From 18e4e97e86227bff00be78c88b5d7ee62988b198 Mon Sep 17 00:00:00 2001
From: Jesse Glick
Date: Fri, 7 Dec 2012 13:30:21 -0500
Subject: [PATCH] LegacySecurityRealm.getUnprotectedRootActions
---
changelog.html | 2 +
.../hudson/security/LegacySecurityRealm.java | 24 +++++++++++
.../security/LegacySecurityRealm/index.jelly | 40 +++++++++++++++++++
.../LegacySecurityRealm/index.properties | 25 ++++++++++++
.../LegacySecurityRealm/sidepanel.jelly | 34 ++++++++++++++++
.../webapp/help/security/container-realm.html | 2 +
6 files changed, 127 insertions(+)
create mode 100644 core/src/main/resources/hudson/security/LegacySecurityRealm/index.jelly
create mode 100644 core/src/main/resources/hudson/security/LegacySecurityRealm/index.properties
create mode 100644 core/src/main/resources/hudson/security/LegacySecurityRealm/sidepanel.jelly
diff --git a/changelog.html b/changelog.html
index b9bffb14e7..e7abc0282d 100644
--- a/changelog.html
+++ b/changelog.html
@@ -69,6 +69,8 @@ Upcoming changes
  • Allows to disable triggering of downstream jobs (for a maven job) (issue 1295) +
  • + When using container-managed security, display unprotected root actions at /securityRealm/ for convenience.
  • Context menu and tooltip of the queue items were colliding with each other
  •
diff --git a/core/src/main/java/hudson/security/LegacySecurityRealm.java b/core/src/main/java/hudson/security/LegacySecurityRealm.java
index f96104625e..650c8580ab 100644
--- a/core/src/main/java/hudson/security/LegacySecurityRealm.java
+++ b/core/src/main/java/hudson/security/LegacySecurityRealm.java
@@ -32,10 +32,16 @@
 import groovy.lang.Binding;
 import hudson.model.Descriptor;
 import hudson.util.spring.BeanBuilder;
 import hudson.Extension;
+import hudson.model.Action;
+import hudson.model.UnprotectedRootAction;
+import java.util.Collection;
+import java.util.Set;
+import java.util.TreeSet;
 import net.sf.json.JSONObject;
 import javax.servlet.Filter;
 import javax.servlet.FilterConfig;
+import jenkins.model.Jenkins;
 /**
 * {@link SecurityRealm} that accepts {@link ContainerAuthentication} object
@@ -88,6 +94,24 @@ public final class LegacySecurityRealm extends SecurityRealm implements Authenti
 return (Filter) context.getBean("legacy");
 }
+ /**
+ * Gets a list of unprotected root actions.
+ * These URL prefixes should be exempted from access control checks by container-managed security.
+ * Ideally would be synchronized with {@link Jenkins#getTarget}.
+ * @return a list of {@linkplain Action#getUrlName URL names}
+ * @since 1.494
+ */
+ public Collection getUnprotectedRootActions() {
+ Set names = new TreeSet();
+ names.add("jnlpJars");
+ for (Action a : Jenkins.getInstance().getActions()) {
+ if (a instanceof UnprotectedRootAction) {
+ names.add(a.getUrlName());
+ }
+ }
+ return names;
+ }
+
 @Extension
 public static final Descriptor DESCRIPTOR = new Descriptor() {
 public SecurityRealm newInstance(StaplerRequest req, JSONObject formData) throws FormException {
diff --git a/core/src/main/resources/hudson/security/LegacySecurityRealm/index.jelly b/core/src/main/resources/hudson/security/LegacySecurityRealm/index.jelly
new file mode 100644
index 0000000000..e86166bb76
--- /dev/null
+++ b/core/src/main/resources/hudson/security/LegacySecurityRealm/index.jelly
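Review bot: In `getUnprotectedRootActions()`, `names.add(a.getUrlName())` takes whatever the action returns, yet `Action#getUrlName` is allowed to return null, and adding null to the `TreeSet` (which already holds `"jnlpJars"`) throws `NullPointerException`, so one such plugin action would break the page this method feeds. Since administrators are told to exempt these names from container authentication, an empty or absolute value should not be offered as a prefix either; `String u = a.getUrlName(); if (u != null && u.length() > 0) names.add(u);` covers the null and empty cases. The hard-coded `"jnlpJars"` can drift from what `Jenkins#getTarget` really exempts, as the Javadoc concedes, so a comment on that line and one at `getTarget` pointing at each other would help keep the two in step. The class body starts and ends outside this hunk.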
@@ -0,0 +1,40 @@ + + + + + + + + +

    ${%Unprotected URLs}

    +

    ${%blurb}

    + +
    +
    +
diff --git a/core/src/main/resources/hudson/security/LegacySecurityRealm/index.properties b/core/src/main/resources/hudson/security/LegacySecurityRealm/index.properties
new file mode 100644
index 0000000000..036c412b21
--- /dev/null
+++ b/core/src/main/resources/hudson/security/LegacySecurityRealm/index.properties
@@ -0,0 +1,25 @@
+# The MIT License
+#
+# Copyright 2012 Jesse Glick.
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+blurb=\
+ These URLs (and URLs starting with these prefixes plus a /) should require no authentication. \
+ If possible, configure your container to pass these requests straight to Jenkins without requiring login.
diff --git a/core/src/main/resources/hudson/security/LegacySecurityRealm/sidepanel.jelly b/core/src/main/resources/hudson/security/LegacySecurityRealm/sidepanel.jelly
new file mode 100644
index 0000000000..baa4ed6572
--- /dev/null
+++ b/core/src/main/resources/hudson/security/LegacySecurityRealm/sidepanel.jelly
@@ -0,0 +1,34 @@ + + + + + + + + + + + + \ No newline at end of file diff --git a/war/src/main/webapp/help/security/container-realm.html b/war/src/main/webapp/help/security/container-realm.html index 676d18a098..535ba887b3 100644 --- a/war/src/main/webapp/help/security/container-realm.html +++ b/war/src/main/webapp/help/security/container-realm.html @@ -13,4 +13,6 @@ or custom implementations to connect to a specific user realm.)
  • + +

    After enabling, see securityRealm for URLs which ought to be whitelisted by the container.

    \ No newline at end of file -- GitLab