From 04f5ec1f3743da5c21b8a10b41aaffb614d6d61f Mon Sep 17 00:00:00 2001
From: Vincent Latombe
Date: Fri, 27 Oct 2023 14:25:16 +0200
Subject: [PATCH] [JEP-227][JENKINS-39324] Replace Acegi Security with Spring
Security APIs (#490)
* [JEP-227] Replace Acegi Security with Spring Security APIs
This is the implementation of
https://github.com/jenkinsci/jenkins/pull/4848 for Credentials API. This
will allow consumers of the credentials API to remove references to
deprecated acegi APIs.
* Fix spotbugs issues
* Fix reviews
* Rename methods appropriately
* Fixup some javadocs.
* Remove unused method.
* Forgot to remove usages.
* Remove CredentialsProvider#getCredentials2(Class, ItemGroup, Authentication) in favor of CredentialsProvider#getCredentials2(Class, ItemGroup, Authentication, List)
* Fix a few null checks while we are here.
* Restore a method I deleted by mistake.
* Add tests for new signatures
* Rename *2 methods to *InItem/*InItemGroup to avoid ambiguous signatures
* Update docs
---
docs/consumer.adoc | 67 ++-
docs/implementation.adoc | 6 +-
.../CredentialsParameterDefinition.java | 10 +-
.../CredentialsParameterValue.java | 26 +-
.../credentials/CredentialsProvider.java | 487 ++++++++++--------
.../plugins/credentials/CredentialsStore.java | 36 +-
.../credentials/CredentialsStoreAction.java | 2 +-
.../SystemCredentialsProvider.java | 45 +-
.../credentials/UserCredentialsProvider.java | 38 +-
.../credentials/ViewCredentialsAction.java | 8 +-
.../AbstractIdCredentialsListBoxModel.java | 114 +++-
.../credentials/CredentialsProviderTest.java | 143 ++++-
.../CredentialsUnavailableExceptionTest.java | 4 +-
.../MockFolderCredentialsProvider.java | 34 +-
.../casc/CredentialsProviderTest.java | 13 +-
.../casc/SystemCredentialsTest.java | 4 +-
.../DomainRestrictedCredentialsTest.java | 4 +-
.../credentials/domains/DomainTest.java | 26 +-
.../impl/CertificateCredentialsImplTest.java | 4 +-
19 files changed, 634 insertions(+), 437 deletions(-)
diff --git a/docs/consumer.adoc b/docs/consumer.adoc
index 7c2f6860b..d154ed8cf 100644
--- a/docs/consumer.adoc
+++ b/docs/consumer.adoc
@@ -170,7 +170,7 @@ public FormValidation doCheckCredentialsId(
if (value.startsWith("${") && value.endsWith("}")) { // <5>
return FormValidation.warning("Cannot validate expression based credentials");
}
- if (CredentialsProvider.listCredentials( // <6>
+ if (CredentialsProvider.listCredentialsInItem( // <6>
...,
CredentialsMatchers.withId(value) // <6>
).isEmpty()) {
@@ -187,29 +187,26 @@ Better yet would be to try and ping the remote service anonymously and report su
_You may want to cache the check result for a short time-span if the remote service has rate limits on anonymous access._
<5> If you have not enabled credentials parameter expressions on the select control then you do not need this test.
<6> This example checks that the credentials exist, but does not use them to connect.
-Alternatively `CredentialsMatchers.firstOrNull(CredentialsProvider.lookupCredentials(...), withId(value))` can be used to retrieve the credentials, a `null` return value would indicate that the error that they cannot be found, while the non-`null` return value could be used to validate the credentials against the remote service.
+Alternatively `CredentialsMatchers.firstOrNull(CredentialsProvider.lookupCredentialsInItem(...), withId(value))` can be used to retrieve the credentials, a `null` return value would indicate that the error that they cannot be found, while the non-`null` return value could be used to validate the credentials against the remote service.
_You may want to cache the check result for a short time-span if the remote service has rate limits._
=== Listing available credentials matching some specific set of criteria
-We use the `CredentialsProvider.listCredentials()` overloads to list credentials.
-An external credentials provider may be recording usage of the credential and as such the `listCredentials` methods are supposed to not access the secret information and hence should not trigger such usage records.
+We use the `CredentialsProvider.listCredentialsInItem()` or `CredentialsProvider.listCredentialsInItemGroup()` methods to list credentials.
+An external credentials provider may be recording usage of the credential and as such the `listCredentialsInItem`/`listCredentialsInItemGroup` methods are supposed to not access the secret information and hence should not trigger such usage records.
[TIP]
====
-If you are listing available credentials in order to populate a drop-down list, then `StandardListBoxModel.includeMatchingAs()` may be a more convenient way to call `CredentialsProvider.listCredentials()`
+If you are listing available credentials in order to populate a drop-down list, then `StandardListBoxModel.includeMatchingAs()` may be a more convenient way to call `CredentialsProvider.listCredentialsInItem()`/`CredentialsProvider.listCredentialsInItemGroup()`
====
-There are currently two overloads, one taking `Item` as the context and the other taking `ItemGroup` as the context, the other parameters are otherwise identical.
-
-NOTE: A current RFE https://issues.jenkins-ci.org/browse/JENKINS-39324[JENKINS-39324] is looking to replace overloaded methods with a single method taking the more generic `ModelObject`.
-
The parameters are:
`type`::
The type of credentials to list.
-`item` or `itemGroup`::
+`item` (when using `CredentialsProvider.listCredentialsInItem`)::
+`itemGroup` (when using `CredentialsProvider.listCredentialsInItemGroup`)::
The context within which to list available credentials.
`authentication`::
@@ -227,12 +224,12 @@ Here are some examples of usage:
+
[source,java]
----
-CredentialsProvider.listCredentials(
+CredentialsProvider.listCredentialsInItem(
StandardUsernamePasswordCredentials.class, // <1>
job, // <2>
job instanceof Queue.Task // <3>
- ? Tasks.getAuthenticationOf((Queue.Task)job)) // <4>
- : ACL.SYSTEM, // <5>
+ ? Tasks.getAuthenticationOf2((Queue.Task)job)) // <4>
+ : ACL.SYSTEM2, // <5>
URIRequirementBuilder.fromUri(scmUrl), // <6>
null // <7>
);
@@ -244,7 +241,7 @@ We need `UsernamePasswordCredentials` to ensure that they are username and passw
<3> For almost all implementations of `Job`, this will be `true`.
(Note: https://plugins.jenkins.io/external-monitor-job[external jobs] do *not* implement `Queue.Task`)
<4> This is important, we must use the authentication that the job is likely to run as.
-<5> If not a `Queue.Task` then use `ACL.SYSTEM`
+<5> If not a `Queue.Task` then use `ACL.SYSTEM2`
<6> We use the requirements builder most idiomatically appropriate to our use case.
In most cases, unless `URIRequirementBuilder` can be used to construct at least some domain requirements.
<7> We do not have any additional requirements to place, so we can specify `null` for the matcher.
@@ -253,10 +250,10 @@ In most cases, unless `URIRequirementBuilder` can be used to construct at least
+
[source,java]
----
-CredentialsProvider.listCredentials(
+CredentialsProvider.listCredentialsInItem(
StandardUsernamePasswordCredentials.class,
job,
- Jenkins.getAuthentication(), // <1>
+ Jenkins.getAuthentication2(), // <1>
URIRequirementBuilder.fromUri(scmUrl),
null
)
@@ -267,12 +264,12 @@ CredentialsProvider.listCredentials(
+
[source,java]
----
-CredentialsProvider.listCredentials(
+CredentialsProvider.listCredentialsInItem(
StandardCredentials.class, // <1>
job,
job instanceof Queue.Task
- ? Tasks.getAuthenticationOf((Queue.Task)job))
- : ACL.SYSTEM,
+ ? Tasks.getAuthenticationOf2((Queue.Task)job))
+ : ACL.SYSTEM2,
URIRequirementBuilder.fromUri(issueTrackerUrl),
AuthenticationTokens.matcher(IssueTrackerAuthentication.class) // <2>
)
@@ -288,10 +285,10 @@ Alternatively, more complex conversion contexts can be handled with `Authenticat
+
[source,java]
----
-CredentialsProvider.listCredentials(
+CredentialsProvider.listCredentialsInItem(
StandardCredentials.class, // <1>
job,
- Jenkins.getAuthentication(), // <2>
+ Jenkins.getAuthentication2(), // <2>
URIRequirementBuilder.fromUri(loadBalancerUrl),
CredentialsMatchers.allOf(
AuthenticationTokens.matcher(LoadBalancerAuthentication.class),
@@ -313,10 +310,10 @@ This drop down list would typically be displayed from one of the _Manage Jenkins
+
[source,java]
----
-CredentialsProvider.listCredentials(
+CredentialsProvider.listCredentialsInItemGroup(
StandardUsernameCredentials.class, // <1>
Jenkins.get(), // <2>
- ACL.SYSTEM, // <2>
+ ACL.SYSTEM2, // <2>
URIRequirementBuilder.fromUri(scmUrl),
AuthenticationTokens.matcher(MySCMAuthentication.class) // <1>
)
@@ -324,7 +321,7 @@ CredentialsProvider.listCredentials(
<1> For this SCM, management of post commit hooks requires authentication that has specified a username, so even though there are other authentication mechanisms supported by `AuthenticationTokens.matcher(...)` we limit at the type level as that reduces the response that needs to be filtered.
The alternative would have been a matcher that combined `CredentialsMatchers.instanceOf(StandardUsernameCredentials.class)` but this reduces the ability of an external credentials provider to filter the query on the remote side.
<2> We are doing this operation outside of the context of a single job, rather this is being performed on behalf of the entire Jenkins instance.
-Thus we should be performing this as `ACL.SYSTEM` and in the context of `Jenkins.get()`.
+Thus we should be performing this as `ACL.SYSTEM2` and in the context of `Jenkins.get()`.
This has the additional benefit that the admin can restrict the high permission hook management credentials to `CredentialsScope.SYSTEM` which will prevent access by jobs.
=== Persist a reference to a specific credential instance
@@ -382,24 +379,24 @@ If we have a job, "foobar", and we configure a credentials parameter on that job
If you are working outside the context of a `Run` then you will not have to deal with the complexities of credentials expressions.
-In most cases the retrieval will just be a call to one of the `CredentialsProvider.lookupCredentials(...)` wrapped within `CredentialsMatchers.firstOrNull(..., CredentialsMatchers.withId(...))`, for example:
+In most cases the retrieval will just be a call to one of the `CredentialsProvider.lookupCredentialsInItem(...)`/`CredentialsProvider.lookupCredentialsInItemGroup(...)` wrapped within `CredentialsMatchers.firstOrNull(..., CredentialsMatchers.withId(...))`, for example:
[source,java]
----
StandardCredentials c = CredentialsMatchers.firstOrNull(
- CredentialsProvider.lookupCredentials(
+ CredentialsProvider.lookupCredentialsInItem(
StandardCredentials.class, // <1>
job, // <1>
job instanceof Queue.Task // <1>
? Tasks.getAuthenticationOf((Queue.Task)job))
- : ACL.SYSTEM,
+ : ACL.SYSTEM2,
URIRequirementBuilder.fromUri(...) // <1>
),
CredentialsMatchers.withId(credentialsId) // <2>
);
----
-<1> These should be the same as your call to `CredentialsProvider.listCredentials(...)`/`StandardListBoxModel.includeMatchingAs(...)` in order to ensure that we get the same credential instance back.
-<2> If you had additional `CredentialsMatcher` expressions in your call to `CredentialsProvider.listCredentials(...)`/`StandardListBoxModel.includeMatchingAs(...)` then you should merge them here with a `CredentialsMatchers.allOf(...)`
+<1> These should be the same as your call to `CredentialsProvider.listCredentialsInItem(...)`/`CredentialsProvider.listCredentialsInItemGroup(...)`/`StandardListBoxModel.includeMatchingAs(...)` in order to ensure that we get the same credential instance back.
+<2> If you had additional `CredentialsMatcher` expressions in your call to `CredentialsProvider.listCredentialsInItem(...)`/`CredentialsProvider.listCredentialsInItemGroup(...)`/`StandardListBoxModel.includeMatchingAs(...)` then you should merge them here with a `CredentialsMatchers.allOf(...)`
Once you have retrieved a non-null credentials instance, all non-secret properties can be assumed as eager-fetch immutable.
@@ -416,12 +413,12 @@ The recommended way to use a credential is through the https://plugins.jenkins.i
[source,java]
----
StandardCredentials c = CredentialsMatchers.firstOrNull( // <1>
- CredentialsProvider.listCredentials(
+ CredentialsProvider.listCredentialsInItem(
StandardCredentials.class,
job,
job instanceof Queue.Task
- ? Tasks.getAuthenticationOf((Queue.Task)job))
- : ACL.SYSTEM,
+ ? Tasks.getAuthenticationOf2((Queue.Task)job))
+ : ACL.SYSTEM2,
URIRequirementBuilder.fromUri(issueTrackerUrl)
),
CredentialsMatchers.allOf(
@@ -461,12 +458,12 @@ IssueTrackerAuthentication auth = AuthenticationTokens.convert(
CredentialsProvider.track(
job,
CredentialsMatchers.firstOrNull(
- CredentialsProvider.listCredentials(
+ CredentialsProvider.listCredentialsInItem(
StandardCredentials.class,
job,
job instanceof Queue.Task
- ? Tasks.getAuthenticationOf((Queue.Task)job))
- : ACL.SYSTEM,
+ ? Tasks.getAuthenticationOf2((Queue.Task)job))
+ : ACL.SYSTEM2,
URIRequirementBuilder.fromUri(issueTrackerUrl)
),
CredentialsMatchers.allOf(
diff --git a/docs/implementation.adoc b/docs/implementation.adoc
index ead2a158a..fe3d02885 100644
--- a/docs/implementation.adoc
+++ b/docs/implementation.adoc
@@ -742,9 +742,9 @@ If you have implemented that check before creating the proxy then you could be m
<2> Any consumer plugin that is transferring a credential to another JVM is supposed to call `CredentialsProvider.snapshot(credential)` and send the return value.
The `CredentialsSnapshotTaker` is supposed to fetch the secret as part of the snapshotting, so a proper consumer will never be at risk of this `IOException`.
-* The `CredentialsProvider.getCredentials(...)` methods should instantiate the proxies, so these methods will operate from the cache while initiate background refresh. Where the cache is a miss or where the cache is stale, a short term block is acceptable.
+* The `CredentialsProvider.getCredentialsInItem(...)` / `CredentialsProvider.getCredentialsInItemGroup(...)` methods should instantiate the proxies, so these methods will operate from the cache while initiate background refresh. Where the cache is a miss or where the cache is stale, a short term block is acceptable.
-* The `CredentialsProvider.getCredentialIds(...)` methods are used to list credentials for drop-down list population, so these methods should use a live request with a fall-back to the cache where the live request takes too long.
+* The `CredentialsProvider.getCredentialIdsInItem(...)` / `CredentialsProvider.getCredentialIdsInItemGroup(...)` methods are used to list credentials for drop-down list population, so these methods should use a live request with a fall-back to the cache where the live request takes too long.
[NOTE]
====
@@ -758,6 +758,6 @@ The main work in an implementation will be the mapping to `CredentialStore` inst
+
[NOTE]
====
-Technically, the "read-only, implicitly exposed" style credentials provider implementation does not need to interact with the `CredentialsStore` portion of the API as it can expose credentials directly using just the `CredentialsProvider.getCredentials(...)` and `CredentialsProvider.getCredentialIds(...)`, however, implementing the `CredentialsStore` contract is required in order for the credentials to be visible to users via the Credentials side action on the different Jenkins context objects.
+Technically, the "read-only, implicitly exposed" style credentials provider implementation does not need to interact with the `CredentialsStore` portion of the API as it can expose credentials directly using just the `CredentialsProvider.getCredentialsInItem(...)`/`CredentialsProvider.getCredentialsInItemGroup(...)` and `CredentialsProvider.getCredentialIdsInItem(...)`/`CredentialsProvider.getCredentialIdsInItemGroup(...)`, however, implementing the `CredentialsStore` contract is required in order for the credentials to be visible to users via the Credentials side action on the different Jenkins context objects.
====
* A "read-write, implicitly exposed" style implementation will need to semi-dynamically create `CredentialsStore` instances for each context in order to integrate with the Jenkins credentials management UI.
diff --git a/src/main/java/com/cloudbees/plugins/credentials/CredentialsParameterDefinition.java b/src/main/java/com/cloudbees/plugins/credentials/CredentialsParameterDefinition.java
index c42b8dc6a..3a1998e77 100644
--- a/src/main/java/com/cloudbees/plugins/credentials/CredentialsParameterDefinition.java
+++ b/src/main/java/com/cloudbees/plugins/credentials/CredentialsParameterDefinition.java
@@ -17,13 +17,13 @@
import java.util.Set;
import jenkins.model.Jenkins;
import net.sf.json.JSONObject;
-import org.acegisecurity.Authentication;
import org.apache.commons.lang.StringUtils;
import org.jenkinsci.Symbol;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;
+import org.springframework.security.core.Authentication;
/**
* A {@link ParameterDefinition} for a parameter that supplies a {@link Credentials}.
@@ -173,7 +173,7 @@ public StandardListBoxModel doFillDefaultValueItems(@AncestorInPath Item context
final StandardListBoxModel result = new StandardListBoxModel();
result.includeEmptyValue();
if (acl.hasPermission(CredentialsProvider.USE_ITEM)) {
- result.includeAs(CredentialsProvider.getDefaultAuthenticationOf(context), context, typeClass, domainRequirements);
+ result.includeAs(CredentialsProvider.getDefaultAuthenticationOf2(context), context, typeClass, domainRequirements);
}
return result;
}
@@ -185,9 +185,9 @@ public StandardListBoxModel doFillValueItems(@AncestorInPath Item context,
@QueryParameter boolean includeUser) {
Jenkins jenkins = Jenkins.get();
final ACL acl = context == null ? jenkins.getACL() : context.getACL();
- final Authentication authentication = Jenkins.getAuthentication();
- final Authentication itemAuthentication = CredentialsProvider.getDefaultAuthenticationOf(context);
- final boolean isSystem = ACL.SYSTEM.equals(authentication);
+ final Authentication authentication = Jenkins.getAuthentication2();
+ final Authentication itemAuthentication = CredentialsProvider.getDefaultAuthenticationOf2(context);
+ final boolean isSystem = ACL.SYSTEM2.equals(authentication);
final Class extends StandardCredentials> typeClass = decodeType(credentialType);
final List domainRequirements = Collections.emptyList();
final StandardListBoxModel result = new StandardListBoxModel();
diff --git a/src/main/java/com/cloudbees/plugins/credentials/CredentialsParameterValue.java b/src/main/java/com/cloudbees/plugins/credentials/CredentialsParameterValue.java
index 170e8760c..eeb51ad0b 100644
--- a/src/main/java/com/cloudbees/plugins/credentials/CredentialsParameterValue.java
+++ b/src/main/java/com/cloudbees/plugins/credentials/CredentialsParameterValue.java
@@ -21,10 +21,10 @@
import java.util.Collections;
import java.util.List;
import jenkins.model.Jenkins;
-import org.acegisecurity.Authentication;
import org.apache.commons.lang.StringUtils;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.Stapler;
+import org.springframework.security.core.Authentication;
/**
* A {@link ParameterValue} produced from a {@link CredentialsParameterDefinition}.
@@ -89,24 +89,24 @@ public C lookupCredentials(@NonNull Class type, @No
public C lookupCredentials(@NonNull Class type, @NonNull Run run,
List domainRequirements) {
- Authentication authentication = Jenkins.getAuthentication();
+ Authentication authentication = Jenkins.getAuthentication2();
final Executor executor = run.getExecutor();
if (executor != null) {
final WorkUnit workUnit = executor.getCurrentWorkUnit();
if (workUnit != null) {
- authentication = workUnit.context.item.authenticate();
+ authentication = workUnit.context.item.authenticate2();
}
}
List candidates = new ArrayList<>();
- final boolean isSystem = ACL.SYSTEM.equals(authentication);
+ final boolean isSystem = ACL.SYSTEM2.equals(authentication);
if (!isSystem && run.getParent().hasPermission(CredentialsProvider.USE_OWN)) {
candidates.addAll(CredentialsProvider
- .lookupCredentials(type, run.getParent(), authentication, domainRequirements));
+ .lookupCredentialsInItem(type, run.getParent(), authentication, domainRequirements));
}
if (run.getParent().hasPermission(CredentialsProvider.USE_ITEM) || isSystem
|| isDefaultValue) {
candidates.addAll(
- CredentialsProvider.lookupCredentials(type, run.getParent(), ACL.SYSTEM, domainRequirements));
+ CredentialsProvider.lookupCredentialsInItem(type, run.getParent(), ACL.SYSTEM2, domainRequirements));
}
return CredentialsMatchers.firstOrNull(candidates, CredentialsMatchers.withId(value));
}
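Review bot: The two `run.getParent().hasPermission(...)` checks take no authentication argument, so they presumably evaluate whatever identity the calling thread runs as, while the lookups use the local `authentication`, which may have been replaced by `workUnit.context.item.authenticate2()`. If those identities can ever differ, the `USE_OWN` gate and the lookup it guards apply to different principals. Either pass the identity explicitly, e.g. `run.getParent().hasPermission2(authentication, CredentialsProvider.USE_OWN)`, or add a comment such as `// checked against the current thread's authentication, which the executor is expected to have set to the build's identity`. The `ACL.SYSTEM2` branch is also taken when `isDefaultValue` is set, and would benefit from a one-line comment on why a default value justifies a system-level lookup.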
@@ -120,14 +120,14 @@ public String describe() {
throw new IllegalStateException("Should only be called from value.jelly");
}
StandardCredentials c = CredentialsMatchers.firstOrNull(
- CredentialsProvider.lookupCredentials(StandardCredentials.class, run.getParent(), ACL.SYSTEM,
+ CredentialsProvider.lookupCredentialsInItem(StandardCredentials.class, run.getParent(), ACL.SYSTEM2,
Collections.emptyList()), CredentialsMatchers.withId(value));
if (c != null) {
return CredentialsNameProvider.name(c);
}
c = CredentialsMatchers.firstOrNull(
- CredentialsProvider.lookupCredentials(StandardCredentials.class, run.getParent(),
- Jenkins.getAuthentication(),
+ CredentialsProvider.lookupCredentialsInItem(StandardCredentials.class, run.getParent(),
+ Jenkins.getAuthentication2(),
Collections.emptyList()), CredentialsMatchers.withId(value));
if (c != null) {
return CredentialsNameProvider.name(c);
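Review bot: `describe()` here and `iconClassName()` in the next hunk repeat the same two-step lookup, first as `ACL.SYSTEM2` and then as `Jenkins.getAuthentication2()`, so the migration had to touch four near-identical call sites. A private helper, for instance `findForDisplay(run)` returning the `StandardCredentials` or `null`, would keep the two methods in step. It would also give one place for a comment stating that the `ACL.SYSTEM2` lookup is deliberate and that only the display name and icon class, not secret material, leave these methods. Both methods begin and end outside their hunks, so the helper's exact signature needs checking against the full file.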
@@ -144,14 +144,14 @@ public String iconClassName() {
throw new IllegalStateException("Should only be called from value.jelly");
}
StandardCredentials c = CredentialsMatchers.firstOrNull(
- CredentialsProvider.lookupCredentials(StandardCredentials.class, run.getParent(), ACL.SYSTEM,
+ CredentialsProvider.lookupCredentialsInItem(StandardCredentials.class, run.getParent(), ACL.SYSTEM2,
Collections.emptyList()), CredentialsMatchers.withId(value));
if (c != null) {
return c.getDescriptor().getIconClassName();
}
c = CredentialsMatchers.firstOrNull(
- CredentialsProvider.lookupCredentials(StandardCredentials.class, run.getParent(),
- Jenkins.getAuthentication(),
+ CredentialsProvider.lookupCredentialsInItem(StandardCredentials.class, run.getParent(),
+ Jenkins.getAuthentication2(),
Collections.emptyList()), CredentialsMatchers.withId(value));
if (c != null) {
return c.getDescriptor().getIconClassName();
@@ -167,7 +167,7 @@ public String url() {
if (run == null) {
throw new IllegalStateException("Should only be called from value.jelly");
}
- try (ACLContext ctx = ACL.as(ACL.SYSTEM)) {
+ try (ACLContext ignored = ACL.as2(ACL.SYSTEM2)) {
for (CredentialsStore store : CredentialsProvider.lookupStores(run.getParent())) {
String url = url(store);
if (url != null) {
diff --git a/src/main/java/com/cloudbees/plugins/credentials/CredentialsProvider.java b/src/main/java/com/cloudbees/plugins/credentials/CredentialsProvider.java
index a0504bb0c..a9de5d525 100644
--- a/src/main/java/com/cloudbees/plugins/credentials/CredentialsProvider.java
+++ b/src/main/java/com/cloudbees/plugins/credentials/CredentialsProvider.java
@@ -91,12 +91,7 @@
import jenkins.model.FingerprintFacet;
import jenkins.model.Jenkins;
import jenkins.util.Timer;
-import org.acegisecurity.Authentication;
-import org.acegisecurity.GrantedAuthority;
-import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
-import org.acegisecurity.userdetails.UsernameNotFoundException;
import org.apache.commons.io.IOUtils;
-import org.apache.commons.io.output.NullOutputStream;
import org.apache.commons.lang.StringUtils;
import org.jenkins.ui.icon.IconSpec;
import org.kohsuke.accmod.Restricted;
@@ -104,6 +99,9 @@
import org.kohsuke.accmod.restrictions.NoExternalUse;
import org.kohsuke.stapler.Stapler;
import org.kohsuke.stapler.StaplerRequest;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
import static com.cloudbees.plugins.credentials.CredentialsStoreAction.FINGERPRINT_XML;
@@ -118,17 +116,7 @@ public abstract class CredentialsProvider extends Descriptor List getCredentials(@NonNull Class type, @Nullable ItemGroup itemGroup,
- @Nullable Authentication authentication) {
- return Collections.emptyList();
- }
- };
+ public static final CredentialsProvider NONE = new CredentialsProvider() {};
/**
* The permission group for credentials.
@@ -245,16 +233,8 @@ public static DescriptorExtensionList allCre
}
/**
- * Returns all credentials which are available to the {@link ACL#SYSTEM} {@link Authentication}
- * within the {@link Jenkins#get()}.
- *
- * @param type the type of credentials to get.
- * @param the credentials type.
- * @return the list of credentials.
- * @deprecated use {@link #lookupCredentials(Class, Item, Authentication, List)},
- * {@link #lookupCredentials(Class, Item, Authentication, DomainRequirement...)},
- * {@link #lookupCredentials(Class, ItemGroup, Authentication, List)}
- * or {@link #lookupCredentials(Class, ItemGroup, Authentication, DomainRequirement...)}
+ * @deprecated use {@link #lookupCredentialsInItem(Class, Item, Authentication, List)}
+ * or {@link #lookupCredentialsInItemGroup(Class, ItemGroup, Authentication, List)}
*/
@Deprecated
@NonNull
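Review bot: The javadoc of this deprecated `lookupCredentials` overload is cut down to the `@deprecated` tag alone, and the removed summary was the only text stating that it resolves credentials as the system identity within `Jenkins#get()`. Callers still on the old API lose the statement of which identity the lookup runs as, which matters for a credentials API. I would keep a one-sentence summary above the tag, e.g. `Returns all credentials available to {@link ACL#SYSTEM2} within {@link Jenkins#get()}.`, assuming that is the identity the delegate now uses. The same trimming is applied to the other deprecated overloads in the following hunks of this file, and the method itself lies outside this hunk.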
@@ -264,36 +244,19 @@ public static List lookupCredentials(@NonNull Class the credentials type.
- * @return the list of credentials.
- * @deprecated use {@link #lookupCredentials(Class, Item, Authentication, List)},
- * {@link #lookupCredentials(Class, Item, Authentication, DomainRequirement...)},
- * {@link #lookupCredentials(Class, ItemGroup, Authentication, List)}
- * or {@link #lookupCredentials(Class, ItemGroup, Authentication, DomainRequirement...)}
+ * @deprecated use {@link #lookupCredentialsInItem(Class, Item, Authentication, List)},
+ * {@link #lookupCredentialsInItemGroup(Class, ItemGroup, Authentication, List)}
*/
@Deprecated
@NonNull
@SuppressWarnings("unused") // API entry point for consumers
public static List lookupCredentials(@NonNull Class type,
- @Nullable Authentication authentication) {
+ @Nullable org.acegisecurity.Authentication authentication) {
return lookupCredentials(type, Jenkins.get(), authentication);
}
/**
- * Returns all credentials which are available to the {@link ACL#SYSTEM} {@link Authentication}
- * for use by the specified {@link Item}.
- *
- * @param type the type of credentials to get.
- * @param item the item.
- * @param the credentials type.
- * @return the list of credentials.
- * @deprecated use {@link #lookupCredentials(Class, Item, Authentication, List)}
- * or {@link #lookupCredentials(Class, Item, Authentication, DomainRequirement...)}
+ * @deprecated use {@link #lookupCredentialsInItem(Class, Item, Authentication, List)} instead.
*/
@Deprecated
@NonNull
@@ -306,15 +269,7 @@ public static List lookupCredentials(@NonNull Class the credentials type.
- * @return the list of credentials.
- * @deprecated use {@link #lookupCredentials(Class, ItemGroup, Authentication, List)}
- * or {@link #lookupCredentials(Class, ItemGroup, Authentication, DomainRequirement...)}
+ * @deprecated use {@link #lookupCredentialsInItemGroup(Class, ItemGroup, Authentication, List)} instead.
*/
@Deprecated
@NonNull
@@ -325,45 +280,40 @@ public static List lookupCredentials(@NonNull Class the credentials type.
- * @return the list of credentials.
- * @deprecated use {@link #lookupCredentials(Class, ItemGroup, Authentication, List)}
- * or {@link #lookupCredentials(Class, ItemGroup, Authentication, DomainRequirement...)}
+ * @deprecated use {@link #lookupCredentialsInItemGroup(Class, ItemGroup, Authentication)} instead.
*/
@Deprecated
@NonNull
@SuppressWarnings({"unchecked", "unused"}) // API entry point for consumers
public static List lookupCredentials(@NonNull Class type,
@Nullable ItemGroup itemGroup,
- @Nullable Authentication authentication) {
- return lookupCredentials(type, itemGroup, authentication, Collections.emptyList());
+ @Nullable org.acegisecurity.Authentication authentication) {
+ return lookupCredentialsInItemGroup(type, itemGroup, authentication == null ? null : authentication.toSpring(), Collections.emptyList());
}
/**
- * Returns all credentials which are available to the specified {@link Authentication}
- * for use by the specified {@link Item}.
- *
- * @param type the type of credentials to get.
- * @param authentication the authentication.
- * @param item the item.
- * @param the credentials type.
- * @return the list of credentials.
- * @deprecated use {@link #lookupCredentials(Class, Item, Authentication, List)}
- * or {@link #lookupCredentials(Class, Item, Authentication, DomainRequirement...)}
+ * @deprecated use {@link #lookupCredentialsInItem(Class, Item, Authentication)} instead.
*/
@Deprecated
@NonNull
@SuppressWarnings("unused") // API entry point for consumers
public static List lookupCredentials(@NonNull Class type,
@Nullable Item item,
- @Nullable Authentication authentication) {
- return lookupCredentials(type, item, authentication, Collections.emptyList());
+ @Nullable org.acegisecurity.Authentication authentication) {
+ return lookupCredentialsInItem(type, item, authentication == null ? null : authentication.toSpring(), Collections.emptyList());
+ }
+
+ /**
+ * @deprecated Use {@link #lookupCredentialsInItemGroup(Class, ItemGroup, Authentication)} or {@link #lookupCredentialsInItemGroup(Class, ItemGroup, Authentication, List)}.
+ */
+ @Deprecated
+ @NonNull
+ @SuppressWarnings({"unchecked", "unused"}) // API entry point for consumers
+ public static List lookupCredentials(@NonNull Class type,
+ @Nullable ItemGroup itemGroup,
+ @Nullable org.acegisecurity.Authentication authentication,
+ @Nullable DomainRequirement... domainRequirements) {
+ return lookupCredentialsInItemGroup(type, itemGroup, authentication == null ? null : authentication.toSpring(), Arrays.asList(domainRequirements == null ? new DomainRequirement[0] : domainRequirements));
}
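Review bot: Every deprecated bridge in this hunk repeats `authentication == null ? null : authentication.toSpring()` inline, and the same expression recurs in the `List`-taking `lookupCredentials` bridge and the `listCredentials` bridge in later hunks. A single private helper, `private static Authentication toSpringOrNull(org.acegisecurity.Authentication a) { return a == null ? null : a.toSpring(); }`, would keep the null handling in one place and shorten the over-long delegate lines. Keeping the null pass-through uniform matters because the new methods treat a null authentication as `ACL.SYSTEM2`, so a bridge that got it wrong would change which identity the lookup runs as.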
/**
@@ -373,18 +323,29 @@ public static List lookupCredentials(@NonNull Class the credentials type.
* @return the list of credentials.
- * @since 1.5
+ * @since TODO
*/
@NonNull
@SuppressWarnings({"unchecked", "unused"}) // API entry point for consumers
+ public static List lookupCredentialsInItemGroup(@NonNull Class type,
+ @Nullable ItemGroup itemGroup,
+ @Nullable Authentication authentication) {
+ return lookupCredentialsInItemGroup(type, itemGroup, authentication, List.of());
+ }
+
+ /**
+ * @deprecated Use {@link #lookupCredentialsInItemGroup(Class, ItemGroup, Authentication, List)} instead.
+ */
+ @NonNull
+ @SuppressWarnings({"unchecked", "unused"}) // API entry point for consumers
+ @Deprecated
public static List lookupCredentials(@NonNull Class type,
@Nullable ItemGroup itemGroup,
- @Nullable Authentication authentication,
- @Nullable DomainRequirement... domainRequirements) {
- return lookupCredentials(type, itemGroup, authentication, Arrays.asList(domainRequirements));
+ @Nullable org.acegisecurity.Authentication authentication,
+ @Nullable List domainRequirements) {
+ return lookupCredentialsInItemGroup(type, itemGroup, authentication == null ? null : authentication.toSpring(), domainRequirements);
}
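Review bot: `@since TODO` is left in the javadoc of the new public three-argument `lookupCredentialsInItemGroup`, and the same placeholder appears in the javadoc hunks for the `List`-taking `lookupCredentialsInItemGroup` and for `listCredentialsInItemGroup`. Consumers use this tag to decide which plugin version to depend on, so it should carry the real version before release, e.g. `@since <release version>`. The deprecated `List`-taking `lookupCredentials` bridge added here documents only `@deprecated`; a short sentence saying that `authentication` is converted with `toSpring()` and that `null` is passed through would help readers still on the old API.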
/**
@@ -397,19 +358,18 @@ public static List lookupCredentials(@NonNull Class the credentials type.
* @return the list of credentials.
- * @since 1.5
+ * @since TODO
*/
@NonNull
@SuppressWarnings({"unchecked", "unused"}) // API entry point for consumers
- public static List lookupCredentials(@NonNull Class type,
- @Nullable ItemGroup itemGroup,
- @Nullable Authentication authentication,
- @Nullable List
- domainRequirements) {
+ public static List lookupCredentialsInItemGroup(@NonNull Class type,
+ @Nullable ItemGroup itemGroup,
+ @Nullable Authentication authentication,
+ @Nullable List domainRequirements) {
Objects.requireNonNull(type);
Jenkins jenkins = Jenkins.get();
itemGroup = itemGroup == null ? jenkins : itemGroup;
- authentication = authentication == null ? ACL.SYSTEM : authentication;
+ authentication = authentication == null ? ACL.SYSTEM2 : authentication;
domainRequirements = domainRequirements
== null ? Collections.emptyList() : domainRequirements;
CredentialsResolver resolver = CredentialsResolver.getResolver(type);
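Review bot: A `null` `authentication` is silently promoted to `ACL.SYSTEM2` in the new `lookupCredentialsInItemGroup`, so a caller that fails to resolve an identity ends up querying with the most privileged one. Since this is a new entry point, its javadoc (above the hunk and not fully visible here) should say so explicitly if it does not already, e.g. `@param authentication the authentication to look up as; {@code null} is treated as {@link ACL#SYSTEM2}`. It may also be worth a `LOGGER.log(Level.FINE, ...)` line when the default is applied, so that unintended system-level lookups can be spotted. The method body continues past the end of the hunk.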
@@ -417,7 +377,7 @@ public static List lookupCredentials(@NonNull Class originals =
- lookupCredentials(resolver.getFromClass(), itemGroup, authentication, domainRequirements);
+ lookupCredentialsInItemGroup(resolver.getFromClass(), itemGroup, authentication, domainRequirements);
LOGGER.log(Level.FINE, "Original credentials for resolving: {0}", originals);
return resolver.resolve(originals);
}
@@ -426,7 +386,7 @@ public static List lookupCredentials(@NonNull Class List lookupCredentials(@NonNull Class ListBoxModel listCredentials(@NonNull Class type,
+ @Nullable ItemGroup itemGroup,
+ @Nullable org.acegisecurity.Authentication authentication,
+ @Nullable List
+ domainRequirements,
+ @Nullable CredentialsMatcher matcher) {
+ return listCredentialsInItemGroup(type, itemGroup, authentication == null ? null : authentication.toSpring(), domainRequirements, matcher);
+ }
+
/**
* Returns a {@link ListBoxModel} of all credentials which are available to the specified {@link Authentication}
* for use by the {@link Item}s in the specified {@link ItemGroup}.
@@ -454,18 +427,18 @@ public static List lookupCredentials(@NonNull Class the credentials type.
* @return the {@link ListBoxModel} of {@link IdCredentials#getId()} with the corresponding display names as
* provided by {@link CredentialsNameProvider}.
- * @since 2.1.0
+ * @since TODO
*/
- public static ListBoxModel listCredentials(@NonNull Class type,
- @Nullable ItemGroup itemGroup,
- @Nullable Authentication authentication,
- @Nullable List
+ public static ListBoxModel listCredentialsInItemGroup(@NonNull Class type,
+ @Nullable ItemGroup itemGroup,
+ @Nullable Authentication authentication,
+ @Nullable List
domainRequirements,
- @Nullable CredentialsMatcher matcher) {
+ @Nullable CredentialsMatcher matcher) {
Objects.requireNonNull(type);
Jenkins jenkins = Jenkins.get();
itemGroup = itemGroup == null ? jenkins : itemGroup;
- authentication = authentication == null ? ACL.SYSTEM : authentication;
+ authentication = authentication == null ? ACL.SYSTEM2 : authentication;
domainRequirements =
domainRequirements == null ? Collections.emptyList() : domainRequirements;
matcher = matcher == null ? CredentialsMatchers.always() : matcher;
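Review bot: `@since TODO` on `listCredentialsInItemGroup` is a placeholder that would be published in the Javadoc as-is unless the release tooling rewrites it. The same tag sits on the other new `*InItem`/`*InItemGroup` methods, on `findCredentialById(String, Class, Run)` and on `CredentialsStore.hasPermission2` in this patch. If nothing fills it in automatically, replace each with the first release that ships these signatures, e.g. `@since <next-release-version>`. Consumers use that value to choose their minimum plugin dependency when migrating off the acegi overloads.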
@@ -473,7 +446,7 @@ public static ListBoxModel listCredentials(@NonNull Cl
if (resolver != null && IdCredentials.class.isAssignableFrom(resolver.getFromClass())) {
LOGGER.log(Level.FINE, "Listing legacy credentials of type {0} identified by resolver {1}",
new Object[]{type, resolver});
- return listCredentials((Class) resolver.getFromClass(), itemGroup, authentication, domainRequirements,
+ return listCredentialsInItemGroup((Class) resolver.getFromClass(), itemGroup, authentication, domainRequirements,
matcher);
}
ListBoxModel result = new ListBoxModel();
@@ -481,7 +454,7 @@ public static ListBoxModel listCredentials(@NonNull Cl
for (CredentialsProvider provider : all()) {
if (provider.isEnabled(itemGroup) && provider.isApplicable(type)) {
try {
- for (ListBoxModel.Option option : provider.getCredentialIds(
+ for (ListBoxModel.Option option : provider.getCredentialIdsInItemGroup(
type, itemGroup, authentication, domainRequirements, matcher)
) {
if (ids.add(option.value)) {
@@ -498,6 +471,19 @@ public static ListBoxModel listCredentials(@NonNull Cl
return result;
}
+ /**
+ * @deprecated use {@link #lookupCredentialsInItemGroup(Class, ItemGroup, Authentication)} or {@link #lookupCredentialsInItemGroup(Class, ItemGroup, Authentication, List)}.
+ */
+ @Deprecated
+ @NonNull
+ @SuppressWarnings("unused") // API entry point for consumers
+ public static List lookupCredentials(@NonNull Class type,
+ @Nullable Item item,
+ @Nullable org.acegisecurity.Authentication authentication,
+ DomainRequirement... domainRequirements) {
+ return lookupCredentialsInItem(type, item, authentication == null ? null : authentication.toSpring(), Arrays.asList(domainRequirements));
+ }
+
/**
* Returns all credentials which are available to the specified {@link Authentication}
* for use by the specified {@link Item}.
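Review bot: The `@deprecated` tag on the new `lookupCredentials(Class, Item, org.acegisecurity.Authentication, DomainRequirement...)` bridge links to the `lookupCredentialsInItemGroup` overloads, but the method takes an `Item` and delegates to `lookupCredentialsInItem`. A caller following the link would switch from item scope to item-group scope, which can change which credentials are returned. I would write `@deprecated use {@link #lookupCredentialsInItem(Class, Item, Authentication)} or {@link #lookupCredentialsInItem(Class, Item, Authentication, List)}.` The reverse mix-up appears in later hunks: both deprecated `getCredentials(Class, ItemGroup, ...)` bridges link to `getCredentialsInItem`, and the Javadoc of `getCredentialIdsInItemGroup` says the default uses `getCredentialsInItem` although the body calls `getCredentialsInItemGroup`.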
@@ -505,18 +491,30 @@ public static ListBoxModel listCredentials(@NonNull Cl
* @param type the type of credentials to get.
* @param authentication the authentication.
* @param item the item.
- * @param domainRequirements the credential domains to match.
* @param the credentials type.
* @return the list of credentials.
- * @since 1.5
+ * @since TODO
+ */
+ @NonNull
+ @SuppressWarnings("unused") // API entry point for consumers
+ public static List lookupCredentialsInItem(@NonNull Class type,
+ @Nullable Item item,
+ @Nullable Authentication authentication) {
+ return lookupCredentialsInItem(type, item, authentication, List.of());
+ }
+
+ /**
+ * @deprecated use {@link #lookupCredentialsInItem(Class, Item, Authentication, List)}
*/
@NonNull
@SuppressWarnings("unused") // API entry point for consumers
+ @Deprecated
public static List lookupCredentials(@NonNull Class type,
@Nullable Item item,
- @Nullable Authentication authentication,
- DomainRequirement... domainRequirements) {
- return lookupCredentials(type, item, authentication, Arrays.asList(domainRequirements));
+ @Nullable org.acegisecurity.Authentication authentication,
+ @Nullable List
+ domainRequirements) {
+ return lookupCredentialsInItem(type, item, authentication == null ? null : authentication.toSpring(), domainRequirements);
}
/**
@@ -529,23 +527,23 @@ public static List lookupCredentials(@NonNull Class the credentials type.
* @return the list of credentials.
- * @since 1.5
+ * @since TODO
*/
@NonNull
@SuppressWarnings("unused") // API entry point for consumers
- public static List lookupCredentials(@NonNull Class type,
- @Nullable Item item,
- @Nullable Authentication authentication,
- @Nullable List
+ public static List lookupCredentialsInItem(@NonNull Class type,
+ @Nullable Item item,
+ @Nullable Authentication authentication,
+ @Nullable List
domainRequirements) {
Objects.requireNonNull(type);
if (item == null) {
- return lookupCredentials(type, Jenkins.get(), authentication, domainRequirements);
+ return lookupCredentialsInItemGroup(type, Jenkins.get(), authentication, domainRequirements);
}
if (item instanceof ItemGroup) {
- return lookupCredentials(type, (ItemGroup)item, authentication, domainRequirements);
+ return lookupCredentialsInItemGroup(type, (ItemGroup)item, authentication, domainRequirements);
}
- authentication = authentication == null ? ACL.SYSTEM : authentication;
+ authentication = authentication == null ? ACL.SYSTEM2 : authentication;
domainRequirements = domainRequirements
== null ? Collections.emptyList() : domainRequirements;
CredentialsResolver resolver = CredentialsResolver.getResolver(type);
@@ -553,7 +551,7 @@ public static List lookupCredentials(@NonNull Class originals =
- lookupCredentials(resolver.getFromClass(), item, authentication, domainRequirements);
+ lookupCredentialsInItem(resolver.getFromClass(), item, authentication, domainRequirements);
LOGGER.log(Level.FINE, "Original credentials for resolving: {0}", originals);
return resolver.resolve(originals);
}
@@ -562,7 +560,7 @@ public static List lookupCredentials(@NonNull Class List lookupCredentials(@NonNull Class ListBoxModel listCredentials(@NonNull Class type,
+ @Nullable Item item,
+ @Nullable org.acegisecurity.Authentication authentication,
+ @Nullable List
+ domainRequirements,
+ @Nullable CredentialsMatcher matcher) {
+ return listCredentialsInItem(type, item, authentication == null ? null : authentication.toSpring(), domainRequirements, matcher);
+ }
+
/**
* Returns a {@link ListBoxModel} of all credentials which are available to the specified {@link Authentication}
* for use by the specified {@link Item}.
@@ -590,30 +602,30 @@ public static List lookupCredentials(@NonNull Class the credentials type.
* @return the {@link ListBoxModel} of {@link IdCredentials#getId()} with the corresponding display names as
* provided by {@link CredentialsNameProvider}.
- * @since 2.1.0
+ * @since TODO
*/
@NonNull
- public static ListBoxModel listCredentials(@NonNull Class type,
- @Nullable Item item,
- @Nullable Authentication authentication,
- @Nullable List
+ public static ListBoxModel listCredentialsInItem(@NonNull Class type,
+ @Nullable Item item,
+ @Nullable Authentication authentication,
+ @Nullable List
domainRequirements,
- @Nullable CredentialsMatcher matcher) {
+ @Nullable CredentialsMatcher matcher) {
Objects.requireNonNull(type);
if (item == null) {
- return listCredentials(type, Jenkins.get(), authentication, domainRequirements, matcher);
+ return listCredentialsInItemGroup(type, Jenkins.get(), authentication, domainRequirements, matcher);
}
if (item instanceof ItemGroup) {
- return listCredentials(type, (ItemGroup) item, authentication, domainRequirements, matcher);
+ return listCredentialsInItemGroup(type, (ItemGroup) item, authentication, domainRequirements, matcher);
}
- authentication = authentication == null ? ACL.SYSTEM : authentication;
+ authentication = authentication == null ? ACL.SYSTEM2 : authentication;
domainRequirements = domainRequirements
== null ? Collections.emptyList() : domainRequirements;
CredentialsResolver resolver = CredentialsResolver.getResolver(type);
if (resolver != null && IdCredentials.class.isAssignableFrom(resolver.getFromClass())) {
LOGGER.log(Level.FINE, "Listing legacy credentials of type {0} identified by resolver {1}",
new Object[]{type, resolver});
- return listCredentials((Class) resolver.getFromClass(), item, authentication,
+ return listCredentialsInItem((Class) resolver.getFromClass(), item, authentication,
domainRequirements, matcher);
}
ListBoxModel result = new ListBoxModel();
@@ -621,8 +633,8 @@ public static ListBoxModel listCredentials(@NonNull Cl
for (CredentialsProvider provider : all()) {
if (provider.isEnabled(item) && provider.isApplicable(type)) {
try {
- for (ListBoxModel.Option option : provider.getCredentialIds(
- type, item, authentication, domainRequirements, matcher)
+ for (ListBoxModel.Option option : provider.getCredentialIdsInItem(
+ type, item, authentication, domainRequirements, matcher == null ? CredentialsMatchers.always() : matcher)
) {
if (ids.add(option.value)) {
result.add(option);
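Review bot: The `null` default for `matcher` is applied inline in the `provider.getCredentialIdsInItem(...)` call, whereas `listCredentialsInItemGroup` normalises it once at the top with `matcher = matcher == null ? CredentialsMatchers.always() : matcher;`. Handling it at a single call site makes it easy for a later use of `matcher` in `listCredentialsInItem` to receive `null` even though the provider methods declare the parameter `@NonNull`. I would move the same statement next to the `authentication` and `domainRequirements` defaults in the previous hunk and pass plain `matcher` here. The method continues past the end of this hunk.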
@@ -726,15 +738,15 @@ public boolean hasNext() {
Authentication a;
if (jenkins.hasPermission(USE_ITEM) && current == User.current()) {
// this is the fast path for the 99% of cases
- a = Jenkins.getAuthentication();
+ a = Jenkins.getAuthentication2();
} else {
try {
- a = ((User) current).impersonate();
+ a = ((User) current).impersonate2();
} catch (UsernameNotFoundException e) {
- a = null;
+ a = Jenkins.ANONYMOUS2;
}
}
- if (current == User.current() && jenkins.getACL().hasPermission(a, USE_ITEM)) {
+ if (current == User.current() && jenkins.getACL().hasPermission2(a, USE_ITEM)) {
current = jenkins;
iterator = providers.iterator();
} else {
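Review bot: The `catch (UsernameNotFoundException e)` branch in `hasNext()` now falls back to `Jenkins.ANONYMOUS2` instead of `null`, but it does so silently and without saying why. A short comment would record the intent, e.g. `// user is unknown to the security realm: evaluate USE_ITEM as anonymous instead of passing a null Authentication`. A FINE-level entry such as `LOGGER.log(Level.FINE, "Could not impersonate {0}, using anonymous", current);` would also make a missing credential traceable when a user has been removed from the realm. The enclosing method starts and ends outside this hunk.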
@@ -826,11 +838,11 @@ public static C snapshot(Class clazz, C credential) {
* Helper method to get the default authentication to use for an {@link Item}.
*/
@NonNull
- /*package*/ static Authentication getDefaultAuthenticationOf(Item item) {
+ /*package*/ static Authentication getDefaultAuthenticationOf2(Item item) {
if (item instanceof Queue.Task) {
- return Tasks.getAuthenticationOf((Queue.Task) item);
+ return Tasks.getAuthenticationOf2((Queue.Task) item);
} else {
- return ACL.SYSTEM;
+ return ACL.SYSTEM2;
}
}
@@ -843,13 +855,20 @@ public static C snapshot(Class clazz, C credential) {
* @param id either the id of the credential to find or a parameter expression for the id.
* @param type the type of credential to find.
* @param run the {@link Run} defining the context within which to find the credential.
- * @param domainRequirements the domain requirements of the credential.
* @param the credentials type.
* @return the credential or {@code null} if either the credential cannot be found or the user triggering the run
* is not permitted to use the credential in the context of the run.
- * @since 1.16
+ * @since TODO
*/
@CheckForNull
+ public static C findCredentialById(@NonNull String id, @NonNull Class type,
+ @NonNull Run, ?> run) {
+ return findCredentialById(id, type, run, List.of());
+ }
+
+ /**
+ * @deprecated Use {@link #findCredentialById(String, Class, Run, List)} instead.
+ */
public static C findCredentialById(@NonNull String id, @NonNull Class type,
@NonNull Run, ?> run,
DomainRequirement... domainRequirements) {
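Review bot: The existing `@CheckForNull` now annotates the new three-argument `findCredentialById`, so the varargs overload below it is left with only a Javadoc `@deprecated` tag, with no `@Deprecated` annotation and no nullness annotation. Without `@Deprecated` the compiler does not warn callers, and without `@CheckForNull` static analysis no longer flags an unchecked result, although the Javadoc above says `null` is returned when the user may not use the credential. I would add `@Deprecated` and `@CheckForNull` directly above the varargs signature. Its body lies outside this hunk.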
@@ -906,15 +925,15 @@ public static C findCredentialById(@NonNull String id,
// we use the default authentication of the job as those are the only ones that can be configured
// if a different strategy is in play it doesn't make sense to consider the run-time authentication
// as you would have no way to configure it
- Authentication runAuth = CredentialsProvider.getDefaultAuthenticationOf(run.getParent());
+ Authentication runAuth = CredentialsProvider.getDefaultAuthenticationOf2(run.getParent());
// we want the credentials available to the user the build is running as
List candidates = new ArrayList<>(
- CredentialsProvider.lookupCredentials(type, run.getParent(), runAuth, domainRequirements)
+ CredentialsProvider.lookupCredentialsInItem(type, run.getParent(), runAuth, domainRequirements)
);
// if that user can use the item's credentials, add those in too
- if (runAuth != ACL.SYSTEM && run.hasPermission(runAuth, CredentialsProvider.USE_ITEM)) {
+ if (runAuth != ACL.SYSTEM2 && run.hasPermission2(runAuth, CredentialsProvider.USE_ITEM)) {
candidates.addAll(
- CredentialsProvider.lookupCredentials(type, run.getParent(), ACL.SYSTEM, domainRequirements)
+ CredentialsProvider.lookupCredentialsInItem(type, run.getParent(), ACL.SYSTEM2, domainRequirements)
);
}
// TODO should this be calling track?
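Review bot: `runAuth != ACL.SYSTEM2` is an identity comparison, so it is only correct if every path through `getDefaultAuthenticationOf2` returns the very same `ACL.SYSTEM2` instance. Whether `Tasks.getAuthenticationOf2` guarantees that for authenticators still written against the acegi API cannot be seen from this patch. `!ACL.SYSTEM2.equals(runAuth)` does not depend on that, and the same applies to the second `runAuth != ACL.SYSTEM2` check in the next hunk. If the comparison misses, the SYSTEM lookup simply runs twice and duplicates candidates, so this is a robustness point rather than a privilege issue. The method starts and ends outside this hunk.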
@@ -922,37 +941,37 @@ public static C findCredentialById(@NonNull String id,
}
// this is a parameter and not the default value, we need to determine who triggered the build
final Map.Entry> triggeredBy = triggeredBy(run);
- final Authentication a = triggeredBy == null ? Jenkins.ANONYMOUS : triggeredBy.getKey().impersonate();
+ final Authentication a = triggeredBy == null ? Jenkins.ANONYMOUS2 : triggeredBy.getKey().impersonate2();
List candidates = new ArrayList<>();
- if (triggeredBy != null && run == triggeredBy.getValue() && run.hasPermission(a, CredentialsProvider.USE_OWN)) {
+ if (triggeredBy != null && run == triggeredBy.getValue() && run.hasPermission2(a, CredentialsProvider.USE_OWN)) {
// the user triggered this job directly and they are allowed to supply their own credentials, so
// add those into the list. We do not want to follow the chain for the user's authentication
// though, as there is no way to limit how far the passed-through parameters can be used
- candidates.addAll(CredentialsProvider.lookupCredentials(type, run.getParent(), a, domainRequirements));
+ candidates.addAll(CredentialsProvider.lookupCredentialsInItem(type, run.getParent(), a, domainRequirements));
}
if (inputUserId != null) {
final User inputUser = User.getById(inputUserId, false);
if (inputUser != null) {
- final Authentication inputAuth = inputUser.impersonate();
- if (run.hasPermission(inputAuth, CredentialsProvider.USE_OWN)) {
- candidates.addAll(CredentialsProvider.lookupCredentials(type, run.getParent(), inputAuth, domainRequirements));
+ final Authentication inputAuth = inputUser.impersonate2();
+ if (run.hasPermission2(inputAuth, CredentialsProvider.USE_OWN)) {
+ candidates.addAll(CredentialsProvider.lookupCredentialsInItem(type, run.getParent(), inputAuth, domainRequirements));
}
}
}
- if (run.hasPermission(a, CredentialsProvider.USE_ITEM)) {
+ if (run.hasPermission2(a, CredentialsProvider.USE_ITEM)) {
// the triggering user is allowed to use the item's credentials, so add those into the list
// we use the default authentication of the job as those are the only ones that can be configured
// if a different strategy is in play it doesn't make sense to consider the run-time authentication
// as you would have no way to configure it
- Authentication runAuth = CredentialsProvider.getDefaultAuthenticationOf(run.getParent());
+ Authentication runAuth = CredentialsProvider.getDefaultAuthenticationOf2(run.getParent());
// we want the credentials available to the user the build is running as
candidates.addAll(
- CredentialsProvider.lookupCredentials(type, run.getParent(), runAuth, domainRequirements)
+ CredentialsProvider.lookupCredentialsInItem(type, run.getParent(), runAuth, domainRequirements)
);
// if that user can use the item's credentials, add those in too
- if (runAuth != ACL.SYSTEM && run.hasPermission(runAuth, CredentialsProvider.USE_ITEM)) {
+ if (runAuth != ACL.SYSTEM2 && run.hasPermission2(runAuth, CredentialsProvider.USE_ITEM)) {
candidates.addAll(
- CredentialsProvider.lookupCredentials(type, run.getParent(), ACL.SYSTEM, domainRequirements)
+ CredentialsProvider.lookupCredentialsInItem(type, run.getParent(), ACL.SYSTEM2, domainRequirements)
);
}
}
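Review bot: The `impersonate2()` calls for the triggering user and for `inputUser` are not guarded against `UsernameNotFoundException`, although `hasNext()` earlier in this file catches it around the same call and falls back to `Jenkins.ANONYMOUS2`. If a user is no longer known to the security realm when the run resolves its credentials (an inferred scenario), the exception would propagate out of `findCredentialById` instead of yielding no user-scoped candidates. I would apply the same fallback for the trigger and skip the input user's lookup on failure. The method starts and ends outside this hunk.
```java
Authentication triggerAuth;
try {
    triggerAuth = triggeredBy == null ? Jenkins.ANONYMOUS2 : triggeredBy.getKey().impersonate2();
} catch (UsernameNotFoundException e) {
    // triggering user is unknown to the security realm: evaluate permissions as anonymous
    triggerAuth = Jenkins.ANONYMOUS2;
}
final Authentication a = triggerAuth;
// … unchanged: candidate collection for the triggering user …
// … same try/catch around inputUser.impersonate2(), skipping the lookup on failure …
```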
@@ -1124,19 +1143,28 @@ public CredentialsStore getStore(@CheckForNull ModelObject object) {
}
/**
- * Returns the credentials provided by this provider which are available to the specified {@link Authentication}
- * for items in the specified {@link ItemGroup}
- *
- * @param type the type of credentials to return.
- * @param itemGroup the item group (if {@code null} assume {@link Jenkins#get()}.
- * @param authentication the authentication (if {@code null} assume {@link ACL#SYSTEM}.
- * @param the credentials type.
- * @return the list of credentials.
+ * @deprecated use {@link #getCredentialsInItem(Class, Item, Authentication, List)} instead.
*/
@NonNull
- public abstract List getCredentials(@NonNull Class type,
+ @Deprecated
+ public List getCredentials(@NonNull Class type,
@Nullable ItemGroup itemGroup,
- @Nullable Authentication authentication);
+ @Nullable org.acegisecurity.Authentication authentication) {
+ return getCredentialsInItemGroup(type, itemGroup, authentication == null ? null : authentication.toSpring(), List.of());
+ }
+
+ /**
+ * @deprecated use {@link #getCredentialsInItem(Class, Item, Authentication, List)} instead.
+ */
+ @Deprecated
+ @NonNull
+ public List getCredentials(@NonNull Class type,
+ @Nullable ItemGroup itemGroup,
+ @Nullable org.acegisecurity.Authentication authentication,
+ @NonNull List domainRequirements) {
+ return getCredentialsInItemGroup(type, itemGroup, authentication == null ? null : authentication.toSpring(), domainRequirements);
+ }
+
/**
* Returns the credentials provided by this provider which are available to the specified {@link Authentication}
@@ -1145,20 +1173,38 @@ public abstract List getCredentials(@NonNull Class
*
* @param type the type of credentials to return.
* @param itemGroup the item group (if {@code null} assume {@link Jenkins#get()}.
- * @param authentication the authentication (if {@code null} assume {@link ACL#SYSTEM}.
+ * @param authentication the authentication (if {@code null} assume {@link ACL#SYSTEM2}.
* @param domainRequirements the credential domains to match (if the {@link CredentialsProvider} does not support
* {@link DomainRequirement}s then it should
* assume the match is true).
* @param the credentials type.
* @return the list of credentials.
- * @since 1.5
+ * @since TODO
*/
@NonNull
- public List getCredentials(@NonNull Class type,
- @Nullable ItemGroup itemGroup,
- @Nullable Authentication authentication,
- @NonNull List domainRequirements) {
- return getCredentials(type, itemGroup, authentication);
+ @SuppressWarnings("deprecation")
+ public List getCredentialsInItemGroup(@NonNull Class type,
+ @Nullable ItemGroup itemGroup,
+ @Nullable Authentication authentication,
+ @NonNull List domainRequirements) {
+ if (Util.isOverridden(CredentialsProvider.class, getClass(), "getCredentials", Class.class, ItemGroup.class, org.acegisecurity.Authentication.class, List.class)) {
+ return getCredentials(type, itemGroup, authentication == null ? null : org.acegisecurity.Authentication.fromSpring(authentication), domainRequirements);
+ }
+ throw new AbstractMethodError("Implement getCredentialsInItemGroup");
+ }
+
+ /**
+ * @deprecated Use {@link #getCredentialIdsInItemGroup(Class, ItemGroup, Authentication, List, CredentialsMatcher)} instead.
+ */
+ @NonNull
+ @Deprecated
+ public ListBoxModel getCredentialIds(@NonNull Class type,
+ @Nullable ItemGroup itemGroup,
+ @Nullable org.acegisecurity.Authentication authentication,
+ @NonNull
+ List domainRequirements,
+ @NonNull CredentialsMatcher matcher) {
+ return getCredentialIdsInItemGroup(type, itemGroup, authentication == null ? null : authentication.toSpring(), domainRequirements, matcher);
}
/**
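Review bot: A provider that implements only the formerly abstract three-argument `getCredentials(Class, ItemGroup, Authentication)` now gets `AbstractMethodError` from `getCredentialsInItemGroup`, because `Util.isOverridden` is asked about the four-argument legacy signature only. Before this change the four-argument default delegated to that three-argument method, so such providers worked. I would add a second bridge for the three-argument form before throwing. `getCredentialsInItem` and the `getCredentialIds*` defaults in later hunks have no bridge to legacy overrides at all, so an item-scoped legacy override would be skipped without any error. It is also worth testing a legacy override that calls `super.getCredentials(...)`, since the deprecated base method now routes back into this check.
```java
if (Util.isOverridden(CredentialsProvider.class, getClass(), "getCredentials", Class.class, ItemGroup.class, org.acegisecurity.Authentication.class, List.class)) {
    // … unchanged: call the legacy four-argument override …
}
// providers written against the old API only had to implement the three-argument form
if (Util.isOverridden(CredentialsProvider.class, getClass(), "getCredentials",
        Class.class, ItemGroup.class, org.acegisecurity.Authentication.class)) {
    return getCredentials(type, itemGroup,
            authentication == null ? null : org.acegisecurity.Authentication.fromSpring(authentication));
}
throw new AbstractMethodError("Implement getCredentialsInItemGroup");
```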
@@ -1167,7 +1213,7 @@ public List getCredentials(@NonNull Class type,
* specified {@link DomainRequirement}s.
* NOTE: implementations are recommended to override this method if the actual secret information
* is being stored external from Jenkins and the non-secret information can be accessed with lesser traceability
- * requirements. The default implementation just uses {@link #getCredentials(Class, Item, Authentication, List)}
+ * requirements. The default implementation just uses {@link #getCredentialsInItem(Class, Item, Authentication, List)}
* to build the {@link ListBoxModel}. Handling the {@link CredentialsMatcher} may require standing up a proxy
* instance to apply the matcher against if {@link CredentialsMatchers#describe(CredentialsMatcher)} returns
* {@code null}
@@ -1175,21 +1221,21 @@ public List getCredentials(@NonNull Class type,
* @param the credentials type.
* @param type the type of credentials to return.
* @param itemGroup the item group (if {@code null} assume {@link Jenkins#get()}.
- * @param authentication the authentication (if {@code null} assume {@link ACL#SYSTEM}.
+ * @param authentication the authentication (if {@code null} assume {@link ACL#SYSTEM2}.
* @param domainRequirements the credential domain to match.
* @param matcher the additional filtering to apply to the credentials
* @return the {@link ListBoxModel} of {@link IdCredentials#getId()} with names provided by
* {@link CredentialsNameProvider}.
- * @since 2.1.0
+ * @since TODO
*/
@NonNull
- public ListBoxModel getCredentialIds(@NonNull Class type,
- @Nullable ItemGroup itemGroup,
- @Nullable Authentication authentication,
- @NonNull
+ public ListBoxModel getCredentialIdsInItemGroup(@NonNull Class type,
+ @Nullable ItemGroup itemGroup,
+ @Nullable Authentication authentication,
+ @NonNull
List domainRequirements,
- @NonNull CredentialsMatcher matcher) {
- return getCredentials(type, itemGroup, authentication, domainRequirements)
+ @NonNull CredentialsMatcher matcher) {
+ return getCredentialsInItemGroup(type, itemGroup, authentication, domainRequirements)
.stream()
.filter(matcher::matches)
.sorted(new CredentialsNameComparator())
@@ -1198,21 +1244,27 @@ public ListBoxModel getCredentialIds(@NonNull Class
}
/**
- * Returns the credentials provided by this provider which are available to the specified {@link Authentication}
- * for the specified {@link Item}
- *
- * @param type the type of credentials to return.
- * @param item the item.
- * @param authentication the authentication (if {@code null} assume {@link ACL#SYSTEM}.
- * @param the credentials type.
- * @return the list of credentials.
+ * @deprecated Use {@link #getCredentialsInItem(Class, Item, Authentication, List)} instead.
*/
+ @Deprecated
@NonNull
public List getCredentials(@NonNull Class type,
@NonNull Item item,
- @Nullable Authentication authentication) {
+ @Nullable org.acegisecurity.Authentication authentication) {
Objects.requireNonNull(item);
- return getCredentials(type, item.getParent(), authentication);
+ return getCredentialsInItemGroup(type, item.getParent(), authentication == null ? null : authentication.toSpring(), List.of());
+ }
+
+ /**
+ * @deprecated Use {@link #getCredentialsInItem(Class, Item, Authentication, List)} instead.
+ */
+ @Deprecated
+ @NonNull
+ public List getCredentials(@NonNull Class type,
+ @NonNull Item item,
+ @Nullable org.acegisecurity.Authentication authentication,
+ @NonNull List domainRequirements) {
+ return getCredentialsInItem(type, item, authentication == null ? null : authentication.toSpring(), domainRequirements);
}
/**
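Review bot: The deprecated three-argument `getCredentials(Class, Item, org.acegisecurity.Authentication)` resolves `item.getParent()` and calls `getCredentialsInItemGroup` directly, while its `@deprecated` tag names `getCredentialsInItem` as the replacement. The four-argument sibling added below it does delegate to `getCredentialsInItem`, which in the next hunk uses the item itself when it is an `ItemGroup` and is the method a provider would override for item-specific behaviour. The two overloads can therefore return different credential sets for the same item. Either delegate here as well with `return getCredentialsInItem(type, item, authentication == null ? null : authentication.toSpring(), List.of());`, or, if the parent-scope result is kept for compatibility, say so in the Javadoc.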
@@ -1221,51 +1273,64 @@ public List getCredentials(@NonNull Class type,
*
* @param type the type of credentials to return.
* @param item the item.
- * @param authentication the authentication (if {@code null} assume {@link ACL#SYSTEM}.
+ * @param authentication the authentication (if {@code null} assume {@link ACL#SYSTEM2}.
* @param domainRequirements the credential domain to match.
* @param the credentials type.
* @return the list of credentials.
- * @since 1.5
+ * @since TODO
*/
@NonNull
- public List getCredentials(@NonNull Class type,
- @NonNull Item item,
- @Nullable Authentication authentication,
- @NonNull List domainRequirements) {
- return getCredentials(type, item instanceof ItemGroup ? (ItemGroup) item : item.getParent(),
+ public List getCredentialsInItem(@NonNull Class type,
+ @NonNull Item item,
+ @Nullable Authentication authentication,
+ @NonNull List domainRequirements) {
+ return getCredentialsInItemGroup(type, item instanceof ItemGroup ? (ItemGroup) item : item.getParent(),
authentication, domainRequirements);
}
+ /**
+ * @deprecated Use {@link #getCredentialIdsInItem(Class, Item, Authentication, List, CredentialsMatcher)} instead.
+ */
+ @NonNull
+ @Deprecated
+ public ListBoxModel getCredentialIds(@NonNull Class type,
+ @NonNull Item item,
+ @Nullable org.acegisecurity.Authentication authentication,
+ @NonNull List domainRequirements,
+ @NonNull CredentialsMatcher matcher) {
+ return getCredentialIdsInItem(type, item, authentication == null ? null : authentication.toSpring(), domainRequirements, matcher);
+ }
+
/**
* Returns a {@link ListBoxModel} of the credentials provided by this provider which are available to the
* specified {@link Authentication} for the specified {@link Item} and are appropriate for the
* specified {@link DomainRequirement}s.
* NOTE: implementations are recommended to override this method if the actual secret information
* is being stored external from Jenkins and the non-secret information can be accessed with lesser traceability
- * requirements. The default implementation just uses {@link #getCredentials(Class, Item, Authentication, List)}
+ * requirements. The default implementation just uses {@link #getCredentialsInItem(Class, Item, Authentication, List)}
* to build the {@link ListBoxModel}. Handling the {@link CredentialsMatcher} may require standing up a proxy
* instance to apply the matcher against.
*
* @param type the type of credentials to return.
* @param item the item.
- * @param authentication the authentication (if {@code null} assume {@link ACL#SYSTEM}.
+ * @param authentication the authentication (if {@code null} assume {@link ACL#SYSTEM2}.
* @param domainRequirements the credential domain to match.
* @param matcher the additional filtering to apply to the credentials
* @param the credentials type.
* @return the {@link ListBoxModel} of {@link IdCredentials#getId()} with names provided by
* {@link CredentialsNameProvider}.
- * @since 2.1.0
+ * @since TODO
*/
@NonNull
- public ListBoxModel getCredentialIds(@NonNull Class type,
- @NonNull Item item,
- @Nullable Authentication authentication,
- @NonNull List domainRequirements,
- @NonNull CredentialsMatcher matcher) {
+ public ListBoxModel getCredentialIdsInItem(@NonNull Class type,
+ @NonNull Item item,
+ @Nullable Authentication authentication,
+ @NonNull List domainRequirements,
+ @NonNull CredentialsMatcher matcher) {
if (item instanceof ItemGroup) {
- return getCredentialIds(type, (ItemGroup) item, authentication, domainRequirements, matcher);
+ return getCredentialIdsInItemGroup(type, (ItemGroup) item, authentication, domainRequirements, matcher);
}
- return getCredentials(type, item, authentication, domainRequirements)
+ return getCredentialsInItem(type, item, authentication, domainRequirements)
.stream()
.filter(matcher::matches)
.sorted(new CredentialsNameComparator())
@@ -1690,9 +1755,9 @@ public static void saveAll() {
Jenkins jenkins = Jenkins.get();
jenkins.checkPermission(Jenkins.ADMINISTER);
LOGGER.log(Level.INFO, "Forced save credentials stores: Requested by {0}",
- StringUtils.defaultIfBlank(Jenkins.getAuthentication().getName(), "anonymous"));
+ StringUtils.defaultIfBlank(Jenkins.getAuthentication2().getName(), "anonymous"));
Timer.get().execute(() -> {
- try (ACLContext ctx = ACL.as(ACL.SYSTEM)) {
+ try (ACLContext ignored = ACL.as2(ACL.SYSTEM2)) {
if (jenkins.getInitLevel().compareTo(InitMilestone.JOB_LOADED) < 0) {
LOGGER.log(Level.INFO, "Forced save credentials stores: Initialization has not completed");
while (jenkins.getInitLevel().compareTo(InitMilestone.JOB_LOADED) < 0) {
@@ -1747,8 +1812,8 @@ public static void saveAll() {
// to ensure that User.current() == user
// while we could use User.impersonate() that would force a query against the backing
// SecurityRealm to revalidate
- ACL.impersonate(new UsernamePasswordAuthenticationToken(user.getId(), "",
- new GrantedAuthority[]{SecurityRealm.AUTHENTICATED_AUTHORITY}));
+ ACL.impersonate2(new UsernamePasswordAuthenticationToken(user.getId(), "",
+ Set.of(SecurityRealm.AUTHENTICATED_AUTHORITY2)));
for (CredentialsStore s : lookupStores(user)) {
if (user == s.getContext()) {
// only save if the store is associated with this context item as otherwise will
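Review bot: `ACL.impersonate2(...)` swaps the thread's authentication and its return value is discarded, so nothing visible in this hunk restores the previous context after the per-user save. The surrounding `saveAll()` task already uses the scoped form `try (ACLContext ignored = ACL.as2(ACL.SYSTEM2))`, and the same form here would limit the impersonation to the block that needs `User.current() == user`: `try (ACLContext userCtx = ACL.as2(new UsernamePasswordAuthenticationToken(user.getId(), "", Set.of(SecurityRealm.AUTHENTICATED_AUTHORITY2)))) { … }`. The loop body continues outside this hunk, so an outer context may already reset it at the end. Even then, the code after this store loop would still run as the last impersonated user until that point.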
diff --git a/src/main/java/com/cloudbees/plugins/credentials/CredentialsStore.java b/src/main/java/com/cloudbees/plugins/credentials/CredentialsStore.java
index fd3626c55..ee2e15cf5 100644
--- a/src/main/java/com/cloudbees/plugins/credentials/CredentialsStore.java
+++ b/src/main/java/com/cloudbees/plugins/credentials/CredentialsStore.java
@@ -41,7 +41,7 @@
import hudson.model.User;
import hudson.security.ACL;
import hudson.security.AccessControlled;
-import hudson.security.AccessDeniedException2;
+import hudson.security.AccessDeniedException3;
import hudson.security.Permission;
import java.io.IOException;
import java.net.URI;
@@ -51,10 +51,10 @@
import java.util.Set;
import java.util.stream.Collectors;
import jenkins.model.Jenkins;
-import org.acegisecurity.Authentication;
import org.apache.commons.lang.StringUtils;
import org.kohsuke.stapler.Stapler;
import org.kohsuke.stapler.StaplerRequest;
+import org.springframework.security.core.Authentication;
/**
* A store of {@link Credentials}. Each {@link CredentialsStore} is associated with one and only one
@@ -167,14 +167,30 @@ public final Set getScopes() {
@NonNull
public abstract ModelObject getContext();
+
+ /**
+ * @deprecated Use {@link #hasPermission2(Authentication, Permission)} instead.
+ */
+ @Deprecated
+ public boolean hasPermission(@NonNull org.acegisecurity.Authentication a, @NonNull Permission permission) {
+ return hasPermission2(a.toSpring(), permission);
+ }
+
/**
* Checks if the given principle has the given permission.
*
* @param a the principle.
* @param permission the permission.
* @return {@code false} if the user doesn't have the permission.
+ * @since TODO
*/
- public abstract boolean hasPermission(@NonNull Authentication a, @NonNull Permission permission);
+ public boolean hasPermission2(@NonNull Authentication a, @NonNull Permission permission) {
+ if (Util.isOverridden(CredentialsStore.class, getClass(), "hasPermission", org.acegisecurity.Authentication.class,
+ Permission.class)) {
+ return hasPermission(org.acegisecurity.Authentication.fromSpring(a), permission);
+ }
+ throw new AbstractMethodError("Implement hasPermission2");
+ }
/**
* {@inheritDoc}
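Review bot: `hasPermission2` replaces an abstract method with a concrete one that throws `AbstractMethodError` unless the legacy `hasPermission` is overridden, but its Javadoc still reads like an ordinary query method. A `CredentialsStore` subclass that implements neither now compiles and only fails at the first permission check. I would add a sentence such as `Implementations must override this method; the default only bridges to a legacy {@code hasPermission(org.acegisecurity.Authentication, Permission)} override and otherwise throws {@link AbstractMethodError}.` The same contract applies to `CredentialsProvider.getCredentialsInItemGroup` earlier in the patch.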
@@ -185,8 +201,8 @@ public ACL getACL() {
// an effective ACL implementation.
return new ACL() {
@Override
- public boolean hasPermission(@NonNull Authentication a, @NonNull Permission permission) {
- return CredentialsStore.this.hasPermission(a, permission);
+ public boolean hasPermission2(@NonNull Authentication a, @NonNull Permission permission) {
+ return CredentialsStore.this.hasPermission2(a, permission);
}
};
}
@@ -197,12 +213,12 @@ public boolean hasPermission(@NonNull Authentication a, @NonNull Permission perm
* Note: This is just a convenience function.
*
*
- * @throws org.acegisecurity.AccessDeniedException if the user doesn't have the permission.
+ * @throws AccessDeniedException3 if the user doesn't have the permission.
*/
public final void checkPermission(@NonNull Permission p) {
- Authentication a = Jenkins.getAuthentication();
- if (!hasPermission(a, p)) {
- throw new AccessDeniedException2(a, p);
+ Authentication a = Jenkins.getAuthentication2();
+ if (!hasPermission2(a, p)) {
+ throw new AccessDeniedException3(a, p);
}
}
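Review bot: Callers that wrap `checkPermission` in `catch (org.acegisecurity.AccessDeniedException e)` will probably stop catching the denial, because the thrown type moves from `AccessDeniedException2` to `AccessDeniedException3`. As far as I know, `AccessDeniedException3` derives from Spring's `AccessDeniedException` rather than the Acegi one. The check still fails closed, but the exception would then propagate past handlers written against the old type. The Javadoc only swaps the type name, so I would add a line such as `Note: this is the Spring-based exception; handlers catching org.acegisecurity.AccessDeniedException must be updated.`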
@@ -212,7 +228,7 @@ public final void checkPermission(@NonNull Permission p) {
* @return {@code false} if the user doesn't have the permission.
*/
public final boolean hasPermission(@NonNull Permission p) {
- return hasPermission(Jenkins.getAuthentication(), p);
+ return hasPermission2(Jenkins.getAuthentication2(), p);
}
/**
diff --git a/src/main/java/com/cloudbees/plugins/credentials/CredentialsStoreAction.java b/src/main/java/com/cloudbees/plugins/credentials/CredentialsStoreAction.java
index b752bfe21..5d08350db 100644
--- a/src/main/java/com/cloudbees/plugins/credentials/CredentialsStoreAction.java
+++ b/src/main/java/com/cloudbees/plugins/credentials/CredentialsStoreAction.java
@@ -83,7 +83,6 @@
import jenkins.model.ModelObjectWithContextMenu;
import jenkins.util.xml.XMLUtils;
import net.sf.json.JSONObject;
-import org.acegisecurity.AccessDeniedException;
import org.apache.commons.lang.StringUtils;
import org.jenkins.ui.icon.IconSpec;
import org.kohsuke.accmod.Restricted;
@@ -97,6 +96,7 @@
import org.kohsuke.stapler.export.Exported;
import org.kohsuke.stapler.export.ExportedBean;
import org.kohsuke.stapler.interceptor.RequirePOST;
+import org.springframework.security.access.AccessDeniedException;
import org.xml.sax.SAXException;
import static com.cloudbees.plugins.credentials.ContextMenuIconUtils.getMenuItemIconUrlByClassSpec;
diff --git a/src/main/java/com/cloudbees/plugins/credentials/SystemCredentialsProvider.java b/src/main/java/com/cloudbees/plugins/credentials/SystemCredentialsProvider.java
index fee970cd4..15f24d18c 100644
--- a/src/main/java/com/cloudbees/plugins/credentials/SystemCredentialsProvider.java
+++ b/src/main/java/com/cloudbees/plugins/credentials/SystemCredentialsProvider.java
@@ -59,9 +59,9 @@
import java.util.logging.Level;
import java.util.logging.Logger;
import jenkins.model.Jenkins;
-import org.acegisecurity.Authentication;
import org.kohsuke.stapler.export.Exported;
import org.kohsuke.stapler.export.ExportedBean;
+import org.springframework.security.core.Authentication;
import static com.cloudbees.plugins.credentials.CredentialsMatchers.always;
import static com.cloudbees.plugins.credentials.CredentialsMatchers.not;
@@ -204,7 +204,7 @@ private void checkPermission(Permission p) {
*/
private void checkedSave(Permission p) throws IOException {
checkPermission(p);
- try (ACLContext ignored = ACL.as(ACL.SYSTEM)) {
+ try (ACLContext ignored = ACL.as2(ACL.SYSTEM2)) {
save();
}
}
@@ -423,21 +423,10 @@ public CredentialsStore getStore(@CheckForNull ModelObject object) {
*/
@NonNull
@Override
- public List getCredentials(@NonNull Class type,
- @Nullable ItemGroup itemGroup,
- @Nullable Authentication authentication) {
- return getCredentials(type, itemGroup, authentication, Collections.emptyList());
- }
-
- /**
- * {@inheritDoc}
- */
- @NonNull
- @Override
- public List getCredentials(@NonNull Class type, @Nullable ItemGroup itemGroup,
- @Nullable Authentication authentication,
- @NonNull List domainRequirements) {
- if (ACL.SYSTEM.equals(authentication)) {
+ public List getCredentialsInItemGroup(@NonNull Class type, @Nullable ItemGroup itemGroup,
+ @Nullable Authentication authentication,
+ @NonNull List domainRequirements) {
+ if (ACL.SYSTEM2.equals(authentication)) {
CredentialsMatcher matcher = Jenkins.get() == itemGroup ? always() : not(withScope(SYSTEM));
return DomainCredentials.getCredentials(SystemCredentialsProvider.getInstance()
.getDomainCredentialsMap(), type, domainRequirements, matcher);
@@ -450,20 +439,10 @@ public List getCredentials(@NonNull Class type, @N
*/
@NonNull
@Override
- public List getCredentials(@NonNull Class type, @NonNull Item item,
- @Nullable Authentication authentication) {
- return getCredentials(type, item, authentication, Collections.emptyList());
- }
-
- /**
- * {@inheritDoc}
- */
- @NonNull
- @Override
- public List getCredentials(@NonNull Class type, @NonNull Item item,
- @Nullable Authentication authentication,
- @NonNull List domainRequirements) {
- if (ACL.SYSTEM.equals(authentication)) {
+ public List getCredentialsInItem(@NonNull Class type, @NonNull Item item,
+ @Nullable Authentication authentication,
+ @NonNull List domainRequirements) {
+ if (ACL.SYSTEM2.equals(authentication)) {
return DomainCredentials.getCredentials(SystemCredentialsProvider.getInstance()
.getDomainCredentialsMap(), type, domainRequirements, not(withScope(SYSTEM)));
}
@@ -507,9 +486,9 @@ public ModelObject getContext() {
* {@inheritDoc}
*/
@Override
- public boolean hasPermission(@NonNull Authentication a, @NonNull Permission permission) {
+ public boolean hasPermission2(@NonNull Authentication a, @NonNull Permission permission) {
// we follow the permissions of Jenkins itself
- return getACL().hasPermission(a, permission);
+ return getACL().hasPermission2(a, permission);
}
@NonNull
diff --git a/src/main/java/com/cloudbees/plugins/credentials/UserCredentialsProvider.java b/src/main/java/com/cloudbees/plugins/credentials/UserCredentialsProvider.java
index a30105dcc..9f0ddadca 100644
--- a/src/main/java/com/cloudbees/plugins/credentials/UserCredentialsProvider.java
+++ b/src/main/java/com/cloudbees/plugins/credentials/UserCredentialsProvider.java
@@ -42,7 +42,7 @@
import hudson.model.UserPropertyDescriptor;
import hudson.security.ACL;
import hudson.security.ACLContext;
-import hudson.security.AccessDeniedException2;
+import hudson.security.AccessDeniedException3;
import hudson.security.Permission;
import java.io.IOException;
import java.net.URI;
@@ -59,12 +59,12 @@
import jenkins.model.Jenkins;
import net.jcip.annotations.GuardedBy;
import net.sf.json.JSONObject;
-import org.acegisecurity.Authentication;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.Stapler;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.export.Exported;
import org.kohsuke.stapler.export.ExportedBean;
+import org.springframework.security.core.Authentication;
import static com.cloudbees.plugins.credentials.CredentialsMatchers.always;
@@ -118,27 +118,17 @@ public CredentialsStore getStore(@CheckForNull ModelObject object) {
*/
@NonNull
@Override
- public List getCredentials(@NonNull Class type, @Nullable ItemGroup itemGroup,
- @Nullable Authentication authentication) {
- return getCredentials(type, itemGroup, authentication, Collections.emptyList());
- }
-
- /**
- * {@inheritDoc}
- */
- @NonNull
- @Override
- public List getCredentials(@NonNull Class type,
- @Nullable ItemGroup itemGroup,
- @Nullable Authentication authentication,
- @NonNull List domainRequirements) {
+ public List getCredentialsInItemGroup(@NonNull Class type,
+ @Nullable ItemGroup itemGroup,
+ @Nullable Authentication authentication,
+ @NonNull List domainRequirements) {
// ignore itemGroup, as per-user credentials are available on any object
if (authentication == null) {
// assume ACL#SYSTEM
- authentication = ACL.SYSTEM;
+ authentication = ACL.SYSTEM2;
}
- if (!ACL.SYSTEM.equals(authentication)) {
- User user = User.get(authentication);
+ if (!ACL.SYSTEM2.equals(authentication)) {
+ User user = User.get2(authentication);
if (user != null) {
UserCredentialsProperty property = user.getProperty(UserCredentialsProperty.class);
if (property != null) {
@@ -425,7 +415,7 @@ private void checkPermission(Permission p) {
if (user.equals(User.current())) {
user.checkPermission(p);
} else {
- throw new AccessDeniedException2(Jenkins.getAuthentication(), p);
+ throw new AccessDeniedException3(Jenkins.getAuthentication2(), p);
}
}
@@ -671,8 +661,8 @@ public ModelObject getContext() {
* {@inheritDoc}
*/
@Override
- public boolean hasPermission(@NonNull Authentication a, @NonNull Permission permission) {
- return getACL().hasPermission(a, permission);
+ public boolean hasPermission2(@NonNull Authentication a, @NonNull Permission permission) {
+ return getACL().hasPermission2(a, permission);
}
/**
@@ -683,8 +673,8 @@ public boolean hasPermission(@NonNull Authentication a, @NonNull Permission perm
public ACL getACL() {
return new ACL() {
@Override
- public boolean hasPermission(@NonNull Authentication a, @NonNull Permission permission) {
- return user.equals(User.getById(a.getName(), true)) && user.getACL().hasPermission(a, permission);
+ public boolean hasPermission2(@NonNull Authentication a, @NonNull Permission permission) {
+ return user.equals(User.getById(a.getName(), true)) && user.getACL().hasPermission2(a, permission);
}
};
}
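Review bot: The per-user ACL still resolves the caller with `User.getById(a.getName(), true)`, while `getCredentialsInItemGroup` in this same file moves to `User.get2(authentication)`. The two lookups should agree; as I understand it, `getById(..., true)` creates a `User` for whatever name the `Authentication` carries, whereas `User.get2` returns null for an anonymous token. Assuming that is correct, the check would read `return user.equals(User.get2(a)) && user.getACL().hasPermission2(a, permission);`, which denies anonymous without creating a user object.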
diff --git a/src/main/java/com/cloudbees/plugins/credentials/ViewCredentialsAction.java b/src/main/java/com/cloudbees/plugins/credentials/ViewCredentialsAction.java
index 8126ce6bc..ea9507b15 100644
--- a/src/main/java/com/cloudbees/plugins/credentials/ViewCredentialsAction.java
+++ b/src/main/java/com/cloudbees/plugins/credentials/ViewCredentialsAction.java
@@ -57,7 +57,6 @@
import jenkins.model.Jenkins;
import jenkins.model.ModelObjectWithContextMenu;
import jenkins.model.TransientActionFactory;
-import org.acegisecurity.Authentication;
import org.jenkins.ui.icon.IconSpec;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;
@@ -65,6 +64,7 @@
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.export.Exported;
import org.kohsuke.stapler.export.ExportedBean;
+import org.springframework.security.core.Authentication;
/**
* An {@link Action} that lets you view the available credentials for any {@link ModelObject}.
@@ -377,10 +377,10 @@ public ACL getACL() {
context instanceof AccessControlled ? (AccessControlled) context : Jenkins.get();
return new ACL() {
@Override
- public boolean hasPermission(@NonNull Authentication a, @NonNull Permission permission) {
- if (accessControlled.hasPermission(a, permission)) {
+ public boolean hasPermission2(@NonNull Authentication a, @NonNull Permission permission) {
+ if (accessControlled.hasPermission2(a, permission)) {
for (CredentialsStore s : getLocalStores()) {
- if (s.hasPermission(a, permission)) {
+ if (s.hasPermission2(a, permission)) {
return true;
}
}
diff --git a/src/main/java/com/cloudbees/plugins/credentials/common/AbstractIdCredentialsListBoxModel.java b/src/main/java/com/cloudbees/plugins/credentials/common/AbstractIdCredentialsListBoxModel.java
index ce1a248cb..6c778672a 100644
--- a/src/main/java/com/cloudbees/plugins/credentials/common/AbstractIdCredentialsListBoxModel.java
+++ b/src/main/java/com/cloudbees/plugins/credentials/common/AbstractIdCredentialsListBoxModel.java
@@ -43,8 +43,8 @@
import java.util.List;
import java.util.Set;
import jenkins.model.Jenkins;
-import org.acegisecurity.Authentication;
import org.apache.commons.lang.StringUtils;
+import org.springframework.security.core.Authentication;
/**
* {@link ListBoxModel} with support for credentials.
@@ -290,7 +290,7 @@ public AbstractIdCredentialsListBoxModel withMatching(@NonNull Credentials
* @param context the context to add credentials from.
* @param type the base class of the credentials to add.
* @return {@code this} for method chaining.
- * @see CredentialsProvider#listCredentials(Class, Item, Authentication, List, CredentialsMatcher)
+ * @see CredentialsProvider#listCredentialsInItem(Class, Item, Authentication, List, CredentialsMatcher)
* @since 2.1.0
*/
public AbstractIdCredentialsListBoxModel include(@Nullable Item context, @NonNull Class extends C> type) {
@@ -304,7 +304,7 @@ public AbstractIdCredentialsListBoxModel include(@Nullable Item context, @
* @param context the context to add credentials from.
* @param type the base class of the credentials to add.
* @return {@code this} for method chaining.
- * @see CredentialsProvider#listCredentials(Class, ItemGroup, Authentication, List, CredentialsMatcher)
+ * @see CredentialsProvider#listCredentialsInItemGroup(Class, ItemGroup, Authentication, List, CredentialsMatcher)
* @since 2.1.0
*/
public AbstractIdCredentialsListBoxModel include(@NonNull ItemGroup context,
@@ -312,6 +312,16 @@ public AbstractIdCredentialsListBoxModel include(@NonNull ItemGroup contex
return include(context, type, Collections.emptyList());
}
+ /**
+ * @deprecated Use {@link #includeAs(Authentication, Item, Class)} instead.
+ */
+ @Deprecated
+ public AbstractIdCredentialsListBoxModel includeAs(@NonNull org.acegisecurity.Authentication authentication,
+ @Nullable Item context,
+ @NonNull Class extends C> type) {
+ return includeAs(authentication, context, type, Collections.emptyList());
+ }
+
/**
* Adds the ids of the specified credential type that are available to the specified context as the specified
* authentication.
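Review bot: The deprecated `includeAs(org.acegisecurity.Authentication, Item, Class)` passes the Acegi `authentication` through unconverted. The call therefore appears to resolve to the deprecated four-argument Acegi overload, then to the deprecated `includeMatchingAs`, and only there is `toSpring()` applied. Converting once at the boundary is shorter and avoids deprecated-to-deprecated calls: `return includeAs(authentication.toSpring(), context, type);`. The deprecated `ItemGroup` three-argument and `Item` four-argument overloads in later hunks follow the same pattern, while the deprecated `ItemGroup` four-argument overload already calls `authentication.toSpring()` directly, so the bridges are inconsistent with each other.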
@@ -320,8 +330,8 @@ public AbstractIdCredentialsListBoxModel include(@NonNull ItemGroup contex
* @param context the context to add credentials from.
* @param type the base class of the credentials to add.
* @return {@code this} for method chaining.
- * @see CredentialsProvider#listCredentials(Class, Item, Authentication, List, CredentialsMatcher)
- * @since 2.1.0
+ * @see CredentialsProvider#listCredentialsInItem(Class, Item, Authentication, List, CredentialsMatcher)
+ * @since TODO
*/
public AbstractIdCredentialsListBoxModel includeAs(@NonNull Authentication authentication,
@Nullable Item context,
@@ -329,6 +339,16 @@ public AbstractIdCredentialsListBoxModel includeAs(@NonNull Authentication
return includeAs(authentication, context, type, Collections.emptyList());
}
+ /**
+ * @deprecated Use {@link #includeAs(Authentication, ItemGroup, Class)} instead.
+ */
+ @Deprecated
+ public AbstractIdCredentialsListBoxModel includeAs(@NonNull org.acegisecurity.Authentication authentication,
+ @NonNull ItemGroup context,
+ @NonNull Class extends C> type) {
+ return includeAs(authentication, context, type, Collections.emptyList());
+ }
+
/**
* Adds the ids of the specified credential type that are available to the specified context as the specified
* authentication.
@@ -337,8 +357,8 @@ public AbstractIdCredentialsListBoxModel includeAs(@NonNull Authentication
* @param context the context to add credentials from.
* @param type the base class of the credentials to add.
* @return {@code this} for method chaining.
- * @see CredentialsProvider#listCredentials(Class, ItemGroup, Authentication, List, CredentialsMatcher)
- * @since 2.1.0
+ * @see CredentialsProvider#listCredentialsInItemGroup(Class, ItemGroup, Authentication, List, CredentialsMatcher)
+ * @since TODO
*/
public AbstractIdCredentialsListBoxModel includeAs(@NonNull Authentication authentication,
@NonNull ItemGroup context,
@@ -354,7 +374,7 @@ public AbstractIdCredentialsListBoxModel includeAs(@NonNull Authentication
* @param type the base class of the credentials to add.
* @param domainRequirements the domain requirements.
* @return {@code this} for method chaining.
- * @see CredentialsProvider#listCredentials(Class, Item, Authentication, List, CredentialsMatcher)
+ * @see CredentialsProvider#listCredentialsInItem(Class, Item, Authentication, List, CredentialsMatcher)
* @since 2.1.0
*/
public AbstractIdCredentialsListBoxModel include(@Nullable Item context, @NonNull Class extends C> type,
@@ -370,7 +390,7 @@ public AbstractIdCredentialsListBoxModel include(@Nullable Item context, @
* @param type the base class of the credentials to add.
* @param domainRequirements the domain requirements.
* @return {@code this} for method chaining.
- * @see CredentialsProvider#listCredentials(Class, ItemGroup, Authentication, List, CredentialsMatcher)
+ * @see CredentialsProvider#listCredentialsInItemGroup(Class, ItemGroup, Authentication, List, CredentialsMatcher)
* @since 2.1.0
*/
public AbstractIdCredentialsListBoxModel include(@NonNull ItemGroup context, @NonNull Class extends C> type,
@@ -378,6 +398,17 @@ public AbstractIdCredentialsListBoxModel include(@NonNull ItemGroup contex
return includeMatching(context, type, domainRequirements, CredentialsMatchers.always());
}
+ /**
+ * @deprecated Use {@link #includeAs(Authentication, Item, Class, List)} instead.
+ */
+ @Deprecated
+ public AbstractIdCredentialsListBoxModel includeAs(@NonNull org.acegisecurity.Authentication authentication,
+ @Nullable Item context,
+ @NonNull Class extends C> type,
+ @NonNull List domainRequirements) {
+ return includeMatchingAs(authentication, context, type, domainRequirements, CredentialsMatchers.always());
+ }
+
/**
* Adds the ids of the specified credential type that are available to the specified context as the specified
* authentication with the specified domain requirements.
@@ -387,8 +418,8 @@ public AbstractIdCredentialsListBoxModel include(@NonNull ItemGroup contex
* @param type the base class of the credentials to add.
* @param domainRequirements the domain requirements.
* @return {@code this} for method chaining.
- * @see CredentialsProvider#listCredentials(Class, Item, Authentication, List, CredentialsMatcher)
- * @since 2.1.0
+ * @see CredentialsProvider#listCredentialsInItem(Class, Item, Authentication, List, CredentialsMatcher)
+ * @since TODO
*/
public AbstractIdCredentialsListBoxModel includeAs(@NonNull Authentication authentication,
@Nullable Item context,
@@ -397,6 +428,17 @@ public AbstractIdCredentialsListBoxModel includeAs(@NonNull Authentication
return includeMatchingAs(authentication, context, type, domainRequirements, CredentialsMatchers.always());
}
+ /**
+ * @deprecated Use {@link #includeAs(Authentication, ItemGroup, Class, List)} instead.
+ */
+ @Deprecated
+ public AbstractIdCredentialsListBoxModel includeAs(@NonNull org.acegisecurity.Authentication authentication,
+ @NonNull ItemGroup context,
+ @NonNull Class extends C> type,
+ @NonNull List domainRequirements) {
+ return includeMatchingAs(authentication.toSpring(), context, type, domainRequirements, CredentialsMatchers.always());
+ }
+
/**
* Adds the ids of the specified credential type that are available to the specified context as the specified
* authentication with the specified domain requirements.
@@ -406,8 +448,8 @@ public AbstractIdCredentialsListBoxModel includeAs(@NonNull Authentication
* @param type the base class of the credentials to add.
* @param domainRequirements the domain requirements.
* @return {@code this} for method chaining.
- * @see CredentialsProvider#listCredentials(Class, ItemGroup, Authentication, List, CredentialsMatcher)
- * @since 2.1.0
+ * @see CredentialsProvider#listCredentialsInItemGroup(Class, ItemGroup, Authentication, List, CredentialsMatcher)
+ * @since TODO
*/
public AbstractIdCredentialsListBoxModel includeAs(@NonNull Authentication authentication,
@NonNull ItemGroup context,
@@ -425,14 +467,14 @@ public AbstractIdCredentialsListBoxModel includeAs(@NonNull Authentication
* @param domainRequirements the domain requirements.
* @param matcher the filter to apply to the credentials.
* @return {@code this} for method chaining.
- * @see CredentialsProvider#listCredentials(Class, Item, Authentication, List, CredentialsMatcher)
+ * @see CredentialsProvider#listCredentialsInItem(Class, Item, Authentication, List, CredentialsMatcher)
* @since 2.1.0
*/
public AbstractIdCredentialsListBoxModel includeMatching(@Nullable Item context,
@NonNull Class extends C> type,
@NonNull List domainRequirements,
@NonNull CredentialsMatcher matcher) {
- return includeMatchingAs(Jenkins.getAuthentication(), context, type, domainRequirements, matcher);
+ return includeMatchingAs(Jenkins.getAuthentication2(), context, type, domainRequirements, matcher);
}
/**
@@ -444,14 +486,27 @@ public AbstractIdCredentialsListBoxModel includeMatching(@Nullable Item co
* @param domainRequirements the domain requirements.
* @param matcher the filter to apply to the credentials.
* @return {@code this} for method chaining.
- * @see CredentialsProvider#listCredentials(Class, ItemGroup, Authentication, List, CredentialsMatcher)
+ * @see CredentialsProvider#listCredentialsInItemGroup(Class, ItemGroup, Authentication, List, CredentialsMatcher)
* @since 2.1.0
*/
public AbstractIdCredentialsListBoxModel includeMatching(@NonNull ItemGroup context,
@NonNull Class extends C> type,
@NonNull List domainRequirements,
@NonNull CredentialsMatcher matcher) {
- return includeMatchingAs(Jenkins.getAuthentication(), context, type, domainRequirements, matcher);
+ return includeMatchingAs(Jenkins.getAuthentication2(), context, type, domainRequirements, matcher);
+ }
+
+ /**
+ * @deprecated Use {@link #includeMatchingAs(Authentication, Item, Class, List, CredentialsMatcher)} instead.
+ */
+ @Deprecated
+ public AbstractIdCredentialsListBoxModel includeMatchingAs(@NonNull org.acegisecurity.Authentication authentication,
+ @Nullable Item context,
+ @NonNull Class extends C> type,
+ @NonNull
+ List domainRequirements,
+ @NonNull CredentialsMatcher matcher) {
+ return includeMatchingAs(authentication.toSpring(), context, type, domainRequirements, matcher);
}
/**
@@ -464,8 +519,8 @@ public AbstractIdCredentialsListBoxModel includeMatching(@NonNull ItemGrou
* @param domainRequirements the domain requirements.
* @param matcher the filter to apply to the credentials.
* @return {@code this} for method chaining.
- * @see CredentialsProvider#listCredentials(Class, Item, Authentication, List, CredentialsMatcher)
- * @since 2.1.0
+ * @see CredentialsProvider#listCredentialsInItem(Class, Item, Authentication, List, CredentialsMatcher)
+ * @since TODO
*/
public AbstractIdCredentialsListBoxModel includeMatchingAs(@NonNull Authentication authentication,
@Nullable Item context,
@@ -473,10 +528,23 @@ public AbstractIdCredentialsListBoxModel includeMatchingAs(@NonNull Authen
@NonNull
List domainRequirements,
@NonNull CredentialsMatcher matcher) {
- addMissing(CredentialsProvider.listCredentials(type, context, authentication, domainRequirements, matcher));
+ addMissing(CredentialsProvider.listCredentialsInItem(type, context, authentication, domainRequirements, matcher));
return this;
}
+ /**
+ * @deprecated Use {@link #includeMatchingAs(Authentication, ItemGroup, Class, List, CredentialsMatcher)} instead.
+ */
+ @Deprecated
+ public AbstractIdCredentialsListBoxModel includeMatchingAs(@NonNull org.acegisecurity.Authentication authentication,
+ @NonNull ItemGroup context,
+ @NonNull Class extends C> type,
+ @NonNull
+ List domainRequirements,
+ @NonNull CredentialsMatcher matcher) {
+ return includeMatchingAs(authentication.toSpring(), context, type, domainRequirements, matcher);
+ }
+
/**
* Adds the ids of the specified credential type that are available to the specified context as the specified
* authentication with the specified domain requirements and match the specified filter.
@@ -487,8 +555,8 @@ public AbstractIdCredentialsListBoxModel includeMatchingAs(@NonNull Authen
* @param domainRequirements the domain requirements.
* @param matcher the filter to apply to the credentials.
* @return {@code this} for method chaining.
- * @see CredentialsProvider#listCredentials(Class, ItemGroup, Authentication, List, CredentialsMatcher)
- * @since 2.1.0
+ * @see CredentialsProvider#listCredentialsInItemGroup(Class, ItemGroup, Authentication, List, CredentialsMatcher)
+ * @since TODO
*/
public AbstractIdCredentialsListBoxModel includeMatchingAs(@NonNull Authentication authentication,
@NonNull ItemGroup context,
@@ -496,7 +564,7 @@ public AbstractIdCredentialsListBoxModel includeMatchingAs(@NonNull Authen
@NonNull
List domainRequirements,
@NonNull CredentialsMatcher matcher) {
- addMissing(CredentialsProvider.listCredentials(type, context, authentication, domainRequirements, matcher));
+ addMissing(CredentialsProvider.listCredentialsInItemGroup(type, context, authentication, domainRequirements, matcher));
return this;
}
diff --git a/src/test/java/com/cloudbees/plugins/credentials/CredentialsProviderTest.java b/src/test/java/com/cloudbees/plugins/credentials/CredentialsProviderTest.java
index 5cf30d5fd..9dffe0806 100644
--- a/src/test/java/com/cloudbees/plugins/credentials/CredentialsProviderTest.java
+++ b/src/test/java/com/cloudbees/plugins/credentials/CredentialsProviderTest.java
@@ -41,7 +41,6 @@
import hudson.security.ACL;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
-import org.acegisecurity.Authentication;
import org.junit.Rule;
import org.junit.Test;
import org.jvnet.hudson.test.Issue;
@@ -80,7 +79,7 @@ public void testNoCredentialsUntilWeAddSome() throws Exception {
assertFalse(CredentialsProvider.lookupCredentials(DummyCredentials.class, ACL.SYSTEM).isEmpty());
assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, Jenkins.ANONYMOUS).isEmpty());
assertFalse("null auth -> ACL.SYSTEM",
- CredentialsProvider.lookupCredentials(DummyCredentials.class, (Authentication) null).isEmpty());
+ CredentialsProvider.lookupCredentials(DummyCredentials.class, (org.acegisecurity.Authentication) null).isEmpty());
assertFalse(CredentialsProvider.lookupCredentials(DummyCredentials.class, Jenkins.get()).isEmpty());
assertFalse("null item -> Root",
@@ -98,7 +97,7 @@ public void testNoCredentialsUntilWeAddSome() throws Exception {
assertFalse(CredentialsProvider.lookupCredentials(DummyCredentials.class, ACL.SYSTEM).isEmpty());
assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, Jenkins.ANONYMOUS).isEmpty());
assertFalse("null auth -> ACL.SYSTEM",
- CredentialsProvider.lookupCredentials(DummyCredentials.class, (Authentication) null).isEmpty());
+ CredentialsProvider.lookupCredentials(DummyCredentials.class, (org.acegisecurity.Authentication) null).isEmpty());
assertFalse(CredentialsProvider.lookupCredentials(DummyCredentials.class, Jenkins.get()).isEmpty());
assertFalse("null item -> Root",
@@ -112,6 +111,54 @@ public void testNoCredentialsUntilWeAddSome() throws Exception {
"manchu");
}
+
+ /**
+ * Same test as {@link #testNoCredentialsUntilWeAddSome()} but using new APIs.
+ */
+ @Test
+ public void testNoCredentialsUntilWeAddSome2() throws Exception {
+ FreeStyleProject project = r.createFreeStyleProject();
+ assertTrue(CredentialsProvider.lookupCredentialsInItem(Credentials.class, (Item) null, ACL.SYSTEM2).isEmpty());
+ SystemCredentialsProvider.getInstance().getCredentials().add(
+ new DummyCredentials(CredentialsScope.SYSTEM, "foo", "bar"));
+ assertFalse(CredentialsProvider.lookupCredentialsInItem(Credentials.class, (Item) null, ACL.SYSTEM2).isEmpty());
+ assertFalse(CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, (Item) null, ACL.SYSTEM2).isEmpty());
+
+ assertFalse(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, Jenkins.get(), ACL.SYSTEM2).isEmpty());
+ assertTrue(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, Jenkins.get(), Jenkins.ANONYMOUS2).isEmpty());
+ assertFalse("null auth -> ACL.SYSTEM",
+ CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, Jenkins.get(), null).isEmpty());
+
+ assertFalse(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, Jenkins.get(), ACL.SYSTEM2).isEmpty());
+ assertFalse("null item -> Root",
+ CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, (Item) null, ACL.SYSTEM2).isEmpty());
+ assertFalse("null item -> Root",
+ CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, (ItemGroup) null, ACL.SYSTEM2).isEmpty());
+ assertTrue(CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, project, ACL.SYSTEM2).isEmpty());
+
+ SystemCredentialsProvider.getInstance().getCredentials().add(
+ new DummyCredentials(CredentialsScope.GLOBAL, "manchu", "bar"));
+
+ assertFalse(CredentialsProvider.lookupCredentialsInItem(Credentials.class, (Item) null, ACL.SYSTEM2).isEmpty());
+ assertFalse(CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, (Item) null, ACL.SYSTEM2).isEmpty());
+
+ assertFalse(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, Jenkins.get(), ACL.SYSTEM2).isEmpty());
+ assertTrue(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, Jenkins.get(), Jenkins.ANONYMOUS2).isEmpty());
+ assertFalse("null auth -> ACL.SYSTEM",
+ CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, Jenkins.get(), null).isEmpty());
+
+ assertFalse(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, Jenkins.get(), ACL.SYSTEM2).isEmpty());
+ assertFalse("null item -> Root",
+ CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, (Item) null, ACL.SYSTEM2).isEmpty());
+ assertFalse("null item -> Root",
+ CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, (ItemGroup) null, ACL.SYSTEM2).isEmpty());
+ assertFalse(CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, project, ACL.SYSTEM2).isEmpty());
+ assertEquals(CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, project, ACL.SYSTEM2).size(), 1);
+ assertEquals(
+ CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, project, ACL.SYSTEM2).iterator().next().getUsername(),
+ "manchu");
+
+ }
@Test
public void testNoCredentialsUntilWeAddSomeViaStore() throws Exception {
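Review bot: `testNoCredentialsUntilWeAddSome2` checks the negative case only on the `ItemGroup` path, with `Jenkins.ANONYMOUS2`; every `lookupCredentialsInItem` call uses `ACL.SYSTEM2`. The new item-scoped API therefore has no assertion that a non-SYSTEM principal sees nothing. Assuming anonymous is meant to get an empty list there as well, I would add `assertTrue(CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, project, Jenkins.ANONYMOUS2).isEmpty());` after the GLOBAL credential is added. The final `assertEquals` calls also pass the actual value first; `assertEquals(1, ...size())` and `assertEquals("manchu", ...getUsername())` give correct failure messages. The `ViaStore2` test in the following hunk has the same gap in the lines shown.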
@@ -125,7 +172,7 @@ public void testNoCredentialsUntilWeAddSomeViaStore() throws Exception {
assertFalse(CredentialsProvider.lookupCredentials(DummyCredentials.class, ACL.SYSTEM).isEmpty());
assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, Jenkins.ANONYMOUS).isEmpty());
assertFalse("null auth -> ACL.SYSTEM",
- CredentialsProvider.lookupCredentials(DummyCredentials.class, (Authentication) null).isEmpty());
+ CredentialsProvider.lookupCredentials(DummyCredentials.class, (org.acegisecurity.Authentication) null).isEmpty());
assertFalse(CredentialsProvider.lookupCredentials(DummyCredentials.class, Jenkins.get()).isEmpty());
assertFalse("null item -> Root",
@@ -142,7 +189,7 @@ public void testNoCredentialsUntilWeAddSomeViaStore() throws Exception {
assertFalse(CredentialsProvider.lookupCredentials(DummyCredentials.class, ACL.SYSTEM).isEmpty());
assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, Jenkins.ANONYMOUS).isEmpty());
assertFalse("null auth -> ACL.SYSTEM",
- CredentialsProvider.lookupCredentials(DummyCredentials.class, (Authentication) null).isEmpty());
+ CredentialsProvider.lookupCredentials(DummyCredentials.class, (org.acegisecurity.Authentication) null).isEmpty());
assertFalse(CredentialsProvider.lookupCredentials(DummyCredentials.class, Jenkins.get()).isEmpty());
assertFalse("null item -> Root",
@@ -157,6 +204,52 @@ public void testNoCredentialsUntilWeAddSomeViaStore() throws Exception {
}
+ /**
+ * Same test as {@link #testNoCredentialsUntilWeAddSomeViaStore()} but using new APIs.
+ */
+ @Test
+ public void testNoCredentialsUntilWeAddSomeViaStore2() throws Exception {
+ FreeStyleProject project = r.createFreeStyleProject();
+ assertTrue(CredentialsProvider.lookupCredentialsInItem(Credentials.class, (Item) null, ACL.SYSTEM2).isEmpty());
+ CredentialsStore store = CredentialsProvider.lookupStores(Jenkins.get()).iterator().next();
+ store.addCredentials(Domain.global(), new DummyCredentials(CredentialsScope.SYSTEM, "foo", "bar"));
+ assertFalse(CredentialsProvider.lookupCredentialsInItem(Credentials.class, (Item) null, ACL.SYSTEM2).isEmpty());
+ assertFalse(CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, (Item) null, ACL.SYSTEM2).isEmpty());
+
+ assertFalse(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, Jenkins.get(), ACL.SYSTEM2).isEmpty());
+ assertTrue(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, Jenkins.get(), Jenkins.ANONYMOUS2).isEmpty());
+ assertFalse("null auth -> ACL.SYSTEM",
+ CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, Jenkins.get(), null).isEmpty());
+
+ assertFalse(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, Jenkins.get(), ACL.SYSTEM2).isEmpty());
+ assertFalse("null item -> Root",
+ CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, (Item) null, ACL.SYSTEM2).isEmpty());
+ assertFalse("null item -> Root",
+ CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, (ItemGroup) null, ACL.SYSTEM2).isEmpty());
+ assertTrue(CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, project, ACL.SYSTEM2).isEmpty());
+
+ store.addCredentials(Domain.global(), new DummyCredentials(CredentialsScope.GLOBAL, "manchu", "bar"));
+
+ assertFalse(CredentialsProvider.lookupCredentialsInItem(Credentials.class, (Item) null, ACL.SYSTEM2).isEmpty());
+ assertFalse(CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, (Item) null, ACL.SYSTEM2).isEmpty());
+
+ assertFalse(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, Jenkins.get(), ACL.SYSTEM2).isEmpty());
+ assertTrue(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, Jenkins.get(), Jenkins.ANONYMOUS2).isEmpty());
+ assertFalse("null auth -> ACL.SYSTEM",
+ CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, Jenkins.get(), null).isEmpty());
+
+ assertFalse(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, Jenkins.get(), ACL.SYSTEM2).isEmpty());
+ assertFalse("null item -> Root",
+ CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, (Item) null, ACL.SYSTEM2).isEmpty());
+ assertFalse("null item -> Root",
+ CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, (ItemGroup) null, ACL.SYSTEM2).isEmpty());
+ assertFalse(CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, project, ACL.SYSTEM2).isEmpty());
+ assertEquals(CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, project, ACL.SYSTEM2).size(), 1);
+ assertEquals(
+ CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, project, ACL.SYSTEM2).iterator().next().getUsername(),
+ "manchu");
+ }
+
@Test
public void testManageUserCredentials() throws IOException {
final User alice = User.getById("alice", true);
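Review bot: The closing assertions of testNoCredentialsUntilWeAddSomeViaStore2 pass the actual value first, in `assertEquals(CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, project, ACL.SYSTEM2).size(), 1)` and in the `getUsername()` / `"manchu"` pair, so a failure would report the looked-up value as the expected one. JUnit's order is expected then actual: `assertEquals(1, CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, project, ACL.SYSTEM2).size());`, and likewise `"manchu"` as the first argument of the second call. The test added in the previous hunk ends with the same two calls. Because this test pins which identity sees which credential scope (SYSTEM2 and null see them, ANONYMOUS2 does not), a failure message that reads the right way round is worth having.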
@@ -171,22 +264,22 @@ public void testManageUserCredentials() throws IOException {
userStore.addCredentials(Domain.global(), aliceCred1);
userStore.addCredentials(Domain.global(), aliceCred2);
- assertEquals(2, CredentialsProvider.lookupCredentials(DummyCredentials.class, (Item) null, alice.impersonate(), Collections.emptyList()).size());
- assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, Collections.emptyList()).isEmpty());
- assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, Jenkins.ANONYMOUS, Collections.emptyList()).isEmpty());
+ assertEquals(2, CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, (Item) null, alice.impersonate2(), Collections.emptyList()).size());
+ assertTrue(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, ACL.SYSTEM2, Collections.emptyList()).isEmpty());
+ assertTrue(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, Jenkins.ANONYMOUS2, Collections.emptyList()).isEmpty());
// Remove credentials
userStore.removeCredentials(Domain.global(), aliceCred2);
- assertEquals(1, CredentialsProvider.lookupCredentials(DummyCredentials.class, (Item) null, alice.impersonate(), Collections.emptyList()).size());
- assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, Collections.emptyList()).isEmpty());
- assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, Jenkins.ANONYMOUS, Collections.emptyList()).isEmpty());
+ assertEquals(1, CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, (Item) null, alice.impersonate2(), Collections.emptyList()).size());
+ assertTrue(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, ACL.SYSTEM2, Collections.emptyList()).isEmpty());
+ assertTrue(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, Jenkins.ANONYMOUS2, Collections.emptyList()).isEmpty());
// Update credentials
userStore.updateCredentials(Domain.global(), aliceCred1, aliceCred3);
- assertEquals(1, CredentialsProvider.lookupCredentials(DummyCredentials.class, (Item) null, alice.impersonate(), Collections.emptyList()).size());
- assertEquals(aliceCred3.getUsername(), CredentialsProvider.lookupCredentials(DummyCredentials.class, (Item) null, alice.impersonate(), Collections.emptyList()).get(0).getUsername());
+ assertEquals(1, CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, (Item) null, alice.impersonate2(), Collections.emptyList()).size());
+ assertEquals(aliceCred3.getUsername(), CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, (Item) null, alice.impersonate2(), Collections.emptyList()).get(0).getUsername());
}
}
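Review bot: With every call in testManageUserCredentials switched to `lookupCredentialsInItem` / `lookupCredentialsInItemGroup`, none of the hunks shown here still drives the legacy acegi overloads with a per-user identity. The retained legacy test above only passes ACL.SYSTEM, Jenkins.ANONYMOUS and null. If the deprecated overloads remain as a bridge, which the cast to `org.acegisecurity.Authentication` earlier in this diff suggests, one retained assertion would confirm the bridge still scopes a user's credentials to that user: `assertEquals(2, CredentialsProvider.lookupCredentials(DummyCredentials.class, (Item) null, alice.impersonate(), Collections.emptyList()).size());`. The method starts above this hunk.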
@@ -205,22 +298,22 @@ public void testUpdateAndDeleteCredentials() throws IOException {
store.addCredentials(Domain.global(), systemCred2);
store.addCredentials(Domain.global(), globalCred);
- assertEquals(3, CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, Collections.emptyList()).size());
- assertEquals(1, CredentialsProvider.lookupCredentials(DummyCredentials.class, project, ACL.SYSTEM, Collections.emptyList()).size());
- assertEquals(globalCred.getUsername(), CredentialsProvider.lookupCredentials(DummyCredentials.class, project, ACL.SYSTEM, Collections.emptyList()).get(0).getUsername());
+ assertEquals(3, CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, ACL.SYSTEM2, Collections.emptyList()).size());
+ assertEquals(1, CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, project, ACL.SYSTEM2, Collections.emptyList()).size());
+ assertEquals(globalCred.getUsername(), CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, project, ACL.SYSTEM2, Collections.emptyList()).get(0).getUsername());
// Update credentials
store.updateCredentials(Domain.global(), globalCred, modCredential);
- assertEquals(3, CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, Collections.emptyList()).size());
- assertEquals(1, CredentialsProvider.lookupCredentials(DummyCredentials.class, project, ACL.SYSTEM, Collections.emptyList()).size());
- assertEquals(modCredential.getUsername(), CredentialsProvider.lookupCredentials(DummyCredentials.class, project, ACL.SYSTEM, Collections.emptyList()).get(0).getUsername());
+ assertEquals(3, CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, ACL.SYSTEM2, Collections.emptyList()).size());
+ assertEquals(1, CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, project, ACL.SYSTEM2, Collections.emptyList()).size());
+ assertEquals(modCredential.getUsername(), CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, project, ACL.SYSTEM2, Collections.emptyList()).get(0).getUsername());
// Remove credentials
store.removeCredentials(Domain.global(), systemCred2);
- assertEquals(2, CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, Collections.emptyList()).size());
- assertEquals(1, CredentialsProvider.lookupCredentials(DummyCredentials.class, project, ACL.SYSTEM, Collections.emptyList()).size());
+ assertEquals(2, CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, ACL.SYSTEM2, Collections.emptyList()).size());
+ assertEquals(1, CredentialsProvider.lookupCredentialsInItem(DummyCredentials.class, project, ACL.SYSTEM2, Collections.emptyList()).size());
}
@Test
@@ -342,10 +435,10 @@ public void trackingOfFingerprintDependsOnConfiguration() throws Exception {
@Test
@Issue("JENKINS-65333")
public void insertionOrderLookupCredentials() {
- assertThat(CredentialsProvider.lookupCredentials(Credentials.class, (Item) null, ACL.SYSTEM, Collections.emptyList()), hasSize(0));
+ assertThat(CredentialsProvider.lookupCredentialsInItem(Credentials.class, (Item) null, ACL.SYSTEM2, Collections.emptyList()), hasSize(0));
SystemCredentialsProvider.getInstance().getCredentials().add(new DummyIdCredentials("1", CredentialsScope.SYSTEM, "beta", "bar", "description 1"));
SystemCredentialsProvider.getInstance().getCredentials().add(new DummyIdCredentials("2", CredentialsScope.SYSTEM, "alpha", "bar", "description 2"));
- List credentials = CredentialsProvider.lookupCredentials(DummyIdCredentials.class, (Item) null, ACL.SYSTEM, Collections.emptyList());
+ List credentials = CredentialsProvider.lookupCredentialsInItem(DummyIdCredentials.class, (Item) null, ACL.SYSTEM2, Collections.emptyList());
assertThat(credentials, hasSize(2));
// Insertion order
assertThat(credentials.get(0).getUsername(), is("beta"));
@@ -355,10 +448,10 @@ public void insertionOrderLookupCredentials() {
@Test
@Issue("JENKINS-65333")
public void credentialsSortedByNameInUI() {
- assertThat(CredentialsProvider.lookupCredentials(Credentials.class, (Item) null, ACL.SYSTEM, Collections.emptyList()), hasSize(0));
+ assertThat(CredentialsProvider.lookupCredentialsInItem(Credentials.class, (Item) null, ACL.SYSTEM2, Collections.emptyList()), hasSize(0));
SystemCredentialsProvider.getInstance().getCredentials().add(new DummyIdCredentials("1", CredentialsScope.SYSTEM, "beta", "bar", "description 1"));
SystemCredentialsProvider.getInstance().getCredentials().add(new DummyIdCredentials("2", CredentialsScope.SYSTEM, "alpha", "bar", "description 2"));
- ListBoxModel options = CredentialsProvider.listCredentials(DummyIdCredentials.class, (Item) null, ACL.SYSTEM, Collections.emptyList(), CredentialsMatchers.always());
+ ListBoxModel options = CredentialsProvider.listCredentialsInItem(DummyIdCredentials.class, (Item) null, ACL.SYSTEM2, Collections.emptyList(), CredentialsMatchers.always());
// Options are sorted by name
assertThat(options, hasSize(2));
assertThat(options.get(0).value, is("2"));
diff --git a/src/test/java/com/cloudbees/plugins/credentials/CredentialsUnavailableExceptionTest.java b/src/test/java/com/cloudbees/plugins/credentials/CredentialsUnavailableExceptionTest.java
index dfc40ee58..8976dea46 100644
--- a/src/test/java/com/cloudbees/plugins/credentials/CredentialsUnavailableExceptionTest.java
+++ b/src/test/java/com/cloudbees/plugins/credentials/CredentialsUnavailableExceptionTest.java
@@ -244,8 +244,8 @@ public PollingResult compareRemoteRevisionWith(@NonNull Job, ?> project, @Null
@NonNull SCMRevisionState baseline)
throws IOException {
StandardUsernamePasswordCredentials credentials = CredentialsMatchers.firstOrNull(
- CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class, project,
- CredentialsProvider.getDefaultAuthenticationOf(project),
+ CredentialsProvider.lookupCredentialsInItem(StandardUsernamePasswordCredentials.class, project,
+ CredentialsProvider.getDefaultAuthenticationOf2(project),
Collections.emptyList()), CredentialsMatchers.withId(id));
if (credentials == null) {
throw new IOException(String.format("Could not find credentials with id '%s'", id));
diff --git a/src/test/java/com/cloudbees/plugins/credentials/MockFolderCredentialsProvider.java b/src/test/java/com/cloudbees/plugins/credentials/MockFolderCredentialsProvider.java
index 16fd54a90..07b13ea22 100644
--- a/src/test/java/com/cloudbees/plugins/credentials/MockFolderCredentialsProvider.java
+++ b/src/test/java/com/cloudbees/plugins/credentials/MockFolderCredentialsProvider.java
@@ -35,7 +35,7 @@
import hudson.model.ItemGroup;
import hudson.model.ModelObject;
import hudson.security.ACL;
-import hudson.security.AccessDeniedException2;
+import hudson.security.AccessDeniedException3;
import hudson.security.Permission;
import hudson.util.CopyOnWriteMap;
import java.io.IOException;
@@ -45,9 +45,8 @@
import java.util.Map;
import java.util.Set;
import jenkins.model.Jenkins;
-import org.acegisecurity.Authentication;
-import org.acegisecurity.context.SecurityContextHolder;
import org.jvnet.hudson.test.MockFolder;
+import org.springframework.security.core.Authentication;
/**
* Analogue of {@code FolderCredentialsProvider} for {@link MockFolder}.
@@ -77,21 +76,14 @@ public Set getScopes(ModelObject object) {
@NonNull
@Override
- public List getCredentials(@NonNull Class type, @Nullable ItemGroup itemGroup,
- @Nullable Authentication authentication) {
- return getCredentials(type, itemGroup, authentication, Collections.emptyList());
- }
-
- @NonNull
- @Override
- public List getCredentials(@NonNull Class type, @Nullable ItemGroup itemGroup,
- @Nullable Authentication authentication,
- @NonNull List domainRequirements) {
+ public List getCredentialsInItemGroup(@NonNull Class type, @Nullable ItemGroup itemGroup,
+ @Nullable Authentication authentication,
+ @NonNull List domainRequirements) {
if (authentication == null) {
- authentication = ACL.SYSTEM;
+ authentication = ACL.SYSTEM2;
}
List result = new ArrayList<>();
- if (ACL.SYSTEM.equals(authentication)) {
+ if (ACL.SYSTEM2.equals(authentication)) {
while (itemGroup != null) {
if (itemGroup instanceof MockFolder) {
final MockFolder folder = (MockFolder) itemGroup;
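Review bot: getCredentialsInItemGroup promotes a null `authentication` to `ACL.SYSTEM2` and then gates the folder walk on `ACL.SYSTEM2.equals(authentication)`, so a caller that omits the authentication gets the most privileged view, and nothing on the renamed override says this is intended. A one-line comment above the null check would make the default explicit for anyone using this mock as a template for a real provider, for example `// null is treated as SYSTEM, as the lookup tests assert ("null auth -> ACL.SYSTEM")`. The method body continues past the end of this hunk, so what a non-SYSTEM identity receives is not visible here.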
@@ -204,7 +196,7 @@ public synchronized CredentialsStore getStore() {
*/
private void checkPermission(Permission p) {
if (!store.hasPermission(p)) {
- throw new AccessDeniedException2(Jenkins.getAuthentication(), p);
+ throw new AccessDeniedException3(Jenkins.getAuthentication2(), p);
}
}
@@ -217,12 +209,8 @@ private void checkPermission(Permission p) {
*/
private void checkedSave(Permission p) throws IOException {
checkPermission(p);
- Authentication old = SecurityContextHolder.getContext().getAuthentication();
- SecurityContextHolder.getContext().setAuthentication(ACL.SYSTEM);
- try {
+ try (var ignored = ACL.as2(ACL.SYSTEM2)) {
owner.save();
- } finally {
- SecurityContextHolder.getContext().setAuthentication(old);
}
}
@@ -365,8 +353,8 @@ public ModelObject getContext() {
}
@Override
- public boolean hasPermission(@NonNull Authentication a, @NonNull Permission permission) {
- return owner.getACL().hasPermission(a, permission);
+ public boolean hasPermission2(@NonNull Authentication a, @NonNull Permission permission) {
+ return owner.getACL().hasPermission2(a, permission);
}
/**
diff --git a/src/test/java/com/cloudbees/plugins/credentials/casc/CredentialsProviderTest.java b/src/test/java/com/cloudbees/plugins/credentials/casc/CredentialsProviderTest.java
index 6aad51c3b..04accc741 100644
--- a/src/test/java/com/cloudbees/plugins/credentials/casc/CredentialsProviderTest.java
+++ b/src/test/java/com/cloudbees/plugins/credentials/casc/CredentialsProviderTest.java
@@ -4,6 +4,7 @@
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.CredentialsScope;
import com.cloudbees.plugins.credentials.common.UsernamePasswordCredentials;
+import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import com.cloudbees.plugins.credentials.domains.HostnameRequirement;
import com.cloudbees.plugins.credentials.impl.DummyCredentials;
import edu.umd.cs.findbugs.annotations.NonNull;
@@ -19,7 +20,6 @@
import io.jenkins.plugins.casc.misc.JenkinsConfiguredWithCodeRule;
import io.jenkins.plugins.casc.model.CNode;
import io.jenkins.plugins.casc.model.Mapping;
-import org.acegisecurity.Authentication;
import org.jenkinsci.Symbol;
import org.junit.Rule;
import org.junit.Test;
@@ -30,6 +30,7 @@
import java.util.Collections;
import java.util.List;
import java.util.Set;
+import org.springframework.security.core.Authentication;
import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.equalTo;
@@ -45,16 +46,16 @@ public class CredentialsProviderTest {
@Test
@ConfiguredWithCode("CredentialsProviderExtension.yaml")
public void import_credentials_provider_extension_credentials() {
- List dummyCred = CredentialsProvider.lookupCredentials(
- DummyCredentials.class, j.jenkins, ACL.SYSTEM,
+ List dummyCred = CredentialsProvider.lookupCredentialsInItemGroup(
+ DummyCredentials.class, j.jenkins, ACL.SYSTEM2,
Collections.emptyList()
);
assertThat(dummyCred, hasSize(1));
assertThat(dummyCred.get(0).getUsername(), equalTo("user1"));
// the system provider works fine too
- List ups = CredentialsProvider.lookupCredentials(
- UsernamePasswordCredentials.class, j.jenkins, ACL.SYSTEM,
+ List ups = CredentialsProvider.lookupCredentialsInItemGroup(
+ UsernamePasswordCredentials.class, j.jenkins, ACL.SYSTEM2,
Collections.singletonList(new HostnameRequirement("api.test.com"))
);
assertThat(ups, hasSize(1));
@@ -84,7 +85,7 @@ public TestCredentialsProvider() {
@NonNull
@Override
- public List getCredentials(@NonNull Class type, @Nullable ItemGroup itemGroup, @Nullable Authentication authentication) {
+ public List getCredentialsInItemGroup(@NonNull Class type, @Nullable ItemGroup itemGroup, @Nullable Authentication authentication, @Nullable List domainRequirements) {
if (!type.equals(DummyCredentials.class)) {
return Collections.emptyList();
}
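Review bot: The new override in TestCredentialsProvider annotates the last parameter as `@Nullable List domainRequirements`, while the same override in MockFolderCredentialsProvider in this patch declares it `@NonNull`. Callers in these tests always pass a list (`Collections.emptyList()` or a singleton), so the signature should probably read `@NonNull List<DomainRequirement> domainRequirements` to match. A `@Nullable` here tells implementers copying this example that they must handle a null requirement list, which the other override does not do. The method body continues outside the hunk.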
diff --git a/src/test/java/com/cloudbees/plugins/credentials/casc/SystemCredentialsTest.java b/src/test/java/com/cloudbees/plugins/credentials/casc/SystemCredentialsTest.java
index 4b39f05a0..3beee24b5 100644
--- a/src/test/java/com/cloudbees/plugins/credentials/casc/SystemCredentialsTest.java
+++ b/src/test/java/com/cloudbees/plugins/credentials/casc/SystemCredentialsTest.java
@@ -58,8 +58,8 @@ public class SystemCredentialsTest {
@Test
public void import_system_credentials() {
- List ups = CredentialsProvider.lookupCredentials(
- UsernamePasswordCredentials.class, j.jenkins, ACL.SYSTEM,
+ List ups = CredentialsProvider.lookupCredentialsInItemGroup(
+ UsernamePasswordCredentials.class, j.jenkins, ACL.SYSTEM2,
Collections.singletonList(new HostnameRequirement("api.test.com"))
);
assertThat(ups, hasSize(1));
diff --git a/src/test/java/com/cloudbees/plugins/credentials/domains/DomainRestrictedCredentialsTest.java b/src/test/java/com/cloudbees/plugins/credentials/domains/DomainRestrictedCredentialsTest.java
index 2a16c83da..b02ee809d 100644
--- a/src/test/java/com/cloudbees/plugins/credentials/domains/DomainRestrictedCredentialsTest.java
+++ b/src/test/java/com/cloudbees/plugins/credentials/domains/DomainRestrictedCredentialsTest.java
@@ -71,8 +71,8 @@ public void testGetRestrictedCredentials() {
.add(falseCredentials);
Collection matchingCredentials =
- CredentialsProvider.lookupCredentials(Credentials.class,
- Jenkins.get(), ACL.SYSTEM);
+ CredentialsProvider.lookupCredentialsInItemGroup(Credentials.class,
+ Jenkins.get(), ACL.SYSTEM2);
assertThat(matchingCredentials, hasItems(trueCredentials));
assertThat(matchingCredentials, not(hasItems(falseCredentials)));
diff --git a/src/test/java/com/cloudbees/plugins/credentials/domains/DomainTest.java b/src/test/java/com/cloudbees/plugins/credentials/domains/DomainTest.java
index 4c521c5e5..d9d571646 100644
--- a/src/test/java/com/cloudbees/plugins/credentials/domains/DomainTest.java
+++ b/src/test/java/com/cloudbees/plugins/credentials/domains/DomainTest.java
@@ -96,32 +96,32 @@ public void testCredentialsInCustomDomains() throws IOException {
List reqFoo = Arrays.asList(new DomainRequirement[] { new HostnameRequirement("foo.com") });
List reqBar = Arrays.asList(new DomainRequirement[] { new HostnameRequirement("bar.com") });
- assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqFoo).isEmpty());
- assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqBar).isEmpty());
+ assertTrue(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, ACL.SYSTEM2, reqFoo).isEmpty());
+ assertTrue(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, ACL.SYSTEM2, reqBar).isEmpty());
// Add credentials to domains
store.addCredentials(domainFoo, systemCred);
store.addCredentials(domainBar, systemCred1);
// Search credentials with specific domain restrictions
- assertEquals(1, CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqFoo).size());
- assertEquals(systemCred.getUsername(), CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqFoo).get(0).getUsername());
- assertEquals(1, CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqBar).size());
- assertEquals(systemCred1.getUsername(), CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqBar).get(0).getUsername());
+ assertEquals(1, CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, ACL.SYSTEM2, reqFoo).size());
+ assertEquals(systemCred.getUsername(), CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, ACL.SYSTEM2, reqFoo).get(0).getUsername());
+ assertEquals(1, CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, ACL.SYSTEM2, reqBar).size());
+ assertEquals(systemCred1.getUsername(), CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, ACL.SYSTEM2, reqBar).get(0).getUsername());
// Update credential from domain
store.updateCredentials(domainFoo, systemCred, systemCredMod);
- assertEquals(1, CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqFoo).size());
- assertEquals(systemCredMod.getUsername(), CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqFoo).get(0).getUsername());
- assertEquals(1, CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqBar).size());
- assertEquals(systemCred1.getUsername(), CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqBar).get(0).getUsername());
+ assertEquals(1, CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, ACL.SYSTEM2, reqFoo).size());
+ assertEquals(systemCredMod.getUsername(), CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, ACL.SYSTEM2, reqFoo).get(0).getUsername());
+ assertEquals(1, CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, ACL.SYSTEM2, reqBar).size());
+ assertEquals(systemCred1.getUsername(), CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, ACL.SYSTEM2, reqBar).get(0).getUsername());
// Remove credential from domain
store.removeCredentials(domainFoo, systemCredMod);
- assertTrue(CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqFoo).isEmpty());
- assertEquals(1, CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqBar).size());
- assertEquals(systemCred1.getUsername(), CredentialsProvider.lookupCredentials(DummyCredentials.class, r.jenkins, ACL.SYSTEM, reqBar).get(0).getUsername());
+ assertTrue(CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, ACL.SYSTEM2, reqFoo).isEmpty());
+ assertEquals(1, CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, ACL.SYSTEM2, reqBar).size());
+ assertEquals(systemCred1.getUsername(), CredentialsProvider.lookupCredentialsInItemGroup(DummyCredentials.class, r.jenkins, ACL.SYSTEM2, reqBar).get(0).getUsername());
}
}
diff --git a/src/test/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImplTest.java b/src/test/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImplTest.java
index eeeaa2277..246228d64 100644
--- a/src/test/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImplTest.java
+++ b/src/test/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImplTest.java
@@ -340,12 +340,12 @@ public void fullSubmitOfUploadedKeystore() throws Exception {
newCredentialsForm.getInputsByName("_.password").forEach(input -> input.setValue(VALID_PASSWORD));
htmlPage.getDocumentElement().querySelector("input[type=file][name=uploadedCertFile]");
- List certificateCredentials = CredentialsProvider.lookupCredentials(CertificateCredentials.class, (ItemGroup>) null, ACL.SYSTEM);
+ List certificateCredentials = CredentialsProvider.lookupCredentialsInItemGroup(CertificateCredentials.class, (ItemGroup>) null, ACL.SYSTEM2);
assertThat(certificateCredentials, hasSize(0));
r.submit(newCredentialsForm);
- certificateCredentials = CredentialsProvider.lookupCredentials(CertificateCredentials.class, (ItemGroup>) null, ACL.SYSTEM);
+ certificateCredentials = CredentialsProvider.lookupCredentialsInItemGroup(CertificateCredentials.class, (ItemGroup>) null, ACL.SYSTEM2);
assertThat(certificateCredentials, hasSize(1));
CertificateCredentials certificate = certificateCredentials.get(0);