[SECURITY-1290]

jenkinsci · Jul 29, 2019 · 1c531c1 · 1c531c1
1 parent 73afe3c
commit 1c531c1
Show file tree

Hide file tree

Showing 2 changed files with 69 additions and 0 deletions.
diff --git a/plugin/src/main/java/io/jenkins/plugins/casc/ConfigurationAsCode.java b/plugin/src/main/java/io/jenkins/plugins/casc/ConfigurationAsCode.java
@@ -414,6 +414,24 @@ public void doViewExport(StaplerRequest req, StaplerResponse res) throws Excepti
         req.getView(this, "viewExport.jelly").forward(req, res);
     }
 
+    public void doReference(StaplerRequest req, StaplerResponse res) throws Exception {
+        if (!Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER)) {
+            res.sendError(HttpServletResponse.SC_FORBIDDEN);
+            return;
+        }
+
+        req.getView(this, "reference.jelly").forward(req, res);
+    }
+
+    public void doSchema(StaplerRequest req, StaplerResponse res) throws Exception {
+        if (!Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER)) {
+            res.sendError(HttpServletResponse.SC_FORBIDDEN);
+            return;
+        }
+
+        req.getView(this, "schema.jelly").forward(req, res);
+    }
+
     @Restricted(NoExternalUse.class)
     public void export(OutputStream out) throws Exception {
 

diff --git a/plugin/src/test/java/io/jenkins/plugins/casc/Security1290Test.java b/plugin/src/test/java/io/jenkins/plugins/casc/Security1290Test.java
@@ -0,0 +1,51 @@
+package io.jenkins.plugins.casc;
+
+import com.gargoylesoftware.htmlunit.HttpMethod;
+import com.gargoylesoftware.htmlunit.WebRequest;
+import io.jenkins.plugins.casc.misc.JenkinsConfiguredWithCodeRule;
+import java.io.IOException;
+import java.net.HttpURLConnection;
+import java.net.URL;
+import jenkins.model.Jenkins;
+import org.junit.Rule;
+import org.junit.Test;
+import org.jvnet.hudson.test.JenkinsRule;
+import org.jvnet.hudson.test.MockAuthorizationStrategy;
+
+import static org.junit.Assert.assertEquals;
+
+public class Security1290Test {
+
+    @Rule
+    public JenkinsConfiguredWithCodeRule j = new JenkinsConfiguredWithCodeRule();
+
+    @Test
+    public void configurationAsCodePagesPermissions() throws Exception {
+        final String ADMIN = "admin";
+        final String USER = "user";
+
+        j.jenkins.setCrumbIssuer(null);
+        j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
+        j.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy()
+                .grant(Jenkins.ADMINISTER).everywhere().to(ADMIN)
+                .grant(Jenkins.READ).everywhere().to(USER)
+        );
+
+        JenkinsRule.WebClient adminWc = j.createWebClient();
+        adminWc.login(ADMIN);
+
+        JenkinsRule.WebClient userWc = j.createWebClient()
+                .withThrowExceptionOnFailingStatusCode(false);
+        userWc.login(USER);
+
+        assertRightPermissionConfigurations("configuration-as-code/schema", adminWc, userWc);
+        assertRightPermissionConfigurations("configuration-as-code/reference", adminWc, userWc);
+    }
+
+    private void assertRightPermissionConfigurations(String relativeUrl, JenkinsRule.WebClient adminWc, JenkinsRule.WebClient userWc) throws IOException {
+        WebRequest request = new WebRequest(new URL(j.getURL() + relativeUrl), HttpMethod.GET);
+
+        assertEquals(HttpURLConnection.HTTP_OK, adminWc.getPage(request).getWebResponse().getStatusCode());
+        assertEquals(HttpURLConnection.HTTP_FORBIDDEN, userWc.getPage(request).getWebResponse().getStatusCode());
+    }
+}