DependencyTrack
diff --git a/‎pom.xml
Lines changed: 1 addition & 0 deletions b/‎pom.xml
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/main/java/org/dependencytrack/persistence/ProjectQueryManager.java
Lines changed: 52 additions & 72 deletions b/‎src/main/java/org/dependencytrack/persistence/ProjectQueryManager.java
Lines changed: 52 additions & 72 deletions
diff --git a/‎src/main/java/org/dependencytrack/persistence/QueryManager.java
Lines changed: 5 additions & 17 deletions b/‎src/main/java/org/dependencytrack/persistence/QueryManager.java
Lines changed: 5 additions & 17 deletions
diff --git a/‎src/main/java/org/dependencytrack/persistence/datanucleus/method/ProjectIsAccessibleByMethod.java
Lines changed: 109 additions & 0 deletions b/‎src/main/java/org/dependencytrack/persistence/datanucleus/method/ProjectIsAccessibleByMethod.java
Lines changed: 109 additions & 0 deletions
diff --git a/‎src/main/java/org/dependencytrack/persistence/jdbi/ApiRequestStatementCustomizer.java
Lines changed: 4 additions & 10 deletions b/‎src/main/java/org/dependencytrack/persistence/jdbi/ApiRequestStatementCustomizer.java
Lines changed: 4 additions & 10 deletions
diff --git a/‎src/main/resources/META-INF/MANIFEST.MF
Lines changed: 7 additions & 0 deletions b/‎src/main/resources/META-INF/MANIFEST.MF
Lines changed: 7 additions & 0 deletions
diff --git a/‎src/main/resources/migration/changelog-procedures.xml
Lines changed: 3 additions & 0 deletions b/‎src/main/resources/migration/changelog-procedures.xml
Lines changed: 3 additions & 0 deletions
diff --git a/‎src/main/resources/migration/procedures/function_has-project-access.sql
Lines changed: 29 additions & 0 deletions b/‎src/main/resources/migration/procedures/function_has-project-access.sql
Lines changed: 29 additions & 0 deletions
@@ -568,6 +568,7 @@
                 <directory>src/main/resources</directory>
                 <filtering>true</filtering>
                 <includes>
+                    <include>META-INF/MANIFEST.MF</include>
                     <include>application.version</include>
                     <include>openapi-configuration.yaml</include>
                 </includes>
 
@@ -32,7 +32,6 @@
 import com.fasterxml.jackson.databind.json.JsonMapper;
 import com.github.packageurl.PackageURL;
 import org.apache.commons.collections4.CollectionUtils;
-import org.apache.commons.lang3.StringUtils;
 import org.datanucleus.api.jdo.JDOQuery;
 import org.dependencytrack.auth.Permissions;
 import org.dependencytrack.event.kafka.KafkaEventDispatcher;
@@ -71,6 +70,7 @@
 import java.util.UUID;
 import java.util.concurrent.atomic.AtomicReference;
 
+import static java.util.Objects.requireNonNullElse;
 import static org.dependencytrack.util.PersistenceUtil.assertPersistent;
 import static org.dependencytrack.util.PersistenceUtil.assertPersistentAll;
 
@@ -940,45 +940,54 @@ public Project updateLastBomImport(Project p, Date date, String bomFormat) {
 
