targeting stacks for particular groups or projects (#1560)

Author: tulinkry

src/org/opensolaris/opengrok/authorization/AuthorizationEntity.java

@@ -24,7 +24,9 @@
 
 import java.io.Serializable;
 import java.util.Map;
+import java.util.Set;
 import java.util.TreeMap;
+import java.util.TreeSet;
 import java.util.function.Predicate;
 import org.opensolaris.opengrok.configuration.Nameable;
 
@@ -53,6 +55,52 @@
  */
 public abstract class AuthorizationEntity implements Nameable, Serializable, Cloneable {
 
+    /**
+     * Predicate specialized for the the plugin decisions. The caller should
+     * implement the <code>decision</code> method. Returning true if the plugin
+     * allows the action or false when the plugin forbids the action.
+     */
+    public static abstract class PluginDecisionPredicate implements Predicate<IAuthorizationPlugin> {
+
+        @Override
+        public boolean test(IAuthorizationPlugin t) {
+            return decision(t);
+        }
+
+        /**
+         * Perform the authorization check for this plugin.
+         *
+         * @param t the plugin
+         * @return true if plugin allows the action; false otherwise
+         */
+        public abstract boolean decision(IAuthorizationPlugin t);
+
+    }
+
+    /**
+     * Predicate specialized for the the entity skipping decisions. The caller
+     * should implement the <code>shouldSkip</code> method. Returning true if
+     * the entity should be skipped for this action and false if the entity
+     * should be used.
+     */
+    public static abstract class PluginSkippingPredicate implements Predicate<AuthorizationEntity> {
+
+        @Override
+        public boolean test(AuthorizationEntity t) {
+            return shouldSkip(t);
+        }
+
+        /**
+         * Decide if the entity should be skipped in this step of authorization.
+         *
+         * @param t the entity
+         * @return true if skipped (authorization decision will not be affected
+         * by this entity) or false if it should be used (authorization decision
+         * will be affected by this entity)
+         */
+        public abstract boolean shouldSkip(AuthorizationEntity t);
+    }
+
     private static final long serialVersionUID = 1L;
     /**
      * One of "required", "requisite", "sufficient".
@@ -61,6 +109,9 @@ public abstract class AuthorizationEntity implements Nameable, Serializable, Clo
     protected String name;
     protected Map<String, Object> setup = new TreeMap<>();
 
+    private Set<String> forProjects = new TreeSet<>();
+    private Set<String> forGroups = new TreeSet<>();
+
     protected transient boolean working = true;
 
     public AuthorizationEntity() {
@@ -82,6 +133,8 @@ public AuthorizationEntity(AuthorizationEntity x) {
         name = x.name;
         setup = new TreeMap<>(x.setup);
         working = x.working;
+        forGroups = new TreeSet<>(x.forGroups);
+        forProjects = new TreeSet<>(x.forProjects);
     }
 
     public AuthorizationEntity(AuthControlFlag flag, String name) {
@@ -111,12 +164,16 @@ public AuthorizationEntity(AuthControlFlag flag, String name) {
      *
      * @param entity the given entity - this is either group or project and is
      * passed just for the logging purposes.
-     * @param predicate predicate returning true or false for the given entity
-     * which determines if the authorization for such entity is successful or
-     * failed
+     * @param pluginPredicate predicate returning true or false for the given
+     * entity which determines if the authorization for such entity is
+     * successful or failed
+     * @param skippingPredicate predicate returning true if this authorization
+     * entity should be omitted from the authorization process
      * @return true if successful; false otherwise
      */
-    abstract public boolean isAllowed(Nameable entity, Predicate<IAuthorizationPlugin> predicate);
+    abstract public boolean isAllowed(Nameable entity,
+            PluginDecisionPredicate pluginPredicate,
+            PluginSkippingPredicate skippingPredicate);
 
     /**
      * Set the plugin to all classes which requires this class in the
@@ -201,6 +258,104 @@ public void setSetup(Map<String, Object> setup) {
         this.setup = setup;
     }
 
