SONAR-8997 SONAR-8998 Filter organization members when selecting user…

…s to change permissions and template permissions

server/sonar-db-dao/src/main/java/org/sonar/db/permission/GroupPermissionDao.java

@@ -44,16 +44,16 @@ public class GroupPermissionDao implements Dao {
    * The virtual group "Anyone" may be returned as the value {@link DefaultGroups#ANYONE}.
    * @return group names, sorted in alphabetical order
    */
-  public List<String> selectGroupNamesByQuery(DbSession dbSession, String organizationUuid, PermissionQuery query) {
-    return mapper(dbSession).selectGroupNamesByQuery(organizationUuid, query, new RowBounds(query.getPageOffset(), query.getPageSize()));
+  public List<String> selectGroupNamesByQuery(DbSession dbSession, PermissionQuery query) {
+    return mapper(dbSession).selectGroupNamesByQuery(query, new RowBounds(query.getPageOffset(), query.getPageSize()));
   }
 
   /**
-   * Count the number of groups returned by {@link #selectGroupNamesByQuery(DbSession, String, PermissionQuery)},
+   * Count the number of groups returned by {@link #selectGroupNamesByQuery(DbSession, PermissionQuery)},
    * without applying pagination.
    */
-  public int countGroupsByQuery(DbSession dbSession, String organizationUuid, PermissionQuery query) {
-    return mapper(dbSession).countGroupsByQuery(organizationUuid, query);
+  public int countGroupsByQuery(DbSession dbSession, PermissionQuery query) {
+    return mapper(dbSession).countGroupsByQuery(query);
   }
 
   /**

server/sonar-db-dao/src/main/java/org/sonar/db/permission/GroupPermissionMapper.java

@@ -28,10 +28,9 @@
 
 public interface GroupPermissionMapper {
 
-  List<String> selectGroupNamesByQuery(@Param("organizationUuid") String organizationUuid,
-    @Param("query") PermissionQuery query, RowBounds rowBounds);
+  List<String> selectGroupNamesByQuery(@Param("query") PermissionQuery query, RowBounds rowBounds);
 
-  int countGroupsByQuery(@Param("organizationUuid") String organizationUuid, @Param("query") PermissionQuery query);
+  int countGroupsByQuery(@Param("query") PermissionQuery query);
 
   List<GroupPermissionDto> selectByGroupIds(@Param("organizationUuid") String organizationUuid,
     @Param("groupIds") List<Integer> groupIds, @Nullable @Param("projectId") Long projectId);

server/sonar-db-dao/src/main/java/org/sonar/db/permission/PermissionQuery.java

@@ -27,6 +27,7 @@
 
 import static com.google.common.base.MoreObjects.firstNonNull;
 import static com.google.common.base.Preconditions.checkArgument;
+import static java.util.Objects.requireNonNull;
 import static org.apache.commons.lang.StringUtils.defaultIfBlank;
 import static org.sonar.api.utils.Paging.offset;
 import static org.sonar.db.DaoDatabaseUtils.buildLikeValue;
@@ -41,9 +42,11 @@ public class PermissionQuery {
   public static final int DEFAULT_PAGE_SIZE = 20;
   public static final int DEFAULT_PAGE_INDEX = 1;
 
+  // filter: return only the users or groups that are members of the organization
+  private final String organizationUuid;
   // filter: return only the users or groups who have this permission
   private final String permission;
-  // filter on project, else filter global permissions
+  // filter on project, else filter org permissions
   private final String componentUuid;
   private final String template;
 
@@ -60,6 +63,7 @@ public class PermissionQuery {
   private final int pageOffset;
 
   private PermissionQuery(Builder builder) {
+    this.organizationUuid = builder.organizationUuid;
     this.permission = builder.permission;
     this.withAtLeastOnePermission = builder.withAtLeastOnePermission;
     this.componentUuid = builder.componentUuid;
@@ -71,6 +75,10 @@ private PermissionQuery(Builder builder) {
     this.pageOffset = offset(builder.pageIndex, builder.pageSize);
   }
 
+  public String getOrganizationUuid() {
+    return organizationUuid;
+  }
+
   @CheckForNull
   public String getPermission() {
     return permission;
@@ -120,6 +128,7 @@ public static Builder builder() {
 
   public static class Builder {
     private String permission;
+    private String organizationUuid;
     private String componentUuid;
     private String template;
     private String searchQuery;
@@ -148,6 +157,11 @@ public Builder setComponentUuid(@Nullable String componentUuid) {
       return this;
     }
 
