// Copyright (C) 2011 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package com.google.gerrit.server.account;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.gerrit.common.Nullable;
import com.google.gerrit.common.data.AccessSection;
import com.google.gerrit.common.data.GlobalCapability;
import com.google.gerrit.common.data.GroupReference;
import com.google.gerrit.common.data.Permission;
import com.google.gerrit.common.data.PermissionRange;
import com.google.gerrit.common.data.PermissionRule;
import com.google.gerrit.server.config.AdministrateServerGroups;
import com.google.gerrit.server.group.SystemGroupBackend;
import com.google.inject.Inject;
import com.google.inject.assistedinject.Assisted;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
/** Caches active {@link GlobalCapability} set for a site. */
public class CapabilityCollection {
public interface Factory {
CapabilityCollection create(@Nullable AccessSection section);
}
private final SystemGroupBackend systemGroupBackend;
private final ImmutableMap<String, ImmutableList<PermissionRule>> permissions;
public final ImmutableList<PermissionRule> administrateServer;
public final ImmutableList<PermissionRule> batchChangesLimit;
public final ImmutableList<PermissionRule> emailReviewers;
public final ImmutableList<PermissionRule> priority;
public final ImmutableList<PermissionRule> queryLimit;
@Inject
CapabilityCollection(
SystemGroupBackend systemGroupBackend,
@AdministrateServerGroups ImmutableSet<GroupReference> admins,
@Assisted @Nullable AccessSection section) {
this.systemGroupBackend = systemGroupBackend;
if (section == null) {
section = new AccessSection(AccessSection.GLOBAL_CAPABILITIES);
}
Map<String, List<PermissionRule>> tmp = new HashMap<>();
for (Permission permission : section.getPermissions()) {
for (PermissionRule rule : permission.getRules()) {
if (!permission.getName().equals(GlobalCapability.EMAIL_REVIEWERS)
&& rule.getAction() == PermissionRule.Action.DENY) {
continue;
}
List<PermissionRule> r = tmp.get(permission.getName());
if (r == null) {
r = new ArrayList<>(2);
tmp.put(permission.getName(), r);
}
r.add(rule);
}
}
configureDefaults(tmp, section);
if (!tmp.containsKey(GlobalCapability.ADMINISTRATE_SERVER) && !admins.isEmpty()) {
tmp.put(GlobalCapability.ADMINISTRATE_SERVER, ImmutableList.<PermissionRule>of());
}
ImmutableMap.Builder<String, ImmutableList<PermissionRule>> m = ImmutableMap.builder();
for (Map.Entry<String, List<PermissionRule>> e : tmp.entrySet()) {
List<PermissionRule> rules = e.getValue();
if (GlobalCapability.ADMINISTRATE_SERVER.equals(e.getKey())) {
rules = mergeAdmin(admins, rules);
}
m.put(e.getKey(), ImmutableList.copyOf(rules));
}
permissions = m.build();
administrateServer = getPermission(GlobalCapability.ADMINISTRATE_SERVER);
batchChangesLimit = getPermission(GlobalCapability.BATCH_CHANGES_LIMIT);
emailReviewers = getPermission(GlobalCapability.EMAIL_REVIEWERS);
priority = getPermission(GlobalCapability.PRIORITY);
queryLimit = getPermission(GlobalCapability.QUERY_LIMIT);
}
private static List<PermissionRule> mergeAdmin(
Set<GroupReference> admins, List<PermissionRule> rules) {
if (admins.isEmpty()) {
return rules;
}
List<PermissionRule> r = new ArrayList<>(admins.size() + rules.size());
for (GroupReference g : admins) {
r.add(new PermissionRule(g));
}
for (PermissionRule rule : rules) {
if (!admins.contains(rule.getGroup())) {
r.add(rule);
}
}
return r;
}
public ImmutableList<PermissionRule> getPermission(String permissionName) {
ImmutableList<PermissionRule> r = permissions.get(permissionName);
return r != null ? r : ImmutableList.<PermissionRule>of();
}
private void configureDefaults(Map<String, List<PermissionRule>> out, AccessSection section) {
configureDefault(
out,
section,
GlobalCapability.QUERY_LIMIT,
systemGroupBackend.getGroup(SystemGroupBackend.ANONYMOUS_USERS));
}
private static void configureDefault(
Map<String, List<PermissionRule>> out,
AccessSection section,
String capName,
GroupReference group) {
if (doesNotDeclare(section, capName)) {
PermissionRange.WithDefaults range = GlobalCapability.getRange(capName);
if (range != null) {
PermissionRule rule = new PermissionRule(group);
rule.setRange(range.getDefaultMin(), range.getDefaultMax());
out.put(capName, Collections.singletonList(rule));
}
}
}
private static boolean doesNotDeclare(AccessSection section, String capName) {
return section.getPermission(capName) == null;
}
}