hudson.security.AuthorizationStrategy Java Examples

@Test
public void removeSidFromAgentRole() {
    String sid = "user1";
    AgentRole role = new AgentRole("bar", wrapPermissions(Item.READ), singleton("agentBar"));
    assertEquals(0, role.getSids().size());
    FolderAuthorizationStrategyAPI.addAgentRole(role);
    FolderAuthorizationStrategyAPI.assignSidToAgentRole(sid, "bar");
    FolderAuthorizationStrategyAPI.removeSidFromAgentRole(sid, "bar");

    AuthorizationStrategy a = j.jenkins.getAuthorizationStrategy();
    assertTrue(a instanceof FolderBasedAuthorizationStrategy);
    FolderBasedAuthorizationStrategy strategy = (FolderBasedAuthorizationStrategy) a;
    AgentRole updatedRole = strategy.getAgentRoles().stream().filter(r -> r.getName().equals("bar"))
                                .findAny().orElseThrow(() -> new RuntimeException("The created role should exist"));
    assertFalse(updatedRole.getSids().contains(sid));
}
 

@Test
public void removeSidFromFolderRole() {
    String sid = "user1";
    FolderRole role = new FolderRole("foo", wrapPermissions(Item.READ), singleton("folderFoo"));
    assertEquals(0, role.getSids().size());
    FolderAuthorizationStrategyAPI.addFolderRole(role);
    FolderAuthorizationStrategyAPI.assignSidToFolderRole(sid, "foo");
    FolderAuthorizationStrategyAPI.removeSidFromFolderRole(sid, "foo");

    AuthorizationStrategy a = j.jenkins.getAuthorizationStrategy();
    assertTrue(a instanceof FolderBasedAuthorizationStrategy);
    FolderBasedAuthorizationStrategy strategy = (FolderBasedAuthorizationStrategy) a;
    FolderRole updatedRole = strategy.getFolderRoles().stream().filter(r -> r.getName().equals("foo"))
                                 .findAny().orElseThrow(() -> new RuntimeException("The created role should exist"));
    assertFalse(updatedRole.getSids().contains(sid));
}
 

@Nonnull
@Override
public FolderBasedAuthorizationStrategy newInstance(@Nullable StaplerRequest req, @Nonnull JSONObject formData) {
    AuthorizationStrategy strategy = Jenkins.get().getAuthorizationStrategy();
    if (strategy instanceof FolderBasedAuthorizationStrategy) {
        // this action was invoked from the 'Configure Global Security' page when the
        // old strategy was FolderBasedAuthorizationStrategy; return it back as formData would be empty
        return (FolderBasedAuthorizationStrategy) strategy;
    } else {
        // when this AuthorizationStrategy is selected for the first time, this makes the current
        // user admin (give all permissions) and prevents him/her from getting access denied.
        // The same thing happens in Role Strategy plugin. See RoleBasedStrategy.DESCRIPTOR.newInstance()

        HashSet<PermissionGroup> groups = new HashSet<>(PermissionGroup.getAll());
        groups.remove(PermissionGroup.get(Permission.class));
        Set<PermissionWrapper> adminPermissions = PermissionWrapper.wrapPermissions(
            FolderAuthorizationStrategyManagementLink.getSafePermissions(groups));

        GlobalRole adminRole = new GlobalRole(ADMIN_ROLE_NAME, adminPermissions,
            Collections.singleton(new PrincipalSid(Jenkins.getAuthentication()).getPrincipal()));

        return new FolderBasedAuthorizationStrategy(Collections.singleton(adminRole), Collections.emptySet(),
            Collections.emptySet());
    }
}
 

@Test
public void removeSidFromGlobalRole() {
    AuthorizationStrategy a = j.jenkins.getAuthorizationStrategy();
    assertTrue(a instanceof FolderBasedAuthorizationStrategy);
    final String adminRoleName = "admin";
    FolderAuthorizationStrategyAPI.assignSidToGlobalRole("user1", adminRoleName);
    FolderAuthorizationStrategyAPI.removeSidFromGlobalRole("user1", adminRoleName);

