[FIXED JENKINS-21254] Ensuring that all <link>s offered on the /login page can...

[FIXED JENKINS-21254] Ensuring that all <link>s offered on the /login page can be read even by anonymous users without Jenkins.READ.

[FIXED JENKINS-21254] Ensuring that all <link>s offered on the /login page can...
[FIXED JENKINS-21254] Ensuring that all <link>s offered on the /login page can be read even by anonymous users without Jenkins.READ.
7c91c402 · Jesse Glick · e9f2adff · 7c91c402 · 7c91c402 · 7c91c402
4 changed file
--- a/changelog.html
+++ b/changelog.html
@@ -55,7 +55,9 @@ Upcoming changes</a>
 <!-- Record your changes in the trunk here. -->
 <div id="trunk" style="display:none"><!--=TRUNK-BEGIN=-->
 <ul class=image>
-  <li class=>
+  <li class=bug>
+    <code>/login</code> offers link to <code>/opensearch.xml</code> which anonymous users cannot retrieve.
+    (<a href="https://issues.jenkins-ci.org/browse/JENKINS-21254">issue 21254</a>)
 </ul>
 </div><!--=TRUNK-END=-->


--- a/core/src/main/resources/lib/layout/layout.jelly
+++ b/core/src/main/resources/lib/layout/layout.jelly
@@ -132,7 +132,9 @@ ${h.initPageVariables(context)}
    <link rel="stylesheet" href="${resURL}/scripts/yui/menu/assets/skins/sam/menu.css" type="text/css" />
    <!--link rel="stylesheet" href="${resURL}/scripts/yui/editor/assets/skins/sam/editor.css" type="text/css" /-->

-    <link rel="search" type="application/opensearchdescription+xml" href="${rootURL}/opensearch.xml" title="Jenkins" />
+    <l:hasPermission permission="${app.READ}">
+      <link rel="search" type="application/opensearchdescription+xml" href="${rootURL}/opensearch.xml" title="Jenkins" />
+    </l:hasPermission>
    <meta name="ROBOTS" content="INDEX,NOFOLLOW" />
    <j:set var="mode" value="header" />
    <d:invokeBody />

--- a/test/src/main/java/org/jvnet/hudson/test/JenkinsRule.java
+++ b/test/src/main/java/org/jvnet/hudson/test/JenkinsRule.java
@@ -30,6 +30,7 @@ import com.gargoylesoftware.htmlunit.DefaultCssErrorHandler;
 import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
 import com.gargoylesoftware.htmlunit.Page;
 import com.gargoylesoftware.htmlunit.WebRequestSettings;
+import com.gargoylesoftware.htmlunit.WebResponse;
 import com.gargoylesoftware.htmlunit.html.DomNode;
 import com.gargoylesoftware.htmlunit.html.HtmlButton;
 import com.gargoylesoftware.htmlunit.html.HtmlElement;
@@ -206,6 +207,7 @@ import java.util.logging.Filter;
 import java.util.logging.Level;
 import java.util.logging.LogRecord;
 import java.util.logging.Logger;
+import javax.annotation.CheckForNull;

 import jenkins.model.JenkinsLocationConfiguration;

@@ -250,11 +252,12 @@ public class JenkinsRule implements TestRule, MethodRule, RootAction {
    protected Server server;

    /**
-     * Where in the {@link Server} is Hudson deployed?
+     * Where in the {@link Server} is Jenkins deployed?
     * <p>
     * Just like {@link javax.servlet.ServletContext#getContextPath()}, starts with '/' but doesn't end with '/'.
+     * Unlike {@link WebClient#getContextPath} this is not a complete URL.
     */
-    protected String contextPath = "/jenkins";
+    public String contextPath = "/jenkins";

    /**
     * {@link Runnable}s to be invoked at {@link #after()} .
@@ -1913,10 +1916,10 @@ public class JenkinsRule implements TestRule, MethodRule, RootAction {
        }

        /**
-         * Requests a page within Hudson.
+         * Requests an HTML page within Jenkins.
         *
         * @param relative
-         *      Relative path within Hudson. Starts without '/'.
+         *      Relative path within Jenkins. Starts without '/'.
         *      For example, "job/test/" to go to a job top page.
         */
        public HtmlPage goTo(String relative) throws IOException, SAXException {
@@ -1928,14 +1931,24 @@ public class JenkinsRule implements TestRule, MethodRule, RootAction {
            }
        }

-        public Page goTo(String relative, String expectedContentType) throws IOException, SAXException {
+        /**
+         * Requests a page within Jenkins.
+         *
+         * @param relative
+         *      Relative path within Jenkins. Starts without '/'.
+         *      For example, "job/test/" to go to a job top page.
+         * @param expectedContentType the expected {@link WebResponse#getContentType}, or null to do no such check
+         */
+        public Page goTo(String relative, @CheckForNull String expectedContentType) throws IOException, SAXException {
            assert !relative.startsWith("/");
            Page p = super.getPage(getContextPath() + relative);
-            assertThat(p.getWebResponse().getContentType(), is(expectedContentType));
+            if (expectedContentType != null) {
+                assertThat(p.getWebResponse().getContentType(), is(expectedContentType));
+            }
            return p;
        }

-        /** Loads a page as XML. Useful for testing Hudson's xml api, in concert with
+        /** Loads a page as XML. Useful for testing Jenkins's XML API, in concert with
         * assertXPath(DomNode page, String xpath)
         * @param path   the path part of the url to visit
         * @return  the XmlPage found at that url
@@ -1968,6 +1981,7 @@ public class JenkinsRule implements TestRule, MethodRule, RootAction {
        /**
         * Returns the URL of the webapp top page.
         * URL ends with '/'.
+         * <p>This is actually the same as {@link #getURL} and should not be confused with {@link #contextPath}.
         */
        public String getContextPath() throws IOException {
            return getURL().toExternalForm();

--- a/test/src/test/java/lib/layout/LayoutTest.java
+++ b/test/src/test/java/lib/layout/LayoutTest.java
+/*
+ * The MIT License
+ *
+ * Copyright 2014 Jesse Glick.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package lib.layout;
+
+import com.gargoylesoftware.htmlunit.html.HtmlElement;
+import com.gargoylesoftware.htmlunit.html.HtmlLink;
+import org.junit.Rule;
+import org.junit.Test;
+import org.jvnet.hudson.test.Bug;
+import org.jvnet.hudson.test.JenkinsRule;
+import org.jvnet.hudson.test.recipes.PresetData;
+
+public class LayoutTest {
+
+    @Rule public JenkinsRule r = new JenkinsRule();
+
+    @Bug(21254)
+    @PresetData(PresetData.DataSet.NO_ANONYMOUS_READACCESS)
+    @Test public void rejectedLinks() throws Exception {
+        JenkinsRule.WebClient wc = r.createWebClient();
+        String prefix = r.contextPath + '/';
+        for (HtmlElement e : wc.goTo("login").getElementsByTagName("link")) {
+            String href = ((HtmlLink) e).getHrefAttribute();
+            if (!href.startsWith(prefix)) {
+                System.err.println("ignoring " + href);
+                continue;
+            }
+            System.err.println("checking " + href);
+            wc.goTo(href.substring(prefix.length()), null);
+        }
+    }
+
+}