Merge pull request #6 from escoem/JENKINS-31425
[JENKINS-31425] should be able to specify multiple users or groups for the submitter of an input step
jglick committed Oct 24, 2016
2 parents 114a36b + cb5cca7 commit 01c72d7b53c857e0fa7de796a7fefce35260c4fc
@@ -1,2 +1,4 @@
target
work
*.iml
.idea
@@ -1,5 +1,6 @@
package org.jenkinsci.plugins.workflow.support.steps.input;

import com.google.common.collect.Sets;
import hudson.Extension;
import hudson.Util;
import hudson.model.ParameterDefinition;
@@ -13,7 +14,9 @@
import org.kohsuke.stapler.DataBoundSetter;
import java.io.Serializable;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
* {@link Step} that pauses for human input.
@@ -116,10 +119,13 @@ public boolean canSubmit() {
*/
@Deprecated
public boolean canSettle(Authentication a) {
if (submitter==null || a.getName().equals(submitter))
if (submitter==null)
return true;
final Set<String> submitters = Sets.newHashSet(submitter.split(","));
if (submitters.contains(a.getName()))
return true;
for (GrantedAuthority ga : a.getAuthorities()) {
if (ga.getAuthority().equals(submitter))
if (submitters.contains(ga.getAuthority()))
return true;
}
return false;
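Review bot: `submitter.split(",")` in `canSettle` keeps each entry untrimmed, so a value such as "alice, bob" produces " bob" and that principal is silently denied; the help text in this commit documents the limitation instead of removing it. Trimming and dropping empty entries while the set is built would close that gap, e.g. `for (String s : submitter.split(",")) { s = s.trim(); if (!s.isEmpty()) submitters.add(s); }`. Separately, an already-configured single submitter whose user ID or group name contains a comma is now broken into fragments, and each fragment is matched on its own against `a.getName()` and every `ga.getAuthority()`, so the change notes should state that such values change meaning on upgrade. The same lines appear in `InputStepExecution.canSettle`; the Javadoc and closing brace of this method lie outside the hunk.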
@@ -1,5 +1,6 @@
package org.jenkinsci.plugins.workflow.support.steps.input;

import com.google.common.collect.Sets;
import com.google.inject.Inject;
import hudson.FilePath;
import hudson.Util;
@@ -33,6 +34,7 @@
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeoutException;
import java.util.logging.Level;
import java.util.logging.Logger;
@@ -258,13 +260,14 @@ private boolean canSubmit() {
*/
private boolean canSettle(Authentication a) {
String submitter = input.getSubmitter();
if (submitter==null || a.getName().equals(submitter)) {
if (submitter==null)
return true;
final Set<String> submitters = Sets.newHashSet(submitter.split(","));
if (submitters.contains(a.getName()))
return true;
}
for (GrantedAuthority ga : a.getAuthorities()) {
if (ga.getAuthority().equals(submitter)) {
if (submitters.contains(ga.getAuthority()))
return true;
}
}
return false;
}
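Review bot: The list parsing in this `canSettle` is a line-for-line copy of the one in the deprecated `InputStep.canSettle`, so a later correction to one authorization check (trimming, empty entries) can easily miss the other. Since `input` is already at hand here, parse the list once on the step and have both checks use the result in place of `input.getSubmitter()` followed by `split`. A comment above the split would also help the next reader: `// one list for both user IDs and authority names; an entry matches either`.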
@@ -1,3 +1,4 @@
<div>
User ID or <em>external</em> group name of person or people permitted to respond to the input.
User IDs and/or <em>external</em> group names of person or people permitted to respond to the input, separated by ','.
If you configure "alice, bob", will match with "alice" but not with "bob". You need to remove all the white spaces.
</div>
@@ -128,12 +128,9 @@ public void test_cancel_run_by_input() throws Exception {
JenkinsRule.WebClient webClient = j.createWebClient();
j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
j.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy().
// Only give "alice" basic privs. That's normally not enough to Job.CANCEL, only for the fact that "alice"
// is listed as the submitter.
grant(Jenkins.READ, Job.READ).everywhere().to("alice").
// Only give "bob" basic privs. That's normally not enough to Job.CANCEL and "bob" is not the submitter,
// so they should be rejected.
grant(Jenkins.READ, Job.READ).everywhere().to("bob").
// Only give "alice" and "bob" basic privs. That's normally not enough to Job.CANCEL, only for the fact that "alice"
// and "bob" are listed as the submitter.
grant(Jenkins.READ, Job.READ).everywhere().to("alice", "bob").
// Give "charlie" basic privs + Job.CANCEL. That should allow user3 cancel.
grant(Jenkins.READ, Job.READ, Job.CANCEL).everywhere().to("charlie"));

@@ -145,6 +142,29 @@ public void test_cancel_run_by_input() throws Exception {
runAndAbort(webClient, foo, "charlie", true); // charlie should work coz he has Job.CANCEL privs
}

@Test
@Issue("JENKINS-31425")
public void test_submitters() throws Exception {
JenkinsRule.WebClient webClient = j.createWebClient();
j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
j.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy().
// Only give "alice" basic privs. That's normally not enough to Job.CANCEL, only for the fact that "alice"
// is listed as the submitter.
grant(Jenkins.READ, Job.READ).everywhere().to("alice").
// Only give "bob" basic privs. That's normally not enough to Job.CANCEL, only for the fact that "bob"
// is listed as the submitter.
grant(Jenkins.READ, Job.READ).everywhere().to("bob").
// Give "charlie" basic privs. That's normally not enough to Job.CANCEL, and isn't listed as submiter.
grant(Jenkins.READ, Job.READ).everywhere().to("charlie"));

final WorkflowJob foo = j.jenkins.createProject(WorkflowJob.class, "foo");
foo.setDefinition(new CpsFlowDefinition("input id: 'InputX', message: 'OK?', ok: 'Yes', submitter: 'alice,bob'", true));

runAndAbort(webClient, foo, "alice", true); // alice should work coz she's declared as 'submitter'
runAndAbort(webClient, foo, "bob", true); // bob should work coz he's declared as 'submitter'
runAndAbort(webClient, foo, "charlie", false); // charlie shouldn't work coz he's not declared as 'submitter' and doesn't have Job.CANCEL privs
}

private void runAndAbort(JenkinsRule.WebClient webClient, WorkflowJob foo, String loginAs, boolean expectAbortOk) throws Exception {
// get the build going, and wait until workflow pauses
QueueTaskFuture<WorkflowRun> queueTaskFuture = foo.scheduleBuild2(0);
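Review bot: `test_submitters` exercises only user IDs, while the changed `canSettle` also compares the list with `ga.getAuthority()`; add a case where a listed entry is a group the user holds and one where the user holds only an unlisted group, so the deny path for authorities is pinned. A case with `submitter: 'alice, bob'` would also fix in a test the whitespace behaviour that the help text describes. In `test_cancel_run_by_input` the reworded comment says "alice" and "bob" are both listed as the submitter, but that test's pipeline definition and assertions are outside the hunk, so confirm the comment still matches what the test asserts. `runAndAbort` continues past the end of the hunk.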
