Class RoleBasedAuthorizationStrategy

java.lang.Object
hudson.model.AbstractDescribableImpl<AuthorizationStrategy>
hudson.security.AuthorizationStrategy
com.michelin.cio.hudson.plugins.rolestrategy.RoleBasedAuthorizationStrategy
All Implemented Interfaces:
ExtensionPoint, Describable<AuthorizationStrategy>

public class RoleBasedAuthorizationStrategy extends AuthorizationStrategy
Role-based authorization strategy.
Author:
Thomas Maurel
  • Field Details

  • Constructor Details

    • RoleBasedAuthorizationStrategy

      public RoleBasedAuthorizationStrategy()
      Create new RoleBasedAuthorizationStrategy.
    • RoleBasedAuthorizationStrategy

      public RoleBasedAuthorizationStrategy(Map<String,RoleMap> grantedRoles)
      Parameters:
      grantedRoles - the roles in the strategy
    • RoleBasedAuthorizationStrategy

      public RoleBasedAuthorizationStrategy(Map<String,RoleMap> grantedRoles, @CheckForNull Set<PermissionTemplate> permissionTemplates)
      Parameters:
      grantedRoles - the roles in the strategy
      permissionTemplates - the permission templates in the strategy
  • Method Details

    • getRootACL

      @NonNull public SidACL getRootACL()
      Get the root ACL.
      Specified by:
      getRootACL in class AuthorizationStrategy
      Returns:
      The global ACL
    • getRoleMap

      @NonNull @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public RoleMap getRoleMap(RoleType roleType)
      Get the RoleMap corresponding to the RoleType.
      Parameters:
      roleType - the type of the role
      Returns:
      the RoleMap corresponding to the roleType
      Throws:
      IllegalArgumentException - for an invalid roleType
    • getACL

      @NonNull public ACL getACL(@NonNull Job<?,?> project)
      Get the specific ACL for projects.
      Overrides:
      getACL in class AuthorizationStrategy
      Parameters:
      project - The access-controlled project
      Returns:
      The project specific ACL
    • getACL

      @NonNull public ACL getACL(@NonNull AbstractItem project)
      Overrides:
      getACL in class AuthorizationStrategy
    • getACL

      @NonNull public ACL getACL(@NonNull Computer computer)
      Overrides:
      getACL in class AuthorizationStrategy
    • getACL

      @NonNull public ACL getACL(@NonNull Node node)
      Overrides:
      getACL in class AuthorizationStrategy
    • getGroups

      @NonNull public Collection<String> getGroups()
      Used by the container realm.
      Specified by:
      getGroups in class AuthorizationStrategy
      Returns:
      All the sids referenced by the strategy
    • getGrantedRoles

      @Nullable @Deprecated public SortedMap<Role,Set<String>> getGrantedRoles(String type)
      Get the roles from the global RoleMap.

      The returned sorted map is unmodifiable.

      Parameters:
      type - The object type controlled by the RoleMap
      Returns:
      All roles from the global RoleMap.
    • getGrantedRoles

      @Deprecated public SortedMap<Role,Set<String>> getGrantedRoles(@NonNull RoleType type)
      Get the Roles and the sids assigned to them for the given RoleType.
      Parameters:
      type - the type of the role
      Returns:
      roles mapped to the set of user sids assigned to that role
      Since:
      2.12
    • getPermissionTemplates

      public Set<PermissionTemplate> getPermissionTemplates()
      Get the permission templates.
      Returns:
      set of permission templates.
    • getPermissionTemplate

      @CheckForNull public PermissionTemplate getPermissionTemplate(String templateName)
    • hasPermissionTemplate

      public boolean hasPermissionTemplate(String name)
    • getGrantedRolesEntries

      public SortedMap<Role,Set<PermissionEntry>> getGrantedRolesEntries(@NonNull String type)
      Get the Roles and the sids assigned to them for the given RoleType.
      Parameters:
      type - the type of the role
      Returns:
      roles mapped to the set of user sids assigned to that role
    • getGrantedRolesEntries

      public SortedMap<Role,Set<PermissionEntry>> getGrantedRolesEntries(@NonNull RoleType type)
      Get the Roles and the sids assigned to them for the given RoleType.
      Parameters:
      type - the type of the role
      Returns:
      roles mapped to the set of user sids assigned to that role
    • getSidEntries

      public Set<PermissionEntry> getSidEntries(String type)
      Get all the SIDs referenced by specified RoleMap type.
      Parameters:
      type - The object type controlled by the RoleMap
      Returns:
      All SIDs from the specified RoleMap.
    • getSIDs

      @Deprecated @CheckForNull public Set<String> getSIDs(String type)
      Deprecated.
      Get all the SIDs referenced by specified RoleMap type.
      Parameters:
      type - The object type controlled by the RoleMap
      Returns:
      All SIDs from the specified RoleMap.
    • doAddTemplate

      @POST @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doAddTemplate(@QueryParameter(required=true) String name, @QueryParameter(required=true) String permissionIds, @QueryParameter(required=false) boolean overwrite) throws IOException
      API method to add a permission template. An existing template with the same name will only be replaced when overwrite is set. Otherwise, the request will fail with status 400.
      Parameters:
      name - The template name
      permissionIds - Comma separated list of permission IDs
      overwrite - If an existing template should be overwritten
      Throws:
      IOException
    • doRemoveTemplates

      @POST @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doRemoveTemplates(@QueryParameter(required=true) String names, @QueryParameter(required=false) boolean force) throws IOException
      API method to remove templates.

      Example: curl -X POST localhost:8080/role-strategy/strategy/removeTemplates --data "names=developer,qualits"

      Parameters:
      names - comma separated list of templates to remove
      force - If templates that are in use should be removed
      Throws:
      IOException - in case saving changes fails
    • doAddRole

      @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doAddRole(@QueryParameter(required=true) String type, @QueryParameter(required=true) String roleName, @QueryParameter(required=true) String permissionIds, @QueryParameter(required=true) String overwrite, @QueryParameter(required=false) String pattern, @QueryParameter(required=false) String template) throws IOException
      API method to add a role.

      Unknown and dangerous permissions are ignored. When specifying a template for an item role, the given permissions are ignored. The named template must exist, otherwise the request fails with status 400. The template is ignored when adding global or agent roles.

      Example: curl -X POST localhost:8080/role-strategy/strategy/addRole --data "type=globalRoles&roleName=ADM&permissionIds=hudson.model.Item.Discover,hudson.model.Item.ExtendedRead&overwrite=true"

      Parameters:
      type - (globalRoles, projectRoles, slaveRoles)
      roleName - Name of role
      permissionIds - Comma separated list of IDs for given roleName
      overwrite - Overwrite existing role
      pattern - Role pattern
      template - Name of template
      Throws:
      IOException - In case saving changes fails
      Since:
      2.5.0
    • doRemoveRoles

      @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doRemoveRoles(@QueryParameter(required=true) String type, @QueryParameter(required=true) String roleNames) throws IOException
      API method to remove roles.

      Example: curl -X POST localhost:8080/role-strategy/strategy/removeRoles --data "type=globalRoles&roleNames=ADM,DEV"

      Parameters:
      type - (globalRoles, projectRoles, slaveRoles)
      roleNames - comma separated list of roles to remove from type
      Throws:
      IOException - in case saving changes fails
      Since:
      2.5.0
    • doAssignRole

      @Deprecated @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doAssignRole(@QueryParameter(required=true) String type, @QueryParameter(required=true) String roleName, @QueryParameter(required=true) String sid) throws IOException
      API method to assign a SID of type EITHER to role. This method should no longer be used.

      Example: curl -X POST localhost:8080/role-strategy/strategy/assignRole --data "type=globalRoles&roleName=ADM&sid=username"

      Parameters:
      type - (globalRoles, projectRoles, slaveRoles)
      roleName - name of role (single, no list)
      sid - user ID (single, no list)
      Throws:
      IOException - in case saving changes fails
      Since:
      2.5.0
    • doAssignUserRole

      @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doAssignUserRole(@QueryParameter(required=true) String type, @QueryParameter(required=true) String roleName, @QueryParameter(required=true) String user) throws IOException
      API method to assign a User to role.

      Example: curl -X POST localhost:8080/role-strategy/strategy/assignUserRole --data "type=globalRoles&roleName=ADM&user=username"

      Parameters:
      type - (globalRoles, projectRoles, slaveRoles)
      roleName - name of role (single, no list)
      user - user ID (single, no list)
      Throws:
      IOException - in case saving changes fails
      Since:
      TODO
    • doAssignGroupRole

      @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doAssignGroupRole(@QueryParameter(required=true) String type, @QueryParameter(required=true) String roleName, @QueryParameter(required=true) String group) throws IOException
      API method to assign a Group to role.

      Example: curl -X POST localhost:8080/role-strategy/strategy/assignGroupRole --data "type=globalRoles&roleName=ADM&group=groupname"

      Parameters:
      type - (globalRoles, projectRoles, slaveRoles)
      roleName - name of role (single, no list)
      group - group ID (single, no list)
      Throws:
      IOException - in case saving changes fails
      Since:
      TODO
    • doDeleteSid

      @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doDeleteSid(@QueryParameter(required=true) String type, @QueryParameter(required=true) String sid) throws IOException
      API method to delete a SID from all granted roles. Only SIDS of type EITHER with the given name will be deleted.

      Example: curl -X POST localhost:8080/role-strategy/strategy/deleteSid --data "type=globalRoles&sid=username"

      Parameters:
      type - (globalRoles, projectRoles, slaveRoles)
      sid - user/group ID to remove
      Throws:
      IOException - in case saving changes fails
      Since:
      2.4.1
    • doDeleteUser

      @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doDeleteUser(@QueryParameter(required=true) String type, @QueryParameter(required=true) String user) throws IOException
      API method to delete a user from all granted roles.

      Example: curl -X POST localhost:8080/role-strategy/strategy/deleteUser --data "type=globalRoles&user=username"

      Parameters:
      type - (globalRoles, projectRoles, slaveRoles)
      user - user ID to remove
      Throws:
      IOException - in case saving changes fails
      Since:
      2.4.1
    • doDeleteGroup

      @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doDeleteGroup(@QueryParameter(required=true) String type, @QueryParameter(required=true) String group) throws IOException
      API method to delete a group from all granted roles.

      Example: curl -X POST localhost:8080/role-strategy/strategy/deleteGroup --data "type=globalRoles&group=groupname"

      Parameters:
      type - (globalRoles, projectRoles, slaveRoles)
      group - group ID to remove
      Throws:
      IOException - in case saving changes fails
      Since:
      2.4.1
    • doUnassignRole

      @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doUnassignRole(@QueryParameter(required=true) String type, @QueryParameter(required=true) String roleName, @QueryParameter(required=true) String sid) throws IOException
      API method to remove a SID from a role. Only entries of type EITHER will be removed. Use doUnassignUserRole(String, String, String) or doUnassignGroupRole(String, String, String) to unassign a User or a Group.

      Example: curl -X POST localhost:8080/role-strategy/strategy/unassignRole --data "type=globalRoles&roleName=AMD&sid=username"

      Parameters:
      type - (globalRoles, projectRoles, slaveRoles)
      roleName - unassign role with sid
      sid - user ID to remove
      Throws:
      IOException - in case saving changes fails
      Since:
      2.6.0
    • doUnassignUserRole

      @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doUnassignUserRole(@QueryParameter(required=true) String type, @QueryParameter(required=true) String roleName, @QueryParameter(required=true) String user) throws IOException
      API method to remove a user from a role.

      Example: curl -X POST localhost:8080/role-strategy/strategy/unassignUserRole --data "type=globalRoles&roleName=AMD&user=username"

      Parameters:
      type - (globalRoles, projectRoles, slaveRoles)
      roleName - unassign role with sid
      user - user ID to remove
      Throws:
      IOException - in case saving changes fails
      Since:
      TODO
    • doUnassignGroupRole

      @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doUnassignGroupRole(@QueryParameter(required=true) String type, @QueryParameter(required=true) String roleName, @QueryParameter(required=true) String group) throws IOException
      API method to remove a group from a role.

      Example: curl -X POST localhost:8080/role-strategy/strategy/unassignGroupRole --data "type=globalRoles&roleName=AMD&group=groupname"

      Parameters:
      type - (globalRoles, projectRoles, slaveRoles)
      roleName - unassign role with sid
      group - group ID to remove
      Throws:
      IOException - in case saving changes fails
      Since:
      TODO
    • doGetTemplate

      @GET @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doGetTemplate(@QueryParameter(required=true) String name) throws IOException
      API method to get the granted permissions of a template and if the template is used.

      Example: curl -XGET 'http://localhost:8080/jenkins/role-strategy/strategy/getTemplate?name=developer'

      Returns json with granted permissions and assigned sids.
      Example:

      
         {
           "permissionIds": {
               "hudson.model.Item.Read":true,
               "hudson.model.Item.Build":true,
               "hudson.model.Item.Cancel":true
            },
            "isUsed": true
         }
       
       
      Throws:
      IOException
    • doGetRole

      @GET @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doGetRole(@QueryParameter(required=true) String type, @QueryParameter(required=true) String roleName) throws IOException
      API method to get the granted permissions of a role and the SIDs assigned to it.

      Example: curl -XGET 'http://localhost:8080/jenkins/role-strategy/strategy/getRole?type=projectRoles&roleName=admin'

      Returns json with granted permissions and assigned sids.
      Example:

      
         {
           "permissionIds": {
               "hudson.model.Item.Read":true,
               "hudson.model.Item.Build":true,
               "hudson.model.Item.Cancel":true
            },
            "sids": [{"type":"USER","sid":"user1"}, {"type":"USER","sid":"user2"}],
            "pattern": ".*",
            "template": "developers"
         }
       
       
      Parameters:
      type - (globalRoles, projectRoles, slaveRoles)
      roleName - name of role (single, no list)
      Throws:
      IOException - In case write response failed
      Since:
      2.8.3
    • doGetAllRoles

      @GET @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doGetAllRoles(@QueryParameter(fixEmpty=true) String type) throws IOException
      API method to get all roles and the SIDs assigned to the roles for a roletype.

      Example: curl -X GET 'localhost:8080/role-strategy/strategy/getAllRoles?type=projectRoles'

      Returns a json with roles and sids
      Example:

      
         {
           "role2": [{"type":"USER","sid":"user1"}, {"type":"USER","sid":"user2"}],
           "role2": [{"type":"GROUP","sid":"group1"}, {"type":"USER","sid":"user2"}]
         }
       
      Parameters:
      type - (globalRoles by default, projectRoles, slaveRoles)
      Throws:
      IOException
      Since:
      2.6.0
    • doGetMatchingJobs

      @GET @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doGetMatchingJobs(@QueryParameter(required=true) String pattern, @QueryParameter int maxJobs) throws IOException
      API method to get a list of items matching a pattern.

      Example: curl -X GET 'localhost:8080/role-strategy/strategy/getMatchingJobs?pattern=^staging.*'

      Parameters:
      pattern - Pattern to match against
      maxJobs - Maximum matching items to search for
      Throws:
      IOException - when unable to write response
    • doGetMatchingAgents

      @GET @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void doGetMatchingAgents(@QueryParameter(required=true) String pattern, @QueryParameter int maxAgents) throws IOException
      API method to get a list of agents matching a pattern.

      Example: curl -X GET 'localhost:8080/role-strategy/strategy/getMatchingAgents?pattern=^linux.*'

      Parameters:
      pattern - Pattern to match against
      maxAgents - Maximum matching agents to search for
      Throws:
      IOException - when unable to write response
    • validateConfig

      @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void validateConfig()
      Checks if there are ambiguous entries and adds them to the monitor.
    • init

      @Initializer(after=SYSTEM_CONFIG_LOADED) public static void init()
      Validate the config after System config was loaded.
    • getInstance

      @CheckForNull public static RoleBasedAuthorizationStrategy getInstance()
      Retrieves instance of the strategy.
      Returns:
      Strategy instance or null if it is disabled.
    • isCreateAllowed

      @Deprecated public static boolean isCreateAllowed()
      Deprecated.
      Always available since 1.566
      Control job create using RoleBasedProjectNamingStrategy.
      Since:
      2.2.0
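
An added example, not part of the plugin's code or documentation: an offline audit of responses in the shape documented for doGetRole, flagging sids of type EITHER (the kind the deprecated doAssignRole creates) and role patterns that cover every item name supplied. The sample responses, role names and item names are constructed, and whole-name matching with Python's `re` is an assumption that only approximates Java regex behaviour.

```python
import json
import re

# Constructed responses in the shape documented for getRole (valid JSON;
# the role, sid and item names are made up for this example).
RESPONSES = {
    "admin": """{"permissionIds": {"hudson.model.Item.Read": true,
                                   "hudson.model.Item.Build": true},
                 "sids": [{"type": "USER", "sid": "user1"},
                          {"type": "EITHER", "sid": "ops"}],
                 "pattern": ".*", "template": "developers"}""",
    "staging": """{"permissionIds": {"hudson.model.Item.Read": true},
                   "sids": [{"type": "GROUP", "sid": "group1"}],
                   "pattern": "^staging.*"}""",
}
ITEMS = ["staging-api", "staging-web", "prod-deploy"]  # constructed item names


def audit_role(name, body, items):
    """Return findings for one getRole response body (a JSON string)."""
    role = json.loads(body)
    findings = []
    # Entries of type EITHER are not pinned to a user or a group; the
    # deprecated assignRole endpoint creates them.
    for entry in role.get("sids", []):
        if entry.get("type") == "EITHER":
            findings.append(f"{name}: sid '{entry['sid']}' has type EITHER")
    pattern = role.get("pattern")
    if pattern:
        try:
            # Assumption: the pattern must match the whole item name.
            # Python's re is only an approximation of Java regex syntax.
            rx = re.compile(pattern)
        except re.error as exc:
            findings.append(f"{name}: pattern {pattern!r} not parseable: {exc}")
        else:
            hits = [i for i in items if rx.fullmatch(i)]
            if items and len(hits) == len(items):
                findings.append(f"{name}: pattern {pattern!r} matches every item")
    return findings


def audit_all(responses, items):
    """Audit every role; findings come back sorted by role name."""
    out = []
    for name in sorted(responses):
        out.extend(audit_role(name, responses[name], items))
    return out


if __name__ == "__main__":
    for line in audit_all(RESPONSES, ITEMS):
        print(line)
```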