Add accessTeams support to BOM upload auto-create

Mimics createProject: when auto-creating a project during BOM upload,
teams can be specified via accessTeams and are applied to the project
ACL. Same resolution rules as Project API (principal must be member
or have ACCESS_MANAGEMENT).

- BomSubmitRequest: add accessTeams field (JSON)
- BOM multipart: add accessTeams form param (JSON array)
- Apply access teams before updateNewProjectACL

Author: valentijnscholten

src/main/java/org/dependencytrack/resources/v1/BomResource.java

@@ -20,7 +20,10 @@
 
 import alpine.common.logging.Logger;
 import alpine.event.framework.Event;
+import alpine.model.ApiKey;
 import alpine.model.ConfigProperty;
+import alpine.model.Team;
+import alpine.model.UserPrincipal;
 import alpine.notification.Notification;
 import alpine.notification.NotificationLevel;
 import alpine.server.auth.PermissionRequired;
@@ -60,6 +63,8 @@
 import org.dependencytrack.persistence.QueryManager;
 import org.dependencytrack.resources.v1.problems.InvalidBomProblemDetails;
 import org.dependencytrack.resources.v1.problems.ProblemDetails;
+import com.fasterxml.jackson.core.type.TypeReference;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import org.dependencytrack.resources.v1.vo.BomSubmitRequest;
 import org.dependencytrack.resources.v1.vo.BomUploadResponse;
 import org.dependencytrack.resources.v1.vo.IsTokenBeingProcessedResponse;
@@ -92,13 +97,17 @@
 import java.util.Arrays;
 import java.util.Base64;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Objects;
 import java.util.Set;
 import java.util.UUID;
 import java.util.stream.Collectors;
 
+import jakarta.ws.rs.ClientErrorException;
+import static java.util.Objects.requireNonNullElseGet;
 import static java.util.function.Predicate.not;
+import static org.dependencytrack.util.PersistenceUtil.isPersistent;
 import static org.dependencytrack.model.ConfigPropertyConstants.BOM_VALIDATION_MODE;
 import static org.dependencytrack.model.ConfigPropertyConstants.BOM_VALIDATION_TAGS_EXCLUSIVE;
 import static org.dependencytrack.model.ConfigPropertyConstants.BOM_VALIDATION_TAGS_INCLUSIVE;
@@ -382,6 +391,7 @@ public Response uploadBom(@Parameter(required = true) BomSubmitRequest request)
                                 StringUtils.trimToNull(request.getProjectVersion()), request.getProjectTags(), parent,
                                 null, true, request.isLatest(), true);
                         Principal principal = getPrincipal();
+                        applyAccessTeamsToProject(qm, project, requireNonNullElseGet(request.getAccessTeams(), Collections::emptyList), principal);
                         qm.updateNewProjectACL(project, principal);
                     } else {
                         return Response.status(Response.Status.UNAUTHORIZED).entity("The principal does not have permission to create project.").build();
@@ -444,6 +454,7 @@ public Response uploadBom(
             @FormDataParam("projectName") String projectName,
             @FormDataParam("projectVersion") String projectVersion,
             @FormDataParam("projectTags") String projectTags,
+            @FormDataParam("accessTeams") String accessTeamsJson,
             @FormDataParam("parentName") String parentName,
             @FormDataParam("parentVersion") String parentVersion,
             @FormDataParam("parentUUID") String parentUUID,
@@ -453,6 +464,7 @@ public Response uploadBom(
         final List<org.dependencytrack.model.Tag> requestTags = (projectTags != null && !projectTags.isBlank())
                 ? Arrays.stream(projectTags.split(",")).map(String::trim).filter(not(String::isEmpty)).map(Tag::new).toList()
                 : null;
+        final List<Team> accessTeams = parseAccessTeams(accessTeamsJson);
 
