[JENKINS-73103] Prepare plugin to allow users with overall/manage to manage clouds/pod/container templates (#1546)

Author: mikecirioli

src/main/java/org/csanchez/jenkins/plugins/kubernetes/ContainerTemplate.java

@@ -1,10 +1,12 @@
 package org.csanchez.jenkins.plugins.kubernetes;
 
+import edu.umd.cs.findbugs.annotations.NonNull;
 import hudson.Extension;
 import hudson.Util;
 import hudson.model.AbstractDescribableImpl;
 import hudson.model.Descriptor;
 import hudson.model.DescriptorVisibilityFilter;
+import hudson.security.Permission;
 import hudson.util.FormValidation;
 import java.io.Serializable;
 import java.util.ArrayList;
@@ -321,6 +323,11 @@ public String getDisplayName() {
             return "Container Template";
         }
 
+        @NonNull
+        public Permission getRequiredGlobalConfigPagePermission() {
+            return Jenkins.MANAGE;
+        }
+
         @SuppressWarnings("unused") // Used by jelly
         @Restricted(DoNotUse.class) // Used by jelly
         public List<? extends Descriptor> getEnvVarsDescriptors() {

src/main/java/org/csanchez/jenkins/plugins/kubernetes/KubectlBuildWrapper.java

@@ -147,9 +147,7 @@ public String getDisplayName() {
 
         public ListBoxModel doFillCredentialsIdItems(
                 @AncestorInPath Item item, @QueryParameter String serverUrl, @QueryParameter String credentialsId) {
-            if (item == null
-                    ? !Jenkins.get().hasPermission(Jenkins.ADMINISTER)
-                    : !item.hasPermission(Item.EXTENDED_READ)) {
+            if (item == null ? !Jenkins.get().hasPermission(Jenkins.MANAGE) : !item.hasPermission(Item.EXTENDED_READ)) {
                 return new StandardListBoxModel().includeCurrentValue(credentialsId);
             }
             StandardListBoxModel result = new StandardListBoxModel();

src/main/java/org/csanchez/jenkins/plugins/kubernetes/KubernetesCloud.java

@@ -832,7 +832,7 @@ public PodTemplate.DescriptorImpl getTemplateDescriptor() {
     public HttpResponse doCreate(StaplerRequest req, StaplerResponse rsp)
             throws IOException, ServletException, Descriptor.FormException {
         Jenkins j = Jenkins.get();
-        j.checkPermission(Jenkins.ADMINISTER);
+        j.checkPermission(Jenkins.MANAGE);
         PodTemplate newTemplate = getTemplateDescriptor().newInstance(req, req.getSubmittedForm());
         addTemplate(newTemplate);
         j.save();
@@ -873,7 +873,7 @@ public FormValidation doTestConnection(
                 @QueryParameter int readTimeout,
                 @QueryParameter boolean useJenkinsProxy)
                 throws Exception {
-            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
+            Jenkins.get().checkPermission(Jenkins.MANAGE);
 
             if (StringUtils.isBlank(name)) return FormValidation.error("name is required");
 
@@ -913,7 +913,7 @@ public FormValidation doTestConnection(
         @SuppressWarnings("unused") // used by jelly
         public ListBoxModel doFillCredentialsIdItems(
                 @AncestorInPath ItemGroup context, @QueryParameter String serverUrl) {
-            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
+            Jenkins.get().checkPermission(Jenkins.MANAGE);
             StandardListBoxModel result = new StandardListBoxModel();
             result.includeEmptyValue();
             result.includeMatchingAs(

