[SECURITY-1943]

pom.xml

@@ -145,13 +145,13 @@
 
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-    <jenkins.version>1.596.1</jenkins.version>
+    <jenkins.version>1.609.1</jenkins.version>
     <maven-compiler-plugin.version>3.2</maven-compiler-plugin.version>
     <maven-resources-plugin.version>2.6</maven-resources-plugin.version>
     <maven-release-plugin.version>2.5.2</maven-release-plugin.version>
     <ssh-credentials.version>1.10</ssh-credentials.version>
     <plain-credentials.version>1.4</plain-credentials.version>
-    <credentials.version>1.16.1</credentials.version>
+    <credentials.version>2.1.0</credentials.version>
     <workflow-step-api.version>1.10</workflow-step-api.version>
     <junit.version>4.12</junit.version>
     <mockito.version>1.10.19</mockito.version>

src/main/java/org/jenkinsci/plugins/ansible/AbstractAnsibleBuilderDescriptor.java

@@ -11,6 +11,7 @@
 import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
 import com.cloudbees.plugins.credentials.common.StandardUsernameCredentials;
 import com.cloudbees.plugins.credentials.common.UsernamePasswordCredentials;
+import hudson.model.Item;
 import org.jenkinsci.plugins.plaincredentials.FileCredentials;
 import org.jenkinsci.plugins.plaincredentials.StringCredentials;
 import hudson.model.AbstractProject;
@@ -23,6 +24,7 @@
 import org.apache.commons.lang.StringUtils;
 import org.jenkinsci.plugins.ansible.Inventory.InventoryDescriptor;
 import org.kohsuke.stapler.AncestorInPath;
+import org.kohsuke.stapler.QueryParameter;
 
 /**
  * Common descriptor for Ansible build steps
@@ -44,31 +46,58 @@ protected FormValidation checkNotNullOrEmpty(String parameter, String errorMessa
         }
     }
 
-    public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Project project) {
-        return new StandardListBoxModel()
-                .withEmptySelection()
+    public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item,
+                                                 @QueryParameter String credentialsId) {
+
+        StandardListBoxModel result = new StandardListBoxModel();
+        if (item == null) {
+            if (!Jenkins.getActiveInstance().hasPermission(Jenkins.ADMINISTER)) {
+                return result.includeCurrentValue(credentialsId);
+            }
+        } else {
+            if (!item.hasPermission(Item.EXTENDED_READ)
+                    && !item.hasPermission(CredentialsProvider.USE_ITEM)) {
+                return result.includeCurrentValue(credentialsId);
+            }
+        }
+
+        return result.includeEmptyValue()
                 .withMatching(anyOf(
-                            instanceOf(SSHUserPrivateKey.class),
-                            instanceOf(UsernamePasswordCredentials.class)),
-                        CredentialsProvider.lookupCredentials(StandardUsernameCredentials.class, project));
+                        instanceOf(SSHUserPrivateKey.class),
+                        instanceOf(UsernamePasswordCredentials.class)),
+                        CredentialsProvider.lookupCredentials(StandardUsernameCredentials.class, item))
+                .includeCurrentValue(credentialsId);
+    }
+
+    public ListBoxModel doFillVaultCredentialsIdItems(@AncestorInPath Item item,
+                                                      @QueryParameter String vaultCredentialsId) {
+        return fillVaultCredentials(item, vaultCredentialsId);
     }
 
-    public ListBoxModel doFillVaultCredentialsIdItems(@AncestorInPath Project project) {
-        return new StandardListBoxModel()
-            .withEmptySelection()
-            .withMatching(anyOf(
-                instanceOf(FileCredentials.class),
-                instanceOf(StringCredentials.class)),
-                CredentialsProvider.lookupCredentials(StandardCredentials.class, project));
+    public ListBoxModel doFillNewVaultCredentialsIdItems(@AncestorInPath Item item,
+                                                         @QueryParameter String newVaultCredentialsId) {
+        return fillVaultCredentials(item, newVaultCredentialsId);
     }
 
