org.jvnet.hudson.test.MockAuthorizationStrategy Java Examples

The following examples show how to use org.jvnet.hudson.test.MockAuthorizationStrategy. Each example names the source file and project it was taken from.
Example #1
Source File: Security1290Test.java    From configuration-as-code-plugin with MIT License
/**
 * Exercises the {@code configuration-as-code/schema} and {@code configuration-as-code/reference}
 * pages with two sessions: one holding {@code Jenkins.ADMINISTER} and one holding only
 * {@code Jenkins.READ}.
 *
 * <p>The per-page expectations are in {@code assertRightPermissionConfigurations}, which is not
 * part of this excerpt; presumably it requires success for the administrator and a denial for
 * the read-only user (confirm against the helper).
 *
 * @throws Exception if the Jenkins test instance or a web client call fails
 */
@Test
public void configurationAsCodePagesPermissions() throws Exception {
    final String ADMIN = "admin";
    final String USER = "user";

    // CSRF crumbs are switched off on this throwaway test instance only, presumably so that
    // the helper's requests are judged on permissions alone. Not a setting to copy elsewhere.
    j.jenkins.setCrumbIssuer(null);
    j.jenkins.setSecurityRealm(j.createDummySecurityRealm());

    // Two identities: a full administrator and a user who may only read.
    MockAuthorizationStrategy strategy = new MockAuthorizationStrategy();
    strategy.grant(Jenkins.ADMINISTER).everywhere().to(ADMIN);
    strategy.grant(Jenkins.READ).everywhere().to(USER);
    j.jenkins.setAuthorizationStrategy(strategy);

    JenkinsRule.WebClient adminClient = j.createWebClient();
    adminClient.login(ADMIN);

    // The read-only client must not throw on 4xx/5xx, so the status can be asserted instead.
    JenkinsRule.WebClient readOnlyClient = j.createWebClient()
            .withThrowExceptionOnFailingStatusCode(false);
    readOnlyClient.login(USER);

    assertRightPermissionConfigurations("configuration-as-code/schema", adminClient, readOnlyClient);
    assertRightPermissionConfigurations("configuration-as-code/reference", adminClient, readOnlyClient);
}
 
Example #2
Source File: KubernetesPipelineTest.java    From kubernetes-plugin with Apache License 2.0
/**
 * Verifies that the configure page of a Kubernetes agent is refused with HTTP 403 even for a
 * user who holds {@code Jenkins.ADMINISTER}, and that the agent's index page offers no
 * element with the text {@code configure}.
 *
 * <p>Relies on the fields {@code r} and {@code b} and on a build that reaches the
 * {@code pod/1} semaphore; how that build is started is outside this excerpt.
 *
 * @throws Exception if the Jenkins test instance or a web client call fails
 */
@Test
public void computerCantBeConfigured() throws Exception {
    r.jenkins.setSecurityRealm(r.createDummySecurityRealm());
    MockAuthorizationStrategy strategy = new MockAuthorizationStrategy();
    strategy.grant(Jenkins.ADMINISTER).everywhere().to("admin");
    r.jenkins.setAuthorizationStrategy(strategy);

    // Wait until the build is parked on the semaphore, so the pod agent exists.
    SemaphoreStep.waitForStart("pod/1", b);
    Optional<KubernetesSlave> kubernetesAgent = r.jenkins.getNodes().stream()
            .filter(KubernetesSlave.class::isInstance)
            .map(KubernetesSlave.class::cast)
            .findAny();
    assertTrue(kubernetesAgent.isPresent());
    KubernetesSlave node = kubernetesAgent.get();

    JenkinsRule.WebClient adminClient = r.createWebClient().login("admin");
    adminClient.getOptions().setPrintContentOnFailingStatusCode(false);

    // The denial is checked twice: no link in the UI, and a 403 on the URL itself. The second
    // check is the one that matters, since a hidden link alone is not access control.
    HtmlPage agentIndexPage = adminClient.getPage(node);
    assertNotXPath(agentIndexPage, "//*[text() = 'configure']");
    adminClient.assertFails(node.toComputer().getUrl()+"configure", 403);

    // Release the parked build so the test can finish.
    SemaphoreStep.success("pod/1", null);
}
 