     @Override
     public boolean hasAccess(final Principal principal, final Project project) {
-        if (isEnabled(ConfigPropertyConstants.ACCESS_MANAGEMENT_ACL_ENABLED)) {
-            if (principal instanceof UserPrincipal userPrincipal) {
-                if (super.hasAccessManagementPermission(userPrincipal)) {
-                    return true;
-                }
-                if (userPrincipal.getTeams() != null) {
-                    for (final Team userInTeam : userPrincipal.getTeams()) {
-                        for (final Team accessTeam : project.getAccessTeams()) {
-                            if (userInTeam.getId() == accessTeam.getId()) {
-                                return true;
-                            }
-                        }
-                    }
-                }
-            } else if (principal instanceof ApiKey apiKey) {
-                if (super.hasAccessManagementPermission(apiKey)) {
-                    return true;
-                }
-                if (apiKey.getTeams() != null) {
-                    for (final Team userInTeam : apiKey.getTeams()) {
-                        for (final Team accessTeam : project.getAccessTeams()) {
-                            if (userInTeam.getId() == accessTeam.getId()) {
-                                return true;
-                            }
-                        }
-                    }
-                }
-            } else if (principal == null) {
-                // This is a system request being made (e.g. MetricsUpdateTask, etc) where there isn't a principal
-                return true;
-            }
-            return false;
-        } else {
+        if (principal == null) {
+            // This is a system request being made (e.g. MetricsUpdateTask, etc) where there isn't a principal
+            return true;
+        }
+
+        if (!isEnabled(ConfigPropertyConstants.ACCESS_MANAGEMENT_ACL_ENABLED)) {
+            return true;
+        }
+
+        // TODO: After upgrading to Alpine >= 3.2.0, this should become:
+        //   request.getEffectivePermission().contains(Permissions.ACCESS_MANAGEMENT.name())
+        // https://github.com/stevespringett/Alpine/pull/764
+        if (super.hasAccessManagementPermission(principal)) {
             return true;
         }
+
+        final Set<Long> teamIds = getTeamIds(principal);
+        if (teamIds.isEmpty()) {
+            return false;
+        }
+
+        final Query<?> query = pm.newQuery(Query.SQL, "SELECT HAS_PROJECT_ACCESS(:projectId, :teamIds)");
+        query.setNamedParameters(Map.ofEntries(
+                Map.entry("projectId", project.getId()),
+                Map.entry("teamIds", teamIds.toArray(new Long[0]))));
+        return executeAndCloseResultUnique(query, Boolean.class);
     }
 
     @Override
     void preprocessACLs(final Query<?> query, final String inputFilter, final Map<String, Object> params, final boolean bypass) {
+        if (bypass
+            || principal == null
+            || !isEnabled(ConfigPropertyConstants.ACCESS_MANAGEMENT_ACL_ENABLED)
+            || hasAccessManagementPermission(principal)) {
+            query.setFilter(inputFilter);
+            return;
+        }
+
+        final Set<Long> teamIds = getTeamIds(principal);
+        if (teamIds.isEmpty()) {
+            if (inputFilter != null && !inputFilter.isBlank()) {
+                query.setFilter(inputFilter + " && false");
+            } else {
+                query.setFilter("false");
+            }
+            return;
+        }
+
         String projectMemberFieldName = null;
         final org.datanucleus.store.query.Query<?> internalQuery = ((JDOQuery<?>)query).getInternalQuery();
         if (!Project.class.equals(internalQuery.getCandidateClass())) {
@@ -1006,45 +1015,16 @@ void preprocessACLs(final Query<?> query, final String inputFilter, final Map<St
                         .formatted(internalQuery.getCandidateClassName(), Project.class.getName()));
             }
         }
-        if (super.principal != null && isEnabled(ConfigPropertyConstants.ACCESS_MANAGEMENT_ACL_ENABLED) && !bypass) {
-            final List<Team> teams;
-            if (super.principal instanceof UserPrincipal userPrincipal) {
-                teams = userPrincipal.getTeams();
-                if (super.hasAccessManagementPermission(userPrincipal)) {
-                    query.setFilter(inputFilter);
-                    return;
-                }
-            } else {
-                final ApiKey apiKey = ((ApiKey) super.principal);
-                teams = apiKey.getTeams();
-                if (super.hasAccessManagementPermission(apiKey)) {
-                    query.setFilter(inputFilter);
-                    return;
-                }
-            }
-            if (teams != null && !teams.isEmpty()) {
-                final StringBuilder sb = new StringBuilder();
-                for (int i = 0, teamsSize = teams.size(); i < teamsSize; i++) {
-                    final Team team = super.getObjectById(Team.class, teams.get(i).getId());
-                    sb.append(" ");
-                    if (projectMemberFieldName != null) {
-                        sb.append(projectMemberFieldName).append(".");
-                    }
-                    sb.append(" accessTeams.contains(:team").append(i).append(") ");
-                    params.put("team" + i, team);
-                    if (i < teamsSize - 1) {
-                        sb.append(" || ");
-                    }
-                }
-                if (inputFilter != null && !inputFilter.isBlank()) {
-                    query.setFilter(inputFilter + " && (" + sb + ")");
-                } else {
-                    query.setFilter(sb.toString());
-                }
-            }
-        } else if (StringUtils.trimToNull(inputFilter) != null) {
-            query.setFilter(inputFilter);
+
+        final var aclCondition = "%s.isAccessibleBy(:projectAclTeamIds)".formatted(
+                requireNonNullElse(projectMemberFieldName, "this"));
+        if (inputFilter != null && !inputFilter.isBlank()) {
+            query.setFilter("%s && (%s)".formatted(inputFilter, aclCondition));
+        } else {
+            query.setFilter("(%s)".formatted(aclCondition));
         }
+
+        params.put("projectAclTeamIds", teamIds.toArray(new Long[0]));
     }
 
