Ericsson · dkrupp · Sep 4, 2017 · Aug 14, 2017 · Aug 17, 2017 · Aug 18, 2017
diff --git a/README.md b/README.md
@@ -244,4 +244,5 @@ Additional documentation
   * [Database schema migration](docs/db_schema_guide.md)
   * [Usage of PostgreSQL data
F438
base](docs/postgresql_setup.md)
   * [Requiring credentials to view analysis results (Authentication)](docs/authentication.md)
+  * [Permission management](docs/permissions.md)
   * [Connecting multiple separate defect databases on the same server (Products)](docs/products.md)
diff --git a/api/authentication.thrift b/api/authentication.thrift
@@ -11,10 +11,41 @@ namespace js codeCheckerAuthentication
 
 struct HandshakeInformation {
   1: bool requiresAuthentication,       // true if the server has a privileged zone --- the state of having a valid access is not considered here
-  2: bool sessionStillActive,           // whether the session in which the HandshakeInformation is returned is a valid one
+  2: bool sessionStillActive            // whether the session in which the HandshakeInformation is returned is a valid one
+}
+
+/**
+ * The following permission scopes exist.
+ *
+ * SYSTEM: These permissions are global to the running CodeChecker server.
+ *   In this case, the 'extraParams' field is empty.
+ *
+ * PRODUCT: These permissions are configured per-product.
+ *   The extra data field looks like the following object:
+ *     { i64 productID }
+*/
+enum Permission {
+  SUPERUSER        = 1,         // scope: SYSTEM
+
+  PRODUCT_ADMIN    = 16,        // scope: PRODUCT
+  PRODUCT_ACCESS   = 17,        // scope: PRODUCT
+  PRODUCT_STORE    = 18         // scope: PRODUCT
+}
+
+struct AuthorisationList {
+  1: list<string> users,
+  2: list<string> groups
+}
+
+// A conjunctive set of filters (a bit mask) that are applied when permissions
+// are queried.
+struct PermissionFilter {
+  1: bool given,      // The user has access the permission.
+  2: bool canManage   // The user can manage other users' authorisation to this permission.
 }
 
 service codeCheckerAuthentication {
+  // ============= Authentication and session handling =============
   // get basic authentication information from the server
   HandshakeInformation getAuthParameters(),
 
@@ -28,11 +59,70 @@ service codeCheckerAuthentication {
 
   // performs logout action for the user (must be called from the corresponding valid session)
   bool destroySession()
-             throws (1: shared.RequestFailed requestError),
+                      throws (1: shared.RequestFailed requestError),
 
   // returns currently logged in user within the active session
   // returns empty string if the session is not active
   string getLoggedInUser()
-             throws (1: shared.RequestFailed requestError)
+                         throws (1: shared.RequestFailed requestError),
+
+
+  // ============= Authorization, permission management =============
+  // Returns the list of permissions.
+  // scope acts as a filter for which scope's permissions to list. Refer to
+  // the documentation in api/shared.thrift for the list of valid scopes.
+  list<Permission> getPermissions(1: string scope),
+
+
+  // ----------------------------------------------------------------
+  // Refer to the documentation in api/shared.thrift on what data the
+  // 'extraParams' field for a particular permission requires.
+  // In each case, it has to be a JSON representation of a dict.
+  // ----------------------------------------------------------------
+
+  // Get the list of permissions from the CURRENTLY LOGGED IN USER's perspective
+  // in the given scope and scope parameters, and filter it based on certain
+  // criteria.
+  // If no criteria are given, this behaves identically to
+  // getPermissions(scope).
+  list<Permission> getPermissionsForUser(
+    1: string           scope,
+    2: string           extraParams,
+    3: PermissionFilter filter)
+    throws (1: shared.RequestFailed requestError),
+
+  // Returns the list of users and groups with the given permission.
+  //
+  // This call does NOT honour permission inheritance and only return users
+  // and groups whom are DIRECTLY granted the permission.
+  //
+  // This call is only applicable, if the CURRENTLY LOGGED IN USER has access
+  // to manage the given permission.
+  AuthorisationList getAuthorisedNames(
+    1: Permission permission,
+    2: string     extraParams)
+    throws (1: shared.RequestFailed requestError),
+
+  // PERMISSION: Have at least one of the managers of permission argument.
+  bool addPermission(1: Permission permission,
+                     2: string     authName,
+                     3: bool       isGroup,
+                     4: string     extraParams)
+                     throws (1: shared.RequestFailed requestError),
+
+  // PERMISSION: Have at least one of the managers of permission argument.
+  bool removePermission(1: Permission permission,
+                        2: string     authName,
+                        3: bool       isGroup,
+                        4: string     extraParams)
+                        throws (1: shared.RequestFailed requestError),
+
+  // Returns whether or not the CURRENTLY LOGGED IN USER is authorised with
+  // the given permission. Works even if authentication is disabled on the
+  // server, based on the permission's default values. This API call honours
+  // permission inheritance.
+  bool hasPermission(1: Permission permission,
+                     2: string     extraParams)
+                     throws (1: shared.RequestFailed requestError)
 
 }
diff --git a/api/products.thrift b/api/products.thrift
@@ -10,14 +10,6 @@ namespace py ProductManagement
 namespace js codeCheckerProductManagement
 
 
-/*
-struct PrivilegeRecord {
-  1: string   name,
-  2: bool     isGroup
-}
-typedef list<PrivilegeRecord> PrivilegeRecords
-*/
-
 struct DatabaseConnection {
   1:          string engine,         // The database engine, such as "sqlite" or "postgresql".
   2:          string host,
@@ -44,7 +36,8 @@ struct Product {
   3: string displayedName_b64,
   4: string description_b64,
   5: bool   connected,         // Indicates that the server could set up the database connection properly.
-  6: bool   accessible         // Indicates whether the current user can access this product.
+  6: bool   accessible,        // Indicates whether the current user can access this product.
+  7: bool   administrating     // Indicates that the current user can administrate the product.
 }
 typedef list<Product> Products
 
@@ -58,6 +51,11 @@ service codeCheckerProductService {
 
   // *** Handling of product lists and metadata querying *** //
 
+  // Returns true if the current user is a PRODUCT_ADMIN of any product
+  // on the server.
+  bool isAdministratorOfAnyProduct()
+                                   throws (1: shared.RequestFailed requestError),
+
   // Get the list of product that matches the display name and endpoint
   // filters specified.
   Products getProducts(1: string productEndpointFilter,
@@ -67,11 +65,22 @@ service codeCheckerProductService {
   Product getCurrentProduct()
                             throws (1: shared.RequestFailed requestError),
 
-  // *** Handling the add-modify-remove of products registered *** //
+  // *** Handling the add-modify-remove of registered products *** //
 
+  ProductConfiguration getProductConfiguration(1: i64 productId)
+                                               throws (1: shared.RequestFailed requestError),
+
+  // PERMISSION: SUPERUSER
   bool addProduct(1: ProductConfiguration product)
                   throws (1: shared.RequestFailed requestError),
 
+  // PERMISSION: PRODUCT_ADMIN (for basic metadata editing),
+  //             SUPERUSER     (for connection configuration editing)
+  bool editProduct(1: i64 productId,
+                   2: ProductConfiguration newConfiguration)
+                   throws (1: shared.RequestFailed requestError),
+
+  // PERMISSION: SUPERUSER
   bool removeProduct(1: i64 productId)
                      throws (1: shared.RequestFailed requestError)