
Example 11 with Permission

use of com.google.gerrit.entities.Permission in project gerrit by GerritCodeReview.

the class GetAccess method apply.

/**
 * Builds the {@link ProjectAccessInfo} describing the access configuration of the project behind
 * {@code rsrc}, limited to what the current user is allowed to see.
 *
 * <p>The project configuration is re-read from the repository first. Although this is a read
 * endpoint, it can write: when {@code updateGroupNames} reports a change, the configuration is
 * committed and the project cache entry is evicted and reloaded.
 *
 * <p>Disclosure rules applied per section, as far as they are visible in this method:
 *
 * <ul>
 *   <li>global capabilities: returned when the caller may write the project config or read
 *       {@code RefNames.REFS_CONFIG};
 *   <li>ref sections: returned in full when the caller has {@code WRITE_CONFIG} on that ref or
 *       may read {@code RefNames.REFS_CONFIG}; a caller with only {@code READ} on the ref goes
 *       through the separate branch below;
 *   <li>everything else is omitted.
 * </ul>
 *
 * @param rsrc the project whose access information is requested
 * @return a successful response wrapping the populated {@link ProjectAccessInfo}
 * @throws ResourceConflictException if the project configuration is invalid
 * @throws ResourceNotFoundException if the project's repository cannot be found
 */
@Override
public Response<ProjectAccessInfo> apply(ProjectResource rsrc) throws ResourceNotFoundException, ResourceConflictException, IOException, PermissionBackendException {
    // Load the current configuration from the repository, ensuring it's the most
    // recent version available. If it differs from what was in the project
    // state, force a cache flush now.
    Project.NameKey projectName = rsrc.getNameKey();
    ProjectAccessInfo info = new ProjectAccessInfo();
    ProjectState projectState = projectCache.get(projectName).orElseThrow(illegalState(projectName));
    // Permission view of the *current* user; it is re-created below whenever the cached
    // project state is reloaded, so later checks do not run against stale state.
    PermissionBackend.ForProject perm = permissionBackend.currentUser().project(projectName);
    ProjectConfig config;
    try (MetaDataUpdate md = metaDataUpdateFactory.get().create(projectName)) {
        config = projectConfigFactory.read(md);
        info.configWebLinks = new ArrayList<>();
        // config may have a null revision if the repo doesn't have its own refs/meta/config.
        if (config.getRevision() != null) {
            info.configWebLinks.addAll(webLinks.getFileHistoryLinks(projectName.get(), config.getRevision().getName(), ProjectConfig.PROJECT_CONFIG));
        }
        if (config.updateGroupNames(groupBackend)) {
            // Write on a read path: the refreshed group names are committed to the project
            // config before any of the caller's permissions are evaluated below.
            md.setMessage("Update group names\n");
            config.commit(md);
            projectCache.evictAndReindex(config.getProject());
            projectState = projectCache.get(projectName).orElseThrow(illegalState(projectName));
            perm = permissionBackend.currentUser().project(projectName);
        } else if (config.getRevision() != null && !config.getRevision().equals(projectState.getConfig().getRevision().orElse(null))) {
            // The cached state is at a different revision than the repository: drop it and
            // evaluate permissions against the freshly loaded state.
            projectCache.evictAndReindex(config.getProject());
            projectState = projectCache.get(projectName).orElseThrow(illegalState(projectName));
            perm = permissionBackend.currentUser().project(projectName);
        }
    } catch (ConfigInvalidException e) {
        // NOTE(review): only the message is carried over; the original exception is not
        // attached as the cause.
        throw new ResourceConflictException(e.getMessage());
    } catch (RepositoryNotFoundException e) {
        throw new ResourceNotFoundException(rsrc.getName(), e);
    }
    // The following implementation must match the ProjectAccessFactory JSON RPC endpoint.
    info.local = new HashMap<>();
    info.ownerOf = new HashSet<>();
    Map<AccountGroup.UUID, GroupInfo> groups = new HashMap<>();
    boolean canReadConfig = check(perm, RefNames.REFS_CONFIG, READ);
    boolean canWriteConfig = check(perm, ProjectPermission.WRITE_CONFIG);
    // Enforce the project-state read check only for callers who cannot write the config.
    // A caller who can write it is let through so that they can still read the config and
    // use it to set the project state to any state that is not HIDDEN.
    if (!canWriteConfig) {
        projectState.checkStatePermitsRead();
    }
    for (AccessSection section : config.getAccessSections()) {
        String name = section.getName();
        if (AccessSection.GLOBAL_CAPABILITIES.equals(name)) {
            // Global capabilities: full section for config writers (also marked as owned)
            // and for config readers; nobody else sees it.
            if (canWriteConfig) {
                info.local.put(name, createAccessSection(groups, section));
                info.ownerOf.add(name);
            } else if (canReadConfig) {
                info.local.put(section.getName(), createAccessSection(groups, section));
            }
        } else if (AccessSection.isValidRefSectionName(name)) {
            // Ref sections: the per-ref WRITE_CONFIG check is tried first, then the
            // project-wide config read permission, then plain READ on the ref.
            if (check(perm, name, WRITE_CONFIG)) {
