Merge branch 'master' into verbs-everywhere

Author: daniel-beck

.github/workflows/jenkins-security-scan.yml

@@ -0,0 +1,15 @@
+name: Jenkins Security Scan
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    types: [ opened, synchronize, reopened ]
+  workflow_dispatch:
+
+jobs:
+  security-scan:
+    uses: jenkins-infra/jenkins-security-scan/.github/workflows/jenkins-security-scan.yaml@v2
+    with:
+      java-cache: maven
+      java-version: 11

.gitignore

@@ -15,7 +15,3 @@ build/
 
 # VS Code
 .vscode/
-
-# maven-release-plugin
-pom.xml.releaseBackup
-release.properties

CHANGELOG.md

@@ -1,5 +1,30 @@
 # Changelog
 
+Release notes for Version 3.0 and newer are published in [GitHub Releases](https://github.com/jenkinsci/matrix-auth-plugin/releases) only. 
+
+## Version 2.6.11 (2021-12-08)
+
+* [JENKINS-67311](https://issues.jenkins.io/browse/JENKINS-67311): Fix help button for table ([#108](https://github.com/jenkinsci/matrix-auth-plugin/pull/108))
+
+## Version 2.6.9 (2021-12-03)
+
+* [JENKINS-67210](https://issues.jenkins.io/browse/JENKINS-67210): Fix broken link to global security configuration from help ([#106](https://github.com/jenkinsci/matrix-auth-plugin/pull/106))
+* [JENKINS-66964](https://issues.jenkins.io/browse/JENKINS-66964): Fix button tooltips in configuration matrix ([#107](https://github.com/jenkinsci/matrix-auth-plugin/pull/107))
+
+## Version 2.6.8 (2021-07-21)
+
+* [JENKINS-66170](https://issues.jenkins.io/browse/JENKINS-66170): Apply table style when viewing in read-only mode (Extended Read permission).
+  This fixes a regression in version 2.6.7.
+
+## Version 2.6.7 (2021-05-12)
+
+* Internal: Moved JavaScript to resource files ([#102](https://github.com/jenkinsci/matrix-auth-plugin/pull/102))
+* Internal: Migrate from RestartableJenkinsRule to JenkinsSessionRule ([#101](https://github.com/jenkinsci/matrix-auth-plugin/pull/101))
+
+## Version 2.6.6 (2021-03-18)
+
+* [SECURITY-2180](https://www.jenkins.io/security/advisory/2021-03-18/#SECURITY-2180): Ensure Item/Read is only granted it all ancestors grant it as well.
+
 ## Version 2.6.5 (2021-01-21)
 
 * [JENKINS-64661](https://issues.jenkins.io/browse/JENKINS-64661): Do not break `properties` in the global Pipeline snippet generator.
@@ -12,7 +37,7 @@
 
 * [JENKINS-56109](https://issues.jenkins.io/browse/JENKINS-56109): Make the plugin compatible with new form layout in Jenkins 2.264 and newer.
 * Open links from job, folder, and agent configurations to the Global Security Configuration in a new window.
-* Internal: Parent POM update, make test assertions compatible with JEP-295
+* Internal: Parent POM update, make test assertions compatible with [JEP-295](https://github.com/jenkinsci/jep/blob/master/jep/295/README.adoc)
 
 ## Version 2.6.2 (2020-07-15)
 
@@ -69,7 +94,6 @@
 ## Version 2.3 (2018-07-10)
 
 * [JENKINS-52167](https://issues.jenkins.io/browse/JENKINS-52167): Rotate column headers in Google Chrome
-
 * [JENKINS-47424](https://issues.jenkins.io/browse/JENKINS-47424): Don't show 'Implied by' note for the Overall/Administer permission
 * [JENKINS-28668](https://issues.jenkins.io/browse/JENKINS-28668): Use a modal dialog to add users/groups to the list to prevent accidental form submissions
 