         if (projectUuid != null) { // behavior in v3.0.0
             try (QueryManager qm = new QueryManager()) {
@@ -494,6 +506,7 @@ public Response uploadBom(
                         }
                         project = qm.createProject(trimmedProjectName, null, trimmedProjectVersion, requestTags, parent, null, true, isLatest, true);
                         Principal principal = getPrincipal();
+                        applyAccessTeamsToProject(qm, project, accessTeams, principal);
                         qm.updateNewProjectACL(project, principal);
                     } else {
                         return Response.status(Response.Status.UNAUTHORIZED).entity("The principal does not have permission to create project.").build();
@@ -694,6 +707,69 @@ private static boolean shouldValidate(final Project project) {
         }
     }
 
+    private static List<Team> parseAccessTeams(final String accessTeamsJson) {
+        if (accessTeamsJson == null || accessTeamsJson.isBlank()) {
+            return Collections.emptyList();
+        }
+        try {
+            return new ObjectMapper().readValue(accessTeamsJson, new TypeReference<>() {});
+        } catch (Exception e) {
+            throw new ClientErrorException(Response.status(Response.Status.BAD_REQUEST)
+                    .entity("accessTeams must be a valid JSON array of team objects with uuid or name")
+                    .build());
+        }
+    }
+
+    private void applyAccessTeamsToProject(final QueryManager qm, final Project project,
+            final List<Team> chosenTeams, final Principal principal) {
+        if (chosenTeams.isEmpty()) {
+            return;
+        }
+        for (final Team chosenTeam : chosenTeams) {
+            if (chosenTeam.getUuid() == null && chosenTeam.getName() == null) {
+                throw new ClientErrorException(Response.status(Response.Status.BAD_REQUEST)
+                        .entity("""
+                                accessTeams must either specify a UUID or a name,\
+                                but the team at index %d has neither.""".formatted(chosenTeams.indexOf(chosenTeam)))
+                        .build());
+            }
+        }
+        final List<Team> userTeams;
+        if (principal instanceof final UserPrincipal userPrincipal) {
+            userTeams = userPrincipal.getTeams();
+        } else if (principal instanceof final ApiKey apiKey) {
+            userTeams = apiKey.getTeams();
+        } else {
+            userTeams = Collections.emptyList();
+        }
+        final boolean isAdmin = qm.hasAccessManagementPermission(principal);
+        final List<Team> visibleTeams = isAdmin ? qm.getTeams() : userTeams;
+        final var visibleTeamByUuid = new HashMap<UUID, Team>(visibleTeams.size());
+        final var visibleTeamByName = new HashMap<String, Team>(visibleTeams.size());
+        for (final Team visibleTeam : visibleTeams) {
+            visibleTeamByUuid.put(visibleTeam.getUuid(), visibleTeam);
+            visibleTeamByName.put(visibleTeam.getName(), visibleTeam);
+        }
+        for (final Team chosenTeam : chosenTeams) {
+            Team visibleTeam = visibleTeamByUuid.getOrDefault(
+                    chosenTeam.getUuid(),
+                    visibleTeamByName.get(chosenTeam.getName()));
+            if (visibleTeam == null) {
+                throw new ClientErrorException(Response.status(Response.Status.BAD_REQUEST)
+                        .entity("""
+                                The team with %s can not be assigned because it does not exist, \
+                                or is not accessible to the authenticated principal.""".formatted(
+                                chosenTeam.getUuid() != null ? "UUID " + chosenTeam.getUuid() : "name " + chosenTeam.getName()))
+                        .build());
+            }
+            if (!isPersistent(visibleTeam)) {
+                visibleTeam = qm.getObjectById(Team.class, visibleTeam.getId());
+            }
+            project.addAccessTeam(visibleTeam);
+        }
+        qm.persist(project);
+    }
+
     private void maybeBindTags(final QueryManager qm, final Project project, final List<Tag> tags) {
         if (tags == null) {
             return;

src/main/java/org/dependencytrack/resources/v1/vo/BomSubmitRequest.java

@@ -25,6 +25,7 @@
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
 import io.swagger.v3.oas.annotations.media.Schema;
+import alpine.model.Team;
 import org.dependencytrack.model.Tag;
 
 import jakarta.validation.constraints.NotBlank;
@@ -75,14 +76,16 @@ public final class BomSubmitRequest {
 
     private final boolean isLatest;
 
