RefPermission: Add CREATE_TAG permission

This commit adds CREATE_TAG as a new ref permission so that it can be
checked through the permission backend. Since this was the last method with
outside callers, RefControl is made package-private.

Systems that don't have this permission can provide a custom
implementation or map it to another permission in their implementation
of PermissionBackend.

Change-Id: Iad18dcd4001e0c60b26d57cb1c7d4c0093e4c75f
Patrick Hiesel
2018-01-10 09:33:05 +01:00
parent 3029d05f1a
commit aaee674e36
3 changed files with 18 additions and 14 deletions


@@ -35,6 +35,9 @@ public enum RefPermission {
/** Create a change to code review a commit. */
CREATE_CHANGE,
/** Create a tag. */
CREATE_TAG(Permission.CREATE_TAG),
/**
* Creates changes, then also immediately submits them during {@code push}.
*
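Review bot: The Javadoc on the new constant, `/** Create a tag. */`, does not say which kind of tag the permission governs. In the CreateTag section of this commit it is consulted only when the tag is annotated, and the visible `else` branch still goes on to `perm.check(RefPermission.CREATE)`, so it appears to be required in addition to CREATE rather than instead of it. Since the commit message invites other PermissionBackend implementations to map this permission themselves, that distinction should be written down, for example `/** Create an annotated tag; checked in addition to {@link #CREATE}. */`, assuming this matches the intended meaning of `Permission.CREATE_TAG`.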


@@ -45,7 +45,7 @@ import java.util.Map;
import java.util.Set;
/** Manages access control for Git references (aka branches, tags). */
public class RefControl {
class RefControl {
private final ProjectControl projectControl;
private final String refName;
@@ -567,6 +567,9 @@ public class RefControl {
case CREATE_CHANGE:
return canUpload();
case CREATE_TAG:
return canPerform(Permission.CREATE_TAG);
case UPDATE_BY_SUBMIT:
return projectControl.controlForRef("refs/for/" + getRefName()).canSubmit(true);
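Review bot: None of the three file sections in this commit looks like a test, so the new `case CREATE_TAG: return canPerform(Permission.CREATE_TAG);` mapping is unexercised even though CreateTag now relies on it for the annotated-tag ACL. A test that denies `Permission.CREATE_TAG` for a tag ref and expects the annotated-tag request to be rejected, plus the granted counterpart, would pin the behaviour down. The switch and its enclosing method start and end outside the hunk, so whether an unmapped RefPermission fails closed in a default branch cannot be confirmed from here.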


@@ -18,7 +18,6 @@ import static org.eclipse.jgit.lib.Constants.R_TAGS;
import com.google.common.base.Strings;
import com.google.gerrit.common.TimeUtil;
import com.google.gerrit.common.data.Permission;
import com.google.gerrit.extensions.api.projects.TagInfo;
import com.google.gerrit.extensions.api.projects.TagInput;
import com.google.gerrit.extensions.restapi.AuthException;
@@ -36,9 +35,7 @@ import com.google.gerrit.server.permissions.PermissionBackend;
import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gerrit.server.permissions.RefPermission;
import com.google.gerrit.server.project.NoSuchProjectException;
import com.google.gerrit.server.project.ProjectControl;
import com.google.gerrit.server.project.ProjectResource;
import com.google.gerrit.server.project.RefControl;
import com.google.gerrit.server.project.RefUtil;
import com.google.gerrit.server.project.RefUtil.InvalidRevisionException;
import com.google.inject.Inject;
@@ -71,7 +68,6 @@ public class CreateTag implements RestModifyView<ProjectResource, TagInput> {
private final TagCache tagCache;
private final GitReferenceUpdated referenceUpdated;
private final WebLinks links;
private final ProjectControl.GenericFactory projectControlFactory;
private String ref;
@Inject
@@ -82,7 +78,6 @@ public class CreateTag implements RestModifyView<ProjectResource, TagInput> {
TagCache tagCache,
GitReferenceUpdated referenceUpdated,
WebLinks webLinks,
ProjectControl.GenericFactory projectControlFactory,
@Assisted String ref) {
this.permissionBackend = permissionBackend;
this.identifiedUser = identifiedUser;
@@ -90,7 +85,6 @@ public class CreateTag implements RestModifyView<ProjectResource, TagInput> {
this.tagCache = tagCache;
this.referenceUpdated = referenceUpdated;
this.links = webLinks;
this.projectControlFactory = projectControlFactory;
this.ref = ref;
}
@@ -108,12 +102,6 @@ public class CreateTag implements RestModifyView<ProjectResource, TagInput> {
}
ref = RefUtil.normalizeTagRef(ref);
// TODO(hiesel): Remove dependency on RefControl
RefControl refControl =
projectControlFactory
.controlFor(resource.getNameKey(), resource.getUser())
.controlForRef(ref);
PermissionBackend.ForRef perm =
permissionBackend.user(identifiedUser).project(resource.getNameKey()).ref(ref);
@@ -126,7 +114,7 @@ public class CreateTag implements RestModifyView<ProjectResource, TagInput> {
boolean isSigned = isAnnotated && input.message.contains("-----BEGIN PGP SIGNATURE-----\n");
if (isSigned) {
throw new MethodNotAllowedException("Cannot create signed tag \"" + ref + "\"");
} else if (isAnnotated && !refControl.canPerform(Permission.CREATE_TAG)) {
} else if (isAnnotated && !check(perm, RefPermission.CREATE_TAG)) {
throw new AuthException("Cannot create annotated tag \"" + ref + "\"");
} else {
perm.check(RefPermission.CREATE);
@@ -169,4 +157,14 @@ public class CreateTag implements RestModifyView<ProjectResource, TagInput> {
throw new IOException(e);
}
}
private static boolean check(PermissionBackend.ForRef perm, RefPermission permission)
throws PermissionBackendException {
try {
perm.check(permission);
return true;
} catch (AuthException e) {
return false;
}
}
}
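Review bot: The new private `check` helper at the end of the class catches `AuthException` only to return a boolean, after which the caller throws a fresh `AuthException`, so the backend's own denial reason is dropped and an exception is used for control flow. The helper also carries no comment stating its contract, and its name collides with `perm.check`, which throws instead of returning; I would rename it to something like `isAllowed` and add `/** Returns false when {@code permission} is denied; backend failures propagate as PermissionBackendException, so an error is never read as a grant. */`. If `PermissionBackend.ForRef` already offers a boolean test method (not visible on this page), calling it directly would make the helper unnecessary. The surrounding `apply` logic starts outside the hunk, so the full branch structure is not visible here.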