src/main/java/org/csanchez/jenkins/plugins/kubernetes/PodTemplate.java

@@ -13,6 +13,7 @@
 import hudson.model.Saveable;
 import hudson.model.TaskListener;
 import hudson.model.labels.LabelAtom;
+import hudson.security.Permission;
 import hudson.slaves.NodeProperty;
 import hudson.util.FormApply;
 import hudson.util.XStream2;
@@ -646,7 +647,7 @@ public void addEnvVars(List<TemplateEnvVar> envVars) {
     @POST
     public HttpResponse doDoDelete(@AncestorInPath PodTemplateGroup owner) throws IOException {
         Jenkins j = Jenkins.get();
-        j.checkPermission(Jenkins.ADMINISTER);
+        j.checkPermission(Jenkins.MANAGE);
         if (owner == null) {
             throw new IllegalStateException("Cloud could not be found");
         }
@@ -660,7 +661,7 @@ public HttpResponse doDoDelete(@AncestorInPath PodTemplateGroup owner) throws IO
     public HttpResponse doConfigSubmit(StaplerRequest req, @AncestorInPath PodTemplateGroup owner)
             throws IOException, ServletException, Descriptor.FormException {
         Jenkins j = Jenkins.get();
-        j.checkPermission(Jenkins.ADMINISTER);
+        j.checkPermission(Jenkins.MANAGE);
         if (owner == null) {
             throw new IllegalStateException("Cloud could not be found");
         }
@@ -1055,6 +1056,11 @@ public static class DescriptorImpl extends Descriptor<PodTemplate> {
             "activeDeadlineSeconds", "idleMinutes", "instanceCap", "slaveConnectTimeout",
         };
 
+        @NonNull
+        public Permission getRequiredGlobalConfigPagePermission() {
+            return Jenkins.MANAGE;
+        }
+
         public DescriptorImpl() {
             for (String field : STRING_FIELDS) {
                 addHelpFileRedirect(field + "Str", PodTemplate.class, field);

src/main/java/org/csanchez/jenkins/plugins/kubernetes/pipeline/PodTemplateStep.java

@@ -449,8 +449,7 @@ public DescriptorImpl() {
         public ListBoxModel doFillCloudItems() {
             ListBoxModel result = new ListBoxModel();
             result.add("—any—", "");
-            // TODO track use of SYSTEM_READ and/or MANAGE in GlobalCloudConfiguration
-            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
+            if (!Jenkins.get().hasPermission(Jenkins.MANAGE)) {
                 return result;
             }
             Jenkins.get().clouds.getAll(KubernetesCloud.class).forEach(cloud -> result.add(cloud.name));
@@ -463,8 +462,7 @@ public ListBoxModel doFillInheritFromItems(@QueryParameter("cloud") String cloud
             ListBoxModel result = new ListBoxModel();
             result.add("—Default inheritance—", "<default>");
             result.add("—Disable inheritance—", " ");
-            // TODO track use of SYSTEM_READ and/or MANAGE in GlobalCloudConfiguration
-            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
+            if (!Jenkins.get().hasPermission(Jenkins.MANAGE)) {
                 return result;
             }
             Cloud cloud;

src/main/resources/org/csanchez/jenkins/plugins/kubernetes/KubernetesCloud/new.jelly

@@ -19,8 +19,8 @@ THE SOFTWARE.
 -->
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:l="/lib/layout" xmlns:f="/lib/form">
-  <l:layout permission="${app.SYSTEM_READ}" title="${%New pod template}">
-    <j:set var="readOnlyMode" value="${!app.hasPermission(app.ADMINISTER)}"/>
+  <l:layout permission="${app.MANAGE_AND_SYSTEM_READ}" title="${%New pod template}">
+    <j:set var="readOnlyMode" value="${!app.hasPermission(app.MANAGE)}"/>
     <l:breadcrumb title="${%New pod template }"/>
     <st:include page="sidepanel.jelly" it="${it}"/>
     <l:main-panel>
@@ -30,15 +30,15 @@ THE SOFTWARE.
 
