
Example 1 with GroupReference

use of com.google.gerrit.entities.GroupReference in project gerrit by GerritCodeReview.

the class LdapGroupBackend method suggestLdap.

/**
 * Looks up LDAP groups whose name matches {@code name} under every configured group base.
 *
 * <p>Names shorter than three characters are searched exactly; longer names get a trailing
 * {@code *} so the directory performs a prefix match. The lookup is best-effort: if the
 * directory cannot be queried, the failure is logged as a warning and whatever was collected
 * so far (possibly nothing) is returned.
 *
 * @param name the group name, or name prefix, to search for
 * @return an immutable empty set when {@code name} is empty, otherwise a sorted set of the
 *     matching group references
 */
private Set<GroupReference> suggestLdap(String name) {
    if (name.isEmpty()) {
        return Collections.emptySet();
    }
    Set<GroupReference> matches = Sets.newTreeSet(GROUP_REF_NAME_COMPARATOR);
    try {
        DirContext ldap = helper.open();
        try {
            // NOTE(review): Rdn.escapeValue applies distinguished-name escaping, but the
            // result is substituted into a search filter below. DN escaping does not cover
            // filter metacharacters such as '*', '(' and ')'; confirm whether RFC 4515
            // filter escaping is needed for this value.
            String escaped = Rdn.escapeValue(name);
            // The wildcard decision is based on the length of the unescaped input.
            String wildcard = (name.length() >= 3) ? "*" : "";
            String searchTerm = escaped + wildcard;

            LdapSchema schema = helper.getSchema(ldap);
            String rawFilter = schema.groupPattern.replace(GROUPNAME, searchTerm).toString();
            ParameterizedString filter = ParameterizedString.asis(rawFilter);
            Set<String> wantedAttrs = new HashSet<>(schema.groupName.getParameterNames());
            // The filter is already fully expanded, so no bind parameters are passed.
            Map<String, String> noParams = Collections.emptyMap();

            for (String base : schema.groupBases) {
                LdapQuery search = new LdapQuery(base, schema.groupScope, filter, wantedAttrs);
                for (LdapQuery.Result hit :
                        search.query(ldap, noParams, helper.getGroupSearchLatencyTimer())) {
                    matches.add(groupReference(schema.groupName, hit));
                }
            }
        } finally {
            // Always release the directory context, even when a query fails.
            helper.close(ldap);
        }
    } catch (IOException | NamingException | LoginException e) {
        logger.atWarning().withCause(e).log("Cannot query LDAP for groups matching requested name");
    }
    return matches;
}
Also used : DirContext(javax.naming.directory.DirContext) ParameterizedString(com.google.gerrit.common.data.ParameterizedString) IOException(java.io.IOException) ParameterizedString(com.google.gerrit.common.data.ParameterizedString) LdapSchema(com.google.gerrit.auth.ldap.Helper.LdapSchema) LoginException(javax.security.auth.login.LoginException) NamingException(javax.naming.NamingException) GroupReference(com.google.gerrit.entities.GroupReference) HashSet(java.util.HashSet)

Example 2 with GroupReference

use of com.google.gerrit.entities.GroupReference in project gerrit by GerritCodeReview.

the class LdapRealm method authenticate.

