Merged in feature/consolidate_permissions (pull request #196)

Feature consolidate permissions
2025-11-15 09:46:16 +01:00 · 2019-02-20 14:20:03 +00:00
parent 31b71c9892 02a9328a48
commit 17c496222d
26 changed files with 243 additions and 87 deletions
--- a/pom.xml
+++ b/pom.xml
@@ -826,7 +826,7 @@
    <jetty.maven.version>9.4.14.v20181114</jetty.maven.version>

    <!-- security libraries -->
-    <ssp.version>1.1.0</ssp.version>
+    <ssp.version>1.2.0</ssp.version>
    <shiro.version>1.4.0</shiro.version>

    <!-- repository libraries -->
--- a/scm-core/src/main/java/sonia/scm/config/Configuration.java
+++ b/scm-core/src/main/java/sonia/scm/config/Configuration.java
@@ -22,7 +22,8 @@ import com.github.sdorra.ssp.StaticPermissions;
@StaticPermissions(
  value = "configuration",
  permissions = {"read", "write"},
-  globalPermissions = {"list"}
+  globalPermissions = {"list"},
+  custom = true, customGlobal = true
 )
 public interface Configuration extends PermissionObject {
 }
--- a/scm-core/src/main/java/sonia/scm/group/Group.java
+++ b/scm-core/src/main/java/sonia/scm/group/Group.java
@@ -61,7 +61,11 @@ import java.util.List;
 *
 * @author Sebastian Sdorra
 */
-@StaticPermissions(value = "group", globalPermissions = {"create", "list", "autocomplete"})
+@StaticPermissions(
+  value = "group",
+  globalPermissions = {"create", "list", "autocomplete"},
+  custom = true, customGlobal = true
+)
@XmlRootElement(name = "groups")
@XmlAccessorType(XmlAccessType.FIELD)
 public class Group extends BasicPropertiesAware
--- a/scm-core/src/main/java/sonia/scm/plugin/PluginInformation.java
+++ b/scm-core/src/main/java/sonia/scm/plugin/PluginInformation.java
@@ -61,7 +61,8 @@ import java.util.List;
  value = "plugin", 
  generatedClass = "PluginPermissions", 
  permissions = {},
-  globalPermissions = { "read", "manage" }
+  globalPermissions = { "read", "manage" },
+  custom = true, customGlobal = true
 )
@XmlAccessorType(XmlAccessType.FIELD)
@XmlRootElement(name = "plugin-information")
--- a/scm-core/src/main/java/sonia/scm/repository/Repository.java
+++ b/scm-core/src/main/java/sonia/scm/repository/Repository.java
@@ -62,7 +62,8 @@ import java.util.Set;
 */
@StaticPermissions(
  value = "repository",
-  permissions = {"read", "modify", "delete", "healthCheck", "pull", "push", "permissionRead", "permissionWrite"}
+  permissions = {"read", "modify", "delete", "healthCheck", "pull", "push", "permissionRead", "permissionWrite"},
+  custom = true, customGlobal = true
 )
@XmlAccessorType(XmlAccessType.FIELD)
@XmlRootElement(name = "repositories")
--- a/scm-core/src/main/java/sonia/scm/security/Permission.java
+++ b/scm-core/src/main/java/sonia/scm/security/Permission.java
@@ -6,7 +6,8 @@ import com.github.sdorra.ssp.StaticPermissions;
@StaticPermissions(
  value = "permission",
  permissions = {},
-  globalPermissions = {"list", "read", "assign"}
+  globalPermissions = {"list", "read", "assign"},
+  custom = true, customGlobal = true
 )
 public interface Permission extends PermissionObject {
 }
--- a/scm-core/src/main/java/sonia/scm/user/User.java
+++ b/scm-core/src/main/java/sonia/scm/user/User.java
@@ -59,7 +59,9 @@ import java.security.Principal;
@StaticPermissions(
  value = "user",
  globalPermissions = {"create", "list", "autocomplete"},
-  permissions = {"read", "modify", "delete", "changePassword"})
+  permissions = {"read", "modify", "delete", "changePassword"},
+  custom = true, customGlobal = true
+)
@XmlRootElement(name = "users")
@XmlAccessorType(XmlAccessType.FIELD)
 public class User extends BasicPropertiesAware implements Principal, ModelObject, PermissionObject, ReducedModelObject
--- a/scm-plugins/scm-git-plugin/src/main/resources/META-INF/scm/permissions.xml
+++ b/scm-plugins/scm-git-plugin/src/main/resources/META-INF/scm/permissions.xml
@@ -34,10 +34,10 @@
 <permissions>
  