+    private final List<Team> accessTeams;
+
     public BomSubmitRequest(String project,
                             String projectName,
                             String projectVersion,
                             List<Tag> projectTags,
                             boolean autoCreate,
                             boolean isLatest,
                             String bom) {
-        this(project, projectName, projectVersion, projectTags, autoCreate, null, null, null, isLatest, bom);
+        this(project, projectName, projectVersion, projectTags, autoCreate, null, null, null, isLatest, null, bom);
     }
 
     @JsonCreator
@@ -96,6 +99,7 @@ public BomSubmitRequest(
             @JsonProperty(value = "parentName") String parentName,
             @JsonProperty(value = "parentVersion") String parentVersion,
             @JsonProperty(value = "isLatest", defaultValue = "false") @JsonAlias("isLatestProjectVersion") boolean isLatest,
+            @JsonProperty(value = "accessTeams") List<Team> accessTeams,
             @JsonProperty(value = "bom", required = true) String bom) {
         this.project = project;
         this.projectName = projectName;
@@ -106,6 +110,7 @@ public BomSubmitRequest(
         this.parentName = parentName;
         this.parentVersion = parentVersion;
         this.isLatest = isLatest;
+        this.accessTeams = accessTeams;
         this.bom = bom;
     }
 
@@ -153,6 +158,14 @@ public boolean isAutoCreate() {
     @JsonProperty("isLatest")
     public boolean isLatest() { return isLatest; }
 
+    @Schema(description = """
+            Teams to grant access to when auto-creating a project. Either uuid or name of a team must be specified. \
+            Only teams which the authenticated principal is a member of can be assigned. \
+            Principals with ACCESS_MANAGEMENT permission can assign any team.""")
+    public List<Team> getAccessTeams() {
+        return accessTeams;
+    }
+
     @Schema(
             description = "Base64 encoded BOM",
             required = true,

src/test/java/org/dependencytrack/resources/v1/BomResourceTest.java

@@ -20,6 +20,7 @@
 
 import alpine.common.util.UuidUtil;
 import alpine.model.IConfigProperty;
+import alpine.model.Team;
 import alpine.server.filters.ApiFilter;
 import alpine.server.filters.AuthenticationFilter;
 import com.fasterxml.jackson.core.StreamReadConstraints;
@@ -947,6 +948,30 @@ void uploadBomAutoCreateTest() throws Exception {
         Assertions.assertNotNull(project);
     }
 
+    @Test
+    void uploadBomAutoCreateWithAccessTeamsTest() throws Exception {
+        initializeWithPermissions(Permissions.BOM_UPLOAD, Permissions.PROJECT_CREATION_UPLOAD);
+        String bomString = Base64.getEncoder().encodeToString(resourceToByteArray("/unit/bom-1.xml"));
+        String json = """
+                {
+                  "projectName": "AccessTeams Example",
+                  "projectVersion": "1.0",
+                  "autoCreate": true,
+                  "accessTeams": [{"name": "%s"}],
+                  "bom": "%s"
+                }
+                """.formatted(team.getName(), bomString);
+        Response response = jersey.target(V1_BOM).request()
+                .header(X_API_KEY, apiKey)
+                .put(Entity.entity(json, MediaType.APPLICATION_JSON));
+        Assertions.assertEquals(200, response.getStatus(), 0);
+        Project project = qm.getProject("AccessTeams Example", "1.0");
+        Assertions.assertNotNull(project);
+        assertThat(project.getAccessTeams())
+                .extracting(Team::getName)
+                .containsOnly(team.getName());
+    }
+
     @Test
     void uploadBomAutoCreateWithTagsTest() throws Exception {
         initializeWithPermissions(Permissions.BOM_UPLOAD, Permissions.PROJECT_CREATION_UPLOAD);
@@ -1134,7 +1159,7 @@ void uploadBomAutoCreateTestWithParentTest() throws Exception {
         String parentUUID = parent.getUuid().toString();
 
