Add support for node properties (#143)

Author: timja

src/main/java/com/microsoft/jenkins/azuread/AzureAdAuthorizationMatrixNodeProperty.java

@@ -0,0 +1,187 @@
+package com.microsoft.jenkins.azuread;
+
+import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.Extension;
+import hudson.model.Computer;
+import hudson.model.Node;
+import hudson.model.User;
+import hudson.security.AuthorizationStrategy;
+import hudson.security.Permission;
+import hudson.security.PermissionScope;
+import hudson.slaves.NodePropertyDescriptor;
+import hudson.util.FormValidation;
+import jenkins.model.Jenkins;
+import jenkins.model.NodeListener;
+import net.sf.json.JSONObject;
+import org.jenkinsci.Symbol;
+import org.jenkinsci.plugins.matrixauth.AbstractAuthorizationPropertyConverter;
+import org.jenkinsci.plugins.matrixauth.AuthorizationMatrixNodeProperty;
+import org.jenkinsci.plugins.matrixauth.AuthorizationPropertyDescriptor;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.DoNotUse;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
+import org.kohsuke.accmod.restrictions.suppressions.SuppressRestrictedWarnings;
+import org.kohsuke.stapler.AncestorInPath;
+import org.kohsuke.stapler.QueryParameter;
+import org.kohsuke.stapler.StaplerRequest;
+
+import java.io.IOException;
+import java.util.Collections;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+public class AzureAdAuthorizationMatrixNodeProperty extends AuthorizationMatrixNodeProperty {
+
+    private final transient ObjId2FullSidMap objId2FullSidMap = new ObjId2FullSidMap();
+
+    public AzureAdAuthorizationMatrixNodeProperty() {
+        super(Collections.emptyMap());
+    }
+
+    void refreshMap() {
+        for (String fullSid : this.getAllSIDs()) {
+            objId2FullSidMap.putFullSid(fullSid);
+        }
+        new AzureAdAuthorizationMatrixNodeProperty();
+    }
+
+    @Override
+    public void add(Permission p, String sid) {
+        super.add(p, sid);
+        objId2FullSidMap.putFullSid(sid);
+    }
+
+    @Override
+    public boolean hasExplicitPermission(String sid, Permission p) {
+        // Jenkins will pass in the object Id as sid
+        final String objectId = sid;
+        if (objectId == null) {
+            return false;
+        }
+        return super.hasExplicitPermission(objId2FullSidMap.getOrOriginal(objectId), p);
+    }
+
+    @Override
+    public boolean hasPermission(String sid, Permission p) {
+        // Jenkins will pass in the object Id as sid
+        final String objectId = sid;
+        return super.hasPermission(objId2FullSidMap.getOrOriginal(objectId), p);
+    }
+
+    @Override
+    public boolean hasPermission(String sid, Permission p, boolean principal) {
+        // Jenkins will pass in the object Id as sid
+        final String objectId = sid;
+        return super.hasPermission(objId2FullSidMap.getOrOriginal(objectId), p, principal);
+    }
+
+    /**
+     * Persist {@link AzureAdAuthorizationMatrixNodeProperty} as a list of IDs that
+     * represent {@link AzureAdAuthorizationMatrixNodeProperty#getGrantedPermissions()}.
+     */
+    @Restricted(NoExternalUse.class)
+    @SuppressRestrictedWarnings(AbstractAuthorizationPropertyConverter.class)
+    public static final class ConverterImpl extends
+            AbstractAuthorizationPropertyConverter<AzureAdAuthorizationMatrixNodeProperty> {
+        public boolean canConvert(Class type) {
+            return type == AzureAdAuthorizationMatrixNodeProperty.class;
+        }
+
+        public AzureAdAuthorizationMatrixNodeProperty create() {
+            return new AzureAdAuthorizationMatrixNodeProperty();
+        }
+    }
+
+    @Extension
+    @Symbol("azureAdAuthorizationMatrix")
+    @SuppressRestrictedWarnings(AuthorizationPropertyDescriptor.class)
