jjb/jenkins-job-builder
Code Issues Proposed changes

STORY: 2009856

Browse Source 
added support for Matrix Authorization Stategy 3.0+ version

Change-Id: I46521033d9fd6f7f4ae59d8784f9fbfdd49958ed
This commit is contained in:
trunov_ms 2022-03-05 12:48:37 +05:00 committed by Max Trunov
parent 24f867fa73
commit 2aec5fc2e6
5 changed files with 75 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
jenkins_jobs/modules/properties.py
View File

@ -530,10 +530,24 @@ def authenticated_build(registry, xml_parent, data):
def authorization(registry, xml_parent, data, job_data):
"""yaml: authorization
Specifies an authorization matrix
In 3.0 version of plugin was added support for explicitly assigning permissions
to groups or users with a given name to prevent confusion when names match either.
.. _authorization:
For *matrix-auth >= 3.0*
:arg list prefix:<name>:
* `prefix`
* **GROUP**
* **USER**
* `<name>` is the name of the group or user, containing
For *matrix-auth < 3.0*
:arg list <name>: `<name>` is the name of the group or user, containing
the list of rights to grant.
:<name> rights:
@ -610,7 +624,16 @@ def authorization(registry, xml_parent, data, job_data):
for perm in perms:
pe = XML.SubElement(matrix, "permission")
try:
pe.text = "{0}:{1}".format(mapping[perm], username)
if username.upper().startswith(
"GROUP:"
) or username.upper().startswith("USER:"):
pe.text = "{0}:{1}:{2}".format(
username.split(":")[0].upper(),
mapping[perm],
username.split(":")[1],
)
else:
pe.text = "{0}:{1}".format(mapping[perm], username)
except KeyError:
raise InvalidAttributeError(username, perm, mapping.keys())

45
tests/properties/fixtures/authorization.xml
View File

@ -3,27 +3,30 @@
<properties>
<hudson.security.AuthorizationMatrixProperty>
<inheritanceStrategy class="org.jenkinsci.plugins.matrixauth.inheritance.InheritParentStrategy"/>
<permission>com.cloudbees.plugins.credentials.CredentialsProvider.Create:admin</permission>
<permission>com.cloudbees.plugins.credentials.CredentialsProvider.Delete:admin</permission>
<permission>com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains:admin</permission>
<permission>com.cloudbees.plugins.credentials.CredentialsProvider.Update:admin</permission>
<permission>com.cloudbees.plugins.credentials.CredentialsProvider.View:admin</permission>
<permission>hudson.model.Item.Build:admin</permission>
<permission>hudson.model.Item.Cancel:admin</permission>
<permission>hudson.model.Item.Configure:admin</permission>
<permission>hudson.model.Item.Delete:admin</permission>
<permission>hudson.model.Item.Discover:admin</permission>
<permission>hudson.model.Item.Move:admin</permission>
<permission>hudson.model.Item.Read:admin</permission>
<permission>hudson.model.Item.ViewStatus:admin</permission>
<permission>hudson.model.Item.Workspace:admin</permission>
<permission>com.synopsys.arc.jenkins.plugins.ownership.OwnershipPlugin.Jobs:admin</permission>
<permission>hudson.model.Run.Delete:admin</permission>
<permission>hudson.model.Run.Replay:admin</permission>
<permission>hudson.model.Run.Update:admin</permission>
<permission>hudson.scm.SCM.Tag:admin</permission>
<permission>hudson.model.Item.Read:anonymous</permission>
<permission>hudson.model.Item.ExtendedRead:anonymous</permission>
<permission>USER:com.cloudbees.plugins.credentials.CredentialsProvider.Create:admin</permission>
<permission>USER:com.cloudbees.plugins.credentials.CredentialsProvider.Delete:admin</permission>
<permission>USER:com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains:admin</permission>
<permission>USER:com.cloudbees.plugins.credentials.CredentialsProvider.Update:admin</permission>
<permission>USER:com.cloudbees.plugins.credentials.CredentialsProvider.View:admin</permission>
<permission>USER:hudson.model.Item.Build:admin</permission>
<permission>USER:hudson.model.Item.Cancel:admin</permission>
<permission>USER:hudson.model.Item.Configure:admin</permission>
<permission>USER:hudson.model.Item.Delete:admin</permission>
<permission>USER:hudson.model.Item.Discover:admin</permission>
<permission>USER:hudson.model.Item.Move:admin</permission>
<permission>USER:hudson.model.Item.Read:admin</permission>
<permission>USER:hudson.model.Item.ViewStatus:admin</permission>
<permission>USER:hudson.model.Item.Workspace:admin</permission>
<permission>USER:com.synopsys.arc.jenkins.plugins.ownership.OwnershipPlugin.Jobs:admin</permission>
<permission>USER:hudson.model.Run.Delete:admin</permission>
<permission>USER:hudson.model.Run.Replay:admin</permission>
<permission>USER:hudson.model.Run.Update:admin</permission>
<permission>USER:hudson.scm.SCM.Tag:admin</permission>
<permission>GROUP:hudson.model.Item.Read:anonymous</permission>
<permission>GROUP:hudson.model.Item.ExtendedRead:anonymous</permission>
<permission>hudson.model.Item.Read:authenticated</permission>
<permission>hudson.model.Item.Discover:authenticated</permission>
<permission>hudson.model.Item.ExtendedRead:authenticated</permission>
</hudson.security.AuthorizationMatrixProperty>
</properties>
</project>