-    public ListBoxModel doFillNewVaultCredentialsIdItems(@AncestorInPath Project project) {
-        return new StandardListBoxModel()
-            .withEmptySelection()
-            .withMatching(anyOf(
-                instanceOf(FileCredentials.class),
-                instanceOf(StringCredentials.class)),
-                CredentialsProvider.lookupCredentials(StandardCredentials.class, project));
+    private ListBoxModel fillVaultCredentials(Item item, String credentialsId) {
+        StandardListBoxModel result = new StandardListBoxModel();
+        if (item == null) {
+            if (!Jenkins.getActiveInstance().hasPermission(Jenkins.ADMINISTER)) {
+                return result.includeCurrentValue(credentialsId);
+            }
+        } else {
+            if (!item.hasPermission(Item.EXTENDED_READ)
+                    && !item.hasPermission(CredentialsProvider.USE_ITEM)) {
+                return result.includeCurrentValue(credentialsId);
+            }
+        }
+
+        return result.includeEmptyValue()
+                .withMatching(anyOf(
+                        instanceOf(FileCredentials.class),
+                        instanceOf(StringCredentials.class)),
+                        CredentialsProvider.lookupCredentials(StandardCredentials.class, item))
+                .includeCurrentValue(credentialsId);
     }
 
     public List<InventoryDescriptor> getInventories() {

src/main/java/org/jenkinsci/plugins/ansible/workflow/AnsiblePlaybookStep.java

@@ -32,11 +32,13 @@
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.*;
 import hudson.model.Computer;
+import hudson.model.Item;
 import hudson.model.Node;
 import hudson.model.Project;
 import hudson.model.Run;
 import hudson.model.TaskListener;
 import hudson.util.ListBoxModel;
+import jenkins.model.Jenkins;
 import org.apache.commons.lang.StringUtils;
 import org.jenkinsci.plugins.ansible.AnsibleInstallation;
 import org.jenkinsci.plugins.ansible.AnsiblePlaybookBuilder;
@@ -53,6 +55,7 @@
 import org.kohsuke.stapler.AncestorInPath;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.DataBoundSetter;
+import org.kohsuke.stapler.QueryParameter;
 
 /**
  * The Ansible playbook invocation step for the Jenkins workflow plugin.
@@ -291,22 +294,49 @@ public String getDisplayName() {
             return "Invoke an ansible playbook";
         }
 
-        public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Project project) {
-            return new StandardListBoxModel()
-                .withEmptySelection()
-                .withMatching(anyOf(
-                    instanceOf(SSHUserPrivateKey.class),
-                    instanceOf(UsernamePasswordCredentials.class)),
-                    CredentialsProvider.lookupCredentials(StandardUsernameCredentials.class, project));
+        public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item,
+                                                     @QueryParameter String credentialsId) {
+
+            StandardListBoxModel result = new StandardListBoxModel();
+            if (item == null) {
+                if (!Jenkins.getActiveInstance().hasPermission(Jenkins.ADMINISTER)) {
+                    return result.includeCurrentValue(credentialsId);
+                }
+            } else {
+                if (!item.hasPermission(Item.EXTENDED_READ)
+                        && !item.hasPermission(CredentialsProvider.USE_ITEM)) {
+                    return result.includeCurrentValue(credentialsId);
+                }
+            }
+
+            return result.includeEmptyValue()
+                    .withMatching(anyOf(
+                            instanceOf(SSHUserPrivateKey.class),
+                            instanceOf(UsernamePasswordCredentials.class)),
+                            CredentialsProvider.lookupCredentials(StandardUsernameCredentials.class, item))
+                    .includeCurrentValue(credentialsId);
         }
 
-        public ListBoxModel doFillVaultCredentialsIdItems(@AncestorInPath Project project) {
-            return new StandardListBoxModel()
-                .withEmptySelection()
-                .withMatching(anyOf(
-                    instanceOf(FileCredentials.class),
-                    instanceOf(StringCredentials.class)),
-                    CredentialsProvider.lookupCredentials(StandardCredentials.class, project));
+        public ListBoxModel doFillVaultCredentialsIdItems(@AncestorInPath Item item,
+                                                          @QueryParameter String vaultCredentialsId) {
+            StandardListBoxModel result = new StandardListBoxModel();
+            if (item == null) {
+                if (!Jenkins.getActiveInstance().hasPermission(Jenkins.ADMINISTER)) {
+                    return result.includeCurrentValue(vaultCredentialsId);
+                }
+            } else {
+                if (!item.hasPermission(Item.EXTENDED_READ)
+                        && !item.hasPermission(CredentialsProvider.USE_ITEM)) {
+                    return result.includeCurrentValue(vaultCredentialsId);
+                }
+            }
+
+            return result.includeEmptyValue()
+                    .withMatching(anyOf(
+                            instanceOf(FileCredentials.class),
+                            instanceOf(StringCredentials.class)),
+                            CredentialsProvider.lookupCredentials(StandardCredentials.class, item))
+                    .includeCurrentValue(vaultCredentialsId);
         }
 
