/*
* SonarQube
* Copyright (C) 2009-2017 SonarSource SA
* mailto:info AT sonarsource DOT com
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 3 of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program; if not, write to the Free Software Foundation,
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
package org.sonar.server.user;
import com.google.common.base.Joiner;
import com.google.common.base.Strings;
import java.security.SecureRandom;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.Random;
import javax.annotation.Nullable;
import org.apache.commons.codec.digest.DigestUtils;
import org.sonar.api.platform.NewUserHandler;
import org.sonar.api.server.ServerSide;
import org.sonar.api.utils.System2;
import org.sonar.core.util.stream.MoreCollectors;
import org.sonar.db.DbClient;
import org.sonar.db.DbSession;
import org.sonar.db.organization.OrganizationMemberDto;
import org.sonar.db.user.GroupDto;
import org.sonar.db.user.UserDto;
import org.sonar.db.user.UserGroupDto;
import org.sonar.server.organization.DefaultOrganizationProvider;
import org.sonar.server.organization.OrganizationCreation;
import org.sonar.server.organization.OrganizationFlags;
import org.sonar.server.user.index.UserIndexer;
import org.sonar.server.usergroups.DefaultGroupFinder;
import org.sonar.server.util.Validation;
import static com.google.common.base.Preconditions.checkArgument;
import static com.google.common.base.Strings.isNullOrEmpty;
import static com.google.common.collect.Lists.newArrayList;
import static java.lang.String.format;
import static org.sonar.db.user.UserDto.encryptPassword;
import static org.sonar.server.ws.WsUtils.checkFound;
import static org.sonar.server.ws.WsUtils.checkRequest;
@ServerSide
public class UserUpdater {
private static final String SQ_AUTHORITY = "sonarqube";
private static final String LOGIN_PARAM = "Login";
private static final String PASSWORD_PARAM = "Password";
private static final String NAME_PARAM = "Name";
private static final String EMAIL_PARAM = "Email";
private static final int LOGIN_MIN_LENGTH = 2;
private static final int LOGIN_MAX_LENGTH = 255;
private static final int EMAIL_MAX_LENGTH = 100;
private static final int NAME_MAX_LENGTH = 200;
private final NewUserNotifier newUserNotifier;
private final DbClient dbClient;
private final UserIndexer userIndexer;
private final System2 system2;
private final OrganizationFlags organizationFlags;
private final DefaultOrganizationProvider defaultOrganizationProvider;
private final OrganizationCreation organizationCreation;
private final DefaultGroupFinder defaultGroupFinder;
public UserUpdater(NewUserNotifier newUserNotifier, DbClient dbClient, UserIndexer userIndexer, System2 system2, OrganizationFlags organizationFlags,
DefaultOrganizationProvider defaultOrganizationProvider, OrganizationCreation organizationCreation, DefaultGroupFinder defaultGroupFinder) {
this.newUserNotifier = newUserNotifier;
this.dbClient = dbClient;
this.userIndexer = userIndexer;
this.system2 = system2;
this.organizationFlags = organizationFlags;
this.defaultOrganizationProvider = defaultOrganizationProvider;
this.organizationCreation = organizationCreation;
this.defaultGroupFinder = defaultGroupFinder;
}
public UserDto create(DbSession dbSession, NewUser newUser) {
String login = newUser.login();
UserDto userDto = dbClient.userDao().selectByLogin(dbSession, newUser.login());
if (userDto == null) {
userDto = saveUser(dbSession, createNewUserDto(dbSession, newUser));
} else {
reactivateUser(dbSession, userDto, login, newUser);
}
notifyNewUser(userDto.getLogin(), userDto.getName(), newUser.email());
return userDto;
}
private void reactivateUser(DbSession dbSession, UserDto existingUser, String login, NewUser newUser) {
