
REST BuildCompletedJob needs SYSTEM ACL permission

Fix for REST API Build Completed with Locked Down instance

[JENKINS-31199]
Scott Hebert
Scott Hebert committed Oct 27, 2015
1 parent bd04573 commit 9dd76e6fda49b10306bffa0c92003a2aabacd635
@@ -36,11 +36,15 @@
import com.sonymobile.tools.gerrit.gerritevents.dto.rest.ReviewLabel;

import hudson.model.TaskListener;
import hudson.security.ACL;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.acegisecurity.context.SecurityContext;
import org.acegisecurity.context.SecurityContextHolder;

/**
* A job for the {@link com.sonymobile.tools.gerrit.gerritevents.GerritSendCommandQueue} that
* sends a build completed message.
@@ -74,41 +78,48 @@ public BuildCompletedRestCommandJob(IGerritHudsonTriggerConfig config, BuildMemo

@Override
protected ReviewInput createReview() {
String message = parameterExpander.getBuildCompletedMessage(memoryImprint, listener);
Collection<ReviewLabel> scoredLabels = new ArrayList<ReviewLabel>();
if (memoryImprint.getEvent().isScorable()) {
if (config.isRestCodeReview()) {
Integer crValue = parameterExpander.getMinimumCodeReviewValue(memoryImprint, true);
if (crValue != null && crValue != Integer.MAX_VALUE) {
scoredLabels.add(new ReviewLabel(
LABEL_CODEREVIEW,
crValue));
SecurityContext old = ACL.impersonate(ACL.SYSTEM);
try {
String message = parameterExpander.getBuildCompletedMessage(memoryImprint, listener);
Collection<ReviewLabel> scoredLabels = new ArrayList<ReviewLabel>();
if (memoryImprint.getEvent().isScorable()) {
if (config.isRestCodeReview()) {
Integer crValue = parameterExpander.getMinimumCodeReviewValue(memoryImprint, true);
if (crValue != null && crValue != Integer.MAX_VALUE) {
scoredLabels.add(new ReviewLabel(
LABEL_CODEREVIEW,
crValue));
}
}
}
if (config.isRestVerified()) {
Integer verValue = parameterExpander.getMinimumVerifiedValue(memoryImprint, true);
if (verValue != null && verValue != Integer.MAX_VALUE) {
scoredLabels.add(new ReviewLabel(
LABEL_VERIFIED,
parameterExpander.getMinimumVerifiedValue(memoryImprint, true)));
if (config.isRestVerified()) {
Integer verValue = parameterExpander.getMinimumVerifiedValue(memoryImprint, true);
if (verValue != null && verValue != Integer.MAX_VALUE) {
scoredLabels.add(new ReviewLabel(
LABEL_VERIFIED,
parameterExpander.getMinimumVerifiedValue(memoryImprint, true)));
}
}
}
}
Notify notificationLevel = parameterExpander.getHighestNotificationLevel(memoryImprint, true);
List<GerritMessageProvider> gerritMessageProviders = GerritMessageProvider.all();
Collection<CommentedFile> commentedFiles = new ArrayList<CommentedFile>();
if (gerritMessageProviders != null) {
for (GerritMessageProvider gerritMessageProvider : gerritMessageProviders) {
for (BuildMemory.MemoryImprint.Entry e : memoryImprint.getEntries()) {
try {
commentedFiles.addAll(gerritMessageProvider.getFileComments(e.getBuild()));
} catch (Exception ef) {
listener.error(ef.getMessage());
Notify notificationLevel = parameterExpander.getHighestNotificationLevel(memoryImprint, true);
List<GerritMessageProvider> gerritMessageProviders = GerritMessageProvider.all();
Collection<CommentedFile> commentedFiles = new ArrayList<CommentedFile>();
if (gerritMessageProviders != null) {
for (GerritMessageProvider gerritMessageProvider : gerritMessageProviders) {
for (BuildMemory.MemoryImprint.Entry e : memoryImprint.getEntries()) {
try {
commentedFiles.addAll(gerritMessageProvider.getFileComments(e.getBuild()));
} catch (Exception ef) {
listener.error(ef.getMessage());

}
}
}
}

return new ReviewInput(message, scoredLabels, commentedFiles).setNotify(notificationLevel);

} finally {
SecurityContextHolder.setContext(old);
}
return new ReviewInput(message, scoredLabels, commentedFiles).setNotify(notificationLevel);
}
}
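Review bot: The `ACL.impersonate(ACL.SYSTEM)` block spans the whole of `createReview()`, so the `gerritMessageProvider.getFileComments(e.getBuild())` extension calls also run with SYSTEM authority, although the page does not show which call actually failed on a locked-down instance. Consider narrowing the try/finally to the calls that need the permission, or at least stating the reason above the impersonation, e.g. `// Impersonate SYSTEM: required on a locked-down instance, see JENKINS-31199`. The restore through `SecurityContextHolder.setContext(old)` in `finally` should stay paired with whatever scope is chosen. Separately, the Verified branch calls `getMinimumVerifiedValue(memoryImprint, true)` a second time instead of passing the already null-checked `verValue`.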
@@ -31,10 +31,7 @@

import hudson.model.FreeStyleBuild;
import hudson.model.FreeStyleProject;
import hudson.model.Hudson;
import hudson.model.Result;
import hudson.security.GlobalMatrixAuthorizationStrategy;
import hudson.security.SecurityRealm;

import org.apache.sshd.SshServer;
import org.junit.After;
@@ -104,19 +101,6 @@ public void tearDown() throws Exception {
sshd = null;
}

/**
* Lock down the instance.
* @throws Exception throw if so.
*/
private void lockDown() throws Exception {
SecurityRealm securityRealm = j.createDummySecurityRealm();
j.getInstance().setSecurityRealm(securityRealm);

GlobalMatrixAuthorizationStrategy authorizationStrategy = new GlobalMatrixAuthorizationStrategy();
authorizationStrategy.add(Hudson.READ, "authenticated");
j.getInstance().setAuthorizationStrategy(authorizationStrategy);
}

/**
* Test that a build can still be triggered if only authenticated
* users can login.
@@ -134,7 +118,7 @@ private void lockDown() throws Exception {
public void testTriggerWithLockedDownInstance() throws Exception {
FreeStyleProject project = DuplicatesUtil.createGerritTriggeredJob(j, projectName);

lockDown();
Setup.lockDown(j);

GerritTrigger trigger = project.getTrigger(GerritTrigger.class);
trigger.setSilentStartMode(false);
@@ -34,11 +34,14 @@
import com.sonyericsson.hudson.plugins.gerrit.trigger.mock.Setup;
import com.sonyericsson.hudson.plugins.gerrit.trigger.mock.TestUtils;
import com.sonymobile.tools.gerrit.gerritevents.dto.events.PatchsetCreated;

import hudson.model.FreeStyleProject;
import hudson.model.RootAction;
import hudson.model.UnprotectedRootAction;
import hudson.util.IOUtils;
import jenkins.model.Jenkins;
import net.sf.json.JSONObject;

import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.jvnet.hudson.test.JenkinsRule;
@@ -68,13 +71,19 @@
public JenkinsRule j = new JenkinsRule();

/**
* The test.
*
* @throws IOException if so
* @throws InterruptedException if so.
* Unlock the instance if secured.
* @throws Exception if it occurs.
*/
@Test
public void testIt() throws IOException, InterruptedException {
@Before
public void unlockInstance() throws Exception {
Setup.unLock(j);
}

/**
* Guts of the test.
* @throws Exception if it occurs.
*/
private void runTest() throws Exception {
j.jenkins.setCrumbIssuer(null);
GerritServer server1 = new GerritServer(PluginImpl.DEFAULT_SERVER_NAME);
PluginImpl.getInstance().addServer(server1);
@@ -122,9 +131,27 @@ public void testIt() throws IOException, InterruptedException {
JSONObject labels = json.getJSONObject("labels");
assertEquals(1, labels.getInt("Code-Review"));
assertEquals(1, labels.getInt("Verified"));

}
/**
* The test with a locked down instance.
*
* @throws Exception if so
*/
@Test
public void testItWithSecurity() throws Exception {
Setup.lockDown(j);
runTest();
}

/**
* The test.
*
* @throws Exception if so
*/
@Test
public void testIt() throws Exception {
runTest();
}
/**
* Finds the registered {@link FakeHttpGerrit}.
*
@@ -138,7 +165,7 @@ private FakeHttpGerrit getGerrit() {
* Acts as a fake REST endpoint to receive the REST commands from the command job.
*/
@TestExtension
public static class FakeHttpGerrit implements RootAction {
public static class FakeHttpGerrit implements UnprotectedRootAction {

String lastPath;
String lastContent;
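Review bot: The Javadoc on `FakeHttpGerrit` does not say why the class is now an `UnprotectedRootAction`, which makes the endpoint reachable without the Jenkins read permission. A sentence such as `Unprotected so the REST command job can reach it without credentials when the test instance is locked down.` would make clear that this is deliberate and limited to the test extension. The class body continues outside the hunk.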
@@ -56,15 +56,19 @@
import hudson.model.AbstractProject;
import hudson.model.Cause;
import hudson.model.CauseAction;
import hudson.model.Hudson;
import hudson.model.Job;
import hudson.model.Result;
import hudson.model.TaskListener;
import hudson.security.GlobalMatrixAuthorizationStrategy;
import hudson.security.SecurityRealm;
import hudson.triggers.Trigger;
import hudson.triggers.TriggerDescriptor;
import net.sf.json.JSONObject;

import org.jenkinsci.plugins.workflow.job.WorkflowJob;
import org.junit.Assert;
import org.jvnet.hudson.test.JenkinsRule;
import org.powermock.api.mockito.PowerMockito;

import java.io.IOException;
@@ -787,4 +791,28 @@ public static RefReplicated createRefReplicatedEvent(String project, String ref,
refReplicated.setStatus(status);
return refReplicated;
}

/**
* Lock down the instance.
* @param j JenkinsRule.
* @throws Exception throw if so.
*/
public static void lockDown(JenkinsRule j) throws Exception {
SecurityRealm securityRealm = j.createDummySecurityRealm();
j.getInstance().setSecurityRealm(securityRealm);

GlobalMatrixAuthorizationStrategy authorizationStrategy = new GlobalMatrixAuthorizationStrategy();
authorizationStrategy.add(Hudson.READ, "authenticated");
j.getInstance().setAuthorizationStrategy(authorizationStrategy);
}

/**
* Unlock the instance.
* @param j JenkinsRule.
* @throws Exception throw if so.
*/
public static void unLock(JenkinsRule j) throws Exception {
j.getInstance().setSecurityRealm(SecurityRealm.NO_AUTHENTICATION);
}

}
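Review bot: `unLock` resets only the security realm, while `lockDown` also installs a `GlobalMatrixAuthorizationStrategy`, so calling `unLock` on an instance that was locked down would leave the restrictive matrix in place with no realm to authenticate against. If the helper is meant to undo `lockDown`, it should reset the strategy as well, e.g. `j.getInstance().setAuthorizationStrategy(AuthorizationStrategy.UNSECURED);` (this needs the `hudson.security.AuthorizationStrategy` import). The Javadoc could then state which settings are restored instead of `Unlock the instance.`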
