in rest-api/src/jetbrains/buildServer/server/rest/request/UserRequest.java [389:449]
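/**
 * Creates an access token for the user selected by {@code userLocator}.
 *
 * <p>When the payload carries permission restrictions, every entry is resolved to a scope
 * (global or one project) plus a {@link Permission}. An entry is accepted only if the located
 * user already holds that permission in that scope, so the restriction set handed to the token
 * model never names a permission its owner lacks. Without restrictions an unrestricted token is
 * created.
 *
 * <p>NOTE(review): nothing in this method body ties the calling principal to the located user;
 * presumably {@code myUserFinder.getItem(userLocator, true)} or request-level filtering enforces
 * who may mint tokens for whom. Confirm before relying on it.
 *
 * @param token       request payload; name, expiration time and optional permission restrictions are read
 * @param userLocator locator of the user that will own the token
 * @param fields      field selector applied to the returned representation
 * @return representation of the new token, built with the token value from {@code getValue()}
 * @throws BadRequestException          if the payload or its name is missing, the restriction list is
 *                                      empty, a permission name is unknown, or the token model rejects
 *                                      the creation
 * @throws IllegalArgumentException     if a restriction entry is malformed (no list, no scope, no permission)
 * @throws NotFoundException            if a restriction references an unknown project external id
 * @throws AuthorizationFailedException if the user does not hold a permission listed in a restriction
 */
public Token createToken(Token token,
                         @PathParam("userLocator") String userLocator,
                         @QueryParam("fields") String fields) {
  // A missing request body would otherwise surface as a NullPointerException instead of a client error.
  if (token == null || token.getName() == null) {
    throw new BadRequestException("name cannot be empty");
  }
  final TokenAuthenticationModel tokenAuthenticationModel = myBeanContext.getSingletonService(TokenAuthenticationModel.class);
  final SUser user = myUserFinder.getItem(userLocator, true);
  try {
    final AuthenticationToken authenticationToken;
    if (token.getPermissionRestrictions() != null) {
      final List<PermissionRestriction> permissionRestrictions = token.getPermissionRestrictions().myPermissionRestrictions;
      if (permissionRestrictions == null) {
        throw new IllegalArgumentException("Malformed permission restrictions");
      }
      // Rejected up front so an empty restriction map is never passed to createToken.
      if (permissionRestrictions.isEmpty()) {
        throw new BadRequestException("Malformed permission restrictions");
      }
      final Map<RoleScope, Permissions> restrictions = new HashMap<>();
      for (PermissionRestriction permissionRestriction : permissionRestrictions) {
        // A null list element is client input, not a server fault.
        if (permissionRestriction == null) {
          throw new IllegalArgumentException("Malformed permission restrictions");
        }
        final RoleScope roleScope;
        if (BooleanUtils.isTrue(permissionRestriction.isGlobalScope)) {
          roleScope = RoleScope.globalScope();
        } else if (permissionRestriction.project != null && permissionRestriction.project.id != null) {
          // NOTE(review): the lookup outcome is reported to the client before any permission check
          // on the project; confirm findProjectByExternalId does not disclose projects the caller cannot see.
          final SProject project = myBeanContext.getSingletonService(ProjectManager.class).findProjectByExternalId(permissionRestriction.project.id);
          if (project == null) {
            throw new NotFoundException("Project not found for external id [" + permissionRestriction.project.id + "]");
          }
          roleScope = RoleScope.projectScope(project.getProjectId());
        } else {
          throw new IllegalArgumentException("Malformed permission restrictions, either isGlobalScope should be set to true or project should not be null");
        }
        if (permissionRestriction.permission == null || permissionRestriction.permission.id == null) {
          throw new IllegalArgumentException("Permission should not be null");
        }
        // Only the name lookup sits inside the try, so an IllegalArgumentException raised by the
        // permission checks or the merge below is not misreported as an unknown permission.
        final Permission permission;
        try {
          // Locale.ROOT keeps the upper-casing independent of the server's default locale.
          permission = Permission.valueOf(permissionRestriction.permission.id.toUpperCase(java.util.Locale.ROOT));
        } catch (IllegalArgumentException e) {
          // Report the field that was actually looked up (id), not the unrelated name field.
          throw new BadRequestException("Permission not found for input [" + permissionRestriction.permission.id + "]");
        }
        // A restriction may only name a permission the token owner already holds in that scope;
        // a globally granted permission also satisfies a project-scoped restriction.
        if (roleScope.isGlobal()) {
          if (!user.isPermissionGrantedGlobally(permission)) {
            throw new AuthorizationFailedException("User don't have " + permission + " to be restricted globally");
          }
        } else {
          if (!(user.isPermissionGrantedGlobally(permission) || user.isPermissionGrantedForProject(roleScope.getProjectId(), permission))) {
            throw new AuthorizationFailedException("User don't have permission " + permission + " to be restricted on project [" + roleScope.getProjectId() + "]");
          }
        }
        // Several entries for the same scope are combined into one Permissions value.
        restrictions.merge(roleScope, new Permissions(permission), Permissions::mergeWith);
      }
      authenticationToken =
        tokenAuthenticationModel.createToken(user.getId(), token.getName(), token.getExpirationTime(), new AuthenticationToken.PermissionsRestriction(restrictions));
    } else {
      authenticationToken = tokenAuthenticationModel.createToken(user.getId(), token.getName(), token.getExpirationTime());
    }
    // getValue() is handed to the response model, so the reply presumably carries the token value:
    // treat the response body as a credential and keep it out of logs.
    return new Token(authenticationToken, authenticationToken.getValue(), new Fields(fields), myBeanContext);
  } catch (AuthenticationTokenStorage.CreationException e) {
    throw new BadRequestException(e.getMessage());
  }
}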