[FIXED JENKINS-10593] Merged pull request #622 to core

Reference: jenkinsci/jenkins#622
jenkinsci · Apr 20, 2014 · 6411fff · 6411fff
1 parent d0ce731
commit 6411fff
Show file tree

Hide file tree

Showing 4 changed files with 64 additions and 4 deletions.
diff --git a/src/main/java/hudson/security/AuthorizationMatrixProperty.java b/src/main/java/hudson/security/AuthorizationMatrixProperty.java
@@ -81,6 +81,8 @@ public class AuthorizationMatrixProperty extends JobProperty<Job<?, ?>> {
 
 	private Set<String> sids = new HashSet<String>();
 
+    private boolean blocksInheritance = false;
+
     private AuthorizationMatrixProperty() {
     }
 
@@ -142,6 +144,10 @@ public JobProperty<?> newInstance(StaplerRequest req, JSONObject formData) throw
                 return null;
 
             AuthorizationMatrixProperty amp = new AuthorizationMatrixProperty();
+
+            // Disable inheritance, if so configured
+            amp.setBlocksInheritance(!formData.getJSONObject("blocksInheritance").isNullObject());
+
             for (Map.Entry<String, Object> r : (Set<Map.Entry<String, Object>>) formData.getJSONObject("data").entrySet()) {
                 String sid = r.getKey();
                 if (r.getValue() instanceof JSONObject) {
@@ -198,6 +204,25 @@ public SidACL getACL() {
 		return acl;
 	}
 
+	/**
+	 * Sets the flag to block inheritance
+	 *
+	 * @param blocksInheritance
+	 */
+	private void setBlocksInheritance(boolean blocksInheritance) {
+		this.blocksInheritance = blocksInheritance;
+	}
+
+	/**
+	 * Returns true if the authorization matrix is configured to block
+	 * inheritance from the parent.
+	 *
+	 * @return
+	 */
+	public boolean isBlocksInheritance() {
+		return this.blocksInheritance;
+	}
+
 	/**
 	 * Checks if the given SID has the given permission.
 	 */
@@ -243,7 +268,13 @@ public void marshal(Object source, HierarchicalStreamWriter writer,
 				MarshallingContext context) {
 			AuthorizationMatrixProperty amp = (AuthorizationMatrixProperty) source;
 
-			for (Entry<Permission, Set<String>> e : amp.grantedPermissions
+            if (amp.isBlocksInheritance()) {
+                writer.startNode("blocksInheritance");
+                writer.setValue("true");
+                writer.endNode();
+            }
+
+            for (Entry<Permission, Set<String>> e : amp.grantedPermissions
 					.entrySet()) {
 				String p = e.getKey().getId();
 				for (String sid : e.getValue()) {
@@ -259,12 +290,20 @@ public Object unmarshal(HierarchicalStreamReader reader,
 			AuthorizationMatrixProperty as = new AuthorizationMatrixProperty();
 
 			String prop = reader.peekNextChild();
+
 			if (prop!=null && prop.equals("useProjectSecurity")) {
 				reader.moveDown();
 				reader.getValue(); // we used to use this but not any more.
 				reader.moveUp();
+				prop = reader.peekNextChild();
 			}
-            while (reader.hasMoreChildren()) {
+			else if ("blocksInheritance".equals(prop)) {
+			    reader.moveDown();
+			    as.setBlocksInheritance("true".equals(reader.getValue()));
+			    reader.moveUp();
+			}
+
+			while (reader.hasMoreChildren()) {
                 reader.moveDown();
                 try {
                     as.add(reader.getValue());

diff --git a/src/main/java/hudson/security/ProjectMatrixAuthorizationStrategy.java b/src/main/java/hudson/security/ProjectMatrixAuthorizationStrategy.java
@@ -53,7 +53,13 @@ public class ProjectMatrixAuthorizationStrategy extends GlobalMatrixAuthorizatio
     public ACL getACL(Job<?,?> project) {
         AuthorizationMatrixProperty amp = project.getProperty(AuthorizationMatrixProperty.class);
         if (amp != null) {
-            return amp.getACL().newInheritingACL(getACL(project.getParent()));
+            SidACL projectAcl = amp.getACL();
+
+            if (!amp.isBlocksInheritance()) {
+                projectAcl = projectAcl.newInheritingACL(getACL(project.getParent()));
+            }
+
+            return projectAcl;
         } else {
             return getACL(project.getParent());
         }

diff --git a/src/main/resources/hudson/security/AuthorizationMatrixProperty/config.jelly b/src/main/resources/hudson/security/AuthorizationMatrixProperty/config.jelly
@@ -25,6 +25,12 @@ THE SOFTWARE.
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
   <f:optionalBlock name="useProjectSecurity" title="${%Enable project-based security}" checked="${instance!=null}">
-    <st:include class="hudson.security.GlobalMatrixAuthorizationStrategy" page="config.jelly"/>
+    <f:nested>
+      <table style="width:100%">
+        <f:optionalBlock field="blocksInheritance"
+                         title="${%Block inheritance of global authorization matrix}" />
+        <st:include class="hudson.security.GlobalMatrixAuthorizationStrategy" page="config.jelly"/>
+      </table>
+    </f:nested>
   </f:optionalBlock>
 </j:jelly>
diff --git a/src/main/resources/hudson/security/AuthorizationMatrixProperty/help-blocksInheritance.html b/src/main/resources/hudson/security/AuthorizationMatrixProperty/help-blocksInheritance.html
@@ -0,0 +1,9 @@
+<div>
+  If checked, the global configuration matrix will not be inherited.
+  This allows you to configure a job that has a more strict access control list than the rest of the global permission set.
+  <br />
+  <br />
+  <b>WARNING</b>:  because the parent ACL will not be inherited, it is possible to revoke your own configuration access accidentally.
+  If you enable this setting, please also remember to grant yourself or your group configuration access so that you do not lock yourself out of the job.
+  Otherwise the only ways to get back in will be to disable project-based security in global configuration, or manually edit the permissions list in the project's XML configuration.
+</div>