Integrated the new PermissionManager API to the existing structure

Signed-off-by: Pratham Vaghela <prathamcomeslast@gmail.com>

Author: prathamalwayscomeslast

src/main/java/com/sap/prd/jenkins/plugins/agent_maintenance/MaintenanceAction.java

@@ -14,7 +14,6 @@
 import java.io.IOException;
 import java.time.LocalDateTime;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
@@ -61,33 +60,12 @@ public boolean isVisible() {
       if (!MaintenanceHelper.getInstance().isValidTarget(target.toKey())) {
         return false;
       }
-
-      if (isAgent()) {
-        Computer computer = Jenkins.get().getComputer(target.getName());
-        return computer != null
-                && (computer.hasPermission(Computer.DISCONNECT)
-                        || computer.hasPermission(Computer.CONFIGURE)
-                        || computer.hasPermission(Computer.EXTENDED_READ))
-                && computer.getNode() != null;
-      }
-      return Jenkins.get().hasPermission(Jenkins.ADMINISTER);
+      return PermissionManager.canView(target);
     } catch (IOException e) {
       return false;
     }
   }
 
-  protected void checkPermission(Permission... permissions) {
-    if (isAgent()) {
-      Computer c = Jenkins.get().getComputer(target.getName());
-      if (c == null) {
-        throw new IllegalStateException("Agent '" + target.getName() + "' no longer exists");
-      }
-      c.checkAnyPermission(permissions);
-    } else { // For cloud
-      Jenkins.get().checkPermission(Jenkins.ADMINISTER);
-    }
-  }
-
   @Override
   public String getIconFileName() {
     if (isVisible()) {
@@ -100,7 +78,7 @@ public String getIconFileName() {
   @Override
   public String getDisplayName() {
     if (isVisible()) {
-      if (hasPermissions()) {
+      if (PermissionManager.canModify(target)) {
         return Messages.MaintenanceAction_maintenanceWindows();
       } else {
         return Messages.MaintenanceAction_view();
@@ -179,58 +157,30 @@ public Computer getAgentComputer() {
   }
 
   /**
-   * Checks if the user has permissions to access MaintenanceWindows.
+   * Checks if the user can view maintenance windows for this target (called by jelly).
    *
-   * @return true if they do.
+   * @return true if they can view.
    */
   public boolean hasPermissions() {
-    if (isAgent()) {
-      Computer c = Jenkins.get().getComputer(target.getName());
-      return c != null
-              && (c.hasPermission(Computer.DISCONNECT)
-              || c.hasPermission(Computer.CONFIGURE)
-              || c.hasPermission(Computer.EXTENDED_READ));
-    } else {
-      return Jenkins.get().hasPermission(Jenkins.ADMINISTER);
-    }
+    return PermissionManager.canView(target);
   }
 
   /**
-   * Checks the given permissions.
+   * Checks if the user can add or edit maintenance windows for this target (called by jelly).
    *
-   * @param permissions A group of permissions to be checked.
-   * @return true if all permissions are granted.
+   * @return true if they can modify.
    */
-  public boolean hasPermissions(Permission... permissions) {
-    if (isAgent()) {
-      Computer c = Jenkins.get().getComputer(target.getName());
-      return c != null && Arrays.stream(permissions).allMatch(c::hasPermission);
-    } else {
-      return Jenkins.get().hasPermission(Jenkins.ADMINISTER);
-    }
+  public boolean hasModifyPermission() {
+    return PermissionManager.canModify(target);
   }
 
   /**
-   * Checks if the user has permissions to delete MaintenanceWindows.
+   * Checks if the user can delete maintenance windows for this target.
    *
-   * @return true if they do.
+   * @return true if they can delete.
    */
   public boolean hasDeletePermission() {
-    if (isAgent()) {
-      Computer c = Jenkins.get().getComputer(target.getName());
-      return c != null && (c.hasPermission(Computer.DISCONNECT) || c.hasPermission(Computer.CONFIGURE));
-    } else {
-      return Jenkins.get().hasPermission(Jenkins.ADMINISTER);
-    }
-  }
-
-  /**
-   * Checks if the user has permissions to delete Cloud windows.
-   *
-   * @return true if they do.
-   */
-  public boolean hasCloudDeletePermission() {
-    return Jenkins.get().hasPermission(Jenkins.ADMINISTER);
+    return PermissionManager.canDelete(target);
   }
 
