[JENKINS-36240] Initial stab at rework
stephenc committed Jul 14, 2017
1 parent 388545b commit c10b23b
Showing 7 changed files with 139 additions and 1 deletion.
Expand Up @@ -26,6 +26,7 @@
import edu.umd.cs.findbugs.annotations.NonNull;
import hudson.Extension;
import hudson.util.ListBoxModel;
import java.io.IOException;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;
Expand All @@ -45,6 +46,7 @@
import jenkins.scm.impl.trait.Discovery;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;
import org.kohsuke.github.GHPermissionType;
import org.kohsuke.stapler.DataBoundConstructor;

/**
Expand Down Expand Up @@ -315,6 +317,98 @@ public boolean isApplicableToOrigin(@NonNull Class<? extends SCMHeadOrigin> orig
}
}

/**
* An {@link SCMHeadAuthority} that trusts contributors to the repository.
*/
public static class TrustPermission
extends SCMHeadAuthority<GitHubSCMSourceRequest, PullRequestSCMHead, PullRequestSCMRevision> {
@NonNull
private final GHPermissionType permission;

/**
* Constructor.
*/
@DataBoundConstructor
public TrustPermission(@NonNull String permission) {
GHPermissionType permissionType = GHPermissionType.ADMIN;
for (GHPermissionType p: GHPermissionType.values()) {
if (p.name().equalsIgnoreCase(permission)) {
permissionType = p;
}
}
this.permission = permissionType;
}

public TrustPermission(@NonNull GHPermissionType permission) {
this.permission = permission;
}

@NonNull
public GHPermissionType getPermissionType() {
return permission;
}

@NonNull
public String getPermission() {
return permission.name();
}

/**
* {@inheritDoc}
*/
@Override
protected boolean checkTrusted(@NonNull GitHubSCMSourceRequest request, @NonNull PullRequestSCMHead head) {
if (!head.getOrigin().equals(SCMHeadOrigin.DEFAULT)) {
try {
// TODO get the repository from getTrusted which currently doesn't provide it to the request.
GHPermissionType permission = request.getRepository().getPermission(head.getSourceOwner());
return permission.ordinal() <= this.permission.ordinal();
} catch (IOException e) {
// ignore
}
}
return false;
}

/**
* Our descriptor.
*/
@Extension
public static class DescriptorImpl extends SCMHeadAuthorityDescriptor {

/**
* {@inheritDoc}
*/
@Override
public String getDisplayName() {
return Messages.ForkPullRequestDiscoveryTrait_permissionsDisplayName();
}

/**
* {@inheritDoc}
*/
@Override
public boolean isApplicableToOrigin(@NonNull Class<? extends SCMHeadOrigin> originClass) {
return SCMHeadOrigin.Fork.class.isAssignableFrom(originClass);
}

/**
* Populates the permissions.
* @return the list of permissions.
*/
@Restricted(NoExternalUse.class)
@SuppressWarnings("unused")
public ListBoxModel doFillPermissionItems() {
ListBoxModel result = new ListBoxModel();
for (GHPermissionType p: GHPermissionType.values()) {
result.add(p.name());
}
return result;
}

}
}

/**
* An {@link SCMHeadAuthority} that trusts everyone.
*/
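Review bot: The trust decision in `checkTrusted` is `permission.ordinal() <= this.permission.ordinal()`, which ties who counts as trusted to the declaration order of `GHPermissionType` in the github-api library; if that enum is ever reordered or gains a constant, the comparison changes meaning without any compile error. An explicit ranking that maps unrecognised constants to the lowest level (sketched below) keeps the check fail-closed. `doFillPermissionItems` offers every enum value, so `NONE` is selectable and would presumably mark every fork pull request as trusted, the same effect as the "Everyone" strategy that the help text calls dangerous; skipping it with `if (p != GHPermissionType.NONE) result.add(p.name());` avoids that. The `// ignore` catch correctly leaves the head untrusted, but `request.getRepository()` is backed by a `@CheckForNull` field and is dereferenced without a null check, and the swallowed `IOException` leaves no trace of why a pull request was not trusted.

```java
// Explicit ranking, independent of the declaration order of GHPermissionType.
private static int rank(GHPermissionType p) {
    switch (p) {
        case ADMIN: return 3;
        case WRITE: return 2;
        case READ:  return 1;
        default:    return 0; // NONE, and any constant added later, confers no privilege
    }
}

// … unchanged: checkTrusted signature, origin check and try { …
if (request.getRepository() == null) {
    return false; // repository was never set on the request: stay untrusted
}
GHPermissionType actual = request.getRepository().getPermission(head.getSourceOwner());
return rank(actual) >= rank(this.permission);
// … unchanged: catch (IOException e) and the final return false …
```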
Expand Up @@ -842,6 +842,7 @@ protected final void retrieve(@CheckForNull SCMSourceCriteria criteria,
.newRequest(this, listener)) {
// populate the request with its data sources
request.setGitHub(github);
request.setRepository(ghRepository);
if (request.isFetchPRs()) {
request.setPullRequests(new LazyPullRequests(request, ghRepository));
}
Expand Up @@ -43,6 +43,7 @@
import jenkins.scm.api.trait.SCMSourceRequest;
import org.kohsuke.github.GHBranch;
import org.kohsuke.github.GHPullRequest;
import org.kohsuke.github.GHRepository;
import org.kohsuke.github.GitHub;

/**
Expand Down Expand Up @@ -113,6 +114,11 @@ public class GitHubSCMSourceRequest extends SCMSourceRequest {
*/
@CheckForNull
private GitHub gitHub;
/**
* The repository.
*/
@CheckForNull
private GHRepository repository;

/**
* Constructor.
Expand Down Expand Up @@ -377,6 +383,24 @@ public void setGitHub(@CheckForNull GitHub gitHub) {
this.gitHub = gitHub;
}

/**
* Returns the {@link GHRepository}.
*
* @return the {@link GHRepository}.
*/
public GHRepository getRepository() {
return repository;
}

/**
* Sets the {@link GHRepository}.
*
* @param repository the {@link GHRepository}.
*/
public void setRepository(GHRepository repository) {
this.repository = repository;
}

/**
* {@inheritDoc}
*/
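Review bot: `getRepository()` returns the `@CheckForNull` field `repository` but is itself unannotated, and `setRepository(GHRepository repository)` takes an unannotated parameter, while the neighbouring `setGitHub(@CheckForNull GitHub gitHub)` carries the annotation. Adding `@CheckForNull` to the getter and to the setter parameter would let static analysis flag callers that dereference the result unchecked, which matters because the new trust check in this commit does exactly that. The getter's Javadoc could read `@return the {@link GHRepository} or {@code null} if it has not been set on this request.`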
@@ -0,0 +1,6 @@
<?jelly escape-by-default='true'?>
<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form">
<f:entry title="${%Minimum permissions}" field="permission">
<f:select default="WRITE"/>
</f:entry>
</j:jelly>
@@ -0,0 +1,4 @@
<div>
The minimum effective permissions the owner of the pull request must have in order for the pull request to be trusted.
Typically you will want either <code>ADMIN</code> or <code>WRITE</code>.
</div>
Expand Up @@ -21,7 +21,7 @@
<dd>
Pull requests from <a href="https://developer.github.com/v3/repos/collaborators/">collaborators</a>
to the origin repository will be treated as trusted, all other pull requests from fork repositories
will be treated as untrusted..
will be treated as untrusted.
Note that if credentials used by Jenkins for scanning the repository does not have permission to
query the list of contributors to the origin repository then only the origin account will be treated
as trusted - i.e. this will fall back to <code>Nobody</code>.
Expand All @@ -31,5 +31,13 @@
All pull requests from forks will be treated as trusted. <strong>NOTE:</strong> this option can be dangerous
if used on a public repository hosted on GitHub.
</dd>
<dt>Permissions</dt>
<dd>
Pull requests forks will be treated as trusted if the fork owner has the specified minimum permissions
against the origin repository.
Note that this strategy requires the
<a href="https://developer.github.com/v3/repos/collaborators/#review-a-users-permission-level">Review
a user's permission level</a> API.
</dd>
</dl>
</div>
@@ -1,6 +1,7 @@
BranchSCMHead.Pronoun=Branch

ForkPullRequestDiscoveryTrait.contributorsDisplayName=Contributors
ForkPullRequestDiscoveryTrait.permissionsDisplayName=Permissions
ForkPullRequestDiscoveryTrait.displayName=Discover pull requests from forks
ForkPullRequestDiscoveryTrait.everyoneDisplayName=Everyone
ForkPullRequestDiscoveryTrait.headAndMerge=Both the current pull request revision and the pull request merged with \
