Example 1 with RefPermission

Use of com.google.gerrit.server.permissions.RefPermission in project gerrit by GerritCodeReview.

From the class CheckAccess, method apply.

public Response<AccessCheckInfo> apply(ProjectResource rsrc, AccessCheckInput input) throws PermissionBackendException, RestApiException, IOException, ConfigInvalidException {
    // The caller must hold the global VIEW_ACCESS permission to run an access check at all.
    permissionBackend.user(rsrc.getUser()).check(GlobalPermission.VIEW_ACCESS);
    rsrc.getProjectState().checkStatePermitsRead();
    if (input == null) {
        throw new BadRequestException("input is required");
    }
    if (Strings.isNullOrEmpty(input.account)) {
        throw new BadRequestException("input requires 'account'");
    }
    try (TraceContext traceContext = TraceContext.open()) {
        traceContext.enableAclLogging();
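        // Resolve the account under test; the checks below are evaluated for that account
        // (absentUser), not for the caller.
        Account.Id match = accountResolver.resolve(input.account).asUnique().account().id();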
        try {
            permissionBackend.absentUser(match).project(rsrc.getNameKey()).check(ProjectPermission.ACCESS);
        } catch (AuthException e) {
            return Response.ok(createInfo(HttpServletResponse.SC_FORBIDDEN, String.format("user %s cannot see project %s", match, rsrc.getName())));
        }
        RefPermission refPerm;
        if (!Strings.isNullOrEmpty(input.permission)) {
            if (Strings.isNullOrEmpty(input.ref)) {
                throw new BadRequestException("must set 'ref' when specifying 'permission'");
            }
            Optional<RefPermission> rp = DefaultPermissionMappings.refPermission(input.permission);
            if (!rp.isPresent()) {
                throw new BadRequestException(String.format("'%s' is not recognized as ref permission", input.permission));
            }
            refPerm = rp.get();
        } else {
            // No permission was specified: default to checking READ.
            refPerm = RefPermission.READ;
        }
        String message = null;
        if (!Strings.isNullOrEmpty(input.ref)) {
            try {
                permissionBackend.absentUser(match).ref(BranchNameKey.create(rsrc.getNameKey(), input.ref)).check(refPerm);
            } catch (AuthException e) {
                return Response.ok(createInfo(HttpServletResponse.SC_FORBIDDEN, String.format("user %s lacks permission %s for %s in project %s", match, input.permission, input.ref, rsrc.getName())));
            }
        } else {
            // No ref given: access is reported as OK, but an empty refs/heads/ warrants a warning,
            // as access denied looks the same as no branches to the user.
            try (Repository repo = gitRepositoryManager.openRepository(rsrc.getNameKey())) {
                if (repo.getRefDatabase().getRefsByPrefix(REFS_HEADS).isEmpty()) {
                    message = "access is OK, but repository has no branches under refs/heads/";
                }
            }
        }
        return Response.ok(createInfo(HttpServletResponse.SC_OK, message));
    }
}
Also used: Account (com.google.gerrit.entities.Account), Repository (org.eclipse.jgit.lib.Repository), RefPermission (com.google.gerrit.server.permissions.RefPermission), BadRequestException (com.google.gerrit.extensions.restapi.BadRequestException), TraceContext (com.google.gerrit.server.logging.TraceContext), AuthException (com.google.gerrit.extensions.restapi.AuthException)