Gitlab integration

alpine/alpine-infra/src/main/java/alpine/persistence/AlpineQueryManager.java

@@ -39,6 +39,7 @@
 import alpine.security.ApiKeyGenerator;
 import org.datanucleus.store.rdbms.query.JDOQLQuery;
 
+import javax.jdo.Extent;
 import javax.jdo.PersistenceManager;
 import javax.jdo.Query;
 import java.security.Principal;
@@ -343,6 +344,20 @@ public OidcUser addUserToTeams(final OidcUser user, final List<String> teamNames
         });
     }
 
+    /**
+     * Returns a complete list of all subclasses extending User.class, in ascending order by username.
+     * @return a list of all Users
+     * @since 1.0.0
+     */
+    public PaginatedResult getAllUsers() {
+        final Query<User> query = pm.newQuery(User.class).orderBy("username ASC");
+        final PaginatedResult result = execute(query);
+
+        pm.refreshAll(result.getObjects());
+
+        return result;
+    }
+
     /**
      * Retrieves an LdapUser containing the specified username. If the username
      * does not exist, returns null.
@@ -546,6 +561,22 @@ public User getUser(String username) {
         return executeAndCloseUnique(query);
     }
 
+    /**
+     * Resolves a type of User.
+     * @param cls the class of the principal to retrieve
+     * @param username the username of the principal to retrieve
+     * @return a User if found, null if not found
+     * @since 1.0.0
+     */
+    public <T extends User> T getUser(String username, Class<T> cls) {
+        final Query<T> query = pm.newQuery(cls)
+                .filter("username == :username")
+                .setNamedParameters(Map.of("username", username))
+                .extension(JDOQLQuery.EXTENSION_CANDIDATE_DONT_RESTRICT_DISCRIMINATOR, true);
+
+        return (T) executeAndCloseUnique(query);
+    }
+
     /**
      * Creates a new Team with the specified name. If createApiKey is true,
      * then {@link #createApiKey} is invoked and a cryptographically secure
@@ -561,7 +592,7 @@ public Team createTeam(final String name, final boolean createApiKey) {
     }
 
     /**
-     * Creates a new Team with the specified name.
+     * Creates a new {@link Team} with the specified name.
      * @param name The name of the team
      * @return a Team
      * @since 3.2.0
@@ -570,7 +601,22 @@ public Team createTeam(final String name) {
         return callInTransaction(() -> {
             final var team = new Team();
             team.setName(name);
-            //todo assign permissions
+            pm.makePersistent(team);
+            return team;
+        });
+    }
+
+    /**
+     * Creates a new {@link Team} with the specified name and initial {@link Permission}s.
+     * @param name The name of the team
+     * @return a Team
+     * @since 5.6.0
+     */
+    public Team createTeam(final String name, final List<Permission> permissions) {
+        return callInTransaction(() -> {
+            final var team = new Team();
+            team.setName(name);
+            team.setPermissions(permissions);
             pm.makePersistent(team);
             return team;
         });

alpine/alpine-model/src/main/java/alpine/model/LdapUser.java

@@ -39,9 +39,9 @@
  */
 @PersistenceCapable
 @Inheritance(strategy = InheritanceStrategy.SUPERCLASS_TABLE)
-@Discriminator(value = "LDAP")
+@Discriminator("LDAP")
 @JsonInclude(JsonInclude.Include.NON_NULL)
-@JsonPropertyOrder(value = { "username", "dn", "email", "teams", "permissions" })
+@JsonPropertyOrder({ "username", "dn", "email", "teams", "permissions" })
 public class LdapUser extends User {
 
     private static final long serialVersionUID = 261924579887470488L;

alpine/alpine-model/src/main/java/alpine/model/ManagedUser.java

@@ -42,9 +42,9 @@
  */
 @PersistenceCapable
 @Inheritance(strategy = InheritanceStrategy.SUPERCLASS_TABLE)
-@Discriminator(value = "MANAGED")
+@Discriminator("MANAGED")
 @JsonInclude(JsonInclude.Include.NON_NULL)
-@JsonPropertyOrder(value = {
+@JsonPropertyOrder({
         "username",
         "lastPasswordChange",
         "fullname",

