use of com.google.gerrit.extensions.restapi.AuthException in project gerrit by GerritCodeReview.
the class SetAccess method apply.
@Override
public ProjectAccessInfo apply(ProjectResource rsrc, ProjectAccessInput input) throws ResourceNotFoundException, ResourceConflictException, IOException, AuthException, BadRequestException, UnprocessableEntityException, PermissionBackendException {
List<AccessSection> removals = getAccessSections(input.remove);
List<AccessSection> additions = getAccessSections(input.add);
MetaDataUpdate.User metaDataUpdateUser = metaDataUpdateFactory.get();
ProjectControl projectControl = rsrc.getControl();
ProjectConfig config;
Project.NameKey newParentProjectName = input.parent == null ? null : new Project.NameKey(input.parent);
try (MetaDataUpdate md = metaDataUpdateUser.create(rsrc.getNameKey())) {
config = ProjectConfig.read(md);
// Perform removal checks
for (AccessSection section : removals) {
boolean isGlobalCapabilities = AccessSection.GLOBAL_CAPABILITIES.equals(section.getName());
if (isGlobalCapabilities) {
checkGlobalCapabilityPermissions(config.getName());
} else if (!projectControl.controlForRef(section.getName()).isOwner()) {
throw new AuthException("You are not allowed to edit permissionsfor ref: " + section.getName());
}
}
// Perform addition checks
for (AccessSection section : additions) {
String name = section.getName();
boolean isGlobalCapabilities = AccessSection.GLOBAL_CAPABILITIES.equals(name);
if (isGlobalCapabilities) {
checkGlobalCapabilityPermissions(config.getName());
} else {
if (!AccessSection.isValid(name)) {
throw new BadRequestException("invalid section name");
}
if (!projectControl.controlForRef(name).isOwner()) {
throw new AuthException("You are not allowed to edit permissionsfor ref: " + name);
}
RefPattern.validate(name);
}
// Check all permissions for soundness
for (Permission p : section.getPermissions()) {
if (isGlobalCapabilities && !GlobalCapability.isCapability(p.getName())) {
throw new BadRequestException("Cannot add non-global capability " + p.getName() + " to global capabilities");
}
}
}
// Apply removals
for (AccessSection section : removals) {
if (section.getPermissions().isEmpty()) {
// Remove entire section
config.remove(config.getAccessSection(section.getName()));
}
// Remove specific permissions
for (Permission p : section.getPermissions()) {
if (p.getRules().isEmpty()) {
config.remove(config.getAccessSection(section.getName()), p);
} else {
for (PermissionRule r : p.getRules()) {
config.remove(config.getAccessSection(section.getName()), p, r);
}
}
}
}
// Apply additions
for (AccessSection section : additions) {
AccessSection currentAccessSection = config.getAccessSection(section.getName());
if (currentAccessSection == null) {
// Add AccessSection
config.replace(section);
} else {
for (Permission p : section.getPermissions()) {
Permission currentPermission = currentAccessSection.getPermission(p.getName());
if (currentPermission == null) {
// Add Permission
currentAccessSection.addPermission(p);
} else {
for (PermissionRule r : p.getRules()) {
// AddPermissionRule
currentPermission.add(r);
}
}
}
}
}
if (newParentProjectName != null && !config.getProject().getNameKey().equals(allProjects) && !config.getProject().getParent(allProjects).equals(newParentProjectName)) {
try {
setParent.get().validateParentUpdate(projectControl, MoreObjects.firstNonNull(newParentProjectName, allProjects).get(), true);
} catch (UnprocessableEntityException e) {
throw new ResourceConflictException(e.getMessage(), e);
}
config.getProject().setParentName(newParentProjectName);
}
if (!Strings.isNullOrEmpty(input.message)) {
if (!input.message.endsWith("\n")) {
input.message += "\n";
}
md.setMessage(input.message);
} else {
md.setMessage("Modify access rules\n");
}
config.commit(md);
projectCache.evict(config.getProject());
} catch (InvalidNameException e) {
throw new BadRequestException(e.toString());
} catch (ConfigInvalidException e) {
throw new ResourceConflictException(rsrc.getName());
}
return getAccess.apply(rsrc.getNameKey());
}
use of com.google.gerrit.extensions.restapi.AuthException in project gerrit by GerritCodeReview.
the class DeleteExternalIds method apply.