  <permission>
-    <value>configuration:read:git</value>
+    <value>configuration:read,write:git</value>
  </permission>
  <permission>
-    <value>configuration:write:git</value>
+    <value>repository:git:*</value>
  </permission>

 </permissions>
--- a/scm-plugins/scm-git-plugin/src/main/resources/META-INF/scm/repository-permissions.xml
+++ b/scm-plugins/scm-git-plugin/src/main/resources/META-INF/scm/repository-permissions.xml
@@ -0,0 +1,7 @@
+<repository-permissions>
+  <verbs>
+    <verb>git</verb>
+  </verbs>
+  <roles>
+  </roles>
+</repository-permissions>
--- a/scm-plugins/scm-git-plugin/src/main/resources/locales/de/plugins.json
+++ b/scm-plugins/scm-git-plugin/src/main/resources/locales/de/plugins.json
@@ -39,18 +39,28 @@
  },
  "permissions" : {
    "configuration": {
-      "read": {
+      "read,write": {
        "git": {
-          "displayName": "Git Konfiguration lesen",
-          "description": "Darf die git Konfiguration lesen."
-        }
-      },
-      "write": {
-        "git": {
-          "displayName": "Git Konfiguration schreiben",
+          "displayName": "Git Konfiguration ändern",
          "description": "Darf die git Konfiguration verändern."
        }
      }
+    },
+    "repository": {
+      "git": {
+        "*": {
+          "displayName": "Repository-spezifische Git Konfiguration ändern",
+          "description": "Darf die git Konfiguration für alle Repositories verändern."
+        }
+      }
+    }
+  },
+  "verbs": {
+    "repository": {
+      "git": {
+        "displayName": "Git konfigurieren",
+        "description": "Darf die git Konfiguration für dieses Repository verändern."
+      }
    }
  }
 }
--- a/scm-plugins/scm-git-plugin/src/main/resources/locales/en/plugins.json
+++ b/scm-plugins/scm-git-plugin/src/main/resources/locales/en/plugins.json
@@ -39,18 +39,28 @@
  },
  "permissions" : {
    "configuration": {
-      "read": {
+      "read,write": {
        "git": {
-          "displayName": "Read git configuration",
-          "description": "May read the git configuration"
-        }
-      },
-      "write": {
-        "git": {
-          "displayName": "Write git configuration",
+          "displayName": "Modify git configuration",
          "description": "May change the git configuration"
        }
      }
+    },
+    "repository": {
+      "git": {
+        "*": {
+          "displayName": "Modify repository specific git configuration",
+          "description": "May change the git configuration for repositories"
+        }
+      }
+    }
+  },
+  "verbs": {
+    "repository": {
+      "git": {
+        "displayName": "configure Git",
+        "description": "May change the git configuration for this repository"
+      }
    }
  }
 }
--- a/scm-plugins/scm-hg-plugin/src/main/resources/META-INF/scm/permissions.xml
+++ b/scm-plugins/scm-hg-plugin/src/main/resources/META-INF/scm/permissions.xml
@@ -34,10 +34,10 @@
 <permissions>
  
