Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixes Jenkins.SYSTEM_READ support #825

Merged
merged 3 commits into from
Apr 3, 2023
Merged

Fixes Jenkins.SYSTEM_READ support #825

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
ada12a2
Fixes Jenkins.SYSTEM_READ support
Vlatombe Mar 30, 2023
c508f14
Convert more calls to check for SYSTEM_READ instead of ADMINISTER
Vlatombe Mar 31, 2023
c3c0e77
Merge branch 'master' into fix-readonly-configuration
Vlatombe Apr 3, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
31 changes: 16 additions & 15 deletions src/main/java/hudson/plugins/ec2/AmazonEC2Cloud.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -166,7 +166,9 @@ public String getDisplayName() {

@POST
public FormValidation doCheckCloudName(@QueryParameter String value) {
Jenkins.get().checkPermission(Jenkins.ADMINISTER);
if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
return FormValidation.ok();
}
try {
Jenkins.checkGoodName(value);
} catch (Failure e) {
Expand Down Expand Up @@ -205,22 +207,21 @@ public ListBoxModel doFillRegionItems(
@QueryParameter String credentialsId)

throws IOException, ServletException {
Jenkins.get().checkPermission(Jenkins.ADMINISTER);

ListBoxModel model = new ListBoxModel();

try {
AWSCredentialsProvider credentialsProvider = createCredentialsProvider(useInstanceProfileForCredentials,
credentialsId);
AmazonEC2 client = AmazonEC2Factory.getInstance().connect(credentialsProvider, determineEC2EndpointURL(altEC2Endpoint));
DescribeRegionsResult regions = client.describeRegions();
List<Region> regionList = regions.getRegions();
for (Region r : regionList) {
String name = r.getRegionName();
model.add(name, name);
if (Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
try {
AWSCredentialsProvider credentialsProvider = createCredentialsProvider(useInstanceProfileForCredentials,
credentialsId);
AmazonEC2 client = AmazonEC2Factory.getInstance().connect(credentialsProvider, determineEC2EndpointURL(altEC2Endpoint));
DescribeRegionsResult regions = client.describeRegions();
List<Region> regionList = regions.getRegions();
for (Region r : regionList) {
String name = r.getRegionName();
model.add(name, name);
}
} catch (SdkClientException ex) {
// Ignore, as this may happen before the credentials are specified
}
} catch (SdkClientException ex) {
// Ignore, as this may happen before the credentials are specified
}
return model;
}
Expand Down
4 changes: 3 additions & 1 deletion src/main/java/hudson/plugins/ec2/EC2AbstractSlave.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -829,7 +829,9 @@ public ListBoxModel doFillZoneItems(@QueryParameter boolean useInstanceProfileFo
@QueryParameter String region,
@QueryParameter String roleArn,
@QueryParameter String roleSessionName) {
Jenkins.get().checkPermission(Jenkins.ADMINISTER);
if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
return new ListBoxModel();
}
AWSCredentialsProvider credentialsProvider = EC2Cloud.createCredentialsProvider(useInstanceProfileForCredentials, credentialsId, roleArn, roleSessionName, region);
return fillZoneItems(credentialsProvider, region);
}
Expand Down
49 changes: 27 additions & 22 deletions src/main/java/hudson/plugins/ec2/EC2Cloud.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,7 @@
import com.cloudbees.plugins.credentials.CredentialsScope;
import com.cloudbees.plugins.credentials.CredentialsStore;
import com.cloudbees.plugins.credentials.SystemCredentialsProvider;
import com.cloudbees.plugins.credentials.common.AbstractIdCredentialsListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.domains.Domain;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
Expand Down Expand Up @@ -1086,34 +1087,35 @@ public InstanceType[] getInstanceTypes() {

@POST
public FormValidation doCheckUseInstanceProfileForCredentials(@QueryParameter boolean value) {
Jenkins.get().checkPermission(Jenkins.ADMINISTER);
if (value) {
try {
new InstanceProfileCredentialsProvider(false).getCredentials();
} catch (AmazonClientException e) {
return FormValidation.error(Messages.EC2Cloud_FailedToObtainCredentialsFromEC2(), e.getMessage());
}
if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER) || !value) {
return FormValidation.ok();
}
try {
new InstanceProfileCredentialsProvider(false).getCredentials();
return FormValidation.ok();
} catch (AmazonClientException e) {
return FormValidation.error(Messages.EC2Cloud_FailedToObtainCredentialsFromEC2(), e.getMessage());
}

return FormValidation.ok();
}

@POST
public ListBoxModel doFillSshKeysCredentialsIdItems(@AncestorInPath ItemGroup context, @QueryParameter String sshKeysCredentialsId) {
Jenkins.get().checkPermission(Jenkins.ADMINISTER);