@Override
public Response<?> apply(AccountResource resource, List<String> extIds) throws RestApiException, IOException, OrmException, ConfigInvalidException {
if (self.get() != resource.getUser() && !self.get().getCapabilities().canAccessDatabase()) {
throw new AuthException("not allowed to delete external IDs");
}
if (extIds == null || extIds.size() == 0) {
throw new BadRequestException("external IDs are required");
}
Map<ExternalId.Key, ExternalId> externalIdMap = externalIds.byAccount(resource.getUser().getAccountId()).stream().collect(toMap(i -> i.key(), i -> i));
List<ExternalId> toDelete = new ArrayList<>();
ExternalId.Key last = resource.getUser().getLastLoginExternalIdKey();
for (String externalIdStr : extIds) {
ExternalId id = externalIdMap.get(ExternalId.Key.parse(externalIdStr));
if (id == null) {
throw new UnprocessableEntityException(String.format("External id %s does not exist", externalIdStr));
}
if ((!id.isScheme(SCHEME_USERNAME)) && ((last == null) || (!last.get().equals(id.key().get())))) {
toDelete.add(id);
} else {
throw new ResourceConflictException(String.format("External id %s cannot be deleted", externalIdStr));
}
}
try {
for (ExternalId extId : toDelete) {
AuthRequest authRequest = new AuthRequest(extId.key());
authRequest.setEmailAddress(extId.email());
accountManager.unlink(extId.accountId(), authRequest);
}
} catch (AccountException e) {
throw new ResourceConflictException(e.getMessage());
}
return Response.none();
}
use of com.google.gerrit.extensions.restapi.AuthException in project gerrit by GerritCodeReview.
the class GetAgreements method apply.
@Override
public List<AgreementInfo> apply(AccountResource resource) throws RestApiException {
if (!agreementsEnabled) {
throw new MethodNotAllowedException("contributor agreements disabled");
}
if (!self.get().isIdentifiedUser()) {
throw new AuthException("not allowed to get contributor agreements");
}
IdentifiedUser user = self.get().asIdentifiedUser();
if (user != resource.getUser()) {
throw new AuthException("not allowed to get contributor agreements");
}
List<AgreementInfo> results = new ArrayList<>();
Collection<ContributorAgreement> cas = projectCache.getAllProjects().getConfig().getContributorAgreements();
for (ContributorAgreement ca : cas) {
List<AccountGroup.UUID> groupIds = new ArrayList<>();
for (PermissionRule rule : ca.getAccepted()) {
if ((rule.getAction() == Action.ALLOW) && (rule.getGroup() != null)) {
if (rule.getGroup().getUUID() != null) {
groupIds.add(rule.getGroup().getUUID());
} else {
log.warn("group \"" + rule.getGroup().getName() + "\" does not " + "exist, referenced in CLA \"" + ca.getName() + "\"");
}
}
}
if (user.getEffectiveGroups().containsAnyOf(groupIds)) {
results.add(agreementJson.format(ca));
}
}
return results;
}
use of com.google.gerrit.extensions.restapi.AuthException in project gerrit by GerritCodeReview.
the class ReceiveCommits method parseCommands.
private void parseCommands(Collection<ReceiveCommand> commands) throws PermissionBackendException {
List<String> optionList = rp.getPushOptions();
if (optionList != null) {
for (String option : optionList) {
int e = option.indexOf('=');
if (e > 0) {
pushOptions.put(option.substring(0, e), option.substring(e + 1));
} else {
pushOptions.put(option, "");
}
}
}
logDebug("Parsing {} commands", commands.size());
for (ReceiveCommand cmd : commands) {
if (cmd.getResult() != NOT_ATTEMPTED) {
// Already rejected by the core receive process.
