DependencyTrack · nscuro · Jun 4, 2025 · Feb 17, 2025 · Feb 24, 2025 · Feb 20, 2025
diff --git a/alpine/alpine-infra/src/main/java/alpine/persistence/AlpineQueryManager.java b/alpine/alpine-infra/src/main/java/alpine/persistence/AlpineQueryManager.java
@@ -50,6 +50,8 @@
 import java.util.Map;
 import java.util.Set;
 
+import org.datanucleus.store.rdbms.query.JDOQLQuery;
+
 /**
  * This QueryManager provides a concrete extension of {@link AbstractAlpineQueryManager} by
  * providing methods that operate on the default Alpine models such as ManagedUser and Team.
@@ -537,8 +539,11 @@ public List<ManagedUser> getManagedUsers() {
      * @since 1.0.0
      */
     public User getUser(String username) {
-        final Query<User> query = pm.newQuery(User.class, "username == :username");
-        query.setParameters(username);
+        final Query<User> query = pm.newQuery(User.class)
+                .filter("username == :username")
+                .setNamedParameters(Map.of("username", username))
+                .extension(JDOQLQuery.EXTENSION_CANDIDATE_DONT_RESTRICT_DISCRIMINATOR, true);
+
         return executeAndCloseUnique(query);
     }
 

diff --git a/apiserver/src/main/java/org/dependencytrack/model/Role.java b/apiserver/src/main/java/org/dependencytrack/model/Role.java
@@ -0,0 +1,152 @@
+/*
+ * This file is part of Dependency-Track.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
+ */
+package org.dependencytrack.model;
+
+import alpine.common.validation.RegexSequence;
+import alpine.model.Permission;
+import alpine.server.json.TrimmedStringDeserializer;
+
+import com.fasterxml.jackson.annotation.JsonIgnore;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.NotNull;
+import jakarta.validation.constraints.Pattern;
+import jakarta.validation.constraints.Size;
+
+import java.io.Serializable;
+
+import java.util.LinkedHashSet;
+import java.util.Objects;
+import java.util.Set;
+import java.util.UUID;
+
+import javax.jdo.annotations.Column;
+import javax.jdo.annotations.Element;
+import javax.jdo.annotations.FetchGroup;
+import javax.jdo.annotations.IdGeneratorStrategy;
+import javax.jdo.annotations.Join;
+import javax.jdo.annotations.PersistenceCapable;
+import javax.jdo.annotations.Persistent;
+import javax.jdo.annotations.PrimaryKey;
+import javax.jdo.annotations.Unique;
+
+/**
+ * Model for tracking roles. Roles define static sets of permissions
+ * that can be applied to a user with the scope of a project.
+ *
+ * @author Allen Shearin
+ * @since 5.6.0
+ */
+@PersistenceCapable
+@FetchGroup(name = "ALL", members = {
+        @Persistent(name = "name"),
+        @Persistent(name = "permissions"),
+        @Persistent(name = "uuid"),
+})
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class Role implements Serializable {
+
+    private static final long serialVersionUID = -427858073810766917L;
+
+    /**
+     * Defines JDO fetch groups for this class.
