Make SetAccessUtil#validateChanges respect plugin capabilities

Bug: Issue 8465
Change-Id: Ic601d542a89310ef1df0360aed962a146e44bcc5
This commit is contained in:
Patrick Hiesel
2018-04-03 15:37:10 +02:00
parent 3c0c757094
commit cf57d19f05
5 changed files with 116 additions and 20 deletions

View File

@@ -273,7 +273,7 @@ public class PermissionEditor extends Composite
lt.getMin().getValue(), lt.getMin().getValue(),
lt.getMax().getValue()); lt.getMax().getValue());
} }
} else if (GlobalCapability.isCapability(value.getName())) { } else if (GlobalCapability.isGlobalCapability(value.getName())) {
validRange = GlobalCapability.getRange(value.getName()); validRange = GlobalCapability.getRange(value.getName());
} else { } else {

View File

@@ -156,7 +156,7 @@ public class GlobalCapability {
} }
/** @return true if the name is recognized as a capability name. */ /** @return true if the name is recognized as a capability name. */
public static boolean isCapability(String varName) { public static boolean isGlobalCapability(String varName) {
return NAMES_LC.contains(varName.toLowerCase()); return NAMES_LC.contains(varName.toLowerCase());
} }

View File

@@ -14,6 +14,7 @@
package com.google.gerrit.server.restapi.config; package com.google.gerrit.server.restapi.config;
import com.google.common.collect.ImmutableMap;
import com.google.gerrit.common.data.GlobalCapability; import com.google.gerrit.common.data.GlobalCapability;
import com.google.gerrit.extensions.config.CapabilityDefinition; import com.google.gerrit.extensions.config.CapabilityDefinition;
import com.google.gerrit.extensions.registration.DynamicMap; import com.google.gerrit.extensions.registration.DynamicMap;
@@ -23,8 +24,8 @@ import com.google.gerrit.server.config.ConfigResource;
import com.google.inject.Inject; import com.google.inject.Inject;
import com.google.inject.Provider; import com.google.inject.Provider;
import com.google.inject.Singleton; import com.google.inject.Singleton;
import java.util.HashMap;
import java.util.Map; import java.util.Map;
import java.util.TreeMap;
import java.util.regex.Pattern; import java.util.regex.Pattern;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
@@ -45,23 +46,14 @@ public class ListCapabilities implements RestReadView<ConfigResource> {
@Override @Override
public Map<String, CapabilityInfo> apply(ConfigResource resource) public Map<String, CapabilityInfo> apply(ConfigResource resource)
throws IllegalAccessException, NoSuchFieldException { throws IllegalAccessException, NoSuchFieldException {
Map<String, CapabilityInfo> output = new TreeMap<>(); return ImmutableMap.<String, CapabilityInfo>builder()
collectCoreCapabilities(output); .putAll(collectCoreCapabilities())
collectPluginCapabilities(output); .putAll(collectPluginCapabilities())
return output; .build();
} }
private void collectCoreCapabilities(Map<String, CapabilityInfo> output) public Map<String, CapabilityInfo> collectPluginCapabilities() {
throws IllegalAccessException, NoSuchFieldException { Map<String, CapabilityInfo> output = new HashMap<>();
Class<? extends CapabilityConstants> bundleClass = CapabilityConstants.get().getClass();
CapabilityConstants c = CapabilityConstants.get();
for (String id : GlobalCapability.getAllNames()) {
String name = (String) bundleClass.getField(id).get(c);
output.put(id, new CapabilityInfo(id, name));
}
}
private void collectPluginCapabilities(Map<String, CapabilityInfo> output) {
for (String pluginName : pluginCapabilities.plugins()) { for (String pluginName : pluginCapabilities.plugins()) {
if (!PLUGIN_NAME_PATTERN.matcher(pluginName).matches()) { if (!PLUGIN_NAME_PATTERN.matcher(pluginName).matches()) {
log.warn( log.warn(
@@ -76,6 +68,19 @@ public class ListCapabilities implements RestReadView<ConfigResource> {
output.put(id, new CapabilityInfo(id, entry.getValue().get().getDescription())); output.put(id, new CapabilityInfo(id, entry.getValue().get().getDescription()));
} }
} }
return output;
}
private Map<String, CapabilityInfo> collectCoreCapabilities()
throws IllegalAccessException, NoSuchFieldException {
Map<String, CapabilityInfo> output = new HashMap<>();
Class<? extends CapabilityConstants> bundleClass = CapabilityConstants.get().getClass();
CapabilityConstants c = CapabilityConstants.get();
for (String id : GlobalCapability.getAllNames()) {
String name = (String) bundleClass.getField(id).get(c);
output.put(id, new CapabilityInfo(id, name));
}
return output;
} }
public static class CapabilityInfo { public static class CapabilityInfo {

