[FIXED JENKINS-42470] Use CrumbExclusion and Jenkins.READ perms

jenkinsci · Mar 3, 2017 · 3671e8d · 3671e8d
1 parent 5c215ff
commit 3671e8d
Show file tree

Hide file tree

Showing 6 changed files with 52 additions and 27 deletions.
diff --git a/...n/java/org/jenkinsci/plugins/pipeline/modeldefinition/endpoints/ModelConverterAction.java b/...n/java/org/jenkinsci/plugins/pipeline/modeldefinition/endpoints/ModelConverterAction.java
@@ -23,6 +23,7 @@
  */
 package org.jenkinsci.plugins.pipeline.modeldefinition.endpoints;
 
+import hudson.security.csrf.CrumbExclusion;
 import org.jenkinsci.plugins.pipeline.modeldefinition.shaded.com.fasterxml.jackson.databind.JsonNode;
 import com.github.fge.jsonschema.tree.SimpleJsonTree;
 import com.github.fge.jsonschema.util.JsonLoader;
@@ -45,13 +46,16 @@
 import org.kohsuke.stapler.StaplerRequest;
 import org.kohsuke.stapler.interceptor.RequirePOST;
 
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
 import java.io.PrintWriter;
 import java.io.StringWriter;
 import java.util.ArrayList;
 import java.util.List;
 
-import static hudson.security.Permission.READ;
-
 /**
  * Endpoint for converting to/from JSON/Groovy and validating both.
  *
@@ -79,7 +83,7 @@ public String getDisplayName() {
     @SuppressWarnings("unused")
     @RequirePOST
     public HttpResponse doToJenkinsfile(StaplerRequest req) {
-        Jenkins.getInstance().checkPermission(READ);
+        Jenkins.getInstance().checkPermission(Jenkins.READ);
 
         JSONObject result = new JSONObject();
 
@@ -110,7 +114,7 @@ public HttpResponse doToJenkinsfile(StaplerRequest req) {
     @SuppressWarnings("unused")
     @RequirePOST
     public HttpResponse doToJson(StaplerRequest req) {
-        Jenkins.getInstance().checkPermission(READ);
+        Jenkins.getInstance().checkPermission(Jenkins.READ);
 
         JSONObject result = new JSONObject();
 
@@ -138,7 +142,7 @@ public HttpResponse doToJson(StaplerRequest req) {
     @SuppressWarnings("unused")
     @RequirePOST
     public HttpResponse doStepsToJson(StaplerRequest req) {
-        Jenkins.getInstance().checkPermission(READ);
+        Jenkins.getInstance().checkPermission(Jenkins.READ);
 
         JSONObject result = new JSONObject();
 
@@ -166,7 +170,7 @@ public HttpResponse doStepsToJson(StaplerRequest req) {
     @SuppressWarnings("unused")
     @RequirePOST
     public HttpResponse doStepsToJenkinsfile(StaplerRequest req) {
-        Jenkins.getInstance().checkPermission(READ);
+        Jenkins.getInstance().checkPermission(Jenkins.READ);
 
         JSONObject result = new JSONObject();
 
@@ -222,7 +226,7 @@ public HttpResponse doStepsToJenkinsfile(StaplerRequest req) {
     @SuppressWarnings("unused")
     @RequirePOST
     public HttpResponse doValidateJenkinsfile(StaplerRequest req) {
-        Jenkins.getInstance().checkPermission(READ);
+        Jenkins.getInstance().checkPermission(Jenkins.READ);
 
         JSONObject result = new JSONObject();
 
@@ -250,7 +254,7 @@ public HttpResponse doValidateJenkinsfile(StaplerRequest req) {
     @SuppressWarnings("unused")
     @RequirePOST
     public HttpResponse doValidateJson(StaplerRequest req) {
-        Jenkins.getInstance().checkPermission(READ);
+        Jenkins.getInstance().checkPermission(Jenkins.READ);
 
         JSONObject result = new JSONObject();
 
@@ -281,7 +285,7 @@ public HttpResponse doValidateJson(StaplerRequest req) {
     @SuppressWarnings("unused")
     @RequirePOST
     public HttpResponse doValidate(StaplerRequest req) {
-        Jenkins.getInstance().checkPermission(READ);
+        Jenkins.getInstance().checkPermission(Jenkins.READ);
 
