STORY: 2009856

added support for Matrix Authorization Stategy 3.0+ version Change-Id: I46521033d9fd6f7f4ae59d8784f9fbfdd49958ed
2022-03-05 12:48:37 +05:00 · 2022-03-05 12:48:37 +05:00 · 2aec5fc2e6
parent 24f867fa73
commit 2aec5fc2e6
5 changed files with 75 additions and 40 deletions
--- a/jenkins_jobs/modules/properties.py
+++ b/jenkins_jobs/modules/properties.py
@ -530,10 +530,24 @@ def authenticated_build(registry, xml_parent, data):
 def authorization(registry, xml_parent, data, job_data):
    """yaml: authorization
    Specifies an authorization matrix
+    In 3.0 version of plugin was added support for explicitly assigning permissions
+    to groups or users with a given name to prevent confusion when names match either.

    .. _authorization:

+    For *matrix-auth >= 3.0*
+
+    :arg list prefix:<name>:
+            * `prefix`
+                * **GROUP**
+                * **USER**
+            * `<name>` is the name of the group or user, containing
+
+    For *matrix-auth < 3.0*
+
    :arg list <name>: `<name>` is the name of the group or user, containing
+
+
        the list of rights to grant.

       :<name> rights:
@ -610,7 +624,16 @@ def authorization(registry, xml_parent, data, job_data):
            for perm in perms:
                pe = XML.SubElement(matrix, "permission")
                try:
-                    pe.text = "{0}:{1}".format(mapping[perm], username)
+                    if username.upper().startswith(
+                        "GROUP:"
+                    ) or username.upper().startswith("USER:"):
+                        pe.text = "{0}:{1}:{2}".format(
+                            username.split(":")[0].upper(),
+                            mapping[perm],
+                            username.split(":")[1],
+                        )
+                    else:
+                        pe.text = "{0}:{1}".format(mapping[perm], username)
                except KeyError:
                    raise InvalidAttributeError(username, perm, mapping.keys())