+    public static class DescriptorImpl extends NodePropertyDescriptor
+            implements AuthorizationPropertyDescriptor<AzureAdAuthorizationMatrixNodeProperty> {
+
+        @Override
+        public AzureAdAuthorizationMatrixNodeProperty create() {
+            return new AzureAdAuthorizationMatrixNodeProperty();
+        }
+
+        @Override
+        public PermissionScope getPermissionScope() {
+            return PermissionScope.COMPUTER;
+        }
+
+        @Override
+        public AzureAdAuthorizationMatrixNodeProperty newInstance(
+                StaplerRequest req,
+                @NonNull JSONObject formData
+        ) throws FormException {
+            return createNewInstance(req, formData, false);
+        }
+
+        @Override
+        public boolean isApplicable() {
+            return Jenkins.get().getAuthorizationStrategy() instanceof AzureAdMatrixAuthorizationStrategy;
+        }
+
+        @NonNull
+        @Override
+        public String getDisplayName() {
+            return "Azure Active Directory Authorization Matrix";
+        }
+
+        @SuppressWarnings("unused") // called by jelly
+        public boolean isDisableGraphIntegration() {
+            AzureSecurityRealm securityRealm = (AzureSecurityRealm) Jenkins.get().getSecurityRealm();
+            return securityRealm.isDisableGraphIntegration();
+        }
+
+        @Restricted(DoNotUse.class)
+        public FormValidation doCheckName(@AncestorInPath Computer computer, @QueryParameter String value) {
+            if (isDisableGraphIntegration()) {
+                return Utils.undecidableResponse(value);
+            }
+
+            // Computer isn't a DescriptorByNameOwner before Jenkins 2.78, and then @AncestorInPath doesn't work
+            return doCheckName_(value,
+                    computer == null ? Jenkins.get() : computer,
+                    computer == null ? Jenkins.ADMINISTER : Computer.CONFIGURE);
+        }
+    }
+
+    /**
+     * Ensure that the user creating a node has Read and Configure permissions.
+     */
+    @Extension
+    @Restricted(NoExternalUse.class)
+    public static class NodeListenerImpl extends NodeListener {
+        @Override
+        protected void onCreated(@NonNull Node node) {
+            AuthorizationStrategy authorizationStrategy = Jenkins.get().getAuthorizationStrategy();
+            if (authorizationStrategy instanceof AzureAdMatrixAuthorizationStrategy) {
+                AzureAdMatrixAuthorizationStrategy strategy =
+                        (AzureAdMatrixAuthorizationStrategy) authorizationStrategy;
+
+                AuthorizationMatrixNodeProperty prop = node
+                        .getNodeProperty(AzureAdAuthorizationMatrixNodeProperty.class);
+                if (prop == null) {
+                    prop = new AzureAdAuthorizationMatrixNodeProperty();
+                }
+
+                User current = User.current();
+                String sid = current == null ? "anonymous" : current.getId();
+
+                if (!strategy.getACL(node).hasPermission2(Jenkins.getAuthentication2(), Computer.CONFIGURE)) {
+                    prop.add(Computer.CONFIGURE, sid);
+                }
+                if (!prop.getGrantedPermissions().isEmpty()) {
+                    try {
+                        node.getNodeProperties().replace(prop);
+                    } catch (IOException ex) {
+                        LOGGER.log(Level.WARNING, "Failed to grant creator permissions on node "
+                                + node.getDisplayName(), ex);
+                    }
+                }
+            }
+        }
+    }
+
+    private static final Logger LOGGER = Logger.getLogger(AzureAdAuthorizationMatrixNodeProperty.class.getName());
+}

