Use PermissionDescriptor instead of String

scm-core/src/main/java/sonia/scm/security/AssignedPermission.java

@@ -89,8 +89,12 @@ public class AssignedPermission implements PermissionObject, Serializable
    */
   public AssignedPermission(String name, String permission)
   {
-    this.name = name;
+    this(name, new PermissionDescriptor(permission));
-    this.permission = permission;
+  }
+
+  public AssignedPermission(String name, PermissionDescriptor permission)
+  {
+    this(name, false, permission);
   }
 
   /**
@@ -103,6 +107,12 @@ public class AssignedPermission implements PermissionObject, Serializable
    */
   public AssignedPermission(String name, boolean groupPermission,
     String permission)
+  {
+    this(name, groupPermission, new PermissionDescriptor(permission));
+  }
+
+  public AssignedPermission(String name, boolean groupPermission,
+    PermissionDescriptor permission)
   {
     this.name = name;
     this.groupPermission = groupPermission;
@@ -173,12 +183,9 @@ public class AssignedPermission implements PermissionObject, Serializable
   }
 
   /**
-   * Returns the string representation of the permission.
+   * Returns the description of the permission.
-   *
-   *
-   * @return string representation of the permission
    */
-  public String getPermission()
+  public PermissionDescriptor getPermission()
   {
     return permission;
   }
@@ -205,5 +212,5 @@ public class AssignedPermission implements PermissionObject, Serializable
   private String name;
 
   /** string representation of the permission */
-  private String permission;
+  private PermissionDescriptor permission;
 }

scm-core/src/main/java/sonia/scm/security/SecuritySystem.java

@@ -52,7 +52,7 @@ public interface SecuritySystem
    *
    * @return stored permission
    */
-  public void addPermission(AssignedPermission permission);
+  void addPermission(AssignedPermission permission);
 
   /**
    * Delete stored permission.
@@ -60,7 +60,7 @@ public interface SecuritySystem
    *
    * @param permission permission to be deleted
    */
-  public void deletePermission(AssignedPermission permission);
+  void deletePermission(AssignedPermission permission);
 
   //~--- get methods ----------------------------------------------------------
 
@@ -70,7 +70,7 @@ public interface SecuritySystem
    *
    * @return available permissions
    */
-  public Collection<PermissionDescriptor> getAvailablePermissions();
+  Collection<PermissionDescriptor> getAvailablePermissions();
 
   /**
    * Returns all stored permissions which are matched by the given
@@ -81,6 +81,5 @@ public interface SecuritySystem
    *
    * @return filtered permissions
    */
-  public Collection<AssignedPermission> getPermissions(
+  Collection<AssignedPermission> getPermissions(Predicate<AssignedPermission> predicate);
-    Predicate<AssignedPermission> predicate);
 }

scm-dao-xml/src/test/java/sonia/scm/store/JAXBConfigurationEntryStoreTest.java

@@ -141,7 +141,7 @@ public class JAXBConfigurationEntryStoreTest
 
     assertNotNull(ap);
     assertEquals("tuser4", ap.getName());
-    assertEquals("repository:create", ap.getPermission());
+    assertEquals("repository:create", ap.getPermission().getValue());
   }
 
  @Test

scm-test/src/main/java/sonia/scm/store/InMemoryConfigurationEntryStore.java

@@ -0,0 +1,52 @@
+package sonia.scm.store;
+
+import com.google.common.base.Predicate;
+
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.UUID;
+import java.util.stream.Collectors;
+
+public class InMemoryConfigurationEntryStore<V> implements ConfigurationEntryStore<V> {
+
+  private final Map<String, V> values = new HashMap<>();
+
+  @Override
+  public Collection<V> getMatchingValues(Predicate<V> predicate) {
+    return values.values().stream().filter(predicate).collect(Collectors.toList());
+  }
+
+  @Override
+  public String put(V item) {
+    String key = UUID.randomUUID().toString();
+    values.put(key, item);
+    return key;
+  }
+
+  @Override
+  public void put(String id, V item) {
+    values.put(id, item);
+  }
+
+  @Override
+  public Map<String, V> getAll() {
+    return Collections.unmodifiableMap(values);
+  }
+
+  @Override
+  public void clear() {
+    values.clear();
+  }
+
+  @Override
+  public void remove(String id) {
+    values.remove(id);
+  }
+
+  @Override
+  public V get(String id) {
+    return values.get(id);
+  }
+}

scm-test/src/main/java/sonia/scm/store/InMemoryConfigurationEntryStoreFactory.java

