From f9e60801aae459b1a2034a7d2eb236e1356bdd8d Mon Sep 17 00:00:00 2001 From: Daniel Beck <1831569+daniel-beck@users.noreply.github.com> Date: Tue, 22 Aug 2023 14:29:58 +0200 Subject: [PATCH] Implement nicer property DSL for Job DSL and Pipeline (#144) * Implement nicer property DSL for Job DSL and Pipeline * Nicer output * Test fixes * Test fix * Simplify * Thanks Spotless * Add compatibility warning for DSL change * Restrictions, Javadoc, add support for 'userOrGroup' * Resolve TODOs, use SCM internal ID to allow loading * Fix typo * Adapt test --------- Co-authored-by: Daniel Beck --- pom.xml | 2 +- .../AuthorizationMatrixProperty.java | 20 +- .../security/AuthorizationMatrixProperty.java | 19 +- .../matrixauth/AuthorizationProperty.java | 195 ++++++++++++++++++ .../AuthorizationMatrixPropertyTest.java | 17 +- .../configuration-as-code-v2-ambiguous.yml | 12 +- .../casc/configuration-as-code-v2.yml | 12 +- .../casc/configuration-as-code-v3.yml | 13 +- 8 files changed, 248 insertions(+), 42 deletions(-) diff --git a/pom.xml b/pom.xml index cea843eb..49074724 100644 --- a/pom.xml +++ b/pom.xml @@ -27,7 +27,7 @@ 3.1.11 -SNAPSHOT jenkinsci/${project.artifactId}-plugin - 3.0 + 3.2 2.387.3 false diff --git a/src/main/java/com/cloudbees/hudson/plugins/folder/properties/AuthorizationMatrixProperty.java b/src/main/java/com/cloudbees/hudson/plugins/folder/properties/AuthorizationMatrixProperty.java index f3734e2a..075b8111 100644 --- a/src/main/java/com/cloudbees/hudson/plugins/folder/properties/AuthorizationMatrixProperty.java +++ b/src/main/java/com/cloudbees/hudson/plugins/folder/properties/AuthorizationMatrixProperty.java @@ -109,12 +109,13 @@ public AuthorizationMatrixProperty(Map> grante } } - @DataBoundConstructor // JENKINS-49199: Used for job-dsl - @Restricted(NoExternalUse.class) - public AuthorizationMatrixProperty(List permissions) { - for (String permission : permissions) { - add(permission); - } + /** + * Exists for reflective Job DSL / Pipeline use only. + */ + @DataBoundConstructor + @Restricted(DoNotUse.class) + public AuthorizationMatrixProperty(List entries) { + setEntries(entries); } @Override @@ -143,6 +144,13 @@ protected void setOwner(@NonNull AbstractFolder owner) { FolderContributor.record(owner); } + @Override + @Restricted(DoNotUse.class) + public List getEntries() { + // ReflectionUtils#getPublicProperty / PropertyDescriptor#getPropertyDescriptor can't find default methods + return AuthorizationProperty.super.getEntries(); + } + @Extension(optional = true) @Symbol("authorizationMatrix") public static class DescriptorImpl extends AbstractFolderPropertyDescriptor diff --git a/src/main/java/hudson/security/AuthorizationMatrixProperty.java b/src/main/java/hudson/security/AuthorizationMatrixProperty.java index a4637cf4..0770d416 100644 --- a/src/main/java/hudson/security/AuthorizationMatrixProperty.java +++ b/src/main/java/hudson/security/AuthorizationMatrixProperty.java @@ -134,13 +134,13 @@ public AuthorizationMatrixProperty(Map> grantedPermissio } } + /** + * Exists for reflective Job DSL / Pipeline use only. + */ + @Restricted(DoNotUse.class) @DataBoundConstructor - public AuthorizationMatrixProperty(List permissions) { - for (String str : permissions) { - if (str != null) { - this.add(str); - } - } + public AuthorizationMatrixProperty(List entries) { + setEntries(entries); } /** @@ -182,6 +182,13 @@ public Permission getEditingPermission() { return Item.CONFIGURE; } + @Override + @Restricted(DoNotUse.class) + public List getEntries() { + // ReflectionUtils#getPublicProperty / PropertyDescriptor#getPropertyDescriptor can't find default methods + return AuthorizationProperty.super.getEntries(); + } + @Extension @Symbol("authorizationMatrix") public static class DescriptorImpl extends JobPropertyDescriptor diff --git a/src/main/java/org/jenkinsci/plugins/matrixauth/AuthorizationProperty.java b/src/main/java/org/jenkinsci/plugins/matrixauth/AuthorizationProperty.java index f53a975a..2ad66bd9 100644 --- a/src/main/java/org/jenkinsci/plugins/matrixauth/AuthorizationProperty.java +++ b/src/main/java/org/jenkinsci/plugins/matrixauth/AuthorizationProperty.java @@ -23,11 +23,29 @@ */ package org.jenkinsci.plugins.matrixauth; +import edu.umd.cs.findbugs.annotations.NonNull; +import hudson.Extension; +import hudson.model.Describable; +import hudson.model.Descriptor; +import hudson.security.Permission; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Objects; +import java.util.SortedSet; +import java.util.TreeSet; +import java.util.stream.Collectors; +import jenkins.model.Jenkins; +import org.jenkinsci.Symbol; import org.jenkinsci.plugins.matrixauth.inheritance.InheritGlobalStrategy; import org.jenkinsci.plugins.matrixauth.inheritance.InheritanceStrategy; import org.jenkinsci.plugins.matrixauth.inheritance.NonInheritingStrategy; +import org.jenkinsci.plugins.matrixauth.integrations.PermissionFinder; import org.kohsuke.accmod.Restricted; +import org.kohsuke.accmod.restrictions.DoNotUse; import org.kohsuke.accmod.restrictions.NoExternalUse; +import org.kohsuke.stapler.DataBoundConstructor; @Restricted(NoExternalUse.class) public interface AuthorizationProperty extends AuthorizationContainer { @@ -72,4 +90,181 @@ default void setBlocksInheritance(boolean blocksInheritance) { default boolean isBlocksInheritance() { return getInheritanceStrategy() instanceof NonInheritingStrategy; } + + /** + * Set entries from DSL in Job DSL or Pipeline plugins. + * + * @param entries list of entries to use for permission assignment + */ + @Restricted(DoNotUse.class) + default void setEntries(List entries) { + for (DslEntry entry : entries) { + entry.addPermission(this); + } + } + + /** + * Getter supporting nicer DSL syntax for Job DSL and Pipeline job property definitions. + * @return a list of {@link DslEntry} + */ + default List getEntries() { + final Map> mapping = new HashMap<>(); + getGrantedPermissionEntries() + .forEach((permission, value) -> + value.forEach(sid -> mapping.computeIfAbsent(sid, unused -> new TreeSet<>()) + .add(permission.group.getId() + "/" + permission.name))); + return mapping.entrySet().stream() + .map(e -> { + final PermissionEntry key = e.getKey(); + if (key.getType() == AuthorizationType.USER) { + return new DslUser(key.getSid(), new ArrayList<>(e.getValue())); + } + if (key.getType() == AuthorizationType.GROUP) { + return new DslGroup(key.getSid(), new ArrayList<>(e.getValue())); + } + if (key.getType() == AuthorizationType.EITHER) { + return new DslUserOrGroup(key.getSid(), new ArrayList<>(e.getValue())); + } + throw new IllegalStateException("Got unexpected key type in: " + key); + }) + .distinct() + .sorted() + .collect(Collectors.toList()); + } + + /** + * Common superclass for {@link DslUser}, {@link DslGroup}, and {@link DslUserOrGroup}, supporting nicer DSLs + * for Job DSL and Pipeline Job definitions/reconfigurations. + * Job DSL and