   /**
@@ -318,7 +268,7 @@ public Set<RecurringMaintenanceWindow> getRecurringMaintenanceWindows() {
    */
   @POST
   public HttpResponse doAdd(StaplerRequest2 req) throws IOException, ServletException {
-    checkPermission(CONFIGURE_AND_DISCONNECT);
+    PermissionManager.checkCanModify(target);
 
     JSONObject src = req.getSubmittedForm();
     MaintenanceWindow mw = req.bindJSON(MaintenanceWindow.class, src);
@@ -336,7 +286,7 @@ public HttpResponse doAdd(StaplerRequest2 req) throws IOException, ServletExcept
    */
   @POST
   public void doAddRecurring(StaplerRequest2 req, StaplerResponse2 rsp) throws IOException, ServletException {
-    checkPermission(CONFIGURE_AND_DISCONNECT);
+    PermissionManager.checkCanModify(target);
 
     JSONObject src = req.getSubmittedForm();
     RecurringMaintenanceWindow rmw = req.bindJSON(RecurringMaintenanceWindow.class, src);
@@ -351,7 +301,7 @@ public void doAddRecurring(StaplerRequest2 req, StaplerResponse2 rsp) throws IOE
    */
   @JavaScriptMethod
   public String[] deleteMultiple(String[] ids) {
-    checkPermission(CONFIGURE_AND_DISCONNECT);
+    PermissionManager.checkCanDelete(target);
     List<String> deletedList = new ArrayList<>();
     for (String id : ids) {
       try {
@@ -372,7 +322,7 @@ public String[] deleteMultiple(String[] ids) {
   @JavaScriptMethod
   public Map<String, Boolean> getMaintenanceStatus() {
     Map<String, Boolean> statusList = new HashMap<>();
-    if (hasPermissions()) {
+    if (PermissionManager.canView(target)) {
       try {
         for (MaintenanceWindow mw : MaintenanceHelper.getInstance().getMaintenanceWindows(target.toKey())) {
           if (!mw.isMaintenanceOver()) {
@@ -393,7 +343,7 @@ public Map<String, Boolean> getMaintenanceStatus() {
    */
   @JavaScriptMethod
   public String[] deleteMultipleRecurring(String[] ids) {
-    checkPermission(CONFIGURE_AND_DISCONNECT);
+    PermissionManager.checkCanDelete(target);
     List<String> deletedList = new ArrayList<>();
     for (String id : ids) {
       try {
@@ -414,7 +364,7 @@ public String[] deleteMultipleRecurring(String[] ids) {
   @JavaScriptMethod
   public boolean deleteMaintenance(String id) {
     try {
-      checkPermission(CONFIGURE_AND_DISCONNECT);
+      PermissionManager.checkCanDelete(target);
       if (Util.fixEmptyAndTrim(id) == null) {
         return false;
       }
@@ -439,7 +389,7 @@ public boolean deleteMaintenance(String id) {
   @JavaScriptMethod
   public boolean deleteRecurringMaintenance(String id) {
     try {
-      checkPermission(CONFIGURE_AND_DISCONNECT);
+      PermissionManager.checkCanDelete(target);
       if (Util.fixEmptyAndTrim(id) == null) {
         return false;
       }
@@ -466,7 +416,7 @@ public boolean deleteRecurringMaintenance(String id) {
    */
   @POST
   public synchronized HttpResponse doConfigSubmit(StaplerRequest2 req) throws IOException, ServletException {
-    checkPermission(Computer.CONFIGURE);
+    PermissionManager.checkCanModify(target);
 
     JSONObject src = req.getSubmittedForm();
 
