Search in sources :

Example 6 with PermissionRule

use of com.google.gerrit.common.data.PermissionRule in project gerrit by GerritCodeReview.

the class SetAccess method apply.

@Override
public ProjectAccessInfo apply(ProjectResource rsrc, ProjectAccessInput input) throws ResourceNotFoundException, ResourceConflictException, IOException, AuthException, BadRequestException, UnprocessableEntityException, PermissionBackendException {
    List<AccessSection> removals = getAccessSections(input.remove);
    List<AccessSection> additions = getAccessSections(input.add);
    MetaDataUpdate.User metaDataUpdateUser = metaDataUpdateFactory.get();
    ProjectControl projectControl = rsrc.getControl();
    ProjectConfig config;
    Project.NameKey newParentProjectName = input.parent == null ? null : new Project.NameKey(input.parent);
    try (MetaDataUpdate md = metaDataUpdateUser.create(rsrc.getNameKey())) {
        config = ProjectConfig.read(md);
        // Perform removal checks
        for (AccessSection section : removals) {
            boolean isGlobalCapabilities = AccessSection.GLOBAL_CAPABILITIES.equals(section.getName());
            if (isGlobalCapabilities) {
                checkGlobalCapabilityPermissions(config.getName());
            } else if (!projectControl.controlForRef(section.getName()).isOwner()) {
                throw new AuthException("You are not allowed to edit permissionsfor ref: " + section.getName());
            }
        }
        // Perform addition checks
        for (AccessSection section : additions) {
            String name = section.getName();
            boolean isGlobalCapabilities = AccessSection.GLOBAL_CAPABILITIES.equals(name);
            if (isGlobalCapabilities) {
                checkGlobalCapabilityPermissions(config.getName());
            } else {
                if (!AccessSection.isValid(name)) {
                    throw new BadRequestException("invalid section name");
                }
                if (!projectControl.controlForRef(name).isOwner()) {
                    throw new AuthException("You are not allowed to edit permissionsfor ref: " + name);
                }
                RefPattern.validate(name);
            }
            // Check all permissions for soundness
            for (Permission p : section.getPermissions()) {
                if (isGlobalCapabilities && !GlobalCapability.isCapability(p.getName())) {
                    throw new BadRequestException("Cannot add non-global capability " + p.getName() + " to global capabilities");
                }
            }
        }
        // Apply removals
        for (AccessSection section : removals) {
            if (section.getPermissions().isEmpty()) {
                // Remove entire section
                config.remove(config.getAccessSection(section.getName()));
            }
            // Remove specific permissions
            for (Permission p : section.getPermissions()) {
                if (p.getRules().isEmpty()) {
                    config.remove(config.getAccessSection(section.getName()), p);
                } else {
                    for (PermissionRule r : p.getRules()) {
                        config.remove(config.getAccessSection(section.getName()), p, r);
                    }
                }
            }
        }
        // Apply additions
        for (AccessSection section : additions) {
            AccessSection currentAccessSection = config.getAccessSection(section.getName());
            if (currentAccessSection == null) {
                // Add AccessSection
                config.replace(section);
            } else {
                for (Permission p : section.getPermissions()) {
                    Permission currentPermission = currentAccessSection.getPermission(p.getName());
                    if (currentPermission == null) {
                        // Add Permission
                        currentAccessSection.addPermission(p);
                    } else {
                        for (PermissionRule r : p.getRules()) {
                            // AddPermissionRule
                            currentPermission.add(r);
                        }
                    }
                }
            }
        }
        if (newParentProjectName != null && !config.getProject().getNameKey().equals(allProjects) && !config.getProject().getParent(allProjects).equals(newParentProjectName)) {
            try {
                setParent.get().validateParentUpdate(projectControl, MoreObjects.firstNonNull(newParentProjectName, allProjects).get(), true);
            } catch (UnprocessableEntityException e) {
                throw new ResourceConflictException(e.getMessage(), e);
            }
            config.getProject().setParentName(newParentProjectName);
        }
        if (!Strings.isNullOrEmpty(input.message)) {
            if (!input.message.endsWith("\n")) {
                input.message += "\n";
            }
            md.setMessage(input.message);
        } else {
            md.setMessage("Modify access rules\n");
        }
        config.commit(md);
        projectCache.evict(config.getProject());
    } catch (InvalidNameException e) {
        throw new BadRequestException(e.toString());
    } catch (ConfigInvalidException e) {
        throw new ResourceConflictException(rsrc.getName());
    }
    return getAccess.apply(rsrc.getNameKey());
}
Also used : UnprocessableEntityException(com.google.gerrit.extensions.restapi.UnprocessableEntityException) ConfigInvalidException(org.eclipse.jgit.errors.ConfigInvalidException) PermissionRule(com.google.gerrit.common.data.PermissionRule) AuthException(com.google.gerrit.extensions.restapi.AuthException) AccessSection(com.google.gerrit.common.data.AccessSection) ProjectConfig(com.google.gerrit.server.git.ProjectConfig) Project(com.google.gerrit.reviewdb.client.Project) ResourceConflictException(com.google.gerrit.extensions.restapi.ResourceConflictException) InvalidNameException(com.google.gerrit.common.errors.InvalidNameException) GlobalPermission(com.google.gerrit.server.permissions.GlobalPermission) Permission(com.google.gerrit.common.data.Permission) BadRequestException(com.google.gerrit.extensions.restapi.BadRequestException) MetaDataUpdate(com.google.gerrit.server.git.MetaDataUpdate)

