
Example 6 with PermissionRule

use of com.google.gerrit.entities.PermissionRule in project gerrit by GerritCodeReview.

the class ContributorAgreementsChecker method check.

/**
 * Verifies that the user is covered by a contributor agreement that applies to the project.
 *
 * <p>The check is skipped entirely when the project does not have {@code
 * USE_CONTRIBUTOR_AGREEMENTS} enabled. Agreements are read from the All-Projects configuration.
 * An agreement applies when its matchProjects patterns are empty or match the project name, and
 * its excludeProjects patterns are empty or do not match it. The user passes when they are a
 * member of at least one group granted by an {@code ALLOW} rule of an applicable agreement.
 *
 * <p>Rules without a group or without a group UUID are ignored. If no group is collected at all,
 * the method returns normally without looking at the user's memberships.
 *
 * @param project the project the user wants to contribute to
 * @param user the user to check; must be an identified user when agreements are enforced
 * @throws AuthException if the user is not logged in, or has not signed a contributor agreement
 *     for the project
 * @throws IOException if project states could not be loaded
 */
public void check(Project.NameKey project, CurrentUser user) throws IOException, AuthException {
    metrics.claCheckCount.increment();
    ProjectState state = projectCache.get(project).orElseThrow(() -> new IOException("Can't load " + project));
    boolean agreementsRequired = state.is(BooleanProjectConfig.USE_CONTRIBUTOR_AGREEMENTS);
    if (!agreementsRequired) {
        return;
    }
    if (!user.isIdentifiedUser()) {
        throw new AuthException("Must be logged in to verify Contributor Agreement");
    }
    IdentifiedUser identified = user.asIdentifiedUser();
    // Groups whose members count as having signed an agreement covering this project.
    List<UUID> acceptedGroupIds = new ArrayList<>();
    for (ContributorAgreement agreement : projectCache.getAllProjects().getConfig().getContributorAgreements().values()) {
        // A missing matchProjects list means the agreement covers every project.
        List<String> includePatterns = agreement.getMatchProjectsRegexes();
        boolean included = includePatterns.isEmpty() || projectMatchesAnyPattern(project.get(), includePatterns);
        if (!included) {
            continue;
        }
        // A missing excludeProjects list means no project is excluded.
        List<String> excludePatterns = agreement.getExcludeProjectsRegexes();
        boolean excluded = !excludePatterns.isEmpty() && projectMatchesAnyPattern(project.get(), excludePatterns);
        if (excluded) {
            continue;
        }
        for (PermissionRule accepted : agreement.getAccepted()) {
            // Only ALLOW rules that name a group with a UUID contribute a group.
            if (accepted.getAction() != Action.ALLOW) {
                continue;
            }
            if (accepted.getGroup() == null || accepted.getGroup().getUUID() == null) {
                continue;
            }
            acceptedGroupIds.add(AccountGroup.uuid(accepted.getGroup().getUUID().get()));
        }
    }
    // NOTE(review): an empty group list lets the user through even though agreements are enabled
    // for the project (no applicable agreement, or none with a usable ALLOW rule). Confirm this
    // fail-open outcome is intended for misconfigured sites.
    if (acceptedGroupIds.isEmpty()) {
        return;
    }
    if (identified.getEffectiveGroups().containsAnyOf(acceptedGroupIds)) {
        return;
    }
    // The message names the user's own name/email and account id, followed directly by the
    // settings URL when one is available.
    String message = "No Contributor Agreement on file for user " + identified.getNameEmail() + " (id=" + identified.getAccountId() + ")" + urlFormatter.get().getSettingsUrl("Agreements").orElse("");
    throw new AuthException(message);
}
Also used : PermissionRule(com.google.gerrit.entities.PermissionRule) ArrayList(java.util.ArrayList) AuthException(com.google.gerrit.extensions.restapi.AuthException) IOException(java.io.IOException) IdentifiedUser(com.google.gerrit.server.IdentifiedUser) ContributorAgreement(com.google.gerrit.entities.ContributorAgreement) UUID(com.google.gerrit.entities.AccountGroup.UUID)

Example 7 with PermissionRule

use of com.google.gerrit.entities.PermissionRule in project gerrit by GerritCodeReview.

the class AccountLimits method toRange.

