[SECURITY-2593]

jenkinsci · Jul 26, 2022 · 3b38d76 · 3b38d76
1 parent db858fd
commit 3b38d76
Show file tree

Hide file tree

Showing 12 changed files with 46 additions and 18 deletions.
diff --git a/...n/java/com/datapipe/jenkins/vault/credentials/common/VaultCertificateCredentialsImpl.java b/...n/java/com/datapipe/jenkins/vault/credentials/common/VaultCertificateCredentialsImpl.java
@@ -22,6 +22,7 @@
 import java.util.logging.LogRecord;
 import java.util.logging.Logger;
 import java.util.regex.Pattern;
+import jenkins.model.Jenkins;
 import org.kohsuke.stapler.AncestorInPath;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.DataBoundSetter;
@@ -145,6 +146,8 @@ public FormValidation doTestConnection(
                                     @QueryParameter("namespace") String namespace,
                                     @QueryParameter("engineVersion") Integer engineVersion) {
 
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
+
             try {
                 getVaultSecretKey(path, defaultIfBlank(keyStoreKey, DEFAULT_KEYSTORE_KEY), prefixPath, namespace, engineVersion, context);
             } catch (Exception e) {

diff --git a/src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultFileCredentialImpl.java b/src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultFileCredentialImpl.java
@@ -12,6 +12,7 @@
 import java.nio.charset.StandardCharsets;
 import java.util.Map;
 import java.util.UUID;
+import jenkins.model.Jenkins;
 import net.sf.json.JSONObject;
 import org.kohsuke.stapler.AncestorInPath;
 import org.kohsuke.stapler.DataBoundConstructor;
@@ -97,6 +98,7 @@ public FormValidation doTestConnection(
             @QueryParameter("namespace") String namespace,
             @QueryParameter("engineVersion") Integer engineVersion) {
 
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
 
             String okMessage = "Successfully retrieved secret " + path;
 

diff --git a/src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultGCRLoginImpl.java b/src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultGCRLoginImpl.java
@@ -10,6 +10,7 @@
 import hudson.util.Secret;
 import java.util.Map;
 import java.util.logging.Logger;
+import jenkins.model.Jenkins;
 import net.sf.json.JSONObject;
 import org.kohsuke.stapler.AncestorInPath;
 import org.kohsuke.stapler.DataBoundConstructor;
@@ -64,6 +65,7 @@ public FormValidation doTestConnection(
             @QueryParameter("namespace") String namespace,
             @QueryParameter("engineVersion") Integer engineVersion) {
 
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
 
             String okMessage = "Successfully retrieved secret " + path;
 

diff --git a/src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultSSHUserPrivateKeyImpl.java b/src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultSSHUserPrivateKeyImpl.java
@@ -11,6 +11,7 @@
 import java.util.Collections;
 import java.util.List;
 import java.util.logging.Logger;
+import jenkins.model.Jenkins;
 import org.kohsuke.stapler.AncestorInPath;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.DataBoundSetter;
@@ -122,6 +123,8 @@ public FormValidation doTestConnection(
             @QueryParameter("namespace") String namespace,
             @QueryParameter("engineVersion") Integer engineVersion) {
 
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
+
             String username;
             try {
                 username = getVaultSecretKey(path, defaultIfBlank(usernameKey, DEFAULT_USERNAME_KEY), prefixPath, namespace, engineVersion, context);

diff --git a/src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultStringCredentialImpl.java b/src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultStringCredentialImpl.java
@@ -8,6 +8,7 @@
 import hudson.util.FormValidation;
 import hudson.util.ListBoxModel;
 import hudson.util.Secret;
+import jenkins.model.Jenkins;
 import org.kohsuke.stapler.AncestorInPath;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.DataBoundSetter;
@@ -64,6 +65,8 @@ public FormValidation doTestConnection(
             @QueryParameter("namespace") String namespace,
             @QueryParameter("engineVersion") Integer engineVersion) {
 
