From 7c657df3477ae8a0d0d2d888ccbe295abc26d4b0 Mon Sep 17 00:00:00 2001 From: Heller07 Date: Thu, 5 Mar 2026 15:41:45 +0530 Subject: [PATCH 1/3] Retire SHOW_LEGACY_TOKEN_TO_ADMINS system property in ApiTokenProperty --- .../jenkins/security/ApiTokenProperty.java | 30 ++----------------- 1 file changed, 3 insertions(+), 27 deletions(-) diff --git a/core/src/main/java/jenkins/security/ApiTokenProperty.java b/core/src/main/java/jenkins/security/ApiTokenProperty.java index b54e51410f3d..15cfae24d625 100644 --- a/core/src/main/java/jenkins/security/ApiTokenProperty.java +++ b/core/src/main/java/jenkins/security/ApiTokenProperty.java @@ -60,7 +60,6 @@ import jenkins.security.apitoken.ApiTokenStats; import jenkins.security.apitoken.ApiTokenStore; import jenkins.security.apitoken.TokenUuidAndPlainValue; -import jenkins.util.SystemProperties; import net.jcip.annotations.Immutable; import net.sf.json.JSONArray; import net.sf.json.JSONObject; @@ -87,29 +86,6 @@ public class ApiTokenProperty extends UserProperty { private static final Logger LOGGER = Logger.getLogger(ApiTokenProperty.class.getName()); - /** - * If enabled, the users with {@link Jenkins#ADMINISTER} permissions can view legacy tokens for - * other users.

- * Disabled by default due to the security reasons.

- * If enabled, it restores the original Jenkins behavior (SECURITY-200). - * - * @since 1.638 - */ - private static /* not final */ boolean SHOW_LEGACY_TOKEN_TO_ADMINS = - SystemProperties.getBoolean(ApiTokenProperty.class.getName() + ".showTokenToAdmins"); - - /** - * If enabled, the users with {@link Jenkins#ADMINISTER} permissions can generate new tokens for - * other users. Normally a user can only generate tokens for himself.

- * Take care that only the creator of a token will have the plain value as it's only stored as an hash in the system.

- * Disabled by default due to the security reasons. - * It's the version of {@link #SHOW_LEGACY_TOKEN_TO_ADMINS} for the new API Token system (SECURITY-200). - * - * @since 2.129 - */ - private static /* not final */ boolean ADMIN_CAN_GENERATE_NEW_TOKENS = - SystemProperties.getBoolean(ApiTokenProperty.class.getName() + ".adminCanGenerateNewTokens"); - private volatile Secret apiToken; private ApiTokenStore tokenStore; @@ -152,7 +128,7 @@ protected void setUser(User u) { /** * Gets the API token. * The method performs security checks since 1.638. Only the current user and SYSTEM may see it. - * Users with {@link Jenkins#ADMINISTER} may be allowed to do it using {@link #SHOW_LEGACY_TOKEN_TO_ADMINS}. + * Users with {@link Jenkins#ADMINISTER} permissions may also be allowed to see it. * * @return API Token. Never null, but may be {@link Messages#ApiTokenProperty_ChangeToken_TokenIsHidden()} * if the user has no appropriate permissions. @@ -213,7 +189,7 @@ public boolean matchesPassword(String token) { */ private boolean hasPermissionToSeeToken() { // Administrators can do whatever they want - return canCurrentUserControlObject(SHOW_LEGACY_TOKEN_TO_ADMINS, user); + return canCurrentUserControlObject(true, user); } private static boolean canCurrentUserControlObject(boolean trustAdmins, User propertyOwner) { @@ -563,7 +539,7 @@ public boolean mustDisplayLegacyApiToken(User propertyOwner) { // for Jelly view @Restricted(NoExternalUse.class) public boolean hasCurrentUserRightToGenerateNewToken(User propertyOwner) { - return canCurrentUserControlObject(ADMIN_CAN_GENERATE_NEW_TOKENS, propertyOwner); + return canCurrentUserControlObject(true, propertyOwner); } /** From 8dc0517d13b63966274d73623a7ec3c64c95e8d3 Mon Sep 17 00:00:00 2001 From: Heller07 Date: Thu, 5 Mar 2026 20:39:20 +0530 Subject: [PATCH 2/3] Remove obsolete trustAdmins parameter and admin override from ApiTokenProperty permission check --- .../main/java/jenkins/security/ApiTokenProperty.java | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/core/src/main/java/jenkins/security/ApiTokenProperty.java b/core/src/main/java/jenkins/security/ApiTokenProperty.java index 15cfae24d625..da19304ff7b0 100644 --- a/core/src/main/java/jenkins/security/ApiTokenProperty.java +++ b/core/src/main/java/jenkins/security/ApiTokenProperty.java @@ -189,14 +189,10 @@ public boolean matchesPassword(String token) { */ private boolean hasPermissionToSeeToken() { // Administrators can do whatever they want - return canCurrentUserControlObject(true, user); + return canCurrentUserControlObject(user); } - private static boolean canCurrentUserControlObject(boolean trustAdmins, User propertyOwner) { - if (trustAdmins && Jenkins.get().hasPermission(Jenkins.ADMINISTER)) { - return true; - } - + private static boolean canCurrentUserControlObject(User propertyOwner) { User current = User.current(); if (current == null) { // Anonymous return false; @@ -539,7 +535,7 @@ public boolean mustDisplayLegacyApiToken(User propertyOwner) { // for Jelly view @Restricted(NoExternalUse.class) public boolean hasCurrentUserRightToGenerateNewToken(User propertyOwner) { - return canCurrentUserControlObject(true, propertyOwner); + return canCurrentUserControlObject(propertyOwner); } /** From 2a8a3176b9ce301965aa4dd9cd7c2daa5d7bfeca Mon Sep 17 00:00:00 2001 From: Heller07 Date: Fri, 6 Mar 2026 03:28:12 +0530 Subject: [PATCH 3/3] Restore admin permission check while removing deprecated SHOW_LEGACY_TOKEN_TO_ADMINS property --- core/src/main/java/jenkins/security/ApiTokenProperty.java | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/core/src/main/java/jenkins/security/ApiTokenProperty.java b/core/src/main/java/jenkins/security/ApiTokenProperty.java index da19304ff7b0..7922bb8ebc07 100644 --- a/core/src/main/java/jenkins/security/ApiTokenProperty.java +++ b/core/src/main/java/jenkins/security/ApiTokenProperty.java @@ -193,6 +193,10 @@ private boolean hasPermissionToSeeToken() { } private static boolean canCurrentUserControlObject(User propertyOwner) { + if (Jenkins.get().hasPermission(Jenkins.ADMINISTER)) { + return true; + } + User current = User.current(); if (current == null) { // Anonymous return false;