root
/
gitlab-ce
mirror of https://gitlab.com/free-releases/gitlab-ce.git
1
0
Fork 0
Code Issues Actions Packages Projects Releases Wiki Activity
gitlab-ce/lib/gitlab/project_authorizations.rb

228 lines
8.2 KiB
Ruby
Raw Blame History

# frozen_string_literal: true
# This class relies on Common Table Expressions to efficiently get all data,
# including data for nested groups.
module Gitlab
class ProjectAuthorizations
attr_reader :user
# user - The User object for which to calculate the authorizations.
def initialize(user)
@user = user
end
def calculate
if Feature.enabled?(:compare_project_authorization_linear_cte, user)
linear_relation = calculate_with_linear_query
recursive_relation = calculate_with_recursive_query
recursive_set = Set.new(recursive_relation.to_a.pluck(:project_id, :access_level))
linear_set = Set.new(linear_relation.to_a.pluck(:project_id, :access_level))
if linear_set == recursive_set
Gitlab::AppJsonLogger.info(event: 'linear_authorized_projects_check',
user_id: user.id,
matching_results: true)
return calculate_with_linear_query
else
Gitlab::AppJsonLogger.warn(event: 'linear_authorized_projects_check',
user_id: user.id,
matching_results: false)
end
end
Gitlab::AppJsonLogger.info(event: 'linear_authorized_projects_check_with_flag',
feature_flag_status: Feature.enabled?(:linear_project_authorization, user))
if Feature.enabled?(:linear_project_authorization, user)
calculate_with_linear_query
else
calculate_with_recursive_query
end
end
private
def calculate_with_linear_query
cte = linear_cte
cte_alias = cte.table.alias(Group.table_name)
ProjectAuthorization
.unscoped
.with(cte.to_arel)
.select_from_union(relations(cte_alias: cte_alias))
end
def calculate_with_recursive_query
cte = recursive_cte
cte_alias = cte.table.alias(Group.table_name)
ProjectAuthorization
.unscoped
.with
.recursive(cte.to_arel)
.select_from_union(relations(cte_alias: cte_alias))
end
# Builds a recursive CTE that gets all the groups the current user has
# access to, including any nested groups and any shared groups.
def recursive_cte
cte = Gitlab::SQL::RecursiveCTE.new(:namespaces_cte)
members = Member.arel_table
namespaces = Namespace.arel_table
group_group_links = GroupGroupLink.arel_table
# Namespaces the user is a member of.
cte << user.groups_with_active_memberships
.select([namespaces[:id], members[:access_level]])
.except(:order)
# Namespaces shared with any of the group
cte << Group.select([namespaces[:id],
least(
members[:access_level],
group_group_links[:group_access],
'access_level'
)])
.joins(join_group_group_links)
.joins(join_members_on_group_group_links)
# Sub groups of any groups the user is a member of.
cte << Group.select([
namespaces[:id],
greatest(members[:access_level], cte.table[:access_level], 'access_level')
])
.joins(join_cte(cte))
.joins(join_members_on_namespaces)
.except(:order)
cte
end
def linear_cte
# Groups shared with user and their parent groups
shared_groups = Group
.select("namespaces.id, MAX(LEAST(members.access_level, group_group_links.group_access)) as access_level")
.joins("INNER JOIN group_group_links ON group_group_links.shared_group_id = namespaces.id
OR namespaces.traversal_ids @> ARRAY[group_group_links.shared_group_id::int]")
.joins("INNER JOIN members ON group_group_links.shared_with_group_id = members.source_id")
.merge(user.group_members)
.merge(GroupMember.active_state)
.group("namespaces.id")
