Skip to content
Permalink
Browse files

moved remaining checks from JobDslWhitelist to JenkinsJobManagement

  • Loading branch information...
daspilker committed Mar 31, 2017
1 parent 23dfd1c commit 1f1cff83ad4ba0a21bfed7bc059df4b31c681b8f
@@ -21,9 +21,9 @@ import javaposse.jobdsl.dsl.ExtensibleContext
@ThreadInterrupt
class InterruptibleJobManagement implements JobManagement {
// can't use @Delegate because @ThreadInterrupt is evaluated before @Delegate
final JenkinsJobManagement delegate
private final JobManagement delegate

InterruptibleJobManagement(JenkinsJobManagement delegate) {
InterruptibleJobManagement(JobManagement delegate) {
this.delegate = delegate
}

@@ -27,6 +27,7 @@ protected void extractGeneratedItems(GeneratedItems generatedItems, JenkinsJobPa
for (Object o : jobParent.getReferencedConfigs()) {
Config config = (Config) o;
if (!(scriptRequest.getIgnoreExisting() && globalConfigFiles.getById(config.id) != null)) {
Jenkins.getActiveInstance().checkPermission(Jenkins.ADMINISTER);
globalConfigFiles.save(config);
}
generatedItems.getConfigFiles().add(new GeneratedConfigFile(config.id, config.name));
@@ -80,8 +80,8 @@
private final Map<String, ?> envVars;
private final Run<?, ?> run;
private final FilePath workspace;
final Item project;
final LookupStrategy lookupStrategy;
private final Item project;
private final LookupStrategy lookupStrategy;
private final Map<javaposse.jobdsl.dsl.Item, DslEnvironment> environments =
new HashMap<javaposse.jobdsl.dsl.Item, DslEnvironment>();
private boolean failOnMissingPlugin;
@@ -164,6 +164,7 @@ public void createOrUpdateView(String path, String config, boolean ignoreExistin
View view = ((ViewGroup) parent).getView(viewBaseName);
if (view == null) {
if (parent instanceof ModifiableViewGroup) {
((ModifiableViewGroup) parent).checkPermission(View.CREATE);
((ModifiableViewGroup) parent).addView(createViewFromXML(viewBaseName, inputStream));
} else {
LOGGER.log(Level.WARNING, format("Could not create view within %s", parent.getClass()));
@@ -190,6 +191,7 @@ public void createOrUpdateView(String path, String config, boolean ignoreExistin
@Deprecated
public String createOrUpdateConfigFile(ConfigFile configFile, boolean ignoreExisting) {
validateNameArg(configFile.getName());
Jenkins.getActiveInstance().checkPermission(Jenkins.ADMINISTER);

Jenkins jenkins = Jenkins.getInstance();

@@ -261,12 +263,14 @@ public void queueJob(String path) throws NameNotProvidedException {

@Override
public InputStream streamFileInWorkspace(String relLocation) throws IOException, InterruptedException {
project.checkPermission(Item.WORKSPACE);
FilePath filePath = locateValidFileInWorkspace(workspace, relLocation);
return filePath.read();
}

@Override
public String readFileInWorkspace(String relLocation) throws IOException, InterruptedException {
project.checkPermission(Item.WORKSPACE);
FilePath filePath = locateValidFileInWorkspace(workspace, relLocation);
return filePath.readToString();
}
@@ -1,82 +1,16 @@
package javaposse.jobdsl.plugin

import hudson.model.Item
import hudson.model.ItemGroup
import hudson.model.View
import hudson.model.ViewGroup
import hudson.security.AccessControlled
import javaposse.jobdsl.dsl.ConfigFile
import javaposse.jobdsl.dsl.Context
import javaposse.jobdsl.dsl.DslFactory
import javaposse.jobdsl.dsl.JobManagement
import javaposse.jobdsl.dsl.ViewFactory
import jenkins.model.Jenkins
import org.apache.commons.io.FilenameUtils
import org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.AbstractWhitelist

import java.lang.reflect.Method

/**
* Allows methods defined in {@link Context}.
* The exception is top-level methods until the right permission checks have been made.
* @see org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.AclAwareWhitelist
*/
class JobDslWhitelist extends AbstractWhitelist {
private final JenkinsJobManagement jobManagement

JobDslWhitelist(JobManagement jobManagement) {
if (jobManagement instanceof InterruptibleJobManagement) {
this.jobManagement = ((InterruptibleJobManagement) jobManagement).delegate
} else if (jobManagement instanceof JenkinsJobManagement) {
this.jobManagement = (JenkinsJobManagement) jobManagement
} else {
throw new IllegalArgumentException("jobManagement must be an instance of ${JenkinsJobManagement.name}")
}
}

@Override
boolean permitsMethod(Method method, Object receiver, Object[] args) {
Class<?> declaringClass = method.declaringClass
if (!Context.isAssignableFrom(declaringClass)) {
return false
} else if (declaringClass == ViewFactory) {
ItemGroup parent = jobManagement.lookupStrategy.getParent(jobManagement.project, (String) args[0])
if (parent instanceof ViewGroup) {
View view = ((ViewGroup) parent).getView(FilenameUtils.getName((String) args[0]))
if (view == null) {
((ViewGroup) parent).checkPermission(View.CREATE)
} else {
view.checkPermission(View.CONFIGURE)
}
} else {
// Not sure what we got; safest to restrict to admins.
Jenkins.activeInstance.checkPermission(Jenkins.ADMINISTER)
}
return true
} else if (declaringClass == DslFactory) {
Class<?> returnType = method.returnType
if (javaposse.jobdsl.dsl.Item.isAssignableFrom(returnType)) {
Item existing = jobManagement.lookupStrategy.getItem(jobManagement.project, (String) args[0], Item)
if (existing != null) {
existing.checkPermission(Item.CONFIGURE)
} else {
ItemGroup parent = jobManagement.lookupStrategy.getParent(jobManagement.project, (String) args[0])
if (parent instanceof AccessControlled) {
((AccessControlled) parent).checkPermission(Item.CREATE)
} else {
// Not sure what we got; safest to restrict to admins.
Jenkins.activeInstance.checkPermission(Jenkins.ADMINISTER)
}
}
return true
} else if (ConfigFile.isAssignableFrom(returnType)) {
Jenkins.activeInstance.checkPermission(Jenkins.ADMINISTER)
return true
} else {
return true // need to do per-method access control checks in JenkinsJobManagement
}
} else { // internal DSL method which on its own does nothing
return true
}
Context.isAssignableFrom(method.declaringClass)
}
}
@@ -40,7 +40,7 @@ class SandboxDslScriptLoader extends SecureDslScriptLoader {
}

try {
GroovySandbox.run(script, new ProxyWhitelist(Whitelist.all(), new JobDslWhitelist(jobManagement)))
GroovySandbox.run(script, new ProxyWhitelist(Whitelist.all(), new JobDslWhitelist()))
} catch (RejectedAccessException e) {
ScriptApproval.get().accessRejected(e, ApprovalContext.create().withItem(seedJob))
throw new DslException(e.message, e)

0 comments on commit 1f1cff8

Please sign in to comment.
You can’t perform that action at this time.