alpine/alpine-model/src/main/java/alpine/model/OidcUser.java

@@ -38,9 +38,9 @@
  */
 @PersistenceCapable
 @Inheritance(strategy = InheritanceStrategy.SUPERCLASS_TABLE)
-@Discriminator(value = "OIDC")
+@Discriminator("OIDC")
 @JsonInclude(JsonInclude.Include.NON_NULL)
-@JsonPropertyOrder(value = { "username", "subjectIdentifier", "email", "teams", "permissions" })
+@JsonPropertyOrder({ "username", "subjectIdentifier", "email", "teams", "permissions" })
 public class OidcUser extends User {
 
     private static final long serialVersionUID = -6852825148699565269L;

apiserver/src/main/java/org/dependencytrack/event/EventSubsystemInitializer.java

@@ -40,6 +40,8 @@
 import org.dependencytrack.tasks.EpssMirrorTask;
 import org.dependencytrack.tasks.FortifySscUploadTask;
 import org.dependencytrack.tasks.GitHubAdvisoryMirrorTask;
+import org.dependencytrack.tasks.GitLabIntegrationStateTask;
+import org.dependencytrack.tasks.GitLabSyncTask;
 import org.dependencytrack.tasks.IntegrityAnalysisTask;
 import org.dependencytrack.tasks.IntegrityMetaInitializerTask;
 import org.dependencytrack.tasks.InternalComponentIdentificationTask;
@@ -96,6 +98,8 @@ public void contextInitialized(final ServletContextEvent event) {
         EVENT_SERVICE.subscribe(VexUploadEvent.class, VexUploadProcessingTask.class);
         EVENT_SERVICE.subscribe(LdapSyncEvent.class, LdapSyncTaskWrapper.class);
         EVENT_SERVICE.subscribe(GitHubAdvisoryMirrorEvent.class, GitHubAdvisoryMirrorTask.class);
+        EVENT_SERVICE.subscribe(GitLabIntegrationStateEvent.class, GitLabIntegrationStateTask.class);
+        EVENT_SERVICE.subscribe(GitLabSyncEvent.class, GitLabSyncTask.class);
         EVENT_SERVICE.subscribe(OsvMirrorEvent.class, OsvMirrorTask.class);
         EVENT_SERVICE.subscribe(ProjectVulnerabilityAnalysisEvent.class, VulnerabilityAnalysisTask.class);
         EVENT_SERVICE.subscribe(PortfolioVulnerabilityAnalysisEvent.class, VulnerabilityAnalysisTask.class);
@@ -143,6 +147,8 @@ public void contextDestroyed(final ServletContextEvent event) {
         EVENT_SERVICE.unsubscribe(VexUploadProcessingTask.class);
         EVENT_SERVICE.unsubscribe(LdapSyncTaskWrapper.class);
         EVENT_SERVICE.unsubscribe(GitHubAdvisoryMirrorTask.class);
+        EVENT_SERVICE.unsubscribe(GitLabIntegrationStateTask.class);
+        EVENT_SERVICE.unsubscribe(GitLabSyncTask.class);
         EVENT_SERVICE.unsubscribe(OsvMirrorTask.class);
         EVENT_SERVICE.unsubscribe(VulnerabilityAnalysisTask.class);
         EVENT_SERVICE.unsubscribe(RepositoryMetaAnalysisTask.class);

apiserver/src/main/java/org/dependencytrack/event/GitLabIntegrationStateEvent.java

@@ -0,0 +1,29 @@
+/*
+ * This file is part of Dependency-Track.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
+ */
+package org.dependencytrack.event;
+
+import alpine.event.framework.Event;
+
+/**
+ * Defines an event used to start a state change task for the GitLab Integration.
+ *
+ * @author Allen Shearin
+ */
+public class GitLabIntegrationStateEvent implements Event {
+}

