Search in sources :

Example 1 with Permission

use of com.google.gerrit.common.data.Permission in project gerrit by GerritCodeReview.

the class Schema_135 method migrateData.

@Override
protected void migrateData(ReviewDb db, UpdateUI ui) throws OrmException {
    try (Repository git = repoManager.openRepository(allProjectsName);
        MetaDataUpdate md = new MetaDataUpdate(GitReferenceUpdated.DISABLED, allProjectsName, git)) {
        ProjectConfig config = ProjectConfig.read(md);
        AccessSection meta = config.getAccessSection(RefNames.REFS_CONFIG, true);
        Permission createRefsMetaConfigPermission = meta.getPermission(Permission.CREATE, true);
        Set<GroupReference> groups = Stream.concat(config.getAccessSection(AccessSection.GLOBAL_CAPABILITIES, true).getPermission(GlobalCapability.ADMINISTRATE_SERVER, true).getRules().stream().map(PermissionRule::getGroup), Stream.of(systemGroupBackend.getGroup(PROJECT_OWNERS))).filter(g -> createRefsMetaConfigPermission.getRule(g) == null).collect(toSet());
        for (GroupReference group : groups) {
            createRefsMetaConfigPermission.add(new PermissionRule(config.resolve(group)));
        }
        md.getCommitBuilder().setAuthor(serverUser);
        md.getCommitBuilder().setCommitter(serverUser);
        md.setMessage(COMMIT_MSG);
        config.commit(md);
    } catch (ConfigInvalidException | IOException ex) {
        throw new OrmException(ex);
    }
}
Also used : PermissionRule(com.google.gerrit.common.data.PermissionRule) ReviewDb(com.google.gerrit.reviewdb.server.ReviewDb) OrmException(com.google.gwtorm.server.OrmException) ConfigInvalidException(org.eclipse.jgit.errors.ConfigInvalidException) GlobalCapability(com.google.gerrit.common.data.GlobalCapability) MetaDataUpdate(com.google.gerrit.server.git.MetaDataUpdate) Inject(com.google.inject.Inject) AccessSection(com.google.gerrit.common.data.AccessSection) SystemGroupBackend(com.google.gerrit.server.group.SystemGroupBackend) PROJECT_OWNERS(com.google.gerrit.server.group.SystemGroupBackend.PROJECT_OWNERS) Collectors.toSet(java.util.stream.Collectors.toSet) Permission(com.google.gerrit.common.data.Permission) Set(java.util.Set) IOException(java.io.IOException) PersonIdent(org.eclipse.jgit.lib.PersonIdent) Provider(com.google.inject.Provider) AllProjectsName(com.google.gerrit.server.config.AllProjectsName) Stream(java.util.stream.Stream) GitRepositoryManager(com.google.gerrit.server.git.GitRepositoryManager) RefNames(com.google.gerrit.reviewdb.client.RefNames) ProjectConfig(com.google.gerrit.server.git.ProjectConfig) GroupReference(com.google.gerrit.common.data.GroupReference) GerritPersonIdent(com.google.gerrit.server.GerritPersonIdent) GitReferenceUpdated(com.google.gerrit.server.extensions.events.GitReferenceUpdated) Repository(org.eclipse.jgit.lib.Repository) ConfigInvalidException(org.eclipse.jgit.errors.ConfigInvalidException) PermissionRule(com.google.gerrit.common.data.PermissionRule) IOException(java.io.IOException) AccessSection(com.google.gerrit.common.data.AccessSection) ProjectConfig(com.google.gerrit.server.git.ProjectConfig) Repository(org.eclipse.jgit.lib.Repository) OrmException(com.google.gwtorm.server.OrmException) Permission(com.google.gerrit.common.data.Permission) GroupReference(com.google.gerrit.common.data.GroupReference) MetaDataUpdate(com.google.gerrit.server.git.MetaDataUpdate)

Example 2 with Permission

use of com.google.gerrit.common.data.Permission in project gerrit by GerritCodeReview.

the class ProjectConfig method saveAccessSections.