Example #3
Source File: GithubOrgFolderPermissionsTest.java    From blueocean-plugin with MIT License
/**
 * Grants {@code Jenkins.ADMINISTER} everywhere to the {@code user} field and then calls
 * {@code createGithubPipeline(true)}.
 *
 * <p>{@code createGithubPipeline} is not part of this excerpt; the flag presumably states
 * whether creation is expected to succeed (confirm against the helper).
 *
 * @throws Exception if installing the strategy, issuing the token or the helper fails
 */
@Test
public void canCreateWhenHavePermissionsOnDefaultOrg() throws Exception {
    j.jenkins.setAuthorizationStrategy(
            new MockAuthorizationStrategy().grant(Jenkins.ADMINISTER).everywhere().to(user));
    // A fresh JWT is issued after the strategy swap; the original author notes that the test
    // breaks without it.
    // NOTE(review): the token is requested for the literal "vivek" while the grant goes to
    // the `user` field. Presumably they are the same account; confirm.
    jwtToken = getJwtToken(j.jenkins, "vivek", "vivek");
    createGithubPipeline(true);
}
 
Example #4
Source File: GithubOrgFolderPermissionsTest.java    From blueocean-plugin with MIT License
/**
 * Grants only {@code Item.READ} and {@code Jenkins.READ} everywhere to the {@code user} field
 * and then calls {@code createGithubPipeline(false)}.
 *
 * <p>This is the negative case: read access alone, with no create or configure permission.
 * {@code createGithubPipeline} is not part of this excerpt; the flag presumably states
 * whether creation is expected to succeed (confirm against the helper).
 *
 * @throws Exception if installing the strategy, issuing the token or the helper fails
 */
@Test
public void canNotCreateWhenHaveNoPermissionOnDefaultOrg() throws Exception {
    j.jenkins.setAuthorizationStrategy(
            new MockAuthorizationStrategy().grant(Item.READ, Jenkins.READ).everywhere().to(user));
    // A fresh JWT is issued after the strategy swap; the original author notes that the test
    // breaks without it.
    // NOTE(review): the token is requested for the literal "vivek" while the grant goes to
    // the `user` field. Presumably they are the same account; confirm.
    jwtToken = getJwtToken(j.jenkins, "vivek", "vivek");
    createGithubPipeline(false);
}
 
Example #5
Source File: GithubOrgFolderPermissionsTest.java    From blueocean-plugin with MIT License
/**
 * Grants the {@code user} field read access everywhere plus {@code Item.CREATE} and
 * {@code Item.CONFIGURE} scoped to the folder returned by {@code getOrgRoot()}, then calls
 * {@code createGithubPipeline(true)}.
 *
 * <p>The write permissions are limited to one folder rather than granted globally, so the test
 * covers a folder-scoped grant. {@code createGithubPipeline} and {@code getOrgRoot} are not
 * part of this excerpt.
 *
 * @throws Exception if installing the strategy, issuing the token or the helper fails
 */
@Test
public void canCreateWhenHavePermissionsOnCustomOrg() throws Exception {
    j.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy()
            // Read access across the whole instance.
            .grant(Item.READ,Jenkins.READ).everywhere().to(user)
            // Create and configure only inside the organization's root folder.
            .grant(Item.CREATE, Item.CONFIGURE).onFolders(getOrgRoot()).to(user));
    // A fresh JWT is issued for this user after the strategy swap; the original author notes
    // that the test breaks without it.
    jwtToken = getJwtToken(j.jenkins, user.getId(), user.getId());
    createGithubPipeline(true);
}
 
Example #6
Source File: GithubOrgFolderPermissionsTest.java    From blueocean-plugin with MIT License
/**
 * Grants only {@code Item.READ} and {@code Jenkins.READ} everywhere to the {@code user} field
 * and then calls {@code createGithubPipeline(false)}.
 *
 * <p>Nothing in this method selects a custom organization; that setup presumably happens
 * elsewhere in the test class (confirm). {@code createGithubPipeline} is not part of this
 * excerpt; the flag presumably states whether creation is expected to succeed.
 *
 * @throws Exception if installing the strategy, issuing the token or the helper fails
 */
@Test
public void canNotCreateWhenHaveNoPermissionOnCustomOrg() throws Exception {
    j.jenkins.setAuthorizationStrategy(
            new MockAuthorizationStrategy().grant(Item.READ, Jenkins.READ).everywhere().to(user));
    // A fresh JWT is issued after the strategy swap; the original author notes that the test
    // breaks without it.
    // NOTE(review): the token is requested for the literal "vivek" while the grant goes to
    // the `user` field. Presumably they are the same account; confirm.
    jwtToken = getJwtToken(j.jenkins, "vivek", "vivek");
    createGithubPipeline(false);
}
 