+    /**
+     * Get the value of forProjects
+     *
+     * @return the value of forProjects
+     */
+    public Set<String> forProjects() {
+        return getForProjects();
+    }
+
+    /**
+     * Get the value of forProjects
+     *
+     * @return the value of forProjects
+     */
+    public Set<String> getForProjects() {
+        return forProjects;
+    }
+
+    /**
+     * Set the value of forProjects
+     *
+     * @param forProjects new value of forProjects
+     */
+    public void setForProjects(Set<String> forProjects) {
+        this.forProjects = forProjects;
+    }
+
+    /**
+     * Set the value of forProjects
+     *
+     * @param project add this project into the set
+     */
+    public void setForProjects(String project) {
+        this.forProjects.add(project);
+    }
+
+    /**
+     * Set the value of forProjects
+     *
+     * @param projects add all projects in this array into the set
+     *
+     * @see #setForProjects(java.lang.String)
+     */
+    public void setForProjects(String[] projects) {
+        for (String project : projects) {
+            setForProjects(project);
+        }
+    }
+
+    /**
+     * Get the value of forGroups
+     *
+     * @return the value of forGroups
+     */
+    public Set<String> forGroups() {
+        return getForGroups();
+    }
+
+    /**
+     * Get the value of forGroups
+     *
+     * @return the value of forGroups
+     */
+    public Set<String> getForGroups() {
+        return forGroups;
+    }
+
+    /**
+     * Set the value of forGroups
+     *
+     * @param forGroups new value of forGroups
+     */
+    public void setForGroups(Set<String> forGroups) {
+        this.forGroups = forGroups;
+    }
+
+    /**
+     * Set the value of forGroups
+     *
+     * @param group add this group into the set
+     */
+    public void setForGroups(String group) {
+        this.forGroups.add(group);
+    }
+
+    /**
+     * Set the value of forGroups
+     *
+     * @param groups add all groups in this array into the set
+     *
+     * @see #setForGroups(java.lang.String)
+     */
+    public void setForGroups(String[] groups) {
+        for (String group : groups) {
+            setForGroups(group);
+        }
+    }
+
     /**
      * Check if the plugin exists and has not failed while loading.
      *

src/org/opensolaris/opengrok/authorization/AuthorizationFramework.java

@@ -35,7 +35,6 @@
 import java.util.TreeMap;
 import java.util.concurrent.locks.ReadWriteLock;
 import java.util.concurrent.locks.ReentrantReadWriteLock;
-import java.util.function.Predicate;
 import java.util.jar.JarEntry;
 import java.util.jar.JarFile;
 import java.util.logging.Level;
@@ -145,11 +144,26 @@ public boolean isAllowed(HttpServletRequest request, Project project) {
                 request,
                 "plugin_framework_project_cache",
                 project,
-                new Predicate<IAuthorizationPlugin>() {
+                new AuthorizationEntity.PluginDecisionPredicate() {
             @Override
-            public boolean test(IAuthorizationPlugin plugin) {
+            public boolean decision(IAuthorizationPlugin plugin) {
                 return plugin.isAllowed(request, project);
             }
+        }, new AuthorizationEntity.PluginSkippingPredicate() {
+            @Override
+            public boolean shouldSkip(AuthorizationEntity authEntity) {
+                // shouldn't skip if there is no setup
+                if (authEntity.forProjects().isEmpty() && authEntity.forGroups().isEmpty()) {
+                    return false;
+                }
+
+                // shouldn't skip if the project is contained in the setup
+                if (authEntity.forProjects().contains(project.getName())) {
+                    return false;
+                }
+
+                return true;
+            }
         });
     }
 
@@ -168,11 +182,22 @@ public boolean isAllowed(HttpServletRequest request, Group group) {
                 request,
                 "plugin_framework_group_cache",
                 group,
-                new Predicate<IAuthorizationPlugin>() {
+                new AuthorizationEntity.PluginDecisionPredicate() {
             @Override
-            public boolean test(IAuthorizationPlugin plugin) {
+            public boolean decision(IAuthorizationPlugin plugin) {
                 return plugin.isAllowed(request, group);
             }
+        }, new AuthorizationEntity.PluginSkippingPredicate() {
+            @Override
+            public boolean shouldSkip(AuthorizationEntity authEntity) {
+                // shouldn't skip if there is no setup
+                if (authEntity.forProjects().isEmpty() && authEntity.forGroups().isEmpty()) {
+                    return false;
+                }
+
+                // shouldn't skip if the group is contained in the setup
+                return !authEntity.forGroups().contains(group.getName());
+            }
         });
     }
 
