diff --git a/Documentation/access-control.txt b/Documentation/access-control.txt index bb92222f83..d48034ab6c 100644 --- a/Documentation/access-control.txt +++ b/Documentation/access-control.txt @@ -660,7 +660,8 @@ of merge commits. [[category_push_annotated]] -=== Push Annotated Tag +[[category_create_annotated]] +=== Create Annotated Tag This category permits users to push an annotated tag object into the project's repository. Typically this would be done with a command line @@ -687,7 +688,7 @@ tagger email address must be verified for the current user. To push tags created by users other than the current user (such as tags mirrored from an upstream project), `Forge Committer Identity` -must be also granted in addition to `Push Annotated Tag`. +must be also granted in addition to `Create Annotated Tag`. To push lightweight (non annotated) tags, grant <> for reference name @@ -706,7 +707,8 @@ is only allowed by granting `Push` with `force` option on `+refs/tags/*+`. [[category_push_signed]] -=== Push Signed Tag +[[category_create_signed]] +=== Create Signed Tag This category permits users to push a PGP signed tag object into the project's repository. Typically this would be done with a command @@ -1019,7 +1021,7 @@ Suggested access rights to grant: * <> to 'refs/heads/*' * <> to 'refs/for/refs/heads/*' * <> to 'refs/heads/*' -* <> to 'refs/tags/*' +* <> to 'refs/tags/*' [[examples_project-owner]] diff --git a/Documentation/error-prohibited-by-gerrit.txt b/Documentation/error-prohibited-by-gerrit.txt index 3d9bbad2b6..3e5f23b55a 100644 --- a/Documentation/error-prohibited-by-gerrit.txt +++ b/Documentation/error-prohibited-by-gerrit.txt @@ -17,10 +17,10 @@ In particular this error occurs: link:access-control.html#category_create['Create Reference'] access right on `+refs/heads/*+` 4. if you push an annotated tag without - link:access-control.html#category_push_annotated['Push Annotated Tag'] + link:access-control.html#category_create_annotated['Create Annotated Tag'] access right on `+refs/tags/*+` 5. if you push a signed tag without - link:access-control.html#category_push_signed['Push Signed Tag'] + link:access-control.html#category_create_signed['Create Signed Tag'] access right on `+refs/tags/*+` 6. if you push a lightweight tag without the access right link:access-control.html#category_create['Create Reference'] for the reference name `+refs/tags/*+` diff --git a/Documentation/rest-api-access.txt b/Documentation/rest-api-access.txt index ee3e8ce1d0..4531446cd2 100644 --- a/Documentation/rest-api-access.txt +++ b/Documentation/rest-api-access.txt @@ -132,7 +132,7 @@ The entries in the map are sorted by project name. }, "refs/tags/*": { "permissions": { - "pushSignedTag": { + "createSignedTag": { "rules": { "53a4f647a89ea57992571187d8025f830625192a": { "action": "ALLOW" @@ -142,7 +142,7 @@ The entries in the map are sorted by project name. } } }, - "pushTag": { + "createTag": { "rules": { "53a4f647a89ea57992571187d8025f830625192a": { "action": "ALLOW" diff --git a/Documentation/user-upload.txt b/Documentation/user-upload.txt index dc7901836d..7942059fda 100644 --- a/Documentation/user-upload.txt +++ b/Documentation/user-upload.txt @@ -403,11 +403,11 @@ To grant this access, configure link:access-control.html#category_push_direct['Push'] with the 'Force' option ticked. -To push annotated tags, the `Push Annotated Tag` project right must +To push annotated tags, the `Create Annotated Tag` project right must be granted to one (or more) of the user's groups. There is only one level of access in this category. -Project owners may wish to grant themselves `Push Annotated Tag` +Project owners may wish to grant themselves `Create Annotated Tag` only at times when a new release is being prepared, and otherwise grant nothing at all. This ensures that accidental pushes don't make undesired changes to the public repository. diff --git a/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/rest/project/PushTagIT.java