Merge "Sync CREATE_GROUP permission from All-Projects to All-Users"

2017-11-09 10:11:20 +00:00
parent c5ba387c8e 6235216491
commit 8d62412a45
8 changed files with 196 additions and 2 deletions
--- a/java/com/google/gerrit/httpd/rpc/project/ChangeProjectAccess.java
+++ b/java/com/google/gerrit/httpd/rpc/project/ChangeProjectAccess.java
@@ -19,6 +19,7 @@ import com.google.gerrit.common.data.AccessSection;
 import com.google.gerrit.common.data.ProjectAccess;
 import com.google.gerrit.reviewdb.client.Project;
 import com.google.gerrit.reviewdb.client.RefNames;
+import com.google.gerrit.server.CreateGroupPermissionSyncer;
 import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.account.GroupBackend;
 import com.google.gerrit.server.config.AllProjectsName;
@@ -54,6 +55,7 @@ class ChangeProjectAccess extends ProjectAccessHandler<ProjectAccess> {
  private final GitReferenceUpdated gitRefUpdated;
  private final ProjectAccessFactory.Factory projectAccessFactory;
  private final ProjectCache projectCache;
+  private final CreateGroupPermissionSyncer createGroupPermissionSyncer;

  @Inject
  ChangeProjectAccess(
@@ -68,6 +70,7 @@ class ChangeProjectAccess extends ProjectAccessHandler<ProjectAccess> {
      ContributorAgreementsChecker contributorAgreements,
      Provider<CurrentUser> user,
      PermissionBackend permissionBackend,
+      CreateGroupPermissionSyncer createGroupPermissionSyncer,
      @Assisted("projectName") Project.NameKey projectName,
      @Nullable @Assisted ObjectId base,
      @Assisted List<AccessSection> sectionList,
@@ -91,6 +94,7 @@ class ChangeProjectAccess extends ProjectAccessHandler<ProjectAccess> {
    this.projectAccessFactory = projectAccessFactory;
    this.projectCache = projectCache;
    this.gitRefUpdated = gitRefUpdated;
+    this.createGroupPermissionSyncer = createGroupPermissionSyncer;
  }

  @Override
@@ -108,6 +112,7 @@ class ChangeProjectAccess extends ProjectAccessHandler<ProjectAccess> {
        user.asIdentifiedUser().getAccount());