         public ListBoxModel doFillInstallationItems() {

src/main/java/org/jenkinsci/plugins/ansible/workflow/AnsibleVaultStep.java

@@ -24,11 +24,13 @@
 import com.google.inject.Inject;
 import hudson.*;
 import hudson.model.Computer;
+import hudson.model.Item;
 import hudson.model.Node;
 import hudson.model.Project;
 import hudson.model.Run;
 import hudson.model.TaskListener;
 import hudson.util.ListBoxModel;
+import jenkins.model.Jenkins;
 import org.jenkinsci.plugins.ansible.AnsibleInstallation;
 import org.jenkinsci.plugins.ansible.AnsibleVaultBuilder;
 import org.jenkinsci.plugins.plaincredentials.FileCredentials;
@@ -40,6 +42,7 @@
 import org.kohsuke.stapler.AncestorInPath;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.DataBoundSetter;
+import org.kohsuke.stapler.QueryParameter;
 
 /**
  * The Ansible vault invocation step for the Jenkins workflow plugin.
@@ -139,22 +142,14 @@ public String getDisplayName() {
             return "Invoke ansible vault";
         }
 
-        public ListBoxModel doFillVaultCredentialsIdItems(@AncestorInPath Project project) {
-            return new StandardListBoxModel()
-                .withEmptySelection()
-                .withMatching(anyOf(
-                    instanceOf(FileCredentials.class),
-                    instanceOf(StringCredentials.class)),
-                    CredentialsProvider.lookupCredentials(StandardCredentials.class, project));
+        public ListBoxModel doFillVaultCredentialsIdItems(@AncestorInPath Item item,
+                                                          @QueryParameter String vaultCredentialsId) {
+            return fillVaultCredentials(item, vaultCredentialsId);
         }
 
-        public ListBoxModel doFillNewVaultCredentialsIdItems(@AncestorInPath Project project) {
-            return new StandardListBoxModel()
-                .withEmptySelection()
-                .withMatching(anyOf(
-                    instanceOf(FileCredentials.class),
-                    instanceOf(StringCredentials.class)),
-                    CredentialsProvider.lookupCredentials(StandardCredentials.class, project));
+        public ListBoxModel doFillNewVaultCredentialsIdItems(@AncestorInPath Item item,
+                                                             @QueryParameter String newVaultCredentialsId) {
+            return fillVaultCredentials(item, newVaultCredentialsId);
         }
 
         public ListBoxModel doFillInstallationItems() {
@@ -164,6 +159,28 @@ public ListBoxModel doFillInstallationItems() {
             }
             return model;
         }
+
+
+        private ListBoxModel fillVaultCredentials(Item item, String credentialsId) {
+            StandardListBoxModel result = new StandardListBoxModel();
+            if (item == null) {
+                if (!Jenkins.getActiveInstance().hasPermission(Jenkins.ADMINISTER)) {
+                    return result.includeCurrentValue(credentialsId);
+                }
+            } else {
+                if (!item.hasPermission(Item.EXTENDED_READ)
+                        && !item.hasPermission(CredentialsProvider.USE_ITEM)) {
+                    return result.includeCurrentValue(credentialsId);
+                }
+            }
+
+            return result.includeEmptyValue()
+                    .withMatching(anyOf(
+                            instanceOf(FileCredentials.class),
+                            instanceOf(StringCredentials.class)),
+                            CredentialsProvider.lookupCredentials(StandardCredentials.class, item))
+                    .includeCurrentValue(credentialsId);
+        }
     }
 
     public static final class AnsibleVaultExecution extends AbstractSynchronousNonBlockingStepExecution<Void> {