[JENKINS-32797] Break the catch clause contents of Jenkins.getTarget(… (

#2652) * [JENKINS-32797] Break the catch clause contents of Jenkins.getTarget() out into a separate, publicly accessible function. This will allow plugins (particularly authentication plugins that override the normal authentication process) to determine if authentication is not required for a particular path by calling isPathUnprotected(restOfPath). * Add @SInCE TODO to comment * Change name of function to something that is accurate and clear isPathUnprotected is misleading, and the Javadoc was worse. isSubjectToMandatoryReadPermissionCheck is a much better name, and the return value is reversed to match the name,
jenkinsci · Dec 15, 2016 · 0060335 · 0060335
1 parent bd6a7d6
commit 0060335
Showing 1 changed file with 29 additions and 16 deletions.
diff --git a/core/src/main/java/jenkins/model/Jenkins.java b/core/src/main/java/jenkins/model/Jenkins.java
@@ -4549,29 +4549,42 @@ public Object getTarget() {
         try {
             checkPermission(READ);
         } catch (AccessDeniedException e) {
-            String rest = Stapler.getCurrentRequest().getRestOfPath();
-            for (String name : ALWAYS_READABLE_PATHS) {
-                if (rest.startsWith(name)) {
-                    return this;
-                }
-            }
-            for (String name : getUnprotectedRootActions()) {
-                if (rest.startsWith("/" + name + "/") || rest.equals("/" + name)) {
-                    return this;
-                }
-            }
-
-            // TODO SlaveComputer.doSlaveAgentJnlp; there should be an annotation to request unprotected access
-            if (rest.matches("/computer/[^/]+/slave-agent[.]jnlp")
-                && "true".equals(Stapler.getCurrentRequest().getParameter("encrypt"))) {
+            if (!isSubjectToMandatoryReadPermissionCheck(Stapler.getCurrentRequest().getRestOfPath())) {
                 return this;
             }
 
-
             throw e;
         }
         return this;
     }
+
+    /**
+     * Test a path to see if it is subject to mandatory read permission checks by container-managed security
+     * @param restOfPath the URI, excluding the Jenkins root URI and query string
+     * @return true if the path is subject to mandatory read permission checks
+     * @since TODO
+     */
+    public boolean isSubjectToMandatoryReadPermissionCheck(String restOfPath) {
+        for (String name : ALWAYS_READABLE_PATHS) {
+            if (restOfPath.startsWith(name)) {
+                return false;
+            }
+        }
+
+        for (String name : getUnprotectedRootActions()) {
+            if (restOfPath.startsWith("/" + name + "/") || restOfPath.equals("/" + name)) {
+                return false;
+            }
+        }
+
+        // TODO SlaveComputer.doSlaveAgentJnlp; there should be an annotation to request unprotected access
+        if (restOfPath.matches("/computer/[^/]+/slave-agent[.]jnlp")
+            && "true".equals(Stapler.getCurrentRequest().getParameter("encrypt"))) {
+            return false;
+        }
+
+        return true;
+    }
 
     /**
      * Gets a list of unprotected root actions.