  <permission>
-    <value>configuration:read:hg</value>
+    <value>configuration:read,write:hg</value>
  </permission>
  <permission>
-    <value>configuration:write:hg</value>
+    <value>repository:hg:*</value>
  </permission>

 </permissions>
--- a/scm-plugins/scm-hg-plugin/src/main/resources/META-INF/scm/repository-permissions.xml
+++ b/scm-plugins/scm-hg-plugin/src/main/resources/META-INF/scm/repository-permissions.xml
@@ -0,0 +1,7 @@
+<repository-permissions>
+  <verbs>
+    <verb>hg</verb>
+  </verbs>
+  <roles>
+  </roles>
+</repository-permissions>
--- a/scm-plugins/scm-hg-plugin/src/main/resources/locales/de/plugins.json
+++ b/scm-plugins/scm-hg-plugin/src/main/resources/locales/de/plugins.json
@@ -31,18 +31,28 @@
  },
  "permissions" : {
    "configuration": {
-      "read": {
+      "read,write": {
        "hg": {
-          "displayName": "Mercurial Konfiguration lesen",
-          "description": "Darf die Mercurial Konfiguration lesen"
-        }
-      },
-      "write": {
-        "hg": {
-          "displayName": "Mercurial Konfiguration schreiben",
+          "displayName": "Mercurial Konfiguration ändern",
          "description": "Darf die Mercurial Konfiguration verändern"
        }
      }
+    },
+    "repository": {
+      "hg": {
+        "*": {
+          "displayName": "Repository-spezifische Mercurial Konfiguration ändern",
+          "description": "Darf die Mercurial Konfiguration für alle Repositories verändern."
+        }
+      }
+    }
+  },
+  "verbs": {
+    "repository": {
+      "hg": {
+        "displayName": "Mercurial konfigurieren",
+        "description": "Darf die Mercurial Konfiguration für dieses Repository verändern."
+      }
    }
  }
 }
--- a/scm-plugins/scm-hg-plugin/src/main/resources/locales/en/plugins.json
+++ b/scm-plugins/scm-hg-plugin/src/main/resources/locales/en/plugins.json
@@ -31,18 +31,28 @@
  },
  "permissions" : {
    "configuration": {
-      "read": {
+      "read,write": {
        "hg": {
-          "displayName": "Read Mercurial configuration",
-          "description": "May read the Mercurial configuration"
-        }
-      },
-      "write": {
-        "hg": {
-          "displayName": "Write Mercurial configuration",
+          "displayName": "Modify Mercurial configuration",
          "description": "May change the Mercurial configuration"
        }
      }
+    },
+    "repository": {
+      "hg": {
+        "*": {
+          "displayName": "Modify repository specific Mercurial configuration",
+          "description": "May change the Mercurial configuration for repositories"
+        }
+      }
+    }
+  },
+  "verbs": {
+    "repository": {
+      "hg": {
+        "displayName": "configure Mercurial",
+        "description": "May change the Mercurial configuration for this repository"
+      }
    }
  }
 }
--- a/scm-plugins/scm-svn-plugin/src/main/resources/META-INF/scm/permissions.xml
+++ b/scm-plugins/scm-svn-plugin/src/main/resources/META-INF/scm/permissions.xml
@@ -34,10 +34,10 @@
 <permissions>
  
  <permission>
-    <value>configuration:read:svn</value>
+    <value>configuration:read,write:svn</value>
  </permission>
  <permission>
-    <value>configuration:write:svn</value>
+    <value>repository:svn:*</value>
  </permission>

