[JENKINS-75545] Make pod templates more flexible configurable based on permissions (#1671)

Co-authored-by: Vincent Latombe <[email protected]>
Co-authored-by: Allan Burdajewicz <[email protected]>

Author: 3 people

src/main/java/org/csanchez/jenkins/plugins/kubernetes/KubernetesCloud.java

@@ -23,6 +23,7 @@
 import hudson.model.Label;
 import hudson.security.ACL;
 import hudson.security.AccessControlled;
+import hudson.security.Permission;
 import hudson.slaves.Cloud;
 import hudson.slaves.NodeProvisioner;
 import hudson.util.FormApply;
@@ -737,10 +738,16 @@ private static void ensureServerCertificateInFipsMode(String serverCertificate)
 
     @Override
     public void replaceTemplate(PodTemplate oldTemplate, PodTemplate newTemplate) {
+        this.checkManagePermission();
         this.removeTemplate(oldTemplate);
         this.addTemplate(newTemplate);
     }
 
+    @Override
+    public Permission getManagePermission() {
+        return Jenkins.MANAGE;
+    }
+
     @Override
     public boolean canProvision(@NonNull Cloud.CloudState state) {
         return getTemplate(state.getLabel()) != null;
@@ -805,6 +812,7 @@ public List<PodTemplate> getTemplatesFor(@CheckForNull Label label) {
      */
     @Override
     public void addTemplate(PodTemplate t) {
+        this.checkManagePermission();
         this.templates.add(t);
         // t.parent = this;
     }
@@ -816,6 +824,7 @@ public void addTemplate(PodTemplate t) {
      */
     @Override
     public void removeTemplate(PodTemplate t) {
+        this.checkManagePermission();
         this.templates.remove(t);
     }
 
@@ -920,7 +929,7 @@ public PodTemplate.DescriptorImpl getTemplateDescriptor() {
     public HttpResponse doCreate(StaplerRequest2 req, StaplerResponse2 rsp)
             throws IOException, ServletException, Descriptor.FormException {
         Jenkins j = Jenkins.get();
-        j.checkPermission(Jenkins.MANAGE);
+        this.checkManagePermission();
         PodTemplate newTemplate = getTemplateDescriptor().newInstance(req, req.getSubmittedForm());
         addTemplate(newTemplate);
         j.save();

src/main/java/org/csanchez/jenkins/plugins/kubernetes/NonConfigurableKubernetesCloud.java

@@ -10,6 +10,7 @@
 import jenkins.model.Jenkins;
 import net.sf.json.JSONObject;
 import org.kohsuke.stapler.StaplerRequest2;
+import org.springframework.security.access.AccessDeniedException;
 
 public class NonConfigurableKubernetesCloud extends KubernetesCloud {
     public NonConfigurableKubernetesCloud(@NonNull String name, @NonNull KubernetesCloud source) {
@@ -25,6 +26,14 @@ public void addTemplate(PodTemplate template) {}
     @Override
     public void removeTemplate(PodTemplate template) {}
 
+    @Override
+    public boolean hasManagePermission() {
+        return false;
+    }
+
+    @Override
+    public void checkManagePermission() throws AccessDeniedException {}
+
     @Override
     public Cloud reconfigure(@NonNull StaplerRequest2 req, JSONObject form) throws Descriptor.FormException {
         return DescriptorImpl.class.cast(getDescriptor()).newInstance(req, form);

src/main/java/org/csanchez/jenkins/plugins/kubernetes/PodTemplate.java

@@ -53,6 +53,7 @@
 import org.kohsuke.stapler.DataBoundSetter;
 import org.kohsuke.stapler.HttpRedirect;
 import org.kohsuke.stapler.HttpResponse;
+import org.kohsuke.stapler.Stapler;
 import org.kohsuke.stapler.StaplerRequest2;
 import org.kohsuke.stapler.verb.POST;
 
@@ -661,16 +662,29 @@ public void addEnvVars(List<TemplateEnvVar> envVars) {
         }
     }
 
