Merge pull request #3881 from nscuro/tag-management

Add REST endpoints for tag retrieval

src/main/java/org/dependencytrack/model/validation/LowerCase.java

@@ -0,0 +1,44 @@
+/*
+ * This file is part of Dependency-Track.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
+ */
+package org.dependencytrack.model.validation;
+
+import jakarta.validation.Constraint;
+import jakarta.validation.Payload;
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ * @since 4.12.0
+ */
+@Documented
+@Retention(RetentionPolicy.RUNTIME)
+@Target({ElementType.FIELD, ElementType.PARAMETER})
+@Constraint(validatedBy = LowerCaseValidator.class)
+public @interface LowerCase {
+
+    String message() default "Value must only contain lowercase letters.";
+
+    Class<?>[] groups() default {};
+
+    Class<? extends Payload>[] payload() default {};
+
+}

src/main/java/org/dependencytrack/model/validation/LowerCaseValidator.java

@@ -0,0 +1,39 @@
+/*
+ * This file is part of Dependency-Track.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
+ */
+package org.dependencytrack.model.validation;
+
+import jakarta.validation.ConstraintValidator;
+import jakarta.validation.ConstraintValidatorContext;
+
+/**
+ * @since 4.12.0
+ */
+public class LowerCaseValidator implements ConstraintValidator<LowerCase, String> {
+
+    @Override
+    public boolean isValid(final String value, final ConstraintValidatorContext validatorContext) {
+        if (value == null) {
+            // null-ness is expected to be validated using @NotNull
+            return true;
+        }
+
+        return value.toLowerCase().equals(value);
+    }
+
+}

src/main/java/org/dependencytrack/persistence/FindingsSearchQueryManager.java

@@ -25,7 +25,6 @@
 import com.github.packageurl.PackageURL;
 import org.dependencytrack.model.Analysis;
 import org.dependencytrack.model.Component;
-import org.dependencytrack.model.ConfigPropertyConstants;
 import org.dependencytrack.model.Finding;
 import org.dependencytrack.model.GroupedFinding;
 import org.dependencytrack.model.RepositoryMetaComponent;
@@ -343,37 +342,14 @@ private void processInputFilter(StringBuilder queryFilter, Map<String, Object> p
     }
 
     private void preprocessACLs(StringBuilder queryFilter, final Map<String, Object> params) {
-        if (!isEnabled(ConfigPropertyConstants.ACCESS_MANAGEMENT_ACL_ENABLED)
-                || hasAccessManagementPermission(this.principal)) {
-            return;
-        }
-
         if (queryFilter.isEmpty()) {
             queryFilter.append(" WHERE ");
         } else {
             queryFilter.append(" AND ");
         }
 
-        final var teamIds = new ArrayList<>(getTeamIds(principal));
-        if (teamIds.isEmpty()) {
-            queryFilter.append(":false");
-            params.put("false", false);
-            return;
-        }
-
-        // NB: Need to work around the fact that the RDBMSes can't agree on how to do member checks. Oh joy! :)))
-        final var teamIdChecks = new ArrayList<String>();
-        for (int i = 0; i < teamIds.size(); i++) {
-            teamIdChecks.add("\"PROJECT_ACCESS_TEAMS\".\"TEAM_ID\" = :teamId" + i);
-            params.put("teamId" + i, teamIds.get(i));
-        }
-
-        queryFilter.append("""
-                EXISTS (
-                  SELECT 1
-                    FROM "PROJECT_ACCESS_TEAMS"
-                   WHERE "PROJECT_ACCESS_TEAMS"."PROJECT_ID" = "PROJECT"."ID"
-                     AND (%s)
-                )""".formatted(String.join(" OR ", teamIdChecks)));
+        final Map.Entry<String, Map<String, Object>> projectAclConditionAndParams = getProjectAclSqlCondition();
+        queryFilter.append(projectAclConditionAndParams.getKey()).append(" ");
+        params.putAll(projectAclConditionAndParams.getValue());
     }
 }

src/main/java/org/dependencytrack/persistence/QueryManager.java

@@ -30,6 +30,7 @@
 import alpine.persistence.PaginatedResult;
 import alpine.persistence.ScopedCustomization;
 import alpine.resources.AlpineRequest;
+import alpine.server.util.DbUtil;
 import com.github.packageurl.PackageURL;
 import com.google.common.collect.Lists;
 import org.apache.commons.lang3.ClassUtils;
@@ -90,14 +91,17 @@
 import java.security.Principal;
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.Date;
+import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.UUID;
 
 import static org.datanucleus.PropertyNames.PROPERTY_QUERY_SQL_ALLOWALL;
+import static org.dependencytrack.model.ConfigPropertyConstants.ACCESS_MANAGEMENT_ACL_ENABLED;
 
