Expand Up @@ -122,7 +122,19 @@ public <C extends Credentials> List<C> getCredentials(@NonNull Class<C> type, @N
@NonNull List<DomainRequirement> domainRequirements) {
List<C> result = new ArrayList<>();
Set<String> ids = new HashSet<>();

// Check if Authentication is authorised to list the credentials
boolean isAuthorised = false;
if (ACL.SYSTEM.equals(authentication)) {
isAuthorised = true;
} else if (itemGroup instanceof AbstractFolder) {
final AbstractFolder<?> folder = AbstractFolder.class.cast(itemGroup);
if (folder.hasPermission(authentication, CredentialsProvider.USE_ITEM)) {
isAuthorised = true;
}
}
// Get credentials
if (isAuthorised) {
while (itemGroup != null) {
if (itemGroup instanceof AbstractFolder) {
final AbstractFolder<?> folder = AbstractFolder.class.cast(itemGroup);
Expand Down Expand Up @@ -178,7 +190,20 @@ public <C extends IdCredentials> ListBoxModel getCredentialIds(@NonNull Class<C>
@NonNull CredentialsMatcher matcher) {
ListBoxModel result = new ListBoxModel();
Set<String> ids = new HashSet<>();

// Check if Authentication is authorised to list the credentials
boolean isAuthorised = false;
if (ACL.SYSTEM.equals(authentication)) {
isAuthorised = true;
}
else if (itemGroup instanceof AbstractFolder) {
final AbstractFolder<?> folder = AbstractFolder.class.cast(itemGroup);
if (folder.hasPermission(authentication, CredentialsProvider.USE_ITEM)) {
Member


I think this should allow for listing credentials if the user can also configure the itemgroup (as they may be able to select a credential that the system (not they themselves) will use later

(note the follow syntax has not been checked)

Suggested change
if (folder.hasPermission(authentication, CredentialsProvider.USE_ITEM)) {
if (folder.hasPermission(authentication, CredentialsProvider.USE_ITEM) || folder.hasPermission(authentication, Item.CONFIGURE)) {

@daniel-beck I always have to think twice about this, but for listing the credential IDs the rule should be that you have configure on the item or the ability to use a credential (configure so you can select a credential that the job/system can use even if you cannot use it yourself; USE_ITEM in case you cannot configure the job, e.g. for the pipeline snippet generator at the job level when the pipeline is "as-code")?

Author


Hi, I'm assuming we're waiting for @daniel-beck 's response on this. Is there any indication on when we can expect that?

isAuthorised = true;
}
}
// Get credentials
if (isAuthorised) {
while (itemGroup != null) {
if (itemGroup instanceof AbstractFolder) {
final AbstractFolder<?> folder = AbstractFolder.class.cast(itemGroup);
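Review bot: The authorisation decision is written out twice, once in getCredentials (the block ahead of `// Get credentials`) and again in getCredentialIds, so any later change to who may list credentials has to be made in both places and the two copies can drift apart; one private helper called from both methods would keep the policy in a single spot. The check is evaluated only against the group the lookup starts from, while the `while (itemGroup != null)` loop appears to continue to parent groups outside the hunk; if USE_ITEM on the starting folder is meant to cover credentials inherited from its ancestors, a comment saying so at the check would make that explicit. A starting group that is not an AbstractFolder now yields nothing for every caller except ACL.SYSTEM, which fails closed but deserves its own test. Both method bodies begin and end outside the hunks shown.

```java
// Listing policy shared by getCredentials and getCredentialIds.
private static boolean mayListCredentials(ItemGroup itemGroup, Authentication authentication) {
    if (ACL.SYSTEM.equals(authentication)) {
        return true;
    }
    if (itemGroup instanceof AbstractFolder) {
        final AbstractFolder<?> folder = AbstractFolder.class.cast(itemGroup);
        // USE_ITEM is checked on the starting folder only; ancestors are not re-checked.
        return folder.hasPermission(authentication, CredentialsProvider.USE_ITEM);
    }
    return false; // fail closed for any other kind of group
}

// in both methods, replacing the isAuthorised block:
if (mayListCredentials(itemGroup, authentication)) {
    // … unchanged: while (itemGroup != null) walk over the folder stores …
```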
Expand Up @@ -82,17 +82,17 @@ public void foldersHaveTheirOwnStore() throws Exception {
@Test
public void credentialsAvailableAtFolderScope() throws Exception {
Folder f = createFolder();
List<StandardUsernamePasswordCredentials> asGroup =
CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class, (ItemGroup) f,
ACL.SYSTEM, Collections.emptyList());
List<StandardUsernamePasswordCredentials> asItem =
CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class, (Item) f,
ACL.SYSTEM, Collections.emptyList());
List<StandardUsernamePasswordCredentials> asGroup = CredentialsProvider.lookupCredentials(
StandardUsernamePasswordCredentials.class, (ItemGroup) f,
ACL.SYSTEM, Collections.emptyList());
List<StandardUsernamePasswordCredentials> asItem = CredentialsProvider.lookupCredentials(
StandardUsernamePasswordCredentials.class, (Item) f,
ACL.SYSTEM, Collections.emptyList());
assertThat(asGroup, is(asItem));
CredentialsStore folderStore = getFolderStore(f);
UsernamePasswordCredentialsImpl credentials =
new UsernamePasswordCredentialsImpl(CredentialsScope.GLOBAL, "test-id", "description", "test-user",
"secret");
UsernamePasswordCredentialsImpl credentials = new UsernamePasswordCredentialsImpl(CredentialsScope.GLOBAL,
"test-id", "description", "test-user",
"secret");
folderStore.addCredentials(Domain.global(), credentials);
asGroup = CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class, (ItemGroup) f,
ACL.SYSTEM, Collections.emptyList());
Expand All @@ -106,30 +106,87 @@ public void credentialsAvailableAtFolderScope() throws Exception {
@Test
public void credentialsListableAtFolderScope() throws Exception {
Folder f = createFolder();
ListBoxModel asGroup =
CredentialsProvider.listCredentials(StandardUsernamePasswordCredentials.class, (ItemGroup) f,
ACL.SYSTEM, Collections.emptyList(), CredentialsMatchers.always());
ListBoxModel asItem =
CredentialsProvider.listCredentials(StandardUsernamePasswordCredentials.class, (Item) f,
ACL.SYSTEM, Collections.emptyList(), CredentialsMatchers.always());
ListBoxModel asGroup = CredentialsProvider.listCredentials(StandardUsernamePasswordCredentials.class,
(ItemGroup) f,
ACL.SYSTEM, Collections.emptyList(), CredentialsMatchers.always());
ListBoxModel asItem = CredentialsProvider.listCredentials(StandardUsernamePasswordCredentials.class, (Item) f,
ACL.SYSTEM, Collections.emptyList(), CredentialsMatchers.always());
assertThat(asGroup, is(asItem));
assertThat(asGroup.size(), is(0));
assertThat(asItem.size(), is(0));
CredentialsStore folderStore = getFolderStore(f);
UsernamePasswordCredentialsImpl credentials =
new UsernamePasswordCredentialsImpl(CredentialsScope.GLOBAL, "test-id", "description", "test-user",
"secret");
UsernamePasswordCredentialsImpl credentials = new UsernamePasswordCredentialsImpl(CredentialsScope.GLOBAL,
"test-id", "description", "test-user",
"secret");
folderStore.addCredentials(Domain.global(), credentials);
asGroup = CredentialsProvider.listCredentials(StandardUsernamePasswordCredentials.class, (ItemGroup) f,
ACL.SYSTEM, Collections.emptyList(), CredentialsMatchers.always());
ACL.SYSTEM, Collections.emptyList(), CredentialsMatchers.always());
asItem = CredentialsProvider.listCredentials(StandardUsernamePasswordCredentials.class, (Item) f,
ACL.SYSTEM, Collections.emptyList(), CredentialsMatchers.always());
ACL.SYSTEM, Collections.emptyList(), CredentialsMatchers.always());
assertThat(asGroup.size(), is(1));
assertThat(asGroup.get(0).value, is("test-id"));
assertThat(asItem.size(), is(1));
assertThat(asItem.get(0).value, is("test-id"));
}

@Test
public void credentialsListableAtFolderScope_when_builtAsUserWithUseItem() throws Exception {
JenkinsRule.DummySecurityRealm realm = r.createDummySecurityRealm();
r.jenkins.setSecurityRealm(realm);

MockAuthorizationStrategy strategy = new MockAuthorizationStrategy();
strategy.grant(CredentialsProvider.USE_ITEM).everywhere().to("bob");
strategy.grant(Item.BUILD).everywhere().to("bob");
strategy.grant(Computer.BUILD).everywhere().to("bob");

r.jenkins.setAuthorizationStrategy(strategy);

Folder f = createFolder();
FreeStyleProject prj = f.createProject(FreeStyleProject.class, "job");
ListBoxModel asItem = CredentialsProvider.listCredentials(StandardUsernamePasswordCredentials.class, (Item) prj,
User.getOrCreateByIdOrFullName("bob").impersonate(), Collections.emptyList(),
CredentialsMatchers.always());
assertThat(asItem.size(), is(0));
CredentialsStore folderStore = getFolderStore(f);
UsernamePasswordCredentialsImpl credentials = new UsernamePasswordCredentialsImpl(CredentialsScope.GLOBAL,
"test-id", "description", "test-user",
"secret");
folderStore.addCredentials(Domain.global(), credentials);
asItem = CredentialsProvider.listCredentials(StandardUsernamePasswordCredentials.class, (Item) prj,
User.getOrCreateByIdOrFullName("bob").impersonate(), Collections.emptyList(),
CredentialsMatchers.always());
assertThat(asItem.size(), is(1));
assertThat(asItem.get(0).value, is("test-id"));
}

@Test
public void credentialsListableAtFolderScope_when_builtAsUserWithoutUseItem() throws Exception {
JenkinsRule.DummySecurityRealm realm = r.createDummySecurityRealm();
r.jenkins.setSecurityRealm(realm);

MockAuthorizationStrategy strategy = new MockAuthorizationStrategy();
strategy.grant(Item.BUILD).everywhere().to("bob");
strategy.grant(Computer.BUILD).everywhere().to("bob");

r.jenkins.setAuthorizationStrategy(strategy);

Folder f = createFolder();
FreeStyleProject prj = f.createProject(FreeStyleProject.class, "job");
ListBoxModel asItem = CredentialsProvider.listCredentials(StandardUsernamePasswordCredentials.class, (Item) prj,
User.getOrCreateByIdOrFullName("bob").impersonate(), Collections.emptyList(),
CredentialsMatchers.always());
assertThat(asItem.size(), is(0));
CredentialsStore folderStore = getFolderStore(f);
UsernamePasswordCredentialsImpl credentials = new UsernamePasswordCredentialsImpl(CredentialsScope.GLOBAL,
"test-id", "description", "test-user",
"secret");
folderStore.addCredentials(Domain.global(), credentials);
asItem = CredentialsProvider.listCredentials(StandardUsernamePasswordCredentials.class, (Item) prj,
User.getOrCreateByIdOrFullName("bob").impersonate(), Collections.emptyList(),
CredentialsMatchers.always());
assertThat(asItem.size(), is(0));
}

@Test
public void given_folderCredential_when_builtAsSystem_then_credentialFound() throws Exception {
Folder f = createFolder();
Expand Down Expand Up @@ -198,10 +255,11 @@ public void given_folderCredential_when_builtAsUserWithoutUseItem_then_credentia
}

@Test
public void given_folderAndSystemCredentials_when_builtAsUserWithUseItem_then_folderCredentialFound() throws Exception {
public void given_folderAndSystemCredentials_when_builtAsUserWithUseItem_then_folderCredentialFound()
throws Exception {
SystemCredentialsProvider.getInstance().getCredentials().add(
new UsernamePasswordCredentialsImpl(CredentialsScope.GLOBAL, "foo-manchu", "You don't want me", "bar", "fly")
);
new UsernamePasswordCredentialsImpl(CredentialsScope.GLOBAL, "foo-manchu", "You don't want me", "bar",
"fly"));
Folder f = createFolder();
CredentialsStore folderStore = getFolderStore(f);
folderStore.addCredentials(Domain.global(),
Expand Down Expand Up @@ -237,10 +295,11 @@ public void given_folderAndSystemCredentials_when_builtAsUserWithUseItem_then_fo
}

@Test
public void given_nestedFolderAndSystemCredentials_when_builtAsUserWithUseItem_then_folderCredentialFound() throws Exception {
public void given_nestedFolderAndSystemCredentials_when_builtAsUserWithUseItem_then_folderCredentialFound()
throws Exception {
SystemCredentialsProvider.getInstance().getCredentials().add(
new UsernamePasswordCredentialsImpl(CredentialsScope.GLOBAL, "foo-manchu", "You don't want me", "bar", "fly")
);
new UsernamePasswordCredentialsImpl(CredentialsScope.GLOBAL, "foo-manchu", "You don't want me", "bar",
"fly"));
Folder f = createFolder();
CredentialsStore folderStore = getFolderStore(f);
folderStore.addCredentials(Domain.global(),
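Review bot: Both new tests, credentialsListableAtFolderScope_when_builtAsUserWithUseItem and its WithoutUseItem counterpart, grant bob's permissions with `.everywhere()`, so they never exercise the case the folder check exists for: USE_ITEM held on one folder but not on another. A test with a scoped grant, for example `strategy.grant(CredentialsProvider.USE_ITEM).onItems(f).to("bob")`, that then lists from a job in a second folder and from a nested folder would pin down where the boundary lies. The names also say "builtAs" although nothing is built in these tests; "listedAs" would describe them better. The formatting-only rewraps in the rest of this file make the behavioural additions harder to spot and would be easier to review as a separate commit.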