Search in sources :

Example 11 with AuthException

use of com.google.gerrit.extensions.restapi.AuthException in project gerrit by GerritCodeReview.

the class SetAccess method apply.

@Override
public ProjectAccessInfo apply(ProjectResource rsrc, ProjectAccessInput input) throws ResourceNotFoundException, ResourceConflictException, IOException, AuthException, BadRequestException, UnprocessableEntityException, PermissionBackendException {
    List<AccessSection> removals = getAccessSections(input.remove);
    List<AccessSection> additions = getAccessSections(input.add);
    MetaDataUpdate.User metaDataUpdateUser = metaDataUpdateFactory.get();
    ProjectControl projectControl = rsrc.getControl();
    ProjectConfig config;
    Project.NameKey newParentProjectName = input.parent == null ? null : new Project.NameKey(input.parent);
    try (MetaDataUpdate md = metaDataUpdateUser.create(rsrc.getNameKey())) {
        config = ProjectConfig.read(md);
        // Perform removal checks
        for (AccessSection section : removals) {
            boolean isGlobalCapabilities = AccessSection.GLOBAL_CAPABILITIES.equals(section.getName());
            if (isGlobalCapabilities) {
                checkGlobalCapabilityPermissions(config.getName());
            } else if (!projectControl.controlForRef(section.getName()).isOwner()) {
                throw new AuthException("You are not allowed to edit permissionsfor ref: " + section.getName());
            }
        }
        // Perform addition checks
        for (AccessSection section : additions) {
            String name = section.getName();
            boolean isGlobalCapabilities = AccessSection.GLOBAL_CAPABILITIES.equals(name);
            if (isGlobalCapabilities) {
                checkGlobalCapabilityPermissions(config.getName());
            } else {
                if (!AccessSection.isValid(name)) {
                    throw new BadRequestException("invalid section name");
                }
                if (!projectControl.controlForRef(name).isOwner()) {
                    throw new AuthException("You are not allowed to edit permissionsfor ref: " + name);
                }
                RefPattern.validate(name);
            }
            // Check all permissions for soundness
            for (Permission p : section.getPermissions()) {
                if (isGlobalCapabilities && !GlobalCapability.isCapability(p.getName())) {
                    throw new BadRequestException("Cannot add non-global capability " + p.getName() + " to global capabilities");
                }
            }
        }
        // Apply removals
        for (AccessSection section : removals) {
            if (section.getPermissions().isEmpty()) {
                // Remove entire section
                config.remove(config.getAccessSection(section.getName()));
            }
            // Remove specific permissions
            for (Permission p : section.getPermissions()) {
                if (p.getRules().isEmpty()) {
                    config.remove(config.getAccessSection(section.getName()), p);
                } else {
                    for (PermissionRule r : p.getRules()) {
                        config.remove(config.getAccessSection(section.getName()), p, r);
                    }
                }
            }
        }
        // Apply additions
        for (AccessSection section : additions) {
            AccessSection currentAccessSection = config.getAccessSection(section.getName());
            if (currentAccessSection == null) {
                // Add AccessSection
                config.replace(section);
            } else {
                for (Permission p : section.getPermissions()) {
                    Permission currentPermission = currentAccessSection.getPermission(p.getName());
                    if (currentPermission == null) {
                        // Add Permission
                        currentAccessSection.addPermission(p);
                    } else {
                        for (PermissionRule r : p.getRules()) {
                            // AddPermissionRule
                            currentPermission.add(r);
                        }
                    }
                }
            }
        }
        if (newParentProjectName != null && !config.getProject().getNameKey().equals(allProjects) && !config.getProject().getParent(allProjects).equals(newParentProjectName)) {
            try {
                setParent.get().validateParentUpdate(projectControl, MoreObjects.firstNonNull(newParentProjectName, allProjects).get(), true);
            } catch (UnprocessableEntityException e) {
                throw new ResourceConflictException(e.getMessage(), e);
            }
            config.getProject().setParentName(newParentProjectName);
        }
        if (!Strings.isNullOrEmpty(input.message)) {
            if (!input.message.endsWith("\n")) {
                input.message += "\n";
            }
            md.setMessage(input.message);
        } else {
            md.setMessage("Modify access rules\n");
        }
        config.commit(md);
        projectCache.evict(config.getProject());
    } catch (InvalidNameException e) {
        throw new BadRequestException(e.toString());
    } catch (ConfigInvalidException e) {
        throw new ResourceConflictException(rsrc.getName());
    }
    return getAccess.apply(rsrc.getNameKey());
}
Also used : UnprocessableEntityException(com.google.gerrit.extensions.restapi.UnprocessableEntityException) ConfigInvalidException(org.eclipse.jgit.errors.ConfigInvalidException) PermissionRule(com.google.gerrit.common.data.PermissionRule) AuthException(com.google.gerrit.extensions.restapi.AuthException) AccessSection(com.google.gerrit.common.data.AccessSection) ProjectConfig(com.google.gerrit.server.git.ProjectConfig) Project(com.google.gerrit.reviewdb.client.Project) ResourceConflictException(com.google.gerrit.extensions.restapi.ResourceConflictException) InvalidNameException(com.google.gerrit.common.errors.InvalidNameException) GlobalPermission(com.google.gerrit.server.permissions.GlobalPermission) Permission(com.google.gerrit.common.data.Permission) BadRequestException(com.google.gerrit.extensions.restapi.BadRequestException) MetaDataUpdate(com.google.gerrit.server.git.MetaDataUpdate)

