Line data Source code
1 : // Copyright (C) 2013 The Android Open Source Project
2 : //
3 : // Licensed under the Apache License, Version 2.0 (the "License");
4 : // you may not use this file except in compliance with the License.
5 : // You may obtain a copy of the License at
6 : //
7 : // http://www.apache.org/licenses/LICENSE-2.0
8 : //
9 : // Unless required by applicable law or agreed to in writing, software
10 : // distributed under the License is distributed on an "AS IS" BASIS,
11 : // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 : // See the License for the specific language governing permissions and
13 : // limitations under the License.
14 :
15 : package com.google.gerrit.server.schema;
16 :
17 : import static com.google.common.base.Preconditions.checkArgument;
18 : import static com.google.gerrit.entities.RefNames.REFS_SEQUENCES;
19 : import static com.google.gerrit.server.group.SystemGroupBackend.ANONYMOUS_USERS;
20 : import static com.google.gerrit.server.group.SystemGroupBackend.PROJECT_OWNERS;
21 : import static com.google.gerrit.server.group.SystemGroupBackend.REGISTERED_USERS;
22 : import static com.google.gerrit.server.schema.AclUtil.grant;
23 : import static com.google.gerrit.server.schema.AclUtil.rule;
24 :
25 : import com.google.gerrit.common.Version;
26 : import com.google.gerrit.common.data.GlobalCapability;
27 : import com.google.gerrit.entities.AccessSection;
28 : import com.google.gerrit.entities.GroupReference;
29 : import com.google.gerrit.entities.LabelType;
30 : import com.google.gerrit.entities.Permission;
31 : import com.google.gerrit.entities.PermissionRule.Action;
32 : import com.google.gerrit.entities.RefNames;
33 : import com.google.gerrit.server.GerritPersonIdent;
34 : import com.google.gerrit.server.config.AllProjectsName;
35 : import com.google.gerrit.server.extensions.events.GitReferenceUpdated;
36 : import com.google.gerrit.server.git.GitRepositoryManager;
37 : import com.google.gerrit.server.git.meta.MetaDataUpdate;
38 : import com.google.gerrit.server.group.SystemGroupBackend;
39 : import com.google.gerrit.server.notedb.RepoSequence;
40 : import com.google.gerrit.server.notedb.Sequences;
41 : import com.google.gerrit.server.project.ProjectConfig;
42 : import com.google.inject.Inject;
43 : import java.io.IOException;
44 : import org.eclipse.jgit.errors.ConfigInvalidException;
45 : import org.eclipse.jgit.errors.RepositoryNotFoundException;
46 : import org.eclipse.jgit.lib.BatchRefUpdate;
47 : import org.eclipse.jgit.lib.Constants;
48 : import org.eclipse.jgit.lib.NullProgressMonitor;
49 : import org.eclipse.jgit.lib.ObjectInserter;
50 : import org.eclipse.jgit.lib.PersonIdent;
51 : import org.eclipse.jgit.lib.RefUpdate;
52 : import org.eclipse.jgit.lib.Repository;
53 : import org.eclipse.jgit.revwalk.RevWalk;
54 : import org.eclipse.jgit.transport.ReceiveCommand;
55 :
56 : /** Creates the {@code All-Projects} repository and initial ACLs. */
57 : public class AllProjectsCreator {
58 : private final GitRepositoryManager repositoryManager;
59 : private final AllProjectsName allProjectsName;
60 : private final PersonIdent serverUser;
61 : private final NoteDbSchemaVersionManager versionManager;
62 : private final ProjectConfig.Factory projectConfigFactory;
63 : private final GroupReference anonymous;
64 : private final GroupReference registered;
65 : private final GroupReference owners;
66 :
67 : @Inject
68 : AllProjectsCreator(
69 : GitRepositoryManager repositoryManager,
70 : AllProjectsName allProjectsName,
71 : @GerritPersonIdent PersonIdent serverUser,
72 : NoteDbSchemaVersionManager versionManager,
73 : SystemGroupBackend systemGroupBackend,
74 151 : ProjectConfig.Factory projectConfigFactory) {
75 151 : this.repositoryManager = repositoryManager;
76 151 : this.allProjectsName = allProjectsName;
77 151 : this.serverUser = serverUser;
78 151 : this.versionManager = versionManager;
79 151 : this.projectConfigFactory = projectConfigFactory;
80 :
81 151 : this.anonymous = systemGroupBackend.getGroup(ANONYMOUS_USERS);
82 151 : this.registered = systemGroupBackend.getGroup(REGISTERED_USERS);
83 151 : this.owners = systemGroupBackend.getGroup(PROJECT_OWNERS);
84 151 : }
85 :
86 : public void create(AllProjectsInput input) throws IOException, ConfigInvalidException {
87 1 : try (Repository git = repositoryManager.openRepository(allProjectsName)) {
88 1 : initAllProjects(git, input);
89 151 : } catch (RepositoryNotFoundException notFound) {
90 : // A repository may be missing if this project existed only to store
91 : // inheritable permissions. For example 'All-Projects'.