Pipeline use this for {@link hudson.security.AuthorizationMatrixProperty}. + * Job DSL additionally uses this for {@link com.cloudbees.hudson.plugins.folder.properties.AuthorizationMatrixProperty}. + */ + @Restricted(NoExternalUse.class) + abstract class DslEntry implements Describable, Comparable { + private final String name; + private final List permissions; + + /** + * + * @param name the sid of the DSL entity + * @param permissions the list of string-typed permissions + */ + public DslEntry(String name, List permissions) { + this.name = name; + this.permissions = permissions; + } + + public String getName() { + return name; + } + + public List getPermissions() { + return permissions; + } + + @Override + public Descriptor getDescriptor() { + return Jenkins.get().getDescriptorOrDie(getClass()); + } + + @Override + public boolean equals(Object o) { + if (this == o) return true; + if (o == null || getClass() != o.getClass()) return false; + DslEntry that = (DslEntry) o; + return Objects.equals(name, that.name) && Objects.equals(permissions, that.permissions); + } + + @Override + public int hashCode() { + return Objects.hash(name, permissions, getClass()); + } + + @Override + public int compareTo(@NonNull DslEntry that) { + if (this.getClass() != that.getClass()) { + return this.getClass().getName().compareTo(that.getClass().getName()); + } + if (!this.name.equals(that.name)) { + return this.name.compareTo(that.name); + } + return this.permissions.size() - that.permissions.size(); + } + + public abstract void addPermission(AuthorizationProperty authorizationProperty); + + protected static Permission findPermission(String value) { + final Permission permission = Permission.fromId(value); + if (permission != null) { + return permission; + } + return PermissionFinder.findPermission(value); + } + } + + /** + * Represents a user being assigned permissions. + */ + @Restricted(NoExternalUse.class) + class DslUser extends DslEntry { + @DataBoundConstructor + public DslUser(String name, List permissions) { + super(name, permissions); + } + + @Override + public void addPermission(AuthorizationProperty authorizationProperty) { + getPermissions() + .forEach(permission -> + authorizationProperty.add(findPermission(permission), PermissionEntry.user(getName()))); + } + + @Extension + @Symbol("user") + public static class DescriptorImpl extends Descriptor {} + } + + /** + * Represents a group being assigned permissions. + */ + @Restricted(NoExternalUse.class) + class DslGroup extends DslEntry { + @DataBoundConstructor + public DslGroup(String name, List permissions) { + super(name, permissions); + } + + @Override + public void addPermission(AuthorizationProperty authorizationProperty) { + getPermissions() + .forEach(permission -> + authorizationProperty.add(findPermission(permission), PermissionEntry.group(getName()))); + } + + @Extension + @Symbol("group") + public static class DescriptorImpl extends Descriptor {} + } + + /** + * Represents a user or group being assigned permissions. + * Generally discouraged "ambiguous" permission assignments. + */ + @Restricted(NoExternalUse.class) + class DslUserOrGroup extends DslEntry { + @DataBoundConstructor + public DslUserOrGroup(String name, List permissions) { + super(name, permissions); + } + + @Override + public void addPermission(AuthorizationProperty authorizationProperty) { + getPermissions() + .forEach(permission -> authorizationProperty.add( + findPermission(permission), new