[JENKINS-28298] Reject unauthenticated configurations via REST / CLI

[ikedam]

JENKINS-28298

See also https://wiki.jenkins-ci.org/display/JENKINS/JENKINS-28298

When using authorize-project <= 1.1.0 with Jenkins >= 1.545,
users can inject unauthenticated SpecificUserAuthorizationStrategy and SystemAuthorizationStrategy (SystemAuthorizationStrategy is not released yet).

Followings are required for the fundamental resolution:

• Call XStream2#addCriticalField
  • Required Jenkins >= 1.551.
• Use Jenkins >= 1.625

Jenkins 1.532 - 1.544 is not affected by this issue, and I know I can support those versions by using Java reflections to call XStream2#addCriticalField.

But I decided to change the target version to 1.625 as:

• It results unnecessarily complicated codes to use Java reflections.
• Those who use Jenkins 1.545 - 1.624 will be still affected this issue.

[ikedam]

Following tests failed as I don't call XStream2#addCriticalField yet: https://jenkins.ci.cloudbees.com/job/plugins/job/authorize-project-plugin/73/

• org.jenkinsci.plugins.authorizeproject.strategy.SpecificUsersAuthorizationStrategyTest.testCliFailure
• org.jenkinsci.plugins.authorizeproject.strategy.SpecificUsersAuthorizationStrategyTest.testRestInterfaceFailure
• org.jenkinsci.plugins.authorizeproject.strategy.SystemAuthorizationStrategyTest.testCliFailure
• org.jenkinsci.plugins.authorizeproject.strategy.SystemAuthorizationStrategyTest.testRestInterfaceFailure

I'll add a commit to call XStream2#addCriticalField.

[oleg-nenashev]

Looks good to me 👍
Maybe next time makes sense to use the SECURITY project next time.

[jenkinsadmin]

Thank you for this pull request! Please check this document for how the Jenkins project handles pull requests.

[ikedam]

Rebased after merging other pull requests.

[ikedam]

Updated:

• Added dependency to script-security to avoid cyclic dependencies (test scope)
• Use IdStrategy#equals to compare user ids.
• Fixed findbugs warnings. Mainly null checks for Jenkins.getInstance.