Allow reloading configuration with Overall/Manage permission (jenkinsci#1653)

Co-authored-by: Tim Jacomb <timjacomb1+github@gmail.com>

Author: C​⁠‌​⁠⁠‌​​⁠‍‌‌​​‍‌yprien Q​⁠‌​⁠⁠‌​​⁠‍‌‌​​‍‌uilici

.idea/codeStyles/Project.xml

@@ -151,7 +151,7 @@ public String getDescription() {
     @NonNull
     @Override
     public Permission getRequiredPermission() {
-        return Jenkins.SYSTEM_READ;
+        return Jenkins.READ;
     }
 
     public Date getLastTimeLoaded() {
@@ -165,7 +165,7 @@ public List<String> getSources() {
     @RequirePOST
     @Restricted(NoExternalUse.class)
     public void doReload(StaplerRequest request, StaplerResponse response) throws Exception {
-        if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
+        if (!Jenkins.get().hasPermission(Jenkins.MANAGE)) {
             response.sendError(HttpServletResponse.SC_FORBIDDEN);
             return;
         }

plugin/src/main/java/io/jenkins/plugins/casc/ConfigurationAsCode.java

@@ -1,6 +1,6 @@
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:l="/lib/layout" xmlns:f="/lib/form" xmlns:i="jelly:fmt" xmlns:st="jelly:stapler">
-  <l:layout norefresh="true" type="one-column" title="${%Configuration as Code}">
+  <l:layout norefresh="true" type="one-column" title="${%Configuration as Code}" permissions="${app.MANAGE_AND_SYSTEM_READ}">
   <l:main-panel>
   <st:adjunct includes="io.jenkins.plugins.casc.assets.index"/>
 
@@ -39,27 +39,29 @@
     </l:isAdmin>
     <h2>${%Actions}</h2>
 
-    <l:isAdmin>
+    <l:hasAdministerOrManage>
       <f:form method="post" action="reload" name="reload">
         <f:submit name="reload" value="${%Reload existing configuration}"/>
       </f:form>
-    </l:isAdmin>
-    <f:form method="post" action="export" name="export">
-      <f:submit name="export" value="${%Download Configuration}"/>
-    </f:form>
-    <f:form method="post" action="viewExport" name="viewExport">
-      <f:submit name="viewExport" value="${%View Configuration}"/>
-    </f:form>
-    <div class="alert alert-warning clear-action-forms">
-      <img src="${rootURL}/images/16x16/warning.png"/>
-      ${%exportWarning}
-    </div>
+    </l:hasAdministerOrManage>
+    <l:hasPermission permission="${app.SYSTEM_READ}">
+      <f:form method="post" action="export" name="export">
+        <f:submit name="export" value="${%Download Configuration}"/>
+      </f:form>
+      <f:form method="post" action="viewExport" name="viewExport">
+        <f:submit name="viewExport" value="${%View Configuration}"/>
+      </f:form>
+      <div class="alert alert-warning clear-action-forms">
+        <img src="${rootURL}/images/16x16/warning.png"/>
+        ${%exportWarning}
+      </div>
 
-    <h2>${%Reference}</h2>
-    <dt>
-      <dl><a href="reference">${%Documentation}</a></dl>
-      <dl><a href="schema">${%JSON schema}</a></dl>
-    </dt>
+      <h2>${%Reference}</h2>
+      <dt>
+        <dl><a href="reference">${%Documentation}</a></dl>
+        <dl><a href="schema">${%JSON schema}</a></dl>
+      </dt>
+    </l:hasPermission>
 
   </div>
   </div>

plugin/src/main/resources/io/jenkins/plugins/casc/ConfigurationAsCode/index.jelly

@@ -0,0 +1,16 @@
+package io.jenkins.plugins.casc.permissions;
+
+public enum Action {
+
+    VIEW_CONFIGURATION("View Configuration"),
+    DOWNLOAD_CONFIGURATION("Download Configuration"),
+    APPLY_NEW_CONFIGURATION("Apply new configuration"),
+    RELOAD_EXISTING_CONFIGURATION("Reload existing configuration"),
+    ;
+
+    String buttonText;
+
+    Action(String buttonText) {
+        this.buttonText = buttonText;
+    }
+}