         List<String> output = new ArrayList<>();
 
@@ -388,4 +392,20 @@ private void reportFailure(JSONObject result, JSONArray errors) {
         result.accumulate("result", "failure");
         result.accumulate("errors", errors);
     }
+
+    @Extension
+    public static class ModelConverterActionCrumbExclusion extends CrumbExclusion {
+        @Override
+        public boolean process(HttpServletRequest req, HttpServletResponse resp, FilterChain chain)
+                throws IOException, ServletException {
+            String pathInfo = req.getPathInfo();
+
+            if (pathInfo != null && pathInfo.startsWith("/" + PIPELINE_CONVERTER_URL + "/")) {
+                chain.doFilter(req, resp);
+                return true;
+            }
+
+            return false;
+        }
+    }
 }
diff --git a/...efinition/src/test/java/org/jenkinsci/plugins/pipeline/modeldefinition/WhenStageTest.java b/...efinition/src/test/java/org/jenkinsci/plugins/pipeline/modeldefinition/WhenStageTest.java
@@ -38,6 +38,7 @@
 import org.jvnet.hudson.test.JenkinsRule;
 
 import java.io.IOException;
+import java.net.URL;
 import java.util.Collections;
 
 import static org.jenkinsci.plugins.pipeline.modeldefinition.util.IsJsonObjectContaining.hasEntry;
@@ -86,7 +87,7 @@ public void whenEmpty() throws Exception {
     public void toJson() throws IOException {
         final String rawJenkinsfile = fileContentsFromResources("when/simpleWhen.groovy", true);
         JenkinsRule.WebClient wc = j.createWebClient();
-        WebRequest req = new WebRequest(wc.createCrumbedUrl(ModelConverterAction.PIPELINE_CONVERTER_URL + "/toJson"), HttpMethod.POST);
+        WebRequest req = new WebRequest(new URL(wc.getContextPath() + ModelConverterAction.PIPELINE_CONVERTER_URL + "/toJson"), HttpMethod.POST);
 
         assertNotNull(rawJenkinsfile);
 
@@ -101,7 +102,7 @@ public void toJson() throws IOException {
         assertThat(result, hasEntry("status", "ok"));
         assertThat(result, hasEntry("data", hasEntry("result", "success")));
 
-        req = new WebRequest(wc.createCrumbedUrl(ModelConverterAction.PIPELINE_CONVERTER_URL + "/toJenkinsfile"), HttpMethod.POST);
+        req = new WebRequest(new URL(wc.getContextPath() + ModelConverterAction.PIPELINE_CONVERTER_URL + "/toJenkinsfile"), HttpMethod.POST);
         pair = new NameValuePair("json", result.getJSONObject("data").getJSONObject("json").toString());
         req.setRequestParameters(Collections.singletonList(pair));
 

diff --git a/.../java/org/jenkinsci/plugins/pipeline/modeldefinition/endpoints/ErrorsEndpointOpsTest.java b/.../java/org/jenkinsci/plugins/pipeline/modeldefinition/endpoints/ErrorsEndpointOpsTest.java
@@ -34,6 +34,7 @@
 import org.junit.runners.Parameterized;
 import org.jvnet.hudson.test.JenkinsRule;
 
+import java.net.URL;
 import java.util.Collections;
 
 import static org.junit.Assert.assertEquals;
@@ -58,7 +59,7 @@ public static Iterable<Object[]> generateParameters() {
     @Test
     public void testFailedValidateJson() throws Exception {
         JenkinsRule.WebClient wc = j.createWebClient();
-        WebRequest req = new WebRequest(wc.createCrumbedUrl(ModelConverterAction.PIPELINE_CONVERTER_URL + "/validateJson"), HttpMethod.POST);
+        WebRequest req = new WebRequest(new URL(wc.getContextPath() + ModelConverterAction.PIPELINE_CONVERTER_URL + "/validateJson"), HttpMethod.POST);
         String simpleJson = fileContentsFromResources("json/errors/" + configName + ".json");
 
         assertNotNull(simpleJson);
@@ -87,7 +88,7 @@ public void testFailedValidateJenkinsfile() throws Exception {
         if (rawJenkinsfile != null) {
 