    // a new authorization strategy should have been set
    AuthorizationStrategy b = j.jenkins.getAuthorizationStrategy();
    assertTrue(b instanceof FolderBasedAuthorizationStrategy);
    assertNotSame("A new instance of FolderBasedAuthorizationStrategy should have been set.", a, b);
    FolderBasedAuthorizationStrategy newStrategy = (FolderBasedAuthorizationStrategy) b;
    GlobalRole role = newStrategy.getGlobalRoles().stream().filter(r -> r.getName().equals(adminRoleName))
                          .findAny().orElseThrow(() -> new RuntimeException("The admin role should exist"));
    assertFalse(role.getSids().contains("user1"));
}
 

@Test
public void assignSidToFolderRole() {
    String sid = "user1";
    FolderRole role = new FolderRole("foo", wrapPermissions(Item.READ), singleton("folderFoo"));
    assertEquals(0, role.getSids().size());
    FolderAuthorizationStrategyAPI.addFolderRole(role);
    FolderAuthorizationStrategyAPI.assignSidToFolderRole(sid, "foo");


    AuthorizationStrategy a = j.jenkins.getAuthorizationStrategy();
    assertTrue(a instanceof FolderBasedAuthorizationStrategy);
    FolderBasedAuthorizationStrategy strategy = (FolderBasedAuthorizationStrategy) a;
    FolderRole updatedRole = strategy.getFolderRoles().stream().filter(r -> r.getName().equals("foo"))
                                 .findAny().orElseThrow(() -> new RuntimeException("The created role should exist"));
    assertTrue(updatedRole.getSids().contains(sid));
}
 

/**
 * Returns the {@link FolderRole}s used by the {@link FolderBasedAuthorizationStrategy}.
 *
 * @return the {@link FolderRole}s used by the {@link FolderBasedAuthorizationStrategy}
 * @throws IllegalStateException when {@link Jenkins#getAuthorizationStrategy()} is
 *                               not {@link FolderBasedAuthorizationStrategy}
 */
@Nonnull
@Restricted(NoExternalUse.class)
@SuppressWarnings("unused") // used by index.jelly
public SortedSet<FolderRole> getFolderRoles() {
    AuthorizationStrategy strategy = Jenkins.get().getAuthorizationStrategy();
    if (strategy instanceof FolderBasedAuthorizationStrategy) {
        return new TreeSet<>(((FolderBasedAuthorizationStrategy) strategy).getFolderRoles());
    } else {
        throw new IllegalStateException(Messages.FolderBasedAuthorizationStrategy_NotCurrentStrategy());
    }
}
 

@Test
@Issue("Issue #214")
@ConfiguredWithCode("RoleStrategy2.yml")
public void shouldHandleNullItemsAndAgentsCorrectly() throws Exception {
    AuthorizationStrategy s = j.jenkins.getAuthorizationStrategy();
    assertThat("Authorization Strategy has been read incorrectly",
        s, instanceOf(RoleBasedAuthorizationStrategy.class));
    RoleBasedAuthorizationStrategy rbas = (RoleBasedAuthorizationStrategy) s;

    Map<Role, Set<String>> globalRoles = rbas.getGrantedRoles(RoleBasedAuthorizationStrategy.GLOBAL);
    assertThat(globalRoles.size(), equalTo(2));
}
 

@Test
public void assignSidToAgentRole() {
    String sid = "user1";
    AgentRole role = new AgentRole("bar", wrapPermissions(Item.READ), singleton("agentBar"));
    assertEquals(0, role.getSids().size());
    FolderAuthorizationStrategyAPI.addAgentRole(role);
    FolderAuthorizationStrategyAPI.assignSidToAgentRole(sid, "bar");

    AuthorizationStrategy a = j.jenkins.getAuthorizationStrategy();
    assertTrue(a instanceof FolderBasedAuthorizationStrategy);
    FolderBasedAuthorizationStrategy strategy = (FolderBasedAuthorizationStrategy) a;
    AgentRole updatedRole = strategy.getAgentRoles().stream().filter(r -> r.getName().equals("bar"))
                                .findAny().orElseThrow(() -> new RuntimeException("The created role should exist"));
    assertTrue(updatedRole.getSids().contains(sid));
}
 