@@ -105,9 +129,9 @@
 * **Allow configuring per-agent permissions.** This allows e.g. restricting per-agent build permissions when using the Authorize Project plugin ([JENKINS-46654](https://issues.jenkins.io/browse/JENKINS-46654))
 * **Prevent accidental lockouts and unexpected lack of permissions**  
     * Improvement: When submitting a global matrix auth configuration that does not specify an administrator (often happening in accidental/premature form submissions), give the submitting user Administer permission. Note that this could mean that the 'anonymous' may still have admin permission if the form is submitted as an anonymous user. ([JENKINS-46832](https://issues.jenkins.io/browse/JENKINS-46832) / [JENKINS-10871](https://issues.jenkins.io/browse/JENKINS-10871))
-    * Bug: Ensure that users creating a new job, folder, or node have read and configure access when using the project-based matrix authorization strategy. (<span class="js-issue-title">JENKINS-5277</span>)
+    * Bug: Ensure that users creating a new job, folder, or node have read and configure access when using the project-based matrix authorization strategy. ([JENKINS-5277](https://issues.jenkins.io/browse/JENKINS-5277))
     * Bug: Save the global security configuration after granting administer permission to the first user to sign up. ([JENKINS-20520](https://issues.jenkins.io/browse/JENKINS-20520))
-    * Bug: Ensure 'empty' matrix permission configurations can be loaded in case this is needed (e.g. programmatically defined). The fix for [JENKINS-10871](https://issues.jenkins.io/browse/JENKINS-10871) will prevent this from happening accidentally. (JENKINS-9774)
+    * Bug: Ensure 'empty' matrix permission configurations can be loaded in case this is needed (e.g. programmatically defined). The fix for [JENKINS-10871](https://issues.jenkins.io/browse/JENKINS-10871) will prevent this from happening accidentally. ([JENKINS-9774](https://issues.jenkins.io/browse/JENKINS-9774))
     * Bug: When using container-based authentication and project-based matrix authorization, permissions granted to groups in items inside folders only may not have been granted to members of those groups.
 * **UX improvements for the matrix configuration table**  
     * Improvement: Indicate whether a permission is implied by another permission in the tool tip, and also indicate when a permission is not implied by Overall/Administer (which is unusual). ([JENKINS-32506](https://issues.jenkins.io/browse/JENKINS-32506))

README.md

@@ -6,7 +6,7 @@ For a basic introduction, see [the section on Matrix Authorization in the Jenkin
 
 ## Changelog
 
-See [CHANGELOG](CHANGELOG.md).
+See [GitHub Releases](https://github.com/jenkinsci/matrix-auth-plugin/releases) (2.6.5 and newer only) or [CHANGELOG](CHANGELOG.md) (before 3.0 only).
 
 ## Use Cases
 

pom.xml

@@ -4,22 +4,20 @@
     <parent>
         <groupId>org.jenkins-ci.plugins</groupId>
         <artifactId>plugin</artifactId>
-        <version>4.7</version>
+        <version>4.37</version>
     </parent>
     <artifactId>matrix-auth</artifactId>
     <version>${revision}${changelist}</version>
     <packaging>hpi</packaging>
     <name>Matrix Authorization Strategy Plugin</name>
     <url>https://github.com/jenkinsci/matrix-auth-plugin</url>
     <properties>
-        <revision>2.6.6</revision>
+        <revision>3.2</revision>
         <changelist>-SNAPSHOT</changelist>
         <gitHubRepo>jenkinsci/${project.artifactId}-plugin</gitHubRepo>
-        <hpi.compatibleSinceVersion>2.0</hpi.compatibleSinceVersion>
-        <jenkins.version>2.222.1</jenkins.version>
+        <hpi.compatibleSinceVersion>3.0</hpi.compatibleSinceVersion>
+        <jenkins.version>2.277.1</jenkins.version>
         <java.level>8</java.level>
-        <workflow-cps.version>2.31</workflow-cps.version>
-        <configuration-as-code.version>1.35</configuration-as-code.version>
     </properties>
     <licenses>
         <license>
@@ -33,58 +31,57 @@
         <url>https://github.com/${gitHubRepo}</url>
         <tag>${scmTag}</tag>
      </scm>
+
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>io.jenkins.tools.bom</groupId>
+                <artifactId>bom-2.277.x</artifactId>
+                <version>28</version>
+                <scope>import</scope>
+                <type>pom</type>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
     <dependencies>
         <!-- optional plugin dependencies -->
         <dependency>
             <groupId>org.jenkins-ci.plugins</groupId>
             <artifactId>cloudbees-folder</artifactId>
-            <version>6.1.0</version>
             <optional>true</optional>
         </dependency>
         <dependency>
             <groupId>io.jenkins</groupId>
             <artifactId>configuration-as-code</artifactId>
-            <version>${configuration-as-code.version}</version>
             <optional>true</optional>
         </dependency>
 
