use of com.google.gerrit.entities.PermissionRule in project gerrit by GerritCodeReview.
Class CreateGroupPermissionSyncer, method syncIfNeeded.
/**
 * Keeps the {@code CREATE} permission on {@code refs/groups/*} in All-Users in step with the
 * global {@code GlobalCapability.CREATE_GROUP} capability held in All-Projects.
 *
 * <p>The rule set of the global capability is compared with the rule set of the ref permission.
 * When the two differ, the ref permission is rewritten to mirror the capability (or removed
 * entirely when the capability has no rules), the change is committed to All-Users and the
 * project's cache entry is evicted. When they already agree, nothing is written.
 *
 * @throws IOException if the All-Users project config cannot be read or committed
 * @throws ConfigInvalidException if the stored project config cannot be parsed
 */
public void syncIfNeeded() throws IOException, ConfigInvalidException {
  ProjectState allProjects = projectCache.getAllProjects();
  ProjectState allUsersProject = projectCache.getAllUsers();

  // Rules granted through the global capability: this is the side being mirrored.
  Set<PermissionRule> capabilityRules =
      new HashSet<>(allProjects.getCapabilityCollection().createGroup);

  // Rules currently attached to CREATE on refs/groups/* in All-Users, if that section exists.
  Set<PermissionRule> refRules = new HashSet<>();
  String refsGroupsPattern = RefNames.REFS_GROUPS + "*";
  allUsersProject
      .getConfig()
      .getAccessSection(refsGroupsPattern)
      .map(section -> section.getPermission(Permission.CREATE))
      .filter(create -> create.getRules() != null)
      .ifPresent(create -> refRules.addAll(create.getRules()));

  if (Sets.symmetricDifference(capabilityRules, refRules).isEmpty()) {
    return; // already in sync, nothing to write
  }

  try (MetaDataUpdate md = metaDataUpdateFactory.get().create(allUsers)) {
    ProjectConfig config = projectConfigFactory.read(md);
    config.upsertAccessSection(
        refsGroupsPattern,
        sectionBuilder -> {
          if (capabilityRules.isEmpty()) {
            // No global rule is left, so the ref permission is dropped rather than left stale.
            sectionBuilder.modifyPermissions(
                permissions -> permissions.removeIf(p -> Permission.CREATE.equals(p.getName())));
          } else {
            // CREATE on refs/groups/* is owned by this syncer, so whatever rules are present are
            // replaced wholesale by the capability rules; nothing user-defined is expected here.
            Permission.Builder createBuilder = Permission.builder(Permission.CREATE);
            sectionBuilder.remove(createBuilder);
            sectionBuilder.addPermission(createBuilder);
            capabilityRules.stream().map(PermissionRule::toBuilder).forEach(createBuilder::add);
          }
        });
    config.commit(md);
    projectCache.evictAndReindex(config.getProject());
  }
}
use of com.google.gerrit.entities.PermissionRule in project gerrit by GerritCodeReview.
Class AccountLimits, method getRules.
/**
 * Returns the rules of the named capability that apply to this user, i.e. the rules whose group
 * the user is an effective member of according to {@code match}.
 *
 * @param permissionName name of the capability to look up in {@code capabilities}
 * @return a new, mutable list holding the applicable rules in their original order; empty when
 *     none of the rules match the user's groups
 */
private List<PermissionRule> getRules(String permissionName) {
  List<PermissionRule> allRules = capabilities.getPermission(permissionName);
  GroupMembership membership = user.getEffectiveGroups();
  // Sized for the worst case (every rule applies) to avoid regrowth.
  List<PermissionRule> applicable = new ArrayList<>(allRules.size());
  allRules.forEach(
      candidate -> {
        if (match(membership, candidate)) {
          applicable.add(candidate);
        }
      });
  return applicable;
}
use of com.google.gerrit.entities.PermissionRule in project gerrit by GerritCodeReview.
Class PermissionCollection, method calculateAllowRules.
/**
 * Collects the ALLOW rules for {@code permName}, walking the access sections from the most
 * specific section upward.
 *
 * <p>Each rule is considered at most once per section (tracked through {@link SeenRule}). BLOCK
 * rules are skipped here because blocking is evaluated separately, and DENY rules contribute
 * nothing since a denial is expressed simply by the absence of an ALLOW rule. The walk stops at
 * the first section whose permission is marked exclusive, so sections further up the hierarchy
 * cannot add ALLOW rules past that point.
 *
 * @param permName name of the permission to collect rules for
 * @return the applicable ALLOW rules in encounter order; empty when none apply
 */
private List<PermissionRule> calculateAllowRules(String permName) {
  Set<SeenRule> visited = new HashSet<>();
  List<PermissionRule> allowed = new ArrayList<>();
  for (AccessSection section : accessSectionsUpward) {
    Permission permission = section.getPermission(permName);
    if (permission == null) {
      continue;
    }
    for (PermissionRule rule : permission.getRules()) {
      // add() returns false when this rule was already visited for this section.
      if (!visited.add(SeenRule.create(section, rule))) {
        continue;
      }
      PermissionRule.Action action = rule.getAction();
      if (action == BLOCK || action == PermissionRule.Action.DENY) {
        // BLOCK is handled by the block-rule calculation; DENY only withholds an ALLOW.
        continue;
      }
      allowed.add(rule);
    }
    if (permission.getExclusiveGroup()) {
      // Exclusive permission found: nothing further up may contribute.
      break;
    }
  }
  return allowed;
}
use of com.google.gerrit.entities.PermissionRule in project gerrit by GerritCodeReview.
Class PermissionCollection, method calculateBlockRules.
/**
 * Collects, per project, the permissions named {@code permName} that take part in BLOCK
 * evaluation.
 *
 * <p>Projects are visited in the order of {@code accessSectionsPerProjectDownward}. For each
 * project, every matching permission is gathered; the project's list is kept in the result only
 * if at least one of those permissions carries a BLOCK rule. Once a BLOCK rule has been found in
 * a project, the rules of that project's remaining permissions are not inspected further, though
 * the permissions themselves are still collected.
 *
 * @param permName name of the permission to inspect
 * @return one permission list per project containing a BLOCK rule, in downward project order
 */
private List<List<Permission>> calculateBlockRules(String permName) {
  List<List<Permission>> blockingProjects = new ArrayList<>();
  for (List<AccessSection> projectSections : this.accessSectionsPerProjectDownward) {
    List<Permission> projectPerms = new ArrayList<>();
    boolean hasBlock = false;
    for (AccessSection section : projectSections) {
      Permission permission = section.getPermission(permName);
      if (permission == null) {
        continue;
      }
      // Short-circuits: once a BLOCK is known for this project, later rules are not scanned.
      hasBlock =
          hasBlock
              || permission.getRules().stream().anyMatch(rule -> rule.getAction() == Action.BLOCK);
      projectPerms.add(permission);
    }
    if (hasBlock) {
      blockingProjects.add(projectPerms);
    }
  }
  return blockingProjects;
}
use of com.google.gerrit.entities.PermissionRule in project gerrit by GerritCodeReview.
Class ContributorAgreementsChecker, method check.
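/**
 * Checks if the user has signed a contributor agreement for the project.
 *
 * <p>Nothing is checked when the project does not enable {@code USE_CONTRIBUTOR_AGREEMENTS}.
 * Otherwise every agreement defined in All-Projects whose project patterns select this project
 * (matchProjects, defaulting to all projects; excludeProjects, defaulting to none) contributes
 * the groups of its {@code accepted} ALLOW rules, and the user must be an effective member of at
 * least one of them. When no agreement applies to the project, no group is collected and the
 * check passes without requiring a signed agreement.
 *
 * @param project the project being accessed
 * @param user the current user; must be an identified (logged-in) user
 * @throws AuthException if the user is anonymous or has not signed an applicable agreement
 * @throws IOException if project states could not be loaded
 */
public void check(Project.NameKey project, CurrentUser user) throws IOException, AuthException {
  metrics.claCheckCount.increment();
  ProjectState projectState =
      projectCache.get(project).orElseThrow(() -> new IOException("Can't load " + project));
  if (!projectState.is(BooleanProjectConfig.USE_CONTRIBUTOR_AGREEMENTS)) {
    return;
  }
  if (!user.isIdentifiedUser()) {
    throw new AuthException("Must be logged in to verify Contributor Agreement");
  }
  IdentifiedUser iUser = user.asIdentifiedUser();
  Collection<ContributorAgreement> contributorAgreements =
      projectCache.getAllProjects().getConfig().getContributorAgreements().values();
  // Groups whose membership proves acceptance of an agreement that applies to this project.
  List<UUID> okGroupIds = new ArrayList<>();
  for (ContributorAgreement ca : contributorAgreements) {
    // matchProjects defaults to match all projects when missing.
    List<String> matchProjectsRegexes = ca.getMatchProjectsRegexes();
    if (!matchProjectsRegexes.isEmpty()
        && !projectMatchesAnyPattern(project.get(), matchProjectsRegexes)) {
      continue; // agreement does not cover this project
    }
    // excludeProjects defaults to exclude no projects when missing.
    List<String> excludeProjectsRegexes = ca.getExcludeProjectsRegexes();
    if (!excludeProjectsRegexes.isEmpty()
        && projectMatchesAnyPattern(project.get(), excludeProjectsRegexes)) {
      continue; // agreement explicitly excludes this project
    }
    // Only ALLOW rules with a resolvable group UUID grant acceptance; any other rule is ignored.
    for (PermissionRule rule : ca.getAccepted()) {
      if (rule.getAction() == Action.ALLOW
          && rule.getGroup() != null
          && rule.getGroup().getUUID() != null) {
        okGroupIds.add(AccountGroup.uuid(rule.getGroup().getUUID().get()));
      }
    }
  }
  if (!okGroupIds.isEmpty() && !iUser.getEffectiveGroups().containsAnyOf(okGroupIds)) {
    String msg =
        "No Contributor Agreement on file for user "
            + iUser.getNameEmail()
            + " (id="
            + iUser.getAccountId()
            + ")"
            + urlFormatter.get().getSettingsUrl("Agreements").orElse("");
    throw new AuthException(msg);
  }
}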