b/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/rest/project/PushTagIT.java index 01957df5e6..01a2443620 100644 --- a/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/rest/project/PushTagIT.java +++ b/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/rest/project/PushTagIT.java @@ -42,7 +42,7 @@ import org.junit.Test; public class PushTagIT extends AbstractDaemonTest { enum TagType { LIGHTWEIGHT(Permission.CREATE), - ANNOTATED(Permission.PUSH_TAG); + ANNOTATED(Permission.CREATE_TAG); final String createPermission; diff --git a/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/rest/project/TagsIT.java b/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/rest/project/TagsIT.java index 0445140e3d..c4aee29fb4 100644 --- a/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/rest/project/TagsIT.java +++ b/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/rest/project/TagsIT.java @@ -248,7 +248,7 @@ public class TagsIT extends AbstractDaemonTest { @Test public void createAnnotatedTagNotAllowed() throws Exception { - block(Permission.PUSH_TAG, REGISTERED_USERS, R_TAGS + "*"); + block(Permission.CREATE_TAG, REGISTERED_USERS, R_TAGS + "*"); TagInput input = new TagInput(); input.ref = "test"; input.message = "annotation"; @@ -339,8 +339,8 @@ public class TagsIT extends AbstractDaemonTest { private void grantTagPermissions() throws Exception { grant(Permission.CREATE, project, R_TAGS + "*"); - grant(Permission.PUSH_TAG, project, R_TAGS + "*"); - grant(Permission.PUSH_SIGNED_TAG, project, R_TAGS + "*"); + grant(Permission.CREATE_TAG, project, R_TAGS + "*"); + grant(Permission.CREATE_SIGNED_TAG, project, R_TAGS + "*"); } private ListRefsRequest getTags() throws Exception { diff --git a/gerrit-common/src/main/java/com/google/gerrit/common/data/Permission.java b/gerrit-common/src/main/java/com/google/gerrit/common/data/Permission.java index 9fc58b49f4..16f28250d1 100644 --- a/gerrit-common/src/main/java/com/google/gerrit/common/data/Permission.java +++ b/gerrit-common/src/main/java/com/google/gerrit/common/data/Permission.java @@ -25,6 +25,8 @@ public class Permission implements Comparable { public static final String ADD_PATCH_SET = "addPatchSet"; public static final String CREATE = "create"; public static final String DELETE = "delete"; + public static final String CREATE_TAG = "createTag"; + public static final String CREATE_SIGNED_TAG = "createSignedTag"; public static final String DELETE_DRAFTS = "deleteDrafts"; public static final String EDIT_HASHTAGS = "editHashtags"; public static final String EDIT_TOPIC_NAME = "editTopicName"; @@ -37,8 +39,6 @@ public class Permission implements Comparable { public static final String PUBLISH_DRAFTS = "publishDrafts"; public static final String PUSH = "push"; public static final String PUSH_MERGE = "pushMerge"; - public static final String PUSH_TAG = "pushTag"; - public static final String PUSH_SIGNED_TAG = "pushSignedTag"; public static final String READ = "read"; public static final String REBASE = "rebase"; public static final String REMOVE_REVIEWER = "removeReviewer"; @@ -57,14 +57,14 @@ public class Permission implements Comparable { NAMES_LC.add(ABANDON.toLowerCase()); NAMES_LC.add(ADD_PATCH_SET.toLowerCase()); NAMES_LC.add(CREATE.toLowerCase()); + NAMES_LC.add(CREATE_TAG.toLowerCase()); + NAMES_LC.add(CREATE_SIGNED_TAG.toLowerCase()); NAMES_LC.add(DELETE.toLowerCase()); NAMES_LC.add(FORGE_AUTHOR.toLowerCase()); NAMES_LC.add(FORGE_COMMITTER.toLowerCase()); NAMES_LC.add(FORGE_SERVER.toLowerCase()); NAMES_LC.add(PUSH.toLowerCase()); NAMES_LC.add(PUSH_MERGE.toLowerCase()); - NAMES_LC.add(PUSH_TAG.toLowerCase()); - NAMES_LC.add(PUSH_SIGNED_TAG.toLowerCase()); NAMES_LC.add(LABEL.toLowerCase()); NAMES_LC.add(LABEL_AS.toLowerCase()); NAMES_LC.add(REBASE.toLowerCase()); diff --git a/gerrit-gwtui/src/main/java/com/google/gerrit/client/admin/AdminConstants.properties b/gerrit-gwtui/src/main/java/com/google/gerrit/client/admin/AdminConstants.properties index d75a68dde7..3290aacc35 100644 --- a/gerrit-gwtui/src/main/java/com/google/gerrit/client/admin/AdminConstants.properties +++ b/gerrit-gwtui/src/main/java/com/google/gerrit/client/admin/AdminConstants.properties @@ -123,6 +123,8 @@ permissionNames = \ abandon, \ addPatchSet, \ create, \ + createTag, \ + createSignedTag, \ delete, \ deleteDrafts, \ editHashtags, \ @@ -134,8 +136,6 @@ permissionNames = \ publishDrafts, \ push, \ pushMerge, \ - pushTag, \ - pushSignedTag, \ read, \ rebase, \ removeReviewer, \ @@ -146,6 +146,8 @@ permissionNames = \ abandon = Abandon addPatchSet = Add Patch Set create = Create Reference +createTag = Create Annotated Tag +createSignedTag = Create Signed Tag delete = Delete Reference deleteDrafts = Delete Drafts editHashtags = Edit Hashtags @@ -157,8 +159,6 @@ owner = Owner publishDrafts = Publish Drafts push = Push pushMerge = Push Merge Commit -pushTag = Push Annotated Tag -pushSignedTag = Push Signed Tag read = Read rebase = Rebase removeReviewer = Remove Reviewer diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/git/ProjectConfig.java b/gerrit-server/src/main/java/com/google/gerrit/server/git/ProjectConfig.java index f4b7c14efd..1429079e42 100644 --- a/gerrit-server/src/main/java/com/google/gerrit/server/git/ProjectConfig.java +++ b/gerrit-server/src/main/java/com/google/gerrit/server/git/ProjectConfig.java @@ -91,7 +91,7 @@ public class ProjectConfig extends VersionedMetaData implements ValidationError. private static final String PROJECT = "project"; private static final String KEY_DESCRIPTION = "description"; - private static final String ACCESS = "access"; + public static final String ACCESS = "access"; private static final String KEY_INHERIT_FROM = "inheritFrom"; private static final String KEY_GROUP_PERMISSIONS = "exclusiveGroupPermissions"; @@ -155,6 +155,9 @@ public class ProjectConfig extends VersionedMetaData implements ValidationError. private static final Set LABEL_FUNCTIONS = ImmutableSet.of( "MaxWithBlock", "AnyWithBlock", "MaxNoBlock", "NoBlock", "NoOp", "PatchSetLock"); + private static final String LEGACY_PERMISSION_PUSH_TAG = "pushTag"; + private static final String LEGACY_PERMISSION_PUSH_SIGNED_TAG = "pushSignedTag"; + private static final String PLUGIN = "plugin"; private static final SubmitType defaultSubmitAction = @@ -180,6 +183,7 @@ public class ProjectConfig extends VersionedMetaData implements ValidationError. private Map pluginConfigs; private boolean checkReceivedObjects; private Set sectionsWithUnknownPermissions; + private boolean hasLegacyPermissions; public static ProjectConfig read(MetaDataUpdate update) throws IOException, ConfigInvalidException { @@ -627,6 +631,7 @@ public class ProjectConfig extends VersionedMetaData implements ValidationError. for (String varName : rc.getStringList(ACCESS, refName, KEY_GROUP_PERMISSIONS)) { for (String n : varName.split("[, \t]{1,}")) { + n = convertLegacyPermission(n); if (isPermission(n)) { as.getPermission(n, true).setExclusiveGroup(true); } @@ -634,10 +639,11 @@ public class ProjectConfig extends VersionedMetaData implements ValidationError. } for (String varName : rc.getNames(ACCESS, refName)) { - if (isPermission(varName)) { - Permission perm = as.getPermission(varName, true); + String convertedName = convertLegacyPermission(varName); + if (isPermission(convertedName)) { + Permission perm = as.getPermission(convertedName, true); loadPermissionRules(rc, ACCESS, refName, varName, groupsByName, - perm, Permission.hasRange(varName)); + perm, Permission.hasRange(convertedName)); } else { sectionsWithUnknownPermissions.add(as.getName()); } @@ -1147,7 +1153,8 @@ public class ProjectConfig extends VersionedMetaData implements ValidationError. } for (String varName : rc.getNames(ACCESS, refName)) { - if (isPermission(varName) && !have.contains(varName.toLowerCase())) { + if (isPermission(convertLegacyPermission(varName)) + && !have.contains(varName.toLowerCase())) { rc.unset(ACCESS, refName, varName); } } @@ -1282,4 +1289,21 @@ public class ProjectConfig extends VersionedMetaData