 /**
  * This QueryManager provides a concrete extension of {@link AlpineQueryManager} by
@@ -1324,6 +1328,18 @@ public boolean hasAccessManagementPermission(final ApiKey apiKey) {
         return getProjectQueryManager().hasAccessManagementPermission(apiKey);
     }
 
+    public List<TagQueryManager.TagListRow> getTags() {
+        return getTagQueryManager().getTags();
+    }
+
+    public List<TagQueryManager.TaggedProjectRow> getTaggedProjects(final String tagName) {
+        return getTagQueryManager().getTaggedProjects(tagName);
+    }
+
+    public List<TagQueryManager.TaggedPolicyRow> getTaggedPolicies(final String tagName) {
+        return getTagQueryManager().getTaggedPolicies(tagName);
+    }
+
     public PaginatedResult getTags(String policyUuid) {
         return getTagQueryManager().getTags(policyUuid);
     }
@@ -1478,4 +1494,72 @@ public List<RepositoryMetaComponent> getRepositoryMetaComponentsBatch(final List
     public List<RepositoryMetaComponent> getRepositoryMetaComponents(final List<RepositoryQueryManager.RepositoryMetaComponentSearch> list) {
         return getRepositoryQueryManager().getRepositoryMetaComponents(list);
     }
+
+    /**
+     * @see #getProjectAclSqlCondition(String)
+     * @since 4.12.0
+     */
+    public Map.Entry<String, Map<String, Object>> getProjectAclSqlCondition() {
+        return getProjectAclSqlCondition("PROJECT");
+    }
+
+    /**
+     * @param projectTableAlias Name or alias of the {@code PROJECT} table to use in the condition.
+     * @return A SQL condition that may be used to check if the {@link #principal} has access to a project
+     * @since 4.12.0
+     */
+    public Map.Entry<String, Map<String, Object>> getProjectAclSqlCondition(final String projectTableAlias) {
+        if (request == null) {
+            return Map.entry(/* true */ "1=1", Collections.emptyMap());
+        }
+
+        if (principal == null || !isEnabled(ACCESS_MANAGEMENT_ACL_ENABLED) || hasAccessManagementPermission(principal)) {
+            return Map.entry(/* true */ "1=1", Collections.emptyMap());
+        }
+
+        final var teamIds = new ArrayList<>(getTeamIds(principal));
+        if (teamIds.isEmpty()) {
+            return Map.entry(/* false */ "1=2", Collections.emptyMap());
+        }
+
+
+        // NB: Need to work around the fact that the RDBMSes can't agree on how to do member checks. Oh joy! :)))
+        final var params = new HashMap<String, Object>();
+        final var teamIdChecks = new ArrayList<String>();
+        for (int i = 0; i < teamIds.size(); i++) {
+            teamIdChecks.add("\"PROJECT_ACCESS_TEAMS\".\"TEAM_ID\" = :teamId" + i);
+            params.put("teamId" + i, teamIds.get(i));
+        }
+
+        return Map.entry("""
+                EXISTS (
+                  SELECT 1
+                    FROM "PROJECT_ACCESS_TEAMS"
+                   WHERE "PROJECT_ACCESS_TEAMS"."PROJECT_ID" = "%s"."ID"
+                     AND (%s)
+                )""".formatted(projectTableAlias, String.join(" OR ", teamIdChecks)), params);
+    }
+
+    /**
+     * @since 4.12.0
+     * @return A SQL {@code OFFSET ... LIMIT ...} clause if pagination is requested, otherwise an empty string
+     */
+    public String getOffsetLimitSqlClause() {
+        if (pagination == null || !pagination.isPaginated()) {
+            return "";
+        }
+
+        final String clauseTemplate;
+        if (DbUtil.isMssql()) {
+            clauseTemplate = "OFFSET %d ROWS FETCH NEXT %d ROWS ONLY";
+        } else if (DbUtil.isMysql()) {
+            // NB: Order of limit and offset is different for MySQL...
+            return "LIMIT %s OFFSET %s".formatted(pagination.getLimit(), pagination.getOffset());
+        } else {
+            clauseTemplate = "OFFSET %d FETCH NEXT %d ROWS ONLY";
+        }
+
+        return clauseTemplate.formatted(pagination.getOffset(), pagination.getLimit());
+    }
+
 }