@@ -579,7 +604,7 @@ public void setPluginVersion(int pluginVersion) {
      * <p>
      * The order of plugin invokation is given by the configuration
      * {@link RuntimeEnvironment#getPluginStack()} and appropriate actions are
-     * taken when traversing the list with set of keywords, such as:</p>
+     * taken when traversing the stack with set of keywords, such as:</p>
      *
      * <h4>required</h4>
      * Failure of such a plugin will ultimately lead to the authorization
@@ -617,7 +642,8 @@ public void setPluginVersion(int pluginVersion) {
      */
     @SuppressWarnings("unchecked")
     private boolean checkAll(HttpServletRequest request, String cache, Nameable entity,
-            Predicate<IAuthorizationPlugin> predicate) {
+            AuthorizationEntity.PluginDecisionPredicate pluginPredicate,
+            AuthorizationEntity.PluginSkippingPredicate skippingPredicate) {
         if (stack == null) {
             return true;
         }
@@ -639,7 +665,7 @@ private boolean checkAll(HttpServletRequest request, String cache, Nameable enti
 
         long time = System.currentTimeMillis();
 
-        boolean overallDecision = performCheck(entity, predicate);
+        boolean overallDecision = performCheck(entity, pluginPredicate, skippingPredicate);
 
         time = System.currentTimeMillis() - time;
 
@@ -663,14 +689,18 @@ private boolean checkAll(HttpServletRequest request, String cache, Nameable enti
      * Perform the actual check for the entity.
      *
      * @param entity either a project or a group
-     * @param predicate a predicate that decides if the authorization is
+     * @param pluginPredicate a predicate that decides if the authorization is
      * successful for the given plugin
+     * @param skippingPredicate predicate that decides if given authorization
+     * entity should be omitted from the authorization process
      * @return true if entity is allowed; false otherwise
      */
-    private boolean performCheck(Nameable entity, Predicate<IAuthorizationPlugin> predicate) {
+    private boolean performCheck(Nameable entity,
+            AuthorizationEntity.PluginDecisionPredicate pluginPredicate,
+            AuthorizationEntity.PluginSkippingPredicate skippingPredicate) {
         lock.readLock().lock();
         try {
-            return stack.isAllowed(entity, predicate);
+            return stack.isAllowed(entity, pluginPredicate, skippingPredicate);
         } finally {
             lock.readLock().unlock();
         }

src/org/opensolaris/opengrok/authorization/AuthorizationPlugin.java

@@ -24,7 +24,6 @@
 
 import java.util.Map;
 import java.util.TreeMap;
-import java.util.function.Predicate;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import javax.servlet.http.HttpServletRequest;
@@ -99,6 +98,12 @@ public synchronized void load(Map<String, Object> parameters) {
                     + "This can cause the authorization to fail always.",
                     getName());
             setFailed();
+            LOGGER.log(Level.INFO, "[{0}] Plugin \"{1}\" {2} and is {3}.",
+                    new Object[]{
+                        getFlag().toString().toUpperCase(),
+                        getName(),
+                        hasPlugin() ? "found" : "not found",
+                        isWorking() ? "working" : "failed"});
             return;
         }
 
@@ -147,9 +152,11 @@ public synchronized void unload() {
      *
      * @param entity the given entity - this is either group or project and is
      * passed just for the logging purposes.
-     * @param predicate predicate returning true or false for the given entity
-     * which determines if the authorization for such entity is successful or
-     * failed for particular request and plugin
+     * @param pluginPredicate predicate returning true or false for the given
+     * entity which determines if the authorization for such entity is
+     * successful or failed for particular request and plugin
+     * @param skippingPredicate predicate returning true if this authorization
+     * entity should be omitted from the authorization process
      * @return true if the plugin is not failed and the project is allowed;
      * false otherwise
      *
@@ -158,11 +165,22 @@ public synchronized void unload() {
      * @see IAuthorizationPlugin#isAllowed(HttpServletRequest, Group)
      */
     @Override
-    public boolean isAllowed(Nameable entity, Predicate<IAuthorizationPlugin> predicate) {
+    public boolean isAllowed(Nameable entity,
+            AuthorizationEntity.PluginDecisionPredicate pluginPredicate,
+            AuthorizationEntity.PluginSkippingPredicate skippingPredicate) {
+        /**
+         * We don't check the skippingPredicate here as this instance is
+         * <b>always</b> a part of some stack (may be the default stack) and the
+         * stack checks the skipping predicate before invoking this method.
+         *
+         * @see AuthorizationStack#processStack
+         */
+
         if (isFailed()) {
             return false;
         }
-        return predicate.test(plugin);
+
+        return pluginPredicate.decision(this.plugin);
     }
 
     /**