src/main/java/com/microsoft/jenkins/azuread/AzureAdMatrixAuthorizationStrategy.java

@@ -24,6 +24,7 @@
 import hudson.model.Item;
 import hudson.model.ItemGroup;
 import hudson.model.Job;
+import hudson.model.Node;
 import hudson.security.ACL;
 import hudson.security.AuthorizationStrategy;
 import hudson.security.GlobalMatrixAuthorizationStrategy;
@@ -34,6 +35,7 @@
 import okhttp3.Request;
 import org.apache.commons.lang.StringUtils;
 import org.jenkinsci.plugins.matrixauth.AuthorizationContainer;
+import org.jenkinsci.plugins.matrixauth.AuthorizationMatrixNodeProperty;
 import org.kohsuke.accmod.Restricted;
 import org.kohsuke.accmod.restrictions.DoNotUse;
 import org.kohsuke.accmod.restrictions.NoExternalUse;
@@ -70,6 +72,16 @@ public ACL getACL(@NonNull Job<?, ?> project) {
         }
     }
 
+    @NonNull
+    @Override
+    public ACL getACL(@NonNull Node node) {
+        AuthorizationMatrixNodeProperty property = node.getNodeProperty(AzureAdAuthorizationMatrixNodeProperty.class);
+        if (property != null) {
+            return property.getInheritanceStrategy().getEffectiveACL(property.getACL(), node);
+        }
+        return getRootACL();
+    }
+
     @Restricted(NoExternalUse.class)
     public static ACL inheritingACL(final ACL parent, final ACL child) {
         if (parent instanceof SidACL && child instanceof SidACL) {

src/main/java/com/microsoft/jenkins/azuread/AzureSecurityRealm.java

@@ -358,6 +358,12 @@ public HttpResponse doFinishLogin(StaplerRequest request)
         try {
             final Long beginTime = (Long) request.getSession().getAttribute(TIMESTAMP_ATTRIBUTE);
             final String expectedNonce = (String) request.getSession().getAttribute(NONCE_ATTRIBUTE);
+            if (expectedNonce == null) {
+                // no nonce, probably some issue with an old session, force the user to re-auth
+                request.getSession().invalidate();
+                return HttpResponses.redirectToContextRoot();
+            }
+
             if (beginTime != null) {
                 long endTime = System.currentTimeMillis();
                 LOGGER.info("Requesting oauth code time = " + (endTime - beginTime) + " ms");

src/main/java/com/microsoft/jenkins/azuread/GraphProxy.java

@@ -6,9 +6,11 @@
 import edu.umd.cs.findbugs.annotations.NonNull;
 import hudson.Extension;
 import hudson.model.Action;
+import hudson.model.Computer;
 import hudson.model.Job;
 import hudson.model.RootAction;
 import hudson.model.User;
+import hudson.security.AccessControlled;
 import hudson.security.SecurityRealm;
 import jenkins.model.Jenkins;
 import jenkins.model.TransientActionFactory;
@@ -45,7 +47,7 @@ public class GraphProxy implements RootAction, StaplerProxy {
             .expireAfterWrite(TEN, TimeUnit.MINUTES)
             .build();
 
-    private Job<?, ?> job;
+    private AccessControlled accessControlled;
 
     @Override
     public String getIconFileName() {
@@ -67,14 +69,21 @@ public String getUrlName() {
     public GraphProxy() {
     }
 
-    public GraphProxy(Job<?, ?> job) {
-        this.job = job;
+    public GraphProxy(AccessControlled accessControlled) {
+        this.accessControlled = accessControlled;
     }
 
     @Override
     public Object getTarget() {
-        if (job != null) {
-            job.checkPermission(Job.CONFIGURE);
+        if (accessControlled != null) {
+            if (accessControlled instanceof Job) {
+                accessControlled.checkPermission(Job.CONFIGURE);
+            } else if (accessControlled instanceof Computer) {
+                accessControlled.checkPermission(Computer.CONFIGURE);
+            } else {
+                accessControlled.checkPermission(Jenkins.ADMINISTER);
+            }
+
             return this;
         }
 
@@ -98,6 +107,21 @@ public Collection<? extends Action> createFor(@NonNull Job target) {
         }
     }
 
