From 2dac0ceeb68f9cfc4f3eb0043030b81cbb94caa7 Mon Sep 17 00:00:00 2001
From: Jesse Glick <jglick@cloudbees.com>
Date: Thu, 9 Mar 2017 17:10:40 -0500
Subject: [PATCH] [FIXED JENKINS-42556] Make PlaceholderTask.getFullDisplayName
 ignore thread authentication.

---
 .../support/steps/ExecutorStepExecution.java  |  9 ++++-
 .../support/pickles/ExecutorPickleTest.java   | 36 +++++++++++++++++++
 2 files changed, 44 insertions(+), 1 deletion(-)

diff --git a/src/main/java/org/jenkinsci/plugins/workflow/support/steps/ExecutorStepExecution.java b/src/main/java/org/jenkinsci/plugins/workflow/support/steps/ExecutorStepExecution.java
index d06f51cb..1d745cb9 100644
--- a/src/main/java/org/jenkinsci/plugins/workflow/support/steps/ExecutorStepExecution.java
+++ b/src/main/java/org/jenkinsci/plugins/workflow/support/steps/ExecutorStepExecution.java
@@ -48,6 +48,8 @@
 import jenkins.util.Timer;
 import org.acegisecurity.AccessDeniedException;
 import org.acegisecurity.Authentication;
+import org.acegisecurity.context.SecurityContext;
+import org.acegisecurity.context.SecurityContextHolder;
 import org.jenkinsci.plugins.durabletask.executors.ContinuableExecutable;
 import org.jenkinsci.plugins.durabletask.executors.ContinuedTask;
 import org.jenkinsci.plugins.workflow.flow.FlowExecution;
@@ -381,7 +383,12 @@ private Object readResolve() {
         public @CheckForNull Run<?,?> runForDisplay() {
             Run<?,?> r = run();
             if (r == null && /* not stored prior to 1.13 */runId != null) {
-                return Run.fromExternalizableId(runId);
+                SecurityContext orig = ACL.impersonate(ACL.SYSTEM);
+                try {
+                    return Run.fromExternalizableId(runId);
+                } finally {
+                    SecurityContextHolder.setContext(orig);
+                }
             }
             return r;
         }
diff --git a/src/test/java/org/jenkinsci/plugins/workflow/support/pickles/ExecutorPickleTest.java b/src/test/java/org/jenkinsci/plugins/workflow/support/pickles/ExecutorPickleTest.java
index 8c5f217c..9fdb2377 100644
--- a/src/test/java/org/jenkinsci/plugins/workflow/support/pickles/ExecutorPickleTest.java
+++ b/src/test/java/org/jenkinsci/plugins/workflow/support/pickles/ExecutorPickleTest.java
@@ -24,9 +24,13 @@
 
 package org.jenkinsci.plugins.workflow.support.pickles;
 
+import hudson.model.Item;
 import hudson.model.Label;
 import hudson.model.Queue;
+import hudson.model.User;
 import hudson.slaves.DumbSlave;
+import hudson.slaves.OfflineCause;
+import jenkins.model.Jenkins;
 import org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition;
 import org.jenkinsci.plugins.workflow.job.WorkflowJob;
 import org.jenkinsci.plugins.workflow.job.WorkflowRun;
@@ -38,12 +42,15 @@
 import org.junit.Rule;
 import org.junit.runners.model.Statement;
 import org.jvnet.hudson.test.BuildWatcher;
+import org.jvnet.hudson.test.Issue;
+import org.jvnet.hudson.test.MockAuthorizationStrategy;
 import org.jvnet.hudson.test.RestartableJenkinsRule;
 
 public class ExecutorPickleTest {
 
     @ClassRule public static BuildWatcher buildWatcher = new BuildWatcher();
     @Rule public RestartableJenkinsRule r = new RestartableJenkinsRule();
+    //@Rule public LoggerRule logging = new LoggerRule().record(Queue.class, Level.FINE);
 
     @Test public void canceledQueueItem() throws Exception {
         r.addStep(new Statement() {
@@ -71,4 +78,33 @@ public class ExecutorPickleTest {
         });
     }
 
+    @Issue("JENKINS-42556")
+    @Test public void anonDiscover() {
+        r.addStep(new Statement() {
+            @Override public void evaluate() throws Throwable {
+                r.j.jenkins.setSecurityRealm(r.j.createDummySecurityRealm());
+                r.j.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy().
+                    grant(Jenkins.ADMINISTER).everywhere().to("admin").
+                    grant(Jenkins.READ, Item.DISCOVER).everywhere().toEveryone());
+                r.j.jenkins.save(); // TODO pending https://github.com/jenkinsci/jenkins/pull/2790
+                DumbSlave remote = r.j.createSlave("remote", null, null);
+                WorkflowJob p = r.j.createProject(WorkflowJob.class, "p");
+                p.setDefinition(new CpsFlowDefinition("node('remote') {semaphore 'wait'}", true));
+                SemaphoreStep.waitForStart("wait/1", p.scheduleBuild2(0).waitForStart());
+                remote.toComputer().setTemporarilyOffline(true, new OfflineCause.UserCause(User.get("admin"), "hold"));
+            }
+        });
+        r.addStep(new Statement() {
+            @Override public void evaluate() throws Throwable {
+                SemaphoreStep.success("wait/1", null);
+                WorkflowJob p = r.j.jenkins.getItemByFullName("p", WorkflowJob.class);
+                assertFalse(p.getACL().hasPermission(Jenkins.ANONYMOUS, Item.READ));
+                WorkflowRun b = p.getBuildByNumber(1);
+                r.j.waitForMessage(Messages.ExecutorPickle_waiting_to_resume(Messages.ExecutorStepExecution_PlaceholderTask_displayName(b.getFullDisplayName())), b);
+                r.j.jenkins.getNode("remote").toComputer().setTemporarilyOffline(false, null);
+                r.j.assertBuildStatusSuccess(r.j.waitForCompletion(b));
+            }
+        });
+    }
+
 }