[SECURITY-201] - ParameterizedDependency graph should consult with BU…
…ILD permissions
oleg-nenashev committed Jun 9, 2017
1 parent 2759f6c commit 2c6d1d0
Showing 2 changed files with 38 additions and 7 deletions.
Expand Up @@ -532,13 +532,8 @@ protected Future schedule(AbstractBuild<?, ?> build, final Job project, int quie

// We check the user permissions.
// QueueItemAuthenticator should provide the user if it is configured correctly.
if (!project.hasPermission(Item.BUILD)) {
//TODO: It would be also great to print it to the build log, but there is no TaskListener
if (LOGGER.isLoggable(Level.WARNING)) {
LOGGER.log(Level.WARNING, "Cannot schedule the build of {0} from {1}. "
+ "The authenticated build user {2} has no Item.BUILD permission",
new Object[] {project, build, Jenkins.getAuthentication()});
}
//TODO: It would be also great to print it to the build log, but there is no TaskListener
if (!canTriggerProject(build, project, null)) {
return null;
}

Expand All @@ -549,6 +544,38 @@ protected Future schedule(AbstractBuild<?, ?> build, final Job project, int quie
return null;
}

/**
* Checks if the build can trigger a project.
* @param build Build, which is about to trigger the project
* @param job Job to be triggered
* @param taskListener Optional task listener
* @return {@code true} if the project can be scheduled.
* {@code false} if there is a lack of permissions, details will be printed to the logs then.
*/
/*package*/ static boolean canTriggerProject(@Nonnull AbstractBuild<?, ?> build,
@Nonnull final Job job, @CheckForNull TaskListener taskListener) {
if (!job.hasPermission(Item.BUILD)) {
//TODO: It would be also great to print it to the build log, but there is no TaskListener
String message = null;
if (LOGGER.isLoggable(Level.WARNING) || taskListener != null) {
message = String.format("Cannot schedule the build of %s from %s. "
+ "The authenticated build user %s has no Item.BUILD permission",
job, build, Jenkins.getAuthentication());
}

if (message != null) {
LOGGER.log(Level.WARNING, message);
}

if (taskListener != null) {
taskListener.error(message);
}

return false;
}
return true;
}

/**
* Checks if the project is buildable.
* The method also takes the security implications from {@link QueueItemAuthenticator} into account.
Expand Down
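Review bot: The TODO kept at the top of the permission-denied branch in canTriggerProject (`//TODO: It would be also great to print it to the build log, but there is no TaskListener`) is now stale, because the method takes a TaskListener and writes the message to it when one is given; drop it here, while the copy at the schedule() call site, which still passes null, stays accurate. The `isLoggable(WARNING) || taskListener != null` guard also no longer saves the formatting cost it was meant to: whenever a listener is present the message is formatted anyway and `LOGGER.log` is then invoked regardless of level, so the denied path can format once and feed both sinks, which removes the nullable `message` local and the second `if`. The message interpolates the whole `Jenkins.getAuthentication()` object; if only the principal is meant, `getName()` keeps the log and console line short (the token's toString may be verbose, worth confirming against the Authentication implementation in use). The Javadoc `@return` should also say the details go to the logger and, when a listener is supplied, to the build log.
```java
/*package*/ static boolean canTriggerProject(@Nonnull AbstractBuild<?, ?> build,
        @Nonnull final Job job, @CheckForNull TaskListener taskListener) {
    if (!job.hasPermission(Item.BUILD)) {
        // Failure path only, so formatting unconditionally costs nothing in the common case.
        String message = String.format("Cannot schedule the build of %s from %s. "
                + "The authenticated build user %s has no Item.BUILD permission",
                job, build, Jenkins.getAuthentication().getName());
        LOGGER.log(Level.WARNING, message);
        if (taskListener != null) {
            taskListener.error(message);
        }
        return false;
    }
    // … unchanged: return true …
```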
Expand Up @@ -54,6 +54,10 @@ public boolean shouldTriggerBuild(AbstractBuild build, TaskListener listener, Li
if (!config.getCondition().isMet(build.getResult())){
return false;
}

if (!BuildTriggerConfig.canTriggerProject(build, getDownstreamProject(), listener)) {
return false;
}
try {
List<Action> actionList = config.getBaseActions(build, listener);
if (!actionList.isEmpty()) {
Expand Down
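Review bot: The new check passes `getDownstreamProject()` straight into a parameter annotated `@Nonnull`; if that accessor can return null when the configured project name no longer resolves (I cannot tell from this hunk), `job.hasPermission` would throw a NullPointerException from inside shouldTriggerBuild instead of returning a clean false. A local guard keeps that explicit: `Job downstream = getDownstreamProject();` followed by `if (downstream == null || !BuildTriggerConfig.canTriggerProject(build, downstream, listener)) return false;`. Placing the permission check after the result-condition test is sensible, since a build that does not meet the trigger condition then produces no spurious permission warning in its log. shouldTriggerBuild starts before this hunk and continues past it.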
