private Set<String> keepAuthorizedLogins(DbSession dbSession, String projectKey, Set<SubscriberAndChannel> subscriberAndChannels, @Nullable Boolean global, String permission) { Set<String> logins = subscriberAndChannels.stream() .filter(s -> global == null || s.getSubscriber().isGlobal() == global) .map(s -> s.getSubscriber().getLogin()) .collect(Collectors.toSet()); if (logins.isEmpty()) { return Collections.emptySet(); } return dbClient.authorizationDao().keepAuthorizedLoginsOnProject(dbSession, logins, projectKey, permission); }
private void checkNotTryingToDeleteLastAdminGroup(DbSession dbSession, GroupDto group) { int remaining = dbClient.authorizationDao().countUsersWithGlobalPermissionExcludingGroup(dbSession, group.getOrganizationUuid(), OrganizationPermission.ADMINISTER.getKey(), group.getId()); checkArgument(remaining > 0, "The last system admin group cannot be deleted"); }
/** * Ensure that there are still users with admin global permission if user is removed from the group. */ private void ensureLastAdminIsNotRemoved(DbSession dbSession, GroupDto group, UserDto user) { int remainingAdmins = dbClient.authorizationDao().countUsersWithGlobalPermissionExcludingGroupMember(dbSession, group.getOrganizationUuid(), OrganizationPermission.ADMINISTER.getKey(), group.getId(), user.getId()); checkRequest(remainingAdmins > 0, "The last administrator user cannot be removed"); }
private Set<OrganizationPermission> loadOrganizationPermissions(String organizationUuid) { Set<String> permissionKeys; try (DbSession dbSession = dbClient.openSession(false)) { if (userDto != null && userDto.getId() != null) { permissionKeys = dbClient.authorizationDao().selectOrganizationPermissions(dbSession, organizationUuid, userDto.getId()); } else { permissionKeys = dbClient.authorizationDao().selectOrganizationPermissionsOfAnonymous(dbSession, organizationUuid); } } return permissionKeys.stream() .map(OrganizationPermission::fromKey) .collect(MoreCollectors.toSet(permissionKeys.size())); }
private List<String> selectOrganizationsWithNoMoreAdministrators(DbSession dbSession, UserDto user) { Set<String> organizationUuids = dbClient.authorizationDao().selectOrganizationUuidsOfUserWithGlobalPermission( dbSession, user.getId(), OrganizationPermission.ADMINISTER.getKey()); List<String> problematicOrganizations = new ArrayList<>(); for (String organizationUuid : organizationUuids) { int remaining = dbClient.authorizationDao().countUsersWithGlobalPermissionExcludingUser(dbSession, organizationUuid, OrganizationPermission.ADMINISTER.getKey(), user.getId()); if (remaining == 0) { problematicOrganizations.add(organizationUuid); } } return problematicOrganizations; }
private Map<Long, ComponentDto> searchProjects(DbSession dbSession, List<PropertyDto> properties) { Set<Long> componentIds = properties.stream() .map(PropertyDto::getResourceId) .filter(Objects::nonNull) .collect(MoreCollectors.toSet(properties.size())); Set<Long> authorizedProjectIds = dbClient.authorizationDao().keepAuthorizedProjectIds(dbSession, componentIds, userSession.getUserId(), UserRole.USER); return dbClient.componentDao().selectByIds(dbSession, componentIds) .stream() .filter(c -> authorizedProjectIds.contains(c.getId())) .collect(MoreCollectors.uniqueIndex(ComponentDto::getId)); }
@Override protected List<ComponentDto> doKeepAuthorizedComponents(String permission, Collection<ComponentDto> components) { try (DbSession dbSession = dbClient.openSession(false)) { Set<String> projectUuids = components.stream() .map(c -> defaultIfEmpty(c.getMainBranchProjectUuid(), c.projectUuid())) .collect(MoreCollectors.toSet(components.size())); Set<String> authorizedProjectUuids = dbClient.authorizationDao().keepAuthorizedProjectUuids(dbSession, projectUuids, getUserId(), permission); return components.stream() .filter(c -> authorizedProjectUuids.contains(c.projectUuid()) || authorizedProjectUuids.contains(c.getMainBranchProjectUuid())) .collect(MoreCollectors.toList(components.size())); } }
