Merge pull request #5 from ikedam/feature/JENKINS-22469_RestCliBypass…

…esAuthentication [JENKINS-22469] REST/CLI bypasses authentication
jenkinsci · Apr 5, 2014 · 2374674 · 2374674
2 parents ef1e5a4 + ac6f88b
commit 2374674
Show file tree

Hide file tree

Showing 11 changed files with 544 additions and 1 deletion.
diff --git a/...a/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy.java b/...a/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy.java
@@ -36,9 +36,10 @@
 import hudson.model.Queue;
 import hudson.model.User;
 import hudson.model.AbstractProject;
+import hudson.model.Descriptor;
 import hudson.model.Descriptor.FormException;
+import hudson.security.ACL;
 import hudson.util.FormValidation;
-
 import net.sf.json.JSONObject;
 
 import org.acegisecurity.Authentication;
@@ -180,6 +181,29 @@ protected static SpecificUsersAuthorizationStrategy getCurrentStrategy(AbstractP
         return (SpecificUsersAuthorizationStrategy)prop.getStrategy();
     }
 
+    /**
+     * Called when XSTREAM2 instantiates this from XML configuration.
+     * 
+     * When configured via REST/CLI, {@link Descriptor#newInstance(StaplerRequest, JSONObject)} is not called.
+     * Instead checks authentication here.
+     * 
+     * @return return myself.
+     * @throws IOException authentication failed.
+     */
+    private Object readResolve() throws IOException {
+        if (!ACL.SYSTEM.equals(Jenkins.getAuthentication())) {
+            // This is called via REST/CLI.
+
+            // There's no way to retrieve current strategy.
+            if (isAuthenticateionRequired(this, null)) {
+                // As REST/CLI interface saves configuration after successfully load object from the XML,
+                // this prevents the new configuration saved.
+                throw new IOException(Messages.SpecificUsersAuthorizationStrategy_userid_readResolve());
+            }
+        }
+        return this;
+    }
+
     /**
      *
      */

diff --git a/src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/Messages.properties b/src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/Messages.properties
@@ -24,6 +24,7 @@ TriggeringUsersAuthorizationStrategy.DisplayName=Run as User who Triggered Build
 SpecificUsersAuthorizationStrategy.DisplayName=Run as Specific User
 SpecificUsersAuthorizationStrategy.userid.required=Required
 SpecificUsersAuthorizationStrategy.userid.authenticate=Failed to authenticate the user specified to run builds with its authorization. Please check User ID and Password is valid.
+SpecificUsersAuthorizationStrategy.userid.readResolve=Failed to authenticate the user specified to run builds with its authorization. In REST/CLI interface, you must be an administrator or you can specify yourself.
 SpecificUsersAuthorizationStrategy.password.required=Required
 SpecificUsersAuthorizationStrategy.password.invalid=Failed to authenticate
 SpecificUsersAuthorizationStrategy.noNeedReauthentication.usage=This feature can cause a security problem. Please check CONFIGURE privilege of this project is granted only to proper users.

diff --git a/src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/Messages_ja.properties b/src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/Messages_ja.properties
@@ -28,6 +28,8 @@ SpecificUsersAuthorizationStrategy.DisplayName=\u6307\u5b9a\u3057\u305f\u30e6\u3
 SpecificUsersAuthorizationStrategy.userid.required=\u5165\u529b\u3057\u3066\u304f\u3060\u3055\u3044
 #SpecificUsersAuthorizationStrategy.userid.authenticate=ビルドの実行時権限に指定されたユーザーの認証に失敗しました。ユーザーIDとパスワードが正しいことを確認して下さい。
 SpecificUsersAuthorizationStrategy.userid.authenticate=\u30d3\u30eb\u30c9\u306e\u5b9f\u884c\u6642\u6a29\u9650\u306b\u6307\u5b9a\u3055\u308c\u305f\u30e6\u30fc\u30b6\u30fc\u306e\u8a8d\u8a3c\u306b\u5931\u6557\u3057\u307e\u3057\u305f\u3002\u30e6\u30fc\u30b6\u30fcID\u3068\u30d1\u30b9\u30ef\u30fc\u30c9\u304c\u6b63\u3057\u3044\u3053\u3068\u3092\u78ba\u8a8d\u3057\u3066\u4e0b\u3055\u3044\u3002
+#SpecificUsersAuthorizationStrategy.userid.readResolve=ビルドの実行時権限に指定されたユーザーの認証に失敗しました。 REST/CLI 利用時は、管理者権限をもつユーザーで設定するか、または自分自身を指定する必要があります。
+SpecificUsersAuthorizationStrategy.userid.readResolve=\u30d3\u30eb\u30c9\u306e\u5b9f\u884c\u6642\u6a29\u9650\u306b\u6307\u5b9a\u3055\u308c\u305f\u30e6\u30fc\u30b6\u30fc\u306e\u8a8d\u8a3c\u306b\u5931\u6557\u3057\u307e\u3057\u305f\u3002 REST/CLI \u5229\u7528\u6642\u306f\u3001\u7ba1\u7406\u8005\u6a29\u9650\u3092\u3082\u3064\u30e6\u30fc\u30b6\u30fc\u3067\u8a2d\u5b9a\u3059\u308b\u304b\u3001\u307e\u305f\u306f\u81ea\u5206\u81ea\u8eab\u3092\u6307\u5b9a\u3059\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002
 #SpecificUsersAuthorizationStrategy.password.required=入力してください
 SpecificUsersAuthorizationStrategy.password.required=\u5165\u529b\u3057\u3066\u304f\u3060\u3055\u3044
 #SpecificUsersAuthorizationStrategy.password.invalid=認証に失敗しました

diff --git a/...orizeproject/strategy/SpecificUsersAuthorizationStrategy/help-noNeedReauthentication.html b/...orizeproject/strategy/SpecificUsersAuthorizationStrategy/help-noNeedReauthentication.html
@@ -2,4 +2,6 @@
 Do not require authentication in the <strong>next</strong> configuration if the User ID is not changed.
 Use this feature carefully, for a malicious user can run unintended commands without authentication by changing configuration of the project.
 You should also watch CONFIGURE privilege for this project is granted only to proper users.
+
+This does not work when configuring via REST/CLI.
 </div>
diff --git a/...zeproject/strategy/SpecificUsersAuthorizationStrategy/help-noNeedReauthentication_ja.html b/...zeproject/strategy/SpecificUsersAuthorizationStrategy/help-noNeedReauthentication_ja.html
@@ -2,4 +2,6 @@
 <strong>次回の</strong>設定更新時に、ユーザーIDの指定に変更がなければ認証を要求しません。
 悪意あるユーザーがプロジェクトの設定を変えることで、認証なしに任意のコマンドを実行できてしまうため、この設定の利用には注意が必要です。
 プロジェクトの設定権限が適切なユーザーにだけ付与されていることを確認してから使用するようにしてください。
+
+REST/CLI 利用時にはこの設定は無視されます。
 </div>