authorWinston Prakash2012-02-14 20:01:20 -0500
committerWinston Prakash2012-02-14 20:01:20 -0500
commitcc9920be00067fbe7fef452c496ea818facf2c22 (patch)
tree2e1b5ce0a74d38b24d57621e38af8c7f377e0fe8
parentc39f59a75a338fa95e733a6afbb7660fab1715c5 (diff)
Move Global Matrix authorization and Project Matrix Authorization to Security Plugin
-rw-r--r--hudson-core/src/main/java/hudson/model/Job.java1
-rw-r--r--hudson-core/src/main/java/hudson/model/JobPropertyDescriptor.java4
-rw-r--r--hudson-core/src/main/java/hudson/model/ParametersDefinitionProperty.java81
-rw-r--r--hudson-core/src/main/java/hudson/security/AuthorizationMatrixProperty.java296
-rw-r--r--hudson-core/src/main/java/hudson/security/GlobalMatrixAuthorizationStrategy.java332
-rw-r--r--hudson-core/src/main/java/hudson/security/ProjectMatrixAuthorizationStrategy.java110
-rw-r--r--hudson-core/src/main/java/hudson/util/CascadingUtil.java4
7 files changed, 207 insertions, 621 deletions
diff --git a/hudson-core/src/main/java/hudson/model/Job.java b/hudson-core/src/main/java/hudson/model/Job.java
index f0cbba2c..b765e171 100644
--- a/hudson-core/src/main/java/hudson/model/Job.java
+++ b/hudson-core/src/main/java/hudson/model/Job.java
@@ -42,7 +42,6 @@ import hudson.search.SearchIndexBuilder;
import hudson.search.SearchItem;
import hudson.search.SearchItems;
import hudson.security.ACL;
-import hudson.security.AuthorizationMatrixProperty;
import hudson.security.AuthorizationStrategy;
import hudson.security.Permission;
//import hudson.security.ProjectMatrixAuthorizationStrategy;
diff --git a/hudson-core/src/main/java/hudson/model/JobPropertyDescriptor.java b/hudson-core/src/main/java/hudson/model/JobPropertyDescriptor.java
index e6246f1f..8b8a4761 100644
--- a/hudson-core/src/main/java/hudson/model/JobPropertyDescriptor.java
+++ b/hudson-core/src/main/java/hudson/model/JobPropertyDescriptor.java
@@ -85,6 +85,10 @@ public abstract class JobPropertyDescriptor extends Descriptor<JobProperty<?>> {
throw new AssertionError(clazz+" doesn't properly parameterize JobProperty. The isApplicable() method must be overriden.");
}
}
+
+ public boolean isCascadable(){
+ return true;
+ }
/**
* Gets the {@link JobPropertyDescriptor}s applicable for a given job type.
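Review bot: The new `isCascadable()` has no Javadoc, and its default of `true` makes cascading opt-out: any descriptor that does not override it is treated as cascadable. This commit overrides it to `false` in `ParametersDefinitionProperty.DescriptorImpl` and `AuthorizationMatrixProperty.DescriptorImpl`, also without comment, so the reason those two are excluded is not recorded anywhere. I would add a Javadoc here along the lines of `/** Whether this property may be inherited through job cascading; override to return false for properties that must be configured per job. */` and a one-line why-comment on each override. How the flag is consumed is in CascadingUtil, outside this hunk, so the wording should be confirmed against it.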
diff --git a/hudson-core/src/main/java/hudson/model/ParametersDefinitionProperty.java b/hudson-core/src/main/java/hudson/model/ParametersDefinitionProperty.java
index 1a5f43cc..c4b61c41 100644
--- a/hudson-core/src/main/java/hudson/model/ParametersDefinitionProperty.java
+++ b/hudson-core/src/main/java/hudson/model/ParametersDefinitionProperty.java
@@ -1,19 +1,20 @@
-/*******************************************************************************
+/**
+ * *****************************************************************************
*
* Copyright (c) 2004-2010 Oracle Corporation.
*
- * All rights reserved. This program and the accompanying materials
- * are made available under the terms of the Eclipse Public License v1.0
- * which accompanies this distribution, and is available at
+ * All rights reserved. This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License v1.0 which
+ * accompanies this distribution, and is available at
* http://www.eclipse.org/legal/epl-v10.html
*
- * Contributors:
+ * Contributors:
*
- * Kohsuke Kawaguchi, Jean-Baptiste Quenot, Seiji Sogabe, Tom Huybrechts
- *
+ * Kohsuke Kawaguchi, Jean-Baptiste Quenot, Seiji Sogabe, Tom Huybrechts
*
- *******************************************************************************/
-
+ *
+ ******************************************************************************
+ */
package hudson.model;
import java.io.IOException;
@@ -39,11 +40,10 @@ import hudson.Extension;
/**
* Keeps a list of the parameters defined for a project.
*
- * <p>
- * This class also implements {@link Action} so that <tt>index.jelly</tt> provides
- * a form to enter build parameters.
+ * <p> This class also implements {@link Action} so that <tt>index.jelly</tt>
+ * provides a form to enter build parameters.
*/
-@ExportedBean(defaultVisibility=2)
+@ExportedBean(defaultVisibility = 2)
public class ParametersDefinitionProperty extends JobProperty<AbstractProject<?, ?>>
implements Action {
@@ -67,7 +67,7 @@ public class ParametersDefinitionProperty extends JobProperty<AbstractProject<?,
super.setOwner(owner);
}
- public AbstractProject<?,?> getOwner() {
+ public AbstractProject<?, ?> getOwner() {
return owner;
}
@@ -81,6 +81,7 @@ public class ParametersDefinitionProperty extends JobProperty<AbstractProject<?,
*/
public List<String> getParameterDefinitionNames() {
return new AbstractList<String>() {
+
public String get(int index) {
return parameterDefinitions.get(index).getName();
}
@@ -101,15 +102,15 @@ public class ParametersDefinitionProperty extends JobProperty<AbstractProject<?,
}
/**
- * Interprets the form submission and schedules a build for a parameterized job.
+ * Interprets the form submission and schedules a build for a parameterized
+ * job.
*
- * <p>
- * This method is supposed to be invoked from {@link AbstractProject#doBuild(StaplerRequest, StaplerResponse)}.
+ * <p> This method is supposed to be invoked from {@link AbstractProject#doBuild(StaplerRequest, StaplerResponse)}.
*/
public void _doBuild(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
- if(!req.getMethod().equals("POST")) {
+ if (!req.getMethod().equals("POST")) {
// show the parameter entry form.
- req.getView(this,"index.jelly").forward(req,rsp);
+ req.getView(this, "index.jelly").forward(req, rsp);
return;
}
@@ -123,13 +124,14 @@ public class ParametersDefinitionProperty extends JobProperty<AbstractProject<?,
String name = jo.getString("name");
ParameterDefinition d = getParameterDefinition(name);
- if(d==null)
+ if (d == null) {
throw new IllegalArgumentException("No such parameter definition: " + name);
+ }
ParameterValue parameterValue = d.createValue(req, jo);
values.add(parameterValue);
}
- Hudson.getInstance().getQueue().schedule(
+ Hudson.getInstance().getQueue().schedule(
owner, owner.getDelay(req), new ParametersAction(values), new CauseAction(new Cause.UserCause()));
// send the user back to the job top page.
@@ -138,16 +140,16 @@ public class ParametersDefinitionProperty extends JobProperty<AbstractProject<?,
public void buildWithParameters(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
List<ParameterValue> values = new ArrayList<ParameterValue>();
- for (ParameterDefinition d: parameterDefinitions) {
- ParameterValue value = d.createValue(req);
- if (value != null) {
- values.add(value);
- } else {
- throw new IllegalArgumentException("Parameter " + d.getName() + " was missing.");
- }
+ for (ParameterDefinition d : parameterDefinitions) {
+ ParameterValue value = d.createValue(req);
+ if (value != null) {
+ values.add(value);
+ } else {
+ throw new IllegalArgumentException("Parameter " + d.getName() + " was missing.");
+ }
}
- Hudson.getInstance().getQueue().schedule(
+ Hudson.getInstance().getQueue().schedule(
owner, owner.getDelay(req), new ParametersAction(values), owner.getBuildCause(req));
// send the user back to the job top page.
@@ -158,14 +160,17 @@ public class ParametersDefinitionProperty extends JobProperty<AbstractProject<?,
* Gets the {@link ParameterDefinition} of the given name, if any.
*/
public ParameterDefinition getParameterDefinition(String name) {
- for (ParameterDefinition pd : parameterDefinitions)
- if (pd.getName().equals(name))
+ for (ParameterDefinition pd : parameterDefinitions) {
+ if (pd.getName().equals(name)) {
return pd;
+ }
+ }
return null;
}
@Extension
public static class DescriptorImpl extends JobPropertyDescriptor {
+
@Override
public boolean isApplicable(Class<? extends Job> jobType) {
return AbstractProject.class.isAssignableFrom(jobType);
@@ -173,7 +178,7 @@ public class ParametersDefinitionProperty extends JobProperty<AbstractProject<?,
@Override
public JobProperty<?> newInstance(StaplerRequest req,
- JSONObject formData) throws FormException {
+ JSONObject formData) throws FormException {
if (formData.isNullObject()) {
return null;
}
@@ -181,16 +186,22 @@ public class ParametersDefinitionProperty extends JobProperty<AbstractProject<?,
JSONObject parameterized = formData.getJSONObject("parameterized");
if (parameterized.isNullObject()) {
- return null;
+ return null;
}
List<ParameterDefinition> parameterDefinitions = Descriptor.newInstancesFromHeteroList(
req, parameterized, "parameter", ParameterDefinition.all());
- if(parameterDefinitions.isEmpty())
+ if (parameterDefinitions.isEmpty()) {
return null;
+ }
return new ParametersDefinitionProperty(parameterDefinitions);
}
+
+ @Override
+ public boolean isCascadable() {
+ return false;
+ }
@Override
public String getDisplayName() {
@@ -221,7 +232,7 @@ public class ParametersDefinitionProperty extends JobProperty<AbstractProject<?,
ParametersDefinitionProperty that = (ParametersDefinitionProperty) o;
if (parameterDefinitions != null ? !this.parameterDefinitions.equals(that.parameterDefinitions)
- : that.parameterDefinitions != null) {
+ : that.parameterDefinitions != null) {
return false;
}
diff --git a/hudson-core/src/main/java/hudson/security/AuthorizationMatrixProperty.java b/hudson-core/src/main/java/hudson/security/AuthorizationMatrixProperty.java
index 8b2dea88..d16fdcb1 100644
--- a/hudson-core/src/main/java/hudson/security/AuthorizationMatrixProperty.java
+++ b/hudson-core/src/main/java/hudson/security/AuthorizationMatrixProperty.java
@@ -1,19 +1,20 @@
-/*******************************************************************************
+/**
+ * *****************************************************************************
*
* Copyright (c) 2004-2010 Oracle Corporation.
*
- * All rights reserved. This program and the accompanying materials
- * are made available under the terms of the Eclipse Public License v1.0
- * which accompanies this distribution, and is available at
+ * All rights reserved. This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License v1.0 which
+ * accompanies this distribution, and is available at
* http://www.eclipse.org/legal/epl-v10.html
*
- * Contributors:
+ * Contributors:
*
- * Kohsuke Kawaguchi, Yahoo! Inc., Peter Hayes, Tom Huybrechts
- *
+ * Kohsuke Kawaguchi, Yahoo! Inc., Peter Hayes, Tom Huybrechts
*
- *******************************************************************************/
-
+ *
+ ******************************************************************************
+ */
package hudson.security;
import hudson.diagnosis.OldDataMonitor;
@@ -52,95 +53,101 @@ import com.thoughtworks.xstream.converters.MarshallingContext;
import com.thoughtworks.xstream.converters.UnmarshallingContext;
import com.thoughtworks.xstream.io.HierarchicalStreamReader;
import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
+import hudson.security.Permission;
+import hudson.security.PermissionGroup;
+import hudson.security.SidACL;
import javax.servlet.ServletException;
+import org.eclipse.hudson.plugins.security.GlobalMatrixAuthorizationStrategy;
+import org.eclipse.hudson.plugins.security.ProjectMatrixAuthorizationStrategy;
/**
* {@link JobProperty} to associate ACL for each project.
*
- * <p>
- * Once created (and initialized), this object becomes immutable.
+ * <p> Once created (and initialized), this object becomes immutable.
*/
public class AuthorizationMatrixProperty extends JobProperty<Job<?, ?>> {
- private transient SidACL acl = new AclImpl();
-
- /**
- * List up all permissions that are granted.
- *
- * Strings are either the granted authority or the principal, which is not
- * distinguished.
- */
- private final Map<Permission, Set<String>> grantedPermissions = new HashMap<Permission, Set<String>>();
-
- private Set<String> sids = new HashSet<String>();
+ private transient SidACL acl = new AclImpl();
+ /**
+ * List up all permissions that are granted.
+ *
+ * Strings are either the granted authority or the principal, which is not
+ * distinguished.
+ */
+ private final Map<Permission, Set<String>> grantedPermissions = new HashMap<Permission, Set<String>>();
+ private Set<String> sids = new HashSet<String>();
private AuthorizationMatrixProperty() {
}
public AuthorizationMatrixProperty(Map<Permission, Set<String>> grantedPermissions) {
// do a deep copy to be safe
- for (Entry<Permission,Set<String>> e : grantedPermissions.entrySet())
- this.grantedPermissions.put(e.getKey(),new HashSet<String>(e.getValue()));
+ for (Entry<Permission, Set<String>> e : grantedPermissions.entrySet()) {
+ this.grantedPermissions.put(e.getKey(), new HashSet<String>(e.getValue()));
+ }
+ }
+
+ public Set<String> getGroups() {
+ return sids;
}
- public Set<String> getGroups() {
- return sids;
- }
-
- /**
- * Returns all SIDs configured in this matrix, minus "anonymous"
- *
- * @return Always non-null.
- */
- public List<String> getAllSIDs() {
- Set<String> r = new HashSet<String>();
- for (Set<String> set : grantedPermissions.values())
- r.addAll(set);
- r.remove("anonymous");
-
- String[] data = r.toArray(new String[r.size()]);
- Arrays.sort(data);
- return Arrays.asList(data);
- }
+ /**
+ * Returns all SIDs configured in this matrix, minus "anonymous"
+ *
+ * @return Always non-null.
+ */
+ public List<String> getAllSIDs() {
+ Set<String> r = new HashSet<String>();
+ for (Set<String> set : grantedPermissions.values()) {
+ r.addAll(set);
+ }
+ r.remove("anonymous");
+
+ String[] data = r.toArray(new String[r.size()]);
+ Arrays.sort(data);
+ return Arrays.asList(data);
+ }
/**
- * Returns all the (Permission,sid) pairs that are granted, in the multi-map form.
+ * Returns all the (Permission,sid) pairs that are granted, in the multi-map
+ * form.
*
- * @return
- * read-only. never null.
+ * @return read-only. never null.
*/
- public Map<Permission,Set<String>> getGrantedPermissions() {
+ public Map<Permission, Set<String>> getGrantedPermissions() {
return Collections.unmodifiableMap(grantedPermissions);
}
/**
- * Adds to {@link #grantedPermissions}. Use of this method should be limited
- * during construction, as this object itself is considered immutable once
- * populated.
- */
- protected void add(Permission p, String sid) {
- Set<String> set = grantedPermissions.get(p);
- if (set == null)
- grantedPermissions.put(p, set = new HashSet<String>());
- set.add(sid);
- sids.add(sid);
- }
+ * Adds to {@link #grantedPermissions}. Use of this method should be limited
+ * during construction, as this object itself is considered immutable once
+ * populated.
+ */
+ protected void add(Permission p, String sid) {
+ Set<String> set = grantedPermissions.get(p);
+ if (set == null) {
+ grantedPermissions.put(p, set = new HashSet<String>());
+ }
+ set.add(sid);
+ sids.add(sid);
+ }
@Extension
public static class DescriptorImpl extends JobPropertyDescriptor {
- @Override
- public JobProperty<?> newInstance(StaplerRequest req, JSONObject formData) throws FormException {
+
+ @Override
+ public JobProperty<?> newInstance(StaplerRequest req, JSONObject formData) throws FormException {
formData = formData.getJSONObject("useProjectSecurity");
- if (formData.isNullObject())
+ if (formData.isNullObject()) {
return null;
+ }
AuthorizationMatrixProperty amp = new AuthorizationMatrixProperty();
for (Map.Entry<String, Object> r : (Set<Map.Entry<String, Object>>) formData.getJSONObject("data").entrySet()) {
String sid = r.getKey();
if (r.getValue() instanceof JSONObject) {
- for (Map.Entry<String, Boolean> e : (Set<Map.Entry<String, Boolean>>) ((JSONObject) r
- .getValue()).entrySet()) {
+ for (Map.Entry<String, Boolean> e : (Set<Map.Entry<String, Boolean>>) ((JSONObject) r.getValue()).entrySet()) {
if (e.getValue()) {
Permission p = Permission.fromId(e.getKey());
amp.add(p, sid);
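Review bot: In `DescriptorImpl.newInstance` the result of `Permission.fromId(e.getKey())` is passed to `amp.add(p, sid)` without a null check, and `add(Permission, String)` in this hunk does not check either, so an unknown permission id in the submitted form would store a `null` key in `grantedPermissions`. The string overload `add(String)` further down treats a null from `fromId` as an error, and the `GlobalMatrixAuthorizationStrategy.add` removed by this commit began with `if (p==null) throw new IllegalArgumentException();`. I would give this `add` the same guard, `if (p == null) { throw new IllegalArgumentException(); }`, so that `ConverterImpl.marshal` never meets a null key at `e.getKey().getId()`. Separately, the three added `hudson.security.*` imports name the file's own package and can be dropped. `newInstance` continues past the end of this hunk.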
@@ -148,26 +155,31 @@ public class AuthorizationMatrixProperty extends JobProperty<Job<?, ?>> {
}
}
}
- return amp;
- }
+ return amp;
+ }
+
+ @Override
+ public boolean isCascadable() {
+ return false;
+ }
- @Override
- public boolean isApplicable(Class<? extends Job> jobType) {
+ @Override
+ public boolean isApplicable(Class<? extends Job> jobType) {
// only applicable when ProjectMatrixAuthorizationStrategy is in charge
return Hudson.getInstance().getAuthorizationStrategy() instanceof ProjectMatrixAuthorizationStrategy;
- }
+ }
- @Override
- public String getDisplayName() {
- return "Authorization Matrix";
- }
+ @Override
+ public String getDisplayName() {
+ return "Authorization Matrix";
+ }
- public List<PermissionGroup> getAllGroups() {
- return Arrays.asList(PermissionGroup.get(Item.class),PermissionGroup.get(Run.class));
- }
+ public List<PermissionGroup> getAllGroups() {
+ return Arrays.asList(PermissionGroup.get(Item.class), PermissionGroup.get(Run.class));
+ }
public boolean showPermission(Permission p) {
- return p.getEnabled() && p!=Item.CREATE;
+ return p.getEnabled() && p != Item.CREATE;
}
public FormValidation doCheckName(@AncestorInPath Job project, @QueryParameter String value) throws IOException, ServletException {
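Review bot: `isApplicable` now tests `instanceof ProjectMatrixAuthorizationStrategy` against the class imported from `org.eclipse.hudson.plugins.security`, so this hudson-core class depends on the security plugin at compile and link time. If core can be loaded without that plugin, resolving `AuthorizationMatrixProperty` would presumably fail; it is worth confirming whether this property was meant to move to the plugin together with the two strategies. The same dependency shows in `ConverterImpl.unmarshal`, which calls `GlobalMatrixAuthorizationStrategy.migrateHudson2324(...)`: the removed core version declared it `/*package*/ static`, so the plugin copy has to be `public` for that call to compile from `hudson.security`.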
@@ -175,29 +187,32 @@ public class AuthorizationMatrixProperty extends JobProperty<Job<?, ?>> {
}
}
- private final class AclImpl extends SidACL {
- protected Boolean hasPermission(Sid sid, Permission p) {
- if (AuthorizationMatrixProperty.this.hasPermission(toString(sid),p))
- return true;
- return null;
- }
- }
-
- public SidACL getACL() {
- return acl;
- }
-
- /**
- * Checks if the given SID has the given permission.
- */
- public boolean hasPermission(String sid, Permission p) {
- for (; p != null; p = p.impliedBy) {
- Set<String> set = grantedPermissions.get(p);
- if (set != null && set.contains(sid))
- return true;
- }
- return false;
- }
+ private final class AclImpl extends SidACL {
+
+ protected Boolean hasPermission(Sid sid, Permission p) {
+ if (AuthorizationMatrixProperty.this.hasPermission(toString(sid), p)) {
+ return true;
+ }
+ return null;
+ }
+ }
+
+ public SidACL getACL() {
+ return acl;
+ }
+
+ /**
+ * Checks if the given SID has the given permission.
+ */
+ public boolean hasPermission(String sid, Permission p) {
+ for (; p != null; p = p.impliedBy) {
+ Set<String> set = grantedPermissions.get(p);
+ if (set != null && set.contains(sid)) {
+ return true;
+ }
+ }
+ return false;
+ }
/**
* Checks if the permission is explicitly given, instead of implied through {@link Permission#impliedBy}.
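Review bot: `hasPermission(String, Permission)` grants access whenever the sid is in the set and never consults `p.getEnabled()`, whereas the `GlobalMatrixAuthorizationStrategy.hasPermission` removed by this commit required `set.contains(sid) && p.getEnabled()`. A permission that has been disabled but is still stored in a project's matrix would therefore still be honoured by the project ACL, even though `showPermission` in this class filters on `p.getEnabled()`. If that difference is not intentional, the condition should read `if (set != null && set.contains(sid) && p.getEnabled()) {`, and `hasExplicitPermission` just below this hunk should match.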
@@ -206,7 +221,7 @@ public class AuthorizationMatrixProperty extends JobProperty<Job<?, ?>> {
Set<String> set = grantedPermissions.get(p);
return set != null && set.contains(sid);
}
-
+
/**
* Works like {@link #add(Permission, String)} but takes both parameters
* from a single string of the form <tt>PERMISSIONID:sid</tt>
@@ -214,59 +229,60 @@ public class AuthorizationMatrixProperty extends JobProperty<Job<?, ?>> {
private void add(String shortForm) {
int idx = shortForm.indexOf(':');
Permission p = Permission.fromId(shortForm.substring(0, idx));
- if (p==null)
- throw new IllegalArgumentException("Failed to parse '"+shortForm+"' --- no such permission");
+ if (p == null) {
+ throw new IllegalArgumentException("Failed to parse '" + shortForm + "' --- no such permission");
+ }
add(p, shortForm.substring(idx + 1));
}
- /**
- * Persist {@link ProjectMatrixAuthorizationStrategy} as a list of IDs that
- * represent {@link ProjectMatrixAuthorizationStrategy#grantedPermissions}.
- */
- public static final class ConverterImpl implements Converter {
- public boolean canConvert(Class type) {
- return type == AuthorizationMatrixProperty.class;
- }
-
- public void marshal(Object source, HierarchicalStreamWriter writer,
- MarshallingContext context) {
- AuthorizationMatrixProperty amp = (AuthorizationMatrixProperty) source;
-
- for (Entry<Permission, Set<String>> e : amp.grantedPermissions
- .entrySet()) {
- String p = e.getKey().getId();
- for (String sid : e.getValue()) {
- writer.startNode("permission");
- writer.setValue(p + ':' + sid);
- writer.endNode();
- }
- }
- }
-
- public Object unmarshal(HierarchicalStreamReader reader,
- final UnmarshallingContext context) {
- AuthorizationMatrixProperty as = new AuthorizationMatrixProperty();
-
- String prop = reader.peekNextChild();
- if (prop!=null && prop.equals("useProjectSecurity")) {
- reader.moveDown();
- reader.getValue(); // we used to use this but not any more.
- reader.moveUp();
- }
+ /**
+ * Persist {@link ProjectMatrixAuthorizationStrategy} as a list of IDs that
+ * represent {@link ProjectMatrixAuthorizationStrategy#grantedPermissions}.
+ */
+ public static final class ConverterImpl implements Converter {
+
+ public boolean canConvert(Class type) {
+ return type == AuthorizationMatrixProperty.class;
+ }
+
+ public void marshal(Object source, HierarchicalStreamWriter writer,
+ MarshallingContext context) {
+ AuthorizationMatrixProperty amp = (AuthorizationMatrixProperty) source;
+
+ for (Entry<Permission, Set<String>> e : amp.grantedPermissions.entrySet()) {
+ String p = e.getKey().getId();
+ for (String sid : e.getValue()) {
+ writer.startNode("permission");
+ writer.setValue(p + ':' + sid);
+ writer.endNode();
+ }
+ }
+ }
+
+ public Object unmarshal(HierarchicalStreamReader reader,
+ final UnmarshallingContext context) {
+ AuthorizationMatrixProperty as = new AuthorizationMatrixProperty();
+
+ String prop = reader.peekNextChild();
+ if (prop != null && prop.equals("useProjectSecurity")) {
+ reader.moveDown();
+ reader.getValue(); // we used to use this but not any more.
+ reader.moveUp();
+ }
while (reader.hasMoreChildren()) {
reader.moveDown();
try {
as.add(reader.getValue());
} catch (IllegalArgumentException ex) {
- Logger.getLogger(AuthorizationMatrixProperty.class.getName())
- .log(Level.WARNING,"Skipping a non-existent permission",ex);
- RobustReflectionConverter.addErrorInContext(context, ex);
+ Logger.getLogger(AuthorizationMatrixProperty.class.getName()).log(Level.WARNING, "Skipping a non-existent permission", ex);
+ RobustReflectionConverter.addErrorInContext(context, ex);
}
reader.moveUp();
}
- if (GlobalMatrixAuthorizationStrategy.migrateHudson2324(as.grantedPermissions))
+ if (GlobalMatrixAuthorizationStrategy.migrateHudson2324(as.grantedPermissions)) {
OldDataMonitor.report(context, "1.301");
+ }
return as;
}
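Review bot: `add(String shortForm)` uses `shortForm.indexOf(':')` without checking for -1, so an entry with no colon makes `substring(0, idx)` throw `StringIndexOutOfBoundsException`. `ConverterImpl.unmarshal` only catches `IllegalArgumentException`, so one malformed `permission` value in a stored job configuration would escape the "Skipping a non-existent permission" path instead of being logged and skipped. I would reject it explicitly before the lookup: `if (idx < 0) { throw new IllegalArgumentException("Failed to parse '" + shortForm + "' --- missing ':'"); }`.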
diff --git a/hudson-core/src/main/java/hudson/security/GlobalMatrixAuthorizationStrategy.java b/hudson-core/src/main/java/hudson/security/GlobalMatrixAuthorizationStrategy.java
deleted file mode 100644
index f242a060..00000000
--- a/hudson-core/src/main/java/hudson/security/GlobalMatrixAuthorizationStrategy.java
+++ /dev/null
@@ -1,332 +0,0 @@
-/*******************************************************************************
- *
- * Copyright (c) 2004-2010 Oracle Corporation.
- *
- * All rights reserved. This program and the accompanying materials
- * are made available under the terms of the Eclipse Public License v1.0
- * which accompanies this distribution, and is available at
- * http://www.eclipse.org/legal/epl-v10.html
- *
- * Contributors:
- *
- * Kohsuke Kawaguchi, Yahoo! Inc.
- *
- *
- *******************************************************************************/
-
-package hudson.security;
-
-import com.thoughtworks.xstream.converters.Converter;
-import com.thoughtworks.xstream.converters.MarshallingContext;
-import com.thoughtworks.xstream.converters.UnmarshallingContext;
-import com.thoughtworks.xstream.io.HierarchicalStreamReader;
-import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
-import hudson.diagnosis.OldDataMonitor;
-import hudson.model.Descriptor;
-import hudson.model.Hudson;
-import hudson.model.Item;
-import hudson.util.FormValidation;
-import hudson.util.FormValidation.Kind;
-import hudson.util.VersionNumber;
-import hudson.util.RobustReflectionConverter;
-import hudson.Functions;
-import hudson.Extension;
-import net.sf.json.JSONObject;
-import org.springframework.security.userdetails.UsernameNotFoundException;
-import org.springframework.security.acls.sid.Sid;
-import org.kohsuke.stapler.Stapler;
-import org.kohsuke.stapler.StaplerRequest;
-import org.kohsuke.stapler.QueryParameter;
-import org.springframework.dao.DataAccessException;
-
-import javax.servlet.ServletException;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Map;
-import java.util.Map.Entry;
-import java.util.Set;
-import java.util.logging.Level;
-import java.util.logging.Logger;
-import java.io.IOException;
-import java.util.Collections;
-import java.util.SortedMap;
-import java.util.TreeMap;
-
-/**
- * Role-based authorization via a matrix.
- *
- * @author Kohsuke Kawaguchi
- */
-// TODO: think about the concurrency commitment of this class
-public class GlobalMatrixAuthorizationStrategy extends AuthorizationStrategy {
- private transient SidACL acl = new AclImpl();
-
- /**
- * List up all permissions that are granted.
- *
- * Strings are either the granted authority or the principal,
- * which is not distinguished.
- */
- private final Map<Permission,Set<String>> grantedPermissions = new HashMap<Permission, Set<String>>();
-
- private final Set<String> sids = new HashSet<String>();
-
- @Override
- public int getMode(){
- return MODE_GLOBAL_MATRIX;
- }
-
- /**
- * Adds to {@link #grantedPermissions}.
- * Use of this method should be limited during construction,
- * as this object itself is considered immutable once populated.
- */
- public void add(Permission p, String sid) {
- if (p==null)
- throw new IllegalArgumentException();
- Set<String> set = grantedPermissions.get(p);
- if(set==null)
- grantedPermissions.put(p,set = new HashSet<String>());
- set.add(sid);
- sids.add(sid);
- }
-
- /**
- * Works like {@link #add(Permission, String)} but takes both parameters
- * from a single string of the form <tt>PERMISSIONID:sid</tt>
- */
- private void add(String shortForm) {
- int idx = shortForm.indexOf(':');
- Permission p = Permission.fromId(shortForm.substring(0, idx));
- if (p==null)
- throw new IllegalArgumentException("Failed to parse '"+shortForm+"' --- no such permission");
- add(p,shortForm.substring(idx+1));
- }
-
- @Override
- public SidACL getRootACL() {
- return acl;
- }
-
- public Set<String> getGroups() {
- return sids;
- }
-
- /**
- * Due to HUDSON-2324, we want to inject Item.READ permission to everyone who has Hudson.READ,
- * to remain backward compatible.
- * @param grantedPermissions
- */
- /*package*/ static boolean migrateHudson2324(Map<Permission,Set<String>> grantedPermissions) {
- boolean result = false;
- if(Hudson.getInstance().isUpgradedFromBefore(new VersionNumber("1.300.*"))) {
- Set<String> f = grantedPermissions.get(Hudson.READ);
- if (f!=null) {
- Set<String> t = grantedPermissions.get(Item.READ);
- if (t!=null)
- result = t.addAll(f);
- else {
- t = new HashSet<String>(f);
- result = true;
- }
- grantedPermissions.put(Item.READ,t);
- }
- }
- return result;
- }
-
- /**
- * Checks if the given SID has the given permission.
- */
- public boolean hasPermission(String sid, Permission p) {
- for(; p!=null; p=p.impliedBy) {
- Set<String> set = grantedPermissions.get(p);
- if(set!=null && set.contains(sid) && p.getEnabled())
- return true;
- }
- return false;
- }
-
- /**
- * Checks if the permission is explicitly given, instead of implied through {@link Permission#impliedBy}.
- */
- public boolean hasExplicitPermission(String sid, Permission p) {
- Set<String> set = grantedPermissions.get(p);
- return set != null && set.contains(sid) && p.getEnabled();
- }
-
- /**
- * Returns all SIDs configured in this matrix, minus "anonymous"
- *
- * @return
- * Always non-null.
- */
- public List<String> getAllSIDs() {
- Set<String> r = new HashSet<String>();
- for (Set<String> set : grantedPermissions.values())
- r.addAll(set);
- r.remove("anonymous");
-
- String[] data = r.toArray(new String[r.size()]);
- Arrays.sort(data);
- return Arrays.asList(data);
- }
-
- private final class AclImpl extends SidACL {
- protected Boolean hasPermission(Sid p, Permission permission) {
- if(GlobalMatrixAuthorizationStrategy.this.hasPermission(toString(p),permission))
- return true;
- return null;
- }
- }
-
- @Extension
- public static final DescriptorImpl DESCRIPTOR = new DescriptorImpl();
-
- /**
- * Persist {@link GlobalMatrixAuthorizationStrategy} as a list of IDs that
- * represent {@link GlobalMatrixAuthorizationStrategy#grantedPermissions}.
- */
- public static class ConverterImpl implements Converter {
- public boolean canConvert(Class type) {
- return type==GlobalMatrixAuthorizationStrategy.class;
- }
-
- public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {
- GlobalMatrixAuthorizationStrategy strategy = (GlobalMatrixAuthorizationStrategy)source;
-
- // Output in alphabetical order for readability.
- SortedMap<Permission, Set<String>> sortedPermissions = new TreeMap<Permission, Set<String>>(Permission.ID_COMPARATOR);
- sortedPermissions.putAll(strategy.grantedPermissions);
- for (Entry<Permission, Set<String>> e : sortedPermissions.entrySet()) {
- String p = e.getKey().getId();
- List<String> sids = new ArrayList<String>(e.getValue());
- Collections.sort(sids);
- for (String sid : sids) {
- writer.startNode("permission");
- writer.setValue(p+':'+sid);
- writer.endNode();
- }
- }
-
- }
-
- public Object unmarshal(HierarchicalStreamReader reader, final UnmarshallingContext context) {
- GlobalMatrixAuthorizationStrategy as = create();
-
- while (reader.hasMoreChildren()) {
- reader.moveDown();
- try {
- as.add(reader.getValue());
- } catch (IllegalArgumentException ex) {
- Logger.getLogger(GlobalMatrixAuthorizationStrategy.class.getName())
- .log(Level.WARNING,"Skipping a non-existent permission",ex);
- RobustReflectionConverter.addErrorInContext(context, ex);
- }
- reader.moveUp();
- }
-
- if (migrateHudson2324(as.grantedPermissions))
- OldDataMonitor.report(context, "1.301");
-
- return as;
- }
-
- protected GlobalMatrixAuthorizationStrategy create() {
- return new GlobalMatrixAuthorizationStrategy();
- }
- }
-
- public static class DescriptorImpl extends Descriptor<AuthorizationStrategy> {
- protected DescriptorImpl(Class<? extends GlobalMatrixAuthorizationStrategy> clazz) {
- super(clazz);
- }
-
- public DescriptorImpl() {
- }
-
- public String getDisplayName() {
- return Messages.GlobalMatrixAuthorizationStrategy_DisplayName();
- }
-
- @Override
- public AuthorizationStrategy newInstance(StaplerRequest req, JSONObject formData) throws FormException {
- GlobalMatrixAuthorizationStrategy gmas = create();
- for(Map.Entry<String,JSONObject> r : (Set<Map.Entry<String,JSONObject>>)formData.getJSONObject("data").entrySet()) {
- String sid = r.getKey();
- for(Map.Entry<String,Boolean> e : (Set<Map.Entry<String,Boolean>>)r.getValue().entrySet()) {
- if(e.getValue()) {
- Permission p = Permission.fromId(e.getKey());
- gmas.add(p,sid);
- }
- }
- }
- return gmas;
- }
-
- protected GlobalMatrixAuthorizationStrategy create() {
- return new GlobalMatrixAuthorizationStrategy();
- }
-
- public List<PermissionGroup> getAllGroups() {
- List<PermissionGroup> groups = new ArrayList<PermissionGroup>(PermissionGroup.getAll());
- groups.remove(PermissionGroup.get(Permission.class));
- return groups;
- }
-
- public boolean showPermission(Permission p) {
- return p.getEnabled();
- }
-
- public FormValidation doCheckName(@QueryParameter String value ) throws IOException, ServletException {
- return doCheckName(value, Hudson.getInstance(), Hudson.ADMINISTER);
- }
-
- FormValidation doCheckName(String value, AccessControlled subject, Permission permission) throws IOException, ServletException {
- if(!subject.hasPermission(permission)) return FormValidation.ok(); // can't check
-
- final String v = value.substring(1,value.length()-1);
- SecurityRealm sr = Hudson.getInstance().getSecurityRealm();
- String ev = Functions.escape(v);
-
- if(v.equals("authenticated"))
- // system reserved group
- return FormValidation.respond(Kind.OK, makeImg("user.png") +ev);
-
- try {
- sr.loadUserByUsername(v);
- return FormValidation.respond(Kind.OK, makeImg("person.png")+ev);
- } catch (UserMayOrMayNotExistException e) {
- // undecidable, meaning the user may exist
- return FormValidation.respond(Kind.OK, ev);
- } catch (UsernameNotFoundException e) {
- // fall through next
- } catch (DataAccessException e) {
- // fall through next
- }
-
- try {
- sr.loadGroupByGroupname(v);
- return FormValidation.respond(Kind.OK, makeImg("user.png") +ev);
- } catch (UserMayOrMayNotExistException e) {
- // undecidable, meaning the group may exist
- return FormValidation.respond(Kind.OK, ev);
- } catch (UsernameNotFoundException e) {
- // fall through next
- } catch (DataAccessException e) {
- // fall through next
- }
-
- // couldn't find it. it doesn't exist
- return FormValidation.respond(Kind.ERROR, makeImg("error.png") +ev);
- }
-
- private String makeImg(String png) {
- return String.format("<img src='%s%s/images/16x16/%s' style='margin-right:0.2em'>", Stapler.getCurrentRequest().getContextPath(), Hudson.RESOURCE_PATH, png);
- }
- }
-}
-
diff --git a/hudson-core/src/main/java/hudson/security/ProjectMatrixAuthorizationStrategy.java b/hudson-core/src/main/java/hudson/security/ProjectMatrixAuthorizationStrategy.java
deleted file mode 100644
index c7dd8944..00000000
--- a/hudson-core/src/main/java/hudson/security/ProjectMatrixAuthorizationStrategy.java
+++ /dev/null
@@ -1,110 +0,0 @@
-/*******************************************************************************
- *
- * Copyright (c) 2004-2009 Oracle Corporation.
- *
- * All rights reserved. This program and the accompanying materials
- * are made available under the terms of the Eclipse Public License v1.0
- * which accompanies this distribution, and is available at
- * http://www.eclipse.org/legal/epl-v10.html
- *
- * Contributors:
-*
-* Kohsuke Kawaguchi, Yahoo! Inc., Seiji Sogabe, Tom Huybrechts
- *
- *
- *******************************************************************************/
-
-package hudson.security;
-
-import hudson.model.Descriptor;
-import hudson.model.Hudson;
-import hudson.model.Job;
-import hudson.util.RobustReflectionConverter;
-import hudson.Extension;
-import com.thoughtworks.xstream.io.HierarchicalStreamReader;
-import com.thoughtworks.xstream.converters.UnmarshallingContext;
-import com.thoughtworks.xstream.mapper.Mapper;
-import com.thoughtworks.xstream.core.JVM;
-
-import java.util.HashSet;
-import java.util.Set;
-
-/**
- * {@link GlobalMatrixAuthorizationStrategy} plus per-project ACL.
- *
- * <p>
- * Per-project ACL is stored in {@link AuthorizationMatrixProperty}.
- *
- * @author Kohsuke Kawaguchi
- */
-public class ProjectMatrixAuthorizationStrategy extends GlobalMatrixAuthorizationStrategy {
- @Override
- public ACL getACL(Job<?,?> project) {
- AuthorizationMatrixProperty amp = project.getProperty(AuthorizationMatrixProperty.class);
- if (amp != null) {
- return amp.getACL().newInheritingACL(getRootACL());
- } else {
- return getRootACL();
- }
- }
-
- @Override
- public Set<String> getGroups() {
- Set<String> r = new HashSet<String>();
- r.addAll(super.getGroups());
- for (Job<?,?> j : Hudson.getInstance().getItems(Job.class)) {
- AuthorizationMatrixProperty amp = j.getProperty(AuthorizationMatrixProperty.class);
- if (amp != null)
- r.addAll(amp.getGroups());
- }
- return r;
- }
-
- @Override
- public int getMode(){
- return MODE_PROJECT_MATRIX;
- }
-
- @Extension
- public static final Descriptor<AuthorizationStrategy> DESCRIPTOR = new DescriptorImpl() {
- @Override
- protected GlobalMatrixAuthorizationStrategy create() {
- return new ProjectMatrixAuthorizationStrategy();
- }
-
- @Override
- public String getDisplayName() {
- return Messages.ProjectMatrixAuthorizationStrategy_DisplayName();
- }
- };
-
- public static class ConverterImpl extends GlobalMatrixAuthorizationStrategy.ConverterImpl {
- private RobustReflectionConverter ref;
-
- public ConverterImpl(Mapper m) {
- ref = new RobustReflectionConverter(m,new JVM().bestReflectionProvider());
- }
-
- @Override
- protected GlobalMatrixAuthorizationStrategy create() {
- return new ProjectMatrixAuthorizationStrategy();
- }
-
- @Override
- public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
- String name = reader.peekNextChild();
- if(name!=null && (name.equals("permission") || name.equals("useProjectSecurity")))
- // the proper serialization form
- return super.unmarshal(reader, context);
- else
- // remain compatible with earlier problem where we used reflection converter
- return ref.unmarshal(reader,context);
- }
-
- @Override
- public boolean canConvert(Class type) {
- return type==ProjectMatrixAuthorizationStrategy.class;
- }
- }
-}
-
diff --git a/hudson-core/src/main/java/hudson/util/CascadingUtil.java b/hudson-core/src/main/java/hudson/util/CascadingUtil.java
index ad9f5958..20ae8009 100644
--- a/hudson-core/src/main/java/hudson/util/CascadingUtil.java
+++ b/hudson-core/src/main/java/hudson/util/CascadingUtil.java
@@ -24,7 +24,6 @@ import hudson.model.Job;
import hudson.model.JobPropertyDescriptor;
import hudson.model.ParameterDefinition;
import hudson.model.ParametersDefinitionProperty;
-import hudson.security.AuthorizationMatrixProperty;
import hudson.triggers.Trigger;
import hudson.triggers.TriggerDescriptor;
import java.io.IOException;
@@ -525,7 +524,6 @@ public class CascadingUtil {
* @see hudson.model.Job#getParameterDefinitionProperties()
*/
public static boolean isCascadableJobProperty(JobPropertyDescriptor d) {
- return !(d instanceof AuthorizationMatrixProperty.DescriptorImpl
- || d instanceof ParametersDefinitionProperty.DescriptorImpl);
+ return d.isCascadable();
}
}
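Review bot: `isCascadableJobProperty` now returns whatever the descriptor's `isCascadable()` says, so the exclusion of `AuthorizationMatrixProperty.DescriptorImpl` that core used to enforce here holds only if the relocated descriptor overrides it to return false. The default in `JobPropertyDescriptor` is not visible in this hunk; if it is true and the plugin descriptor does not override it, a per-project authorization matrix would start cascading to child jobs, so that override is worth confirming and covering with a test. The new line also dereferences `d`, where the old `instanceof` test returned true for a null descriptor, so either state the non-null requirement in the Javadoc or handle null explicitly. I would add a Javadoc sentence along the lines of `Descriptors of security-sensitive properties such as per-project ACLs must return false from isCascadable().` The Javadoc of this method starts outside the hunk.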