Example #7
Source File: RegistryEndpointStepTest.java    From docker-workflow-plugin with MIT License
/**
 * Checks that {@code withDockerRegistry} resolves a credential with the permissions of the
 * identity the build runs as, not with those of the system.
 *
 * <p>Two identical pipeline jobs are created. A {@code MockQueueItemAuthenticator} runs the
 * first as {@code alice}, who holds {@code Item.CONFIGURE}, and the second as {@code bob}, who
 * does not. Alice's build must succeed and log the login command; Bob's build must end in
 * {@code Result.FAILURE}.
 *
 * @throws Exception if the Jenkins test instance, job setup or a build fails unexpectedly
 */
@Test
public void stepExecutionWithCredentialsAndQueueItemAuthenticator() throws Exception {
    assumeNotWindows();

    r.getInstance().setSecurityRealm(r.createDummySecurityRealm());
    MockAuthorizationStrategy strategy = new MockAuthorizationStrategy();
    strategy.grant(Jenkins.READ).everywhere().to("alice", "bob");
    strategy.grant(Computer.BUILD).everywhere().to("alice", "bob");
    // Item.CONFIGURE implies Credentials.USE_ITEM, the permission that
    // CredentialsProvider.findCredentialById consults when deciding whether item-scope
    // credentials take part in the search. Only alice receives it.
    strategy.grant(Item.CONFIGURE).everywhere().to("alice");
    r.getInstance().setAuthorizationStrategy(strategy);

    // Throwaway fixture credential, stored in the first credentials store of the instance.
    IdCredentials registryLogin = new UsernamePasswordCredentialsImpl(CredentialsScope.GLOBAL, "registryCreds", null, "me", "pass");
    CredentialsProvider.lookupStores(r.jenkins).iterator().next().addCredentials(Domain.global(), registryLogin);

    String script = "node {\n" +
            "  mockDockerLoginWithEcho {\n" +
            "    withDockerRegistry(url: 'https://my-reg:1234', credentialsId: 'registryCreds') {\n" +
            "    }\n" +
            "  }\n" +
            "}";
    // Same script in both jobs (sandboxed), so the only difference is who the build runs as.
    WorkflowJob aliceJob = r.createProject(WorkflowJob.class, "prj1");
    aliceJob.setDefinition(new CpsFlowDefinition(script, true));
    WorkflowJob bobJob = r.createProject(WorkflowJob.class, "prj2");
    bobJob.setDefinition(new CpsFlowDefinition(script, true));

    // Map each job to the identity its queue item should be authenticated as.
    Map<String, Authentication> runAsByJob = new HashMap<>();
    runAsByJob.put(aliceJob.getFullName(), User.getById("alice", true).impersonate());
    runAsByJob.put(bobJob.getFullName(), User.getById("bob", true).impersonate());
    QueueItemAuthenticatorConfiguration.get().getAuthenticators().replace(new MockQueueItemAuthenticator(runAsByJob));

    // Alice holds Credentials.USE_ITEM, so the credential resolves and the login line appears.
    // NOTE(review): the asserted line carries the password as a command-line argument. That is
    // tolerable here only because the credential is a fixture and mockDockerLoginWithEcho
    // presumably echoes the command instead of running docker; confirm against the mock.
    WorkflowRun aliceRun = r.buildAndAssertSuccess(aliceJob);
    r.assertLogContains("docker login -u me -p pass https://my-reg:1234", aliceRun);

    // Bob lacks Credentials.USE_ITEM; the credential must not resolve and the build must fail.
    r.assertBuildStatus(Result.FAILURE, bobJob.scheduleBuild2(0));
}
 
Example #8
Source File: EndpointTest.java    From github-branch-source-plugin with MIT License
/**
 * Prepares the security configuration shared by the tests of this class and computes
 * {@code testUrl}.
 *
 * <p>{@code alice} is the only administrator. {@code Jenkins.READ} goes to everyone through
 * {@code toEveryone()}, which covers anonymous requests as well as authenticated ones, so the
 * tests can tell "may read" apart from "may administer".
 *
 * @throws Exception if the Jenkins test instance cannot be configured or its URL read
 */
@Before
public void setUp() throws Exception {
    j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
    j.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy()
            .grant(Jenkins.ADMINISTER).everywhere().to("alice")
            .grant(Jenkins.READ).everywhere().toEveryone());
    // The instance URL plus "testroot/", encoded as a whole by Util.rawEncode.
    testUrl = Util.rawEncode(j.getURL().toString() + "testroot/");
}
 