 </permissions>
--- a/scm-plugins/scm-svn-plugin/src/main/resources/META-INF/scm/repository-permissions.xml
+++ b/scm-plugins/scm-svn-plugin/src/main/resources/META-INF/scm/repository-permissions.xml
@@ -0,0 +1,7 @@
+<repository-permissions>
+  <verbs>
+    <verb>svn</verb>
+  </verbs>
+  <roles>
+  </roles>
+</repository-permissions>
--- a/scm-plugins/scm-svn-plugin/src/main/resources/locales/de/plugins.json
+++ b/scm-plugins/scm-svn-plugin/src/main/resources/locales/de/plugins.json
@@ -25,18 +25,28 @@
  },
  "permissions": {
    "configuration": {
-      "read": {
+      "read,write": {
        "svn": {
-          "displayName": "Subversion Konfiguration lesen",
-          "description": "Darf die Subversion Konfiguration lesen"
-        }
-      },
-      "write": {
-        "svn": {
-          "displayName": "Subversion Konfiguration schreiben",
+          "displayName": "Subversion Konfiguration ändern",
          "description": "Darf die Subversion Konfiguration verändern"
        }
      }
+    },
+    "repository": {
+      "svn": {
+        "*": {
+          "displayName": "Repository-spezifische Subversion Konfiguration ändern",
+          "description": "Darf die Subversion Konfiguration für alle Repositories verändern."
+        }
+      }
+    }
+  },
+  "verbs": {
+    "repository": {
+      "svn": {
+        "displayName": "Subversion konfigurieren",
+        "description": "Darf die Subversion Konfiguration für dieses Repository verändern."
+      }
    }
  }
 }
--- a/scm-plugins/scm-svn-plugin/src/main/resources/locales/en/plugins.json
+++ b/scm-plugins/scm-svn-plugin/src/main/resources/locales/en/plugins.json
@@ -25,18 +25,28 @@
  },
  "permissions": {
    "configuration": {
-      "read": {
+      "read,write": {
        "svn": {
-          "displayName": "Read Subversion configuration",
-          "description": "May read the Subversion configuration"
+          "displayName": "Modify Subversion configuration",
+          "description": "May modify the Subversion configuration"
        }
-      },
-      "write": {
-        "svn": {
-          "displayName": "Write Subversion configuration",
-          "description": "May change the Subversion configuration"
+      }
+    },
+    "repository": {
+      "svn": {
+        "*": {
+          "displayName": "Modify repository specific Subversion configuration",
+          "description": "May change the Subversion configuration for repositories"
        }
      }
    }
+  },
+  "verbs": {
+    "repository": {
+      "svn": {
+        "displayName": "configure Subversion",
+        "description": "May change the Subversion configuration for this repository"
+      }
+    }
  }
 }
--- a/scm-webapp/src/main/java/sonia/scm/security/RepositoryPermissionProvider.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/RepositoryPermissionProvider.java
@@ -18,6 +18,7 @@ import java.util.Collection;
 import java.util.Enumeration;
 import java.util.LinkedHashSet;
 import java.util.List;
+import java.util.Optional;
 import java.util.stream.Collectors;

 import static java.util.Collections.unmodifiableCollection;
@@ -63,7 +64,7 @@ public class RepositoryPermissionProvider {

        RepositoryPermissionsRoot repositoryPermissionsRoot = parsePermissionDescriptor(context, descriptorUrl);
        availableVerbs.addAll(repositoryPermissionsRoot.verbs.verbs);
-        availableRoles.addAll(repositoryPermissionsRoot.roles.roles);
+        mergeRolesInto(availableRoles, repositoryPermissionsRoot.roles.roles);
      }
    } catch (IOException ex) {
      logger.error("could not read permission descriptors", ex);
@@ -75,7 +76,22 @@ public class RepositoryPermissionProvider {
    return new AvailableRepositoryPermissions(availableVerbs, availableRoles);
  }