checkArgument(!existingUser.isActive(), "An active user with login '%s' already exists", login);
UpdateUser updateUser = UpdateUser.create(login)
.setName(newUser.name())
.setEmail(newUser.email())
.setScmAccounts(newUser.scmAccounts());
if (newUser.password() != null) {
updateUser.setPassword(newUser.password());
}
if (newUser.externalIdentity() != null) {
updateUser.setExternalIdentity(newUser.externalIdentity());
}
// Hack to allow to change the password of the user
existingUser.setLocal(true);
updateUserDto(dbSession, updateUser, existingUser);
updateUser(dbSession, existingUser);
addUserToDefaultOrganizationAndDefaultGroup(dbSession, existingUser);
dbSession.commit();
}
public void update(DbSession dbSession, UpdateUser updateUser) {
UserDto user = dbClient.userDao().selectByLogin(dbSession, updateUser.login());
checkFound(user, "User with login '%s' has not been found", updateUser.login());
boolean isUserUpdated = updateUserDto(dbSession, updateUser, user);
if (!isUserUpdated) {
return;
}
updateUser(dbSession, user);
notifyNewUser(user.getLogin(), user.getName(), user.getEmail());
}
private UserDto createNewUserDto(DbSession dbSession, NewUser newUser) {
UserDto userDto = new UserDto();
List<String> messages = newArrayList();
String login = newUser.login();
if (validateLoginFormat(login, messages)) {
userDto.setLogin(login);
}
String name = newUser.name();
if (validateNameFormat(name, messages)) {
userDto.setName(name);
}
String email = newUser.email();
if (email != null && validateEmailFormat(email, messages)) {
userDto.setEmail(email);
}
String password = newUser.password();
if (password != null && validatePasswords(password, messages)) {
setEncryptedPassWord(password, userDto);
}
List<String> scmAccounts = sanitizeScmAccounts(newUser.scmAccounts());
if (scmAccounts != null && !scmAccounts.isEmpty() && validateScmAccounts(dbSession, scmAccounts, login, email, null, messages)) {
userDto.setScmAccounts(scmAccounts);
}
setExternalIdentity(userDto, newUser.externalIdentity());
checkRequest(messages.isEmpty(), messages);
return userDto;
}
private boolean updateUserDto(DbSession dbSession, UpdateUser updateUser, UserDto userDto) {
List<String> messages = newArrayList();
boolean changed = updateName(updateUser, userDto, messages);
changed |= updateEmail(updateUser, userDto, messages);
changed |= updateExternalIdentity(updateUser, userDto);
changed |= updatePassword(updateUser, userDto, messages);
changed |= updateScmAccounts(dbSession, updateUser, userDto, messages);
checkRequest(messages.isEmpty(), messages);
return changed;
}
private static boolean updateName(UpdateUser updateUser, UserDto userDto, List<String> messages) {
String name = updateUser.name();
if (updateUser.isNameChanged() && validateNameFormat(name, messages) && !Objects.equals(userDto.getName(), name)) {
userDto.setName(name);
return true;
}
return false;
}
private static boolean updateEmail(UpdateUser updateUser, UserDto userDto, List<String> messages) {
String email = updateUser.email();
if (updateUser.isEmailChanged() && validateEmailFormat(email, messages) && !Objects.equals(userDto.getEmail(), email)) {
userDto.setEmail(email);
return true;
}
return false;
}
private static boolean updateExternalIdentity(UpdateUser updateUser, UserDto userDto) {
ExternalIdentity externalIdentity = updateUser.externalIdentity();
if (updateUser.isExternalIdentityChanged() && !isSameExternalIdentity(userDto, externalIdentity)) {
setExternalIdentity(userDto, externalIdentity);
userDto.setSalt(null);
userDto.setCryptedPassword(null);
return true;
}
return false;
}
private static boolean updatePassword(UpdateUser updateUser, UserDto userDto, List<String> messages) {