         <j:set var="descriptor" value="${it.templateDescriptor}"/>
         <st:include class="${descriptor.clazz}" page="config.jelly"/>
-        <l:isAdmin>
+        <l:hasAdministerOrManage>
           <f:bottomButtonBar>
             <f:submit value="${%Create}"/>
           </f:bottomButtonBar>
-        </l:isAdmin>
+        </l:hasAdministerOrManage>
       </f:form>
-      <l:isAdmin>
+      <l:hasAdministerOrManage>
         <st:adjunct includes="lib.form.confirm"/>
-      </l:isAdmin>
+      </l:hasAdministerOrManage>
     </l:main-panel>
   </l:layout>
 </j:jelly>

src/main/resources/org/csanchez/jenkins/plugins/kubernetes/KubernetesCloud/sidepanel.jelly

@@ -25,8 +25,8 @@ THE SOFTWARE.
             <l:task contextMenu="false" href="." icon="symbol-computer" title="${%Status}"/>
             <l:task href="templates" icon="symbol-details" title="${%Pod Templates}"/>
             <l:task href="configure" icon="symbol-settings"
-                    title="${app.hasPermission(app.ADMINISTER) ? '%Configure' : '%View Configuration'}"/>
-            <l:delete permission="${app.ADMINISTER}" title="${%Delete Cloud}" message="${%delete.cloud(it.displayName)}"/>
+                    title="${app.hasPermission(app.MANAGE) ? '%Configure' : '%View Configuration'}"/>
+            <l:delete permission="${app.MANAGE}" title="${%Delete Cloud}" message="${%delete.cloud(it.displayName)}"/>
             <t:actions />
         </l:tasks>
         <j:forEach var="action" items="${it.allActions}">

src/main/resources/org/csanchez/jenkins/plugins/kubernetes/KubernetesCloud/templates.jelly

@@ -29,12 +29,12 @@ THE SOFTWARE.
         <j:choose>
             <j:when test="${not empty it.templates}">
                 <l:app-bar title="${it.name} - ${%Pod templates}">
-                    <l:isAdmin>
+                    <l:hasAdministerOrManage>
                         <a name="newTemplate" class="jenkins-button jenkins-button--primary" href="new">
                             <l:icon src="symbol-add"/>
                             ${%Add a pod template}
                         </a>
-                    </l:isAdmin>
+                    </l:hasAdministerOrManage>
                 </l:app-bar>
                 <table id="templates" class="jenkins-table sortable">
                     <thead>

src/main/resources/org/csanchez/jenkins/plugins/kubernetes/KubernetesComputer/container.jelly

@@ -24,7 +24,7 @@ THE SOFTWARE.
 
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form" xmlns:i="jelly:fmt">
-  <l:layout title="${it.displayName} log" permission="${app.ADMINISTER}">
+  <l:layout title="${it.displayName} log" permission="${app.MANAGE}">
     <st:include page="sidepanel.jelly" />
     <l:main-panel>
       <pre id="out" />

src/main/resources/org/csanchez/jenkins/plugins/kubernetes/KubernetesComputer/events.jelly

@@ -24,7 +24,7 @@ THE SOFTWARE.
 
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form" xmlns:i="jelly:fmt">
-  <l:layout title="${it.displayName} log" permission="${app.ADMINISTER}">
+  <l:layout title="${it.displayName} log" permission="${app.MANAGE}">
     <st:include page="sidepanel.jelly" />
     <l:main-panel>
       <table class="sortable jenkins-table">

src/main/resources/org/csanchez/jenkins/plugins/kubernetes/KubernetesComputer/podLog.jelly

@@ -24,7 +24,7 @@ THE SOFTWARE.
 
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form" xmlns:i="jelly:fmt">
-  <l:layout title="${it.displayName} log" permission="${app.ADMINISTER}">
+  <l:layout title="${it.displayName} log" permission="${app.MANAGE}">
     <st:include page="sidepanel.jelly" />
     <l:main-panel>
       <table class="sortable jenkins-table">

src/main/resources/org/csanchez/jenkins/plugins/kubernetes/KubernetesComputer/sidepanel2.jelly

@@ -24,10 +24,10 @@ THE SOFTWARE.
 
