[JENKINS-50324] User without READ cannot logout - or even ask who the…

…y are (cherry picked from commit b5ed977)
jenkinsci · Apr 19, 2018 · 8a2f986 · 8a2f986
1 parent 5e8cd50
commit 8a2f986
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 1 deletion.
diff --git a/core/src/main/java/hudson/cli/CLICommand.java b/core/src/main/java/hudson/cli/CLICommand.java
@@ -275,7 +275,7 @@ public int main(List<String> args, Locale locale, InputStream stdin, PrintStream
             if (auth==Jenkins.ANONYMOUS)
                 auth = loadStoredAuthentication();
             sc.setAuthentication(auth); // run the CLI with the right credential
-            if (!(this instanceof LoginCommand || this instanceof HelpCommand))
+            if (!(this instanceof LoginCommand || this instanceof LogoutCommand || this instanceof HelpCommand || this instanceof WhoAmICommand))
                 Jenkins.getActiveInstance().checkPermission(Jenkins.READ);
             return run();
         } catch (CmdLineException e) {

diff --git a/test/src/test/java/hudson/cli/CLIActionTest.java b/test/src/test/java/hudson/cli/CLIActionTest.java
@@ -295,6 +295,32 @@ public void noPreAuthOptionHandlerInfoLeak() throws Exception {
         assertExitCode(6, false, jar, "get-view", "v2"); // Error code 3 before SECURITY-754
     }
 
+    @Test
+    @Issue("JENKINS-50324")
+    public void userWithoutReadCanLogout() throws Exception {
+        String userWithRead = "userWithRead";
+        String userWithoutRead = "userWithoutRead";
+
+        File jar = tmp.newFile("jenkins-cli.jar");
+        FileUtils.copyURLToFile(j.jenkins.getJnlpJars("jenkins-cli.jar").getURL(), jar);
+        j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
+        j.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy()
+                .grant(Jenkins.ADMINISTER).everywhere().to(ADMIN)
+                .grant(Jenkins.READ).everywhere().to(userWithRead)
+                // nothing to userWithoutRead
+        );
+
+        checkCanLogout(jar, ADMIN);
+        checkCanLogout(jar, userWithRead);
+        checkCanLogout(jar, userWithoutRead);
+    }
+
+    private void checkCanLogout(File cliJar, String userLoginAndPassword) throws Exception {
+        assertExitCode(0, false, cliJar, "-remoting", "login", "--username", userLoginAndPassword, "--password", userLoginAndPassword);
+        assertExitCode(0, false, cliJar, "-remoting", "who-am-i");
+        assertExitCode(0, false, cliJar, "-remoting", "logout");
+    }
+
     @TestExtension("encodingAndLocale")
     public static class TestDiagnosticCommand extends CLICommand {