Example 7 with PermissionRule

use of com.google.gerrit.common.data.PermissionRule in project gerrit by GerritCodeReview.

the class AllProjectsCreator method initAllProjects.

private void initAllProjects(Repository git) throws IOException, ConfigInvalidException {
    BatchRefUpdate bru = git.getRefDatabase().newBatchUpdate();
    try (MetaDataUpdate md = new MetaDataUpdate(GitReferenceUpdated.DISABLED, allProjectsName, git, bru)) {
        md.getCommitBuilder().setAuthor(serverUser);
        md.getCommitBuilder().setCommitter(serverUser);
        md.setMessage(MoreObjects.firstNonNull(Strings.emptyToNull(message), "Initialized Gerrit Code Review " + Version.getVersion()));
        ProjectConfig config = ProjectConfig.read(md);
        Project p = config.getProject();
        p.setDescription("Access inherited by all other projects.");
        p.setRequireChangeID(InheritableBoolean.TRUE);
        p.setUseContentMerge(InheritableBoolean.TRUE);
        p.setUseContributorAgreements(InheritableBoolean.FALSE);
        p.setUseSignedOffBy(InheritableBoolean.FALSE);
        p.setEnableSignedPush(InheritableBoolean.FALSE);
        AccessSection cap = config.getAccessSection(AccessSection.GLOBAL_CAPABILITIES, true);
        AccessSection all = config.getAccessSection(AccessSection.ALL, true);
        AccessSection heads = config.getAccessSection(AccessSection.HEADS, true);
        AccessSection tags = config.getAccessSection("refs/tags/*", true);
        AccessSection meta = config.getAccessSection(RefNames.REFS_CONFIG, true);
        AccessSection refsFor = config.getAccessSection("refs/for/*", true);
        AccessSection magic = config.getAccessSection("refs/for/" + AccessSection.ALL, true);
        grant(config, cap, GlobalCapability.ADMINISTRATE_SERVER, admin);
        grant(config, all, Permission.READ, admin, anonymous);
        grant(config, refsFor, Permission.ADD_PATCH_SET, registered);
        if (batch != null) {
            Permission priority = cap.getPermission(GlobalCapability.PRIORITY, true);
            PermissionRule r = rule(config, batch);
            r.setAction(Action.BATCH);
            priority.add(r);
            Permission stream = cap.getPermission(GlobalCapability.STREAM_EVENTS, true);
            stream.add(rule(config, batch));
        }
        LabelType cr = initCodeReviewLabel(config);
        grant(config, heads, cr, -1, 1, registered);
        grant(config, heads, cr, -2, 2, admin, owners);
        grant(config, heads, Permission.CREATE, admin, owners);
        grant(config, heads, Permission.PUSH, admin, owners);
        grant(config, heads, Permission.SUBMIT, admin, owners);
        grant(config, heads, Permission.FORGE_AUTHOR, registered);
        grant(config, heads, Permission.FORGE_COMMITTER, admin, owners);
        grant(config, heads, Permission.EDIT_TOPIC_NAME, true, admin, owners);
        grant(config, tags, Permission.CREATE, admin, owners);
        grant(config, tags, Permission.CREATE_TAG, admin, owners);
        grant(config, tags, Permission.CREATE_SIGNED_TAG, admin, owners);
        grant(config, magic, Permission.PUSH, registered);
        grant(config, magic, Permission.PUSH_MERGE, registered);
        meta.getPermission(Permission.READ, true).setExclusiveGroup(true);
        grant(config, meta, Permission.READ, admin, owners);
        grant(config, meta, cr, -2, 2, admin, owners);
        grant(config, meta, Permission.CREATE, admin, owners);
        grant(config, meta, Permission.PUSH, admin, owners);
        grant(config, meta, Permission.SUBMIT, admin, owners);
        config.commitToNewRef(md, RefNames.REFS_CONFIG);
        initSequences(git, bru);
        execute(git, bru);
    }
}
Also used : ProjectConfig(com.google.gerrit.server.git.ProjectConfig) Project(com.google.gerrit.reviewdb.client.Project) PermissionRule(com.google.gerrit.common.data.PermissionRule) LabelType(com.google.gerrit.common.data.LabelType) Permission(com.google.gerrit.common.data.Permission) BatchRefUpdate(org.eclipse.jgit.lib.BatchRefUpdate) AccessSection(com.google.gerrit.common.data.AccessSection) MetaDataUpdate(com.google.gerrit.server.git.MetaDataUpdate)