@@ -0,0 +1,28 @@
+package sonia.scm.store;
+
+public class InMemoryConfigurationEntryStoreFactory implements ConfigurationEntryStoreFactory {
+
+
+
+
+  private ConfigurationEntryStore store;
+
+  public static ConfigurationEntryStoreFactory create() {
+    return new InMemoryConfigurationEntryStoreFactory(new InMemoryConfigurationEntryStore());
+  }
+
+  public InMemoryConfigurationEntryStoreFactory() {
+  }
+
+  public InMemoryConfigurationEntryStoreFactory(ConfigurationEntryStore store) {
+    this.store = store;
+  }
+
+  @Override
+  public <T> ConfigurationEntryStore<T> getStore(TypedStoreParameters<T> storeParameters) {
+    if (store != null) {
+      return store;
+    }
+    return new InMemoryConfigurationEntryStore<>();
+  }
+}

scm-webapp/src/main/java/sonia/scm/api/v2/resources/GlobalPermissionPocResource.java

@@ -86,15 +86,15 @@ public class GlobalPermissionPocResource {
   @Path("")
   public Response getAll() {
     String[] permissions = securitySystem.getAvailablePermissions().stream().map(PermissionDescriptor::getValue).toArray(String[]::new);
-    return Response.ok(new PerminssionListDto(permissions)).build();
+    return Response.ok(new PermissionListDto(permissions)).build();
   }
 
   protected void assignExemplaryPermissions() {
-    AssignedPermission groupPermission = new AssignedPermission("configurers", true,"configuration:*");
+    AssignedPermission groupPermission = new AssignedPermission("configurers", true, new PermissionDescriptor("configuration:*"));
     log.info("try to add new permission: {}", groupPermission);
     securitySystem.addPermission(groupPermission);
 
-    AssignedPermission userPermission = new AssignedPermission("rene", "group:*");
+    AssignedPermission userPermission = new AssignedPermission("rene", new PermissionDescriptor("group:*"));
     log.info("try to add new permission: {}", userPermission);
     securitySystem.addPermission(userPermission);
   }

scm-webapp/src/main/java/sonia/scm/api/v2/resources/PermissionListDto.java

@@ -9,7 +9,7 @@ import lombok.Setter;
 @Setter
 @AllArgsConstructor
 @NoArgsConstructor
-public class PerminssionListDto {
+public class PermissionListDto {
 
   private String[] permissions;
 }

scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserResource.java

@@ -5,6 +5,7 @@ import com.webcohesion.enunciate.metadata.rs.StatusCodes;
 import com.webcohesion.enunciate.metadata.rs.TypeHint;
 import org.apache.shiro.authc.credential.PasswordService;
 import sonia.scm.security.AssignedPermission;
+import sonia.scm.security.PermissionDescriptor;
 import sonia.scm.security.SecuritySystem;
 import sonia.scm.user.User;
 import sonia.scm.user.UserManager;
@@ -153,7 +154,34 @@ public class UserResource {
     @ResponseCode(code = 500, condition = "internal server error")
   })
   public Response getPermissions(@PathParam("id") String id) {
-    String[] permissions = securitySystem.getPermissions(p -> !p.isGroupPermission() && p.getName().equals(id)).stream().map(AssignedPermission::getPermission).toArray(String[]::new);
+    String[] permissions =
-    return Response.ok(new PerminssionListDto(permissions)).build();
+      securitySystem.getPermissions(p -> !p.isGroupPermission() && p.getName().equals(id))
+        .stream()
+        .map(AssignedPermission::getPermission)
+        .map(PermissionDescriptor::getValue)
+        .toArray(String[]::new);
+    return Response.ok(new PermissionListDto(permissions)).build();
+  }
+
+  /**
+   * Sets permissions for a user. Overwrites all existing permissions.
+   *
+   * @param id             id of the user to be modified
+   * @param newPermissions New list of permissions for the user
+   */
+  @PUT
+  @Path("permissions")
+  @Consumes(VndMediaType.PASSWORD_OVERWRITE)
+  @StatusCodes({
+    @ResponseCode(code = 204, condition = "update success"),
+    @ResponseCode(code = 400, condition = "Invalid body"),
+    @ResponseCode(code = 401, condition = "not authenticated / invalid credentials"),
+    @ResponseCode(code = 403, condition = "not authorized, the current user does not have the correct privilege"),
+    @ResponseCode(code = 404, condition = "not found, no user with the specified id/name available"),
+    @ResponseCode(code = 500, condition = "internal server error")
+  })
+  @TypeHint(TypeHint.NO_CONTENT.class)
+  public Response overwritePermissions(@PathParam("id") String id, PermissionListDto newPermissions) {
+    return Response.noContent().build();
   }
 }

