diff --git a/src/main/java/com/michelin/cio/hudson/plugins/rolestrategy/PermissionTemplate.java b/src/main/java/com/michelin/cio/hudson/plugins/rolestrategy/PermissionTemplate.java index 133698d3..4100236b 100644 --- a/src/main/java/com/michelin/cio/hudson/plugins/rolestrategy/PermissionTemplate.java +++ b/src/main/java/com/michelin/cio/hudson/plugins/rolestrategy/PermissionTemplate.java @@ -59,14 +59,13 @@ public PermissionTemplate(Set permissions, String name) { } /** - * Checks whether the template is used by one or more roles.# + * Checks whether the template is used by one or more roles. * * @return true when template is used. */ public boolean isUsed() { AuthorizationStrategy auth = Jenkins.get().getAuthorizationStrategy(); - ProjectNamingStrategy pns = Jenkins.get().getProjectNamingStrategy(); - if (auth instanceof RoleBasedAuthorizationStrategy && pns instanceof RoleBasedProjectNamingStrategy) { + if (auth instanceof RoleBasedAuthorizationStrategy) { RoleBasedAuthorizationStrategy rbas = (RoleBasedAuthorizationStrategy) auth; Map> roleMap = rbas.getGrantedRolesEntries(RoleType.Project); for (Role role : roleMap.keySet()) { diff --git a/src/main/java/com/michelin/cio/hudson/plugins/rolestrategy/Role.java b/src/main/java/com/michelin/cio/hudson/plugins/rolestrategy/Role.java index 68e53af6..60db43bf 100644 --- a/src/main/java/com/michelin/cio/hudson/plugins/rolestrategy/Role.java +++ b/src/main/java/com/michelin/cio/hudson/plugins/rolestrategy/Role.java @@ -29,6 +29,7 @@ import hudson.Util; import hudson.security.AccessControlled; import hudson.security.Permission; +import java.util.Collection; import java.util.Collections; import java.util.HashSet; import java.util.Objects; 
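Review bot: `isUsed()` still reads the role list from `Jenkins.get().getAuthorizationStrategy()` rather than from the strategy that owns this template, and the new `doRemoveTemplates` endpoint in RoleBasedAuthorizationStrategy.java relies on it to decide whether a template may be deleted without `force`. If the strategy handling a request is ever not the one installed on the Jenkins instance, the check would look at a different object and could report an in-use template as unused. A comment on the method such as `// Only inspects the currently installed strategy; call this on templates of that strategy.` would make the assumption explicit. The loop over `roleMap.keySet()` continues outside the hunk, so the rest of the method is not visible here.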
@@ -38,6 +39,8 @@ import java.util.regex.Pattern; import org.apache.commons.collections.CollectionUtils; import org.jenkinsci.plugins.rolestrategy.permissions.PermissionHelper; +import org.kohsuke.accmod.Restricted; +import org.kohsuke.accmod.restrictions.NoExternalUse; import org.kohsuke.stapler.DataBoundConstructor; /** @@ -198,9 +201,13 @@ private void setPermissions(Set permissions) { } /** - * Updates the permissions from the used template. + * Updates the permissions from the template matching the name. + * + * @param permissionTemplates List of templates to look for + * @deprecated Use {@link #refreshPermissionsFromTemplate(PermissionTemplate)} */ - public void refreshPermissionsFromTemplate(Set permissionTemplates) { + @Deprecated + public void refreshPermissionsFromTemplate(Collection permissionTemplates) { if (Util.fixEmptyAndTrim(templateName) != null) { boolean found = false; for (PermissionTemplate pt : permissionTemplates) { @@ -216,6 +223,20 @@ public void refreshPermissionsFromTemplate(Set permissionTem } } + /** + * Updates the permissions from the given template. + * + * The name of the given template must match the configured template name in the role. + * + * @param permissionTemplate PermissionTemplate + */ + @Restricted(NoExternalUse.class) + public void refreshPermissionsFromTemplate(@CheckForNull PermissionTemplate permissionTemplate) { + if (permissionTemplate != null && templateName != null && templateName.equals(permissionTemplate.getName())) { + setPermissions(permissionTemplate.getPermissions()); + } + } + /** * Gets the role description. * diff --git a/src/main/java/com/michelin/cio/hudson/plugins/rolestrategy/RoleBasedAuthorizationStrategy.java b/src/main/java/com/michelin/cio/hudson/plugins/rolestrategy/RoleBasedAuthorizationStrategy.java index 1644bfd0..7268ed11 100644 --- a/src/main/java/com/michelin/cio/hudson/plugins/rolestrategy/RoleBasedAuthorizationStrategy.java 
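Review bot: Widening the parameter from `Set` to `Collection` changes the erased method signature, so code already compiled against `refreshPermissionsFromTemplate(Set)` would fail to link at runtime even though its source still compiles. The `@deprecated` tag also sends callers to the single-template overload, which this commit marks `@Restricted(NoExternalUse.class)`, so external callers are pointed at a method they are not allowed to use. Either keep a `Set` overload that delegates to the `Collection` one, or reword the tag, for example `@deprecated no replacement for external callers; templates are applied by the strategy`. The method body continues outside the hunk.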
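Review bot: The new overload returns without doing anything when the template is null or its name differs from `templateName`, and the rewritten `refreshPermissionsFromTemplate()` in RoleBasedAuthorizationStrategy.java passes `permissionTemplates.get(role.getTemplateName())` straight in. A role that names a template which no longer exists therefore keeps the permissions it copied last, and nothing is logged. What the deprecated overload does when no template is found is outside the hunk, so this may be a behaviour change. The Javadoc should state it, e.g. `Does nothing when the template is null or its name does not match; the role then keeps its current permissions.`, and the caller could log a warning naming the role and the missing template. Separately, a call with a literal `null` argument is now ambiguous between the two overloads.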
+++ b/src/main/java/com/michelin/cio/hudson/plugins/rolestrategy/RoleBasedAuthorizationStrategy.java @@ -70,8 +70,10 @@ import java.util.HashSet; import java.util.List; import java.util.Map; +import java.util.Objects; import java.util.Set; import java.util.SortedMap; +import java.util.TreeMap; import java.util.TreeSet; import java.util.logging.Level; import java.util.logging.Logger; @@ -79,6 +81,7 @@ import java.util.regex.PatternSyntaxException; import java.util.stream.Collectors; import javax.servlet.ServletException; +import javax.servlet.http.HttpServletResponse; import jenkins.model.Jenkins; import net.sf.json.JSONObject; import org.acegisecurity.acls.sid.PrincipalSid; @@ -94,6 +97,7 @@ import org.kohsuke.stapler.StaplerResponse; import org.kohsuke.stapler.interceptor.RequirePOST; import org.kohsuke.stapler.verb.GET; +import org.kohsuke.stapler.verb.POST; /** * Role-based authorization strategy. @@ -115,7 +119,7 @@ public class RoleBasedAuthorizationStrategy extends AuthorizationStrategy { private final RoleMap agentRoles; private final RoleMap globalRoles; private final RoleMap itemRoles; - private Set permissionTemplates; + private Map permissionTemplates; /** * Create new RoleBasedAuthorizationStrategy. @@ -124,7 +128,7 @@ public RoleBasedAuthorizationStrategy() { agentRoles = new RoleMap(); globalRoles = new RoleMap(); itemRoles = new RoleMap(); - permissionTemplates = new TreeSet<>(); + permissionTemplates = new TreeMap<>(); } /** 
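Review bot: `permissionTemplates` is now a plain `TreeMap` that the new `doAddTemplate` and `doRemoveTemplates` handlers mutate in place with `put` and `remove`, while `getPermissionTemplates()`, the converter's `marshal` and `refreshPermissionsFromTemplate()` read or iterate it. Nothing visible in this diff serializes those request handlers, so two overlapping API calls, or a call that overlaps a save, could observe the map in an inconsistent state. If no outer lock exists elsewhere in the class, a sorted concurrent map keeps the ordering: `permissionTemplates = new ConcurrentSkipListMap<>();`. The field is also reassigned in `doTemplatesSubmit`, so readers should take the reference once per operation.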
@@ -143,7 +147,13 @@ public RoleBasedAuthorizationStrategy(Map grantedRoles) { * @param permissionTemplates the permission templates in the strategy */ public RoleBasedAuthorizationStrategy(Map grantedRoles, @CheckForNull Set permissionTemplates) { - this.permissionTemplates = permissionTemplates == null ? Collections.emptySet() : new TreeSet<>(permissionTemplates); + + this.permissionTemplates = new TreeMap<>(); + if (permissionTemplates != null) { + for (PermissionTemplate template : permissionTemplates) { + this.permissionTemplates.put(template.getName(), template); + } + } RoleMap map = grantedRoles.get(SLAVE); agentRoles = map == null ? new RoleMap() : map; @@ -162,7 +172,9 @@ public RoleBasedAuthorizationStrategy(Map grantedRoles, @CheckF private void refreshPermissionsFromTemplate() { SortedMap> roles = getGrantedRolesEntries(RoleBasedAuthorizationStrategy.PROJECT); for (Role role : roles.keySet()) { - role.refreshPermissionsFromTemplate(this.permissionTemplates); + if (Util.fixEmptyAndTrim(role.getTemplateName()) != null) { + role.refreshPermissionsFromTemplate(permissionTemplates.get(role.getTemplateName())); + } } } @@ -284,7 +296,16 @@ public SortedMap> getGrantedRoles(@NonNull RoleType type) { * @return set of permission templates. */ public Set getPermissionTemplates() { - return Collections.unmodifiableSet(permissionTemplates); + return Set.copyOf(permissionTemplates.values()); + } + + @CheckForNull + public PermissionTemplate getPermissionTemplate(String templateName) { + return permissionTemplates.get(templateName); + } + + public boolean hasPermissionTemplate(String name) { + return permissionTemplates.containsKey(name); } /** 
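Review bot: `Set.copyOf(permissionTemplates.values())` returns a set with unspecified iteration order, whereas the previous code returned an unmodifiable view of a `TreeSet`. Any caller that lists the templates (a view or an export, not visible in this diff) may now present them in a different order. `return Collections.unmodifiableSet(new TreeSet<>(permissionTemplates.values()));` keeps the snapshot semantics and the previous ordering. The new public accessors `getPermissionTemplate` and `hasPermissionTemplate` have no Javadoc; one line each, such as `/** Returns the template with the given name, or null if none exists. */`, would match the rest of the class.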
@@ -391,11 +412,76 @@ private static void checkAdminPerm() { instance().checkPermission(Jenkins.ADMINISTER); } + /** + * API method to add a permission template. + * + * An existing template with the same will only be replaced when overwrite is set. Otherwise, the request will fail with status + * 400 + * + * @param name The template nae + * @param permissionIds Comma separated list of permission IDs + * @param overwrite If an existing template should be overwritten + */ + @POST + @Restricted(NoExternalUse.class) + public void doAddTemplate(@QueryParameter(required = true) String name, + @QueryParameter(required = true) String permissionIds, + @QueryParameter(required = false) boolean overwrite) + throws IOException { + checkAdminPerm(); + List permissionList = Arrays.asList(permissionIds.split(",")); + Set permissionSet = PermissionHelper.fromStrings(permissionList, true); + PermissionTemplate template = new PermissionTemplate(permissionSet, name); + if (!overwrite && hasPermissionTemplate(name)) { + Stapler.getCurrentResponse().sendError(HttpServletResponse.SC_BAD_REQUEST, "A template with name " + name + " already exists."); + return; + } + permissionTemplates.put(name, template); + refreshPermissionsFromTemplate(); + persistChanges(); + } + + /** + * API method to remove templates. + * + *

+ * Example: {@code curl -X POST localhost:8080/role-strategy/strategy/removeTemplates --data "templates=developer,qualits"} + * + * @param names comma separated list of templates to remove + * @param force If templates that are in use should be removed + * @throws IOException in case saving changes fails + */ + @POST + @Restricted(NoExternalUse.class) + public void doRemoveTemplates(@QueryParameter(required = true) String names, + @QueryParameter(required = false) boolean force) throws IOException { + checkAdminPerm(); + String[] split = names.split(","); + for (String templateName : split) { + templateName = templateName.trim(); + PermissionTemplate pt = getPermissionTemplate(templateName); + if (pt != null && (!pt.isUsed() || force)) { + permissionTemplates.remove(templateName); + RoleMap roleMap = getRoleMap(RoleType.Project); + for (Role role : roleMap.getRoles()) { + if (templateName.equals(role.getTemplateName())) { + role.setTemplateName(null); + } + } + } + } + persistChanges(); + } + /** * API method to add a role. * *

Unknown and dangerous permissions are ignored. * + * When specifying a template for an item role, the given permissions are ignored. The named template must exist, + * otherwise the request fails with status 400. + * The template is ignored when adding global or agent roles. + * *

Example: * {@code curl -X POST localhost:8080/role-strategy/strategy/addRole --data "type=globalRoles&roleName=ADM& * permissionIds=hudson.model.Item.Discover,hudson.model.Item.ExtendedRead&overwrite=true"} @@ -406,6 +492,7 @@ private static void checkAdminPerm() { * @param permissionIds Comma separated list of IDs for given roleName * @param overwrite Overwrite existing role * @param pattern Role pattern + * @param template Name of template * @throws IOException In case saving changes fails * @since 2.5.0 */ @@ -415,20 +502,31 @@ public void doAddRole(@QueryParameter(required = true) String type, @QueryParameter(required = true) String roleName, @QueryParameter(required = true) String permissionIds, @QueryParameter(required = true) String overwrite, - @QueryParameter(required = false) String pattern) throws IOException { + @QueryParameter(required = false) String pattern, + @QueryParameter(required = false) String template) throws IOException { checkAdminPerm(); - boolean overwriteb = Boolean.parseBoolean(overwrite); + final boolean overwriteb = Boolean.parseBoolean(overwrite); String pttrn = ".*"; + String templateName = Util.fixEmptyAndTrim(template); if (!type.equals(RoleBasedAuthorizationStrategy.GLOBAL) && pattern != null) { pttrn = pattern; } - List permissionList = Arrays.asList(permissionIds.split(",")); - Set permissionSet = PermissionHelper.fromStrings(permissionList, true); + Role role = new Role(roleName, pttrn, permissionSet); + + if (RoleBasedAuthorizationStrategy.PROJECT.equals(type) && templateName != null) { + if (!hasPermissionTemplate(template)) { + Stapler.getCurrentResponse().sendError(HttpServletResponse.SC_BAD_REQUEST, "A template with name " + template + " doesn't exists."); + return; + } + role.setTemplateName(templateName); + role.refreshPermissionsFromTemplate(getPermissionTemplate(templateName)); + } + RoleType roleType = RoleType.fromString(type); if (overwriteb) { RoleMap roleMap = getRoleMap(roleType); 
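Review bot: `doAddTemplate` stores the template under the raw `name` parameter, while `doRemoveTemplates` trims every name and `doAddRole` runs the template name through `Util.fixEmptyAndTrim`. A template created with surrounding whitespace can therefore not be referenced from a role or removed through the same API. Normalizing first with `String templateName = Util.fixEmptyAndTrim(name);` and answering 400 when the result is null would keep the three endpoints consistent. `doRemoveTemplates` also answers 200 when it skipped an in-use template because `force` was false; reporting the skipped names in the response would let automation notice. The `doAddTemplate` Javadoc has two typos, `with the same will` and `nae`.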
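Review bot: The existence check in `doAddRole` calls `hasPermissionTemplate(template)` with the raw request parameter, although the trimmed `templateName` is what gets stored on the role and passed to `getPermissionTemplate` two lines later. A value such as `" developer "` survives `Util.fixEmptyAndTrim` but fails the lookup, so the request is rejected with 400 for a template that exists. Using the normalized value in both places fixes it: `if (!hasPermissionTemplate(templateName)) {`. The error text should use `templateName` as well and read `doesn't exist`. `doAddRole` continues after the last line of the hunk.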
@@ -709,12 +807,58 @@ public void doUnassignGroupRole(@QueryParameter(required = true) String type, persistChanges(); } + /** + * API method to get the granted permissions of a template and if the template is used. + * + *

+ * Example: {@code curl -XGET 'http://localhost:8080/jenkins/role-strategy/strategy/getTemplate?name=developer'} + * + *

+ * Returns json with granted permissions and assigned sids.
+ * Example: + * + *

{@code
+   *   {
+   *     "permissionIds": {
+   *         "hudson.model.Item.Read":true,
+   *         "hudson.model.Item.Build":true,
+   *         "hudson.model.Item.Cancel":true,
+   *      },
+   *      "isUsed": true
+   *   }
+   * }
+   * 
+ * + */ + @GET + @Restricted(NoExternalUse.class) + public void doGetTemplate(@QueryParameter(required = true) String name) throws IOException { + checkAdminPerm(); + JSONObject responseJson = new JSONObject(); + + PermissionTemplate template = permissionTemplates.get(name); + if (template != null) { + Set permissions = template.getPermissions(); + Map permissionsMap = new HashMap<>(); + for (Permission permission : permissions) { + permissionsMap.put(permission.getId(), permission.getEnabled()); + } + responseJson.put("permissionIds", permissionsMap); + responseJson.put("isUsed", template.isUsed()); + } + Stapler.getCurrentResponse().setContentType("application/json;charset=UTF-8"); + Writer writer = Stapler.getCurrentResponse().getCompressedWriter(Stapler.getCurrentRequest()); + responseJson.write(writer); + writer.close(); + + } + /** * API method to get the granted permissions of a role and the SIDs assigned to it. * *

* Example: {@code curl -XGET 'http://localhost:8080/jenkins/role-strategy/strategy/getRole - * ?type=globalRoles&roleName=admin'} + * ?type=projectRoles&roleName=admin'} * *

* Returns json with granted permissions and assigned sids.
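Review bot: In `doGetTemplate` the writer is closed only on the success path, so an exception thrown by `responseJson.write(writer)` leaves the compressed writer open. `try (Writer writer = Stapler.getCurrentResponse().getCompressedWriter(Stapler.getCurrentRequest())) { responseJson.write(writer); }` closes it in every case. An unknown template name currently yields status 200 with an empty object, while `doAddRole` and `doAddTemplate` in this commit answer 400 for bad names, so a client has to infer a missing template from absent keys. The Javadoc says the response carries assigned sids, but the code writes `permissionIds` and `isUsed`; the sentence should read `Returns json with the granted permissions and whether the template is in use.`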
@@ -723,11 +867,13 @@ public void doUnassignGroupRole(@QueryParameter(required = true) String type, *

{@code
    *   {
    *     "permissionIds": {
-   *         "hudson.model.Hudson.Read":true,
    *         "hudson.model.Item.Read":true,
    *         "hudson.model.Item.Build":true,
+   *         "hudson.model.Item.Cancel":true,
    *      },
    *      "sids": [{"type":"USER","sid":"user1"}, {"type":"USER","sid":"user2"}]
+   *      "pattern": ".*",
+   *      "template": "developers",
    *   }
    * }
    * 
@@ -758,6 +904,9 @@ public void doGetRole(@QueryParameter(required = true) String type, } Map> grantedRoleMap = roleMap.getGrantedRolesEntries(); responseJson.put("sids", grantedRoleMap.get(role)); + if (type.equals(RoleBasedAuthorizationStrategy.PROJECT)) { + responseJson.put("template", role.getTemplateName()); + } } Stapler.getCurrentResponse().setContentType("application/json;charset=UTF-8"); @@ -909,7 +1058,7 @@ public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingC RoleBasedAuthorizationStrategy strategy = (RoleBasedAuthorizationStrategy) source; writer.startNode(PERMISSION_TEMPLATES); - for (PermissionTemplate permissionTemplate : strategy.permissionTemplates) { + for (PermissionTemplate permissionTemplate : strategy.permissionTemplates.values()) { writer.startNode("template"); writer.addAttribute("name", permissionTemplate.getName()); writer.startNode("permissions"); @@ -1192,7 +1341,7 @@ public void doTemplatesSubmit(StaplerRequest req, StaplerResponse rsp) throws Se RoleBasedAuthorizationStrategy strategy = (RoleBasedAuthorizationStrategy) oldStrategy; JSONObject permissionTemplatesJson = json.getJSONObject(PERMISSION_TEMPLATES); - Set permissionTemplates = new TreeSet<>(); + Map permissionTemplates = new TreeMap<>(); for (Map.Entry r : (Set>) permissionTemplatesJson.getJSONObject("data").entrySet()) { String templateName = r.getKey(); @@ -1203,7 +1352,7 @@ public void doTemplatesSubmit(StaplerRequest req, StaplerResponse rsp) throws Se } } PermissionTemplate permissionTemplate = new PermissionTemplate(templateName, permissionStrings); - permissionTemplates.add(permissionTemplate); + permissionTemplates.put(templateName, permissionTemplate); } strategy.permissionTemplates = permissionTemplates; diff --git a/src/test/java/com/michelin/cio/hudson/plugins/rolestrategy/ApiTest.java b/src/test/java/com/michelin/cio/hudson/plugins/rolestrategy/ApiTest.java index 229017b8..91a3bf8d 100644 
--- a/src/test/java/com/michelin/cio/hudson/plugins/rolestrategy/ApiTest.java +++ b/src/test/java/com/michelin/cio/hudson/plugins/rolestrategy/ApiTest.java @@ -1,7 +1,10 @@ package com.michelin.cio.hudson.plugins.rolestrategy; import static org.hamcrest.MatcherAssert.assertThat; +import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.is; +import static org.hamcrest.Matchers.notNullValue; +import static org.hamcrest.Matchers.nullValue; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertNotEquals; @@ -19,6 +22,7 @@ import java.util.Set; import java.util.SortedMap; import jenkins.model.Jenkins; +import net.sf.json.JSONObject; import org.htmlunit.HttpMethod; import org.htmlunit.Page; import org.htmlunit.WebRequest; 
@@ -42,18 +46,25 @@ public class ApiTest { private JenkinsRule.WebClient webClient; private DummySecurityRealm securityRealm; + private RoleBasedAuthorizationStrategy rbas; + @Before public void setUp() throws Exception { // Setting up jenkins configurations securityRealm = jenkinsRule.createDummySecurityRealm(); jenkinsRule.jenkins.setSecurityRealm(securityRealm); - jenkinsRule.jenkins.setAuthorizationStrategy(new RoleBasedAuthorizationStrategy()); + rbas = new RoleBasedAuthorizationStrategy(); + jenkinsRule.jenkins.setAuthorizationStrategy(rbas); jenkinsRule.jenkins.setCrumbIssuer(null); // Adding admin role and assigning adminUser - RoleBasedAuthorizationStrategy.getInstance().doAddRole("globalRoles", "adminRole", - "hudson.model.Hudson.Read,hudson.model.Hudson.Administer,hudson.security.Permission.GenericRead", "false", ""); - RoleBasedAuthorizationStrategy.getInstance().doAssignUserRole("globalRoles", "adminRole", "adminUser"); - webClient = jenkinsRule.createWebClient(); + rbas.doAddRole("globalRoles", "adminRole", + "hudson.model.Hudson.Read,hudson.model.Hudson.Administer,hudson.security.Permission.GenericRead", "false", "", ""); + rbas.doAssignUserRole("globalRoles", "adminRole", "adminUser"); + rbas.doAddTemplate("developer", "hudson.model.Item.Read,hudson.model.Item.Build,hudson.model.Item.Cancel", false); + rbas.doAddRole("projectRoles", "developers", + "", "false", ".*", "developer"); + rbas.doAssignUserRole("globalRoles", "adminRole", "adminUser"); + webClient = jenkinsRule.createWebClient().withThrowExceptionOnFailingStatusCode(false); webClient.login("adminUser", "adminUser"); } 
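Review bot: `rbas.doAssignUserRole("globalRoles", "adminRole", "adminUser");` now appears twice in `setUp`, once before and once after the template and project role are created. The second call looks like a leftover from editing and can be removed. A short comment above the new fixture lines, for example `// Template and project role shared by the template API tests`, would explain why every test now starts with a `developer` template and a `developers` role.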
@@ -88,10 +99,153 @@ public void testAddRole() throws IOException { } @Test - @Issue("JENKINS-61470") + public void testAddRoleWithTemplate() throws IOException { + String roleName = "new-role"; + String pattern = "test-folder.*"; + String template = "developer"; + // Adding role via web request + URL apiUrl = new URL(jenkinsRule.jenkins.getRootUrl() + "role-strategy/strategy/addRole"); + WebRequest request = new WebRequest(apiUrl, HttpMethod.POST); + request.setRequestParameters( + Arrays.asList(new NameValuePair("type", RoleType.Project.getStringType()), + new NameValuePair("roleName", roleName), + new NameValuePair("permissionIds", "hudson.model.Item.Configure,hudson.model.Item.Read"), + new NameValuePair("overwrite", "false"), new NameValuePair("pattern", pattern), + new NameValuePair("template", template))); + Page page = webClient.getPage(request); + assertEquals("Testing if request is successful", HttpURLConnection.HTTP_OK, page.getWebResponse().getStatusCode()); + + // Verifying that the role is in + SortedMap> grantedRoles = rbas.getGrantedRolesEntries(RoleType.Project); + Role role = null; + for (Map.Entry> entry : grantedRoles.entrySet()) { + role = entry.getKey(); + if (role.getName().equals("new-role") && role.getPattern().pattern().equals(pattern) && role.getTemplateName().equals(template)) { + break; + } + role = null; + } + assertThat(role, notNullValue()); + assertThat(role.hasPermission(Item.CONFIGURE), equalTo(false)); + assertThat(role.hasPermission(Item.BUILD), equalTo(true)); + } + + @Test + public void testAddRoleWithMissingTemplate() throws IOException { + String roleName = "new-role"; + String pattern = "test-folder.*"; + String template = "quality"; + // Adding role via web request + URL apiUrl = new URL(jenkinsRule.jenkins.getRootUrl() + "role-strategy/strategy/addRole"); + WebRequest request = new WebRequest(apiUrl, HttpMethod.POST); + request.setRequestParameters( + Arrays.asList(new NameValuePair("type", 
RoleType.Project.getStringType()), new NameValuePair("roleName", roleName), + new NameValuePair("permissionIds", + "hudson.model.Item.Configure,hudson.model.Item.Discover,hudson.model.Item.Build,hudson.model.Item.Read"), + new NameValuePair("overwrite", "false"), new NameValuePair("pattern", pattern), + new NameValuePair("template", template))); + Page page = webClient.getPage(request); + assertEquals("Testing if request failed", HttpURLConnection.HTTP_BAD_REQUEST, page.getWebResponse().getStatusCode()); + } + + @Test + public void testAddTemplate() throws IOException { + String template = "quality"; + // Adding role via web request + URL apiUrl = new URL(jenkinsRule.jenkins.getRootUrl() + "role-strategy/strategy/addTemplate"); + WebRequest request = new WebRequest(apiUrl, HttpMethod.POST); + request.setRequestParameters( + Arrays.asList(new NameValuePair("name", template), + new NameValuePair("permissionIds", + "hudson.model.Item.Read"), + new NameValuePair("overwrite", "false"))); + Page page = webClient.getPage(request); + assertEquals("Testing if request is successful", HttpURLConnection.HTTP_OK, page.getWebResponse().getStatusCode()); + + // Verifying that the role is in + PermissionTemplate pt = rbas.getPermissionTemplate(template); + assertThat(pt, notNullValue()); + assertThat(pt.getName(), equalTo(template)); + assertThat(pt.hasPermission(Item.READ), equalTo(true)); + } + + @Test + public void testAddExistingTemplate() throws IOException { + String template = "developer"; + // Adding role via web request + URL apiUrl = new URL(jenkinsRule.jenkins.getRootUrl() + "role-strategy/strategy/addTemplate"); + WebRequest request = new WebRequest(apiUrl, HttpMethod.POST); + request.setRequestParameters( + Arrays.asList(new NameValuePair("name", template), + new NameValuePair("permissionIds", + "hudson.model.Item.Read"), + new NameValuePair("overwrite", "false"))); + Page page = webClient.getPage(request); + assertEquals("Testing if request is failed", 
HttpURLConnection.HTTP_BAD_REQUEST, page.getWebResponse().getStatusCode()); + } + + @Test + public void testGetTemplate() throws IOException { + String url = jenkinsRule.jenkins.getRootUrl() + "role-strategy/strategy/getTemplate?name=developer"; + URL apiUrl = new URL(url); + WebRequest request = new WebRequest(apiUrl, HttpMethod.GET); + Page page = webClient.getPage(request); + + // Verifying that web request is successful and that the role is found + assertEquals("Testing if request is successful", HttpURLConnection.HTTP_OK, page.getWebResponse().getStatusCode()); + String templateString = page.getWebResponse().getContentAsString(); + JSONObject responseJson = JSONObject.fromObject(templateString); + assertThat(responseJson.get("isUsed"), equalTo(true)); + } + + @Test + public void testRemoveTemplate() throws IOException { + String url = jenkinsRule.jenkins.getRootUrl() + "role-strategy/strategy/removeTemplates"; + rbas.doAddTemplate("quality", "Job/Read,Job/Workspace", false); + rbas.doAddTemplate("unused", "hudson.model.Item.Read", false); + rbas.doAddRole("projectRoles", "qa", + "", "false", ".*", "quality"); + + URL apiUrl = new URL(url); + WebRequest request = new WebRequest(apiUrl, HttpMethod.POST); + request.setRequestParameters( + Arrays.asList(new NameValuePair("names", "unused,quality"), + new NameValuePair("force", + "false"))); + Page page = webClient.getPage(request); + + // Verifying that web request is successful + assertEquals("Testing if request is successful", HttpURLConnection.HTTP_OK, page.getWebResponse().getStatusCode()); + Role role = rbas.getRoleMap(RoleType.Project).getRole("qa"); + assertThat(role.getTemplateName(), is("quality")); + assertThat(role.hasPermission(Item.WORKSPACE), is(true)); + assertThat(rbas.hasPermissionTemplate("unused"), is(false)); + assertThat(rbas.hasPermissionTemplate("quality"), is(true)); + } + + @Test + public void testForceRemoveTemplate() throws IOException { + String url = jenkinsRule.jenkins.getRootUrl() + 
"role-strategy/strategy/removeTemplates"; + URL apiUrl = new URL(url); + WebRequest request = new WebRequest(apiUrl, HttpMethod.POST); + request.setRequestParameters( + Arrays.asList(new NameValuePair("names", "developer,unknown"), + new NameValuePair("force", + "true"))); + Page page = webClient.getPage(request); + + // Verifying that web request is successful + assertEquals("Testing if request is successful", HttpURLConnection.HTTP_OK, page.getWebResponse().getStatusCode()); + Role role = rbas.getRoleMap(RoleType.Project).getRole("developers"); + assertThat(role.getTemplateName(), is(nullValue())); + assertThat(role.hasPermission(Item.BUILD), is(true)); + assertThat(rbas.hasPermissionTemplate("developer"), is(false)); + } + + @Test public void testGetRole() throws IOException { String url = jenkinsRule.jenkins.getRootUrl() + "role-strategy/strategy/getRole?type=" + RoleType.Global.getStringType() - + "&roleName=adminRole"; + + "&roleName=adminRole"; URL apiUrl = new URL(url); WebRequest request = new WebRequest(apiUrl, HttpMethod.GET); Page page = webClient.getPage(request); @@ -124,8 +278,7 @@ public void testAssignRole() throws IOException { assertEquals("Testing if request is successful", HttpURLConnection.HTTP_OK, page.getWebResponse().getStatusCode()); // Verifying that alice is assigned to the role "new-role" - RoleBasedAuthorizationStrategy strategy = RoleBasedAuthorizationStrategy.getInstance(); - SortedMap> roles = strategy.getGrantedRolesEntries(RoleType.Project); + SortedMap> roles = rbas.getGrantedRolesEntries(RoleType.Project); boolean found = false; for (Map.Entry> entry : roles.entrySet()) { Role role = entry.getKey(); 
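Review bot: Every new test calls the template endpoints as `adminUser`; none checks that a user without `Jenkins.ADMINISTER` is refused by `addTemplate`, `removeTemplates` or `getTemplate`. These endpoints change what roles are allowed to do, so one negative test per endpoint would pin the `checkAdminPerm()` guard, for example logging in as a second user from the dummy realm and asserting the expected `HttpURLConnection.HTTP_FORBIDDEN`. The hunk also drops `@Issue("JENKINS-61470")` from `testGetRole`, which looks unintended since that test itself is unchanged apart from indentation.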
@@ -156,8 +309,7 @@ public void testUnassignRole() throws IOException { assertEquals("Testing if request is successful", HttpURLConnection.HTTP_OK, page.getWebResponse().getStatusCode()); // Verifying that alice no longer has permissions - RoleBasedAuthorizationStrategy strategy = RoleBasedAuthorizationStrategy.getInstance(); - SortedMap> roles = strategy.getGrantedRolesEntries(RoleType.Project); + SortedMap> roles = rbas.getGrantedRolesEntries(RoleType.Project); for (Map.Entry> entry : roles.entrySet()) { Role role = entry.getKey(); Set sids = entry.getValue(); @@ -189,8 +341,7 @@ public void testAssignUserRole() throws IOException { assertEquals("Testing if request is successful", HttpURLConnection.HTTP_OK, page.getWebResponse().getStatusCode()); // Verifying that alice is assigned to the role "new-role" - RoleBasedAuthorizationStrategy strategy = RoleBasedAuthorizationStrategy.getInstance(); - SortedMap> roles = strategy.getGrantedRolesEntries(RoleType.Project); + SortedMap> roles = rbas.getGrantedRolesEntries(RoleType.Project); boolean found = false; for (Map.Entry> entry : roles.entrySet()) { Role role = entry.getKey(); @@ -220,8 +371,7 @@ public void testUnassignUserRole() throws IOException { assertEquals("Testing if request is successful", HttpURLConnection.HTTP_OK, page.getWebResponse().getStatusCode()); // Verifying that alice no longer has permissions - RoleBasedAuthorizationStrategy strategy = RoleBasedAuthorizationStrategy.getInstance(); - SortedMap> roles = strategy.getGrantedRolesEntries(RoleType.Project); + SortedMap> roles = rbas.getGrantedRolesEntries(RoleType.Project); for (Map.Entry> entry : roles.entrySet()) { Role role = entry.getKey(); Set sids = entry.getValue(); 
@@ -256,8 +406,7 @@ public void testAssignGroupRole() throws IOException { assertEquals("Testing if request is successful", HttpURLConnection.HTTP_OK, page.getWebResponse().getStatusCode()); // Verifying that alice is assigned to the role "new-role" - RoleBasedAuthorizationStrategy strategy = RoleBasedAuthorizationStrategy.getInstance(); - SortedMap> roles = strategy.getGrantedRolesEntries(RoleType.Project); + SortedMap> roles = rbas.getGrantedRolesEntries(RoleType.Project); boolean found = false; for (Map.Entry> entry : roles.entrySet()) { Role role = entry.getKey(); @@ -288,8 +437,7 @@ public void testUnassignGroupRole() throws IOException { assertEquals("Testing if request is successful", HttpURLConnection.HTTP_OK, page.getWebResponse().getStatusCode()); // Verifying that alice no longer has permissions - RoleBasedAuthorizationStrategy strategy = RoleBasedAuthorizationStrategy.getInstance(); - SortedMap> roles = strategy.getGrantedRolesEntries(RoleType.Project); + SortedMap> roles = rbas.getGrantedRolesEntries(RoleType.Project); for (Map.Entry> entry : roles.entrySet()) { Role role = entry.getKey(); Set sids = entry.getValue(); @@ -317,7 +465,6 @@ public void ignoreDangerousPermissionInAddRole() throws IOException { assertEquals("Testing if request is successful", HttpURLConnection.HTTP_OK, page.getWebResponse().getStatusCode()); // Verifying that the role is in - RoleBasedAuthorizationStrategy rbas = RoleBasedAuthorizationStrategy.getInstance(); assertThat(rbas.getRoleMap(RoleType.Global).getRole(roleName).hasPermission(PluginManager.CONFIGURE_UPDATECENTER), is(false)); assertThat(rbas.getRoleMap(RoleType.Global).getRole(roleName).hasPermission(PluginManager.UPLOAD_PLUGINS), is(false)); assertThat(rbas.getRoleMap(RoleType.Global).getRole(roleName).hasPermission(Jenkins.RUN_SCRIPTS), is(false)); diff --git a/src/test/java/jmh/benchmarks/MaliciousRegexBenchmark.java b/src/test/java/jmh/benchmarks/MaliciousRegexBenchmark.java index e93d2ccb..b06a154b 100644 
--- a/src/test/java/jmh/benchmarks/MaliciousRegexBenchmark.java +++ b/src/test/java/jmh/benchmarks/MaliciousRegexBenchmark.java @@ -38,7 +38,7 @@ public void setup() throws Exception { if (rand.nextBoolean()) { rbas.doAddRole(RoleBasedAuthorizationStrategy.PROJECT, "role" + i, "hudson.model.Item.Discover,hudson.model.Item.Read,hudson.model.Item.Build", "true", - "F(o+)+lder[" + rand.nextInt(10) + rand.nextInt(10) + "]{1,2}"); + "F(o+)+lder[" + rand.nextInt(10) + rand.nextInt(10) + "]{1,2}", ""); } rbas.doAssignRole(RoleBasedAuthorizationStrategy.PROJECT, "role" + i, "user" + i); }