+     */
+    public enum FetchGroup {
+        ALL
+    }
+
+    @PrimaryKey
+    @Persistent(valueStrategy = IdGeneratorStrategy.NATIVE)
+    @JsonIgnore
+    private long id;
+
+    @Persistent
+    @Unique(name = "ROLE_NAME_IDX", deferred = "true")
+    @Column(name = "NAME", jdbcType = "VARCHAR", allowsNull = "false")
+    @NotBlank
+    @Size(min = 1, max = 255)
+    @JsonDeserialize(using = TrimmedStringDeserializer.class)
+    @Pattern(regexp = RegexSequence.Definition.PRINTABLE_CHARS, message = "The name may only contain printable characters")
+    private String name;
+
+    @Persistent(table = "ROLES_PERMISSIONS", defaultFetchGroup = "true")
+    @Join(column = "ROLE_ID")
+    @Element(column = "PERMISSION_ID")
+    private Set<Permission> permissions = new LinkedHashSet<>();
+
+    @Persistent(customValueStrategy = "uuid")
+    @Unique(name = "ROLE_UUID_IDX")
+    @Column(name = "UUID", sqlType = "UUID", allowsNull = "false")
+    @NotNull
+    private UUID uuid;
+
+    public long getId() {
+        return id;
+    }
+
+    public void setId(long id) {
+        this.id = id;
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    public Set<Permission> getPermissions() {
+        return permissions;
+    }
+
+    public void setPermissions(Set<Permission> permissions) {
+        this.permissions = permissions;
+    }
+
+    public boolean addPermissions(Permission... permissions) {
+        this.permissions = Objects.requireNonNullElse(this.permissions, new LinkedHashSet<>());
+
+        return this.permissions.addAll(Set.of(permissions));
+    }
+
+    public UUID getUuid() {
+        return uuid;
+    }
+
+    public void setUuid(UUID uuid) {
+        this.uuid = uuid;
+    }
+
+    @Override
+    public String toString() {
+        var permissionStrings = permissions.stream()
+                .map(permission -> permission.getName())
+                .toList();
+
+        return "%s{uuid='%s', name='%s', permissions=%s}".formatted(
+                getClass().getSimpleName(),
+                uuid,
+                name,
+                permissionStrings);
+    }
+
+}
diff --git a/apiserver/src/main/java/org/dependencytrack/model/UserProjectRole.java b/apiserver/src/main/java/org/dependencytrack/model/UserProjectRole.java
@@ -0,0 +1,105 @@
+/*
+ * This file is part of Dependency-Track.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
+ */
+package org.dependencytrack.model;
+
+import com.fasterxml.jackson.annotation.JsonInclude;
+
+import alpine.model.User;
+
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Comparator;
+import java.util.List;
+import java.util.Objects;
+import java.util.stream.Stream;
+
+import javax.jdo.annotations.Column;
+import javax.jdo.annotations.Element;
+import javax.jdo.annotations.Extension;
+import javax.jdo.annotations.Order;
+import javax.jdo.annotations.PersistenceCapable;
+import javax.jdo.annotations.Persistent;
+import javax.jdo.annotations.PrimaryKey;
+
+/**
+ * Base class for user-project-role mapping.
+ *
+ * @author Jonathan Howard
+ * @since 5.6.0
+ */
+@PersistenceCapable(table = "USER_PROJECT_ROLES")
+@JsonInclude(JsonInclude.Include.NON_NULL)
+@PrimaryKey(name = "USER_PROJECT_ROLES_PK", columns = {
+        @Column(name = "USER_ID"),
+        @Column(name = "PROJECT_ID"),
+        @Column(name = "ROLE_ID")
+})
+public class UserProjectRole implements Serializable {
+
+    @Persistent(defaultFetchGroup = "true")
+    @Column(name = "ROLE_ID", allowsNull = "false")
+    private Role role;
+
+    @Persistent(defaultFetchGroup = "true")
+    @Column(name = "PROJECT_ID", allowsNull = "false")
+    private Project project;
+
+    @Persistent(defaultFetchGroup = "true")
+    @Element(column = "USER_ID")
+    @Order(extensions = @Extension(vendorName = "datanucleus", key = "list-ordering", value = "username ASC"))
+    private List<User> users;
+
+    public List<User> getUsers() {
+        return users;
+    }
+
+    public void setUsers(List<User> users) {
+        this.users = users;
+    }
+
+    public Role getRole() {
+        return role;
+    }
+
+    public void setRole(Role role) {
+        this.role = role;
+    }
+
+    public Project getProject() {
+        return project;
+    }
+
+    public void setProject(Project project) {
+        this.project = project;
+    }
+
+    @Override
+    public String toString() {
+        // var userStrings = users.stream()
+        //         .map(user -> user.getUsername())
+        //         .toList();
+
+        return "%s{role='%s', project='%s'}".formatted(
+                getClass().getSimpleName(),
+                role,
+                project);
+                //userStrings);
+    }
+}