-  @SuppressWarnings("unchecked")
+  private static void mergeRolesInto(Collection<RoleDescriptor> targetRoles, List<RoleDescriptor> additionalRoles) {
+    additionalRoles.forEach(r -> addOrMergeInto(targetRoles, r));
+  }
+
+  private static void addOrMergeInto(Collection<RoleDescriptor> targetRoles, RoleDescriptor additionalRole) {
+    Optional<RoleDescriptor> existingRole = targetRoles
+      .stream()
+      .filter(r -> r.name.equals(additionalRole.name))
+      .findFirst();
+    if (existingRole.isPresent()) {
+      existingRole.get().verbs.verbs.addAll(additionalRole.verbs.verbs);
+    } else {
+      targetRoles.add(additionalRole);
+    }
+  }
+
  private static RepositoryPermissionsRoot parsePermissionDescriptor(JAXBContext context, URL descriptorUrl) {
    try {
      RepositoryPermissionsRoot descriptorWrapper =
--- a/scm-webapp/src/main/resources/META-INF/scm/permissions.xml
+++ b/scm-webapp/src/main/resources/META-INF/scm/permissions.xml
@@ -40,7 +40,7 @@
    <value>repository:read,pull,push:*</value>
  </permission>
  <permission>
-    <value>repository:*:*</value>
+    <value>repository:*</value>
  </permission>
  <permission>
    <value>repository:create</value>
@@ -51,5 +51,14 @@
  <permission>
    <value>group:*</value>
  </permission>
+  <permission>
+    <value>configuration:list</value>
+  </permission>
+  <permission>
+    <value>configuration:read,write:global</value>
+  </permission>
+  <permission>
+    <value>configuration:read,write:*</value>
+  </permission>

 </permissions>
--- a/scm-webapp/src/main/resources/META-INF/scm/repository-permissions.xml
+++ b/scm-webapp/src/main/resources/META-INF/scm/repository-permissions.xml
@@ -7,7 +7,6 @@
    <verb>push</verb>
    <verb>permissionRead</verb>
    <verb>permissionWrite</verb>
-    <verb>healthCheck</verb>
    <verb>*</verb>
  </verbs>
  <roles>
@@ -26,12 +25,6 @@
        <verb>push</verb>
      </verbs>
    </role>
-    <role>
-      <name>HEALTH</name>
-      <verbs>
-        <verb>healthCheck</verb>
-      </verbs>
-    </role>
    <role>
      <name>OWNER</name>
      <verbs>
--- a/scm-webapp/src/main/resources/locales/de/plugins.json
+++ b/scm-webapp/src/main/resources/locales/de/plugins.json
@@ -14,10 +14,8 @@
        }
      },
      "*": {
-        "*": {
-          "displayName": "Alle Repositories besitzen (Owner)",
-          "description": "Darf alle Repositories lesen, klonen, schreiben, konfigurieren und löschen."
-        }
+        "displayName": "Alle Repositories besitzen (Owner)",
+        "description": "Darf alle Repositories lesen, klonen, schreiben, konfigurieren und löschen."
      },
      "create": {
        "displayName": "Repositories erstellen",
@@ -36,6 +34,22 @@
        "description": "Darf Gruppen administrieren."
      }
    },
+    "configuration": {
+      "list": {
+        "displayName": "Basis für Administration",
+        "description": "Voraussetzung für alle anderen Administrationsberechtigungen. Ohne diese Berechtigung wird keine Administrationsansicht gezeigt."
+      },
+      "read,write": {
+        "global": {
+          "displayName": "zentrale Konfiguration",
+          "description": "Darf die Konfiguration des SCM-Manager anpassen"
+        },
+        "*": {
+          "displayName": "zentrale + Plugin Konfiguration",
+          "description": "Darf die Konfiguration des SCM-Manager und aller Plugins anpassen"
+        }
+      }
+    },
    "unknown": "Unbekannte Berechtigung"
  },
  "verbs": {
@@ -68,10 +82,6 @@
        "displayName": "Berechtigungen modifizieren",
        "description": "Darf die Berechtigungen des Repository bearbeiten."
      },
-      "healthCheck": {
-        "displayName": "Health Check",
-        "description": "Darf den Repository Health Check ausführen."
-      },
      "*": {
        "displayName": "Alle Repository Rechte",
        "description": "Darf im Repository Kontext alles ausführen. Dies beinhaltet alle Repository Berechtigungen."
--- a/scm-webapp/src/main/resources/locales/en/plugins.json
+++ b/scm-webapp/src/main/resources/locales/en/plugins.json
@@ -14,10 +14,8 @@
        }
      },
      "*": {
-        "*": {
-          "displayName": "Own all repositories",
-          "description": "May see, clone, push to, configure and delete all repositories"
-        }
+        "displayName": "Own all repositories",
+        "description": "May see, clone, push to, configure and delete all repositories"
      },
      "create": {
        "displayName": "Create repositories",
@@ -36,6 +34,22 @@
        "description": "May administer all groups"
      }
    },
+    "configuration": {
+      "list": {
+        "displayName": "Basic administration",
+        "description": "Prerequisite for all other administration permissions. Without this, no configuration will be visible."
+      },
+      "read,write": {
+        "global": {
+          "displayName": "Administer core",
+          "description": "May configure core settings of SCM-Manager"
+        },
+        "*": {
+          "displayName": "Administer core and plugins",
+          "description": "May configure settings of SCM-Manager core and all plugins"
+        }
+      }
+    },
    "unknown": "Unknown permission"
  },
  "verbs": {
@@ -68,10 +82,6 @@
        "displayName": "modify permissions",
        "description": "May modify the permissions of the repository"
      },
-      "healthCheck": {
-        "displayName": "health check",
-        "description": "May run the health check for the repository"
-      },
      "*": {
        "displayName": "overall",
        "description": "May change everything for the repository (includes all other permissions)"
--- a/scm-webapp/src/test/java/sonia/scm/security/RepositoryPermissionProviderTest.java
+++ b/scm-webapp/src/test/java/sonia/scm/security/RepositoryPermissionProviderTest.java
@@ -8,6 +8,7 @@ import sonia.scm.util.ClassLoaders;