+    public Builder setOrganizationUuid(String organizationUuid) {
+      this.organizationUuid = organizationUuid;
+      return this;
+    }
+
     public Builder setSearchQuery(@Nullable String s) {
       this.searchQuery = defaultIfBlank(s, null);
       return this;
@@ -169,6 +183,7 @@ public Builder withAtLeastOnePermission() {
     }
 
     public PermissionQuery build() {
+      this.organizationUuid = requireNonNull(organizationUuid, "Organization UUID cannot be null");
       this.pageIndex = firstNonNull(pageIndex, DEFAULT_PAGE_INDEX);
       this.pageSize = firstNonNull(pageSize, DEFAULT_PAGE_SIZE);
       checkArgument(searchQuery == null || searchQuery.length() >= SEARCH_QUERY_MIN_LENGTH, "Search query should contains at least %s characters", SEARCH_QUERY_MIN_LENGTH);

server/sonar-db-dao/src/main/java/org/sonar/db/permission/UserPermissionDao.java

@@ -37,12 +37,11 @@ public class UserPermissionDao implements Dao {
 
   /**
    * List of user permissions ordered by alphabetical order of user names
-   *
-   * @param query non-null query including optional filters.
+   *  @param query non-null query including optional filters.
    * @param userLogins if null, then filter on all active users. If not null, then filter on logins, including disabled users.
-   *                   Must not be empty. If not null then maximum size is {@link org.sonar.db.DatabaseUtils#PARTITION_SIZE_FOR_ORACLE}.
+   *                   Must not be empty. If not null then maximum size is {@link DatabaseUtils#PARTITION_SIZE_FOR_ORACLE}.
    */
-  public List<UserPermissionDto> select(DbSession dbSession, String organizationUuid, PermissionQuery query, @Nullable Collection<String> userLogins) {
+  public List<UserPermissionDto> select(DbSession dbSession, PermissionQuery query, @Nullable Collection<String> userLogins) {
     if (userLogins != null) {
       if (userLogins.isEmpty()) {
         return emptyList();
@@ -51,15 +50,15 @@ public List<UserPermissionDto> select(DbSession dbSession, String organizationUu
     }
 
     RowBounds rowBounds = new RowBounds(query.getPageOffset(), query.getPageSize());
-    return mapper(dbSession).selectByQuery(organizationUuid, query, userLogins, rowBounds);
+    return mapper(dbSession).selectByQuery(query, userLogins, rowBounds);
   }
 
   /**
-   * Shortcut over {@link #select(DbSession, String, PermissionQuery, Collection)} to return only distinct user
+   * Shortcut over {@link #select(DbSession, PermissionQuery, Collection)} to return only distinct user
    * ids, keeping the same order.
    */
-  public List<Integer> selectUserIds(DbSession dbSession, String organizationUuid, PermissionQuery query) {
-    List<UserPermissionDto> dtos = select(dbSession, organizationUuid, query, null);
+  public List<Integer> selectUserIds(DbSession dbSession, PermissionQuery query) {
+    List<UserPermissionDto> dtos = select(dbSession, query, null);
     return dtos.stream()
       .map(UserPermissionDto::getUserId)
       .distinct()

server/sonar-db-dao/src/main/java/org/sonar/db/permission/UserPermissionMapper.java

@@ -27,15 +27,14 @@
 
 public interface UserPermissionMapper {
 
-  List<UserPermissionDto> selectByQuery(@Param("organizationUuid") String organizationUuid,
-    @Param("query") PermissionQuery query, @Nullable @Param("userLogins") Collection<String> userLogins, RowBounds rowBounds);
+  List<UserPermissionDto> selectByQuery(@Param("query") PermissionQuery query, @Nullable @Param("userLogins") Collection<String> userLogins, RowBounds rowBounds);
 
