// Copyright (C) 2013 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package com.google.gerrit.server.group;
import com.google.common.base.Strings;
import com.google.common.collect.Lists;
import com.google.gerrit.audit.AuditService;
import com.google.gerrit.extensions.client.AuthType;
import com.google.gerrit.extensions.common.AccountInfo;
import com.google.gerrit.extensions.restapi.AuthException;
import com.google.gerrit.extensions.restapi.DefaultInput;
import com.google.gerrit.extensions.restapi.MethodNotAllowedException;
import com.google.gerrit.extensions.restapi.ResourceNotFoundException;
import com.google.gerrit.extensions.restapi.RestModifyView;
import com.google.gerrit.extensions.restapi.UnprocessableEntityException;
import com.google.gerrit.reviewdb.client.Account;
import com.google.gerrit.reviewdb.client.AccountGroup;
import com.google.gerrit.reviewdb.client.AccountGroupMember;
import com.google.gerrit.reviewdb.server.ReviewDb;
import com.google.gerrit.server.IdentifiedUser;
import com.google.gerrit.server.account.AccountCache;
import com.google.gerrit.server.account.AccountException;
import com.google.gerrit.server.account.AccountLoader;
import com.google.gerrit.server.account.AccountManager;
import com.google.gerrit.server.account.AccountResolver;
import com.google.gerrit.server.account.AccountsCollection;
import com.google.gerrit.server.account.AuthRequest;
import com.google.gerrit.server.account.GroupControl;
import com.google.gerrit.server.config.AuthConfig;
import com.google.gerrit.server.group.AddMembers.Input;
import com.google.gwtorm.server.OrmException;
import com.google.inject.Inject;
import com.google.inject.Provider;
import com.google.inject.Singleton;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
@Singleton
public class AddMembers implements RestModifyView<GroupResource, Input> {
public static class Input {
@DefaultInput String _oneMember;
List<String> members;
public static Input fromMembers(List<String> members) {
Input in = new Input();
in.members = members;
return in;
}
static Input init(Input in) {
if (in == null) {
in = new Input();
}
if (in.members == null) {
in.members = Lists.newArrayListWithCapacity(1);
}
if (!Strings.isNullOrEmpty(in._oneMember)) {
in.members.add(in._oneMember);
}
return in;
}
}
private final Provider<IdentifiedUser> self;
private final AccountManager accountManager;
private final AuthType authType;
private final AccountsCollection accounts;
private final AccountResolver accountResolver;
private final AccountCache accountCache;
private final AccountLoader.Factory infoFactory;
private final Provider<ReviewDb> db;
private final AuditService auditService;
@Inject
AddMembers(
Provider<IdentifiedUser> self,
AccountManager accountManager,
AuthConfig authConfig,
AccountsCollection accounts,
AccountResolver accountResolver,
AccountCache accountCache,
AccountLoader.Factory infoFactory,
Provider<ReviewDb> db,
AuditService auditService) {
this.self = self;
this.accountManager = accountManager;
this.auditService = auditService;
this.authType = authConfig.getAuthType();
this.accounts = accounts;
this.accountResolver = accountResolver;
this.accountCache = accountCache;
this.infoFactory = infoFactory;
this.db = db;
}
@Override
public List<AccountInfo> apply(GroupResource resource, Input input)
throws AuthException, MethodNotAllowedException, UnprocessableEntityException, OrmException,
IOException {
AccountGroup internalGroup = resource.toAccountGroup();
if (internalGroup == null) {
throw new MethodNotAllowedException();
}
input = Input.init(input);
GroupControl control = resource.getControl();
Set<Account.Id> newMemberIds = new HashSet<>();
for (String nameOrEmailOrId : input.members) {
