[FIXED JENKINS-19934] Job create permission for RoleBasedProjectNamin…

…gStrategy.
jenkinsci · May 22, 2014 · d5178f3 · d5178f3
1 parent e025ab1
commit d5178f3
Show file tree

Hide file tree

Showing 6 changed files with 139 additions and 2 deletions.
diff --git a/...ain/java/com/michelin/cio/hudson/plugins/rolestrategy/RoleBasedAuthorizationStrategy.java b/...ain/java/com/michelin/cio/hudson/plugins/rolestrategy/RoleBasedAuthorizationStrategy.java
@@ -60,6 +60,9 @@
 import java.util.Set;
 import java.util.SortedMap;
 import javax.servlet.ServletException;
+
+import hudson.util.VersionNumber;
+import jenkins.model.Jenkins;
 import net.sf.json.JSONObject;
 import org.acegisecurity.acls.sid.PrincipalSid;
 import org.kohsuke.stapler.StaplerRequest;
@@ -361,7 +364,15 @@ void renewMacroRoles()
             }
         }
     }
-
+
+    /**
+     * Control job create using {@link org.jenkinsci.plugins.rolestrategy.RoleBasedProjectNamingStrategy}
+     * @since 2.1.1
+     */
+    public static boolean isCreateAllowed(){
+        return Jenkins.getVersion().isOlderThan(new VersionNumber("1.566"));
+    }
+
   /**
    * Descriptor used to bind the strategy to the Web forms.
    */
@@ -587,7 +598,7 @@ public boolean showPermission(String type, Permission p) {
         return showPermission(p);
       }
       else if(type.equals(PROJECT)) {
-        return p!=Item.CREATE && p.getEnabled();
+        return p == Item.CREATE && isCreateAllowed() && p.getEnabled() || p != Item.CREATE && p.getEnabled();
       }
       else if (type.equals(SLAVE)) {
           return p!=Computer.CREATE && p.getEnabled();