   /**
-   * Count the number of distinct users returned by {@link #selectByQuery(String, PermissionQuery, Collection, RowBounds)}
+   * Count the number of distinct users returned by {@link #selectByQuery(PermissionQuery, Collection, RowBounds)}
    * {@link PermissionQuery#getPageOffset()} and {@link PermissionQuery#getPageSize()} are ignored.
    *
    * @param useNull must always be null. It is needed for using the sql of 
-   * {@link #selectByQuery(String, PermissionQuery, Collection, RowBounds)}
+   * {@link #selectByQuery(PermissionQuery, Collection, RowBounds)}
    */
   int countUsersByQuery(@Param("organizationUuid") String organizationUuid, @Param("query") PermissionQuery query,
     @Nullable @Param("userLogins") Collection<String> useNull);

server/sonar-db-dao/src/main/java/org/sonar/db/permission/template/PermissionTemplateDao.java

@@ -69,8 +69,8 @@ public List<PermissionTemplateUserDto> selectUserPermissionsByTemplateId(DbSessi
     return mapper(dbSession).selectUserPermissionsByTemplateIdAndUserLogins(templateId, Collections.emptyList());
   }
 
-  public List<String> selectGroupNamesByQueryAndTemplate(DbSession session, PermissionQuery query, String organizationUuid, long templateId) {
-    return mapper(session).selectGroupNamesByQueryAndTemplate(organizationUuid, templateId, query, new RowBounds(query.getPageOffset(), query.getPageSize()));
+  public List<String> selectGroupNamesByQueryAndTemplate(DbSession session, PermissionQuery query, long templateId) {
+    return mapper(session).selectGroupNamesByQueryAndTemplate(templateId, query, new RowBounds(query.getPageOffset(), query.getPageSize()));
   }
 
   public int countGroupNamesByQueryAndTemplate(DbSession session, PermissionQuery query, String organizationUuid, long templateId) {

server/sonar-db-dao/src/main/java/org/sonar/db/permission/template/PermissionTemplateMapper.java

@@ -72,8 +72,7 @@ public interface PermissionTemplateMapper {
 
   int countUserLoginsByQueryAndTemplate(@Param("query") PermissionQuery query, @Param("templateId") long templateId);
 
-  List<String> selectGroupNamesByQueryAndTemplate(@Param("organizationUuid") String organizationUuid,
-    @Param("templateId") long templateId, @Param("query") PermissionQuery query, RowBounds rowBounds);
+  List<String> selectGroupNamesByQueryAndTemplate(@Param("templateId") long templateId, @Param("query") PermissionQuery query, RowBounds rowBounds);
 
   int countGroupNamesByQueryAndTemplate(@Param("organizationUuid") String organizationUuid, @Param("query") PermissionQuery query, @Param("templateId") long templateId);
 

server/sonar-db-dao/src/main/resources/org/sonar/db/permission/GroupPermissionMapper.xml

@@ -43,15 +43,15 @@
       from groups g
       left join group_roles gr on g.id = gr.group_id
       where
-      g.organization_uuid = #{organizationUuid,jdbcType=VARCHAR}
+      g.organization_uuid = #{query.organizationUuid,jdbcType=VARCHAR}
 
     union all
 
     select 0 as groupId, 'Anyone' as name, gr.role as permission, gr.resource_id as componentId, gr.id as id
     from group_roles gr
     <if test="query.withAtLeastOnePermission()">
       where
-      gr.organization_uuid = #{organizationUuid,jdbcType=VARCHAR} and
+      gr.organization_uuid = #{query.organizationUuid,jdbcType=VARCHAR} and
       gr.group_id is null
     </if>
 

server/sonar-db-dao/src/main/resources/org/sonar/db/permission/UserPermissionMapper.xml

@@ -22,6 +22,7 @@
     from users u
     left join user_roles ur on ur.user_id = u.id
     left join projects p on ur.resource_id = p.id
+    inner join organization_members om on u.id=om.user_id and om.organization_uuid=#{query.organizationUuid,jdbcType=VARCHAR}
     <where>
       <if test="userLogins == null">
         and u.active = ${_true}
@@ -38,7 +39,7 @@
       </if>
       <!-- filter rows with user permissions -->
       <if test="query.withAtLeastOnePermission()">
-        and ur.organization_uuid = #{organizationUuid,jdbcType=VARCHAR}
+        and ur.organization_uuid = #{query.organizationUuid,jdbcType=VARCHAR}
         and ur.role is not null
         <if test="query.componentUuid==null">
           and ur.resource_id is null

server/sonar-db-dao/src/main/resources/org/sonar/db/permission/template/PermissionTemplateMapper.xml

