STORY-2011206: add inheritance strategy

Change-Id: Iadc5cfd2fe920be0b6e985bb2f19e4e5bab8929e

jenkins_jobs/modules/properties.py

@@ -534,6 +534,12 @@ def authorization(registry, xml_parent, data, job_data):
     .. _authorization:
 
     For *matrix-auth >= 3.0*
+    :arg list <inheritance-strategy>: `<inheritance-strategy>` the name of inheritance strategy
+
+        :<inheritance-strategy> values:
+            * **parent**
+            * **global**
+            * **none**
 
     :arg list prefix:<name>:
             * `prefix`
@@ -572,7 +578,7 @@ def authorization(registry, xml_parent, data, job_data):
 
     Example:
 
-    .. literalinclude:: /../../tests/properties/fixtures/authorization.yaml
+    .. literalinclude:: /../../tests/properties/fixtures/authorization01.yaml
        :language: yaml
     """
 
@@ -610,30 +616,41 @@ def authorization(registry, xml_parent, data, job_data):
         else:
             element_name = "hudson.security.AuthorizationMatrixProperty"
         matrix = XML.SubElement(xml_parent, element_name)
+
+        inheritance_strategy = (
+            "org.jenkinsci.plugins.matrixauth.inheritance.InheritParentStrategy"
+        )
+        if data.get("inheritance-strategy") == "global":
+            inheritance_strategy = (
+                "org.jenkinsci.plugins.matrixauth.inheritance.InheritGlobalStrategy"
+            )
+        elif data.get("inheritance-strategy") == "none":
+            inheritance_strategy = (
+                "org.jenkinsci.plugins.matrixauth.inheritance.NonInheritingStrategy"
+            )
         XML.SubElement(
             matrix,
             "inheritanceStrategy",
-            {
+            {"class": inheritance_strategy},
-                "class": "org.jenkinsci.plugins.matrixauth.inheritance.InheritParentStrategy"
-            },
         )
 
         for (username, perms) in data.items():
-            for perm in perms:
+            if username != "inheritance-strategy":
-                pe = XML.SubElement(matrix, "permission")
+                for perm in perms:
-                try:
+                    pe = XML.SubElement(matrix, "permission")
-                    if username.upper().startswith(
+                    try:
-                        "GROUP:"
+                        if username.upper().startswith(
-                    ) or username.upper().startswith("USER:"):
+                            "GROUP:"
-                        pe.text = "{0}:{1}:{2}".format(
+                        ) or username.upper().startswith("USER:"):
-                            username.split(":")[0].upper(),
+                            pe.text = "{0}:{1}:{2}".format(
-                            mapping[perm],
+                                username.split(":")[0].upper(),
-                            username.split(":")[1],
+                                mapping[perm],
-                        )
+                                username.split(":")[1],
-                    else:
+                            )
-                        pe.text = "{0}:{1}".format(mapping[perm], username)
+                        else:
-                except KeyError:
+                            pe.text = "{0}:{1}".format(mapping[perm], username)
-                    raise InvalidAttributeError(username, perm, mapping.keys())
+                    except KeyError:
+                        raise InvalidAttributeError(username, perm, mapping.keys())
 
 
 def priority_sorter(registry, xml_parent, data):

tests/properties/fixtures/authorization01.xml

@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="utf-8"?>
+<project>
+  <properties>
+    <hudson.security.AuthorizationMatrixProperty>
+      <inheritanceStrategy class="org.jenkinsci.plugins.matrixauth.inheritance.NonInheritingStrategy"/>
+      <permission>USER:com.cloudbees.plugins.credentials.CredentialsProvider.Create:admin</permission>
+      <permission>USER:com.cloudbees.plugins.credentials.CredentialsProvider.Delete:admin</permission>
+      <permission>USER:com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains:admin</permission>
+      <permission>USER:com.cloudbees.plugins.credentials.CredentialsProvider.Update:admin</permission>
+      <permission>USER:com.cloudbees.plugins.credentials.CredentialsProvider.View:admin</permission>
+      <permission>USER:hudson.model.Item.Build:admin</permission>
+      <permission>USER:hudson.model.Item.Cancel:admin</permission>
+      <permission>USER:hudson.model.Item.Configure:admin</permission>
+      <permission>USER:hudson.model.Item.Delete:admin</permission>
+      <permission>USER:hudson.model.Item.Discover:admin</permission>
+      <permission>USER:hudson.model.Item.Move:admin</permission>
+      <permission>USER:hudson.model.Item.Read:admin</permission>
+      <permission>USER:hudson.model.Item.ViewStatus:admin</permission>
+      <permission>USER:hudson.model.Item.Workspace:admin</permission>
+      <permission>USER:com.synopsys.arc.jenkins.plugins.ownership.OwnershipPlugin.Jobs:admin</permission>
+      <permission>USER:hudson.model.Run.Delete:admin</permission>
+      <permission>USER:hudson.model.Run.Replay:admin</permission>
+      <permission>USER:hudson.model.Run.Update:admin</permission>
+      <permission>USER:hudson.scm.SCM.Tag:admin</permission>
+      <permission>GROUP:hudson.model.Item.Read:anonymous</permission>
+      <permission>GROUP:hudson.model.Item.ExtendedRead:anonymous</permission>
+      <permission>hudson.model.Item.Read:authenticated</permission>
+      <permission>hudson.model.Item.Discover:authenticated</permission>
+      <permission>hudson.model.Item.ExtendedRead:authenticated</permission>
+    </hudson.security.AuthorizationMatrixProperty>
+  </properties>
+</project>

