
Merge pull request #20 from apcj/master

2 parents 211f5f3 + eb3d598 commit 18497488224c3ca8d707e2a9fbe1713bf8e25375 @mocleiri committed Mar 16, 2012
@@ -3,3 +3,5 @@ work
.classpath
.project
.settings
+*.iml
+.idea
32 pom.xml
@@ -5,7 +5,7 @@
<parent>
<groupId>org.jenkins-ci.plugins</groupId>
<artifactId>plugin</artifactId>
- <version>1.420</version><!-- which version of Jenkins is this plugin built
+ <version>1.431</version><!-- which version of Jenkins is this plugin built
against? -->
</parent>
@@ -39,23 +39,21 @@
<url>https://github.com/jenkinsci/github-oauth-plugin</url>
</scm>
- <!-- get every artifact through maven.glassfish.org, which proxies all the
- artifacts that we need -->
- <repositories>
- <repository>
- <id>m.g.o-public</id>
- <url>http://maven.glassfish.org/content/groups/public/</url>
- </repository>
- </repositories>
+ <!-- Use repositories suggested in plugin tutorial: https://wiki.jenkins-ci.org/display/JENKINS/Plugin+tutorial -->
+ <repositories>
+ <repository>
+ <id>repo.jenkins-ci.org</id>
+ <url>http://repo.jenkins-ci.org/public/</url>
+ </repository>
+ </repositories>
+ <pluginRepositories>
+ <pluginRepository>
+ <id>repo.jenkins-ci.org</id>
+ <url>http://repo.jenkins-ci.org/public/</url>
+ </pluginRepository>
+ </pluginRepositories>
- <pluginRepositories>
- <pluginRepository>
- <id>m.g.o-public</id>
- <url>http://maven.glassfish.org/content/groups/public/</url>
- </pluginRepository>
- </pluginRepositories>
-
- <dependencies>
+ <dependencies>
<dependency>
<groupId>org.apache.httpcomponents</groupId>
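Review bot: Both the new `<repository>` and `<pluginRepository>` entries point at `http://repo.jenkins-ci.org/public/`, so every dependency and build plugin is fetched over an unauthenticated channel that an on-path party could alter without Maven noticing. The Jenkins repository is reachable over TLS, so `<url>https://repo.jenkins-ci.org/public/</url>` in both entries removes that exposure with no other change to the build. The glassfish entries being replaced had the same weakness, so this is not a regression, but the commit rewrites these lines anyway and is the natural place to fix it.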
@@ -68,13 +68,13 @@ of this software and associated documentation files (the "Software"), to deal
@DataBoundConstructor
public GithubAuthorizationStrategy(String adminUserNames,
boolean authenticatedUserReadPermission, String organizationNames,
- boolean allowGithubWebHookPermission,
+ boolean allowGithubWebHookPermission, boolean allowCcTrayPermission,
boolean allowAnonymousReadPermission) {
super();
rootACL = new GithubRequireOrganizationMembershipACL(adminUserNames,
organizationNames, authenticatedUserReadPermission,
- allowGithubWebHookPermission, allowAnonymousReadPermission);
+ allowGithubWebHookPermission, allowCcTrayPermission, allowAnonymousReadPermission);
}
private final GithubRequireOrganizationMembershipACL rootACL;
@@ -110,15 +110,15 @@ private Object readResolve() {
* @see org.jenkinsci.plugins.GithubRequireOrganizationMembershipACL#getOrganizationNameList()
*/
public String getOrganizationNames() {
- return StringUtils.join(rootACL.getOrganizationNameList(), ", ");
+ return StringUtils.join(rootACL.getOrganizationNameList().iterator(), ", ");
}
/**
* @return
* @see org.jenkinsci.plugins.GithubRequireOrganizationMembershipACL#getAdminUserNameList()
*/
public String getAdminUserNames() {
- return StringUtils.join(rootACL.getAdminUserNameList(), ", ");
+ return StringUtils.join(rootACL.getAdminUserNameList().iterator(), ", ");
}
/**
@@ -137,6 +137,14 @@ public boolean isAllowGithubWebHookPermission() {
return rootACL.isAllowGithubWebHookPermission();
}
+ /**
+ * @return
+ * @see org.jenkinsci.plugins.GithubRequireOrganizationMembershipACL#isAllowCcTrayPermission()
+ */
+ public boolean isAllowCcTrayPermission() {
+ return rootACL.isAllowCcTrayPermission();
+ }
+
/**
* @return
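Review bot: The Javadoc added for `isAllowCcTrayPermission` leaves its `@return` tag empty, so the generated documentation says nothing beyond the `@see` link. Suggest `@return true when unauthenticated READ access to the root cc.xml URL is permitted`, which is what the ACL's `hasPermission` consults this flag for. The neighbouring getters in this file follow the same empty-`@return` pattern, but only this one is new in the change.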
@@ -29,10 +29,12 @@ of this software and associated documentation files (the "Software"), to deal
import hudson.security.ACL;
import hudson.security.Permission;
+import java.net.URI;
import java.util.LinkedList;
import java.util.List;
import java.util.logging.Logger;
+import jenkins.model.Jenkins;
import org.acegisecurity.Authentication;
import org.kohsuke.stapler.Stapler;
@@ -49,7 +51,8 @@ of this software and associated documentation files (the "Software"), to deal
private final List<String> adminUserNameList;
private final boolean authenticatedUserReadPermission;
private final boolean allowGithubWebHookPermission;
- private final boolean allowAnonymousReadPermission;
+ private final boolean allowCcTrayPermission;
+ private final boolean allowAnonymousReadPermission;
/*
* (non-Javadoc)
@@ -131,25 +134,37 @@ public boolean hasPermission(Authentication a, Permission permission) {
return true;
}
- String requestURI = Stapler.getCurrentRequest()
- .getOriginalRequestURI();
+ if (allowGithubWebHookPermission &&
+ (currentUriPathEquals( "github-webhook" ) ||
+ currentUriPathEquals( "github-webhook/" ))) {
- if (requestURI.matches(".*github-webhook.*")
- && allowGithubWebHookPermission == true) {
// allow if the permission was configured.
if (checkReadPermission(permission)) {
log.info("Granting READ access for github-webhook url: "
- + requestURI);
+ + requestURI());
+ return true;
+ }
+
+ // else fall through to false.
+ }
+
+ if (allowCcTrayPermission && currentUriPathEquals("cc.xml")) {
+
+ // allow if the permission was configured.
+
+ if (checkReadPermission(permission)) {
+ log.info("Granting READ access for cctray url: "
+ + requestURI());
return true;
}
// else fall through to false.
}
log.finer("Denying anonymous READ permission to url: "
- + requestURI);
+ + requestURI());
return false;
}
@@ -168,7 +183,16 @@ public boolean hasPermission(Authentication a, Permission permission) {
}
- private boolean testBuildPermission(Permission permission) {
+ private boolean currentUriPathEquals( String specificPath ) {
+ String basePath = URI.create(Jenkins.getInstance().getRootUrl()).getPath();
+ return URI.create(requestURI()).getPath().equals(basePath + specificPath);
+ }
+
+ private String requestURI() {
+ return Stapler.getCurrentRequest().getOriginalRequestURI();
+ }
+
+ private boolean testBuildPermission(Permission permission) {
if (permission.getId().equals("hudson.model.Hudson.Build")
|| permission.getId().equals("hudson.model.Item.Build")) {
return true;
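Review bot: `currentUriPathEquals` passes `Jenkins.getInstance().getRootUrl()` straight to `URI.create`, and that method's Javadoc allows a null return when no root URL is configured; `URI.create(null)` then throws a NullPointerException out of `hasPermission`, and `URI.create` on the request URI throws IllegalArgumentException for input it cannot parse. An exception escaping an ACL check surfaces as a server error instead of a clean deny, so I would fail closed explicitly: `String rootUrl = Jenkins.getInstance().getRootUrl();` followed by `if (rootUrl == null) { return false; }` before the `basePath` computation. Catching IllegalArgumentException around the path comparison and returning false would handle the unparsable-URI case the same way. The `if` at the end of this hunk belongs to `testBuildPermission`, whose body continues outside it.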
@@ -187,11 +211,13 @@ private boolean checkReadPermission(Permission permission) {
public GithubRequireOrganizationMembershipACL(String adminUserNames,
String organizationNames, boolean authenticatedUserReadPermission,
boolean allowGithubWebHookPermission,
+ boolean allowCcTrayPermission,
boolean allowAnonymousReadPermission) {
super();
this.authenticatedUserReadPermission = authenticatedUserReadPermission;
this.allowGithubWebHookPermission = allowGithubWebHookPermission;
- this.allowAnonymousReadPermission = allowAnonymousReadPermission;
+ this.allowCcTrayPermission = allowCcTrayPermission;
+ this.allowAnonymousReadPermission = allowAnonymousReadPermission;
this.adminUserNameList = new LinkedList<String>();
@@ -227,7 +253,11 @@ public boolean isAllowGithubWebHookPermission() {
return allowGithubWebHookPermission;
}
- /**
+ public boolean isAllowCcTrayPermission() {
+ return allowCcTrayPermission;
+ }
+
+ /**
* @return the allowAnonymousReadPermission
*/
public boolean isAllowAnonymousReadPermission() {
@@ -20,6 +20,10 @@
<f:checkbox />
</f:entry>
+ <f:entry title="Grant READ permissions for /cc.xml" field="allowCcTrayPermission" help="/plugin/github-oauth/help/auth/grant-read-to-cctray-help.html">
+ <f:checkbox />
+ </f:entry>
+
<f:entry title="Grant READ permissions for Anonymous Users" field="allowAnonymousReadPermission" help="/plugin/github-oauth/help/auth/grant-read-to-anonymous-help.html">
<f:checkbox />
</f:entry>
@@ -0,0 +1,7 @@
+<div>
+Open a hole in security to allow unauthenticated access to /cc.xml at the root of the server.
+This URI provides <a href="https://wiki.jenkins-ci.org/display/JENKINS/Monitoring+Jenkins">monitoring capability</a>
+to a range of desktop clients.
+
+Enabling this option reveals limited information about your build to the whole world. Use with care.
+</div>
@@ -1,84 +0,0 @@
-/**
- The MIT License
-
-Copyright (c) 2011 Michael O'Cleirigh
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
-
-
-
- */
-package org.jenkinsci.plugins.api;
-
-import junit.framework.TestCase;
-
-/**
- * @author mocleiri
- *
- */
-public class TestGithubWebHookUrlRegEx extends TestCase {
-
- /**
- *
- */
- public TestGithubWebHookUrlRegEx() {
- // TODO Auto-generated constructor stub
- }
-
- /**
- * @param name
- */
- public TestGithubWebHookUrlRegEx(String name) {
- super(name);
- // TODO Auto-generated constructor stub
- }
-
-
- public void testRootedWebHookRegEx() {
-
- String regex = ".*github-webhook.*";
-
- String url = "/github-webhook";
-
- assertTrue(url.matches(regex));
-
- String questionUrl = "/github-webhook/?";
-
- assertTrue(questionUrl.matches(regex));
-
- String nested= "/nesting/github-webhook";
-
- assertTrue(nested.matches(regex));
-
- String questionNested= "/nesting/github-webhook";
-
- assertTrue(questionNested.matches(regex));
-
-
- String full = "http://hostname.com/jenkins/github-webhook";
-
- assertTrue(full.matches(regex));
-
- String fullNested = "http://hostname.com/subfolder/jenkins/github-webhook";
-
- assertTrue(fullNested.matches(regex));
-
- }
-
-}
