Skip to content
Permalink
Browse files
[JENKINS-42707] AccessDeniedException exception in ReverseBuildTrigger (
#2846)

* [JENKINS-42707] AccessDeniedException vulnerability in ReverseBuildTrigger.

* [JENKINS-42707] Added tests to expose the issue

* [JENKINS-42707] Log message according to permission (DISCOVER/READ)

* [JENKINS-42707] Use MockAuthorizationStrategy

* [JENKINS-42707] Remove internationalization for logger
  • Loading branch information
Dohbedoh authored and oleg-nenashev committed May 5, 2017
1 parent f36917c commit 17eedcfde8043829b247e639ae985ddb97dd0571
@@ -66,6 +66,7 @@
import jenkins.model.Jenkins;
import jenkins.model.ParameterizedJobMixIn;
import jenkins.security.QueueItemAuthenticatorConfiguration;
import org.acegisecurity.AccessDeniedException;
import org.acegisecurity.Authentication;
import org.acegisecurity.context.SecurityContext;
import org.acegisecurity.context.SecurityContextHolder;
@@ -112,29 +113,47 @@ private boolean shouldTrigger(Run upstreamBuild, TaskListener listener) {
if (job == null) {
return false;
}

boolean downstreamVisible = false;
boolean downstreamDiscoverable = false;

// This checks Item.READ also on parent folders; note we are checking as the upstream auth currently:
boolean downstreamVisible = jenkins.getItemByFullName(job.getFullName()) == job;
try {
downstreamVisible = jenkins.getItemByFullName(job.getFullName()) == job;
} catch (AccessDeniedException ex) {
// Fails because of missing Item.READ but upstream user has Item.DISCOVER
downstreamDiscoverable = true;
}

Authentication originalAuth = Jenkins.getAuthentication();
Job upstream = upstreamBuild.getParent();
Authentication auth = Tasks.getAuthenticationOf((Queue.Task) job);
if (auth.equals(ACL.SYSTEM) && !QueueItemAuthenticatorConfiguration.get().getAuthenticators().isEmpty()) {
auth = Jenkins.ANONYMOUS; // cf. BuildTrigger
}

SecurityContext orig = ACL.impersonate(auth);
Item authUpstream = null;
try {
if (jenkins.getItemByFullName(upstream.getFullName()) != upstream) {
if (downstreamVisible) {
// TODO ModelHyperlink
listener.getLogger().println(Messages.ReverseBuildTrigger_running_as_cannot_even_see_for_trigger_f(auth.getName(), upstream.getFullName(), job.getFullName()));
} else {
LOGGER.log(Level.WARNING, "Running as {0} cannot even see {1} for trigger from {2} (but cannot tell {3} that)", new Object[] {auth.getName(), upstream, job, originalAuth.getName()});
}
return false;
}
authUpstream = jenkins.getItemByFullName(upstream.getFullName());
// No need to check Item.BUILD on downstream, because the downstream project’s configurer has asked for this.
} catch (AccessDeniedException ade) {
// Fails because of missing Item.READ but downstream user has Item.DISCOVER
} finally {
SecurityContextHolder.setContext(orig);
}

if(authUpstream != upstream) {
if (downstreamVisible) {
// TODO ModelHyperlink
listener.getLogger().println(Messages.ReverseBuildTrigger_running_as_cannot_even_see_for_trigger_f(auth.getName(),
upstream.getFullName(), job.getFullName()));
} else {
LOGGER.log(Level.WARNING, "Running as {0} cannot even {1} {2} for trigger from {3}, (but cannot tell {4} that)",
new Object [] { auth.getName(), downstreamDiscoverable ? "READ" : "DISCOVER", upstream, job, originalAuth.getName()});
}
return false;
}
Result result = upstreamBuild.getResult();
return result != null && result.isBetterOrEqualTo(threshold);
}
@@ -202,7 +221,7 @@ public FormValidation doCheckUpstreamProjects(@AncestorInPath Job project, @Quer
}

@Extension public static final class RunListenerImpl extends RunListener<Run> {

static RunListenerImpl get() {
return ExtensionList.lookup(RunListener.class).get(RunListenerImpl.class);
}
@@ -33,19 +33,13 @@
import hudson.model.Result;
import hudson.model.Run;
import hudson.model.User;
import hudson.security.AuthorizationMatrixProperty;
import hudson.security.Permission;
import hudson.security.ProjectMatrixAuthorizationStrategy;
import hudson.tasks.BuildTrigger;
import hudson.tasks.BuildTriggerTest;
import hudson.triggers.Trigger;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import jenkins.model.Jenkins;
import jenkins.security.QueueItemAuthenticatorConfiguration;
import org.acegisecurity.Authentication;
@@ -58,6 +52,7 @@
import org.junit.Test;
import org.jvnet.hudson.test.Issue;
import org.jvnet.hudson.test.JenkinsRule;
import org.jvnet.hudson.test.MockAuthorizationStrategy;
import org.jvnet.hudson.test.MockQueueItemAuthenticator;

