authorAdam Romanek <romanek.adam@gmail.com>2020-07-15 13:11:33 +0200
committerAdam Romanek <romanek.adam@gmail.com>2020-07-15 13:11:33 +0200
commit703a76650f746bad713fef55389a616f0067255a (patch)
tree5786b501c02ea1ced86019d4ea0163a913c524e7
parent28e43831e9facb5bdd1169f3af845aad5bf0c717 (diff)
Fix Authorization Matrix property - inheritance strategy
Up until now the <inheritanceStrategy> tag was only added to jobs-in-a-folder and folder configs. In JJB the tag's class is always set to "InheritParentStrategy" which according to the docs means the "item will inherit its parent items permissions". Apparently the <inheritanceStrategy> tag needs to be present on top-level jobs also. For top-level jobs setting the tag's class value to "InheritParentStrategy" means the job "will inherit the global security security settings" and this is the default behavior. The code has been simplified a bit - if it's a folder then we use a different property name for authorization matrix property, other than that the code is the same for all three "variants": folder, job-in-a-folder and job-outside-a-folder (top-level job). Also this change fixes the missing <inheritanceStrategy> tag for job-in-a-folder, where the folder name was specified as part of the "name" key instead of the standalone "folder" key. With this change we no longer check if a job is in a folder or not, so it's implicitly fixed. Added a test case to catch potential regressions in the future. The copyright notice reflects this and the previous contribution in this module. Change-Id: I84b22c09c8a107aab2b4eca20feffc9b61675a92
-rw-r--r--jenkins_jobs/modules/properties.py34
-rw-r--r--tests/properties/fixtures/authorization.xml1
-rw-r--r--tests/properties/fixtures/authorization_matrix.xml1
-rw-r--r--tests/yamlparser/fixtures/auth-jobs/project-in-folder-with-auth-properties2.xml20
-rw-r--r--tests/yamlparser/fixtures/project-in-folder-with-auth-properties2.yaml8
-rw-r--r--tests/yamlparser/fixtures/project-with-auth-properties.xml1
6 files changed, 43 insertions, 22 deletions
diff --git a/jenkins_jobs/modules/properties.py b/jenkins_jobs/modules/properties.py
index 41db1c03..67a14f51 100644
--- a/jenkins_jobs/modules/properties.py
+++ b/jenkins_jobs/modules/properties.py
@@ -1,4 +1,5 @@
# Copyright 2012 Hewlett-Packard Development Company, L.P.
+# Copyright 2020 Liberty Global B.V.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -518,9 +519,6 @@ def authorization(registry, xml_parent, data):
:language: yaml
"""
- # get the folder name if it exists
- in_a_folder = data.pop("_use_folder_perms", None) if data else None
-
# check if it's a folder or a job
is_a_folder = data.pop("_is_a_folder", None) if data else False
@@ -551,23 +549,18 @@ def authorization(registry, xml_parent, data):
}
if data:
- if in_a_folder:
- if is_a_folder:
- element_name = "com.cloudbees.hudson.plugins.folder.properties.AuthorizationMatrixProperty"
- else:
- element_name = "hudson.security.AuthorizationMatrixProperty"
- matrix = XML.SubElement(xml_parent, element_name)
- XML.SubElement(
- matrix,
- "inheritanceStrategy",
- {
- "class": "org.jenkinsci.plugins.matrixauth.inheritance.InheritParentStrategy"
- },
- )
+ if is_a_folder:
+ element_name = "com.cloudbees.hudson.plugins.folder.properties.AuthorizationMatrixProperty"
else:
- matrix = XML.SubElement(
- xml_parent, "hudson.security.AuthorizationMatrixProperty"
- )
+ element_name = "hudson.security.AuthorizationMatrixProperty"
+ matrix = XML.SubElement(xml_parent, element_name)
+ XML.SubElement(
+ matrix,
+ "inheritanceStrategy",
+ {
+ "class": "org.jenkinsci.plugins.matrixauth.inheritance.InheritParentStrategy"
+ },
+ )
for (username, perms) in data.items():
for perm in perms:
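Review bot: The `inheritanceStrategy` class in the rebuilt `if data:` branch is hard-coded to `InheritParentStrategy` for folders, jobs in folders and top-level jobs alike, so a matrix defined through JJB can only add permissions on top of what the parent folder or the global security configuration already grants. A job that is meant to be restricted to the listed users cannot be expressed, and someone reading the YAML may assume the listed users are the complete set with access. The matrix-auth plugin ships other strategies in the same package (for example `NonInheritingStrategy`; confirm against the plugin version you target), so it may be worth letting the caller select the class while keeping the current value as the default. At minimum, the docstring of `authorization` (which starts and ends outside this hunk) should say something like `Permissions listed here are added to those inherited from the parent item, or from global security for top-level jobs; inheritance is always enabled.`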
@@ -1271,13 +1264,10 @@ class Properties(jenkins_jobs.modules.base.Base):
# Only projects are placed in folders
if "project-type" in data:
if data["project-type"] in ("folder", "multibranch"):
- prop["authorization"]["_use_folder_perms"] = True
prop["authorization"]["_is_a_folder"] = True
else:
- prop["authorization"]["_use_folder_perms"] = "folder" in data
prop["authorization"]["_is_a_folder"] = False
else:
- prop["authorization"]["_use_folder_perms"] = False
prop["authorization"]["_is_a_folder"] = False
self.registry.dispatch("property", properties, prop)
diff --git a/tests/properties/fixtures/authorization.xml b/tests/properties/fixtures/authorization.xml
index 06268a05..593dfa84 100644
--- a/tests/properties/fixtures/authorization.xml
+++ b/tests/properties/fixtures/authorization.xml
@@ -2,6 +2,7 @@
<project>
<properties>
<hudson.security.AuthorizationMatrixProperty>
+ <inheritanceStrategy class="org.jenkinsci.plugins.matrixauth.inheritance.InheritParentStrategy"/>
<permission>com.cloudbees.plugins.credentials.CredentialsProvider.Create:admin</permission>
<permission>com.cloudbees.plugins.credentials.CredentialsProvider.Delete:admin</permission>
<permission>com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains:admin</permission>
diff --git a/tests/properties/fixtures/authorization_matrix.xml b/tests/properties/fixtures/authorization_matrix.xml
index f3fd8177..6404b142 100644
--- a/tests/properties/fixtures/authorization_matrix.xml
+++ b/tests/properties/fixtures/authorization_matrix.xml
@@ -2,6 +2,7 @@
<project>
<properties>
<hudson.security.AuthorizationMatrixProperty>
+ <inheritanceStrategy class="org.jenkinsci.plugins.matrixauth.inheritance.InheritParentStrategy"/>
<permission>hudson.model.Item.Delete:admin</permission>
<permission>hudson.model.Item.Configure:admin</permission>
<permission>hudson.model.Item.Read:admin</permission>
diff --git a/tests/yamlparser/fixtures/auth-jobs/project-in-folder-with-auth-properties2.xml b/tests/yamlparser/fixtures/auth-jobs/project-in-folder-with-auth-properties2.xml
new file mode 100644
index 00000000..3669b217
--- /dev/null
+++ b/tests/yamlparser/fixtures/auth-jobs/project-in-folder-with-auth-properties2.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="utf-8"?>
+<project>
+ <actions/>
+ <description>&lt;!-- Managed by Jenkins Job Builder --&gt;</description>
+ <keepDependencies>false</keepDependencies>
+ <blockBuildWhenDownstreamBuilding>false</blockBuildWhenDownstreamBuilding>
+ <blockBuildWhenUpstreamBuilding>false</blockBuildWhenUpstreamBuilding>
+ <concurrentBuild>false</concurrentBuild>
+ <canRoam>true</canRoam>
+ <properties>
+ <hudson.security.AuthorizationMatrixProperty>
+ <inheritanceStrategy class="org.jenkinsci.plugins.matrixauth.inheritance.InheritParentStrategy"/>
+ <permission>hudson.model.Item.Build:auser</permission>
+ </hudson.security.AuthorizationMatrixProperty>
+ </properties>
+ <scm class="hudson.scm.NullSCM"/>
+ <builders/>
+ <publishers/>
+ <buildWrappers/>
+</project>
diff --git a/tests/yamlparser/fixtures/project-in-folder-with-auth-properties2.yaml b/tests/yamlparser/fixtures/project-in-folder-with-auth-properties2.yaml
new file mode 100644
index 00000000..8351c473
--- /dev/null
+++ b/tests/yamlparser/fixtures/project-in-folder-with-auth-properties2.yaml
@@ -0,0 +1,8 @@
+- job:
+ # folder name specified as part of job name
+ name: auth-jobs/auth-job-test
+ project-type: freestyle
+ properties:
+ - authorization:
+ auser:
+ - job-build
diff --git a/tests/yamlparser/fixtures/project-with-auth-properties.xml b/tests/yamlparser/fixtures/project-with-auth-properties.xml
index 4d4c1dfb..c02bd8cc 100644
--- a/tests/yamlparser/fixtures/project-with-auth-properties.xml
+++ b/tests/yamlparser/fixtures/project-with-auth-properties.xml
@@ -14,6 +14,7 @@
<canRoam>true</canRoam>
<properties>
<hudson.security.AuthorizationMatrixProperty>
+ <inheritanceStrategy class="org.jenkinsci.plugins.matrixauth.inheritance.InheritParentStrategy"/>
<permission>hudson.model.Item.Build:auser</permission>
</hudson.security.AuthorizationMatrixProperty>
</properties>