diff --git a/docs/consumer.adoc b/docs/consumer.adoc index 7c2f6860b..d154ed8cf 100644 --- a/docs/consumer.adoc +++ b/docs/consumer.adoc @@ -170,7 +170,7 @@ public FormValidation doCheckCredentialsId( if (value.startsWith("${") && value.endsWith("}")) { // <5> return FormValidation.warning("Cannot validate expression based credentials"); } - if (CredentialsProvider.listCredentials( // <6> + if (CredentialsProvider.listCredentialsInItem( // <6> ..., CredentialsMatchers.withId(value) // <6> ).isEmpty()) { 
@@ -187,29 +187,26 @@ Better yet would be to try and ping the remote service anonymously and report su _You may want to cache the check result for a short time-span if the remote service has rate limits on anonymous access._ <5> If you have not enabled credentials parameter expressions on the select control then you do not need this test. <6> This example checks that the credentials exist, but does not use them to connect. -Alternatively `CredentialsMatchers.firstOrNull(CredentialsProvider.lookupCredentials(...), withId(value))` can be used to retrieve the credentials, a `null` return value would indicate that the error that they cannot be found, while the non-`null` return value could be used to validate the credentials against the remote service. +Alternatively `CredentialsMatchers.firstOrNull(CredentialsProvider.lookupCredentialsInItem(...), withId(value))` can be used to retrieve the credentials, a `null` return value would indicate that the error that they cannot be found, while the non-`null` return value could be used to validate the credentials against the remote service. _You may want to cache the check result for a short time-span if the remote service has rate limits._ === Listing available credentials matching some specific set of criteria -We use the `CredentialsProvider.listCredentials()` overloads to list credentials. -An external credentials provider may be recording usage of the credential and as such the `listCredentials` methods are supposed to not access the secret information and hence should not trigger such usage records. +We use the `CredentialsProvider.listCredentialsInItem()` or `CredentialsProvider.listCredentialsInItemGroup()` methods to list credentials. +An external credentials provider may be recording usage of the credential and as such the `listCredentialsInItem`/`listCredentialsInItemGroup` methods are supposed to not access the secret information and hence should not trigger such usage records. 
[TIP] ==== -If you are listing available credentials in order to populate a drop-down list, then `StandardListBoxModel.includeMatchingAs()` may be a more convenient way to call `CredentialsProvider.listCredentials()` +If you are listing available credentials in order to populate a drop-down list, then `StandardListBoxModel.includeMatchingAs()` may be a more convenient way to call `CredentialsProvider.listCredentialsInItem()`/`CredentialsProvider.listCredentialsInItemGroup()` ==== -There are currently two overloads, one taking `Item` as the context and the other taking `ItemGroup` as the context, the other parameters are otherwise identical. - -NOTE: A current RFE https://issues.jenkins-ci.org/browse/JENKINS-39324[JENKINS-39324] is looking to replace overloaded methods with a single method taking the more generic `ModelObject`. - The parameters are: `type`:: The type of credentials to list. -`item` or `itemGroup`:: +`item` (when using `CredentialsProvider.listCredentialsInItem`):: +`itemGroup` (when using `CredentialsProvider.listCredentialsInItemGroup`):: The context within which to list available credentials. `authentication`:: @@ -227,12 +224,12 @@ Here are some examples of usage: + [source,java] ---- -CredentialsProvider.listCredentials( +CredentialsProvider.listCredentialsInItem( StandardUsernamePasswordCredentials.class, // <1> job, // <2> job instanceof Queue.Task // <3> - ? Tasks.getAuthenticationOf((Queue.Task)job)) // <4> - : ACL.SYSTEM, // <5> + ? Tasks.getAuthenticationOf2((Queue.Task)job)) // <4> + : ACL.SYSTEM2, // <5> URIRequirementBuilder.fromUri(scmUrl), // <6> null // <7> ); 
@@ -244,7 +241,7 @@ We need `UsernamePasswordCredentials` to ensure that they are username and passw <3> For almost all implementations of `Job`, this will be `true`. (Note: https://plugins.jenkins.io/external-monitor-job[external jobs] do *not* implement `Queue.Task`) <4> This is important, we must use the authentication that the job is likely to run as. -<5> If not a `Queue.Task` then use `ACL.SYSTEM` +<5> If not a `Queue.Task` then use `ACL.SYSTEM2` <6> We use the requirements builder most idiomatically appropriate to our use case. In most cases, unless `URIRequirementBuilder` can be used to construct at least some domain requirements. <7> We do not have any additional requirements to place, so we can specify `null` for the matcher. @@ -253,10 +250,10 @@ In most cases, unless `URIRequirementBuilder` can be used to construct at least + [source,java] ---- -CredentialsProvider.listCredentials( +CredentialsProvider.listCredentialsInItem( StandardUsernamePasswordCredentials.class, job, - Jenkins.getAuthentication(), // <1> + Jenkins.getAuthentication2(), // <1> URIRequirementBuilder.fromUri(scmUrl), null ) @@ -267,12 +264,12 @@ CredentialsProvider.listCredentials( + [source,java] ---- -CredentialsProvider.listCredentials( +CredentialsProvider.listCredentialsInItem( StandardCredentials.class, // <1> job, job instanceof Queue.Task - ? Tasks.getAuthenticationOf((Queue.Task)job)) - : ACL.SYSTEM, + ? Tasks.getAuthenticationOf2((Queue.Task)job)) + : ACL.SYSTEM2, URIRequirementBuilder.fromUri(issueTrackerUrl), AuthenticationTokens.matcher(IssueTrackerAuthentication.class) // <2> ) 
@@ -288,10 +285,10 @@ Alternatively, more complex conversion contexts can be handled with `Authenticat + [source,java] ---- -CredentialsProvider.listCredentials( +CredentialsProvider.listCredentialsInItem( StandardCredentials.class, // <1> job, - Jenkins.getAuthentication(), // <2> + Jenkins.getAuthentication2(), // <2> URIRequirementBuilder.fromUri(loadBalancerUrl), CredentialsMatchers.allOf( AuthenticationTokens.matcher(LoadBalancerAuthentication.class), @@ -313,10 +310,10 @@ This drop down list would typically be displayed from one of the _Manage Jenkins + [source,java] ---- -CredentialsProvider.listCredentials( +CredentialsProvider.listCredentialsInItemGroup( StandardUsernameCredentials.class, // <1> Jenkins.get(), // <2> - ACL.SYSTEM, // <2> + ACL.SYSTEM2, // <2> URIRequirementBuilder.fromUri(scmUrl), AuthenticationTokens.matcher(MySCMAuthentication.class) // <1> ) 
@@ -324,7 +321,7 @@ CredentialsProvider.listCredentials( <1> For this SCM, management of post commit hooks requires authentication that has specified a username, so even though there are other authentication mechanisms supported by `AuthenticationTokens.matcher(...)` we limit at the type level as that reduces the response that needs to be filtered. The alternative would have been a matcher that combined `CredentialsMatchers.instanceOf(StandardUsernameCredentials.class)` but this reduces the ability of an external credentials provider to filter the query on the remote side. <2> We are doing this operation outside of the context of a single job, rather this is being performed on behalf of the entire Jenkins instance. -Thus we should be performing this as `ACL.SYSTEM` and in the context of `Jenkins.get()`. +Thus we should be performing this as `ACL.SYSTEM2` and in the context of `Jenkins.get()`. This has the additional benefit that the admin can restrict the high permission hook management credentials to `CredentialsScope.SYSTEM` which will prevent access by jobs. === Persist a reference to a specific credential instance 
@@ -382,24 +379,24 @@ If we have a job, "foobar", and we configure a credentials parameter on that job If you are working outside the context of a `Run` then you will not have to deal with the complexities of credentials expressions. -In most cases the retrieval will just be a call to one of the `CredentialsProvider.lookupCredentials(...)` wrapped within `CredentialsMatchers.firstOrNull(..., CredentialsMatchers.withId(...))`, for example: +In most cases the retrieval will just be a call to one of the `CredentialsProvider.lookupCredentialsInItem(...)`/`CredentialsProvider.lookupCredentialsInItemGroup(...)` wrapped within `CredentialsMatchers.firstOrNull(..., CredentialsMatchers.withId(...))`, for example: [source,java] ---- StandardCredentials c = CredentialsMatchers.firstOrNull( - CredentialsProvider.lookupCredentials( + CredentialsProvider.lookupCredentialsInItem( StandardCredentials.class, // <1> job, // <1> job instanceof Queue.Task // <1> ? Tasks.getAuthenticationOf((Queue.Task)job)) - : ACL.SYSTEM, + : ACL.SYSTEM2, URIRequirementBuilder.fromUri(...) // <1> ), CredentialsMatchers.withId(credentialsId) // <2> ); ---- -<1> These should be the same as your call to `CredentialsProvider.listCredentials(...)`/`StandardListBoxModel.includeMatchingAs(...)` in order to ensure that we get the same credential instance back. -<2> If you had additional `CredentialsMatcher` expressions in your call to `CredentialsProvider.listCredentials(...)`/`StandardListBoxModel.includeMatchingAs(...)` then you should merge them here with a `CredentialsMatchers.allOf(...)` +<1> These should be the same as your call to `CredentialsProvider.listCredentialsInItem(...)`/`CredentialsProvider.listCredentialsInItemGroup(...)`/`StandardListBoxModel.includeMatchingAs(...)` in order to ensure that we get the same credential instance back. 
+<2> If you had additional `CredentialsMatcher` expressions in your call to `CredentialsProvider.listCredentialsInItem(...)`/`CredentialsProvider.listCredentialsInItemGroup(...)`/`StandardListBoxModel.includeMatchingAs(...)` then you should merge them here with a `CredentialsMatchers.allOf(...)` Once you have retrieved a non-null credentials instance, all non-secret properties can be assumed as eager-fetch immutable. @@ -416,12 +413,12 @@ The recommended way to use a credential is through the https://plugins.jenkins.i [source,java] ---- StandardCredentials c = CredentialsMatchers.firstOrNull( // <1> - CredentialsProvider.listCredentials( + CredentialsProvider.listCredentialsInItem( StandardCredentials.class, job, job instanceof Queue.Task - ? Tasks.getAuthenticationOf((Queue.Task)job)) - : ACL.SYSTEM, + ? Tasks.getAuthenticationOf2((Queue.Task)job)) + : ACL.SYSTEM2, URIRequirementBuilder.fromUri(issueTrackerUrl) ), CredentialsMatchers.allOf( @@ -461,12 +458,12 @@ IssueTrackerAuthentication auth = AuthenticationTokens.convert( CredentialsProvider.track( job, CredentialsMatchers.firstOrNull( - CredentialsProvider.listCredentials( + CredentialsProvider.listCredentialsInItem( StandardCredentials.class, job, job instanceof Queue.Task - ? Tasks.getAuthenticationOf((Queue.Task)job)) - : ACL.SYSTEM, + ? Tasks.getAuthenticationOf2((Queue.Task)job)) + : ACL.SYSTEM2, URIRequirementBuilder.fromUri(issueTrackerUrl) ), CredentialsMatchers.allOf( diff --git a/docs/implementation.adoc b/docs/implementation.adoc index ead2a158a..fe3d02885 100644 --- a/docs/implementation.adoc +++ b/docs/implementation.adoc 
@@ -742,9 +742,9 @@ If you have implemented that check before creating the proxy then you could be m <2> Any consumer plugin that is transferring a credential to another JVM is supposed to call `CredentialsProvider.snapshot(credential)` and send the return value. The `CredentialsSnapshotTaker` is supposed to fetch the secret as part of the snapshotting, so a proper consumer will never be at risk of this `IOException`. -* The `CredentialsProvider.getCredentials(...)` methods should instantiate the proxies, so these methods will operate from the cache while initiate background refresh. Where the cache is a miss or where the cache is stale, a short term block is acceptable. +* The `CredentialsProvider.getCredentialsInItem(...)` / `CredentialsProvider.getCredentialsInItemGroup(...)` methods should instantiate the proxies, so these methods will operate from the cache while initiate background refresh. Where the cache is a miss or where the cache is stale, a short term block is acceptable. -* The `CredentialsProvider.getCredentialIds(...)` methods are used to list credentials for drop-down list population, so these methods should use a live request with a fall-back to the cache where the live request takes too long. +* The `CredentialsProvider.getCredentialIdsInItem(...)` / `CredentialsProvider.getCredentialIdsInItemGroup(...)` methods are used to list credentials for drop-down list population, so these methods should use a live request with a fall-back to the cache where the live request takes too long. [NOTE] ==== 
@@ -758,6 +758,6 @@ The main work in an implementation will be the mapping to `CredentialStore` inst + [NOTE] ==== -Technically, the "read-only, implicitly exposed" style credentials provider implementation does not need to interact with the `CredentialsStore` portion of the API as it can expose credentials directly using just the `CredentialsProvider.getCredentials(...)` and `CredentialsProvider.getCredentialIds(...)`, however, implementing the `CredentialsStore` contract is required in order for the credentials to be visible to users via the Credentials side action on the different Jenkins context objects. +Technically, the "read-only, implicitly exposed" style credentials provider implementation does not need to interact with the `CredentialsStore` portion of the API as it can expose credentials directly using just the `CredentialsProvider.getCredentialsInItem(...)`/`CredentialsProvider.getCredentialsInItemGroup(...)` and `CredentialsProvider.getCredentialIdsInItem(...)`/`CredentialsProvider.getCredentialIdsInItemGroup(...)`, however, implementing the `CredentialsStore` contract is required in order for the credentials to be visible to users via the Credentials side action on the different Jenkins context objects. ==== * A "read-write, implicitly exposed" style implementation will need to semi-dynamically create `CredentialsStore` instances for each context in order to integrate with the Jenkins credentials management UI. diff --git a/src/main/java/com/cloudbees/plugins/credentials/CredentialsParameterDefinition.java b/src/main/java/com/cloudbees/plugins/credentials/CredentialsParameterDefinition.java index c42b8dc6a..3a1998e77 100644 --- a/src/main/java/com/cloudbees/plugins/credentials/CredentialsParameterDefinition.java +++ b/src/main/java/com/cloudbees/plugins/credentials/CredentialsParameterDefinition.java 
@@ -17,13 +17,13 @@ import java.util.Set; import jenkins.model.Jenkins; import net.sf.json.JSONObject; -import org.acegisecurity.Authentication; import org.apache.commons.lang.StringUtils; import org.jenkinsci.Symbol; import org.kohsuke.stapler.AncestorInPath; import org.kohsuke.stapler.DataBoundConstructor; import org.kohsuke.stapler.QueryParameter; import org.kohsuke.stapler.StaplerRequest; +import org.springframework.security.core.Authentication; /** * A {@link ParameterDefinition} for a parameter that supplies a {@link Credentials}. @@ -173,7 +173,7 @@ public StandardListBoxModel doFillDefaultValueItems(@AncestorInPath Item context final StandardListBoxModel result = new StandardListBoxModel(); result.includeEmptyValue(); if (acl.hasPermission(CredentialsProvider.USE_ITEM)) { - result.includeAs(CredentialsProvider.getDefaultAuthenticationOf(context), context, typeClass, domainRequirements); + result.includeAs(CredentialsProvider.getDefaultAuthenticationOf2(context), context, typeClass, domainRequirements); } return result; } @@ -185,9 +185,9 @@ public StandardListBoxModel doFillValueItems(@AncestorInPath Item context, @QueryParameter boolean includeUser) { Jenkins jenkins = Jenkins.get(); final ACL acl = context == null ? jenkins.getACL() : context.getACL(); - final Authentication authentication = Jenkins.getAuthentication(); - final Authentication itemAuthentication = CredentialsProvider.getDefaultAuthenticationOf(context); - final boolean isSystem = ACL.SYSTEM.equals(authentication); + final Authentication authentication = Jenkins.getAuthentication2(); + final Authentication itemAuthentication = CredentialsProvider.getDefaultAuthenticationOf2(context); + final boolean isSystem = ACL.SYSTEM2.equals(authentication); final Class typeClass = decodeType(credentialType); final List domainRequirements = Collections.emptyList(); final StandardListBoxModel result = new StandardListBoxModel(); 
diff --git a/src/main/java/com/cloudbees/plugins/credentials/CredentialsParameterValue.java b/src/main/java/com/cloudbees/plugins/credentials/CredentialsParameterValue.java index 170e8760c..eeb51ad0b 100644 --- a/src/main/java/com/cloudbees/plugins/credentials/CredentialsParameterValue.java +++ b/src/main/java/com/cloudbees/plugins/credentials/CredentialsParameterValue.java @@ -21,10 +21,10 @@ import java.util.Collections; import java.util.List; import jenkins.model.Jenkins; -import org.acegisecurity.Authentication; import org.apache.commons.lang.StringUtils; import org.kohsuke.stapler.DataBoundConstructor; import org.kohsuke.stapler.Stapler; +import org.springframework.security.core.Authentication; /** * A {@link ParameterValue} produced from a {@link CredentialsParameterDefinition}. 
@@ -89,24 +89,24 @@ public C lookupCredentials(@NonNull Class type, @No public C lookupCredentials(@NonNull Class type, @NonNull Run run, List domainRequirements) { - Authentication authentication = Jenkins.getAuthentication(); + Authentication authentication = Jenkins.getAuthentication2(); final Executor executor = run.getExecutor(); if (executor != null) { final WorkUnit workUnit = executor.getCurrentWorkUnit(); if (workUnit != null) { - authentication = workUnit.context.item.authenticate(); + authentication = workUnit.context.item.authenticate2(); } } List candidates = new ArrayList<>(); - final boolean isSystem = ACL.SYSTEM.equals(authentication); + final boolean isSystem = ACL.SYSTEM2.equals(authentication); if (!isSystem && run.getParent().hasPermission(CredentialsProvider.USE_OWN)) { candidates.addAll(CredentialsProvider - .lookupCredentials(type, run.getParent(), authentication, domainRequirements)); + .lookupCredentialsInItem(type, run.getParent(), authentication, domainRequirements)); } if (run.getParent().hasPermission(CredentialsProvider.USE_ITEM) || isSystem || isDefaultValue) { candidates.addAll( - CredentialsProvider.lookupCredentials(type, run.getParent(), ACL.SYSTEM, domainRequirements)); + CredentialsProvider.lookupCredentialsInItem(type, run.getParent(), ACL.SYSTEM2, domainRequirements)); } return CredentialsMatchers.firstOrNull(candidates, CredentialsMatchers.withId(value)); } 
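Review bot: The second lookup in `lookupCredentials(type, run, domainRequirements)` runs as `ACL.SYSTEM2` whenever `USE_ITEM` is held, the resolved authentication is SYSTEM, or `isDefaultValue` is set, and nothing in the hunk explains why each condition justifies the elevated lookup. This is where a build can obtain credentials beyond what its own authentication sees, so I would add a comment above that `if`, e.g. `// Item-scoped credentials are resolved as SYSTEM2: allowed for USE_ITEM holders, SYSTEM builds, and the parameter's default value`. `isDefaultValue` is defined outside the hunk, so its exact meaning should be confirmed before wording the comment. Both `hasPermission` calls also appear to check the current thread's authentication rather than the `authentication` variable taken from the work unit; if that is intentional it deserves a sentence as well.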
@@ -120,14 +120,14 @@ public String describe() { throw new IllegalStateException("Should only be called from value.jelly"); } StandardCredentials c = CredentialsMatchers.firstOrNull( - CredentialsProvider.lookupCredentials(StandardCredentials.class, run.getParent(), ACL.SYSTEM, + CredentialsProvider.lookupCredentialsInItem(StandardCredentials.class, run.getParent(), ACL.SYSTEM2, Collections.emptyList()), CredentialsMatchers.withId(value)); if (c != null) { return CredentialsNameProvider.name(c); } c = CredentialsMatchers.firstOrNull( - CredentialsProvider.lookupCredentials(StandardCredentials.class, run.getParent(), - Jenkins.getAuthentication(), + CredentialsProvider.lookupCredentialsInItem(StandardCredentials.class, run.getParent(), + Jenkins.getAuthentication2(), Collections.emptyList()), CredentialsMatchers.withId(value)); if (c != null) { return CredentialsNameProvider.name(c); @@ -144,14 +144,14 @@ public String iconClassName() { throw new IllegalStateException("Should only be called from value.jelly"); } StandardCredentials c = CredentialsMatchers.firstOrNull( - CredentialsProvider.lookupCredentials(StandardCredentials.class, run.getParent(), ACL.SYSTEM, + CredentialsProvider.lookupCredentialsInItem(StandardCredentials.class, run.getParent(), ACL.SYSTEM2, Collections.emptyList()), CredentialsMatchers.withId(value)); if (c != null) { return c.getDescriptor().getIconClassName(); } c = CredentialsMatchers.firstOrNull( - CredentialsProvider.lookupCredentials(StandardCredentials.class, run.getParent(), - Jenkins.getAuthentication(), + CredentialsProvider.lookupCredentialsInItem(StandardCredentials.class, run.getParent(), + Jenkins.getAuthentication2(), Collections.emptyList()), CredentialsMatchers.withId(value)); if (c != null) { return c.getDescriptor().getIconClassName(); 
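Review bot: `describe()` and `iconClassName()` repeat the same two-step lookup (first as `ACL.SYSTEM2`, then as `Jenkins.getAuthentication2()`), so an API migration like this one has to change four call sites in step. A private helper that returns the `StandardCredentials` for `value`, or `null`, would leave each method with one call plus its own mapping. The helper is also the natural place to document that the SYSTEM2 lookup runs first, so the credential's name and icon are resolved regardless of what the viewing user can access; it is worth confirming that this is the intended disclosure level for the build page. Both method bodies continue outside the hunks, and the type of `run` is assumed here.

```java
// Resolves the credentials behind this parameter value for display only.
// Tries ACL.SYSTEM2 first, then the current user's authentication.
private StandardCredentials lookupForDisplay(Run<?, ?> run) {
    StandardCredentials c = CredentialsMatchers.firstOrNull(
            CredentialsProvider.lookupCredentialsInItem(StandardCredentials.class, run.getParent(),
                    ACL.SYSTEM2, Collections.emptyList()),
            CredentialsMatchers.withId(value));
    if (c != null) {
        return c;
    }
    return CredentialsMatchers.firstOrNull(
            CredentialsProvider.lookupCredentialsInItem(StandardCredentials.class, run.getParent(),
                    Jenkins.getAuthentication2(), Collections.emptyList()),
            CredentialsMatchers.withId(value));
}

// in describe():
StandardCredentials c = lookupForDisplay(run);
if (c != null) {
    return CredentialsNameProvider.name(c);
}
// … unchanged: fallback when no credentials are found …
```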
@@ -167,7 +167,7 @@ public String url() { if (run == null) { throw new IllegalStateException("Should only be called from value.jelly"); } - try (ACLContext ctx = ACL.as(ACL.SYSTEM)) { + try (ACLContext ignored = ACL.as2(ACL.SYSTEM2)) { for (CredentialsStore store : CredentialsProvider.lookupStores(run.getParent())) { String url = url(store); if (url != null) { diff --git a/src/main/java/com/cloudbees/plugins/credentials/CredentialsProvider.java b/src/main/java/com/cloudbees/plugins/credentials/CredentialsProvider.java index a0504bb0c..a9de5d525 100644 --- a/src/main/java/com/cloudbees/plugins/credentials/CredentialsProvider.java +++ b/src/main/java/com/cloudbees/plugins/credentials/CredentialsProvider.java @@ -91,12 +91,7 @@ import jenkins.model.FingerprintFacet; import jenkins.model.Jenkins; import jenkins.util.Timer; -import org.acegisecurity.Authentication; -import org.acegisecurity.GrantedAuthority; -import org.acegisecurity.providers.UsernamePasswordAuthenticationToken; -import org.acegisecurity.userdetails.UsernameNotFoundException; import org.apache.commons.io.IOUtils; -import org.apache.commons.io.output.NullOutputStream; import org.apache.commons.lang.StringUtils; import org.jenkins.ui.icon.IconSpec; import org.kohsuke.accmod.Restricted; @@ -104,6 +99,9 @@ import org.kohsuke.accmod.restrictions.NoExternalUse; import org.kohsuke.stapler.Stapler; import org.kohsuke.stapler.StaplerRequest; +import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.userdetails.UsernameNotFoundException; import static com.cloudbees.plugins.credentials.CredentialsStoreAction.FINGERPRINT_XML; 
@@ -118,17 +116,7 @@ public abstract class CredentialsProvider extends Descriptor List getCredentials(@NonNull Class type, @Nullable ItemGroup itemGroup, - @Nullable Authentication authentication) { - return Collections.emptyList(); - } - }; + public static final CredentialsProvider NONE = new CredentialsProvider() {}; /** * The permission group for credentials. @@ -245,16 +233,8 @@ public static DescriptorExtensionList allCre } /** - * Returns all credentials which are available to the {@link ACL#SYSTEM} {@link Authentication} - * within the {@link Jenkins#get()}. - * - * @param type the type of credentials to get. - * @param the credentials type. - * @return the list of credentials. - * @deprecated use {@link #lookupCredentials(Class, Item, Authentication, List)}, - * {@link #lookupCredentials(Class, Item, Authentication, DomainRequirement...)}, - * {@link #lookupCredentials(Class, ItemGroup, Authentication, List)} - * or {@link #lookupCredentials(Class, ItemGroup, Authentication, DomainRequirement...)} + * @deprecated use {@link #lookupCredentialsInItem(Class, Item, Authentication, List)} + * or {@link #lookupCredentialsInItemGroup(Class, ItemGroup, Authentication, List)} */ @Deprecated @NonNull 
@@ -264,36 +244,19 @@ public static List lookupCredentials(@NonNull Class the credentials type. - * @return the list of credentials. - * @deprecated use {@link #lookupCredentials(Class, Item, Authentication, List)}, - * {@link #lookupCredentials(Class, Item, Authentication, DomainRequirement...)}, - * {@link #lookupCredentials(Class, ItemGroup, Authentication, List)} - * or {@link #lookupCredentials(Class, ItemGroup, Authentication, DomainRequirement...)} + * @deprecated use {@link #lookupCredentialsInItem(Class, Item, Authentication, List)}, + * {@link #lookupCredentialsInItemGroup(Class, ItemGroup, Authentication, List)} */ @Deprecated @NonNull @SuppressWarnings("unused") // API entry point for consumers public static List lookupCredentials(@NonNull Class type, - @Nullable Authentication authentication) { + @Nullable org.acegisecurity.Authentication authentication) { return lookupCredentials(type, Jenkins.get(), authentication); } /** - * Returns all credentials which are available to the {@link ACL#SYSTEM} {@link Authentication} - * for use by the specified {@link Item}. - * - * @param type the type of credentials to get. - * @param item the item. - * @param the credentials type. - * @return the list of credentials. - * @deprecated use {@link #lookupCredentials(Class, Item, Authentication, List)} - * or {@link #lookupCredentials(Class, Item, Authentication, DomainRequirement...)} + * @deprecated use {@link #lookupCredentialsInItem(Class, Item, Authentication, List)} instead. */ @Deprecated @NonNull @@ -306,15 +269,7 @@ public static List lookupCredentials(@NonNull Class the credentials type. - * @return the list of credentials. - * @deprecated use {@link #lookupCredentials(Class, ItemGroup, Authentication, List)} - * or {@link #lookupCredentials(Class, ItemGroup, Authentication, DomainRequirement...)} + * @deprecated use {@link #lookupCredentialsInItemGroup(Class, ItemGroup, Authentication, List)} instead. */ @Deprecated @NonNull 
@@ -325,45 +280,40 @@ public static List lookupCredentials(@NonNull Class the credentials type. - * @return the list of credentials. - * @deprecated use {@link #lookupCredentials(Class, ItemGroup, Authentication, List)} - * or {@link #lookupCredentials(Class, ItemGroup, Authentication, DomainRequirement...)} + * @deprecated use {@link #lookupCredentialsInItemGroup(Class, ItemGroup, Authentication)} instead. */ @Deprecated @NonNull @SuppressWarnings({"unchecked", "unused"}) // API entry point for consumers public static List lookupCredentials(@NonNull Class type, @Nullable ItemGroup itemGroup, - @Nullable Authentication authentication) { - return lookupCredentials(type, itemGroup, authentication, Collections.emptyList()); + @Nullable org.acegisecurity.Authentication authentication) { + return lookupCredentialsInItemGroup(type, itemGroup, authentication == null ? null : authentication.toSpring(), Collections.emptyList()); } /** - * Returns all credentials which are available to the specified {@link Authentication} - * for use by the specified {@link Item}. - * - * @param type the type of credentials to get. - * @param authentication the authentication. - * @param item the item. - * @param the credentials type. - * @return the list of credentials. - * @deprecated use {@link #lookupCredentials(Class, Item, Authentication, List)} - * or {@link #lookupCredentials(Class, Item, Authentication, DomainRequirement...)} + * @deprecated use {@link #lookupCredentialsInItem(Class, Item, Authentication)} instead. */ @Deprecated @NonNull @SuppressWarnings("unused") // API entry point for consumers public static List lookupCredentials(@NonNull Class type, @Nullable Item item, - @Nullable Authentication authentication) { - return lookupCredentials(type, item, authentication, Collections.emptyList()); + @Nullable org.acegisecurity.Authentication authentication) { + return lookupCredentialsInItem(type, item, authentication == null ? 
null : authentication.toSpring(), Collections.emptyList()); + } + + /** + * @deprecated Use {@link #lookupCredentialsInItemGroup(Class, ItemGroup, Authentication)} or {@link #lookupCredentialsInItemGroup(Class, ItemGroup, Authentication, List)}. + */ + @Deprecated + @NonNull + @SuppressWarnings({"unchecked", "unused"}) // API entry point for consumers + public static List lookupCredentials(@NonNull Class type, + @Nullable ItemGroup itemGroup, + @Nullable org.acegisecurity.Authentication authentication, + @Nullable DomainRequirement... domainRequirements) { + return lookupCredentialsInItemGroup(type, itemGroup, authentication == null ? null : authentication.toSpring(), Arrays.asList(domainRequirements == null ? new DomainRequirement[0] : domainRequirements)); } /** 
@@ -373,18 +323,29 @@ public static List lookupCredentials(@NonNull Class the credentials type. * @return the list of credentials. - * @since 1.5 + * @since TODO */ @NonNull @SuppressWarnings({"unchecked", "unused"}) // API entry point for consumers + public static List lookupCredentialsInItemGroup(@NonNull Class type, + @Nullable ItemGroup itemGroup, + @Nullable Authentication authentication) { + return lookupCredentialsInItemGroup(type, itemGroup, authentication, List.of()); + } + + /** + * @deprecated Use {@link #lookupCredentialsInItemGroup(Class, ItemGroup, Authentication, List)} instead. + */ + @NonNull + @SuppressWarnings({"unchecked", "unused"}) // API entry point for consumers + @Deprecated public static List lookupCredentials(@NonNull Class type, @Nullable ItemGroup itemGroup, - @Nullable Authentication authentication, - @Nullable DomainRequirement... domainRequirements) { - return lookupCredentials(type, itemGroup, authentication, Arrays.asList(domainRequirements)); + @Nullable org.acegisecurity.Authentication authentication, + @Nullable List domainRequirements) { + return lookupCredentialsInItemGroup(type, itemGroup, authentication == null ? null : authentication.toSpring(), domainRequirements); } /** 
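Review bot: The Javadoc for the new `lookupCredentialsInItemGroup(Class, ItemGroup, Authentication)` overload carries `@since TODO`, and the same placeholder is on the four-argument `lookupCredentialsInItemGroup`, on `listCredentialsInItemGroup` and on `lookupCredentialsInItem` in the later hunks. Plugin authors use `@since` to choose their minimum dependency version, so these should be filled in with the release number before the change ships. The new overload also uses `List.of()` where the surrounding code uses `Collections.emptyList()`; either works, but one spelling per file reads better.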
@@ -397,19 +358,18 @@ public static List lookupCredentials(@NonNull Class the credentials type. * @return the list of credentials. - * @since 1.5 + * @since TODO */ @NonNull @SuppressWarnings({"unchecked", "unused"}) // API entry point for consumers - public static List lookupCredentials(@NonNull Class type, - @Nullable ItemGroup itemGroup, - @Nullable Authentication authentication, - @Nullable List - domainRequirements) { + public static List lookupCredentialsInItemGroup(@NonNull Class type, + @Nullable ItemGroup itemGroup, + @Nullable Authentication authentication, + @Nullable List domainRequirements) { Objects.requireNonNull(type); Jenkins jenkins = Jenkins.get(); itemGroup = itemGroup == null ? jenkins : itemGroup; - authentication = authentication == null ? ACL.SYSTEM : authentication; + authentication = authentication == null ? ACL.SYSTEM2 : authentication; domainRequirements = domainRequirements == null ? Collections.emptyList() : domainRequirements; CredentialsResolver resolver = CredentialsResolver.getResolver(type); @@ -417,7 +377,7 @@ public static List lookupCredentials(@NonNull Class originals = - lookupCredentials(resolver.getFromClass(), itemGroup, authentication, domainRequirements); + lookupCredentialsInItemGroup(resolver.getFromClass(), itemGroup, authentication, domainRequirements); LOGGER.log(Level.FINE, "Original credentials for resolving: {0}", originals); return resolver.resolve(originals); } 
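Review bot: `lookupCredentialsInItemGroup` still turns a `null` authentication into `ACL.SYSTEM2`, so a caller that loses its authentication object by accident gets the most privileged lookup instead of an error. The deprecated bridges keep that path reachable by forwarding `authentication == null ? null : authentication.toSpring()`. The same default appears in `listCredentialsInItemGroup` in the following hunks. Since these are new public entry points, the fallback should at least be stated in the Javadoc, e.g. `@param authentication the authentication; {@code null} is treated as {@link ACL#SYSTEM2}`, unless the part of the Javadoc outside the hunk already says so. The method's Javadoc starts outside the hunk.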
@@ -426,7 +386,7 @@ public static List lookupCredentials(@NonNull Class List lookupCredentials(@NonNull Class ListBoxModel listCredentials(@NonNull Class type, + @Nullable ItemGroup itemGroup, + @Nullable org.acegisecurity.Authentication authentication, + @Nullable List + domainRequirements, + @Nullable CredentialsMatcher matcher) { + return listCredentialsInItemGroup(type, itemGroup, authentication == null ? null : authentication.toSpring(), domainRequirements, matcher); + } + /** * Returns a {@link ListBoxModel} of all credentials which are available to the specified {@link Authentication} * for use by the {@link Item}s in the specified {@link ItemGroup}. @@ -454,18 +427,18 @@ public static List lookupCredentials(@NonNull Class the credentials type. * @return the {@link ListBoxModel} of {@link IdCredentials#getId()} with the corresponding display names as * provided by {@link CredentialsNameProvider}. - * @since 2.1.0 + * @since TODO */ - public static ListBoxModel listCredentials(@NonNull Class type, - @Nullable ItemGroup itemGroup, - @Nullable Authentication authentication, - @Nullable List + public static ListBoxModel listCredentialsInItemGroup(@NonNull Class type, + @Nullable ItemGroup itemGroup, + @Nullable Authentication authentication, + @Nullable List domainRequirements, - @Nullable CredentialsMatcher matcher) { + @Nullable CredentialsMatcher matcher) { Objects.requireNonNull(type); Jenkins jenkins = Jenkins.get(); itemGroup = itemGroup == null ? jenkins : itemGroup; - authentication = authentication == null ? ACL.SYSTEM : authentication; + authentication = authentication == null ? ACL.SYSTEM2 : authentication; domainRequirements = domainRequirements == null ? Collections.emptyList() : domainRequirements; matcher = matcher == null ? CredentialsMatchers.always() : matcher; 
@@ -473,7 +446,7 @@ public static ListBoxModel listCredentials(@NonNull Cl if (resolver != null && IdCredentials.class.isAssignableFrom(resolver.getFromClass())) { LOGGER.log(Level.FINE, "Listing legacy credentials of type {0} identified by resolver {1}", new Object[]{type, resolver}); - return listCredentials((Class) resolver.getFromClass(), itemGroup, authentication, domainRequirements, + return listCredentialsInItemGroup((Class) resolver.getFromClass(), itemGroup, authentication, domainRequirements, matcher); } ListBoxModel result = new ListBoxModel(); @@ -481,7 +454,7 @@ public static ListBoxModel listCredentials(@NonNull Cl for (CredentialsProvider provider : all()) { if (provider.isEnabled(itemGroup) && provider.isApplicable(type)) { try { - for (ListBoxModel.Option option : provider.getCredentialIds( + for (ListBoxModel.Option option : provider.getCredentialIdsInItemGroup( type, itemGroup, authentication, domainRequirements, matcher) ) { if (ids.add(option.value)) { @@ -498,6 +471,19 @@ public static ListBoxModel listCredentials(@NonNull Cl return result; } + /** + * @deprecated use {@link #lookupCredentialsInItemGroup(Class, ItemGroup, Authentication)} or {@link #lookupCredentialsInItemGroup(Class, ItemGroup, Authentication, List)}. + */ + @Deprecated + @NonNull + @SuppressWarnings("unused") // API entry point for consumers + public static List lookupCredentials(@NonNull Class type, + @Nullable Item item, + @Nullable org.acegisecurity.Authentication authentication, + DomainRequirement... domainRequirements) { + return lookupCredentialsInItem(type, item, authentication == null ? null : authentication.toSpring(), Arrays.asList(domainRequirements)); + } + /** * Returns all credentials which are available to the specified {@link Authentication} * for use by the specified {@link Item}. 
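Review bot: The `@deprecated` Javadoc added in the last hunk on this line sends readers of the `Item`-based `lookupCredentials` overload to `lookupCredentialsInItemGroup(...)`, but the body delegates to `lookupCredentialsInItem`. A migrating caller who follows the link needs an `ItemGroup` and may pass the parent, which changes the context the credentials are resolved in. Suggested text: `@deprecated use {@link #lookupCredentialsInItem(Class, Item, Authentication)} or {@link #lookupCredentialsInItem(Class, Item, Authentication, List)}`. The `ItemGroup` bridges `getCredentials(Class, ItemGroup, ...)` in the `-1124` hunk have the mirror problem: they link to `getCredentialsInItem` while calling `getCredentialsInItemGroup`.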
@@ -505,18 +491,30 @@ public static ListBoxModel listCredentials(@NonNull Cl * @param type the type of credentials to get. * @param authentication the authentication. * @param item the item. - * @param domainRequirements the credential domains to match. * @param the credentials type. * @return the list of credentials. - * @since 1.5 + * @since TODO + */ + @NonNull + @SuppressWarnings("unused") // API entry point for consumers + public static List lookupCredentialsInItem(@NonNull Class type, + @Nullable Item item, + @Nullable Authentication authentication) { + return lookupCredentialsInItem(type, item, authentication, List.of()); + } + + /** + * @deprecated use {@link #lookupCredentialsInItem(Class, Item, Authentication, List)} */ @NonNull @SuppressWarnings("unused") // API entry point for consumers + @Deprecated public static List lookupCredentials(@NonNull Class type, @Nullable Item item, - @Nullable Authentication authentication, - DomainRequirement... domainRequirements) { - return lookupCredentials(type, item, authentication, Arrays.asList(domainRequirements)); + @Nullable org.acegisecurity.Authentication authentication, + @Nullable List + domainRequirements) { + return lookupCredentialsInItem(type, item, authentication == null ? null : authentication.toSpring(), domainRequirements); } /** 
@@ -529,23 +527,23 @@ public static List lookupCredentials(@NonNull Class the credentials type. * @return the list of credentials. - * @since 1.5 + * @since TODO */ @NonNull @SuppressWarnings("unused") // API entry point for consumers - public static List lookupCredentials(@NonNull Class type, - @Nullable Item item, - @Nullable Authentication authentication, - @Nullable List + public static List lookupCredentialsInItem(@NonNull Class type, + @Nullable Item item, + @Nullable Authentication authentication, + @Nullable List domainRequirements) { Objects.requireNonNull(type); if (item == null) { - return lookupCredentials(type, Jenkins.get(), authentication, domainRequirements); + return lookupCredentialsInItemGroup(type, Jenkins.get(), authentication, domainRequirements); } if (item instanceof ItemGroup) { - return lookupCredentials(type, (ItemGroup)item, authentication, domainRequirements); + return lookupCredentialsInItemGroup(type, (ItemGroup)item, authentication, domainRequirements); } - authentication = authentication == null ? ACL.SYSTEM : authentication; + authentication = authentication == null ? ACL.SYSTEM2 : authentication; domainRequirements = domainRequirements == null ? Collections.emptyList() : domainRequirements; CredentialsResolver resolver = CredentialsResolver.getResolver(type); @@ -553,7 +551,7 @@ public static List lookupCredentials(@NonNull Class originals = - lookupCredentials(resolver.getFromClass(), item, authentication, domainRequirements); + lookupCredentialsInItem(resolver.getFromClass(), item, authentication, domainRequirements); LOGGER.log(Level.FINE, "Original credentials for resolving: {0}", originals); return resolver.resolve(originals); } 
@@ -562,7 +560,7 @@ public static List lookupCredentials(@NonNull Class List lookupCredentials(@NonNull Class ListBoxModel listCredentials(@NonNull Class type, + @Nullable Item item, + @Nullable org.acegisecurity.Authentication authentication, + @Nullable List + domainRequirements, + @Nullable CredentialsMatcher matcher) { + return listCredentialsInItem(type, item, authentication == null ? null : authentication.toSpring(), domainRequirements, matcher); + } + /** * Returns a {@link ListBoxModel} of all credentials which are available to the specified {@link Authentication} * for use by the specified {@link Item}. 
@@ -590,30 +602,30 @@ public static List lookupCredentials(@NonNull Class the credentials type. * @return the {@link ListBoxModel} of {@link IdCredentials#getId()} with the corresponding display names as * provided by {@link CredentialsNameProvider}. - * @since 2.1.0 + * @since TODO */ @NonNull - public static ListBoxModel listCredentials(@NonNull Class type, - @Nullable Item item, - @Nullable Authentication authentication, - @Nullable List + public static ListBoxModel listCredentialsInItem(@NonNull Class type, + @Nullable Item item, + @Nullable Authentication authentication, + @Nullable List domainRequirements, - @Nullable CredentialsMatcher matcher) { + @Nullable CredentialsMatcher matcher) { Objects.requireNonNull(type); if (item == null) { - return listCredentials(type, Jenkins.get(), authentication, domainRequirements, matcher); + return listCredentialsInItemGroup(type, Jenkins.get(), authentication, domainRequirements, matcher); } if (item instanceof ItemGroup) { - return listCredentials(type, (ItemGroup) item, authentication, domainRequirements, matcher); + return listCredentialsInItemGroup(type, (ItemGroup) item, authentication, domainRequirements, matcher); } - authentication = authentication == null ? ACL.SYSTEM : authentication; + authentication = authentication == null ? ACL.SYSTEM2 : authentication; domainRequirements = domainRequirements == null ? Collections.emptyList() : domainRequirements; CredentialsResolver resolver = CredentialsResolver.getResolver(type); if (resolver != null && IdCredentials.class.isAssignableFrom(resolver.getFromClass())) { LOGGER.log(Level.FINE, "Listing legacy credentials of type {0} identified by resolver {1}", new Object[]{type, resolver}); - return listCredentials((Class) resolver.getFromClass(), item, authentication, + return listCredentialsInItem((Class) resolver.getFromClass(), item, authentication, domainRequirements, matcher); } ListBoxModel result = new ListBoxModel(); 
@@ -621,8 +633,8 @@ public static ListBoxModel listCredentials(@NonNull Cl for (CredentialsProvider provider : all()) { if (provider.isEnabled(item) && provider.isApplicable(type)) { try { - for (ListBoxModel.Option option : provider.getCredentialIds( - type, item, authentication, domainRequirements, matcher) + for (ListBoxModel.Option option : provider.getCredentialIdsInItem( + type, item, authentication, domainRequirements, matcher == null ? CredentialsMatchers.always() : matcher) ) { if (ids.add(option.value)) { result.add(option); @@ -726,15 +738,15 @@ public boolean hasNext() { Authentication a; if (jenkins.hasPermission(USE_ITEM) && current == User.current()) { // this is the fast path for the 99% of cases - a = Jenkins.getAuthentication(); + a = Jenkins.getAuthentication2(); } else { try { - a = ((User) current).impersonate(); + a = ((User) current).impersonate2(); } catch (UsernameNotFoundException e) { - a = null; + a = Jenkins.ANONYMOUS2; } } - if (current == User.current() && jenkins.getACL().hasPermission(a, USE_ITEM)) { + if (current == User.current() && jenkins.getACL().hasPermission2(a, USE_ITEM)) { current = jenkins; iterator = providers.iterator(); } else { @@ -826,11 +838,11 @@ public static C snapshot(Class clazz, C credential) { * Helper method to get the default authentication to use for an {@link Item}. */ @NonNull - /*package*/ static Authentication getDefaultAuthenticationOf(Item item) { + /*package*/ static Authentication getDefaultAuthenticationOf2(Item item) { if (item instanceof Queue.Task) { - return Tasks.getAuthenticationOf((Queue.Task) item); + return Tasks.getAuthenticationOf2((Queue.Task) item); } else { - return ACL.SYSTEM; + return ACL.SYSTEM2; } } 
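Review bot: In the `hasNext()` hunk, the `catch (UsernameNotFoundException e)` fallback only runs if that name resolves to Spring Security's exception, which is what `impersonate2()` throws; the import is outside this hunk, so confirm it was switched away from the acegi class. The fallback value also changed from `null` to `Jenkins.ANONYMOUS2`, so the following `hasPermission2(a, USE_ITEM)` now evaluates anonymous's rights for a user the realm cannot resolve. That is a sensible least-privilege choice, but it deserves a comment such as `// user unknown to the realm: check USE_ITEM as anonymous instead of handing null to the ACL`. The enclosing method starts and ends outside the hunk.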
@@ -843,13 +855,20 @@ public static C snapshot(Class clazz, C credential) { * @param id either the id of the credential to find or a parameter expression for the id. * @param type the type of credential to find. * @param run the {@link Run} defining the context within which to find the credential. - * @param domainRequirements the domain requirements of the credential. * @param the credentials type. * @return the credential or {@code null} if either the credential cannot be found or the user triggering the run * is not permitted to use the credential in the context of the run. - * @since 1.16 + * @since TODO */ @CheckForNull + public static C findCredentialById(@NonNull String id, @NonNull Class type, + @NonNull Run run) { + return findCredentialById(id, type, run, List.of()); + } + + /** + * @deprecated Use {@link #findCredentialById(String, Class, Run, List)} instead. + */ public static C findCredentialById(@NonNull String id, @NonNull Class type, @NonNull Run run, DomainRequirement... domainRequirements) { 
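Review bot: The varargs `findCredentialById(String, Class, Run, DomainRequirement...)` loses its `@CheckForNull`, because the annotation that used to precede it now sits on the new three-argument overload inserted above it; the new `@deprecated` Javadoc tag also has no matching `@Deprecated` annotation. Per the Javadoc in this hunk the method returns `null` when the triggering user is not permitted to use the credential, so callers depend on the nullness annotation to be warned about a missing check. Put `@Deprecated` and `@CheckForNull` on the varargs overload, after its Javadoc. Its body continues outside the hunk.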
@@ -906,15 +925,15 @@ public static C findCredentialById(@NonNull String id, // we use the default authentication of the job as those are the only ones that can be configured // if a different strategy is in play it doesn't make sense to consider the run-time authentication // as you would have no way to configure it - Authentication runAuth = CredentialsProvider.getDefaultAuthenticationOf(run.getParent()); + Authentication runAuth = CredentialsProvider.getDefaultAuthenticationOf2(run.getParent()); // we want the credentials available to the user the build is running as List candidates = new ArrayList<>( - CredentialsProvider.lookupCredentials(type, run.getParent(), runAuth, domainRequirements) + CredentialsProvider.lookupCredentialsInItem(type, run.getParent(), runAuth, domainRequirements) ); // if that user can use the item's credentials, add those in too - if (runAuth != ACL.SYSTEM && run.hasPermission(runAuth, CredentialsProvider.USE_ITEM)) { + if (runAuth != ACL.SYSTEM2 && run.hasPermission2(runAuth, CredentialsProvider.USE_ITEM)) { candidates.addAll( - CredentialsProvider.lookupCredentials(type, run.getParent(), ACL.SYSTEM, domainRequirements) + CredentialsProvider.lookupCredentialsInItem(type, run.getParent(), ACL.SYSTEM2, domainRequirements) ); } // TODO should this be calling track? 
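Review bot: `runAuth != ACL.SYSTEM2` is an identity comparison, while `SystemCredentialsProvider` in this same change decides with `ACL.SYSTEM2.equals(authentication)`. Now that authentications can cross the `toSpring()`/`fromSpring()` bridges, it is worth confirming that a system identity always arrives here as the very same instance; if it may not, this guard and the provider disagree about who is SYSTEM. Writing `if (!ACL.SYSTEM2.equals(runAuth) && run.hasPermission2(runAuth, CredentialsProvider.USE_ITEM)) {` keeps the two sides consistent. The same comparison recurs in the next hunk, and the method starts outside this one.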
@@ -922,37 +941,37 @@ public static C findCredentialById(@NonNull String id, } // this is a parameter and not the default value, we need to determine who triggered the build final Map.Entry> triggeredBy = triggeredBy(run); - final Authentication a = triggeredBy == null ? Jenkins.ANONYMOUS : triggeredBy.getKey().impersonate(); + final Authentication a = triggeredBy == null ? Jenkins.ANONYMOUS2 : triggeredBy.getKey().impersonate2(); List candidates = new ArrayList<>(); - if (triggeredBy != null && run == triggeredBy.getValue() && run.hasPermission(a, CredentialsProvider.USE_OWN)) { + if (triggeredBy != null && run == triggeredBy.getValue() && run.hasPermission2(a, CredentialsProvider.USE_OWN)) { // the user triggered this job directly and they are allowed to supply their own credentials, so // add those into the list. We do not want to follow the chain for the user's authentication // though, as there is no way to limit how far the passed-through parameters can be used - candidates.addAll(CredentialsProvider.lookupCredentials(type, run.getParent(), a, domainRequirements)); + candidates.addAll(CredentialsProvider.lookupCredentialsInItem(type, run.getParent(), a, domainRequirements)); } if (inputUserId != null) { final User inputUser = User.getById(inputUserId, false); if (inputUser != null) { - final Authentication inputAuth = inputUser.impersonate(); - if (run.hasPermission(inputAuth, CredentialsProvider.USE_OWN)) { - candidates.addAll(CredentialsProvider.lookupCredentials(type, run.getParent(), inputAuth, domainRequirements)); + final Authentication inputAuth = inputUser.impersonate2(); + if (run.hasPermission2(inputAuth, CredentialsProvider.USE_OWN)) { + candidates.addAll(CredentialsProvider.lookupCredentialsInItem(type, run.getParent(), inputAuth, domainRequirements)); } } } - if (run.hasPermission(a, CredentialsProvider.USE_ITEM)) { + if (run.hasPermission2(a, CredentialsProvider.USE_ITEM)) { // the triggering user is allowed to use the item's credentials, so add 
those into the list // we use the default authentication of the job as those are the only ones that can be configured // if a different strategy is in play it doesn't make sense to consider the run-time authentication // as you would have no way to configure it - Authentication runAuth = CredentialsProvider.getDefaultAuthenticationOf(run.getParent()); + Authentication runAuth = CredentialsProvider.getDefaultAuthenticationOf2(run.getParent()); // we want the credentials available to the user the build is running as candidates.addAll( - CredentialsProvider.lookupCredentials(type, run.getParent(), runAuth, domainRequirements) + CredentialsProvider.lookupCredentialsInItem(type, run.getParent(), runAuth, domainRequirements) ); // if that user can use the item's credentials, add those in too - if (runAuth != ACL.SYSTEM && run.hasPermission(runAuth, CredentialsProvider.USE_ITEM)) { + if (runAuth != ACL.SYSTEM2 && run.hasPermission2(runAuth, CredentialsProvider.USE_ITEM)) { candidates.addAll( - CredentialsProvider.lookupCredentials(type, run.getParent(), ACL.SYSTEM, domainRequirements) + CredentialsProvider.lookupCredentialsInItem(type, run.getParent(), ACL.SYSTEM2, domainRequirements) ); } } 
@@ -1124,19 +1143,28 @@ public CredentialsStore getStore(@CheckForNull ModelObject object) { } /** - * Returns the credentials provided by this provider which are available to the specified {@link Authentication} - * for items in the specified {@link ItemGroup} - * - * @param type the type of credentials to return. - * @param itemGroup the item group (if {@code null} assume {@link Jenkins#get()}. - * @param authentication the authentication (if {@code null} assume {@link ACL#SYSTEM}. - * @param the credentials type. - * @return the list of credentials. + * @deprecated use {@link #getCredentialsInItem(Class, Item, Authentication, List)} instead. */ @NonNull - public abstract List getCredentials(@NonNull Class type, + @Deprecated + public List getCredentials(@NonNull Class type, @Nullable ItemGroup itemGroup, - @Nullable Authentication authentication); + @Nullable org.acegisecurity.Authentication authentication) { + return getCredentialsInItemGroup(type, itemGroup, authentication == null ? null : authentication.toSpring(), List.of()); + } + + /** + * @deprecated use {@link #getCredentialsInItem(Class, Item, Authentication, List)} instead. + */ + @Deprecated + @NonNull + public List getCredentials(@NonNull Class type, + @Nullable ItemGroup itemGroup, + @Nullable org.acegisecurity.Authentication authentication, + @NonNull List domainRequirements) { + return getCredentialsInItemGroup(type, itemGroup, authentication == null ? null : authentication.toSpring(), domainRequirements); + } + /** * Returns the credentials provided by this provider which are available to the specified {@link Authentication} 
@@ -1145,20 +1173,38 @@ public abstract List getCredentials(@NonNull Class * * @param type the type of credentials to return. * @param itemGroup the item group (if {@code null} assume {@link Jenkins#get()}. - * @param authentication the authentication (if {@code null} assume {@link ACL#SYSTEM}. + * @param authentication the authentication (if {@code null} assume {@link ACL#SYSTEM2}. * @param domainRequirements the credential domains to match (if the {@link CredentialsProvider} does not support * {@link DomainRequirement}s then it should * assume the match is true). * @param the credentials type. * @return the list of credentials. - * @since 1.5 + * @since TODO */ @NonNull - public List getCredentials(@NonNull Class type, - @Nullable ItemGroup itemGroup, - @Nullable Authentication authentication, - @NonNull List domainRequirements) { - return getCredentials(type, itemGroup, authentication); + @SuppressWarnings("deprecation") + public List getCredentialsInItemGroup(@NonNull Class type, + @Nullable ItemGroup itemGroup, + @Nullable Authentication authentication, + @NonNull List domainRequirements) { + if (Util.isOverridden(CredentialsProvider.class, getClass(), "getCredentials", Class.class, ItemGroup.class, org.acegisecurity.Authentication.class, List.class)) { + return getCredentials(type, itemGroup, authentication == null ? null : org.acegisecurity.Authentication.fromSpring(authentication), domainRequirements); + } + throw new AbstractMethodError("Implement getCredentialsInItemGroup"); + } + + /** + * @deprecated Use {@link #getCredentialIdsInItemGroup(Class, ItemGroup, Authentication, List, CredentialsMatcher)} instead. + */ + @NonNull + @Deprecated + public ListBoxModel getCredentialIds(@NonNull Class type, + @Nullable ItemGroup itemGroup, + @Nullable org.acegisecurity.Authentication authentication, + @NonNull + List domainRequirements, + @NonNull CredentialsMatcher matcher) { + return getCredentialIdsInItemGroup(type, itemGroup, authentication == null ? 
null : authentication.toSpring(), domainRequirements, matcher); } /** @@ -1167,7 +1213,7 @@ public List getCredentials(@NonNull Class type, * specified {@link DomainRequirement}s. * NOTE: implementations are recommended to override this method if the actual secret information * is being stored external from Jenkins and the non-secret information can be accessed with lesser traceability - * requirements. The default implementation just uses {@link #getCredentials(Class, Item, Authentication, List)} + * requirements. The default implementation just uses {@link #getCredentialsInItem(Class, Item, Authentication, List)} * to build the {@link ListBoxModel}. Handling the {@link CredentialsMatcher} may require standing up a proxy * instance to apply the matcher against if {@link CredentialsMatchers#describe(CredentialsMatcher)} returns * {@code null} 
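Review bot: `getCredentialsInItemGroup` throws `AbstractMethodError` for a provider that overrides only the three-argument `getCredentials(Class, ItemGroup, Authentication)`, which the previous hunk shows was the one `abstract` method every provider had to implement. The `Util.isOverridden` probe here names the four-argument signature only, so such a provider fails on every lookup made through the new API, and an `Error` would not be caught by a `catch (Exception ...)` in the caller (the callers' handlers are outside this hunk). Add a second probe for `"getCredentials", Class.class, ItemGroup.class, org.acegisecurity.Authentication.class` that calls the three-argument method before the `throw`.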
@@ -1175,21 +1221,21 @@ public List getCredentials(@NonNull Class type, * @param the credentials type. * @param type the type of credentials to return. * @param itemGroup the item group (if {@code null} assume {@link Jenkins#get()}. - * @param authentication the authentication (if {@code null} assume {@link ACL#SYSTEM}. + * @param authentication the authentication (if {@code null} assume {@link ACL#SYSTEM2}. * @param domainRequirements the credential domain to match. * @param matcher the additional filtering to apply to the credentials * @return the {@link ListBoxModel} of {@link IdCredentials#getId()} with names provided by * {@link CredentialsNameProvider}. - * @since 2.1.0 + * @since TODO */ @NonNull - public ListBoxModel getCredentialIds(@NonNull Class type, - @Nullable ItemGroup itemGroup, - @Nullable Authentication authentication, - @NonNull + public ListBoxModel getCredentialIdsInItemGroup(@NonNull Class type, + @Nullable ItemGroup itemGroup, + @Nullable Authentication authentication, + @NonNull List domainRequirements, - @NonNull CredentialsMatcher matcher) { - return getCredentials(type, itemGroup, authentication, domainRequirements) + @NonNull CredentialsMatcher matcher) { + return getCredentialsInItemGroup(type, itemGroup, authentication, domainRequirements) .stream() .filter(matcher::matches) .sorted(new CredentialsNameComparator()) 
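Review bot: The default `getCredentialIdsInItemGroup` goes straight to `getCredentialsInItemGroup(...)` and never checks whether the provider overrides the legacy `getCredentialIds`. The Javadoc just above recommends that override for providers whose secrets are stored outside Jenkins, so that listing uses the lower-traceability path; with this default, an un-migrated provider's list boxes would be built from full credential objects and may produce usage records for secrets that were only listed. A `Util.isOverridden` probe like the one in `getCredentialsInItemGroup` would preserve the legacy path; `getCredentialIdsInItem` and `getCredentialsInItem` in the following hunk need the same treatment for the `Item` overloads. The method's closing lines are outside this hunk.

```java
// … unchanged: getCredentialIdsInItemGroup signature …
    if (Util.isOverridden(CredentialsProvider.class, getClass(), "getCredentialIds", Class.class,
            ItemGroup.class, org.acegisecurity.Authentication.class, List.class,
            CredentialsMatcher.class)) {
        // Legacy override present: keep the provider's own listing path, which may avoid reading secrets.
        // NOTE: an override that calls super.getCredentialIds(...) would loop back here; the same
        // caveat applies to the getCredentials probe in getCredentialsInItemGroup.
        return getCredentialIds(type, itemGroup,
                authentication == null ? null : org.acegisecurity.Authentication.fromSpring(authentication),
                domainRequirements, matcher);
    }
    return getCredentialsInItemGroup(type, itemGroup, authentication, domainRequirements)
// … unchanged: stream pipeline that builds the ListBoxModel …
```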
@@ -1198,21 +1244,27 @@ public ListBoxModel getCredentialIds(@NonNull Class } /** - * Returns the credentials provided by this provider which are available to the specified {@link Authentication} - * for the specified {@link Item} - * - * @param type the type of credentials to return. - * @param item the item. - * @param authentication the authentication (if {@code null} assume {@link ACL#SYSTEM}. - * @param the credentials type. - * @return the list of credentials. + * @deprecated Use {@link #getCredentialsInItem(Class, Item, Authentication, List)} instead. */ + @Deprecated @NonNull public List getCredentials(@NonNull Class type, @NonNull Item item, - @Nullable Authentication authentication) { + @Nullable org.acegisecurity.Authentication authentication) { Objects.requireNonNull(item); - return getCredentials(type, item.getParent(), authentication); + return getCredentialsInItemGroup(type, item.getParent(), authentication == null ? null : authentication.toSpring(), List.of()); + } + + /** + * @deprecated Use {@link #getCredentialsInItem(Class, Item, Authentication, List)} instead. + */ + @Deprecated + @NonNull + public List getCredentials(@NonNull Class type, + @NonNull Item item, + @Nullable org.acegisecurity.Authentication authentication, + @NonNull List domainRequirements) { + return getCredentialsInItem(type, item, authentication == null ? null : authentication.toSpring(), domainRequirements); } /** 
@@ -1221,51 +1273,64 @@ public List getCredentials(@NonNull Class type, * * @param type the type of credentials to return. * @param item the item. - * @param authentication the authentication (if {@code null} assume {@link ACL#SYSTEM}. + * @param authentication the authentication (if {@code null} assume {@link ACL#SYSTEM2}. * @param domainRequirements the credential domain to match. * @param the credentials type. * @return the list of credentials. - * @since 1.5 + * @since TODO */ @NonNull - public List getCredentials(@NonNull Class type, - @NonNull Item item, - @Nullable Authentication authentication, - @NonNull List domainRequirements) { - return getCredentials(type, item instanceof ItemGroup ? (ItemGroup) item : item.getParent(), + public List getCredentialsInItem(@NonNull Class type, + @NonNull Item item, + @Nullable Authentication authentication, + @NonNull List domainRequirements) { + return getCredentialsInItemGroup(type, item instanceof ItemGroup ? (ItemGroup) item : item.getParent(), authentication, domainRequirements); } + /** + * @deprecated Use {@link #getCredentialIdsInItem(Class, Item, Authentication, List, CredentialsMatcher)} instead. + */ + @NonNull + @Deprecated + public ListBoxModel getCredentialIds(@NonNull Class type, + @NonNull Item item, + @Nullable org.acegisecurity.Authentication authentication, + @NonNull List domainRequirements, + @NonNull CredentialsMatcher matcher) { + return getCredentialIdsInItem(type, item, authentication == null ? null : authentication.toSpring(), domainRequirements, matcher); + } + /** * Returns a {@link ListBoxModel} of the credentials provided by this provider which are available to the * specified {@link Authentication} for the specified {@link Item} and are appropriate for the * specified {@link DomainRequirement}s. 
* NOTE: implementations are recommended to override this method if the actual secret information * is being stored external from Jenkins and the non-secret information can be accessed with lesser traceability - * requirements. The default implementation just uses {@link #getCredentials(Class, Item, Authentication, List)} + * requirements. The default implementation just uses {@link #getCredentialsInItem(Class, Item, Authentication, List)} * to build the {@link ListBoxModel}. Handling the {@link CredentialsMatcher} may require standing up a proxy * instance to apply the matcher against. * * @param type the type of credentials to return. * @param item the item. - * @param authentication the authentication (if {@code null} assume {@link ACL#SYSTEM}. + * @param authentication the authentication (if {@code null} assume {@link ACL#SYSTEM2}. * @param domainRequirements the credential domain to match. * @param matcher the additional filtering to apply to the credentials * @param the credentials type. * @return the {@link ListBoxModel} of {@link IdCredentials#getId()} with names provided by * {@link CredentialsNameProvider}. 
- * @since 2.1.0 + * @since TODO */ @NonNull - public ListBoxModel getCredentialIds(@NonNull Class type, - @NonNull Item item, - @Nullable Authentication authentication, - @NonNull List domainRequirements, - @NonNull CredentialsMatcher matcher) { + public ListBoxModel getCredentialIdsInItem(@NonNull Class type, + @NonNull Item item, + @Nullable Authentication authentication, + @NonNull List domainRequirements, + @NonNull CredentialsMatcher matcher) { if (item instanceof ItemGroup) { - return getCredentialIds(type, (ItemGroup) item, authentication, domainRequirements, matcher); + return getCredentialIdsInItemGroup(type, (ItemGroup) item, authentication, domainRequirements, matcher); } - return getCredentials(type, item, authentication, domainRequirements) + return getCredentialsInItem(type, item, authentication, domainRequirements) .stream() .filter(matcher::matches) .sorted(new CredentialsNameComparator()) @@ -1690,9 +1755,9 @@ public static void saveAll() { Jenkins jenkins = Jenkins.get(); jenkins.checkPermission(Jenkins.ADMINISTER); LOGGER.log(Level.INFO, "Forced save credentials stores: Requested by {0}", - StringUtils.defaultIfBlank(Jenkins.getAuthentication().getName(), "anonymous")); + StringUtils.defaultIfBlank(Jenkins.getAuthentication2().getName(), "anonymous")); Timer.get().execute(() -> { - try (ACLContext ctx = ACL.as(ACL.SYSTEM)) { + try (ACLContext ignored = ACL.as2(ACL.SYSTEM2)) { if (jenkins.getInitLevel().compareTo(InitMilestone.JOB_LOADED) < 0) { LOGGER.log(Level.INFO, "Forced save credentials stores: Initialization has not completed"); while (jenkins.getInitLevel().compareTo(InitMilestone.JOB_LOADED) < 0) { 
@@ -1747,8 +1812,8 @@ public static void saveAll() { // to ensure that User.current() == user // while we could use User.impersonate() that would force a query against the backing // SecurityRealm to revalidate - ACL.impersonate(new UsernamePasswordAuthenticationToken(user.getId(), "", - new GrantedAuthority[]{SecurityRealm.AUTHENTICATED_AUTHORITY})); + ACL.impersonate2(new UsernamePasswordAuthenticationToken(user.getId(), "", + Set.of(SecurityRealm.AUTHENTICATED_AUTHORITY2))); for (CredentialsStore s : lookupStores(user)) { if (user == s.getContext()) { // only save if the store is associated with this context item as otherwise will diff --git a/src/main/java/com/cloudbees/plugins/credentials/CredentialsStore.java b/src/main/java/com/cloudbees/plugins/credentials/CredentialsStore.java index fd3626c55..ee2e15cf5 100644 --- a/src/main/java/com/cloudbees/plugins/credentials/CredentialsStore.java +++ b/src/main/java/com/cloudbees/plugins/credentials/CredentialsStore.java @@ -41,7 +41,7 @@ import hudson.model.User; import hudson.security.ACL; import hudson.security.AccessControlled; -import hudson.security.AccessDeniedException2; +import hudson.security.AccessDeniedException3; import hudson.security.Permission; import java.io.IOException; import java.net.URI; @@ -51,10 +51,10 @@ import java.util.Set; import java.util.stream.Collectors; import jenkins.model.Jenkins; -import org.acegisecurity.Authentication; import org.apache.commons.lang.StringUtils; import org.kohsuke.stapler.Stapler; import org.kohsuke.stapler.StaplerRequest; +import org.springframework.security.core.Authentication; /** * A store of {@link Credentials}. Each {@link CredentialsStore} is associated with one and only one 
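Review bot: `ACL.impersonate2(...)` in the `saveAll()` hunk swaps the thread's security context without a scoped restore, and Jenkins core deprecates it in favour of `ACL.as2`. Whether the surrounding loop restores the previous context is not visible here, but the earlier hunk of the same method already uses `try (ACLContext ignored = ACL.as2(ACL.SYSTEM2))`. Wrapping the per-user save as `try (ACLContext ignored = ACL.as2(new UsernamePasswordAuthenticationToken(user.getId(), "", Set.of(SecurityRealm.AUTHENTICATED_AUTHORITY2)))) { ... }` would keep each synthetic user identity confined to its own iteration.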
@@ -167,14 +167,30 @@ public final Set getScopes() { @NonNull public abstract ModelObject getContext(); + + /** + * @deprecated Use {@link #hasPermission2(Authentication, Permission)} instead. + */ + @Deprecated + public boolean hasPermission(@NonNull org.acegisecurity.Authentication a, @NonNull Permission permission) { + return hasPermission2(a.toSpring(), permission); + } + /** * Checks if the given principle has the given permission. * * @param a the principle. * @param permission the permission. * @return {@code false} if the user doesn't have the permission. + * @since TODO */ - public abstract boolean hasPermission(@NonNull Authentication a, @NonNull Permission permission); + public boolean hasPermission2(@NonNull Authentication a, @NonNull Permission permission) { + if (Util.isOverridden(CredentialsStore.class, getClass(), "hasPermission", org.acegisecurity.Authentication.class, + Permission.class)) { + return hasPermission(org.acegisecurity.Authentication.fromSpring(a), permission); + } + throw new AbstractMethodError("Implement hasPermission2"); + } /** * {@inheritDoc} @@ -185,8 +201,8 @@ public ACL getACL() { // an effective ACL implementation. return new ACL() { @Override - public boolean hasPermission(@NonNull Authentication a, @NonNull Permission permission) { - return CredentialsStore.this.hasPermission(a, permission); + public boolean hasPermission2(@NonNull Authentication a, @NonNull Permission permission) { + return CredentialsStore.this.hasPermission2(a, permission); } }; } @@ -197,12 +213,12 @@ public boolean hasPermission(@NonNull Authentication a, @NonNull Permission perm * Note: This is just a convenience function. *
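Review bot: `hasPermission2` is no longer `abstract`, so a store that overrides neither method now compiles and only fails with `AbstractMethodError` when a permission is first checked. Failing closed is the right outcome for an access-control gate, but the Javadoc on the new method should state the contract, for example `Implementations must override this method; the default only bridges to a legacy {@code hasPermission(org.acegisecurity.Authentication, Permission)} override.` Without that sentence the only hint for implementers is the exception message.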

* - * @throws org.acegisecurity.AccessDeniedException if the user doesn't have the permission. + * @throws AccessDeniedException3 if the user doesn't have the permission. */ public final void checkPermission(@NonNull Permission p) { - Authentication a = Jenkins.getAuthentication(); - if (!hasPermission(a, p)) { - throw new AccessDeniedException2(a, p); + Authentication a = Jenkins.getAuthentication2(); + if (!hasPermission2(a, p)) { + throw new AccessDeniedException3(a, p); } } @@ -212,7 +228,7 @@ public final void checkPermission(@NonNull Permission p) { * @return {@code false} if the user doesn't have the permission. */ public final boolean hasPermission(@NonNull Permission p) { - return hasPermission(Jenkins.getAuthentication(), p); + return hasPermission2(Jenkins.getAuthentication2(), p); } /** diff --git a/src/main/java/com/cloudbees/plugins/credentials/CredentialsStoreAction.java b/src/main/java/com/cloudbees/plugins/credentials/CredentialsStoreAction.java index b752bfe21..5d08350db 100644 --- a/src/main/java/com/cloudbees/plugins/credentials/CredentialsStoreAction.java +++ b/src/main/java/com/cloudbees/plugins/credentials/CredentialsStoreAction.java @@ -83,7 +83,6 @@ import jenkins.model.ModelObjectWithContextMenu; import jenkins.util.xml.XMLUtils; import net.sf.json.JSONObject; -import org.acegisecurity.AccessDeniedException; import org.apache.commons.lang.StringUtils; import org.jenkins.ui.icon.IconSpec; import org.kohsuke.accmod.Restricted; @@ -97,6 +96,7 @@ import org.kohsuke.stapler.export.Exported; import org.kohsuke.stapler.export.ExportedBean; import org.kohsuke.stapler.interceptor.RequirePOST; +import org.springframework.security.access.AccessDeniedException; import org.xml.sax.SAXException; import static com.cloudbees.plugins.credentials.ContextMenuIconUtils.getMenuItemIconUrlByClassSpec; 
diff --git a/src/main/java/com/cloudbees/plugins/credentials/SystemCredentialsProvider.java b/src/main/java/com/cloudbees/plugins/credentials/SystemCredentialsProvider.java index fee970cd4..15f24d18c 100644 --- a/src/main/java/com/cloudbees/plugins/credentials/SystemCredentialsProvider.java +++ b/src/main/java/com/cloudbees/plugins/credentials/SystemCredentialsProvider.java @@ -59,9 +59,9 @@ import java.util.logging.Level; import java.util.logging.Logger; import jenkins.model.Jenkins; -import org.acegisecurity.Authentication; import org.kohsuke.stapler.export.Exported; import org.kohsuke.stapler.export.ExportedBean; +import org.springframework.security.core.Authentication; import static com.cloudbees.plugins.credentials.CredentialsMatchers.always; import static com.cloudbees.plugins.credentials.CredentialsMatchers.not; @@ -204,7 +204,7 @@ private void checkPermission(Permission p) { */ private void checkedSave(Permission p) throws IOException { checkPermission(p); - try (ACLContext ignored = ACL.as(ACL.SYSTEM)) { + try (ACLContext ignored = ACL.as2(ACL.SYSTEM2)) { save(); } } 
@@ -423,21 +423,10 @@ public CredentialsStore getStore(@CheckForNull ModelObject object) {
 */
 @NonNull
 @Override
- public List getCredentials(@NonNull Class type,
- @Nullable ItemGroup itemGroup,
- @Nullable Authentication authentication) {
- return getCredentials(type, itemGroup, authentication, Collections.emptyList());
- }
-
- /**
- * {@inheritDoc}
- */
- @NonNull
- @Override
- public List getCredentials(@NonNull Class type, @Nullable ItemGroup itemGroup,
- @Nullable Authentication authentication,
- @NonNull List domainRequirements) {
- if (ACL.SYSTEM.equals(authentication)) {
+ public List getCredentialsInItemGroup(@NonNull Class type, @Nullable ItemGroup itemGroup,
+ @Nullable Authentication authentication,
+ @NonNull List domainRequirements) {
+ if (ACL.SYSTEM2.equals(authentication)) {
 CredentialsMatcher matcher = Jenkins.get() == itemGroup ? always() : not(withScope(SYSTEM));
 return DomainCredentials.getCredentials(SystemCredentialsProvider.getInstance()
 .getDomainCredentialsMap(), type, domainRequirements, matcher);
@@ -450,20 +439,10 @@ public List getCredentials(@NonNull Class type, @N
 */
 @NonNull
 @Override
- public List getCredentials(@NonNull Class type, @NonNull Item item,
- @Nullable Authentication authentication) {
- return getCredentials(type, item, authentication, Collections.emptyList());
- }
-
- /**
- * {@inheritDoc}
- */
- @NonNull
- @Override
- public List getCredentials(@NonNull Class type, @NonNull Item item,
- @Nullable Authentication authentication,
- @NonNull List domainRequirements) {
- if (ACL.SYSTEM.equals(authentication)) {
+ public List getCredentialsInItem(@NonNull Class type, @NonNull Item item,
+ @Nullable Authentication authentication,
+ @NonNull List domainRequirements) {
+ if (ACL.SYSTEM2.equals(authentication)) {
 return DomainCredentials.getCredentials(SystemCredentialsProvider.getInstance()
 .getDomainCredentialsMap(), type, domainRequirements, not(withScope(SYSTEM)));
 }
@@ -507,9 +486,9 @@ public ModelObject getContext() {
 * {@inheritDoc}
 */
 @Override
- public boolean hasPermission(@NonNull Authentication a, @NonNull Permission permission) {
+ public boolean hasPermission2(@NonNull Authentication a, @NonNull Permission permission) {
 // we follow the permissions of Jenkins itself
- return getACL().hasPermission(a, permission);
+ return getACL().hasPermission2(a, permission);
 }
 @NonNull
diff --git a/src/main/java/com/cloudbees/plugins/credentials/UserCredentialsProvider.java b/src/main/java/com/cloudbees/plugins/credentials/UserCredentialsProvider.java
index a30105dcc..9f0ddadca 100644
--- a/src/main/java/com/cloudbees/plugins/credentials/UserCredentialsProvider.java
+++ b/src/main/java/com/cloudbees/plugins/credentials/UserCredentialsProvider.java
@@ -42,7 +42,7 @@
 import hudson.model.UserPropertyDescriptor;
 import hudson.security.ACL;
 import hudson.security.ACLContext;
-import hudson.security.AccessDeniedException2;
+import hudson.security.AccessDeniedException3;
 import hudson.security.Permission;
 import java.io.IOException;
 import java.net.URI;
@@ -59,12 +59,12 @@
 import jenkins.model.Jenkins;
 import net.jcip.annotations.GuardedBy;
 import net.sf.json.JSONObject;
-import org.acegisecurity.Authentication;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.Stapler;
 import org.kohsuke.stapler.StaplerRequest;
 import org.kohsuke.stapler.export.Exported;
 import org.kohsuke.stapler.export.ExportedBean;
+import org.springframework.security.core.Authentication;
 import static com.cloudbees.plugins.credentials.CredentialsMatchers.always;
@@ -118,27 +118,17 @@ public CredentialsStore getStore(@CheckForNull ModelObject object) {
 */
 @NonNull
 @Override
- public List getCredentials(@NonNull Class type, @Nullable ItemGroup itemGroup,
- @Nullable Authentication authentication) {
- return getCredentials(type, itemGroup, authentication, Collections.emptyList());
- }
-
- /**
- * {@inheritDoc}
- */
- @NonNull
- @Override
- public List getCredentials(@NonNull Class type,
- @Nullable ItemGroup itemGroup,
- @Nullable Authentication authentication,
- @NonNull List domainRequirements) {
+ public List getCredentialsInItemGroup(@NonNull Class type,
+ @Nullable ItemGroup itemGroup,
+ @Nullable Authentication authentication,
+ @NonNull List domainRequirements) {
 // ignore itemGroup, as per-user credentials are available on any object
 if (authentication == null) { // assume ACL#SYSTEM
- authentication = ACL.SYSTEM;
+ authentication = ACL.SYSTEM2;
 }
- if (!ACL.SYSTEM.equals(authentication)) {
- User user = User.get(authentication);
+ if (!ACL.SYSTEM2.equals(authentication)) {
+ User user = User.get2(authentication);
 if (user != null) {
 UserCredentialsProperty property = user.getProperty(UserCredentialsProperty.class);
 if (property != null) {
@@ -425,7 +415,7 @@ private void checkPermission(Permission p) {
 if (user.equals(User.current())) {
 user.checkPermission(p);
 } else {
- throw new AccessDeniedException2(Jenkins.getAuthentication(), p);
+ throw new AccessDeniedException3(Jenkins.getAuthentication2(), p);
 }
 }
@@ -671,8 +661,8 @@ public ModelObject getContext() {
 * {@inheritDoc}
 */
 @Override
- public boolean hasPermission(@NonNull Authentication a, @NonNull Permission permission) {
- return getACL().hasPermission(a, permission);
+ public boolean hasPermission2(@NonNull Authentication a, @NonNull Permission permission) {
+ return getACL().hasPermission2(a, permission);
 }
 /**
@@ -683,8 +673,8 @@ public boolean hasPermission(@NonNull Authentication a, @NonNull Permission perm
 public ACL getACL() {
 return new ACL() {
 @Override
- public boolean hasPermission(@NonNull Authentication a, @NonNull Permission permission) {
- return user.equals(User.getById(a.getName(), true)) && user.getACL().hasPermission(a, permission);
+ public boolean hasPermission2(@NonNull Authentication a, @NonNull Permission permission) {
+ return user.equals(User.getById(a.getName(), true)) && user.getACL().hasPermission2(a, permission);
 }
 };
 }
diff --git a/src/main/java/com/cloudbees/plugins/credentials/ViewCredentialsAction.java b/src/main/java/com/cloudbees/plugins/credentials/ViewCredentialsAction.java
index 8126ce6bc..ea9507b15 100644
--- a/src/main/java/com/cloudbees/plugins/credentials/ViewCredentialsAction.java
+++ b/src/main/java/com/cloudbees/plugins/credentials/ViewCredentialsAction.java
@@ -57,7 +57,6 @@
 import jenkins.model.Jenkins;
 import jenkins.model.ModelObjectWithContextMenu;
 import jenkins.model.TransientActionFactory;
-import org.acegisecurity.Authentication;
 import org.jenkins.ui.icon.IconSpec;
 import org.kohsuke.accmod.Restricted;
 import org.kohsuke.accmod.restrictions.NoExternalUse;
@@ -65,6 +64,7 @@
 import org.kohsuke.stapler.StaplerResponse;
 import org.kohsuke.stapler.export.Exported;
 import org.kohsuke.stapler.export.ExportedBean;
+import org.springframework.security.core.Authentication;
 /**
 * An {@link Action} that lets you view the available credentials for any {@link ModelObject}.
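Review bot: The per-user ACL in `UserCredentialsProvider`'s `getACL()` still evaluates `User.getById(a.getName(), true)`, so every `hasPermission2` call asks Jenkins to instantiate a user object for whatever principal name the authentication carries, as a side effect of an authorization decision. A non-creating lookup, `return user.equals(User.getById(a.getName(), false)) && user.getACL().hasPermission2(a, permission);`, should give the same answer because an unknown name simply fails the `equals`. The line is carried over unchanged apart from the rename, so this is not a regression, but the migration is a reasonable point to tighten it and to add a one-line comment that only the owning user can pass this check.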
@@ -377,10 +377,10 @@ public ACL getACL() {
 context instanceof AccessControlled ? (AccessControlled) context : Jenkins.get();
 return new ACL() {
 @Override
- public boolean hasPermission(@NonNull Authentication a, @NonNull Permission permission) {
- if (accessControlled.hasPermission(a, permission)) {
+ public boolean hasPermission2(@NonNull Authentication a, @NonNull Permission permission) {
+ if (accessControlled.hasPermission2(a, permission)) {
 for (CredentialsStore s : getLocalStores()) {
- if (s.hasPermission(a, permission)) {
+ if (s.hasPermission2(a, permission)) {
 return true;
 }
 }
diff --git a/src/main/java/com/cloudbees/plugins/credentials/common/AbstractIdCredentialsListBoxModel.java b/src/main/java/com/cloudbees/plugins/credentials/common/AbstractIdCredentialsListBoxModel.java
index ce1a248cb..6c778672a 100644
--- a/src/main/java/com/cloudbees/plugins/credentials/common/AbstractIdCredentialsListBoxModel.java
+++ b/src/main/java/com/cloudbees/plugins/credentials/common/AbstractIdCredentialsListBoxModel.java
@@ -43,8 +43,8 @@
 import java.util.List;
 import java.util.Set;
 import jenkins.model.Jenkins;
-import org.acegisecurity.Authentication;
 import org.apache.commons.lang.StringUtils;
+import org.springframework.security.core.Authentication;
 /**
 * {@link ListBoxModel} with support for credentials.
@@ -290,7 +290,7 @@ public AbstractIdCredentialsListBoxModel withMatching(@NonNull Credentials
 * @param context the context to add credentials from.
 * @param type the base class of the credentials to add.
 * @return {@code this} for method chaining.
- * @see CredentialsProvider#listCredentials(Class, Item, Authentication, List, CredentialsMatcher)
+ * @see CredentialsProvider#listCredentialsInItem(Class, Item, Authentication, List, CredentialsMatcher)
 * @since 2.1.0
 */
 public AbstractIdCredentialsListBoxModel include(@Nullable Item context, @NonNull Class type) {
@@ -304,7 +304,7 @@ public AbstractIdCredentialsListBoxModel include(@Nullable Item context, @ * @param context the context to add credentials from. * @param type the base class of the credentials to add. * @return {@code this} for method chaining. - * @see CredentialsProvider#listCredentials(Class, ItemGroup, Authentication, List, CredentialsMatcher) + * @see CredentialsProvider#listCredentialsInItemGroup(Class, ItemGroup, Authentication, List, CredentialsMatcher) * @since 2.1.0 */ public AbstractIdCredentialsListBoxModel include(@NonNull ItemGroup context, @@ -312,6 +312,16 @@ public AbstractIdCredentialsListBoxModel include(@NonNull ItemGroup contex return include(context, type, Collections.emptyList()); } + /** + * @deprecated Use {@link #includeAs(Authentication, Item, Class)} instead. + */ + @Deprecated + public AbstractIdCredentialsListBoxModel includeAs(@NonNull org.acegisecurity.Authentication authentication, + @Nullable Item context, + @NonNull Class type) { + return includeAs(authentication, context, type, Collections.emptyList()); + } + /** * Adds the ids of the specified credential type that are available to the specified context as the specified * authentication. @@ -320,8 +330,8 @@ public AbstractIdCredentialsListBoxModel include(@NonNull ItemGroup contex * @param context the context to add credentials from. * @param type the base class of the credentials to add. * @return {@code this} for method chaining. - * @see CredentialsProvider#listCredentials(Class, Item, Authentication, List, CredentialsMatcher) - * @since 2.1.0 + * @see CredentialsProvider#listCredentialsInItem(Class, Item, Authentication, List, CredentialsMatcher) + * @since TODO */ public AbstractIdCredentialsListBoxModel includeAs(@NonNull Authentication authentication, @Nullable Item context, 
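Review bot: The deprecated `includeAs(org.acegisecurity.Authentication, Item, Class)` added here forwards the acegi object unchanged, so the call resolves to another deprecated overload and the conversion only happens several frames later in the deprecated `includeMatchingAs`. The deprecated overloads in the following hunks do the same, except the `ItemGroup`/`List` one, which calls `authentication.toSpring()` itself. I would convert once at each compatibility boundary, `return includeAs(authentication.toSpring(), context, type);`, so every legacy entry point is a one-line adapter and it is obvious which `Authentication` the listing runs as. The Javadoc could also say in one sentence that the overload exists only for callers still on the acegi type.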
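Review bot: The Javadoc on the Spring-typed `includeAs(Authentication, Item, Class)` now reads `@since TODO`, and the same placeholder is on the other new `includeAs` and `includeMatchingAs` overloads in the later hunks of this file. Plugin authors rely on this tag to pick their minimum dependency version, so it needs the real release number before the change ships. The method body continues outside the hunk, so only the comment is in scope here.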
@@ -329,6 +339,16 @@ public AbstractIdCredentialsListBoxModel includeAs(@NonNull Authentication return includeAs(authentication, context, type, Collections.emptyList()); } + /** + * @deprecated Use {@link #includeAs(Authentication, ItemGroup, Class)} instead. + */ + @Deprecated + public AbstractIdCredentialsListBoxModel includeAs(@NonNull org.acegisecurity.Authentication authentication, + @NonNull ItemGroup context, + @NonNull Class type) { + return includeAs(authentication, context, type, Collections.emptyList()); + } + /** * Adds the ids of the specified credential type that are available to the specified context as the specified * authentication. @@ -337,8 +357,8 @@ public AbstractIdCredentialsListBoxModel includeAs(@NonNull Authentication * @param context the context to add credentials from. * @param type the base class of the credentials to add. * @return {@code this} for method chaining. - * @see CredentialsProvider#listCredentials(Class, ItemGroup, Authentication, List, CredentialsMatcher) - * @since 2.1.0 + * @see CredentialsProvider#listCredentialsInItemGroup(Class, ItemGroup, Authentication, List, CredentialsMatcher) + * @since TODO */ public AbstractIdCredentialsListBoxModel includeAs(@NonNull Authentication authentication, @NonNull ItemGroup context, @@ -354,7 +374,7 @@ public AbstractIdCredentialsListBoxModel includeAs(@NonNull Authentication * @param type the base class of the credentials to add. * @param domainRequirements the domain requirements. * @return {@code this} for method chaining. - * @see CredentialsProvider#listCredentials(Class, Item, Authentication, List, CredentialsMatcher) + * @see CredentialsProvider#listCredentialsInItem(Class, Item, Authentication, List, CredentialsMatcher) * @since 2.1.0 */ public AbstractIdCredentialsListBoxModel include(@Nullable Item context, @NonNull Class type, 
@@ -370,7 +390,7 @@ public AbstractIdCredentialsListBoxModel include(@Nullable Item context, @ * @param type the base class of the credentials to add. * @param domainRequirements the domain requirements. * @return {@code this} for method chaining. - * @see CredentialsProvider#listCredentials(Class, ItemGroup, Authentication, List, CredentialsMatcher) + * @see CredentialsProvider#listCredentialsInItemGroup(Class, ItemGroup, Authentication, List, CredentialsMatcher) * @since 2.1.0 */ public AbstractIdCredentialsListBoxModel include(@NonNull ItemGroup context, @NonNull Class type, @@ -378,6 +398,17 @@ public AbstractIdCredentialsListBoxModel include(@NonNull ItemGroup contex return includeMatching(context, type, domainRequirements, CredentialsMatchers.always()); } + /** + * @deprecated Use {@link #includeAs(Authentication, Item, Class, List)} instead. + */ + @Deprecated + public AbstractIdCredentialsListBoxModel includeAs(@NonNull org.acegisecurity.Authentication authentication, + @Nullable Item context, + @NonNull Class type, + @NonNull List domainRequirements) { + return includeMatchingAs(authentication, context, type, domainRequirements, CredentialsMatchers.always()); + } + /** * Adds the ids of the specified credential type that are available to the specified context as the specified * authentication with the specified domain requirements. @@ -387,8 +418,8 @@ public AbstractIdCredentialsListBoxModel include(@NonNull ItemGroup contex * @param type the base class of the credentials to add. * @param domainRequirements the domain requirements. * @return {@code this} for method chaining. - * @see CredentialsProvider#listCredentials(Class, Item, Authentication, List, CredentialsMatcher) - * @since 2.1.0 + * @see CredentialsProvider#listCredentialsInItem(Class, Item, Authentication, List, CredentialsMatcher) + * @since TODO */ public AbstractIdCredentialsListBoxModel includeAs(@NonNull Authentication authentication, @Nullable Item context, 
@@ -397,6 +428,17 @@ public AbstractIdCredentialsListBoxModel includeAs(@NonNull Authentication return includeMatchingAs(authentication, context, type, domainRequirements, CredentialsMatchers.always()); } + /** + * @deprecated Use {@link #includeAs(Authentication, ItemGroup, Class, List)} instead. + */ + @Deprecated + public AbstractIdCredentialsListBoxModel includeAs(@NonNull org.acegisecurity.Authentication authentication, + @NonNull ItemGroup context, + @NonNull Class type, + @NonNull List domainRequirements) { + return includeMatchingAs(authentication.toSpring(), context, type, domainRequirements, CredentialsMatchers.always()); + } + /** * Adds the ids of the specified credential type that are available to the specified context as the specified * authentication with the specified domain requirements. @@ -406,8 +448,8 @@ public AbstractIdCredentialsListBoxModel includeAs(@NonNull Authentication * @param type the base class of the credentials to add. * @param domainRequirements the domain requirements. * @return {@code this} for method chaining. - * @see CredentialsProvider#listCredentials(Class, ItemGroup, Authentication, List, CredentialsMatcher) - * @since 2.1.0 + * @see CredentialsProvider#listCredentialsInItemGroup(Class, ItemGroup, Authentication, List, CredentialsMatcher) + * @since TODO */ public AbstractIdCredentialsListBoxModel includeAs(@NonNull Authentication authentication, @NonNull ItemGroup context, 
@@ -425,14 +467,14 @@ public AbstractIdCredentialsListBoxModel includeAs(@NonNull Authentication * @param domainRequirements the domain requirements. * @param matcher the filter to apply to the credentials. * @return {@code this} for method chaining. - * @see CredentialsProvider#listCredentials(Class, Item, Authentication, List, CredentialsMatcher) + * @see CredentialsProvider#listCredentialsInItem(Class, Item, Authentication, List, CredentialsMatcher) * @since 2.1.0 */ public AbstractIdCredentialsListBoxModel includeMatching(@Nullable Item context, @NonNull Class type, @NonNull List domainRequirements, @NonNull CredentialsMatcher matcher) { - return includeMatchingAs(Jenkins.getAuthentication(), context, type, domainRequirements, matcher); + return includeMatchingAs(Jenkins.getAuthentication2(), context, type, domainRequirements, matcher); } /** 
@@ -444,14 +486,27 @@ public AbstractIdCredentialsListBoxModel includeMatching(@Nullable Item co * @param domainRequirements the domain requirements. * @param matcher the filter to apply to the credentials. * @return {@code this} for method chaining. - * @see CredentialsProvider#listCredentials(Class, ItemGroup, Authentication, List, CredentialsMatcher) + * @see CredentialsProvider#listCredentialsInItemGroup(Class, ItemGroup, Authentication, List, CredentialsMatcher) * @since 2.1.0 */ public AbstractIdCredentialsListBoxModel includeMatching(@NonNull ItemGroup context, @NonNull Class type, @NonNull List domainRequirements, @NonNull CredentialsMatcher matcher) { - return includeMatchingAs(Jenkins.getAuthentication(), context, type, domainRequirements, matcher); + return includeMatchingAs(Jenkins.getAuthentication2(), context, type, domainRequirements, matcher); + } + + /** + * @deprecated Use {@link #includeMatchingAs(Authentication, Item, Class, List, CredentialsMatcher)} instead. + */ + @Deprecated + public AbstractIdCredentialsListBoxModel includeMatchingAs(@NonNull org.acegisecurity.Authentication authentication, + @Nullable Item context, + @NonNull Class type, + @NonNull + List domainRequirements, + @NonNull CredentialsMatcher matcher) { + return includeMatchingAs(authentication.toSpring(), context, type, domainRequirements, matcher); } /** @@ -464,8 +519,8 @@ public AbstractIdCredentialsListBoxModel includeMatching(@NonNull ItemGrou * @param domainRequirements the domain requirements. * @param matcher the filter to apply to the credentials. * @return {@code this} for method chaining. - * @see CredentialsProvider#listCredentials(Class, Item, Authentication, List, CredentialsMatcher) - * @since 2.1.0 + * @see CredentialsProvider#listCredentialsInItem(Class, Item, Authentication, List, CredentialsMatcher) + * @since TODO */ public AbstractIdCredentialsListBoxModel includeMatchingAs(@NonNull Authentication authentication, @Nullable Item context, 
@@ -473,10 +528,23 @@ public AbstractIdCredentialsListBoxModel includeMatchingAs(@NonNull Authen @NonNull List domainRequirements, @NonNull CredentialsMatcher matcher) { - addMissing(CredentialsProvider.listCredentials(type, context, authentication, domainRequirements, matcher)); + addMissing(CredentialsProvider.listCredentialsInItem(type, context, authentication, domainRequirements, matcher)); return this; } + /** + * @deprecated Use {@link #includeMatchingAs(Authentication, ItemGroup, Class, List, CredentialsMatcher)} instead. + */ + @Deprecated + public AbstractIdCredentialsListBoxModel includeMatchingAs(@NonNull org.acegisecurity.Authentication authentication, + @NonNull ItemGroup context, + @NonNull Class type, + @NonNull + List domainRequirements, + @NonNull CredentialsMatcher matcher) { + return includeMatchingAs(authentication.toSpring(), context, type, domainRequirements, matcher); + } + /** * Adds the ids of the specified credential type that are available to the specified context as the specified * authentication with the specified domain requirements and match the specified filter. @@ -487,8 +555,8 @@ public AbstractIdCredentialsListBoxModel includeMatchingAs(@NonNull Authen * @param domainRequirements the domain requirements. * @param matcher the filter to apply to the credentials. * @return {@code this} for method chaining. - * @see CredentialsProvider#listCredentials(Class, ItemGroup, Authentication, List, CredentialsMatcher) - * @since 2.1.0 + * @see CredentialsProvider#listCredentialsInItemGroup(Class, ItemGroup, Authentication, List, CredentialsMatcher) + * @since TODO */ public AbstractIdCredentialsListBoxModel includeMatchingAs(@NonNull Authentication authentication, @NonNull ItemGroup context, 
@@ -496,7 +564,7 @@ public AbstractIdCredentialsListBoxModel includeMatchingAs(@NonNull Authen @NonNull List domainRequirements, @NonNull CredentialsMatcher matcher) { - addMissing(CredentialsProvider.listCredentials(type, context, authentication, domainRequirements, matcher)); + addMissing(CredentialsProvider.listCredentialsInItemGroup(type, context, authentication, domainRequirements, matcher)); return this; } diff --git a/src/test/java/com/cloudbees/plugins/credentials/CredentialsProviderTest.java b/src/test/java/com/cloudbees/plugins/credentials/CredentialsProviderTest.java index 5cf30d5fd..9dffe0806 100644 --- a/src/test/java/com/cloudbees/plugins/credentials/CredentialsProviderTest.java +++ b/src/test/java/com/cloudbees/plugins/credentials/CredentialsProviderTest.java @@ -41,7 +41,6 @@ import hudson.security.ACL; import hudson.util.ListBoxModel; import jenkins.model.Jenkins; -import org.acegisecurity.Authentication; import org.junit.Rule; import org.junit.Test; import org.jvnet.hudson.test.Issue; @@ -80,7 +79,7 @@ public void testNoCredentialsUntilWeAddSome() throws Exception { assertFalse(CredentialsProvider.lookupCredentials(DummyCredentials.class, ACL.SYSTEM).isEmpty()); assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, Jenkins.ANONYMOUS).isEmpty()); assertFalse("null auth -> ACL.SYSTEM", - CredentialsProvider.lookupCredentials(DummyCredentials.class, (Authentication) null).isEmpty()); + CredentialsProvider.lookupCredentials(DummyCredentials.class, (org.acegisecurity.Authentication) null).isEmpty()); assertFalse(CredentialsProvider.lookupCredentials(DummyCredentials.class, Jenkins.get()).isEmpty()); assertFalse("null item -> Root", 
@@ -98,7 +97,7 @@ public void testNoCredentialsUntilWeAddSome() throws Exception { assertFalse(CredentialsProvider.lookupCredentials(DummyCredentials.class, ACL.SYSTEM).isEmpty()); assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, Jenkins.ANONYMOUS).isEmpty()); assertFalse("null auth -> ACL.SYSTEM", - CredentialsProvider.lookupCredentials(DummyCredentials.class, (Authentication) null).isEmpty()); + CredentialsProvider.lookupCredentials(DummyCredentials.class, (org.acegisecurity.Authentication) null).isEmpty()); assertFalse(CredentialsProvider.lookupCredentials(DummyCredentials.class, Jenkins.get()).isEmpty()); assertFalse("null item -> Root", 
@@ -112,6 +111,54 @@ public void testNoCredentialsUntilWeAddSome() throws Exception { "manchu"); } + + /** + * Same test as {@link #testNoCredentialsUntilWeAddSome()} but using new APIs. + */ + @Test + public void testNoCredentialsUntilWeAddSome2() throws Exception { + FreeStyleProject project = r.createFreeStyleProject(); + assertTrue(CredentialsProvider.lookupCredentialsInItem(Credentials.class, (Item) null, ACL.SYSTEM2).isEmpty()); + SystemCredentialsProvider.getInstance().getCredentials().add( + new DummyCredentials(CredentialsScope.SYSTEM, "foo", "bar")); + assertFalse(CredentialsProvider.lookupCredentialsInItem(Credentials.class, (Item) null, ACL.SYSTEM2).isEmpty()); + assertFalse(CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, (Item) null, ACL.SYSTEM2).isEmpty()); + + assertFalse(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, Jenkins.get(), ACL.SYSTEM2).isEmpty()); + assertTrue(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, Jenkins.get(), Jenkins.ANONYMOUS2).isEmpty()); + assertFalse("null auth -> ACL.SYSTEM", + CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, Jenkins.get(), null).isEmpty()); + + assertFalse(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, Jenkins.get(), ACL.SYSTEM2).isEmpty()); + assertFalse("null item -> Root", + CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, (Item) null, ACL.SYSTEM2).isEmpty()); + assertFalse("null item -> Root", + CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, (ItemGroup) null, ACL.SYSTEM2).isEmpty()); + assertTrue(CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, project, ACL.SYSTEM2).isEmpty()); + + SystemCredentialsProvider.getInstance().getCredentials().add( + new DummyCredentials(CredentialsScope.GLOBAL, "manchu", "bar")); + + assertFalse(CredentialsProvider.lookupCredentialsInItem(Credentials.class, (Item) null, 
ACL.SYSTEM2).isEmpty()); + assertFalse(CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, (Item) null, ACL.SYSTEM2).isEmpty()); + + assertFalse(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, Jenkins.get(), ACL.SYSTEM2).isEmpty()); + assertTrue(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, Jenkins.get(), Jenkins.ANONYMOUS2).isEmpty()); + assertFalse("null auth -> ACL.SYSTEM", + CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, Jenkins.get(), null).isEmpty()); + + assertFalse(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, Jenkins.get(), ACL.SYSTEM2).isEmpty()); + assertFalse("null item -> Root", + CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, (Item) null, ACL.SYSTEM2).isEmpty()); + assertFalse("null item -> Root", + CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, (ItemGroup) null, ACL.SYSTEM2).isEmpty()); + assertFalse(CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, project, ACL.SYSTEM2).isEmpty()); + assertEquals(CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, project, ACL.SYSTEM2).size(), 1); + assertEquals( + CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, project, ACL.SYSTEM2).iterator().next().getUsername(), + "manchu"); + + } @Test public void testNoCredentialsUntilWeAddSomeViaStore() throws Exception { 
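Review bot: `testNoCredentialsUntilWeAddSome2` checks the negative case for `Jenkins.ANONYMOUS2` only at the `ItemGroup` level; nothing asserts that an unprivileged authentication gets an empty list from `lookupCredentialsInItem` once the GLOBAL credential exists. Since scoping by authentication is the behaviour these new methods must preserve, I would add `assertTrue(CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, project, Jenkins.ANONYMOUS2).isEmpty());` after the second `add`, assuming anonymous is meant to see nothing there as it does for the root group. `testNoCredentialsUntilWeAddSomeViaStore2` has the same gap. The two closing `assertEquals` calls also pass actual before expected; `assertEquals(1, ….size())` gives the right failure message.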
@@ -125,7 +172,7 @@ public void testNoCredentialsUntilWeAddSomeViaStore() throws Exception { assertFalse(CredentialsProvider.lookupCredentials(DummyCredentials.class, ACL.SYSTEM).isEmpty()); assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, Jenkins.ANONYMOUS).isEmpty()); assertFalse("null auth -> ACL.SYSTEM", - CredentialsProvider.lookupCredentials(DummyCredentials.class, (Authentication) null).isEmpty()); + CredentialsProvider.lookupCredentials(DummyCredentials.class, (org.acegisecurity.Authentication) null).isEmpty()); assertFalse(CredentialsProvider.lookupCredentials(DummyCredentials.class, Jenkins.get()).isEmpty()); assertFalse("null item -> Root", @@ -142,7 +189,7 @@ public void testNoCredentialsUntilWeAddSomeViaStore() throws Exception { assertFalse(CredentialsProvider.lookupCredentials(DummyCredentials.class, ACL.SYSTEM).isEmpty()); assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, Jenkins.ANONYMOUS).isEmpty()); assertFalse("null auth -> ACL.SYSTEM", - CredentialsProvider.lookupCredentials(DummyCredentials.class, (Authentication) null).isEmpty()); + CredentialsProvider.lookupCredentials(DummyCredentials.class, (org.acegisecurity.Authentication) null).isEmpty()); assertFalse(CredentialsProvider.lookupCredentials(DummyCredentials.class, Jenkins.get()).isEmpty()); assertFalse("null item -> Root", 
@@ -157,6 +204,52 @@ public void testNoCredentialsUntilWeAddSomeViaStore() throws Exception { } + /** + * Same test as {@link #testNoCredentialsUntilWeAddSomeViaStore()} but using new APIs. + */ + @Test + public void testNoCredentialsUntilWeAddSomeViaStore2() throws Exception { + FreeStyleProject project = r.createFreeStyleProject(); + assertTrue(CredentialsProvider.lookupCredentialsInItem(Credentials.class, (Item) null, ACL.SYSTEM2).isEmpty()); + CredentialsStore store = CredentialsProvider.lookupStores(Jenkins.get()).iterator().next(); + store.addCredentials(Domain.global(), new DummyCredentials(CredentialsScope.SYSTEM, "foo", "bar")); + assertFalse(CredentialsProvider.lookupCredentialsInItem(Credentials.class, (Item) null, ACL.SYSTEM2).isEmpty()); + assertFalse(CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, (Item) null, ACL.SYSTEM2).isEmpty()); + + assertFalse(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, Jenkins.get(), ACL.SYSTEM2).isEmpty()); + assertTrue(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, Jenkins.get(), Jenkins.ANONYMOUS2).isEmpty()); + assertFalse("null auth -> ACL.SYSTEM", + CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, Jenkins.get(), null).isEmpty()); + + assertFalse(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, Jenkins.get(), ACL.SYSTEM2).isEmpty()); + assertFalse("null item -> Root", + CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, (Item) null, ACL.SYSTEM2).isEmpty()); + assertFalse("null item -> Root", + CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, (ItemGroup) null, ACL.SYSTEM2).isEmpty()); + assertTrue(CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, project, ACL.SYSTEM2).isEmpty()); + + store.addCredentials(Domain.global(), new DummyCredentials(CredentialsScope.GLOBAL, "manchu", "bar")); + + 
assertFalse(CredentialsProvider.lookupCredentialsInItem(Credentials.class, (Item) null, ACL.SYSTEM2).isEmpty()); + assertFalse(CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, (Item) null, ACL.SYSTEM2).isEmpty()); + + assertFalse(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, Jenkins.get(), ACL.SYSTEM2).isEmpty()); + assertTrue(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, Jenkins.get(), Jenkins.ANONYMOUS2).isEmpty()); + assertFalse("null auth -> ACL.SYSTEM", + CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, Jenkins.get(), null).isEmpty()); + + assertFalse(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, Jenkins.get(), ACL.SYSTEM2).isEmpty()); + assertFalse("null item -> Root", + CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, (Item) null, ACL.SYSTEM2).isEmpty()); + assertFalse("null item -> Root", + CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, (ItemGroup) null, ACL.SYSTEM2).isEmpty()); + assertFalse(CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, project, ACL.SYSTEM2).isEmpty()); + assertEquals(CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, project, ACL.SYSTEM2).size(), 1); + assertEquals( + CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, project, ACL.SYSTEM2).iterator().next().getUsername(), + "manchu"); + } + @Test public void testManageUserCredentials() throws IOException { final User alice = User.getById("alice", true); 
@@ -171,22 +264,22 @@ public void testManageUserCredentials() throws IOException { userStore.addCredentials(Domain.global(), aliceCred1); userStore.addCredentials(Domain.global(), aliceCred2); - assertEquals(2, CredentialsProvider.lookupCredentials(DummyCredentials.class, (Item) null, alice.impersonate(), Collections.emptyList()).size()); - assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, Collections.emptyList()).isEmpty()); - assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, Jenkins.ANONYMOUS, Collections.emptyList()).isEmpty()); + assertEquals(2, CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, (Item) null, alice.impersonate2(), Collections.emptyList()).size()); + assertTrue(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, ACL.SYSTEM2, Collections.emptyList()).isEmpty()); + assertTrue(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, Jenkins.ANONYMOUS2, Collections.emptyList()).isEmpty()); // Remove credentials userStore.removeCredentials(Domain.global(), aliceCred2); - assertEquals(1, CredentialsProvider.lookupCredentials(DummyCredentials.class, (Item) null, alice.impersonate(), Collections.emptyList()).size()); - assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, Collections.emptyList()).isEmpty()); - assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, Jenkins.ANONYMOUS, Collections.emptyList()).isEmpty()); + assertEquals(1, CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, (Item) null, alice.impersonate2(), Collections.emptyList()).size()); + assertTrue(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, ACL.SYSTEM2, Collections.emptyList()).isEmpty()); + assertTrue(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, Jenkins.ANONYMOUS2, 
Collections.emptyList()).isEmpty()); // Update credentials userStore.updateCredentials(Domain.global(), aliceCred1, aliceCred3); - assertEquals(1, CredentialsProvider.lookupCredentials(DummyCredentials.class, (Item) null, alice.impersonate(), Collections.emptyList()).size()); - assertEquals(aliceCred3.getUsername(), CredentialsProvider.lookupCredentials(DummyCredentials.class, (Item) null, alice.impersonate(), Collections.emptyList()).get(0).getUsername()); + assertEquals(1, CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, (Item) null, alice.impersonate2(), Collections.emptyList()).size()); + assertEquals(aliceCred3.getUsername(), CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, (Item) null, alice.impersonate2(), Collections.emptyList()).get(0).getUsername()); } } 
@@ -205,22 +298,22 @@ public void testUpdateAndDeleteCredentials() throws IOException { store.addCredentials(Domain.global(), systemCred2); store.addCredentials(Domain.global(), globalCred); - assertEquals(3, CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, Collections.emptyList()).size()); - assertEquals(1, CredentialsProvider.lookupCredentials(DummyCredentials.class, project, ACL.SYSTEM, Collections.emptyList()).size()); - assertEquals(globalCred.getUsername(), CredentialsProvider.lookupCredentials(DummyCredentials.class, project, ACL.SYSTEM, Collections.emptyList()).get(0).getUsername()); + assertEquals(3, CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, ACL.SYSTEM2, Collections.emptyList()).size()); + assertEquals(1, CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, project, ACL.SYSTEM2, Collections.emptyList()).size()); + assertEquals(globalCred.getUsername(), CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, project, ACL.SYSTEM2, Collections.emptyList()).get(0).getUsername()); // Update credentials store.updateCredentials(Domain.global(), globalCred, modCredential); - assertEquals(3, CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, Collections.emptyList()).size()); - assertEquals(1, CredentialsProvider.lookupCredentials(DummyCredentials.class, project, ACL.SYSTEM, Collections.emptyList()).size()); - assertEquals(modCredential.getUsername(), CredentialsProvider.lookupCredentials(DummyCredentials.class, project, ACL.SYSTEM, Collections.emptyList()).get(0).getUsername()); + assertEquals(3, CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, ACL.SYSTEM2, Collections.emptyList()).size()); + assertEquals(1, CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, project, ACL.SYSTEM2, Collections.emptyList()).size()); + assertEquals(modCredential.getUsername(), 
CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, project, ACL.SYSTEM2, Collections.emptyList()).get(0).getUsername()); // Remove credentials store.removeCredentials(Domain.global(), systemCred2); - assertEquals(2, CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, Collections.emptyList()).size()); - assertEquals(1, CredentialsProvider.lookupCredentials(DummyCredentials.class, project, ACL.SYSTEM, Collections.emptyList()).size()); + assertEquals(2, CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, ACL.SYSTEM2, Collections.emptyList()).size()); + assertEquals(1, CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, project, ACL.SYSTEM2, Collections.emptyList()).size()); } @Test @@ -342,10 +435,10 @@ public void trackingOfFingerprintDependsOnConfiguration() throws Exception { @Test @Issue("JENKINS-65333") public void insertionOrderLookupCredentials() { - assertThat(CredentialsProvider.lookupCredentials(Credentials.class, (Item) null, ACL.SYSTEM, Collections.emptyList()), hasSize(0)); + assertThat(CredentialsProvider.lookupCredentialsInItem(Credentials.class, (Item) null, ACL.SYSTEM2, Collections.emptyList()), hasSize(0)); SystemCredentialsProvider.getInstance().getCredentials().add(new DummyIdCredentials("1", CredentialsScope.SYSTEM, "beta", "bar", "description 1")); SystemCredentialsProvider.getInstance().getCredentials().add(new DummyIdCredentials("2", CredentialsScope.SYSTEM, "alpha", "bar", "description 2")); - List credentials = CredentialsProvider.lookupCredentials(DummyIdCredentials.class, (Item) null, ACL.SYSTEM, Collections.emptyList()); + List credentials = CredentialsProvider.lookupCredentialsInItem(DummyIdCredentials.class, (Item) null, ACL.SYSTEM2, Collections.emptyList()); assertThat(credentials, hasSize(2)); // Insertion order assertThat(credentials.get(0).getUsername(), is("beta")); 
@@ -355,10 +448,10 @@ public void insertionOrderLookupCredentials() { @Test @Issue("JENKINS-65333") public void credentialsSortedByNameInUI() { - assertThat(CredentialsProvider.lookupCredentials(Credentials.class, (Item) null, ACL.SYSTEM, Collections.emptyList()), hasSize(0)); + assertThat(CredentialsProvider.lookupCredentialsInItem(Credentials.class, (Item) null, ACL.SYSTEM2, Collections.emptyList()), hasSize(0)); SystemCredentialsProvider.getInstance().getCredentials().add(new DummyIdCredentials("1", CredentialsScope.SYSTEM, "beta", "bar", "description 1")); SystemCredentialsProvider.getInstance().getCredentials().add(new DummyIdCredentials("2", CredentialsScope.SYSTEM, "alpha", "bar", "description 2")); - ListBoxModel options = CredentialsProvider.listCredentials(DummyIdCredentials.class, (Item) null, ACL.SYSTEM, Collections.emptyList(), CredentialsMatchers.always()); + ListBoxModel options = CredentialsProvider.listCredentialsInItem(DummyIdCredentials.class, (Item) null, ACL.SYSTEM2, Collections.emptyList(), CredentialsMatchers.always()); // Options are sorted by name assertThat(options, hasSize(2)); assertThat(options.get(0).value, is("2")); diff --git a/src/test/java/com/cloudbees/plugins/credentials/CredentialsUnavailableExceptionTest.java b/src/test/java/com/cloudbees/plugins/credentials/CredentialsUnavailableExceptionTest.java index dfc40ee58..8976dea46 100644 --- a/src/test/java/com/cloudbees/plugins/credentials/CredentialsUnavailableExceptionTest.java +++ b/src/test/java/com/cloudbees/plugins/credentials/CredentialsUnavailableExceptionTest.java 
@@ -244,8 +244,8 @@ public PollingResult compareRemoteRevisionWith(@NonNull Job project, @Null @NonNull SCMRevisionState baseline) throws IOException { StandardUsernamePasswordCredentials credentials = CredentialsMatchers.firstOrNull( - CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class, project, - CredentialsProvider.getDefaultAuthenticationOf(project), + CredentialsProvider.lookupCredentialsInItem(StandardUsernamePasswordCredentials.class, project, + CredentialsProvider.getDefaultAuthenticationOf2(project), Collections.emptyList()), CredentialsMatchers.withId(id)); if (credentials == null) { throw new IOException(String.format("Could not find credentials with id '%s'", id)); diff --git a/src/test/java/com/cloudbees/plugins/credentials/MockFolderCredentialsProvider.java b/src/test/java/com/cloudbees/plugins/credentials/MockFolderCredentialsProvider.java index 16fd54a90..07b13ea22 100644 --- a/src/test/java/com/cloudbees/plugins/credentials/MockFolderCredentialsProvider.java +++ b/src/test/java/com/cloudbees/plugins/credentials/MockFolderCredentialsProvider.java @@ -35,7 +35,7 @@ import hudson.model.ItemGroup; import hudson.model.ModelObject; import hudson.security.ACL; -import hudson.security.AccessDeniedException2; +import hudson.security.AccessDeniedException3; import hudson.security.Permission; import hudson.util.CopyOnWriteMap; import java.io.IOException; @@ -45,9 +45,8 @@ import java.util.Map; import java.util.Set; import jenkins.model.Jenkins; -import org.acegisecurity.Authentication; -import org.acegisecurity.context.SecurityContextHolder; import org.jvnet.hudson.test.MockFolder; +import org.springframework.security.core.Authentication; /** * Analogue of {@code FolderCredentialsProvider} for {@link MockFolder}. 
@@ -77,21 +76,14 @@ public Set getScopes(ModelObject object) { @NonNull @Override - public List getCredentials(@NonNull Class type, @Nullable ItemGroup itemGroup, - @Nullable Authentication authentication) { - return getCredentials(type, itemGroup, authentication, Collections.emptyList()); - } - - @NonNull - @Override - public List getCredentials(@NonNull Class type, @Nullable ItemGroup itemGroup, - @Nullable Authentication authentication, - @NonNull List domainRequirements) { + public List getCredentialsInItemGroup(@NonNull Class type, @Nullable ItemGroup itemGroup, + @Nullable Authentication authentication, + @NonNull List domainRequirements) { if (authentication == null) { - authentication = ACL.SYSTEM; + authentication = ACL.SYSTEM2; } List result = new ArrayList<>(); - if (ACL.SYSTEM.equals(authentication)) { + if (ACL.SYSTEM2.equals(authentication)) { while (itemGroup != null) { if (itemGroup instanceof MockFolder) { final MockFolder folder = (MockFolder) itemGroup; @@ -204,7 +196,7 @@ public synchronized CredentialsStore getStore() { */ private void checkPermission(Permission p) { if (!store.hasPermission(p)) { - throw new AccessDeniedException2(Jenkins.getAuthentication(), p); + throw new AccessDeniedException3(Jenkins.getAuthentication2(), p); } } @@ -217,12 +209,8 @@ private void checkPermission(Permission p) { */ private void checkedSave(Permission p) throws IOException { checkPermission(p); - Authentication old = SecurityContextHolder.getContext().getAuthentication(); - SecurityContextHolder.getContext().setAuthentication(ACL.SYSTEM); - try { + try (var ignored = ACL.as2(ACL.SYSTEM2)) { owner.save(); - } finally { - SecurityContextHolder.getContext().setAuthentication(old); } } 
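Review bot: checkedSave now runs `owner.save()` inside `ACL.as2(ACL.SYSTEM2)` with no comment on why the save needs SYSTEM, or on the ordering it depends on: `checkPermission(p)` has to run under the caller's identity before the impersonation starts. A short why-comment above the `try` would keep a later refactor from moving the check inside the elevated block, e.g. `// permission already checked as the caller; impersonate SYSTEM only for the save itself`. The method's Javadoc lies outside the hunk, so it may already cover part of this.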
@@ -365,8 +353,8 @@ public ModelObject getContext() { } @Override - public boolean hasPermission(@NonNull Authentication a, @NonNull Permission permission) { - return owner.getACL().hasPermission(a, permission); + public boolean hasPermission2(@NonNull Authentication a, @NonNull Permission permission) { + return owner.getACL().hasPermission2(a, permission); } /** diff --git a/src/test/java/com/cloudbees/plugins/credentials/casc/CredentialsProviderTest.java b/src/test/java/com/cloudbees/plugins/credentials/casc/CredentialsProviderTest.java index 6aad51c3b..04accc741 100644 --- a/src/test/java/com/cloudbees/plugins/credentials/casc/CredentialsProviderTest.java +++ b/src/test/java/com/cloudbees/plugins/credentials/casc/CredentialsProviderTest.java @@ -4,6 +4,7 @@ import com.cloudbees.plugins.credentials.CredentialsProvider; import com.cloudbees.plugins.credentials.CredentialsScope; import com.cloudbees.plugins.credentials.common.UsernamePasswordCredentials; +import com.cloudbees.plugins.credentials.domains.DomainRequirement; import com.cloudbees.plugins.credentials.domains.HostnameRequirement; import com.cloudbees.plugins.credentials.impl.DummyCredentials; import edu.umd.cs.findbugs.annotations.NonNull; @@ -19,7 +20,6 @@ import io.jenkins.plugins.casc.misc.JenkinsConfiguredWithCodeRule; import io.jenkins.plugins.casc.model.CNode; import io.jenkins.plugins.casc.model.Mapping; -import org.acegisecurity.Authentication; import org.jenkinsci.Symbol; import org.junit.Rule; import org.junit.Test; @@ -30,6 +30,7 @@ import java.util.Collections; import java.util.List; import java.util.Set; +import org.springframework.security.core.Authentication; import static org.hamcrest.MatcherAssert.assertThat; import static org.hamcrest.Matchers.equalTo; 
@@ -45,16 +46,16 @@ public class CredentialsProviderTest { @Test @ConfiguredWithCode("CredentialsProviderExtension.yaml") public void import_credentials_provider_extension_credentials() { - List dummyCred = CredentialsProvider.lookupCredentials( - DummyCredentials.class, j.jenkins, ACL.SYSTEM, + List dummyCred = CredentialsProvider.lookupCredentialsInItemGroup( + DummyCredentials.class, j.jenkins, ACL.SYSTEM2, Collections.emptyList() ); assertThat(dummyCred, hasSize(1)); assertThat(dummyCred.get(0).getUsername(), equalTo("user1")); // the system provider works fine too - List ups = CredentialsProvider.lookupCredentials( - UsernamePasswordCredentials.class, j.jenkins, ACL.SYSTEM, + List ups = CredentialsProvider.lookupCredentialsInItemGroup( + UsernamePasswordCredentials.class, j.jenkins, ACL.SYSTEM2, Collections.singletonList(new HostnameRequirement("api.test.com")) ); assertThat(ups, hasSize(1)); @@ -84,7 +85,7 @@ public TestCredentialsProvider() { @NonNull @Override - public List getCredentials(@NonNull Class type, @Nullable ItemGroup itemGroup, @Nullable Authentication authentication) { + public List getCredentialsInItemGroup(@NonNull Class type, @Nullable ItemGroup itemGroup, @Nullable Authentication authentication, @Nullable List domainRequirements) { if (!type.equals(DummyCredentials.class)) { return Collections.emptyList(); } diff --git a/src/test/java/com/cloudbees/plugins/credentials/casc/SystemCredentialsTest.java b/src/test/java/com/cloudbees/plugins/credentials/casc/SystemCredentialsTest.java index 4b39f05a0..3beee24b5 100644 --- a/src/test/java/com/cloudbees/plugins/credentials/casc/SystemCredentialsTest.java +++ b/src/test/java/com/cloudbees/plugins/credentials/casc/SystemCredentialsTest.java 
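Review bot: The new `domainRequirements` parameter on TestCredentialsProvider.getCredentialsInItemGroup is annotated `@Nullable`, while the MockFolderCredentialsProvider override of the same method in this commit declares it `@NonNull`. Unless the base method really accepts null, the two overrides should agree, e.g. `@NonNull List<DomainRequirement> domainRequirements` (generic type inferred from the DomainRequirement import this commit adds). The method body continues outside the hunk, so it is not visible whether the argument is used at all. If it is deliberately ignored, a comment saying that this test provider returns its credentials regardless of domain would help.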
@@ -58,8 +58,8 @@ public class SystemCredentialsTest { @Test public void import_system_credentials() { - List ups = CredentialsProvider.lookupCredentials( - UsernamePasswordCredentials.class, j.jenkins, ACL.SYSTEM, + List ups = CredentialsProvider.lookupCredentialsInItemGroup( + UsernamePasswordCredentials.class, j.jenkins, ACL.SYSTEM2, Collections.singletonList(new HostnameRequirement("api.test.com")) ); assertThat(ups, hasSize(1)); diff --git a/src/test/java/com/cloudbees/plugins/credentials/domains/DomainRestrictedCredentialsTest.java b/src/test/java/com/cloudbees/plugins/credentials/domains/DomainRestrictedCredentialsTest.java index 2a16c83da..b02ee809d 100644 --- a/src/test/java/com/cloudbees/plugins/credentials/domains/DomainRestrictedCredentialsTest.java +++ b/src/test/java/com/cloudbees/plugins/credentials/domains/DomainRestrictedCredentialsTest.java @@ -71,8 +71,8 @@ public void testGetRestrictedCredentials() { .add(falseCredentials); Collection matchingCredentials = - CredentialsProvider.lookupCredentials(Credentials.class, - Jenkins.get(), ACL.SYSTEM); + CredentialsProvider.lookupCredentialsInItemGroup(Credentials.class, + Jenkins.get(), ACL.SYSTEM2); assertThat(matchingCredentials, hasItems(trueCredentials)); assertThat(matchingCredentials, not(hasItems(falseCredentials))); diff --git a/src/test/java/com/cloudbees/plugins/credentials/domains/DomainTest.java b/src/test/java/com/cloudbees/plugins/credentials/domains/DomainTest.java index 4c521c5e5..d9d571646 100644 --- a/src/test/java/com/cloudbees/plugins/credentials/domains/DomainTest.java +++ b/src/test/java/com/cloudbees/plugins/credentials/domains/DomainTest.java 
@@ -96,32 +96,32 @@ public void testCredentialsInCustomDomains() throws IOException { List reqFoo = Arrays.asList(new DomainRequirement[] { new HostnameRequirement("foo.com") }); List reqBar = Arrays.asList(new DomainRequirement[] { new HostnameRequirement("bar.com") }); - assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqFoo).isEmpty()); - assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqBar).isEmpty()); + assertTrue(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, ACL.SYSTEM2, reqFoo).isEmpty()); + assertTrue(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, ACL.SYSTEM2, reqBar).isEmpty()); // Add credentials to domains store.addCredentials(domainFoo, systemCred); store.addCredentials(domainBar, systemCred1); // Search credentials with specific domain restrictions - assertEquals(1, CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqFoo).size()); - assertEquals(systemCred.getUsername(), CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqFoo).get(0).getUsername()); - assertEquals(1, CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqBar).size()); - assertEquals(systemCred1.getUsername(), CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqBar).get(0).getUsername()); + assertEquals(1, CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, ACL.SYSTEM2, reqFoo).size()); + assertEquals(systemCred.getUsername(), CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, ACL.SYSTEM2, reqFoo).get(0).getUsername()); + assertEquals(1, CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, ACL.SYSTEM2, reqBar).size()); + assertEquals(systemCred1.getUsername(), 
CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, ACL.SYSTEM2, reqBar).get(0).getUsername()); // Update credential from domain store.updateCredentials(domainFoo, systemCred, systemCredMod); - assertEquals(1, CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqFoo).size()); - assertEquals(systemCredMod.getUsername(), CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqFoo).get(0).getUsername()); - assertEquals(1, CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqBar).size()); - assertEquals(systemCred1.getUsername(), CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqBar).get(0).getUsername()); + assertEquals(1, CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, ACL.SYSTEM2, reqFoo).size()); + assertEquals(systemCredMod.getUsername(), CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, ACL.SYSTEM2, reqFoo).get(0).getUsername()); + assertEquals(1, CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, ACL.SYSTEM2, reqBar).size()); + assertEquals(systemCred1.getUsername(), CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, ACL.SYSTEM2, reqBar).get(0).getUsername()); // Remove credential from domain store.removeCredentials(domainFoo, systemCredMod); - assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqFoo).isEmpty()); - assertEquals(1, CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqBar).size()); - assertEquals(systemCred1.getUsername(), CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqBar).get(0).getUsername()); + assertTrue(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, ACL.SYSTEM2, reqFoo).isEmpty()); + 
assertEquals(1, CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, ACL.SYSTEM2, reqBar).size()); + assertEquals(systemCred1.getUsername(), CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, ACL.SYSTEM2, reqBar).get(0).getUsername()); } } diff --git a/src/test/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImplTest.java b/src/test/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImplTest.java index eeeaa2277..246228d64 100644 --- a/src/test/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImplTest.java +++ b/src/test/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImplTest.java @@ -340,12 +340,12 @@ public void fullSubmitOfUploadedKeystore() throws Exception { newCredentialsForm.getInputsByName("_.password").forEach(input -> input.setValue(VALID_PASSWORD)); htmlPage.getDocumentElement().querySelector("input[type=file][name=uploadedCertFile]"); - List certificateCredentials = CredentialsProvider.lookupCredentials(CertificateCredentials.class, (ItemGroup) null, ACL.SYSTEM); + List certificateCredentials = CredentialsProvider.lookupCredentialsInItemGroup(CertificateCredentials.class, (ItemGroup) null, ACL.SYSTEM2); assertThat(certificateCredentials, hasSize(0)); r.submit(newCredentialsForm); - certificateCredentials = CredentialsProvider.lookupCredentials(CertificateCredentials.class, (ItemGroup) null, ACL.SYSTEM); + certificateCredentials = CredentialsProvider.lookupCredentialsInItemGroup(CertificateCredentials.class, (ItemGroup) null, ACL.SYSTEM2); assertThat(certificateCredentials, hasSize(1)); CertificateCredentials certificate = certificateCredentials.get(0);