Merge "PermissionBackend: Make considering admin credential configurable"
@@ -33,4 +33,7 @@ public @interface RequiresAnyCapability {
|
|||||||
|
|
||||||
/** Scope of the named capabilities. */
|
/** Scope of the named capabilities. */
|
||||||
CapabilityScope scope() default CapabilityScope.CONTEXT;
|
CapabilityScope scope() default CapabilityScope.CONTEXT;
|
||||||
|
|
||||||
|
/** Fall back to admin credentials. Only applies to plugin capability check. */
|
||||||
|
boolean fallBackToAdmin() default true;
|
||||||
}
|
}
|
||||||
|
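Review bot: The Javadoc on `fallBackToAdmin()` does not say what either value means for an access decision, and the same sentence is repeated on `RequiresCapability`. The element decides whether administrators pass a plugin capability check without holding the capability, so I would spell that out, e.g. `/** If true (the default), administrators pass the check even when the capability is not granted to them; set to false to require an explicit grant. Only consulted for plugin-scoped capabilities. */`. The default of `true` keeps the implicit admin grant, so existing plugins have to opt out to get the stricter behaviour; that is worth stating in the doc as well.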
@@ -32,4 +32,7 @@ public @interface RequiresCapability {
|
|||||||
|
|
||||||
/** Scope of the named capability. */
|
/** Scope of the named capability. */
|
||||||
CapabilityScope scope() default CapabilityScope.CONTEXT;
|
CapabilityScope scope() default CapabilityScope.CONTEXT;
|
||||||
|
|
||||||
|
/** Fall back to admin credentials. Only applies to plugin capability check. */
|
||||||
|
boolean fallBackToAdmin() default true;
|
||||||
}
|
}
|
||||||
|
@@ -22,10 +22,16 @@ import java.util.Objects;
|
|||||||
public class PluginPermission implements GlobalOrPluginPermission {
|
public class PluginPermission implements GlobalOrPluginPermission {
|
||||||
private final String pluginName;
|
private final String pluginName;
|
||||||
private final String capability;
|
private final String capability;
|
||||||
|
private final boolean fallBackToAdmin;
|
||||||
|
|
||||||
public PluginPermission(String pluginName, String capability) {
|
public PluginPermission(String pluginName, String capability) {
|
||||||
|
this(pluginName, capability, true);
|
||||||
|
}
|
||||||
|
|
||||||
|
public PluginPermission(String pluginName, String capability, boolean fallBackToAdmin) {
|
||||||
this.pluginName = checkNotNull(pluginName, "pluginName");
|
this.pluginName = checkNotNull(pluginName, "pluginName");
|
||||||
this.capability = checkNotNull(capability, "capability");
|
this.capability = checkNotNull(capability, "capability");
|
||||||
|
this.fallBackToAdmin = fallBackToAdmin;
|
||||||
}
|
}
|
||||||
|
|
||||||
public String pluginName() {
|
public String pluginName() {
|
||||||
@@ -36,6 +42,10 @@ public class PluginPermission implements GlobalOrPluginPermission {
|
|||||||
return capability;
|
return capability;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public boolean fallBackToAdmin() {
|
||||||
|
return fallBackToAdmin;
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public String permissionName() {
|
public String permissionName() {
|
||||||
return pluginName + '-' + capability;
|
return pluginName + '-' + capability;
|
||||||
|
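Review bot: The new `fallBackToAdmin` field changes what the permission grants, but neither hunk touches `equals`, `hashCode` or `toString`; those are outside the visible lines, and the `java.util.Objects` import in the hunk header suggests they exist. If they still compare only `pluginName` and `capability`, two permissions that differ only in admin fallback are interchangeable in any set or map keyed by permission, so a result computed for one could be applied to the other. I would include the field in all three, or document on the class why it is deliberately left out of the permission's identity.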
@@ -238,7 +238,9 @@ public class CapabilityControl {
|
|||||||
if (perm instanceof GlobalPermission) {
|
if (perm instanceof GlobalPermission) {
|
||||||
return can((GlobalPermission) perm);
|
return can((GlobalPermission) perm);
|
||||||
} else if (perm instanceof PluginPermission) {
|
} else if (perm instanceof PluginPermission) {
|
||||||
return canPerform(perm.permissionName()) || isAdmin_DoNotUse();
|
PluginPermission pluginPermission = (PluginPermission) perm;
|
||||||
|
return canPerform(pluginPermission.permissionName())
|
||||||
|
|| (pluginPermission.fallBackToAdmin() && isAdmin_DoNotUse());
|
||||||
}
|
}
|
||||||
throw new PermissionBackendException(perm + " unsupported");
|
throw new PermissionBackendException(perm + " unsupported");
|
||||||
}
|
}
|
||||||
|
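Review bot: The admin fallback in the `PluginPermission` branch is an authorization bypass, and now a conditional one, with no comment saying so. I would add above the return something like `// Administrators implicitly hold plugin capabilities unless the capability was declared with fallBackToAdmin = false.` The enclosing method starts outside the hunk. The `GlobalPermission` branch above is unchanged, so the flag has no effect there; presumably any other permission backend also has to consult `fallBackToAdmin()` for the opt-out to hold, which cannot be confirmed from this page.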
@@ -91,11 +91,24 @@ public enum GlobalPermission implements GlobalOrPluginPermission {
|
|||||||
throw new PermissionBackendException("cannot extract permission");
|
throw new PermissionBackendException("cannot extract permission");
|
||||||
} else if (rc != null) {
|
} else if (rc != null) {
|
||||||
return Collections.singleton(
|
return Collections.singleton(
|
||||||
resolve(pluginName, rc.value(), rc.scope(), clazz, RequiresCapability.class));
|
resolve(
|
||||||
|
pluginName,
|
||||||
|
rc.value(),
|
||||||
|
rc.scope(),
|
||||||
|
rc.fallBackToAdmin(),
|
||||||
|
clazz,
|
||||||
|
RequiresCapability.class));
|
||||||
} else if (rac != null) {
|
} else if (rac != null) {
|
||||||
Set<GlobalOrPluginPermission> r = new LinkedHashSet<>();
|
Set<GlobalOrPluginPermission> r = new LinkedHashSet<>();
|
||||||
for (String capability : rac.value()) {
|
for (String capability : rac.value()) {
|
||||||
r.add(resolve(pluginName, capability, rac.scope(), clazz, RequiresAnyCapability.class));
|
r.add(
|
||||||
|
resolve(
|
||||||
|
pluginName,
|
||||||
|
capability,
|
||||||
|
rac.scope(),
|
||||||
|
rac.fallBackToAdmin(),
|
||||||
|
clazz,
|
||||||
|
RequiresAnyCapability.class));
|
||||||
}
|
}
|
||||||
return Collections.unmodifiableSet(r);
|
return Collections.unmodifiableSet(r);
|
||||||
} else {
|
} else {
|
||||||
@@ -129,13 +142,14 @@ public enum GlobalPermission implements GlobalOrPluginPermission {
|
|||||||
@Nullable String pluginName,
|
@Nullable String pluginName,
|
||||||
String capability,
|
String capability,
|
||||||
CapabilityScope scope,
|
CapabilityScope scope,
|
||||||
|
boolean fallBackToAdmin,
|
||||||
Class<?> clazz,
|
Class<?> clazz,
|
||||||
Class<?> annotationClass)
|
Class<?> annotationClass)
|
||||||
throws PermissionBackendException {
|
throws PermissionBackendException {
|
||||||
if (pluginName != null
|
if (pluginName != null
|
||||||
&& !"gerrit".equals(pluginName)
|
&& !"gerrit".equals(pluginName)
|
||||||
&& (scope == CapabilityScope.PLUGIN || scope == CapabilityScope.CONTEXT)) {
|
&& (scope == CapabilityScope.PLUGIN || scope == CapabilityScope.CONTEXT)) {
|
||||||
return new PluginPermission(pluginName, capability);
|
return new PluginPermission(pluginName, capability, fallBackToAdmin);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (scope == CapabilityScope.PLUGIN) {
|
if (scope == CapabilityScope.PLUGIN) {
|
||||||
|
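Review bot: `resolve` accepts `fallBackToAdmin` but uses it only on the `PluginPermission` return; on the paths below that, which continue outside the hunk, the value appears to be dropped. An annotation such as `@RequiresCapability(value = ..., scope = CapabilityScope.CORE, fallBackToAdmin = false)` would then resolve to a core permission and the opt-out is not carried along. The Javadoc does say the element only applies to plugin checks, but a silent no-op on a security setting is easy to miss. Consider rejecting the combination with a `PermissionBackendException`, or at least logging it, when `!fallBackToAdmin` reaches the core path.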