PermissionEntry(AuthorizationType.EITHER, getName()))); + } + + @Extension + @Symbol("userOrGroup") + public static class DescriptorImpl extends Descriptor {} + } } diff --git a/src/test/java/hudson/security/AuthorizationMatrixPropertyTest.java b/src/test/java/hudson/security/AuthorizationMatrixPropertyTest.java index b7a4955a..9b4df5d4 100644 --- a/src/test/java/hudson/security/AuthorizationMatrixPropertyTest.java +++ b/src/test/java/hudson/security/AuthorizationMatrixPropertyTest.java @@ -40,8 +40,7 @@ public void testSnippetizer() throws Exception { SnippetizerTester tester = new SnippetizerTester(j); tester.assertRoundTrip( new JobPropertyStep(Collections.singletonList(property)), - "properties([authorizationMatrix(inheritanceStrategy: nonInheriting(), " - + "permissions: ['hudson.model.Item.Configure:alice', 'hudson.model.Item.Read:alice', 'hudson.model.Item.Read:bob', 'hudson.scm.SCM.Tag:bob'])])"); + "properties([authorizationMatrix(entries: [userOrGroup(name: 'alice', permissions: ['Job/Configure', 'Job/Read']), userOrGroup(name: 'bob', permissions: ['Job/Read', 'SCM/Tag'])], inheritanceStrategy: nonInheriting())])"); } @Test @@ -56,8 +55,7 @@ public void testSnippetizer2() throws Exception { SnippetizerTester tester = new SnippetizerTester(j); tester.assertRoundTrip( new JobPropertyStep(Collections.singletonList(property)), - "properties([authorizationMatrix(inheritanceStrategy: nonInheriting(), " - + "permissions: ['USER:hudson.model.Item.Configure:alice', 'USER:hudson.model.Item.Read:alice', 'USER:hudson.model.Item.Read:bob', 'USER:hudson.scm.SCM.Tag:bob'])])"); + "properties([authorizationMatrix(entries: [user(name: 'alice', permissions: ['Job/Configure', 'Job/Read']), user(name: 'bob', permissions: ['Job/Read', 'SCM/Tag'])], inheritanceStrategy: nonInheriting())])"); } @Test @@ -79,8 +77,7 @@ public void testSnippetizerInapplicablePermission() throws Exception { SnippetizerTester tester = new SnippetizerTester(j); tester.assertRoundTrip( new JobPropertyStep(Collections.singletonList(property)), - "properties([authorizationMatrix(inheritanceStrategy: nonInheriting(), " - + "permissions: ['hudson.model.Item.Configure:alice', 'hudson.model.Item.Read:alice', 'hudson.model.Item.Read:bob', 'hudson.scm.SCM.Tag:bob'])])"); + "properties([authorizationMatrix(entries: [userOrGroup(name: 'alice', permissions: ['Job/Configure', 'Job/Read']), userOrGroup(name: 'bob', permissions: ['Job/Read', 'SCM/Tag'])], inheritanceStrategy: nonInheriting())])"); Assert.assertTrue(l.getMessages().stream() .anyMatch(m -> m.contains("Tried to add inapplicable permission") @@ -126,16 +123,16 @@ public void testPipelineReconfiguration() throws Exception { project.setDefinition(new CpsFlowDefinition( "properties([authorizationMatrix(inheritanceStrategy: nonInheriting(), " - + "permissions: ['hudson.model.Item.Read:bob', 'hudson.model.Item.Configure:bob', 'hudson.scm.SCM.Tag:bob'])])", + + "entries: [user(name: 'bob', permissions: ['Job/Read', 'Job/Configure', 'hudson.scm.SCM.Tag'])])])", true)); j.buildAndAssertSuccess(project); // let's look ast the property AuthorizationMatrixProperty property = project.getProperty(AuthorizationMatrixProperty.class); Assert.assertTrue(property.getInheritanceStrategy() instanceof NonInheritingStrategy); - Assert.assertEquals(3, property.getGrantedPermissions().size()); + Assert.assertEquals(0, property.getGrantedPermissions().size()); // Unambiguous