    projectCache.evict(config.getProject());
+    createGroupPermissionSyncer.syncIfNeeded();
    return projectAccessFactory.create(projectName).call();
  }
 }
--- a/java/com/google/gerrit/httpd/rpc/project/ReviewProjectAccess.java
+++ b/java/com/google/gerrit/httpd/rpc/project/ReviewProjectAccess.java
@@ -57,6 +57,7 @@ import com.google.inject.Provider;
 import com.google.inject.assistedinject.Assisted;
 import java.io.IOException;
 import java.util.List;
+import org.eclipse.jgit.errors.ConfigInvalidException;
 import org.eclipse.jgit.lib.ObjectId;
 import org.eclipse.jgit.lib.ObjectInserter;
 import org.eclipse.jgit.lib.ObjectReader;
@@ -135,7 +136,8 @@ public class ReviewProjectAccess extends ProjectAccessHandler<Change.Id> {
  @Override
  protected Change.Id updateProjectConfig(
      ProjectConfig config, MetaDataUpdate md, boolean parentProjectUpdate)
-      throws IOException, OrmException, PermissionDeniedException, PermissionBackendException {
+      throws IOException, OrmException, PermissionDeniedException, PermissionBackendException,
+          ConfigInvalidException {
    PermissionBackend.ForProject perm = permissionBackend.user(user).project(config.getName());
    if (!check(perm, ProjectPermission.READ_CONFIG)) {
      throw new PermissionDeniedException(RefNames.REFS_CONFIG + " not visible");
--- a/java/com/google/gerrit/server/CreateGroupPermissionSyncer.java
+++ b/java/com/google/gerrit/server/CreateGroupPermissionSyncer.java
@@ -0,0 +1,131 @@
+// Copyright (C) 2017 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.gerrit.server;
+
+import static com.google.common.base.Preconditions.checkNotNull;
+
+import com.google.common.collect.Sets;
+import com.google.gerrit.common.data.AccessSection;
+import com.google.gerrit.common.data.Permission;
+import com.google.gerrit.common.data.PermissionRule;
+import com.google.gerrit.extensions.events.ChangeMergedListener;
+import com.google.gerrit.reviewdb.client.RefNames;
+import com.google.gerrit.server.config.AllProjectsName;
+import com.google.gerrit.server.config.AllUsersName;
+import com.google.gerrit.server.git.MetaDataUpdate;
+import com.google.gerrit.server.git.ProjectConfig;
+import com.google.gerrit.server.project.ProjectCache;
+import com.google.gerrit.server.project.ProjectState;
+import com.google.inject.Inject;
+import com.google.inject.Provider;
+import com.google.inject.Singleton;
+import java.io.IOException;
+import java.util.HashSet;
+import java.util.Set;
+import org.eclipse.jgit.errors.ConfigInvalidException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * With groups in NoteDb, the capability of creating a group is expressed as a {@code CREATE}
+ * permission on {@code refs/groups/*} rather than a global capability in {@code All-Projects}.
+ *
+ * <p>During the transition phase, we have to keep these permissions in sync with the global
+ * capabilities that serve as the source of truth.
+ *
+ * <p><This class implements a one-way synchronization from the the global {@code CREATE_GROUP}
+ * capability in {@code All-Projects} to a {@code CREATE} permission on {@code refs/groups/*} in
+ * {@code All-Users}.
+ */
+@Singleton
+public class CreateGroupPermissionSyncer implements ChangeMergedListener {
+  private static final Logger log = LoggerFactory.getLogger(CreateGroupPermissionSyncer.class);
+
+  private final AllProjectsName allProjects;
+  private final AllUsersName allUsers;
+  private final ProjectCache projectCache;
+  private final Provider<MetaDataUpdate.Server> metaDataUpdateFactory;
+
+  @Inject
+  CreateGroupPermissionSyncer(
+      AllProjectsName allProjects,
+      AllUsersName allUsers,
+      ProjectCache projectCache,
+      Provider<MetaDataUpdate.Server> metaDataUpdateFactory) {
+    this.allProjects = allProjects;
+    this.allUsers = allUsers;
+    this.projectCache = projectCache;
+    this.metaDataUpdateFactory = metaDataUpdateFactory;
+  }
+
+  /**
+   * Checks if {@code GlobalCapability.CREATE_GROUP} and {@code CREATE} permission on {@code
+   * refs/groups/*} have diverged and syncs them by applying the {@code CREATE} permission to {@code
+   * refs/groups/*}.
+   */
+  public void syncIfNeeded() throws IOException, ConfigInvalidException {
+    ProjectState allProjectsState = projectCache.checkedGet(allProjects);
+    checkNotNull(allProjectsState, "Can't obtain project state for " + allProjects);
+    ProjectState allUsersState = projectCache.checkedGet(allUsers);
+    checkNotNull(allUsersState, "Can't obtain project state for " + allUsers);
+
+    Set<PermissionRule> createGroupsGlobal =
+        new HashSet<>(allProjectsState.getCapabilityCollection().createGroup);
+    Set<PermissionRule> createGroupsRef = new HashSet<>();
+
+    AccessSection allUsersCreateGroupAccessSection =
+        allUsersState.getConfig().getAccessSection(RefNames.REFS_GROUPS + "*");
+    if (allUsersCreateGroupAccessSection != null) {
+      Permission create = allUsersCreateGroupAccessSection.getPermission(Permission.CREATE);
+      if (create != null && create.getRules() != null) {
+        createGroupsRef.addAll(create.getRules());
+      }
+    }
+
+    if (Sets.symmetricDifference(createGroupsGlobal, createGroupsRef).isEmpty()) {
+      // Nothing to sync
+      return;
+    }
+
+    try (MetaDataUpdate md = metaDataUpdateFactory.get().create(allUsers)) {
+      ProjectConfig config = ProjectConfig.read(md);
+      AccessSection createGroupAccessSection = new AccessSection(RefNames.REFS_GROUPS + "*");
+      if (createGroupsGlobal.isEmpty()) {
+        config.remove(createGroupAccessSection);
+      } else {
+        Permission createGroupPermission = new Permission(Permission.CREATE);
+        createGroupAccessSection.addPermission(createGroupPermission);
+        createGroupsGlobal.forEach(pr -> createGroupPermission.add(pr));
+        config.replace(createGroupAccessSection);
+      }
+
+      config.commit(md);
+      projectCache.evict(config.getProject());
+    }
+  }
+
+  @Override
+  public void onChangeMerged(Event event) {
+    if (!allProjects.get().equals(event.getChange().project)
+        || !RefNames.REFS_CONFIG.equals(event.getChange().branch)) {
+      return;
+    }
+    try {
+      syncIfNeeded();
+    } catch (IOException | ConfigInvalidException e) {
+      log.error("Can't sync create group permissions", e);
+    }
+  }
+}
--- a/java/com/google/gerrit/server/account/CapabilityCollection.java
+++ b/java/com/google/gerrit/server/account/CapabilityCollection.java
@@ -49,6 +49,7 @@ public class CapabilityCollection {
  public final ImmutableList<PermissionRule> emailReviewers;
  public final ImmutableList<PermissionRule> priority;
  public final ImmutableList<PermissionRule> queryLimit;
+  public final ImmutableList<PermissionRule> createGroup;