@@ -497,7 +447,7 @@ public synchronized HttpResponse doConfigSubmit(StaplerRequest2 req) throws IOEx
   public void doEnable(StaplerResponse2 rsp) throws IOException {
     Computer c = getAgentComputer();
     if (c != null) {
-      c.checkPermission(Computer.CONFIGURE);
+      PermissionManager.checkCanModify(target);
       MaintenanceHelper.getInstance().injectRetentionStrategy(c);
     }
     rsp.sendRedirect(".");
@@ -513,7 +463,7 @@ public void doEnable(StaplerResponse2 rsp) throws IOException {
   public void doDisable(StaplerResponse2 rsp) throws IOException {
     Computer c = getAgentComputer();
     if (c != null) {
-      c.checkPermission(Computer.CONFIGURE);
+      PermissionManager.checkCanModify(target);
       MaintenanceHelper.getInstance().removeRetentionStrategy(c);
     }
 
@@ -533,10 +483,14 @@ public void doIndex(StaplerRequest2 req, StaplerResponse2 rsp)
         rsp.sendError(HttpServletResponse.SC_NOT_FOUND);  // 404
         return;
       }
-      c.checkAnyPermission(Computer.EXTENDED_READ, Computer.CONFIGURE, Computer.DISCONNECT);
     } else {
-      Jenkins.get().checkPermission(Jenkins.ADMINISTER);
+      Cloud cloud = getCloud();
+      if (cloud == null) {
+        rsp.sendError(HttpServletResponse.SC_NOT_FOUND);
+        return;
+      }
     }
+    PermissionManager.checkCanView(target);
 
     req.getView(this, "index.jelly").forward(req, rsp);
   }

src/main/java/com/sap/prd/jenkins/plugins/agent_maintenance/MaintenanceLink.java

@@ -53,14 +53,18 @@ public String getDescription() {
 
   @Override
   public String getDisplayName() {
-    boolean hasClouds = !getCloudTargets().isEmpty();
-    boolean hasAgents = !getAgentTargets().isEmpty();
+    List<MaintenanceAction> all = getTargets();
+    boolean hasAgents = all.stream().anyMatch(MaintenanceAction::isAgent);
+    boolean hasClouds = all.stream().anyMatch(MaintenanceAction::isCloud);
+
     if (hasAgents && !hasClouds) {
       return Messages.MaintenanceLink_displayName_agent();
     }
+
     if (hasClouds && !hasAgents) {
       return Messages.MaintenanceLink_displayName_cloud();
     }
+
     return Messages.MaintenanceLink_displayName();
   }
 
@@ -110,11 +114,13 @@ public List<MaintenanceAction> getTargets() {
       }
     }
 
-    return targetList;
+    return targetList.stream()
+        .filter(action -> PermissionManager.canView(action.getTarget()))
+        .toList();
   }
 
   /**
-   * Gets all Agents' maintenance actions.
+   * Gets all Agents' maintenance actions (called by jelly).
    *
    * @return List of all Agent actions.
    */
@@ -126,7 +132,7 @@ public List<MaintenanceAction> getAgentTargets() {
   }
 
   /**
-   * Gets all Clouds' maintenance actions.
+   * Gets all Clouds' maintenance actions (called by jelly).
    *
    * @return List of all Cloud actions.
    */
@@ -222,7 +228,8 @@ private String getVerb(int count, String target) {
    */
   @JavaScriptMethod
   public boolean deleteMaintenance(String id, String targetKey) {
-    if (hasPermission(targetKey)) {
+    MaintenanceTarget target = MaintenanceTarget.fromKey(targetKey);
+    if (PermissionManager.canDelete(target)) {
       try {
         MaintenanceHelper.getInstance().deleteMaintenanceWindow(targetKey, id);
         return true;
@@ -245,7 +252,8 @@ public String[] deleteMultiple(JSONObject json) {
     List<String> deletedList = new ArrayList<>();
     for (Entry<String, String> entry : mwList.entrySet()) {
       String targetKey = entry.getValue();
-      if (hasPermission(targetKey)) {
+      MaintenanceTarget target = MaintenanceTarget.fromKey(targetKey);
+      if (PermissionManager.canDelete(target)) {
         String id = entry.getKey();
         try {
           MaintenanceHelper.getInstance().deleteMaintenanceWindow(targetKey, id);
@@ -268,16 +276,14 @@ public Map<String, Boolean> getMaintenanceStatus() {
     Map<String, Boolean> statusList = new HashMap<>();
     for (MaintenanceAction action : getTargets()) {
       try {
-        if (!action.hasPermissions()) {
+        if (!PermissionManager.canView(action.getTarget())) {
           continue;
         }
 