diff --git a/src/main/java/org/jenkinsci/plugins/rolestrategy/RoleBasedProjectNamingStrategy.java b/src/main/java/org/jenkinsci/plugins/rolestrategy/RoleBasedProjectNamingStrategy.java
@@ -0,0 +1,89 @@
+package org.jenkinsci.plugins.rolestrategy;
+
+import com.michelin.cio.hudson.plugins.rolestrategy.Messages;
+import com.michelin.cio.hudson.plugins.rolestrategy.Role;
+import com.michelin.cio.hudson.plugins.rolestrategy.RoleBasedAuthorizationStrategy;
+import hudson.Extension;
+import hudson.model.Failure;
+import hudson.model.Item;
+import hudson.security.AuthorizationStrategy;
+import jenkins.model.Jenkins;
+import jenkins.model.ProjectNamingStrategy;
+import org.apache.commons.lang.StringUtils;
+import org.kohsuke.stapler.DataBoundConstructor;
+
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.Set;
+import java.util.SortedMap;
+import java.util.logging.Logger;
+import java.util.regex.Pattern;
+
+
+public class RoleBasedProjectNamingStrategy extends ProjectNamingStrategy implements Serializable {
+//    public static final Logger LOGGER = Logger.getLogger(RoleBasedProjectNamingStrategy.class.getName());
+
+    private static final long serialVersionUID = 1L;
+
+    private boolean forceExistingJobs;
+
+    @DataBoundConstructor
+    public RoleBasedProjectNamingStrategy(boolean forceExistingJobs) {
+        this.forceExistingJobs = forceExistingJobs;
+    }
+
+    @Override
+    public void checkName(String name) throws Failure {
+        boolean matches = false;
+        ArrayList<String> badList = null;
+        AuthorizationStrategy auth = Jenkins.getInstance().getAuthorizationStrategy();
+        if (auth instanceof RoleBasedAuthorizationStrategy){
+            RoleBasedAuthorizationStrategy rbas = (RoleBasedAuthorizationStrategy) auth;
+            //firstly check global role
+            SortedMap<Role, Set<String>> gRole = rbas.getGrantedRoles(RoleBasedAuthorizationStrategy.GLOBAL);
+            for (SortedMap.Entry<Role, Set<String>> entry: gRole.entrySet()){
+                if (entry.getKey().hasPermission(Item.CREATE))
+                    return;
+            }
+            // check project role with pattern
+            SortedMap<Role, Set<String>> roles = rbas.getGrantedRoles(RoleBasedAuthorizationStrategy.PROJECT);
+            badList = new ArrayList<String>(roles.size());
+            for (SortedMap.Entry<Role, Set<String>> entry: roles.entrySet())  {
+                Role key = entry.getKey();
+                if (key.hasPermission(Item.CREATE)) {
+                    String namePattern = key.getPattern().toString();
+                    if (StringUtils.isNotBlank(namePattern) && StringUtils.isNotBlank(name)) {
+                        if (Pattern.matches(namePattern, name)){
+                            matches = true;
+                        } else {
+                            badList.add(namePattern);
+                        }
+                    }
+                }
+            }
+        }
+        if (!matches) {
+            String error;
+            if (badList != null && !badList.isEmpty())
+                //TODO beatify long outputs?
+                error = jenkins.model.Messages.Hudson_JobNameConventionNotApplyed(name, badList.toString());
+            else
+                error = Messages.RoleBasedProjectNamingStrategy_NoPermissions();
+            throw new Failure(error);
+        }
+    }
+
+    public boolean isForceExistingJobs() {
+        return forceExistingJobs;
+    }
+
+    @Extension
+    public static final class DescriptorImpl extends ProjectNamingStrategyDescriptor {
+
+        @Override
+        public String getDisplayName() {
+            return Messages.RoleBasedAuthorizationStrategy_DisplayName();
+        }
+
+    }
+}
diff --git a/src/main/resources/com/michelin/cio/hudson/plugins/rolestrategy/Messages.properties b/src/main/resources/com/michelin/cio/hudson/plugins/rolestrategy/Messages.properties
@@ -27,3 +27,5 @@ RoleBasedAuthorizationStrategy.Manage=Manage Roles
 RoleBasedAuthorizationStrategy.ManageAndAssign=Manage and Assign Roles
 RoleBasedAuthorizationStrategy.Assign=Assign Roles
 RoleBasedAuthorizationStrategy.ListAvalMacro=List Available Macros
+RoleBasedProjectNamingStrategy.NoPermissions=No Create Permissions!
+RoleBasedProjectNamingStrategy.NoPattern=Not matches to any pattern from role based privs:
diff --git a/...resources/org/jenkinsci/plugins/rolestrategy/RoleBasedProjectNamingStrategy/config.groovy b/...resources/org/jenkinsci/plugins/rolestrategy/RoleBasedProjectNamingStrategy/config.groovy
@@ -0,0 +1,7 @@
+package org.jenkinsci.plugins.rolestrategy.RoleBasedProjectNamingStrategy
+
+def f=namespace(lib.FormTagLib)
+
+f.entry(title:_("forceExistingJobs"), field:"forceExistingJobs") {
+    f.checkbox(name:"forceExistingJobs")
+}
diff --git a/...urces/org/jenkinsci/plugins/rolestrategy/RoleBasedProjectNamingStrategy/config.properties b/...urces/org/jenkinsci/plugins/rolestrategy/RoleBasedProjectNamingStrategy/config.properties
@@ -0,0 +1,24 @@
+# The MIT License
+#
+# Copyright (c) 2014, Kanstantsin Shautsou
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+description = Description
+forceExistingJobs = Force existing
diff --git a/...ain/resources/org/jenkinsci/plugins/rolestrategy/RoleBasedProjectNamingStrategy/help.html b/...ain/resources/org/jenkinsci/plugins/rolestrategy/RoleBasedProjectNamingStrategy/help.html
@@ -0,0 +1,4 @@
+<p>
+    Restricts Job creation according to role based settings.
+    Global role allows create with any name, project role according to defined pattern.
+</p>