下面列出了hudson.model.Hudson#hudson.security.Permission 实例代码,或者点击链接到github查看源代码,也可以在右侧发表评论。
private static Set<Permission> cacheImplyingPermissions(Permission permission) {
Set<Permission> implyingPermissions;
if (PermissionWrapper.DANGEROUS_PERMISSIONS.contains(permission)) {
// dangerous permissions should be deferred to Jenkins.ADMINISTER
implyingPermissions = getImplyingPermissions(Jenkins.ADMINISTER);
} else {
implyingPermissions = new HashSet<>();
for (Permission p = permission; p != null; p = p.impliedBy) {
implyingPermissions.add(p);
}
}
implyingPermissionsCache.put(permission, implyingPermissions);
return implyingPermissions;
}
@Override
@SuppressFBWarnings(value = "NP_BOOLEAN_RETURN_NULL",
justification = "hudson.security.SidACL requires null when unknown")
@Nullable
protected Boolean hasPermission(Sid sid, Permission permission) {
if (PermissionWrapper.DANGEROUS_PERMISSIONS.contains(permission)) {
permission = Jenkins.ADMINISTER;
}
Set<Permission> permissions = permissionList.get(toString(sid));
if (permissions != null && CollectionUtils.containsAny(permissions, getImplyingPermissions(permission))) {
return true;
}
return null;
}
/**
* Initializes the ACL objects and preemptively calculates all permissions for all sids.
*
* @param globalRoles set of roles from which to calculate the permissions.
*/
public GlobalAclImpl(Set<GlobalRole> globalRoles) {
for (GlobalRole role : globalRoles) {
Set<Permission> impliedPermissions = ConcurrentHashMap.newKeySet();
role.getPermissionsUnsorted().parallelStream().map(PermissionWrapper::getPermission).forEach(impliedPermissions::add);
role.getSids().parallelStream().forEach(sid -> {
Set<Permission> permissionsForSid = permissionList.get(sid);
if (permissionsForSid == null) {
permissionsForSid = new HashSet<>();
}
permissionsForSid.addAll(impliedPermissions);
permissionList.put(sid, permissionsForSid);
});
}
}
/**
* Attempt to match a given permission to what is defined in the UI.
* @param id String of the form "Title/Permission" (Look in the UI) for a particular permission
* @return a matched permission ID
*/
@CheckForNull
public static String findPermissionId(String id) {
List<PermissionGroup> pgs = PermissionGroup.getAll();
Matcher m = PERMISSION_PATTERN.matcher(id);
if(m.matches()) {
String owner = m.group(1);
String name = m.group(2);
for(PermissionGroup pg : pgs) {
if(pg.owner.equals(Permission.class)) {
continue;
}
if(pg.getId().equals(owner)) {
return pg.owner.getName() + "." + name;
}
}
}
return null;
}
@Nonnull
@Override
public FolderBasedAuthorizationStrategy newInstance(@Nullable StaplerRequest req, @Nonnull JSONObject formData) {
AuthorizationStrategy strategy = Jenkins.get().getAuthorizationStrategy();
if (strategy instanceof FolderBasedAuthorizationStrategy) {
// this action was invoked from the 'Configure Global Security' page when the
// old strategy was FolderBasedAuthorizationStrategy; return it back as formData would be empty
return (FolderBasedAuthorizationStrategy) strategy;
} else {
// when this AuthorizationStrategy is selected for the first time, this makes the current
// user admin (give all permissions) and prevents him/her from getting access denied.