--- a/tests/properties/fixtures/authorization.xml
+++ b/tests/properties/fixtures/authorization.xml
@ -3,27 +3,30 @@
  <properties>
    <hudson.security.AuthorizationMatrixProperty>
      <inheritanceStrategy class="org.jenkinsci.plugins.matrixauth.inheritance.InheritParentStrategy"/>
-      <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Create:admin</permission>
-      <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Delete:admin</permission>
-      <permission>com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains:admin</permission>
-      <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Update:admin</permission>
-      <permission>com.cloudbees.plugins.credentials.CredentialsProvider.View:admin</permission>
-      <permission>hudson.model.Item.Build:admin</permission>
-      <permission>hudson.model.Item.Cancel:admin</permission>
-      <permission>hudson.model.Item.Configure:admin</permission>
-      <permission>hudson.model.Item.Delete:admin</permission>
-      <permission>hudson.model.Item.Discover:admin</permission>
-      <permission>hudson.model.Item.Move:admin</permission>
-      <permission>hudson.model.Item.Read:admin</permission>
-      <permission>hudson.model.Item.ViewStatus:admin</permission>
-      <permission>hudson.model.Item.Workspace:admin</permission>
-      <permission>com.synopsys.arc.jenkins.plugins.ownership.OwnershipPlugin.Jobs:admin</permission>
-      <permission>hudson.model.Run.Delete:admin</permission>
-      <permission>hudson.model.Run.Replay:admin</permission>
-      <permission>hudson.model.Run.Update:admin</permission>
-      <permission>hudson.scm.SCM.Tag:admin</permission>
-      <permission>hudson.model.Item.Read:anonymous</permission>
-      <permission>hudson.model.Item.ExtendedRead:anonymous</permission>
+      <permission>USER:com.cloudbees.plugins.credentials.CredentialsProvider.Create:admin</permission>
+      <permission>USER:com.cloudbees.plugins.credentials.CredentialsProvider.Delete:admin</permission>
+      <permission>USER:com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains:admin</permission>
+      <permission>USER:com.cloudbees.plugins.credentials.CredentialsProvider.Update:admin</permission>
+      <permission>USER:com.cloudbees.plugins.credentials.CredentialsProvider.View:admin</permission>
+      <permission>USER:hudson.model.Item.Build:admin</permission>
+      <permission>USER:hudson.model.Item.Cancel:admin</permission>
+      <permission>USER:hudson.model.Item.Configure:admin</permission>
+      <permission>USER:hudson.model.Item.Delete:admin</permission>
+      <permission>USER:hudson.model.Item.Discover:admin</permission>
+      <permission>USER:hudson.model.Item.Move:admin</permission>
+      <permission>USER:hudson.model.Item.Read:admin</permission>
+      <permission>USER:hudson.model.Item.ViewStatus:admin</permission>
+      <permission>USER:hudson.model.Item.Workspace:admin</permission>
+      <permission>USER:com.synopsys.arc.jenkins.plugins.ownership.OwnershipPlugin.Jobs:admin</permission>
+      <permission>USER:hudson.model.Run.Delete:admin</permission>
+      <permission>USER:hudson.model.Run.Replay:admin</permission>
+      <permission>USER:hudson.model.Run.Update:admin</permission>
+      <permission>USER:hudson.scm.SCM.Tag:admin</permission>
+      <permission>GROUP:hudson.model.Item.Read:anonymous</permission>
+      <permission>GROUP:hudson.model.Item.ExtendedRead:anonymous</permission>
+      <permission>hudson.model.Item.Read:authenticated</permission>
+      <permission>hudson.model.Item.Discover:authenticated</permission>
+      <permission>hudson.model.Item.ExtendedRead:authenticated</permission>
    </hudson.security.AuthorizationMatrixProperty>
  </properties>
 </project>
--- a/tests/properties/fixtures/authorization.yaml
+++ b/tests/properties/fixtures/authorization.yaml
@ -1,6 +1,6 @@
 properties:
    - authorization:
-        admin:
+        USER:admin:
            - credentials-create
            - credentials-delete
            - credentials-manage-domains
@ -20,6 +20,10 @@ properties:
            - run-replay
            - run-update
            - scm-tag
-        anonymous:
+        GROUP:anonymous:
            - job-read
            - job-extended-read
+        authenticated:
+            - job-read
+            - job-discover
+            - job-extended-read
--- a/tests/properties/fixtures/authorization_matrix.xml
+++ b/tests/properties/fixtures/authorization_matrix.xml
@ -3,20 +3,22 @@
  <properties>
    <hudson.security.AuthorizationMatrixProperty>
      <inheritanceStrategy class="org.jenkinsci.plugins.matrixauth.inheritance.InheritParentStrategy"/>
-      <permission>hudson.model.Item.Delete:admin</permission>
-      <permission>hudson.model.Item.Configure:admin</permission>
-      <permission>hudson.model.Item.Read:admin</permission>
-      <permission>hudson.model.Item.Discover:admin</permission>
-      <permission>hudson.model.Item.Build:admin</permission>
-      <permission>hudson.model.Item.Workspace:admin</permission>
-      <permission>hudson.model.Item.Cancel:admin</permission>
-      <permission>hudson.model.Run.Delete:admin</permission>
-      <permission>hudson.model.Run.Replay:admin</permission>
-      <permission>hudson.model.Run.Update:admin</permission>
-      <permission>hudson.scm.SCM.Tag:admin</permission>
-      <permission>hudson.model.Item.Discover:anonymous</permission>
-      <permission>hudson.model.Item.Read:anonymous</permission>
-      <permission>hudson.model.Item.ExtendedRead:anonymous</permission>
+      <permission>USER:hudson.model.Item.Delete:admin</permission>
+      <permission>USER:hudson.model.Item.Configure:admin</permission>
+      <permission>USER:hudson.model.Item.Read:admin</permission>
+      <permission>USER:hudson.model.Item.Discover:admin</permission>
+      <permission>USER:hudson.model.Item.Build:admin</permission>
+      <permission>USER:hudson.model.Item.Workspace:admin</permission>
+      <permission>USER:hudson.model.Item.Cancel:admin</permission>
+      <permission>USER:hudson.model.Run.Delete:admin</permission>
+      <permission>USER:hudson.model.Run.Replay:admin</permission>
+      <permission>USER:hudson.model.Run.Update:admin</permission>
+      <permission>USER:hudson.scm.SCM.Tag:admin</permission>
+      <permission>GROUP:hudson.model.Item.Discover:anonymous</permission>
+      <permission>GROUP:hudson.model.Item.Read:anonymous</permission>
+      <permission>GROUP:hudson.model.Item.ExtendedRead:anonymous</permission>
+      <permission>hudson.model.Item.Discover:authenticated</permission>
+      <permission>hudson.model.Item.Read:authenticated</permission>
    </hudson.security.AuthorizationMatrixProperty>
  </properties>
 </project>
--- a/tests/properties/fixtures/authorization_matrix.yaml
+++ b/tests/properties/fixtures/authorization_matrix.yaml
@ -1,6 +1,6 @@
 properties:
  - authorization:
-      admin:
+      USER:admin:
        - job-delete
        - job-configure
        - job-read
@ -12,7 +12,10 @@ properties:
        - run-replay
        - run-update
        - scm-tag
-      anonymous:
+      GROUP:anonymous:
        - job-discover
        - job-read
        - job-extended-read
+      authenticated:
+        - job-discover
+        - job-read