@Test
public void addAgentRole() {
    AgentRole role = new AgentRole("readEverything", wrapPermissions(Jenkins.READ),
        singleton("agent1"), singleton("user1"));
    FolderAuthorizationStrategyAPI.addAgentRole(role);
    AuthorizationStrategy a = j.jenkins.getAuthorizationStrategy();
    assertTrue(a instanceof FolderBasedAuthorizationStrategy);
    FolderBasedAuthorizationStrategy strategy = (FolderBasedAuthorizationStrategy) a;
    assertTrue(strategy.getAgentRoles().contains(role));
}
 

@Test
public void addFolderRole() {
    FolderRole role = new FolderRole("readEverything", wrapPermissions(Jenkins.READ),
        singleton("folder1"), singleton("user1"));
    FolderAuthorizationStrategyAPI.addFolderRole(role);
    AuthorizationStrategy a = j.jenkins.getAuthorizationStrategy();
    assertTrue(a instanceof FolderBasedAuthorizationStrategy);
    FolderBasedAuthorizationStrategy strategy = (FolderBasedAuthorizationStrategy) a;
    assertTrue(strategy.getFolderRoles().contains(role));
}
 

@Test
public void addGlobalRole() {
    GlobalRole readRole = new GlobalRole("readEverything", wrapPermissions(Jenkins.READ), singleton("user1"));
    FolderAuthorizationStrategyAPI.addGlobalRole(readRole);
    AuthorizationStrategy a = j.jenkins.getAuthorizationStrategy();
    assertTrue(a instanceof FolderBasedAuthorizationStrategy);
    FolderBasedAuthorizationStrategy strategy = (FolderBasedAuthorizationStrategy) a;
    assertTrue(strategy.getGlobalRoles().contains(readRole));
}
 

private void checkConfiguration() {
    Jenkins jenkins = Jenkins.get();
    try (ACLContext ignored = ACL.as(User.getById("admin", true))) {
        assertTrue(jenkins.hasPermission(Jenkins.ADMINISTER));
    }

    try (ACLContext ignored = ACL.as(User.getById("user1", true))) {
        Folder folder = (Folder) jenkins.getItem("folder");
        assertNotNull(folder);
        assertTrue(jenkins.hasPermission(Jenkins.READ));
        assertTrue(folder.hasPermission(Item.READ));
        assertFalse(folder.hasPermission(Item.CONFIGURE));
        assertFalse(jenkins.hasPermission(Jenkins.ADMINISTER));

        Computer computer = jenkins.getComputer("foo");
        assertNotNull(computer);
        assertTrue(computer.hasPermission(Computer.CONFIGURE));
        assertFalse(computer.hasPermission(Computer.DELETE));
    }

    AuthorizationStrategy a = Jenkins.get().getAuthorizationStrategy();
    assertTrue(a instanceof FolderBasedAuthorizationStrategy);
    FolderBasedAuthorizationStrategy strategy = (FolderBasedAuthorizationStrategy) a;
    assertEquals(strategy.getGlobalRoles().size(), 2);
    assertEquals(strategy.getFolderRoles().size(), 1);
    assertEquals(strategy.getAgentRoles().size(), 1);
}
 

@Test
@ConfiguredWithCode("config2.yml")
public void shouldNotThrowErrorWithEmptyFolderRoles() {
    AuthorizationStrategy authorizationStrategy = j.jenkins.getAuthorizationStrategy();
    assertTrue(authorizationStrategy instanceof FolderBasedAuthorizationStrategy);
    FolderBasedAuthorizationStrategy strategy = (FolderBasedAuthorizationStrategy) authorizationStrategy;
    assertEquals(0, strategy.getFolderRoles().size());
    assertEquals(0, strategy.getAgentRoles().size());
    assertEquals(2, strategy.getGlobalRoles().size());
}
 

@Nonnull
@Restricted(NoExternalUse.class)
@SuppressWarnings("unused") // used by index.jelly
public SortedSet<AgentRole> getAgentRoles() {
    AuthorizationStrategy strategy = Jenkins.get().getAuthorizationStrategy();
    if (strategy instanceof FolderBasedAuthorizationStrategy) {
        return new TreeSet<>(((FolderBasedAuthorizationStrategy) strategy).getAgentRoles());
    } else {
        throw new IllegalStateException(Messages.FolderBasedAuthorizationStrategy_NotCurrentStrategy());
    }
}
 

