Add namespace owner on namespace creation

Namespace owner may see the namespace configuration page.

Committed-by: René Pfeuffer<rene.pfeuffer@cloudogu.com>

scm-webapp/src/main/java/sonia/scm/api/v2/resources/NamespaceToNamespaceDtoMapper.java

@@ -75,7 +75,7 @@ public abstract class NamespaceToNamespaceDtoMapper extends BaseMapper<Namespace
       .self(links.namespace().self(namespace.getNamespace()))
       .single(link("repositories", links.repositoryCollection().forNamespace(namespace.getNamespace())));
 
-    if (NamespacePermissions.permissionRead().isPermitted()) {
+    if (NamespacePermissions.permissionRead().isPermitted(namespace)) {
       linkingTo
         .single(link("permissions", links.namespacePermission().all(namespace.getNamespace())));
     }

scm-webapp/src/main/java/sonia/scm/api/v2/resources/RepositoryPermissionCollectionToDtoMapper.java

@@ -78,10 +78,10 @@ public class RepositoryPermissionCollectionToDtoMapper {
   }
 
   private Links createLinks(Namespace namespace) {
-    NamespacePermissions.permissionRead().check();
+    NamespacePermissions.permissionRead().check(namespace);
     Links.Builder linksBuilder = linkingTo()
       .with(Links.linkingTo().self(resourceLinks.namespacePermission().all(namespace.getNamespace())).build());
-    if (NamespacePermissions.permissionWrite().isPermitted()) {
+    if (NamespacePermissions.permissionWrite().isPermitted(namespace)) {
       linksBuilder.single(link("create", resourceLinks.namespacePermission().create(namespace.getNamespace())));
     }
     return linksBuilder.build();

scm-webapp/src/main/java/sonia/scm/api/v2/resources/RepositoryPermissionToRepositoryPermissionDtoMapper.java

@@ -72,7 +72,7 @@ public abstract class RepositoryPermissionToRepositoryPermissionDtoMapper {
     String permissionName = getUrlPermissionName(target);
     Links.Builder linksBuilder = linkingTo()
       .self(resourceLinks.namespacePermission().self(namespace.getNamespace(), permissionName));
-    if (NamespacePermissions.permissionWrite().isPermitted()) {
+    if (NamespacePermissions.permissionWrite().isPermitted(namespace)) {
       linksBuilder.single(link("update", resourceLinks.namespacePermission().update(namespace.getNamespace(), permissionName)));
       linksBuilder.single(link("delete", resourceLinks.namespacePermission().delete(namespace.getNamespace(), permissionName)));
     }

scm-webapp/src/main/java/sonia/scm/repository/DefaultNamespaceManager.java

@@ -27,13 +27,15 @@ package sonia.scm.repository;
 import com.github.legman.Subscribe;
 import jakarta.inject.Inject;
 import jakarta.inject.Singleton;
+import org.apache.shiro.SecurityUtils;
 import sonia.scm.HandlerEventType;
 import sonia.scm.event.ScmEventBus;
+import sonia.scm.web.security.AdministrationContext;
 
 import java.util.Collection;
 import java.util.Optional;
-import java.util.stream.Collectors;
 
+import static java.util.Collections.singletonList;
 import static sonia.scm.ContextEntry.ContextBuilder.entity;
 import static sonia.scm.NotFoundException.notFound;
 
@@ -43,12 +45,14 @@ public class DefaultNamespaceManager implements NamespaceManager {
   private final RepositoryManager repositoryManager;
   private final NamespaceDao dao;
   private final ScmEventBus eventBus;
+  private final AdministrationContext administrationContext;
 
   @Inject
-  public DefaultNamespaceManager(RepositoryManager repositoryManager, NamespaceDao dao, ScmEventBus eventBus) {
+  public DefaultNamespaceManager(RepositoryManager repositoryManager, NamespaceDao dao, ScmEventBus eventBus, AdministrationContext administrationContext) {
     this.repositoryManager = repositoryManager;
     this.dao = dao;
     this.eventBus = eventBus;
+    this.administrationContext = administrationContext;
   }
 
   @Override
@@ -67,12 +71,12 @@ public class DefaultNamespaceManager implements NamespaceManager {
       .getAllNamespaces()
       .stream()
       .map(this::createNamespaceForName)
-      .collect(Collectors.toList());
+      .toList();
   }
 
   @Override
   public void modify(Namespace namespace) {
-    NamespacePermissions.permissionWrite().check();
+    NamespacePermissions.permissionWrite().check(namespace);
     Namespace oldNamespace = get(namespace.getNamespace())
       .orElseThrow(() -> notFound(entity(Namespace.class, namespace.getNamespace())));
     fireEvent(HandlerEventType.BEFORE_MODIFY, namespace, oldNamespace);
@@ -80,18 +84,41 @@ public class DefaultNamespaceManager implements NamespaceManager {
     fireEvent(HandlerEventType.MODIFY, namespace, oldNamespace);
   }
 
