Add ProjectPermissions for upload and receive pack, migrate callers

ProjectControl#canRunUploadPack() and #canRunReceivePack() are just
permission checks using group membership. Therefore they can easily be
checked using PermissionBackend.

Installations that do not use these permissions at all (like Google) can
just have their own PermissionBackend implementation always deny that
permission.

Change-Id: I9d12ed4664c94ef77a9a0958bc91595bef6dfd5d

gerrit-acceptance-framework/src/test/java/com/google/gerrit/acceptance/InProcessProtocol.java

@@ -19,6 +19,7 @@ import com.google.common.collect.Lists;
 import com.google.gerrit.acceptance.InProcessProtocol.Context;
 import com.google.gerrit.common.data.Capable;
 import com.google.gerrit.extensions.registration.DynamicSet;
+import com.google.gerrit.extensions.restapi.AuthException;
 import com.google.gerrit.reviewdb.client.Account;
 import com.google.gerrit.reviewdb.client.Project;
 import com.google.gerrit.reviewdb.server.ReviewDb;
@@ -34,8 +35,13 @@ import com.google.gerrit.server.git.TransferConfig;
 import com.google.gerrit.server.git.VisibleRefFilter;
 import com.google.gerrit.server.git.receive.AsyncReceiveCommits;
 import com.google.gerrit.server.git.validators.UploadValidators;
+import com.google.gerrit.server.permissions.PermissionBackend;
+import com.google.gerrit.server.permissions.PermissionBackendException;
+import com.google.gerrit.server.permissions.ProjectPermission;
 import com.google.gerrit.server.project.NoSuchProjectException;
+import com.google.gerrit.server.project.ProjectCache;
 import com.google.gerrit.server.project.ProjectControl;
+import com.google.gerrit.server.project.ProjectState;
 import com.google.gerrit.server.util.RequestContext;
 import com.google.gerrit.server.util.RequestScopePropagator;
 import com.google.gerrit.server.util.ThreadLocalRequestContext;
@@ -203,29 +209,32 @@ class InProcessProtocol extends TestProtocol<Context> {
 
   private static class Upload implements UploadPackFactory<Context> {
     private final Provider<CurrentUser> userProvider;
-    private final ProjectControl.GenericFactory projectControlFactory;
     private final VisibleRefFilter.Factory refFilterFactory;
     private final TransferConfig transferConfig;
     private final DynamicSet<PreUploadHook> preUploadHooks;
     private final UploadValidators.Factory uploadValidatorsFactory;
     private final ThreadLocalRequestContext threadContext;
+    private final ProjectCache projectCache;
+    private final PermissionBackend permissionBackend;
 
     @Inject
     Upload(
         Provider<CurrentUser> userProvider,
-        ProjectControl.GenericFactory projectControlFactory,
         VisibleRefFilter.Factory refFilterFactory,
         TransferConfig transferConfig,
         DynamicSet<PreUploadHook> preUploadHooks,
         UploadValidators.Factory uploadValidatorsFactory,
-        ThreadLocalRequestContext threadContext) {
+        ThreadLocalRequestContext threadContext,
+        ProjectCache projectCache,
+        PermissionBackend permissionBackend) {
       this.userProvider = userProvider;
-      this.projectControlFactory = projectControlFactory;
       this.refFilterFactory = refFilterFactory;
       this.transferConfig = transferConfig;
       this.preUploadHooks = preUploadHooks;
       this.uploadValidatorsFactory = uploadValidatorsFactory;
       this.threadContext = threadContext;
+      this.projectCache = projectCache;
+      this.permissionBackend = permissionBackend;
     }
 
     @Override
@@ -236,23 +245,35 @@ class InProcessProtocol extends TestProtocol<Context> {
       // its original context anyway.
       threadContext.setContext(req);
       current.set(req);
+
       try {
-        ProjectControl ctl = projectControlFactory.controlFor(req.project, userProvider.get());
+        permissionBackend
-        if (!ctl.canRunUploadPack()) {
+            .user(userProvider)
+            .project(req.project)
+            .check(ProjectPermission.RUN_UPLOAD_PACK);
+      } catch (AuthException e) {
         throw new ServiceNotAuthorizedException();
+      } catch (PermissionBackendException e) {
+        throw new RuntimeException(e);
       }
 