@Nonnull
@Restricted(NoExternalUse.class)
@SuppressWarnings("unused") // used by index.jelly
public SortedSet<GlobalRole> getGlobalRoles() {
    AuthorizationStrategy strategy = Jenkins.get().getAuthorizationStrategy();
    if (strategy instanceof FolderBasedAuthorizationStrategy) {
        return new TreeSet<>(((FolderBasedAuthorizationStrategy) strategy).getGlobalRoles());
    } else {
        throw new IllegalStateException(Messages.FolderBasedAuthorizationStrategy_NotCurrentStrategy());
    }
}
 

@NonNull
@Override
public Class getImplementedAPI() {
    return AuthorizationStrategy.class;
}
 

@Override
protected Unsecured instance(Mapping mapping, ConfigurationContext context) {
    return (Unsecured)AuthorizationStrategy.UNSECURED;
}
 

@Test
@Issue("Issue #48")
@ConfiguredWithCode("RoleStrategy1.yml")
public void shouldReadRolesCorrectly() throws Exception {
    j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
    User admin = User.getById("admin", false);
    User user1 = User.getById("user1", false);
    User user2 = User.getById("user2", true);
    Computer agent1 = j.jenkins.getComputer("agent1");
    Computer agent2 = j.jenkins.getComputer("agent2");
    Folder folderA = j.jenkins.createProject(Folder.class, "A");
    FreeStyleProject jobA1 = folderA.createProject(FreeStyleProject.class, "1");
    Folder folderB = j.jenkins.createProject(Folder.class, "B");
    folderB.createProject(FreeStyleProject.class, "2");

    AuthorizationStrategy s = j.jenkins.getAuthorizationStrategy();
    assertThat("Authorization Strategy has been read incorrectly",
            s, instanceOf(RoleBasedAuthorizationStrategy.class));
    RoleBasedAuthorizationStrategy rbas = (RoleBasedAuthorizationStrategy) s;

    Map<Role, Set<String>> globalRoles = rbas.getGrantedRoles(RoleBasedAuthorizationStrategy.GLOBAL);
    assertThat(globalRoles.size(), equalTo(2));

    // Admin has configuration access
    assertHasPermission(admin, j.jenkins, Jenkins.ADMINISTER, Jenkins.READ);
    assertHasPermission(user1, j.jenkins, Jenkins.READ);
    assertHasNoPermission(user1, j.jenkins, Jenkins.ADMINISTER);

    // Folder A is restricted to admin
    assertHasPermission(admin, folderA, Item.CONFIGURE);
    assertHasPermission(user1, folderA, Item.READ, Item.DISCOVER);
    assertHasNoPermission(user1, folderA, Item.CONFIGURE, Item.DELETE, Item.BUILD);

    // But they have access to jobs in Folder A
    assertHasPermission(admin, folderA, Item.CONFIGURE, Item.CANCEL);
    assertHasPermission(user1, jobA1, Item.READ, Item.DISCOVER, Item.CONFIGURE, Item.BUILD, Item.DELETE);
    assertHasPermission(user2, jobA1, Item.READ, Item.DISCOVER, Item.CONFIGURE, Item.BUILD, Item.DELETE);
    assertHasNoPermission(user1, folderA, Item.CANCEL);

    // FolderB is editable by user2, but he cannot delete it
    assertHasPermission(user2, folderB, Item.READ, Item.DISCOVER, Item.CONFIGURE, Item.BUILD);
    assertHasNoPermission(user2, folderB, Item.DELETE);
    assertHasNoPermission(user1, folderB, Item.CONFIGURE, Item.BUILD, Item.DELETE);

    // Only user1 can run on agent1, but he still cannot configure it
    assertHasPermission(admin, agent1, Computer.CONFIGURE, Computer.DELETE, Computer.BUILD);
    assertHasPermission(user1, agent1, Computer.BUILD);
    assertHasNoPermission(user1, agent1, Computer.CONFIGURE, Computer.DISCONNECT);

