Fix Authorization Matrix property - inheritance strategy

Up until now <inheritanceStrategy> tag was only added to jobs-in-a-folder
and folder configs. In JJB the tag's class is always set to
"InheritParentStrategy" which according to the docs means the "item will
inherit its parent items permissions". Apparently <inheritanceStrategy>
tag needs to be present on top-level jobs also. For top-level jobs
setting the tag's class value to "InheritParentStrategy" means the job
"will inherit the global security security settings" and this is the
default behavior.

The code has simplified a bit - if it's a folder then we use a different
property name for authorization matrix property, other than that the
code is the same for all three "variants": folder, job-in-a-folder and
job-outside-a-folder (top-level job).

Also this change fixes the missing <inheritanceStrategy> tag for
job-in-a-folder, where the folder name was specified as part of the
"name" key instead of the standalone "folder" key. With this change we
no longer check if a job is in a folder or not, so it's implicitly
fixed. Added a test case to catch potential regressions in the future.

The copyright notice reflects this and the previous contribution in this
module.

Change-Id: I84b22c09c8a107aab2b4eca20feffc9b61675a92
This commit is contained in:
Adam Romanek 2020-07-15 13:11:33 +02:00
parent 28e43831e9
commit 703a76650f
6 changed files with 43 additions and 22 deletions

View File

@ -1,4 +1,5 @@
# Copyright 2012 Hewlett-Packard Development Company, L.P.
# Copyright 2020 Liberty Global B.V.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -518,9 +519,6 @@ def authorization(registry, xml_parent, data):
:language: yaml
"""
# get the folder name if it exists
in_a_folder = data.pop("_use_folder_perms", None) if data else None
# check if it's a folder or a job
is_a_folder = data.pop("_is_a_folder", None) if data else False
@ -551,23 +549,18 @@ def authorization(registry, xml_parent, data):
}
if data:
if in_a_folder:
if is_a_folder:
element_name = "com.cloudbees.hudson.plugins.folder.properties.AuthorizationMatrixProperty"
else:
element_name = "hudson.security.AuthorizationMatrixProperty"
matrix = XML.SubElement(xml_parent, element_name)
XML.SubElement(
matrix,
"inheritanceStrategy",
{
"class": "org.jenkinsci.plugins.matrixauth.inheritance.InheritParentStrategy"
},
)
if is_a_folder:
element_name = "com.cloudbees.hudson.plugins.folder.properties.AuthorizationMatrixProperty"
else:
matrix = XML.SubElement(
xml_parent, "hudson.security.AuthorizationMatrixProperty"
)
element_name = "hudson.security.AuthorizationMatrixProperty"
matrix = XML.SubElement(xml_parent, element_name)
XML.SubElement(
matrix,
"inheritanceStrategy",
{
"class": "org.jenkinsci.plugins.matrixauth.inheritance.InheritParentStrategy"
},
)
for (username, perms) in data.items():
for perm in perms:
@ -1271,13 +1264,10 @@ class Properties(jenkins_jobs.modules.base.Base):
# Only projects are placed in folders
if "project-type" in data:
if data["project-type"] in ("folder", "multibranch"):
prop["authorization"]["_use_folder_perms"] = True
prop["authorization"]["_is_a_folder"] = True
else:
prop["authorization"]["_use_folder_perms"] = "folder" in data
prop["authorization"]["_is_a_folder"] = False
else:
prop["authorization"]["_use_folder_perms"] = False
prop["authorization"]["_is_a_folder"] = False
self.registry.dispatch("property", properties, prop)

View File

@ -2,6 +2,7 @@
<project>
<properties>
<hudson.security.AuthorizationMatrixProperty>
<inheritanceStrategy class="org.jenkinsci.plugins.matrixauth.inheritance.InheritParentStrategy"/>
<permission>com.cloudbees.plugins.credentials.CredentialsProvider.Create:admin</permission>
<permission>com.cloudbees.plugins.credentials.CredentialsProvider.Delete:admin</permission>
<permission>com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains:admin</permission>

View File

@ -2,6 +2,7 @@
<project>
<properties>
<hudson.security.AuthorizationMatrixProperty>
<inheritanceStrategy class="org.jenkinsci.plugins.matrixauth.inheritance.InheritParentStrategy"/>
<permission>hudson.model.Item.Delete:admin</permission>
<permission>hudson.model.Item.Configure:admin</permission>
<permission>hudson.model.Item.Read:admin</permission>

View File

@ -0,0 +1,20 @@
<?xml version="1.0" encoding="utf-8"?>
<project>
<actions/>
<description>&lt;!-- Managed by Jenkins Job Builder --&gt;</description>
<keepDependencies>false</keepDependencies>
<blockBuildWhenDownstreamBuilding>false</blockBuildWhenDownstreamBuilding>
<blockBuildWhenUpstreamBuilding>false</blockBuildWhenUpstreamBuilding>
<concurrentBuild>false</concurrentBuild>
<canRoam>true</canRoam>
<properties>
<hudson.security.AuthorizationMatrixProperty>
<inheritanceStrategy class="org.jenkinsci.plugins.matrixauth.inheritance.InheritParentStrategy"/>
<permission>hudson.model.Item.Build:auser</permission>
</hudson.security.AuthorizationMatrixProperty>
</properties>
<scm class="hudson.scm.NullSCM"/>
<builders/>
<publishers/>
<buildWrappers/>
</project>

View File

@ -0,0 +1,8 @@
- job:
# folder name specified as part of job name
name: auth-jobs/auth-job-test
project-type: freestyle
properties:
- authorization:
auser:
- job-build

View File

@ -14,6 +14,7 @@
<canRoam>true</canRoam>
<properties>
<hudson.security.AuthorizationMatrixProperty>
<inheritanceStrategy class="org.jenkinsci.plugins.matrixauth.inheritance.InheritParentStrategy"/>
<permission>hudson.model.Item.Build:auser</permission>
</hudson.security.AuthorizationMatrixProperty>
</properties>