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:l="/lib/layout">
-  <l:task icon="symbol-terminal icon-md" href="${rootURL}/${it.url}log" title="${%Log}" permission="${app.ADMINISTER}"/>
-  <l:task icon="symbol-terminal icon-md" href="${rootURL}/${it.url}podLog" title="${%Pod Log}" permission="${app.ADMINISTER}"/>
-  <l:task icon="symbol-list icon-md" href="${rootURL}/${it.url}events" title="${%Events}" permission="${app.ADMINISTER}"/>
+  <l:task icon="symbol-terminal icon-md" href="${rootURL}/${it.url}log" title="${%Log}" permission="${app.MANAGE}"/>
+  <l:task icon="symbol-terminal icon-md" href="${rootURL}/${it.url}podLog" title="${%Pod Log}" permission="${app.MANAGE}"/>
+  <l:task icon="symbol-list icon-md" href="${rootURL}/${it.url}events" title="${%Events}" permission="${app.MANAGE}"/>
   <j:if test="${it.channel!=null}">
-    <l:task icon="symbol-computer icon-md" href="${rootURL}/${it.url}systemInfo" title="${%System Information}" permission="${app.ADMINISTER}"/>
+    <l:task icon="symbol-computer icon-md" href="${rootURL}/${it.url}systemInfo" title="${%System Information}" permission="${app.MANAGE}"/>
   </j:if>
 </j:jelly>

src/main/resources/org/csanchez/jenkins/plugins/kubernetes/PodTemplate/index.jelly

@@ -19,8 +19,8 @@ THE SOFTWARE.
 -->
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:l="/lib/layout" xmlns:f="/lib/form">
-  <l:layout permission="${app.SYSTEM_READ}" title="${%Pod template settings}">
-    <j:set var="readOnlyMode" value="${!app.hasPermission(app.ADMINISTER)}"/>
+  <l:layout permission="${app.MANAGE_AND_SYSTEM_READ}" title="${%Pod template settings}">
+    <j:set var="readOnlyMode" value="${!app.hasPermission(app.MANAGE)}"/>
     <l:breadcrumb title="${it.name}"/>
 
     <st:include page="sidepanel.jelly"/>
@@ -33,15 +33,15 @@ THE SOFTWARE.
         <!-- main body of the configuration -->
         <st:include it="${instance}" page="config.jelly"/>
 
-        <l:isAdmin>
+        <l:hasAdministerOrManage>
           <f:bottomButtonBar>
             <f:submit value="${%Save}"/>
           </f:bottomButtonBar>
-        </l:isAdmin>
+        </l:hasAdministerOrManage>
       </f:form>
-      <l:isAdmin>
+      <l:hasAdministerOrManage>
         <st:adjunct includes="lib.form.confirm"/> 
-      </l:isAdmin>
+      </l:hasAdministerOrManage>
     </l:main-panel>
   </l:layout>
 </j:jelly>

src/main/resources/org/csanchez/jenkins/plugins/kubernetes/PodTemplate/sidepanel.jelly

@@ -23,8 +23,8 @@ THE SOFTWARE.
     <l:side-panel>
         <l:tasks>
             <l:task href="" icon="symbol-settings"
-                    title="${app.hasPermission(app.ADMINISTER) ? '%Configure' : '%View Configuration'}"/>
-            <l:delete permission="${app.ADMINISTER}" title="${%Delete Pod Template}" message="${%delete.template(it.name)}"/>
+                    title="${app.hasPermission(app.MANAGE) ? '%Configure' : '%View Configuration'}"/>
+            <l:delete permission="${app.MANAGE}" title="${%Delete Pod Template}" message="${%delete.template(it.name)}"/>
             <t:actions />
         </l:tasks>
     </l:side-panel>

src/test/java/org/csanchez/jenkins/plugins/kubernetes/pipeline/KubernetesPipelineTest.java

@@ -630,7 +630,7 @@ public void cascadingDelete() throws Exception {
     public void computerCantBeConfigured() throws Exception {
         r.jenkins.setSecurityRealm(r.createDummySecurityRealm());
         r.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy()
-                .grant(Jenkins.ADMINISTER)
+                .grant(Jenkins.MANAGE)
                 .everywhere()
                 .to("admin"));
         SemaphoreStep.waitForStart("pod/1", b);