plugin/src/test/java/io/jenkins/plugins/casc/permissions/Action.java

@@ -0,0 +1,173 @@
+package io.jenkins.plugins.casc.permissions;
+
+import com.gargoylesoftware.htmlunit.html.HtmlPage;
+import com.google.common.collect.ImmutableMap;
+import java.util.Map;
+import jenkins.model.Jenkins;
+import org.junit.Rule;
+import org.junit.Test;
+import org.jvnet.hudson.test.JenkinsRule;
+import org.jvnet.hudson.test.JenkinsRule.WebClient;
+import org.jvnet.hudson.test.MockAuthorizationStrategy;
+
+import static io.jenkins.plugins.casc.permissions.Action.APPLY_NEW_CONFIGURATION;
+import static io.jenkins.plugins.casc.permissions.Action.DOWNLOAD_CONFIGURATION;
+import static io.jenkins.plugins.casc.permissions.Action.RELOAD_EXISTING_CONFIGURATION;
+import static io.jenkins.plugins.casc.permissions.Action.VIEW_CONFIGURATION;
+import static java.lang.String.format;
+import static java.net.HttpURLConnection.HTTP_FORBIDDEN;
+import static java.net.HttpURLConnection.HTTP_OK;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.is;
+import static org.hamcrest.Matchers.not;
+import static org.junit.Assert.assertEquals;
+
+public class PermissionsTest {
+
+    private static final String RELATIVE_PATH_MANAGE_PAGE = "manage";
+    private static final String RELATIVE_PATH_CASC_PAGE = "configuration-as-code";
+
+    @Rule
+    public JenkinsRule j = new JenkinsRule();
+
+    @Test
+    public void checkPermissionsForReader() throws Exception {
+        final String READER = "reader";
+        j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
+        j.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy()
+            .grant(Jenkins.READ).everywhere().to(READER)
+        );
+
+        JenkinsRule.WebClient webClient = j.createWebClient()
+            .withThrowExceptionOnFailingStatusCode(false);
+
+        webClient.login(READER);
+        assertCannotAccessPage(webClient, RELATIVE_PATH_CASC_PAGE);
+        assertCannotAccessPage(webClient, RELATIVE_PATH_MANAGE_PAGE);
+    }
+
+    @Test
+    public void checkPermissionsForSystemReader() throws Exception {
+        final String SYSTEM_READER = "systemReader";
+        j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
+        j.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy()
+            .grant(Jenkins.READ).everywhere().to(SYSTEM_READER)
+            .grant(Jenkins.SYSTEM_READ).everywhere().to(SYSTEM_READER)
+        );
+
+        JenkinsRule.WebClient webClient = j.createWebClient()
+            .withThrowExceptionOnFailingStatusCode(false);
+
+        assertUserPermissions(
+            webClient,
+            SYSTEM_READER,
+            ImmutableMap.<Action, Boolean>builder()
+                .put(VIEW_CONFIGURATION, true)
+                .put(DOWNLOAD_CONFIGURATION, true)
+                .put(APPLY_NEW_CONFIGURATION, false)
+                .put(RELOAD_EXISTING_CONFIGURATION, false)
+                .build()
+        );
+    }
+
+    @Test
+    public void checkPermissionsForManager() throws Exception {
+        final String MANAGER = "manager";
+        j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
+        j.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy()
+            .grant(Jenkins.READ).everywhere().to(MANAGER)
+            .grant(Jenkins.MANAGE).everywhere().to(MANAGER)
+        );
+
+        JenkinsRule.WebClient webClient = j.createWebClient()
+            .withThrowExceptionOnFailingStatusCode(false);
+
+        assertUserPermissions(
+            webClient,
+            MANAGER,
+            ImmutableMap.<Action, Boolean>builder()
+                .put(RELOAD_EXISTING_CONFIGURATION, true)
+                .build()
+        );
+    }
+
+    @Test
+    public void checkPermissionsForAdmin() throws Exception {
+        final String ADMIN = "admin";
+        j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
+        j.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy()
+            .grant(Jenkins.ADMINISTER).everywhere().to(ADMIN)
+        );
+
+        JenkinsRule.WebClient webClient = j.createWebClient()
+            .withThrowExceptionOnFailingStatusCode(false);
+
+        assertUserPermissions(
+            webClient,
+            ADMIN,
+            ImmutableMap.<Action, Boolean>builder()
+                .put(VIEW_CONFIGURATION, true)
+                .put(DOWNLOAD_CONFIGURATION, true)
+                .put(APPLY_NEW_CONFIGURATION, true)
+                .put(RELOAD_EXISTING_CONFIGURATION, true)
+                .build()
+        );
+    }
+
+    private void assertUserPermissions(WebClient webClient, String user,
+        Map<Action, Boolean> allowedActions) throws Exception {
+
+        webClient.login(user);
+        assertCascTileShows(webClient);
+
+        HtmlPage cascPage = assertCanAccessPage(webClient, RELATIVE_PATH_CASC_PAGE);
+        allowedActions.forEach(
+            (action, isAllowed) -> assertActionAvailable(cascPage, action, isAllowed)
+        );
+    }
+
+    private HtmlPage assertCanAccessPage(WebClient webClient, String relativePath)
+        throws Exception {
+        HtmlPage page = webClient.goTo(relativePath);
+        assertEquals(HTTP_OK, page.getWebResponse().getStatusCode());
+        return page;
+    }
+
+    private void assertCannotAccessPage(WebClient webClient, String relativePath) throws Exception {
+        final HtmlPage page = webClient.goTo(relativePath);
+        final int statusCode = page.getWebResponse().getStatusCode();
+        assertThat(
+            format("Page %s should not be accessible", relativePath),
+            statusCode,
+            is(HTTP_FORBIDDEN)
+        );
+    }
+
+    private void assertCascTileShows(WebClient webClient) throws Exception {
+        HtmlPage managePage = assertCanAccessPage(webClient, RELATIVE_PATH_MANAGE_PAGE);
+        final String pageContent = managePage.getWebResponse().getContentAsString();
+        assertThat(
+            "The user should have access to the CasC tile in management page",
+            pageContent,
+            containsString("Configuration as Code")
+        );
+    }
+
+    private void assertActionAvailable(HtmlPage page, Action action, boolean shouldContain) {
+        String responseContent = page.getWebResponse().getContentAsString();
+        if (shouldContain) {
+            assertThat(
+                format("Action %s should be available", action.name()),
+                responseContent,
+                containsString(action.buttonText)
+            );
+        } else {
+            assertThat(
+                format("Action %s should not be available", action.name()),
+                responseContent,
+                not(containsString(action.buttonText))
+            );
+        }
+    }
+}

plugin/src/test/java/io/jenkins/plugins/casc/permissions/PermissionsTest.java

@@ -21,7 +21,7 @@
   <properties>
     <revision>1.52</revision>
     <changelist>-SNAPSHOT</changelist>
-    <jenkins.version>2.222.1</jenkins.version>
+    <jenkins.version>2.249.1</jenkins.version>
     <java.level>8</java.level>
     <tagNameFormat>configuration-as-code-@{project.version}</tagNameFormat>
     <useBeta>true</useBeta>