implements ValidationError. Collections.sort(r); return r; } + + public boolean hasLegacyPermissions() { + return hasLegacyPermissions; + } + + private String convertLegacyPermission(String permissionName) { + switch(permissionName) { + case LEGACY_PERMISSION_PUSH_TAG: + hasLegacyPermissions = true; + return Permission.CREATE_TAG; + case LEGACY_PERMISSION_PUSH_SIGNED_TAG: + hasLegacyPermissions = true; + return Permission.CREATE_SIGNED_TAG; + default: + return permissionName; + } + } } diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/project/CreateTag.java b/gerrit-server/src/main/java/com/google/gerrit/server/project/CreateTag.java index 446fa72ab7..9e090c4f37 100644 --- a/gerrit-server/src/main/java/com/google/gerrit/server/project/CreateTag.java +++ b/gerrit-server/src/main/java/com/google/gerrit/server/project/CreateTag.java @@ -116,7 +116,7 @@ public class CreateTag implements RestModifyView { if (isSigned) { throw new MethodNotAllowedException( "Cannot create signed tag \"" + ref + "\""); - } else if (isAnnotated && !refControl.canPerform(Permission.PUSH_TAG)) { + } else if (isAnnotated && !refControl.canPerform(Permission.CREATE_TAG)) { throw new AuthException("Cannot create annotated tag \"" + ref + "\""); } else if (!refControl.canPerform(Permission.CREATE)) { throw new AuthException("Cannot create tag \"" + ref + "\""); diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/project/ProjectControl.java b/gerrit-server/src/main/java/com/google/gerrit/server/project/ProjectControl.java index 99f05a77db..d9cc59ca37 100644 --- a/gerrit-server/src/main/java/com/google/gerrit/server/project/ProjectControl.java +++ b/gerrit-server/src/main/java/com/google/gerrit/server/project/ProjectControl.java @@ -328,8 +328,8 @@ public class ProjectControl { /** @return true if the user can upload to at least one reference */ public Capable canPushToAtLeastOneRef() { - if (! canPerformOnAnyRef(Permission.PUSH) && - ! canPerformOnAnyRef(Permission.PUSH_TAG)) { + if (!canPerformOnAnyRef(Permission.PUSH) && + !canPerformOnAnyRef(Permission.CREATE_TAG)) { String pName = state.getProject().getName(); return new Capable("Upload denied for project '" + pName + "'"); } diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/project/RefControl.java b/gerrit-server/src/main/java/com/google/gerrit/server/project/RefControl.java index 8fbf06f543..03658553fa 100644 --- a/gerrit-server/src/main/java/com/google/gerrit/server/project/RefControl.java +++ b/gerrit-server/src/main/java/com/google/gerrit/server/project/RefControl.java @@ -317,9 +317,9 @@ public class RefControl { // than if it doesn't have a PGP signature. // if (tag.getFullMessage().contains("-----BEGIN PGP SIGNATURE-----\n")) { - return canPerform(Permission.PUSH_SIGNED_TAG); + return canPerform(Permission.CREATE_SIGNED_TAG); } - return canPerform(Permission.PUSH_TAG); + return canPerform(Permission.CREATE_TAG); } else { return false; } diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/schema/AllProjectsCreator.java b/gerrit-server/src/main/java/com/google/gerrit/server/schema/AllProjectsCreator.java index 5409ed6688..1bc878efc5 100644 --- a/gerrit-server/src/main/java/com/google/gerrit/server/schema/AllProjectsCreator.java +++ b/gerrit-server/src/main/java/com/google/gerrit/server/schema/AllProjectsCreator.java @@ -166,8 +166,8 @@ public class AllProjectsCreator { grant(config, heads, Permission.EDIT_TOPIC_NAME, true, admin, owners); grant(config, tags, Permission.CREATE, admin, owners); - grant(config, tags, Permission.PUSH_TAG, admin, owners); - grant(config, tags, Permission.PUSH_SIGNED_TAG, admin, owners); + grant(config, tags, Permission.CREATE_TAG, admin, owners); + grant(config, tags, Permission.CREATE_SIGNED_TAG, admin, owners); grant(config, magic, Permission.PUSH, registered); grant(config, magic, Permission.PUSH_MERGE, registered); diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/schema/ProjectConfigSchemaUpdate.java b/gerrit-server/src/main/java/com/google/gerrit/server/schema/ProjectConfigSchemaUpdate.java