot perform 'viewPrivateChanges' with force=false on project '" + normalProject.get() + "' for ref 'refs/heads/master'")),
    // Test 2
    TestCase.project(user.email(), normalProject.get(), 200, ImmutableList.of("'user1' can perform 'read' with force=false on project '" + normalProject.get() + "' for ref 'refs/heads/*'")),
    // Test 3
    TestCase.project(user.email(), secretProject.get(), 403, ImmutableList.of("'user1' cannot perform 'read' with force=false on project '" + secretProject.get() + "' for ref 'refs/heads/*' because this permission is blocked", "'user1' cannot perform 'read' with force=false on project '" + secretProject.get() + "' for ref 'refs/meta/version' because this permission is blocked")),
    // Test 4
    TestCase.projectRef(user.email(), secretRefProject.get(), "refs/heads/secret/master", 403, ImmutableList.of("'user1' can perform 'read' with force=false on project '" + secretRefProject.get() + "' for ref 'refs/heads/*'", "'user1' cannot perform 'read' with force=false on project '" + secretRefProject.get() + "' for ref 'refs/heads/secret/master' because this permission is blocked")),
    // Test 5
    TestCase.projectRef(privilegedUser.email(), secretRefProject.get(), "refs/heads/secret/master", 200, ImmutableList.of("'privilegedUser' can perform 'read' with force=false on project '" + secretRefProject.get() + "' for ref 'refs/heads/*'", "'privilegedUser' can perform 'read' with force=false on project '" + secretRefProject.get() + "' for ref 'refs/heads/secret/master'")),
    // Test 6
    TestCase.projectRef(privilegedUser.email(), normalProject.get(), null, 200, ImmutableList.of("'privilegedUser' can perform 'read' with force=false on project '" + normalProject.get() + "' for ref 'refs/heads/*'")),
    // Test 7
    TestCase.projectRef(privilegedUser.email(), secretProject.get(), null, 200, ImmutableList.of("'privilegedUser' can perform 'read' with force=false on project '" + secretProject.get() + "' for ref 'refs/*'")),
    // Test 8
    TestCase.projectRefPerm(privilegedUser.email(), normalProject.get(), "refs/heads/master", Permission.VIEW_PRIVATE_CHANGES, 200, ImmutableList.of("'privilegedUser' can perform 'read' with force=false on project '" + normalProject.get() + "' for ref 'refs/heads/*'", "'privilegedUser' can perform 'viewPrivateChanges' with force=false on project '" + normalProject.get() + "' for ref 'refs/heads/master'")),
    // Test 9
    TestCase.projectRefPerm(privilegedUser.email(), normalProject.get(), "refs/heads/master", Permission.FORGE_SERVER, 200, ImmutableList.of("'privilegedUser' can perform 'read' with force=false on project '" + normalProject.get() + "' for ref 'refs/heads/*'", "'privilegedUser' can perform 'forgeServerAsCommitter' with force=false on project '" + normalProject.get() + "' for ref 'refs/heads/master'")));
    for (TestCase tc : inputs) {
        String in = newGson().toJson(tc.input);
        AccessCheckInfo info = null;
        try {
            info = gApi.projects().name(tc.project).checkAccess(tc.input);
        } catch (RestApiException e) {
            assertWithMessage(String.format("check.access(%s, %s): exception %s", tc.project, in, e)).fail();
        }
        int want = tc.want;
        if (want != info.status) {
            assertWithMessage(String.format("check.access(%s, %s) = %d, want %d", tc.project, in, info.status, want)).fail();
        }
        switch(want) {
            case 403:
                if (tc.permission != null) {
                    assertThat(info.message).contains("lacks permission " + tc.permission);
                }
                break;
            case 404:
                assertThat(info.message).contains("does not exist");
                break;
            case 200:
                assertThat(info.message).isNull();
                break;
            default:
                assertWithMessage(String.format("unknown code %d", want)).fail();
        }
        if (!info.debugLogs.equals(tc.expectedDebugLogs)) {
            assertWithMessage(String.format("check.access(%s, %s) = %s, want %s", tc.project, in, info.debugLogs, tc.expectedDebugLogs)).fail();
        }
    }
}
Also used: AccessCheckInfo (com.google.gerrit.extensions.api.config.AccessCheckInfo), RestApiException (com.google.gerrit.extensions.restapi.RestApiException), Test (org.junit.Test), AbstractDaemonTest (com.google.gerrit.acceptance.AbstractDaemonTest)

Example 3 with AccessCheckInfo

Use of com.google.gerrit.extensions.api.config.AccessCheckInfo in project gerrit by GerritCodeReview.

The class CheckAccessIT, method accessible.

@Test
public void accessible() {
    // Each entry maps a check request to the status the endpoint should report.
    Map<AccessCheckInput, Integer> inputs = ImmutableMap.of(
        new AccessCheckInput(user.email, normalProject.get(), null), 200,
        new AccessCheckInput(user.email, secretProject.get(), null), 403,
        new AccessCheckInput(user.email, "nonexistent", null), 404,
        new AccessCheckInput(privilegedUser.email, normalProject.get(), null), 200,
        new AccessCheckInput(privilegedUser.email, secretProject.get(), null), 200);
    for (Map.Entry<AccessCheckInput, Integer> entry : inputs.entrySet()) {
        String in = newGson().toJson(entry.getKey());
        AccessCheckInfo info = null;
        try {
            info = gApi.config().server().checkAccess(entry.getKey());
        } catch (RestApiException e) {
            fail(String.format("check.check(%s): exception %s", in, e));
        }
        int want = entry.getValue();
        if (want != info.status) {
            fail(String.format("check.access(%s) = %d, want %d", in, info.status, want));
        }
        switch(want) {
            case 403:
                assertThat(info.message).contains("cannot see");
                break;
            case 404:
                assertThat(info.message).contains("does not exist");
                break;
            case 200:
                assertThat(info.message).isNull();
                break;
            default:
                fail(String.format("unknown code %d", want));
        }
    }
}
Also used: AccessCheckInput (com.google.gerrit.extensions.api.config.AccessCheckInput), AccessCheckInfo (com.google.gerrit.extensions.api.config.AccessCheckInfo), RestApiException (com.google.gerrit.extensions.restapi.RestApiException), ImmutableMap (com.google.common.collect.ImmutableMap), Map (java.util.Map), Test (org.junit.Test), AbstractDaemonTest (com.google.gerrit.acceptance.AbstractDaemonTest)

Example 4 with AccessCheckInfo

Use of com.google.gerrit.extensions.api.config.AccessCheckInfo in project gerrit by GerritCodeReview.

The class CheckAccess, method createInfo.

private AccessCheckInfo createInfo(int statusCode, String message) {
    AccessCheckInfo info = new AccessCheckInfo();
    info.status = statusCode;
    info.message = message;
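    // Attach the ACL log records collected during the check so the caller can
    // see which rules produced the result.
    info.debugLogs = TraceContext.getAclLogRecords();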
    if (info.debugLogs.isEmpty()) {
        info.debugLogs = ImmutableList.of("Found no rules that apply, so defaulting to no permission");
    }
    return info;
}
Also used: AccessCheckInfo (com.google.gerrit.extensions.api.config.AccessCheckInfo)

Example 5 with AccessCheckInfo

Use of com.google.gerrit.extensions.api.config.AccessCheckInfo in project gerrit by GerritCodeReview.

The class CheckAccessIT, method noBranches.

@Test
public void noBranches() throws Exception {
    try (Repository repo = repoManager.openRepository(normalProject)) {
        RefUpdate u = repo.updateRef(RefNames.REFS_HEADS + "master");
        u.setForceUpdate(true);
        assertThat(u.delete()).isEqualTo(Result.FORCED);
    }
    AccessCheckInput input = new AccessCheckInput();
    input.account = privilegedUser.email();
    AccessCheckInfo info = gApi.projects().name(normalProject.get()).checkAccess(input);
    assertThat(info.status).isEqualTo(200);
    assertThat(info.message).contains("no branches");
}
Also used: AccessCheckInput (com.google.gerrit.extensions.api.config.AccessCheckInput), Repository (org.eclipse.jgit.lib.Repository), AccessCheckInfo (com.google.gerrit.extensions.api.config.AccessCheckInfo), RefUpdate (org.eclipse.jgit.lib.RefUpdate), Test (org.junit.Test), AbstractDaemonTest (com.google.gerrit.acceptance.AbstractDaemonTest)