Example 12 with AuthException

use of com.google.gerrit.extensions.restapi.AuthException in project gerrit by GerritCodeReview.

the class DeleteExternalIds method apply.

@Override
public Response<?> apply(AccountResource resource, List<String> extIds) throws RestApiException, IOException, OrmException, ConfigInvalidException {
    if (self.get() != resource.getUser() && !self.get().getCapabilities().canAccessDatabase()) {
        throw new AuthException("not allowed to delete external IDs");
    }
    if (extIds == null || extIds.size() == 0) {
        throw new BadRequestException("external IDs are required");
    }
    Map<ExternalId.Key, ExternalId> externalIdMap = externalIds.byAccount(resource.getUser().getAccountId()).stream().collect(toMap(i -> i.key(), i -> i));
    List<ExternalId> toDelete = new ArrayList<>();
    ExternalId.Key last = resource.getUser().getLastLoginExternalIdKey();
    for (String externalIdStr : extIds) {
        ExternalId id = externalIdMap.get(ExternalId.Key.parse(externalIdStr));
        if (id == null) {
            throw new UnprocessableEntityException(String.format("External id %s does not exist", externalIdStr));
        }
        if ((!id.isScheme(SCHEME_USERNAME)) && ((last == null) || (!last.get().equals(id.key().get())))) {
            toDelete.add(id);
        } else {
            throw new ResourceConflictException(String.format("External id %s cannot be deleted", externalIdStr));
        }
    }
    try {
        for (ExternalId extId : toDelete) {
            AuthRequest authRequest = new AuthRequest(extId.key());
            authRequest.setEmailAddress(extId.email());
            accountManager.unlink(extId.accountId(), authRequest);
        }
    } catch (AccountException e) {
        throw new ResourceConflictException(e.getMessage());
    }
    return Response.none();
}
Also used : CurrentUser(com.google.gerrit.server.CurrentUser) OrmException(com.google.gwtorm.server.OrmException) ConfigInvalidException(org.eclipse.jgit.errors.ConfigInvalidException) UnprocessableEntityException(com.google.gerrit.extensions.restapi.UnprocessableEntityException) Inject(com.google.inject.Inject) IOException(java.io.IOException) BadRequestException(com.google.gerrit.extensions.restapi.BadRequestException) Response(com.google.gerrit.extensions.restapi.Response) ExternalIds(com.google.gerrit.server.account.externalids.ExternalIds) ArrayList(java.util.ArrayList) RestModifyView(com.google.gerrit.extensions.restapi.RestModifyView) Provider(com.google.inject.Provider) List(java.util.List) Collectors.toMap(java.util.stream.Collectors.toMap) SCHEME_USERNAME(com.google.gerrit.server.account.externalids.ExternalId.SCHEME_USERNAME) ResourceConflictException(com.google.gerrit.extensions.restapi.ResourceConflictException) Map(java.util.Map) AuthException(com.google.gerrit.extensions.restapi.AuthException) ExternalId(com.google.gerrit.server.account.externalids.ExternalId) RestApiException(com.google.gerrit.extensions.restapi.RestApiException) UnprocessableEntityException(com.google.gerrit.extensions.restapi.UnprocessableEntityException) ExternalId(com.google.gerrit.server.account.externalids.ExternalId) ArrayList(java.util.ArrayList) AuthException(com.google.gerrit.extensions.restapi.AuthException) ResourceConflictException(com.google.gerrit.extensions.restapi.ResourceConflictException) BadRequestException(com.google.gerrit.extensions.restapi.BadRequestException)