                info.local.put(name, createAccessSection(groups, section));
                info.ownerOf.add(name);
            } else if (canReadConfig) {
                info.local.put(name, createAccessSection(groups, section));
            } else if (check(perm, name, READ)) {
                // Filter the section to only add rules describing groups that
                // are visible to the current-user. This includes any group the
                // user is a member of, as well as groups they own or that
                // are visible to all users.
                // NOTE(review): no visibility test is visible in this loop; the only rules
                // skipped are those whose group UUID is null. Whether loadGroup restricts
                // anything cannot be told from here -- confirm against its implementation.
                AccessSection.Builder dst = null;
                for (Permission srcPerm : section.getPermissions()) {
                    Permission.Builder dstPerm = null;
                    for (PermissionRule srcRule : srcPerm.getRules()) {
                        AccountGroup.UUID groupId = srcRule.getGroup().getUUID();
                        if (groupId == null) {
                            continue;
                        }
                        loadGroup(groups, groupId);
                        if (dstPerm == null) {
                            if (dst == null) {
                                dst = AccessSection.builder(name);
                                // NOTE(review): the entry stored in info.local is created from
                                // dst.build() here, before any permission has been upserted
                                // into dst. Unless the built section shares state with the
                                // builder (not visible here), the rules added below never
                                // reach the response -- confirm which behaviour is intended
                                // before changing it, since it decides what READ-only callers
                                // are shown.
                                info.local.put(name, createAccessSection(groups, dst.build()));
                            }
                            dstPerm = dst.upsertPermission(srcPerm.getName());
                        }
                        dstPerm.add(srcRule.toBuilder());
                    }
                }
            }
        }
    }
    if (info.ownerOf.isEmpty()) {
        try {
            permissionBackend.currentUser().check(GlobalPermission.ADMINISTRATE_SERVER);
            // Special case: If the section list is empty, this project has no current
            // access control information. Fall back to site administrators.
            info.ownerOf.add(AccessSection.ALL);
        } catch (AuthException e) {
        // Deliberately ignored: the ADMINISTRATE_SERVER check did not pass, so no fallback
        // ownership is added and ownerOf stays empty.
        }
    }
    if (config.getRevision() != null) {
        info.revision = config.getRevision().name();
    }
    // Only the first parent returned by projectState.parents() is reported.
    ProjectState parent = Iterables.getFirst(projectState.parents(), null);
    if (parent != null) {
        info.inheritsFrom = projectJson.format(parent.getProject());
    }
    // On the all-projects project, server administrators are additionally reported as owners
    // of the global capabilities section.
    if (projectName.equals(allProjectsName) && permissionBackend.currentUser().testOrFalse(ADMINISTRATE_SERVER)) {
        info.ownerOf.add(AccessSection.GLOBAL_CAPABILITIES);
    }
    info.isOwner = toBoolean(canWriteConfig);
    // canUpload: the project state must permit writes, and the caller must either be able to
    // write the config or be able to read it and create changes on RefNames.REFS_CONFIG.
    info.canUpload = toBoolean(projectState.statePermitsWrite() && (canWriteConfig || (canReadConfig && perm.ref(RefNames.REFS_CONFIG).testOrFalse(CREATE_CHANGE))));
    info.canAdd = toBoolean(perm.testOrFalse(CREATE_REF));
    info.canAddTags = toBoolean(perm.testOrFalse(CREATE_TAG_REF));
    info.configVisible = canReadConfig || canWriteConfig;
    // Groups whose entry in the map is null are left out of the response.
    info.groups = groups.entrySet().stream().filter(e -> e.getValue() != null).collect(toMap(e -> e.getKey().get(), Map.Entry::getValue));
    return Response.ok(info);
}
Also used : ConfigInvalidException(org.eclipse.jgit.errors.ConfigInvalidException) PermissionBackend(com.google.gerrit.server.permissions.PermissionBackend) HashMap(java.util.HashMap) PermissionRule(com.google.gerrit.entities.PermissionRule) ProjectAccessInfo(com.google.gerrit.extensions.api.access.ProjectAccessInfo) AuthException(com.google.gerrit.extensions.restapi.AuthException) RefPermission(com.google.gerrit.server.permissions.RefPermission) GlobalPermission(com.google.gerrit.server.permissions.GlobalPermission) ProjectPermission(com.google.gerrit.server.permissions.ProjectPermission) Permission(com.google.gerrit.entities.Permission) ResourceNotFoundException(com.google.gerrit.extensions.restapi.ResourceNotFoundException) GroupInfo(com.google.gerrit.extensions.common.GroupInfo) RepositoryNotFoundException(org.eclipse.jgit.errors.RepositoryNotFoundException) AccessSection(com.google.gerrit.entities.AccessSection) ProjectConfig(com.google.gerrit.server.project.ProjectConfig) Project(com.google.gerrit.entities.Project) ResourceConflictException(com.google.gerrit.extensions.restapi.ResourceConflictException) ProjectState(com.google.gerrit.server.project.ProjectState) MetaDataUpdate(com.google.gerrit.server.git.meta.MetaDataUpdate)