 import java.lang.reflect.Field;
 import java.util.Arrays;
+import java.util.Collection;

 import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.jupiter.api.Assertions.fail;
@@ -27,6 +28,7 @@ class RepositoryPermissionProviderTest {
    repositoryPermissionProvider = new RepositoryPermissionProvider(pluginLoader);
    allVerbsFromRepositoryClass = Arrays.stream(RepositoryPermissions.class.getDeclaredFields())
      .filter(field -> field.getName().startsWith("ACTION_"))
+      .filter(field -> !field.getName().equals("ACTION_HEALTHCHECK"))
      .map(this::getString)
      .filter(verb -> !"create".equals(verb))
      .toArray(String[]::new);
@@ -47,6 +49,18 @@ class RepositoryPermissionProviderTest {
    assertThat(repositoryPermissionProvider.availableVerbs()).contains(allVerbsFromRepositoryClass);
  }

+  @Test
+  void shouldMergeRepositoryRoles() {
+    Collection<String> verbsInMergedRole = repositoryPermissionProvider
+      .availableRoles()
+      .stream()
+      .filter(r -> "READ".equals(r.getName()))
+      .findFirst()
+      .get()
+      .getVerbs();
+    assertThat(verbsInMergedRole).contains("read", "pull", "test");
+  }
+
  private String getString(Field field) {
    try {
      return (String) field.get(null);
--- a/scm-webapp/src/test/resources/META-INF/scm/repository-permissions.xml
+++ b/scm-webapp/src/test/resources/META-INF/scm/repository-permissions.xml
@@ -0,0 +1,13 @@
+<repository-permissions>
+  <verbs>
+    <verb>test</verb>
+  </verbs>
+  <roles>
+    <role>
+      <name>READ</name>
+      <verbs>
+        <verb>test</verb>
+      </verbs>
+    </role>
+  </roles>
+</repository-permissions>