Example 13 with AuthException

use of com.google.gerrit.extensions.restapi.AuthException in project gerrit by GerritCodeReview.

the class GetAgreements method apply.

@Override
public List<AgreementInfo> apply(AccountResource resource) throws RestApiException {
    if (!agreementsEnabled) {
        throw new MethodNotAllowedException("contributor agreements disabled");
    }
    if (!self.get().isIdentifiedUser()) {
        throw new AuthException("not allowed to get contributor agreements");
    }
    IdentifiedUser user = self.get().asIdentifiedUser();
    if (user != resource.getUser()) {
        throw new AuthException("not allowed to get contributor agreements");
    }
    List<AgreementInfo> results = new ArrayList<>();
    Collection<ContributorAgreement> cas = projectCache.getAllProjects().getConfig().getContributorAgreements();
    for (ContributorAgreement ca : cas) {
        List<AccountGroup.UUID> groupIds = new ArrayList<>();
        for (PermissionRule rule : ca.getAccepted()) {
            if ((rule.getAction() == Action.ALLOW) && (rule.getGroup() != null)) {
                if (rule.getGroup().getUUID() != null) {
                    groupIds.add(rule.getGroup().getUUID());
                } else {
                    log.warn("group \"" + rule.getGroup().getName() + "\" does not " + "exist, referenced in CLA \"" + ca.getName() + "\"");
                }
            }
        }
        if (user.getEffectiveGroups().containsAnyOf(groupIds)) {
            results.add(agreementJson.format(ca));
        }
    }
    return results;
}
Also used : MethodNotAllowedException(com.google.gerrit.extensions.restapi.MethodNotAllowedException) PermissionRule(com.google.gerrit.common.data.PermissionRule) AgreementInfo(com.google.gerrit.extensions.common.AgreementInfo) ContributorAgreement(com.google.gerrit.common.data.ContributorAgreement) ArrayList(java.util.ArrayList) AuthException(com.google.gerrit.extensions.restapi.AuthException) IdentifiedUser(com.google.gerrit.server.IdentifiedUser)

Example 14 with AuthException

use of com.google.gerrit.extensions.restapi.AuthException in project gerrit by GerritCodeReview.

the class ReceiveCommits method parseCommands.

private void parseCommands(Collection<ReceiveCommand> commands) throws PermissionBackendException {
    List<String> optionList = rp.getPushOptions();
    if (optionList != null) {
        for (String option : optionList) {
            int e = option.indexOf('=');
            if (e > 0) {
                pushOptions.put(option.substring(0, e), option.substring(e + 1));
            } else {
                pushOptions.put(option, "");
            }
        }
    }
    logDebug("Parsing {} commands", commands.size());
    for (ReceiveCommand cmd : commands) {
        if (cmd.getResult() != NOT_ATTEMPTED) {
            // Already rejected by the core receive process.
            logDebug("Already processed by core: {} {}", cmd.getResult(), cmd);
            continue;
        }
        if (!Repository.isValidRefName(cmd.getRefName()) || cmd.getRefName().contains("//")) {
            reject(cmd, "not valid ref");
            continue;
        }
        if (MagicBranch.isMagicBranch(cmd.getRefName())) {
            parseMagicBranch(cmd);
            continue;
        }
        if (projectControl.getProjectState().isAllUsers() && RefNames.REFS_USERS_SELF.equals(cmd.getRefName())) {
            String newName = RefNames.refsUsers(user.getAccountId());
            logDebug("Swapping out command for {} to {}", RefNames.REFS_USERS_SELF, newName);
            final ReceiveCommand orgCmd = cmd;
            cmd = new ReceiveCommand(cmd.getOldId(), cmd.getNewId(), newName, cmd.getType()) {