scm-webapp/src/main/java/sonia/scm/security/DefaultAuthorizationCollector.java

@@ -180,7 +180,7 @@ public class DefaultAuthorizationCollector implements AuthorizationCollector
 
     for (AssignedPermission gp : globalPermissions)
     {
-      String permission = gp.getPermission();
+      String permission = gp.getPermission().getValue();
 
       logger.trace("add permission {} for user {}", permission, user.getName());
       builder.add(permission);

scm-webapp/src/main/java/sonia/scm/security/DefaultSecuritySystem.java

@@ -39,11 +39,10 @@ import com.github.legman.Subscribe;
 import com.google.common.base.Objects;
 import com.google.common.base.Preconditions;
 import com.google.common.base.Strings;
-import com.google.common.collect.ImmutableSet.Builder;
 import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.ImmutableSet.Builder;
 import com.google.inject.Inject;
 import com.google.inject.Singleton;
-import org.apache.shiro.SecurityUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import sonia.scm.HandlerEventType;
@@ -68,6 +67,9 @@ import java.util.Enumeration;
 import java.util.List;
 import java.util.Map.Entry;
 import java.util.function.Predicate;
+import java.util.stream.Collectors;
+
+import static java.util.Objects.isNull;
 
 //~--- JDK imports ------------------------------------------------------------
 
@@ -251,14 +253,13 @@ public class DefaultSecuritySystem implements SecuritySystem
    */
   private boolean deletePermissions(Predicate<AssignedPermission> predicate)
   {
-    boolean found = false;
+    List<Entry<String, AssignedPermission>> toRemove =
-    for (Entry<String, AssignedPermission> e : store.getAll().entrySet()) {
+      store.getAll()
-      if ((predicate == null) || predicate.test(e.getValue())) {
+        .entrySet()
-        store.remove(e.getKey());
+        .stream()
-        found = true;
+        .filter(e -> (predicate == null) || predicate.test(e.getValue())).collect(Collectors.toList());
-      }
+    toRemove.forEach(e -> store.remove(e.getKey()));
-    }
+    return !toRemove.isEmpty();
-    return found;
   }
 
   /**
@@ -346,7 +347,7 @@ public class DefaultSecuritySystem implements SecuritySystem
   {
     Preconditions.checkArgument(!Strings.isNullOrEmpty(perm.getName()),
       "name is required");
-    Preconditions.checkArgument(!Strings.isNullOrEmpty(perm.getPermission()),
+    Preconditions.checkArgument(!isNull(perm.getPermission()),
       "permission is required");
   }
 

scm-webapp/src/main/java/sonia/scm/security/PermissionAssigner.java

@@ -0,0 +1,35 @@
+package sonia.scm.security;
+
+import java.util.Collection;
+import java.util.List;
+import java.util.stream.Collectors;
+
+public class PermissionAssigner {
+
+  private final SecuritySystem securitySystem;
+
+  public PermissionAssigner(SecuritySystem securitySystem) {
+    this.securitySystem = securitySystem;
+  }
+
+  public Collection<PermissionDescriptor> getAvailablePermissions() {
+    return securitySystem.getAvailablePermissions();
+  }
+
+  public Collection<PermissionDescriptor> readPermissionsForUser(String id) {
+    return securitySystem.getPermissions(p -> !p.isGroupPermission() && p.getName().equals(id)).stream().map(AssignedPermission::getPermission).collect(Collectors.toSet());
+  }
+
+  public void setPermissionsForUser(String id, Collection<PermissionDescriptor> permissions) {
+    Collection<AssignedPermission> existingPermissions = securitySystem.getPermissions(p -> !p.isGroupPermission() && p.getName().equals(id));
+    List<AssignedPermission> toRemove = existingPermissions.stream()
+      .filter(p -> !permissions.contains(p.getPermission()))
+      .collect(Collectors.toList());
+    toRemove.forEach(securitySystem::deletePermission);
+
+    permissions.stream()
+      .map(p -> new AssignedPermission(id, false, p))
+      .filter(p -> !existingPermissions.contains(p))
+      .forEach(securitySystem::addPermission);
+  }
+}

scm-webapp/src/test/java/sonia/scm/security/DefaultAuthorizationCollectorTest.java

@@ -33,7 +33,6 @@ package sonia.scm.security;
 
 import com.github.sdorra.shiro.ShiroRule;
 import com.github.sdorra.shiro.SubjectAware;
-import com.google.common.base.Predicate;
 import com.google.common.collect.Lists;
 import org.apache.shiro.authz.AuthorizationInfo;
 import org.apache.shiro.authz.SimpleAuthorizationInfo;
@@ -219,7 +218,7 @@ public class DefaultAuthorizationCollectorTest {
 
