From 5b0c0cea18c351352f2d33ad2491d148bb38a447 Mon Sep 17 00:00:00 2001 From: Antonio Muniz Date: Thu, 2 May 2024 19:48:30 +0200 Subject: [PATCH] [JENKINS-73053] Allow users with Overall/Manage permission to configure endpoints (#784) * [JENKINS-73053] Allow users with Overall/Manage permission to configure endpoints See [JENKINS-73053](https://issues.jenkins.io/browse/JENKINS-73053). * Tests that the endpoints configuration is visible to Overall/Manage --- .../plugins/github_branch_source/Connector.java | 2 +- .../plugins/github_branch_source/Endpoint.java | 2 +- .../github_branch_source/GitHubConfiguration.java | 8 ++++++++ .../github_branch_source/GitHubSCMNavigator.java | 2 +- .../plugins/github_branch_source/GitHubSCMSource.java | 8 ++++---- .../plugins/github_branch_source/SSHCheckoutTrait.java | 4 ++-- .../plugins/github_branch_source/EndpointTest.java | 10 +++++++++- .../github_branch_source/GitHubSCMNavigatorTest.java | 2 +- .../github_branch_source/GitHubSCMSourceTest.java | 2 +- .../github_branch_source/SSHCheckoutTraitTest.java | 2 +- 10 files changed, 29 insertions(+), 13 deletions(-) diff --git a/src/main/java/org/jenkinsci/plugins/github_branch_source/Connector.java b/src/main/java/org/jenkinsci/plugins/github_branch_source/Connector.java index 7acb87dff..b5e6b4920 100644 --- a/src/main/java/org/jenkinsci/plugins/github_branch_source/Connector.java +++ b/src/main/java/org/jenkinsci/plugins/github_branch_source/Connector.java @@ -182,7 +182,7 @@ public static FormValidation checkScanCredentials( */ public static FormValidation checkScanCredentials( @CheckForNull Item context, String apiUri, String scanCredentialsId, @CheckForNull String repoOwner) { - if (context == null && !Jenkins.get().hasPermission(Jenkins.ADMINISTER) + if (context == null && !Jenkins.get().hasPermission(Jenkins.MANAGE) || context != null && !context.hasPermission(Item.EXTENDED_READ)) { return FormValidation.ok(); } 
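Review bot: The `context == null` branch of `checkScanCredentials` now lets a holder of Overall/Manage reach the credential validation that follows, which goes beyond the endpoint configuration the commit title describes. Overall/Manage is meant to be a reduced privilege next to Overall/Administer, so looking up and exercising global credentials at root context deserves a deliberate decision rather than a blanket replace. The same substitution is made in `doFillCredentialsIdItems` (GitHubSCMNavigator, GitHubSCMSource, SSHCheckoutTrait), `doCheckCredentialsId`, `doValidateRepositoryUrlAndCredentials`, `doFillOrganizationItems` and `doFillRepositoryItems`. Unless that is intended, keep `!Jenkins.get().hasPermission(Jenkins.ADMINISTER)` in those credential-bearing guards and lower only `Endpoint.doCheckApiUri` and the config page permission. The method body continues outside the hunk, so what is done with the credential is inferred.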
diff --git a/src/main/java/org/jenkinsci/plugins/github_branch_source/Endpoint.java b/src/main/java/org/jenkinsci/plugins/github_branch_source/Endpoint.java index 548a8e3cd..8c6539002 100644 --- a/src/main/java/org/jenkinsci/plugins/github_branch_source/Endpoint.java +++ b/src/main/java/org/jenkinsci/plugins/github_branch_source/Endpoint.java @@ -130,7 +130,7 @@ public String getDisplayName() { @RequirePOST @Restricted(NoExternalUse.class) public FormValidation doCheckApiUri(@QueryParameter String apiUri) { - Jenkins.get().checkPermission(Jenkins.ADMINISTER); + Jenkins.get().checkPermission(Jenkins.MANAGE); if (Util.fixEmptyAndTrim(apiUri) == null) { return FormValidation.warning("You must specify the API URL"); } diff --git a/src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubConfiguration.java b/src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubConfiguration.java index f88f197ab..5360b3d8e 100644 --- a/src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubConfiguration.java +++ b/src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubConfiguration.java @@ -27,6 +27,7 @@ import edu.umd.cs.findbugs.annotations.CheckForNull; import edu.umd.cs.findbugs.annotations.NonNull; import hudson.Extension; +import hudson.security.Permission; import hudson.util.ListBoxModel; import java.net.URI; import java.net.URISyntaxException; @@ -38,6 +39,7 @@ import java.util.Locale; import java.util.Set; import jenkins.model.GlobalConfiguration; +import jenkins.model.Jenkins; import net.sf.json.JSONObject; import org.apache.commons.lang.StringUtils; import org.kohsuke.stapler.StaplerRequest; @@ -232,4 +234,10 @@ public ListBoxModel doFillApiRateLimitCheckerItems() { } return items; } + + @NonNull + @Override + public Permission getRequiredGlobalConfigPagePermission() { + return Jenkins.MANAGE; + } } 
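Review bot: `doCheckApiUri` carries no comment on why Overall/Manage is enough, and the check guards more than form validation: the test `canPostAsAdmin_doCheckApiUri` asserts `TestRoot.get().visited`, which suggests the method makes the controller request the submitted URL. A Manage user can then choose the destination of an outbound request from the controller, which is inherent to configuring an endpoint but worth stating next to the check. I would add above it `// Overall/Manage may probe an endpoint URL: the controller connects to apiUri (JENKINS-73053)`. The rest of the method is outside the hunk.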
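Review bot: `getRequiredGlobalConfigPagePermission()` has no Javadoc, and it opens the whole GitHubConfiguration section to Overall/Manage, not only the endpoint list; the context just above it shows `doFillApiRateLimitCheckerItems`, so the rate-limit checker setting presumably sits on the same page. I would document the decision, e.g. `/** Overall/Manage is sufficient: this page holds endpoint URLs and the rate-limit strategy, no credentials (JENKINS-73053). */`, after confirming that the statement holds for every field the page binds.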
diff --git a/src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMNavigator.java b/src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMNavigator.java index 868e5311e..13e4c3a17 100644 --- a/src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMNavigator.java +++ b/src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMNavigator.java @@ -1800,7 +1800,7 @@ public ListBoxModel doFillCredentialsIdItems( @QueryParameter String apiUri, @QueryParameter String credentialsId) { if (context == null - ? !Jenkins.get().hasPermission(Jenkins.ADMINISTER) + ? !Jenkins.get().hasPermission(Jenkins.MANAGE) : !context.hasPermission(Item.EXTENDED_READ)) { return new StandardListBoxModel().includeCurrentValue(credentialsId); } diff --git a/src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMSource.java b/src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMSource.java index f0a174a93..7e1d00f1f 100644 --- a/src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMSource.java +++ b/src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMSource.java @@ -2069,7 +2069,7 @@ public ListBoxModel doFillCredentialsIdItems( @QueryParameter String apiUri, @QueryParameter String credentialsId) { if (context == null - ? !Jenkins.get().hasPermission(Jenkins.ADMINISTER) + ? !Jenkins.get().hasPermission(Jenkins.MANAGE) : !context.hasPermission(Item.EXTENDED_READ)) { return new StandardListBoxModel().includeCurrentValue(credentialsId); } 
@@ -2102,7 +2102,7 @@ public FormValidation doValidateRepositoryUrlAndCredentials( @QueryParameter String repositoryUrl, @QueryParameter String credentialsId, @QueryParameter String repoOwner) { - if (context == null && !Jenkins.get().hasPermission(Jenkins.ADMINISTER) + if (context == null && !Jenkins.get().hasPermission(Jenkins.MANAGE) || context != null && !context.hasPermission(Item.EXTENDED_READ)) { return FormValidation.error( "Unable to validate repository information"); // not supposed to be seeing this form @@ -2249,7 +2249,7 @@ public ListBoxModel doFillOrganizationItems( if (credentialsId == null) { return new ListBoxModel(); } - if (context == null && !Jenkins.get().hasPermission(Jenkins.ADMINISTER) + if (context == null && !Jenkins.get().hasPermission(Jenkins.MANAGE) || context != null && !context.hasPermission(Item.EXTENDED_READ)) { return new ListBoxModel(); // not supposed to be seeing this form } @@ -2297,7 +2297,7 @@ public ListBoxModel doFillRepositoryItems( if (repoOwner == null) { return new ListBoxModel(); } - if (context == null && !Jenkins.get().hasPermission(Jenkins.ADMINISTER) + if (context == null && !Jenkins.get().hasPermission(Jenkins.MANAGE) || context != null && !context.hasPermission(Item.EXTENDED_READ)) { return new ListBoxModel(); // not supposed to be seeing this form } diff --git a/src/main/java/org/jenkinsci/plugins/github_branch_source/SSHCheckoutTrait.java b/src/main/java/org/jenkinsci/plugins/github_branch_source/SSHCheckoutTrait.java index 5737ab5a5..76b0e40e6 100644 --- a/src/main/java/org/jenkinsci/plugins/github_branch_source/SSHCheckoutTrait.java +++ b/src/main/java/org/jenkinsci/plugins/github_branch_source/SSHCheckoutTrait.java 
@@ -152,7 +152,7 @@ public ListBoxModel doFillCredentialsIdItems( @QueryParameter String apiUri, @QueryParameter String credentialsId) { if (context == null - ? !Jenkins.get().hasPermission(Jenkins.ADMINISTER) + ? !Jenkins.get().hasPermission(Jenkins.MANAGE) : !context.hasPermission(Item.EXTENDED_READ)) { return new StandardListBoxModel().includeCurrentValue(credentialsId); } @@ -181,7 +181,7 @@ public FormValidation doCheckCredentialsId( @QueryParameter String serverUrl, @QueryParameter String value) { if (context == null - ? !Jenkins.get().hasPermission(Jenkins.ADMINISTER) + ? !Jenkins.get().hasPermission(Jenkins.MANAGE) : !context.hasPermission(Item.EXTENDED_READ)) { return FormValidation.ok(); } diff --git a/src/test/java/org/jenkinsci/plugins/github_branch_source/EndpointTest.java b/src/test/java/org/jenkinsci/plugins/github_branch_source/EndpointTest.java index cf5aa8605..b470e6fc3 100644 --- a/src/test/java/org/jenkinsci/plugins/github_branch_source/EndpointTest.java +++ b/src/test/java/org/jenkinsci/plugins/github_branch_source/EndpointTest.java @@ -22,6 +22,7 @@ import org.htmlunit.HttpMethod; import org.htmlunit.Page; import org.htmlunit.WebRequest; +import org.htmlunit.html.HtmlPage; import org.htmlunit.util.NameValuePair; import org.junit.Before; import org.junit.Rule; @@ -45,7 +46,7 @@ public class EndpointTest { public void setUp() throws Exception { j.jenkins.setSecurityRealm(j.createDummySecurityRealm()); MockAuthorizationStrategy auth = new MockAuthorizationStrategy(); - auth.grant(Jenkins.ADMINISTER).everywhere().to("alice"); + auth.grant(Jenkins.MANAGE).everywhere().to("alice"); auth.grant(Jenkins.READ).everywhere().toEveryone(); j.jenkins.setAuthorizationStrategy(auth); testUrl = Util.rawEncode(j.getURL().toString() + "testroot/"); 
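Review bot: After this change to `setUp`, alice holds only `Jenkins.MANAGE`, yet the class keeps test names such as `canPostAsAdmin_doCheckApiUri`, so the names no longer say which permission is exercised. Rename them (for example `canPostAsManage_doCheckApiUri`) and consider keeping a second user with `Jenkins.ADMINISTER` so both levels stay covered. Whether a user with only `Jenkins.READ` is still rejected by `doCheckApiUri` is not visible in this hunk; if no existing test pins that, it is worth adding.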
@@ -90,6 +91,13 @@ public void canPostAsAdmin_doCheckApiUri() throws Exception { assertTrue(TestRoot.get().visited); } + @Test + @Issue("JENKINS-73053") + public void manageCanSetupEndpoints() throws Exception { + HtmlPage htmlPage = j.createWebClient().login("alice").goTo("manage/configure"); + assertTrue(htmlPage.getVisibleText().contains("GitHub Enterprise Servers")); + } + private String appendCrumb(String url) { return url + "&" + getCrumb(); } diff --git a/src/test/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMNavigatorTest.java b/src/test/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMNavigatorTest.java index f2c7ff4cf..957099b0a 100644 --- a/src/test/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMNavigatorTest.java +++ b/src/test/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMNavigatorTest.java @@ -458,7 +458,7 @@ public void doFillScanCredentials() throws Exception { try { r.jenkins.setSecurityRealm(r.createDummySecurityRealm()); MockAuthorizationStrategy mockStrategy = new MockAuthorizationStrategy(); - mockStrategy.grant(Jenkins.ADMINISTER).onRoot().to("admin"); + mockStrategy.grant(Jenkins.MANAGE).onRoot().to("admin"); mockStrategy.grant(Item.CONFIGURE).onItems(dummy).to("bob"); mockStrategy.grant(Item.EXTENDED_READ).onItems(dummy).to("jim"); r.jenkins.setAuthorizationStrategy(mockStrategy); diff --git a/src/test/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMSourceTest.java b/src/test/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMSourceTest.java index db4b06739..1a58db43e 100644 --- a/src/test/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMSourceTest.java +++ b/src/test/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMSourceTest.java 
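Review bot: `manageCanSetupEndpoints` only checks that the text "GitHub Enterprise Servers" is rendered on `manage/configure`; it does not show that a Manage user can save the form, nor that a login with only `Jenkins.READ` is kept out. Submitting the page, e.g. `j.submit(htmlPage.getFormByName("config"));`, and adding a negative case for a READ-only user would pin the permission boundary this commit moves. The string match also ties the test to the section's display name.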
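Review bot: The user granted `Jenkins.MANAGE` in `doFillScanCredentials` is still called "admin", which misleads when reading the assertions further down; the same applies to `GitHubSCMSourceTest.doFillCredentials` and the SSHCheckoutTraitTest hunk. Either rename it, `mockStrategy.grant(Jenkins.MANAGE).onRoot().to("manager");`, or keep the ADMINISTER grant and add a separate Manage user so both levels are exercised. The assertions that use the name are outside the hunk.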
@@ -739,7 +739,7 @@ public void doFillCredentials() throws Exception { try { r.jenkins.setSecurityRealm(r.createDummySecurityRealm()); MockAuthorizationStrategy mockStrategy = new MockAuthorizationStrategy(); - mockStrategy.grant(Jenkins.ADMINISTER).onRoot().to("admin"); + mockStrategy.grant(Jenkins.MANAGE).onRoot().to("admin"); mockStrategy.grant(Item.CONFIGURE).onItems(dummy).to("bob"); mockStrategy.grant(Item.EXTENDED_READ).onItems(dummy).to("jim"); r.jenkins.setAuthorizationStrategy(mockStrategy); diff --git a/src/test/java/org/jenkinsci/plugins/github_branch_source/SSHCheckoutTraitTest.java b/src/test/java/org/jenkinsci/plugins/github_branch_source/SSHCheckoutTraitTest.java index 4d601d656..5f7b44337 100644 --- a/src/test/java/org/jenkinsci/plugins/github_branch_source/SSHCheckoutTraitTest.java +++ b/src/test/java/org/jenkinsci/plugins/github_branch_source/SSHCheckoutTraitTest.java @@ -86,7 +86,7 @@ public void given__descriptor__when__displayingCredentials__then__contractEnforc try { j.jenkins.setSecurityRealm(j.createDummySecurityRealm()); MockAuthorizationStrategy mockStrategy = new MockAuthorizationStrategy(); - mockStrategy.grant(Jenkins.ADMINISTER).onRoot().to("admin"); + mockStrategy.grant(Jenkins.MANAGE).onRoot().to("admin"); mockStrategy.grant(Item.CONFIGURE).onItems(dummy).to("bob"); mockStrategy.grant(Item.EXTENDED_READ).onItems(dummy).to("jim"); j.jenkins.setAuthorizationStrategy(mockStrategy);