Skip to content
Permalink
Browse files
Merge pull request #21 from ikedam/feature/JENKINS-28298_addCriticalF…
…ield

[JENKINS-28298]  Reject unauthenticated configurations via REST / CLI
  • Loading branch information
ikedam committed Mar 27, 2016
2 parents acf5125 + 2d97cb9 commit 5bcf6ca30231ee09970f6b7b1a1eedefce126bb4
18 pom.xml
@@ -3,8 +3,7 @@
<parent>
<groupId>org.jenkins-ci.plugins</groupId>
<artifactId>plugin</artifactId>
<version>1.532</version><!-- QueueItemAuthenticator is since 1.520 -->
<!--<version>1.580.1</version>--><!-- When you test the integration with workflow -->
<version>1.625</version><!-- for JENKINS-28298 -->
</parent>

<groupId>org.jenkins-ci.plugins</groupId>
@@ -44,8 +43,11 @@
</properties>

<dependencies>
<!-- When you test the integration with workflow -->
<!--
<dependency>
<groupId>com.google.code.findbugs</groupId>
<artifactId>annotations</artifactId>
<version>3.0.1</version>
</dependency>
<dependency>
<groupId>org.jenkins-ci.plugins.workflow</groupId>
<artifactId>workflow-job</artifactId>
@@ -64,7 +66,13 @@
<version>${workflow.version}</version>
<scope>test</scope>
</dependency>
-->
<!-- Required to avoid cyclic dependency -->
<dependency>
<groupId>org.jenkins-ci.plugins</groupId>
<artifactId>script-security</artifactId>
<version>1.13</version>
<scope>test</scope>
</dependency>
</dependencies>

<build>
@@ -40,7 +40,10 @@

import hudson.DescriptorExtensionList;
import hudson.Extension;
import hudson.init.InitMilestone;
import hudson.init.Initializer;
import hudson.model.DescriptorVisibilityFilter;
import hudson.model.Items;
import hudson.model.Job;
import hudson.model.JobProperty;
import hudson.model.JobPropertyDescriptor;
@@ -117,6 +120,11 @@ public Authentication authenticate(Queue.Item item) {
return strategy.authenticate(owner, item);
}

@Initializer(after=InitMilestone.PLUGINS_STARTED)
public static void setStrategyCritical() {
Items.XSTREAM2.addCriticalField(AuthorizeProjectProperty.class, "strategy");
}

/**
* Descriptor for {@link AuthorizeProjectProperty}.
*
@@ -49,7 +49,7 @@ public abstract class AuthorizeProjectStrategy extends AbstractDescribableImpl<A
* @return all the registered {@link AuthorizeProjectStrategy}.
*/
public static DescriptorExtensionList<AuthorizeProjectStrategy, Descriptor<AuthorizeProjectStrategy>> all() {
return Jenkins.getInstance().getDescriptorList(AuthorizeProjectStrategy.class);
return Jenkins.getActiveInstance().getDescriptorList(AuthorizeProjectStrategy.class);
}

/**
@@ -71,7 +71,7 @@ public Authentication authenticate(Job<?, ?> project, Queue.Item item) {
}

if (!(project instanceof AbstractProject)) {
Descriptor<?> d = Jenkins.getInstance().getDescriptor(getClass());
Descriptor<?> d = Jenkins.getActiveInstance().getDescriptor(getClass());
LOGGER.log(
Level.WARNING,
"This authorization strategy ({0}) is designed for authorize-project < 1.1.0 and not applicable for non-AbstractProjects (like WorkflowJob). ignored.",
@@ -58,7 +58,7 @@ protected AuthorizeProjectStrategyDescriptor(Class<? extends AuthorizeProjectStr

@Override
protected final XmlFile getConfigFile() {
return new XmlFile(new File(Jenkins.getInstance().getRootDir(),
return new XmlFile(new File(Jenkins.getActiveInstance().getRootDir(),
Constants.CONFIG_FOLDER+"/"+getId()+".xml"));
}

@@ -24,6 +24,8 @@

package org.jenkinsci.plugins.authorizeproject;

import javax.annotation.CheckForNull;

import jenkins.model.Jenkins;
import hudson.model.Describable;
import hudson.model.Descriptor;
@@ -66,8 +68,8 @@ public static <T extends Describable<?>> T bindJSONWithDescriptor(
}
try {
@SuppressWarnings("unchecked")
Class<? extends T> staplerClass = (Class<? extends T>)Jenkins.getInstance().getPluginManager().uberClassLoader.loadClass(staplerClazzName);
Descriptor<?> d = Jenkins.getInstance().getDescriptorOrDie(staplerClass);
Class<? extends T> staplerClass = (Class<? extends T>)Jenkins.getActiveInstance().getPluginManager().uberClassLoader.loadClass(staplerClazzName);
Descriptor<?> d = Jenkins.getActiveInstance().getDescriptorOrDie(staplerClass);

@SuppressWarnings("unchecked")
T instance = (T)d.newInstance(req, formData);
@@ -82,8 +84,13 @@ public static <T extends Describable<?>> T bindJSONWithDescriptor(
}
}

public static boolean userIdEquals(String a, String b) {
// TODO use Jenkins.getInstance().getSecurityRealm().getUserIdStrategy().equals() once Jenkins 1.566+
return a.equals(b);
public static boolean userIdEquals(@CheckForNull String a, @CheckForNull String b) {
if (a == null) {
return b == null;
}
if (b == null) {
return false;
}
return Jenkins.getActiveInstance().getSecurityRealm().getUserIdStrategy().equals(a, b);
}
}
@@ -109,10 +109,6 @@ public Authentication authenticate(Job<?, ?> project, Queue.Item item) {
return Jenkins.ANONYMOUS;
}
Authentication a = u.impersonate();
if (a == null) {
// fallback to anonymous
return Jenkins.ANONYMOUS;
}
return a;
}