tests/properties/fixtures/authorization01.yaml

@@ -0,0 +1,30 @@
+properties:
+    - authorization:
+        inheritance-strategy: none
+        USER:admin:
+            - credentials-create
+            - credentials-delete
+            - credentials-manage-domains
+            - credentials-update
+            - credentials-view
+            - job-build
+            - job-cancel
+            - job-configure
+            - job-delete
+            - job-discover
+            - job-move
+            - job-read
+            - job-status
+            - job-workspace
+            - ownership-jobs
+            - run-delete
+            - run-replay
+            - run-update
+            - scm-tag
+        GROUP:anonymous:
+            - job-read
+            - job-extended-read
+        authenticated:
+            - job-read
+            - job-discover
+            - job-extended-read

tests/properties/fixtures/authorization02.xml

@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="utf-8"?>
+<project>
+  <properties>
+    <hudson.security.AuthorizationMatrixProperty>
+      <inheritanceStrategy class="org.jenkinsci.plugins.matrixauth.inheritance.InheritGlobalStrategy"/>
+      <permission>USER:com.cloudbees.plugins.credentials.CredentialsProvider.Create:admin</permission>
+      <permission>USER:com.cloudbees.plugins.credentials.CredentialsProvider.Delete:admin</permission>
+      <permission>USER:com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains:admin</permission>
+      <permission>USER:com.cloudbees.plugins.credentials.CredentialsProvider.Update:admin</permission>
+      <permission>USER:com.cloudbees.plugins.credentials.CredentialsProvider.View:admin</permission>
+      <permission>USER:hudson.model.Item.Build:admin</permission>
+      <permission>USER:hudson.model.Item.Cancel:admin</permission>
+      <permission>USER:hudson.model.Item.Configure:admin</permission>
+      <permission>USER:hudson.model.Item.Delete:admin</permission>
+      <permission>USER:hudson.model.Item.Discover:admin</permission>
+      <permission>USER:hudson.model.Item.Move:admin</permission>
+      <permission>USER:hudson.model.Item.Read:admin</permission>
+      <permission>USER:hudson.model.Item.ViewStatus:admin</permission>
+      <permission>USER:hudson.model.Item.Workspace:admin</permission>
+      <permission>USER:com.synopsys.arc.jenkins.plugins.ownership.OwnershipPlugin.Jobs:admin</permission>
+      <permission>USER:hudson.model.Run.Delete:admin</permission>
+      <permission>USER:hudson.model.Run.Replay:admin</permission>
+      <permission>USER:hudson.model.Run.Update:admin</permission>
+      <permission>USER:hudson.scm.SCM.Tag:admin</permission>
+      <permission>GROUP:hudson.model.Item.Read:anonymous</permission>
+      <permission>GROUP:hudson.model.Item.ExtendedRead:anonymous</permission>
+      <permission>hudson.model.Item.Read:authenticated</permission>
+      <permission>hudson.model.Item.Discover:authenticated</permission>
+      <permission>hudson.model.Item.ExtendedRead:authenticated</permission>
+    </hudson.security.AuthorizationMatrixProperty>
+  </properties>
+</project>

tests/properties/fixtures/authorization02.yaml

@@ -0,0 +1,30 @@
+properties:
+    - authorization:
+        inheritance-strategy: global
+        USER:admin:
+            - credentials-create
+            - credentials-delete
+            - credentials-manage-domains
+            - credentials-update
+            - credentials-view
+            - job-build
+            - job-cancel
+            - job-configure
+            - job-delete
+            - job-discover
+            - job-move
+            - job-read
+            - job-status
+            - job-workspace
+            - ownership-jobs
+            - run-delete
+            - run-replay
+            - run-update
+            - scm-tag
+        GROUP:anonymous:
+            - job-read
+            - job-extended-read
+        authenticated:
+            - job-read
+            - job-discover
+            - job-extended-read