    // Same user still cannot build on agent2
    assertHasNoPermission(user1, agent2, Computer.BUILD);
}
 

@Test
@ConfiguredWithCode("UnsecuredAuthorizationStrategyConfiguratorTest.yml")
public void unsecured() throws Exception {
    assertSame(AuthorizationStrategy.UNSECURED, j.jenkins.getAuthorizationStrategy());
}
 

/**
 * {@inheritDoc}
 */
@Override
public String getStateJson() {
    StringWriter writer = new StringWriter();
    Jenkins jenkins = Jenkins.getInstance();
    VersionNumber versionNumber = Jenkins.getVersion();
    String version = versionNumber != null ? versionNumber.toString() : Jenkins.VERSION;

    AuthorizationStrategy authorizationStrategy = jenkins.getAuthorizationStrategy();
    boolean allowAnonymousRead = true;
    if(authorizationStrategy instanceof FullControlOnceLoggedInAuthorizationStrategy){
        allowAnonymousRead = ((FullControlOnceLoggedInAuthorizationStrategy) authorizationStrategy).isAllowAnonymousRead();
    }

    String jwtTokenEndpointHostUrl = Jenkins.getInstance().getRootUrl();
    JwtTokenServiceEndpoint jwtTokenServiceEndpoint = JwtTokenServiceEndpoint.first();
    if(jwtTokenServiceEndpoint != null){
        jwtTokenEndpointHostUrl = jwtTokenServiceEndpoint.getHostUrl();
    }
    addFeatures(new JSONBuilder(writer)
        .object()
            .key("version").value(getBlueOceanPluginVersion())
            .key("jenkinsConfig")
            .object()
                .key("analytics").value(Analytics.isAnalyticsEnabled())
                .key("version").value(version)
                .key("security")
                .object()
                    .key("enabled").value(jenkins.isUseSecurity())
                    .key("loginUrl").value(jenkins.getSecurityRealm() == SecurityRealm.NO_AUTHENTICATION ? null : jenkins.getSecurityRealm().getLoginUrl())
                    .key("authorizationStrategy").object()
                        .key("allowAnonymousRead").value(allowAnonymousRead)
                    .endObject()
                    .key("enableJWT").value(BlueOceanConfigProperties.BLUEOCEAN_FEATURE_JWT_AUTHENTICATION)
                    .key("jwtServiceHostUrl").value(jwtTokenEndpointHostUrl)
                .endObject()
            .endObject()
            ) // addFeatures here
        .endObject();

    return writer.toString();
}
 

/**
 * Checks the {@link AuthorizationStrategy} and runs the {@link Consumer} when it is an instance of
 * {@link FolderBasedAuthorizationStrategy}.
 * <p>
 * All attempts to access the {@link FolderBasedAuthorizationStrategy} must go through this method
 * for thread-safety.
 *
 * @param runner a function that consumes the current {@link FolderBasedAuthorizationStrategy} and returns a non
 *               null {@link FolderBasedAuthorizationStrategy} object. The object may be the same as the one
 *               consumed if no modification was needed.
 * @throws IllegalStateException when {@link Jenkins#getAuthorizationStrategy()} is not
 *                               {@link FolderBasedAuthorizationStrategy}
 */
private synchronized static void run(Function<FolderBasedAuthorizationStrategy, FolderBasedAuthorizationStrategy> runner) {
    Jenkins jenkins = Jenkins.get();
    AuthorizationStrategy strategy = jenkins.getAuthorizationStrategy();
    if (strategy instanceof FolderBasedAuthorizationStrategy) {
        FolderBasedAuthorizationStrategy newStrategy = runner.apply((FolderBasedAuthorizationStrategy) strategy);
        jenkins.setAuthorizationStrategy(newStrategy);
    } else {
        throw new IllegalStateException("FolderBasedAuthorizationStrategy is not the" + " current authorization strategy");
    }
}
 

public void configRoundTripUnsecure(Job job) throws Exception {
        final AuthorizationStrategy before = j.getInstance().getAuthorizationStrategy();

        j.jenkins.setAuthorizationStrategy(new AuthorizationStrategy.Unsecured());

//        j.configRoundtrip(job);

        j.getInstance().setAuthorizationStrategy(before);
    }