Example 8 with PermissionRule

use of com.google.gerrit.common.data.PermissionRule in project gerrit by GerritCodeReview.

the class AclUtil method grant.

public static void grant(ProjectConfig config, AccessSection section, LabelType type, int min, int max, GroupReference... groupList) {
    String name = Permission.LABEL + type.getName();
    Permission p = section.getPermission(name, true);
    for (GroupReference group : groupList) {
        if (group != null) {
            PermissionRule r = rule(config, group);
            r.setRange(min, max);
            p.add(r);
        }
    }
}
Also used : PermissionRule(com.google.gerrit.common.data.PermissionRule) Permission(com.google.gerrit.common.data.Permission) GroupReference(com.google.gerrit.common.data.GroupReference)

Example 9 with PermissionRule

use of com.google.gerrit.common.data.PermissionRule in project gerrit by GerritCodeReview.

the class AclUtil method grant.

public static void grant(ProjectConfig config, AccessSection section, String permission, boolean force, Boolean exclusive, GroupReference... groupList) {
    Permission p = section.getPermission(permission, true);
    if (exclusive != null) {
        p.setExclusiveGroup(exclusive);
    }
    for (GroupReference group : groupList) {
        if (group != null) {
            PermissionRule r = rule(config, group);
            r.setForce(force);
            p.add(r);
        }
    }
}
Also used : PermissionRule(com.google.gerrit.common.data.PermissionRule) Permission(com.google.gerrit.common.data.Permission) GroupReference(com.google.gerrit.common.data.GroupReference)

Example 10 with PermissionRule

use of com.google.gerrit.common.data.PermissionRule in project gerrit by GerritCodeReview.

the class AclUtil method block.

public static void block(ProjectConfig config, AccessSection section, String permission, GroupReference... groupList) {
    Permission p = section.getPermission(permission, true);
    for (GroupReference group : groupList) {
        if (group != null) {
            PermissionRule r = rule(config, group);
            r.setBlock();
            p.add(r);
        }
    }
}
Also used : PermissionRule(com.google.gerrit.common.data.PermissionRule) Permission(com.google.gerrit.common.data.Permission) GroupReference(com.google.gerrit.common.data.GroupReference)

Aggregations

PermissionRule (com.google.gerrit.common.data.PermissionRule)51 Permission (com.google.gerrit.common.data.Permission)18 AccessSection (com.google.gerrit.common.data.AccessSection)14 GroupReference (com.google.gerrit.common.data.GroupReference)11 ProjectConfig (com.google.gerrit.server.git.ProjectConfig)10 ArrayList (java.util.ArrayList)9 MetaDataUpdate (com.google.gerrit.server.git.MetaDataUpdate)8 ContributorAgreement (com.google.gerrit.common.data.ContributorAgreement)6 HashSet (java.util.HashSet)6 PermissionRange (com.google.gerrit.common.data.PermissionRange)5 AccountGroup (com.google.gerrit.reviewdb.client.AccountGroup)5 Project (com.google.gerrit.reviewdb.client.Project)4 HashMap (java.util.HashMap)4 Test (org.junit.Test)4 GroupDescription (com.google.gerrit.common.data.GroupDescription)3 ConfigInvalidException (org.eclipse.jgit.errors.ConfigInvalidException)3 NoSuchGroupException (com.google.gerrit.common.errors.NoSuchGroupException)2 AccessSectionInfo (com.google.gerrit.extensions.api.access.AccessSectionInfo)2 PermissionInfo (com.google.gerrit.extensions.api.access.PermissionInfo)2 PermissionRuleInfo (com.google.gerrit.extensions.api.access.PermissionRuleInfo)2