Add REST endpoints for tag retrieval
Signed-off-by: nscuro <[email protected]>
nscuro committed Jun 26, 2024
1 parent e3217a3 commit 43e8101
Showing 8 changed files with 668 additions and 32 deletions.
Expand Up @@ -25,7 +25,6 @@
import com.github.packageurl.PackageURL;
import org.dependencytrack.model.Analysis;
import org.dependencytrack.model.Component;
import org.dependencytrack.model.ConfigPropertyConstants;
import org.dependencytrack.model.Finding;
import org.dependencytrack.model.GroupedFinding;
import org.dependencytrack.model.RepositoryMetaComponent;
Expand Down Expand Up @@ -343,37 +342,14 @@ private void processInputFilter(StringBuilder queryFilter, Map<String, Object> p
}

private void preprocessACLs(StringBuilder queryFilter, final Map<String, Object> params) {
if (!isEnabled(ConfigPropertyConstants.ACCESS_MANAGEMENT_ACL_ENABLED)
|| hasAccessManagementPermission(this.principal)) {
return;
}

if (queryFilter.isEmpty()) {
queryFilter.append(" WHERE ");
} else {
queryFilter.append(" AND ");
}

final var teamIds = new ArrayList<>(getTeamIds(principal));
if (teamIds.isEmpty()) {
queryFilter.append(":false");
params.put("false", false);
return;
}

// NB: Need to work around the fact that the RDBMSes can't agree on how to do member checks. Oh joy! :)))
final var teamIdChecks = new ArrayList<String>();
for (int i = 0; i < teamIds.size(); i++) {
teamIdChecks.add("\"PROJECT_ACCESS_TEAMS\".\"TEAM_ID\" = :teamId" + i);
params.put("teamId" + i, teamIds.get(i));
}

queryFilter.append("""
EXISTS (
SELECT 1
FROM "PROJECT_ACCESS_TEAMS"
WHERE "PROJECT_ACCESS_TEAMS"."PROJECT_ID" = "PROJECT"."ID"
AND (%s)
)""".formatted(String.join(" OR ", teamIdChecks)));
final Map.Entry<String, Map<String, Object>> projectAclConditionAndParams = getProjectAclSqlCondition();
queryFilter.append(projectAclConditionAndParams.getKey()).append(" ");
params.putAll(projectAclConditionAndParams.getValue());
}
}
84 changes: 84 additions & 0 deletions src/main/java/org/dependencytrack/persistence/QueryManager.java
Expand Up @@ -30,6 +30,7 @@
import alpine.persistence.PaginatedResult;
import alpine.persistence.ScopedCustomization;
import alpine.resources.AlpineRequest;
import alpine.server.util.DbUtil;
import com.github.packageurl.PackageURL;
import com.google.common.collect.Lists;
import org.apache.commons.lang3.ClassUtils;
Expand Down Expand Up @@ -90,14 +91,17 @@
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;

import static org.datanucleus.PropertyNames.PROPERTY_QUERY_SQL_ALLOWALL;
import static org.dependencytrack.model.ConfigPropertyConstants.ACCESS_MANAGEMENT_ACL_ENABLED;

/**
* This QueryManager provides a concrete extension of {@link AlpineQueryManager} by
Expand Down Expand Up @@ -1324,6 +1328,18 @@ public boolean hasAccessManagementPermission(final ApiKey apiKey) {
return getProjectQueryManager().hasAccessManagementPermission(apiKey);
}

public List<TagQueryManager.TagListRow> getTags() {
return getTagQueryManager().getTags();
}

public List<TagQueryManager.TaggedProjectRow> getTaggedProjects(final String tagName) {
return getTagQueryManager().getTaggedProjects(tagName);
}

public List<TagQueryManager.TaggedPolicyRow> getTaggedPolicies(final String tagName) {
return getTagQueryManager().getTaggedPolicies(tagName);
}

public PaginatedResult getTags(String policyUuid) {
return getTagQueryManager().getTags(policyUuid);
}
Expand Down Expand Up @@ -1478,4 +1494,72 @@ public List<RepositoryMetaComponent> getRepositoryMetaComponentsBatch(final List
public List<RepositoryMetaComponent> getRepositoryMetaComponents(final List<RepositoryQueryManager.RepositoryMetaComponentSearch> list) {
return getRepositoryQueryManager().getRepositoryMetaComponents(list);
}

/**
* @see #getProjectAclSqlCondition(String)
* @since 4.12.0
*/
public Map.Entry<String, Map<String, Object>> getProjectAclSqlCondition() {
return getProjectAclSqlCondition("PROJECT");
}

/**
* @param projectTableAlias Name or alias of the {@code PROJECT} table to use in the condition.
* @return A SQL condition that may be used to check if the {@link #principal} has access to a project
* @since 4.12.0
*/
public Map.Entry<String, Map<String, Object>> getProjectAclSqlCondition(final String projectTableAlias) {
if (request == null) {
return Map.entry(/* true */ "1=1", Collections.emptyMap());
}

if (principal == null || !isEnabled(ACCESS_MANAGEMENT_ACL_ENABLED) || hasAccessManagementPermission(principal)) {
return Map.entry(/* true */ "1=1", Collections.emptyMap());
}

final var teamIds = new ArrayList<>(getTeamIds(principal));
if (teamIds.isEmpty()) {
return Map.entry(/* false */ "1=2", Collections.emptyMap());
}


// NB: Need to work around the fact that the RDBMSes can't agree on how to do member checks. Oh joy! :)))
final var params = new HashMap<String, Object>();
final var teamIdChecks = new ArrayList<String>();
for (int i = 0; i < teamIds.size(); i++) {
teamIdChecks.add("\"PROJECT_ACCESS_TEAMS\".\"TEAM_ID\" = :teamId" + i);
params.put("teamId" + i, teamIds.get(i));
}

return Map.entry("""
EXISTS (
SELECT 1
FROM "PROJECT_ACCESS_TEAMS"
WHERE "PROJECT_ACCESS_TEAMS"."PROJECT_ID" = "%s"."ID"
AND (%s)
)""".formatted(projectTableAlias, String.join(" OR ", teamIdChecks)), params);
}

/**
* @since 4.12.0
* @return A SQL {@code OFFSET ... LIMIT ...} clause if pagination is requested, otherwise an empty string
*/
public String getPaginationSqlClause() {
if (pagination == null || !pagination.isPaginated()) {
return "";
}

final String clauseTemplate;
if (DbUtil.isMssql()) {
clauseTemplate = "OFFSET %d ROWS FETCH NEXT %d ROWS ONLY";
} else if (DbUtil.isMysql()) {
// NB: Order of limit and offset is different for MySQL...
return "LIMIT %s OFFSET %s".formatted(pagination.getLimit(), pagination.getOffset());
} else {
clauseTemplate = "OFFSET %d FETCH NEXT %d ROWS ONLY";
}

return clauseTemplate.formatted(pagination.getOffset(), pagination.getLimit());
}

}
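Review bot: `getProjectAclSqlCondition(String)` splices `projectTableAlias` straight into the SQL text via `"%s"."ID"`, so the parameter is trusted to be a bare identifier; nothing in the hunk rejects an alias containing a double quote, which would break out of the quoting. Both visible callers pass the literal "PROJECT", so this is a hardening point rather than a live injection, but the method is public and the Javadoc does not state the constraint. I would extend the `@param` line with `Must be a plain SQL identifier; it is interpolated into the statement, not bound as a parameter` and guard it with `if (!projectTableAlias.matches("[A-Za-z_][A-Za-z0-9_]*")) { throw new IllegalArgumentException("Invalid table alias: " + projectTableAlias); }`. Separately, in `getPaginationSqlClause` the MySQL branch formats with `%s` while the other two branches use `%d`; using `%d` in all three keeps the clause from ever silently receiving a non-numeric value.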
194 changes: 194 additions & 0 deletions src/main/java/org/dependencytrack/persistence/TagQueryManager.java
Expand Up @@ -19,15 +19,20 @@
package org.dependencytrack.persistence;

import alpine.common.logging.Logger;
import alpine.persistence.OrderDirection;
import alpine.persistence.PaginatedResult;
import alpine.resources.AlpineRequest;
import org.dependencytrack.model.Policy;
import org.dependencytrack.model.Project;
import org.dependencytrack.model.Tag;

import javax.jdo.PersistenceManager;
import javax.jdo.Query;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Stream;

public class TagQueryManager extends QueryManager implements IQueryManager {
Expand All @@ -54,6 +59,195 @@ public class TagQueryManager extends QueryManager implements IQueryManager {
super(pm, request);
}

/**
* @since 4.12.0
*/
public record TagListRow(String name, long projectCount, long policyCount, long totalCount) {

@SuppressWarnings("unused") // DataNucleus will use this for MSSQL.
public TagListRow(String name, int projectCount, int policyCount, int totalCount) {
this(name, (long) projectCount, (long) policyCount, (long) totalCount);
}

}

/**
* @since 4.12.0
*/
@Override
public List<TagListRow> getTags() {
final Map.Entry<String, Map<String, Object>> projectAclConditionAndParams = getProjectAclSqlCondition();
final String projectAclCondition = projectAclConditionAndParams.getKey();
final Map<String, Object> projectAclConditionParams = projectAclConditionAndParams.getValue();

// language=SQL
var sqlQuery = """
SELECT "NAME" AS "name"
, (SELECT COUNT(*)
FROM "PROJECTS_TAGS"
INNER JOIN "PROJECT"
ON "PROJECT"."ID" = "PROJECTS_TAGS"."PROJECT_ID"
WHERE "PROJECTS_TAGS"."TAG_ID" = "TAG"."ID"
AND %s
) AS "projectCount"
, (SELECT COUNT(*)
FROM "POLICY_TAGS"
WHERE "POLICY_TAGS"."TAG_ID" = "TAG"."ID"
) AS "policyCount"
, COUNT(*) OVER() AS "totalCount"
FROM "TAG"
""".formatted(projectAclCondition);

final var params = new HashMap<>(projectAclConditionParams);

if (filter != null) {
sqlQuery += " WHERE \"NAME\" LIKE :nameFilter";
params.put("nameFilter", "%" + filter + "%");
}

if (orderBy == null) {
sqlQuery += " ORDER BY \"name\" ASC";
} else if ("name".equals(orderBy) || "projectCount".equals(orderBy) || "policyCount".equals(orderBy)) {
sqlQuery += " ORDER BY \"%s\" %s, \"ID\" ASC".formatted(orderBy,
orderDirection == OrderDirection.DESCENDING ? "DESC" : "ASC");
} else {
throw new IllegalArgumentException("Cannot sort by " + orderBy);
}

sqlQuery += " " + getPaginationSqlClause();

final Query<?> query = pm.newQuery(Query.SQL, sqlQuery);
query.setNamedParameters(params);
try {
return new ArrayList<>(query.executeResultList(TagListRow.class));
} finally {
query.closeAll();
}
}

/**
* @since 4.12.0
*/
public record TaggedProjectRow(String uuid, String name, String version, long totalCount) {

@SuppressWarnings("unused") // DataNucleus will use this for MSSQL.
public TaggedProjectRow(String uuid, String name, String version, int totalCount) {
this(uuid, name, version, (long) totalCount);
}

}

/**
* @since 4.12.0
*/
@Override
public List<TaggedProjectRow> getTaggedProjects(final String tagName) {
final Map.Entry<String, Map<String, Object>> projectAclConditionAndParams = getProjectAclSqlCondition();
final String projectAclCondition = projectAclConditionAndParams.getKey();
final Map<String, Object> projectAclConditionParams = projectAclConditionAndParams.getValue();

// language=SQL
var sqlQuery = """
SELECT "PROJECT"."UUID" AS "uuid"
, "PROJECT"."NAME" AS "name"
, "PROJECT"."VERSION" AS "version"
, COUNT(*) OVER() AS "totalCount"
FROM "PROJECT"
INNER JOIN "PROJECTS_TAGS"
ON "PROJECTS_TAGS"."PROJECT_ID" = "PROJECT"."ID"
INNER JOIN "TAG"
ON "TAG"."ID" = "PROJECTS_TAGS"."TAG_ID"
WHERE "TAG"."NAME" = :tag
AND %s
""".formatted(projectAclCondition);

final var params = new HashMap<>(projectAclConditionParams);
params.put("tag", tagName);

if (filter != null) {
sqlQuery += " AND \"PROJECT\".\"NAME\" LIKE :nameFilter";
params.put("nameFilter", "%" + filter + "%");
}

if (orderBy == null) {
sqlQuery += " ORDER BY \"name\" ASC, \"version\" DESC";
} else if ("name".equals(orderBy) || "version".equals(orderBy)) {
sqlQuery += " ORDER BY \"%s\" %s, \"ID\" ASC".formatted(orderBy,
orderDirection == OrderDirection.DESCENDING ? "DESC" : "ASC");
} else {
throw new IllegalArgumentException("Cannot sort by " + orderBy);
}

sqlQuery += " " + getPaginationSqlClause();

final Query<?> query = pm.newQuery(Query.SQL, sqlQuery);
query.setNamedParameters(params);
try {
return new ArrayList<>(query.executeResultList(TaggedProjectRow.class));
} finally {
query.closeAll();
}
}

/**
* @since 4.12.0
*/
public record TaggedPolicyRow(String uuid, String name, long totalCount) {

@SuppressWarnings("unused") // DataNucleus will use this for MSSQL.
public TaggedPolicyRow(String uuid, String name, int totalCount) {
this(uuid, name, (long) totalCount);
}

}

/**
* @since 4.12.0
*/
@Override
public List<TaggedPolicyRow> getTaggedPolicies(final String tagName) {
// language=SQL
var sqlQuery = """
SELECT "POLICY"."UUID" AS "uuid"
, "POLICY"."NAME" AS "name"
, COUNT(*) OVER() AS "totalCount"
FROM "POLICY"
INNER JOIN "POLICY_TAGS"
ON "POLICY_TAGS"."POLICY_ID" = "POLICY"."ID"
INNER JOIN "TAG"
ON "TAG"."ID" = "POLICY_TAGS"."TAG_ID"
WHERE "TAG"."NAME" = :tag
""";

final var params = new HashMap<String, Object>();
params.put("tag", tagName);

if (filter != null) {
sqlQuery += " AND \"POLICY\".\"NAME\" LIKE :nameFilter";
params.put("nameFilter", "%" + filter + "%");
}

if (orderBy == null) {
sqlQuery += " ORDER BY \"name\" ASC";
} else if ("name".equals(orderBy)) {
sqlQuery += " ORDER BY \"%s\" %s".formatted(orderBy,
orderDirection == OrderDirection.DESCENDING ? "DESC" : "ASC");
} else {
throw new IllegalArgumentException("Cannot sort by " + orderBy);
}

sqlQuery += " " + getPaginationSqlClause();

final Query<?> query = pm.newQuery(Query.SQL, sqlQuery);
query.setNamedParameters(params);
try {
return new ArrayList<>(query.executeResultList(TaggedPolicyRow.class));
} finally {
query.closeAll();
}
}

@Override
public PaginatedResult getTags(String policyUuid) {

LOGGER.debug("Retrieving tags under policy " + policyUuid);
Expand Down
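Review bot: In `getTaggedProjects`, the ORDER BY tiebreak `\"ID\" ASC` is ambiguous: the query joins "PROJECT" and "TAG", and both expose an "ID" column (the hunk itself references "PROJECT"."ID" and "TAG"."ID"), so a caller-supplied `orderBy` of name or version would likely fail with an ambiguous-column error on databases that resolve unqualified names strictly. Qualify it, e.g. `sqlQuery += " ORDER BY \"%s\" %s, \"PROJECT\".\"ID\" ASC".formatted(orderBy,`; `getTags` is not affected because its FROM clause contains only "TAG". The `filter` handling in all three methods binds `"%" + filter + "%"` as a parameter, which is safe against injection, but `%` and `_` inside the user value act as wildcards; if exact substring matching is intended, escape them or document in the Javadoc that callers get wildcard semantics. `getTags(String policyUuid)` begins at the end of the hunk and its body continues outside it.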
