diff --git a/jenkins_jobs/modules/properties.py b/jenkins_jobs/modules/properties.py
index b7cdb34c3..30368e5d5 100644
--- a/jenkins_jobs/modules/properties.py
+++ b/jenkins_jobs/modules/properties.py
@@ -534,6 +534,12 @@ def authorization(registry, xml_parent, data, job_data):
     .. _authorization:
 
     For *matrix-auth >= 3.0*
+    :arg list : `` the name of inheritance strategy
+
+    : values:
+        * **parent**
+        * **global**
+        * **none**
     :arg list prefix::
         * `prefix`
@@ -572,7 +578,7 @@ def authorization(registry, xml_parent, data, job_data):
 
     Example:
 
-    .. literalinclude:: /../../tests/properties/fixtures/authorization.yaml
+    .. literalinclude:: /../../tests/properties/fixtures/authorization01.yaml
       :language: yaml
     """
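Review bot: The new field line `:arg list : `` the name of inheritance strategy` is malformed — the argument name is missing, the type says `list` although the code reads a single string via `data.get("inheritance-strategy")`, the empty literal renders as nothing, and `: values:` is not a valid field, so the option will not appear correctly in the generated docs. Suggest `:arg str inheritance-strategy: Matrix inheritance strategy (default 'parent')` with the three values as an indented bullet list under that field, in the same style as `:arg list prefix::` below it. The docstring continues past both edges of the hunk.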
@@ -610,30 +616,41 @@ def authorization(registry, xml_parent, data, job_data):
     else:
         element_name = "hudson.security.AuthorizationMatrixProperty"
     matrix = XML.SubElement(xml_parent, element_name)
+
+    inheritance_strategy = (
+        "org.jenkinsci.plugins.matrixauth.inheritance.InheritParentStrategy"
+    )
+    if data.get("inheritance-strategy") == "global":
+        inheritance_strategy = (
+            "org.jenkinsci.plugins.matrixauth.inheritance.InheritGlobalStrategy"
+        )
+    elif data.get("inheritance-strategy") == "none":
+        inheritance_strategy = (
+            "org.jenkinsci.plugins.matrixauth.inheritance.NonInheritingStrategy"
+        )
     XML.SubElement(
         matrix,
         "inheritanceStrategy",
-        {
-            "class": "org.jenkinsci.plugins.matrixauth.inheritance.InheritParentStrategy"
-        },
+        {"class": inheritance_strategy},
     )
     for (username, perms) in data.items():
-        for perm in perms:
-            pe = XML.SubElement(matrix, "permission")
-            try:
-                if username.upper().startswith(
-                    "GROUP:"
-                ) or username.upper().startswith("USER:"):
-                    pe.text = "{0}:{1}:{2}".format(
-                        username.split(":")[0].upper(),
-                        mapping[perm],
-                        username.split(":")[1],
-                    )
-                else:
-                    pe.text = "{0}:{1}".format(mapping[perm], username)
-            except KeyError:
-                raise InvalidAttributeError(username, perm, mapping.keys())
+        if username != "inheritance-strategy":
+            for perm in perms:
+                pe = XML.SubElement(matrix, "permission")
+                try:
+                    if username.upper().startswith(
+                        "GROUP:"
+                    ) or username.upper().startswith("USER:"):
+                        pe.text = "{0}:{1}:{2}".format(
+                            username.split(":")[0].upper(),
+                            mapping[perm],
+                            username.split(":")[1],
+                        )
+                    else:
+                        pe.text = "{0}:{1}".format(mapping[perm], username)
+                except KeyError:
+                    raise InvalidAttributeError(username, perm, mapping.keys())
 
 
 def priority_sorter(registry, xml_parent, data):
diff --git a/tests/properties/fixtures/authorization01.xml b/tests/properties/fixtures/authorization01.xml
new file mode 100644
index 000000000..98d38032c
--- /dev/null
+++ b/tests/properties/fixtures/authorization01.xml
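Review bot: An unrecognized `inheritance-strategy` value is silently mapped to `InheritParentStrategy` by the new if/elif chain, so a typo such as `nonee` or a capitalized `None` yields a job whose permissions inherit from the parent instead of the locked-down matrix the author asked for; for an authorization setting the generator should fail closed, as the permission loop below already does with `InvalidAttributeError`. Replace the chain with a lookup table and raise on unknown keys, which also drops the duplicated `data.get("inheritance-strategy")` call (the `if username != "inheritance-strategy"` skip can stay). If the pre-3.0 branch outside this hunk iterates `data.items()` the same way, the new key would reach it as a username there — worth checking. The enclosing `authorization` function starts before this hunk.
```python
    matrix = XML.SubElement(xml_parent, element_name)

    strategies = {
        "parent": "org.jenkinsci.plugins.matrixauth.inheritance.InheritParentStrategy",
        "global": "org.jenkinsci.plugins.matrixauth.inheritance.InheritGlobalStrategy",
        "none": "org.jenkinsci.plugins.matrixauth.inheritance.NonInheritingStrategy",
    }
    strategy_name = data.get("inheritance-strategy", "parent")
    try:
        inheritance_strategy = strategies[strategy_name]
    except KeyError:
        # Fail closed: an unknown strategy must not silently widen inheritance.
        raise InvalidAttributeError(
            "inheritance-strategy", strategy_name, strategies.keys()
        )
    # … unchanged: inheritanceStrategy element and permission loop …
```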
@@ -0,0 +1,32 @@
+
+
+
+
+
+      USER:com.cloudbees.plugins.credentials.CredentialsProvider.Create:admin
+      USER:com.cloudbees.plugins.credentials.CredentialsProvider.Delete:admin
+      USER:com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains:admin
+      USER:com.cloudbees.plugins.credentials.CredentialsProvider.Update:admin
+      USER:com.cloudbees.plugins.credentials.CredentialsProvider.View:admin
+      USER:hudson.model.Item.Build:admin
+      USER:hudson.model.Item.Cancel:admin
+      USER:hudson.model.Item.Configure:admin
+      USER:hudson.model.Item.Delete:admin
+      USER:hudson.model.Item.Discover:admin
+      USER:hudson.model.Item.Move:admin
+      USER:hudson.model.Item.Read:admin
+      USER:hudson.model.Item.ViewStatus:admin
+      USER:hudson.model.Item.Workspace:admin
+      USER:com.synopsys.arc.jenkins.plugins.ownership.OwnershipPlugin.Jobs:admin
+      USER:hudson.model.Run.Delete:admin
+      USER:hudson.model.Run.Replay:admin
+      USER:hudson.model.Run.Update:admin
+      USER:hudson.scm.SCM.Tag:admin
+      GROUP:hudson.model.Item.Read:anonymous
+      GROUP:hudson.model.Item.ExtendedRead:anonymous
+      hudson.model.Item.Read:authenticated
+      hudson.model.Item.Discover:authenticated
+      hudson.model.Item.ExtendedRead:authenticated
+
+
+
diff --git a/tests/properties/fixtures/authorization01.yaml b/tests/properties/fixtures/authorization01.yaml
new file mode 100644
index 000000000..8d4f0ea70
--- /dev/null
+++ b/tests/properties/fixtures/authorization01.yaml
@@ -0,0 +1,30 @@
+properties:
+  - authorization:
+      inheritance-strategy: none
+      USER:admin:
+        - credentials-create
+        - credentials-delete
+        - credentials-manage-domains
+        - credentials-update
+        - credentials-view
+        - job-build
+        - job-cancel
+        - job-configure
+        - job-delete
+        - job-discover
+        - job-move
+        - job-read
+        - job-status
+        - job-workspace
+        - ownership-jobs
+        - run-delete
+        - run-replay
+        - run-update
+        - scm-tag
+      GROUP:anonymous:
+        - job-read
+        - job-extended-read
+      authenticated:
+        - job-read
+        - job-discover
+        - job-extended-read
diff --git a/tests/properties/fixtures/authorization02.xml b/tests/properties/fixtures/authorization02.xml
new file mode 100644
index 000000000..adb92c4c5
--- /dev/null
+++ b/tests/properties/fixtures/authorization02.xml
@@ -0,0 +1,32 @@
+
+
+
+
+
+      USER:com.cloudbees.plugins.credentials.CredentialsProvider.Create:admin
+      USER:com.cloudbees.plugins.credentials.CredentialsProvider.Delete:admin
+      USER:com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains:admin
+      USER:com.cloudbees.plugins.credentials.CredentialsProvider.Update:admin
+      USER:com.cloudbees.plugins.credentials.CredentialsProvider.View:admin
+      USER:hudson.model.Item.Build:admin
+      USER:hudson.model.Item.Cancel:admin
+      USER:hudson.model.Item.Configure:admin
+      USER:hudson.model.Item.Delete:admin
+      USER:hudson.model.Item.Discover:admin
+      USER:hudson.model.Item.Move:admin
+      USER:hudson.model.Item.Read:admin
+      USER:hudson.model.Item.ViewStatus:admin
+      USER:hudson.model.Item.Workspace:admin
+      USER:com.synopsys.arc.jenkins.plugins.ownership.OwnershipPlugin.Jobs:admin
+      USER:hudson.model.Run.Delete:admin
+      USER:hudson.model.Run.Replay:admin
+      USER:hudson.model.Run.Update:admin
+      USER:hudson.scm.SCM.Tag:admin
+      GROUP:hudson.model.Item.Read:anonymous
+      GROUP:hudson.model.Item.ExtendedRead:anonymous
+      hudson.model.Item.Read:authenticated
+      hudson.model.Item.Discover:authenticated
+      hudson.model.Item.ExtendedRead:authenticated
+
+
+
diff --git a/tests/properties/fixtures/authorization02.yaml b/tests/properties/fixtures/authorization02.yaml
new file mode 100644
index 000000000..fe1a34b5b
--- /dev/null
+++ b/tests/properties/fixtures/authorization02.yaml
@@ -0,0 +1,30 @@
+properties:
+  - authorization:
+      inheritance-strategy: global
+      USER:admin:
+        - credentials-create
+        - credentials-delete
+        - credentials-manage-domains
+        - credentials-update
+        - credentials-view
+        - job-build
+        - job-cancel
+        - job-configure
+        - job-delete
+        - job-discover
+        - job-move
+        - job-read
+        - job-status
+        - job-workspace
+        - ownership-jobs
+        - run-delete
+        - run-replay
+        - run-update
+        - scm-tag
+      GROUP:anonymous:
+        - job-read
+        - job-extended-read
+      authenticated:
+        - job-read
+        - job-discover
+        - job-extended-read