private void saveAccessSections(Config rc, Set<AccountGroup.UUID> keepGroups) {
    AccessSection capability = accessSections.get(AccessSection.GLOBAL_CAPABILITIES);
    if (capability != null) {
        Set<String> have = new HashSet<>();
        for (Permission permission : sort(capability.getPermissions())) {
            have.add(permission.getName().toLowerCase());
            boolean needRange = GlobalCapability.hasRange(permission.getName());
            List<String> rules = new ArrayList<>();
            for (PermissionRule rule : sort(permission.getRules())) {
                GroupReference group = resolve(rule.getGroup());
                if (group.getUUID() != null) {
                    keepGroups.add(group.getUUID());
                }
                rules.add(rule.asString(needRange));
            }
            rc.setStringList(CAPABILITY, null, permission.getName(), rules);
        }
        for (String varName : rc.getNames(CAPABILITY)) {
            if (!have.contains(varName.toLowerCase())) {
                rc.unset(CAPABILITY, null, varName);
            }
        }
    } else {
        rc.unsetSection(CAPABILITY, null);
    }
    for (AccessSection as : sort(accessSections.values())) {
        String refName = as.getName();
        if (AccessSection.GLOBAL_CAPABILITIES.equals(refName)) {
            continue;
        }
        StringBuilder doNotInherit = new StringBuilder();
        for (Permission perm : sort(as.getPermissions())) {
            if (perm.getExclusiveGroup()) {
                if (0 < doNotInherit.length()) {
                    doNotInherit.append(' ');
                }
                doNotInherit.append(perm.getName());
            }
        }
        if (0 < doNotInherit.length()) {
            rc.setString(ACCESS, refName, KEY_GROUP_PERMISSIONS, doNotInherit.toString());
        } else {
            rc.unset(ACCESS, refName, KEY_GROUP_PERMISSIONS);
        }
        Set<String> have = new HashSet<>();
        for (Permission permission : sort(as.getPermissions())) {
            have.add(permission.getName().toLowerCase());
            boolean needRange = Permission.hasRange(permission.getName());
            List<String> rules = new ArrayList<>();
            for (PermissionRule rule : sort(permission.getRules())) {
                GroupReference group = resolve(rule.getGroup());
                if (group.getUUID() != null) {
                    keepGroups.add(group.getUUID());
                }
                rules.add(rule.asString(needRange));
            }
            rc.setStringList(ACCESS, refName, permission.getName(), rules);
        }
        for (String varName : rc.getNames(ACCESS, refName)) {
            if (isPermission(convertLegacyPermission(varName)) && !have.contains(varName.toLowerCase())) {
                rc.unset(ACCESS, refName, varName);
            }
        }
    }
    for (String name : rc.getSubsections(ACCESS)) {
        if (RefConfigSection.isValid(name) && !accessSections.containsKey(name)) {
            rc.unsetSection(ACCESS, name);
        }
    }
}
Also used : PermissionRule(com.google.gerrit.common.data.PermissionRule) Permission(com.google.gerrit.common.data.Permission) Permission.isPermission(com.google.gerrit.common.data.Permission.isPermission) ArrayList(java.util.ArrayList) GroupReference(com.google.gerrit.common.data.GroupReference) AccessSection(com.google.gerrit.common.data.AccessSection) HashSet(java.util.HashSet)

Example 3 with Permission

use of com.google.gerrit.common.data.Permission in project gerrit by GerritCodeReview.

the class ProjectConfig method loadPermissionRules.

private List<PermissionRule> loadPermissionRules(Config rc, String section, String subsection, String varName, Map<String, GroupReference> groupsByName, boolean useRange) {
    Permission perm = new Permission(varName);
    loadPermissionRules(rc, section, subsection, varName, groupsByName, perm, useRange);
    return perm.getRules();
}
Also used : Permission(com.google.gerrit.common.data.Permission) Permission.isPermission(com.google.gerrit.common.data.Permission.isPermission)

Example 4 with Permission

use of com.google.gerrit.common.data.Permission in project gerrit by GerritCodeReview.

the class GetAccess method apply.

