Diffstat (limited to 'java/com/google/gerrit/server/account/CapabilityCollection.java')
-rw-r--r--java/com/google/gerrit/server/account/CapabilityCollection.java155
1 files changed, 155 insertions, 0 deletions
diff --git a/java/com/google/gerrit/server/account/CapabilityCollection.java b/java/com/google/gerrit/server/account/CapabilityCollection.java
new file mode 100644
index 0000000000..1abc33f726
--- /dev/null
+++ b/java/com/google/gerrit/server/account/CapabilityCollection.java
@@ -0,0 +1,155 @@
+// Copyright (C) 2011 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.gerrit.server.account;
+
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
+import com.google.gerrit.common.Nullable;
+import com.google.gerrit.common.data.AccessSection;
+import com.google.gerrit.common.data.GlobalCapability;
+import com.google.gerrit.common.data.GroupReference;
+import com.google.gerrit.common.data.Permission;
+import com.google.gerrit.common.data.PermissionRange;
+import com.google.gerrit.common.data.PermissionRule;
+import com.google.gerrit.server.config.AdministrateServerGroups;
+import com.google.gerrit.server.group.SystemGroupBackend;
+import com.google.inject.Inject;
+import com.google.inject.assistedinject.Assisted;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+/** Caches active {@link GlobalCapability} set for a site. */
+public class CapabilityCollection {
+ public interface Factory {
+ CapabilityCollection create(@Nullable AccessSection section);
+ }
+
+ private final SystemGroupBackend systemGroupBackend;
+ private final ImmutableMap<String, ImmutableList<PermissionRule>> permissions;
+
+ public final ImmutableList<PermissionRule> administrateServer;
+ public final ImmutableList<PermissionRule> batchChangesLimit;
+ public final ImmutableList<PermissionRule> emailReviewers;
+ public final ImmutableList<PermissionRule> priority;
+ public final ImmutableList<PermissionRule> readAs;
+ public final ImmutableList<PermissionRule> queryLimit;
+ public final ImmutableList<PermissionRule> createGroup;
+
+ @Inject
+ CapabilityCollection(
+ SystemGroupBackend systemGroupBackend,
+ @AdministrateServerGroups ImmutableSet<GroupReference> admins,
+ @Assisted @Nullable AccessSection section) {
+ this.systemGroupBackend = systemGroupBackend;
+
+ if (section == null) {
+ section = new AccessSection(AccessSection.GLOBAL_CAPABILITIES);
+ }
+
+ Map<String, List<PermissionRule>> tmp = new HashMap<>();
+ for (Permission permission : section.getPermissions()) {
+ for (PermissionRule rule : permission.getRules()) {
+ if (!permission.getName().equals(GlobalCapability.EMAIL_REVIEWERS)
+ && rule.getAction() == PermissionRule.Action.DENY) {
+ continue;
+ }
+
+ List<PermissionRule> r = tmp.get(permission.getName());
+ if (r == null) {
+ r = new ArrayList<>(2);
+ tmp.put(permission.getName(), r);
+ }
+ r.add(rule);
+ }
+ }
+ configureDefaults(tmp, section);
+ if (!tmp.containsKey(GlobalCapability.ADMINISTRATE_SERVER) && !admins.isEmpty()) {
+ tmp.put(GlobalCapability.ADMINISTRATE_SERVER, ImmutableList.<PermissionRule>of());
+ }
+
+ ImmutableMap.Builder<String, ImmutableList<PermissionRule>> m = ImmutableMap.builder();
+ for (Map.Entry<String, List<PermissionRule>> e : tmp.entrySet()) {
+ List<PermissionRule> rules = e.getValue();
+ if (GlobalCapability.ADMINISTRATE_SERVER.equals(e.getKey())) {
+ rules = mergeAdmin(admins, rules);
+ }
+ m.put(e.getKey(), ImmutableList.copyOf(rules));
+ }
+ permissions = m.build();
+
+ administrateServer = getPermission(GlobalCapability.ADMINISTRATE_SERVER);
+ batchChangesLimit = getPermission(GlobalCapability.BATCH_CHANGES_LIMIT);
+ emailReviewers = getPermission(GlobalCapability.EMAIL_REVIEWERS);
+ priority = getPermission(GlobalCapability.PRIORITY);
+ readAs = getPermission(GlobalCapability.READ_AS);
+ queryLimit = getPermission(GlobalCapability.QUERY_LIMIT);
+ createGroup = getPermission(GlobalCapability.CREATE_GROUP);
+ }
+
+ private static List<PermissionRule> mergeAdmin(
+ Set<GroupReference> admins, List<PermissionRule> rules) {
+ if (admins.isEmpty()) {
+ return rules;
+ }
+
+ List<PermissionRule> r = new ArrayList<>(admins.size() + rules.size());
+ for (GroupReference g : admins) {
+ r.add(new PermissionRule(g));
+ }
+ for (PermissionRule rule : rules) {
+ if (!admins.contains(rule.getGroup())) {
+ r.add(rule);
+ }
+ }
+ return r;
+ }
+
+ public ImmutableList<PermissionRule> getPermission(String permissionName) {
+ ImmutableList<PermissionRule> r = permissions.get(permissionName);
+ return r != null ? r : ImmutableList.<PermissionRule>of();
+ }
+
+ private void configureDefaults(Map<String, List<PermissionRule>> out, AccessSection section) {
+ configureDefault(
+ out,
+ section,
+ GlobalCapability.QUERY_LIMIT,
+ systemGroupBackend.getGroup(SystemGroupBackend.ANONYMOUS_USERS));
+ }
+
+ private static void configureDefault(
+ Map<String, List<PermissionRule>> out,
+ AccessSection section,
+ String capName,
+ GroupReference group) {
+ if (doesNotDeclare(section, capName)) {
+ PermissionRange.WithDefaults range = GlobalCapability.getRange(capName);
+ if (range != null) {
+ PermissionRule rule = new PermissionRule(group);
+ rule.setRange(range.getDefaultMin(), range.getDefaultMax());
+ out.put(capName, Collections.singletonList(rule));
+ }
+ }
+ }
+
+ private static boolean doesNotDeclare(AccessSection section, String capName) {
+ return section.getPermission(capName) == null;
+ }
+}
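Review bot: The constructor loop silently discards every DENY rule except those on `GlobalCapability.EMAIL_REVIEWERS` (the `continue` guarded by `rule.getAction() == PermissionRule.Action.DENY`), and nothing in the file documents this. An administrator who writes a deny rule for any other global capability therefore gets no effect and no warning. A comment above that check would make the contract explicit, for example `// DENY is only honoured for emailReviewers; on any other capability a DENY rule is dropped here and never evaluated.` Similarly, `mergeAdmin` skips every configured rule whose group is in `admins` and adds a fresh `new PermissionRule(g)` instead, so whatever action or range the section set for that group is not carried over. If that is meant as a lockout guard, a short Javadoc on `mergeAdmin` should say so.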