String password = updateUser.password();
if (!updateUser.isExternalIdentityChanged() && updateUser.isPasswordChanged() && validatePasswords(password, messages) && checkPasswordChangeAllowed(userDto, messages)) {
setEncryptedPassWord(password, userDto);
return true;
}
return false;
}
private boolean updateScmAccounts(DbSession dbSession, UpdateUser updateUser, UserDto userDto, List<String> messages) {
String email = updateUser.email();
List<String> scmAccounts = sanitizeScmAccounts(updateUser.scmAccounts());
List<String> existingScmAccounts = userDto.getScmAccountsAsList();
if (updateUser.isScmAccountsChanged() && !(existingScmAccounts.containsAll(scmAccounts) && scmAccounts.containsAll(existingScmAccounts))) {
if (!scmAccounts.isEmpty()) {
String newOrOldEmail = email != null ? email : userDto.getEmail();
if (validateScmAccounts(dbSession, scmAccounts, userDto.getLogin(), newOrOldEmail, userDto, messages)) {
userDto.setScmAccounts(scmAccounts);
}
} else {
userDto.setScmAccounts((String) null);
}
return true;
}
return false;
}
private static boolean isSameExternalIdentity(UserDto dto, @Nullable ExternalIdentity externalIdentity) {
return (externalIdentity == null && dto.getExternalIdentity() == null) ||
(externalIdentity != null
&& Objects.equals(dto.getExternalIdentity(), externalIdentity.getId())
&& Objects.equals(dto.getExternalIdentityProvider(), externalIdentity.getProvider()));
}
private static void setExternalIdentity(UserDto dto, @Nullable ExternalIdentity externalIdentity) {
if (externalIdentity == null) {
dto.setExternalIdentity(dto.getLogin());
dto.setExternalIdentityProvider(SQ_AUTHORITY);
dto.setLocal(true);
} else {
dto.setExternalIdentity(externalIdentity.getId());
dto.setExternalIdentityProvider(externalIdentity.getProvider());
dto.setLocal(false);
}
}
private static boolean checkNotEmptyParam(@Nullable String value, String param, List<String> messages) {
if (isNullOrEmpty(value)) {
messages.add(format(Validation.CANT_BE_EMPTY_MESSAGE, param));
return false;
}
return true;
}
private static boolean validateLoginFormat(@Nullable String login, List<String> messages) {
boolean isValid = checkNotEmptyParam(login, LOGIN_PARAM, messages);
if (!isNullOrEmpty(login)) {
if (login.length() < LOGIN_MIN_LENGTH) {
messages.add(format(Validation.IS_TOO_SHORT_MESSAGE, LOGIN_PARAM, LOGIN_MIN_LENGTH));
return false;
} else if (login.length() > LOGIN_MAX_LENGTH) {
messages.add(format(Validation.IS_TOO_LONG_MESSAGE, LOGIN_PARAM, LOGIN_MAX_LENGTH));
return false;
} else if (!login.matches("\\A\\w[\\w\\.\\-_@]+\\z")) {
messages.add("Use only letters, numbers, and .-_@ please.");
return false;
}
}
return isValid;
}
private static boolean validateNameFormat(@Nullable String name, List<String> messages) {
boolean isValid = checkNotEmptyParam(name, NAME_PARAM, messages);
if (name != null && name.length() > NAME_MAX_LENGTH) {
messages.add(format(Validation.IS_TOO_LONG_MESSAGE, NAME_PARAM, 200));
return false;
}
return isValid;
}
private static boolean validateEmailFormat(@Nullable String email, List<String> messages) {
if (email != null && email.length() > EMAIL_MAX_LENGTH) {
messages.add(format(Validation.IS_TOO_LONG_MESSAGE, EMAIL_PARAM, 100));
return false;
}
return true;
}
private static boolean checkPasswordChangeAllowed(UserDto userDto, List<String> messages) {
if (!userDto.isLocal()) {
messages.add("Password cannot be changed when external authentication is used");
return false;
}
return true;
}
private static boolean validatePasswords(@Nullable String password, List<String> messages) {
if (password == null || password.length() == 0) {
messages.add(format(Validation.CANT_BE_EMPTY_MESSAGE, PASSWORD_PARAM));
return false;
}
return true;
}