StandardListBoxModel result = new StandardListBoxModel();

return result
.includeMatchingAs(Jenkins.getAuthentication(), context, SSHUserPrivateKey.class, Collections.<DomainRequirement>emptyList(), CredentialsMatchers.always())
.includeMatchingAs(ACL.SYSTEM, context, SSHUserPrivateKey.class, Collections.<DomainRequirement>emptyList(), CredentialsMatchers.always())
.includeCurrentValue(sshKeysCredentialsId);
AbstractIdCredentialsListBoxModel result = new StandardListBoxModel();
if (Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
result = result
.includeMatchingAs(Jenkins.getAuthentication(), context, SSHUserPrivateKey.class, Collections.<DomainRequirement>emptyList(), CredentialsMatchers.always())
.includeMatchingAs(ACL.SYSTEM, context, SSHUserPrivateKey.class, Collections.<DomainRequirement>emptyList(), CredentialsMatchers.always())
.includeCurrentValue(sshKeysCredentialsId);
}
return result;
}

@RequirePOST
public FormValidation doCheckSshKeysCredentialsId(@AncestorInPath ItemGroup context, @QueryParameter String value) throws IOException, ServletException {
Jenkins.get().checkPermission(Jenkins.ADMINISTER);

if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
// Don't do anything if the user is only reading the configuration
return FormValidation.ok();
}
if (value == null || value.isEmpty()){
return FormValidation.error("No ssh credentials selected");
}
Expand Down Expand Up @@ -1163,9 +1165,10 @@ public FormValidation doCheckSshKeysCredentialsId(@AncestorInPath ItemGroup cont
@POST
protected FormValidation doTestConnection(@AncestorInPath ItemGroup context, URL ec2endpoint, boolean useInstanceProfileForCredentials, String credentialsId, String sshKeysCredentialsId, String roleArn, String roleSessionName, String region)
throws IOException, ServletException {
Jenkins.get().checkPermission(Jenkins.ADMINISTER);
if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
return FormValidation.ok();
}
try {

SSHUserPrivateKey sshCredential = getSshCredential(sshKeysCredentialsId, context);
String privateKey = "";
if (sshCredential != null) {
Expand Down Expand Up @@ -1196,7 +1199,9 @@ protected FormValidation doTestConnection(@AncestorInPath ItemGroup context, URL

@RequirePOST
public ListBoxModel doFillCredentialsIdItems(@AncestorInPath ItemGroup context) {
Jenkins.get().checkPermission(Jenkins.ADMINISTER);
if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
return new StandardListBoxModel();
}
return new StandardListBoxModel()
.includeEmptyValue()
.includeMatchingAs(ACL.SYSTEM, context, AmazonWebServicesCredentials.class, Collections.emptyList(), CredentialsMatchers.always());
Expand Down
29 changes: 12 additions & 17 deletions src/main/java/hudson/plugins/ec2/EC2Step.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -88,30 +88,25 @@ public String getDisplayName() {

@POST
public ListBoxModel doFillCloudItems() {
Jenkins.get().checkPermission(Jenkins.ADMINISTER);
Jenkins.get().checkPermission(Jenkins.SYSTEM_READ);
ListBoxModel r = new ListBoxModel();
r.add("", "");
Jenkins.CloudList clouds = jenkins.model.Jenkins.get().clouds;
for (Cloud cList : clouds) {
if (cList instanceof AmazonEC2Cloud) {
r.add(cList.getDisplayName(), cList.getDisplayName());
}
}
Jenkins.get().clouds
.getAll(AmazonEC2Cloud.class)
.forEach(c -> r.add(c.getDisplayName(), c.getDisplayName()));
return r;
}

@POST
public ListBoxModel doFillTemplateItems(@QueryParameter String cloud) {
Jenkins.get().checkPermission(Jenkins.ADMINISTER);
cloud = Util.fixEmpty(cloud);
public ListBoxModel doFillTemplateItems(@QueryParameter String cloudName) {
Jenkins.get().checkPermission(Jenkins.SYSTEM_READ);
ListBoxModel r = new ListBoxModel();
for (Cloud cList : jenkins.model.Jenkins.get().clouds) {
if (cList.getDisplayName().equals(cloud)) {
List<SlaveTemplate> templates = ((AmazonEC2Cloud) cList).getTemplates();
for (SlaveTemplate template : templates) {
for (String labelList : template.labels.split(" ")) {
r.add(labelList + " (AMI: " + template.getAmi() + ", REGION: " + ((AmazonEC2Cloud) cList).getRegion() + ", TYPE: " + template.type.name() + ")", labelList);
}
Cloud cloud = Jenkins.get().getCloud(Util.fixEmpty(cloudName));
if (cloud instanceof AmazonEC2Cloud) {
AmazonEC2Cloud ec2Cloud = (AmazonEC2Cloud) cloud;
for (SlaveTemplate template : ec2Cloud.getTemplates()) {
for (String labelList : template.labels.split(" ")) {
r.add(labelList + " (AMI: " + template.getAmi() + ", REGION: " + ec2Cloud.getRegion() + ", TYPE: " + template.type.name() + ")", labelList);
}
}
}
Expand Down