
JENKINS-41657 allow filling of credential ids outside of the context …

…of a job, only when ADMINISTER permission is granted
mryan43 authored and Manuel Ryan committed Feb 23, 2017
1 parent 47cc6e0 commit a56bf2d4c4961a0d66bc00e5b1fc637bd6ed12f7
@@ -1056,14 +1056,20 @@ public boolean configure(StaplerRequest req, JSONObject json) throws FormExcepti
}

public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Job<?,?> owner, @QueryParameter String source) {
if (owner == null || !owner.hasPermission(Item.EXTENDED_READ)) {
if (!hasAccessToCredentialsMetadata(owner)) {
return new ListBoxModel();
}
return new StandardUsernameListBoxModel()
.withEmptySelection()
.withAll(availableCredentials(owner, new EnvVars( ).expand( source )));
}

private boolean hasAccessToCredentialsMetadata(Job<?,?> owner) {
if (owner == null){
return Jenkins.getActiveInstance().hasPermission(Jenkins.ADMINISTER);
}
return owner.hasPermission(Item.EXTENDED_READ);
}
}

private static final long serialVersionUID = 1L;
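Review bot: `hasAccessToCredentialsMetadata` is the whole access rule for listing credential names, yet it has no comment explaining why a request with no job in its path falls back to `Jenkins.ADMINISTER`. I would add a Javadoc such as `/** Whether the caller may list credential names: EXTENDED_READ on the owning job, or ADMINISTER on Jenkins when the request has no job context. */` so that a later edit does not loosen the null branch by accident. The same helper is copied into the `SCMSourceOwner` descriptor in the next file section with only the parameter type changed; the same comment applies there, and a single shared helper would keep the two checks from drifting apart. The enclosing descriptor class starts outside this hunk.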
@@ -230,14 +230,21 @@ public long lastModified() {
}

public ListBoxModel doFillCredentialsIdItems(@AncestorInPath SCMSourceOwner owner, @QueryParameter String source) {
if (owner == null || !owner.hasPermission(Item.EXTENDED_READ)) {
if (!hasAccessToCredentialsMetadata(owner)) {
return new ListBoxModel();
}
return new StandardUsernameListBoxModel()
.withEmptySelection()
.withAll(availableCredentials(owner, source));
}

private boolean hasAccessToCredentialsMetadata(SCMSourceOwner owner){
if (owner == null){
return Jenkins.getActiveInstance().hasPermission(Jenkins.ADMINISTER);
}
return owner.hasPermission(Item.EXTENDED_READ);
}

public FormValidation doCheckBranchPattern(@QueryParameter String value) {
try {
Pattern.compile(value);
@@ -49,6 +49,7 @@
import org.junit.Rule;
import org.jvnet.hudson.test.Issue;
import org.jvnet.hudson.test.JenkinsRule;
import org.jvnet.hudson.test.MockAuthorizationStrategy;

public class ConfigurationTest {

@@ -91,6 +92,17 @@
assertFalse(scm.isDisableChangeLog());
}

@Test public void doFillCredentialsIdItemsWithoutJobWhenAdmin() throws Exception {
r.jenkins.setSecurityRealm(r.createDummySecurityRealm());
MockAuthorizationStrategy as = new MockAuthorizationStrategy();
// This AuthorizationStrategy has the ADMINISTER permission granted by default
r.jenkins.setAuthorizationStrategy(as);
UsernamePasswordCredentialsImpl c = new UsernamePasswordCredentialsImpl(CredentialsScope.GLOBAL, null, "test", "bob", "s3cr3t");
CredentialsProvider.lookupStores(r.jenkins).iterator().next().addCredentials(Domain.global(), c);
ListBoxModel options = r.jenkins.getDescriptorByType(MercurialSCM.DescriptorImpl.class).doFillCredentialsIdItems(null, "http://nowhere.net/");
assertEquals(CredentialsNameProvider.name(c), options.get(1).name);
}

@Issue("SECURITY-158")
@Test public void doFillCredentialsIdItems() throws Exception {
r.jenkins.setSecurityRealm(r.createDummySecurityRealm());
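Review bot: The new test `doFillCredentialsIdItemsWithoutJobWhenAdmin` only covers the permitted path; nothing here asserts that a caller without `Jenkins.ADMINISTER` and with a null owner gets an empty list, which is the behaviour the new permission check exists to guarantee. The test also never impersonates a user, so it probably passes because the test thread runs with the system identity rather than because of any grant in `MockAuthorizationStrategy`; the inline comment about ADMINISTER being granted by default should be verified and reworded. The `@Issue("SECURITY-158")` test that follows continues outside the hunk, so I cannot see whether it covers the null-owner denial, and the `SCMSourceOwner` variant of the check is not exercised in the visible lines. A negative test along these lines would pin the rule down.

```java
@Test public void doFillCredentialsIdItemsWithoutJobWhenNotAdmin() throws Exception {
    r.jenkins.setSecurityRealm(r.createDummySecurityRealm());
    // "alice" is a constructed sample user with read access only, no ADMINISTER
    r.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy().grant(Jenkins.READ).everywhere().to("alice"));
    // … unchanged: create credential c and add it to the global domain …
    SecurityContext previous = ACL.impersonate(User.get("alice").impersonate());
    try {
        ListBoxModel options = r.jenkins.getDescriptorByType(MercurialSCM.DescriptorImpl.class).doFillCredentialsIdItems(null, "http://nowhere.net/");
        // No job context and no ADMINISTER: no credential names may be disclosed
        assertEquals(0, options.size());
    } finally {
        SecurityContextHolder.setContext(previous);
    }
}
```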
