Merge pull request #60 from pascal-hofmann/configurable-minimum-permi…

…ssions

Add configurable minimum permissions for triggers

src/main/java/com/adobe/jenkins/github_pr_comment_build/GithubHelper.java

@@ -7,6 +7,7 @@
 import jenkins.scm.api.SCMSource;
 import org.jenkinsci.plugins.github_branch_source.Connector;
 import org.jenkinsci.plugins.github_branch_source.GitHubSCMSource;
+import org.kohsuke.github.GHPermissionType;
 import org.kohsuke.github.GHRepository;
 import org.kohsuke.github.GitHub;
 import org.slf4j.LoggerFactory;
@@ -23,10 +24,28 @@ private GithubHelper() {
         // private
     }
 
-    public static boolean isAuthorized(final Job<?, ?> job, final String author) {
+    public static boolean isAuthorized(final Job<?, ?> job, final String author, String minimumPermissions) {
         try {
             GHRepository ghRepository = getGHRepository(job);
-            boolean authorized = ghRepository.getCollaboratorNames().contains(author);
+            GHPermissionType authorPermissions = ghRepository.getPermission(author);
+            boolean authorized = false;
+            switch (GHPermissionType.valueOf(minimumPermissions)) {
+                case NONE:
+                    authorized = true;
+                    break;
+                default: // break intentionally omitted
+                case WRITE:
+                    if(authorPermissions == GHPermissionType.WRITE || authorPermissions == GHPermissionType.ADMIN) {
+                        authorized = true;
+                    }
+                    break;
+                case ADMIN:
+                    if(authorPermissions == GHPermissionType.ADMIN) {
+                        authorized = true;
+                    }
+                    break;
+            }
+
             LOG.debug("User {} authorized: {}", author, authorized);
             return authorized;
         } catch (final IOException | IllegalArgumentException e) {

src/main/java/com/adobe/jenkins/github_pr_comment_build/IssueCommentGHEventSubscriber.java

@@ -149,7 +149,7 @@ protected void onEvent(GHEvent event, String payload) {
                                     propFound = true;
                                     TriggerPRCommentBranchProperty branchProp = (TriggerPRCommentBranchProperty)prop;
                                     String expectedCommentBody = branchProp.getCommentBody();
-                                    if (!branchProp.isAllowUntrusted() && !GithubHelper.isAuthorized(job, commentAuthor)) {
+                                    if (!GithubHelper.isAuthorized(job, commentAuthor, branchProp.getMinimumPermissions())) {
                                         continue;
                                     }
                                     Pattern pattern = Pattern.compile(expectedCommentBody,

src/main/java/com/adobe/jenkins/github_pr_comment_build/PRReviewGHEventSubscriber.java

@@ -120,7 +120,7 @@ protected void onEvent(GHEvent event, String payload) {
                                         continue;
                                     }
                                     TriggerPRReviewBranchProperty branchProp = (TriggerPRReviewBranchProperty)prop;
-                                    if (!branchProp.isAllowUntrusted() && !GithubHelper.isAuthorized(job, author)) {
+                                    if (!GithubHelper.isAuthorized(job, author, branchProp.getMinimumPermissions())) {
                                         continue;
                                     }
                                     propFound = true;

src/main/java/com/adobe/jenkins/github_pr_comment_build/PRUpdateGHEventSubscriber.java

@@ -135,7 +135,7 @@ protected void onEvent(GHEvent event, String payload) {
                                         continue;
                                     }
                                     TriggerPRUpdateBranchProperty branchProp = (TriggerPRUpdateBranchProperty)prop;
-                                    if (!branchProp.isAllowUntrusted() && !GithubHelper.isAuthorized(job, author)) {
+                                    if (!GithubHelper.isAuthorized(job, author, branchProp.getMinimumPermissions())) {
                                         continue;
                                     }
                                     propFound = true;

src/main/java/com/adobe/jenkins/github_pr_comment_build/TriggerBranchProperty.java

@@ -0,0 +1,44 @@
+package com.adobe.jenkins.github_pr_comment_build;
+
+import hudson.model.Job;
+import hudson.model.Run;
+import jenkins.branch.BranchProperty;
+import jenkins.branch.JobDecorator;
+import org.kohsuke.stapler.DataBoundSetter;
+
+/**
+ * Common parts of TriggerPR*BranchProperty classes
+ */
+abstract public class TriggerBranchProperty extends BranchProperty {
+    protected boolean allowUntrusted;
+    protected String minimumPermissions;
+
+    @Deprecated
+    public boolean isAllowUntrusted() {
+        return allowUntrusted;
+    }
+
+    @DataBoundSetter
+    @Deprecated
+    public void setAllowUntrusted(boolean allowUntrusted) {
+        this.allowUntrusted = allowUntrusted;
+    }
+
+    @DataBoundSetter
+    public void setMinimumPermissions(String minimumPermissions) {
+        this.minimumPermissions = minimumPermissions;
+    }
+
+    public String getMinimumPermissions() {
+        if (minimumPermissions == null || minimumPermissions.isEmpty()) {
+            return this.allowUntrusted ? "NONE" : "WRITE";
+        }
+        return minimumPermissions;
+    }
+
+    @Override
+    public <P extends Job<P, B>, B extends Run<P, B>> JobDecorator<P, B> jobDecorator(Class<P> clazz) {
+        return null;
+    }
+}
+

