[JENKINS-66740] Fix credentials permissions checks #4

wants to merge 1 commit into
base: master
Expand Up @@ -22,15 +22,16 @@
import javax.validation.constraints.NotNull;
import hudson.Extension;
import hudson.Util;
import hudson.model.ModelObject;
import hudson.plugins.blazemeter.utils.JenkinsBlazeMeterUtils;
import hudson.security.AccessControlled;
import hudson.util.FormValidation;
import hudson.util.Secret;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;

import java.util.Objects;

@SuppressWarnings("unused") // read resolved by extension plugins
public class BlazemeterCredentialsBAImpl extends BaseStandardCredentials implements BlazemeterCredentials, StandardUsernamePasswordCredentials {

Expand Down Expand Up @@ -104,48 +105,39 @@ public String getIconClassName() {
return "icon-credentials-userpass";
}

public Boolean getAdministerStatus() {
return Objects.requireNonNull(Jenkins.getInstance()).hasPermission(Jenkins.ADMINISTER);
}

public Boolean getManageCredentialsStatus() {
Jenkins jenkins = Objects.requireNonNull(Jenkins.getInstance());
return jenkins.hasPermission(CredentialsProvider.CREATE) ||
jenkins.hasPermission(CredentialsProvider.UPDATE) ||
jenkins.hasPermission(CredentialsProvider.DELETE) ||
jenkins.hasPermission(CredentialsProvider.MANAGE_DOMAINS) ||
jenkins.hasPermission(CredentialsProvider.VIEW);
}

public Boolean getProjectLevelCredentialsStatus() {
hudson.model.User currentUser = Objects.requireNonNull(hudson.model.User.current());
return currentUser.hasPermission(CredentialsProvider.CREATE) ||
currentUser.hasPermission(CredentialsProvider.UPDATE) ||
currentUser.hasPermission(CredentialsProvider.DELETE) ||
currentUser.hasPermission(CredentialsProvider.MANAGE_DOMAINS) ||
currentUser.hasPermission(CredentialsProvider.VIEW);
}

public Boolean isPrivilegedUser() {
return getAdministerStatus() || getManageCredentialsStatus() || getProjectLevelCredentialsStatus();
public Boolean checkPermissions(AccessControlled aclHolder) {
return aclHolder.hasPermission(CredentialsProvider.CREATE) ||
aclHolder.hasPermission(CredentialsProvider.UPDATE) ||
aclHolder.hasPermission(CredentialsProvider.DELETE) ||
aclHolder.hasPermission(CredentialsProvider.MANAGE_DOMAINS) ||
aclHolder.hasPermission(CredentialsProvider.VIEW);
}

public FormValidation doValidate(@QueryParameter("username") final String username,
@QueryParameter("password") final String password) {
String decryptedPassword = Secret.fromString(password).getPlainText();
@QueryParameter("password") final String password,
@AncestorInPath ModelObject context) {

// Maybe a Folder
// Maybe be null in which case default to root Jenkins
AccessControlled aclHolder = context instanceof AccessControlled
? (AccessControlled) context
: Jenkins.getInstance();

if(aclHolder == null) {
return FormValidation.ok();
}

checkPermissions(aclHolder);

try {
if (isPrivilegedUser()) {
JenkinsBlazeMeterUtils utils = BlazeMeterPerformanceBuilderDescriptor.getBzmUtils(username, decryptedPassword);
User.getUser(utils);
return FormValidation.ok("Successfully validated credentials.");
} else {
return FormValidation.error("You don't have required privileges to add/update credentials.");
}
JenkinsBlazeMeterUtils utils = BlazeMeterPerformanceBuilderDescriptor.getBzmUtils(username,
Secret.fromString(password).getPlainText());
User.getUser(utils);
return FormValidation.ok();
} catch (Exception e) {
return FormValidation.error(e.getMessage());
}
}


}
}
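Review bot: The Boolean returned by `checkPermissions(aclHolder);` is discarded, so the permission check has no effect and `doValidate` still contacts BlazeMeter with whatever username/password the form posts, whereas the removed `isPrivilegedUser()` branch at least refused unprivileged callers. Gate on the result instead: `if (!checkPermissions(aclHolder)) { return FormValidation.error("You don't have required privileges to add/update credentials."); }`. The `aclHolder == null` branch returns `FormValidation.ok()` without having validated anything, which reads as a successful check to the user; returning an error or a `FormValidation.warning(...)` would be less misleading. Note also that `checkPermissions` treats `CredentialsProvider.VIEW` alone as sufficient, so anyone who may merely view credentials can drive this validation call — presumably intended, but worth a comment such as `// VIEW is accepted so read-only users can test existing credentials; tighten if this endpoint should be write-only`.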
Expand Up @@ -13,60 +13,19 @@
limitations under the License.
-->
<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form" xmlns:st="jelly:stapler">

<j:if test="${descriptor.isPrivilegedUser()}">

<f:entry title="${%API Key Id}" field="username">
<f:textbox/>
</f:entry>
<f:entry title="${%API Key Secret}" field="password">
<f:password/>
</f:entry>

<st:include page="id-and-description" class="${descriptor.clazz}"/>
<f:entry>
<f:validateButton
<f:entry title="${%API Key Id}" field="username">
<f:textbox/>
</f:entry>
<f:entry title="${%API Key Secret}" field="password">
<f:password/>
</f:entry>

<st:include page="id-and-description" class="${descriptor.clazz}"/>
<f:entry>
<f:validateButton
title="${%Test BlazeMeter credentials}"
progress="${%Validating BlazeMeter credentials}"
method="validate"
with="username,password"/>
</f:entry>

</j:if>



<j:if test="${!descriptor.isPrivilegedUser()}">
<h1>You don't have required privileges to add/update credentials.</h1>
<script>

// Removed OK or Save button for rest of the users
let btnOK = document._getElementsByXPath("//button[text()='OK']")[0];
if (!btnOK) {
var timer = setInterval(function() {
let btnSave = document._getElementsByXPath("//button[text()='Save']")[0];
if (btnSave) {
btnSave.remove();
clearInterval(timer);
}
}, 100);
} else {
btnOK.remove();
}

// Removed delete button
let btnDelete = document._getElementsByXPath("//a[@title='Delete']")[0];
if (btnDelete) {
btnDelete.remove();
}

// Removed Label and Credentials drop-down
let labelKind = document._getElementsByXPath("//div[contains(text(),'Kind')]")[0];
let credentialsTypeSelectBox = document.querySelector("select");
labelKind.remove();
credentialsTypeSelectBox.remove();
</script>
</j:if>


</f:entry>
</j:jelly>