// The same thing happens in Role Strategy plugin. See RoleBasedStrategy.DESCRIPTOR.newInstance()
HashSet<PermissionGroup> groups = new HashSet<>(PermissionGroup.getAll());
groups.remove(PermissionGroup.get(Permission.class));
Set<PermissionWrapper> adminPermissions = PermissionWrapper.wrapPermissions(
FolderAuthorizationStrategyManagementLink.getSafePermissions(groups));
GlobalRole adminRole = new GlobalRole(ADMIN_ROLE_NAME, adminPermissions,
Collections.singleton(new PrincipalSid(Jenkins.getAuthentication()).getPrincipal()));
return new FolderBasedAuthorizationStrategy(Collections.singleton(adminRole), Collections.emptySet(),
Collections.emptySet());
}
}
public boolean hasRepositoryPermission(GitLabAuthenticationToken authenticationToken, Permission permission) {
String repositoryName = getRepositoryName();
if (repositoryName == null) {
if (authenticatedUserCreateJobPermission) {
if (permission.equals(Item.READ) ||
permission.equals(Item.CONFIGURE) ||
permission.equals(Item.DELETE) ||
permission.equals(Item.EXTENDED_READ)) {
return true;
} else {
return false;
}
} else {
return false;
}
} else if (checkReadPermission(permission) &&
authenticationToken.isPublicRepository(repositoryName)) {
return true;
} else {
return authenticationToken.hasRepositoryPermission(repositoryName);
}
}
@Override
public ACL getRootACL() {
return new SidACL() {
@Override
protected Boolean hasPermission(Sid u, Permission permission) {
if (u instanceof PrincipalSid && ((PrincipalSid) u).getPrincipal().equals(username)) {
for (Permission p = permission; p != null; p = p.impliedBy) {
if (permissions.contains(p)) {
return true;
}
}
}
return false;
}
};
}
@Nonnull
@Restricted(NoExternalUse.class)
@SuppressWarnings("unused") // used by index.jelly
public Set<Permission> getGlobalPermissions() {
HashSet<PermissionGroup> groups = new HashSet<>(PermissionGroup.getAll());
groups.remove(PermissionGroup.get(Permission.class));
return getSafePermissions(groups);
}
@Nonnull
@Restricted(NoExternalUse.class)
@SuppressWarnings("unused") // used by index.jelly
public Set<Permission> getFolderPermissions() {
HashSet<PermissionGroup> groups = new HashSet<>(PermissionGroup.getAll());
groups.remove(PermissionGroup.get(Hudson.class));
groups.remove(PermissionGroup.get(Computer.class));
groups.remove(PermissionGroup.get(Permission.class));
return getSafePermissions(groups);
}
@Nonnull
@Restricted(NoExternalUse.class)
@SuppressWarnings("unused") // used by index.jelly
public Set<Permission> getAgentPermissions() {
HashSet<PermissionGroup> groups = new HashSet<>(PermissionGroup.getAll());
groups.remove(PermissionGroup.get(Run.class));
groups.remove(PermissionGroup.get(SCM.class));
groups.remove(PermissionGroup.get(View.class));
groups.remove(PermissionGroup.get(Item.class));
groups.remove(PermissionGroup.get(Hudson.class));
groups.remove(PermissionGroup.get(Permission.class));
return getSafePermissions(groups);
}
@Nonnull
static Set<Permission> getSafePermissions(Set<PermissionGroup> groups) {
TreeSet<Permission> safePermissions = new TreeSet<>(Permission.ID_COMPARATOR);
groups.stream().map(PermissionGroup::getPermissions).forEach(safePermissions::addAll);
safePermissions.removeAll(PermissionWrapper.DANGEROUS_PERMISSIONS);
return safePermissions;
}
private static Set<Permission> getImplyingPermissions(Permission p) {
Set<Permission> permissions = implyingPermissionsCache.get(p);
if (permissions != null) {
return permissions;
} else {
return cacheImplyingPermissions(p);
}
}
/**
* Assigns {@code permissions} to each sid in {@code sid}.
*
* @param sids the sids to be assigned {@code permissions}
* @param permissions the {@link Permission}s to be assigned
*/
public void assignPermissions(Set<String> sids, Set<Permission> permissions) {
sids.parallelStream().forEach(sid -> {
Set<Permission> assignedPermissions = permissionList.get(sid);
if (assignedPermissions == null) {
assignedPermissions = new HashSet<>();
}
assignedPermissions.addAll(permissions);
permissionList.put(sid, assignedPermissions);
});
}
/**
* Attempt to match a given permission to what is defined in the UI.