Example 12 with Permission

use of com.google.gerrit.entities.Permission in project gerrit by GerritCodeReview.

the class GetAccess method createAccessSection.

/**
 * Converts an {@link AccessSection} into its {@link AccessSectionInfo} representation.
 *
 * <p>Every permission of the section is copied. Within a permission, each rule whose group has a
 * non-null UUID is stored under that UUID's string form; if the same group occurs more than
 * once, the first rule is kept. Rules whose group UUID is null are dropped.
 *
 * <p>No permission or visibility check happens in this method: whatever section is passed in is
 * converted in full, so deciding what the current user may see is the caller's job.
 *
 * @param groups map handed to {@code loadGroup} for every group UUID that appears in a rule
 * @param section the access section to convert
 * @return the converted section
 */
private AccessSectionInfo createAccessSection(Map<AccountGroup.UUID, GroupInfo> groups, AccessSection section) {
    AccessSectionInfo result = new AccessSectionInfo();
    result.permissions = new HashMap<>();
    for (Permission permission : section.getPermissions()) {
        String label = permission.getLabel();
        // The exclusive flag is reported only when set: true, otherwise null rather than false.
        Boolean exclusive = permission.getExclusiveGroup() ? true : null;
        PermissionInfo permissionInfo = new PermissionInfo(label, exclusive);
        permissionInfo.rules = new HashMap<>();
        for (PermissionRule rule : permission.getRules()) {
            PermissionRuleInfo ruleInfo = new PermissionRuleInfo(ACTION_TYPE.get(rule.getAction()), rule.getForce());
            if (rule.hasRange()) {
                ruleInfo.max = rule.getMax();
                ruleInfo.min = rule.getMin();
            }
            AccountGroup.UUID groupUuid = rule.getGroup().getUUID();
            if (groupUuid == null) {
                continue;
            }
            // The first rule seen for a group wins; later rules for the same group are ignored.
            permissionInfo.rules.putIfAbsent(groupUuid.get(), ruleInfo);
            loadGroup(groups, groupUuid);
        }
        result.permissions.put(permission.getName(), permissionInfo);
    }
    return result;
}
Also used : PermissionInfo(com.google.gerrit.extensions.api.access.PermissionInfo) AccountGroup(com.google.gerrit.entities.AccountGroup) PermissionRule(com.google.gerrit.entities.PermissionRule) RefPermission(com.google.gerrit.server.permissions.RefPermission) GlobalPermission(com.google.gerrit.server.permissions.GlobalPermission) ProjectPermission(com.google.gerrit.server.permissions.ProjectPermission) Permission(com.google.gerrit.entities.Permission) PermissionRuleInfo(com.google.gerrit.extensions.api.access.PermissionRuleInfo) AccessSectionInfo(com.google.gerrit.extensions.api.access.AccessSectionInfo)

Example 13 with Permission

use of com.google.gerrit.entities.Permission in project gerrit by GerritCodeReview.

the class AccountIT method assertLabelPermission.

