Always set ACL on new projects when using API key with team

src/main/java/org/dependencytrack/persistence/ProjectQueryManager.java

@@ -1032,13 +1032,13 @@ public void deleteProjectsByUUIDs(Collection<UUID> uuids) {
                 );
                 executeAndCloseWithArray(sqlQuery, queryParameter);
 
-                sqlQuery = pm.newQuery(JDOQuery.SQL_QUERY_LANGUAGE, """                        
+                sqlQuery = pm.newQuery(JDOQuery.SQL_QUERY_LANGUAGE, """
                     DELETE FROM "DEPENDENCYMETRICS" WHERE "PROJECT_ID" = ANY(?);
                     """.replaceAll(Pattern.quote("= ANY(?)"), inExpression)
                 );
                 executeAndCloseWithArray(sqlQuery, queryParameter);
 
-                sqlQuery = pm.newQuery(JDOQuery.SQL_QUERY_LANGUAGE, """                        
+                sqlQuery = pm.newQuery(JDOQuery.SQL_QUERY_LANGUAGE, """
                     DELETE FROM "FINDINGATTRIBUTION" WHERE "PROJECT_ID" = ANY(?);
                     """.replaceAll(Pattern.quote("= ANY(?)"), inExpression)
                 );
@@ -1060,13 +1060,13 @@ public void deleteProjectsByUUIDs(Collection<UUID> uuids) {
                 );
                 executeAndCloseWithArray(sqlQuery, queryParameter);
 
-                sqlQuery = pm.newQuery(JDOQuery.SQL_QUERY_LANGUAGE, """                        
+                sqlQuery = pm.newQuery(JDOQuery.SQL_QUERY_LANGUAGE, """
                     DELETE FROM "ANALYSIS" WHERE "PROJECT_ID" = ANY(?);
                     """.replace("= ANY(?)", inExpression)
                 );
                 executeAndCloseWithArray(sqlQuery, queryParameter);
 
-                sqlQuery = pm.newQuery(JDOQuery.SQL_QUERY_LANGUAGE, """                        
+                sqlQuery = pm.newQuery(JDOQuery.SQL_QUERY_LANGUAGE, """
                     DELETE FROM "COMPONENT_PROPERTY" WHERE "COMPONENT_ID" IN (
                         SELECT "ID" FROM "COMPONENT" WHERE "PROJECT_ID" = ANY(?)
                     );
@@ -1119,7 +1119,7 @@ WHERE PROJECT.ID IN (SELECT value FROM STRING_SPLIT(?, ','))
                     executeAndCloseWithArray(sqlQuery, queryParameter);
                 }
 
-                sqlQuery = pm.newQuery(JDOQuery.SQL_QUERY_LANGUAGE, """                        
+                sqlQuery = pm.newQuery(JDOQuery.SQL_QUERY_LANGUAGE, """
                     DELETE FROM "COMPONENT" WHERE "PROJECT_ID" = ANY(?);
                     """.replace("= ANY(?)", inExpression)
                 );
@@ -1318,7 +1318,7 @@ WHERE PROJECT.ID IN (SELECT value FROM STRING_SPLIT(?, ','))
                     executeAndCloseWithArray(sqlQuery, queryParameter);
                 }
 
-                sqlQuery = pm.newQuery(JDOQuery.SQL_QUERY_LANGUAGE, """                        
+                sqlQuery = pm.newQuery(JDOQuery.SQL_QUERY_LANGUAGE, """
                     DELETE FROM "PROJECT" WHERE "ID" = ANY(?);
                     """.replace("= ANY(?)", inExpression)
                 );
@@ -1564,7 +1564,7 @@ void preprocessACLs(final Query<?> query, final String inputFilter, final Map<St
 
