Fix Authorization Matrix property - inheritance strategy

Up until now <inheritanceStrategy> tag was only added to jobs-in-a-folder and folder configs. In JJB the tag's class is always set to "InheritParentStrategy" which according to the docs means the "item will inherit its parent items permissions". Apparently <inheritanceStrategy> tag needs to be present on top-level jobs also. For top-level jobs setting the tag's class value to "InheritParentStrategy" means the job "will inherit the global security security settings" and this is the default behavior. The code has simplified a bit - if it's a folder then we use a different property name for authorization matrix property, other than that the code is the same for all three "variants": folder, job-in-a-folder and job-outside-a-folder (top-level job). Also this change fixes the missing <inheritanceStrategy> tag for job-in-a-folder, where the folder name was specified as part of the "name" key instead of the standalone "folder" key. With this change we no longer check if a job is in a folder or not, so it's implicitly fixed. Added a test case to catch potential regressions in the future. The copyright notice reflects this and the previous contribution in this module. Change-Id: I84b22c09c8a107aab2b4eca20feffc9b61675a92
2020-07-15 13:11:33 +02:00 · 2020-07-15 13:11:33 +02:00 · 703a76650f
parent 28e43831e9
commit 703a76650f
6 changed files with 43 additions and 22 deletions
--- a/jenkins_jobs/modules/properties.py
+++ b/jenkins_jobs/modules/properties.py
@ -1,4 +1,5 @@
 # Copyright 2012 Hewlett-Packard Development Company, L.P.
+# Copyright 2020 Liberty Global B.V.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@ -518,9 +519,6 @@ def authorization(registry, xml_parent, data):
       :language: yaml
    """

-    # get the folder name if it exists
-    in_a_folder = data.pop("_use_folder_perms", None) if data else None
-
    # check if it's a folder or a job
    is_a_folder = data.pop("_is_a_folder", None) if data else False

@ -551,23 +549,18 @@ def authorization(registry, xml_parent, data):
    }

    if data:
-        if in_a_folder:
-            if is_a_folder:
-                element_name = "com.cloudbees.hudson.plugins.folder.properties.AuthorizationMatrixProperty"
-            else:
-                element_name = "hudson.security.AuthorizationMatrixProperty"
-            matrix = XML.SubElement(xml_parent, element_name)
-            XML.SubElement(
-                matrix,
-                "inheritanceStrategy",
-                {
-                    "class": "org.jenkinsci.plugins.matrixauth.inheritance.InheritParentStrategy"
-                },
-            )
+        if is_a_folder:
+            element_name = "com.cloudbees.hudson.plugins.folder.properties.AuthorizationMatrixProperty"
        else:
-            matrix = XML.SubElement(
-                xml_parent, "hudson.security.AuthorizationMatrixProperty"
-            )
+            element_name = "hudson.security.AuthorizationMatrixProperty"
+        matrix = XML.SubElement(xml_parent, element_name)
+        XML.SubElement(
+            matrix,
+            "inheritanceStrategy",
+            {
+                "class": "org.jenkinsci.plugins.matrixauth.inheritance.InheritParentStrategy"
+            },
+        )

        for (username, perms) in data.items():
            for perm in perms:
@ -1271,13 +1264,10 @@ class Properties(jenkins_jobs.modules.base.Base):
                # Only projects are placed in folders
                if "project-type" in data:
                    if data["project-type"] in ("folder", "multibranch"):
-                        prop["authorization"]["_use_folder_perms"] = True
                        prop["authorization"]["_is_a_folder"] = True
                    else:
-                        prop["authorization"]["_use_folder_perms"] = "folder" in data
                        prop["authorization"]["_is_a_folder"] = False
                else:
-                    prop["authorization"]["_use_folder_perms"] = False
                    prop["authorization"]["_is_a_folder"] = False

            self.registry.dispatch("property", properties, prop)
--- a/tests/properties/fixtures/authorization.xml
+++ b/tests/properties/fixtures/authorization.xml
@ -2,6 +2,7 @@
 <project>
  <properties>
    <hudson.security.AuthorizationMatrixProperty>
+      <inheritanceStrategy class="org.jenkinsci.plugins.matrixauth.inheritance.InheritParentStrategy"/>
      <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Create:admin</permission>
      <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Delete:admin</permission>
      <permission>com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains:admin</permission>
--- a/tests/properties/fixtures/authorization_matrix.xml
+++ b/tests/properties/fixtures/authorization_matrix.xml
@ -2,6 +2,7 @@
 <project>
  <properties>
    <hudson.security.AuthorizationMatrixProperty>
+      <inheritanceStrategy class="org.jenkinsci.plugins.matrixauth.inheritance.InheritParentStrategy"/>
      <permission>hudson.model.Item.Delete:admin</permission>
      <permission>hudson.model.Item.Configure:admin</permission>
      <permission>hudson.model.Item.Read:admin</permission>
--- a/tests/yamlparser/fixtures/auth-jobs/project-in-folder-with-auth-properties2.xml
+++ b/tests/yamlparser/fixtures/auth-jobs/project-in-folder-with-auth-properties2.xml
@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="utf-8"?>
+<project>
+  <actions/>
+  <description>&lt;!-- Managed by Jenkins Job Builder --&gt;</description>
+  <keepDependencies>false</keepDependencies>
+  <blockBuildWhenDownstreamBuilding>false</blockBuildWhenDownstreamBuilding>
+  <blockBuildWhenUpstreamBuilding>false</blockBuildWhenUpstreamBuilding>
+  <concurrentBuild>false</concurrentBuild>
+  <canRoam>true</canRoam>
+  <properties>
+    <hudson.security.AuthorizationMatrixProperty>
+      <inheritanceStrategy class="org.jenkinsci.plugins.matrixauth.inheritance.InheritParentStrategy"/>
+      <permission>hudson.model.Item.Build:auser</permission>
+    </hudson.security.AuthorizationMatrixProperty>
+  </properties>
+  <scm class="hudson.scm.NullSCM"/>
+  <builders/>
+  <publishers/>
+  <buildWrappers/>
+</project>
--- a/tests/yamlparser/fixtures/project-in-folder-with-auth-properties2.yaml
+++ b/tests/yamlparser/fixtures/project-in-folder-with-auth-properties2.yaml
@ -0,0 +1,8 @@
+- job:
+    # folder name specified as part of job name
+    name: auth-jobs/auth-job-test
+    project-type: freestyle
+    properties:
+    - authorization:
+        auser:
+          - job-build
--- a/tests/yamlparser/fixtures/project-with-auth-properties.xml
+++ b/tests/yamlparser/fixtures/project-with-auth-properties.xml
@ -14,6 +14,7 @@
  <canRoam>true</canRoam>
  <properties>
    <hudson.security.AuthorizationMatrixProperty>
+      <inheritanceStrategy class="org.jenkinsci.plugins.matrixauth.inheritance.InheritParentStrategy"/>
      <permission>hudson.model.Item.Build:auser</permission>
    </hudson.security.AuthorizationMatrixProperty>
  </properties>