use of org.jenkinsci.test.acceptance.po.GlobalSecurityConfig in project acceptance-test-harness by jenkinsci.
the class GitUserContentTest method setUp.
@Before
public void setUp() throws Exception {
    // Runs before each test: opens the global security page, clears the
    // CSRF-protection checkbox and saves the form.
    // NOTE(review): the reason for switching CSRF protection off is not visible
    // here; presumably a later step of these tests submits requests without a
    // crumb. The setting applies to the whole instance, so this setup is only
    // appropriate on a disposable test controller.
    GlobalSecurityConfig securityPage = new GlobalSecurityConfig(jenkins);
    securityPage.open();
    securityPage.csrf.uncheck();
    securityPage.save();
}
use of org.jenkinsci.test.acceptance.po.GlobalSecurityConfig in project acceptance-test-harness by jenkinsci.
the class JobDslPluginTest method should_run_grooy_sandbox_as_particular_user.
/**
* Verifies that the Groovy sandbox can only be used if 'Access Control for Builds'
* is configured. The DSL job needs to run as a particular user.
*/
@Test
@WithPlugins({ "matrix-auth@2.3", "mock-security-realm", "authorize-project" })
public void should_run_grooy_sandbox_as_particular_user() {
    GlobalSecurityConfig securityConfig = setUpSecurity();
    jenkins.login().doLogin(USER);

    // Seed job with a sandboxed Job DSL step, created and saved while logged in as USER.
    FreeStyleJob seedJob = createSeedJob();
    JobDslBuildStep dslStep = seedJob.addBuildStep(JobDslBuildStep.class);
    dslStep.setScript("job('New_Job')");
    dslStep.setUseSandbox(true);
    seedJob.save();

    // Negative case: the sandbox is requested, but no specific user has been
    // configured for the build to run as, so the build must be rejected with
    // the message below.
    String rejectedConsole = seedJob.scheduleBuild().shouldFail().getConsole();
    assertThat(
            rejectedConsole,
            containsString("You must configure the DSL job to run as a specific user in order to use the Groovy sandbox"));

    // Helper defined elsewhere in the class; presumably it sets up
    // 'Access Control for Builds' so that a build runs as the user who
    // triggered it -- confirm against the helper.
    runBuildAsUserWhoTriggered(securityConfig);
    jenkins.login().doLogin(USER);

    // Positive case: with a specific user configured, the same sandboxed script may run.
    seedJob.scheduleBuild().shouldSucceed();
}
use of org.jenkinsci.test.acceptance.po.GlobalSecurityConfig in project acceptance-test-harness by jenkinsci.
the class JobDslPluginTest method should_use_script_security.
/**
* Verifies that if script security for Job DSL scripts is enabled,
* scripts saved by non-administrators that do not run in a Groovy sandbox
* won't be executed, because they are not approved.
* If script security for Job DSL scripts is disabled, the script can be executed.
*/
@Test
@WithPlugins({ "matrix-auth@2.3", "mock-security-realm" })
public void should_use_script_security() {
    GlobalSecurityConfig securityConfig = setUpSecurity();
    jenkins.login().doLogin(USER);

    // Seed job with a non-sandboxed Job DSL script, saved by the non-administrator USER.
    FreeStyleJob seedJob = createSeedJob();
    JobDslBuildStep dslStep = seedJob.addBuildStep(JobDslBuildStep.class);
    dslStep.setScript("job('New_Job')");
    dslStep.setUseSandbox(false);
    seedJob.save();

    // Triggered by USER: the script has no approval, so the build must fail.
    String consoleAsUser = seedJob.scheduleBuild().shouldFail().getConsole();
    assertThat(consoleAsUser, containsString("script not yet approved for use"));

    jenkins.logout();
    jenkins.login().doLogin(ADMIN);

    // Triggered by ADMIN: the script is still the unapproved one saved by USER,
    // so the build must fail with the same message regardless of who starts it.
    String consoleAsAdmin = seedJob.scheduleBuild().shouldFail().getConsole();
    assertThat(consoleAsAdmin, containsString("script not yet approved for use"));

    // Turn Job DSL script security off globally. The script is never approved
    // in this test; from here on the approval gate itself is disabled.
    securityConfig.configure(() -> securityConfig.setJobDslScriptSecurity(false));

    jenkins.logout();
    jenkins.login().doLogin(USER);