     /**
 
@@ -2052,34 +2052,22 @@ public Map.Entry<String, Map<String, Object>> getProjectAclSqlCondition() {
      */
     public Map.Entry<String, Map<String, Object>> getProjectAclSqlCondition(final String projectTableAlias) {
         if (request == null) {
-            return Map.entry(/* true */ "1=1", Collections.emptyMap());
+            return Map.entry("TRUE", Collections.emptyMap());
         }
 
         if (principal == null || !isEnabled(ACCESS_MANAGEMENT_ACL_ENABLED) || hasAccessManagementPermission(principal)) {
-            return Map.entry(/* true */ "1=1", Collections.emptyMap());
+            return Map.entry("TRUE", Collections.emptyMap());
         }
 
         final var teamIds = new ArrayList<>(getTeamIds(principal));
         if (teamIds.isEmpty()) {
-            return Map.entry(/* false */ "1=2", Collections.emptyMap());
+            return Map.entry("FALSE", Collections.emptyMap());
         }
 
-
-        // NB: Need to work around the fact that the RDBMSes can't agree on how to do member checks. Oh joy! :)))
         final var params = new HashMap<String, Object>();
-        final var teamIdChecks = new ArrayList<String>();
-        for (int i = 0; i < teamIds.size(); i++) {
-            teamIdChecks.add("\"PROJECT_ACCESS_TEAMS\".\"TEAM_ID\" = :teamId" + i);
-            params.put("teamId" + i, teamIds.get(i));
-        }
+        params.put("projectAclTeamIds", teamIds.toArray(new Long[0]));
 
-        return Map.entry("""
-                EXISTS (
-                  SELECT 1
-                    FROM "PROJECT_ACCESS_TEAMS"
-                   WHERE "PROJECT_ACCESS_TEAMS"."PROJECT_ID" = "%s"."ID"
-                     AND (%s)
-                )""".formatted(projectTableAlias, String.join(" OR ", teamIdChecks)), params);
+        return Map.entry("HAS_PROJECT_ACCESS(\"%s\".\"ID\", :projectAclTeamIds)".formatted(projectTableAlias), params);
     }
 
