Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
FIY695
jenkins
提交
57e78880
J
jenkins
项目概览
FIY695
/
jenkins
与 Fork 源项目一致
从无法访问的项目Fork
通知
1
Star
0
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
J
jenkins
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
体验新版 GitCode,发现更多精彩内容 >>
提交
57e78880
编写于
3月 16, 2015
作者:
K
Kohsuke Kawaguchi
浏览文件
操作
浏览文件
下载
差异文件
Merge pull request #13 from jenkinsci-cert/SECURITY-180
[SECURITY-180] arbitrary API Token change/leak via changeToken
上级
25411a0b
25bf232c
变更
2
隐藏空白更改
内联
并排
Showing
2 changed file
with
45 addition
and
0 deletion
+45
-0
core/src/main/java/jenkins/security/ApiTokenProperty.java
core/src/main/java/jenkins/security/ApiTokenProperty.java
+1
-0
test/src/test/java/hudson/model/UserTest.java
test/src/test/java/hudson/model/UserTest.java
+44
-0
未找到文件。
core/src/main/java/jenkins/security/ApiTokenProperty.java
浏览文件 @
57e78880
...
...
@@ -81,6 +81,7 @@ public class ApiTokenProperty extends UserProperty {
}
public
void
changeApiToken
()
throws
IOException
{
user
.
checkPermission
(
Jenkins
.
ADMINISTER
);
_changeApiToken
();
if
(
user
!=
null
)
user
.
save
();
...
...
test/src/test/java/hudson/model/UserTest.java
浏览文件 @
57e78880
...
...
@@ -28,19 +28,27 @@ import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
import
com.gargoylesoftware.htmlunit.WebAssert
;
import
com.gargoylesoftware.htmlunit.html.HtmlForm
;
import
com.gargoylesoftware.htmlunit.html.HtmlPage
;
import
hudson.security.AccessDeniedException2
;
import
hudson.security.GlobalMatrixAuthorizationStrategy
;
import
hudson.security.HudsonPrivateSecurityRealm
;
import
hudson.security.Permission
;
import
hudson.tasks.MailAddressResolver
;
import
java.io.IOException
;
import
java.io.PrintStream
;
import
java.util.Collections
;
import
jenkins.model.Jenkins
;
import
jenkins.security.ApiTokenProperty
;
import
org.acegisecurity.AccessDeniedException
;
import
org.acegisecurity.Authentication
;
import
org.acegisecurity.context.SecurityContext
;
import
org.acegisecurity.context.SecurityContextHolder
;
import
static
org
.
junit
.
Assert
.*;
import
org.junit.Rule
;
import
org.junit.Test
;
import
org.jvnet.hudson.test.Bug
;
...
...
@@ -419,6 +427,42 @@ public class UserTest {
assertTrue
(
"User should be able to delete."
,
user
.
canDelete
());
}
@Test
// @Issue("SECURITY-180")
public
void
security180
()
throws
Exception
{
final
GlobalMatrixAuthorizationStrategy
auth
=
new
GlobalMatrixAuthorizationStrategy
();
j
.
jenkins
.
setAuthorizationStrategy
(
auth
);
j
.
jenkins
.
setSecurityRealm
(
new
HudsonPrivateSecurityRealm
(
false
));
User
alice
=
User
.
get
(
"alice"
);
User
bob
=
User
.
get
(
"bob"
);
User
anonymous
=
User
.
get
(
"anonymous"
);
User
admin
=
User
.
get
(
"admin"
);
auth
.
add
(
Jenkins
.
READ
,
alice
.
getId
());
auth
.
add
(
Jenkins
.
READ
,
bob
.
getId
());
auth
.
add
(
Jenkins
.
ADMINISTER
,
admin
.
getId
());
SecurityContextHolder
.
getContext
().
setAuthentication
(
admin
.
impersonate
());
// Change token by admin
admin
.
getProperty
(
ApiTokenProperty
.
class
).
changeApiToken
();
alice
.
getProperty
(
ApiTokenProperty
.
class
).
changeApiToken
();
SecurityContextHolder
.
getContext
().
setAuthentication
(
bob
.
impersonate
());
// Change own token
bob
.
getProperty
(
ApiTokenProperty
.
class
).
changeApiToken
();
try
{
alice
.
getProperty
(
ApiTokenProperty
.
class
).
changeApiToken
();
fail
(
"Bob should not be authorized to change alice's token"
);
}
catch
(
AccessDeniedException
expected
)
{
}
try
{
anonymous
.
getProperty
(
ApiTokenProperty
.
class
).
changeApiToken
();
fail
(
"Anonymous should not be authorized to change alice's token"
);
}
catch
(
AccessDeniedException
expected
)
{
}
}
@Test
public
void
testGetDynamic
()
{
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录