# Groups the user is a member of and their parent groups.
lateral_query = Group.as_ids.where("namespaces.traversal_ids @> ARRAY [members.source_id]")
member_groups_with_ancestors = GroupMember.select("namespaces.id, MAX(members.access_level) as access_level")
.joins("CROSS JOIN LATERAL (#{lateral_query.to_sql}) as namespaces")
.group("namespaces.id")
.merge(user.group_members)
.merge(GroupMember.active_state)
union = Namespace
.select("namespaces.id, access_level")
.from_union([shared_groups, member_groups_with_ancestors])
Gitlab::SQL::CTE.new(:linear_namespaces_cte, union)
end
# Builds a LEFT JOIN to join optional memberships onto the CTE.
def join_members_on_namespaces
members = Member.arel_table
namespaces = Namespace.arel_table
cond = members[:source_id]
.eq(namespaces[:id])
.and(members[:source_type].eq('Namespace'))
.and(members[:requested_at].eq(nil))
.and(members[:user_id].eq(user.id))
.and(members[:state].eq(::Member::STATE_ACTIVE))
.and(members[:access_level].gt(Gitlab::Access::MINIMAL_ACCESS))
Arel::Nodes::OuterJoin.new(members, Arel::Nodes::On.new(cond))
end
def join_group_group_links
group_group_links = GroupGroupLink.arel_table
namespaces = Namespace.arel_table
cond = group_group_links[:shared_group_id].eq(namespaces[:id])
Arel::Nodes::InnerJoin.new(group_group_links, Arel::Nodes::On.new(cond))
end
def join_members_on_group_group_links
group_group_links = GroupGroupLink.arel_table
members = Member.arel_table
cond = group_group_links[:shared_with_group_id].eq(members[:source_id])
.and(members[:source_type].eq('Namespace'))
.and(members[:requested_at].eq(nil))
.and(members[:user_id].eq(user.id))
.and(members[:state].eq(::Member::STATE_ACTIVE))
.and(members[:access_level].gt(Gitlab::Access::MINIMAL_ACCESS))
Arel::Nodes::InnerJoin.new(members, Arel::Nodes::On.new(cond))
end
# Builds an INNER JOIN to join namespaces onto the CTE.
def join_cte(cte)
namespaces = Namespace.arel_table
cond = cte.table[:id].eq(namespaces[:parent_id])
Arel::Nodes::InnerJoin.new(cte.table, Arel::Nodes::On.new(cond))
end
def greatest(left, right, column_alias)
sql_function('GREATEST', [left, right], column_alias)
end
def least(left, right, column_alias)
sql_function('LEAST', [left, right], column_alias)
end
def sql_function(name, args, column_alias)
alias_as_column(Arel::Nodes::NamedFunction.new(name, args), column_alias)
end
def alias_as_column(value, alias_to)
Arel::Nodes::As.new(value, Arel::Nodes::SqlLiteral.new(alias_to))
end
def relations(cte_alias:)
[
user.projects_with_active_memberships.select_for_project_authorization,
user.personal_projects.select_project_owner_for_project_authorization,
projects_belonging_directy_to_any_groups_user_has_access_to(cte_alias: cte_alias),
projects_shared_with_namespaces_user_has_access_to(cte_alias: cte_alias)
]
end
def projects_shared_with_namespaces_user_has_access_to(cte_alias:)
Namespace
.unscoped
.select([
links[:project_id],
least(cte_alias[:access_level], links[:group_access], 'access_level')
])
.from(cte_alias)
.joins('INNER JOIN project_group_links ON project_group_links.group_id = namespaces.id')
.joins('INNER JOIN projects ON projects.id = project_group_links.project_id')
.joins('INNER JOIN namespaces p_ns ON p_ns.id = projects.namespace_id')
.where('p_ns.share_with_group_lock IS FALSE')
end
def projects_belonging_directy_to_any_groups_user_has_access_to(cte_alias:)
Namespace
.unscoped
.select([alias_as_column(projects[:id], 'project_id'),
cte_alias[:access_level]])
.from(cte_alias)
.joins(:projects)
end
def projects
Project.arel_table
end
def links
ProjectGroupLink.arel_table
end
end
end
Reference in New Issue View Git Blame Copy Permalink