     /**
 
@@ -0,0 +1,109 @@
+/*
+ * This file is part of Dependency-Track.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
+ */
+package org.dependencytrack.persistence.datanucleus.method;
+
+import org.datanucleus.store.query.expression.Expression;
+import org.datanucleus.store.rdbms.mapping.java.JavaTypeMapping;
+import org.datanucleus.store.rdbms.sql.SQLStatement;
+import org.datanucleus.store.rdbms.sql.expression.ArrayLiteral;
+import org.datanucleus.store.rdbms.sql.expression.BooleanExpression;
+import org.datanucleus.store.rdbms.sql.expression.BooleanLiteral;
+import org.datanucleus.store.rdbms.sql.expression.ObjectExpression;
+import org.datanucleus.store.rdbms.sql.expression.SQLExpression;
+import org.datanucleus.store.rdbms.sql.expression.StringExpression;
+import org.datanucleus.store.rdbms.sql.expression.StringLiteral;
+import org.datanucleus.store.rdbms.sql.method.SQLMethod;
+import org.dependencytrack.model.Project;
+
+import java.util.List;
+import java.util.StringJoiner;
+
+/**
+ * @since 5.6.0
+ */
+public class ProjectIsAccessibleByMethod implements SQLMethod {
+
+    @Override
+    public SQLExpression getExpression(
+            final SQLStatement stmt,
+            final SQLExpression expr,
+            final List<SQLExpression> args) {
+        if (!(expr instanceof final ObjectExpression objectExpr)) {
+            // DataNucleus should prevent this from ever happening since
+            // the method is explicitly registered for java.lang.Object.
+            throw new IllegalStateException(
+                    "Expected expression to be of type %s, but got: %s".formatted(
+                            ObjectExpression.class.getName(), expr.getClass().getName()));
+        }
+
+        final String objectTypeName = objectExpr.getJavaTypeMapping().getType();
+        if (!Project.class.getName().equals(objectTypeName)) {
+            throw new IllegalStateException(
+                    "isAccessibleBy is only allowed for objects of type %s, but was called on %s".formatted(
+                            Project.class.getName(), objectTypeName));
+        }
+
+        if (args == null) {
+            throw new IllegalArgumentException();
+        } else if (args.size() != 1) {
+            throw new IllegalArgumentException("Expected exactly one argument, but got " + args.size());
+        }
+
+        // TODO: When a list, set, etc. is passed as argument, it will be of type CollectionLiteral.
+        //  Array literals are easier to verify the type of, hence we're focusing on that for now.
+
+        if (!(args.getFirst() instanceof final ArrayLiteral arrayLiteralArg)) {
+            throw new IllegalArgumentException(
+                    "Expected argument to be of type %s, but got %s".formatted(
+                            ArrayLiteral.class.getName(), args.getFirst().getClass().getName()));
+        }
+        if (!(arrayLiteralArg.getValue() instanceof final Long[] teamIds)) {
+            throw new IllegalArgumentException(
+                    "Expected array argument to be of type %s, but got %s".formatted(
+                            Long[].class.getName(), arrayLiteralArg.getValue().getClass().getName()));
+        }
+
+        final JavaTypeMapping booleanTypeMapping = stmt.getSQLExpressionFactory().getMappingForType(Boolean.class);
+        final JavaTypeMapping stringTypeMapping = stmt.getSQLExpressionFactory().getMappingForType(String.class);
+
+        // Transform the array literal to have the correct type for Postgres.
+        // Will result in the following expression: cast('{1,2,3}' as bigint[])
+        final StringJoiner joiner = new StringJoiner(",", "{", "}");
+        for (final Long teamId : teamIds) {
+            joiner.add(String.valueOf(teamId));
+        }
+        final var teamIdsLiteral = new StringLiteral(
+                stmt, stringTypeMapping, joiner.toString(), null);
+        final var teamIdsExpr = new StringExpression(
+                stmt, stringTypeMapping, "cast", List.of(teamIdsLiteral), List.of("bigint[]"));
+
+        // NB: objectExpr will compile to a reference of the object table's ID column, e.g.:
+        //   * "A0"."ID"
+        //   * "B0"."PROJECT_ID"
+        final var hasProjectAccessFunctionExpr = new StringExpression(
+                stmt, stringTypeMapping, "has_project_access", List.of(objectExpr, teamIdsExpr));
+
+        // Wrap the function call in a boolean expression. Final result(s) will be:
+        //   * has_project_access("A0"."ID", cast('{1,2,3}' as bigint[])) = TRUE
+        //   * has_project_access("B0"."PROJECT_ID", cast('{1,2,3}' as bigint[])) = TRUE
+        final var booleanTrueLiteral = new BooleanLiteral(stmt, booleanTypeMapping, Boolean.TRUE, null);
+        return new BooleanExpression(hasProjectAccessFunctionExpr, Expression.OP_EQ, booleanTrueLiteral);
+    }
+
+}
@@ -71,13 +71,7 @@
 class ApiRequestStatementCustomizer implements StatementCustomizer {
 
