
Example 1 with AccessSection

use of com.google.gerrit.entities.AccessSection in project gerrit by GerritCodeReview.

the class CreateGroupPermissionSyncer method syncIfNeeded.

/**
 * Checks if {@code GlobalCapability.CREATE_GROUP} and {@code CREATE} permission on {@code
 * refs/groups/*} have diverged and syncs them by applying the {@code CREATE} permission to {@code
 * refs/groups/*}.
 */
public void syncIfNeeded() throws IOException, ConfigInvalidException {
    ProjectState allProjectsState = projectCache.getAllProjects();
    ProjectState allUsersState = projectCache.getAllUsers();
    Set<PermissionRule> createGroupsGlobal = new HashSet<>(allProjectsState.getCapabilityCollection().createGroup);
    Set<PermissionRule> createGroupsRef = new HashSet<>();
    Optional<AccessSection> allUsersCreateGroupAccessSection = allUsersState.getConfig().getAccessSection(RefNames.REFS_GROUPS + "*");
    if (allUsersCreateGroupAccessSection.isPresent()) {
        Permission create = allUsersCreateGroupAccessSection.get().getPermission(Permission.CREATE);
        if (create != null && create.getRules() != null) {
            createGroupsRef.addAll(create.getRules());
        }
    }
    if (Sets.symmetricDifference(createGroupsGlobal, createGroupsRef).isEmpty()) {
        // Nothing to sync
        return;
    }
    try (MetaDataUpdate md = metaDataUpdateFactory.get().create(allUsers)) {
        ProjectConfig config = projectConfigFactory.read(md);
        config.upsertAccessSection(RefNames.REFS_GROUPS + "*", refsGroupsAccessSectionBuilder -> {
            if (createGroupsGlobal.isEmpty()) {
                refsGroupsAccessSectionBuilder.modifyPermissions(permissions -> {
                    permissions.removeIf(p -> Permission.CREATE.equals(p.getName()));
                });
            } else {
                // The create permission is managed by Gerrit at this point only so there is no
                // concern of overwriting user-defined permissions here.
                Permission.Builder createGroupPermission = Permission.builder(Permission.CREATE);
                refsGroupsAccessSectionBuilder.remove(createGroupPermission);
                refsGroupsAccessSectionBuilder.addPermission(createGroupPermission);
                createGroupsGlobal.stream().map(p -> p.toBuilder()).forEach(createGroupPermission::add);
            }
        });
        config.commit(md);
        projectCache.evictAndReindex(config.getProject());
    }
}
Also used : ProjectConfig(com.google.gerrit.server.project.ProjectConfig) AllUsersName(com.google.gerrit.server.config.AllUsersName) ConfigInvalidException(org.eclipse.jgit.errors.ConfigInvalidException) ProjectCache(com.google.gerrit.server.project.ProjectCache) AccessSection(com.google.gerrit.entities.AccessSection) Inject(com.google.inject.Inject) Permission(com.google.gerrit.entities.Permission) ProjectState(com.google.gerrit.server.project.ProjectState) Set(java.util.Set) IOException(java.io.IOException) Sets(com.google.common.collect.Sets) ChangeMergedListener(com.google.gerrit.extensions.events.ChangeMergedListener) HashSet(java.util.HashSet) Provider(com.google.inject.Provider) AllProjectsName(com.google.gerrit.server.config.AllProjectsName) PermissionRule(com.google.gerrit.entities.PermissionRule) RefNames(com.google.gerrit.entities.RefNames) Optional(java.util.Optional) FluentLogger(com.google.common.flogger.FluentLogger) MetaDataUpdate(com.google.gerrit.server.git.meta.MetaDataUpdate) Singleton(com.google.inject.Singleton)

Example 2 with AccessSection

use of com.google.gerrit.entities.AccessSection in project gerrit by GerritCodeReview.

the class PermissionCollection method calculateAllowRules.

/**
 * Calculates permissions for ALLOW processing.
 */
private List<PermissionRule> calculateAllowRules(String permName) {
    Set<SeenRule> seen = new HashSet<>();
    List<PermissionRule> r = new ArrayList<>();
    for (AccessSection s : accessSectionsUpward) {
        Permission p = s.getPermission(permName);
        if (p == null) {
            continue;
        }
        for (PermissionRule pr : p.getRules()) {
            SeenRule sr = SeenRule.create(s, pr);
            if (seen.contains(sr)) {
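                // Only the first rule per SeenRule key is considered, so a DENY seen before an
                // ALLOW for the same key causes the ALLOW to be skipped here, negating access.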
                continue;
            }
            seen.add(sr);
            if (pr.getAction() == BLOCK) {
                // Block rules are handled elsewhere.
                continue;
            }
            if (pr.getAction() == PermissionRule.Action.DENY) {
                // DENY rules work by not adding ALLOW rules. Nothing else to do.
                continue;
            }
            r.add(pr);
        }
        if (p.getExclusiveGroup()) {
            // We found an exclusive permission, so no need to further go up the hierarchy.
            break;
        }
    }
    return r;
}
Also used : PermissionRule(com.google.gerrit.entities.PermissionRule) ArrayList(java.util.ArrayList) Permission(com.google.gerrit.entities.Permission) AccessSection(com.google.gerrit.entities.AccessSection) HashSet(java.util.HashSet)

Example 3 with AccessSection

use of com.google.gerrit.entities.AccessSection in project gerrit by GerritCodeReview.

the class PermissionCollection method calculateBlockRules.

// Calculates the inputs for determining BLOCK status, grouped by project.
private List<List<Permission>> calculateBlockRules(String permName) {
    List<List<Permission>> result = new ArrayList<>();
    for (List<AccessSection> secs : this.accessSectionsPerProjectDownward) {
        List<Permission> perms = new ArrayList<>();
        boolean blockFound = false;
        for (AccessSection sec : secs) {
            Permission p = sec.getPermission(permName);
            if (p == null) {
                continue;
            }
            for (PermissionRule pr : p.getRules()) {
                if (blockFound || pr.getAction() == Action.BLOCK) {
                    blockFound = true;
                    break;
                }
            }
            perms.add(p);
        }
        if (blockFound) {
            result.add(perms);
        }
    }
    return result;
}
Also used : PermissionRule(com.google.gerrit.entities.PermissionRule) ArrayList(java.util.ArrayList) Permission(com.google.gerrit.entities.Permission) Collectors.toList(java.util.stream.Collectors.toList) List(java.util.List) AccessSection(com.google.gerrit.entities.AccessSection)

Example 4 with AccessSection

use of com.google.gerrit.entities.AccessSection in project gerrit by GerritCodeReview.

the class ProjectControl method allRefPatterns.

private Set<String> allRefPatterns(String permissionName) {
    Set<String> all = new HashSet<>();
    for (SectionMatcher matcher : access()) {
        AccessSection section = matcher.getSection();
        Permission permission = section.getPermission(permissionName);
        if (permission != null) {
            all.add(section.getName());
        }
    }
    return all;
}
Also used : Permission(com.google.gerrit.entities.Permission) CoreOrPluginProjectPermission(com.google.gerrit.extensions.api.access.CoreOrPluginProjectPermission) PluginProjectPermission(com.google.gerrit.extensions.api.access.PluginProjectPermission) SectionMatcher(com.google.gerrit.server.project.SectionMatcher) AccessSection(com.google.gerrit.entities.AccessSection) HashSet(java.util.HashSet)

Example 5 with AccessSection

use of com.google.gerrit.entities.AccessSection in project gerrit by GerritCodeReview.

the class ProjectConfigTest method readConfig.

@Test
public void readConfig() throws Exception {
    RevCommit rev = tr.commit()
        .add("groups", group(developers))
        .add("project.config",
            "[access \"refs/heads/*\"]\n"
            + "  exclusiveGroupPermissions = read submit create\n"
            + "  submit = group Developers\n"
            + "  push = group Developers\n"
            + "  read = group Developers\n"
            + "[accounts]\n"
            + "  sameGroupVisibility = deny group Developers\n"
            + "  sameGroupVisibility = block group Staff\n"
            + "[contributor-agreement \"Individual\"]\n"
            + "  description = A simple description\n"
            + "  matchProjects = ^/ourproject\n"
            + "  matchProjects = ^/ourotherproject\n"
            + "  matchProjects = ^/someotherroot/ourproject\n"
            + "  excludeProjects = ^/theirproject\n"
            + "  excludeProjects = ^/theirotherproject\n"
            + "  excludeProjects = ^/someotherroot/theirproject\n"
            + "  excludeProjects = ^/someotherroot/theirotherproject\n"
            + "  accepted = group Developers\n"
            + "  accepted = group Staff\n"
            + "  autoVerify = group Developers\n"
            + "  agreementUrl = http://www.example.com/agree\n")
        .create();
    ProjectConfig cfg = read(rev);
    assertThat(cfg.getAccountsSection().getSameGroupVisibility()).hasSize(2);
    ContributorAgreement ca = cfg.getContributorAgreement("Individual");
    assertThat(ca.getName()).isEqualTo("Individual");
    assertThat(ca.getDescription()).isEqualTo("A simple description");
    assertThat(ca.getMatchProjectsRegexes()).containsExactly("^/ourproject", "^/ourotherproject", "^/someotherroot/ourproject");
    assertThat(ca.getExcludeProjectsRegexes()).containsExactly("^/theirproject", "^/theirotherproject", "^/someotherroot/theirproject", "^/someotherroot/theirotherproject");
    assertThat(ca.getAgreementUrl()).isEqualTo("http://www.example.com/agree");
    assertThat(ca.getAccepted()).hasSize(2);
    assertThat(ca.getAccepted().get(0).getGroup()).isEqualTo(developers);
    assertThat(ca.getAccepted().get(1).getGroup().getName()).isEqualTo("Staff");
    assertThat(ca.getAutoVerify().getName()).isEqualTo("Developers");
    AccessSection section = cfg.getAccessSection("refs/heads/*");
    assertThat(section).isNotNull();
    assertThat(cfg.getAccessSection("refs/*")).isNull();
    Permission create = section.getPermission(Permission.CREATE);
    Permission submit = section.getPermission(Permission.SUBMIT);
    Permission read = section.getPermission(Permission.READ);
    Permission push = section.getPermission(Permission.PUSH);
    assertThat(create.getExclusiveGroup()).isTrue();
    assertThat(submit.getExclusiveGroup()).isTrue();
    assertThat(read.getExclusiveGroup()).isTrue();
    assertThat(push.getExclusiveGroup()).isFalse();
}
Also used : ContributorAgreement(com.google.gerrit.entities.ContributorAgreement) Permission(com.google.gerrit.entities.Permission) AccessSection(com.google.gerrit.entities.AccessSection) RevCommit(org.eclipse.jgit.revwalk.RevCommit) Test(org.junit.Test)