src/main/java/com/adobe/jenkins/github_pr_comment_build/TriggerBranchPropertyDescriptorImpl.java

@@ -0,0 +1,28 @@
+package com.adobe.jenkins.github_pr_comment_build;
+
+import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.util.ListBoxModel;
+import jenkins.branch.BranchPropertyDescriptor;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
+import org.kohsuke.github.GHPermissionType;
+
+abstract public class TriggerBranchPropertyDescriptorImpl extends BranchPropertyDescriptor {
+
+    /**
+     * Populates the minimum permissions options.
+     *
+     * @return the minimum permissions options.
+     */
+    @NonNull
+    @Restricted(NoExternalUse.class)
+    @SuppressWarnings("unused") // stapler
+    public ListBoxModel doFillMinimumPermissionsItems() {
+        ListBoxModel result = new ListBoxModel();
+        result.add("Only users with admin permission", String.valueOf(GHPermissionType.ADMIN));
+        result.add("Only users that can push to the repository", String.valueOf(GHPermissionType.WRITE));
+        result.add("Allow untrusted users to trigger the build", String.valueOf(GHPermissionType.NONE));
+        return result;
+    }
+
+}

src/main/java/com/adobe/jenkins/github_pr_comment_build/TriggerPRCommentBranchProperty.java

@@ -1,23 +1,16 @@
 package com.adobe.jenkins.github_pr_comment_build;
 
 import hudson.Extension;
-import hudson.model.Job;
-import hudson.model.Run;
-import jenkins.branch.BranchProperty;
-import jenkins.branch.BranchPropertyDescriptor;
-import jenkins.branch.JobDecorator;
 import org.kohsuke.stapler.DataBoundConstructor;
-import org.kohsuke.stapler.DataBoundSetter;
 
 /**
  * Allows a GitHub pull request comment to trigger an immediate build based on a comment string.
  */
-public class TriggerPRCommentBranchProperty extends BranchProperty {
+public class TriggerPRCommentBranchProperty extends TriggerBranchProperty {
     /**
      * The comment body to trigger a new build on.
      */
     private final String commentBody;
-    private boolean allowUntrusted;
 
     /**
      * Constructor.
@@ -39,27 +32,12 @@ public String getCommentBody() {
         return commentBody;
     }
 
-    public boolean isAllowUntrusted() {
-        return allowUntrusted;
-    }
-
-    @DataBoundSetter
-    public void setAllowUntrusted(boolean allowUntrusted) {
-        this.allowUntrusted = allowUntrusted;
-    }
-
-    @Override
-    public <P extends Job<P, B>, B extends Run<P, B>> JobDecorator<P, B> jobDecorator(Class<P> clazz) {
-        return null;
-    }
-
     @Extension
-    public static class DescriptorImpl extends BranchPropertyDescriptor {
+    public static class DescriptorImpl extends TriggerBranchPropertyDescriptorImpl {
 
         @Override
         public String getDisplayName() {
             return Messages.TriggerPRCommentBranchProperty_trigger_on_pull_request_comment();
         }
-
     }
 }

src/main/java/com/adobe/jenkins/github_pr_comment_build/TriggerPRReviewBranchProperty.java

@@ -1,47 +1,25 @@
 package com.adobe.jenkins.github_pr_comment_build;
 
 import hudson.Extension;
-import hudson.model.Job;
-import hudson.model.Run;
-import jenkins.branch.BranchProperty;
-import jenkins.branch.BranchPropertyDescriptor;
-import jenkins.branch.JobDecorator;
 import org.kohsuke.stapler.DataBoundConstructor;
-import org.kohsuke.stapler.DataBoundSetter;
 
 /**
  * Allows a GitHub pull request update to trigger an immediate build.
  */
-public class TriggerPRReviewBranchProperty extends BranchProperty {
-    private boolean allowUntrusted;
+public class TriggerPRReviewBranchProperty extends TriggerBranchProperty {
 