apiserver/src/main/java/org/dependencytrack/event/GitLabSyncEvent.java

@@ -0,0 +1,64 @@
+/*
+ * This file is part of Dependency-Track.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
+ */
+package org.dependencytrack.event;
+
+import alpine.event.framework.Event;
+import alpine.model.OidcUser;
+
+/**
+ * Defines an event used to start a sync task of current user's GitLab groups.
+ *
+ * @author Jonathan Howard
+ */
+public class GitLabSyncEvent implements Event {
+
+    private String accessToken;
+    private OidcUser user;
+
+    public GitLabSyncEvent() {
+
+    }
+
+    public GitLabSyncEvent(final String accessToken, final OidcUser user) {
+        this.accessToken = accessToken;
+        this.user = user;
+    }
+
+    public String getAccessToken() {
+        return accessToken;
+    }
+
+    public void setAccessToken(final String accessToken) {
+        this.accessToken = accessToken;
+    }
+
+    public OidcUser getUser() {
+        return user;
+    }
+
+    public void setUser(OidcUser user) {
+        this.user = user;
+    }
+
+    @Override
+    public String toString() {
+        return "%s{accessToken=%s, user=%s}".formatted(getClass().getSimpleName(), accessToken, user);
+    }
+
+}

apiserver/src/main/java/org/dependencytrack/integrations/PermissionsSyncer.java

@@ -0,0 +1,31 @@
+/*
+ * This file is part of Dependency-Track.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
+ */
+package org.dependencytrack.integrations;
+
+import org.dependencytrack.persistence.QueryManager;
+
+public interface PermissionsSyncer extends IntegrationPoint {
+
+    boolean isEnabled();
+
+    void setQueryManager(QueryManager qm);
+
+    void synchronize();
+
+}

apiserver/src/main/java/org/dependencytrack/integrations/gitlab/GitLabAuthenticationCustomizer.java

@@ -0,0 +1,82 @@
+/*
+ * This file is part of Dependency-Track.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
+ */
+package org.dependencytrack.integrations.gitlab;
+
+import alpine.Config;
+import alpine.event.framework.Event;
+import alpine.model.OidcUser;
+import alpine.server.auth.DefaultOidcAuthenticationCustomizer;
+import alpine.server.auth.OidcProfile;
+
+import java.util.Collections;
+import java.util.List;
+import java.util.Objects;
+
+import org.dependencytrack.event.GitLabSyncEvent;
+import org.dependencytrack.persistence.QueryManager;
+
+import com.nimbusds.openid.connect.sdk.claims.ClaimsSet;
+import com.nimbusds.openid.connect.sdk.claims.UserInfo;
+import net.minidev.json.JSONObject;
+
+public class GitLabAuthenticationCustomizer extends DefaultOidcAuthenticationCustomizer {
+
+    @Override
+    public OidcProfile createProfile(ClaimsSet claimsSet) {
+        final String teamsClaimName = Config.getInstance().getProperty(Config.AlpineKey.OIDC_TEAMS_CLAIM);
+        String usernameClaimName = Config.getInstance().getProperty(Config.AlpineKey.OIDC_USERNAME_CLAIM);
+        final var profile = new OidcProfile();
+
+        if (claimsSet.getStringClaim("user_login") != null)
+            usernameClaimName = "user_login";
+
+        profile.setSubject(Objects.requireNonNullElse(claimsSet.getStringClaim("user_id"),
+                claimsSet.getStringClaim(UserInfo.SUB_CLAIM_NAME)));
+        profile.setUsername(claimsSet.getStringClaim(usernameClaimName));
+        profile.setEmail(Objects.requireNonNullElse(claimsSet.getStringClaim("user_email"),
+                claimsSet.getStringClaim(UserInfo.EMAIL_CLAIM_NAME)));
+
+        JSONObject claimsObj = claimsSet.toJSONObject();
+        claimsObj.remove(UserInfo.EMAIL_CLAIM_NAME);
+        claimsObj.remove(UserInfo.SUB_CLAIM_NAME);
+        claimsObj.remove(teamsClaimName);
+        claimsObj.remove(usernameClaimName);
+
+        profile.setCustomValues(claimsObj);
+
+        return profile;
+    }
+
+    @Override
+    public OidcUser onAuthenticationSuccess(OidcUser user, OidcProfile profile, String idToken, String accessToken) {
+        try (final QueryManager qm = new QueryManager()) {
+            final List<String> groups = Objects.requireNonNullElse(profile.getGroups(), Collections.emptyList());
+
+            groups.stream()
+                    .filter(Objects::nonNull)
+                    .filter(group -> qm.getOidcGroup(group) == null)
+                    .forEach(qm::createOidcGroup);
+        }
+
+        Event.dispatch(new GitLabSyncEvent(accessToken, user));
+
+        return user;
+    }
+
+}