     /**
      * Updates a Project ACL to add the principals Team to the AccessTeams
-     * This only happens if Portfolio Access Control is enabled and the @param principal is an ApyKey
+     * This only happens if @param principal is an ApyKey
      * For a UserPrincipal we don't know which Team(s) to add to the ACL,
      * See https://github.com/DependencyTrack/dependency-track/issues/1435
      * @param project
@@ -1573,7 +1573,7 @@ void preprocessACLs(final Query<?> query, final String inputFilter, final Map<St
      */
     @Override
     public boolean updateNewProjectACL(Project project, Principal principal) {
-        if (isEnabled(ConfigPropertyConstants.ACCESS_MANAGEMENT_ACL_ENABLED) && principal instanceof ApiKey apiKey) {
+        if (principal instanceof ApiKey apiKey) {
             final var apiTeam = apiKey.getTeams().stream().findFirst();
             if (apiTeam.isPresent()) {
                 LOGGER.debug("adding Team to ACL of newly created project");

src/test/java/org/dependencytrack/resources/v1/BomResourceTest.java

@@ -20,6 +20,7 @@
 
 import alpine.common.util.UuidUtil;
 import alpine.model.IConfigProperty;
+import alpine.model.Team;
 import alpine.server.filters.ApiFilter;
 import alpine.server.filters.AuthenticationFilter;
 import com.fasterxml.jackson.core.StreamReadConstraints;
@@ -947,6 +948,23 @@ void uploadBomAutoCreateTest() throws Exception {
         Assertions.assertNotNull(project);
     }
 
+    @Test
+    void uploadBomAutoCreateWithAclDisabledAddsApiKeyTeamTest() throws Exception {
+        initializeWithPermissions(Permissions.BOM_UPLOAD, Permissions.PROJECT_CREATION_UPLOAD);
+        // ACL is not enabled - updateNewProjectACL should still add the API key's team
+        String bomString = Base64.getEncoder().encodeToString(resourceToByteArray("/unit/bom-1.xml"));
+        BomSubmitRequest request = new BomSubmitRequest(null, "AclDisabled Example", "1.0", null, true, false, bomString);
+        Response response = jersey.target(V1_BOM).request()
+                .header(X_API_KEY, apiKey)
+                .put(Entity.entity(request, MediaType.APPLICATION_JSON));
+        Assertions.assertEquals(200, response.getStatus(), 0);
+        Project project = qm.getProject("AclDisabled Example", "1.0");
+        Assertions.assertNotNull(project);
+        assertThat(project.getAccessTeams())
+                .extracting(Team::getName)
+                .containsOnly(team.getName());
+    }
+
     @Test
     void uploadBomAutoCreateWithTagsTest() throws Exception {
         initializeWithPermissions(Permissions.BOM_UPLOAD, Permissions.PROJECT_CREATION_UPLOAD);

src/test/java/org/dependencytrack/resources/v1/ProjectResourceTest.java

@@ -933,6 +933,22 @@ void createProjectAsApiKeyWithAclEnabledAndWithExistentTeamTest() {
         assertThat(qm.getProject("acme-app", null)).satisfies(project ->
                 assertThat(project.getAccessTeams()).extracting(Team::getName).containsOnly(team.getName()));
     }
+
+    @Test
+    void createProjectWithAclDisabledAddsApiKeyTeamTest() {
+        // ACL is not enabled - updateNewProjectACL should still add the API key's team
+        Project project = new Project();
+        project.setName("acme-app-acl-disabled");
+        project.setVersion("1.0");
+        Response response = jersey.target(V1_PROJECT)
+                .request()
+                .header(X_API_KEY, apiKey)
+                .put(Entity.entity(project, MediaType.APPLICATION_JSON));
+        assertThat(response.getStatus()).isEqualTo(201);
+        assertThat(qm.getProject("acme-app-acl-disabled", "1.0")).satisfies(created ->
+                assertThat(created.getAccessTeams()).extracting(Team::getName).containsOnly(team.getName()));
+    }
+
     @Test
     void createProjectAsLatestTest() {
         Project project = new Project();