8
tests/properties/fixtures/authorization.yaml
View File

@ -1,6 +1,6 @@
properties:
- authorization:
admin:
USER:admin:
- credentials-create
- credentials-delete
- credentials-manage-domains
@ -20,6 +20,10 @@ properties:
- run-replay
- run-update
- scm-tag
anonymous:
GROUP:anonymous:
- job-read
- job-extended-read
authenticated:
- job-read
- job-discover
- job-extended-read

30
tests/properties/fixtures/authorization_matrix.xml
View File

@ -3,20 +3,22 @@
<properties>
<hudson.security.AuthorizationMatrixProperty>
<inheritanceStrategy class="org.jenkinsci.plugins.matrixauth.inheritance.InheritParentStrategy"/>
<permission>hudson.model.Item.Delete:admin</permission>
<permission>hudson.model.Item.Configure:admin</permission>
<permission>hudson.model.Item.Read:admin</permission>
<permission>hudson.model.Item.Discover:admin</permission>
<permission>hudson.model.Item.Build:admin</permission>
<permission>hudson.model.Item.Workspace:admin</permission>
<permission>hudson.model.Item.Cancel:admin</permission>
<permission>hudson.model.Run.Delete:admin</permission>
<permission>hudson.model.Run.Replay:admin</permission>
<permission>hudson.model.Run.Update:admin</permission>
<permission>hudson.scm.SCM.Tag:admin</permission>
<permission>hudson.model.Item.Discover:anonymous</permission>
<permission>hudson.model.Item.Read:anonymous</permission>
<permission>hudson.model.Item.ExtendedRead:anonymous</permission>
<permission>USER:hudson.model.Item.Delete:admin</permission>
<permission>USER:hudson.model.Item.Configure:admin</permission>
<permission>USER:hudson.model.Item.Read:admin</permission>
<permission>USER:hudson.model.Item.Discover:admin</permission>
<permission>USER:hudson.model.Item.Build:admin</permission>
<permission>USER:hudson.model.Item.Workspace:admin</permission>
<permission>USER:hudson.model.Item.Cancel:admin</permission>
<permission>USER:hudson.model.Run.Delete:admin</permission>
<permission>USER:hudson.model.Run.Replay:admin</permission>
<permission>USER:hudson.model.Run.Update:admin</permission>
<permission>USER:hudson.scm.SCM.Tag:admin</permission>
<permission>GROUP:hudson.model.Item.Discover:anonymous</permission>
<permission>GROUP:hudson.model.Item.Read:anonymous</permission>
<permission>GROUP:hudson.model.Item.ExtendedRead:anonymous</permission>
<permission>hudson.model.Item.Discover:authenticated</permission>
<permission>hudson.model.Item.Read:authenticated</permission>
</hudson.security.AuthorizationMatrixProperty>
</properties>
</project>

7
tests/properties/fixtures/authorization_matrix.yaml
View File

@ -1,6 +1,6 @@
properties:
- authorization:
admin:
USER:admin:
- job-delete
- job-configure
- job-read
@ -12,7 +12,10 @@ properties:
- run-replay
- run-update
- scm-tag
anonymous:
GROUP:anonymous:
- job-discover
- job-read
- job-extended-read
authenticated:
- job-discover
- job-read