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
+
             try {
                 getVaultSecretKey(path, defaultIfBlank(vaultKey, DEFAULT_VAULT_KEY), prefixPath, namespace, engineVersion, context);
             } catch (Exception e) {

diff --git a/...va/com/datapipe/jenkins/vault/credentials/common/VaultUsernamePasswordCredentialImpl.java b/...va/com/datapipe/jenkins/vault/credentials/common/VaultUsernamePasswordCredentialImpl.java
@@ -8,6 +8,7 @@
 import hudson.util.FormValidation;
 import hudson.util.ListBoxModel;
 import hudson.util.Secret;
+import jenkins.model.Jenkins;
 import org.kohsuke.stapler.AncestorInPath;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.DataBoundSetter;
@@ -87,6 +88,8 @@ public FormValidation doTestConnection(
             @QueryParameter("namespace") String namespace,
             @QueryParameter("engineVersion") Integer engineVersion) {
 
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
+
             String username = null;
             try {
                 username = getVaultSecretKey(path, defaultIfBlank(usernameKey, DEFAULT_USERNAME_KEY), prefixPath, namespace, engineVersion, context);

diff --git a/...tapipe/jenkins/vault/credentials/common/VaultCertificateCredentialsImpl/credentials.jelly b/...tapipe/jenkins/vault/credentials/common/VaultCertificateCredentialsImpl/credentials.jelly
@@ -1,6 +1,6 @@
 <?jelly escape-by-default='true'?>
 
-<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form" xmlns:st="jelly:stapler">
+<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form" xmlns:l="/lib/layout" xmlns:st="jelly:stapler">
   <f:entry title="${%Namespace}" field="namespace">
     <f:textbox/>
   </f:entry>
@@ -21,7 +21,9 @@
   </f:entry>
   <st:include page="id-and-description" class="${descriptor.clazz}"/>
 
-  <f:validateButton title="${%Test Vault Secrets retrieval}" progress="${%Testing retrieval of certificate...}"
-		method="testConnection" with="path,keyStoreKey,passwordKey,prefixPath,namespace,engineVersion" />
+  <l:isAdmin>
+    <f:validateButton title="${%Test Vault Secrets retrieval}" progress="${%Testing retrieval of certificate...}"
+		  method="testConnection" with="path,keyStoreKey,passwordKey,prefixPath,namespace,engineVersion" />
+  </l:isAdmin>
 
 </j:jelly>
diff --git a/...s/com/datapipe/jenkins/vault/credentials/common/VaultFileCredentialImpl/credentials.jelly b/...s/com/datapipe/jenkins/vault/credentials/common/VaultFileCredentialImpl/credentials.jelly
@@ -1,6 +1,6 @@
 <?jelly escape-by-default='true'?>
 
-<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form" xmlns:st="jelly:stapler">
+<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form" xmlns:l="/lib/layout" xmlns:st="jelly:stapler">
   <f:entry title="${%Namespace}" field="namespace">
     <f:textbox/>
   </f:entry>
@@ -24,7 +24,9 @@
   </f:entry>
   <st:include page="id-and-description" class="${descriptor.clazz}"/>
 
-  <f:validateButton title="${%Test Vault Secrets retrieval}" progress="${%Testing retrieval of key...}"
-    method="testConnection" with="path,useKey,vaultKey,prefixPath,namespace,engineVersion" />
+  <l:isAdmin>
+    <f:validateButton title="${%Test Vault Secrets retrieval}" progress="${%Testing retrieval of key...}"
+      method="testConnection" with="path,useKey,vaultKey,prefixPath,namespace,engineVersion" />
+  </l:isAdmin>
 
 </j:jelly>
diff --git a/...sources/com/datapipe/jenkins/vault/credentials/common/VaultGCRLoginImpl/credentials.jelly b/...sources/com/datapipe/jenkins/vault/credentials/common/VaultGCRLoginImpl/credentials.jelly
@@ -1,6 +1,6 @@
 <?jelly escape-by-default='true'?>
 
-<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form" xmlns:st="jelly:stapler">
+<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form" xmlns:l="/lib/layout" xmlns:st="jelly:stapler">
   <f:entry title="${%Namespace}" field="namespace">
     <f:textbox/>
   </f:entry>
@@ -15,7 +15,9 @@
   </f:entry>
   <st:include page="id-and-description" class="${descriptor.clazz}"/>
 