permissions are 0 Assert.assertEquals(3, property.getGrantedPermissionEntries().size()); - Assert.assertEquals("bob", property.getGroups().toArray()[0]); + Assert.assertEquals(0, property.getGroups().size()); // now bob has access, including configure j.createWebClient().login("bob").goTo(project.getUrl()); @@ -179,7 +176,7 @@ public void testPipelineReconfiguration2() throws Exception { project.setDefinition(new CpsFlowDefinition( "properties([authorizationMatrix(inheritanceStrategy: nonInheriting(), " - + "permissions: ['USER:hudson.model.Item.Read:bob', 'USER:hudson.model.Item.Configure:bob', 'USER:hudson.scm.SCM.Tag:bob'])])", + + "entries: [user(name: 'bob', permissions: ['Job/Read', 'Job/Configure', 'hudson.scm.SCM.Tag'])])])", true)); j.buildAndAssertSuccess(project); diff --git a/src/test/resources/org/jenkinsci/plugins/matrixauth/integrations/casc/configuration-as-code-v2-ambiguous.yml b/src/test/resources/org/jenkinsci/plugins/matrixauth/integrations/casc/configuration-as-code-v2-ambiguous.yml index 4b9a2d0f..42011782 100644 --- a/src/test/resources/org/jenkinsci/plugins/matrixauth/integrations/casc/configuration-as-code-v2-ambiguous.yml +++ b/src/test/resources/org/jenkinsci/plugins/matrixauth/integrations/casc/configuration-as-code-v2-ambiguous.yml @@ -62,12 +62,12 @@ jobs: inheritanceStrategy { nonInheriting() } - permissions([ - 'Job/Build:authenticated', - 'Job/Configure:authenticated', - 'Job/Delete:authenticated', - 'Job/Read:authenticated', - ]) + entries { + group { + name('authenticated') + permissions([ 'Job/Build', 'Job/Configure', 'Job/Delete', 'Job/Read' ]) + } + } } } } \ No newline at end of file diff --git a/src/test/resources/org/jenkinsci/plugins/matrixauth/integrations/casc/configuration-as-code-v2.yml b/src/test/resources/org/jenkinsci/plugins/matrixauth/integrations/casc/configuration-as-code-v2.yml index 2633cb80..24f5910a 100644 --- a/src/test/resources/org/jenkinsci/plugins/matrixauth/integrations/casc/configuration-as-code-v2.yml +++ b/src/test/resources/org/jenkinsci/plugins/matrixauth/integrations/casc/configuration-as-code-v2.yml @@ -62,12 +62,12 @@ jobs: inheritanceStrategy { nonInheriting() } - permissions([ - 'GROUP:Job/Build:authenticated', - 'GROUP:Job/Configure:authenticated', - 'GROUP:Job/Delete:authenticated', - 'GROUP:Job/Read:authenticated', - ]) + entries { + group { + name('authenticated') + permissions([ 'Job/Build', 'Job/Configure', 'Job/Delete', 'Job/Read' ]) + } + } } } } \ No newline at end of file diff --git a/src/test/resources/org/jenkinsci/plugins/matrixauth/integrations/casc/configuration-as-code-v3.yml b/src/test/resources/org/jenkinsci/plugins/matrixauth/integrations/casc/configuration-as-code-v3.yml index 2420505f..db8a9a75 100644 --- a/src/test/resources/org/jenkinsci/plugins/matrixauth/integrations/casc/configuration-as-code-v3.yml +++ b/src/test/resources/org/jenkinsci/plugins/matrixauth/integrations/casc/configuration-as-code-v3.yml @@ -82,13 +82,12 @@ jobs: inheritanceStrategy { nonInheriting() } - /* TODO Adapt to https://github.com/jenkinsci/matrix-auth-plugin/pull/144 once that's merged */ - permissions([ - 'GROUP:Job/Build:authenticated', - 'GROUP:Job/Configure:authenticated', - 'GROUP:Job/Delete:authenticated', - 'GROUP:Job/Read:authenticated', - ]) + entries { + group { + name('authenticated') + permissions([ 'Job/Build', 'Job/Configure', 'Job/Delete', 'Job/Read' ]) + } + } } } } \ No newline at end of file