                @Override
                public void setResult(Result s, String m) {
                    super.setResult(s, m);
                    orgCmd.setResult(s, m);
                }
            };
        }
        Matcher m = NEW_PATCHSET.matcher(cmd.getRefName());
        if (m.matches()) {
            // The referenced change must exist and must still be open.
            //
            Change.Id changeId = Change.Id.parse(m.group(1));
            parseReplaceCommand(cmd, changeId);
            continue;
        }
        switch(cmd.getType()) {
            case CREATE:
                parseCreate(cmd);
                break;
            case UPDATE:
                parseUpdate(cmd);
                break;
            case DELETE:
                parseDelete(cmd);
                break;
            case UPDATE_NONFASTFORWARD:
                parseRewind(cmd);
                break;
            default:
                reject(cmd, "prohibited by Gerrit: unknown command type " + cmd.getType());
                continue;
        }
        if (cmd.getResult() != NOT_ATTEMPTED) {
            continue;
        }
        if (isConfig(cmd)) {
            logDebug("Processing {} command", cmd.getRefName());
            if (!projectControl.isOwner()) {
                reject(cmd, "not project owner");
                continue;
            }
            switch(cmd.getType()) {
                case CREATE:
                case UPDATE:
                case UPDATE_NONFASTFORWARD:
                    try {
                        ProjectConfig cfg = new ProjectConfig(project.getNameKey());
                        cfg.load(rp.getRevWalk(), cmd.getNewId());
                        if (!cfg.getValidationErrors().isEmpty()) {
                            addError("Invalid project configuration:");
                            for (ValidationError err : cfg.getValidationErrors()) {
                                addError("  " + err.getMessage());
                            }
                            reject(cmd, "invalid project configuration");
                            logError("User " + user.getUserName() + " tried to push invalid project configuration " + cmd.getNewId().name() + " for " + project.getName());
                            continue;
                        }
                        Project.NameKey newParent = cfg.getProject().getParent(allProjectsName);
                        Project.NameKey oldParent = project.getParent(allProjectsName);
                        if (oldParent == null) {
                            // update of the 'All-Projects' project
                            if (newParent != null) {
                                reject(cmd, "invalid project configuration: root project cannot have parent");
                                continue;
                            }
                        } else {
                            if (!oldParent.equals(newParent)) {
                                try {
                                    permissionBackend.user(user).check(GlobalPermission.ADMINISTRATE_SERVER);
                                } catch (AuthException e) {
                                    reject(cmd, "invalid project configuration: only Gerrit admin can set parent");
                                    continue;
                                }
                            }
                            if (projectCache.get(newParent) == null) {
                                reject(cmd, "invalid project configuration: parent does not exist");
                                continue;
                            }
                        }
                        for (Entry<ProjectConfigEntry> e : pluginConfigEntries) {
                            PluginConfig pluginCfg = cfg.getPluginConfig(e.getPluginName());