+      ProjectState projectState;
+      try {
+        projectState = projectCache.checkedGet(req.project);
+      } catch (IOException e) {
+        throw new RuntimeException(e);
+      }
+      if (projectState == null) {
+        throw new RuntimeException("can't load project state for " + req.project.get());
+      }
       UploadPack up = new UploadPack(repo);
       up.setPackConfig(transferConfig.getPackConfig());
       up.setTimeout(transferConfig.getTimeout());
-        up.setAdvertiseRefsHook(refFilterFactory.create(ctl.getProjectState(), repo));
+      up.setAdvertiseRefsHook(refFilterFactory.create(projectState, repo));
       List<PreUploadHook> hooks = Lists.newArrayList(preUploadHooks);
-        hooks.add(uploadValidatorsFactory.create(ctl.getProject(), repo, "localhost-test"));
+      hooks.add(uploadValidatorsFactory.create(projectState.getProject(), repo, "localhost-test"));
       up.setPreUploadHook(PreUploadHookChain.newChain(hooks));
       return up;
-      } catch (NoSuchProjectException | IOException e) {
-        throw new RuntimeException(e);
-      }
     }
   }
 
@@ -264,6 +285,7 @@ class InProcessProtocol extends TestProtocol<Context> {
     private final DynamicSet<ReceivePackInitializer> receivePackInitializers;
     private final DynamicSet<PostReceiveHook> postReceiveHooks;
     private final ThreadLocalRequestContext threadContext;
+    private final PermissionBackend permissionBackend;
 
     @Inject
     Receive(
@@ -273,7 +295,8 @@ class InProcessProtocol extends TestProtocol<Context> {
         TransferConfig config,
         DynamicSet<ReceivePackInitializer> receivePackInitializers,
         DynamicSet<PostReceiveHook> postReceiveHooks,
-        ThreadLocalRequestContext threadContext) {
+        ThreadLocalRequestContext threadContext,
+        PermissionBackend permissionBackend) {
       this.userProvider = userProvider;
       this.projectControlFactory = projectControlFactory;
       this.factory = factory;
@@ -281,6 +304,7 @@ class InProcessProtocol extends TestProtocol<Context> {
       this.receivePackInitializers = receivePackInitializers;
       this.postReceiveHooks = postReceiveHooks;
       this.threadContext = threadContext;
+      this.permissionBackend = permissionBackend;
     }
 
     @Override
@@ -292,11 +316,17 @@ class InProcessProtocol extends TestProtocol<Context> {
       threadContext.setContext(req);
       current.set(req);
       try {
-        ProjectControl ctl = projectControlFactory.controlFor(req.project, userProvider.get());
+        permissionBackend
-        if (!ctl.canRunReceivePack()) {
+            .user(userProvider)
+            .project(req.project)
+            .check(ProjectPermission.RUN_RECEIVE_PACK);
+      } catch (AuthException e) {
         throw new ServiceNotAuthorizedException();
+      } catch (PermissionBackendException e) {
+        throw new RuntimeException(e);
       }
-
+      try {
+        ProjectControl ctl = projectControlFactory.controlFor(req.project, userProvider.get());
         AsyncReceiveCommits arc = factory.create(ctl, db, null, ImmutableSetMultimap.of());
         ReceivePack rp = arc.getReceivePack();
 

gerrit-httpd/src/main/java/com/google/gerrit/httpd/GitOverHttpServlet.java

@@ -234,13 +234,16 @@ public class GitOverHttpServlet extends GitServlet {
   static class UploadFilter implements Filter {
     private final VisibleRefFilter.Factory refFilterFactory;
     private final UploadValidators.Factory uploadValidatorsFactory;
+    private final PermissionBackend permissionBackend;
 
     @Inject
     UploadFilter(
         VisibleRefFilter.Factory refFilterFactory,
-        UploadValidators.Factory uploadValidatorsFactory) {
+        UploadValidators.Factory uploadValidatorsFactory,
+        PermissionBackend permissionBackend) {
       this.refFilterFactory = refFilterFactory;
       this.uploadValidatorsFactory = uploadValidatorsFactory;
+      this.permissionBackend = permissionBackend;
     }
 
