From 70e1977f21cb75d58647349905a128ffdd3ee550 Mon Sep 17 00:00:00 2001 From: Kohsuke Kawaguchi Date: Fri, 19 Apr 2013 14:06:48 -0700 Subject: [PATCH] Call attention to the fact that the security isn't enabled. This is deemed important because we ship Jenkins without security setting by default. --- .../diagnostics/SecurityIsOffMonitor.java | 38 +++++++++++++++++++ .../SecurityIsOffMonitor/message.jelly | 36 ++++++++++++++++++ .../SecurityIsOffMonitor/message.properties | 2 + 3 files changed, 76 insertions(+) create mode 100644 core/src/main/java/jenkins/diagnostics/SecurityIsOffMonitor.java create mode 100644 core/src/main/resources/jenkins/diagnostics/SecurityIsOffMonitor/message.jelly create mode 100644 core/src/main/resources/jenkins/diagnostics/SecurityIsOffMonitor/message.properties
diff --git a/core/src/main/java/jenkins/diagnostics/SecurityIsOffMonitor.java b/core/src/main/java/jenkins/diagnostics/SecurityIsOffMonitor.java
new file mode 100644
index 0000000000..23148724b2
--- /dev/null
+++ b/core/src/main/java/jenkins/diagnostics/SecurityIsOffMonitor.java
@@ -0,0 +1,38 @@
+package jenkins.diagnostics;
+
+import hudson.Extension;
+import hudson.model.AdministrativeMonitor;
+import jenkins.model.Jenkins;
+import org.kohsuke.stapler.StaplerRequest;
+import org.kohsuke.stapler.StaplerResponse;
+
+import java.io.IOException;
+
+/**
+ * Unsecured Jenkins is, well, insecure.
+ *
+ *

+ * Call attention to the fact that Jenkins is not secured, and encourage the administrator
+ * to take an action.
+ *
+ * @author Kohsuke Kawaguchi
+ */
+@Extension
+public class SecurityIsOffMonitor extends AdministrativeMonitor {
+ @Override
+ public boolean isActivated() {
+ return !Jenkins.getInstance().isUseSecurity();
+ }
+
+ /**
+ * Depending on whether the user said "yes" or "no", send him to the right place.
+ */
+ public void doAct(StaplerRequest req, StaplerResponse rsp) throws IOException {
+ if(req.hasParameter("no")) {
+ disable(true);
+ rsp.sendRedirect(req.getContextPath()+"/manage");
+ } else {
+ rsp.sendRedirect(req.getContextPath()+"/configureSecurity");
+ }
+ }
+}
diff --git a/core/src/main/resources/jenkins/diagnostics/SecurityIsOffMonitor/message.jelly b/core/src/main/resources/jenkins/diagnostics/SecurityIsOffMonitor/message.jelly
new file mode 100644
index 0000000000..d757f6e441
--- /dev/null
+++ b/core/src/main/resources/jenkins/diagnostics/SecurityIsOffMonitor/message.jelly
@@ -0,0 +1,36 @@
+ + + +
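Review bot: `doAct` persists a state change (`disable(true)`) for any request that carries a `no` parameter, and nothing in this hunk restricts the HTTP method or checks the caller's permission, so a cross-site link loaded by an administrator's browser could silently dismiss the "security is off" warning. I would annotate the method with `@RequirePOST` (if the Stapler version in use provides it) and start its body with `Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);`, so that the dismissal stays admin-only if the endpoint remains reachable once security is turned on. The form in message.jelly would then have to submit by POST; its markup is not readable on this page, so that needs confirming.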

+
+
+ + +
+ ${%blurb} +
+
+
diff --git a/core/src/main/resources/jenkins/diagnostics/SecurityIsOffMonitor/message.properties b/core/src/main/resources/jenkins/diagnostics/SecurityIsOffMonitor/message.properties
new file mode 100644
index 0000000000..1ba45df729
--- /dev/null
+++ b/core/src/main/resources/jenkins/diagnostics/SecurityIsOffMonitor/message.properties
@@ -0,0 +1,2 @@
+blurb=Unsecured Jenkins allows anyone on the network to launch processes on your behalf. \
+ Consider at least enabling authentication to discourage misuse.
\ No newline at end of file
-- GitLab