View File

@@ -35,6 +35,7 @@ import com.google.gerrit.server.config.AllProjectsName;
import com.google.gerrit.server.git.ProjectConfig; import com.google.gerrit.server.git.ProjectConfig;
import com.google.gerrit.server.permissions.PermissionBackendException; import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gerrit.server.project.RefPattern; import com.google.gerrit.server.project.RefPattern;
import com.google.gerrit.server.restapi.config.ListCapabilities;
import com.google.gerrit.server.restapi.group.GroupsCollection; import com.google.gerrit.server.restapi.group.GroupsCollection;
import com.google.inject.Inject; import com.google.inject.Inject;
import com.google.inject.Provider; import com.google.inject.Provider;
@@ -43,21 +44,25 @@ import java.util.ArrayList;
import java.util.Collections; import java.util.Collections;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.Set;
@Singleton @Singleton
public class SetAccessUtil { public class SetAccessUtil {
private final GroupsCollection groupsCollection; private final GroupsCollection groupsCollection;
private final AllProjectsName allProjects; private final AllProjectsName allProjects;
private final Provider<SetParent> setParent; private final Provider<SetParent> setParent;
private final ListCapabilities listCapabilities;
@Inject @Inject
private SetAccessUtil( private SetAccessUtil(
GroupsCollection groupsCollection, GroupsCollection groupsCollection,
AllProjectsName allProjects, AllProjectsName allProjects,
Provider<SetParent> setParent) { Provider<SetParent> setParent,
ListCapabilities listCapabilities) {
this.groupsCollection = groupsCollection; this.groupsCollection = groupsCollection;
this.allProjects = allProjects; this.allProjects = allProjects;
this.setParent = setParent; this.setParent = setParent;
this.listCapabilities = listCapabilities;
} }
List<AccessSection> getAccessSections(Map<String, AccessSectionInfo> sectionInfos) List<AccessSection> getAccessSections(Map<String, AccessSectionInfo> sectionInfos)
@@ -148,7 +153,7 @@ public class SetAccessUtil {
} else { } else {
// Check all permissions for soundness // Check all permissions for soundness
for (Permission p : section.getPermissions()) { for (Permission p : section.getPermissions()) {
if (!GlobalCapability.isCapability(p.getName())) { if (!isCapability(p.getName())) {
throw new BadRequestException( throw new BadRequestException(
"Cannot add non-global capability " + p.getName() + " to global capabilities"); "Cannot add non-global capability " + p.getName() + " to global capabilities");
} }
@@ -234,4 +239,12 @@ public class SetAccessUtil {
config.getProject().setParentName(newParentProjectName); config.getProject().setParentName(newParentProjectName);
} }
} }
private boolean isCapability(String name) {
if (GlobalCapability.isGlobalCapability(name)) {
return true;
}
Set<String> pluginCapabilities = listCapabilities.collectPluginCapabilities().keySet();
return pluginCapabilities.contains(name);
}
} }

View File

@@ -0,0 +1,78 @@
// Copyright (C) 2018 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package com.google.gerrit.acceptance.rest.project;
import static com.google.common.truth.Truth.assertThat;
import com.google.common.collect.ImmutableMap;
import com.google.gerrit.acceptance.AbstractDaemonTest;
import com.google.gerrit.common.data.AccessSection;
import com.google.gerrit.extensions.annotations.Exports;
import com.google.gerrit.extensions.api.access.AccessSectionInfo;
import com.google.gerrit.extensions.api.access.PermissionInfo;
import com.google.gerrit.extensions.api.access.PermissionRuleInfo;
import com.google.gerrit.extensions.api.access.ProjectAccessInfo;
import com.google.gerrit.extensions.api.access.ProjectAccessInput;
import com.google.gerrit.extensions.config.CapabilityDefinition;
import com.google.gerrit.server.group.SystemGroupBackend;
import com.google.inject.AbstractModule;
import com.google.inject.Module;
import org.junit.Test;
public class PluginAccessIT extends AbstractDaemonTest {
private static final String CORE_PLUGIN_PREFIX = "gerrit-";
private static final String PLUGIN_CAPABILITY = "printHello";
@Override
public Module createModule() {
return new AbstractModule() {
@Override
protected void configure() {
bind(CapabilityDefinition.class)
.annotatedWith(Exports.named(PLUGIN_CAPABILITY))
.toInstance(
new CapabilityDefinition() {
@Override
public String getDescription() {
return "Print Hello";
}
});
}
};
}
@Test
public void addPluginCapability() throws Exception {
ProjectAccessInput accessInput = new ProjectAccessInput();
AccessSectionInfo accessSectionInfo = new AccessSectionInfo();
PermissionInfo email = new PermissionInfo(null, null);
PermissionRuleInfo pri = new PermissionRuleInfo(PermissionRuleInfo.Action.ALLOW, false);
email.rules = ImmutableMap.of(SystemGroupBackend.REGISTERED_USERS.get(), pri);
accessSectionInfo.permissions = ImmutableMap.of(CORE_PLUGIN_PREFIX + PLUGIN_CAPABILITY, email);
accessInput.add = ImmutableMap.of(AccessSection.GLOBAL_CAPABILITIES, accessSectionInfo);
ProjectAccessInfo updatedAccessSectionInfo =
gApi.projects().name(allProjects.get()).access(accessInput);
assertThat(
updatedAccessSectionInfo
.local
.get(AccessSection.GLOBAL_CAPABILITIES)
.permissions
.keySet())
.containsAllIn(accessSectionInfo.permissions.keySet());
}
}