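6 | This allows you to configure things like "Joe can see projects A, B, and C, but cannot see D."
7 | See the help for "Matrix-based security" to learn the basic concepts of matrix-based security.
8 |
9 |
10 | ACLs are additive, so the access rights granted below will affect every project.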
11 |
12 |
--------------------------------------------------------------------------------
/src/main/resources/org/jenkinsci/plugins/matrixauth/inheritance/InheritParentStrategy/config.properties:
--------------------------------------------------------------------------------
1 | blurb = This item will inherit its parent item's permissions (in addition to any permissions granted here). \
2 | If this item is at the top level in Jenkins, it will inherit the global security settings.
3 |
--------------------------------------------------------------------------------
/src/main/resources/hudson/security/ProjectMatrixAuthorizationStrategy/help_ja.html:
--------------------------------------------------------------------------------
1 |
4 | Different security realms have different conventions for group names.
5 | The best way to find out is to log in and see which groups you belong to
6 | by going to this diagnostics page.
7 |
3 | This attribute only exists for compatibility for Configuration as Code YAML files before Matrix Authorization Strategy Plugin 1.4.
4 | Use permissions instead.
5 | Setting both is unsupported and the result undefined.
6 |
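14 | Permissions are additive. That is, if user X is in groups A, B, and C, the user's actual permissions are the union of the permissions granted to X, A, B, C, and the anonymous user.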
15 |
16 |
--------------------------------------------------------------------------------
/src/main/resources/org/jenkinsci/plugins/matrixauth/inheritance/NonInheritingStrategy/config.properties:
--------------------------------------------------------------------------------
1 | blurb = This object will not inherit the global security settings, or any permissions from its ancestors. \
2 | Only permissions explicitly enabled here will be granted. \
3 | To ensure that users are not inadvertently locked out from Jenkins, an exception is made for the Overall/Administer permission: \
4 | Administrators of Jenkins will still have access to this object even if not explicitly granted here.
5 |
--------------------------------------------------------------------------------
/src/main/resources/hudson/security/ProjectMatrixAuthorizationStrategy/help.html:
--------------------------------------------------------------------------------
1 |
2 | This mode is an extension to "Matrix-based security" that allows an additional ACL matrix to be defined
3 | for each project separately (this is done on the job configuration screen).
4 |
5 |
6 | This allows you to say things like "Joe can access project A, B, and C but he can't see D."
7 | See the help of "Matrix-based security" for the concept of matrix-based security in general.
8 |
9 |
10 | ACLs are additive, so the access rights granted below will be effective for all the projects.
11 |
4 | This attribute only exists for compatibility for Configuration as Code YAML files before Matrix Authorization Strategy Plugin 1.4.
5 | Use permissions instead.
6 | Setting both is unsupported and the result undefined.
7 |
4 | A list of strings with the following format: "PermissionGroup/PermissionName:UserOrGroup".
5 | Examples for list entries:
6 |
7 | "Overall/Read:anonymous"
8 | "Job/Build:joe.chin"
9 |
10 |
11 |
--------------------------------------------------------------------------------
/src/main/resources/hudson/security/DangerousMatrixPermissionsAdministrativeMonitor/message.properties:
--------------------------------------------------------------------------------
1 | blurb = Your authorization strategy is currently configured to grant at least one of the permissions that can be used to escalate permissions and execute arbitrary code to users without Overall/Administer permission: \
2 | \
3 | Run Scripts \
4 | Configure Update Center \
5 | Upload Plugins \
6 | \
7 | These permissions will no longer actually be granted to users without Overall/Administer permission for security reasons. \
8 | It is recommended that you remove these permissions, or grant Overall/Administer to affected users or groups:
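
The check this message describes can be run offline against a list of permission entries before it is applied. The following is an added example, not part of the plugin's code: it parses the "PermissionGroup/PermissionName:UserOrGroup" format documented above and reports rows that hold one of the three named permissions without Overall/Administer. The short permission IDs in `DANGEROUS`, the function names and the sample entries are assumptions made for illustration.

```python
from collections import defaultdict

ADMINISTER = "Overall/Administer"
# Assumed short IDs for the three permissions named in the monitor message
# (Run Scripts, Configure Update Center, Upload Plugins).
DANGEROUS = frozenset({
    "Overall/RunScripts",
    "Overall/ConfigureUpdateCenter",
    "Overall/UploadPlugins",
})

# Constructed sample input in the "PermissionGroup/PermissionName:UserOrGroup" format.
SAMPLE_ENTRIES = [
    "Overall/Administer:admin",
    "Overall/RunScripts:admin",
    "Overall/Read:anonymous",
    "Job/Build:joe.chin",
    "Overall/Read:developers",
    "Overall/UploadPlugins:developers",
    "Overall/RunScripts:developers",
]


def parse_entry(entry):
    """Split one list entry into (permission, sid); reject malformed input."""
    permission, colon, sid = entry.strip().partition(":")
    group, slash, name = permission.partition("/")
    if not (colon and slash and group and name and sid):
        raise ValueError(f"malformed permission entry: {entry!r}")
    return permission, sid


def build_matrix(entries):
    """Collect entries into {sid: set of permissions}, one set per matrix row."""
    matrix = defaultdict(set)
    for entry in entries:
        permission, sid = parse_entry(entry)
        matrix[sid].add(permission)
    return dict(matrix)


def dangerous_grants(entries):
    """Return {sid: [dangerous permissions]} for rows that lack Overall/Administer."""
    findings = {}
    for sid, permissions in build_matrix(entries).items():
        if ADMINISTER in permissions:
            continue  # administrators may legitimately hold these permissions
        risky = sorted(permissions & DANGEROUS)
        if risky:
            findings[sid] = risky
    return findings


if __name__ == "__main__":
    for sid, risky in sorted(dangerous_grants(SAMPLE_ENTRIES).items()):
        print(f"{sid}: remove {', '.join(risky)} or grant {ADMINISTER}")
```

The check is per row: a user who receives Overall/Administer only through a group still shows up under their own name, so review findings against group membership.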
--------------------------------------------------------------------------------
/src/main/resources/org/jenkinsci/plugins/matrixauth/AuthorizationMatrixNodeProperty/config.groovy:
--------------------------------------------------------------------------------
package org.jenkinsci.plugins.matrixauth.AuthorizationMatrixNodeProperty

import lib.FormTagLib
import org.jenkinsci.plugins.matrixauth.inheritance.InheritanceStrategyDescriptor

def f = namespace(FormTagLib)
def st = namespace("jelly:stapler")

f.nested {
    table(style: "width: 100%") {
        f.dropdownDescriptorSelector(title: _("Inheritance Strategy"), descriptors: InheritanceStrategyDescriptor.getApplicableDescriptors(my?.class?:hudson.model.Node.class), field: 'inheritanceStrategy')
        st.include(class: "hudson.security.GlobalMatrixAuthorizationStrategy", page: "config")
    }
}

--------------------------------------------------------------------------------
/src/main/resources/hudson/security/ProjectMatrixAuthorizationStrategy/help_de.html:
--------------------------------------------------------------------------------
1 |
2 | This mode extends "Matrix-based security" with an additional ACL permission matrix
3 | that can be defined individually for each project (on the configuration screen of the respective job).
4 |
5 |
6 | This lets you assign permissions such as "Joe may access projects A, B, and C, but he
7 | must not be able to see project D". Read the help text for "Matrix-based security"
8 | to learn more about the concept of matrix-based security in general.
9 |
10 |
11 | ACL permissions are additive. This means that the permissions granted below are considered
12 | granted for all projects.
13 |
2 | In this scheme, you can configure who can do what by using a big table.
3 |
4 |
5 | Each column represents a permission. Hover the mouse over the permission names to get
6 | more information about what they represent.
7 |
8 |
9 | Each row represents a user or a group (often called 'role', depending on the security realm).
10 | This includes a special user 'anonymous', which represents unauthenticated users, as well
11 | as 'authenticated', which represents all authenticated users (in other words, everyone except anonymous users).
12 | Use the text box below the table to add new users/groups/roles to the table, and click the
13 | [x] icon to remove them from the table.
14 |
15 |
16 | Permissions are additive. That is, if a user X is in groups A, B, and C, then
17 | the permissions that this user actually has are the union of all permissions given to
18 | X, A, B, C, and anonymous.
19 |
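
How the additive rule interacts with the two inheritance strategies described earlier on this page is easiest to see in a small model. The following is an added example, not the plugin's implementation: `Item`, `sids_for`, `granted` and `has_permission` are hypothetical names, the matrices are constructed sample data, and the permission name "Job/Read" is assumed alongside the names shown on this page.

```python
ADMINISTER = "Overall/Administer"


class Item:
    """A job or folder with its own matrix and an inheritance strategy (simplified model)."""

    def __init__(self, name, matrix=None, inherit=True, parent=None):
        self.name = name
        self.matrix = matrix or {}  # {sid: set of permissions}
        self.inherit = inherit      # True: inherit from parent, False: non-inheriting
        self.parent = parent        # None means the item is at the top level


def sids_for(user, groups=()):
    """All matrix rows that apply to a user: own name, groups and the special rows."""
    if user == "anonymous":
        return {"anonymous"}
    return {user, *groups, "authenticated", "anonymous"}


def granted(matrix, sids):
    """Permissions are additive: the union over every row that applies."""
    result = set()
    for sid in sids:
        result |= matrix.get(sid, set())
    return result


def has_permission(item, permission, global_matrix, sids):
    """Resolve one permission on an item, walking up while items inherit."""
    if ADMINISTER in granted(global_matrix, sids):
        return True  # exception for administrators: they are never locked out
    node = item
    while node is not None:
        if permission in granted(node.matrix, sids):
            return True
        if not node.inherit:
            return False  # non-inheriting: ancestors and global settings are ignored
        node = node.parent
    # A top-level inheriting item falls back to the global security settings.
    return permission in granted(global_matrix, sids)


# Constructed sample configuration.
GLOBAL_MATRIX = {
    "admin": {ADMINISTER},
    "authenticated": {"Overall/Read", "Job/Read"},
}
PROJECT_A = Item("A", {"joe": {"Job/Build"}})
PROJECT_D_INHERITING = Item("D", {"team-d": {"Job/Read", "Job/Build"}})
PROJECT_D_ISOLATED = Item("D", {"team-d": {"Job/Read", "Job/Build"}}, inherit=False)
FOLDER = Item("team", {"developers": {"Job/Read"}}, inherit=False)
NESTED_JOB = Item("team/app", parent=FOLDER)

if __name__ == "__main__":
    joe = sids_for("joe", ["developers"])
    for item in (PROJECT_A, PROJECT_D_INHERITING, PROJECT_D_ISOLATED, NESTED_JOB):
        visible = has_permission(item, "Job/Read", GLOBAL_MATRIX, joe)
        print(f"joe Job/Read on {item.name} (inherit={item.inherit}): {visible}")
```

With Job/Read granted globally to 'authenticated', Joe can read project D as long as D inherits; hiding D requires the non-inheriting strategy on D or removing the global grant.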
2 |
3 | In this mode you can explicitly specify the permitted operations using a permission matrix.
4 |
5 |
6 | Each column represents a permission. Hover the mouse cursor over the permission name
7 | to get more information about its purpose.
8 |
9 |
10 | Each row represents a user or a group (usually called a "role", depending on
11 | the security module in use). The list also includes the special
12 | user Anonymous, which represents an unauthenticated user.
13 | To add a new user/group/role to the table, use the input field below the table.
14 | To remove a user/group/role, click the [x] button in the right-hand column.
15 |
16 |
17 | Permissions are additive: if user X is a member of groups A, B, and C, then
18 | the user's actual permissions are the union of all permissions granted specifically to the user,
19 | to groups A, B, and C, and to the anonymous user.
20 |
2 | In this table you can specify who is permitted to perform which actions.
3 |
4 | Each column corresponds to a permission. Move the mouse over the
5 | permission names to get more information about what they
6 | mean.
7 |
8 | Each row corresponds to a user or a user group (often also called a "role",
9 | depending on the user directory). The rows also include
10 | the special users 'anonymous' and 'authenticated', which
11 | represent users who are not logged in and users who are logged in, respectively.
12 |
13 | Use the text box below to add new users/groups/roles to the table,
14 | and click the [x] icon to remove them from the
15 | table again.
16 |
17 | Permissions are additive. This means that a user X who is a member
18 | of groups A, B, and C has the union of all permissions
19 | granted to X, A, B, C, and the user 'anonymous'.
20 |
2 |
3 | In this scheme, you can configure who can do what using a big table.
4 |
5 |
6 | Each column represents a permission. Hover the mouse over the permission names to
7 | get more information about what they represent.
8 |
9 |
10 | Each row represents a user or group (often called a 'role',
11 | depending on the security realm).
12 | This includes a special user called 'anonymous', which represents unauthenticated users.
13 | Use the text box below the table to add new users/groups/roles to the table, and click
14 | the [x] icon to remove them from the table.
15 |
16 |
17 | Permissions are cumulative. That is, if a user X is in groups A, B, and C, then
18 | the permissions this user actually has are the union of all permissions given to
19 | X, A, B, C, and anonymous.
20 |
2 |
3 | In this scheme, you can use the table to determine who can do what.
4 |
5 |
6 | Each column represents a permission. Hover the mouse over the permission names
7 | to get more information.
8 |
9 |
10 | Each row represents a user or a group (which may also be called a "role", depending on the
11 | security realm). These rows also include the anonymous user, which represents
12 | unauthenticated users. Use the text box below to add users/groups/roles to the table, and
13 | click the [x] icon to remove them.
14 |
15 |
16 | Authorization is computed as the union of the permissions of the user and of the groups the user belongs to.
17 | That is, if user X is a member of groups A, B, and C, the user's permissions are the union of the
18 | permissions granted to X, A, B, C, and the anonymous user.
19 |
2 |
3 | This option lets you configure who does what in a big table.
4 |
5 |
6 | Each column represents a permission. Move the mouse over
7 | the name of a permission to get more information about
8 | what it represents.
9 |
10 |
11 | Each row represents a user or a group (often called a
12 | 'role', depending on the security realm).
13 | It includes a special user 'anonymous', which represents
14 | unauthenticated users, as well as a user 'authenticated',
15 | which represents authenticated users (that is, everyone
16 | except anonymous users).
17 | Use the text box below the table to add new
18 | users/groups/roles to the table, and click the [x]
19 | icon to remove them.
20 |
21 |
22 | Permissions are additive. In other words, if a
23 | user X is in groups A, B, and C, then the
24 | permissions associated with that user are the union of all
25 | permissions granted to X, A, B, C, and anonymous.
26 |
--------------------------------------------------------------------------------
/src/main/resources/org/jenkinsci/plugins/matrixauth/Messages_tr.properties:
--------------------------------------------------------------------------------
1 | # The MIT License
2 | #
3 | # Copyright 2013 Jesse Glick.
4 | #
5 | # Permission is hereby granted, free of charge, to any person obtaining a copy
6 | # of this software and associated documentation files (the "Software"), to deal
7 | # in the Software without restriction, including without limitation the rights
8 | # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | # copies of the Software, and to permit persons to whom the Software is
10 | # furnished to do so, subject to the following conditions:
11 | #
12 | # The above copyright notice and this permission notice shall be included in
13 | # all copies or substantial portions of the Software.
14 | #
15 | # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
21 | # THE SOFTWARE.
22 |
23 | GlobalMatrixAuthorizationStrategy.DisplayName=Matris-temelli G\u00fcvenlik
24 |
--------------------------------------------------------------------------------
/src/main/resources/org/jenkinsci/plugins/matrixauth/Messages_nl.properties:
--------------------------------------------------------------------------------
1 | # The MIT License
2 | #
3 | # Copyright 2013 Jesse Glick.
22 |
23 | GlobalMatrixAuthorizationStrategy.DisplayName=Matrix-gebaseerde beveiliging
24 |
--------------------------------------------------------------------------------
/src/main/resources/hudson/security/GlobalMatrixAuthorizationStrategy/config_nb_NO.properties:
--------------------------------------------------------------------------------
1 | # The MIT License
2 | #
3 | # Copyright (c) 2004-2010, Sun Microsystems, Inc.
22 |
23 | Anonymous=Anonym
24 | User/group=Bruker/gruppe
25 |
--------------------------------------------------------------------------------
/src/main/resources/org/jenkinsci/plugins/matrixauth/Messages_pt_BR.properties:
--------------------------------------------------------------------------------
1 | # The MIT License
2 | #
3 | # Copyright 2013 Jesse Glick.
22 |
23 | GlobalMatrixAuthorizationStrategy.DisplayName=Seguran\u00e7a baseada em matriz
24 |
--------------------------------------------------------------------------------
/src/main/resources/hudson/security/AuthorizationMatrixProperty/config_es.properties:
--------------------------------------------------------------------------------
1 | # The MIT License
2 | #
3 | # Copyright (c) 2004-2010, Sun Microsystems, Inc.
22 |
23 | Enable\ project-based\ security=Habilitar seguridad en el projecto
24 |
--------------------------------------------------------------------------------
/src/main/resources/hudson/security/GlobalMatrixAuthorizationStrategy/config_fi.properties:
--------------------------------------------------------------------------------
1 | # The MIT License
2 | #
3 | # Copyright (c) 2004-2010, Sun Microsystems, Inc.
22 |
23 | Remove\ user/group=Poista k\u00E4ytt\u00E4j\u00E4/ryhm\u00E4
24 |
--------------------------------------------------------------------------------
/src/main/resources/hudson/security/GlobalMatrixAuthorizationStrategy/config_tr.properties:
--------------------------------------------------------------------------------
1 | # The MIT License
2 | #
3 | # Copyright (c) 2004-2009, Sun Microsystems, Inc., Kohsuke Kawaguchi, Oguz Dag
22 |
23 | User/group=Kullan\u0131c\u0131/grup
24 | Anonymous=Bilinmeyen
25 |
--------------------------------------------------------------------------------
/src/test/resources/org/jenkinsci/plugins/matrixauth/integrations/casc/ExportTest/nodes/agent1/config.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | agent1
4 | 1
5 | NORMAL
6 |
7 |
8 |
9 | false
10 | remoting
11 | false
12 |
13 |
14 |
15 |
16 |
17 |
18 | hudson.model.Computer.Build:anonymous
19 | hudson.model.Computer.Build:authenticated
20 | hudson.model.Computer.Configure:authenticated
21 | hudson.model.Computer.Connect:authenticated
22 | hudson.model.Computer.Delete:authenticated
23 | hudson.model.Computer.Disconnect:authenticated
24 |
25 |
26 |
--------------------------------------------------------------------------------
/src/main/resources/hudson/security/GlobalMatrixAuthorizationStrategy/config_es.properties:
--------------------------------------------------------------------------------
1 | # The MIT License
2 | #
3 | # Copyright (c) 2004-2010, Sun Microsystems, Inc.
22 |
23 | User/group=Usuario/Grupo
24 | Remove\ user/group=Borrar usuario/grupo
25 | Toggle\ all=Cambiar todo
26 |
--------------------------------------------------------------------------------
/src/main/resources/hudson/security/AuthorizationMatrixProperty/config_da.properties:
--------------------------------------------------------------------------------
1 | # The MIT License
2 | #
3 | # Copyright (c) 2004-2010, Sun Microsystems, Inc. Kohsuke Kawaguchi. Knud Poulsen.
22 |
23 | Enable\ project-based\ security=Sl\u00e5 projektbaseret adgangskontrol til
24 |
--------------------------------------------------------------------------------
/src/main/resources/hudson/security/AuthorizationMatrixProperty/config_zh_TW.properties:
--------------------------------------------------------------------------------
1 | # The MIT License
2 | #
3 | # Copyright (c) 2013, Chunghwa Telecom Co., Ltd., Pei-Tang Huang
22 |
23 | Enable\ project-based\ security=\u555f\u7528\u5c08\u6848\u578b\u5b89\u5168\u6027\u8a2d\u5b9a
24 |
--------------------------------------------------------------------------------
/src/main/resources/org/jenkinsci/plugins/matrixauth/inheritance/InheritanceStrategy/config.jelly:
--------------------------------------------------------------------------------
1 |
24 |
25 |
26 |
27 |
28 |
29 |
--------------------------------------------------------------------------------
/src/test/resources/org/jenkinsci/plugins/matrixauth/inheritance/InheritanceMigrationTest/users/bob/config.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | Bob
4 |
5 |
6 | {AQAAABAAAAAwjQ/AtGDcImIkLDhq69pgnztzZq5jDwcRsZjwRnH+M/GunPrOxaLbCjBU1Xn1fRq1FHbmZXZV6klo0181L8HnSg==}
7 |
8 |
9 |
10 |
11 |
12 | all
13 | false
14 | false
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 | true
24 |
25 |
26 | #jbcrypt:$2a$10$Q/.u9U7mphJ4q6Mfifa.Oufm6w4iUCs5TRHVLY/1m..kAqw0qGn.O
27 |
28 |
29 |
--------------------------------------------------------------------------------
/src/test/java/org/jenkinsci/plugins/matrixauth/Jenkins57313Test.java:
--------------------------------------------------------------------------------
package org.jenkinsci.plugins.matrixauth;

import com.gargoylesoftware.htmlunit.html.HtmlPage;
import hudson.security.GlobalMatrixAuthorizationStrategy;
import jenkins.model.Jenkins;
import org.junit.Assert;
import org.junit.Rule;
import org.junit.Test;
import org.jvnet.hudson.test.Issue;
import org.jvnet.hudson.test.JenkinsRule;

public class Jenkins57313Test {
    @Rule
    public JenkinsRule j = new JenkinsRule();

    @Test
    @Issue("JENKINS-57313")
    public void testFormValidation() throws Exception {
        // Test-only setup: a dummy security realm, with Overall/Administer granted to
        // anonymous so the unauthenticated web client can reach the validation endpoint.
        j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
        GlobalMatrixAuthorizationStrategy authorizationStrategy = new GlobalMatrixAuthorizationStrategy();
        authorizationStrategy.add(Jenkins.ADMINISTER, "anonymous");
        j.jenkins.setAuthorizationStrategy(authorizationStrategy);

        // Request form validation for the bracketed value "[alice]".
        HtmlPage page = j.createWebClient().goTo(authorizationStrategy.getDescriptor().getDescriptorUrl() + "/checkName?value=[alice]");

        // Expect HTTP 200 and a response that names alice and references the person.png icon.
        Assert.assertEquals(200, page.getWebResponse().getStatusCode());
        String responseText = page.getWebResponse().getContentAsString();
        Assert.assertTrue(responseText.contains("alice"));
        Assert.assertTrue(responseText.contains("person.png"));
    }
}

--------------------------------------------------------------------------------
/src/test/resources/org/jenkinsci/plugins/matrixauth/inheritance/InheritanceMigrationTest/users/admin/config.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | admin
4 |
5 |
6 | {AQAAABAAAAAwGlr2GmbKMnWJDyTmXdB/J1yPDUj/A8tAFk8Sl7g7ZZIdEzMcatUYTgFQx2DqaKpGkQEV3V9vvLcGRIFkKLcbHg==}
7 |
8 |
9 |
10 |
11 |
12 | all
13 | false
14 | false
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 | true
24 |
25 |
26 | #jbcrypt:$2a$10$8ikKOpe48MnWcKt4nIct6eY.DKVQhRqrlYx.fa.Mt7Ya1X9tFxMtS
27 |
28 |
29 |
--------------------------------------------------------------------------------
/src/test/resources/org/jenkinsci/plugins/matrixauth/inheritance/InheritanceMigrationTest/users/alice/config.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | Alice
4 |
5 |
6 | {AQAAABAAAAAw++0Gifydu+kMl6DwWZxMyXeka/KVmOYbv6ljP7ljepmP4r7Q2oa04Z5Wp7WaOTEKxPfEgg2/v3ALLHn6J9SDKw==}
7 |
8 |
9 |
10 |
11 |
12 | all
13 | false
14 | false
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 | true
24 |
25 |
26 | #jbcrypt:$2a$10$gcruH6YoDS/Sr0Yd9uSDdeqqZ9GidPEBPCKdzWCpDsdrNbQJwTAwC
27 |
28 |
29 |
--------------------------------------------------------------------------------
/src/main/resources/hudson/security/AuthorizationMatrixProperty/config_tr.properties:
--------------------------------------------------------------------------------
1 | # The MIT License
2 | #
3 | # Copyright (c) 2004-2009, Sun Microsystems, Inc., Kohsuke Kawaguchi, Oguz Dag
22 |
23 | Enable\ project-based\ security=Proje tabanl\u0131 g\u00fcvenlik ayarlar\u0131n\u0131 devreye al
24 |
--------------------------------------------------------------------------------
/src/main/resources/hudson/security/GlobalMatrixAuthorizationStrategy/config_da.properties:
--------------------------------------------------------------------------------
1 | # The MIT License
2 | #
3 | # Copyright (c) 2004-2010, Sun Microsystems, Inc. Kohsuke Kawaguchi. Knud Poulsen.
22 |
23 | Anonymous=Anonym
24 | Remove\ user/group=Fjern user/gruppe
25 | User/group=Bruger/gruppe
26 |
--------------------------------------------------------------------------------
/src/main/resources/hudson/security/GlobalMatrixAuthorizationStrategy/config_pt_BR.properties:
--------------------------------------------------------------------------------
1 | # The MIT License
2 | #
3 | # Copyright (c) 2004-2009, Sun Microsystems, Inc., Kohsuke Kawaguchi, Reginaldo L. Russinholi, Cleiber Silva
22 |
23 | User/group=Usu\u00E1rios/Grupo
24 | Anonymous=An\u00f4nimo
25 |
--------------------------------------------------------------------------------
/src/main/resources/org/jenkinsci/plugins/matrixauth/Messages_da.properties:
--------------------------------------------------------------------------------
1 | # The MIT License
2 | #
3 | # Copyright 2013 Jesse Glick.
22 |
23 | ProjectMatrixAuthorizationStrategy.DisplayName=Projektbaseret matriceauthentificering
24 | GlobalMatrixAuthorizationStrategy.DisplayName=Matricebaseret sikkerhed
25 |
--------------------------------------------------------------------------------
/src/main/resources/hudson/security/GlobalMatrixAuthorizationStrategy/config_nl.properties:
--------------------------------------------------------------------------------
1 | # The MIT License
2 | #
3 | # Copyright (c) 2004-2009, Sun Microsystems, Inc., Kohsuke Kawaguchi, id:sorokh
22 |
23 | Remove\ user/group=Verwijder gebruiker/groep
24 | User/group=Gebruiker/groep
25 | Anonymous=Anoniem
26 |
--------------------------------------------------------------------------------
/src/main/resources/org/jenkinsci/plugins/matrixauth/Messages_de.properties:
--------------------------------------------------------------------------------
1 | # The MIT License
2 | #
3 | # Copyright 2013 Jesse Glick.
22 |
23 | GlobalMatrixAuthorizationStrategy.DisplayName=Matrix-basierte Sicherheit
24 | ProjectMatrixAuthorizationStrategy.DisplayName=Projektbasierte Matrix-Zugriffssteuerung
25 |
--------------------------------------------------------------------------------
/src/main/resources/hudson/security/AuthorizationMatrixProperty/config_pt_BR.properties:
--------------------------------------------------------------------------------
1 | # The MIT License
2 | #
3 | # Copyright (c) 2004-2009, Sun Microsystems, Inc., Kohsuke Kawaguchi, Reginaldo L. Russinholi, Cleiber Silva
22 |
23 | Enable\ project-based\ security=Habilitar seguran\u00e7a baseada em projeto
24 |
--------------------------------------------------------------------------------
/src/main/resources/org/jenkinsci/plugins/matrixauth/Messages_es.properties:
--------------------------------------------------------------------------------
1 | # The MIT License
2 | #
3 | # Copyright 2013 Jesse Glick.
22 |
23 | GlobalMatrixAuthorizationStrategy.DisplayName=Configuraci\u00f3n de seguridad
24 | ProjectMatrixAuthorizationStrategy.DisplayName=Estrategia de seguridad para el proyecto
25 |
--------------------------------------------------------------------------------
/src/main/resources/org/jenkinsci/plugins/matrixauth/Messages_zh_CN.properties:
--------------------------------------------------------------------------------
1 | # The MIT License
2 | #
3 | # Copyright 2013 Jesse Glick.
22 |
23 | GlobalMatrixAuthorizationStrategy.DisplayName=\u5b89\u5168\u77e9\u9635
24 | ProjectMatrixAuthorizationStrategy.DisplayName=\u9879\u76ee\u77e9\u9635\u6388\u6743\u7b56\u7565
25 |
--------------------------------------------------------------------------------
/src/main/resources/hudson/security/GlobalMatrixAuthorizationStrategy/config_sv_SE.properties:
--------------------------------------------------------------------------------
1 | # The MIT License
2 | #
3 | # Copyright (c) 2004-2010, Sun Microsystems, Inc.
22 |
23 | Anonymous=Anonym
24 | Remove\ user/group=Ta bort anv\u00E4ndare/grupp
25 | Toggle\ all=V\u00E4xla alla
26 | User/group=Anv\u00E4ndare/grupp
27 |
--------------------------------------------------------------------------------
/src/main/resources/hudson/security/GlobalMatrixAuthorizationStrategy/config_fr.properties:
--------------------------------------------------------------------------------
1 | # The MIT License
2 | #
3 | # Copyright (c) 2004-2009, Sun Microsystems, Inc., Kohsuke Kawaguchi, Eric Lefevre-Ardant
22 |
23 | Remove\ user/group=Supprimer utilisateur/groupe
24 | User/group=Utilisateur/groupe
25 | Anonymous=Anonyme
26 |
--------------------------------------------------------------------------------
/src/main/resources/org/jenkinsci/plugins/matrixauth/Messages_zh_TW.properties:
--------------------------------------------------------------------------------
1 | # The MIT License
2 | #
3 | # Copyright 2013 Jesse Glick.
22 |
23 | GlobalMatrixAuthorizationStrategy.DisplayName=\u77e9\u9663\u578b\u5b89\u5168\u6027
24 | ProjectMatrixAuthorizationStrategy.DisplayName=\u5c08\u6848\u578b\u77e9\u9663\u6388\u6b0a\u7b56\u7565
25 |
--------------------------------------------------------------------------------
/src/main/resources/org/jenkinsci/plugins/matrixauth/inheritance/InheritGlobalStrategy/config.jelly:
--------------------------------------------------------------------------------
1 |
24 |
25 |
26 |
27 | ${%blurb(rootURL)}
28 |
29 |
--------------------------------------------------------------------------------
/src/main/resources/org/jenkinsci/plugins/matrixauth/inheritance/InheritParentStrategy/config.jelly:
--------------------------------------------------------------------------------
1 |
24 |
25 |
26 |
27 | ${%blurb(rootURL)}
28 |
29 |
--------------------------------------------------------------------------------
/src/main/resources/org/jenkinsci/plugins/matrixauth/inheritance/NonInheritingStrategy/config.jelly:
--------------------------------------------------------------------------------
1 |
24 |
25 |
26 |
27 | ${%blurb(rootURL)}
28 |
29 |
--------------------------------------------------------------------------------
/src/main/resources/hudson/security/AuthorizationMatrixProperty/config_ja.properties:
--------------------------------------------------------------------------------
1 | # The MIT License
2 | #
3 | # Copyright (c) 2004-2010, Sun Microsystems, Inc., Kohsuke Kawaguchi, Seiji Sogabe
22 |
23 | Enable\ project-based\ security=\u6A29\u9650\u8A2D\u5B9A(\u30D7\u30ED\u30B8\u30A7\u30AF\u30C8\u5358\u4F4D)\u306E\u6709\u52B9\u5316
24 |
--------------------------------------------------------------------------------
/src/main/resources/org/jenkinsci/plugins/matrixauth/Messages_ru.properties:
--------------------------------------------------------------------------------
1 | # The MIT License
2 | #
3 | # Copyright 2013 Jesse Glick.
22 |
23 | GlobalMatrixAuthorizationStrategy.DisplayName=\u041c\u0430\u0442\u0440\u0438\u0447\u043d\u043e\u0435 \u0440\u0430\u0441\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u0430\u0432
24 |
--------------------------------------------------------------------------------
/src/main/resources/hudson/security/GlobalMatrixAuthorizationStrategy/config_de.properties:
--------------------------------------------------------------------------------
1 | # The MIT License
2 | #
3 | # Copyright (c) 2004-2009, Sun Microsystems, Inc., Kohsuke Kawaguchi, Simon Wiest
22 |
23 | Remove\ user/group=Nutzer/Gruppe entfernen
24 | Toggle\ all=Alles ausw\u00E4hlen
25 | User/group=Benutzer/Gruppe
26 | Anonymous=Anonym
27 |
--------------------------------------------------------------------------------
/src/main/resources/hudson/security/GlobalMatrixAuthorizationStrategy/config_zh_CN.properties:
--------------------------------------------------------------------------------
1 | # The MIT License
2 | #
3 | # Copyright (c) 2004-2010, Sun Microsystems, Inc.
22 |
23 | Remove\ user/group=\u79FB\u9664\u7528\u6237/\u7EC4
24 | Toggle\ all=\u5C55\u5F00\u5168\u90E8
25 | User/group=\u7528\u6237/\u7ec4
26 | Anonymous=\u533f\u540d\u7528\u6237
27 |
--------------------------------------------------------------------------------
/src/main/resources/org/jenkinsci/plugins/matrixauth/Messages_fr.properties:
--------------------------------------------------------------------------------
1 | # The MIT License
2 | #
3 | # Copyright 2013 Jesse Glick.
22 |
23 | GlobalMatrixAuthorizationStrategy.DisplayName=S\u00e9curit\u00e9 bas\u00e9e sur une matrice
24 | ProjectMatrixAuthorizationStrategy.DisplayName=Strat\u00e9gie d''authorisation matricielle bas\u00e9e sur les projets
25 |
--------------------------------------------------------------------------------
/src/main/resources/org/jenkinsci/plugins/matrixauth/Messages_ja.properties:
--------------------------------------------------------------------------------
1 | # The MIT License
2 | #
3 | # Copyright 2013 Jesse Glick.
22 |
23 | GlobalMatrixAuthorizationStrategy.DisplayName=\u884c\u5217\u306b\u3088\u308b\u6a29\u9650\u8a2d\u5b9a
24 | ProjectMatrixAuthorizationStrategy.DisplayName=\u884c\u5217\u306b\u3088\u308b\u6a29\u9650\u8a2d\u5b9a(\u30d7\u30ed\u30b8\u30a7\u30af\u30c8\u5358\u4f4d)
25 |
--------------------------------------------------------------------------------
/src/main/resources/hudson/security/GlobalMatrixAuthorizationStrategy/config_zh_TW.properties:
--------------------------------------------------------------------------------
1 | # The MIT License
2 | #
3 | # Copyright (c) 2004-2013, Sun Microsystems, Inc., Chunghwa Telecom Co., Ltd.,
4 | # and Pei-Tang Huang
23 |
24 | Toggle\ all=\u53cd\u5411\u9078\u53d6
25 | Remove\ user/group=\u79fb\u9664\u4f7f\u7528\u8005\u6216\u7fa4\u7d44
26 |
27 | User/group=\u4f7f\u7528\u8005\u6216\u7fa4\u7d44
28 | Anonymous=\u533f\u540d\u4f7f\u7528\u8005
29 |
--------------------------------------------------------------------------------
/src/main/resources/hudson/security/GlobalMatrixAuthorizationStrategy/config_ja.properties:
--------------------------------------------------------------------------------
1 | # The MIT License
2 | #
3 | # Copyright (c) 2004-2012, Sun Microsystems, Inc., Kohsuke Kawaguchi, Seiji Sogabe
4 | #
5 | # Permission is hereby granted, free of charge, to any person obtaining a copy
6 | # of this software and associated documentation files (the "Software"), to deal
7 | # in the Software without restriction, including without limitation the rights
8 | # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | # copies of the Software, and to permit persons to whom the Software is
10 | # furnished to do so, subject to the following conditions:
11 | #
12 | # The above copyright notice and this permission notice shall be included in
13 | # all copies or substantial portions of the Software.
14 | #
15 | # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
21 | # THE SOFTWARE.
22 |
23 | Anonymous=\u533f\u540d\u30e6\u30fc\u30b6\u30fc
24 | User/group=\u30e6\u30fc\u30b6\u30fc/\u30b0\u30eb\u30fc\u30d7
25 |
26 | Toggle\ all=\u3059\u3079\u3066\u53cd\u8ee2
27 | Remove\ user/group=\u30e6\u30fc\u30b6/\u30b0\u30eb\u30fc\u30d7\u3092\u524a\u9664
28 |
--------------------------------------------------------------------------------
/src/test/resources/org/jenkinsci/plugins/matrixauth/integrations/casc/legacy-format.yml:
--------------------------------------------------------------------------------
1 | jenkins:
2 |   authorizationStrategy:
3 |     projectMatrix:
4 |       grantedPermissions:
5 |         - "Agent/Build:authenticated"
6 |         - "Agent/Configure:authenticated"
7 |         - "Agent/Connect:authenticated"
8 |         - "Agent/Create:authenticated"
9 |         - "Agent/Delete:authenticated"
10 |         - "Agent/Disconnect:authenticated"
11 |         - "Credentials/Create:authenticated"
12 |         - "Credentials/Delete:authenticated"
13 |         - "Credentials/ManageDomains:authenticated"
14 |         - "Credentials/Update:authenticated"
15 |         - "Credentials/View:authenticated"
16 |         - "Job/Build:authenticated"
17 |         - "Job/Cancel:authenticated"
18 |         - "Job/Configure:authenticated"
19 |         - "Job/Create:authenticated"
20 |         - "Job/Delete:authenticated"
21 |         - "Job/Discover:authenticated"
22 |         - "Job/Move:authenticated"
23 |         - "Job/Read:authenticated"
24 |         - "Job/Workspace:authenticated"
25 |         - "Overall/Read:anonymous"
26 |         - "Overall/Administer:authenticated"
27 |         - "Overall/Read:authenticated"
28 |         - "Run/Delete:authenticated"
29 |         - "Run/Replay:authenticated"
30 |         - "Run/Update:authenticated"
31 |         - "View/Configure:authenticated"
32 |         - "View/Create:authenticated"
33 |         - "View/Delete:authenticated"
34 |         - "View/Read:authenticated"
35 |   securityRealm:
36 |     local:
37 |       allowsSignup: true
38 |       enableCaptcha: false
39 |
--------------------------------------------------------------------------------
/src/main/java/org/jenkinsci/plugins/matrixauth/integrations/casc/GlobalMatrixAuthorizationStrategyConfigurator.java:
--------------------------------------------------------------------------------
1 | package org.jenkinsci.plugins.matrixauth.integrations.casc;
2 |
3 | import hudson.Extension;
4 | import hudson.security.GlobalMatrixAuthorizationStrategy;
5 | import io.jenkins.plugins.casc.ConfigurationContext;
6 | import io.jenkins.plugins.casc.model.CNode;
7 | import io.jenkins.plugins.casc.model.Mapping;
8 | import org.kohsuke.accmod.Restricted;
9 | import org.kohsuke.accmod.restrictions.NoExternalUse;
10 |
11 | import javax.annotation.CheckForNull;
12 | import javax.annotation.Nonnull;
13 |
14 | @Extension(optional = true, ordinal = 2)
15 | @Restricted(NoExternalUse.class)
16 | public class GlobalMatrixAuthorizationStrategyConfigurator extends MatrixAuthorizationStrategyConfigurator<GlobalMatrixAuthorizationStrategy> {
17 |
18 | @Override
19 | @Nonnull
20 | public String getName() {
21 | return "globalMatrix";
22 | }
23 |
24 | @Override
25 | public Class<GlobalMatrixAuthorizationStrategy> getTarget() {
26 | return GlobalMatrixAuthorizationStrategy.class;
27 | }
28 |
29 | @Override
30 | public GlobalMatrixAuthorizationStrategy instance(Mapping mapping, ConfigurationContext context) {
31 | return new GlobalMatrixAuthorizationStrategy();
32 | }
33 |
34 | @CheckForNull
35 | @Override
36 | public CNode describe(GlobalMatrixAuthorizationStrategy instance, ConfigurationContext context) throws Exception {
37 | return compare(instance, new GlobalMatrixAuthorizationStrategy(), context);
38 | }
39 | }
40 |
--------------------------------------------------------------------------------
/src/main/java/org/jenkinsci/plugins/matrixauth/integrations/casc/ProjectMatrixAuthorizationStrategyConfigurator.java:
--------------------------------------------------------------------------------
1 | package org.jenkinsci.plugins.matrixauth.integrations.casc;
2 |
3 | import hudson.Extension;
4 | import hudson.security.ProjectMatrixAuthorizationStrategy;
5 | import io.jenkins.plugins.casc.ConfigurationContext;
6 | import io.jenkins.plugins.casc.model.CNode;
7 | import io.jenkins.plugins.casc.model.Mapping;
8 | import org.kohsuke.accmod.Restricted;
9 | import org.kohsuke.accmod.restrictions.NoExternalUse;
10 |
11 | import javax.annotation.CheckForNull;
12 | import javax.annotation.Nonnull;
13 |
14 | @Extension(optional = true, ordinal = 2)
15 | @Restricted(NoExternalUse.class)
16 | public class ProjectMatrixAuthorizationStrategyConfigurator extends MatrixAuthorizationStrategyConfigurator<ProjectMatrixAuthorizationStrategy> {
17 |
18 | @Override
19 | @Nonnull
20 | public String getName() {
21 | return "projectMatrix";
22 | }
23 |
24 | @Override
25 | public Class<ProjectMatrixAuthorizationStrategy> getTarget() {
26 | return ProjectMatrixAuthorizationStrategy.class;
27 | }
28 |
29 | @Override
30 | public ProjectMatrixAuthorizationStrategy instance(Mapping mapping, ConfigurationContext context) {
31 | return new ProjectMatrixAuthorizationStrategy();
32 | }
33 |
34 | @CheckForNull
35 | @Override
36 | public CNode describe(ProjectMatrixAuthorizationStrategy instance, ConfigurationContext context) throws Exception {
37 | return compare(instance, new ProjectMatrixAuthorizationStrategy(), context);
38 | }
39 |
40 | }
41 |
--------------------------------------------------------------------------------
/src/test/resources/hudson/security/ProjectMatrixAuthorizationStrategyTest/loadEmptyAuthorizationStrategy/config.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | 1.0
5 | 2
6 | NORMAL
7 | true
8 |
9 |
10 | false
11 |
12 | ${JENKINS_HOME}/workspace/${ITEM_FULLNAME}
13 | ${ITEM_ROOTDIR}/builds
14 |
15 |
16 |
17 |
18 |
19 | 0
20 |
21 |
22 |
23 | all
24 | false
25 | false
26 |
27 |
28 |
29 | all
30 | 0
31 |
32 |
33 |
34 |
--------------------------------------------------------------------------------
/src/test/resources/org/jenkinsci/plugins/matrixauth/inheritance/InheritanceMigrationTest/jobs/folder/config.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 | true
8 | hudson.model.Item.Read:admin
9 | hudson.model.Item.Create:admin
10 | hudson.model.Item.Configure:admin
11 |
12 |
13 |
14 |
15 |
16 |
17 | All
18 | false
19 | false
20 |
21 |
22 |
23 |
24 |
25 |
26 |
27 | false
28 |
29 |
30 |
31 |
--------------------------------------------------------------------------------
/src/test/resources/org/jenkinsci/plugins/matrixauth/inheritance/InheritanceMigrationTest/jobs/folder1/config.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 | true
8 | hudson.model.Item.Configure:alice
9 | hudson.model.Item.Configure:admin
10 | hudson.model.Item.Read:alice
11 |
12 |
13 |
14 |
15 |
16 |
17 | All
18 | false
19 | false
20 |
21 |
22 |
23 |
24 |
25 |
26 |
27 | false
28 |
29 |
30 |
31 |
--------------------------------------------------------------------------------
/src/test/resources/hudson/security/ProjectMatrixAuthorizationStrategyTest/loadFilledAuthorizationStrategy/config.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | 1.0
5 | 2
6 | NORMAL
7 | true
8 |
9 | hudson.model.Hudson.Administer:alice
10 |
11 |
12 | false
13 |
14 | ${JENKINS_HOME}/workspace/${ITEM_FULLNAME}
15 | ${ITEM_ROOTDIR}/builds
16 |
17 |
18 |
19 |
20 |
21 | 0
22 |
23 |
24 |
25 | all
26 | false
27 | false
28 |
29 |
30 |
31 | all
32 | 0
33 |
34 |
35 |
36 |
--------------------------------------------------------------------------------
/src/main/resources/hudson/security/GlobalMatrixAuthorizationStrategy/config_ru.properties:
--------------------------------------------------------------------------------
1 | # The MIT License
2 | #
3 | # Copyright (c) 2004-2009, Sun Microsystems, Inc., Kohsuke Kawaguchi, Mike Salnikov
4 | #
5 | # Permission is hereby granted, free of charge, to any person obtaining a copy
6 | # of this software and associated documentation files (the "Software"), to deal
7 | # in the Software without restriction, including without limitation the rights
8 | # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | # copies of the Software, and to permit persons to whom the Software is
10 | # furnished to do so, subject to the following conditions:
11 | #
12 | # The above copyright notice and this permission notice shall be included in
13 | # all copies or substantial portions of the Software.
14 | #
15 | # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
21 | # THE SOFTWARE.
22 |
23 | Remove\ user/group=\u0423\u0434\u0430\u043B\u0438\u0442\u044C \u043F\u043E\u043B\u044C\u0437\u043E\u0432\u0430\u0442\u0435\u043B\u044F/\u0433\u0440\u0443\u043F\u043F\u0443
24 | Toggle\ all=\u041F\u0435\u0440\u0435\u043A\u043B\u044E\u0447\u0438\u0442\u044C \u0432\u0441\u0451
25 | User/group=\u041f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c/\u0433\u0440\u0443\u043f\u043f\u0430
26 | Anonymous=\u0410\u043d\u043e\u043d\u0438\u043c
27 |
--------------------------------------------------------------------------------
/src/main/resources/org/jenkinsci/plugins/matrixauth/Messages.properties:
--------------------------------------------------------------------------------
1 | # The MIT License
2 | #
3 | # Copyright 2013 Jesse Glick.
4 | #
5 | # Permission is hereby granted, free of charge, to any person obtaining a copy
6 | # of this software and associated documentation files (the "Software"), to deal
7 | # in the Software without restriction, including without limitation the rights
8 | # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | # copies of the Software, and to permit persons to whom the Software is
10 | # furnished to do so, subject to the following conditions:
11 | #
12 | # The above copyright notice and this permission notice shall be included in
13 | # all copies or substantial portions of the Software.
14 | #
15 | # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
21 | # THE SOFTWARE.
22 |
23 | GlobalMatrixAuthorizationStrategy.DisplayName=Matrix-based security
24 | ProjectMatrixAuthorizationStrategy.DisplayName=Project-based Matrix Authorization Strategy
25 | AuthorizationMatrixNodeProperty.DisplayName=Enable node-based security
26 | GlobalMatrixAuthorizationStrategy.PermissionImpliedBy=This permission is implied by {0}/{1}.
27 | GlobalMatrixAuthorizationStrategy.PermissionNotImpliedBy=This permission is not implied by Overall/Administer. It needs to be explicitly granted even to administrators.
28 |
--------------------------------------------------------------------------------
/src/main/resources/hudson/security/DangerousMatrixPermissionsAdministrativeMonitor/message.groovy:
--------------------------------------------------------------------------------
1 | /*
2 | * The MIT License
3 | *
4 | * Copyright (c) 2016, CloudBees, Inc.
5 | *
6 | * Permission is hereby granted, free of charge, to any person obtaining a copy
7 | * of this software and associated documentation files (the "Software"), to deal
8 | * in the Software without restriction, including without limitation the rights
9 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | * copies of the Software, and to permit persons to whom the Software is
11 | * furnished to do so, subject to the following conditions:
12 | *
13 | * The above copyright notice and this permission notice shall be included in
14 | * all copies or substantial portions of the Software.
15 | *
16 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 | * THE SOFTWARE.
23 | */
24 |
25 | package hudson.security.DangerousMatrixPermissionsAdministrativeMonitor
26 |
27 | def f = namespace(lib.FormTagLib)
28 |
29 | div(class: "error") {
30 | raw(_("blurb"))
31 | ul {
32 | my.sidsWithDangerousPermissions.each {
33 | li(it)
34 | }
35 | }
36 | a(href: "https://jenkins.io/redirect/dangerous-permissions") {
37 | text(_("Learn more"))
38 | }
39 | }
40 |
41 | form(method: "post", action: "${rootURL}/${it.url}/act") {
42 | div {
43 | f.submit(name: 'yes', value: _("Review Permissions"))
44 | }
45 | }
46 |
--------------------------------------------------------------------------------
/src/main/java/org/jenkinsci/plugins/matrixauth/inheritance/InheritanceStrategy.java:
--------------------------------------------------------------------------------
1 | /*
2 | * The MIT License
3 | *
4 | * Copyright (c) 2017 Daniel Beck
5 | *
6 | * Permission is hereby granted, free of charge, to any person obtaining a copy
7 | * of this software and associated documentation files (the "Software"), to deal
8 | * in the Software without restriction, including without limitation the rights
9 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | * copies of the Software, and to permit persons to whom the Software is
11 | * furnished to do so, subject to the following conditions:
12 | *
13 | * The above copyright notice and this permission notice shall be included in
14 | * all copies or substantial portions of the Software.
15 | *
16 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 | * THE SOFTWARE.
23 | */
24 | package org.jenkinsci.plugins.matrixauth.inheritance;
25 |
26 | import hudson.ExtensionPoint;
27 | import hudson.model.AbstractDescribableImpl;
28 | import hudson.security.ACL;
29 | import hudson.security.AccessControlled;
30 |
31 | public abstract class InheritanceStrategy extends AbstractDescribableImpl<InheritanceStrategy> implements ExtensionPoint {
32 | @Override
33 | public InheritanceStrategyDescriptor getDescriptor() {
34 | return (InheritanceStrategyDescriptor) super.getDescriptor();
35 | }
36 |
37 | public abstract ACL getEffectiveACL(ACL acl, AccessControlled subject);
38 | }
39 |
--------------------------------------------------------------------------------
/src/test/resources/org/jenkinsci/plugins/matrixauth/inheritance/InheritanceMigrationTest/config.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | 2.0
5 | 2
6 | NORMAL
7 | true
8 |
9 | hudson.model.Hudson.Administer:admin
10 | hudson.model.Hudson.Read:alice
11 | hudson.model.Hudson.Read:bob
12 | hudson.model.Item.Read:alice
13 |
14 |
15 | true
16 | false
17 |
18 | false
19 |
20 | ${JENKINS_HOME}/workspace/${ITEM_FULLNAME}
21 | ${ITEM_ROOTDIR}/builds
22 |
23 |
24 |
25 |
26 |
27 | 0
28 |
29 |
30 |
31 | all
32 | false
33 | false
34 |
35 |
36 |
37 | all
38 | -1
39 |
40 |
41 | false
42 |
43 |
44 |
45 |
--------------------------------------------------------------------------------
/src/test/java/org/jenkinsci/plugins/matrixauth/PermissionAdderTest.java:
--------------------------------------------------------------------------------
1 | package org.jenkinsci.plugins.matrixauth;
2 |
3 | import hudson.model.User;
4 | import hudson.security.GlobalMatrixAuthorizationStrategy;
5 | import hudson.security.HudsonPrivateSecurityRealm;
6 | import hudson.security.pages.SignupPage;
7 | import jenkins.model.Jenkins;
8 |
9 | import java.util.Collections;
10 |
11 | import org.junit.Assert;
12 | import org.junit.Rule;
13 | import org.junit.Test;
14 | import org.junit.runners.model.Statement;
15 | import org.jvnet.hudson.test.Issue;
16 | import org.jvnet.hudson.test.JenkinsRule;
17 | import org.jvnet.hudson.test.RestartableJenkinsRule;
18 |
19 | public class PermissionAdderTest {
20 |
21 | @Rule
22 | public RestartableJenkinsRule r = new RestartableJenkinsRule();
23 |
24 | @Test
25 | @Issue("JENKINS-20520")
26 | public void ensureSavingAfterInitialUser() {
27 | r.addStep(new Statement() {
28 | @Override
29 | public void evaluate() throws Throwable {
30 | r.j.jenkins.setSecurityRealm(new HudsonPrivateSecurityRealm(true, false, null));
31 | r.j.jenkins.setAuthorizationStrategy(new GlobalMatrixAuthorizationStrategy());
32 | r.j.jenkins.save();
33 |
34 | JenkinsRule.WebClient wc = r.j.createWebClient();
35 | SignupPage signup = new SignupPage(wc.goTo("signup"));
36 | signup.enterUsername("alice");
37 | signup.enterPassword("alice");
38 | signup.enterFullName("Alice User");
39 | signup.submit(r.j);
40 |
41 | Assert.assertTrue(r.j.jenkins.getACL().hasPermission(User.get("alice", false, Collections.emptyMap()).impersonate(), Jenkins.ADMINISTER));
42 | }
43 | });
44 | r.addStep(new Statement() {
45 | @Override
46 | public void evaluate() throws Throwable {
47 | Assert.assertTrue(r.j.jenkins.getACL().hasPermission(User.get("alice", false, Collections.emptyMap()).impersonate(), Jenkins.ADMINISTER));
48 | }
49 | });
50 | }
51 | }
52 |
--------------------------------------------------------------------------------
/src/main/java/org/jenkinsci/plugins/matrixauth/inheritance/InheritanceStrategyDescriptor.java:
--------------------------------------------------------------------------------
1 | /*
2 | * The MIT License
3 | *
4 | * Copyright (c) 2017 Daniel Beck
5 | *
6 | * Permission is hereby granted, free of charge, to any person obtaining a copy
7 | * of this software and associated documentation files (the "Software"), to deal
8 | * in the Software without restriction, including without limitation the rights
9 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | * copies of the Software, and to permit persons to whom the Software is
11 | * furnished to do so, subject to the following conditions:
12 | *
13 | * The above copyright notice and this permission notice shall be included in
14 | * all copies or substantial portions of the Software.
15 | *
16 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 | * THE SOFTWARE.
23 | */
24 | package org.jenkinsci.plugins.matrixauth.inheritance;
25 |
26 | import hudson.DescriptorExtensionList;
27 | import hudson.model.Descriptor;
28 | import jenkins.model.Jenkins;
29 |
30 | import java.util.ArrayList;
31 | import java.util.List;
32 |
33 | public abstract class InheritanceStrategyDescriptor extends Descriptor<InheritanceStrategy> {
34 |
35 | public static DescriptorExtensionList<InheritanceStrategy, InheritanceStrategyDescriptor> all() {
36 | return Jenkins.get().getDescriptorList(InheritanceStrategy.class);
37 | }
38 |
39 | public static List<InheritanceStrategyDescriptor> getApplicableDescriptors(Class<?> clazz) {
40 | List<InheritanceStrategyDescriptor> result = new ArrayList<>();
41 | List<InheritanceStrategyDescriptor> list = all();
42 | for (InheritanceStrategyDescriptor isd : list) {
43 | if (isd.isApplicable(clazz)) {
44 | result.add(isd);
45 | }
46 | }
47 | return result;
48 | }
49 |
50 | public abstract boolean isApplicable(Class<?> clazz);
51 | }
52 |
--------------------------------------------------------------------------------
/src/main/resources/hudson/security/table.css:
--------------------------------------------------------------------------------
1 | /*
2 | * The MIT License
3 | *
4 | * Copyright (c) 2004-2009, Sun Microsystems, Inc., Kohsuke Kawaguchi, Seiji Sogabe
5 | *
6 | * Permission is hereby granted, free of charge, to any person obtaining a copy
7 | * of this software and associated documentation files (the "Software"), to deal
8 | * in the Software without restriction, including without limitation the rights
9 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | * copies of the Software, and to permit persons to whom the Software is
11 | * furnished to do so, subject to the following conditions:
12 | *
13 | * The above copyright notice and this permission notice shall be included in
14 | * all copies or substantial portions of the Software.
15 | *
16 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 | * THE SOFTWARE.
23 | */
24 | .global-matrix-authorization-strategy-table {
25 | border-collapse: collapse;
26 | border-spacing: 0;
27 | border: 1px solid #D3D7CF;
28 | }
29 |
30 | .global-matrix-authorization-strategy-table TH {
31 | padding: 0.2em;
32 | }
33 |
34 | .global-matrix-authorization-strategy-table TD.blank {
35 | vertical-align: middle;
36 | padding: 0.2em;
37 | }
38 |
39 | .global-matrix-authorization-strategy-table .caption-row TH {
40 | font-weight: lighter;
41 | padding: 0;
42 | }
43 |
44 | .global-matrix-authorization-strategy-table .caption-row TH span {
45 | writing-mode: vertical-rl;
46 | }
47 |
48 | .global-matrix-authorization-strategy-table TD {
49 | border: 1px solid #D3D7CF;
50 | }
51 |
52 | .global-matrix-authorization-strategy-table TD.left-most {
53 | text-align: left;
54 | border-left: none;
55 | white-space: nowrap;
56 | }
57 |
58 | .global-matrix-authorization-strategy-table TD.stop {
59 | border-top: 1px solid transparent;
60 | border-right: 1px solid transparent;
61 | border-bottom: 1px solid transparent;
62 | white-space: nowrap;
63 | }
64 |
--------------------------------------------------------------------------------
/src/test/java/org/jenkinsci/plugins/matrixauth/AuthorizationContainerDescriptorTest.java:
--------------------------------------------------------------------------------
1 | package org.jenkinsci.plugins.matrixauth;
2 |
3 | import hudson.model.Item;
4 | import hudson.model.Run;
5 | import hudson.security.GlobalMatrixAuthorizationStrategy;
6 | import hudson.security.Permission;
7 | import hudson.security.PermissionScope;
8 | import jenkins.model.Jenkins;
9 | import org.junit.Assert;
10 | import org.junit.Test;
11 | import org.jvnet.localizer.Localizable;
12 | import org.jvnet.localizer.ResourceBundleHolder;
13 |
14 | public class AuthorizationContainerDescriptorTest {
15 |
16 | private Permission TEST_PERMISSION = new Permission(Item.PERMISSIONS, "Test", new Localizable(ResourceBundleHolder.get(AuthorizationContainerDescriptorTest.class), "Test"), Item.BUILD, PermissionScope.ITEM);
17 |
18 | @Test
19 | public void testImpliedNotes() {
20 | { // no message on Administer
21 | String description = new GlobalMatrixAuthorizationStrategy.DescriptorImpl().getDescription(Jenkins.ADMINISTER);
22 | Assert.assertFalse(description.contains(Messages.GlobalMatrixAuthorizationStrategy_PermissionNotImpliedBy()));
23 | Assert.assertFalse(description.contains(Messages.GlobalMatrixAuthorizationStrategy_PermissionImpliedBy(Jenkins.PERMISSIONS.title.toString(), Jenkins.ADMINISTER.name)));
24 | }
25 |
26 | { // Run.ARTIFACTS is not implied by other permissions
27 | String description = new GlobalMatrixAuthorizationStrategy.DescriptorImpl().getDescription(Run.ARTIFACTS);
28 | Assert.assertTrue(description.contains(Messages.GlobalMatrixAuthorizationStrategy_PermissionNotImpliedBy()));
29 | Assert.assertFalse(description.contains(Messages.GlobalMatrixAuthorizationStrategy_PermissionImpliedBy(Jenkins.PERMISSIONS.title.toString(), Jenkins.ADMINISTER.name)));
30 | }
31 |
32 | {
33 | // Use a fake permission for the 'implied by' message addition check, since Item.CANCEL changed behavior in 2.120, and there's no permission left with the same behavior.
34 | String description = new GlobalMatrixAuthorizationStrategy.DescriptorImpl().getDescription(TEST_PERMISSION);
35 | Assert.assertFalse(description.contains(Messages.GlobalMatrixAuthorizationStrategy_PermissionNotImpliedBy()));
36 | Assert.assertTrue(description.contains(Messages.GlobalMatrixAuthorizationStrategy_PermissionImpliedBy(Item.PERMISSIONS.title.toString(), Item.BUILD.name)));
37 | }
38 | }
39 | }
40 |
--------------------------------------------------------------------------------
/src/test/resources/org/jenkinsci/plugins/matrixauth/integrations/casc/configuration-as-code.yml:
--------------------------------------------------------------------------------
1 | jenkins:
2 |   authorizationStrategy:
3 |     projectMatrix:
4 |       permissions:
5 |         - "Agent/Build:authenticated"
6 |         - "Agent/Configure:authenticated"
7 |         - "Agent/Connect:authenticated"
8 |         - "Agent/Create:authenticated"
9 |         - "Agent/Delete:authenticated"
10 |         - "Agent/Disconnect:authenticated"
11 |         - "Credentials/Create:authenticated"
12 |         - "Credentials/Delete:authenticated"
13 |         - "Credentials/ManageDomains:authenticated"
14 |         - "Credentials/Update:authenticated"
15 |         - "Credentials/View:authenticated"
16 |         - "Job/Build:authenticated"
17 |         - "Job/Cancel:authenticated"
18 |         - "Job/Configure:authenticated"
19 |         - "Job/Create:authenticated"
20 |         - "Job/Delete:authenticated"
21 |         - "Job/Discover:authenticated"
22 |         - "Job/Move:authenticated"
23 |         - "Job/Read:authenticated"
24 |         - "Job/Workspace:authenticated"
25 |         - "Overall/Read:anonymous"
26 |         - "Overall/Administer:authenticated"
27 |         - "Overall/Read:authenticated"
28 |         - "Run/Delete:authenticated"
29 |         - "Run/Replay:authenticated"
30 |         - "Run/Update:authenticated"
31 |         - "View/Configure:authenticated"
32 |         - "View/Create:authenticated"
33 |         - "View/Delete:authenticated"
34 |         - "View/Read:authenticated"
35 |   nodes:
36 |     - permanent:
37 |         launcher:
38 |           jnlp:
39 |             workDirSettings:
40 |               disabled: false
41 |               failIfWorkDirIsMissing: false
42 |               internalDir: "remoting"
43 |         name: "agent1"
44 |         nodeProperties:
45 |           - authorizationMatrix:
46 |               inheritanceStrategy: "inheritingGlobal"
47 |               permissions:
48 |                 - "Agent/Disconnect:authenticated"
49 |                 - "Agent/Build:authenticated"
50 |                 - "Agent/Build:anonymous"
51 |         numExecutors: 1
52 |         retentionStrategy: "always"
53 |   securityRealm:
54 |     local:
55 |       allowsSignup: true
56 |       enableCaptcha: false
57 | jobs:
58 |   - script: >
59 |       folder('generated') {
60 |         properties {
61 |           authorizationMatrix {
62 |             inheritanceStrategy {
63 |               nonInheriting()
64 |             }
65 |             permissions([
66 |               'Job/Build:authenticated',
67 |               'Job/Configure:authenticated',
68 |               'Job/Delete:authenticated',
69 |               'Job/Read:authenticated',
70 |             ])
71 |           }
72 |         }
73 |       }
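
An added example, not part of the plugin's code base: a pre-deployment audit for Configuration as Code files in the `Group/Permission:sid` format used by the two CasC fixtures above. The rule names, the function names `collect_grants` and `audit`, and the policy of what counts as a risky grant are assumptions of this sketch, and the sample document is constructed.

```python
import re

# Constructed sample in the shape of the CasC fixtures (not a real deployment).
SAMPLE = """\
jenkins:
  authorizationStrategy:
    projectMatrix:
      grantedPermissions:
        - "Overall/Read:anonymous"
      permissions:
        - "Overall/Administer:authenticated"
        - "Job/Read:authenticated"
        - "Job/Build:alice"
  nodes:
    - permanent:
        name: "agent1"
        nodeProperties:
          - authorizationMatrix:
              inheritanceStrategy: "inheritingGlobal"
              permissions:
                - "Agent/Build:anonymous"
"""

PERMISSION_KEYS = ("permissions", "grantedPermissions")
BROAD_SIDS = {"anonymous", "authenticated"}
# Assumed policy for this sketch: the only grants anonymous may hold.
ANONYMOUS_OK = {"Overall/Read", "Job/Discover"}

# A key that opens a nested mapping or list, optionally as a list item ("- key:").
OPENER = re.compile(r"^(\s*(?:-\s+)?)([A-Za-z_]\w*):\s*$")


def collect_grants(text):
    """Return (owner, key, permission, sid, line_no) for each matrix entry.

    owner is (parent_key, parent_line_no), so authorizationMatrix blocks on
    different nodes stay separate. Job DSL scripts embedded under jobs: are
    not parsed.
    """
    grants, stack, current = [], [], None
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        col = len(line) - len(line.lstrip())
        opener = OPENER.match(line)
        if opener:
            col, key = len(opener.group(1)), opener.group(2)
            # Leave every mapping that is not an ancestor of this key.
            while stack and stack[-1][0] >= col:
                stack.pop()
            if key in PERMISSION_KEYS:
                owner = (stack[-1][1], stack[-1][2]) if stack else ("<root>", 0)
                current = (col, key, owner)
            else:
                stack.append((col, key, line_no))
                current = None
        elif current and stripped.startswith("- ") and col >= current[0]:
            item = stripped[2:].strip().strip("\"'")
            # The sid follows the first colon; permission names contain none.
            permission, sep, sid = item.partition(":")
            if sep and "/" in permission:
                grants.append((current[2], current[1], permission, sid, line_no))
        else:
            current = None
    return grants


def audit(text):
    """Return sorted (rule, line_no, detail) findings for a CasC document."""
    findings, keys_by_owner = [], {}
    for owner, key, permission, sid, line_no in collect_grants(text):
        keys_by_owner.setdefault(owner, set()).add(key)
        if permission == "Overall/Administer" and sid in BROAD_SIDS:
            findings.append(("admin-to-broad-group", line_no, f"{permission}:{sid}"))
        elif sid == "anonymous" and permission not in ANONYMOUS_OK:
            findings.append(("anonymous-grant", line_no, f"{permission}:{sid}"))
    for (name, line_no), keys in keys_by_owner.items():
        if len(keys) == 2:
            # Mixing the legacy and the current key on one block is unsupported.
            findings.append(("legacy-and-current-keys", line_no, name))
        elif "grantedPermissions" in keys:
            findings.append(("legacy-key-only", line_no, name))
    return sorted(findings)


if __name__ == "__main__":
    for rule, line_no, detail in audit(SAMPLE):
        print(f"line {line_no}: {rule}: {detail}")
```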
--------------------------------------------------------------------------------
/src/main/java/org/jenkinsci/plugins/matrixauth/ValidationUtil.java:
--------------------------------------------------------------------------------
1 | /*
2 | * The MIT License
3 | *
4 | * Copyright (c) 2004-2017 Sun Microsystems, Inc., Kohsuke Kawaguchi, Yahoo! Inc., Peter Hayes, Tom Huybrechts, Daniel Beck
5 | *
6 | * Permission is hereby granted, free of charge, to any person obtaining a copy
7 | * of this software and associated documentation files (the "Software"), to deal
8 | * in the Software without restriction, including without limitation the rights
9 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | * copies of the Software, and to permit persons to whom the Software is
11 | * furnished to do so, subject to the following conditions:
12 | *
13 | * The above copyright notice and this permission notice shall be included in
14 | * all copies or substantial portions of the Software.
15 | *
16 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 | * THE SOFTWARE.
23 | */
24 | package org.jenkinsci.plugins.matrixauth;
25 |
26 | import jenkins.model.Jenkins;
27 | import org.kohsuke.accmod.Restricted;
28 | import org.kohsuke.accmod.restrictions.NoExternalUse;
29 | import org.kohsuke.stapler.Stapler;
30 |
31 | @Restricted(NoExternalUse.class)
32 | class ValidationUtil {
33 | private ValidationUtil() {
34 | // do not use
35 | }
36 |
37 | static String formatNonExistentUserGroupValidationResponse(String user, String tooltip) {
38 | return formatUserGroupValidationResponse("user-disabled.png", "" + user + "", tooltip, true);
39 | }
40 |
41 | static String formatUserGroupValidationResponse(String img, String user, String tooltip, boolean inPlugin) {
42 | if (inPlugin) {
43 | return String.format("%s", tooltip, Stapler.getCurrentRequest().getContextPath(), img, user);
44 | } else {
45 | return String.format("%s", tooltip, Stapler.getCurrentRequest().getContextPath(), Jenkins.RESOURCE_PATH, img, user);
46 | }
47 | }
48 | }
49 |
--------------------------------------------------------------------------------
/src/main/java/org/jenkinsci/plugins/matrixauth/inheritance/InheritGlobalStrategy.java:
--------------------------------------------------------------------------------
1 | /*
2 | * The MIT License
3 | *
4 | * Copyright (c) 2017 Daniel Beck
5 | *
6 | * Permission is hereby granted, free of charge, to any person obtaining a copy
7 | * of this software and associated documentation files (the "Software"), to deal
8 | * in the Software without restriction, including without limitation the rights
9 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | * copies of the Software, and to permit persons to whom the Software is
11 | * furnished to do so, subject to the following conditions:
12 | *
13 | * The above copyright notice and this permission notice shall be included in
14 | * all copies or substantial portions of the Software.
15 | *
16 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 | * THE SOFTWARE.
23 | */
24 | package org.jenkinsci.plugins.matrixauth.inheritance;
25 |
26 | import hudson.Extension;
27 | import hudson.security.ACL;
28 | import hudson.security.AccessControlled;
29 | import hudson.security.ProjectMatrixAuthorizationStrategy;
30 | import jenkins.model.Jenkins;
31 | import org.jenkinsci.Symbol;
32 | import org.kohsuke.stapler.DataBoundConstructor;
33 |
34 | import javax.annotation.Nonnull;
35 |
36 | /**
37 | * Strategy that inherits only the global ACL -- parent, grandparent, etc. ACLs are not inherited.
38 | */
39 | public class InheritGlobalStrategy extends InheritanceStrategy {
40 |
41 | @DataBoundConstructor
42 | public InheritGlobalStrategy() {
43 |
44 | }
45 |
46 | @Override
47 | public ACL getEffectiveACL(ACL acl, AccessControlled subject) {
48 | return ProjectMatrixAuthorizationStrategy.inheritingACL(Jenkins.get().getAuthorizationStrategy().getRootACL(), acl);
49 | }
50 |
51 | @Symbol("inheritingGlobal")
52 | @Extension
53 | public static class DescriptorImpl extends InheritanceStrategyDescriptor {
54 |
55 | @Override
56 | public boolean isApplicable(Class<?> clazz) {
57 | return true;
58 | }
59 |
60 | @Override
61 | @Nonnull
62 | public String getDisplayName() {
63 | return Messages.InheritGlobalStrategy_DisplayName();
64 | }
65 | }
66 | }
67 |
--------------------------------------------------------------------------------
/src/test/resources/org/jenkinsci/plugins/matrixauth/integrations/casc/ExportTest/config.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | 2.138.3
5 | DEVELOPMENT
6 | 2
7 | NORMAL
8 | true
9 |
10 | com.cloudbees.plugins.credentials.CredentialsProvider.Create:authenticated
11 | com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains:authenticated
12 | com.cloudbees.plugins.credentials.CredentialsProvider.View:authenticated
13 | hudson.model.Computer.Build:authenticated
14 | hudson.model.Computer.Connect:authenticated
15 | hudson.model.Computer.Create:authenticated
16 | hudson.model.Computer.Delete:authenticated
17 | hudson.model.Computer.Disconnect:authenticated
18 | hudson.model.Hudson.Administer:anonymous
19 | hudson.model.Hudson.Administer:authenticated
20 | hudson.model.Item.Build:authenticated
21 | hudson.model.Item.Cancel:authenticated
22 | hudson.model.Item.Configure:authenticated
23 | hudson.model.Item.Read:authenticated
24 | hudson.model.Run.Delete:authenticated
25 | hudson.model.Run.Update:authenticated
26 | hudson.model.View.Configure:authenticated
27 | hudson.model.View.Delete:authenticated
28 |
29 |
30 | false
31 | false
32 |
33 | false
34 |
35 | ${JENKINS_HOME}/workspace/${ITEM_FULL_NAME}
36 | ${ITEM_ROOTDIR}/builds
37 |
38 |
39 |
40 |
41 |
42 | 5
43 | 0
44 |
45 |
46 |
47 | all
48 | false
49 | false
50 |
51 |
52 |
53 | all
54 | 0
55 |
56 |
57 |
58 |
--------------------------------------------------------------------------------
/src/test/java/org/jenkinsci/plugins/matrixauth/integrations/casc/ExportTest.java:
--------------------------------------------------------------------------------
1 | package org.jenkinsci.plugins.matrixauth.integrations.casc;
2 |
3 | import hudson.security.ProjectMatrixAuthorizationStrategy;
4 | import io.jenkins.plugins.casc.ConfigurationContext;
5 | import io.jenkins.plugins.casc.Configurator;
6 | import io.jenkins.plugins.casc.ConfiguratorRegistry;
7 | import io.jenkins.plugins.casc.model.CNode;
8 | import io.jenkins.plugins.casc.model.Mapping;
9 | import org.jenkinsci.plugins.matrixauth.AuthorizationMatrixNodeProperty;
10 | import org.junit.Rule;
11 | import org.junit.Test;
12 | import org.jvnet.hudson.test.JenkinsRule;
13 | import org.jvnet.hudson.test.recipes.LocalData;
14 |
15 | import java.util.Arrays;
16 | import java.util.List;
17 |
18 | import static org.junit.Assert.assertEquals;
19 | import static org.junit.Assert.assertNotNull;
20 | import static org.junit.Assert.assertNull;
21 | import static org.junit.Assert.assertTrue;
22 |
23 | public class ExportTest {
24 |
25 | @Rule
26 | public JenkinsRule j = new JenkinsRule();
27 |
28 | @Test
29 | @LocalData
30 | public void exportTest() throws Exception {
31 | ConfiguratorRegistry registry = ConfiguratorRegistry.get();
32 | ConfigurationContext context = new ConfigurationContext(registry);
33 |
34 | { // global configuration
35 | ProjectMatrixAuthorizationStrategy authorizationStrategy = (ProjectMatrixAuthorizationStrategy) j.jenkins.getAuthorizationStrategy();
36 | Configurator<ProjectMatrixAuthorizationStrategy> c = context.lookupOrFail(ProjectMatrixAuthorizationStrategy.class);
37 |
38 | CNode node = c.describe(authorizationStrategy, context);
39 | assertNotNull(node);
40 | Mapping mapping = node.asMapping();
41 |
42 | List<CNode> permissions = mapping.get("permissions").asSequence();
43 | assertEquals("list size", 18, permissions.size());
44 |
45 | assertNull("no grantedPermissions", mapping.get("grantedPermissions"));
46 | }
47 |
48 | { // node configuration
49 | Configurator<AuthorizationMatrixNodeProperty> c = context.lookupOrFail(AuthorizationMatrixNodeProperty.class);
50 | AuthorizationMatrixNodeProperty nodeProperty = j.jenkins.getNode("agent1").getNodeProperty(AuthorizationMatrixNodeProperty.class);
51 |
52 | CNode node = c.describe(nodeProperty, context);
53 | assertNotNull(node);
54 | Mapping mapping = node.asMapping();
55 |
56 | assertEquals("inheritance strategy", mapping.getScalarValue("inheritanceStrategy"), "inheritingGlobal");
57 | List<CNode> permissions = mapping.get("permissions").asSequence();
58 | assertEquals("list size", 6, permissions.size());
59 |
60 | {
61 | List<String> strings = Arrays.asList(
62 | "Agent/Build:anonymous", "Agent/Build:authenticated", "Agent/Configure:authenticated",
63 | "Agent/Connect:authenticated", "Agent/Delete:authenticated", "Agent/Disconnect:authenticated");
64 | for (CNode entry : permissions) {
65 | String value = entry.asScalar().getValue();
66 | assertTrue("list contains entry", strings.contains(value));
67 | }
68 | }
69 | }
70 | }
71 | }
72 |
--------------------------------------------------------------------------------
/src/test/java/org/jenkinsci/plugins/matrixauth/AuthorizationMatrixNodePropertyTest.java:
--------------------------------------------------------------------------------
1 | /*
2 | * The MIT License
3 | *
4 | * Copyright 2017 Daniel Beck
5 | *
6 | * Permission is hereby granted, free of charge, to any person obtaining a copy
7 | * of this software and associated documentation files (the "Software"), to deal
8 | * in the Software without restriction, including without limitation the rights
9 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | * copies of the Software, and to permit persons to whom the Software is
11 | * furnished to do so, subject to the following conditions:
12 | *
13 | * The above copyright notice and this permission notice shall be included in
14 | * all copies or substantial portions of the Software.
15 | *
16 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 | * THE SOFTWARE.
23 | */
24 |
25 | package org.jenkinsci.plugins.matrixauth;
26 |
27 | import hudson.model.Computer;
28 | import hudson.model.Node;
29 | import hudson.model.User;
30 | import hudson.security.ACL;
31 | import hudson.security.ACLContext;
32 | import hudson.security.HudsonPrivateSecurityRealm;
33 | import hudson.security.ProjectMatrixAuthorizationStrategy;
34 | import jenkins.model.Jenkins;
35 |
36 | import java.util.Collections;
37 |
38 | import org.junit.Assert;
39 | import org.junit.Rule;
40 | import org.junit.Test;
41 | import org.jvnet.hudson.test.JenkinsRule;
42 |
43 | public class AuthorizationMatrixNodePropertyTest {
44 |
45 | @Rule
46 | public JenkinsRule r = new JenkinsRule();
47 |
48 | @Test
49 | public void ensureCreatorHasPermissions() throws Exception {
50 | HudsonPrivateSecurityRealm realm = new HudsonPrivateSecurityRealm(false, false, null);
51 | realm.createAccount("alice","alice");
52 | realm.createAccount("bob","bob");
53 | r.jenkins.setSecurityRealm(realm);
54 |
55 | ProjectMatrixAuthorizationStrategy authorizationStrategy = new ProjectMatrixAuthorizationStrategy();
56 | authorizationStrategy.add(Computer.CREATE, "alice");
57 | authorizationStrategy.add(Jenkins.READ, "alice");
58 |
59 | { // createSlave uses CommandLauncher, which requires RUN_SCRIPTS since 2.73.2
60 | authorizationStrategy.add(Jenkins.RUN_SCRIPTS, "alice");
61 | ProjectMatrixAuthorizationStrategy.ENABLE_DANGEROUS_PERMISSIONS = true;
62 | }
63 | r.jenkins.setAuthorizationStrategy(authorizationStrategy);
64 |
65 | Node node;
66 | try (ACLContext ignored = ACL.as(User.get("alice", false, Collections.emptyMap()))) {
67 | node = r.createSlave();
68 | }
69 |
70 | Assert.assertNotNull(node.getNodeProperty(AuthorizationMatrixNodeProperty.class));
71 | Assert.assertTrue(node.getACL().hasPermission(User.get("alice", false, Collections.emptyMap()).impersonate(), Computer.CONFIGURE));
72 | Assert.assertFalse(node.getACL().hasPermission(User.get("bob", false, Collections.emptyMap()).impersonate(), Computer.CONFIGURE));
73 | }
74 | }
75 |
--------------------------------------------------------------------------------
/src/main/java/org/jenkinsci/plugins/matrixauth/integrations/casc/AuthorizationMatrixNodePropertyConfigurator.java:
--------------------------------------------------------------------------------
1 | /*
2 | * The MIT License
3 | *
4 | * Copyright (c) 2018-2019 Matrix Authorization Strategy Plugin developers
5 | *
6 | * Permission is hereby granted, free of charge, to any person obtaining a copy
7 | * of this software and associated documentation files (the "Software"), to deal
8 | * in the Software without restriction, including without limitation the rights
9 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | * copies of the Software, and to permit persons to whom the Software is
11 | * furnished to do so, subject to the following conditions:
12 | *
13 | * The above copyright notice and this permission notice shall be included in
14 | * all copies or substantial portions of the Software.
15 | *
16 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 | * THE SOFTWARE.
23 | */
24 | package org.jenkinsci.plugins.matrixauth.integrations.casc;
25 |
26 | import hudson.Extension;
27 | import io.jenkins.plugins.casc.Attribute;
28 | import io.jenkins.plugins.casc.BaseConfigurator;
29 | import io.jenkins.plugins.casc.ConfigurationContext;
30 | import io.jenkins.plugins.casc.ConfiguratorException;
31 | import io.jenkins.plugins.casc.impl.attributes.DescribableAttribute;
32 | import io.jenkins.plugins.casc.impl.attributes.MultivaluedAttribute;
33 | import io.jenkins.plugins.casc.model.Mapping;
34 | import org.jenkinsci.plugins.matrixauth.AuthorizationMatrixNodeProperty;
35 | import org.jenkinsci.plugins.matrixauth.inheritance.InheritanceStrategy;
36 | import org.kohsuke.accmod.Restricted;
37 | import org.kohsuke.accmod.restrictions.NoExternalUse;
38 |
39 | import javax.annotation.Nonnull;
40 | import java.util.Arrays;
41 | import java.util.HashSet;
42 | import java.util.Set;
43 |
44 | @Extension(optional = true)
45 | @Restricted(NoExternalUse.class)
46 | public class AuthorizationMatrixNodePropertyConfigurator extends BaseConfigurator<AuthorizationMatrixNodeProperty> {
47 |
48 | @Override
49 | public Class<AuthorizationMatrixNodeProperty> getTarget() {
50 | return AuthorizationMatrixNodeProperty.class;
51 | }
52 |
53 | @Override
54 | protected AuthorizationMatrixNodeProperty instance(Mapping mapping, ConfigurationContext context)
55 | throws ConfiguratorException {
56 | return new AuthorizationMatrixNodeProperty();
57 | }
58 |
59 | @Override
60 | @Nonnull
61 | public Set<Attribute<AuthorizationMatrixNodeProperty, ?>> describe() {
62 | return new HashSet<>(Arrays.asList(
63 | new MultivaluedAttribute<AuthorizationMatrixNodeProperty, String>("permissions", String.class)
64 | .getter(MatrixAuthorizationStrategyConfigurator::getPermissions)
65 | .setter(MatrixAuthorizationStrategyConfigurator::setPermissions),
66 | new DescribableAttribute<AuthorizationMatrixNodeProperty, InheritanceStrategy>("inheritanceStrategy", InheritanceStrategy.class)));
67 | }
68 | }
--------------------------------------------------------------------------------
/src/main/java/org/jenkinsci/plugins/matrixauth/inheritance/InheritParentStrategy.java:
--------------------------------------------------------------------------------
1 | /*
2 | * The MIT License
3 | *
4 | * Copyright (c) 2017 Daniel Beck
5 | *
6 | * Permission is hereby granted, free of charge, to any person obtaining a copy
7 | * of this software and associated documentation files (the "Software"), to deal
8 | * in the Software without restriction, including without limitation the rights
9 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | * copies of the Software, and to permit persons to whom the Software is
11 | * furnished to do so, subject to the following conditions:
12 | *
13 | * The above copyright notice and this permission notice shall be included in
14 | * all copies or substantial portions of the Software.
15 | *
16 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 | * THE SOFTWARE.
23 | */
24 | package org.jenkinsci.plugins.matrixauth.inheritance;
25 |
26 | import hudson.Extension;
27 | import hudson.model.AbstractItem;
28 | import hudson.model.ItemGroup;
29 | import hudson.security.ACL;
30 | import hudson.security.AccessControlled;
31 | import hudson.security.ProjectMatrixAuthorizationStrategy;
32 | import jenkins.model.Jenkins;
33 | import org.jenkinsci.Symbol;
34 | import org.kohsuke.stapler.DataBoundConstructor;
35 |
36 | import javax.annotation.Nonnull;
37 |
38 | /**
39 | * Strategy that inherits the ACL from the parent.
40 | *
41 | * The parent's inheritance strategy in turn determines whether this receives permissions from grandparents etc. up to root.
42 | */
43 | public class InheritParentStrategy extends InheritanceStrategy {
44 |
45 | @DataBoundConstructor
46 | public InheritParentStrategy() {
47 |
48 | }
49 |
50 | @Override
51 | public ACL getEffectiveACL(ACL acl, AccessControlled subject) {
52 | if (subject instanceof AbstractItem) {
53 | AbstractItem item = (AbstractItem) subject;
54 | ItemGroup<?> parent = item.getParent();
55 | final ACL parentACL;
56 | if (parent instanceof AbstractItem) {
57 | parentACL = Jenkins.get().getAuthorizationStrategy().getACL((AbstractItem) parent);
58 | } else {
59 | parentACL = Jenkins.get().getAuthorizationStrategy().getRootACL();
60 | }
61 | return ProjectMatrixAuthorizationStrategy.inheritingACL(parentACL, acl);
62 | } else {
63 | throw new IllegalArgumentException("Expected subject to be AbstractItem, but got " + subject);
64 | }
65 | }
66 |
67 | @Symbol("inheriting")
68 | @Extension(ordinal = 100)
69 | public static class DescriptorImpl extends InheritanceStrategyDescriptor {
70 |
71 | @Override
72 | public boolean isApplicable(Class<?> clazz) {
73 | return AbstractItem.class.isAssignableFrom(clazz);
74 | }
75 |
76 | @Override
77 | @Nonnull
78 | public String getDisplayName() {
79 | return Messages.InheritParentStrategy_DisplayName();
80 | }
81 | }
82 | }
83 |
--------------------------------------------------------------------------------
/src/main/java/org/jenkinsci/plugins/matrixauth/AuthorizationProperty.java:
--------------------------------------------------------------------------------
1 | /*
2 | * The MIT License
3 | *
4 | * Copyright (c) 2004-2017 Sun Microsystems, Inc., Kohsuke Kawaguchi, Yahoo! Inc., Peter Hayes, Tom Huybrechts, Daniel Beck
5 | *
6 | * Permission is hereby granted, free of charge, to any person obtaining a copy
7 | * of this software and associated documentation files (the "Software"), to deal
8 | * in the Software without restriction, including without limitation the rights
9 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | * copies of the Software, and to permit persons to whom the Software is
11 | * furnished to do so, subject to the following conditions:
12 | *
13 | * The above copyright notice and this permission notice shall be included in
14 | * all copies or substantial portions of the Software.
15 | *
16 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 | * THE SOFTWARE.
23 | */
24 | package org.jenkinsci.plugins.matrixauth;
25 |
26 | import org.jenkinsci.plugins.matrixauth.inheritance.InheritGlobalStrategy;
27 | import org.jenkinsci.plugins.matrixauth.inheritance.InheritanceStrategy;
28 | import org.jenkinsci.plugins.matrixauth.inheritance.NonInheritingStrategy;
29 | import org.kohsuke.accmod.Restricted;
30 | import org.kohsuke.accmod.restrictions.NoExternalUse;
31 |
32 | @Restricted(NoExternalUse.class)
33 | public interface AuthorizationProperty extends AuthorizationContainer {
34 |
35 | void setInheritanceStrategy(InheritanceStrategy inheritanceStrategy);
36 | InheritanceStrategy getInheritanceStrategy();
37 |
38 | /**
39 | * Sets the flag to block inheritance.
40 | *
41 | * Since the introduction of inheritance strategies, set the inheritance
42 | * strategy roughly matching the previous behavior, i.e. {@code false} will
43 | * set the {@link NonInheritingStrategy}, {@code true} will set the
44 | * {@link InheritGlobalStrategy}.
45 | *
46 | * Note that for items nested inside folders, this will change behavior significantly.
47 | *
48 | * @since 2.0
49 | * @deprecated Use {@link InheritanceStrategy} instead.
50 | */
51 | @Deprecated
52 | default void setBlocksInheritance(boolean blocksInheritance) {
53 | if (blocksInheritance) {
54 | setInheritanceStrategy(new NonInheritingStrategy());
55 | } else {
56 | setInheritanceStrategy(new InheritGlobalStrategy());
57 | }
58 | }
59 |
60 | /**
61 | * Returns true if the authorization matrix is configured to block
62 | * inheritance from the parent.
63 | *
64 | * Since the introduction of inheritance strategies, returns {@code true}
65 | * if and only if the selected inheritance strategy is {@link NonInheritingStrategy}.
66 | *
67 | * @since 2.0
68 | * @deprecated Use {@link #getInheritanceStrategy()} instead.
69 | */
70 | @Deprecated
71 | default boolean isBlocksInheritance() {
72 | return getInheritanceStrategy() instanceof NonInheritingStrategy;
73 | }
74 |
75 | }
76 |
--------------------------------------------------------------------------------
/src/main/java/org/jenkinsci/plugins/matrixauth/integrations/PermissionFinder.java:
--------------------------------------------------------------------------------
1 | /*
2 | * The MIT License
3 | *
4 | * Copyright (c) 2018 Configuration as Code Plugin Developers
5 | *
6 | * Permission is hereby granted, free of charge, to any person obtaining a copy
7 | * of this software and associated documentation files (the "Software"), to deal
8 | * in the Software without restriction, including without limitation the rights
9 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | * copies of the Software, and to permit persons to whom the Software is
11 | * furnished to do so, subject to the following conditions:
12 | *
13 | * The above copyright notice and this permission notice shall be included in
14 | * all copies or substantial portions of the Software.
15 | *
16 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 | * THE SOFTWARE.
23 | */
24 | package org.jenkinsci.plugins.matrixauth.integrations;
25 |
26 | import hudson.security.Permission;
27 | import hudson.security.PermissionGroup;
28 | import java.util.List;
29 | import java.util.regex.Matcher;
30 | import java.util.regex.Pattern;
31 | import org.kohsuke.accmod.Restricted;
32 | import org.kohsuke.accmod.restrictions.NoExternalUse;
33 |
34 | import javax.annotation.CheckForNull;
35 |
36 |
37 | /**
38 | * Implements lookup for {@link Permission}s.
39 | */
40 | // Imported from https://github.com/jenkinsci/configuration-as-code-plugin/blob/727c976d137461f146b301f302d1552ca81de75e/plugin/src/main/java/io/jenkins/plugins/casc/util/PermissionFinder.java
41 | @Restricted(NoExternalUse.class)
42 | public class PermissionFinder {
43 |
44 | /** For Matrix Auth - Title/Permission **/
45 | private static final Pattern PERMISSION_PATTERN = Pattern.compile("^([^\\/]+)\\/(.+)$");
46 |
47 | /**
48 | * Attempt to match a given permission to what is defined in the UI.
49 | * @param id String of the form "Title/Permission" (Look in the UI) for a particular permission
50 | * @return a matched permission
51 | */
52 | @CheckForNull
53 | public static Permission findPermission(String id) {
54 | final String resolvedId = findPermissionId(id);
55 | return resolvedId != null ? Permission.fromId(resolvedId) : null;
56 | }
57 |
58 | /**
59 | * Attempt to match a given permission to what is defined in the UI.
60 | * @param id String of the form "Title/Permission" (Look in the UI) for a particular permission
61 | * @return a matched permission ID
62 | */
63 | @CheckForNull
64 | public static String findPermissionId(String id) {
65 | List<PermissionGroup> pgs = PermissionGroup.getAll();
66 | Matcher m = PERMISSION_PATTERN.matcher(id);
67 | if(m.matches()) {
68 | String owner = m.group(1);
69 | String name = m.group(2);
70 | for(PermissionGroup pg : pgs) {
71 | if(pg.owner.equals(Permission.class)) {
72 | continue;
73 | }
74 | if(pg.getId().equals(owner)) {
75 | return pg.owner.getName() + "." + name;
76 | }
77 | }
78 | }
79 | return null;
80 | }
81 | }
--------------------------------------------------------------------------------
/src/main/java/org/jenkinsci/plugins/matrixauth/integrations/casc/MatrixAuthorizationStrategyConfigurator.java:
--------------------------------------------------------------------------------
1 | package org.jenkinsci.plugins.matrixauth.integrations.casc;
2 |
3 | import hudson.security.AuthorizationStrategy;
4 | import hudson.security.Permission;
5 | import io.jenkins.plugins.casc.Attribute;
6 | import io.jenkins.plugins.casc.BaseConfigurator;
7 | import io.jenkins.plugins.casc.impl.attributes.MultivaluedAttribute;
8 | import org.jenkinsci.plugins.matrixauth.AuthorizationContainer;
9 | import org.jenkinsci.plugins.matrixauth.integrations.PermissionFinder;
10 | import org.kohsuke.accmod.Restricted;
11 | import org.kohsuke.accmod.restrictions.NoExternalUse;
12 |
13 | import javax.annotation.Nonnull;
14 | import java.util.Arrays;
15 | import java.util.Collection;
16 | import java.util.HashSet;
17 | import java.util.Set;
18 | import java.util.logging.Level;
19 | import java.util.logging.Logger;
20 | import java.util.stream.Collectors;
21 |
22 | @Restricted(NoExternalUse.class)
23 | public abstract class MatrixAuthorizationStrategyConfigurator<T extends AuthorizationContainer> extends BaseConfigurator<T> {
24 |
25 | @Nonnull
26 | @Override
27 | public Class<?> getImplementedAPI() {
28 | return AuthorizationStrategy.class;
29 | }
30 |
31 |
32 | @Override
33 | @Nonnull
34 | public Set<Attribute<T, ?>> describe() {
35 | return new HashSet<>(Arrays.asList(
36 | new MultivaluedAttribute<T, String>("permissions", String.class)
37 | .getter(MatrixAuthorizationStrategyConfigurator::getPermissions)
38 | .setter(MatrixAuthorizationStrategyConfigurator::setPermissions),
39 |
40 | // support old style configuration options
41 | new MultivaluedAttribute<T, String>("grantedPermissions", String.class)
42 | .getter(unused -> null)
43 | .setter(MatrixAuthorizationStrategyConfigurator::setPermissionsDeprecated)
44 | ));
45 | }
46 |
47 | /**
48 | * Extract container's permissions as a List of "PERMISSION:sid"
49 | */
50 | public static Collection<String> getPermissions(AuthorizationContainer container) {
51 | return container.getGrantedPermissions().entrySet().stream()
52 | .flatMap( e -> e.getValue().stream()
53 | .map(v -> e.getKey().group.getId() + "/" + e.getKey().name + ":" + v))
54 | .sorted()
55 | .collect(Collectors.toList());
56 | }
57 |
58 | /**
59 | * Configure container's permissions from a List of "PERMISSION:sid"
60 | */
61 | public static void setPermissions(AuthorizationContainer container, Collection<String> permissions) {
62 | permissions.forEach(p -> {
63 | final int i = p.indexOf(':');
64 | final Permission permission = PermissionFinder.findPermission(p.substring(0, i));
65 | container.add(permission, p.substring(i+1));
66 | });
67 | }
68 |
69 | /**
70 | * Like {@link #setPermissions(AuthorizationContainer, Collection)} but logs a deprecation warning
71 | */
72 | public static void setPermissionsDeprecated(AuthorizationContainer container, Collection<String> permissions) {
73 | LOGGER.log(Level.WARNING, "Loading deprecated attribute 'grantedPermissions' for instance of '" + container.getClass().getName() +"'. Use 'permissions' instead.");
74 | setPermissions(container, permissions);
75 | }
76 |
77 | private static final Logger LOGGER = Logger.getLogger(MatrixAuthorizationStrategyConfigurator.class.getName());
78 | }
79 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Matrix Authorization Strategy Plugin
2 |
3 | Implement fine-grained access control in Jenkins with this plugin.
4 |
5 | For a basic introduction, see [the section on Matrix Authorization in the Jenkins handbook](https://jenkins.io/doc/book/managing/security/#authorization).
6 |
7 | For the changelog, see [the plugin wiki page](https://wiki.jenkins-ci.org/display/JENKINS/Matrix+Authorization+Strategy+Plugin).
8 |
9 | ## Use Cases
10 |
11 | Matrix Authorization allows configuring the lowest level permissions, such as starting new builds, configuring items, or deleting them, individually.
12 |
13 | ### Project-based configuration
14 |
15 | Project-based matrix authorization allows configuring permissions for each item or agent independently.
16 | Permissions applying to such items or agents that are granted in the global configuration apply to all of them, unless they don't inherit global permissions (see below).
17 |
18 | ### Permission inheritance
19 |
20 | With project-based matrix authorization, permissions are inherited from the global configuration and any parent entities (e.g. the folder a job is in) by default.
21 | This can be changed.
22 | Depending on the entity being configured, all or a subset of the following _inheritance strategies_ are available:
23 |
24 | * Inherit permissions:
25 | This is the default behavior.
26 | Permissions explicitly granted on individual items or agents will only add to permissions defined globally or in any parent items.
27 | * Inherit global configuration only:
28 | This will only inherit permissions granted globally, but not those granted on parent folders.
29 | This way, jobs in folders can control access independently from their parent folder.
30 | * Do not inherit permissions:
31 | The most restrictive inheritance configuration.
32 | Only permissions defined explicitly on this agent or item will be granted.
33 | The only exception is Overall/Administer:
34 | It is not possible to remove access to an agent or item from Jenkins administrators.
35 |
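The three inheritance strategies listed above, as a small added model that is not part of the plugin's code: it resolves one user's effective access to a job inside a folder under each strategy. The class `InheritanceModel`, the `Item` type, the sids (`alice`, `bob`, `carol`, `admin`) and the grants are constructed for illustration; group membership and implications between permissions are not modelled, and a global Overall/Administer grant is simply treated as access to everything.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Added illustration of the README's inheritance strategies; a simplified model, not plugin code. */
public class InheritanceModel {

    enum Strategy { INHERIT_PARENT, INHERIT_GLOBAL, NON_INHERITING }

    static final String ADMINISTER = "Overall/Administer";

    /** Hypothetical stand-in for a folder or job carrying its own "Permission:sid" grants. */
    static final class Item {
        final String name;
        final Item parent; // null means the item sits at the top level
        final Strategy strategy;
        final Set<String> grants;

        Item(String name, Item parent, Strategy strategy, String... grants) {
            this.name = name;
            this.parent = parent;
            this.strategy = strategy;
            this.grants = new HashSet<>(Arrays.asList(grants));
        }
    }

    private final Set<String> globalGrants;

    InheritanceModel(String... globalGrants) {
        this.globalGrants = new HashSet<>(Arrays.asList(globalGrants));
    }

    boolean hasPermission(Item item, String sid, String permission) {
        // Access to an item cannot be removed from Jenkins administrators,
        // whatever strategy the item uses.
        if (globalGrants.contains(ADMINISTER + ":" + sid)) {
            return true;
        }
        String entry = permission + ":" + sid;
        // Grants made directly on the item always count.
        if (item.grants.contains(entry)) {
            return true;
        }
        switch (item.strategy) {
            case NON_INHERITING:
                return false;
            case INHERIT_GLOBAL:
                // Skip every ancestor folder and consult only the global matrix.
                return globalGrants.contains(entry);
            default: // INHERIT_PARENT
                // The parent's own strategy decides how much further up the lookup goes.
                return item.parent != null
                        ? hasPermission(item.parent, sid, permission)
                        : globalGrants.contains(entry);
        }
    }

    public static void main(String[] args) {
        InheritanceModel jenkins = new InheritanceModel(
                "Overall/Administer:admin", "Job/Read:alice");
        Item folder = new Item("team", null, Strategy.INHERIT_PARENT, "Job/Configure:bob");

        // Same job, same explicit grant, evaluated once per strategy.
        for (Strategy strategy : Strategy.values()) {
            Item job = new Item("team/deploy", folder, strategy, "Job/Build:carol");
            System.out.printf(
                    "%-15s alice Job/Read=%-5b bob Job/Configure=%-5b carol Job/Build=%-5b admin Job/Delete=%b%n",
                    strategy,
                    jenkins.hasPermission(job, "alice", "Job/Read"),
                    jenkins.hasPermission(job, "bob", "Job/Configure"),
                    jenkins.hasPermission(job, "carol", "Job/Build"),
                    jenkins.hasPermission(job, "admin", "Job/Delete"));
        }
    }
}
```

Running it shows which grants stop reaching the job as the strategy tightens: the folder-level grant drops out first, then the global one, while the grant made on the job itself and the administrator's access remain.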
36 | ### Configuration as Code and Job DSL support
37 |
38 | Matrix Authorization Strategy Plugin has full support for use in Configuration as Code and Job DSL.
39 |
40 | For an example combining the two, see [this `configuration-as-code.yml` test resource](https://github.com/jenkinsci/matrix-auth-plugin/blob/master/src/test/resources/org/jenkinsci/plugins/matrixauth/integrations/casc/configuration-as-code.yml).
41 |
42 |
43 | ## Caveats
44 |
45 | When using project-based matrix authorization, users granted permission to configure items or agents will be able to grant themselves all other permissions on the item or agent.
46 | These would be inherited unless specifically disabled.
47 |
48 | Beyond the above, administrators implementing fine-grained permissions control need to be aware of interactions between permissions, and certain overlap between them.
49 | Some examples:
50 |
51 | * A user not granted read access to Jenkins in general will not be able to use most of the other permissions they've been granted -- likely none of them.
52 | * A user not granted read access to a job will not be able to start new builds, delete the job, configure the job, etc.
53 | * When using global matrix authorization, users granted permission to configure jobs but not start them will still be able to configure the job to be periodically executed.
54 | * Some permissions imply others.
55 | Most notably, Overall/Administer implies (almost) all other permissions, but other implications exist:
56 | For example, Job/Read implies Job/Discover.
57 | Descriptions for permissions will note when a permission is either implied by a permission other than Overall/Administer, or when it is not implied by any other permission.
58 |
--------------------------------------------------------------------------------
/src/main/java/hudson/security/DangerousMatrixPermissionsAdministrativeMonitor.java:
--------------------------------------------------------------------------------
1 | /*
2 | * The MIT License
3 | *
4 | * Copyright (c) 2017 CloudBees, Inc.
5 | *
6 | * Permission is hereby granted, free of charge, to any person obtaining a copy
7 | * of this software and associated documentation files (the "Software"), to deal
8 | * in the Software without restriction, including without limitation the rights
9 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | * copies of the Software, and to permit persons to whom the Software is
11 | * furnished to do so, subject to the following conditions:
12 | *
13 | * The above copyright notice and this permission notice shall be included in
14 | * all copies or substantial portions of the Software.
15 | *
16 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 | * THE SOFTWARE.
23 | */
24 | package hudson.security;
25 |
26 | import hudson.Extension;
27 | import hudson.model.AdministrativeMonitor;
28 | import hudson.util.HttpResponses;
29 | import jenkins.model.Jenkins;
30 | import org.kohsuke.accmod.Restricted;
31 | import org.kohsuke.accmod.restrictions.NoExternalUse;
32 | import org.kohsuke.stapler.HttpResponse;
33 | import org.kohsuke.stapler.QueryParameter;
34 | import org.kohsuke.stapler.interceptor.RequirePOST;
35 |
36 | import java.util.ArrayList;
37 | import java.util.Collections;
38 | import java.util.List;
39 |
40 | /**
41 | * Administrative monitor that shows up when 'dangerous' permissions are granted to non-admin users.
42 | * Those are permissions that could be used to grant themselves administer permissions.
43 | *
44 | * See also https://jenkins.io/security/advisory/2017-04-10/#matrix-authorization-strategy-plugin-allowed-configuring-dangerous-permissions
45 | */
46 | @Extension
47 | @Restricted(NoExternalUse.class)
48 | public class DangerousMatrixPermissionsAdministrativeMonitor extends AdministrativeMonitor {
49 | @Override
50 | public boolean isActivated() {
51 | return !GlobalMatrixAuthorizationStrategy.ENABLE_DANGEROUS_PERMISSIONS && !getSidsWithDangerousPermissions().isEmpty();
52 | }
53 |
54 | @RequirePOST
55 | public HttpResponse doAct(@QueryParameter String yes) {
56 | if (yes != null) {
57 | return HttpResponses.redirectViaContextPath("configureSecurity");
58 | }
59 | return HttpResponses.redirectToDot();
60 | }
61 |
62 | public List<String> getSidsWithDangerousPermissions() {
63 | Jenkins j = Jenkins.get();
64 |
65 | if (!(j.getAuthorizationStrategy() instanceof GlobalMatrixAuthorizationStrategy)) {
66 | return Collections.emptyList();
67 | }
68 |
69 | List<String> sids = new ArrayList<>();
70 |
71 | GlobalMatrixAuthorizationStrategy strategy = (GlobalMatrixAuthorizationStrategy) j.getAuthorizationStrategy();
72 |
73 | List<String> allSidsPlusAnon = new ArrayList<>(strategy.getAllSIDs());
74 | allSidsPlusAnon.add("anonymous");
75 |
76 | for (String sid : allSidsPlusAnon) {
77 | if (!strategy.hasPermission(sid, Jenkins.ADMINISTER) && strategy.isAnyRelevantDangerousPermissionExplicitlyGranted(sid)) {
78 | sids.add(sid);
79 | }
80 | }
81 | return sids;
82 | }
83 |
84 | @Override
85 | public String getDisplayName() {
86 | return "Matrix Authorization: Dangerous Permissions";
87 | }
88 | }
89 |
--------------------------------------------------------------------------------
/src/main/java/org/jenkinsci/plugins/matrixauth/inheritance/NonInheritingStrategy.java:
--------------------------------------------------------------------------------
1 | /*
2 | * The MIT License
3 | *
4 | * Copyright (c) 2017 Daniel Beck
5 | *
6 | * Permission is hereby granted, free of charge, to any person obtaining a copy
7 | * of this software and associated documentation files (the "Software"), to deal
8 | * in the Software without restriction, including without limitation the rights
9 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | * copies of the Software, and to permit persons to whom the Software is
11 | * furnished to do so, subject to the following conditions:
12 | *
13 | * The above copyright notice and this permission notice shall be included in
14 | * all copies or substantial portions of the Software.
15 | *
16 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 | * THE SOFTWARE.
23 | */
24 | package org.jenkinsci.plugins.matrixauth.inheritance;
25 |
26 | import hudson.Extension;
27 | import hudson.security.ACL;
28 | import hudson.security.AccessControlled;
29 | import hudson.security.Permission;
30 | import jenkins.model.Jenkins;
31 | import org.acegisecurity.Authentication;
32 | import org.jenkinsci.Symbol;
33 | import org.kohsuke.stapler.DataBoundConstructor;
34 |
35 | import javax.annotation.Nonnull;
36 |
37 | /**
38 | * Strategy that disables inheritance except for the globally defined Administer permission.
39 | */
40 | public class NonInheritingStrategy extends InheritanceStrategy {
41 |
42 | @DataBoundConstructor
43 | public NonInheritingStrategy() {
44 |
45 | }
46 |
47 | @Override
48 | public ACL getEffectiveACL(ACL acl, AccessControlled subject) {
49 | final ACL rootACL = Jenkins.get().getAuthorizationStrategy().getRootACL();
50 | return new ACL() {
51 | @Override
52 | public boolean hasPermission(@Nonnull Authentication a, @Nonnull Permission permission) {
53 | /*
54 | I see two possible approaches here:
55 | One would be to just grant every permission if the root ACL grants Administer.
56 | This could result in weird situations where disabling inheritance would grant permissions like the optional
57 | Run/Artifacts permission not implied by anything else.
58 | The chosen, second approach checks whether the given permission is ultimately (transitively) implied by
59 | Administer, and, if so, grants it if the user has Administer.
60 | As this is a tree, any permission implication rooted in Administer should then be granted to administrators.
61 | */
62 | return isUltimatelyImpliedByAdminister(permission) && rootACL.hasPermission(a, Jenkins.ADMINISTER) || acl.hasPermission(a, permission);
63 | }
64 |
65 | private boolean isUltimatelyImpliedByAdminister(Permission permission) {
66 | while (permission.impliedBy != null) {
67 | permission = permission.impliedBy;
68 | }
69 | return permission == Jenkins.ADMINISTER;
70 | }
71 | };
72 | }
73 |
74 | @Symbol("nonInheriting")
75 | @Extension(ordinal = -100)
76 | public static class DescriptorImpl extends InheritanceStrategyDescriptor {
77 |
78 | @Override
79 | public boolean isApplicable(Class<?> clazz) {
80 | return true;
81 | }
82 |
83 | @Override
84 | @Nonnull
85 | public String getDisplayName() {
86 | return Messages.NonInheritingStrategy_DisplayName();
87 | }
88 | }
89 | }
90 |
--------------------------------------------------------------------------------
/src/main/java/org/jenkinsci/plugins/matrixauth/AuthorizationPropertyDescriptor.java:
--------------------------------------------------------------------------------
1 | /*
2 | * The MIT License
3 | *
4 | * Copyright (c) 2004-2017, Sun Microsystems, Inc., Kohsuke Kawaguchi, Yahoo! Inc., Peter Hayes, Tom Huybrechts, Daniel Beck
5 | *
6 | * Permission is hereby granted, free of charge, to any person obtaining a copy
7 | * of this software and associated documentation files (the "Software"), to deal
8 | * in the Software without restriction, including without limitation the rights
9 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | * copies of the Software, and to permit persons to whom the Software is
11 | * furnished to do so, subject to the following conditions:
12 | *
13 | * The above copyright notice and this permission notice shall be included in
14 | * all copies or substantial portions of the Software.
15 | *
16 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 | * THE SOFTWARE.
23 | */
24 | package org.jenkinsci.plugins.matrixauth;
25 |
26 | import hudson.model.Descriptor;
27 | import hudson.security.Permission;
28 | import hudson.security.ProjectMatrixAuthorizationStrategy;
29 | import jenkins.model.Jenkins;
30 | import net.sf.json.JSONObject;
31 | import org.jenkinsci.plugins.matrixauth.inheritance.InheritanceStrategy;
32 | import org.kohsuke.accmod.Restricted;
33 | import org.kohsuke.accmod.restrictions.NoExternalUse;
34 | import org.kohsuke.stapler.StaplerRequest;
35 |
36 | import java.util.Map;
37 | import java.util.logging.Level;
38 | import java.util.logging.Logger;
39 |
40 | /**
41 | * Interface with default methods common to all authorization related property descriptors.
42 | *
43 | */
44 | @Restricted(NoExternalUse.class)
45 | public interface AuthorizationPropertyDescriptor<T extends AuthorizationProperty> extends AuthorizationContainerDescriptor {
46 |
47 | T create();
48 |
49 | default T createNewInstance(StaplerRequest req, JSONObject formData, boolean hasOptionalWrap) throws Descriptor.FormException {
50 | if (hasOptionalWrap) {
51 | formData = formData.getJSONObject("useProjectSecurity");
52 | if (formData.isNullObject())
53 | return null;
54 | }
55 |
56 | T property = create();
57 |
58 | Map<String, Object> data = formData.getJSONObject("data");
59 |
60 |
61 | property.setInheritanceStrategy(req.bindJSON(InheritanceStrategy.class, formData.getJSONObject("inheritanceStrategy")));
62 |
63 | for (Map.Entry<String, Object> r : data.entrySet()) {
64 | String sid = r.getKey();
65 |
66 | if (!(r.getValue() instanceof JSONObject)) {
67 | throw new Descriptor.FormException("not an object: " + formData, "data");
68 | }
69 | Map<String, Object> value = (JSONObject) r.getValue();
70 |
71 | for (Map.Entry<String, Object> e : value.entrySet()) {
72 | if (!(e.getValue() instanceof Boolean)) {
73 | throw new Descriptor.FormException("not a boolean: " + formData, "data");
74 | }
75 | if ((Boolean) e.getValue()) {
76 | Permission p = Permission.fromId(e.getKey());
77 | if (p == null) {
78 | Logger.getLogger(AuthorizationPropertyDescriptor.class.getName())
79 | .log(Level.FINE, "Silently skip unknown permission \"{0}\" for sid:\"{1}\"", new Object[]{e.getKey(), sid});
80 | } else {
81 | property.add(p, sid);
82 | }
83 | }
84 | }
85 | }
86 | return property;
87 | }
88 |
89 | default boolean isApplicable() {
90 | // only applicable when ProjectMatrixAuthorizationStrategy is in charge
91 | return Jenkins.get().getAuthorizationStrategy() instanceof ProjectMatrixAuthorizationStrategy;
92 | }
93 | }
94 |
--------------------------------------------------------------------------------
/src/main/java/org/jenkinsci/plugins/matrixauth/AbstractAuthorizationPropertyConverter.java:
--------------------------------------------------------------------------------
1 | /*
2 | * The MIT License
3 | *
4 | * Copyright (c) 2004-2017 Sun Microsystems, Inc., Kohsuke Kawaguchi, Yahoo! Inc., Peter Hayes, Tom Huybrechts, Daniel Beck
5 | *
6 | * Permission is hereby granted, free of charge, to any person obtaining a copy
7 | * of this software and associated documentation files (the "Software"), to deal
8 | * in the Software without restriction, including without limitation the rights
9 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | * copies of the Software, and to permit persons to whom the Software is
11 | * furnished to do so, subject to the following conditions:
12 | *
13 | * The above copyright notice and this permission notice shall be included in
14 | * all copies or substantial portions of the Software.
15 | *
16 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 | * THE SOFTWARE.
23 | */
24 | package org.jenkinsci.plugins.matrixauth;
25 |
26 | import com.thoughtworks.xstream.converters.MarshallingContext;
27 | import com.thoughtworks.xstream.converters.UnmarshallingContext;
28 | import com.thoughtworks.xstream.io.HierarchicalStreamReader;
29 | import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
30 | import org.jenkinsci.plugins.matrixauth.inheritance.InheritanceStrategy;
31 | import org.jenkinsci.plugins.matrixauth.inheritance.NonInheritingStrategy;
32 | import org.kohsuke.accmod.Restricted;
33 | import org.kohsuke.accmod.restrictions.NoExternalUse;
34 |
35 | import java.util.logging.Level;
36 | import java.util.logging.Logger;
37 |
38 | @Restricted(NoExternalUse.class)
39 | public abstract class AbstractAuthorizationPropertyConverter<T extends AuthorizationProperty> extends AbstractAuthorizationContainerConverter<T> {
40 | @SuppressWarnings("rawtypes")
41 | abstract public boolean canConvert(Class type);
42 |
43 | abstract public T create();
44 |
45 | public void marshal(Object source, HierarchicalStreamWriter writer,
46 | MarshallingContext context) {
47 | AuthorizationProperty authorizationProperty = (AuthorizationProperty) source;
48 |
49 | InheritanceStrategy strategy = authorizationProperty.getInheritanceStrategy();
50 | if (strategy != null) {
51 | writer.startNode("inheritanceStrategy");
52 | writer.addAttribute("class", strategy.getClass().getCanonicalName());
53 | writer.endNode();
54 | }
55 |
56 | super.marshal(source, writer, context);
57 | }
58 |
59 | @Override
60 | protected void unmarshalContainer(T container, HierarchicalStreamReader reader, UnmarshallingContext context) {
61 | String prop = reader.peekNextChild();
62 |
63 | if (prop!=null && prop.equals("useProjectSecurity")) {
64 | reader.moveDown();
65 | reader.getValue(); // we used to use this but not any more.
66 | reader.moveUp();
67 | prop = reader.peekNextChild(); // We check the next field
68 | }
69 | if ("blocksInheritance".equals(prop)) {
70 | reader.moveDown();
71 | boolean blocksInheritance = "true".equals(reader.getValue());
72 | if (blocksInheritance) {
73 | container.setInheritanceStrategy(new NonInheritingStrategy());
74 | }
75 | reader.moveUp();
76 | }
77 |
78 | if ("inheritanceStrategy".equals(prop)) {
79 | reader.moveDown();
80 | String clazz = reader.getAttribute("class");
81 | try {
82 | container.setInheritanceStrategy((InheritanceStrategy) Class.forName(clazz).newInstance());
83 | } catch (Exception e) {
84 | LOGGER.log(Level.WARNING, "Failed to restore inheritance strategy", e);
85 | }
86 | reader.moveUp();
87 | }
88 |
89 | // let the super handle the permissions that are always towards the end
90 | super.unmarshalContainer(container, reader, context);
91 | }
92 |
93 | private static final Logger LOGGER = Logger.getLogger(AbstractAuthorizationPropertyConverter.class.getName());
94 | }
95 |
--------------------------------------------------------------------------------
/src/main/java/org/jenkinsci/plugins/matrixauth/AbstractAuthorizationContainerConverter.java:
--------------------------------------------------------------------------------
1 | /*
2 | * The MIT License
3 | *
4 | * Copyright (c) 2004-2017 Sun Microsystems, Inc., Kohsuke Kawaguchi, Yahoo! Inc., Peter Hayes, Tom Huybrechts, Daniel Beck
5 | *
6 | * Permission is hereby granted, free of charge, to any person obtaining a copy
7 | * of this software and associated documentation files (the "Software"), to deal
8 | * in the Software without restriction, including without limitation the rights
9 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | * copies of the Software, and to permit persons to whom the Software is
11 | * furnished to do so, subject to the following conditions:
12 | *
13 | * The above copyright notice and this permission notice shall be included in
14 | * all copies or substantial portions of the Software.
15 | *
16 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 | * THE SOFTWARE.
23 | */
24 | package org.jenkinsci.plugins.matrixauth;
25 |
26 | import com.thoughtworks.xstream.converters.Converter;
27 | import com.thoughtworks.xstream.converters.MarshallingContext;
28 | import com.thoughtworks.xstream.converters.UnmarshallingContext;
29 | import com.thoughtworks.xstream.io.HierarchicalStreamReader;
30 | import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
31 | import hudson.security.GlobalMatrixAuthorizationStrategy;
32 | import hudson.security.Permission;
33 | import hudson.util.RobustReflectionConverter;
34 | import org.kohsuke.accmod.Restricted;
35 | import org.kohsuke.accmod.restrictions.NoExternalUse;
36 |
37 | import java.util.Map;
38 | import java.util.Set;
39 | import java.util.SortedMap;
40 | import java.util.TreeMap;
41 | import java.util.TreeSet;
42 | import java.util.logging.Level;
43 | import java.util.logging.Logger;
44 |
45 | @Restricted(NoExternalUse.class)
46 | public abstract class AbstractAuthorizationContainerConverter<T extends AuthorizationContainer> implements Converter {
47 | @SuppressWarnings("rawtypes")
48 | abstract public boolean canConvert(Class type);
49 |
50 | abstract public T create();
51 |
52 | @SuppressWarnings("unchecked")
53 | public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {
54 | final GlobalMatrixAuthorizationStrategy.IdStrategyComparator comparator = new GlobalMatrixAuthorizationStrategy.IdStrategyComparator();
55 |
56 | if (!canConvert(source.getClass())) {
57 | throw new IllegalArgumentException("cannot marshal object of type " + source.getClass());
58 | }
59 | T container = (T) source;
60 |
61 | // Output in alphabetical order for readability.
62 | SortedMap<Permission, Set<String>> sortedPermissions = new TreeMap<>(Permission.ID_COMPARATOR);
63 | sortedPermissions.putAll(container.getGrantedPermissions());
64 |
65 | for (Map.Entry<Permission, Set<String>> e : sortedPermissions.entrySet()) {
66 | String p = e.getKey().getId();
67 | Set<String> sids = new TreeSet<>(comparator);
68 | sids.addAll(e.getValue());
69 |
70 | for (String sid : sids) {
71 | writer.startNode("permission");
72 | writer.setValue(p + ':' + sid);
73 | writer.endNode();
74 | }
75 | }
76 | }
77 |
78 | protected void unmarshalContainer(T container, HierarchicalStreamReader reader, final UnmarshallingContext context) {
79 | while (reader.hasMoreChildren()) {
80 | reader.moveDown();
81 | try {
82 | container.add(reader.getValue());
83 | } catch (IllegalArgumentException ex) {
84 | Logger.getLogger(AbstractAuthorizationContainerConverter.class.getName())
85 | .log(Level.WARNING,"Skipping a non-existent permission", ex);
86 | RobustReflectionConverter.addErrorInContext(context, ex);
87 | }
88 | reader.moveUp();
89 | }
90 | }
91 |
92 | public Object unmarshal(HierarchicalStreamReader reader, final UnmarshallingContext context) {
93 | T container = create();
94 | unmarshalContainer(container, reader, context);
95 |
96 | return container;
97 | }
98 | }
99 |
--------------------------------------------------------------------------------
/src/test/java/hudson/security/Security410Test.java:
--------------------------------------------------------------------------------
1 | package hudson.security;
2 |
3 | import hudson.PluginManager;
4 | import jenkins.model.Jenkins;
5 | import org.junit.Rule;
6 | import org.junit.Test;
7 | import org.jvnet.hudson.test.Issue;
8 | import org.jvnet.hudson.test.JenkinsRule;
9 | import org.jvnet.hudson.test.recipes.LocalData;
10 |
11 | import static org.junit.Assert.assertEquals;
12 | import static org.junit.Assert.assertFalse;
13 | import static org.junit.Assert.assertTrue;
14 |
15 | public class Security410Test {
16 |
17 | @Rule
18 | public JenkinsRule j = new JenkinsRule();
19 |
20 | @Issue("SECURITY-410")
21 | @Test
22 | public void dangerousPermissions1() {
23 | ProjectMatrixAuthorizationStrategy as = new ProjectMatrixAuthorizationStrategy();
24 | assertFalse(((GlobalMatrixAuthorizationStrategy.DescriptorImpl) as.getDescriptor()).showPermission(Jenkins.RUN_SCRIPTS));
25 | assertFalse(((GlobalMatrixAuthorizationStrategy.DescriptorImpl) as.getDescriptor()).showPermission(PluginManager.CONFIGURE_UPDATECENTER));
26 | assertFalse(((GlobalMatrixAuthorizationStrategy.DescriptorImpl) as.getDescriptor()).showPermission(PluginManager.UPLOAD_PLUGINS));
27 |
28 | try {
29 | GlobalMatrixAuthorizationStrategy.ENABLE_DANGEROUS_PERMISSIONS = true;
30 | assertTrue(((GlobalMatrixAuthorizationStrategy.DescriptorImpl) as.getDescriptor()).showPermission(Jenkins.RUN_SCRIPTS));
31 | assertTrue(((GlobalMatrixAuthorizationStrategy.DescriptorImpl) as.getDescriptor()).showPermission(PluginManager.CONFIGURE_UPDATECENTER));
32 | assertTrue(((GlobalMatrixAuthorizationStrategy.DescriptorImpl) as.getDescriptor()).showPermission(PluginManager.UPLOAD_PLUGINS));
33 | } finally {
34 | GlobalMatrixAuthorizationStrategy.ENABLE_DANGEROUS_PERMISSIONS = false;
35 | }
36 | }
37 |
38 | @LocalData
39 | @Test
40 | public void testUpgradeWithRelevantDangerousPermissions() {
41 | assertTrue(j.jenkins.getAuthorizationStrategy() instanceof GlobalMatrixAuthorizationStrategy);
42 |
43 | GlobalMatrixAuthorizationStrategy strategy = (GlobalMatrixAuthorizationStrategy) j.jenkins.getAuthorizationStrategy();
44 | assertEquals("two known users", 2, strategy.getAllSIDs().size());
45 | assertTrue("active monitor", j.jenkins.getAdministrativeMonitor(DangerousMatrixPermissionsAdministrativeMonitor.class.getName()).isActivated());
46 | assertTrue("show permissions", strategy.isAnyRelevantDangerousPermissionExplicitlyGranted());
47 | assertFalse("alice is admin so no relevant dangerous permissions", strategy.isAnyRelevantDangerousPermissionExplicitlyGranted("alice"));
48 | assertTrue("bob is not admin but has dangerous permission", strategy.isAnyRelevantDangerousPermissionExplicitlyGranted("bob"));
49 | assertTrue("show dangerous permissions in config", ((GlobalMatrixAuthorizationStrategy.DescriptorImpl)strategy.getDescriptor()).showPermission(Jenkins.RUN_SCRIPTS));
50 | assertFalse("do not grant scripts permission to bob", strategy.hasPermission("bob", Jenkins.RUN_SCRIPTS));
51 | assertTrue("grant scripts permission to alice", strategy.hasPermission("alice", Jenkins.RUN_SCRIPTS));
52 |
53 | try {
54 | GlobalMatrixAuthorizationStrategy.ENABLE_DANGEROUS_PERMISSIONS = true;
55 |
56 | assertTrue("show dangerous permissions in config", ((GlobalMatrixAuthorizationStrategy.DescriptorImpl)strategy.getDescriptor()).showPermission(Jenkins.RUN_SCRIPTS));
57 | assertTrue("grant permission to bob", strategy.hasPermission("bob", Jenkins.RUN_SCRIPTS));
58 | assertFalse("disabled admin monitor", j.jenkins.getAdministrativeMonitor(DangerousMatrixPermissionsAdministrativeMonitor.class.getName()).isActivated());
59 | } finally {
60 | GlobalMatrixAuthorizationStrategy.ENABLE_DANGEROUS_PERMISSIONS = false;
61 | }
62 | }
63 |
64 | @LocalData
65 | @Test
66 | public void testUpgradeWithNoRelevantDangerousPermissions() {
67 | assertTrue(j.jenkins.getAuthorizationStrategy() instanceof GlobalMatrixAuthorizationStrategy);
68 |
69 | GlobalMatrixAuthorizationStrategy strategy = (GlobalMatrixAuthorizationStrategy) j.jenkins.getAuthorizationStrategy();
70 | assertEquals("two known users", 2, strategy.getAllSIDs().size());
71 | assertFalse("not active monitor", j.jenkins.getAdministrativeMonitor(DangerousMatrixPermissionsAdministrativeMonitor.class.getName()).isActivated());
72 | assertFalse("do not show permissions", strategy.isAnyRelevantDangerousPermissionExplicitlyGranted());
73 | assertFalse("alice has no relevant dangerous permissions", strategy.isAnyRelevantDangerousPermissionExplicitlyGranted("alice"));
74 | assertFalse("bob has no relevant dangerous permissions", strategy.isAnyRelevantDangerousPermissionExplicitlyGranted("bob"));
75 | assertFalse("show dangerous permissions in config", ((GlobalMatrixAuthorizationStrategy.DescriptorImpl)strategy.getDescriptor()).showPermission(Jenkins.RUN_SCRIPTS));
76 | }
77 | }
78 |
--------------------------------------------------------------------------------
/src/test/java/org/jenkinsci/plugins/matrixauth/inheritance/InheritanceMigrationTest.java:
--------------------------------------------------------------------------------
1 | package org.jenkinsci.plugins.matrixauth.inheritance;
2 |
3 | import com.cloudbees.hudson.plugins.folder.Folder;
4 | import com.cloudbees.hudson.plugins.folder.properties.AuthorizationMatrixProperty;
5 | import hudson.model.Item;
6 | import hudson.model.Job;
7 | import hudson.model.User;
8 | import hudson.security.ProjectMatrixAuthorizationStrategy;
9 | import org.junit.Assert;
10 | import org.junit.Rule;
11 | import org.junit.Test;
12 | import org.jvnet.hudson.test.JenkinsRule;
13 | import org.jvnet.hudson.test.recipes.LocalData;
14 |
15 | public class InheritanceMigrationTest {
16 |
17 | @Rule
18 | public JenkinsRule j = new JenkinsRule();
19 |
20 | @Test
21 | @LocalData
22 | @SuppressWarnings("deprecation")
23 | public void testInheritanceMigration() throws Exception {
24 | Assert.assertTrue(j.jenkins.getAuthorizationStrategy() instanceof ProjectMatrixAuthorizationStrategy);
25 |
26 | {
27 | Folder folder = (Folder) j.jenkins.getItemByFullName("folder");
28 | Assert.assertTrue(folder.getConfigFile().asString().contains("blocksInheritance"));
29 | AuthorizationMatrixProperty prop = (folder).getProperties().get(AuthorizationMatrixProperty.class);
30 | Assert.assertTrue(prop.isBlocksInheritance());
31 | Assert.assertTrue(prop.getInheritanceStrategy() instanceof NonInheritingStrategy);
32 | Assert.assertTrue(prop.hasExplicitPermission("admin", Item.CONFIGURE));
33 | Assert.assertTrue(prop.hasExplicitPermission("admin", Item.READ));
34 | Assert.assertTrue(prop.hasExplicitPermission("admin", Item.CREATE));
35 | Assert.assertFalse(folder.getACL().hasPermission(User.get("alice").impersonate(), Item.READ));
36 | Assert.assertFalse(folder.getACL().hasPermission(User.get("bob").impersonate(), Item.READ));
37 | folder.save();
38 | Assert.assertFalse(folder.getConfigFile().asString().contains("blocksInheritance"));
39 |
40 | folder = (Folder) j.jenkins.getItemByFullName("folder1");
41 | Assert.assertTrue(folder.getConfigFile().asString().contains("blocksInheritance"));
42 | prop = (folder).getProperties().get(AuthorizationMatrixProperty.class);
43 | Assert.assertTrue(prop.isBlocksInheritance());
44 | Assert.assertTrue(prop.getInheritanceStrategy() instanceof NonInheritingStrategy);
45 | Assert.assertTrue(prop.hasExplicitPermission("admin", Item.CONFIGURE));
46 | Assert.assertFalse(prop.hasExplicitPermission("admin", Item.READ));
47 | Assert.assertTrue(folder.getACL().hasPermission(User.get("admin").impersonate(), Item.READ)); // change from before (JENKINS-24878/JENKINS-37904)
48 | Assert.assertTrue(folder.getACL().hasPermission(User.get("admin").impersonate(), Item.CONFIGURE));
49 | Assert.assertTrue(prop.hasExplicitPermission("alice", Item.CONFIGURE));
50 | Assert.assertTrue(prop.hasExplicitPermission("alice", Item.READ));
51 | Assert.assertTrue(folder.getACL().hasPermission(User.get("alice").impersonate(), Item.READ));
52 | Assert.assertFalse(prop.hasPermission("bob", Item.READ));
53 | Assert.assertFalse(folder.getACL().hasPermission(User.get("bob").impersonate(), Item.READ));
54 | folder.save();
55 | Assert.assertFalse(folder.getConfigFile().asString().contains("blocksInheritance"));
56 | }
57 |
58 | {
59 | Job<?, ?> job = (Job<?, ?>) j.jenkins.getItemByFullName("folder/inheritNone");
60 | Assert.assertTrue(job.getConfigFile().asString().contains("blocksInheritance"));
61 | hudson.security.AuthorizationMatrixProperty prop = job.getProperty(hudson.security.AuthorizationMatrixProperty.class);
62 | Assert.assertTrue(prop.isBlocksInheritance());
63 | Assert.assertEquals(0, prop.getGrantedPermissions().size());
64 | Assert.assertTrue(prop.getInheritanceStrategy() instanceof NonInheritingStrategy);
65 | Assert.assertTrue(job.getACL().hasPermission(User.get("admin").impersonate(), Item.READ)); // change from before (JENKINS-24878/JENKINS-37904)
66 | job.save();
67 | Assert.assertFalse(job.getConfigFile().asString().contains("blocksInheritance"));
68 |
69 | job = (Job<?, ?>) j.jenkins.getItemByFullName("job");
70 | Assert.assertTrue(job.getConfigFile().asString().contains("blocksInheritance"));
71 | prop = job.getProperty(hudson.security.AuthorizationMatrixProperty.class);
72 | Assert.assertFalse(prop.isBlocksInheritance());
73 | Assert.assertTrue(prop.getInheritanceStrategy() instanceof InheritParentStrategy);
74 | Assert.assertTrue(job.getACL().hasPermission(User.get("bob").impersonate(), Item.READ));
75 | Assert.assertTrue(job.getACL().hasPermission(User.get("alice").impersonate(), Item.READ));
76 | Assert.assertTrue(job.getACL().hasPermission(User.get("admin").impersonate(), Item.READ));
77 | Assert.assertTrue(job.getACL().hasPermission(User.get("admin").impersonate(), Item.CONFIGURE));
78 | job.save();
79 | Assert.assertFalse(job.getConfigFile().asString().contains("blocksInheritance"));
80 | }
81 | }
82 | }
83 |
--------------------------------------------------------------------------------
/src/test/java/com/cloudbees/hudson/plugins/folder/properties/IdStrategyTest.java:
--------------------------------------------------------------------------------
1 | package com.cloudbees.hudson.plugins.folder.properties;
2 |
3 | import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
4 | import hudson.model.FreeStyleProject;
5 | import hudson.model.Hudson;
6 | import hudson.model.Item;
7 | import hudson.security.HudsonPrivateSecurityRealm;
8 | import hudson.security.ProjectMatrixAuthorizationStrategy;
9 | import jenkins.model.IdStrategy;
10 | import org.acegisecurity.AccessDeniedException;
11 | import org.junit.Rule;
12 | import org.junit.Test;
13 | import org.jvnet.hudson.test.JenkinsRule;
14 |
15 | import static org.junit.Assert.assertEquals;
16 | import static org.junit.Assert.fail;
17 |
18 | public class IdStrategyTest {
19 | private static final IdStrategy.CaseSensitive CASE_SENSITIVE = new IdStrategy.CaseSensitive();
20 | @Rule
21 | public JenkinsRule r = new JenkinsRule();
22 |
23 | private static class CaseInsensitiveSecurityRealm extends HudsonPrivateSecurityRealm {
24 | CaseInsensitiveSecurityRealm() {
25 | super(false, false, null);
26 | }
27 | @Override
28 | public IdStrategy getUserIdStrategy() {
29 | return IdStrategy.CASE_INSENSITIVE;
30 | }
31 |
32 | @Override
33 | public IdStrategy getGroupIdStrategy() {
34 | return IdStrategy.CASE_INSENSITIVE;
35 | }
36 | }
37 |
38 | private static class CaseSensitiveSecurityRealm extends HudsonPrivateSecurityRealm {
39 | CaseSensitiveSecurityRealm() {
40 | super(false, false, null);
41 | }
42 | @Override
43 | public IdStrategy getUserIdStrategy() {
44 | return CASE_SENSITIVE;
45 | }
46 |
47 | @Override
48 | public IdStrategy getGroupIdStrategy() {
49 | return CASE_SENSITIVE;
50 | }
51 | }
52 |
53 | @Test
54 | public void insensitive() throws Exception {
55 | HudsonPrivateSecurityRealm realm = new CaseInsensitiveSecurityRealm();
56 | realm.createAccount("alice", "alice");
57 | r.jenkins.setSecurityRealm(realm);
58 |
59 | ProjectMatrixAuthorizationStrategy as = new ProjectMatrixAuthorizationStrategy();
60 | r.jenkins.setAuthorizationStrategy(as);
61 | as.add(Hudson.READ, "authenticated");
62 | as.add(Item.READ, "alicE");
63 | as.add(Item.BUILD, "aLice");
64 |
65 | final FreeStyleProject foo = r.createProject(FreeStyleProject.class, "foo");
66 |
67 | JenkinsRule.WebClient wc = r.createWebClient().login("alice");
68 | wc.getPage(foo); // this should succeed
69 |
70 | // and build permission should be set, too
71 | wc.executeOnServer(() -> {
72 | foo.checkPermission(Item.BUILD);
73 | try {
74 | foo.checkPermission(Item.DELETE);
75 | fail("access should be denied");
76 | } catch (AccessDeniedException e) {
77 | // expected
78 | }
79 | return null;
80 | });
81 |
82 | try {
83 | r.createWebClient().login("AliCe");
84 | fail();
85 | } catch (FailingHttpStatusCodeException e) {
86 | assertEquals(401, e.getStatusCode());
87 | }
88 |
89 | // logging in with different username casing should still authenticate, because the password matches
90 | wc = r.createWebClient().login("AliCe", "alice");
91 | wc.getPage(foo); // this should succeed
92 |
93 | // and build permission should be set, too
94 | wc.executeOnServer(() -> {
95 | foo.checkPermission(Item.BUILD);
96 | try {
97 | foo.checkPermission(Item.DELETE);
98 | fail("access should be denied");
99 | } catch (AccessDeniedException e) {
100 | // expected
101 | }
102 | return null;
103 | });
104 | }
105 |
106 | @Test
107 | public void sensitive() throws Exception {
108 | HudsonPrivateSecurityRealm realm = new CaseSensitiveSecurityRealm();
109 | realm.createAccount("alice", "alice");
110 | r.jenkins.setSecurityRealm(realm);
111 |
112 | ProjectMatrixAuthorizationStrategy as = new ProjectMatrixAuthorizationStrategy();
113 | r.jenkins.setAuthorizationStrategy(as);
114 | as.add(Hudson.READ, "authenticated");
115 | as.add(Item.READ, "alice");
116 | as.add(Item.BUILD, "alice");
117 |
118 | final FreeStyleProject foo = r.createProject(FreeStyleProject.class, "foo");
119 | JenkinsRule.WebClient wc = r.createWebClient().login("alice", "alice");
120 | wc.getPage(foo); // this should succeed
121 |
122 | // and build permission should be set, too
123 | wc.executeOnServer(() -> {
124 | foo.checkPermission(Item.BUILD);
125 | try {
126 | foo.checkPermission(Item.DELETE);
127 | fail("access should be denied");
128 | } catch (AccessDeniedException e) {
129 | // expected
130 | }
131 | return null;
132 | });
133 |
134 | try {
135 | r.createWebClient().login("Alice", "alice");
136 | fail();
137 | } catch (FailingHttpStatusCodeException e) {
138 | assertEquals(401, e.getStatusCode());
139 | }
140 | }
141 |
142 | }
143 |
--------------------------------------------------------------------------------
/src/test/java/org/jenkinsci/plugins/matrixauth/integrations/casc/ImportTest.java:
--------------------------------------------------------------------------------
1 | package org.jenkinsci.plugins.matrixauth.integrations.casc;
2 |
3 | import com.cloudbees.hudson.plugins.folder.Folder;
4 | import com.cloudbees.hudson.plugins.folder.properties.AuthorizationMatrixProperty;
5 | import hudson.model.Computer;
6 | import hudson.model.Item;
7 | import hudson.security.AuthorizationStrategy;
8 | import hudson.security.HudsonPrivateSecurityRealm;
9 | import hudson.security.ProjectMatrixAuthorizationStrategy;
10 | import jenkins.model.Jenkins;
11 | import org.jenkinsci.plugins.matrixauth.AuthorizationMatrixNodeProperty;
12 | import org.jenkinsci.plugins.matrixauth.inheritance.InheritGlobalStrategy;
13 | import org.jenkinsci.plugins.matrixauth.inheritance.NonInheritingStrategy;
14 | import org.junit.Rule;
15 | import org.junit.Test;
16 | import io.jenkins.plugins.casc.misc.ConfiguredWithCode;
17 | import io.jenkins.plugins.casc.misc.JenkinsConfiguredWithCodeRule;
18 | import org.jvnet.hudson.test.LoggerRule;
19 |
20 | import java.util.logging.Level;
21 |
22 | import static org.junit.Assert.*;
23 |
24 | public class ImportTest {
25 |
26 | @Rule
27 | public JenkinsConfiguredWithCodeRule r = new JenkinsConfiguredWithCodeRule();
28 |
29 | @Rule
30 | public LoggerRule l = new LoggerRule().record(MatrixAuthorizationStrategyConfigurator.class, Level.WARNING).capture(20);
31 |
32 | @Test
33 | @ConfiguredWithCode("configuration-as-code.yml")
34 | public void should_support_configuration_as_code() throws Exception {
35 | assertTrue("security realm", r.jenkins.getSecurityRealm() instanceof HudsonPrivateSecurityRealm);
36 | AuthorizationStrategy authorizationStrategy = r.jenkins.getAuthorizationStrategy();
37 | assertTrue("authorization strategy", authorizationStrategy instanceof ProjectMatrixAuthorizationStrategy);
38 | ProjectMatrixAuthorizationStrategy projectMatrixAuthorizationStrategy = (ProjectMatrixAuthorizationStrategy) authorizationStrategy;
39 | { // global
40 | assertEquals("one real user sid", 1, projectMatrixAuthorizationStrategy.getAllSIDs().size());
41 | assertTrue("anon can read", projectMatrixAuthorizationStrategy.hasExplicitPermission("anonymous", Jenkins.READ));
42 | assertTrue("authenticated can read", projectMatrixAuthorizationStrategy.hasExplicitPermission("authenticated", Jenkins.READ));
43 | assertTrue("authenticated can build", projectMatrixAuthorizationStrategy.hasExplicitPermission("authenticated", Item.BUILD));
44 | assertTrue("authenticated can delete jobs", projectMatrixAuthorizationStrategy.hasExplicitPermission("authenticated", Item.DELETE));
45 | assertTrue("authenticated can administer", projectMatrixAuthorizationStrategy.hasExplicitPermission("authenticated", Jenkins.ADMINISTER));
46 | }
47 | { // item from Job DSL
48 | Folder folder = (Folder) r.jenkins.getItem("generated");
49 | AuthorizationMatrixProperty property = folder.getProperties().get(AuthorizationMatrixProperty.class);
50 | assertTrue("folder property inherits", property.getInheritanceStrategy() instanceof NonInheritingStrategy);
51 | assertTrue(property.hasExplicitPermission("authenticated", Item.BUILD));
52 | assertTrue(property.hasExplicitPermission("authenticated", Item.READ));
53 | assertFalse(property.hasExplicitPermission("anonymous", Item.READ));
54 | assertTrue(property.hasExplicitPermission("authenticated", Item.CONFIGURE));
55 | assertTrue(property.hasExplicitPermission("authenticated", Item.DELETE));
56 | }
57 | { // agent
58 | AuthorizationMatrixNodeProperty property = r.jenkins.getNode("agent1").getNodeProperty(AuthorizationMatrixNodeProperty.class);
59 | assertTrue(property.getInheritanceStrategy() instanceof InheritGlobalStrategy);
60 | assertTrue(property.hasExplicitPermission("anonymous", Computer.BUILD));
61 | assertTrue(property.hasExplicitPermission("authenticated", Computer.BUILD));
62 | assertTrue(property.hasExplicitPermission("authenticated", Computer.DISCONNECT));
63 | }
64 | assertEquals("no warnings", 0, l.getMessages().size());
65 | }
66 |
67 | @Test
68 | @ConfiguredWithCode("legacy-format.yml")
69 | public void legacyTest() throws Exception {
70 | assertTrue("security realm", r.jenkins.getSecurityRealm() instanceof HudsonPrivateSecurityRealm);
71 | AuthorizationStrategy authorizationStrategy = r.jenkins.getAuthorizationStrategy();
72 | assertTrue("authorization strategy", authorizationStrategy instanceof ProjectMatrixAuthorizationStrategy);
73 | ProjectMatrixAuthorizationStrategy projectMatrixAuthorizationStrategy = (ProjectMatrixAuthorizationStrategy) authorizationStrategy;
74 | { // global
75 | assertEquals("one real user sid", 1, projectMatrixAuthorizationStrategy.getAllSIDs().size());
76 | assertTrue("anon can read", projectMatrixAuthorizationStrategy.hasExplicitPermission("anonymous", Jenkins.READ));
77 | assertTrue("authenticated can read", projectMatrixAuthorizationStrategy.hasExplicitPermission("authenticated", Jenkins.READ));
78 | assertTrue("authenticated can build", projectMatrixAuthorizationStrategy.hasExplicitPermission("authenticated", Item.BUILD));
79 | assertTrue("authenticated can delete jobs", projectMatrixAuthorizationStrategy.hasExplicitPermission("authenticated", Item.DELETE));
80 | assertTrue("authenticated can administer", projectMatrixAuthorizationStrategy.hasExplicitPermission("authenticated", Jenkins.ADMINISTER));
81 | }
82 |
83 | assertTrue("at least one warning", 0 < l.getMessages().size()); // seems to be called twice?
84 | assertTrue("correct message", l.getMessages().get(0).contains("Loading deprecated attribute 'grantedPermissions' for instance"));
85 | }
86 | }
87 |
--------------------------------------------------------------------------------
/src/test/java/hudson/security/AuthorizationMatrixPropertyTest.java:
--------------------------------------------------------------------------------
1 | package hudson.security;
2 |
3 | import hudson.model.Item;
4 | import hudson.scm.SCM;
5 | import jenkins.model.Jenkins;
6 | import org.jenkinsci.plugins.matrixauth.AuthorizationContainer;
7 | import org.jenkinsci.plugins.matrixauth.inheritance.NonInheritingStrategy;
8 | import org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition;
9 | import org.jenkinsci.plugins.workflow.cps.SnippetizerTester;
10 | import org.jenkinsci.plugins.workflow.job.WorkflowJob;
11 | import org.jenkinsci.plugins.workflow.multibranch.JobPropertyStep;
12 | import org.junit.Assert;
13 | import org.junit.Rule;
14 | import org.junit.Test;
15 | import org.jvnet.hudson.test.Issue;
16 | import org.jvnet.hudson.test.JenkinsRule;
17 | import org.jvnet.hudson.test.LoggerRule;
18 |
19 | import java.util.Collections;
20 | import java.util.logging.Level;
21 |
22 | public class AuthorizationMatrixPropertyTest {
23 |
24 | @Rule
25 | public JenkinsRule j = new JenkinsRule();
26 |
27 | @Rule
28 | public LoggerRule l = new LoggerRule();
29 |
30 | @Test
31 | public void testSnippetizer() throws Exception {
32 | AuthorizationMatrixProperty property = new AuthorizationMatrixProperty(Collections.emptyMap());
33 | property.add(Item.CONFIGURE, "alice");
34 | property.add(Item.READ, "bob");
35 | property.add(Item.READ, "alice");
36 | property.add(SCM.TAG, "bob"); // use this to test for JENKINS-17200 robustness
37 | property.setInheritanceStrategy(new NonInheritingStrategy());
38 | SnippetizerTester tester = new SnippetizerTester(j);
39 | tester.assertRoundTrip(new JobPropertyStep(Collections.singletonList(property)),
40 | "properties([authorizationMatrix(inheritanceStrategy: nonInheriting(), " +
41 | "permissions: ['hudson.model.Item.Configure:alice', 'hudson.model.Item.Read:alice', 'hudson.model.Item.Read:bob', 'hudson.scm.SCM.Tag:bob'])])");
42 |
43 | }
44 |
45 | @Test
46 | @Issue("JENKINS-46944")
47 | public void testSnippetizerInapplicablePermission() throws Exception {
48 | AuthorizationMatrixProperty property = new AuthorizationMatrixProperty(Collections.emptyMap());
49 | l.record(AuthorizationContainer.class, Level.WARNING).capture(1);
50 | property.add("hudson.model.Item.Configure:alice");
51 | property.add("hudson.model.Item.Read:bob");
52 | property.add("hudson.model.Item.Read:alice");
53 | property.add("hudson.scm.SCM.Tag:bob"); // use this to test for JENKINS-17200 robustness
54 | property.add("hudson.model.Hudson.Read:carol"); // the important line for this test, inapplicable permission
55 |
56 | property.setInheritanceStrategy(new NonInheritingStrategy());
57 |
58 | SnippetizerTester tester = new SnippetizerTester(j);
59 | tester.assertRoundTrip(new JobPropertyStep(Collections.singletonList(property)),
60 | "properties([authorizationMatrix(inheritanceStrategy: nonInheriting(), " +
61 | "permissions: ['hudson.model.Item.Configure:alice', 'hudson.model.Item.Read:alice', 'hudson.model.Item.Read:bob', 'hudson.scm.SCM.Tag:bob'])])");
62 |
63 | Assert.assertTrue(l.getMessages().get(0).contains("Tried to add inapplicable permission"));
64 | Assert.assertTrue(l.getMessages().get(0).contains("Hudson,Read"));
65 | Assert.assertTrue(l.getMessages().get(0).contains("carol"));
66 | }
67 |
68 | @Test
69 | public void testPipelineReconfiguration() throws Exception {
70 |
71 | HudsonPrivateSecurityRealm realm = new HudsonPrivateSecurityRealm(true, false, null);
72 | realm.createAccount("alice", "alice");
73 | realm.createAccount("bob", "bob");
74 | realm.createAccount("carol", "carol");
75 | j.jenkins.setSecurityRealm(realm);
76 |
77 | ProjectMatrixAuthorizationStrategy strategy = new ProjectMatrixAuthorizationStrategy();
78 | strategy.add(Jenkins.ADMINISTER, "alice");
79 | strategy.add(Jenkins.READ, "bob");
80 | strategy.add(Jenkins.READ, "carol");
81 | strategy.add(Item.READ, "carol");
82 |
83 | j.jenkins.setAuthorizationStrategy(strategy);
84 |
85 | WorkflowJob project = j.createProject(WorkflowJob.class);
86 |
87 | // bob cannot see the project due to lack of Item.Read
88 | j.createWebClient().login("bob").assertFails(project.getUrl(), 404);
89 |
90 | // but bob can discover the project and get a 403
91 | strategy.add(Item.DISCOVER, "bob");
92 | j.createWebClient().login("bob").assertFails(project.getUrl(), 403);
93 |
94 | // alice OTOH is admin and can see it
95 | j.createWebClient().login("alice").goTo(project.getUrl()); // succeeds
96 |
97 | // carol can also see the project, she has global Item.Read
98 | j.createWebClient().login("carol").goTo(project.getUrl());
99 |
100 | project.setDefinition(new CpsFlowDefinition("properties([authorizationMatrix(inheritanceStrategy: nonInheriting(), " +
101 | "permissions: ['hudson.model.Item.Read:bob', 'hudson.model.Item.Configure:bob', 'hudson.scm.SCM.Tag:bob'])])", true));
102 | j.buildAndAssertSuccess(project);
103 |
104 | // let's look at the property
105 | AuthorizationMatrixProperty property = project.getProperty(AuthorizationMatrixProperty.class);
106 | Assert.assertTrue(property.getInheritanceStrategy() instanceof NonInheritingStrategy);
107 | Assert.assertEquals(3, property.getGrantedPermissions().size());
108 | Assert.assertEquals("bob", property.getGroups().toArray()[0]);
109 |
110 | // now bob has access, including configure
111 | j.createWebClient().login("bob").goTo(project.getUrl());
112 | j.createWebClient().login("bob").goTo(project.getUrl() + "configure");
113 |
114 | // and carol no longer has access due to non-inheriting strategy
115 | j.createWebClient().login("carol").assertFails(project.getUrl(), 404);
116 | }
117 | }
118 |
--------------------------------------------------------------------------------
/pom.xml:
--------------------------------------------------------------------------------
1 |
2 | 4.0.0
3 |
4 | org.jenkins-ci.plugins
5 | plugin
6 | 3.42
7 |
8 | matrix-auth
9 | ${revision}${changelist}
10 | hpi
11 | Matrix Authorization Strategy Plugin
12 | https://wiki.jenkins-ci.org/display/JENKINS/Matrix+Authorization+Strategy+Plugin
13 |
14 | 2.4.3
15 | -SNAPSHOT
16 | 2.138.3
17 | 8
18 | 2.30
19 | 1.12
20 |
21 |
22 |
23 | MIT
24 | http://opensource.org/licenses/MIT
25 |
26 |
27 |
28 | scm:git:git://github.com/jenkinsci/${project.artifactId}-plugin.git
29 | scm:git:git@github.com:jenkinsci/${project.artifactId}-plugin.git
30 | https://github.com/jenkinsci/${project.artifactId}-plugin
31 | ${scmTag}
32 |
33 |
34 |
35 |
36 | org.jenkins-ci.plugins
37 | cloudbees-folder
38 | 6.1.0
39 | true
40 |
41 |
42 | io.jenkins
43 | configuration-as-code
44 | ${configuration-as-code.version}
45 | true
46 |
47 |
48 |
49 |
50 | org.jenkins-ci.plugins
51 | credentials
52 | 2.1.16
53 | test
54 |
55 |
56 | org.jenkins-ci.plugins.workflow
57 | workflow-cps
58 | ${workflow-cps.version}
59 | test
60 |
61 |
62 | org.jenkins-ci.plugins.workflow
63 | workflow-cps
64 | ${workflow-cps.version}
65 | tests
66 | test
67 |
68 |
69 | org.jenkins-ci.plugins.workflow
70 | workflow-multibranch
71 | 2.10
72 | test
73 |
74 |
75 |
76 | org.jenkins-ci.plugins
77 | structs
78 | 1.13
79 | test
80 |
81 |
82 | io.jenkins.configuration-as-code
83 | configuration-as-code-support
84 | ${configuration-as-code.version}
85 | true
86 | test
87 |
88 |
89 | io.jenkins
90 | configuration-as-code
91 | ${configuration-as-code.version}
92 | tests
93 | test
94 |
95 |
96 | org.jenkins-ci.plugins
97 | job-dsl
98 | 1.72
99 | test
100 |
101 |
102 |
103 | org.codehaus.groovy
104 | groovy-all
105 |
106 |
107 |
108 |
109 |
110 | org.jenkins-ci.plugins
111 | script-security
112 | 1.54
113 | test
114 |
115 |
116 |
117 |
118 |
119 | repo.jenkins-ci.org
120 | https://repo.jenkins-ci.org/public/
121 |
122 |
123 |
124 |
125 | repo.jenkins-ci.org
126 | https://repo.jenkins-ci.org/public/
127 |
128 |
129 |
130 |
131 |
132 |
133 | org.jenkins-ci.tools
134 | maven-hpi-plugin
135 | true
136 |
137 | 2.0
138 |
139 |
140 |
141 |
142 |
143 |
--------------------------------------------------------------------------------
/src/main/java/hudson/security/ProjectMatrixAuthorizationStrategy.java:
--------------------------------------------------------------------------------
1 | /*
2 | * The MIT License
3 | *
4 | * Copyright (c) 2004-2009, Sun Microsystems, Inc., Kohsuke Kawaguchi, Yahoo! Inc., Seiji Sogabe, Tom Huybrechts
5 | *
6 | * Permission is hereby granted, free of charge, to any person obtaining a copy
7 | * of this software and associated documentation files (the "Software"), to deal
8 | * in the Software without restriction, including without limitation the rights
9 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | * copies of the Software, and to permit persons to whom the Software is
11 | * furnished to do so, subject to the following conditions:
12 | *
13 | * The above copyright notice and this permission notice shall be included in
14 | * all copies or substantial portions of the Software.
15 | *
16 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 | * THE SOFTWARE.
23 | */
24 | package hudson.security;
25 |
26 | import com.cloudbees.hudson.plugins.folder.AbstractFolder;
27 | import hudson.model.AbstractItem;
28 | import hudson.model.Descriptor;
29 | import hudson.model.Node;
30 | import jenkins.model.Jenkins;
31 | import hudson.model.Item;
32 | import hudson.model.ItemGroup;
33 | import hudson.model.Job;
34 | import hudson.Extension;
35 | import org.acegisecurity.Authentication;
36 | import org.jenkinsci.plugins.matrixauth.AuthorizationMatrixNodeProperty;
37 | import org.jenkinsci.plugins.matrixauth.Messages;
38 | import org.kohsuke.accmod.Restricted;
39 | import org.kohsuke.accmod.restrictions.DoNotUse;
40 | import org.kohsuke.accmod.restrictions.NoExternalUse;
41 |
42 | import javax.annotation.Nonnull;
43 | import java.util.Set;
44 | import java.util.TreeSet;
45 |
46 | /**
47 | * {@link GlobalMatrixAuthorizationStrategy} plus per-project ACL.
48 | *
49 | *
50 | * Per-project ACL is stored in {@link AuthorizationMatrixProperty}.
51 | *
52 | * @author Kohsuke Kawaguchi
53 | */
54 | public class ProjectMatrixAuthorizationStrategy extends GlobalMatrixAuthorizationStrategy {
55 | @Override
56 | @Nonnull
57 | public ACL getACL(@Nonnull Job<?,?> project) {
58 | AuthorizationMatrixProperty amp = project.getProperty(AuthorizationMatrixProperty.class);
59 | if (amp != null) {
60 | return amp.getInheritanceStrategy().getEffectiveACL(amp.getACL(), project);
61 | } else {
62 | return getACL(project.getParent());
63 | }
64 | }
65 |
66 | @Restricted(NoExternalUse.class)
67 | public static ACL inheritingACL(final ACL parent, final ACL child) {
68 | if (parent instanceof SidACL && child instanceof SidACL) {
69 | return ((SidACL) child).newInheritingACL((SidACL) parent);
70 | }
71 | return new ACL() {
72 | @Override
73 | public boolean hasPermission(@Nonnull Authentication a, @Nonnull Permission permission) {
74 | return a.equals(SYSTEM) || child.hasPermission(a, permission) || parent.hasPermission(a, permission);
75 | }
76 | };
77 | }
78 |
79 | public ACL getACL(ItemGroup<?> g) {
80 | if (g instanceof Item) {
81 | Item item = (Item) g;
82 | return item.getACL();
83 | }
84 | return getRootACL();
85 | }
86 |
87 | @Nonnull
88 | @Override
89 | public ACL getACL(@Nonnull Node node) {
90 | AuthorizationMatrixNodeProperty property = node.getNodeProperty(AuthorizationMatrixNodeProperty.class);
91 | if (property != null) {
92 | return property.getInheritanceStrategy().getEffectiveACL(property.getACL(), node);
93 | }
94 | return getRootACL();
95 | }
96 |
97 | @Override
98 | @Nonnull
99 | public ACL getACL(@Nonnull AbstractItem item) {
100 | if (Jenkins.get().getPlugin("cloudbees-folder") != null) { // optional dependency
101 | if (item instanceof AbstractFolder) {
102 | com.cloudbees.hudson.plugins.folder.properties.AuthorizationMatrixProperty p = ((AbstractFolder<?>) item).getProperties().get(com.cloudbees.hudson.plugins.folder.properties.AuthorizationMatrixProperty.class);
103 | if (p != null) {
104 | return p.getInheritanceStrategy().getEffectiveACL(p.getACL(), item);
105 | }
106 | }
107 | }
108 | return getACL(item.getParent());
109 | }
110 |
111 | @Override
112 | @Nonnull
113 | public Set<String> getGroups() {
114 | Set<String> r = new TreeSet<>(new IdStrategyComparator());
115 | r.addAll(super.getGroups());
116 | for (Job<?,?> j : Jenkins.get().getAllItems(Job.class)) {
117 | AuthorizationMatrixProperty jobProperty = j.getProperty(AuthorizationMatrixProperty.class);
118 | if (jobProperty != null)
119 | r.addAll(jobProperty.getGroups());
120 | }
121 | for (AbstractFolder<?> j : Jenkins.get().getAllItems(AbstractFolder.class)) {
122 | com.cloudbees.hudson.plugins.folder.properties.AuthorizationMatrixProperty folderProperty = j.getProperties().get(com.cloudbees.hudson.plugins.folder.properties.AuthorizationMatrixProperty.class);
123 | if (folderProperty != null)
124 | r.addAll(folderProperty.getGroups());
125 | }
126 | for (Node node : Jenkins.get().getNodes()) {
127 | AuthorizationMatrixNodeProperty nodeProperty = node.getNodeProperty(AuthorizationMatrixNodeProperty.class);
128 | if (nodeProperty != null) {
129 | r.addAll(nodeProperty.getGroups());
130 | }
131 | }
132 | return r;
133 | }
134 |
135 | @Extension
136 | public static final Descriptor<AuthorizationStrategy> DESCRIPTOR = new DescriptorImpl() {
137 | @Override
138 | protected GlobalMatrixAuthorizationStrategy create() {
139 | return new ProjectMatrixAuthorizationStrategy();
140 | }
141 |
142 | @Override
143 | @Nonnull
144 | public String getDisplayName() {
145 | return Messages.ProjectMatrixAuthorizationStrategy_DisplayName();
146 | }
147 | };
148 |
149 | @Restricted(DoNotUse.class)
150 | public static class ConverterImpl extends GlobalMatrixAuthorizationStrategy.ConverterImpl {
151 |
152 | @Override
153 | public GlobalMatrixAuthorizationStrategy create() {
154 | return new ProjectMatrixAuthorizationStrategy();
155 | }
156 |
157 | @Override
158 | @SuppressWarnings("rawtypes")
159 | public boolean canConvert(Class type) {
160 | return type==ProjectMatrixAuthorizationStrategy.class;
161 | }
162 | }
163 | }
164 |
165 |
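The lookup order in `getACL` above (item property first, otherwise the parent) and the two inheritance behaviours exercised in `testPipelineReconfiguration`, as a standalone model. This is an added example, not code from the plugin: `MatrixInheritanceModel`, `Matrix`, `TreeItem` and their methods are hypothetical names, and the administrator exception follows the `NonInheritingStrategy` blurb rather than the plugin's implementation.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Simplified model, not plugin code: every class and method name here is hypothetical.
public class MatrixInheritanceModel {
    static final String ADMINISTER = "hudson.model.Hudson.Administer";
    static final String OVERALL_READ = "hudson.model.Hudson.Read";
    static final String ITEM_READ = "hudson.model.Item.Read";
    static final String ITEM_CONFIGURE = "hudson.model.Item.Configure";

    enum Inheritance { INHERIT_PARENT, NON_INHERITING }

    /** One permission matrix: SID (user or group name) -> granted permission IDs. */
    static final class Matrix {
        private final Map<String, Set<String>> grants = new HashMap<>();

        Matrix add(String permission, String sid) {
            grants.computeIfAbsent(sid, k -> new HashSet<>()).add(permission);
            return this;
        }

        /** True if any SID holds the permission; Administer implies every permission. */
        boolean allows(Set<String> sids, String permission) {
            for (String sid : sids) {
                Set<String> held = grants.getOrDefault(sid, Collections.emptySet());
                if (held.contains(permission) || held.contains(ADMINISTER)) {
                    return true;
                }
            }
            return false;
        }
    }

    /** A job or folder. The root (parent == null) carries the global matrix. */
    static final class TreeItem {
        final TreeItem parent;
        Matrix matrix; // null: no authorization property on this item
        Inheritance inheritance = Inheritance.INHERIT_PARENT;

        TreeItem(TreeItem parent, Matrix matrix) {
            this.parent = parent;
            this.matrix = matrix;
        }

        TreeItem root() {
            TreeItem i = this;
            while (i.parent != null) {
                i = i.parent;
            }
            return i;
        }
    }

    static boolean hasPermission(TreeItem item, Set<String> sids, String permission) {
        if (item.parent == null) {
            return item.matrix.allows(sids, permission); // global matrix
        }
        if (item.matrix == null) {
            return hasPermission(item.parent, sids, permission); // no property: defer to parent
        }
        if (item.matrix.allows(sids, permission)) {
            return true; // granted on the item itself
        }
        if (item.inheritance == Inheritance.INHERIT_PARENT) {
            return hasPermission(item.parent, sids, permission); // union with ancestors
        }
        // NON_INHERITING: only the administrator exception survives, so admins are never locked out.
        return item.root().matrix.allows(sids, ADMINISTER);
    }

    static Set<String> sids(String... names) {
        return new HashSet<>(Arrays.asList(names));
    }

    static void expect(boolean expected, boolean actual, String what) {
        if (expected != actual) {
            throw new AssertionError(what);
        }
        System.out.println((actual ? "ALLOW " : "DENY  ") + what);
    }

    public static void main(String[] args) {
        // Constructed scenario mirroring the global grants in testPipelineReconfiguration.
        Matrix global = new Matrix().add(ADMINISTER, "alice").add(OVERALL_READ, "bob")
                .add(OVERALL_READ, "carol").add(ITEM_READ, "carol");
        TreeItem root = new TreeItem(null, global);
        TreeItem project = new TreeItem(root, null);
        expect(false, hasPermission(project, sids("bob"), ITEM_READ), "bob reads, no property");
        expect(true, hasPermission(project, sids("carol"), ITEM_READ), "carol reads, no property");

        project.matrix = new Matrix().add(ITEM_READ, "bob").add(ITEM_CONFIGURE, "bob");
        expect(true, hasPermission(project, sids("carol"), ITEM_READ), "carol reads, inheriting");

        project.inheritance = Inheritance.NON_INHERITING;
        expect(true, hasPermission(project, sids("bob"), ITEM_CONFIGURE), "bob configures, non-inheriting");
        expect(false, hasPermission(project, sids("carol"), ITEM_READ), "carol reads, non-inheriting");
        expect(true, hasPermission(project, sids("alice"), ITEM_READ), "alice (admin) reads, non-inheriting");
    }
}
```

When reviewing a real configuration, the case to look for is the third one: an item-level matrix with the default inheriting strategy never removes a grant made higher up.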
--------------------------------------------------------------------------------
/src/test/java/com/cloudbees/hudson/plugins/folder/properties/AuthorizationMatrixPropertyTest.java:
--------------------------------------------------------------------------------
1 | /*
2 | * The MIT License
3 | *
4 | * Copyright 2013 CloudBees.
5 | *
6 | * Permission is hereby granted, free of charge, to any person obtaining a copy
7 | * of this software and associated documentation files (the "Software"), to deal
8 | * in the Software without restriction, including without limitation the rights
9 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | * copies of the Software, and to permit persons to whom the Software is
11 | * furnished to do so, subject to the following conditions:
12 | *
13 | * The above copyright notice and this permission notice shall be included in
14 | * all copies or substantial portions of the Software.
15 | *
16 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 | * THE SOFTWARE.
23 | */
24 |
25 | package com.cloudbees.hudson.plugins.folder.properties;
26 |
27 | import com.cloudbees.hudson.plugins.folder.Folder;
28 | import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
29 | import hudson.model.FreeStyleProject;
30 | import hudson.model.Hudson;
31 | import hudson.model.Item;
32 | import hudson.model.User;
33 | import hudson.security.ACL;
34 | import hudson.security.ACLContext;
35 | import hudson.security.HudsonPrivateSecurityRealm;
36 | import hudson.security.ProjectMatrixAuthorizationStrategy;
37 |
38 | import java.util.Collections;
39 | import java.util.logging.Level;
40 |
41 | import jenkins.model.Jenkins;
42 | import org.acegisecurity.AccessDeniedException;
43 | import static org.junit.Assert.*;
44 |
45 | import org.jenkinsci.plugins.matrixauth.AuthorizationContainer;
46 | import org.junit.Assert;
47 | import org.jenkinsci.plugins.matrixauth.inheritance.InheritParentStrategy;
48 | import org.jenkinsci.plugins.matrixauth.inheritance.NonInheritingStrategy;
49 | import org.junit.Rule;
50 | import org.junit.Test;
51 | import org.jvnet.hudson.test.JenkinsRule;
52 | import org.jvnet.hudson.test.LoggerRule;
53 |
54 | public class AuthorizationMatrixPropertyTest {
55 |
56 | @Rule public JenkinsRule r = new JenkinsRule();
57 |
58 | @Rule public LoggerRule l = new LoggerRule();
59 |
60 | @Test
61 | public void ensureCreatorHasPermissions() throws Exception {
62 | HudsonPrivateSecurityRealm realm = new HudsonPrivateSecurityRealm(false, false, null);
63 | realm.createAccount("alice","alice");
64 | realm.createAccount("bob","bob");
65 | r.jenkins.setSecurityRealm(realm);
66 |
67 | ProjectMatrixAuthorizationStrategy authorizationStrategy = new ProjectMatrixAuthorizationStrategy();
68 | authorizationStrategy.add(Item.CREATE, "alice");
69 | authorizationStrategy.add(Jenkins.READ, "alice");
70 | r.jenkins.setAuthorizationStrategy(authorizationStrategy);
71 |
72 | Folder job;
73 | try (ACLContext ignored = ACL.as(User.get("alice", false, Collections.emptyMap()))) {
74 | job = r.createProject(Folder.class);
75 | }
76 |
77 | Assert.assertNotNull(job.getProperties().get(AuthorizationMatrixProperty.class));
78 | Assert.assertTrue(job.getACL().hasPermission(User.get("alice", false, Collections.emptyMap()).impersonate(), Item.READ));
79 | Assert.assertFalse(job.getACL().hasPermission(User.get("bob", false, Collections.emptyMap()).impersonate(), Item.READ));
80 | Assert.assertTrue(job.getACL().hasPermission(User.get("alice", false, Collections.emptyMap()).impersonate(), Item.CONFIGURE));
81 | }
82 |
83 | @Test public void basics1() throws Exception {
84 | HudsonPrivateSecurityRealm realm = new HudsonPrivateSecurityRealm(false, false, null);
85 | realm.createAccount("alice","alice");
86 | realm.createAccount("bob","bob");
87 | r.jenkins.setSecurityRealm(realm);
88 |
89 | ProjectMatrixAuthorizationStrategy as = new ProjectMatrixAuthorizationStrategy();
90 | r.jenkins.setAuthorizationStrategy(as);
91 | as.add(Hudson.READ,"authenticated");
92 |
93 | Folder f = r.jenkins.createProject(Folder.class, "d");
94 | AuthorizationMatrixProperty amp = new AuthorizationMatrixProperty();
95 |
96 | assertTrue(amp.getInheritanceStrategy() instanceof InheritParentStrategy);
97 |
98 | amp.add(Item.READ,"alice");
99 | amp.add(Item.BUILD,"alice");
100 | f.getProperties().add(amp);
101 |
102 | final FreeStyleProject foo = f.createProject(FreeStyleProject.class, "foo");
103 |
104 | JenkinsRule.WebClient wc = r.createWebClient().login("bob");
105 | try {
106 | wc.getPage(foo);
107 | fail();
108 | } catch (FailingHttpStatusCodeException e) {
109 | assertEquals(404, e.getStatusCode());
110 | }
111 |
112 | wc = r.createWebClient().login("alice");
113 | wc.getPage(foo); // this should succeed
114 |
115 | // and build permission should be set, too
116 | wc.executeOnServer(() -> {
117 | foo.checkPermission(Item.BUILD);
118 | try {
119 | foo.checkPermission(Item.DELETE);
120 | fail("access should be denied");
121 | } catch (AccessDeniedException e) {
122 | // expected
123 | }
124 | return null;
125 | });
126 | }
127 |
128 | @Test public void disabling_permission_inheritance_removes_global_permissions() throws Exception {
129 | HudsonPrivateSecurityRealm realm = new HudsonPrivateSecurityRealm(false, false, null);
130 | realm.createAccount("alice","alice");
131 | realm.createAccount("bob","bob");
132 | r.jenkins.setSecurityRealm(realm);
133 |
134 | ProjectMatrixAuthorizationStrategy as = new ProjectMatrixAuthorizationStrategy();
135 | r.jenkins.setAuthorizationStrategy(as);
136 | as.add(Hudson.READ,"authenticated");
137 |
138 | Folder f = r.jenkins.createProject(Folder.class, "d");
139 | AuthorizationMatrixProperty amp = new AuthorizationMatrixProperty();
140 | amp.setInheritanceStrategy(new NonInheritingStrategy());
141 | amp.add(Item.READ,"alice");
142 | f.getProperties().add(amp);
143 |
144 | final FreeStyleProject foo = f.createProject(FreeStyleProject.class, "foo");
145 |
146 | JenkinsRule.WebClient wc = r.createWebClient().login("bob");
147 | try {
148 | wc.getPage(foo);
149 | fail();
150 | } catch (FailingHttpStatusCodeException e) {
151 | assertEquals(404, e.getStatusCode());
152 | }
153 |
154 | wc = r.createWebClient().login("alice");
155 | wc.getPage(foo); // this should succeed
156 | }
157 |
158 | @Test
159 | public void inapplicablePermissionIsSkipped() throws Exception {
160 | AuthorizationMatrixProperty property = new AuthorizationMatrixProperty();
161 | l.record(AuthorizationContainer.class, Level.WARNING).capture(1);
162 | property.add("hudson.model.Hudson.Administer:alice");
163 | assertTrue(property.getGrantedPermissions().isEmpty());
164 | assertTrue(l.getMessages().get(0).contains("Tried to add inapplicable permission"));
165 | assertTrue(l.getMessages().get(0).contains("Administer"));
166 | assertTrue(l.getMessages().get(0).contains("alice"));
167 | }
168 | }
169 |
--------------------------------------------------------------------------------