@@ -132,13 +128,13 @@ protected static boolean isAuthenticateionRequired(
return false;
}

if (Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER)) {
if (Jenkins.getActiveInstance().hasPermission(Jenkins.ADMINISTER)) {
// Administrator can specify any user.
return false;
}

User u = User.current();
if (u != null && u.getId() != null && AuthorizeProjectUtil.userIdEquals(u.getId(), newStrategy.getUserid())) {
if (u != null && AuthorizeProjectUtil.userIdEquals(u.getId(), newStrategy.getUserid())) {
// Any user can specify oneself.
return false;
}
@@ -150,7 +146,6 @@ protected static boolean isAuthenticateionRequired(

if (
currentStrategy.isNoNeedReauthentication()
&& currentStrategy.getUserid() != null
&& AuthorizeProjectUtil.userIdEquals(currentStrategy.getUserid(), newStrategy.getUserid())
) {
// the specified user is not changed,
@@ -261,7 +256,7 @@ protected SpecificUsersAuthorizationStrategy newInstanceWithoutAuthentication(
throw new FormException("userid must be specified", "userid");
}
for (Authentication a: BUILTIN_USERS) {
if (AuthorizeProjectUtil.userIdEquals(userid, a.getPrincipal().toString())) {
if (AuthorizeProjectUtil.userIdEquals(userid, (a.getPrincipal() != null)?a.getPrincipal().toString():null)) {
throw new FormException(Messages.SpecificUsersAuthorizationStrategy_userid_builtin(), "userid");
}
}
@@ -286,7 +281,7 @@ protected boolean authenticate(
String password
) {
try {
Jenkins.getInstance().getSecurityRealm().getSecurityComponents().manager.authenticate(
Jenkins.getActiveInstance().getSecurityRealm().getSecurityComponents().manager.authenticate(
new UsernamePasswordAuthenticationToken(strategy.getUserid(), password)
);
} catch (Exception e) { // handles any exception including NPE.
@@ -472,7 +467,7 @@ public FormValidation doCheckNoNeedReauthentication(@QueryParameter boolean noNe
}

public boolean isUseApitoken() {
return !(Jenkins.getInstance().getSecurityRealm() instanceof AbstractPasswordBasedSecurityRealm);
return !(Jenkins.getActiveInstance().getSecurityRealm() instanceof AbstractPasswordBasedSecurityRealm);
}

/**
@@ -43,6 +43,8 @@
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;

import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;

/**
* Run builds as {@link ACL#SYSTEM}. Using this strategy becomes important when
* {@link org.jenkinsci.plugins.authorizeproject.GlobalQueueItemAuthenticator}
@@ -126,6 +128,7 @@ public final int hashCode() {
* @param obj the object to test equality with.
* @return {@code true} if and only if this is a equivalent {@link SystemAuthorizationStrategy} instance.
*/
@SuppressFBWarnings(value="EQ_GETCLASS_AND_CLASS_CONSTANT", justification="Should be the same class")
@Override
public final boolean equals(Object obj) {
return obj != null && SystemAuthorizationStrategy.class == obj.getClass();
@@ -61,8 +61,6 @@
import com.gargoylesoftware.htmlunit.html.HtmlPage;
import com.gargoylesoftware.htmlunit.html.HtmlTextInput;

/*
// classes for workflowTest
import java.io.IOException;
import jenkins.tasks.SimpleBuildStep;
import hudson.FilePath;
@@ -76,15 +74,13 @@
import org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition;
import org.jenkinsci.plugins.workflow.job.WorkflowJob;
import org.jenkinsci.plugins.workflow.job.WorkflowRun;
import org.kohsuke.stapler.DataBoundConstructor;
*/

/**
*
*/
public class ProjectQueueItemAuthenticatorTest {
@Rule
public JenkinsRule j = new AuthorizeProjectJenkinsRule();
public JenkinsRule j = new AuthorizeProjectJenkinsRule(SpecificUsersAuthorizationStrategy.class);

public static class NullAuthorizeProjectStrategy extends AuthorizeProjectStrategy {
@DataBoundConstructor
@@ -489,7 +485,7 @@ public Authentication authenticate(AbstractProject<?, ?> project, Queue.Item ite
return User.get(name).impersonate();
}

@TestExtension("testOldSignature")
@TestExtension
public static class DescriptorImpl extends AuthorizeProjectStrategyDescriptor {
@Override
public String getDisplayName() {
@@ -511,10 +507,6 @@ public void testOldSignature() throws Exception {
assertEquals("test1", checker.authentication.getName());
}

/*
// A test for workflow plugin (which extends Job, not AbstractProject).
// This is disabled as workflow requires Jenkins >= 1.580.1
// but authorize-project targets Jenkins >= 1.532.
public static class AuthorizationRecordAction extends InvisibleAction {
public final Authentication authentication;

@@ -580,5 +572,4 @@ public void testWorkflow() throws Exception {
assertEquals(User.get("test1").impersonate(), b.getAction(AuthorizationRecordAction.class).authentication);
}
}
*/
}

0 comments on commit 5bcf6ca

Please sign in to comment.