             JenkinsRule.WebClient wc = j.createWebClient();
-            WebRequest req = new WebRequest(wc.createCrumbedUrl(ModelConverterAction.PIPELINE_CONVERTER_URL + "/validateJenkinsfile"), HttpMethod.POST);
+            WebRequest req = new WebRequest(new URL(wc.getContextPath() + ModelConverterAction.PIPELINE_CONVERTER_URL + "/validateJenkinsfile"), HttpMethod.POST);
 
             assertNotNull(rawJenkinsfile);
 
@@ -109,7 +110,7 @@ public void testFailedValidateJenkinsfile() throws Exception {
     @Test
     public void testFailedToJenkinsfile() throws Exception {
         JenkinsRule.WebClient wc = j.createWebClient();
-        WebRequest req = new WebRequest(wc.createCrumbedUrl(ModelConverterAction.PIPELINE_CONVERTER_URL + "/toJenkinsfile"), HttpMethod.POST);
+        WebRequest req = new WebRequest(new URL(wc.getContextPath() + ModelConverterAction.PIPELINE_CONVERTER_URL + "/toJenkinsfile"), HttpMethod.POST);
         String simpleJson = fileContentsFromResources("json/errors/" + configName + ".json");
 
         assertNotNull(simpleJson);
@@ -131,7 +132,7 @@ public void testFailedToJenkinsfile() throws Exception {
     @Test
     public void testFailedToJson() throws Exception {
         JenkinsRule.WebClient wc = j.createWebClient();
-        WebRequest req = new WebRequest(wc.createCrumbedUrl(ModelConverterAction.PIPELINE_CONVERTER_URL + "/toJson"), HttpMethod.POST);
+        WebRequest req = new WebRequest(new URL(wc.getContextPath() + ModelConverterAction.PIPELINE_CONVERTER_URL + "/toJson"), HttpMethod.POST);
         String initialGroovy = fileContentsFromResources("errors/" + configName + ".groovy", true);
 
         assertNotNull(initialGroovy);

diff --git a/...g/jenkinsci/plugins/pipeline/modeldefinition/endpoints/ModelConverterActionStepsTest.java b/...g/jenkinsci/plugins/pipeline/modeldefinition/endpoints/ModelConverterActionStepsTest.java
@@ -34,6 +34,7 @@
 import org.kohsuke.stapler.StaplerRequest;
 
 import java.io.IOException;
+import java.net.URL;
 import java.util.Collections;
 
 import static org.hamcrest.collection.IsCollectionWithSize.hasSize;
@@ -158,7 +159,7 @@ public void simpleScriptToJson() throws IOException {
 
     private JSONObject callStepToJenkinsFile(String jsonFileName) throws IOException {
         JenkinsRule.WebClient wc = j.createWebClient();
-        WebRequest req = new WebRequest(wc.createCrumbedUrl(ModelConverterAction.PIPELINE_CONVERTER_URL + "/stepsToJenkinsfile"), HttpMethod.POST);
+        WebRequest req = new WebRequest(new URL(wc.getContextPath() + ModelConverterAction.PIPELINE_CONVERTER_URL + "/stepsToJenkinsfile"), HttpMethod.POST);
         String simpleJson = fileContentsFromResources(jsonFileName);
 
         assertNotNull(simpleJson);
@@ -174,7 +175,7 @@ private JSONObject callStepToJenkinsFile(String jsonFileName) throws IOException
 
     private JSONObject callStepsToJson(String jenkinsFileContent) throws IOException {
         JenkinsRule.WebClient wc = j.createWebClient();
-        WebRequest req = new WebRequest(wc.createCrumbedUrl(ModelConverterAction.PIPELINE_CONVERTER_URL + "/stepsToJson"), HttpMethod.POST);
+        WebRequest req = new WebRequest(new URL(wc.getContextPath() + ModelConverterAction.PIPELINE_CONVERTER_URL + "/stepsToJson"), HttpMethod.POST);
 
         assertNotNull(jenkinsFileContent);
 

diff --git a/...va/org/jenkinsci/plugins/pipeline/modeldefinition/endpoints/ModelConverterActionTest.java b/...va/org/jenkinsci/plugins/pipeline/modeldefinition/endpoints/ModelConverterActionTest.java
@@ -35,6 +35,7 @@
 import org.junit.Test;
 import org.jvnet.hudson.test.JenkinsRule;
 