    // With script security disabled, the unapproved script is executed.
    seedJob.scheduleBuild().shouldSucceed();
}
use of org.jenkinsci.test.acceptance.po.GlobalSecurityConfig in project acceptance-test-harness by jenkinsci.
the class JobDslPluginTest method should_use_grooy_sandbox_whitelisted_content.
/**
* Verifies that if script security for Job DSL scripts is enabled,
* scripts saved by non administrators can run in a Groovy sandbox
* without approval. All Job DSL methods are whitelisted by default.
*/
@Test
@WithPlugins({ "matrix-auth@2.3", "mock-security-realm", "authorize-project" })
public void should_use_grooy_sandbox_whitelisted_content() {
    GlobalSecurityConfig securityConfig = setUpSecurity();
    // Helper defined elsewhere in the class; presumably it configures builds to
    // run as the triggering user -- confirm against the helper.
    runBuildAsUserWhoTriggered(securityConfig);
    jenkins.login().doLogin(USER);

    // Start with the sandbox switched off, so the script saved by USER needs approval.
    FreeStyleJob seedJob = createSeedJob();
    JobDslBuildStep dslStep = seedJob.addBuildStep(JobDslBuildStep.class);
    dslStep.setScript("job('New_Job')");
    dslStep.setUseSandbox(false);
    seedJob.save();

    // Outside the sandbox, the unapproved script from a non-administrator is rejected.
    String rejectedConsole = seedJob.scheduleBuild().shouldFail().getConsole();
    assertThat(rejectedConsole, containsString("script not yet approved for use"));

    // Reconfigure the same job to run the script inside the Groovy sandbox.
    seedJob.configure(() -> dslStep.setUseSandbox(true));

    // Inside the sandbox no approval is needed here, because the script
    // calls only a Job DSL method.
    seedJob.scheduleBuild().shouldSucceed();
}
use of org.jenkinsci.test.acceptance.po.GlobalSecurityConfig in project acceptance-test-harness by jenkinsci.
the class JobDslPluginTest method should_use_grooy_sandbox_no_whitelisted_content.
/**
* Verifies that if script security for Job DSL scripts is enabled,
* scripts with non-whitelisted content saved by non-administrators
* won't be executed even if they are meant to run in a Groovy sandbox.
* Administrators can approve this content in the 'Script Approval' of the
* 'Manage Jenkins' area. Approved scripts can be executed.
*/
@Test
@WithPlugins({ "matrix-auth@2.3", "mock-security-realm", "authorize-project" })
public void should_use_grooy_sandbox_no_whitelisted_content() {
    GlobalSecurityConfig securityConfig = setUpSecurity();
    // Helper defined elsewhere in the class; presumably it configures builds to
    // run as the triggering user -- confirm against the helper.
    runBuildAsUserWhoTriggered(securityConfig);
    jenkins.login().doLogin(USER);

    // The script calls Collection.toArray() in addition to the Job DSL job()
    // method; the assertion below expects the sandbox to reject that call.
    String script = "def jobNames = [\"First_Job\", \"Second_Job\"].toArray()\n"
            + "\n"
            + "for(name in jobNames) {\n"
            + " job(name)\n"
            + "}";

    FreeStyleJob seedJob = createSeedJob();
    JobDslBuildStep dslStep = seedJob.addBuildStep(JobDslBuildStep.class);
    dslStep.setScript(script);
    dslStep.setUseSandbox(true);
    seedJob.save();

    // Running in the sandbox is not enough: the non-whitelisted method call
    // makes the build fail with the message below.
    String rejectedConsole = seedJob.scheduleBuild().shouldFail().getConsole();
    assertThat(
            rejectedConsole,
            containsString("Scripts not permitted to use method java.util.Collection toArray"));

    // Switch to ADMIN and approve the toArray signature on the Script Approval page.
    jenkins.logout();
    jenkins.login().doLogin(ADMIN);
    ScriptApproval approvalPage = new ScriptApproval(jenkins);
    approvalPage.open();
    approvalPage.findSignature("toArray").approve();

    jenkins.logout();
    jenkins.login().doLogin(USER);

    // After the administrator's approval, the same script run by USER succeeds.
    seedJob.scheduleBuild().shouldSucceed();
}