92 151 : try (Repository git = repositoryManager.createRepository(allProjectsName)) {
93 151 : initAllProjects(git, input);
94 151 : RefUpdate u = git.updateRef(Constants.HEAD);
95 151 : u.link(RefNames.REFS_CONFIG);
96 0 : } catch (RepositoryNotFoundException err) {
97 0 : String name = allProjectsName.get();
98 0 : throw new IOException("Cannot create repository " + name, err);
99 151 : }
100 1 : }
101 151 : }
102 :
103 : private void initAllProjects(Repository git, AllProjectsInput input)
104 : throws ConfigInvalidException, IOException {
105 151 : BatchRefUpdate bru = git.getRefDatabase().newBatchUpdate();
106 151 : try (MetaDataUpdate md =
107 : new MetaDataUpdate(GitReferenceUpdated.DISABLED, allProjectsName, git, bru)) {
108 151 : md.getCommitBuilder().setAuthor(serverUser);
109 151 : md.getCommitBuilder().setCommitter(serverUser);
110 151 : md.setMessage(
111 151 : input.commitMessage().isPresent()
112 0 : ? input.commitMessage().get()
113 151 : : "Initialized Gerrit Code Review " + Version.getVersion());
114 :
115 : // init basic project configs.
116 151 : ProjectConfig config = projectConfigFactory.read(md);
117 151 : config.updateProject(
118 : p -> {
119 151 : p.setDescription(
120 151 : input.projectDescription().orElse("Access inherited by all other projects."));
121 : // init boolean project configs.
122 151 : input.booleanProjectConfigs().forEach(p::setBooleanConfig);
123 151 : });
124 :
125 : // init labels.
126 151 : input.codeReviewLabel().ifPresent(codeReviewLabel -> config.upsertLabelType(codeReviewLabel));
127 :
128 151 : if (input.initDefaultAcls()) {
129 : // init access sections.
130 151 : initDefaultAcls(config, input);
131 : }
132 :
133 : // commit all the above configs as a commit in "refs/meta/config" branch of the All-Projects.
134 151 : config.commitToNewRef(md, RefNames.REFS_CONFIG);
135 :
136 : // init sequence number.
137 151 : initSequences(git, bru, input.firstChangeIdForNoteDb());
138 :
139 : // init schema
140 151 : versionManager.init();
141 :
142 151 : execute(git, bru);
143 : }
144 151 : }
145 :
146 : private void initDefaultAcls(ProjectConfig config, AllProjectsInput input) {
147 151 : checkArgument(input.codeReviewLabel().isPresent());
148 151 : LabelType codeReviewLabel = input.codeReviewLabel().get();
149 :
150 151 : config.upsertAccessSection(
151 : AccessSection.HEADS,
152 151 : heads -> initDefaultAclsForRegisteredUsers(heads, codeReviewLabel, config));
153 :
154 151 : config.upsertAccessSection(
155 : AccessSection.GLOBAL_CAPABILITIES,
156 : capabilities ->
157 151 : input
158 151 : .serviceUsersGroup()
159 151 : .ifPresent(
160 : batchUsersGroup ->
161 151 : initDefaultAclsForBatchUsers(capabilities, config, batchUsersGroup)));
162 :
163 151 : input
164 151 : .administratorsGroup()
165 151 : .ifPresent(adminsGroup -> initDefaultAclsForAdmins(config, codeReviewLabel, adminsGroup));
166 151 : }
167 :
168 : private void initDefaultAclsForRegisteredUsers(
169 : AccessSection.Builder heads, LabelType codeReviewLabel, ProjectConfig config) {
170 151 : config.upsertAccessSection(
171 151 : "refs/for/*", refsFor -> grant(config, refsFor, Permission.ADD_PATCH_SET, registered));
172 :
173 151 : config.upsertAccessSection(
174 151 : "refs/meta/version", version -> grant(config, version, Permission.READ, anonymous));
175 :
176 151 : grant(config, heads, codeReviewLabel, -1, 1, registered);
177 151 : grant(config, heads, Permission.FORGE_AUTHOR, registered);
178 151 : grant(config, heads, Permission.READ, anonymous);
179 151 : grant(config, heads, Permission.REVERT, registered);
180 :
181 151 : config.upsertAccessSection(
