ACLs for superproject subscriptions

This allows submodules of the superproject subscription feature to specify fine grained, who is allowed to subscribe to it. See Documentation/user-submodules.txt for the changed handling of subscriptions. The current tests were kept closely as-is, just enabling the subscription feature. New tests have been written to test for the denial of superproject subscriptions. As of this change the superproject subscription table which was an approximate cache for the subscriptions is dropped, and the superproject subscription is performed as * parse the submodule ACL for potential superprojects * check the .gitmodules file in all potential superprojects for a real subscription * perform the superproject update if the supscription is valid The cache worked semi-reliable (e.g. 2015-04-28 Submodule Subscriptions: Remove subscriptions by deleting .gitmodules, I1eaf452d5499397644e8eea3707a1352af89126d), so drop the cache and trade in correctness over performance. Bug: Issue 3311 Change-Id: Id74dc5a34a50b336a22005c96b79f3c4688a36ec Signed-off-by: Stefan Beller <sbeller@google.com>
2016-03-21 12:14:58 -07:00
parent 8cc252ef0c
commit c62f9fe511
23 changed files with 723 additions and 359 deletions
--- a/gerrit-reviewdb/src/main/java/com/google/gerrit/reviewdb/server/ReviewDb.java
+++ b/gerrit-reviewdb/src/main/java/com/google/gerrit/reviewdb/server/ReviewDb.java
@@ -96,8 +96,7 @@ public interface ReviewDb extends Schema {
  @Relation(id = 26)
  PatchLineCommentAccess patchComments();

-  @Relation(id = 28)
-  SubmoduleSubscriptionAccess submoduleSubscriptions();
+  // Deleted @Relation(id = 28)

  @Relation(id = 29)
  AccountGroupByIdAccess accountGroupById();
--- a/gerrit-reviewdb/src/main/java/com/google/gerrit/reviewdb/server/ReviewDbWrapper.java
+++ b/gerrit-reviewdb/src/main/java/com/google/gerrit/reviewdb/server/ReviewDbWrapper.java
@@ -153,11 +153,6 @@ public class ReviewDbWrapper implements ReviewDb {
    return delegate.patchComments();
  }

-  @Override
-  public SubmoduleSubscriptionAccess submoduleSubscriptions() {
-    return delegate.submoduleSubscriptions();
-  }
-
  @Override
  public AccountGroupByIdAccess accountGroupById() {
    return delegate.accountGroupById();
--- a/gerrit-reviewdb/src/main/java/com/google/gerrit/reviewdb/server/SubmoduleSubscriptionAccess.java
+++ b/gerrit-reviewdb/src/main/java/com/google/gerrit/reviewdb/server/SubmoduleSubscriptionAccess.java
@@ -1,71 +0,0 @@
-// Copyright (C) 2011 The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package com.google.gerrit.reviewdb.server;
-
-import com.google.gerrit.reviewdb.client.Branch;
-import com.google.gerrit.reviewdb.client.Project;
-import com.google.gerrit.reviewdb.client.SubmoduleSubscription;
-import com.google.gwtorm.server.Access;
-import com.google.gwtorm.server.OrmException;
-import com.google.gwtorm.server.PrimaryKey;
-import com.google.gwtorm.server.Query;
-import com.google.gwtorm.server.ResultSet;
-
-public interface SubmoduleSubscriptionAccess extends
-    Access<SubmoduleSubscription, SubmoduleSubscription.Key> {
-  @Override
-  @PrimaryKey("key")
-  SubmoduleSubscription get(SubmoduleSubscription.Key key) throws OrmException;
-
-  @Query("WHERE key.superProject = ?")
-  ResultSet<SubmoduleSubscription> bySuperProject(Branch.NameKey superProject)
-      throws OrmException;
-
-  /**
-   * Fetches all {@code SubmoduleSubscription}s in which some branch of
-   * {@code superProject} subscribes a branch.
-   *
-   * Use {@link #bySuperProject(Branch.NameKey)} to fetch for a branch instead
-   * of a project.
-   *
-   * @param superProject the project to fetch subscriptions for
-   * @return {@code SubmoduleSubscription}s that are subscribed by some
-   * branch of {@code superProject}.
-   * @throws OrmException
-   */
-  @Query("WHERE key.superProject.projectName = ?")
-  ResultSet<SubmoduleSubscription> bySuperProjectProject(Project.NameKey superProject)
-      throws OrmException;
-
-  @Query("WHERE submodule = ?")
-  ResultSet<SubmoduleSubscription> bySubmodule(Branch.NameKey submodule)
-      throws OrmException;
-
-  /**
-   * Fetches all {@code SubmoduleSubscription}s in which some branch of
-   * {@code submodule} is subscribed.
-   *
-   * Use {@link #bySubmodule(Branch.NameKey)} to fetch for a branch instead of
-   * a project.
-   *
-   * @param submodule the project to fetch subscriptions for.
-   * @return {@code SubmoduleSubscription}s that subscribe some branch of
-   * {@code submodule}.
-   * @throws OrmException
-   */
-  @Query("WHERE submodule.projectName = ?")
-  ResultSet<SubmoduleSubscription> bySubmoduleProject(Project.NameKey submodule)
-      throws OrmException;
-}