  @Inject
  CapabilityCollection(
@@ -97,6 +98,7 @@ public class CapabilityCollection {
    emailReviewers = getPermission(GlobalCapability.EMAIL_REVIEWERS);
    priority = getPermission(GlobalCapability.PRIORITY);
    queryLimit = getPermission(GlobalCapability.QUERY_LIMIT);
+    createGroup = getPermission(GlobalCapability.CREATE_GROUP);
  }

  private static List<PermissionRule> mergeAdmin(
--- a/java/com/google/gerrit/server/config/GerritGlobalModule.java
+++ b/java/com/google/gerrit/server/config/GerritGlobalModule.java
@@ -72,6 +72,7 @@ import com.google.gerrit.server.AnonymousUser;
 import com.google.gerrit.server.ApprovalsUtil;
 import com.google.gerrit.server.ChangeFinder;
 import com.google.gerrit.server.CmdLineParserModule;
+import com.google.gerrit.server.CreateGroupPermissionSyncer;
 import com.google.gerrit.server.IdentifiedUser;
 import com.google.gerrit.server.PluginUser;
 import com.google.gerrit.server.Sequences;
@@ -315,6 +316,10 @@ public class GerritGlobalModule extends FactoryModule {
    DynamicSet.setOf(binder(), CommentAddedListener.class);
    DynamicSet.setOf(binder(), HashtagsEditedListener.class);
    DynamicSet.setOf(binder(), ChangeMergedListener.class);
+    bind(ChangeMergedListener.class)
+        .annotatedWith(Exports.named("CreateGroupPermissionSyncer"))
+        .to(CreateGroupPermissionSyncer.class);
+
    DynamicSet.setOf(binder(), ChangeRestoredListener.class);
    DynamicSet.setOf(binder(), ChangeRevertedListener.class);
    DynamicSet.setOf(binder(), ReviewerAddedListener.class);
--- a/java/com/google/gerrit/server/git/receive/ReceiveCommits.java
+++ b/java/com/google/gerrit/server/git/receive/ReceiveCommits.java
@@ -86,6 +86,7 @@ import com.google.gerrit.reviewdb.client.RevId;
 import com.google.gerrit.reviewdb.server.ReviewDb;
 import com.google.gerrit.server.ApprovalsUtil;
 import com.google.gerrit.server.ChangeUtil;
+import com.google.gerrit.server.CreateGroupPermissionSyncer;
 import com.google.gerrit.server.IdentifiedUser;
 import com.google.gerrit.server.PatchSetUtil;
 import com.google.gerrit.server.Sequences;
@@ -327,6 +328,7 @@ class ReceiveCommits {
  private final SubmoduleOp.Factory subOpFactory;
  private final TagCache tagCache;
  private final CreateRefControl createRefControl;
+  private final CreateGroupPermissionSyncer createGroupPermissionSyncer;

  // Assisted injected fields.
  private final AllRefsWatcher allRefsWatcher;
@@ -413,6 +415,7 @@ class ReceiveCommits {
      TagCache tagCache,
      CreateRefControl createRefControl,
      DynamicItem<ChangeReportFormatter> changeFormatterProvider,
+      CreateGroupPermissionSyncer createGroupPermissionSyncer,
      @Assisted ProjectState projectState,
      @Assisted IdentifiedUser user,
      @Assisted ReceivePack rp,
@@ -453,6 +456,7 @@ class ReceiveCommits {
    this.subOpFactory = subOpFactory;
    this.tagCache = tagCache;
    this.createRefControl = createRefControl;
+    this.createGroupPermissionSyncer = createGroupPermissionSyncer;

    // Assisted injected fields.
    this.allRefsWatcher = allRefsWatcher;
@@ -2606,6 +2610,13 @@ class ReceiveCommits {
        } catch (IOException e) {
          log.warn("cannot update description of " + project.getName(), e);
        }
+        if (allProjectsName.equals(project.getNameKey())) {
+          try {
+            createGroupPermissionSyncer.syncIfNeeded();
+          } catch (IOException | ConfigInvalidException e) {
+            log.error("Can't sync create group permissions", e);
+          }
+        }
      }
    }
  }
--- a/java/com/google/gerrit/server/project/SetAccess.java
+++ b/java/com/google/gerrit/server/project/SetAccess.java
@@ -27,6 +27,7 @@ import com.google.gerrit.extensions.restapi.ResourceNotFoundException;
 import com.google.gerrit.extensions.restapi.RestModifyView;
 import com.google.gerrit.extensions.restapi.UnprocessableEntityException;
 import com.google.gerrit.reviewdb.client.Project;
+import com.google.gerrit.server.CreateGroupPermissionSyncer;
 import com.google.gerrit.server.IdentifiedUser;
 import com.google.gerrit.server.account.GroupBackend;
 import com.google.gerrit.server.git.MetaDataUpdate;
@@ -52,6 +53,7 @@ public class SetAccess implements RestModifyView<ProjectResource, ProjectAccessI
  private final ProjectCache projectCache;
  private final Provider<IdentifiedUser> identifiedUser;
  private final SetAccessUtil accessUtil;
+  private final CreateGroupPermissionSyncer createGroupPermissionSyncer;