@Override
public ProjectAccessInfo apply(ProjectResource rsrc) throws ResourceNotFoundException, ResourceConflictException, IOException {
    // Load the current configuration from the repository, ensuring it's the most
    // recent version available. If it differs from what was in the project
    // state, force a cache flush now.
    //
    Project.NameKey projectName = rsrc.getNameKey();
    ProjectAccessInfo info = new ProjectAccessInfo();
    ProjectConfig config;
    ProjectControl pc = createProjectControl(projectName);
    RefControl metaConfigControl = pc.controlForRef(RefNames.REFS_CONFIG);
    try (MetaDataUpdate md = metaDataUpdateFactory.create(projectName)) {
        config = ProjectConfig.read(md);
        if (config.updateGroupNames(groupBackend)) {
            md.setMessage("Update group names\n");
            config.commit(md);
            projectCache.evict(config.getProject());
            pc = createProjectControl(projectName);
        } else if (config.getRevision() != null && !config.getRevision().equals(pc.getProjectState().getConfig().getRevision())) {
            projectCache.evict(config.getProject());
            pc = createProjectControl(projectName);
        }
    } catch (ConfigInvalidException e) {
        throw new ResourceConflictException(e.getMessage());
    } catch (RepositoryNotFoundException e) {
        throw new ResourceNotFoundException(rsrc.getName());
    }
    info.local = new HashMap<>();
    info.ownerOf = new HashSet<>();
    Map<AccountGroup.UUID, Boolean> visibleGroups = new HashMap<>();
    for (AccessSection section : config.getAccessSections()) {
        String name = section.getName();
        if (AccessSection.GLOBAL_CAPABILITIES.equals(name)) {
            if (pc.isOwner()) {
                info.local.put(name, createAccessSection(section));
                info.ownerOf.add(name);
            } else if (metaConfigControl.isVisible()) {
                info.local.put(section.getName(), createAccessSection(section));
            }
        } else if (RefConfigSection.isValid(name)) {
            RefControl rc = pc.controlForRef(name);
            if (rc.isOwner()) {
                info.local.put(name, createAccessSection(section));
                info.ownerOf.add(name);
            } else if (metaConfigControl.isVisible()) {
                info.local.put(name, createAccessSection(section));
            } else if (rc.isVisible()) {
                // Filter the section to only add rules describing groups that
                // are visible to the current-user. This includes any group the
                // user is a member of, as well as groups they own or that
                // are visible to all users.
                AccessSection dst = null;
                for (Permission srcPerm : section.getPermissions()) {
                    Permission dstPerm = null;
                    for (PermissionRule srcRule : srcPerm.getRules()) {
                        AccountGroup.UUID group = srcRule.getGroup().getUUID();
                        if (group == null) {
                            continue;
                        }
                        Boolean canSeeGroup = visibleGroups.get(group);
                        if (canSeeGroup == null) {
                            try {
                                canSeeGroup = groupControlFactory.controlFor(group).isVisible();
                            } catch (NoSuchGroupException e) {
                                canSeeGroup = Boolean.FALSE;
                            }
                            visibleGroups.put(group, canSeeGroup);
                        }
                        if (canSeeGroup) {
                            if (dstPerm == null) {
                                if (dst == null) {
                                    dst = new AccessSection(name);
                                    info.local.put(name, createAccessSection(dst));
                                }
                                dstPerm = dst.getPermission(srcPerm.getName(), true);
                            }
                            dstPerm.add(srcRule);
                        }
                    }
                }
            }
        }
    }
    if (info.ownerOf.isEmpty() && pc.isOwnerAnyRef()) {
        // Special case: If the section list is empty, this project has no current
        // access control information. Rely on what ProjectControl determines
        // is ownership, which probably means falling back to site administrators.
        info.ownerOf.add(AccessSection.ALL);
    }
    if (config.getRevision() != null) {
        info.revision = config.getRevision().name();
    }
    ProjectState parent = Iterables.getFirst(pc.getProjectState().parents(), null);
    if (parent != null) {
        info.inheritsFrom = projectJson.format(parent.getProject());
    }
    if (pc.getProject().getNameKey().equals(allProjectsName)) {
        if (pc.isOwner()) {
            info.ownerOf.add(AccessSection.GLOBAL_CAPABILITIES);
        }
    }
    info.isOwner = toBoolean(pc.isOwner());
    info.canUpload = toBoolean(pc.isOwner() || (metaConfigControl.isVisible() && metaConfigControl.canUpload()));
    info.canAdd = toBoolean(pc.canAddRefs());
    info.configVisible = pc.isOwner() || metaConfigControl.isVisible();
    return info;
}
Also used : ConfigInvalidException(org.eclipse.jgit.errors.ConfigInvalidException) HashMap(java.util.HashMap) PermissionRule(com.google.gerrit.common.data.PermissionRule) ProjectAccessInfo(com.google.gerrit.extensions.api.access.ProjectAccessInfo) RepositoryNotFoundException(org.eclipse.jgit.errors.RepositoryNotFoundException) AccessSection(com.google.gerrit.common.data.AccessSection) NoSuchGroupException(com.google.gerrit.common.errors.NoSuchGroupException) ProjectConfig(com.google.gerrit.server.git.ProjectConfig) Project(com.google.gerrit.reviewdb.client.Project) ResourceConflictException(com.google.gerrit.extensions.restapi.ResourceConflictException) Permission(com.google.gerrit.common.data.Permission) ResourceNotFoundException(com.google.gerrit.extensions.restapi.ResourceNotFoundException) MetaDataUpdate(com.google.gerrit.server.git.MetaDataUpdate)