logDebug("Already processed by core: {} {}", cmd.getResult(), cmd);
continue;
}
if (!Repository.isValidRefName(cmd.getRefName()) || cmd.getRefName().contains("//")) {
reject(cmd, "not valid ref");
continue;
}
if (MagicBranch.isMagicBranch(cmd.getRefName())) {
parseMagicBranch(cmd);
continue;
}
if (projectControl.getProjectState().isAllUsers() && RefNames.REFS_USERS_SELF.equals(cmd.getRefName())) {
String newName = RefNames.refsUsers(user.getAccountId());
logDebug("Swapping out command for {} to {}", RefNames.REFS_USERS_SELF, newName);
final ReceiveCommand orgCmd = cmd;
cmd = new ReceiveCommand(cmd.getOldId(), cmd.getNewId(), newName, cmd.getType()) {
@Override
public void setResult(Result s, String m) {
super.setResult(s, m);
orgCmd.setResult(s, m);
}
};
}
Matcher m = NEW_PATCHSET.matcher(cmd.getRefName());
if (m.matches()) {
// The referenced change must exist and must still be open.
//
Change.Id changeId = Change.Id.parse(m.group(1));
parseReplaceCommand(cmd, changeId);
continue;
}
switch(cmd.getType()) {
case CREATE:
parseCreate(cmd);
break;
case UPDATE:
parseUpdate(cmd);
break;
case DELETE:
parseDelete(cmd);
break;
case UPDATE_NONFASTFORWARD:
parseRewind(cmd);
break;
default:
reject(cmd, "prohibited by Gerrit: unknown command type " + cmd.getType());
continue;
}
if (cmd.getResult() != NOT_ATTEMPTED) {
continue;
}
if (isConfig(cmd)) {
logDebug("Processing {} command", cmd.getRefName());
if (!projectControl.isOwner()) {
reject(cmd, "not project owner");
continue;
}
switch(cmd.getType()) {
case CREATE:
case UPDATE:
case UPDATE_NONFASTFORWARD:
try {
ProjectConfig cfg = new ProjectConfig(project.getNameKey());
cfg.load(rp.getRevWalk(), cmd.getNewId());
if (!cfg.getValidationErrors().isEmpty()) {
addError("Invalid project configuration:");
for (ValidationError err : cfg.getValidationErrors()) {
addError(" " + err.getMessage());
}
reject(cmd, "invalid project configuration");
logError("User " + user.getUserName() + " tried to push invalid project configuration " + cmd.getNewId().name() + " for " + project.getName());
continue;
}
Project.NameKey newParent = cfg.getProject().getParent(allProjectsName);
Project.NameKey oldParent = project.getParent(allProjectsName);
if (oldParent == null) {
// update of the 'All-Projects' project
if (newParent != null) {
reject(cmd, "invalid project configuration: root project cannot have parent");
continue;
}
} else {
if (!oldParent.equals(newParent)) {
try {
permissionBackend.user(user).check(GlobalPermission.ADMINISTRATE_SERVER);
} catch (AuthException e) {
reject(cmd, "invalid project configuration: only Gerrit admin can set parent");
continue;
}
}
if (projectCache.get(newParent) == null) {
reject(cmd, "invalid project configuration: parent does not exist");
continue;
}
}
for (Entry<ProjectConfigEntry> e : pluginConfigEntries) {
PluginConfig pluginCfg = cfg.getPluginConfig(e.getPluginName());
ProjectConfigEntry configEntry = e.getProvider().get();
String value = pluginCfg.getString(e.getExportName());
String oldValue = projectControl.getProjectState().getConfig().getPluginConfig(e.getPluginName()).getString(e.getExportName());
if (configEntry.getType() == ProjectConfigEntryType.ARRAY) {
oldValue = Arrays.stream(projectControl.getProjectState().getConfig().getPluginConfig(e.getPluginName()).getStringList(e.getExportName())).collect(joining("\n"));
}