Account a = findAccount(nameOrEmailOrId);
if (!a.isActive()) {
throw new UnprocessableEntityException(
String.format("Account Inactive: %s", nameOrEmailOrId));
}
if (!control.canAddMember()) {
throw new AuthException("Cannot add member: " + a.getFullName());
}
newMemberIds.add(a.getId());
}
addMembers(internalGroup.getId(), newMemberIds);
return toAccountInfoList(newMemberIds);
}
Account findAccount(String nameOrEmailOrId)
throws AuthException, UnprocessableEntityException, OrmException, IOException {
try {
return accounts.parse(nameOrEmailOrId).getAccount();
} catch (UnprocessableEntityException e) {
// might be because the account does not exist or because the account is
// not visible
switch (authType) {
case HTTP_LDAP:
case CLIENT_SSL_CERT_LDAP:
case LDAP:
if (accountResolver.find(db.get(), nameOrEmailOrId) == null) {
// account does not exist, try to create it
Account a = createAccountByLdap(nameOrEmailOrId);
if (a != null) {
return a;
}
}
break;
case CUSTOM_EXTENSION:
case DEVELOPMENT_BECOME_ANY_ACCOUNT:
case HTTP:
case LDAP_BIND:
case OAUTH:
case OPENID:
case OPENID_SSO:
default:
}
throw e;
}
}
public void addMembers(AccountGroup.Id groupId, Collection<? extends Account.Id> newMemberIds)
throws OrmException, IOException {
Map<Account.Id, AccountGroupMember> newAccountGroupMembers = new HashMap<>();
for (Account.Id accId : newMemberIds) {
if (!newAccountGroupMembers.containsKey(accId)) {
AccountGroupMember.Key key = new AccountGroupMember.Key(accId, groupId);
AccountGroupMember m = db.get().accountGroupMembers().get(key);
if (m == null) {
m = new AccountGroupMember(key);
newAccountGroupMembers.put(m.getAccountId(), m);
}
}
}
if (!newAccountGroupMembers.isEmpty()) {
auditService.dispatchAddAccountsToGroup(
self.get().getAccountId(), newAccountGroupMembers.values());
db.get().accountGroupMembers().insert(newAccountGroupMembers.values());
for (AccountGroupMember m : newAccountGroupMembers.values()) {
accountCache.evict(m.getAccountId());
}
}
}
private Account createAccountByLdap(String user) throws IOException {
if (!user.matches(Account.USER_NAME_PATTERN)) {
return null;
}
try {
AuthRequest req = AuthRequest.forUser(user);
req.setSkipAuthentication(true);
return accountCache.get(accountManager.authenticate(req).getAccountId()).getAccount();
} catch (AccountException e) {
return null;
}
}
private List<AccountInfo> toAccountInfoList(Set<Account.Id> accountIds) throws OrmException {
List<AccountInfo> result = new ArrayList<>();
AccountLoader loader = infoFactory.create(true);
for (Account.Id accId : accountIds) {
result.add(loader.get(accId));
}
loader.fill();
return result;
}
static class PutMember implements RestModifyView<GroupResource, PutMember.Input> {
static class Input {}
private final AddMembers put;
private final String id;
PutMember(AddMembers put, String id) {
this.put = put;
this.id = id;
}
@Override
public AccountInfo apply(GroupResource resource, PutMember.Input input)
throws AuthException, MethodNotAllowedException, ResourceNotFoundException, OrmException,
IOException {
AddMembers.Input in = new AddMembers.Input();
in._oneMember = id;
try {
List<AccountInfo> list = put.apply(resource, in);
if (list.size() == 1) {
return list.get(0);
}
throw new IllegalStateException();
} catch (UnprocessableEntityException e) {
throw new ResourceNotFoundException(id);
}
}
}
@Singleton
static class UpdateMember implements RestModifyView<MemberResource, PutMember.Input> {
private final GetMember get;
@Inject
UpdateMember(GetMember get) {
this.get = get;
}
@Override
public AccountInfo apply(MemberResource resource, PutMember.Input input) throws OrmException {
// Do nothing, the user is already a member.
return get.apply(resource);
}
}
}