/** Test that project level permissions apply to child configurations as well. */
 @Issue("JENKINS-9293")
 @Test
 public void configurationACL() throws Exception {
   // Project-based matrix authorization is installed with no grants of its own, so every
   // permission checked below has to come from a per-project property.
   j.jenkins.setAuthorizationStrategy(new ProjectMatrixAuthorizationStrategy());

   MatrixProject parent = j.createMatrixProject();
   parent.setAxes(new AxisList(new Axis("foo", "a", "b")));
   MatrixConfiguration child = parent.getItem("foo=a");
   assertNotNull(child);

   // Drop whatever authentication the harness put on this thread. The assertions below rely
   // on the cleared context being evaluated as the "anonymous" sid.
   SecurityContextHolder.clearContext();

   // Negative control: before any grant exists, READ on the child must be denied. Without
   // this check the final assertion could pass for an ACL that allows everything.
   assertFalse(child.getACL().hasPermission(Item.READ));

   // Grant READ to "anonymous" on the parent project only.
   parent.addProperty(
       new AuthorizationMatrixProperty(
           Collections.singletonMap(Item.READ, Collections.singleton("anonymous"))));

   // The child configuration carries no property of its own, so a pass here shows that its
   // ACL is derived from the parent's.
   assertTrue(child.getACL().hasPermission(Item.READ));
   // NOTE(review): the cleared security context is not restored before the method returns;
   // confirm the harness resets it for whatever runs next on this thread.
 }
 /**
  * Test that a user is prevented from bypassing permissions on other jobs when configuring a
  * copyartifact build step.
  */
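 @LocalData
 public void testPermission() throws Exception {
   // Begin with no authentication on this thread, so the first checks run without joe's
   // access.
   SecurityContextHolder.clearContext();
   try {
     assertNull("Job should not be accessible to anonymous", hudson.getItem("testJob"));
     // A build step configured by someone who cannot see testJob must not keep the name:
     // otherwise the step could be pointed at a job the configuring user has no access to.
     assertEquals(
         "Should ignore/clear value for inaccessible project",
         "",
         new CopyArtifact("testJob", null, null, null, false, false).getProjectName());
     // Login as user with access to testJob:
     SecurityContextHolder.getContext()
         .setAuthentication(new UsernamePasswordAuthenticationToken("joe", "joe"));
     // Positive control: the same constructor call keeps the name once the caller can see
     // the job, so the empty value above is a permission effect and not a constant.
     assertEquals(
         "Should allow use of testJob for joe",
         "testJob",
         new CopyArtifact("testJob", null, null, null, false, false).getProjectName());
   } finally {
     // Do not leave joe's authentication bound to the test thread, including when an
     // assertion above fails; code that runs later on this thread must not inherit it.
     SecurityContextHolder.clearContext();
   }
 }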
        public void before() throws Throwable {
          // The plugin manager is set to null before the base rule starts up.
          setPluginManager(null);
          super.before();

          // Plain pool that the wrapper under test delegates to.
          ScheduledThreadPoolExecutor backingPool = new ScheduledThreadPoolExecutor(NUM_THREADS);

          // Switch this thread to ACL.SYSTEM and keep what impersonate() hands back.
          // NOTE(review): in Jenkins core, ACL.impersonate(...) returns the context that was
          // active *before* the switch. systemContext is therefore the SYSTEM context only if
          // the thread was already running as SYSTEM here - confirm against the harness.
          systemContext = ACL.impersonate(ACL.SYSTEM);

          // Context carrying the identity of the ordinary user "bob".
          userContext = new NonSerializableSecurityContext(User.get("bob").impersonate());

          // Context without authentication: reset the holder, then read back what it provides.
          SecurityContextHolder.clearContext();
          nullContext = SecurityContextHolder.getContext();

          // Executor under test, layered over the plain pool.
          wrappedService = new SecurityContextExecutorService(backingPool);
          // NOTE(review): from here on the thread keeps the cleared context, and the pool is
          // not shut down in this method; presumably teardown outside this view handles both.
        }
 /**
  * When the source project name is parameterized, cannot check at configure time whether the
  * project is accessible. In this case, permission check is done when the build runs. Only jobs
  * accessible to all authenticated users are allowed.
  */
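 @LocalData
 public void testPermissionWhenParameterized() throws Exception {
   // "test$JOB" is only resolved when the build runs, so the access decision cannot be made
   // at configure time and is exercised through real builds below.
   FreeStyleProject p = createProject("test$JOB", "", "", false, false, false);
   // Build step should succeed when this parameter expands to a job accessible
   // to authenticated users (even if triggered by anonymous, as in this case):
   SecurityContextHolder.clearContext();
   try {
     FreeStyleBuild b =
         p.scheduleBuild2(
                 0, new UserCause(), new ParametersAction(new StringParameterValue("JOB", "Job2")))
             .get();
     assertFile(true, "foo2.txt", b);
     assertBuildStatusSuccess(b);
     // Build step should fail for a job not accessible to all authenticated users,
     // even when accessible to the user starting the job, as in this case.
     // The identity that triggers the build must not widen what a parameterized name can
     // reach: whoever can supply the parameter would otherwise choose the source job.
     SecurityContextHolder.getContext()
         .setAuthentication(new UsernamePasswordAuthenticationToken("joe", "joe"));
     b =
         p.scheduleBuild2(
                 0, new UserCause(), new ParametersAction(new StringParameterValue("JOB", "Job")))
             .get();
     // Both signals are checked: no artifact was copied and the build is marked failed.
     assertFile(false, "foo.txt", b);
     assertBuildStatus(Result.FAILURE, b);
   } finally {
     // Do not leave joe's authentication bound to the test thread, including when a build
     // or assertion above throws; code that runs later on this thread must not inherit it.
     SecurityContextHolder.clearContext();
   }
 }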