
[JENKINS-30326] Added test case to catch failure when run as user.

jtnord committed Sep 10, 2015
1 parent d3abea3 commit c16c47f94483982df7fb55306363647a020520ac
Showing with 67 additions and 0 deletions.
  1. +6 −0 pom.xml
  2. +61 −0 src/test/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStepTest.java
@@ -83,6 +83,12 @@
<classifier>tests</classifier>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.jenkins-ci.plugins</groupId>
<artifactId>authorize-project</artifactId>
<version>1.1.0</version>
<scope>test</scope>
</dependency>
<!-- For some reason this is otherwise missing and causes many verbose errors: -->
<dependency>
<groupId>org.jenkins-ci.modules</groupId>
@@ -29,37 +29,55 @@
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.Domain;
import com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl;

import jenkins.security.QueueItemAuthenticatorConfiguration;

import hudson.FilePath;
import hudson.model.FileParameterValue;
import hudson.model.Node;
import hudson.model.Result;
import hudson.security.FullControlOnceLoggedInAuthorizationStrategy;
import hudson.slaves.DumbSlave;
import hudson.slaves.NodeProperty;
import hudson.slaves.RetentionStrategy;
import hudson.util.Secret;

import java.io.File;
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

import javax.inject.Inject;

import org.apache.commons.io.FileUtils;
import org.jenkinsci.plugins.authorizeproject.AuthorizeProjectProperty;
import org.jenkinsci.plugins.authorizeproject.ProjectQueueItemAuthenticator;
import org.jenkinsci.plugins.authorizeproject.strategy.SpecificUsersAuthorizationStrategy;
import org.jenkinsci.plugins.authorizeproject.AuthorizeProjectStrategy;
import org.jenkinsci.plugins.credentialsbinding.MultiBinding;
import org.jenkinsci.plugins.plaincredentials.impl.FileCredentialsImpl;
import org.jenkinsci.plugins.plaincredentials.impl.StringCredentialsImpl;
import org.jenkinsci.plugins.scriptsecurity.sandbox.Whitelist;
import org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.BlanketWhitelist;
import org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition;
import org.jenkinsci.plugins.workflow.job.WorkflowJob;
import org.jenkinsci.plugins.workflow.job.WorkflowRun;
import org.jenkinsci.plugins.workflow.steps.StepConfigTester;
import org.jenkinsci.plugins.workflow.test.steps.SemaphoreStep;

import static org.junit.Assert.*;

import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;
import org.junit.runners.model.Statement;
import org.jvnet.hudson.test.Issue;
import org.jvnet.hudson.test.JenkinsRule;
import org.jvnet.hudson.test.RestartableJenkinsRule;
import org.jvnet.hudson.test.recipes.WithPlugin;

public class BindingStepTest {

@@ -240,6 +258,49 @@
});
}

@Issue("JENKINS-30326")
@Test
public void testGlobalBindingWithAuthorization() {
story.addStep(new Statement() {
@Override public void evaluate() throws Throwable {
// configure security
story.j.jenkins.setSecurityRealm(story.j.createDummySecurityRealm());
story.j.jenkins.setAuthorizationStrategy(new FullControlOnceLoggedInAuthorizationStrategy());
// create the user.
story.j.jenkins.getUser("dummy");

// enable the run as user strategy for the AuthorizeProject plugin
Map<String, Boolean> strategies = new HashMap<String, Boolean>();
strategies.put(story.j.jenkins.getDescriptor(SpecificUsersAuthorizationStrategy.class).getId(), true);
QueueItemAuthenticatorConfiguration.get().getAuthenticators().add(new ProjectQueueItemAuthenticator(strategies));

// blanket whitelist all methods (easier than whitelisting Jenkins.getAuthentication)
story.j.jenkins.getExtensionList(Whitelist.class).add(new BlanketWhitelist());

String credentialsId = "creds";
String secret = "s3cr3t";
CredentialsProvider.lookupStores(story.j.jenkins).iterator().next().addCredentials(Domain.global(), new StringCredentialsImpl(CredentialsScope.GLOBAL, credentialsId, "sample", Secret.fromString(secret)));
WorkflowJob p = story.j.jenkins.createProject(WorkflowJob.class, "p");

p.setDefinition(new CpsFlowDefinition(""
+ "node {\n"
+ " def authentication = Jenkins.getAuthentication()\n"
+ " echo \"running as user: $authentication.principal\"\n"
+ " withCredentials([[$class: 'StringBinding', credentialsId: '" + credentialsId + "', variable: 'SECRET']]) {\n"
+ " echo 'this will fail if the credentials can not be found'\n"
+ " }\n"
+ "}", true));
// run the job as a specific user
p.addProperty(new AuthorizeProjectProperty(new SpecificUsersAuthorizationStrategy("dummy", true)));

// the build will fail if we can not locate the credentials
WorkflowRun b = story.j.assertBuildStatusSuccess(p.scheduleBuild2(0).get());
// make sure this was actually run as a user and not system
story.j.assertLogContains("running as user: dummy", b);
}
});
}

private static Set<String> grep(File dir, String text) throws IOException {
Set<String> matches = new TreeSet<String>();
grep(dir, text, "", matches);
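Review bot: testGlobalBindingWithAuthorization covers only the permitted path, because FullControlOnceLoggedInAuthorizationStrategy grants "dummy" every permission once authenticated, so the build would presumably also succeed if the credential lookup did not enforce the build's identity at all. A companion case that runs the job as a user without access to the credential and asserts that the build fails would pin the authorization boundary; until that exists, a comment above the strategy line such as `// dummy has full control here, so only the allowed case is covered; the denied case is not tested` keeps the gap visible. Separately, registering `BlanketWhitelist` lets the sandboxed script call any method, so the `true` sandbox flag on `CpsFlowDefinition` no longer restricts anything in this test. A whitelist limited to `Jenkins.getAuthentication` would keep the sandbox meaningful, if the script-security version in use offers one. The `grep` helper in the trailing context continues outside the hunk.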