     /**
      * Constructor.
      */
     @DataBoundConstructor
-    public TriggerPRReviewBranchProperty() { }
-
-    public boolean isAllowUntrusted() {
-        return allowUntrusted;
-    }
-
-    @DataBoundSetter
-    public void setAllowUntrusted(boolean allowUntrusted) {
-        this.allowUntrusted = allowUntrusted;
-    }
-
-    @Override
-    public <P extends Job<P, B>, B extends Run<P, B>> JobDecorator<P, B> jobDecorator(Class<P> clazz) {
-        return null;
-    }
+    public TriggerPRReviewBranchProperty() {}
 
     @Extension
-    public static class DescriptorImpl extends BranchPropertyDescriptor {
+    public static class DescriptorImpl extends TriggerBranchPropertyDescriptorImpl {
 
         @Override
         public String getDisplayName() {
             return Messages.TriggerPRReviewBranchProperty_trigger_on_pull_request_review();
         }
-
     }
-}
+}

src/main/java/com/adobe/jenkins/github_pr_comment_build/TriggerPRUpdateBranchProperty.java

@@ -1,47 +1,25 @@
 package com.adobe.jenkins.github_pr_comment_build;
 
 import hudson.Extension;
-import hudson.model.Job;
-import hudson.model.Run;
-import jenkins.branch.BranchProperty;
-import jenkins.branch.BranchPropertyDescriptor;
-import jenkins.branch.JobDecorator;
 import org.kohsuke.stapler.DataBoundConstructor;
-import org.kohsuke.stapler.DataBoundSetter;
 
 /**
  * Allows a GitHub pull request update to trigger an immediate build.
  */
-public class TriggerPRUpdateBranchProperty extends BranchProperty {
-    private boolean allowUntrusted;
+public class TriggerPRUpdateBranchProperty extends TriggerBranchProperty {
 
     /**
      * Constructor.
      */
     @DataBoundConstructor
-    public TriggerPRUpdateBranchProperty() { }
-
-    public boolean isAllowUntrusted() {
-        return allowUntrusted;
-    }
-
-    @DataBoundSetter
-    public void setAllowUntrusted(boolean allowUntrusted) {
-        this.allowUntrusted = allowUntrusted;
-    }
-
-    @Override
-    public <P extends Job<P, B>, B extends Run<P, B>> JobDecorator<P, B> jobDecorator(Class<P> clazz) {
-        return null;
-    }
+    public TriggerPRUpdateBranchProperty() {}
 
     @Extension
-    public static class DescriptorImpl extends BranchPropertyDescriptor {
+    public static class DescriptorImpl extends TriggerBranchPropertyDescriptorImpl {
 
         @Override
         public String getDisplayName() {
             return Messages.TriggerPRUpdateBranchProperty_trigger_on_pull_request_update();
         }
-
     }
 }

src/main/resources/com/adobe/jenkins/github_pr_comment_build/TriggerPRCommentBranchProperty/config.jelly

@@ -5,7 +5,7 @@
     <f:entry title="Comment Body" field="commentBody">
         <f:textbox />
     </f:entry>
-    <f:entry title="Allow untrusted users to trigger the build" field="allowUntrusted">
-        <f:checkbox default="false"/>
+    <f:entry field="minimumPermissions" title="Minimum Permissions on repository to trigger the build">
+        <f:select default="WRITE" />
     </f:entry>
 </j:jelly>

src/main/resources/com/adobe/jenkins/github_pr_comment_build/TriggerPRCommentBranchProperty/help-commentBody.html

@@ -1,4 +1,4 @@
 <div>
     The comment body to trigger a new build for a PR job when it is received. This is compiled as a
-    case insensitive regular expression, so use ".*" to trigger a build on any comment whatsoever.
+    case-insensitive regular expression, so use ".*" to trigger a build on any comment whatsoever.
 </div>

src/main/resources/com/adobe/jenkins/github_pr_comment_build/TriggerPRReviewBranchProperty/config.jelly

@@ -2,7 +2,7 @@
 
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
-    <f:entry title="Allow untrusted users to trigger the build" field="allowUntrusted">
-        <f:checkbox default="false"/>
+    <f:entry field="minimumPermissions" title="Minimum Permissions on repository to trigger the build">
+        <f:select default="WRITE" />
     </f:entry>
 </j:jelly>

src/main/resources/com/adobe/jenkins/github_pr_comment_build/TriggerPRUpdateBranchProperty/config.jelly

@@ -2,7 +2,7 @@
 
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
-    <f:entry title="Allow untrusted users to trigger the build" field="allowUntrusted">
-        <f:checkbox default="false"/>
+    <f:entry field="minimumPermissions" title="Minimum Permissions on repository to trigger the build">
+        <f:select default="WRITE" />
     </f:entry>
 </j:jelly>