Example #9
Source File: ServerEndpointStepTest.java    From docker-workflow-plugin with MIT License
/**
 * Checks that {@code withDockerServer} resolves its server credential with the permissions of
 * the identity the build runs as.
 *
 * <p>Two identical pipeline jobs are created. A {@code MockQueueItemAuthenticator} runs the
 * first as {@code alice}, who holds {@code Item.CONFIGURE}, and the second as {@code bob}, who
 * does not. Both builds are expected to succeed; they differ in whether
 * {@code DOCKER_TLS_VERIFY} and {@code DOCKER_CERT_PATH} are populated.
 *
 * @throws Exception if the Jenkins test instance, job setup or a build fails unexpectedly
 */
@Test
public void stepExecutionWithCredentialsAndQueueItemAuthenticator() throws Exception {
    assumeNotWindows();
    // The lambda parameter is unused; the body reaches the rule through story.j throughout.
    story.then(r -> {
        story.j.getInstance().setSecurityRealm(story.j.createDummySecurityRealm());
        MockAuthorizationStrategy strategy = new MockAuthorizationStrategy();
        strategy.grant(Jenkins.READ).everywhere().to("alice", "bob");
        strategy.grant(Computer.BUILD).everywhere().to("alice", "bob");
        // Item.CONFIGURE implies Credentials.USE_ITEM, the permission that
        // CredentialsProvider.findCredentialById consults when deciding whether item-scope
        // credentials take part in the search. Only alice receives it.
        strategy.grant(Item.CONFIGURE).everywhere().to("alice");
        story.j.getInstance().setAuthorizationStrategy(strategy);

        // Throwaway fixture credential; the key and certificate values are placeholders.
        IdCredentials dockerServerLogin = new DockerServerCredentials(CredentialsScope.GLOBAL, "serverCreds", null, "clientKey", "clientCertificate", "serverCaCertificate");
        CredentialsProvider.lookupStores(story.j.jenkins).iterator().next().addCredentials(Domain.global(), dockerServerLogin);

        String script = "node {\n" +
                "  withDockerServer(server: [uri: 'tcp://host:1234', credentialsId: 'serverCreds']) {\n" +
                "    sh 'echo would be connecting to $DOCKER_HOST'\n" +
                "    sh 'echo DOCKER_TLS_VERIFY=$DOCKER_TLS_VERIFY'\n" +
                "    sh 'echo DOCKER_CERT_PATH=$DOCKER_CERT_PATH is not empty'\n" +
                "  }\n" +
                "}";
        // Same script in both jobs (sandboxed), so the only difference is who the build runs as.
        WorkflowJob aliceJob = story.j.jenkins.createProject(WorkflowJob.class, "prj1");
        aliceJob.setDefinition(new CpsFlowDefinition(script, true));
        WorkflowJob bobJob = story.j.jenkins.createProject(WorkflowJob.class, "prj2");
        bobJob.setDefinition(new CpsFlowDefinition(script, true));

        // Map each job to the identity its queue item should be authenticated as.
        Map<String, Authentication> runAsByJob = new HashMap<>();
        runAsByJob.put(aliceJob.getFullName(), User.getById("alice", true).impersonate());
        runAsByJob.put(bobJob.getFullName(), User.getById("bob", true).impersonate());
        QueueItemAuthenticatorConfiguration.get().getAuthenticators().replace(new MockQueueItemAuthenticator(runAsByJob));

        // Alice holds Credentials.USE_ITEM: TLS verification is on and the certificate path
        // is set, so the "= is not empty" line with an empty value must not appear.
        WorkflowRun aliceRun = story.j.buildAndAssertSuccess(aliceJob);
        story.j.assertLogContains("would be connecting to tcp://host:1234", aliceRun);
        story.j.assertLogContains("DOCKER_TLS_VERIFY=1", aliceRun);
        story.j.assertLogNotContains("DOCKER_CERT_PATH= is not empty", aliceRun);

        // Bob lacks Credentials.USE_ITEM, so the credential is not applied to his build.
        // NOTE(review): the expected result is a successful build with empty DOCKER_TLS_VERIFY
        // and DOCKER_CERT_PATH, not a failure. The body still runs against the same
        // DOCKER_HOST without TLS settings, so a pipeline that depends on the client
        // certificate should check that it was applied instead of assuming it.
        WorkflowRun bobRun = story.j.buildAndAssertSuccess(bobJob);
        story.j.assertLogContains("would be connecting to tcp://host:1234", bobRun);
        story.j.assertLogContains("DOCKER_TLS_VERIFY=\n", bobRun);
        story.j.assertLogContains("DOCKER_CERT_PATH= is not empty", bobRun);
    });
}