/**
 * Verifies that a permission granted on a matrix project is also honoured by the ACL of its
 * child configurations.
 *
 * <p>The check is made twice on the same configuration: first without any grant (READ must be
 * denied), then after READ has been granted to {@code "anonymous"} on the parent project (READ
 * must be allowed). The initial denial keeps the test from passing vacuously under a permissive
 * authorization strategy.
 */
@Issue("JENKINS-9293")
@Test
public void configurationACL() throws Exception {
    j.jenkins.setAuthorizationStrategy(new ProjectMatrixAuthorizationStrategy());

    MatrixProject parent = j.createMatrixProject();
    parent.setAxes(new AxisList(new Axis("foo", "a", "b")));

    MatrixConfiguration child = parent.getItem("foo=a");
    assertNotNull(child);

    // Drop the thread's security context before asking the ACL anything. The grant below names
    // "anonymous", so the two permission checks are presumably evaluated as the anonymous user.
    SecurityContextHolder.clearContext();

    // Baseline: with no project-level grant, the configuration must not be readable.
    assertFalse(child.getACL().hasPermission(Item.READ));

    // Grant READ on the parent project only; nothing is configured on the child itself.
    parent.addProperty(
            new AuthorizationMatrixProperty(
                    Collections.singletonMap(Item.READ, Collections.singleton("anonymous"))));

    // The project-level grant must now be visible through the child configuration's ACL.
    assertTrue(child.getACL().hasPermission(Item.READ));
}
/**
 * Checks that configuring a copyartifact build step cannot be used to reach a job the
 * configuring user has no access to.
 *
 * <p>The same {@code CopyArtifact} constructor call is made under two identities. With no
 * authentication on the thread the project name must come back empty; as {@code joe}, who can
 * see {@code testJob}, the name must be kept.
 */
@LocalData
public void testPermission() throws Exception {
    // Start with no authentication on the thread; the job must be invisible in that state.
    SecurityContextHolder.clearContext();
    assertNull("Job should not be accessible to anonymous", hudson.getItem("testJob"));

    // Built while the job is inaccessible: the step must not retain the requested name.
    CopyArtifact configuredAnonymously = new CopyArtifact("testJob", null, null, null, false, false);
    assertEquals(
            "Should ignore/clear value for inaccessible project",
            "",
            configuredAnonymously.getProjectName());

    // Switch the thread to a user who is allowed to see testJob.
    // NOTE(review): nothing in this method restores the previous context afterwards; confirm
    // the test harness resets it so "joe" does not carry over into later tests.
    SecurityContextHolder.getContext()
            .setAuthentication(new UsernamePasswordAuthenticationToken("joe", "joe"));

    CopyArtifact configuredByJoe = new CopyArtifact("testJob", null, null, null, false, false);
    assertEquals(
            "Should allow use of testJob for joe",
            "testJob",
            configuredByJoe.getProjectName());
}
/**
 * Prepares the three security contexts used by the tests ({@code systemContext},
 * {@code userContext}, {@code nullContext}) and the {@code SecurityContextExecutorService}
 * under test.
 *
 * <p>The statements that touch the thread's security context are order-sensitive and are kept
 * in their original sequence.
 */
public void before() throws Throwable {
    setPluginManager(null);
    super.before();

    // Switch the thread to ACL.SYSTEM and keep what impersonate() hands back.
    // NOTE(review): ACL.impersonate is documented as returning the context that was active
    // before the switch, so this field holds a SYSTEM context only if the thread was already
    // running as SYSTEM at this point; confirm against the base class setup.
    systemContext = ACL.impersonate(ACL.SYSTEM);

    // A context for an ordinary user, wrapping the authentication obtained for "bob".
    userContext = new NonSerializableSecurityContext(User.get("bob").impersonate());

    // Captured immediately after clearing, so it is expected to carry no authentication.
    SecurityContextHolder.clearContext();
    nullContext = SecurityContextHolder.getContext();

    // The service under test: a plain scheduled pool wrapped by the context-propagating
    // executor.
    wrappedService =
            new SecurityContextExecutorService(new ScheduledThreadPoolExecutor(NUM_THREADS));
}
/**
 * Covers the permission check for a parameterized source project name.
 *
 * <p>With a name such as {@code test$JOB}, accessibility cannot be checked at configure time, so
 * the check is made when the build runs. At that point only jobs accessible to all authenticated
 * users are allowed, independent of who triggered the build. Both directions are exercised: a
 * job open to all authenticated users is copied from even when the trigger is anonymous, and a
 * job that only the triggering user can access is refused.
 */
@LocalData
public void testPermissionWhenParameterized() throws Exception {
    FreeStyleProject copier = createProject("test$JOB", "", "", false, false, false);

    // Case 1: triggered with no authentication on the thread, and the parameter expands to a
    // job accessible to authenticated users. The build step is expected to succeed.
    StringParameterValue openJob = new StringParameterValue("JOB", "Job2");
    SecurityContextHolder.clearContext();
    FreeStyleBuild allowedBuild =
            copier.scheduleBuild2(0, new UserCause(), new ParametersAction(openJob)).get();
    assertFile(true, "foo2.txt", allowedBuild);
    assertBuildStatusSuccess(allowedBuild);

    // Case 2: triggered as "joe", and the parameter expands to a job that is not accessible to
    // all authenticated users, although joe himself may access it. The run-time check must not
    // fall back to the triggering user's rights, so the build step is expected to fail.
    // NOTE(review): the "joe" authentication stays on the thread after this method returns;
    // confirm the test harness resets the security context between tests.
    StringParameterValue restrictedJob = new StringParameterValue("JOB", "Job");
    SecurityContextHolder.getContext()
            .setAuthentication(new UsernamePasswordAuthenticationToken("joe", "joe"));
    FreeStyleBuild deniedBuild =
            copier.scheduleBuild2(0, new UserCause(), new ParametersAction(restrictedJob)).get();
    assertFile(false, "foo.txt", deniedBuild);
    assertBuildStatus(Result.FAILURE, deniedBuild);
}