     @Override
@@ -251,13 +254,20 @@ public class GitOverHttpServlet extends GitServlet {
       ProjectControl pc = (ProjectControl) request.getAttribute(ATT_CONTROL);
       UploadPack up = (UploadPack) request.getAttribute(ServletUtils.ATTRIBUTE_HANDLER);
 
-      if (!pc.canRunUploadPack()) {
+      try {
+        permissionBackend
+            .user(pc.getUser())
+            .project(pc.getProject().getNameKey())
+            .check(ProjectPermission.RUN_UPLOAD_PACK);
+      } catch (AuthException e) {
         GitSmartHttpTools.sendError(
             (HttpServletRequest) request,
             (HttpServletResponse) response,
             HttpServletResponse.SC_FORBIDDEN,
             "upload-pack not permitted on this server");
         return;
+      } catch (PermissionBackendException e) {
+        throw new ServletException(e);
       }
       // We use getRemoteHost() here instead of getRemoteAddr() because REMOTE_ADDR
       // may have been overridden by a proxy server -- we'll try to avoid this.
@@ -312,10 +322,14 @@ public class GitOverHttpServlet extends GitServlet {
 
   static class ReceiveFilter implements Filter {
     private final Cache<AdvertisedObjectsCacheKey, Set<ObjectId>> cache;
+    private final PermissionBackend permissionBackend;
 
     @Inject
-    ReceiveFilter(@Named(ID_CACHE) Cache<AdvertisedObjectsCacheKey, Set<ObjectId>> cache) {
+    ReceiveFilter(
+        @Named(ID_CACHE) Cache<AdvertisedObjectsCacheKey, Set<ObjectId>> cache,
+        PermissionBackend permissionBackend) {
       this.cache = cache;
+      this.permissionBackend = permissionBackend;
     }
 
     @Override
@@ -329,13 +343,20 @@ public class GitOverHttpServlet extends GitServlet {
       ProjectControl pc = (ProjectControl) request.getAttribute(ATT_CONTROL);
       Project.NameKey projectName = pc.getProject().getNameKey();
 
-      if (!pc.canRunReceivePack()) {
+      try {
+        permissionBackend
+            .user(pc.getUser())
+            .project(pc.getProject().getNameKey())
+            .check(ProjectPermission.RUN_RECEIVE_PACK);
+      } catch (AuthException e) {
         GitSmartHttpTools.sendError(
             (HttpServletRequest) request,
             (HttpServletResponse) response,
             HttpServletResponse.SC_FORBIDDEN,
             "receive-pack not permitted on this server");
         return;
+      } catch (PermissionBackendException e) {
+        throw new RuntimeException(e);
       }
 
       Capable s = arc.canUpload();

gerrit-server/src/main/java/com/google/gerrit/server/permissions/ProjectPermission.java

@@ -70,7 +70,13 @@ public enum ProjectPermission {
    *    .check(RefPermission.CREATE_CHANGE);
    * </pre>
    */
-  CREATE_CHANGE;
+  CREATE_CHANGE,
+
+  /** Can run receive pack. */
+  RUN_RECEIVE_PACK,
+
+  /** Can run upload pack. */
+  RUN_UPLOAD_PACK;
 
   private final String name;
 

gerrit-server/src/main/java/com/google/gerrit/server/project/ProjectControl.java

@@ -234,8 +234,13 @@ public class ProjectControl {
     return Capable.OK;
   }
 
+  /** Does this user have ownership on at least one reference name? */
+  public boolean isOwnerAnyRef() {
+    return canPerformOnAnyRef(Permission.OWNER) || isAdmin();
+  }
+
   /** Can the user run upload pack? */
-  public boolean canRunUploadPack() {
+  private boolean canRunUploadPack() {
     for (AccountGroup.UUID group : uploadGroups) {
       if (match(group)) {
         return true;
@@ -245,7 +250,7 @@ public class ProjectControl {
   }
 