* @param id String of the form "Title/Permission" (Look in the UI) for a particular permission
* @return a matched permission
*/
@CheckForNull
public static Permission findPermission(String id) {
if (id.contains("/")) {
final String resolvedId = findPermissionId(id);
return resolvedId != null ? Permission.fromId(resolvedId) : null;
} else {
return Permission.fromId(id);
}
}
@Nonnull
private static Set<PermissionWrapper> _wrapPermissions(Stream<Permission> stream) {
return stream
.map(Permission::getId)
.map(PermissionWrapper::new)
.collect(Collectors.toSet());
}
@Test
public void permissionTest() {
Jenkins jenkins = jenkinsRule.jenkins;
try (ACLContext ignored = ACL.as(admin)) {
assertTrue(jenkins.hasPermission(Jenkins.ADMINISTER));
assertTrue(child3.hasPermission(Item.CONFIGURE));
assertTrue(job1.hasPermission(Item.READ));
assertTrue(job2.hasPermission(Item.CREATE));
}
try (ACLContext ignored = ACL.as(user1)) {
assertTrue(jenkins.hasPermission(Permission.READ));
assertTrue(root.hasPermission(Item.READ));
assertTrue(job1.hasPermission(Item.READ));
assertTrue(job2.hasPermission(Item.READ));
assertFalse(job1.hasPermission(Item.CREATE));
assertFalse(job1.hasPermission(Item.DELETE));
assertFalse(job1.hasPermission(Item.CONFIGURE));
assertFalse(job2.hasPermission(Item.CREATE));
assertFalse(job2.hasPermission(Item.CONFIGURE));
}
try (ACLContext ignored = ACL.as(user2)) {
assertTrue(jenkins.hasPermission(Permission.READ));
assertTrue(child2.hasPermission(Item.READ));
assertTrue(child1.hasPermission(Item.READ));
assertTrue(job2.hasPermission(Item.CONFIGURE));
assertFalse(job1.hasPermission(Item.CONFIGURE));
}
}
/**
* Tests against jenkins
*/
@Test
public void useTestAgainstJenkinsRoot() {
OrganizationImpl baseOrg = new OrganizationImpl("jenkins", jenkins);
UserImpl userImpl = new UserImpl(baseOrg, user, baseOrg);
checkPermissions(userImpl.getPermission(), false, false);
when(jenkins.getACL()).thenReturn(new ACL() {
public boolean hasPermission(Authentication a, Permission permission) {
return true;
}
});
checkPermissions(userImpl.getPermission(), true, true);
}
@Override
public boolean hasPermission(@Nonnull Authentication a, @Nonnull Permission permission) {
// its read only so for all permissions other than READ, we return false
if(permission == CREATE || permission == DELETE ||
permission == MANAGE_DOMAINS || permission == UPDATE){
return false;
}
return owner.getACL().hasPermission(a,permission);
}
@Test
public void testOrganizationFolderFactory() throws Exception{
List<OrganizationFolderPipelineImpl.OrganizationFolderFactory> organizationFolderFactoryList = ExtensionList.lookup(OrganizationFolderPipelineImpl.OrganizationFolderFactory.class);
OrganizationFolderFactoryTestImpl organizationFolderFactoryTest = ((ExtensionList<OrganizationFolderPipelineImpl.OrganizationFolderFactory>) organizationFolderFactoryList).get(OrganizationFolderFactoryTestImpl.class);
assertNotNull(organizationFolderFactoryTest);
OrganizationFolderPipelineImpl folderPipeline = organizationFolderFactoryTest.getFolder(orgFolder, new Reachable() {
@Override
public Link getLink() {
return organization.getLink().rel("/pipelines/");
}
}, mockOrganization());
assertNotNull(folderPipeline);
assertNotNull(folderPipeline.getQueue());
assertNotNull(folderPipeline.getQueue().iterator());
//Make sure the user does has permissions to that folder
PowerMockito.when(orgFolder.getACL()).thenReturn(new ACL() {
@Override
public boolean hasPermission(Authentication arg0, Permission arg1) {
return true;
}
});
ScmResourceImpl scmResource = new ScmResourceImpl(orgFolder, folderPipeline);
StaplerRequest staplerRequest = PowerMockito.mock(StaplerRequest.class);
assertEquals("hello", scmResource.getContent(staplerRequest));
}
@Test(expected = ServiceException.ForbiddenException.class)