         // Upload first child, search parent by UUID
-        request = new BomSubmitRequest(null, "Acme Example", "1.0", null, true, parentUUID, null, null, false, bomString);
+        request = new BomSubmitRequest(null, "Acme Example", "1.0", null, true, parentUUID, null, null, false, null, bomString);
         response = jersey.target(V1_BOM).request()
                 .header(X_API_KEY, apiKey)
                 .put(Entity.entity(request, MediaType.APPLICATION_JSON));
@@ -1150,7 +1175,7 @@ void uploadBomAutoCreateTestWithParentTest() throws Exception {
 
 
         // Upload second child, search parent by name+ver
-        request = new BomSubmitRequest(null, "Acme Example", "2.0", null, true, null, "Acme Parent", "1.0", false, bomString);
+        request = new BomSubmitRequest(null, "Acme Example", "2.0", null, true, null, "Acme Parent", "1.0", false, null, bomString);
         response = jersey.target(V1_BOM).request()
                 .header(X_API_KEY, apiKey)
                 .put(Entity.entity(request, MediaType.APPLICATION_JSON));
@@ -1165,7 +1190,7 @@ void uploadBomAutoCreateTestWithParentTest() throws Exception {
         Assertions.assertEquals(parentUUID, child.getParent().getUuid().toString());
 
         // Upload third child, specify parent's UUID, name, ver. Name and ver are ignored when UUID is specified.
-        request = new BomSubmitRequest(null, "Acme Example", "3.0", null, true, parentUUID, "Non-existent parent", "1.0", false, bomString);
+        request = new BomSubmitRequest(null, "Acme Example", "3.0", null, true, parentUUID, "Non-existent parent", "1.0", false, null, bomString);
         response = jersey.target(V1_BOM).request()
                 .header(X_API_KEY, apiKey)
                 .put(Entity.entity(request, MediaType.APPLICATION_JSON));
@@ -1184,15 +1209,15 @@ void uploadBomAutoCreateTestWithParentTest() throws Exception {
     void uploadBomInvalidParentTest() throws Exception {
         initializeWithPermissions(Permissions.BOM_UPLOAD, Permissions.PROJECT_CREATION_UPLOAD);
         String bomString = Base64.getEncoder().encodeToString(resourceToByteArray("/unit/bom-1.xml"));
-        BomSubmitRequest request = new BomSubmitRequest(null, "Acme Example", "1.0", null, true, UUID.randomUUID().toString(), null, null, false, bomString);
+        BomSubmitRequest request = new BomSubmitRequest(null, "Acme Example", "1.0", null, true, UUID.randomUUID().toString(), null, null, false, null, bomString);
         Response response = jersey.target(V1_BOM).request()
                 .header(X_API_KEY, apiKey)
                 .put(Entity.entity(request, MediaType.APPLICATION_JSON));
         Assertions.assertEquals(404, response.getStatus(), 0);
         String body = getPlainTextBody(response);
         Assertions.assertEquals("The parent component could not be found.", body);
 
-        request = new BomSubmitRequest(null, "Acme Example", "2.0", null, true, null, "Non-existent parent", null, false, bomString);
+        request = new BomSubmitRequest(null, "Acme Example", "2.0", null, true, null, "Non-existent parent", null, false, null, bomString);
         response = jersey.target(V1_BOM).request()
                 .header(X_API_KEY, apiKey)
                 .put(Entity.entity(request, MediaType.APPLICATION_JSON));