Hide CSRF configuration UI when only DefaultCrumbIssuer is available #26057
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,19 +1,31 @@ | ||
| package hudson.security.csrf.GlobalCrumbIssuerConfiguration | ||
|
|
||
| import hudson.security.csrf.CrumbIssuer | ||
| import hudson.security.csrf.DefaultCrumbIssuer | ||
|
|
||
| def f = namespace(lib.FormTagLib) | ||
| def all = CrumbIssuer.all() | ||
| def disableCsrf = | ||
| hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION | ||
|
|
||
| def onlyDefaultIssuer = | ||
| all.size() == 1 && all[0].clazz == DefaultCrumbIssuer | ||
|
|
||
| def showCsrfConfig = !onlyDefaultIssuer || disableCsrf | ||
|
|
||
| if (showCsrfConfig) { | ||
| f.section(title: _("CSRF Protection")) { | ||
| if (disableCsrf) { | ||
| f.entry { | ||
| p(raw(_('disabled'))) | ||
| p(_('unsupported')) | ||
| } | ||
| } else { | ||
| f.dropdownDescriptorSelector( | ||
| title: _("Crumb Issuer"), | ||
| descriptors: all, | ||
| field: 'crumbIssuer' | ||
| ) | ||
| } | ||
| } | ||
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,85 @@ | ||
| package hudson.security.csrf; | ||
|
|
||
| import static org.hamcrest.MatcherAssert.assertThat; | ||
| import static org.hamcrest.Matchers.containsString; | ||
|
|
||
| import jakarta.servlet.ServletRequest; | ||
| import org.htmlunit.html.HtmlPage; | ||
| import org.junit.jupiter.api.BeforeEach; | ||
| import org.junit.jupiter.api.Test; | ||
| import org.jvnet.hudson.test.JenkinsRule; | ||
| import org.jvnet.hudson.test.TestExtension; | ||
| import org.jvnet.hudson.test.junit.jupiter.WithJenkins; | ||
|
|
||
| @WithJenkins | ||
| class GlobalCrumbIssuerConfigurationTest { | ||
|
|
||
| private JenkinsRule j; | ||
|
|
||
| @BeforeEach | ||
| void setUp(JenkinsRule rule) { | ||
| j = rule; | ||
| } | ||
|
|
||
| @Test | ||
| void csrfSectionShownWhenNonDefaultIssuerConfigured() throws Exception { | ||
| // DefaultCrumbIssuer is default, but other CrumbIssuer descriptors exist in test environment | ||
| // so the CSRF section should be visible | ||
| j.jenkins.setCrumbIssuer(new DefaultCrumbIssuer(false)); | ||
|
|
||
| JenkinsRule.WebClient wc = j.createWebClient(); | ||
| HtmlPage page = wc.goTo("configureSecurity"); | ||
| String pageContent = page.asNormalizedText(); | ||
|
|
||
| // With multiple CrumbIssuer descriptors available (from test extensions), | ||
| // the CSRF Protection section should always be shown | ||
| assertThat("CSRF Protection section should be shown when multiple issuers are available", | ||
| pageContent, containsString("CSRF Protection")); | ||
| } | ||
|
|
||
| @Test | ||
| void csrfSectionShownWhenCsrfProtectionDisabled() throws Exception { | ||
| boolean original = GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION; | ||
| try { | ||
| GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION = true; | ||
|
|
||
| JenkinsRule.WebClient wc = j.createWebClient(); | ||
| HtmlPage page = wc.goTo("configureSecurity"); | ||
| String pageContent = page.asNormalizedText(); | ||
|
|
||
| assertThat("CSRF section should be shown when CSRF protection is disabled", | ||
| pageContent, containsString("CSRF Protection")); | ||
| } finally { | ||
| GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION = original; | ||
| } | ||
| } | ||
|
|
||
| @TestExtension | ||
|
||
| public static class DummyCrumbIssuer extends CrumbIssuer { | ||
|
|
||
| @Override | ||
| public String getCrumbRequestField() { | ||
| return "dummy"; | ||
| } | ||
|
|
||
| @Override | ||
| public String issueCrumb(ServletRequest request, String salt) { | ||
| return "dummy-crumb"; | ||
| } | ||
|
|
||
| public static class DescriptorImpl extends CrumbIssuerDescriptor<DummyCrumbIssuer> { | ||
|
|
||
| DescriptorImpl() { | ||
| super( | ||
| DummyCrumbIssuer.class.getName(), | ||
| "Dummy Crumb Issuer" | ||
| ); | ||
| } | ||
|
|
||
| @Override | ||
| public String getDisplayName() { | ||
| return "Dummy Crumb Issuer"; | ||
| } | ||
| } | ||
| } | ||
| } | ||
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should specifically assert the placeholder message, see other comment.