@@ -135,6 +135,7 @@
   <sql id="userLoginsByQueryAndTemplate">
     FROM users u
     LEFT JOIN perm_templates_users ptu ON ptu.user_id=u.id AND ptu.template_id=#{templateId}
+    INNER JOIN organization_members om ON u.id=om.user_id AND om.organization_uuid=#{query.organizationUuid}
     <where>
       u.active = ${_true}
       <if test="query.getSearchQueryToSql() != null">
@@ -173,7 +174,7 @@
     LEFT JOIN perm_templates_groups ptg ON
       ptg.group_id=g.id
     where
-      g.organization_uuid=#{organizationUuid,jdbcType=VARCHAR}
+      g.organization_uuid=#{query.organizationUuid,jdbcType=VARCHAR}
     UNION ALL
     SELECT
       0 AS group_id,

server/sonar-db-dao/src/test/java/org/sonar/db/DbTester.java

@@ -158,6 +158,10 @@ private void insertDefaultOrganization() {
     }
   }
 
+  public boolean hasDefaultOrganization() {
+    return defaultOrganization != null;
+  }
+
   public OrganizationDto getDefaultOrganization() {
     checkState(defaultOrganization != null, "Default organization has not been created");
     return defaultOrganization;

server/sonar-db-dao/src/test/java/org/sonar/db/permission/GroupPermissionDaoTest.java

@@ -103,7 +103,7 @@ public void selectGroupNamesByQuery_is_ordered_by_group_names() {
     GroupDto group1 = db.users().insertGroup(organizationDto, "Group-1");
     db.users().insertPermissionOnAnyone(organizationDto, SCAN);
 
-    assertThat(underTest.selectGroupNamesByQuery(dbSession, organizationDto.getUuid(), PermissionQuery.builder().build()))
+    assertThat(underTest.selectGroupNamesByQuery(dbSession, newQuery().setOrganizationUuid(organizationDto.getUuid()).build()))
       .containsExactly(ANYONE, group1.getName(), group2.getName(), group3.getName());
   }
 
@@ -117,15 +117,15 @@ public void countGroupsByQuery() {
     db.users().insertPermissionOnGroup(group1, PROVISION_PROJECTS);
 
     assertThat(underTest.countGroupsByQuery(dbSession,
-      defaultOrganizationUuid, PermissionQuery.builder().build())).isEqualTo(4);
+      newQuery().build())).isEqualTo(4);
     assertThat(underTest.countGroupsByQuery(dbSession,
-      defaultOrganizationUuid, PermissionQuery.builder().setPermission(PROVISION_PROJECTS.getKey()).build())).isEqualTo(1);
+      newQuery().setPermission(PROVISION_PROJECTS.getKey()).build())).isEqualTo(1);
     assertThat(underTest.countGroupsByQuery(dbSession,
-      defaultOrganizationUuid, PermissionQuery.builder().withAtLeastOnePermission().build())).isEqualTo(2);
+      newQuery().withAtLeastOnePermission().build())).isEqualTo(2);
     assertThat(underTest.countGroupsByQuery(dbSession,
-      defaultOrganizationUuid, PermissionQuery.builder().setSearchQuery("Group-").build())).isEqualTo(3);
+      newQuery().setSearchQuery("Group-").build())).isEqualTo(3);
     assertThat(underTest.countGroupsByQuery(dbSession,
-      defaultOrganizationUuid, PermissionQuery.builder().setSearchQuery("Any").build())).isEqualTo(1);
+      newQuery().setSearchQuery("Any").build())).isEqualTo(1);
   }
 
   @Test
@@ -144,13 +144,13 @@ public void selectGroupNamesByQuery_with_global_permission() {
     db.users().insertProjectPermissionOnGroup(group2, UserRole.ADMIN, project);
 
     assertThat(underTest.selectGroupNamesByQuery(dbSession,
-      organizationDto.getUuid(), PermissionQuery.builder().setPermission(SCAN.getKey()).build())).containsExactly(ANYONE, group1.getName());
+      newQuery().setOrganizationUuid(organizationDto.getUuid()).setPermission(SCAN.getKey()).build())).containsExactly(ANYONE, group1.getName());
 