private boolean validateScmAccounts(DbSession dbSession, List<String> scmAccounts, @Nullable String login, @Nullable String email, @Nullable UserDto existingUser,
List<String> messages) {
boolean isValid = true;
for (String scmAccount : scmAccounts) {
if (scmAccount.equals(login) || scmAccount.equals(email)) {
messages.add("Login and email are automatically considered as SCM accounts");
isValid = false;
} else {
List<UserDto> matchingUsers = dbClient.userDao().selectByScmAccountOrLoginOrEmail(dbSession, scmAccount);
List<String> matchingUsersWithoutExistingUser = newArrayList();
for (UserDto matchingUser : matchingUsers) {
if (existingUser != null && matchingUser.getId().equals(existingUser.getId())) {
continue;
}
matchingUsersWithoutExistingUser.add(matchingUser.getName() + " (" + matchingUser.getLogin() + ")");
}
if (!matchingUsersWithoutExistingUser.isEmpty()) {
messages.add(format("The scm account '%s' is already used by user(s) : '%s'", scmAccount, Joiner.on(", ").join(matchingUsersWithoutExistingUser)));
isValid = false;
}
}
}
return isValid;
}
private static List<String> sanitizeScmAccounts(@Nullable List<String> scmAccounts) {
if (scmAccounts != null) {
return scmAccounts.stream().filter(s -> !Strings.isNullOrEmpty(s)).collect(MoreCollectors.toList());
}
return Collections.emptyList();
}
private UserDto saveUser(DbSession dbSession, UserDto userDto) {
long now = system2.now();
userDto.setActive(true).setCreatedAt(now).setUpdatedAt(now);
UserDto res = dbClient.userDao().insert(dbSession, userDto);
addUserToDefaultOrganizationAndDefaultGroup(dbSession, userDto);
organizationCreation.createForUser(dbSession, userDto);
dbSession.commit();
userIndexer.index(userDto.getLogin());
return res;
}
private void updateUser(DbSession dbSession, UserDto userDto) {
long now = system2.now();
userDto.setActive(true).setUpdatedAt(now);
dbClient.userDao().update(dbSession, userDto);
dbSession.commit();
userIndexer.index(userDto.getLogin());
}
private static void setEncryptedPassWord(String password, UserDto userDto) {
Random random = new SecureRandom();
byte[] salt = new byte[32];
random.nextBytes(salt);
String saltHex = DigestUtils.sha1Hex(salt);
userDto.setSalt(saltHex);
userDto.setCryptedPassword(encryptPassword(password, saltHex));
}
private void notifyNewUser(String login, String name, String email) {
newUserNotifier.onNewUser(NewUserHandler.Context.builder()
.setLogin(login)
.setName(name)
.setEmail(email)
.build());
}
private static boolean isUserAlreadyMemberOfDefaultGroup(GroupDto defaultGroup, List<GroupDto> userGroups) {
return userGroups.stream().anyMatch(group -> defaultGroup.getId().equals(group.getId()));
}
private void addUserToDefaultOrganizationAndDefaultGroup(DbSession dbSession, UserDto userDto) {
if (organizationFlags.isEnabled(dbSession)) {
return;
}
addUserToDefaultOrganization(dbSession, userDto);
addDefaultGroup(dbSession, userDto);
}
private void addUserToDefaultOrganization(DbSession dbSession, UserDto userDto) {
String defOrgUuid = defaultOrganizationProvider.get().getUuid();
dbClient.organizationMemberDao().insert(dbSession, new OrganizationMemberDto().setOrganizationUuid(defOrgUuid).setUserId(userDto.getId()));
}
private void addDefaultGroup(DbSession dbSession, UserDto userDto) {
String defOrgUuid = defaultOrganizationProvider.get().getUuid();
List<GroupDto> userGroups = dbClient.groupDao().selectByUserLogin(dbSession, userDto.getLogin());
GroupDto defaultGroup = defaultGroupFinder.findDefaultGroup(dbSession, defOrgUuid);
if (isUserAlreadyMemberOfDefaultGroup(defaultGroup, userGroups)) {
return;
}
dbClient.userGroupDao().insert(dbSession, new UserGroupDto().setUserId(userDto.getId()).setGroupId(defaultGroup.getId()));
}
}