@Test public void selectOrganizationUuidsOfUserWithGlobalPermission_returns_empty_set_if_user_does_not_exist() { // another user db.users().insertPermissionOnUser(user, ADMINISTER_QUALITY_GATES); Set<String> orgUuids = underTest.selectOrganizationUuidsOfUserWithGlobalPermission(dbSession, MISSING_ID, SYSTEM_ADMIN); assertThat(orgUuids).isEmpty(); }
private void ensureLastAdminIsNotRemoved(DbSession dbSession, OrganizationDto organizationDto, UserDto user) { int remainingAdmins = dbClient.authorizationDao().countUsersWithGlobalPermissionExcludingUser(dbSession, organizationDto.getUuid(), ADMINISTER.getKey(), user.getId()); checkRequest(remainingAdmins > 0, "The last administrator member cannot be removed"); } }
private void checkOtherAdminsExist(DbSession dbSession, UserPermissionChange change) { if (SYSTEM_ADMIN.equals(change.getPermission()) && !change.getProjectId().isPresent()) { int remaining = dbClient.authorizationDao().countUsersWithGlobalPermissionExcludingUserPermission(dbSession, change.getOrganizationUuid(), change.getPermission(), change.getUserId().getId()); checkRequest(remaining > 0, "Last user with permission '%s'. Permission cannot be removed.", SYSTEM_ADMIN); } } }
/** * Anonymous user only benefits from the permissions granted to * "Anyone" */ @Test public void selectOrganizationPermissions_for_anonymous_user() { db.users().insertPermissionOnAnyone(organization, "perm1"); // ignored permissions db.users().insertPermissionOnUser(organization, user, "ignored"); db.users().insertPermissionOnGroup(group1, "ignored"); Set<String> permissions = underTest.selectOrganizationPermissionsOfAnonymous(dbSession, organization.getUuid()); assertThat(permissions).containsOnly("perm1"); }
/** * Union of the permissions granted to: * - the user * - the groups which user is member * - anyone */ @Test public void selectOrganizationPermissions_for_logged_in_user() { ComponentDto project = db.components().insertPrivateProject(organization); db.users().insertMember(group1, user); db.users().insertPermissionOnUser(organization, user, "perm1"); db.users().insertProjectPermissionOnUser(user, "perm42", project); db.users().insertPermissionOnGroup(group1, "perm2"); db.users().insertPermissionOnAnyone(organization, "perm3"); // ignored permissions, user is not member of this group db.users().insertPermissionOnGroup(group2, "ignored"); Set<String> permissions = underTest.selectOrganizationPermissions(dbSession, organization.getUuid(), user.getId()); assertThat(permissions).containsOnly("perm1", "perm2", "perm3"); }
private List<ProjectQgateAssociationDto> keepAuthorizedProjects(DbSession dbSession, List<ProjectQgateAssociationDto> projects) { if (userSession.isRoot()) { // the method AuthorizationDao#keepAuthorizedProjectIds() should be replaced by // a call to UserSession, which would transparently support roots. // Meanwhile root is explicitly handled. return projects; } List<Long> projectIds = projects.stream().map(ProjectQgateAssociationDto::getId).collect(MoreCollectors.toList()); Collection<Long> authorizedProjectIds = dbClient.authorizationDao().keepAuthorizedProjectIds(dbSession, projectIds, userSession.getUserId(), UserRole.USER); return projects.stream().filter(project -> authorizedProjectIds.contains(project.getId())).collect(MoreCollectors.toList()); }
@Test public void keepAuthorizedProjectUuids_should_be_able_to_handle_lots_of_projects() { List<ComponentDto> projects = IntStream.range(0, 2000).mapToObj(i -> db.components().insertPublicProject(organization)).collect(Collectors.toList()); Collection<String> uuids = projects.stream().map(ComponentDto::uuid).collect(Collectors.toSet()); assertThat(underTest.keepAuthorizedProjectUuids(dbSession, uuids, null, UserRole.USER)) .containsOnly(uuids.toArray(new String[0])); }