   /** Can the user run receive pack? */
-  public boolean canRunReceivePack() {
+  private boolean canRunReceivePack() {
     for (AccountGroup.UUID group : receiveGroups) {
       if (match(group)) {
         return true;
@@ -521,6 +526,11 @@ public class ProjectControl {
           return canAddRefs();
         case CREATE_CHANGE:
           return canCreateChanges();
+
+        case RUN_RECEIVE_PACK:
+          return canRunReceivePack();
+        case RUN_UPLOAD_PACK:
+          return canRunUploadPack();
       }
       throw new PermissionBackendException(perm + " unsupported");
     }

gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/Receive.java

@@ -17,11 +17,15 @@ package com.google.gerrit.sshd.commands;
 import com.google.common.collect.MultimapBuilder;
 import com.google.common.collect.SetMultimap;
 import com.google.gerrit.common.data.Capable;
+import com.google.gerrit.extensions.restapi.AuthException;
 import com.google.gerrit.reviewdb.client.Account;
 import com.google.gerrit.server.IdentifiedUser;
 import com.google.gerrit.server.git.VisibleRefFilter;
 import com.google.gerrit.server.git.receive.AsyncReceiveCommits;
 import com.google.gerrit.server.notedb.ReviewerStateInternal;
+import com.google.gerrit.server.permissions.PermissionBackend;
+import com.google.gerrit.server.permissions.PermissionBackendException;
+import com.google.gerrit.server.permissions.ProjectPermission;
 import com.google.gerrit.sshd.AbstractGitCommand;
 import com.google.gerrit.sshd.CommandMetaData;
 import com.google.gerrit.sshd.SshSession;
@@ -51,6 +55,7 @@ final class Receive extends AbstractGitCommand {
   @Inject private AsyncReceiveCommits.Factory factory;
   @Inject private IdentifiedUser currentUser;
   @Inject private SshSession session;
+  @Inject private PermissionBackend permissionBackend;
 
   private final SetMultimap<ReviewerStateInternal, Account.Id> reviewers =
       MultimapBuilder.hashKeys(2).hashSetValues().build();
@@ -77,8 +82,15 @@ final class Receive extends AbstractGitCommand {
 
   @Override
   protected void runImpl() throws IOException, Failure {
-    if (!projectControl.canRunReceivePack()) {
+    try {
+      permissionBackend
+          .user(currentUser)
+          .project(project.getNameKey())
+          .check(ProjectPermission.RUN_RECEIVE_PACK);
+    } catch (AuthException e) {
       throw new Failure(1, "fatal: receive-pack not permitted on this server");
+    } catch (PermissionBackendException e) {
+      throw new Failure(1, "fatal: unable to check permissions " + e);
     }
 
     AsyncReceiveCommits arc = factory.create(projectControl, repo, null, reviewers);

gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/Upload.java

@@ -16,10 +16,14 @@ package com.google.gerrit.sshd.commands;
 
 import com.google.common.collect.Lists;
 import com.google.gerrit.extensions.registration.DynamicSet;
+import com.google.gerrit.extensions.restapi.AuthException;
 import com.google.gerrit.server.git.TransferConfig;
 import com.google.gerrit.server.git.VisibleRefFilter;
 import com.google.gerrit.server.git.validators.UploadValidationException;
 import com.google.gerrit.server.git.validators.UploadValidators;
+import com.google.gerrit.server.permissions.PermissionBackend;
+import com.google.gerrit.server.permissions.PermissionBackendException;
+import com.google.gerrit.server.permissions.ProjectPermission;
 import com.google.gerrit.sshd.AbstractGitCommand;
 import com.google.gerrit.sshd.SshSession;
 import com.google.inject.Inject;
@@ -39,11 +43,19 @@ final class Upload extends AbstractGitCommand {
   @Inject private DynamicSet<PostUploadHook> postUploadHooks;
   @Inject private UploadValidators.Factory uploadValidatorsFactory;
   @Inject private SshSession session;
+  @Inject private PermissionBackend permissionBackend;
 
   @Override
   protected void runImpl() throws IOException, Failure {
-    if (!projectControl.canRunUploadPack()) {
+    try {
+      permissionBackend
+          .user(projectControl.getUser())
+          .project(projectControl.getProject().getNameKey())
+          .check(ProjectPermission.RUN_UPLOAD_PACK);
+    } catch (AuthException e) {
       throw new Failure(1, "fatal: upload-pack not permitted on this server");
+    } catch (PermissionBackendException e) {
+      throw new Failure(1, "fatal: unable to check permissions " + e);
     }
 
     final UploadPack up = new UploadPack(repo);