     assertThat(underTest.selectGroupNamesByQuery(dbSession,
-      organizationDto.getUuid(), PermissionQuery.builder().setPermission(ADMINISTER.getKey()).build())).containsExactly(group3.getName());
+      newQuery().setOrganizationUuid(organizationDto.getUuid()).setPermission(ADMINISTER.getKey()).build())).containsExactly(group3.getName());
 
     assertThat(underTest.selectGroupNamesByQuery(dbSession,
-      organizationDto.getUuid(), PermissionQuery.builder().setPermission(PROVISION_PROJECTS.getKey()).build())).containsExactly(ANYONE);
+      newQuery().setOrganizationUuid(organizationDto.getUuid()).setPermission(PROVISION_PROJECTS.getKey()).build())).containsExactly(ANYONE);
   }
 
   @Test
@@ -171,21 +171,21 @@ public void select_groups_by_query_with_project_permissions() {
     db.users().insertProjectPermissionOnGroup(group3, SCAN_EXECUTION, anotherProject);
     db.users().insertPermissionOnGroup(group2, SCAN);
 
-    PermissionQuery.Builder builderOnComponent = PermissionQuery.builder().setComponentUuid(project.uuid());
+    PermissionQuery.Builder builderOnComponent = newQuery().setComponentUuid(project.uuid());
     assertThat(underTest.selectGroupNamesByQuery(dbSession,
-      defaultOrganizationUuid, builderOnComponent.withAtLeastOnePermission().build())).containsOnlyOnce(group1.getName());
+      builderOnComponent.withAtLeastOnePermission().build())).containsOnlyOnce(group1.getName());
     assertThat(underTest.selectGroupNamesByQuery(dbSession,
-      defaultOrganizationUuid, builderOnComponent.setPermission(SCAN_EXECUTION).build())).containsOnlyOnce(group1.getName());
+      builderOnComponent.setPermission(SCAN_EXECUTION).build())).containsOnlyOnce(group1.getName());
     assertThat(underTest.selectGroupNamesByQuery(dbSession,
-      defaultOrganizationUuid, builderOnComponent.setPermission(USER).build())).containsOnlyOnce(ANYONE);
+      builderOnComponent.setPermission(USER).build())).containsOnlyOnce(ANYONE);
   }
 
   @Test
   public void selectGroupNamesByQuery_is_paginated() {
     IntStream.rangeClosed(0, 9).forEach(i -> db.users().insertGroup(db.getDefaultOrganization(), i + "-name"));
 
     List<String> groupNames = underTest.selectGroupNamesByQuery(dbSession,
-      defaultOrganizationUuid, PermissionQuery.builder().setPageIndex(2).setPageSize(3).build());
+      newQuery().setPageIndex(2).setPageSize(3).build());
     assertThat(groupNames).containsExactly("3-name", "4-name", "5-name");
   }
 
@@ -196,15 +196,15 @@ public void selectGroupNamesByQuery_with_search_query() {
     db.users().insertPermissionOnGroup(group, SCAN);
 
     assertThat(underTest.selectGroupNamesByQuery(dbSession,
-      defaultOrganizationUuid, PermissionQuery.builder().setSearchQuery("any").build())).containsOnlyOnce(ANYONE, group.getName());
+      newQuery().setSearchQuery("any").build())).containsOnlyOnce(ANYONE, group.getName());
   }
 
   @Test
   public void selectGroupNamesByQuery_does_not_return_anyone_when_group_roles_is_empty() {
     GroupDto group = db.users().insertGroup();
 
     assertThat(underTest.selectGroupNamesByQuery(dbSession,
-      defaultOrganizationUuid, PermissionQuery.builder().build()))
+      newQuery().build()))
         .doesNotContain(ANYONE)
         .containsExactly(group.getName());
   }
@@ -461,6 +461,10 @@ public void deleteByOrganization_deletes_all_groups_of_organization() {
     verifyOrganizationUuidsInTable();
   }
 
+  private PermissionQuery.Builder newQuery() {
+    return PermissionQuery.builder().setOrganizationUuid(db.getDefaultOrganization().getUuid());
+  }
+
   private void verifyOrganizationUuidsInTable(String... organizationUuids) {
     assertThat(db.select("select distinct organization_uuid as \"organizationUuid\" from group_roles"))
       .extracting((row) -> (String) row.get("organizationUuid"))