/**
 * Collapses the rules granted for a capability into a single range.
 *
 * <p>With no rules, the capability's default range from {@code GlobalCapability} is used, or
 * {@code [0, 0]} when there is no default. With rules, the result is the union of all rule
 * ranges: the smallest minimum and the largest maximum win. Both bounds start at 0, so the
 * resulting range always contains 0.
 *
 * @param permissionName name of the capability the range belongs to
 * @param ruleList rules that apply to the user for that capability
 * @return the combined range
 */
private static PermissionRange toRange(String permissionName, List<PermissionRule> ruleList) {
    int lowest = 0;
    int highest = 0;
    if (!ruleList.isEmpty()) {
        // Widest grant wins: every matching rule can only extend the range.
        for (PermissionRule granted : ruleList) {
            lowest = Math.min(lowest, granted.getMin());
            highest = Math.max(highest, granted.getMax());
        }
        return new PermissionRange(permissionName, lowest, highest);
    }
    PermissionRange.WithDefaults fallback = GlobalCapability.getRange(permissionName);
    if (fallback != null) {
        lowest = fallback.getDefaultMin();
        highest = fallback.getDefaultMax();
    }
    return new PermissionRange(permissionName, lowest, highest);
}
Also used : PermissionRange(com.google.gerrit.entities.PermissionRange) PermissionRule(com.google.gerrit.entities.PermissionRule)

Example 8 with PermissionRule

use of com.google.gerrit.entities.PermissionRule in project gerrit by GerritCodeReview.

the class AccountLimits method getQueueType.

/**
 * Returns which priority queue the user's tasks should be submitted to.
 *
 * <p>An INTERACTIVE grant from a group other than Anonymous Users or Registered Users decides
 * the result immediately, even if BATCH was also granted. This lets site administrators grant
 * INTERACTIVE to Registered Users and BATCH to a group such as 'CI Servers': the CI accounts
 * land in the BATCH queue while everyone else stays in the INTERACTIVE queue without extra
 * grants. Without any matching BATCH rule the result is INTERACTIVE.
 *
 * @return the queue type selected by the priority rules matching the user's groups
 */
public QueueProvider.QueueType getQueueType() {
    GroupMembership memberships = user.getEffectiveGroups();
    boolean batchGranted = false;
    for (PermissionRule rule : capabilities.priority) {
        if (!match(memberships, rule)) {
            continue;
        }
        switch (rule.getAction()) {
            case INTERACTIVE:
                // An INTERACTIVE grant from the two generic system groups does not override BATCH.
                if (!SystemGroupBackend.isAnonymousOrRegistered(rule.getGroup())) {
                    return QueueProvider.QueueType.INTERACTIVE;
                }
                break;
            case BATCH:
                batchGranted = true;
                break;
            case ALLOW:
            case BLOCK:
            case DENY:
                // These actions do not influence queue selection.
                break;
        }
    }
    // If any of our groups matched to the BATCH queue, use it; otherwise stay interactive.
    return batchGranted ? QueueProvider.QueueType.BATCH : QueueProvider.QueueType.INTERACTIVE;
}
Also used : PermissionRule(com.google.gerrit.entities.PermissionRule)

Example 9 with PermissionRule

use of com.google.gerrit.entities.PermissionRule in project gerrit by GerritCodeReview.

the class ProjectConfig method replace.