public class ReverseBuildTriggerTest {
@@ -85,23 +80,17 @@
/** @see BuildTriggerTest#testDownstreamProjectSecurity */
@Test public void upstreamProjectSecurity() throws Exception {
r.jenkins.setSecurityRealm(r.createDummySecurityRealm());
ProjectMatrixAuthorizationStrategy auth = new ProjectMatrixAuthorizationStrategy();
auth.add(Jenkins.READ, "alice");
auth.add(Computer.BUILD, "alice");
auth.add(Jenkins.ADMINISTER, "admin");
auth.add(Jenkins.READ, "bob");
auth.add(Computer.BUILD, "bob");
MockAuthorizationStrategy auth = new MockAuthorizationStrategy()
.grant(Jenkins.READ).everywhere().to("alice", "bob")
.grant(Computer.BUILD).everywhere().to("alice", "bob")
.grant(Jenkins.ADMINISTER).everywhere().to("admin");
r.jenkins.setAuthorizationStrategy(auth);
String upstreamName = "upstr3@m"; // do not clash with English messages!
final FreeStyleProject upstream = r.createFreeStyleProject(upstreamName);
String downstreamName = "d0wnstr3am";
FreeStyleProject downstream = r.createFreeStyleProject(downstreamName);
Map<Permission,Set<String>> perms = new HashMap<Permission,Set<String>>();
perms.put(Item.READ, Collections.singleton("alice"));
downstream.addProperty(new AuthorizationMatrixProperty(perms));
perms = new HashMap<Permission,Set<String>>();
perms.put(Item.READ, Collections.singleton("bob"));
upstream.addProperty(new AuthorizationMatrixProperty(perms));
auth.grant(Item.READ).onItems(downstream).to("alice")
.grant(Item.READ).onItems(upstream).to("bob");
@SuppressWarnings("rawtypes") Trigger<Job> t = new ReverseBuildTrigger(upstreamName, Result.SUCCESS);
downstream.addTrigger(t);
t.start(downstream, true); // as in AbstractProject.submit
@@ -129,10 +118,7 @@
r.waitUntilNoActivity();
assertEquals(1, downstream.getLastBuild().number);
// Alice can see upstream, so downstream gets built, but the upstream build cannot see downstream:
perms = new HashMap<Permission,Set<String>>();
perms.put(Item.READ, new HashSet<String>(Arrays.asList("alice", "bob")));
upstream.removeProperty(AuthorizationMatrixProperty.class);
upstream.addProperty(new AuthorizationMatrixProperty(perms));
auth.grant(Item.READ).onItems(upstream).to("alice", "bob");
Map<String,Authentication> qiaConfig = new HashMap<String,Authentication>();
qiaConfig.put(upstreamName, User.get("bob").impersonate());
qiaConfig.put(downstreamName, User.get("alice").impersonate());
@@ -152,6 +138,37 @@
r.waitUntilNoActivity();
assertEquals(3, downstream.getLastBuild().number);
assertEquals(new Cause.UpstreamCause((Run) b), downstream.getLastBuild().getCause(Cause.UpstreamCause.class));

// Alice can only DISCOVER upstream, so downstream does not get built, but the upstream build cannot DISCOVER downstream
auth = new MockAuthorizationStrategy()
.grant(Jenkins.READ).everywhere().to("alice", "bob")
.grant(Computer.BUILD).everywhere().to("alice", "bob")
.grant(Jenkins.ADMINISTER).everywhere().to("admin")
.grant(Item.READ).onItems(upstream).to("bob")
.grant(Item.DISCOVER).onItems(upstream).to("alice");
r.jenkins.setAuthorizationStrategy(auth);
auth.grant(Item.READ).onItems(downstream).to("alice");
qiaConfig = new HashMap<String,Authentication>();
qiaConfig.put(upstreamName, User.get("bob").impersonate());
qiaConfig.put(downstreamName, User.get("alice").impersonate());
QueueItemAuthenticatorConfiguration.get().getAuthenticators().replace(new MockQueueItemAuthenticator(qiaConfig));
b = r.buildAndAssertSuccess(upstream);
r.assertLogNotContains(downstreamName, b);
r.waitUntilNoActivity();
assertEquals(3, downstream.getLastBuild().number);

// A QIA is configured but does not specify any authentication for downstream, anonymous can only DISCOVER upstream
// so no message is printed about it, and no Exception neither (JENKINS-42707)
auth.grant(Item.READ).onItems(upstream).to("bob");
auth.grant(Item.DISCOVER).onItems(upstream).to("anonymous");
qiaConfig = new HashMap<String,Authentication>();
qiaConfig.put(upstreamName, User.get("bob").impersonate());
QueueItemAuthenticatorConfiguration.get().getAuthenticators().replace(new MockQueueItemAuthenticator(qiaConfig));
b = r.buildAndAssertSuccess(upstream);
r.assertLogNotContains(downstreamName, b);
r.assertLogNotContains("Please login to access job " + upstreamName, b);
r.waitUntilNoActivity();
assertEquals(3, downstream.getLastBuild().number);
}

@Issue("JENKINS-29876")

0 comments on commit 17eedcf

Please sign in to comment.