  @Inject
  private SetAccess(
@@ -61,7 +63,8 @@ public class SetAccess implements RestModifyView<ProjectResource, ProjectAccessI
      ProjectCache projectCache,
      GetAccess getAccess,
      Provider<IdentifiedUser> identifiedUser,
-      SetAccessUtil accessUtil) {
+      SetAccessUtil accessUtil,
+      CreateGroupPermissionSyncer createGroupPermissionSyncer) {
    this.groupBackend = groupBackend;
    this.permissionBackend = permissionBackend;
    this.metaDataUpdateFactory = metaDataUpdateFactory;
@@ -69,6 +72,7 @@ public class SetAccess implements RestModifyView<ProjectResource, ProjectAccessI
    this.projectCache = projectCache;
    this.identifiedUser = identifiedUser;
    this.accessUtil = accessUtil;
+    this.createGroupPermissionSyncer = createGroupPermissionSyncer;
  }

  @Override
@@ -124,6 +128,7 @@ public class SetAccess implements RestModifyView<ProjectResource, ProjectAccessI

      config.commit(md);
      projectCache.evict(config.getProject());
+      createGroupPermissionSyncer.syncIfNeeded();
    } catch (InvalidNameException e) {
      throw new BadRequestException(e.toString());
    } catch (ConfigInvalidException e) {
--- a/javatests/com/google/gerrit/acceptance/rest/project/AccessIT.java
+++ b/javatests/com/google/gerrit/acceptance/rest/project/AccessIT.java
@@ -47,6 +47,7 @@ import com.google.gerrit.server.group.InternalGroup;
 import com.google.gerrit.server.group.SystemGroupBackend;
 import com.google.inject.Inject;
 import java.util.HashMap;
+import java.util.Map;
 import org.eclipse.jgit.internal.storage.dfs.InMemoryRepository;
 import org.eclipse.jgit.junit.TestRepository;
 import org.eclipse.jgit.lib.Config;
@@ -556,6 +557,38 @@ public class AccessIT extends AbstractDaemonTest {
    gApi.projects().name(allUsers.get()).access(accessInput);
  }

+  @Test
+  public void syncCreateGroupPermission() throws Exception {
+    // Grant CREATE_GROUP to Registered Users
+    ProjectAccessInput accessInput = newProjectAccessInput();
+    AccessSectionInfo accessSection = newAccessSectionInfo();
+    PermissionInfo createGroup = newPermissionInfo();
+    PermissionRuleInfo pri = new PermissionRuleInfo(PermissionRuleInfo.Action.ALLOW, false);
+    createGroup.rules.put(SystemGroupBackend.REGISTERED_USERS.get(), pri);
+    accessSection.permissions.put(GlobalCapability.CREATE_GROUP, createGroup);
+    accessInput.add.put(AccessSection.GLOBAL_CAPABILITIES, accessSection);
+    gApi.projects().name(allProjects.get()).access(accessInput);
+
+    // Assert that the permission was synced from All-Projects (global) to All-Users (ref)
+    Map<String, AccessSectionInfo> local = gApi.projects().name("All-Users").access().local;
+    assertThat(local).isNotNull();
+    assertThat(local).containsKey(RefNames.REFS_GROUPS + "*");
+    Map<String, PermissionInfo> permissions = local.get(RefNames.REFS_GROUPS + "*").permissions;
+    assertThat(permissions).containsKey(Permission.CREATE);
+    Map<String, PermissionRuleInfo> rules = permissions.get(Permission.CREATE).rules;
+    assertThat(rules.values()).containsExactly(pri);
+
+    // Revoke the permission
+    accessInput.add.clear();
+    accessInput.remove.put(AccessSection.GLOBAL_CAPABILITIES, accessSection);
+    gApi.projects().name(allProjects.get()).access(accessInput);
+
+    // Assert that the permission was synced from All-Projects (global) to All-Users (ref)
+    Map<String, AccessSectionInfo> local2 = gApi.projects().name("All-Users").access().local;
+    assertThat(local2).isNotNull();
+    assertThat(local2).doesNotContainKey(RefNames.REFS_GROUPS + "*");
+  }
+
  private ProjectAccessInput newProjectAccessInput() {
    ProjectAccessInput p = new ProjectAccessInput();
    p.add = new HashMap<>();