new file mode 100644 index 0000000000..53ed5ac9d0 --- /dev/null +++ b/gerrit-server/src/main/java/com/google/gerrit/server/schema/ProjectConfigSchemaUpdate.java @@ -0,0 +1,109 @@ +// Copyright (C) 2016 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.google.gerrit.server.schema; + +import static com.google.gerrit.server.git.ProjectConfig.ACCESS; + +import com.google.common.base.Function; +import com.google.common.collect.Lists; +import com.google.gerrit.common.data.PermissionRule; +import com.google.gerrit.reviewdb.client.RefNames; +import com.google.gerrit.server.git.MetaDataUpdate; +import com.google.gerrit.server.git.ProjectConfig; +import com.google.gerrit.server.git.VersionedMetaData; +import com.google.gwtorm.server.OrmException; + +import org.eclipse.jgit.errors.ConfigInvalidException; +import org.eclipse.jgit.lib.CommitBuilder; +import org.eclipse.jgit.lib.Config; +import org.eclipse.jgit.lib.PersonIdent; + +import java.io.IOException; +import java.util.Arrays; +import java.util.List; +import java.util.Set; + +public class ProjectConfigSchemaUpdate extends VersionedMetaData { + + private final MetaDataUpdate update; + private Config config; + private boolean updated; + + public static ProjectConfigSchemaUpdate read(MetaDataUpdate update) + throws IOException, ConfigInvalidException { + ProjectConfigSchemaUpdate r = new ProjectConfigSchemaUpdate(update); + r.load(update); + return r; + } + + private ProjectConfigSchemaUpdate(MetaDataUpdate update) { + this.update = update; + } + + @Override + protected String getRefName() { + return RefNames.REFS_CONFIG; + } + + @Override + protected void onLoad() throws IOException, ConfigInvalidException { + config = readConfig(ProjectConfig.PROJECT_CONFIG); + } + + public void removeForceFromPermission(String name) { + for (String subsection : config.getSubsections(ACCESS)) { + Set names = config.getNames(ACCESS, subsection); + if (names.contains(name)) { + List values = + Arrays.asList(config.getStringList(ACCESS, subsection, name)); + values = Lists.transform(values, new Function() { + @Override + public String apply(String ruleString) { + PermissionRule rule = PermissionRule.fromString(ruleString, false); + if (rule.getForce()) { + rule.setForce(false); + updated = true; + } + return rule.asString(false); + } + }); + config.setStringList(ACCESS, subsection, name, values); + } + } + } + + @Override + protected boolean onSave(CommitBuilder commit) + throws IOException, ConfigInvalidException { + saveConfig(ProjectConfig.PROJECT_CONFIG, config); + return true; + } + + public void save(PersonIdent personIdent, String commitMessage) + throws OrmException { + if (!updated) { + return; + } + + update.getCommitBuilder().setAuthor(personIdent); + update.getCommitBuilder().setCommitter(personIdent); + update.setMessage(commitMessage); + try { + commit(update); + } catch (IOException e) { + throw new OrmException(e); + } + } +} diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/schema/SchemaVersion.java b/gerrit-server/src/main/java/com/google/gerrit/server/schema/SchemaVersion.java index a68c9d0077..5d1e579ce9 100644 --- a/gerrit-server/src/main/java/com/google/gerrit/server/schema/SchemaVersion.java +++ b/gerrit-server/src/main/java/com/google/gerrit/server/schema/SchemaVersion.java @@ -33,7 +33,7 @@ import java.util.List; /** A version of the database schema. */ public abstract class SchemaVersion { /** The current schema version. */ - public static final Class C = Schema_130.class; + public static final Class C = Schema_131.class; public static int getBinaryVersion() { return guessVersion(C); diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/schema/Schema_130.java b/gerrit-server/src/main/java/com/google/gerrit/server/schema/Schema_130.java index e18462ca49..d7fcc3b7c0 100644 --- a/gerrit-server/src/main/java/com/google/gerrit/server/schema/Schema_130.java +++ b/gerrit-server/src/main/java/com/google/gerrit/server/schema/Schema_130.java @@ -14,16 +14,12 @@ package com.google.gerrit.server.schema; -import com.google.gerrit.common.data.AccessSection; -import com.google.gerrit.common.data.Permission; -import com.google.gerrit.common.data.PermissionRule; import com.google.gerrit.reviewdb.client.Project; import com.google.gerrit.reviewdb.server.ReviewDb; import com.google.gerrit.server.GerritPersonIdent; import com.google.gerrit.server.extensions.events.GitReferenceUpdated; import com.google.gerrit.server.git.GitRepositoryManager; import com.google.gerrit.server.git.MetaDataUpdate; -import com.google.gerrit.server.git.ProjectConfig; import com.google.gwtorm.server.OrmException; import com.google.inject.Inject; import com.google.inject.Provider; @@ -59,30 +55,9 @@ public class Schema_130 extends SchemaVersion { try (Repository git = repoManager.openRepository(projectName); MetaDataUpdate md = new MetaDataUpdate(GitReferenceUpdated.DISABLED, projectName, git)) { - ProjectConfig config = ProjectConfig.read(md); - - boolean update = false; - for (AccessSection accessSection : config.getAccessSections()) { - Permission pushTagPermission = - accessSection.getPermission(Permission.PUSH_TAG); - if (pushTagPermission == null) { - continue; - } - for (PermissionRule rule : pushTagPermission.getRules()) { - if (rule.getForce()) { - rule.setForce(false); - update = true; - } - } - } - - if (!update) { - continue; - } - md.getCommitBuilder().setAuthor(serverUser); - md.getCommitBuilder().setCommitter(serverUser); - md.setMessage(COMMIT_MSG); - config.commit(md); + ProjectConfigSchemaUpdate cfg = ProjectConfigSchemaUpdate.read(md); + cfg.removeForceFromPermission("pushTag"); + cfg.save(serverUser, COMMIT_MSG); } catch (ConfigInvalidException | IOException ex) { throw new OrmException(ex); } diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/schema/Schema_131.java b/gerrit-server/src/main/java/com/google/gerrit/server/schema/Schema_131.java new file mode 100644 index 0000000000..1be4c3e016 --- /dev/null +++ b/gerrit-server/src/main/java/com/google/gerrit/server/schema/Schema_131.java @@ -0,0 +1,68 @@ +// Copyright (C) 2016 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.google.gerrit.server.schema; + +import com.google.gerrit.reviewdb.client.Project; +import com.google.gerrit.reviewdb.server.ReviewDb; +import com.google.gerrit.server.GerritPersonIdent; +import com.google.gerrit.server.extensions.events.GitReferenceUpdated; +import com.google.gerrit.server.git.GitRepositoryManager; +import com.google.gerrit.server.git.MetaDataUpdate; +import com.google.gerrit.server.git.ProjectConfig; +import com.google.gwtorm.server.OrmException; +import com.google.inject.Inject; +import com.google.inject.Provider; + +import org.eclipse.jgit.errors.ConfigInvalidException; +import org.eclipse.jgit.lib.PersonIdent; +import org.eclipse.jgit.lib.Repository; + +import java.io.IOException; + +public class Schema_131 extends SchemaVersion { + private static final String COMMIT_MSG = + "Rename 'Push Annotated/Signed Tag' permission to 'Create Annotated/Signed Tag'"; + + private final GitRepositoryManager repoManager; + private final PersonIdent serverUser; + + @Inject + Schema_131(Provider prior, + GitRepositoryManager repoManager, + @GerritPersonIdent PersonIdent serverUser) { + super(prior); + this.repoManager = repoManager; + this.serverUser = serverUser; + } + + @Override + protected void migrateData(ReviewDb db, UpdateUI ui) throws OrmException { + for (Project.NameKey projectName : repoManager.list()) { + try (Repository git = repoManager.openRepository(projectName); + MetaDataUpdate md = new MetaDataUpdate(GitReferenceUpdated.DISABLED, + projectName, git)) { + ProjectConfig config = ProjectConfig.read(md); + if (config.hasLegacyPermissions()) { + md.getCommitBuilder().setAuthor(serverUser); + md.getCommitBuilder().setCommitter(serverUser); + md.setMessage(COMMIT_MSG); + config.commit(md); + } + } catch (ConfigInvalidException | IOException ex) { + throw new OrmException(ex); + } + } + } +}