-  <f:validateButton title="${%Test Vault Secrets retrieval}" progress="${%Testing retrieval of key...}"
-    method="testConnection" with="path,prefixPath,namespace,engineVersion" />
+  <l:isAdmin>
+    <f:validateButton title="${%Test Vault Secrets retrieval}" progress="${%Testing retrieval of key...}"
+      method="testConnection" with="path,prefixPath,namespace,engineVersion" />
+  </l:isAdmin>
 
 </j:jelly>
diff --git a/...om/datapipe/jenkins/vault/credentials/common/VaultSSHUserPrivateKeyImpl/credentials.jelly b/...om/datapipe/jenkins/vault/credentials/common/VaultSSHUserPrivateKeyImpl/credentials.jelly
@@ -1,6 +1,6 @@
 <?jelly escape-by-default='true'?>
 
-<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form" xmlns:st="jelly:stapler">
+<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form" xmlns:l="/lib/layout" xmlns:st="jelly:stapler">
   <f:entry title="${%Namespace}" field="namespace">
     <f:textbox/>
   </f:entry>
@@ -24,7 +24,9 @@
   </f:entry>
   <st:include page="id-and-description" class="${descriptor.clazz}"/>
 
-  <f:validateButton title="${%Test Vault Secrets retrieval}" progress="${%Testing retrieval of username key...}"
-		method="testConnection" with="path,usernameKey,privateKeyKey,passphraseKey,prefixPath,namespace,engineVersion" />
+  <l:isAdmin>
+    <f:validateButton title="${%Test Vault Secrets retrieval}" progress="${%Testing retrieval of username key...}"
+      method="testConnection" with="path,usernameKey,privateKeyKey,passphraseKey,prefixPath,namespace,engineVersion" />
+  </l:isAdmin>
 
 </j:jelly>
diff --git a/...com/datapipe/jenkins/vault/credentials/common/VaultStringCredentialImpl/credentials.jelly b/...com/datapipe/jenkins/vault/credentials/common/VaultStringCredentialImpl/credentials.jelly
@@ -1,6 +1,6 @@
 <?jelly escape-by-default='true'?>
 
-<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form" xmlns:st="jelly:stapler">
+<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form" xmlns:l="/lib/layout" xmlns:st="jelly:stapler">
   <f:entry title="${%Namespace}" field="namespace">
     <f:textbox/>
   </f:entry>
@@ -18,7 +18,9 @@
   </f:entry>
   <st:include page="id-and-description" class="${descriptor.clazz}"/>
 
-  <f:validateButton title="${%Test Vault Secrets retrieval}" progress="${%Testing retrieval of key...}"
-		method="testConnection" with="path,vaultKey,prefixPath,namespace,engineVersion" />
+  <l:isAdmin>
+    <f:validateButton title="${%Test Vault Secrets retrieval}" progress="${%Testing retrieval of key...}"
+		  method="testConnection" with="path,vaultKey,prefixPath,namespace,engineVersion" />
+  </l:isAdmin>
 
 </j:jelly>
diff --git a/...pe/jenkins/vault/credentials/common/VaultUsernamePasswordCredentialImpl/credentials.jelly b/...pe/jenkins/vault/credentials/common/VaultUsernamePasswordCredentialImpl/credentials.jelly
@@ -1,6 +1,6 @@
 <?jelly escape-by-default='true'?>
 
-<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form" xmlns:st="jelly:stapler">
+<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form" xmlns:l="/lib/layout" xmlns:st="jelly:stapler">
   <f:entry title="${%Namespace}" field="namespace">
     <f:textbox/>
   </f:entry>
@@ -21,7 +21,9 @@
   </f:entry>
   <st:include page="id-and-description" class="${descriptor.clazz}"/>
 
-  <f:validateButton title="${%Test Vault Secrets retrieval}" progress="${%Testing retrieval of username key...}"
-		method="testConnection" with="path,usernameKey,passwordKey,prefixPath,namespace,engineVersion" />
+  <l:isAdmin>
+    <f:validateButton title="${%Test Vault Secrets retrieval}" progress="${%Testing retrieval of username key...}"
+      method="testConnection" with="path,usernameKey,passwordKey,prefixPath,namespace,engineVersion" />
+  </l:isAdmin>
 
 </j:jelly>