         <!-- test dependencies -->
         <dependency>
             <groupId>org.jenkins-ci.plugins</groupId>
             <artifactId>credentials</artifactId>
-            <version>2.1.16</version>
             <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>org.jenkins-ci.plugins.workflow</groupId>
             <artifactId>workflow-cps</artifactId>
-            <version>${workflow-cps.version}</version>
             <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>org.jenkins-ci.plugins.workflow</groupId>
             <artifactId>workflow-cps</artifactId>
-            <version>${workflow-cps.version}</version>
             <classifier>tests</classifier>
             <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>org.jenkins-ci.plugins.workflow</groupId>
             <artifactId>workflow-multibranch</artifactId>
-            <version>2.10</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <!-- requireUpperBoundDeps -->
-            <groupId>org.jenkins-ci.plugins</groupId>
-            <artifactId>structs</artifactId>
-            <version>1.19</version>
             <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>io.jenkins.configuration-as-code</groupId>
             <artifactId>test-harness</artifactId>
-            <version>${configuration-as-code.version}</version>
             <scope>test</scope>
         </dependency>
         <dependency>
@@ -100,13 +97,6 @@
                 </exclusion>
             </exclusions>
         </dependency>
-        <dependency>
-            <!-- requireUpperBounds -->
-            <groupId>org.jenkins-ci.plugins</groupId>
-            <artifactId>script-security</artifactId>
-            <version>1.54</version>
-            <scope>test</scope>
-        </dependency>
     </dependencies>
 
     <repositories>

src/main/java/com/cloudbees/hudson/plugins/folder/properties/AuthorizationMatrixProperty.java

@@ -26,6 +26,7 @@
 import com.cloudbees.hudson.plugins.folder.AbstractFolder;
 import com.cloudbees.hudson.plugins.folder.AbstractFolderProperty;
 import com.cloudbees.hudson.plugins.folder.AbstractFolderPropertyDescriptor;
+import edu.umd.cs.findbugs.annotations.NonNull;
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.Extension;
 import hudson.model.AbstractItem;
@@ -34,6 +35,7 @@
 import hudson.model.listeners.ItemListener;
 import hudson.security.AuthorizationStrategy;
 import jenkins.model.Jenkins;
+import org.acegisecurity.acls.sid.PrincipalSid;
 import org.jenkinsci.Symbol;
 import org.jenkinsci.plugins.matrixauth.AuthorizationPropertyDescriptor;
 import hudson.security.Permission;
@@ -45,6 +47,8 @@
 import hudson.util.FormValidation;
 import net.sf.json.JSONObject;
 import org.acegisecurity.acls.sid.Sid;
+import org.jenkinsci.plugins.matrixauth.AuthorizationType;
+import org.jenkinsci.plugins.matrixauth.PermissionEntry;
 import org.kohsuke.accmod.Restricted;
 import org.kohsuke.accmod.restrictions.DoNotUse;
 import org.kohsuke.accmod.restrictions.NoExternalUse;
@@ -64,10 +68,10 @@
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
-import java.util.Map.Entry;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import java.util.stream.Collectors;
 
 /**
  * Holds ACL for {@link ProjectMatrixAuthorizationStrategy}.
@@ -78,13 +82,10 @@ public class AuthorizationMatrixProperty extends AbstractFolderProperty<Abstract
 
     /**
      * List up all permissions that are granted.
-     *
-     * Strings are either the granted authority or the principal, which is not
-     * distinguished.
      */
-    private final Map<Permission, Set<String>> grantedPermissions = new HashMap<>();
+    private final Map<Permission, Set<PermissionEntry>> grantedPermissions = new HashMap<>();
 
-    private final Set<String> sids = new HashSet<>();
+    private final Set<String> groupSids = Collections.synchronizedSet(new HashSet<>());
 
     /**
      * @deprecated unused, use {@link #setInheritanceStrategy(InheritanceStrategy)} instead.
@@ -99,10 +100,12 @@ public class AuthorizationMatrixProperty extends AbstractFolderProperty<Abstract
     protected AuthorizationMatrixProperty() {
     }
 
+    // TODO(3.0) How is this used?
+    @Deprecated
     public AuthorizationMatrixProperty(Map<Permission,? extends Set<String>> grantedPermissions) {
-        // do a deep copy to be safe
-        for (Entry<Permission,? extends Set<String>> e : grantedPermissions.entrySet())
-            this.grantedPermissions.put(e.getKey(),new HashSet<>(e.getValue()));
+        for (Map.Entry<Permission,? extends Set<String>> e : grantedPermissions.entrySet()) {
+            this.grantedPermissions.put(e.getKey(), e.getValue().stream().map(sid -> new PermissionEntry(AuthorizationType.EITHER, sid)).collect(Collectors.toSet()));
+        }
     }
 