     StoredAssignedPermission p1 = new StoredAssignedPermission("one", new AssignedPermission("one", "one:one"));
     StoredAssignedPermission p2 = new StoredAssignedPermission("two", new AssignedPermission("two", "two:two"));
-    when(securitySystem.getPermissions(Mockito.any(Predicate.class))).thenReturn(Lists.newArrayList(p1, p2));
+    when(securitySystem.getPermissions(any())).thenReturn(Lists.newArrayList(p1, p2));
 
     // execute and assert
     AuthorizationInfo authInfo = collector.collect();
@@ -246,7 +245,7 @@ public class DefaultAuthorizationCollectorTest {
     verify(cache).clear();
 
     collector.invalidateCache(AuthorizationChangedEvent.createForUser("dent"));
-    verify(cache).removeAll(Mockito.any(Predicate.class));
+    verify(cache).removeAll(any());
   }
 
 }

scm-webapp/src/test/java/sonia/scm/security/DefaultSecuritySystemTest.java

@@ -95,7 +95,7 @@ public class DefaultSecuritySystemTest extends AbstractTestBase
     AssignedPermission sap = createPermission("trillian", false, "repository:*:READ");
 
     assertEquals("trillian", sap.getName());
-    assertEquals("repository:*:READ", sap.getPermission());
+    assertEquals("repository:*:READ", sap.getPermission().getValue());
     assertEquals(false, sap.isGroupPermission());
   }
 
@@ -256,7 +256,7 @@ public class DefaultSecuritySystemTest extends AbstractTestBase
 
     return securitySystem.getPermissions(permission -> Objects.equal(name, permission.getName())
       && Objects.equal(groupPermission, permission.isGroupPermission())
-      && Objects.equal(value, permission.getPermission())).stream().findAny().orElseThrow(() -> new AssertionError("created permission not found"));
+      && Objects.equal(value, permission.getPermission().getValue())).stream().findAny().orElseThrow(() -> new AssertionError("created permission not found"));
   }
 
   //~--- set methods ----------------------------------------------------------

scm-webapp/src/test/java/sonia/scm/security/PermissionAssignerTest.java

@@ -0,0 +1,57 @@
+package sonia.scm.security;
+
+import com.github.sdorra.shiro.ShiroRule;
+import com.github.sdorra.shiro.SubjectAware;
+import org.assertj.core.api.Assertions;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import sonia.scm.plugin.PluginLoader;
+import sonia.scm.store.InMemoryConfigurationEntryStoreFactory;
+import sonia.scm.util.ClassLoaders;
+
+import java.util.Collection;
+
+import static java.util.Arrays.asList;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+@SubjectAware(configuration = "classpath:sonia/scm/shiro-001.ini", username = "dent", password = "secret")
+public class PermissionAssignerTest {
+
+  @Rule
+  public ShiroRule shiroRule = new ShiroRule();
+
+  private DefaultSecuritySystem securitySystem;
+  private PermissionAssigner permissionAssigner;
+
+  @Before
+  public void init() {
+    PluginLoader pluginLoader = mock(PluginLoader.class);
+    when(pluginLoader.getUberClassLoader()).thenReturn(ClassLoaders.getContextClassLoader(DefaultSecuritySystem.class));
+
+    securitySystem = new DefaultSecuritySystem(new InMemoryConfigurationEntryStoreFactory(), pluginLoader);
+
+    securitySystem.addPermission(new AssignedPermission("1", "perm:read:1"));
+    securitySystem.addPermission(new AssignedPermission("1", "perm:read:2"));
+    securitySystem.addPermission(new AssignedPermission("2", "perm:read:2"));
+    securitySystem.addPermission(new AssignedPermission("1", true, "perm:read:2"));
+    permissionAssigner = new PermissionAssigner(securitySystem);
+  }
+
+  @Test
+  public void shouldFindUserPermissions() {
+    Collection<PermissionDescriptor> permissionDescriptors = permissionAssigner.readPermissionsForUser("1");
+
+    Assertions.assertThat(permissionDescriptors).hasSize(2);
+  }
+
+  @Test
+  public void shouldOverwriteUserPermissions() {
+    permissionAssigner.setPermissionsForUser("2", asList(new PermissionDescriptor("perm:read:3"), new PermissionDescriptor("perm:read:4")));
+
+    Collection<PermissionDescriptor> permissionDescriptors = permissionAssigner.readPermissionsForUser("2");
+
+    Assertions.assertThat(permissionDescriptors).hasSize(2);
+  }
+}