         MaintenanceTarget target = action.getTarget();
-        if (target != null) {
-          for (MaintenanceWindow mw : MaintenanceHelper.getInstance().getMaintenanceWindows(target.toKey())) {
-            if (!mw.isMaintenanceOver()) {
-              statusList.put(mw.getId(), mw.isMaintenanceScheduled());
-            }
+        for (MaintenanceWindow mw : MaintenanceHelper.getInstance().getMaintenanceWindows(target.toKey())) {
+          if (!mw.isMaintenanceOver()) {
+            statusList.put(mw.getId(), mw.isMaintenanceScheduled());
           }
         }
       } catch (IOException ioe) {
@@ -287,11 +293,6 @@ public Map<String, Boolean> getMaintenanceStatus() {
     return statusList;
   }
 
-  private boolean hasPermission(String targetKey) {
-    MaintenanceAction action = new MaintenanceAction(MaintenanceTarget.fromKey(targetKey));
-    return action.hasPermissions();
-  }
-
   @Restricted(NoExternalUse.class)
   public FormValidation doCheckLabel(@QueryParameter String value) {
     return LabelExpression.validate(value);

src/main/java/com/sap/prd/jenkins/plugins/agent_maintenance/PermissionManager.java

@@ -3,6 +3,7 @@
 import hudson.model.Computer;
 import hudson.security.AccessDeniedException3;
 import hudson.security.Permission;
+import java.util.Arrays;
 import jenkins.model.Jenkins;
 
 /**
@@ -58,6 +59,28 @@ public static boolean canDelete(MaintenanceTarget target) {
     return canModify(target); // same threshold for now
   }
 
+  /**
+   * Returns true if the current user has the given permissions for this target.
+   *
+   * @param target the target to check permissions for
+   * @param checkAll if true, all permissions must be granted; otherwise any permission is sufficient
+   * @param permissions the permissions to check for
+   *
+   * @return true if the user has the given permissions
+   */
+  public static boolean hasPermissions(MaintenanceTarget target, boolean checkAll, Permission... permissions) {
+    return switch (target.getType()) {
+      case AGENT -> {
+        Computer c = getComputer(target);
+        yield c != null
+            && (checkAll ? Arrays.stream(permissions).allMatch(c::hasPermission)
+            : Arrays.stream(permissions).anyMatch(c::hasPermission));
+      }
+      case CLOUD -> checkAll ? Arrays.stream(permissions).allMatch(Jenkins.get()::hasPermission)
+          : Arrays.stream(permissions).anyMatch(Jenkins.get()::hasPermission);
+    };
+  }
+
   /**
    * Throws AccessDeniedException if the user cannot VIEW.
    */
@@ -91,6 +114,31 @@ public static void checkCanDelete(MaintenanceTarget target) {
     }
   }
 
+  /**
+   * Throws AccessDeniedException if the user does not have the given permissions.
+   *
+   * @param target the target to check permissions for
+   * @param checkAll if true, all permissions must be granted; otherwise any permission is sufficient
+   * @param permissions the permissions to check for
+   *
+   * @throws AccessDeniedException3 if the user does not have the required permissions
+   */
+  public static void checkHasPermissions(MaintenanceTarget target, boolean checkAll, Permission... permissions) {
+    if (hasPermissions(target, checkAll, permissions)) {
+      return;
+    }
+
+    if (checkAll) {
+      Permission missing = Arrays.stream(permissions)
+        .filter(p -> !hasPermissions(target, true, p))
+        .findFirst()
+        .orElse(permissions[0]);
+      throwDenied(missing);
+    } else {
+      throwDenied(permissions[0]);
+    }
+  }
+
   private static Computer getComputer(MaintenanceTarget target) {
     return Jenkins.get().getComputer(target.getName());
   }