From 0e51e36023d0533f099226ba7a0035dae7b02a84 Mon Sep 17 00:00:00 2001
From: Antonio Muniz
Date: Fri, 16 Feb 2018 20:08:31 +0100
Subject: [PATCH] [JENKINS-49044] Apply visibility filters to SecurityRealm and AuthorizationStrategy (#3246)
* [JENKINS-49044] Honor DescriptorVisibilityFilter for SecurityRealm and AuthorizationStrategy
* [JENKINS-49044] The test
---
 .../GlobalSecurityConfiguration/index.groovy | 4 +-
 .../model/DescriptorVisibilityFilterTest.java | 70 +++++++++++++++++++
 2 files changed, 72 insertions(+), 2 deletions(-)
diff --git a/core/src/main/resources/hudson/security/GlobalSecurityConfiguration/index.groovy b/core/src/main/resources/hudson/security/GlobalSecurityConfiguration/index.groovy
index 9d1b0917e9fc..e7fe82bba4f8 100644
--- a/core/src/main/resources/hudson/security/GlobalSecurityConfiguration/index.groovy
+++ b/core/src/main/resources/hudson/security/GlobalSecurityConfiguration/index.groovy
@@ -32,8 +32,8 @@ l.layout(norefresh:true, permission:app.ADMINISTER, title:my.displayName, csscla
 f.entry(title:_("Access Control")) {
 table(style:"width:100%") {
- f.descriptorRadioList(title:_("Security Realm"),varName:"realm", instance:app.securityRealm, descriptors:SecurityRealm.all())
- f.descriptorRadioList(title:_("Authorization"), varName:"authorization", instance:app.authorizationStrategy, descriptors:AuthorizationStrategy.all())
+ f.descriptorRadioList(title:_("Security Realm"),varName:"realm", instance:app.securityRealm, descriptors:h.filterDescriptors(app, SecurityRealm.all()))
+ f.descriptorRadioList(title:_("Authorization"), varName:"authorization", instance:app.authorizationStrategy, descriptors:h.filterDescriptors(app, AuthorizationStrategy.all()))
 }
 }
 }
diff --git a/test/src/test/java/hudson/model/DescriptorVisibilityFilterTest.java b/test/src/test/java/hudson/model/DescriptorVisibilityFilterTest.java
index dfbc4ea1c2bf..727ddbc4079e 100644
--- a/test/src/test/java/hudson/model/DescriptorVisibilityFilterTest.java
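Review bot: The filtering on the two `f.descriptorRadioList` lines is presentation-only: it decides which radio options this view renders, while the code that binds the submitted form is not part of this patch, so a realm or strategy hidden here may still be accepted on submit. If the filter is meant as a restriction rather than a UI convenience, the same filtering is needed on the server side; otherwise state the limit next to the calls, e.g. `// DescriptorVisibilityFilter only hides options in this form; it is not an access control on what can be configured.` A second case to check is the active `app.securityRealm` or `app.authorizationStrategy` being filtered out itself: the list may then render with nothing preselected, and saving the page could replace the current setting unnoticed. The test added in this patch only asserts that the two display names are absent from the rendered `configureSecurity` page, so neither case is covered.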
+++ b/test/src/test/java/hudson/model/DescriptorVisibilityFilterTest.java
@@ -8,13 +8,22 @@ import static org.junit.Assert.*;
 import com.gargoylesoftware.htmlunit.html.HtmlPage;
+import hudson.Extension;
+import hudson.security.ACL;
+import hudson.security.AuthorizationStrategy;
+import hudson.security.SecurityRealm;
 import org.junit.Rule;
 import org.junit.Test;
 import org.jvnet.hudson.test.Issue;
 import org.jvnet.hudson.test.JenkinsRule;
 import org.jvnet.hudson.test.LoggerRule;
 import org.jvnet.hudson.test.TestExtension;
+import org.xml.sax.SAXException;
+import javax.annotation.CheckForNull;
+import javax.annotation.Nonnull;
+import java.io.IOException;
+import java.util.Collection;
 import java.util.logging.Level;
 import java.util.logging.LogRecord;
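Review bot: Three of the imports added here, `hudson.Extension`, `org.xml.sax.SAXException` and `java.io.IOException`, are not referenced by any code this patch adds in the visible hunks. The new extensions are registered with `@TestExtension`, and the new test method declares `throws Exception`. Unless code outside the shown hunks needs them, drop those three lines so the import block reflects what the test actually uses.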
@@ -43,6 +52,67 @@ public void jenkins40545() throws Exception {
 assertThat(page.getWebResponse().getContentAsString(), containsString("descriptors found: .")); // No output written from expression
 }
+ @Test @Issue("JENKINS-49044")
+ public void securityRealmAndAuthStrategyHidden() throws Exception {
+ j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
+ j.jenkins.setAuthorizationStrategy(AuthorizationStrategy.UNSECURED);
+ HtmlPage page = j.createWebClient().goTo("configureSecurity");
+ String response = page.getWebResponse().getContentAsString();
+ assertThat(response, not(containsString("TestSecurityRealm")));
+ assertThat(response, not(containsString("TestAuthStrategy")));
+ }
+
+ public static final class TestSecurityRealm extends SecurityRealm {
+
+ @Override
+ public SecurityComponents createSecurityComponents() { return null; }
+
+ @TestExtension
+ public static final class DescriptorImpl extends Descriptor {
+ @Nonnull
+ @Override
+ public String getDisplayName() {
+ return "TestSecurityRealm";
+ }
+ }
+
+ @TestExtension
+ public static final class HideDescriptor extends DescriptorVisibilityFilter {
+ @Override
+ public boolean filter(@CheckForNull Object context, @Nonnull Descriptor descriptor) {
+ return !(descriptor instanceof DescriptorImpl);
+ }
+ }
+ }
+
+ public static final class TestAuthStrategy extends AuthorizationStrategy {
+
+ @Nonnull
+ @Override
+ public ACL getRootACL() { return null; }
+
+ @Nonnull
+ @Override
+ public Collection getGroups() { return null; }
+
+ @TestExtension
+ public static final class DescriptorImpl extends Descriptor {
+ @Nonnull
+ @Override
+ public String getDisplayName() {
+ return "TestAuthStrategy";
+ }
+ }
+
+ @TestExtension
+ public static final class HideDescriptor extends DescriptorVisibilityFilter {
+ @Override
+ public boolean filter(@CheckForNull Object context, @Nonnull Descriptor descriptor) {
+ return !(descriptor instanceof DescriptorImpl);
+ }
+ }
+ }
+
 @TestExtension("jenkins40545") public
static final class Jenkins40545 implements UnprotectedRootAction {