private Set<OrganizationPermission> loadOrganizationPermissions(String organizationUuid) { Set<String> permissionKeys; try (DbSession dbSession = dbClient.openSession(false)) { if (userDto != null && userDto.getId() != null) { permissionKeys = dbClient.authorizationDao().selectOrganizationPermissions(dbSession, organizationUuid, userDto.getId()); } else { permissionKeys = dbClient.authorizationDao().selectOrganizationPermissionsOfAnonymous(dbSession, organizationUuid); } } return permissionKeys.stream() .map(OrganizationPermission::fromKey) .collect(MoreCollectors.toSet(permissionKeys.size())); }
private List<String> selectOrganizationsWithNoMoreAdministrators(DbSession dbSession, UserDto user) { Set<String> organizationUuids = dbClient.authorizationDao().selectOrganizationUuidsOfUserWithGlobalPermission( dbSession, user.getId(), OrganizationPermission.ADMINISTER.getKey()); List<String> problematicOrganizations = new ArrayList<>(); for (String organizationUuid : organizationUuids) { int remaining = dbClient.authorizationDao().countUsersWithGlobalPermissionExcludingUser(dbSession, organizationUuid, OrganizationPermission.ADMINISTER.getKey(), user.getId()); if (remaining == 0) { problematicOrganizations.add(organizationUuid); } } return problematicOrganizations; }
@Test public void selectOrganizationUuidsOfUserWithGlobalPermission_returns_empty_set_if_user_does_not_have_permission_at_all() { db.users().insertPermissionOnUser(user, ADMINISTER_QUALITY_GATES); // user is not part of this group db.users().insertPermissionOnGroup(group1, SCAN); Set<String> orgUuids = underTest.selectOrganizationUuidsOfUserWithGlobalPermission(dbSession, user.getId(), SCAN.getKey()); assertThat(orgUuids).isEmpty(); }
assertThat(underTest.countUsersWithGlobalPermissionExcludingUser(db.getSession(), organization.getUuid(), "p1", user1.getId())).isEqualTo(2); assertThat(underTest.countUsersWithGlobalPermissionExcludingUser(db.getSession(), organization.getUuid(), "p1", user3.getId())).isEqualTo(2); assertThat(underTest.countUsersWithGlobalPermissionExcludingUser(db.getSession(), organization.getUuid(), "p1", -1)).isEqualTo(3); assertThat(underTest.countUsersWithGlobalPermissionExcludingUser(db.getSession(), organization.getUuid(), "missingPermission", group1.getId())).isEqualTo(0);
@Test public void countUsersWithGlobalPermissionExcludingUserPermission() { // u1 and u2 have the direct permission, u3 has the permission through his group UserDto u1 = db.users().insertUser(); db.users().insertPermissionOnUser(organization, u1, A_PERMISSION); UserDto u2 = db.users().insertUser(); db.users().insertPermissionOnUser(organization, u2, A_PERMISSION); db.users().insertPermissionOnGroup(group1, A_PERMISSION); UserDto u3 = db.users().insertUser(); db.users().insertMember(group1, u3); // excluding u2 permission --> remain u1 and u3 int count = underTest.countUsersWithGlobalPermissionExcludingUserPermission(dbSession, organization.getUuid(), A_PERMISSION, u2.getId()); assertThat(count).isEqualTo(2); // excluding unknown user count = underTest.countUsersWithGlobalPermissionExcludingUserPermission(dbSession, organization.getUuid(), A_PERMISSION, MISSING_ID); assertThat(count).isEqualTo(3); // another organization count = underTest.countUsersWithGlobalPermissionExcludingUserPermission(dbSession, DOES_NOT_EXIST, A_PERMISSION, u2.getId()); assertThat(count).isEqualTo(0); // another permission count = underTest.countUsersWithGlobalPermissionExcludingUserPermission(dbSession, organization.getUuid(), DOES_NOT_EXIST, u2.getId()); assertThat(count).isEqualTo(0); }
@Test public void keepAuthorizedProjectIds_returns_empty_for_group_AnyOne_and_any_permission_on_private_project_without_any_permission_in_DB() { PermissionsTestHelper.ALL_PERMISSIONS .forEach(perm -> { assertThat(underTest.keepAuthorizedProjectIds(dbSession, randomPrivateProjectIds, null, perm)) .isEmpty(); }); assertThat(underTest.keepAuthorizedProjectIds(dbSession, randomPrivateProjectIds, null, randomPermission)) .isEmpty(); }