STORY-2011206: add inheritance strategy

Change-Id: Iadc5cfd2fe920be0b6e985bb2f19e4e5bab8929e
Max Trunov 2024-08-16 16:42:52 +05:00
parent 2fb1a53c44
commit b500b95c56
5 changed files with 160 additions and 19 deletions


@ -534,6 +534,12 @@ def authorization(registry, xml_parent, data, job_data):
.. _authorization:
For *matrix-auth >= 3.0*
:arg list <inheritance-strategy>: `<inheritance-strategy>` the name of inheritance strategy
:<inheritance-strategy> values:
* **parent**
* **global**
* **none**
:arg list prefix:<name>:
* `prefix`
@ -572,7 +578,7 @@ def authorization(registry, xml_parent, data, job_data):
Example:
.. literalinclude:: /../../tests/properties/fixtures/authorization.yaml
.. literalinclude:: /../../tests/properties/fixtures/authorization01.yaml
:language: yaml
"""
@ -610,30 +616,41 @@ def authorization(registry, xml_parent, data, job_data):
else:
element_name = "hudson.security.AuthorizationMatrixProperty"
matrix = XML.SubElement(xml_parent, element_name)
inheritance_strategy = (
"org.jenkinsci.plugins.matrixauth.inheritance.InheritParentStrategy"
)
if data.get("inheritance-strategy") == "global":
inheritance_strategy = (
"org.jenkinsci.plugins.matrixauth.inheritance.InheritGlobalStrategy"
)
elif data.get("inheritance-strategy") == "none":
inheritance_strategy = (
"org.jenkinsci.plugins.matrixauth.inheritance.NonInheritingStrategy"
)
XML.SubElement(
matrix,
"inheritanceStrategy",
{
"class": "org.jenkinsci.plugins.matrixauth.inheritance.InheritParentStrategy"
},
{"class": inheritance_strategy},
)
for (username, perms) in data.items():
for perm in perms:
pe = XML.SubElement(matrix, "permission")
try:
if username.upper().startswith(
"GROUP:"
) or username.upper().startswith("USER:"):
pe.text = "{0}:{1}:{2}".format(
username.split(":")[0].upper(),
mapping[perm],
username.split(":")[1],
)
else:
pe.text = "{0}:{1}".format(mapping[perm], username)
except KeyError:
raise InvalidAttributeError(username, perm, mapping.keys())
if username != "inheritance-strategy":
for perm in perms:
pe = XML.SubElement(matrix, "permission")
try:
if username.upper().startswith(
"GROUP:"
) or username.upper().startswith("USER:"):
pe.text = "{0}:{1}:{2}".format(
username.split(":")[0].upper(),
mapping[perm],
username.split(":")[1],
)
else:
pe.text = "{0}:{1}".format(mapping[perm], username)
except KeyError:
raise InvalidAttributeError(username, perm, mapping.keys())
def priority_sorter(registry, xml_parent, data):
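Review bot: An unrecognised `inheritance-strategy` value silently falls back to InheritParentStrategy in the new `if`/`elif` chain (the lines starting at `inheritance_strategy = (` after `matrix = XML.SubElement(xml_parent, element_name)`), so a job that misspells `none` ends up inheriting parent permissions instead of being rejected; the permission loop further down already raises InvalidAttributeError for an unknown permission name, and the strategy value deserves the same validation. A lookup table over the three documented names replaces the chain, keeps the default in one place and makes the rejection explicit. The docstring in the first hunk also marks the option as `:arg list <inheritance-strategy>:` although the new fixtures pass a single string; `:arg str inheritance-strategy: permission inheritance strategy, one of parent (default), global or none` would match what the code reads. The enclosing authorization() starts before this hunk.
```python
    matrix = XML.SubElement(xml_parent, element_name)
    # Map the documented strategy names to the plugin classes; any other value is
    # rejected instead of silently falling back to parent inheritance.
    strategies = {
        "parent": "org.jenkinsci.plugins.matrixauth.inheritance.InheritParentStrategy",
        "global": "org.jenkinsci.plugins.matrixauth.inheritance.InheritGlobalStrategy",
        "none": "org.jenkinsci.plugins.matrixauth.inheritance.NonInheritingStrategy",
    }
    strategy_name = data.get("inheritance-strategy", "parent")
    try:
        inheritance_strategy = strategies[strategy_name]
    except KeyError:
        raise InvalidAttributeError("inheritance-strategy", strategy_name, strategies.keys())
    XML.SubElement(matrix, "inheritanceStrategy", {"class": inheritance_strategy})
    # … unchanged: permission loop over data.items() …
```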


@ -0,0 +1,32 @@
<?xml version="1.0" encoding="utf-8"?>
<project>
<properties>
<hudson.security.AuthorizationMatrixProperty>
<inheritanceStrategy class="org.jenkinsci.plugins.matrixauth.inheritance.NonInheritingStrategy"/>
<permission>USER:com.cloudbees.plugins.credentials.CredentialsProvider.Create:admin</permission>
<permission>USER:com.cloudbees.plugins.credentials.CredentialsProvider.Delete:admin</permission>
<permission>USER:com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains:admin</permission>
<permission>USER:com.cloudbees.plugins.credentials.CredentialsProvider.Update:admin</permission>
<permission>USER:com.cloudbees.plugins.credentials.CredentialsProvider.View:admin</permission>
<permission>USER:hudson.model.Item.Build:admin</permission>
<permission>USER:hudson.model.Item.Cancel:admin</permission>
<permission>USER:hudson.model.Item.Configure:admin</permission>
<permission>USER:hudson.model.Item.Delete:admin</permission>
<permission>USER:hudson.model.Item.Discover:admin</permission>
<permission>USER:hudson.model.Item.Move:admin</permission>
<permission>USER:hudson.model.Item.Read:admin</permission>
<permission>USER:hudson.model.Item.ViewStatus:admin</permission>
<permission>USER:hudson.model.Item.Workspace:admin</permission>
<permission>USER:com.synopsys.arc.jenkins.plugins.ownership.OwnershipPlugin.Jobs:admin</permission>
<permission>USER:hudson.model.Run.Delete:admin</permission>
<permission>USER:hudson.model.Run.Replay:admin</permission>
<permission>USER:hudson.model.Run.Update:admin</permission>
<permission>USER:hudson.scm.SCM.Tag:admin</permission>
<permission>GROUP:hudson.model.Item.Read:anonymous</permission>
<permission>GROUP:hudson.model.Item.ExtendedRead:anonymous</permission>
<permission>hudson.model.Item.Read:authenticated</permission>
<permission>hudson.model.Item.Discover:authenticated</permission>
<permission>hudson.model.Item.ExtendedRead:authenticated</permission>
</hudson.security.AuthorizationMatrixProperty>
</properties>
</project>


@ -0,0 +1,30 @@
properties:
- authorization:
inheritance-strategy: none
USER:admin:
- credentials-create
- credentials-delete
- credentials-manage-domains
- credentials-update
- credentials-view
- job-build
- job-cancel
- job-configure
- job-delete
- job-discover
- job-move
- job-read
- job-status
- job-workspace
- ownership-jobs
- run-delete
- run-replay
- run-update
- scm-tag
GROUP:anonymous:
- job-read
- job-extended-read
authenticated:
- job-read
- job-discover
- job-extended-read


@ -0,0 +1,32 @@
<?xml version="1.0" encoding="utf-8"?>
<project>
<properties>
<hudson.security.AuthorizationMatrixProperty>
<inheritanceStrategy class="org.jenkinsci.plugins.matrixauth.inheritance.InheritGlobalStrategy"/>
<permission>USER:com.cloudbees.plugins.credentials.CredentialsProvider.Create:admin</permission>
<permission>USER:com.cloudbees.plugins.credentials.CredentialsProvider.Delete:admin</permission>
<permission>USER:com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains:admin</permission>
<permission>USER:com.cloudbees.plugins.credentials.CredentialsProvider.Update:admin</permission>
<permission>USER:com.cloudbees.plugins.credentials.CredentialsProvider.View:admin</permission>
<permission>USER:hudson.model.Item.Build:admin</permission>
<permission>USER:hudson.model.Item.Cancel:admin</permission>
<permission>USER:hudson.model.Item.Configure:admin</permission>
<permission>USER:hudson.model.Item.Delete:admin</permission>
<permission>USER:hudson.model.Item.Discover:admin</permission>
<permission>USER:hudson.model.Item.Move:admin</permission>
<permission>USER:hudson.model.Item.Read:admin</permission>
<permission>USER:hudson.model.Item.ViewStatus:admin</permission>
<permission>USER:hudson.model.Item.Workspace:admin</permission>
<permission>USER:com.synopsys.arc.jenkins.plugins.ownership.OwnershipPlugin.Jobs:admin</permission>
<permission>USER:hudson.model.Run.Delete:admin</permission>
<permission>USER:hudson.model.Run.Replay:admin</permission>
<permission>USER:hudson.model.Run.Update:admin</permission>
<permission>USER:hudson.scm.SCM.Tag:admin</permission>
<permission>GROUP:hudson.model.Item.Read:anonymous</permission>
<permission>GROUP:hudson.model.Item.ExtendedRead:anonymous</permission>
<permission>hudson.model.Item.Read:authenticated</permission>
<permission>hudson.model.Item.Discover:authenticated</permission>
<permission>hudson.model.Item.ExtendedRead:authenticated</permission>
</hudson.security.AuthorizationMatrixProperty>
</properties>
</project>


@ -0,0 +1,30 @@
properties:
- authorization:
inheritance-strategy: global
USER:admin:
- credentials-create
- credentials-delete
- credentials-manage-domains
- credentials-update
- credentials-view
- job-build
- job-cancel
- job-configure
- job-delete
- job-discover
- job-move
- job-read
- job-status
- job-workspace
- ownership-jobs
- run-delete
- run-replay
- run-update
- scm-tag
GROUP:anonymous:
- job-read
- job-extended-read
authenticated:
- job-read
- job-discover
- job-extended-read