/**
 * Asserts that the access section for {@code ref} in {@code project} contains the label
 * permission for {@code labelName} and that it has a matching rule for {@code groupReference}.
 *
 * <p>The permission name is {@code Permission.LABEL + labelName}. The rule is checked through
 * {@code assertPermissionRule} with {@code Action.ALLOW}, {@code false} and the given range.
 *
 * @param project project whose cached configuration is inspected
 * @param groupReference group whose rule is looked up in the permission
 * @param ref name of the access section
 * @param exclusive value passed on to {@code assertPermission}
 * @param labelName label name, without the {@code Permission.LABEL} prefix
 * @param min value passed on to {@code assertPermissionRule}
 * @param max value passed on to {@code assertPermissionRule}
 */
protected void assertLabelPermission(Project.NameKey project, GroupReference groupReference, String ref, boolean exclusive, String labelName, int min, int max) {
    Optional<AccessSection> maybeSection =
        projectCache
            .get(project)
            .orElseThrow(illegalState(project))
            .getConfig()
            .getAccessSection(ref);
    assertThat(maybeSection).isPresent();
    AccessSection section = maybeSection.get();
    String fullName = Permission.LABEL + labelName;
    Permission labelPermission = section.getPermission(fullName);
    assertPermission(labelPermission, fullName, exclusive, labelName);
    assertPermissionRule(
        labelPermission.getRule(groupReference), groupReference, Action.ALLOW, false, min, max);
}
Also used : Permission(com.google.gerrit.entities.Permission) PublicKeyStore.keyToString(com.google.gerrit.gpg.PublicKeyStore.keyToString) AccessSection(com.google.gerrit.entities.AccessSection)

Example 14 with Permission

use of com.google.gerrit.entities.Permission in project gerrit by GerritCodeReview.

the class AbstractDaemonTest method assertPermissions.

/**
 * Asserts that the access section for {@code ref} in {@code project} contains each of the named
 * permissions and that each has a matching rule for {@code groupReference}.
 *
 * <p>Each rule is checked through {@code assertPermissionRule} with {@code Action.ALLOW},
 * {@code false} and the range {@code 0, 0}.
 *
 * @param project project whose cached configuration is inspected
 * @param groupReference group whose rule is looked up in each permission
 * @param ref name of the access section
 * @param exclusive value passed on to {@code assertPermission}
 * @param permissionNames names of the permissions to check
 */
protected void assertPermissions(Project.NameKey project, GroupReference groupReference, String ref, boolean exclusive, String... permissionNames) {
    Optional<AccessSection> maybeSection =
        projectCache
            .get(project)
            .orElseThrow(illegalState(project))
            .getConfig()
            .getAccessSection(ref);
    assertThat(maybeSection).isPresent();
    AccessSection section = maybeSection.get();
    for (String name : permissionNames) {
        Permission namedPermission = section.getPermission(name);
        assertPermission(namedPermission, name, exclusive, null);
        assertPermissionRule(
            namedPermission.getRule(groupReference), groupReference, Action.ALLOW, false, 0, 0);
    }
}
Also used : Permission(com.google.gerrit.entities.Permission) IdString(com.google.gerrit.extensions.restapi.IdString) AccessSection(com.google.gerrit.entities.AccessSection)

Example 15 with Permission

use of com.google.gerrit.entities.Permission in project gerrit by GerritCodeReview.

the class ProjectControl method canPerformOnAnyRef.

/**
 * Reports whether the named permission is granted by any of the sections returned by
 * {@code access()}.
 *
 * <p>Sections are visited in the order {@code access()} yields them. Sections that do not define
 * the permission, or for which {@code canPerform} returns {@code null}, are skipped. The first
 * non-null result decides the outcome, whether it grants or denies, and later sections are not
 * consulted. If no section decides, the answer is {@code false}.
 *
 * @param permissionName name of the permission to look up in each section
 * @return the first non-null decision, or {@code false} when there is none
 */
private boolean canPerformOnAnyRef(String permissionName) {
    for (SectionMatcher matcher : access()) {
        AccessSection section = matcher.getSection();
        Permission permission = section.getPermission(permissionName);
        if (permission != null) {
            Boolean decision = canPerform(permissionName, section, permission);
            if (decision != null) {
                return decision;
            }
        }
    }
    // Default deny: no section produced a decision for this permission.
    return false;
}
Also used : Permission(com.google.gerrit.entities.Permission) CoreOrPluginProjectPermission(com.google.gerrit.extensions.api.access.CoreOrPluginProjectPermission) PluginProjectPermission(com.google.gerrit.extensions.api.access.PluginProjectPermission) SectionMatcher(com.google.gerrit.server.project.SectionMatcher) AccessSection(com.google.gerrit.entities.AccessSection)