/**
 * Authenticates {@code who} against LDAP and copies the account details found there into it.
 *
 * <p>With {@code AuthType.LDAP_BIND} the directory context is obtained by binding with the
 * user's own name and password. In every other case the context comes from
 * {@code helper.open()}; for {@code AuthType.LDAP} the password is then verified by a second
 * bind against the DN of the account that was found, unless the request has
 * {@code isSkipAuthentication()} set.
 *
 * <p>If {@code mandatoryGroup} is configured, the user must be a member of that group. The
 * groups that were queried are stored in {@code membershipCache} under the user name.
 *
 * @param who the authentication request; it is modified in place
 * @return the same {@code who} instance with display name, user name and (if available) email
 *     address filled in
 * @throws AccountException if the mandatory group cannot be identified or the user is not a
 *     member of it
 * @throws AuthenticationUnavailableException if the LDAP query fails with an
 *     {@code IOException} or {@code NamingException}, or the JAAS login fails
 */
@Override
public AuthRequest authenticate(AuthRequest who) throws AccountException {
    // Optionally normalise the user name; Locale.US keeps the lower-casing independent of the
    // server's default locale.
    if (config.getBoolean("ldap", "localUsernameToLowerCase", false)) {
        who.setLocalUser(who.getLocalUser().toLowerCase(Locale.US));
    }
    final String username = who.getLocalUser();
    try {
        final DirContext ctx;
        if (authConfig.getAuthType() == AuthType.LDAP_BIND) {
            // The bind with the user's own credentials is the authentication step.
            // NOTE(review): confirm helper.authenticate rejects empty passwords; many LDAP
            // servers treat a simple bind with an empty password as an unauthenticated bind.
            ctx = helper.authenticate(username, who.getPassword());
        } else {
            ctx = helper.open();
        }
        try {
            final Helper.LdapSchema schema = helper.getSchema(ctx);
            LdapQuery.Result m;
            who.setAuthProvidesAccountActiveStatus(true);
            m = helper.findAccount(schema, ctx, username, fetchMemberOfEagerly);
            // Reached only when findAccount returned without throwing; presumably a missing
            // account is reported through an exception - confirm in Helper.findAccount.
            who.setActive(true);
            if (authConfig.getAuthType() == AuthType.LDAP && !who.isSkipAuthentication()) {
                // We found the user account, but we need to verify
                // the password matches it before we can continue.
                // The context from this verification bind is closed immediately.
                // NOTE(review): when isSkipAuthentication() is true no password check happens
                // on this path; confirm that flag can only be set by trusted server-side code.
                helper.close(helper.authenticate(m.getDN(), who.getPassword()));
            }
            who.setDisplayName(apply(schema.accountFullName, m));
            who.setUserName(apply(schema.accountSshUserName, m));
            if (schema.accountEmailAddress != null) {
                who.setEmailAddress(apply(schema.accountEmailAddress, m));
            } else if (emailExpander.canExpand(username)) {
                // If LDAP cannot give us a valid email address for this user
                // try expanding it through the older email expander code which
                // assumes a user name within a domain.
                who.setEmailAddress(emailExpander.expand(username));
            }
            // Group membership is needed either for eager caching or to enforce the
            // mandatory group.
            if (fetchMemberOfEagerly || mandatoryGroup != null) {
                Set<AccountGroup.UUID> groups = helper.queryForGroups(ctx, username, m);
                if (mandatoryGroup != null) {
                    GroupReference mandatoryGroupRef = GroupBackends.findExactSuggestion(groupBackend, mandatoryGroup);
                    if (mandatoryGroupRef == null) {
                        // Fail closed: an unresolvable mandatory group rejects the login.
                        throw new AccountException("Could not identify mandatory group: " + mandatoryGroup);
                    }
                    if (!groups.contains(mandatoryGroupRef.getUUID())) {
                        throw new AccountException("Not member of mandatory LDAP group: " + mandatoryGroupRef.getName());
                    }
                }
                // Regardless if we enabled fetchMemberOfEagerly, we already have the
                // groups and it would be a waste not to cache them.
                membershipCache.put(username, groups);
            }
            return who;
        } finally {
            // Release the directory context on every exit path, including the exceptions above.
            helper.close(ctx);
        }
    } catch (IOException | NamingException e) {
        // Directory failures are reported to the caller as "authentication unavailable".
        // NOTE(review): how a wrong password is signalled by helper.authenticate is not
        // visible here; confirm it does not arrive as a NamingException and get reported as
        // an outage.
        logger.atSevere().withCause(e).log("Cannot query LDAP to authenticate user");
        throw new AuthenticationUnavailableException("Cannot query LDAP for account", e);
    } catch (LoginException e) {
        // Logged separately, but the caller sees the same exception type and message as above.
        logger.atSevere().withCause(e).log("Cannot authenticate server via JAAS");
        throw new AuthenticationUnavailableException("Cannot query LDAP for account", e);
    }
}
Also used : AuthenticationUnavailableException(com.google.gerrit.server.auth.AuthenticationUnavailableException) ParameterizedString(com.google.gerrit.common.data.ParameterizedString) DirContext(javax.naming.directory.DirContext) IOException(java.io.IOException) AccountException(com.google.gerrit.server.account.AccountException) LoginException(javax.security.auth.login.LoginException) NamingException(javax.naming.NamingException) GroupReference(com.google.gerrit.entities.GroupReference)

Example 3 with GroupReference

use of com.google.gerrit.entities.GroupReference in project gerrit by GerritCodeReview.

the class ProjectOperationsImpl method newRule.