+import java.net.URL;
 import java.util.Collections;
 
 import static org.junit.Assert.assertEquals;
@@ -66,7 +67,7 @@ public void validateJenkinsfileEmptyParam() throws Exception {
 
     private void getExpectedErrorNoParam(String param, String endpoint) throws Exception {
         JenkinsRule.WebClient wc = j.createWebClient();
-        WebRequest req = new WebRequest(wc.createCrumbedUrl(ModelConverterAction.PIPELINE_CONVERTER_URL + "/" + endpoint), HttpMethod.POST);
+        WebRequest req = new WebRequest(new URL(wc.getContextPath() + ModelConverterAction.PIPELINE_CONVERTER_URL + "/" + endpoint), HttpMethod.POST);
         String rawResult = wc.getPage(req).getWebResponse().getContentAsString();
         assertNotNull(rawResult);
 
@@ -86,7 +87,7 @@ private void getExpectedErrorNoParam(String param, String endpoint) throws Excep
     @Test
     public void errorOnNoPipeline() throws Exception {
         JenkinsRule.WebClient wc = j.createWebClient();
-        WebRequest req = new WebRequest(wc.createCrumbedUrl(ModelConverterAction.PIPELINE_CONVERTER_URL + "/validateJenkinsfile"), HttpMethod.POST);
+        WebRequest req = new WebRequest(new URL(wc.getContextPath() + ModelConverterAction.PIPELINE_CONVERTER_URL + "/validateJenkinsfile"), HttpMethod.POST);
         String groovyAsString = "echo 'nothing to see here'";
         NameValuePair pair = new NameValuePair("jenkinsfile", groovyAsString);
         req.setRequestParameters(Collections.singletonList(pair));
@@ -110,7 +111,7 @@ public void errorOnNoPipeline() throws Exception {
     @Test
     public void testFailedValidateJsonInvalidBuildCondition() throws Exception {
         JenkinsRule.WebClient wc = j.createWebClient();
-        WebRequest req = new WebRequest(wc.createCrumbedUrl(ModelConverterAction.PIPELINE_CONVERTER_URL + "/validateJson"), HttpMethod.POST);
+        WebRequest req = new WebRequest(new URL(wc.getContextPath() + ModelConverterAction.PIPELINE_CONVERTER_URL + "/validateJson"), HttpMethod.POST);
         String simpleJson = fileContentsFromResources("json/errors/invalidBuildCondition.json");
 
         assertNotNull(simpleJson);
@@ -140,7 +141,7 @@ public void testFailedValidateJenkinsfileInvalidBuildCondition() throws Exceptio
         if (rawJenkinsfile != null) {
 
             JenkinsRule.WebClient wc = j.createWebClient();
-            WebRequest req = new WebRequest(wc.createCrumbedUrl(ModelConverterAction.PIPELINE_CONVERTER_URL + "/validateJenkinsfile"), HttpMethod.POST);
+            WebRequest req = new WebRequest(new URL(wc.getContextPath() + ModelConverterAction.PIPELINE_CONVERTER_URL + "/validateJenkinsfile"), HttpMethod.POST);
 
             assertNotNull(rawJenkinsfile);
 
@@ -162,7 +163,7 @@ public void testFailedValidateJenkinsfileInvalidBuildCondition() throws Exceptio
     @Test
     public void testFailedValidateJsonUnlistedToolType() throws Exception {
         JenkinsRule.WebClient wc = j.createWebClient();
-        WebRequest req = new WebRequest(wc.createCrumbedUrl(ModelConverterAction.PIPELINE_CONVERTER_URL + "/validateJson"), HttpMethod.POST);
+        WebRequest req = new WebRequest(new URL(wc.getContextPath() + ModelConverterAction.PIPELINE_CONVERTER_URL + "/validateJson"), HttpMethod.POST);
         String simpleJson = fileContentsFromResources("json/errors/unlistedToolType.json");
 
         assertNotNull(simpleJson);
@@ -193,7 +194,7 @@ public void testFailedValidateJenkinsfileUnlistedToolType() throws Exception {
         if (rawJenkinsfile != null) {
 