     static final String PARAMETER_PROJECT_ACL_TEAM_IDS = "projectAclTeamIds";
-    static final String TEMPLATE_PROJECT_ACL_CONDITION = """
-            EXISTS (
-              SELECT 1
-                FROM "PROJECT_ACCESS_TEAMS"
-               WHERE "PROJECT_ACCESS_TEAMS"."PROJECT_ID" = "%s"."ID"
-                 AND "PROJECT_ACCESS_TEAMS"."TEAM_ID" = ANY(:projectAclTeamIds)
-            )""";
+    static final String TEMPLATE_PROJECT_ACL_CONDITION = "HAS_PROJECT_ACCESS(\"%s\".\"ID\", :projectAclTeamIds)";
 
     private final AlpineRequest apiRequest;
 
@@ -214,9 +208,9 @@ private boolean isAclEnabled(final StatementContext ctx) throws SQLException {
     }
 
     private boolean hasAccessManagementPermission(final StatementContext ctx, final Principal principal) throws SQLException {
-        // NB: This could be simplified if Alpine's AuthenticationFilter would load all
-        // effective permissions of the authenticated user, and make them available in
-        // the Principal object. Then, we wouldn't need to perform any database queries here.
+        // TODO: After upgrading to Alpine >= 3.2.0, this should become:
+        //   apiRequest.getEffectivePermission().contains(Permissions.ACCESS_MANAGEMENT.name())
+        // https://github.com/stevespringett/Alpine/pull/764
 
         return switch (principal) {
             case ApiKey apiKey -> hasAccessManagementPermission(ctx, apiKey);
 
@@ -0,0 +1,7 @@
+Manifest-Version: 1.0
+Bundle-Description: DataNucleus plugin for Dependency-Track-specific functionality
+Bundle-License: https://apache.org/licenses/LICENSE-2.0.txt
+Bundle-ManifestVersion: 2
+Bundle-Name: datanucleus-dependencytrack
+Bundle-SymbolicName: org.dependencytrack.persistence.datanucleus;singleton:=true
+Bundle-Version: ${project.version}
@@ -23,4 +23,7 @@
     <changeSet id="procedure_update-portfolio-metrics" author="nscuro@protonmail.com" runOnChange="true">
         <createProcedure path="procedures/procedure_update-portfolio-metrics.sql" relativeToChangelogFile="true"/>
     </changeSet>
+    <changeSet id="function_has-project-access" author="nscuro" runOnChange="true">
+        <createProcedure path="procedures/function_has-project-access.sql" relativeToChangelogFile="true"/>
+    </changeSet>
 </databaseChangeLog>
@@ -0,0 +1,29 @@
+create or replace function has_project_access(
+  project_id bigint
+, team_ids bigint[]
+) returns bool
+  language "sql"
+  parallel safe
+  stable
+as
+$$
+with recursive project_hierarchy(id, parent_id) as(
+  select "ID" as id
+       , "PARENT_PROJECT_ID" as parent_id
+    from "PROJECT"
+   where "ID" = project_id
+   union all
+  select "PROJECT"."ID" as id
+       , "PROJECT"."PARENT_PROJECT_ID" as parent_id
+    from "PROJECT"
+   inner join project_hierarchy
+      on project_hierarchy.parent_id = "PROJECT"."ID"
+)
+select exists(
+  select 1
+    from project_hierarchy
+   inner join "PROJECT_ACCESS_TEAMS"
+      on "PROJECT_ACCESS_TEAMS"."PROJECT_ID" = project_hierarchy.id
+   where "PROJECT_ACCESS_TEAMS"."TEAM_ID" = any(team_ids)
+)
+$$;