Add debug logs for global capability checks that show up in trace

For debugging some permission issues it is important to know which global capabilities the user has. Make this information available in traces. Example log entries: [2018-08-30 16:03:30,264] [HTTP-76] TRACE com.google.gerrit.server.permissions.DefaultPermissionBackend : user admin doesn't have global capability modifyAccount [CONTEXT forced=true TRACE_ID="1535637810246-3985dfba" ] [2018-08-30 16:03:30,264] [HTTP-76] TRACE com.google.gerrit.server.permissions.DefaultPermissionBackend : user admin can administrator the server [CONTEXT forced=true TRACE_ID="1535637810246-3985dfba" ] Change-Id: Iabe8a34629830b3ee51e4ee8d32e6fbaf2337246 Signed-off-by: Edwin Kempin <ekempin@google.com>
2018-08-30 16:05:08 +02:00
parent fd6f6cb1e7
commit eacec2dfb9
1 changed files with 33 additions and 2 deletions
--- a/java/com/google/gerrit/server/permissions/DefaultPermissionBackend.java
+++ b/java/com/google/gerrit/server/permissions/DefaultPermissionBackend.java
@@ -19,6 +19,7 @@ import static com.google.gerrit.server.permissions.DefaultPermissionMappings.glo
 import static java.util.stream.Collectors.toSet;
 import com.google.common.collect.Sets;
 import com.google.common.flogger.FluentLogger;
 import com.google.gerrit.common.data.PermissionRule;
 import com.google.gerrit.common.data.PermissionRule.Action;
 import com.google.gerrit.extensions.api.access.GlobalOrPluginPermission;
@@ -46,6 +47,8 @@ import java.util.Set;
@Singleton
 public class DefaultPermissionBackend extends PermissionBackend {
  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
  private static final CurrentUser.PropertyKey<Boolean> IS_ADMIN = CurrentUser.PropertyKey.create();
  private final Provider<CurrentUser> currentUser;
@@ -186,6 +189,13 @@ public class DefaultPermissionBackend extends PermissionBackend {
    private boolean isAdmin() {
      if (admin == null) {
        admin = computeAdmin();
        if (admin) {
          logger.atFinest().log(
              "user %s is an administrator of the server", user.getLoggableName());
        } else {
          logger.atFinest().log(
              "user %s is not an administrator of the server", user.getLoggableName());
        }
      }
      return admin;
    }
@@ -210,11 +220,32 @@ public class DefaultPermissionBackend extends PermissionBackend {
    private boolean canEmailReviewers() {
      List<PermissionRule> email = capabilities().emailReviewers;
-      return allow(email) || notDenied(email);
+      if (allow(email)) {
        logger.atFinest().log(
            "user %s can email reviewers (allowed by %s)", user.getLoggableName(), email);
        return true;
      }
      if (notDenied(email)) {
        logger.atFinest().log(
            "user %s can email reviewers (not denied by %s)", user.getLoggableName(), email);
        return true;
      }
      logger.atFinest().log("user %s cannot email reviewers", user.getLoggableName());
      return false;
    }
    private boolean has(String permissionName) {
-      return allow(capabilities().getPermission(checkNotNull(permissionName)));
+      boolean has = allow(capabilities().getPermission(checkNotNull(permissionName)));
      if (has) {
        logger.atFinest().log(
            "user %s has global capability %s", user.getLoggableName(), permissionName);
      } else {
        logger.atFinest().log(
            "user %s doesn't have global capability %s", user.getLoggableName(), permissionName);
      }
      return has;
    }
    private boolean allow(Collection<PermissionRule> rules) {