             JenkinsRule.WebClient wc = j.createWebClient();
-            WebRequest req = new WebRequest(wc.createCrumbedUrl(ModelConverterAction.PIPELINE_CONVERTER_URL + "/validateJenkinsfile"), HttpMethod.POST);
+            WebRequest req = new WebRequest(new URL(wc.getContextPath() + ModelConverterAction.PIPELINE_CONVERTER_URL + "/validateJenkinsfile"), HttpMethod.POST);
 
             assertNotNull(rawJenkinsfile);
 

diff --git a/...a/org/jenkinsci/plugins/pipeline/modeldefinition/endpoints/SuccessfulEndpointOpsTest.java b/...a/org/jenkinsci/plugins/pipeline/modeldefinition/endpoints/SuccessfulEndpointOpsTest.java
@@ -37,6 +37,7 @@
 import org.junit.runners.Parameterized;
 import org.jvnet.hudson.test.JenkinsRule;
 
+import java.net.URL;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
@@ -65,7 +66,7 @@ public static Iterable<Object[]> generateParameters() {
     @Test
     public void testSuccessfulValidateJson() throws Exception {
         JenkinsRule.WebClient wc = j.createWebClient();
-        WebRequest req = new WebRequest(wc.createCrumbedUrl(ModelConverterAction.PIPELINE_CONVERTER_URL + "/validateJson"), HttpMethod.POST);
+        WebRequest req = new WebRequest(new URL(wc.getContextPath() + ModelConverterAction.PIPELINE_CONVERTER_URL + "/validateJson"), HttpMethod.POST);
         String simpleJson = fileContentsFromResources("json/" + configName + ".json");
 
         assertNotNull(simpleJson);
@@ -86,7 +87,7 @@ public void testSuccessfulValidateJson() throws Exception {
     @Test
     public void testSuccessfulValidateJenkinsfile() throws Exception {
         JenkinsRule.WebClient wc = j.createWebClient();
-        WebRequest req = new WebRequest(wc.createCrumbedUrl(ModelConverterAction.PIPELINE_CONVERTER_URL + "/validateJenkinsfile"), HttpMethod.POST);
+        WebRequest req = new WebRequest(new URL(wc.getContextPath() + ModelConverterAction.PIPELINE_CONVERTER_URL + "/validateJenkinsfile"), HttpMethod.POST);
         String rawJenkinsfile = fileContentsFromResources(configName + ".groovy");
 
         assertNotNull(rawJenkinsfile);
@@ -107,7 +108,7 @@ public void testSuccessfulValidateJenkinsfile() throws Exception {
     @Test
     public void testSuccessfulToJenkinsfile() throws Exception {
         JenkinsRule.WebClient wc = j.createWebClient();
-        WebRequest req = new WebRequest(wc.createCrumbedUrl(ModelConverterAction.PIPELINE_CONVERTER_URL + "/toJenkinsfile"), HttpMethod.POST);
+        WebRequest req = new WebRequest(new URL(wc.getContextPath() + ModelConverterAction.PIPELINE_CONVERTER_URL + "/toJenkinsfile"), HttpMethod.POST);
         String simpleJson = fileContentsFromResources("json/" + configName + ".json");
 
         assertNotNull(simpleJson);
@@ -133,7 +134,7 @@ public void testSuccessfulToJenkinsfile() throws Exception {
     @Test
     public void testSuccessfulToJson() throws Exception {
         JenkinsRule.WebClient wc = j.createWebClient();
-        WebRequest req = new WebRequest(wc.createCrumbedUrl(ModelConverterAction.PIPELINE_CONVERTER_URL + "/toJson"), HttpMethod.POST);
+        WebRequest req = new WebRequest(new URL(wc.getContextPath() + ModelConverterAction.PIPELINE_CONVERTER_URL + "/toJson"), HttpMethod.POST);
         String initialGroovy = fileContentsFromResources(configName + ".groovy");
 
         assertNotNull(initialGroovy);