REST BuildCompletedJob needs SYSTEM ACL permission
Fix for REST API Build Completed with Locked Down instance

[JENKINS-31199]
Scott Hebert committed Oct 27, 2015
1 parent bd04573 commit 9dd76e6
Showing 4 changed files with 104 additions and 54 deletions.
@@ -36,11 +36,15 @@
import com.sonymobile.tools.gerrit.gerritevents.dto.rest.ReviewLabel;

import hudson.model.TaskListener;
import hudson.security.ACL;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.acegisecurity.context.SecurityContext;
import org.acegisecurity.context.SecurityContextHolder;

/**
* A job for the {@link com.sonymobile.tools.gerrit.gerritevents.GerritSendCommandQueue} that
* sends a build completed message.
@@ -74,41 +78,48 @@ public BuildCompletedRestCommandJob(IGerritHudsonTriggerConfig config, BuildMemo

@Override
protected ReviewInput createReview() {
String message = parameterExpander.getBuildCompletedMessage(memoryImprint, listener);
Collection<ReviewLabel> scoredLabels = new ArrayList<ReviewLabel>();
if (memoryImprint.getEvent().isScorable()) {
if (config.isRestCodeReview()) {
Integer crValue = parameterExpander.getMinimumCodeReviewValue(memoryImprint, true);
if (crValue != null && crValue != Integer.MAX_VALUE) {
scoredLabels.add(new ReviewLabel(
LABEL_CODEREVIEW,
crValue));
SecurityContext old = ACL.impersonate(ACL.SYSTEM);
try {
String message = parameterExpander.getBuildCompletedMessage(memoryImprint, listener);
Collection<ReviewLabel> scoredLabels = new ArrayList<ReviewLabel>();
if (memoryImprint.getEvent().isScorable()) {
if (config.isRestCodeReview()) {
Integer crValue = parameterExpander.getMinimumCodeReviewValue(memoryImprint, true);
if (crValue != null && crValue != Integer.MAX_VALUE) {
scoredLabels.add(new ReviewLabel(
LABEL_CODEREVIEW,
crValue));
}
}
}
if (config.isRestVerified()) {
Integer verValue = parameterExpander.getMinimumVerifiedValue(memoryImprint, true);
if (verValue != null && verValue != Integer.MAX_VALUE) {
scoredLabels.add(new ReviewLabel(
LABEL_VERIFIED,
parameterExpander.getMinimumVerifiedValue(memoryImprint, true)));
if (config.isRestVerified()) {
Integer verValue = parameterExpander.getMinimumVerifiedValue(memoryImprint, true);
if (verValue != null && verValue != Integer.MAX_VALUE) {
scoredLabels.add(new ReviewLabel(
LABEL_VERIFIED,
parameterExpander.getMinimumVerifiedValue(memoryImprint, true)));
}
}
}
}
Notify notificationLevel = parameterExpander.getHighestNotificationLevel(memoryImprint, true);
List<GerritMessageProvider> gerritMessageProviders = GerritMessageProvider.all();
Collection<CommentedFile> commentedFiles = new ArrayList<CommentedFile>();
if (gerritMessageProviders != null) {
for (GerritMessageProvider gerritMessageProvider : gerritMessageProviders) {
for (BuildMemory.MemoryImprint.Entry e : memoryImprint.getEntries()) {
try {
commentedFiles.addAll(gerritMessageProvider.getFileComments(e.getBuild()));
} catch (Exception ef) {
listener.error(ef.getMessage());
Notify notificationLevel = parameterExpander.getHighestNotificationLevel(memoryImprint, true);
List<GerritMessageProvider> gerritMessageProviders = GerritMessageProvider.all();
Collection<CommentedFile> commentedFiles = new ArrayList<CommentedFile>();
if (gerritMessageProviders != null) {
for (GerritMessageProvider gerritMessageProvider : gerritMessageProviders) {
for (BuildMemory.MemoryImprint.Entry e : memoryImprint.getEntries()) {
try {
commentedFiles.addAll(gerritMessageProvider.getFileComments(e.getBuild()));
} catch (Exception ef) {
listener.error(ef.getMessage());

}
}
}
}

return new ReviewInput(message, scoredLabels, commentedFiles).setNotify(notificationLevel);

} finally {
SecurityContextHolder.setContext(old);
}
return new ReviewInput(message, scoredLabels, commentedFiles).setNotify(notificationLevel);
}
}
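Review bot: The `ACL.impersonate(ACL.SYSTEM)` scope in `createReview()` wraps the whole method body, including the loop that calls `gerritMessageProvider.getFileComments(e.getBuild())` on every registered `GerritMessageProvider`. Extension code and the expanded build message are therefore produced with SYSTEM authority, and the result is sent on to Gerrit. Nothing in this section says which call actually needs the elevated context; if it is only the build lookups, the impersonation could be limited to those, and either way the reason should be written down. I would add a comment above the impersonate call such as `// Run as SYSTEM so a locked-down instance does not block the reads below; GerritMessageProvider extensions called here inherit that authority.` The `finally` that restores the previous context with `SecurityContextHolder.setContext(old)` is the right shape and should stay.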
@@ -31,10 +31,7 @@

import hudson.model.FreeStyleBuild;
import hudson.model.FreeStyleProject;
import hudson.model.Hudson;
import hudson.model.Result;
import hudson.security.GlobalMatrixAuthorizationStrategy;
import hudson.security.SecurityRealm;

import org.apache.sshd.SshServer;
import org.junit.After;
@@ -104,19 +101,6 @@ public void tearDown() throws Exception {
sshd = null;
}

/**
* Lock down the instance.
* @throws Exception throw if so.
*/
private void lockDown() throws Exception {
SecurityRealm securityRealm = j.createDummySecurityRealm();
j.getInstance().setSecurityRealm(securityRealm);

GlobalMatrixAuthorizationStrategy authorizationStrategy = new GlobalMatrixAuthorizationStrategy();
authorizationStrategy.add(Hudson.READ, "authenticated");
j.getInstance().setAuthorizationStrategy(authorizationStrategy);
}

/**
* Test that a build can still be triggered if only authenticated
* users can login.
@@ -134,7 +118,7 @@ private void lockDown() throws Exception {
public void testTriggerWithLockedDownInstance() throws Exception {
FreeStyleProject project = DuplicatesUtil.createGerritTriggeredJob(j, projectName);

lockDown();
Setup.lockDown(j);

GerritTrigger trigger = project.getTrigger(GerritTrigger.class);
trigger.setSilentStartMode(false);
@@ -34,11 +34,14 @@
import com.sonyericsson.hudson.plugins.gerrit.trigger.mock.Setup;
import com.sonyericsson.hudson.plugins.gerrit.trigger.mock.TestUtils;
import com.sonymobile.tools.gerrit.gerritevents.dto.events.PatchsetCreated;

import hudson.model.FreeStyleProject;
import hudson.model.RootAction;
import hudson.model.UnprotectedRootAction;
import hudson.util.IOUtils;
import jenkins.model.Jenkins;
import net.sf.json.JSONObject;

import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.jvnet.hudson.test.JenkinsRule;
@@ -68,13 +71,19 @@ public class BuildCompletedRestCommandJobHudsonTest {
public JenkinsRule j = new JenkinsRule();

/**
* The test.
*
* @throws IOException if so
* @throws InterruptedException if so.
* Unlock the instance if secured.
* @throws Exception if it occurs.
*/
@Test
public void testIt() throws IOException, InterruptedException {
@Before
public void unlockInstance() throws Exception {
Setup.unLock(j);
}

/**
* Guts of the test.
* @throws Exception if it occurs.
*/
private void runTest() throws Exception {
j.jenkins.setCrumbIssuer(null);
GerritServer server1 = new GerritServer(PluginImpl.DEFAULT_SERVER_NAME);
PluginImpl.getInstance().addServer(server1);
@@ -122,9 +131,27 @@ public void testIt() throws IOException, InterruptedException {
JSONObject labels = json.getJSONObject("labels");
assertEquals(1, labels.getInt("Code-Review"));
assertEquals(1, labels.getInt("Verified"));

}
/**
* The test with a locked down instance.
*
* @throws Exception if so
*/
@Test
public void testItWithSecurity() throws Exception {
Setup.lockDown(j);
runTest();
}

/**
* The test.
*
* @throws Exception if so
*/
@Test
public void testIt() throws Exception {
runTest();
}
/**
* Finds the registered {@link FakeHttpGerrit}.
*
@@ -138,7 +165,7 @@ private FakeHttpGerrit getGerrit() {
* Acts as a fake REST endpoint to receive the REST commands from the command job.
*/
@TestExtension
public static class FakeHttpGerrit implements RootAction {
public static class FakeHttpGerrit implements UnprotectedRootAction {

String lastPath;
String lastContent;
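Review bot: The switch of `FakeHttpGerrit` from `RootAction` to `UnprotectedRootAction` is unexplained, so a reader cannot tell that it is presumably what keeps the fake endpoint reachable once `Setup.lockDown(j)` has been applied. The class Javadoc should say so, e.g. `Implemented as an UnprotectedRootAction so it stays reachable without credentials when the instance is locked down.` It would also help `testItWithSecurity` to assert, before `runTest()`, that anonymous access is in fact denied, so the test cannot pass on an instance where the lock-down silently had no effect. The class body continues past the end of this section.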
@@ -56,15 +56,19 @@
import hudson.model.AbstractProject;
import hudson.model.Cause;
import hudson.model.CauseAction;
import hudson.model.Hudson;
import hudson.model.Job;
import hudson.model.Result;
import hudson.model.TaskListener;
import hudson.security.GlobalMatrixAuthorizationStrategy;
import hudson.security.SecurityRealm;
import hudson.triggers.Trigger;
import hudson.triggers.TriggerDescriptor;
import net.sf.json.JSONObject;

import org.jenkinsci.plugins.workflow.job.WorkflowJob;
import org.junit.Assert;
import org.jvnet.hudson.test.JenkinsRule;
import org.powermock.api.mockito.PowerMockito;

import java.io.IOException;
@@ -787,4 +791,28 @@ public static RefReplicated createRefReplicatedEvent(String project, String ref,
refReplicated.setStatus(status);
return refReplicated;
}

/**
* Lock down the instance.
* @param j JenkinsRule.
* @throws Exception throw if so.
*/
public static void lockDown(JenkinsRule j) throws Exception {
SecurityRealm securityRealm = j.createDummySecurityRealm();
j.getInstance().setSecurityRealm(securityRealm);

GlobalMatrixAuthorizationStrategy authorizationStrategy = new GlobalMatrixAuthorizationStrategy();
authorizationStrategy.add(Hudson.READ, "authenticated");
j.getInstance().setAuthorizationStrategy(authorizationStrategy);
}

/**
* Unlock the instance.
* @param j JenkinsRule.
* @throws Exception throw if so.
*/
public static void unLock(JenkinsRule j) throws Exception {
j.getInstance().setSecurityRealm(SecurityRealm.NO_AUTHENTICATION);
}

}
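Review bot: `unLock` is not the inverse of `lockDown`: it resets only the security realm to `SecurityRealm.NO_AUTHENTICATION` and leaves the `GlobalMatrixAuthorizationStrategy` installed by `lockDown` in place. I have not checked whether the Jenkins core version in use still consults that strategy once the realm is reset, so a test that calls `lockDown` and then `unLock` on the same instance may not end up open. Resetting both makes the helper match its name: add `j.getInstance().setAuthorizationStrategy(AuthorizationStrategy.UNSECURED);` together with the `hudson.security.AuthorizationStrategy` import. The Javadoc should then state that both the realm and the authorization strategy are reset.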