182 : "refs/for/" + AccessSection.ALL,
183 : magic -> {
184 151 : grant(config, magic, Permission.PUSH, registered);
185 151 : grant(config, magic, Permission.PUSH_MERGE, registered);
186 151 : });
187 151 : }
188 :
189 : private void initDefaultAclsForBatchUsers(
190 : AccessSection.Builder capabilities, ProjectConfig config, GroupReference batchUsersGroup) {
191 151 : Permission.Builder priority = capabilities.upsertPermission(GlobalCapability.PRIORITY);
192 151 : priority.add(rule(config, batchUsersGroup).setAction(Action.BATCH));
193 :
194 151 : Permission.Builder stream = capabilities.upsertPermission(GlobalCapability.STREAM_EVENTS);
195 151 : stream.add(rule(config, batchUsersGroup));
196 151 : }
197 :
198 : private void initDefaultAclsForAdmins(
199 : ProjectConfig config, LabelType codeReviewLabel, GroupReference adminsGroup) {
200 151 : config.upsertAccessSection(
201 : AccessSection.GLOBAL_CAPABILITIES,
202 : capabilities ->
203 151 : grant(config, capabilities, GlobalCapability.ADMINISTRATE_SERVER, adminsGroup));
204 :
205 151 : config.upsertAccessSection(
206 151 : AccessSection.ALL, all -> grant(config, all, Permission.READ, adminsGroup));
207 :
208 151 : config.upsertAccessSection(
209 : AccessSection.HEADS,
210 : heads -> {
211 151 : grant(config, heads, codeReviewLabel, -2, 2, adminsGroup, owners);
212 151 : grant(config, heads, Permission.CREATE, adminsGroup, owners);
213 151 : grant(config, heads, Permission.PUSH, adminsGroup, owners);
214 151 : grant(config, heads, Permission.SUBMIT, adminsGroup, owners);
215 151 : grant(config, heads, Permission.FORGE_COMMITTER, adminsGroup, owners);
216 151 : grant(config, heads, Permission.EDIT_TOPIC_NAME, true, adminsGroup, owners);
217 151 : });
218 :
219 151 : config.upsertAccessSection(
220 : "refs/tags/*",
221 : tags -> {
222 151 : grant(config, tags, Permission.CREATE, adminsGroup, owners);
223 151 : grant(config, tags, Permission.CREATE_TAG, adminsGroup, owners);
224 151 : grant(config, tags, Permission.CREATE_SIGNED_TAG, adminsGroup, owners);
225 151 : });
226 :
227 151 : config.upsertAccessSection(
228 : RefNames.REFS_CONFIG,
229 : meta -> {
230 151 : meta.upsertPermission(Permission.READ).setExclusiveGroup(true);
231 151 : grant(config, meta, Permission.READ, adminsGroup, owners);
232 151 : grant(config, meta, codeReviewLabel, -2, 2, adminsGroup, owners);
233 151 : grant(config, meta, Permission.CREATE, adminsGroup, owners);
234 151 : grant(config, meta, Permission.PUSH, adminsGroup, owners);
235 151 : grant(config, meta, Permission.SUBMIT, adminsGroup, owners);
236 151 : });
237 151 : }
238 :
239 : private void initSequences(Repository git, BatchRefUpdate bru, int firstChangeId)
240 : throws IOException {
241 151 : if (git.exactRef(REFS_SEQUENCES + Sequences.NAME_CHANGES) == null) {
242 : // Can't easily reuse the inserter from MetaDataUpdate, but this shouldn't slow down site
243 : // initialization unduly.
244 151 : try (ObjectInserter ins = git.newObjectInserter()) {
245 151 : bru.addCommand(RepoSequence.storeNew(ins, Sequences.NAME_CHANGES, firstChangeId));
246 151 : ins.flush();
247 : }
248 : }
249 151 : }
250 :
251 : private void execute(Repository git, BatchRefUpdate bru) throws IOException {
252 151 : try (RevWalk rw = new RevWalk(git)) {
253 151 : bru.execute(rw, NullProgressMonitor.INSTANCE);
254 : }
255 151 : for (ReceiveCommand cmd : bru.getCommands()) {
256 151 : if (cmd.getResult() != ReceiveCommand.Result.OK) {
257 0 : throw new IOException("Failed to initialize " + allProjectsName + " refs:\n" + bru);
258 : }
259 151 : }
260 151 : }
261 : }
|