/**
 * Creates a permission-rule builder for the group identified by {@code groupUUID}.
 *
 * <p>The group reference is first created with the UUID string as its name and then passed
 * through {@code project.resolve}, whose result is what the rule is built on.
 *
 * @param project the project configuration used to resolve the group reference
 * @param groupUUID the UUID of the group the rule applies to
 * @return a builder for a permission rule on the resolved group
 */
private static PermissionRule.Builder newRule(ProjectConfig project, AccountGroup.UUID groupUUID) {
    // The UUID string doubles as the placeholder name of the unresolved reference.
    GroupReference unresolved = GroupReference.create(groupUUID, groupUUID.get());
    GroupReference resolved = project.resolve(unresolved);
    return PermissionRule.builder(resolved);
}
Also used : GroupReference(com.google.gerrit.entities.GroupReference)

Example 4 with GroupReference

use of com.google.gerrit.entities.GroupReference in project gerrit by GerritCodeReview.

the class ChangeQueryBuilder method ownerin.

/**
 * Builds the predicate for the {@code ownerin} operator: changes owned by a member of
 * {@code group}.
 *
 * <p>For an internal group the members are looked up here and the result is an OR over one
 * owner predicate per member. For any other kind of group an {@code OwnerinPredicate} is
 * returned instead.
 *
 * @param group the group name as given in the query
 * @return a predicate matching changes whose owner belongs to the group
 * @throws QueryParseException if no group matches {@code group}
 * @throws IOException declared by the method; the visible code does not show which call raises it
 */
@Operator
public Predicate<ChangeData> ownerin(String group) throws QueryParseException, IOException {
    GroupReference match = GroupBackends.findBestSuggestion(args.groupBackend, group);
    if (match == null) {
        throw error("Group " + group + " not found");
    }

    AccountGroup.UUID uuid = match.getUUID();
    GroupDescription.Basic description = args.groupBackend.get(uuid);
    if (description instanceof GroupDescription.Internal) {
        // NOTE(review): no group-visibility check is visible in this method; confirm that
        // findBestSuggestion or getMembers enforces it, since the expanded predicate reflects
        // the group's membership.
        Set<Account.Id> members = getMembers(uuid);
        List<Predicate<ChangeData>> ownerPredicates = Lists.newArrayListWithCapacity(members.size());
        for (Account.Id member : members) {
            ownerPredicates.add(ChangePredicates.owner(member));
        }
        return Predicate.or(ownerPredicates);
    }

    // Groups that are not internal are matched through OwnerinPredicate.
    return new OwnerinPredicate(args.userFactory, uuid);
}
Also used : Account(com.google.gerrit.entities.Account) ReviewerStateInternal(com.google.gerrit.server.notedb.ReviewerStateInternal) LimitPredicate(com.google.gerrit.index.query.LimitPredicate) Predicate(com.google.gerrit.index.query.Predicate) GroupDescription(com.google.gerrit.entities.GroupDescription) AccountGroup(com.google.gerrit.entities.AccountGroup) GroupReference(com.google.gerrit.entities.GroupReference)

Example 5 with GroupReference

use of com.google.gerrit.entities.GroupReference in project gerrit by GerritCodeReview.

the class ListGroups method suggestGroups.

/**
 * Returns group suggestions for the {@code suggest} term, formatted as {@code GroupInfo}.
 *
 * <p>At most 10 suggestions are returned: a non-positive {@code limit} falls back to 10 and a
 * larger one is capped at 10. Suggestions for which the backend returns no description are
 * left out.
 *
 * @return the formatted suggestions, in the order the backend produced them
 * @throws BadRequestException if the suggest parameters conflict with each other
 * @throws PermissionBackendException declared by the method; the visible code does not show
 *     which call raises it
 */
private List<GroupInfo> suggestGroups() throws BadRequestException, PermissionBackendException {
    if (conflictingSuggestParameters()) {
        throw new BadRequestException("You should only have no more than one --project and -n with --suggest");
    }

    // Only the first project, if any, is passed to the backend; the result size is bounded
    // regardless of what the caller asked for.
    List<GroupReference> suggestions =
            groupBackend
                    .suggest(suggest, projects.stream().findFirst().orElse(null))
                    .stream()
                    .limit(limit <= 0 ? 10 : Math.min(limit, 10))
                    .collect(toList());

    List<GroupInfo> result = Lists.newArrayListWithCapacity(suggestions.size());
    for (GroupReference suggestion : suggestions) {
        GroupDescription.Basic description = groupBackend.get(suggestion.getUUID());
        if (description == null) {
            // The backend has no description for this reference; skip it.
            continue;
        }
        result.add(json.addOptions(options).format(description));
    }
    return result;
}
Also used : GroupDescription(com.google.gerrit.entities.GroupDescription) InternalGroupDescription(com.google.gerrit.server.group.InternalGroupDescription) GroupInfo(com.google.gerrit.extensions.common.GroupInfo) BadRequestException(com.google.gerrit.extensions.restapi.BadRequestException) GroupReference(com.google.gerrit.entities.GroupReference)
