[JENKINS-36240] Initial stab at rework
stephenc committed Jul 14, 2017
1 parent 388545b commit c10b23bbe37efca325340c5ac65d6876d3fe7684
Showing 7 changed files with 139 additions and 1 deletion.
@@ -26,6 +26,7 @@
import edu.umd.cs.findbugs.annotations.NonNull;
import hudson.Extension;
import hudson.util.ListBoxModel;
import java.io.IOException;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;
@@ -45,6 +46,7 @@
import jenkins.scm.impl.trait.Discovery;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;
import org.kohsuke.github.GHPermissionType;
import org.kohsuke.stapler.DataBoundConstructor;

/**
@@ -315,6 +317,98 @@ public boolean isApplicableToOrigin(@NonNull Class<? extends SCMHeadOrigin> orig
}
}

/**
* An {@link SCMHeadAuthority} that trusts contributors to the repository.
*/
public static class TrustPermission
extends SCMHeadAuthority<GitHubSCMSourceRequest, PullRequestSCMHead, PullRequestSCMRevision> {
@NonNull
private final GHPermissionType permission;

/**
* Constructor.
*/
@DataBoundConstructor
public TrustPermission(@NonNull String permission) {
GHPermissionType permissionType = GHPermissionType.ADMIN;
for (GHPermissionType p: GHPermissionType.values()) {
if (p.name().equalsIgnoreCase(permission)) {
permissionType = p;
}
}
this.permission = permissionType;
}

public TrustPermission(@NonNull GHPermissionType permission) {
this.permission = permission;
}

@NonNull
public GHPermissionType getPermissionType() {
return permission;
}

@NonNull
public String getPermission() {
return permission.name();
}

/**
* {@inheritDoc}
*/
@Override
protected boolean checkTrusted(@NonNull GitHubSCMSourceRequest request, @NonNull PullRequestSCMHead head) {
if (!head.getOrigin().equals(SCMHeadOrigin.DEFAULT)) {
try {
// TODO get the repository from getTrusted which currently doesn't provide it to the request.
GHPermissionType permission = request.getRepository().getPermission(head.getSourceOwner());
return permission.ordinal() <= this.permission.ordinal();
} catch (IOException e) {
// ignore
}
}
return false;
}

/**
* Our descriptor.
*/
@Extension
public static class DescriptorImpl extends SCMHeadAuthorityDescriptor {

/**
* {@inheritDoc}
*/
@Override
public String getDisplayName() {
return Messages.ForkPullRequestDiscoveryTrait_permissionsDisplayName();
}

/**
* {@inheritDoc}
*/
@Override
public boolean isApplicableToOrigin(@NonNull Class<? extends SCMHeadOrigin> originClass) {
return SCMHeadOrigin.Fork.class.isAssignableFrom(originClass);
}

/**
* Populates the permissions.
* @return the list of permissions.
*/
@Restricted(NoExternalUse.class)
@SuppressWarnings("unused")
public ListBoxModel doFillPermissionItems() {
ListBoxModel result = new ListBoxModel();
for (GHPermissionType p: GHPermissionType.values()) {
result.add(p.name());
}
return result;
}

}
}

/**
* An {@link SCMHeadAuthority} that trusts everyone.
*/
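Review bot: In `checkTrusted` the trust decision is `permission.ordinal() <= this.permission.ordinal()`, so it depends on the declaration order of `GHPermissionType` in the github-api library, and `doFillPermissionItems` offers every constant of that enum as a threshold. If the enum carries a no-access constant (I believe it has `NONE`), selecting it makes the comparison true for every fork owner, which amounts to the Everyone strategy without its warning; `READ` on a public repository is probably no stricter. I would offer only thresholds that imply real access, e.g. `if (p != GHPermissionType.NONE) result.add(p.name());`, and compare through an explicit rank rather than `ordinal()`, with a comment stating that a lower ordinal currently means more privilege. The empty `catch (IOException e)` fails closed, which is the right default, but it should log the failure so an operator can tell an API or credentials error from a genuinely untrusted fork owner.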
@@ -842,6 +842,7 @@ protected final void retrieve(@CheckForNull SCMSourceCriteria criteria,
.newRequest(this, listener)) {
// populate the request with its data sources
request.setGitHub(github);
request.setRepository(ghRepository);
if (request.isFetchPRs()) {
request.setPullRequests(new LazyPullRequests(request, ghRepository));
}
@@ -43,6 +43,7 @@
import jenkins.scm.api.trait.SCMSourceRequest;
import org.kohsuke.github.GHBranch;
import org.kohsuke.github.GHPullRequest;
import org.kohsuke.github.GHRepository;
import org.kohsuke.github.GitHub;

/**
@@ -113,6 +114,11 @@ public class GitHubSCMSourceRequest extends SCMSourceRequest {
*/
@CheckForNull
private GitHub gitHub;
/**
* The repository.
*/
@CheckForNull
private GHRepository repository;

/**
* Constructor.
@@ -377,6 +383,24 @@ public void setGitHub(@CheckForNull GitHub gitHub) {
this.gitHub = gitHub;
}

/**
* Returns the {@link GHRepository}.
*
* @return the {@link GHRepository}.
*/
public GHRepository getRepository() {
return repository;
}

/**
* Sets the {@link GHRepository}.
*
* @param repository the {@link GHRepository}.
*/
public void setRepository(GHRepository repository) {
this.repository = repository;
}

/**
* {@inheritDoc}
*/
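Review bot: `getRepository()` returns a field declared `@CheckForNull`, but neither the getter nor `setRepository` carries that annotation, unlike `setGitHub(@CheckForNull GitHub gitHub)` at the top of this hunk. The new `TrustPermission.checkTrusted` calls `request.getRepository().getPermission(...)` with no null check and catches only `IOException`, so a request on which `setRepository` was never called would throw a `NullPointerException` during the trust decision instead of returning untrusted. I would annotate both, `@CheckForNull public GHRepository getRepository()` and `setRepository(@CheckForNull GHRepository repository)`, so static analysis flags the dereference and the caller is pushed to handle the null case by returning false. The rest of the class lies outside this hunk, so other callers of the getter could not be checked here.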
@@ -0,0 +1,6 @@
<?jelly escape-by-default='true'?>
<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form">
<f:entry title="${%Minimum permissions}" field="permission">
<f:select default="WRITE"/>
</f:entry>
</j:jelly>
@@ -0,0 +1,4 @@
<div>
The minimum effective permissions the owner of the pull request must have in order for the pull request to be trusted.
Typically you will want either <code>ADMIN</code> or <code>WRITE</code>.
</div>
@@ -21,7 +21,7 @@
<dd>
Pull requests from <a href="https://developer.github.com/v3/repos/collaborators/">collaborators</a>
to the origin repository will be treated as trusted, all other pull requests from fork repositories
will be treated as untrusted..
will be treated as untrusted.
Note that if credentials used by Jenkins for scanning the repository does not have permission to
query the list of contributors to the origin repository then only the origin account will be treated
as trusted - i.e. this will fall back to <code>Nobody</code>.
@@ -31,5 +31,13 @@
All pull requests from forks will be treated as trusted. <strong>NOTE:</strong> this option can be dangerous
if used on a public repository hosted on GitHub.
</dd>
<dt>Permissions</dt>
<dd>
Pull requests forks will be treated as trusted if the fork owner has the specified minimum permissions
against the origin repository.
Note that this strategy requires the
<a href="https://developer.github.com/v3/repos/collaborators/#review-a-users-permission-level">Review
a user's permission level</a> API.
</dd>
</dl>
</div>
@@ -1,6 +1,7 @@
BranchSCMHead.Pronoun=Branch

ForkPullRequestDiscoveryTrait.contributorsDisplayName=Contributors
ForkPullRequestDiscoveryTrait.permissionsDisplayName=Permissions
ForkPullRequestDiscoveryTrait.displayName=Discover pull requests from forks
ForkPullRequestDiscoveryTrait.everyoneDisplayName=Everyone
ForkPullRequestDiscoveryTrait.headAndMerge=Both the current pull request revision and the pull request merged with \
