JENKINS-73941 - HideSandbox - Unify all the logic in Script-Security …
…plugin - Tests
jgarciacloudbees committed Oct 31, 2024
1 parent a02bf24 commit bfb4853
Showing 1 changed file with 96 additions and 21 deletions.
@@ -26,6 +26,8 @@

import org.htmlunit.html.HtmlPage;
import org.htmlunit.html.HtmlTextArea;

import hudson.model.Descriptor;
import hudson.model.FreeStyleBuild;
import hudson.model.FreeStyleProject;
import hudson.model.Item;
@@ -209,23 +211,7 @@ public void reload() throws Exception {

@Test
public void forceSandboxTests() throws Exception {
r.jenkins.setSecurityRealm(r.createDummySecurityRealm());

ScriptApproval.get().setForceSandbox(true);

MockAuthorizationStrategy mockStrategy = new MockAuthorizationStrategy();
mockStrategy.grant(Jenkins.READ).everywhere().to("devel");
for (Permission p : Item.PERMISSIONS.getPermissions()) {
mockStrategy.grant(p).everywhere().to("devel");
}

mockStrategy.grant(Jenkins.READ).everywhere().to("admin");
mockStrategy.grant(Jenkins.ADMINISTER).everywhere().to("admin");
for (Permission p : Item.PERMISSIONS.getPermissions()) {
mockStrategy.grant(p).everywhere().to("admin");
}

r.jenkins.setAuthorizationStrategy(mockStrategy);
setBasicSecurity();

try (ACLContext ctx = ACL.as(User.getById("devel", true))) {
assertTrue(ScriptApproval.get().isForceSandbox());
@@ -299,10 +285,7 @@ public void forceSandboxScriptSignatureException() throws Exception {

@Test
public void forceSandboxFormValidation() throws Exception {
r.jenkins.setSecurityRealm(r.createDummySecurityRealm());
r.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy().
grant(Jenkins.READ, Item.READ).everywhere().to("dev").
grant(Jenkins.ADMINISTER).everywhere().to("admin"));
setBasicSecurity();

try (ACLContext ctx = ACL.as(User.getById("devel", true))) {
ScriptApproval.get().setForceSandbox(true);
@@ -346,6 +329,98 @@ public void forceSandboxFormValidation() throws Exception {
}
}

@Test
public void shouldHideSandboxTest() throws Exception {
setBasicSecurity();

ScriptApproval.get().setForceSandbox(true);

SecureGroovyScript testSandboxTrue = new SecureGroovyScript("jenkins.model.Jenkins.instance", true, null);
SecureGroovyScript testSandboxFalse = new SecureGroovyScript("jenkins.model.Jenkins.instance", false, null);

try (ACLContext ctx = ACL.as(User.getById("devel", true))) {
assertTrue(ScriptApproval.shouldHideSandbox(testSandboxTrue, SecureGroovyScript::isSandbox));
assertFalse(ScriptApproval.shouldHideSandbox(testSandboxFalse, SecureGroovyScript::isSandbox));
assertTrue(ScriptApproval.shouldHideSandbox(null, SecureGroovyScript::isSandbox));
}

try (ACLContext ctx = ACL.as(User.getById("admin", true))) {
assertFalse(ScriptApproval.shouldHideSandbox(testSandboxTrue, SecureGroovyScript::isSandbox));
assertFalse(ScriptApproval.shouldHideSandbox(testSandboxFalse, SecureGroovyScript::isSandbox));
assertFalse(ScriptApproval.shouldHideSandbox(null, SecureGroovyScript::isSandbox));
}

ScriptApproval.get().setForceSandbox(false);

try (ACLContext ctx = ACL.as(User.getById("devel", true))) {
assertFalse(ScriptApproval.shouldHideSandbox(testSandboxTrue, SecureGroovyScript::isSandbox));
assertFalse(ScriptApproval.shouldHideSandbox(testSandboxFalse, SecureGroovyScript::isSandbox));
assertFalse(ScriptApproval.shouldHideSandbox(null, SecureGroovyScript::isSandbox));
}

try (ACLContext ctx = ACL.as(User.getById("admin", true))) {
assertFalse(ScriptApproval.shouldHideSandbox(testSandboxTrue, SecureGroovyScript::isSandbox));
assertFalse(ScriptApproval.shouldHideSandbox(testSandboxFalse, SecureGroovyScript::isSandbox));
assertFalse(ScriptApproval.shouldHideSandbox(null, SecureGroovyScript::isSandbox));
}
}

@Test
public void validateSandboxTest() throws Exception {
setBasicSecurity();

ScriptApproval.get().setForceSandbox(true);

try (ACLContext ctx = ACL.as(User.getById("devel", true))) {
ScriptApproval.validateSandbox(true);
assertThrows(Descriptor.FormException.class,
() -> ScriptApproval.validateSandbox(false));
}

try (ACLContext ctx = ACL.as(User.getById("admin", true))) {
ScriptApproval.validateSandbox(true);
ScriptApproval.validateSandbox(false);
}

ScriptApproval.get().setForceSandbox(false);

try (ACLContext ctx = ACL.as(User.getById("devel", true))) {
ScriptApproval.validateSandbox(true);
ScriptApproval.validateSandbox(false);
}

try (ACLContext ctx = ACL.as(User.getById("admin", true))) {
ScriptApproval.validateSandbox(true);
ScriptApproval.validateSandbox(false);
}
}

/**
* Will configure a mock security settings with users:
* Devel: overall Read and write without admin permission
* admin: System administrator
*/
private void setBasicSecurity()
{
r.jenkins.setSecurityRealm(r.createDummySecurityRealm());

ScriptApproval.get().setForceSandbox(true);

MockAuthorizationStrategy mockStrategy = new MockAuthorizationStrategy();
mockStrategy.grant(Jenkins.READ).everywhere().to("devel");
for (Permission p : Item.PERMISSIONS.getPermissions()) {
mockStrategy.grant(p).everywhere().to("devel");
}

mockStrategy.grant(Jenkins.READ).everywhere().to("admin");
mockStrategy.grant(Jenkins.ADMINISTER).everywhere().to("admin");
for (Permission p : Item.PERMISSIONS.getPermissions()) {
mockStrategy.grant(p).everywhere().to("admin");
}

r.jenkins.setAuthorizationStrategy(mockStrategy);
}

private Script script(String groovy) {
return new Script(groovy);
}
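Review bot: `setBasicSecurity()` also calls `ScriptApproval.get().setForceSandbox(true)`, a side effect that neither its name nor its Javadoc mentions, so every caller starts with the forced sandbox switched on whether or not it asked for it. `shouldHideSandboxTest` and `validateSandboxTest` repeat the same call right after the helper, and `forceSandboxFormValidation` now appears to run with the flag already set before its own `setForceSandbox(true)` inside the `ACL.as` block. I would drop that line from the helper and have each test state the sandbox mode it checks (`forceSandboxTests` would then need its own call, since it seems to rely on the helper for it). The Javadoc should also match the grants actually made, e.g. `devel: Jenkins.READ plus every permission in Item.PERMISSIONS, without Jenkins.ADMINISTER` and `admin: the same grants plus Jenkins.ADMINISTER`. The page has lost its +/- markers, so which lines are new is inferred from the hunk headers, and the test class continues outside the last hunk.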