Merge pull request #19 from ikedam/feature/JENKINS-32769_checkBuiltins
[JENKINS-32769] Raise an error when a built-in user is specified with SpecificUsersAuthorizationStrategy
ikedam committed Mar 19, 2016
2 parents c2aaa51 + 0208235 commit 4bd500f
Showing 4 changed files with 25 additions and 18 deletions.
Expand Up @@ -35,7 +35,7 @@
/**
*
*/
/*package*/ class AuthorizeProjectUtil {
public class AuthorizeProjectUtil {
/**
* Create a new {@link Describable} object from user inputs.
*
Expand Down Expand Up @@ -81,4 +81,9 @@ public static <T extends Describable<?>> T bindJSONWithDescriptor(
);
}
}

public static boolean userIdEquals(String a, String b) {
// TODO use Jenkins.getInstance().getSecurityRealm().getUserIdStrategy().equals() once Jenkins 1.566+
return a.equals(b);
}
}
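Review bot: The new public `userIdEquals` at the end of the hunk has no Javadoc and no stated null contract, although the class is being widened to `public` in the first hunk precisely so other packages can call it; `a.equals(b)` throws NullPointerException when `a` is null and returns false for a null `b`. The visible callers in SpecificUsersAuthorizationStrategy happen to guard their arguments, but since this helper is now the comparison behind the built-in-user rejection, its semantics deserve to be spelled out: `/** Compares two user ids. Currently an exact, case-sensitive {@link String#equals}; neither argument may be {@code null}. */` above the signature, with an `@throws NullPointerException if {@code a} is null` line. The TODO about `getUserIdStrategy().equals()` should also mention that once it is resolved the built-in check in SpecificUsersAuthorizationStrategy will follow the realm's notion of identity (e.g. case-insensitive ids), which is the reason for routing both call sites through this one method. AuthorizeProjectUtil's class body starts outside this hunk, so I cannot see whether it declares a private constructor as a utility class should now that it is public.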
Expand Up @@ -29,34 +29,29 @@
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.ServletException;

import jenkins.model.Jenkins;
import jenkins.security.ApiTokenProperty;
import hudson.Extension;
import hudson.model.Queue;
import hudson.model.User;
import hudson.model.AbstractProject;
import hudson.model.Descriptor;
import hudson.model.Descriptor.FormException;
import hudson.model.Job;
import hudson.security.ACL;
import hudson.security.AbstractPasswordBasedSecurityRealm;
import hudson.util.FormValidation;
import net.sf.json.JSONObject;

import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.apache.commons.lang.StringUtils;
import org.jenkinsci.plugins.authorizeproject.AuthorizeProjectStrategy;
import org.jenkinsci.plugins.authorizeproject.AuthorizeProjectStrategyDescriptor;
import org.jenkinsci.plugins.authorizeproject.AuthorizeProjectProperty;
import org.jenkinsci.plugins.authorizeproject.AuthorizeProjectUtil;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;

/**
* Run builds as a user specified in project configuration pages.
Expand All @@ -65,6 +60,11 @@ public class SpecificUsersAuthorizationStrategy extends AuthorizeProjectStrategy
private static Logger LOGGER = Logger.getLogger(SpecificUsersAuthorizationStrategy.class.getName());
private final String userid;

private final static Authentication[] BUILTIN_USERS = {
ACL.SYSTEM,
Jenkins.ANONYMOUS,
};

/**
* @return id of the user to run builds as.
*/
Expand Down Expand Up @@ -138,8 +138,7 @@ protected static boolean isAuthenticateionRequired(
}

User u = User.current();
// TODO use Jenkins.getInstance().getSecurityRealm().getUserIdStrategy().equals() once Jenkins 1.566+
if (u != null && u.getId() != null && u.getId().equals(newStrategy.getUserid())) {
if (u != null && u.getId() != null && AuthorizeProjectUtil.userIdEquals(u.getId(), newStrategy.getUserid())) {
// Any user can specify oneself.
return false;
}
Expand All @@ -149,11 +148,10 @@ protected static boolean isAuthenticateionRequired(
return true;
}

// TODO use Jenkins.getInstance().getSecurityRealm().getUserIdStrategy().equals() once Jenkins 1.566+
if (
currentStrategy.isNoNeedReauthentication()
&& currentStrategy.getUserid() != null
&& currentStrategy.getUserid().equals(newStrategy.getUserid())
&& AuthorizeProjectUtil.userIdEquals(currentStrategy.getUserid(), newStrategy.getUserid())
) {
// the specified user is not changed,
// and specified that authentication is not required in that case.
Expand Down Expand Up @@ -262,9 +260,10 @@ protected SpecificUsersAuthorizationStrategy newInstanceWithoutAuthentication(
if (StringUtils.isBlank(userid)) {
throw new FormException("userid must be specified", "userid");
}
// TODO use Jenkins.getInstance().getSecurityRealm().getUserIdStrategy().equals(userid, ACL.SYSTEM.getPrincipal().toString())) once Jenkins 1.566+
if (userid.equals(ACL.SYSTEM.getPrincipal())) {
throw new FormException(Messages.SpecificUsersAuthorizationStrategy_userid_notSystem(), "userid");
for (Authentication a: BUILTIN_USERS) {
if (AuthorizeProjectUtil.userIdEquals(userid, a.getPrincipal().toString())) {
throw new FormException(Messages.SpecificUsersAuthorizationStrategy_userid_builtin(), "userid");
}
}

return new SpecificUsersAuthorizationStrategy(
Expand Down Expand Up @@ -406,9 +405,10 @@ public FormValidation doCheckUserid(@QueryParameter String userid) {
if (StringUtils.isBlank(userid)) {
return FormValidation.error(Messages.SpecificUsersAuthorizationStrategy_userid_required());
}
// TODO use Jenkins.getInstance().getSecurityRealm().getUserIdStrategy().equals(userid, ACL.SYSTEM.getPrincipal().toString())) once Jenkins 1.566+
if (userid.equals(ACL.SYSTEM.getPrincipal())) {
return FormValidation.error(Messages.SpecificUsersAuthorizationStrategy_userid_notSystem());
for (Authentication a: BUILTIN_USERS) {
if (AuthorizeProjectUtil.userIdEquals(userid, a.getPrincipal().toString())) {
return FormValidation.error(Messages.SpecificUsersAuthorizationStrategy_userid_builtin());
}
}
return FormValidation.ok();
}
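Review bot: The built-in-user loop is written twice, once in `newInstanceWithoutAuthentication` (hunk at -262,9) and again in `doCheckUserid` (hunk at -406,9); because the first is the enforcement point and the second only the form hint, a future edit to one list or comparison would silently leave the other behind, so the check should live in one private helper that both call. The helper keeps the same `AuthorizeProjectUtil.userIdEquals` comparison against `a.getPrincipal().toString()` so behaviour is unchanged. As a minor style point, the new field at -65,6 is declared `private final static`; the conventional order is `private static final Authentication[] BUILTIN_USERS`. Both enclosing methods start outside their hunks.
```java
/** Returns true if userid names a built-in pseudo-user (SYSTEM, anonymous) that must not run builds. */
private static boolean isBuiltinUserId(String userid) {
    for (Authentication a : BUILTIN_USERS) {
        if (AuthorizeProjectUtil.userIdEquals(userid, a.getPrincipal().toString())) {
            return true;
        }
    }
    return false;
}

// … unchanged: newInstanceWithoutAuthentication up to the blank-userid check …
if (isBuiltinUserId(userid)) {
    throw new FormException(Messages.SpecificUsersAuthorizationStrategy_userid_builtin(), "userid");
}

// … unchanged: doCheckUserid up to the blank-userid check …
if (isBuiltinUserId(userid)) {
    return FormValidation.error(Messages.SpecificUsersAuthorizationStrategy_userid_builtin());
}
return FormValidation.ok();
```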
Expand Up @@ -23,7 +23,7 @@
TriggeringUsersAuthorizationStrategy.DisplayName=Run as User who Triggered Build
SpecificUsersAuthorizationStrategy.DisplayName=Run as Specific User
SpecificUsersAuthorizationStrategy.userid.required=Required
SpecificUsersAuthorizationStrategy.userid.notSystem=You cannot specify SYSTEM as the user with this strategy
SpecificUsersAuthorizationStrategy.userid.builtin=You cannot specify a built-in user with this strategy
SpecificUsersAuthorizationStrategy.userid.authenticate=Failed to authenticate the user specified to run builds with its authorization. Please check User ID and Password is valid.
SpecificUsersAuthorizationStrategy.userid.readResolve=Failed to authenticate the user specified to run builds with its authorization. In REST/CLI interface, you must be an administrator or you can specify yourself.
SpecificUsersAuthorizationStrategy.password.required=Required
Expand Up @@ -26,6 +26,8 @@ TriggeringUsersAuthorizationStrategy.DisplayName=\u30d3\u30eb\u30c9\u3092\u8d77\
SpecificUsersAuthorizationStrategy.DisplayName=\u6307\u5b9a\u3057\u305f\u30e6\u30fc\u30b6\u30fc\u306e\u6a29\u9650\u3067\u5b9f\u884c\u3059\u308b
#SpecificUsersAuthorizationStrategy.userid.required=入力してください
SpecificUsersAuthorizationStrategy.userid.required=\u5165\u529b\u3057\u3066\u304f\u3060\u3055\u3044
#SpecificUsersAuthorizationStrategy.userid.builtin=組み込みユーザーは指定できません
SpecificUsersAuthorizationStrategy.userid.builtin=\u7d44\u307f\u8fbc\u307f\u30e6\u30fc\u30b6\u30fc\u306f\u6307\u5b9a\u3067\u304d\u307e\u305b\u3093
#SpecificUsersAuthorizationStrategy.userid.authenticate=ビルドの実行時権限に指定されたユーザーの認証に失敗しました。ユーザーIDとパスワードが正しいことを確認して下さい。
SpecificUsersAuthorizationStrategy.userid.authenticate=\u30d3\u30eb\u30c9\u306e\u5b9f\u884c\u6642\u6a29\u9650\u306b\u6307\u5b9a\u3055\u308c\u305f\u30e6\u30fc\u30b6\u30fc\u306e\u8a8d\u8a3c\u306b\u5931\u6557\u3057\u307e\u3057\u305f\u3002\u30e6\u30fc\u30b6\u30fcID\u3068\u30d1\u30b9\u30ef\u30fc\u30c9\u304c\u6b63\u3057\u3044\u3053\u3068\u3092\u78ba\u8a8d\u3057\u3066\u4e0b\u3055\u3044\u3002
#SpecificUsersAuthorizationStrategy.userid.readResolve=ビルドの実行時権限に指定されたユーザーの認証に失敗しました。 REST/CLI 利用時は、管理者権限をもつユーザーで設定するか、または自分自身を指定する必要があります。
