From 3b38d767aba8bd98d6f4fb53c1f1678d95b5e752 Mon Sep 17 00:00:00 2001
From: Joseph Petersen
Date: Tue, 26 Jul 2022 12:24:27 +0200
Subject: [PATCH] [SECURITY-2593]

---
 .../common/VaultCertificateCredentialsImpl.java | 3 +++
 .../vault/credentials/common/VaultFileCredentialImpl.java | 2 ++
 .../vault/credentials/common/VaultGCRLoginImpl.java | 2 ++
 .../credentials/common/VaultSSHUserPrivateKeyImpl.java | 3 +++
 .../credentials/common/VaultStringCredentialImpl.java | 3 +++
 .../common/VaultUsernamePasswordCredentialImpl.java | 3 +++
 .../VaultCertificateCredentialsImpl/credentials.jelly | 8 +++++---
 .../common/VaultFileCredentialImpl/credentials.jelly | 8 +++++---
 .../common/VaultGCRLoginImpl/credentials.jelly | 8 +++++---
 .../common/VaultSSHUserPrivateKeyImpl/credentials.jelly | 8 +++++---
 .../common/VaultStringCredentialImpl/credentials.jelly | 8 +++++---
 .../VaultUsernamePasswordCredentialImpl/credentials.jelly | 8 +++++---
 12 files changed, 46 insertions(+), 18 deletions(-)

diff --git a/src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultCertificateCredentialsImpl.java b/src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultCertificateCredentialsImpl.java
index d9c6650e..97f099c3 100644
--- a/src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultCertificateCredentialsImpl.java
+++ b/src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultCertificateCredentialsImpl.java
@@ -22,6 +22,7 @@
 import java.util.logging.LogRecord;
 import java.util.logging.Logger;
 import java.util.regex.Pattern;
+import jenkins.model.Jenkins;
 import org.kohsuke.stapler.AncestorInPath;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.DataBoundSetter;
@@ -145,6 +146,8 @@ public FormValidation doTestConnection( @QueryParameter("namespace") String namespace, @QueryParameter("engineVersion") Integer engineVersion) { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); + try { getVaultSecretKey(path, defaultIfBlank(keyStoreKey, DEFAULT_KEYSTORE_KEY), prefixPath, namespace, engineVersion, context); } catch (Exception e) { diff --git a/src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultFileCredentialImpl.java b/src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultFileCredentialImpl.java index 9fd29b89..b38def70 100644 --- a/src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultFileCredentialImpl.java +++ b/src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultFileCredentialImpl.java @@ -12,6 +12,7 @@ import java.nio.charset.StandardCharsets; import java.util.Map; import java.util.UUID; +import jenkins.model.Jenkins; import net.sf.json.JSONObject; import org.kohsuke.stapler.AncestorInPath; import org.kohsuke.stapler.DataBoundConstructor; @@ -97,6 +98,7 @@ public FormValidation doTestConnection( @QueryParameter("namespace") String namespace, @QueryParameter("engineVersion") Integer engineVersion) { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); String okMessage = "Successfully retrieved secret " + path; diff --git a/src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultGCRLoginImpl.java b/src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultGCRLoginImpl.java index 1621c9e4..8edf69f9 100644 --- a/src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultGCRLoginImpl.java +++ b/src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultGCRLoginImpl.java @@ -10,6 +10,7 @@ import hudson.util.Secret; import java.util.Map; import java.util.logging.Logger; +import jenkins.model.Jenkins; import net.sf.json.JSONObject; import org.kohsuke.stapler.AncestorInPath; import org.kohsuke.stapler.DataBoundConstructor; 
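Review bot: The new `Jenkins.get().checkPermission(Jenkins.ADMINISTER);` in doTestConnection demands global Overall/Administer even though the endpoint already receives an item-group `context` (it is passed on to getVaultSecretKey), so users who may only configure credentials inside a folder will now get an access-denied error from the Test Connection button; the same line is added in VaultFileCredentialImpl, VaultGCRLoginImpl, VaultSSHUserPrivateKeyImpl, VaultStringCredentialImpl and VaultUsernamePasswordCredentialImpl. If folder-scoped credentials are meant to remain testable, the usual pattern is to check a credentials permission (e.g. CredentialsProvider.UPDATE) on `context` when it is non-null and fall back to ADMINISTER only for the global context; if restricting the button to administrators is the intent, record it with a one-line comment such as `// SECURITY-2593: this handler queries Vault with the server-side Vault credentials, so only administrators may trigger it`. Because the handler performs an outbound request to Vault, it should also be reachable only via POST; the method declaration (`public FormValidation doTestConnection(`) and the rest of its body lie outside the hunk, so if `@RequirePOST` is not already on the declaration it should be added. The jelly files in this patch are not readable in this view, so whether the UI hides the button consistently with the new check could not be confirmed.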
@@ -64,6 +65,7 @@ public FormValidation doTestConnection( @QueryParameter("namespace") String namespace, @QueryParameter("engineVersion") Integer engineVersion) { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); String okMessage = "Successfully retrieved secret " + path; diff --git a/src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultSSHUserPrivateKeyImpl.java b/src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultSSHUserPrivateKeyImpl.java index 3f263cf4..100b8ac7 100644 --- a/src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultSSHUserPrivateKeyImpl.java +++ b/src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultSSHUserPrivateKeyImpl.java @@ -11,6 +11,7 @@ import java.util.Collections; import java.util.List; import java.util.logging.Logger; +import jenkins.model.Jenkins; import org.kohsuke.stapler.AncestorInPath; import org.kohsuke.stapler.DataBoundConstructor; import org.kohsuke.stapler.DataBoundSetter; @@ -122,6 +123,8 @@ public FormValidation doTestConnection( @QueryParameter("namespace") String namespace, @QueryParameter("engineVersion") Integer engineVersion) { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); + String username; try { username = getVaultSecretKey(path, defaultIfBlank(usernameKey, DEFAULT_USERNAME_KEY), prefixPath, namespace, engineVersion, context); diff --git a/src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultStringCredentialImpl.java b/src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultStringCredentialImpl.java index 398197a4..e00e27f3 100644 --- a/src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultStringCredentialImpl.java +++ b/src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultStringCredentialImpl.java 
@@ -8,6 +8,7 @@ import hudson.util.FormValidation; import hudson.util.ListBoxModel; import hudson.util.Secret; +import jenkins.model.Jenkins; import org.kohsuke.stapler.AncestorInPath; import org.kohsuke.stapler.DataBoundConstructor; import org.kohsuke.stapler.DataBoundSetter; @@ -64,6 +65,8 @@ public FormValidation doTestConnection( @QueryParameter("namespace") String namespace, @QueryParameter("engineVersion") Integer engineVersion) { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); + try { getVaultSecretKey(path, defaultIfBlank(vaultKey, DEFAULT_VAULT_KEY), prefixPath, namespace, engineVersion, context); } catch (Exception e) { diff --git a/src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultUsernamePasswordCredentialImpl.java b/src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultUsernamePasswordCredentialImpl.java index 476e9131..9fab81d1 100644 --- a/src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultUsernamePasswordCredentialImpl.java +++ b/src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultUsernamePasswordCredentialImpl.java @@ -8,6 +8,7 @@ import hudson.util.FormValidation; import hudson.util.ListBoxModel; import hudson.util.Secret; +import jenkins.model.Jenkins; import org.kohsuke.stapler.AncestorInPath; import org.kohsuke.stapler.DataBoundConstructor; import org.kohsuke.stapler.DataBoundSetter; @@ -87,6 +88,8 @@ public FormValidation doTestConnection( @QueryParameter("namespace") String namespace, @QueryParameter("engineVersion") Integer engineVersion) { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); + String username = null; try { username = getVaultSecretKey(path, defaultIfBlank(usernameKey, DEFAULT_USERNAME_KEY), prefixPath, namespace, engineVersion, context); 
diff --git a/src/main/resources/com/datapipe/jenkins/vault/credentials/common/VaultCertificateCredentialsImpl/credentials.jelly b/src/main/resources/com/datapipe/jenkins/vault/credentials/common/VaultCertificateCredentialsImpl/credentials.jelly index d295d82c..64648d8e 100644 --- a/src/main/resources/com/datapipe/jenkins/vault/credentials/common/VaultCertificateCredentialsImpl/credentials.jelly +++ b/src/main/resources/com/datapipe/jenkins/vault/credentials/common/VaultCertificateCredentialsImpl/credentials.jelly @@ -1,6 +1,6 @@ - + @@ -21,7 +21,9 @@ - + + + diff --git a/src/main/resources/com/datapipe/jenkins/vault/credentials/common/VaultFileCredentialImpl/credentials.jelly b/src/main/resources/com/datapipe/jenkins/vault/credentials/common/VaultFileCredentialImpl/credentials.jelly index 41471d0a..5602fcee 100644 --- a/src/main/resources/com/datapipe/jenkins/vault/credentials/common/VaultFileCredentialImpl/credentials.jelly +++ b/src/main/resources/com/datapipe/jenkins/vault/credentials/common/VaultFileCredentialImpl/credentials.jelly @@ -1,6 +1,6 @@ - + @@ -24,7 +24,9 @@ - + + + diff --git a/src/main/resources/com/datapipe/jenkins/vault/credentials/common/VaultGCRLoginImpl/credentials.jelly b/src/main/resources/com/datapipe/jenkins/vault/credentials/common/VaultGCRLoginImpl/credentials.jelly index 8979fd05..06e0580c 100644 --- a/src/main/resources/com/datapipe/jenkins/vault/credentials/common/VaultGCRLoginImpl/credentials.jelly +++ b/src/main/resources/com/datapipe/jenkins/vault/credentials/common/VaultGCRLoginImpl/credentials.jelly @@ -1,6 +1,6 @@ - + @@ -15,7 +15,9 @@ - + + + diff --git a/src/main/resources/com/datapipe/jenkins/vault/credentials/common/VaultSSHUserPrivateKeyImpl/credentials.jelly b/src/main/resources/com/datapipe/jenkins/vault/credentials/common/VaultSSHUserPrivateKeyImpl/credentials.jelly index 5dc0b8d9..8ba562ac 100644 --- a/src/main/resources/com/datapipe/jenkins/vault/credentials/common/VaultSSHUserPrivateKeyImpl/credentials.jelly 
+++ b/src/main/resources/com/datapipe/jenkins/vault/credentials/common/VaultSSHUserPrivateKeyImpl/credentials.jelly @@ -1,6 +1,6 @@ - + @@ -24,7 +24,9 @@ - + + + diff --git a/src/main/resources/com/datapipe/jenkins/vault/credentials/common/VaultStringCredentialImpl/credentials.jelly b/src/main/resources/com/datapipe/jenkins/vault/credentials/common/VaultStringCredentialImpl/credentials.jelly index 305a5c61..d002762b 100644 --- a/src/main/resources/com/datapipe/jenkins/vault/credentials/common/VaultStringCredentialImpl/credentials.jelly +++ b/src/main/resources/com/datapipe/jenkins/vault/credentials/common/VaultStringCredentialImpl/credentials.jelly @@ -1,6 +1,6 @@ - + @@ -18,7 +18,9 @@ - + + + diff --git a/src/main/resources/com/datapipe/jenkins/vault/credentials/common/VaultUsernamePasswordCredentialImpl/credentials.jelly b/src/main/resources/com/datapipe/jenkins/vault/credentials/common/VaultUsernamePasswordCredentialImpl/credentials.jelly index 2c529eb5..50aa3207 100644 --- a/src/main/resources/com/datapipe/jenkins/vault/credentials/common/VaultUsernamePasswordCredentialImpl/credentials.jelly +++ b/src/main/resources/com/datapipe/jenkins/vault/credentials/common/VaultUsernamePasswordCredentialImpl/credentials.jelly @@ -1,6 +1,6 @@ - + @@ -21,7 +21,9 @@ - + + +