use of hudson.security.GlobalMatrixAuthorizationStrategy in project workflow-cps-plugin by jenkinsci.
the class CpsFlowDefinition2Test method sandboxInvokerUsed.
/**
 * Checks that a sandboxed Pipeline script calling {@code Jenkins.getInstance()} fails the build
 * with a {@code RejectedAccessException}, and that the console's script-approval link is shown
 * only to a user holding {@code Jenkins.RUN_SCRIPTS}.
 *
 * <p>Both users can read the build, so the plain-text console carries the same rejection message
 * for each; only the HTML link to {@code /scriptApproval} differs.
 */
@Test
public void sandboxInvokerUsed() throws Exception {
    jenkins.jenkins.setSecurityRealm(jenkins.createDummySecurityRealm());

    // Identical read access for both identities; RUN_SCRIPTS is the single distinguishing grant.
    GlobalMatrixAuthorizationStrategy matrix = new GlobalMatrixAuthorizationStrategy();
    for (String sid : new String[] {"runScriptsUser", "otherUser"}) {
        matrix.add(Jenkins.READ, sid);
        matrix.add(Item.READ, sid);
    }
    matrix.add(Jenkins.RUN_SCRIPTS, "runScriptsUser");
    jenkins.jenkins.setAuthorizationStrategy(matrix);

    // The second constructor argument (true) runs the script in the sandbox, which is what
    // must intercept the call made from inside the closure.
    String script =
            "[a: 1, b: 2].collectEntries { k, v ->\n"
                    + " Jenkins.getInstance()\n"
                    + " [(v): k]\n"
                    + "}\n";
    WorkflowJob job = jenkins.jenkins.createProject(WorkflowJob.class, "p");
    job.setDefinition(new CpsFlowDefinition(script, true));
    WorkflowRun run = jenkins.assertBuildStatus(Result.FAILURE, job.scheduleBuild2(0).get());

    String rejection = "Scripts not permitted to use staticMethod jenkins.model.Jenkins getInstance";
    String approvalLinkText = Messages.SandboxContinuable_ScriptApprovalLink();
    jenkins.assertLogContains(
            "org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: " + rejection, run);
    jenkins.assertLogContains(rejection + ". " + approvalLinkText, run);

    String approvalAnchorXPath = "//A[@href='" + jenkins.contextPath + "/scriptApproval']";
    String expectedRawFragment = " getInstance. " + approvalLinkText;
    JenkinsRule.WebClient client = jenkins.createWebClient();

    // A user with RUN_SCRIPTS gets exactly one approval link in the HTML console.
    client.login("runScriptsUser");
    HtmlPage privilegedConsole = client.getPage(run, "console");
    assertEquals(1, DomNodeUtil.selectNodes(privilegedConsole, approvalAnchorXPath).size());
    // The raw console text must hold the readable message, not the annotation encoding.
    TextPage privilegedRaw = (TextPage) client.goTo(run.getUrl() + "consoleText", "text/plain");
    assertThat(privilegedRaw.getContent(), containsString(expectedRawFragment));

    // A user without RUN_SCRIPTS must not be offered the approval link at all.
    client.login("otherUser");
    HtmlPage unprivilegedConsole = client.getPage(run, "console");
    assertEquals(0, DomNodeUtil.selectNodes(unprivilegedConsole, approvalAnchorXPath).size());
    // The raw console text is still the same readable message for this user.
    TextPage unprivilegedRaw = (TextPage) client.goTo(run.getUrl() + "consoleText", "text/plain");
    assertThat(unprivilegedRaw.getContent(), containsString(expectedRawFragment));
}
use of hudson.security.GlobalMatrixAuthorizationStrategy in project configuration-as-code-plugin by jenkinsci.
the class GlobalMatrixAuthorizationStrategyConfigurator method configure.
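/**
 * Builds a {@link GlobalMatrixAuthorizationStrategy} from a configuration map.
 *
 * <p>The map's {@code grantedPermissions} entry is read as a collection. Each element is passed to
 * the {@link GroupPermissionDefinition} configurator, and each resulting definition adds its grants
 * to a permission-keyed map that is then installed on a new strategy instance.
 *
 * @param config the configuration node; must be a {@link Map}
 * @return a new strategy carrying the configured grants
 * @throws ClassCastException if {@code config} is not a map or {@code grantedPermissions} is not a
 *     collection
 * @throws NullPointerException if the map has no {@code grantedPermissions} entry
 * @throws Exception if an entry cannot be configured or the reflective field write fails
 */
@Override
public GlobalMatrixAuthorizationStrategy configure(Object config) throws Exception {
    Map<?, ?> map = (Map<?, ?>) config;
    Collection<?> entries = (Collection<?>) map.get("grantedPermissions");
    if (entries == null) {
        // Fail with a readable message rather than an anonymous NPE in the loop below. An
        // authorization strategy must not be installed from a node that names no grants.
        throw new NullPointerException(
                "GlobalMatrixAuthorizationStrategy configuration has no 'grantedPermissions' entry");
    }

    Configurator<GroupPermissionDefinition> permissionConfigurator =
            Configurator.lookup(GroupPermissionDefinition.class);
    Map<Permission, Set<String>> grantedPermissions = new HashMap<>();
    for (Object entry : entries) {
        GroupPermissionDefinition gpd = permissionConfigurator.configure(entry);
        // We transform the linear list to a matrix (where the permission is the key instead).
        gpd.grantPermission(grantedPermissions);
    }

    // TODO: Once change is in place for GlobalMatrixAuthentication. Switch away from reflection
    // NOTE(review): this writes the private field directly, so any checks the strategy applies
    // when grants are added through its own API are presumably not run for these entries.
    // Confirm that nothing security-relevant is skipped.
    GlobalMatrixAuthorizationStrategy gms = new GlobalMatrixAuthorizationStrategy();
    Field f = gms.getClass().getDeclaredField("grantedPermissions");
    f.setAccessible(true);
    f.set(gms, grantedPermissions);
    return gms;
}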
use of hudson.security.GlobalMatrixAuthorizationStrategy in project blueocean-plugin by jenkinsci.
the class BitbucketServerEndpointSecuredTest method setupSecurity.
/**
 * Prepares the security fixture before each test: a private realm with two accounts and a
 * matrix authorization strategy.
 *
 * <p>Anonymous and {@code read_user} receive {@code Jenkins.READ}. {@code write_user} receives
 * {@code Item.BUILD}, {@code Item.CREATE} and {@code Item.CONFIGURE}, with no explicit
 * {@code Jenkins.READ} grant. A crumb is then fetched and stored in {@code this.crumb}.
 */
@Before
public void setupSecurity() throws Exception {
    // NOTE(review): the boolean is presumably the realm's "allow signup" switch; confirm.
    HudsonPrivateSecurityRealm securityRealm = new HudsonPrivateSecurityRealm(true);
    readUser = securityRealm.createAccount("read_user", "pacific_ale");
    writeUser = securityRealm.createAccount("write_user", "pale_ale");
    j.jenkins.setSecurityRealm(securityRealm);

    // The strategy is installed first and populated afterwards through the same reference.
    GlobalMatrixAuthorizationStrategy matrix = new GlobalMatrixAuthorizationStrategy();
    j.jenkins.setAuthorizationStrategy(matrix);

    // Read-only principals.
    String anonymousSid = (String) Jenkins.ANONYMOUS.getPrincipal();
    matrix.add(Jenkins.READ, anonymousSid);
    matrix.add(Jenkins.READ, readUser.getId());

    // Item-level write permissions for the privileged test account.
    String writerSid = writeUser.getId();
    matrix.add(Item.BUILD, writerSid);
    matrix.add(Item.CREATE, writerSid);
    matrix.add(Item.CONFIGURE, writerSid);

    this.crumb = getCrumb(j.jenkins);
}
use of hudson.security.GlobalMatrixAuthorizationStrategy in project blueocean-plugin by jenkinsci.
the class GithubServerSecuredTest method setupSecurity.
/**
 * Sets up the realm, accounts and permission matrix shared by the secured tests.
 *
 * <p>Grants: {@code Jenkins.READ} to anonymous and to {@code read_user};
 * {@code Item.BUILD}, {@code Item.CREATE} and {@code Item.CONFIGURE} to {@code write_user}.
 * Finishes by storing a crumb obtained from the Jenkins instance in {@code this.crumb}.
 */
@Before
public void setupSecurity() throws Exception {
    // NOTE(review): the constructor flag looks like "allow signup"; verify against the realm class.
    HudsonPrivateSecurityRealm privateRealm = new HudsonPrivateSecurityRealm(true);
    readUser = privateRealm.createAccount("read_user", "pacific_ale");
    writeUser = privateRealm.createAccount("write_user", "pale_ale");
    j.jenkins.setSecurityRealm(privateRealm);

    GlobalMatrixAuthorizationStrategy authz = new GlobalMatrixAuthorizationStrategy();
    j.jenkins.setAuthorizationStrategy(authz);

    // Unauthenticated requests may read.
    Object anonymousPrincipal = Jenkins.ANONYMOUS.getPrincipal();
    authz.add(Jenkins.READ, (String) anonymousPrincipal);

    // read_user: read access only.
    authz.add(Jenkins.READ, readUser.getId());

    // write_user: item permissions only; no explicit Jenkins.READ is granted to this account.
    authz.add(Item.BUILD, writeUser.getId());
    authz.add(Item.CREATE, writeUser.getId());
    authz.add(Item.CONFIGURE, writeUser.getId());

    this.crumb = getCrumb(j.jenkins);
}
use of hudson.security.GlobalMatrixAuthorizationStrategy in project blueocean-plugin by jenkinsci.
the class ProfileApiTest method shouldFailForUnauthorizedUser.
/**
 * Verifies that an authenticated user with no grant in the authorization matrix is refused by
 * {@code /users/}.
 *
 * <p>Only {@code alice} is granted {@code Hudson.READ}. The request is sent as {@code bob}, and
 * the response body's {@code code} field must be 403.
 */
@Test
public void shouldFailForUnauthorizedUser() throws IOException, UnirestException {
    HudsonPrivateSecurityRealm securityRealm = new HudsonPrivateSecurityRealm(false);
    securityRealm.createAccount("alice", "alice");
    securityRealm.createAccount("bob", "bob");
    j.jenkins.setSecurityRealm(securityRealm);

    // bob exists in the realm but is deliberately absent from the matrix.
    GlobalMatrixAuthorizationStrategy matrix = new GlobalMatrixAuthorizationStrategy();
    j.jenkins.setAuthorizationStrategy(matrix);
    matrix.add(Hudson.READ, "alice");

    // NOTE(review): status(403) presumably makes the builder expect that HTTP status; confirm.
    Map errorBody = new RequestBuilder(baseUrl)
            .status(403)
            .auth("bob", "bob")
            .get("/users/")
            .build(Map.class);
    assertEquals(403, errorBody.get("code"));
}