+    @Extension
+    public static class TransientActionFactoryComputer extends TransientActionFactory<Computer> {
+
+        @Override
+        public Class<Computer> type() {
+            return Computer.class;
+        }
+
+        @NonNull
+        @Override
+        public Collection<? extends Action> createFor(@NonNull Computer target) {
+            return Collections.singletonList(new GraphProxy(target));
+        }
+    }
+
     public void doDynamic(StaplerRequest request, StaplerResponse response) throws IOException {
         proxy(request, response);
     }

src/main/java/com/microsoft/jenkins/azuread/integrations/casc/AzureAdAuthorizationMatrixNodePropertyConfigurator.java

@@ -0,0 +1,74 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2018-2019 Matrix Authorization Strategy Plugin developers
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package com.microsoft.jenkins.azuread.integrations.casc;
+
+import com.microsoft.jenkins.azuread.AzureAdAuthorizationMatrixNodeProperty;
+import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.Extension;
+import io.jenkins.plugins.casc.Attribute;
+import io.jenkins.plugins.casc.BaseConfigurator;
+import io.jenkins.plugins.casc.ConfigurationContext;
+import io.jenkins.plugins.casc.ConfiguratorException;
+import io.jenkins.plugins.casc.impl.attributes.DescribableAttribute;
+import io.jenkins.plugins.casc.impl.attributes.MultivaluedAttribute;
+import io.jenkins.plugins.casc.model.Mapping;
+import org.jenkinsci.plugins.matrixauth.inheritance.InheritanceStrategy;
+import org.jenkinsci.plugins.matrixauth.integrations.casc.MatrixAuthorizationStrategyConfigurator;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
+
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+
+@Extension(optional = true)
+@Restricted(NoExternalUse.class)
+public class AzureAdAuthorizationMatrixNodePropertyConfigurator
+        extends BaseConfigurator<AzureAdAuthorizationMatrixNodeProperty> {
+
+    @Override
+    public Class<AzureAdAuthorizationMatrixNodeProperty> getTarget() {
+        return AzureAdAuthorizationMatrixNodeProperty.class;
+    }
+
+    @Override
+    protected AzureAdAuthorizationMatrixNodeProperty instance(Mapping mapping, ConfigurationContext context)
+            throws ConfiguratorException {
+        return new AzureAdAuthorizationMatrixNodeProperty();
+    }
+
+    @Override
+    @NonNull
+    public Set<Attribute<AzureAdAuthorizationMatrixNodeProperty, ?>> describe() {
+        return new HashSet<>(Arrays.asList(
+                new MultivaluedAttribute<AzureAdAuthorizationMatrixNodeProperty, String>(
+                        "permissions",
+                        String.class
+                )
+                        .getter(MatrixAuthorizationStrategyConfigurator::getPermissions)
+                        .setter(MatrixAuthorizationStrategyConfigurator::setPermissions),
+                new DescribableAttribute<AzureAdAuthorizationMatrixNodeProperty,
+                        InheritanceStrategy>("inheritanceStrategy", InheritanceStrategy.class)));
+    }
+}

src/main/resources/com/microsoft/jenkins/azuread/AzureAdAuthorizationMatrixNodeProperty/config.groovy

@@ -0,0 +1,14 @@
+package com.microsoft.jenkins.azuread.AzureAdAuthorizationMatrixNodeProperty
+
+import lib.FormTagLib
+import org.jenkinsci.plugins.matrixauth.inheritance.InheritanceStrategyDescriptor
+
+def f = namespace(FormTagLib)
+def st = namespace("jelly:stapler")
+
+f.nested {
+    div {
+        f.dropdownDescriptorSelector(title: _("Inheritance Strategy"), descriptors: InheritanceStrategyDescriptor.getApplicableDescriptors(my?.class?:hudson.model.Node.class), field: 'inheritanceStrategy')
+        st.include(class: "com.microsoft.jenkins.azuread.AzureAdMatrixAuthorizationStrategy", page: "config")
+    }
+}