
SONAR-5927 Prevent access to batch/global when no permission
henryju committed Jan 30, 2015
1 parent 2442551 commit 093671e
Showing 3 changed files with 37 additions and 7 deletions.
Expand Up @@ -33,6 +33,7 @@
import org.sonar.core.properties.PropertiesDao; import org.sonar.core.properties.PropertiesDao;
import org.sonar.core.properties.PropertyDto; import org.sonar.core.properties.PropertyDto;
import org.sonar.server.db.DbClient; import org.sonar.server.db.DbClient;
import org.sonar.server.exceptions.ForbiddenException;
import org.sonar.server.plugins.MimeTypes; import org.sonar.server.plugins.MimeTypes;
import org.sonar.server.user.UserSession; import org.sonar.server.user.UserSession;


Expand All @@ -58,13 +59,16 @@ void define(WebService.NewController controller) {
public void handle(Request request, Response response) throws Exception { public void handle(Request request, Response response) throws Exception {
UserSession userSession = UserSession.get(); UserSession userSession = UserSession.get();
boolean hasScanPerm = userSession.hasGlobalPermission(GlobalPermissions.SCAN_EXECUTION); boolean hasScanPerm = userSession.hasGlobalPermission(GlobalPermissions.SCAN_EXECUTION);
boolean hasDryRunPerm = userSession.hasGlobalPermission(GlobalPermissions.PREVIEW_EXECUTION); boolean hasPreviewPerm = userSession.hasGlobalPermission(GlobalPermissions.PREVIEW_EXECUTION);
if (!hasPreviewPerm && !hasScanPerm) {
throw new ForbiddenException(Messages.NO_PERMISSION);
}


DbSession session = dbClient.openSession(false); DbSession session = dbClient.openSession(false);
try { try {
GlobalRepositories ref = new GlobalRepositories(); GlobalRepositories ref = new GlobalRepositories();
addMetrics(ref, session); addMetrics(ref, session);
addSettings(ref, hasScanPerm, hasDryRunPerm, session); addSettings(ref, hasScanPerm, hasPreviewPerm, session);


response.stream().setMediaType(MimeTypes.JSON); response.stream().setMediaType(MimeTypes.JSON);
IOUtils.write(ref.toJson(), response.stream().output()); IOUtils.write(ref.toJson(), response.stream().output());
Expand All @@ -90,19 +94,19 @@ private void addMetrics(GlobalRepositories ref, DbSession session) {
} }
} }


private void addSettings(GlobalRepositories ref, boolean hasScanPerm, boolean hasDryRunPerm, DbSession session) { private void addSettings(GlobalRepositories ref, boolean hasScanPerm, boolean hasPreviewPerm, DbSession session) {
for (PropertyDto propertyDto : propertiesDao.selectGlobalProperties(session)) { for (PropertyDto propertyDto : propertiesDao.selectGlobalProperties(session)) {
String key = propertyDto.getKey(); String key = propertyDto.getKey();
String value = propertyDto.getValue(); String value = propertyDto.getValue();


if (isPropertyAllowed(key, hasScanPerm, hasDryRunPerm)) { if (isPropertyAllowed(key, hasScanPerm, hasPreviewPerm)) {
ref.addGlobalSetting(key, value); ref.addGlobalSetting(key, value);
} }
} }
} }


private static boolean isPropertyAllowed(String key, boolean hasScanPerm, boolean hasDryRunPerm) { private static boolean isPropertyAllowed(String key, boolean hasScanPerm, boolean hasPreviewPerm) {
return !key.contains(".secured") || hasScanPerm || (key.contains(".license") && hasDryRunPerm); return !key.contains(".secured") || hasScanPerm || (key.contains(".license") && hasPreviewPerm);
} }


} }
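Review bot: The new guard in `handle()` — `if (!hasPreviewPerm && !hasScanPerm) { throw new ForbiddenException(Messages.NO_PERMISSION); }` — duplicates the opening check of `checkPermission(boolean)` in the third file of this commit, so the same authorization rule for the batch endpoints now lives in two places; a small shared helper in `org.sonar.server.batch` that takes the `UserSession` and throws would keep them from drifting. None of the three changed files is a test, so the new 403 path on batch/global looks uncovered unless a test exists elsewhere; a case for a session holding neither SCAN_EXECUTION nor PREVIEW_EXECUTION, and one confirming that a PREVIEW_EXECUTION-only session still receives the non-`.secured` settings, would pin the intended behaviour. Placing the check ahead of `dbClient.openSession(false)` is the right order, since a denied request then opens no session at all. The `handle` method and the enclosing class continue outside the hunk.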
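--- /dev/null
+++ b/PATH_NOT_ON_PAGE/org/sonar/server/batch/Messages.java
@@ -0,0 +1,26 @@
+/*
+* SonarQube, open source software quality management tool.
+* Copyright (C) 2008-2014 SonarSource
+* mailto:contact AT sonarsource DOT com
+*
+* SonarQube is free software; you can redistribute it and/or
+* modify it under the terms of the GNU Lesser General Public
+* License as published by the Free Software Foundation; either
+* version 3 of the License, or (at your option) any later version.
+*
+* SonarQube is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public License
+* along with this program; if not, write to the Free Software Foundation,
+* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+*/
+package org.sonar.server.batch;
+
+public interface Messages {
+
+String NO_PERMISSION = "You're not authorized to execute any SonarQube analysis. Please contact your SonarQube administrator.";
+
+}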
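Review bot: `Messages` is declared as an interface whose only purpose is to hold a constant, which lets any class implement it and inherit `NO_PERMISSION` into its own namespace; the usual form is a non-instantiable holder: `public final class Messages {`, `private Messages() {}`, `public static final String NO_PERMISSION = "...";`. A one-line Javadoc such as `/** User-facing denial messages shared by the batch permission checks. */` would also record why the file exists, since the package header says nothing about its role.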
Expand Up @@ -276,7 +276,7 @@ private void checkPermission(boolean preview) {
boolean hasScanPerm = userSession.hasGlobalPermission(GlobalPermissions.SCAN_EXECUTION); boolean hasScanPerm = userSession.hasGlobalPermission(GlobalPermissions.SCAN_EXECUTION);
boolean hasPreviewPerm = userSession.hasGlobalPermission(GlobalPermissions.PREVIEW_EXECUTION); boolean hasPreviewPerm = userSession.hasGlobalPermission(GlobalPermissions.PREVIEW_EXECUTION);
if (!hasPreviewPerm && !hasScanPerm) { if (!hasPreviewPerm && !hasScanPerm) {
throw new ForbiddenException("You're not authorized to execute any SonarQube analysis. Please contact your SonarQube administrator."); throw new ForbiddenException(Messages.NO_PERMISSION);
} }
if (!preview && !hasScanPerm) { if (!preview && !hasScanPerm) {
throw new ForbiddenException("You're only authorized to execute a local (preview) SonarQube analysis without pushing the results to the SonarQube server. " + throw new ForbiddenException("You're only authorized to execute a local (preview) SonarQube analysis without pushing the results to the SonarQube server. " +
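Review bot: The second denial message in the `if (!preview && !hasScanPerm)` branch is still an inline string literal immediately after the first one was moved to `Messages.NO_PERMISSION`, so the two messages of this method now live in different places; a sibling constant such as `String NO_SCAN_PERMISSION = "You're only authorized to execute a local (preview) SonarQube analysis without pushing the results to the SonarQube server. " + ...;` would complete the refactor and keep both texts beside each other. `checkPermission` continues past the hunk, so the remainder of that literal and the rest of the method are not visible here.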