                            ProjectConfigEntry configEntry = e.getProvider().get();
                            String value = pluginCfg.getString(e.getExportName());
                            String oldValue = projectControl.getProjectState().getConfig().getPluginConfig(e.getPluginName()).getString(e.getExportName());
                            if (configEntry.getType() == ProjectConfigEntryType.ARRAY) {
                                oldValue = Arrays.stream(projectControl.getProjectState().getConfig().getPluginConfig(e.getPluginName()).getStringList(e.getExportName())).collect(joining("\n"));
                            }
                            if ((value == null ? oldValue != null : !value.equals(oldValue)) && !configEntry.isEditable(projectControl.getProjectState())) {
                                reject(cmd, String.format("invalid project configuration: Not allowed to set parameter" + " '%s' of plugin '%s' on project '%s'.", e.getExportName(), e.getPluginName(), project.getName()));
                                continue;
                            }
                            if (ProjectConfigEntryType.LIST.equals(configEntry.getType()) && value != null && !configEntry.getPermittedValues().contains(value)) {
                                reject(cmd, String.format("invalid project configuration: The value '%s' is " + "not permitted for parameter '%s' of plugin '%s'.", value, e.getExportName(), e.getPluginName()));
                            }
                        }
                    } catch (Exception e) {
                        reject(cmd, "invalid project configuration");
                        logError("User " + user.getUserName() + " tried to push invalid project configuration " + cmd.getNewId().name() + " for " + project.getName(), e);
                        continue;
                    }
                    break;
                case DELETE:
                    break;
                default:
                    reject(cmd, "prohibited by Gerrit: don't know how to handle config update of type " + cmd.getType());
                    continue;
            }
        }
    }
}
Also used : ReceiveCommand(org.eclipse.jgit.transport.ReceiveCommand) Matcher(java.util.regex.Matcher) AuthException(com.google.gerrit.extensions.restapi.AuthException) Change(com.google.gerrit.reviewdb.client.Change) BadRequestException(com.google.gerrit.extensions.restapi.BadRequestException) NoSuchChangeException(com.google.gerrit.server.project.NoSuchChangeException) PermissionBackendException(com.google.gerrit.server.permissions.PermissionBackendException) RefOperationValidationException(com.google.gerrit.server.git.validators.RefOperationValidationException) RestApiException(com.google.gerrit.extensions.restapi.RestApiException) IOException(java.io.IOException) ExecutionException(java.util.concurrent.ExecutionException) OrmException(com.google.gwtorm.server.OrmException) MissingObjectException(org.eclipse.jgit.errors.MissingObjectException) UpdateException(com.google.gerrit.server.update.UpdateException) AuthException(com.google.gerrit.extensions.restapi.AuthException) CmdLineException(org.kohsuke.args4j.CmdLineException) IncorrectObjectTypeException(org.eclipse.jgit.errors.IncorrectObjectTypeException) CommitValidationException(com.google.gerrit.server.git.validators.CommitValidationException) ServiceMayNotContinueException(org.eclipse.jgit.transport.ServiceMayNotContinueException) ResourceConflictException(com.google.gerrit.extensions.restapi.ResourceConflictException) Result(org.eclipse.jgit.transport.ReceiveCommand.Result) PluginConfig(com.google.gerrit.server.config.PluginConfig) Project(com.google.gerrit.reviewdb.client.Project) ProjectConfigEntry(com.google.gerrit.server.config.ProjectConfigEntry)

