Skip to content
Permalink
Browse files
[JENKINS-31425] multiple submitters are allowed
  • Loading branch information
escoem committed Oct 7, 2016
1 parent 47ea607 commit e2563fbbac634b6c9f64cd00755478064fcdd2bf
@@ -1,5 +1,6 @@
package org.jenkinsci.plugins.workflow.support.steps.input;

import com.google.common.collect.Sets;
import hudson.Extension;
import hudson.Util;
import hudson.model.ParameterDefinition;
@@ -13,7 +14,9 @@
import org.kohsuke.stapler.DataBoundSetter;
import java.io.Serializable;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
* {@link Step} that pauses for human input.
@@ -116,10 +119,13 @@ public boolean canSubmit() {
*/
@Deprecated
public boolean canSettle(Authentication a) {
if (submitter==null || a.getName().equals(submitter))
if (submitter==null)
return true;
final Set<String> submitters = Sets.newHashSet(submitter.split(","));
if (submitters.contains(a.getName()))
return true;
for (GrantedAuthority ga : a.getAuthorities()) {
if (ga.getAuthority().equals(submitter))
if (submitters.contains(ga.getAuthority()))
return true;
}
return false;
@@ -1,5 +1,6 @@
package org.jenkinsci.plugins.workflow.support.steps.input;

import com.google.common.collect.Sets;
import com.google.inject.Inject;
import hudson.FilePath;
import hudson.Util;
@@ -33,6 +34,7 @@
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeoutException;
import java.util.logging.Level;
import java.util.logging.Logger;
@@ -258,13 +260,14 @@ private boolean canSubmit() {
*/
private boolean canSettle(Authentication a) {
String submitter = input.getSubmitter();
if (submitter==null || a.getName().equals(submitter)) {
if (submitter==null)
return true;
final Set<String> submitters = Sets.newHashSet(submitter.split(","));
if (submitters.contains(a.getName()))
return true;
}
for (GrantedAuthority ga : a.getAuthorities()) {
if (ga.getAuthority().equals(submitter)) {
if (submitters.contains(ga.getAuthority()))
return true;
}
}
return false;
}
@@ -1,3 +1,3 @@
<div>
User ID or <em>external</em> group name of person or people permitted to respond to the input.
User IDs and/or <em>external</em> group names of person or people permitted to respond to the input, splitted by ','.
</div>
@@ -145,6 +145,29 @@ public void test_cancel_run_by_input() throws Exception {
runAndAbort(webClient, foo, "charlie", true); // charlie should work coz he has Job.CANCEL privs
}

@Test
@Issue("JENKINS-31425")
public void test_submitters() throws Exception {
JenkinsRule.WebClient webClient = j.createWebClient();
j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
j.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy().
// Only give "alice" basic privs. That's normally not enough to Job.CANCEL, only for the fact that "alice"
// is listed as the submitter.
grant(Jenkins.READ, Job.READ).everywhere().to("alice").
// Only give "bob" basic privs. That's normally not enough to Job.CANCEL, only for the fact that "bob"
// is listed as the submitter.
grant(Jenkins.READ, Job.READ).everywhere().to("bob").
// Give "charlie" basic privs. That's normally not enough to Job.CANCEL, and isn't listed as submiter.
grant(Jenkins.READ, Job.READ).everywhere().to("charlie"));

final WorkflowJob foo = j.jenkins.createProject(WorkflowJob.class, "foo");
foo.setDefinition(new CpsFlowDefinition("input id: 'InputX', message: 'OK?', ok: 'Yes', submitter: 'alice,bob'", true));

runAndAbort(webClient, foo, "alice", true); // alice should work coz she's declared as 'submitter'
runAndAbort(webClient, foo, "bob", true); // bob should work coz he's declared as 'submitter'
runAndAbort(webClient, foo, "charlie", false); // charlie shouldn't work coz he's not declared as 'submitter' and doesn't have Job.CANCEL privs
}

private void runAndAbort(JenkinsRule.WebClient webClient, WorkflowJob foo, String loginAs, boolean expectAbortOk) throws Exception {
// get the build going, and wait until workflow pauses
QueueTaskFuture<WorkflowRun> queueTaskFuture = foo.scheduleBuild2(0);

0 comments on commit e2563fb

Please sign in to comment.