Add agent-secret endpoint to SlaveComputer

adhamahmad · adhamahmad · commit 4e2cf11e4bd7 · 2025-12-29T22:01:29.000+02:00
Introduces a new /agent-secret web method in SlaveComputer to expose the agent's JNLP MAC. Adds corresponding tests to verify access control and response correctness for users with and without the required permission.
diff --git a/core/src/main/java/hudson/slaves/SlaveComputer.java b/core/src/main/java/hudson/slaves/SlaveComputer.java
@@ -56,6 +56,7 @@
 import hudson.security.ACLContext;
 import hudson.slaves.OfflineCause.ChannelTermination;
 import hudson.util.Futures;
+import hudson.util.HttpResponses;
 import hudson.util.RingBufferLogHandler;
 import hudson.util.StreamTaskListener;
 import hudson.util.VersionNumber;
@@ -890,6 +891,15 @@ public HttpResponse doJenkinsAgentJnlp(StaplerRequest2 req, StaplerResponse2 res
         return new EncryptedSlaveAgentJnlpFile(this, "jenkins-agent.jnlp.jelly", getName(), CONNECT);
     }
 
+    @WebMethod(name = "agent-secret")
+    public HttpResponse doAgentSecret(StaplerRequest2 req, StaplerResponse2 rsp) throws  IOException {
+        checkPermission(CONNECT);
+
+        rsp.setContentType("text/plain;charset=UTF-8");
+        rsp.getWriter().write(getJnlpMac());
+        return HttpResponses.ok();
+    }
+
     class LowPermissionResponse {
         @WebMethod(name = "jenkins-agent.jnlp")
         public HttpResponse doJenkinsAgentJnlp(StaplerRequest2 req, StaplerResponse2 res) {
diff --git a/test/src/test/java/hudson/slaves/SlaveComputerTest.java b/test/src/test/java/hudson/slaves/SlaveComputerTest.java
@@ -32,6 +32,7 @@
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.junit.jupiter.api.Assumptions.assumeFalse;
 
@@ -48,6 +49,8 @@
 import jenkins.model.Jenkins;
 import net.sf.json.JSONNull;
 import net.sf.json.JSONObject;
+import org.htmlunit.FailingHttpStatusCodeException;
+import org.htmlunit.Page;
 import org.htmlunit.WebResponse;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
@@ -228,4 +231,51 @@ private String getRemoteFS(Node node, String user) throws Exception {
             return pathObj.toString();
         }
     }
+
+    @Test
+    void testAgentSecretWithAgentConnectPermission() throws Exception {
+        DumbSlave testAgent = j.createOnlineSlave();
+
+        // Setup user with Agent/Connect permission
+        String userWithConnect = "user-with-connect";
+        MockAuthorizationStrategy authStrategy = new MockAuthorizationStrategy();
+        authStrategy.grant(Computer.CONNECT, Jenkins.READ).everywhere().to(userWithConnect);
+
+        j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
+        j.jenkins.setAuthorizationStrategy(authStrategy);
+
+        JenkinsRule.WebClient wc = j.createWebClient();
+        wc.login(userWithConnect);
+
+        Page page = wc.goTo("computer/" + testAgent.getNodeName() + "/agent-secret", "text/plain");
+        WebResponse response = page.getWebResponse();
+
+        // Verify response
+        assertEquals(200, response.getStatusCode());
+
+        String secret = response.getContentAsString().trim();
+        assertNotNull(secret);
+        assertEquals(testAgent.getComputer().getJnlpMac(), secret);
+    }
+
+    @Test
+    void testAgentSecretWithoutAgentConnectPermission() throws Exception {
+        DumbSlave testAgent = j.createOnlineSlave();
+
+        // Setup user without Agent/Connect permission
+        String userWithoutConnect = "user-without-connect";
+        MockAuthorizationStrategy authStrategy = new MockAuthorizationStrategy();
+
+        j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
+        j.jenkins.setAuthorizationStrategy(authStrategy);
+
+        JenkinsRule.WebClient wc = j.createWebClient();
+        // Expect 403 Forbidden
+        FailingHttpStatusCodeException e = assertThrows(FailingHttpStatusCodeException.class, () -> {
+            wc.goTo("computer/" + testAgent.getNodeName() + "/agent-secret", "text/plain");
+        });
+
+        // Verify it's a 403 Forbidden
+        assertEquals(403, e.getStatusCode());
+    }
 }