+    @SuppressWarnings("unused") // Used by jelly
+    @Restricted(DoNotUse.class) // Used by jelly
+    public boolean hasManagePermission() {
+        StaplerRequest2 request = Stapler.getCurrentRequest2();
+        if (request != null) {
+            PodTemplateGroup groupFromRequest = request.findAncestorObject(PodTemplateGroup.class);
+            if (groupFromRequest != null) {
+                return groupFromRequest.hasManagePermission();
+            }
+        }
+        return Jenkins.get().hasPermission(Jenkins.MANAGE);
+    }
+
     /**
      * Deletes the template.
      */
     @POST
     public HttpResponse doDoDelete(@AncestorInPath PodTemplateGroup owner) throws IOException {
-        Jenkins j = Jenkins.get();
-        j.checkPermission(Jenkins.MANAGE);
         if (owner == null) {
             throw new IllegalStateException("Cloud could not be found");
         }
+        Jenkins j = Jenkins.get();
+        owner.checkManagePermission();
         owner.removeTemplate(this);
         j.save();
         // take the user back.
@@ -680,11 +694,11 @@ public HttpResponse doDoDelete(@AncestorInPath PodTemplateGroup owner) throws IO
     @POST
     public HttpResponse doConfigSubmit(StaplerRequest2 req, @AncestorInPath PodTemplateGroup owner)
             throws IOException, ServletException, Descriptor.FormException {
-        Jenkins j = Jenkins.get();
-        j.checkPermission(Jenkins.MANAGE);
         if (owner == null) {
             throw new IllegalStateException("Cloud could not be found");
         }
+        Jenkins j = Jenkins.get();
+        owner.checkManagePermission();
         PodTemplate newTemplate = reconfigure(req, req.getSubmittedForm());
         owner.replaceTemplate(this, newTemplate);
         j.save();

src/main/java/org/csanchez/jenkins/plugins/kubernetes/PodTemplateGroup.java

@@ -1,4 +1,10 @@
 package org.csanchez.jenkins.plugins.kubernetes;
+
+import hudson.security.Permission;
+import jenkins.model.Jenkins;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.core.Authentication;
+
 /**
  * A group of pod templates that can be saved together.
  */
@@ -25,4 +31,23 @@ public interface PodTemplateGroup {
      * @return the URL to redirect to after the template is saved.
      */
     String getPodTemplateGroupUrl();
+
+    /**
+     * @return The permission required to manage the templates in this group.
+     */
+    Permission getManagePermission();
+
+    /**
+     * @return {@code true} if the current {@link Authentication} has permissions to add / replace / remove templates.
+     */
+    default boolean hasManagePermission() {
+        return Jenkins.get().hasPermission(getManagePermission());
+    }
+    /**
+     * Checks whether the current {@link Authentication} has sufficient permissions to manage the templates in this group.
+     * @throws AccessDeniedException if access is denied for the current {@link Authentication}.
+     */
+    default void checkManagePermission() throws AccessDeniedException {
+        Jenkins.get().checkPermission(getManagePermission());
+    }
 }

src/main/resources/org/csanchez/jenkins/plugins/kubernetes/KubernetesCloud/new.jelly

@@ -20,7 +20,8 @@ THE SOFTWARE.
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:l="/lib/layout" xmlns:f="/lib/form">
   <l:layout permission="${app.MANAGE_AND_SYSTEM_READ}" title="${%New pod template}">
-    <j:set var="readOnlyMode" value="${!app.hasPermission(app.MANAGE)}"/>
+    <j:set var="canManageTemplate" value="${it.hasManagePermission()}"/>
+    <j:set var="readOnlyMode" value="${!canManageTemplate}"/>
     <l:breadcrumb title="${%New pod template }"/>
     <st:include page="sidepanel.jelly" it="${it}"/>
     <l:main-panel>
@@ -30,15 +31,16 @@ THE SOFTWARE.
 