Example 15 with AuthException

use of com.google.gerrit.extensions.restapi.AuthException in project gerrit by GerritCodeReview.

the class CreateTag method apply.

@Override
public TagInfo apply(ProjectResource resource, TagInput input) throws RestApiException, IOException, PermissionBackendException {
    if (input == null) {
        input = new TagInput();
    }
    if (input.ref != null && !ref.equals(input.ref)) {
        throw new BadRequestException("ref must match URL");
    }
    if (input.revision == null) {
        input.revision = Constants.HEAD;
    }
    ref = RefUtil.normalizeTagRef(ref);
    RefControl refControl = resource.getControl().controlForRef(ref);
    PermissionBackend.ForRef perm = permissionBackend.user(identifiedUser).project(resource.getNameKey()).ref(ref);
    try (Repository repo = repoManager.openRepository(resource.getNameKey())) {
        ObjectId revid = RefUtil.parseBaseRevision(repo, resource.getNameKey(), input.revision);
        RevWalk rw = RefUtil.verifyConnected(repo, revid);
        RevObject object = rw.parseAny(revid);
        rw.reset();
        boolean isAnnotated = Strings.emptyToNull(input.message) != null;
        boolean isSigned = isAnnotated && input.message.contains("-----BEGIN PGP SIGNATURE-----\n");
        if (isSigned) {
            throw new MethodNotAllowedException("Cannot create signed tag \"" + ref + "\"");
        } else if (isAnnotated && !refControl.canPerform(Permission.CREATE_TAG)) {
            throw new AuthException("Cannot create annotated tag \"" + ref + "\"");
        } else {
            perm.check(RefPermission.CREATE);
        }
        if (repo.getRefDatabase().exactRef(ref) != null) {
            throw new ResourceConflictException("tag \"" + ref + "\" already exists");
        }
        try (Git git = new Git(repo)) {
            TagCommand tag = git.tag().setObjectId(object).setName(ref.substring(R_TAGS.length())).setAnnotated(isAnnotated).setSigned(isSigned);
            if (isAnnotated) {
                tag.setMessage(input.message).setTagger(identifiedUser.get().newCommitterIdent(TimeUtil.nowTs(), TimeZone.getDefault()));
            }
            Ref result = tag.call();
            tagCache.updateFastForward(resource.getNameKey(), ref, ObjectId.zeroId(), result.getObjectId());
            referenceUpdated.fire(resource.getNameKey(), ref, ObjectId.zeroId(), result.getObjectId(), identifiedUser.get().getAccount());
            try (RevWalk w = new RevWalk(repo)) {
                return ListTags.createTagInfo(perm, result, w);
            }
        }
    } catch (InvalidRevisionException e) {
        throw new BadRequestException("Invalid base revision");
    } catch (GitAPIException e) {
        log.error("Cannot create tag \"" + ref + "\"", e);
        throw new IOException(e);
    }
}
Also used : MethodNotAllowedException(com.google.gerrit.extensions.restapi.MethodNotAllowedException) PermissionBackend(com.google.gerrit.server.permissions.PermissionBackend) ObjectId(org.eclipse.jgit.lib.ObjectId) RevObject(org.eclipse.jgit.revwalk.RevObject) AuthException(com.google.gerrit.extensions.restapi.AuthException) TagInput(com.google.gerrit.extensions.api.projects.TagInput) IOException(java.io.IOException) RevWalk(org.eclipse.jgit.revwalk.RevWalk) TagCommand(org.eclipse.jgit.api.TagCommand) GitAPIException(org.eclipse.jgit.api.errors.GitAPIException) Repository(org.eclipse.jgit.lib.Repository) ResourceConflictException(com.google.gerrit.extensions.restapi.ResourceConflictException) Ref(org.eclipse.jgit.lib.Ref) Git(org.eclipse.jgit.api.Git) BadRequestException(com.google.gerrit.extensions.restapi.BadRequestException) InvalidRevisionException(com.google.gerrit.server.project.RefUtil.InvalidRevisionException)

Aggregations

AuthException (com.google.gerrit.extensions.restapi.AuthException)68 ResourceConflictException (com.google.gerrit.extensions.restapi.ResourceConflictException)22 BadRequestException (com.google.gerrit.extensions.restapi.BadRequestException)20 UnprocessableEntityException (com.google.gerrit.extensions.restapi.UnprocessableEntityException)16 ResourceNotFoundException (com.google.gerrit.extensions.restapi.ResourceNotFoundException)15 MethodNotAllowedException (com.google.gerrit.extensions.restapi.MethodNotAllowedException)14 Change (com.google.gerrit.reviewdb.client.Change)13 IOException (java.io.IOException)12 Account (com.google.gerrit.reviewdb.client.Account)11 Project (com.google.gerrit.reviewdb.client.Project)11 CurrentUser (com.google.gerrit.server.CurrentUser)11 IdentifiedUser (com.google.gerrit.server.IdentifiedUser)11 PermissionBackendException (com.google.gerrit.server.permissions.PermissionBackendException)11 ArrayList (java.util.ArrayList)11 AccountGroup (com.google.gerrit.reviewdb.client.AccountGroup)10 BatchUpdate (com.google.gerrit.server.update.BatchUpdate)8 ChangeControl (com.google.gerrit.server.project.ChangeControl)7 PermissionBackend (com.google.gerrit.server.permissions.PermissionBackend)6 OrmException (com.google.gwtorm.server.OrmException)6 RepositoryNotFoundException (org.eclipse.jgit.errors.RepositoryNotFoundException)6