if ((value == null ? oldValue != null : !value.equals(oldValue)) && !configEntry.isEditable(projectControl.getProjectState())) {
reject(cmd, String.format("invalid project configuration: Not allowed to set parameter" + " '%s' of plugin '%s' on project '%s'.", e.getExportName(), e.getPluginName(), project.getName()));
continue;
}
if (ProjectConfigEntryType.LIST.equals(configEntry.getType()) && value != null && !configEntry.getPermittedValues().contains(value)) {
reject(cmd, String.format("invalid project configuration: The value '%s' is " + "not permitted for parameter '%s' of plugin '%s'.", value, e.getExportName(), e.getPluginName()));
}
}
} catch (Exception e) {
reject(cmd, "invalid project configuration");
logError("User " + user.getUserName() + " tried to push invalid project configuration " + cmd.getNewId().name() + " for " + project.getName(), e);
continue;
}
break;
case DELETE:
break;
default:
reject(cmd, "prohibited by Gerrit: don't know how to handle config update of type " + cmd.getType());
continue;
}
}
}
}
use of com.google.gerrit.extensions.restapi.AuthException in project gerrit by GerritCodeReview.
the class CreateTag method apply.
@Override
public TagInfo apply(ProjectResource resource, TagInput input) throws RestApiException, IOException, PermissionBackendException {
if (input == null) {
input = new TagInput();
}
if (input.ref != null && !ref.equals(input.ref)) {
throw new BadRequestException("ref must match URL");
}
if (input.revision == null) {
input.revision = Constants.HEAD;
}
ref = RefUtil.normalizeTagRef(ref);
RefControl refControl = resource.getControl().controlForRef(ref);
PermissionBackend.ForRef perm = permissionBackend.user(identifiedUser).project(resource.getNameKey()).ref(ref);
try (Repository repo = repoManager.openRepository(resource.getNameKey())) {
ObjectId revid = RefUtil.parseBaseRevision(repo, resource.getNameKey(), input.revision);
RevWalk rw = RefUtil.verifyConnected(repo, revid);
RevObject object = rw.parseAny(revid);
rw.reset();
boolean isAnnotated = Strings.emptyToNull(input.message) != null;
boolean isSigned = isAnnotated && input.message.contains("-----BEGIN PGP SIGNATURE-----\n");
if (isSigned) {
throw new MethodNotAllowedException("Cannot create signed tag \"" + ref + "\"");
} else if (isAnnotated && !refControl.canPerform(Permission.CREATE_TAG)) {
throw new AuthException("Cannot create annotated tag \"" + ref + "\"");
} else {
perm.check(RefPermission.CREATE);
}
if (repo.getRefDatabase().exactRef(ref) != null) {
throw new ResourceConflictException("tag \"" + ref + "\" already exists");
}
try (Git git = new Git(repo)) {
TagCommand tag = git.tag().setObjectId(object).setName(ref.substring(R_TAGS.length())).setAnnotated(isAnnotated).setSigned(isSigned);
if (isAnnotated) {
tag.setMessage(input.message).setTagger(identifiedUser.get().newCommitterIdent(TimeUtil.nowTs(), TimeZone.getDefault()));
}
Ref result = tag.call();
tagCache.updateFastForward(resource.getNameKey(), ref, ObjectId.zeroId(), result.getObjectId());
referenceUpdated.fire(resource.getNameKey(), ref, ObjectId.zeroId(), result.getObjectId(), identifiedUser.get().getAccount());
try (RevWalk w = new RevWalk(repo)) {
return ListTags.createTagInfo(perm, result, w);
}
}
} catch (InvalidRevisionException e) {
throw new BadRequestException("Invalid base revision");
} catch (GitAPIException e) {
log.error("Cannot create tag \"" + ref + "\"", e);
throw new IOException(e);
}
}
Aggregations