[JENKINS-41004] Do not report credentials with IDs masked by nearer f…
…olders

- Also fix a permission bug where folder credentials were only available to SYSTEM and not available to authentications with USE_ITEM permission
stephenc committed Jan 23, 2017
1 parent 0776cd4 commit 6beb07a
Showing 1 changed file with 88 additions and 16 deletions.
@@ -28,11 +28,14 @@
import com.cloudbees.hudson.plugins.folder.AbstractFolderProperty;
import com.cloudbees.hudson.plugins.folder.AbstractFolderPropertyDescriptor;
import com.cloudbees.plugins.credentials.Credentials;
import com.cloudbees.plugins.credentials.CredentialsMatcher;
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsNameProvider;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.CredentialsScope;
import com.cloudbees.plugins.credentials.CredentialsStore;
import com.cloudbees.plugins.credentials.CredentialsStoreAction;
import com.cloudbees.plugins.credentials.common.IdCredentials;
import com.cloudbees.plugins.credentials.domains.Domain;
import com.cloudbees.plugins.credentials.domains.DomainCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
@@ -52,12 +55,14 @@
import hudson.security.AccessDeniedException2;
import hudson.security.Permission;
import hudson.util.CopyOnWriteMap;
import hudson.util.ListBoxModel;
import java.io.IOException;
import java.io.ObjectStreamException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
@@ -123,25 +128,33 @@ public <C extends Credentials> List<C> getCredentials(@NonNull Class<C> type, @N
authentication = ACL.SYSTEM;
}
List<C> result = new ArrayList<C>();
if (ACL.SYSTEM.equals(authentication)) {
while (itemGroup != null) {
if (itemGroup instanceof AbstractFolder) {
final AbstractFolder<?> folder = AbstractFolder.class.cast(itemGroup);
FolderCredentialsProperty property = folder.getProperties().get(FolderCredentialsProperty.class);
if (property != null) {
result.addAll(DomainCredentials.getCredentials(
property.getDomainCredentialsMap(),
type,
domainRequirements,
CredentialsMatchers.always()));
}
Set<String> ids = new HashSet<String>();
while (itemGroup != null) {
if (itemGroup instanceof AbstractFolder) {
if (!((AbstractFolder) itemGroup).getACL().hasPermission(authentication, USE_ITEM)) {
continue;
}
if (itemGroup instanceof Item) {
itemGroup = Item.class.cast(itemGroup).getParent();
} else {
break;
final AbstractFolder<?> folder = AbstractFolder.class.cast(itemGroup);
FolderCredentialsProperty property = folder.getProperties().get(FolderCredentialsProperty.class);
if (property != null) {
for (C c : DomainCredentials.getCredentials(
property.getDomainCredentialsMap(),
type,
domainRequirements,
CredentialsMatchers.always())) {
if (!(c instanceof IdCredentials) || ids.add(((IdCredentials) c).getId())) {
// if IdCredentials, only add if we havent added already
// if not IdCredentials, always add
result.add(c);
}
}
}
}
if (itemGroup instanceof Item) {
itemGroup = Item.class.cast(itemGroup).getParent();
} else {
break;
}
}
return result;
}
@@ -161,6 +174,65 @@ public <C extends Credentials> List<C> getCredentials(@NonNull Class<C> type, @N
return super.getCredentials(type, item, authentication, domainRequirements);
}

/**
* {@inheritDoc}
*/
@NonNull
@Override
public <C extends IdCredentials> ListBoxModel getCredentialIds(@NonNull Class<C> type,
@Nullable ItemGroup itemGroup,
@Nullable Authentication authentication,
@NonNull List<DomainRequirement> domainRequirements,
@NonNull CredentialsMatcher matcher) {
if (authentication == null) {
authentication = ACL.SYSTEM;
}
ListBoxModel result = new ListBoxModel();
Set<String> ids = new HashSet<String>();
while (itemGroup != null) {
if (itemGroup instanceof AbstractFolder) {
if (!((AbstractFolder) itemGroup).getACL().hasPermission(authentication, USE_ITEM)) {
continue;
}
final AbstractFolder<?> folder = AbstractFolder.class.cast(itemGroup);
FolderCredentialsProperty property = folder.getProperties().get(FolderCredentialsProperty.class);
if (property != null) {
for (C c : DomainCredentials.getCredentials(
property.getDomainCredentialsMap(),
type,
domainRequirements,
matcher)) {
if (ids.add(c.getId())) {
result.add(CredentialsNameProvider.name(c), c.getId());
}
}
}
}
if (itemGroup instanceof Item) {
itemGroup = Item.class.cast(itemGroup).getParent();
} else {
break;
}
}
return result;
}

/**
* {@inheritDoc}
*/
@NonNull
@Override
public <C extends IdCredentials> ListBoxModel getCredentialIds(@NonNull Class<C> type, @NonNull Item item,
@Nullable Authentication authentication,
@NonNull List<DomainRequirement> domainRequirements,
@NonNull CredentialsMatcher matcher) {
if (item instanceof AbstractFolder) {
// credentials defined in the folder should be available in the context of the folder
return getCredentialIds(type, (ItemGroup) item, authentication, domainRequirements, matcher);
}
return getCredentialIds(type, item.getParent(), authentication, domainRequirements, matcher);
}

/**
* {@inheritDoc}
*/
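Review bot: The `continue` taken when `hasPermission(authentication, USE_ITEM)` fails, in both the reworked `getCredentials(type, itemGroup, …)` loop and the new `getCredentialIds(type, itemGroup, …)` loop, skips the `itemGroup = Item.class.cast(itemGroup).getParent()` step at the bottom of the `while`, so the same folder is re-tested forever. Any authentication lacking USE_ITEM on a folder in the chain would spin the calling thread indefinitely, which turns a denied permission check into a denial of service. Make the lookup conditional instead of skipping the iteration, e.g. `if (folder.getACL().hasPermission(authentication, USE_ITEM)) { /* property lookup */ }`, so the parent step always runs. Separately, IDs held by a folder the caller cannot use are never added to `ids`, so a same-ID credential from an ancestor may still be listed even though the nearer folder's entry would mask it for a caller with access; it is worth confirming that this is intended.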