

SECURITY-2793
snps-schatti committed Feb 1, 2023
1 parent 08343b5 commit 7f90aed
Showing 6 changed files with 229 additions and 150 deletions.
Expand Up @@ -7,15 +7,9 @@
*/
package com.synopsys.integration.jenkins.coverity;

import java.io.IOException;
import java.io.InputStream;
import java.util.Collections;
import java.util.Optional;

import org.jenkinsci.plugins.plaincredentials.FileCredentials;

import com.cloudbees.plugins.credentials.CredentialsMatcher;
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardCredentials;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl;
Expand All @@ -26,11 +20,18 @@
import com.synopsys.integration.log.IntLogger;
import com.synopsys.integration.log.SilentIntLogger;
import com.synopsys.integration.rest.credentials.CredentialsBuilder;

import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.ListBoxModel;
import hudson.util.Secret;
import jenkins.model.Jenkins;
import org.jenkinsci.plugins.plaincredentials.FileCredentials;
import org.jetbrains.annotations.Nullable;

import java.io.IOException;
import java.io.InputStream;
import java.util.Collections;
import java.util.Optional;

public class SynopsysCoverityCredentialsHelper extends SynopsysCredentialsHelper {
public static final Class<FileCredentials> AUTH_KEY_FILE_CREDENTIALS_CLASS = FileCredentials.class;
Expand Down Expand Up @@ -106,4 +107,27 @@ public com.synopsys.integration.rest.credentials.Credentials getIntegrationCrede
return credentialsBuilder.build();
}

}
public void checkPermissionToAccessCredentials(Item item) {
Jenkins jenkins = getJenkins();
if (jenkins == null) {
throw new RuntimeException("Jenkins instance is null");
}

if (item == null) {
jenkins.checkPermission(Jenkins.ADMINISTER);
} else {
item.checkPermission(Item.EXTENDED_READ);
item.checkPermission(CredentialsProvider.USE_ITEM);
}
}

@Nullable
private Jenkins getJenkins() {
Optional<Jenkins> optionalJenkins = jenkinsWrapper.getJenkins();
if (optionalJenkins.isPresent()) {
return optionalJenkins.get();
} else {
return null;
}
}
}
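Review bot: `checkPermissionToAccessCredentials` throws a bare `RuntimeException` when Jenkins is unavailable, and the `@Nullable getJenkins()` helper exists only to unwrap an `Optional` that the caller then null-checks. Failing closed is the right behaviour, but `Jenkins jenkins = jenkinsWrapper.getJenkins().orElseThrow(() -> new IllegalStateException("Jenkins instance is null"));` expresses it in one statement and makes the helper and the `org.jetbrains.annotations.Nullable` import unnecessary; that import also differs from the `javax.annotation.Nullable` imported in CoverityBuildStep. The method should also get a Javadoc stating its contract, because every form endpoint in this commit depends on it: a null `item` requires `Jenkins.ADMINISTER`, and a non-null `item` requires both `Item.EXTENDED_READ` and `CredentialsProvider.USE_ITEM`.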
Expand Up @@ -7,21 +7,24 @@
*/
package com.synopsys.integration.jenkins.coverity.extensions;

import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.slf4j.LoggerFactory;

import com.synopsys.integration.jenkins.annotations.HelpMarkdown;
import com.synopsys.integration.jenkins.coverity.SynopsysCoverityCredentialsHelper;
import com.synopsys.integration.jenkins.coverity.extensions.buildstep.CoverityBuildStep;
import com.synopsys.integration.jenkins.coverity.extensions.utils.IssueViewFieldHelper;
import com.synopsys.integration.jenkins.extensions.JenkinsSelectBoxEnum;
import com.synopsys.integration.jenkins.wrapper.JenkinsWrapper;
import com.synopsys.integration.log.Slf4jIntLogger;

import hudson.Extension;
import hudson.RelativePath;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.model.Item;
import hudson.util.ListBoxModel;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import org.slf4j.LoggerFactory;

public class CheckForIssuesInView extends AbstractDescribableImpl<CheckForIssuesInView> {
// Jenkins directly serializes the names of the fields, so they are an important part of the plugin's API.
Expand Down Expand Up @@ -61,20 +64,25 @@ public DescriptorImpl getDescriptor() {
@Extension
public static class DescriptorImpl extends Descriptor<CheckForIssuesInView> {
private final IssueViewFieldHelper issueViewFieldHelper;
private final SynopsysCoverityCredentialsHelper credentialsHelper;

public DescriptorImpl() {
super(CheckForIssuesInView.class);
load();
Slf4jIntLogger slf4jIntLogger = new Slf4jIntLogger(LoggerFactory.getLogger(CheckForIssuesInView.class));
issueViewFieldHelper = new IssueViewFieldHelper(slf4jIntLogger);
credentialsHelper = new SynopsysCoverityCredentialsHelper(slf4jIntLogger, JenkinsWrapper.initializeFromJenkinsJVM());
}

@POST
public ListBoxModel doFillViewNameItems(
@RelativePath(PATH_TO_COVERITY_BUILD_STEP) @QueryParameter(CoverityBuildStep.FIELD_COVERITY_INSTANCE_URL) String coverityInstanceUrl,
@RelativePath(PATH_TO_COVERITY_BUILD_STEP) @QueryParameter(CoverityBuildStep.FIELD_OVERRIDE_CREDENTIALS) Boolean overrideDefaultCredentials,
@RelativePath(PATH_TO_COVERITY_BUILD_STEP) @QueryParameter(CoverityBuildStep.FIELD_CREDENTIALS_ID) String credentialsId,
@QueryParameter("updateNow") boolean updateNow
@AncestorInPath Item item,
@RelativePath(PATH_TO_COVERITY_BUILD_STEP) @QueryParameter(CoverityBuildStep.FIELD_COVERITY_INSTANCE_URL) String coverityInstanceUrl,
@RelativePath(PATH_TO_COVERITY_BUILD_STEP) @QueryParameter(CoverityBuildStep.FIELD_OVERRIDE_CREDENTIALS) Boolean overrideDefaultCredentials,
@RelativePath(PATH_TO_COVERITY_BUILD_STEP) @QueryParameter(CoverityBuildStep.FIELD_CREDENTIALS_ID) String credentialsId,
@QueryParameter("updateNow") boolean updateNow
) throws InterruptedException {
credentialsHelper.checkPermissionToAccessCredentials(item);
if (updateNow) {
issueViewFieldHelper.updateNow(coverityInstanceUrl, overrideDefaultCredentials, credentialsId);
}
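Review bot: The new check in `doFillViewNameItems` authorises the caller against `item`, but `coverityInstanceUrl` and `credentialsId` are still request parameters and are handed to `issueViewFieldHelper.updateNow(...)` without `item`. Whether the helper resolves the credentials ID in the context of `item` or globally is not visible here; if it is global, the permission check and the lookup are scoped differently, so consider passing `item` through to the lookup. A short comment above the call, e.g. `// SECURITY-2793: caller must be allowed to use credentials on this item`, would help keep the check from being dropped in a later refactor. The method body continues past the visible lines.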
Expand Up @@ -7,17 +7,6 @@
*/
package com.synopsys.integration.jenkins.coverity.extensions.buildstep;

import java.io.IOException;

import javax.annotation.Nonnull;
import javax.annotation.Nullable;

import org.apache.commons.lang.StringUtils;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.QueryParameter;
import org.slf4j.LoggerFactory;

import com.synopsys.integration.jenkins.annotations.HelpMarkdown;
import com.synopsys.integration.jenkins.coverity.SynopsysCoverityCredentialsHelper;
import com.synopsys.integration.jenkins.coverity.extensions.CheckForIssuesInView;
Expand All @@ -33,19 +22,30 @@
import com.synopsys.integration.jenkins.wrapper.JenkinsVersionHelper;
import com.synopsys.integration.jenkins.wrapper.JenkinsWrapper;
import com.synopsys.integration.log.Slf4jIntLogger;

import hudson.Extension;
import hudson.FilePath;
import hudson.Launcher;
import hudson.model.AbstractBuild;
import hudson.model.AbstractProject;
import hudson.model.BuildListener;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.BuildStepMonitor;
import hudson.tasks.Builder;
import hudson.util.ComboBoxModel;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import org.apache.commons.lang.StringUtils;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import org.slf4j.LoggerFactory;

import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import java.io.IOException;

public class CoverityBuildStep extends Builder {
// Jenkins directly serializes the names of the fields, so they are an important part of the plugin's API.
Expand Down Expand Up @@ -248,26 +248,36 @@ public boolean isApplicable(Class<? extends AbstractProject> jobType) {
return true;
}

public ListBoxModel doFillCoverityInstanceUrlItems() {
@POST
public ListBoxModel doFillCoverityInstanceUrlItems(@AncestorInPath Item item) {
credentialsHelper.checkPermissionToAccessCredentials(item);
return coverityConnectionFieldHelper.doFillCoverityInstanceUrlItems();
}

public ListBoxModel doFillCredentialsIdItems() {
@POST
public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item) {
credentialsHelper.checkPermissionToAccessCredentials(item);
return credentialsHelper.listSupportedCredentials();
}

public FormValidation doCheckCoverityInstanceUrl(@QueryParameter(FIELD_COVERITY_INSTANCE_URL) String coverityInstanceUrl, @QueryParameter(FIELD_OVERRIDE_CREDENTIALS) Boolean overrideDefaultCredentials, @QueryParameter(FIELD_CREDENTIALS_ID) String credentialsId) {
@POST
public FormValidation doCheckCoverityInstanceUrl(@AncestorInPath Item item, @QueryParameter(FIELD_COVERITY_INSTANCE_URL) String coverityInstanceUrl, @QueryParameter(FIELD_OVERRIDE_CREDENTIALS) Boolean overrideDefaultCredentials, @QueryParameter(FIELD_CREDENTIALS_ID) String credentialsId) {
credentialsHelper.checkPermissionToAccessCredentials(item);
return coverityConnectionFieldHelper.doCheckCoverityInstanceUrl(coverityInstanceUrl, overrideDefaultCredentials, credentialsId);
}

public ComboBoxModel doFillProjectNameItems(@QueryParameter(FIELD_COVERITY_INSTANCE_URL) String coverityInstanceUrl, @QueryParameter(FIELD_OVERRIDE_CREDENTIALS) Boolean overrideDefaultCredentials, @QueryParameter(FIELD_CREDENTIALS_ID) String credentialsId, @QueryParameter("updateNow") boolean updateNow) throws InterruptedException {
@POST
public ComboBoxModel doFillProjectNameItems(@AncestorInPath Item item, @QueryParameter(FIELD_COVERITY_INSTANCE_URL) String coverityInstanceUrl, @QueryParameter(FIELD_OVERRIDE_CREDENTIALS) Boolean overrideDefaultCredentials, @QueryParameter(FIELD_CREDENTIALS_ID) String credentialsId, @QueryParameter("updateNow") boolean updateNow) throws InterruptedException {
credentialsHelper.checkPermissionToAccessCredentials(item);
if (updateNow) {
projectStreamFieldHelper.updateNow(coverityInstanceUrl, overrideDefaultCredentials, credentialsId);
}
return projectStreamFieldHelper.getProjectNamesForComboBox(coverityInstanceUrl, overrideDefaultCredentials, credentialsId);
}

public FormValidation doCheckProjectName(@QueryParameter(FIELD_COVERITY_INSTANCE_URL) String coverityInstanceUrl, @QueryParameter(FIELD_OVERRIDE_CREDENTIALS) Boolean overrideDefaultCredentials, @QueryParameter(FIELD_CREDENTIALS_ID) String credentialsId, @QueryParameter(FIELD_PROJECT_NAME) String projectName) {
@POST
public FormValidation doCheckProjectName(@AncestorInPath Item item, @QueryParameter(FIELD_COVERITY_INSTANCE_URL) String coverityInstanceUrl, @QueryParameter(FIELD_OVERRIDE_CREDENTIALS) Boolean overrideDefaultCredentials, @QueryParameter(FIELD_CREDENTIALS_ID) String credentialsId, @QueryParameter(FIELD_PROJECT_NAME) String projectName) {
credentialsHelper.checkPermissionToAccessCredentials(item);
FormValidation urlValidation = coverityConnectionFieldHelper.doCheckCoverityInstanceUrlIgnoreMessage(coverityInstanceUrl, overrideDefaultCredentials, credentialsId);
if (urlValidation.kind == FormValidation.Kind.ERROR) {
return urlValidation;
Expand All @@ -276,11 +286,15 @@ public FormValidation doCheckProjectName(@QueryParameter(FIELD_COVERITY_INSTANCE
}
}

public ComboBoxModel doFillStreamNameItems(@QueryParameter(FIELD_COVERITY_INSTANCE_URL) String coverityInstanceUrl, @QueryParameter(FIELD_OVERRIDE_CREDENTIALS) Boolean overrideDefaultCredentials, @QueryParameter(FIELD_CREDENTIALS_ID) String credentialsId, @QueryParameter(FIELD_PROJECT_NAME) String projectName) throws InterruptedException {
return projectStreamFieldHelper.getStreamNamesForComboBox(coverityInstanceUrl, overrideDefaultCredentials,credentialsId, projectName);
@POST
public ComboBoxModel doFillStreamNameItems(@AncestorInPath Item item, @QueryParameter(FIELD_COVERITY_INSTANCE_URL) String coverityInstanceUrl, @QueryParameter(FIELD_OVERRIDE_CREDENTIALS) Boolean overrideDefaultCredentials, @QueryParameter(FIELD_CREDENTIALS_ID) String credentialsId, @QueryParameter(FIELD_PROJECT_NAME) String projectName) throws InterruptedException {
credentialsHelper.checkPermissionToAccessCredentials(item);
return projectStreamFieldHelper.getStreamNamesForComboBox(coverityInstanceUrl, overrideDefaultCredentials, credentialsId, projectName);
}

public FormValidation doCheckStreamName(@QueryParameter(FIELD_COVERITY_INSTANCE_URL) String coverityInstanceUrl, @QueryParameter(FIELD_OVERRIDE_CREDENTIALS) Boolean overrideDefaultCredentials, @QueryParameter(FIELD_CREDENTIALS_ID) String credentialsId, @QueryParameter(FIELD_PROJECT_NAME) String projectName, @QueryParameter(FIELD_STREAM_NAME) String streamName) {
@POST
public FormValidation doCheckStreamName(@AncestorInPath Item item, @QueryParameter(FIELD_COVERITY_INSTANCE_URL) String coverityInstanceUrl, @QueryParameter(FIELD_OVERRIDE_CREDENTIALS) Boolean overrideDefaultCredentials, @QueryParameter(FIELD_CREDENTIALS_ID) String credentialsId, @QueryParameter(FIELD_PROJECT_NAME) String projectName, @QueryParameter(FIELD_STREAM_NAME) String streamName) {
credentialsHelper.checkPermissionToAccessCredentials(item);
FormValidation urlValidation = coverityConnectionFieldHelper.doCheckCoverityInstanceUrlIgnoreMessage(coverityInstanceUrl, overrideDefaultCredentials, credentialsId);
if (urlValidation.kind == FormValidation.Kind.ERROR) {
return urlValidation;
Expand All @@ -303,4 +317,4 @@ public CoverityRunConfiguration getDefaultCoverityRunConfiguration() {

}

}
}
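Review bot: The validators `doCheckCoverityInstanceUrl`, `doCheckProjectName` and `doCheckStreamName` are now `@POST`, but Jenkins form validation sends GET requests unless the field's Jelly sets `checkMethod="post"`. The Jelly views are not shown on this page, so confirm they were updated in the same commit; otherwise validation requests for these fields will be rejected rather than run. Every endpoint also repeats `credentialsHelper.checkPermissionToAccessCredentials(item);` as its first statement. A comment on the first one, e.g. `// every Stapler-exposed do* method in this descriptor must start with this check`, would help future endpoints stay consistent.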
Expand Up @@ -7,22 +7,6 @@
*/
package com.synopsys.integration.jenkins.coverity.extensions.global;

import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Optional;

import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.StringUtils;
import org.jenkinsci.plugins.plaincredentials.FileCredentials;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import org.slf4j.LoggerFactory;

import com.synopsys.integration.coverity.config.CoverityServerConfig;
import com.synopsys.integration.jenkins.annotations.HelpMarkdown;
import com.synopsys.integration.jenkins.coverity.SynopsysCoverityCredentialsHelper;
Expand All @@ -32,13 +16,29 @@
import com.synopsys.integration.log.IntLogger;
import com.synopsys.integration.log.Slf4jIntLogger;
import com.synopsys.integration.rest.credentials.Credentials;

import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.model.Item;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.StringUtils;
import org.jenkinsci.plugins.plaincredentials.FileCredentials;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import org.slf4j.LoggerFactory;

import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Optional;

public class CoverityConnectInstance extends AbstractDescribableImpl<CoverityConnectInstance> {
@HelpMarkdown("Specify the URL for your Coverity Connect instance. \r\n"
Expand Down Expand Up @@ -163,7 +163,9 @@ public FormValidation doCheckUrl(@QueryParameter("url") String url) {
return FormValidation.ok();
}

public ListBoxModel doFillDefaultCredentialsIdItems() {
@POST
public ListBoxModel doFillDefaultCredentialsIdItems(@AncestorInPath Item item) {
credentialsHelper.checkPermissionToAccessCredentials(item);
return credentialsHelper.listSupportedCredentials();
}

Expand All @@ -184,4 +186,4 @@ public FormValidation doTestConnection(@QueryParameter("url") String url, @Query
}
}

}
}
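Review bot: Only `doFillDefaultCredentialsIdItems` gains `@POST` and the permission check in this file; `doCheckUrl(@QueryParameter("url") String url)` and `doTestConnection(...)` appear only as hunk context, with their bodies outside the visible lines. Confirm that both already enforce `Jenkins.ADMINISTER`, since they accept a request-supplied URL. On a global configuration descriptor there is presumably no `Item` ancestor, so `item` will normally be null and the check reduces to `Jenkins.ADMINISTER`. A comment such as `// global config: item is null here, so this requires Jenkins.ADMINISTER` would make that explicit.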