Example 5 with Permission

use of com.google.gerrit.common.data.Permission in project gerrit by GerritCodeReview.

the class GetAccess method createAccessSection.

private AccessSectionInfo createAccessSection(AccessSection section) {
    AccessSectionInfo accessSectionInfo = new AccessSectionInfo();
    accessSectionInfo.permissions = new HashMap<>();
    for (Permission p : section.getPermissions()) {
        PermissionInfo pInfo = new PermissionInfo(p.getLabel(), p.getExclusiveGroup() ? true : null);
        pInfo.rules = new HashMap<>();
        for (PermissionRule r : p.getRules()) {
            PermissionRuleInfo info = new PermissionRuleInfo(ACTION_TYPE.get(r.getAction()), r.getForce());
            if (r.hasRange()) {
                info.max = r.getMax();
                info.min = r.getMin();
            }
            AccountGroup.UUID group = r.getGroup().getUUID();
            if (group != null) {
                pInfo.rules.put(group.get(), info);
            }
        }
        accessSectionInfo.permissions.put(p.getName(), pInfo);
    }
    return accessSectionInfo;
}
Also used : PermissionInfo(com.google.gerrit.extensions.api.access.PermissionInfo) AccountGroup(com.google.gerrit.reviewdb.client.AccountGroup) PermissionRule(com.google.gerrit.common.data.PermissionRule) Permission(com.google.gerrit.common.data.Permission) PermissionRuleInfo(com.google.gerrit.extensions.api.access.PermissionRuleInfo) AccessSectionInfo(com.google.gerrit.extensions.api.access.AccessSectionInfo)

Aggregations

Permission (com.google.gerrit.common.data.Permission)29 AccessSection (com.google.gerrit.common.data.AccessSection)19 PermissionRule (com.google.gerrit.common.data.PermissionRule)18 ProjectConfig (com.google.gerrit.server.git.ProjectConfig)10 MetaDataUpdate (com.google.gerrit.server.git.MetaDataUpdate)9 GroupReference (com.google.gerrit.common.data.GroupReference)6 Permission.isPermission (com.google.gerrit.common.data.Permission.isPermission)4 ProjectPermission (com.google.gerrit.server.permissions.ProjectPermission)4 ConfigInvalidException (org.eclipse.jgit.errors.ConfigInvalidException)4 AccountGroup (com.google.gerrit.reviewdb.client.AccountGroup)3 Project (com.google.gerrit.reviewdb.client.Project)3 OrmException (com.google.gwtorm.server.OrmException)3 HashSet (java.util.HashSet)3 RevCommit (org.eclipse.jgit.revwalk.RevCommit)3 Test (org.junit.Test)3 ContributorAgreement (com.google.gerrit.common.data.ContributorAgreement)2 GroupDescription (com.google.gerrit.common.data.GroupDescription)2 LabelType (com.google.gerrit.common.data.LabelType)2 NoSuchGroupException (com.google.gerrit.common.errors.NoSuchGroupException)2 AccessSectionInfo (com.google.gerrit.extensions.api.access.AccessSectionInfo)2