     @DataBoundConstructor // JENKINS-49199: Used for job-dsl
@@ -113,37 +116,30 @@ public AuthorizationMatrixProperty(List<String> permissions) {
         }
     }
 
-    @Restricted(NoExternalUse.class)
+    @Override
     public Set<String> getGroups() {
-        return new HashSet<>(sids);
+        return groupSids;
     }
 
-    /**
-     * Returns all the (Permission,sid) pairs that are granted, in the multi-map form.
-     *
-     * @return
-     *      read-only. never null.
-     */
-    public Map<Permission,Set<String>> getGrantedPermissions() {
-        return Collections.unmodifiableMap(grantedPermissions);
+    @Override
+    public void recordGroup(String sid) {
+        this.groupSids.add(sid);
+    }
+
+    @Override
+    public Map<Permission, Set<PermissionEntry>> getGrantedPermissionEntries() {
+        return grantedPermissions;
     }
 
     @Override
     public Permission getEditingPermission() {
         return Item.CONFIGURE;
     }
 
-    /**
-     * Adds to {@link #grantedPermissions}. Use of this method should be limited
-     * during construction, as this object itself is considered immutable once
-     * populated.
-     */
-    public void add(Permission p, String sid) {
-        Set<String> set = grantedPermissions.get(p);
-        if (set == null)
-            grantedPermissions.put(p, set = new HashSet<>());
-        set.add(sid);
-        sids.add(sid);
+    @Override
+    protected void setOwner(@NonNull AbstractFolder<?> owner) {
+        super.setOwner(owner);
+        FolderContributor.record(owner);
     }
 
     @Extension(optional = true)
@@ -166,7 +162,6 @@ public AuthorizationMatrixProperty newInstance(StaplerRequest req, JSONObject fo
         }
 
         @Override
-        @SuppressWarnings("rawtypes")
         public boolean isApplicable(Class<? extends AbstractFolder> folder) {
             return isApplicable();
         }
@@ -182,7 +177,7 @@ private final class AclImpl extends SidACL {
         @SuppressFBWarnings(value = "NP_BOOLEAN_RETURN_NULL",
                 justification = "Because that is the way this SPI works")
         protected Boolean hasPermission(Sid sid, Permission p) {
-            if (AuthorizationMatrixProperty.this.hasPermission(toString(sid),p))
+            if (AuthorizationMatrixProperty.this.hasPermission(toString(sid), p, sid instanceof PrincipalSid))
                 return true;
             return null;
         }
@@ -202,12 +197,12 @@ public InheritanceStrategy getInheritanceStrategy() {
     }
 
     /**
-     * Persist {@link ProjectMatrixAuthorizationStrategy} as a list of IDs that
-     * represent ProjectMatrixAuthorizationStrategy#grantedPermissions.
+     * Persist {@link AuthorizationMatrixProperty} as a list of IDs that
+     * represent {@link AuthorizationMatrixProperty#getGrantedPermissions()}.
      */
     @Restricted(DoNotUse.class)
+    @SuppressWarnings("unused")
     public static final class ConverterImpl extends AbstractAuthorizationPropertyConverter<AuthorizationMatrixProperty> {
-        @SuppressWarnings("rawtypes")
         public boolean canConvert(Class type) {
             return type == AuthorizationMatrixProperty.class;
         }
@@ -241,13 +236,13 @@ public void onCreated(Item item) {
                     User current = User.current();
                     String sid = current == null ? "anonymous" : current.getId();
 
-                    if (!strategy.getACL((AbstractItem) folder).hasPermission(Jenkins.getAuthentication(), Item.READ)) {
-                        prop.add(Item.READ, sid);
+                    if (!strategy.getACL((AbstractItem) folder).hasPermission2(Jenkins.getAuthentication2(), Item.READ)) {
+                        prop.add(Item.READ, PermissionEntry.user(sid));
                     }
-                    if (!strategy.getACL((AbstractItem) folder).hasPermission(Jenkins.getAuthentication(), Item.CONFIGURE)) {
-                        prop.add(Item.CONFIGURE, sid);
+                    if (!strategy.getACL((AbstractItem) folder).hasPermission2(Jenkins.getAuthentication2(), Item.CONFIGURE)) {
+                        prop.add(Item.CONFIGURE, PermissionEntry.user(sid));
                     }
-                    if (prop.getGrantedPermissions().size() > 0) {
+                    if (prop.getGrantedPermissionEntries().size() > 0) {
                         try {
                             if (propIsNew) {
                                 folder.addProperty(prop);