/**
 * Stores the given contributor agreement under its name, replacing any entry with that name.
 *
 * <p>The auto-verify group and the group of every accepted rule are passed through {@code
 * resolve} before the agreement is stored; the stored agreement is a rebuilt copy, not the
 * instance passed in.
 *
 * @param section the contributor agreement to store
 */
public void replace(ContributorAgreement section) {
    ContributorAgreement.Builder updated = section.toBuilder();
    updated.setAutoVerify(resolve(section.getAutoVerify()));
    // Rebuild each accepted rule so that it carries the resolved group reference.
    ImmutableList.Builder<PermissionRule> resolvedRules = ImmutableList.builder();
    for (PermissionRule accepted : section.getAccepted()) {
        resolvedRules.add(accepted.toBuilder().setGroup(resolve(accepted.getGroup())).build());
    }
    updated.setAccepted(resolvedRules.build());
    contributorAgreements.put(section.getName(), updated.build());
}
Also used : PermissionRule(com.google.gerrit.entities.PermissionRule) ImmutableList.toImmutableList(com.google.common.collect.ImmutableList.toImmutableList) ImmutableList(com.google.common.collect.ImmutableList) ContributorAgreement(com.google.gerrit.entities.ContributorAgreement)

Example 10 with PermissionRule

use of com.google.gerrit.entities.PermissionRule in project gerrit by GerritCodeReview.

the class ProjectConfig method loadPermissionRules.

/**
 * Parses the rule strings stored under the given config variable and adds them to {@code perm}.
 *
 * <p>A string that {@code PermissionRule.fromString} rejects is reported through {@code error}
 * and skipped. A rule whose group name is not found in the group list is still added, with a
 * reference obtained from {@code groupList.resolve}, and an error is reported for it.
 *
 * @param rc config to read the rule strings from
 * @param section config section name
 * @param subsection config subsection name, may be {@code null}
 * @param varName config variable holding the rule strings
 * @param perm permission builder that receives the parsed rules
 * @param useRange passed to {@code PermissionRule.fromString}
 */
private void loadPermissionRules(Config rc, String section, String subsection, String varName, Permission.Builder perm, boolean useRange) {
    for (String rawRule : rc.getStringList(section, subsection, varName)) {
        PermissionRule parsed;
        try {
            parsed = PermissionRule.fromString(rawRule, useRange);
        } catch (IllegalArgumentException notRule) {
            // Report the malformed entry and keep loading the remaining rules.
            String location = subsection == null ? section : section + "." + subsection;
            error(String.format("Invalid rule in %s.%s: %s", location, varName, notRule.getMessage()));
            continue;
        }
        GroupReference pooled = groupList.byName(parsed.getGroup().getName());
        if (pooled == null) {
            // The group wasn't mentioned in the groups table, so there is
            // no valid UUID for it. Pool the reference anyway so at least
            // all rules in the same file share the same GroupReference.
            // NOTE(review): the rule is still added below; whether the reported
            // error blocks the config from being used is decided outside this method.
            pooled = groupList.resolve(parsed.getGroup());
            error(String.format("group \"%s\" not in %s", pooled.getName(), GroupList.FILE_NAME));
        }
        perm.add(parsed.toBuilder().setGroup(pooled));
    }
}
Also used : PermissionRule(com.google.gerrit.entities.PermissionRule) GroupReference(com.google.gerrit.entities.GroupReference)

Aggregations

PermissionRule (com.google.gerrit.entities.PermissionRule)18 Permission (com.google.gerrit.entities.Permission)7 ArrayList (java.util.ArrayList)6 AccessSection (com.google.gerrit.entities.AccessSection)5 ContributorAgreement (com.google.gerrit.entities.ContributorAgreement)4 GroupReference (com.google.gerrit.entities.GroupReference)3 AuthException (com.google.gerrit.extensions.restapi.AuthException)3 HashSet (java.util.HashSet)3 ImmutableList (com.google.common.collect.ImmutableList)2 AccountGroup (com.google.gerrit.entities.AccountGroup)2 PermissionRange (com.google.gerrit.entities.PermissionRange)2 IdentifiedUser (com.google.gerrit.server.IdentifiedUser)2 MetaDataUpdate (com.google.gerrit.server.git.meta.MetaDataUpdate)2 GlobalPermission (com.google.gerrit.server.permissions.GlobalPermission)2 ProjectPermission (com.google.gerrit.server.permissions.ProjectPermission)2 RefPermission (com.google.gerrit.server.permissions.RefPermission)2 ProjectConfig (com.google.gerrit.server.project.ProjectConfig)2 ProjectState (com.google.gerrit.server.project.ProjectState)2 IOException (java.io.IOException)2 List (java.util.List)2