Skip to content
Permalink
Browse files
[FIXED JENKINS-39402] Cap the number of group headers printed by Acce…
…ssDeniedException2.

(cherry picked from commit d6f7e41)
  • Loading branch information
jglick authored and olivergondza committed Feb 15, 2017
1 parent da2f57c commit cf78e48b446f34379e2a988d086693e5ca53e251
Showing with 84 additions and 2 deletions.
  1. +11 −2 core/src/main/java/hudson/security/AccessDeniedException2.java
  2. +73 −0 test/src/test/java/hudson/security/AccessDeniedException2Test.java
@@ -12,6 +12,9 @@
* @author Kohsuke Kawaguchi
*/
public class AccessDeniedException2 extends AccessDeniedException {

private static final int MAX_REPORTED_AUTHORITIES = 10;

/**
* This object represents the user being authenticated.
*/
@@ -38,8 +41,14 @@ public AccessDeniedException2(Throwable t, Authentication authentication, Permis
*/
public void reportAsHeaders(HttpServletResponse rsp) {
rsp.addHeader("X-You-Are-Authenticated-As",authentication.getName());
for (GrantedAuthority auth : authentication.getAuthorities()) {
rsp.addHeader("X-You-Are-In-Group",auth.getAuthority());
GrantedAuthority[] authorities = authentication.getAuthorities();
for (int i = 0; i < authorities.length; i++) {
if (i == MAX_REPORTED_AUTHORITIES) {
rsp.addHeader("X-You-Are-In-Group", "<" + (authorities.length - i) + " more>");
break;
} else {
rsp.addHeader("X-You-Are-In-Group", authorities[i].getAuthority());
}
}
rsp.addHeader("X-Required-Permission", permission.getId());
for (Permission p=permission.impliedBy; p!=null; p=p.impliedBy) {
@@ -0,0 +1,73 @@
/*
* The MIT License
*
* Copyright 2017 CloudBees, Inc.
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/

package hudson.security;

import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
import com.gargoylesoftware.htmlunit.util.NameValuePair;
import java.net.HttpURLConnection;
import java.util.ArrayList;
import java.util.List;
import org.hamcrest.Matchers;
import static org.junit.Assert.*;
import org.junit.Rule;
import org.junit.Test;
import org.jvnet.hudson.test.Issue;
import org.jvnet.hudson.test.JenkinsRule;
import org.jvnet.hudson.test.MockAuthorizationStrategy;

public class AccessDeniedException2Test {

@Rule
public JenkinsRule r = new JenkinsRule();

@Issue("JENKINS-39402")
@Test
public void youAreInGroupHeaders() throws Exception {
JenkinsRule.DummySecurityRealm realm = r.createDummySecurityRealm();
String[] groups = new String[1000];
for (int i = 0; i < groups.length; i++) {
groups[i] = "group" + i;
}
realm.addGroups("user", groups);
r.jenkins.setSecurityRealm(realm);
r.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy());
try {
r.createWebClient().login("user").goTo("confgure");
fail("should not have been allowed to access anything");
} catch (FailingHttpStatusCodeException x) {
assertEquals(HttpURLConnection.HTTP_FORBIDDEN, x.getStatusCode());
List<String> reportedGroups = new ArrayList<>();
for (NameValuePair header : x.getResponse().getResponseHeaders()) {
if (header.getName().equals("X-You-Are-In-Group")) {
reportedGroups.add(header.getValue());
}
}
assertThat("capped at a reasonable number", reportedGroups, Matchers.<List<String>>allOf(
Matchers.<String>hasSize(11), // 10 groups plus final warning
Matchers.<String>hasItem("<991 more>"))); // 1000 + SecurityRealm.AUTHENTICATED_AUTHORITY.getAuthority() - 10
}
}

}

0 comments on commit cf78e48

Please sign in to comment.