-  @Subscribe
-  public void cleanupDeletedNamespaces(RepositoryEvent repositoryEvent) {
-    if (namespaceRelevantChange(repositoryEvent)) {
-      Collection<String> allNamespaces = repositoryManager.getAllNamespaces();
-      String oldNamespace = getOldNamespace(repositoryEvent);
-      if (!allNamespaces.contains(oldNamespace)) {
-        dao.delete(oldNamespace);
-      }
+  @Subscribe(async = false)
+  public void handleRepositoryEvent(RepositoryEvent repositoryEvent) {
+    if (repositoryRemovedFromNamespace(repositoryEvent)) {
+      cleanUpNamespaceIfEmpty(repositoryEvent);
+    }
+    if (repositoryCreatedInNamespace(repositoryEvent)) {
+      initializeIfNeeded(repositoryEvent);
     }
   }
 
-  public boolean namespaceRelevantChange(RepositoryEvent repositoryEvent) {
+  private static boolean repositoryCreatedInNamespace(RepositoryEvent repositoryEvent) {
+    return repositoryEvent.getEventType() == HandlerEventType.CREATE;
+  }
+
+  private void cleanUpNamespaceIfEmpty(RepositoryEvent repositoryEvent) {
+    Collection<String> allNamespaces = repositoryManager.getAllNamespaces();
+    String oldNamespace = getOldNamespace(repositoryEvent);
+    if (!allNamespaces.contains(oldNamespace)) {
+      dao.delete(oldNamespace);
+    }
+  }
+
+  private void initializeIfNeeded(RepositoryEvent repositoryEvent) {
+    Namespace namespace = createNamespaceForName(repositoryEvent.getItem().getNamespace());
+    if (repositoryManager.getAll(r -> r.getNamespace().equals(namespace.getNamespace())).size() == 1) {
+      String creatingUser = SecurityUtils.getSubject().getPrincipal().toString();
+      administrationContext.runAsAdmin(() -> {
+          namespace.setPermissions(singletonList(new RepositoryPermission(creatingUser, "OWNER", false)));
+          modify(namespace);
+        }
+      );
+    }
+  }
+
+  public boolean repositoryRemovedFromNamespace(RepositoryEvent repositoryEvent) {
     HandlerEventType eventType = repositoryEvent.getEventType();
     return eventType == HandlerEventType.DELETE
       || eventType == HandlerEventType.MODIFY && !repositoryEvent.getItem().getNamespace().equals(repositoryEvent.getOldItem().getNamespace());
@@ -106,7 +133,7 @@ public class DefaultNamespaceManager implements NamespaceManager {
   }
 
   private Namespace createNamespaceForName(String namespace) {
-    if (NamespacePermissions.permissionRead().isPermitted()) {
+    if (NamespacePermissions.permissionRead().isPermitted(namespace)) {
       return dao.get(namespace)
         .map(Namespace::clone)
         .orElse(new Namespace(namespace));

scm-webapp/src/main/java/sonia/scm/update/security/NamespacePermissionsUpdateStep.java

@@ -0,0 +1,79 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package sonia.scm.update.security;
+
+import jakarta.inject.Inject;
+import sonia.scm.migration.UpdateStep;
+import sonia.scm.plugin.Extension;
+import sonia.scm.security.AssignedPermission;
+import sonia.scm.store.ConfigurationEntryStore;
+import sonia.scm.store.ConfigurationEntryStoreFactory;
+import sonia.scm.version.Version;
+
+import java.util.HashSet;
+
+@Extension
+public class NamespacePermissionsUpdateStep implements UpdateStep {
+
+  private final ConfigurationEntryStoreFactory configurationEntryStoreFactory;
+
+  @Inject
+  public NamespacePermissionsUpdateStep(ConfigurationEntryStoreFactory configurationEntryStoreFactory) {
+    this.configurationEntryStoreFactory = configurationEntryStoreFactory;
+  }
+
+  @Override
+  public void doUpdate() throws Exception {
+    ConfigurationEntryStore<AssignedPermission> securityStore = createSecurityStore();
+    HashSet<String> toBeRemoved = new HashSet<>();
+    HashSet<AssignedPermission> toBeAdded = new HashSet<>();
+    securityStore.getAll().forEach((k, v) -> {
+      if (v.getPermission().getValue().equals("namespace:permissionRead")) {
+        toBeAdded.add(new AssignedPermission(v.getName(), v.isGroupPermission(), "namespace:permissionRead:*"));
+        toBeRemoved.add(k);
+      }
+      if (v.getPermission().getValue().equals("namespace:permissionRead,permissionWrite")) {
+        toBeAdded.add(new AssignedPermission(v.getName(), v.isGroupPermission(), "namespace:permissionRead,permissionWrite:*"));
+        toBeRemoved.add(k);
+      }
+    });
+    toBeAdded.forEach(securityStore::put);
+    toBeRemoved.forEach(securityStore::remove);
+  }
+
+  private ConfigurationEntryStore<AssignedPermission> createSecurityStore() {
+    return configurationEntryStoreFactory.withType(AssignedPermission.class).withName("security").build();
+  }
+
+  @Override
+  public Version getTargetVersion() {
+    return Version.parse("3.1.0");
+  }
+
+  @Override
+  public String getAffectedDataType() {
+    return "sonia.scm.security.xml";
+  }
+}