         <j:set var="descriptor" value="${it.templateDescriptor}"/>
         <st:include class="${descriptor.clazz}" page="config.jelly"/>
-        <l:hasAdministerOrManage>
+
+        <j:if test="${canManageTemplate}">
           <f:bottomButtonBar>
             <f:submit value="${%Create}"/>
           </f:bottomButtonBar>
-        </l:hasAdministerOrManage>
+        </j:if>
       </f:form>
-      <l:hasAdministerOrManage>
+      <j:if test="${canManageTemplate}">
         <st:adjunct includes="lib.form.confirm"/>
-      </l:hasAdministerOrManage>
+      </j:if>
     </l:main-panel>
   </l:layout>
 </j:jelly>

src/main/resources/org/csanchez/jenkins/plugins/kubernetes/KubernetesCloud/templates.jelly

@@ -29,12 +29,12 @@ THE SOFTWARE.
         <j:choose>
             <j:when test="${not empty it.templates}">
                 <l:app-bar title="${it.name} - ${%Pod templates}">
-                    <l:hasAdministerOrManage>
+                    <j:if test="${it.hasManagePermission()}">
                         <a name="newTemplate" class="jenkins-button jenkins-button--primary" href="new">
                             <l:icon src="symbol-add"/>
                             ${%Add a pod template}
                         </a>
-                    </l:hasAdministerOrManage>
+                    </j:if>
                 </l:app-bar>
                 <table id="templates" class="jenkins-table sortable">
                     <thead>
@@ -63,19 +63,21 @@ THE SOFTWARE.
             </j:when>
             <j:otherwise>
                 <l:app-bar title="${it.name} - ${%Pod templates}"/>
-                <div >
-                    <section>
-                        <div>
-                            <div class="jenkins-!-padding-bottom-3">No pod template added yet.</div>
+                <j:if test="${it.hasManagePermission()}">
+                    <div >
+                        <section>
                             <div>
-                                <a name="newTemplate" class="jenkins-button jenkins-button--primary" href="new">
-                                    <l:icon src="symbol-add"/>
-                                    ${%Add a pod template}
-                                </a>
+                                <div class="jenkins-!-padding-bottom-3">No pod template added yet.</div>
+                                <div>
+                                    <a name="newTemplate" class="jenkins-button jenkins-button--primary" href="new">
+                                        <l:icon src="symbol-add"/>
+                                        ${%Add a pod template}
+                                    </a>
+                                </div>
                             </div>
-                        </div>
-                    </section>
-                </div>
+                        </section>
+                    </div>
+                </j:if>
             </j:otherwise>
         </j:choose>
       </l:main-panel>

src/main/resources/org/csanchez/jenkins/plugins/kubernetes/PodTemplate/index.jelly

@@ -20,7 +20,8 @@ THE SOFTWARE.
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:l="/lib/layout" xmlns:f="/lib/form">
   <l:layout permission="${app.MANAGE_AND_SYSTEM_READ}" title="${%Pod template settings}">
-    <j:set var="readOnlyMode" value="${!app.hasPermission(app.MANAGE)}"/>
+    <j:set var="canManageTemplate" value="${it.hasManagePermission()}"/>
+    <j:set var="readOnlyMode" value="${!canManageTemplate}"/>
     <l:breadcrumb title="${it.name}"/>
 
     <st:include page="sidepanel.jelly"/>
@@ -37,17 +38,18 @@ THE SOFTWARE.
         <!-- main body of the configuration -->
         <st:include it="${instance}" page="config.jelly"/>
 
-        <l:hasAdministerOrManage>
+        <j:if test="${canManageTemplate}">
           <j:if test="${!instance.readonlyFromUi}">
             <f:bottomButtonBar>
               <f:submit value="${%Save}"/>
             </f:bottomButtonBar>
           </j:if>
-        </l:hasAdministerOrManage>
+        </j:if>
       </f:form>
-      <l:hasAdministerOrManage>
+
+      <j:if test="${canManageTemplate}">
         <st:adjunct includes="lib.form.confirm"/> 
-      </l:hasAdministerOrManage>
+      </j:if>
     </l:main-panel>
   </l:layout>
 </j:jelly>

src/main/resources/org/csanchez/jenkins/plugins/kubernetes/PodTemplate/sidepanel.jelly

