
Merge pull request #45 from armfergom/JENKINS-33944

[JENKINS-33944] User-scoped credentials cannot be looked up
stephenc committed Apr 4, 2016
2 parents 4d648bf + ca43c6a commit 590caa7a9da0b61e8b3214125652135b1c79d02a
@@ -145,8 +145,8 @@
UserCredentialsProperty property = user.getProperty(UserCredentialsProperty.class);
if (property != null) {
// we need to impersonate if the requesting authentication is not the current authentication.
boolean needImpersonation = user.equals(User.current());
SecurityContext old = needImpersonation ? null : ACL.impersonate(user.impersonate());
boolean needImpersonation = !user.equals(User.current());
SecurityContext old = needImpersonation ? ACL.impersonate(user.impersonate()) : null;
try {
return DomainCredentials
.getCredentials(property.getDomainCredentialsMap(), type, domainRequirements, always());
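Review bot: The code that restores `old` lies outside this hunk, and it has to agree with the inverted meaning of `needImpersonation` on the new lines. The saved context should be put back only when impersonation actually happened, e.g. `if (needImpersonation) { SecurityContextHolder.setContext(old); }`; otherwise the thread either keeps running as `user` after the credential lookup or has its context replaced with `null`. `user.impersonate()` is also evaluated before the `try`, and it now runs whenever the requested user is not the current one. If that call can fail for a user the security realm does not know, the lookup would throw instead of returning no credentials, so a guard or a one-line comment stating the intended behaviour would help.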
@@ -25,40 +25,56 @@

import com.cloudbees.plugins.credentials.common.UsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.Domain;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import com.cloudbees.plugins.credentials.impl.DummyCredentials;
import com.cloudbees.plugins.credentials.impl.DummyLegacyCredentials;
import hudson.model.Descriptor;
import hudson.model.FreeStyleProject;
import hudson.model.Hudson;
import hudson.model.Item;
import hudson.model.ItemGroup;
import hudson.model.User;
import hudson.security.ACL;
import jenkins.model.Jenkins;
import org.acegisecurity.Authentication;
import org.jvnet.hudson.test.HudsonTestCase;
import org.acegisecurity.context.SecurityContext;
import org.acegisecurity.context.SecurityContextHolder;
import org.junit.Rule;
import org.junit.Test;
import org.jvnet.hudson.test.JenkinsRule;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.Collections;
import java.util.List;

public class CredentialsProviderTest extends HudsonTestCase {
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;

public class CredentialsProviderTest {

@Rule
public JenkinsRule r = new JenkinsRule();

@Test
public void testNoCredentialsUntilWeAddSome() throws Exception {
FreeStyleProject project = createFreeStyleProject();
FreeStyleProject project = r.createFreeStyleProject();
assertTrue(CredentialsProvider.lookupCredentials(Credentials.class).isEmpty());
SystemCredentialsProvider.getInstance().getCredentials().add(
new DummyCredentials(CredentialsScope.SYSTEM, "foo", "bar"));
assertFalse(CredentialsProvider.lookupCredentials(Credentials.class).isEmpty());
assertFalse(CredentialsProvider.lookupCredentials(DummyCredentials.class).isEmpty());

assertFalse(CredentialsProvider.lookupCredentials(DummyCredentials.class, ACL.SYSTEM).isEmpty());
assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, Hudson.ANONYMOUS).isEmpty());
assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, Jenkins.ANONYMOUS).isEmpty());
assertFalse("null auth -> ACL.SYSTEM",
CredentialsProvider.lookupCredentials(DummyCredentials.class, (Authentication) null).isEmpty());

assertFalse(CredentialsProvider.lookupCredentials(DummyCredentials.class, Hudson.getInstance()).isEmpty());
assertFalse(CredentialsProvider.lookupCredentials(DummyCredentials.class, Jenkins.getInstance()).isEmpty());
assertFalse("null item -> Root",
CredentialsProvider.lookupCredentials(DummyCredentials.class, (Item) null).isEmpty());
assertFalse("null item -> Root",
@@ -72,11 +88,11 @@ public void testNoCredentialsUntilWeAddSome() throws Exception {
assertFalse(CredentialsProvider.lookupCredentials(DummyCredentials.class).isEmpty());

assertFalse(CredentialsProvider.lookupCredentials(DummyCredentials.class, ACL.SYSTEM).isEmpty());
assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, Hudson.ANONYMOUS).isEmpty());
assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, Jenkins.ANONYMOUS).isEmpty());
assertFalse("null auth -> ACL.SYSTEM",
CredentialsProvider.lookupCredentials(DummyCredentials.class, (Authentication) null).isEmpty());

assertFalse(CredentialsProvider.lookupCredentials(DummyCredentials.class, Hudson.getInstance()).isEmpty());
assertFalse(CredentialsProvider.lookupCredentials(DummyCredentials.class, Jenkins.getInstance()).isEmpty());
assertFalse("null item -> Root",
CredentialsProvider.lookupCredentials(DummyCredentials.class, (Item) null).isEmpty());
assertFalse("null item -> Root",
@@ -88,21 +104,22 @@ public void testNoCredentialsUntilWeAddSome() throws Exception {
"manchu");

}


@Test
public void testNoCredentialsUntilWeAddSomeViaStore() throws Exception {
FreeStyleProject project = createFreeStyleProject();
FreeStyleProject project = r.createFreeStyleProject();
assertTrue(CredentialsProvider.lookupCredentials(Credentials.class).isEmpty());
CredentialsStore store = CredentialsProvider.lookupStores(Jenkins.getInstance()).iterator().next();
store.addCredentials(Domain.global(), new DummyCredentials(CredentialsScope.SYSTEM, "foo", "bar"));
assertFalse(CredentialsProvider.lookupCredentials(Credentials.class).isEmpty());
assertFalse(CredentialsProvider.lookupCredentials(DummyCredentials.class).isEmpty());

assertFalse(CredentialsProvider.lookupCredentials(DummyCredentials.class, ACL.SYSTEM).isEmpty());
assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, Hudson.ANONYMOUS).isEmpty());
assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, Jenkins.ANONYMOUS).isEmpty());
assertFalse("null auth -> ACL.SYSTEM",
CredentialsProvider.lookupCredentials(DummyCredentials.class, (Authentication) null).isEmpty());

assertFalse(CredentialsProvider.lookupCredentials(DummyCredentials.class, Hudson.getInstance()).isEmpty());
assertFalse(CredentialsProvider.lookupCredentials(DummyCredentials.class, Jenkins.getInstance()).isEmpty());
assertFalse("null item -> Root",
CredentialsProvider.lookupCredentials(DummyCredentials.class, (Item) null).isEmpty());
assertFalse("null item -> Root",
@@ -115,11 +132,11 @@ public void testNoCredentialsUntilWeAddSomeViaStore() throws Exception {
assertFalse(CredentialsProvider.lookupCredentials(DummyCredentials.class).isEmpty());

assertFalse(CredentialsProvider.lookupCredentials(DummyCredentials.class, ACL.SYSTEM).isEmpty());
assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, Hudson.ANONYMOUS).isEmpty());
assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, Jenkins.ANONYMOUS).isEmpty());
assertFalse("null auth -> ACL.SYSTEM",
CredentialsProvider.lookupCredentials(DummyCredentials.class, (Authentication) null).isEmpty());

assertFalse(CredentialsProvider.lookupCredentials(DummyCredentials.class, Hudson.getInstance()).isEmpty());
assertFalse(CredentialsProvider.lookupCredentials(DummyCredentials.class, Jenkins.getInstance()).isEmpty());
assertFalse("null item -> Root",
CredentialsProvider.lookupCredentials(DummyCredentials.class, (Item) null).isEmpty());
assertFalse("null item -> Root",
@@ -132,6 +149,74 @@ public void testNoCredentialsUntilWeAddSomeViaStore() throws Exception {

}

@Test
public void testManageUserCredentials() throws IOException {
final User alice = User.get("alice");
DummyCredentials aliceCred1 = new DummyCredentials(CredentialsScope.USER, "aliceCred1", "pwd");
DummyCredentials aliceCred2 = new DummyCredentials(CredentialsScope.USER, "aliceCred2", "pwd");
DummyCredentials aliceCred3 = new DummyCredentials(CredentialsScope.USER, "aliceCred3", "pwd");

r.jenkins.setSecurityRealm(r.createDummySecurityRealm());

CredentialsStore userStore;
SecurityContext ctx = ACL.impersonate(alice.impersonate());
userStore = CredentialsProvider.lookupStores(alice).iterator().next();
userStore.addCredentials(Domain.global(), aliceCred1);
userStore.addCredentials(Domain.global(), aliceCred2);

assertEquals(2, CredentialsProvider.lookupCredentials(DummyCredentials.class, (Item) null, alice.impersonate(), Collections.<DomainRequirement>emptyList()).size());
assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, Collections.<DomainRequirement>emptyList()).isEmpty());
assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, Jenkins.ANONYMOUS, Collections.<DomainRequirement>emptyList()).isEmpty());

// Remove credentials
userStore.removeCredentials(Domain.global(), aliceCred2);

assertEquals(1, CredentialsProvider.lookupCredentials(DummyCredentials.class, (Item) null, alice.impersonate(), Collections.<DomainRequirement>emptyList()).size());
assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, Collections.<DomainRequirement>emptyList()).isEmpty());
assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, Jenkins.ANONYMOUS, Collections.<DomainRequirement>emptyList()).isEmpty());

// Update credentials
userStore.updateCredentials(Domain.global(), aliceCred1, aliceCred3);

assertEquals(1, CredentialsProvider.lookupCredentials(DummyCredentials.class, (Item) null, alice.impersonate(), Collections.<DomainRequirement>emptyList()).size());
assertEquals(aliceCred3.getUsername(), CredentialsProvider.lookupCredentials(DummyCredentials.class, (Item) null, alice.impersonate(), Collections.<DomainRequirement>emptyList()).get(0).getUsername());
SecurityContextHolder.setContext(ctx);
}

@Test
public void testUpdateAndDeleteCredentials() throws IOException {
FreeStyleProject project = r.createFreeStyleProject();
DummyCredentials systemCred = new DummyCredentials(CredentialsScope.SYSTEM, "systemCred", "pwd");
DummyCredentials systemCred2 = new DummyCredentials(CredentialsScope.SYSTEM, "systemCred2", "pwd");
DummyCredentials globalCred = new DummyCredentials(CredentialsScope.GLOBAL, "globalCred", "pwd");
DummyCredentials modCredential = new DummyCredentials(CredentialsScope.GLOBAL, "modCredential", "pwd");

CredentialsStore store = CredentialsProvider.lookupStores(Jenkins.getInstance()).iterator().next();

// Add credentials
store.addCredentials(Domain.global(), systemCred);
store.addCredentials(Domain.global(), systemCred2);
store.addCredentials(Domain.global(), globalCred);

assertEquals(3, CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, Collections.<DomainRequirement>emptyList()).size());
assertEquals(1, CredentialsProvider.lookupCredentials(DummyCredentials.class, project, ACL.SYSTEM, Collections.<DomainRequirement>emptyList()).size());
assertEquals(globalCred.getUsername(), CredentialsProvider.lookupCredentials(DummyCredentials.class, project, ACL.SYSTEM, Collections.<DomainRequirement>emptyList()).get(0).getUsername());

// Update credentials
store.updateCredentials(Domain.global(), globalCred, modCredential);

assertEquals(3, CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, Collections.<DomainRequirement>emptyList()).size());
assertEquals(1, CredentialsProvider.lookupCredentials(DummyCredentials.class, project, ACL.SYSTEM, Collections.<DomainRequirement>emptyList()).size());
assertEquals(modCredential.getUsername(), CredentialsProvider.lookupCredentials(DummyCredentials.class, project, ACL.SYSTEM, Collections.<DomainRequirement>emptyList()).get(0).getUsername());

// Remove credentials
store.removeCredentials(Domain.global(), systemCred2);

assertEquals(2, CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, Collections.<DomainRequirement>emptyList()).size());
assertEquals(1, CredentialsProvider.lookupCredentials(DummyCredentials.class, project, ACL.SYSTEM, Collections.<DomainRequirement>emptyList()).size());
}

@Test
public void testHaveDummyCredentialsType() throws Exception {
assertTrue(!CredentialsProvider.allCredentialsDescriptors().isEmpty());
DummyCredentials.DescriptorImpl descriptor = null;
@@ -145,6 +230,7 @@ public void testHaveDummyCredentialsType() throws Exception {
assertNotNull(new DummyCredentials(CredentialsScope.SYSTEM, "foo", "bar").getDescriptor());
}

@Test
public void testLegacyCredentialMigration() throws Exception {
DummyLegacyCredentials legacyCredentials = new DummyLegacyCredentials(CredentialsScope.GLOBAL, "foo", "bar");
ByteArrayOutputStream bos = new ByteArrayOutputStream();
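Review bot: In `testManageUserCredentials` the security context is restored by a plain `SecurityContextHolder.setContext(ctx);` as the last statement, so a failing assertion leaves the test thread impersonating alice. Wrapping everything after `ACL.impersonate(alice.impersonate())` in `try { ... } finally { SecurityContextHolder.setContext(ctx); }` keeps the impersonation scoped to the test. Every lookup made with `alice.impersonate()` also runs while alice is already the current user, so, as far as this section shows, the branch that impersonates a user other than the current one is never exercised against a store that holds credentials. One more lookup for alice after the context has been restored would cover that path.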
@@ -24,15 +24,34 @@

package com.cloudbees.plugins.credentials.domains;

import org.junit.Rule;
import org.junit.Test;
import org.jvnet.hudson.test.JenkinsRule;

import com.cloudbees.plugins.credentials.Credentials;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.CredentialsScope;
import com.cloudbees.plugins.credentials.CredentialsStore;
import com.cloudbees.plugins.credentials.impl.DummyCredentials;

import hudson.security.ACL;
import jenkins.model.Jenkins;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

import static org.hamcrest.CoreMatchers.is;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertThat;
import static org.junit.Assert.assertTrue;

public class DomainTest {

@Rule
public JenkinsRule r = new JenkinsRule();

@Test
public void smokes() throws Exception {
Domain instance =
@@ -59,4 +78,51 @@ public void pathRequirements() throws Exception {
assertThat(instance.test(URIRequirementBuilder.fromUri("http://updates.jenkins-ci.org/download/1/2/3/jenkins.war").build()), is(false));

}

@Test
public void testCredentialsInCustomDomains() throws IOException {
Domain domainFoo = new Domain("domainFoo", "Hostname domain", Arrays.asList(new DomainSpecification[] { new HostnameSpecification("foo.com", "") }));
Domain domainBar = new Domain("domainBar", "Path domain", Arrays.asList(new DomainSpecification[] { new HostnameSpecification("bar.com", "") }));
DummyCredentials systemCred = new DummyCredentials(CredentialsScope.SYSTEM, "systemCred", "pwd");
DummyCredentials systemCred1 = new DummyCredentials(CredentialsScope.SYSTEM, "systemCred1", "pwd");
DummyCredentials systemCredMod = new DummyCredentials(CredentialsScope.SYSTEM, "systemCredMod", "pwd");

CredentialsStore store = CredentialsProvider.lookupStores(Jenkins.getInstance()).iterator().next();

// Add domains with credentials
store.addDomain(domainFoo, Collections.<Credentials>emptyList());
store.addDomain(domainBar, Collections.<Credentials>emptyList());

// Domain requirements for credential queries
List<DomainRequirement> reqFoo = Arrays.asList(new DomainRequirement[] { new HostnameRequirement("foo.com") });
List<DomainRequirement> reqBar = Arrays.asList(new DomainRequirement[] { new HostnameRequirement("bar.com") });

assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqFoo).isEmpty());
assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqBar).isEmpty());

// Add credentials to domains
store.addCredentials(domainFoo, systemCred);
store.addCredentials(domainBar, systemCred1);

// Search creadentials with specific domain restrictions
assertEquals(1, CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqFoo).size());
assertEquals(systemCred.getUsername(), CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqFoo).get(0).getUsername());
assertEquals(1, CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqBar).size());
assertEquals(systemCred1.getUsername(), CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqBar).get(0).getUsername());

// Update credential from domain
store.updateCredentials(domainFoo, systemCred, systemCredMod);

assertEquals(1, CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqFoo).size());
assertEquals(systemCredMod.getUsername(), CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqFoo).get(0).getUsername());
assertEquals(1, CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqBar).size());
assertEquals(systemCred1.getUsername(), CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqBar).get(0).getUsername());

// Remove credential from domain
store.removeCredentials(domainFoo, systemCredMod);

assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqFoo).isEmpty());
assertEquals(1, CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqBar).size());
assertEquals(systemCred1.getUsername(), CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqBar).get(0).getUsername());
}
}
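Review bot: In `testCredentialsInCustomDomains` the second domain is described as `"Path domain"` but is built from a `HostnameSpecification("bar.com", "")`, so the description does not match what the test sets up; `"Hostname domain"` would be accurate. The comment `// Add domains with credentials` sits above two `addDomain` calls that pass empty lists and would read better as `// Add empty domains`, and `creadentials` in the later comment is a typo. The `Arrays.asList(new DomainSpecification[] { ... })` wrappers for a single element could be `Collections.<DomainSpecification>singletonList(...)`, matching the `Collections.<Credentials>emptyList()` style already used in the same test.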