public void testOrganizationFolderFactoryNoPermissionsFolder() throws Exception {
List<OrganizationFolderPipelineImpl.OrganizationFolderFactory> organizationFolderFactoryList = ExtensionList.lookup(OrganizationFolderPipelineImpl.OrganizationFolderFactory.class);
OrganizationFolderFactoryTestImpl organizationFolderFactoryTest = ((ExtensionList<OrganizationFolderPipelineImpl.OrganizationFolderFactory>) organizationFolderFactoryList).get(OrganizationFolderFactoryTestImpl.class);
assertNotNull(organizationFolderFactoryTest);
OrganizationFolderPipelineImpl folderPipeline = organizationFolderFactoryTest.getFolder(orgFolder, new Reachable() {
@Override
public Link getLink() {
return organization.getLink().rel("/pipelines/");
}
}, mockOrganization());
assertNotNull(folderPipeline);
assertNotNull(folderPipeline.getQueue());
assertNotNull(folderPipeline.getQueue().iterator());
//Make sure the user does not have permissions to that folder
PowerMockito.when(orgFolder.getACL()).thenReturn(new ACL() {
@Override
public boolean hasPermission(Authentication arg0, Permission arg1) {
return false;
}
});
ScmResourceImpl scmResource = new ScmResourceImpl(orgFolder, folderPipeline);
StaplerRequest staplerRequest = PowerMockito.mock(StaplerRequest.class);
assertEquals("hello", scmResource.getContent(staplerRequest));
}
private boolean testBuildPermission(Permission permission) {
if (permission.getId().equals("hudson.model.Hudson.Build")
|| permission.getId().equals("hudson.model.Item.Build")) {
return true;
} else {
return false;
}
}
private boolean checkReadPermission(Permission permission) {
if (permission.getId().equals("hudson.model.Hudson.Read")
|| permission.getId().equals("hudson.model.Item.Workspace")
|| permission.getId().equals("hudson.model.Item.Read")) {
return true;
} else {
return false;
}
}
/**
* @deprecated Rather use {@link #asUser}.
*/
@Deprecated
public CLICommandInvoker authorizedTo(final Permission... permissions) {
this.permissions = Arrays.asList(permissions);
return this;
}
GrantPermissions(String username, List<Permission> permissions) {
this.username = username;
this.permissions = permissions;
for (Permission p : permissions) {
p.setEnabled(true);
}
}
/**
* Begin granting a set of permissions.
* Note that grants cannot be subsequently revoked, but you could reset the strategy to a newly configured one.
* @param permissions which permissions to grant ({@link Permission#impliedBy} is honored)
*/
public Grant grant(Permission... permissions) {
Set<Permission> effective = new HashSet<Permission>(Arrays.asList(permissions));
boolean added = true;
while (added) {
added = false;
for (Permission p : Permission.getAll()) {
added |= effective.contains(p.impliedBy) && effective.add(p);
}
}
return new Grant(effective);
}
@Override protected Boolean hasPermission(Sid p, Permission permission) {
String name = toString(p);
for (Grant.GrantOn.GrantOnTo grantOnTo : grantsOnTo) {
if (grantOnTo.matches(path, name, permission)) {
return true;
}
}
return null; // allow groups to be checked after users, etc.
}
@Override
public boolean hasPermission(Permission p) {
if (super.hasPermission(p)) {
return true;
}
return hasPermissionInField(Jenkins.getAuthentication().getName(), p);
}
private boolean hasPermissionInField(String sid, @Nonnull Permission p) {
if (sid.equals(grantedUser)) {
if (grantedPermissions != null && grantedPermissions.contains(p.getId())) {
return true;
}
}
return false;
}
public void setPermissions(String username, Permission... permissions) {
this.grantedUser = username;
if (grantedPermissions == null) {
grantedPermissions = new HashSet<String>();
} else {
grantedPermissions.clear();
}
for (Permission p : permissions) {
grantedPermissions.add(p.getId());
}
}
@Override
public boolean hasPermission(Permission permission)
{
if (permission == CONFIGURE)
return false;
return super.hasPermission(permission);
}