@@ -22,10 +22,11 @@ THE SOFTWARE.
     <l:header />
     <l:side-panel>
         <l:tasks>
+            <j:set var="canManageTemplate" value="${it.hasManagePermission()}"/>
             <l:task href="" icon="symbol-settings"
-                    title="${app.hasPermission(app.MANAGE) ? '%Configure' : '%View Configuration'}"/>
+                    title="${canManageTemplate ? '%Configure' : '%View Configuration'}"/>
             <j:if test="${!it.readonlyFromUi}">
-                <l:delete permission="${app.MANAGE}" title="${%Delete Pod Template}" message="${%delete.template(it.name)}"/>
+                <l:delete permission="${it.managePermission}" title="${%Delete Pod Template}" message="${%delete.template(it.name)}"/>
             </j:if>
             <t:actions />
         </l:tasks>

src/test/java/org/csanchez/jenkins/plugins/kubernetes/KubernetesCloudTest.java

@@ -1,10 +1,18 @@
 package org.csanchez.jenkins.plugins.kubernetes;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertThrows;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 
+import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.model.User;
+import hudson.security.ACL;
+import hudson.security.ACLContext;
+import hudson.security.AccessDeniedException3;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
@@ -14,6 +22,7 @@
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import jenkins.model.Jenkins;
 import jenkins.model.JenkinsLocationConfiguration;
 import org.apache.commons.beanutils.PropertyUtils;
 import org.apache.commons.lang3.RandomStringUtils;
@@ -33,8 +42,10 @@
 import org.junit.After;
 import org.junit.Rule;
 import org.junit.Test;
+import org.junit.function.ThrowingRunnable;
 import org.jvnet.hudson.test.JenkinsRule;
 import org.jvnet.hudson.test.LoggerRule;
+import org.jvnet.hudson.test.MockAuthorizationStrategy;
 import org.jvnet.hudson.test.recipes.LocalData;
 
 public class KubernetesCloudTest {
@@ -309,4 +320,41 @@ public HtmlInput getInputByName(DomElement root, String name) {
         }
         return null;
     }
+
+    @Test
+    public void authorization() throws Exception {
+        var securityRealm = j.createDummySecurityRealm();
+        j.jenkins.setSecurityRealm(securityRealm);
+        var authorizationStrategy = new MockAuthorizationStrategy();
+        authorizationStrategy.grant(Jenkins.ADMINISTER).everywhere().to("admin");
+        authorizationStrategy.grant(Jenkins.MANAGE).everywhere().to("manager");
+        authorizationStrategy.grant(Jenkins.READ).everywhere().to("user");
+        j.jenkins.setAuthorizationStrategy(authorizationStrategy);
+        j.jenkins.clouds.add(new KubernetesCloud("kubernetes"));
+        var pt1 = new PodTemplate("one");
+        var pt2 = new PodTemplate("two");
+        try (var ignored = asUser("admin")) {
+            j.jenkins.clouds.get(KubernetesCloud.class).addTemplate(pt1);
+        }
+        try (var ignored = asUser("user")) {
+            var expectedMessage = "user is missing the Overall/Administer permission";
+            var kubernetesCloud = j.jenkins.clouds.get(KubernetesCloud.class);
+            assertAccessDenied(() -> kubernetesCloud.addTemplate(new PodTemplate()), expectedMessage);
+            assertAccessDenied(() -> kubernetesCloud.removeTemplate(pt1), expectedMessage);
+            assertAccessDenied(() -> kubernetesCloud.replaceTemplate(pt1, pt2), expectedMessage);
+        }
+        try (var ignored = asUser("manager")) {
+            j.jenkins.clouds.get(KubernetesCloud.class).addTemplate(pt1);
+        }
+    }
+
+    private static void assertAccessDenied(ThrowingRunnable throwingRunnable, String expectedMessage) {
+        assertThat(
+                assertThrows(AccessDeniedException3.class, throwingRunnable).getMessage(),
+                containsString(expectedMessage));
+    }
+
+    private static @NonNull ACLContext asUser(String admin) {
+        return ACL.as2(User.get(admin, true, Map.of()).impersonate2());
+    }
 }