From ba2d2c3c6a4858081a3abba747586df79c347adf Mon Sep 17 00:00:00 2001
From: kohsuke
Date: Tue, 26 Feb 2008 17:54:57 +0000
Subject: [PATCH] defined the 'SYSTEM' user.
git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@7203 71c3de6d-444a-0410-be80-ed276b4c234a
---
 core/src/main/java/hudson/security/ACL.java | 19 +++++++++++++++++++
 .../src/main/java/hudson/security/SidACL.java | 1 +
 .../main/java/hudson/security/SparseACL.java | 1 +
 3 files changed, 21 insertions(+)
diff --git a/core/src/main/java/hudson/security/ACL.java b/core/src/main/java/hudson/security/ACL.java
index 37ff2966ba..70c299bbde 100644
--- a/core/src/main/java/hudson/security/ACL.java
+++ b/core/src/main/java/hudson/security/ACL.java
@@ -2,6 +2,7 @@ package hudson.security;
 import org.acegisecurity.AccessDeniedException;
 import org.acegisecurity.Authentication;
+import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
 import org.acegisecurity.acls.sid.PrincipalSid;
 import org.acegisecurity.acls.sid.Sid;
 import org.acegisecurity.context.SecurityContextHolder;
@@ -40,6 +41,10 @@ public abstract class ACL {
 /**
 * Checks if the given principle has the given permission.
+ *
+ *

+ * Note that {@link #SYSTEM} can be passed in as the authentication parameter,
+ * in which case you should probably just assume it has every permission.
 */
 public abstract boolean hasPermission(Authentication a, Permission permission);
@@ -64,4 +69,18 @@ public abstract class ACL {
 * regardless of the current {@link SecurityRealm} in use.
 */
 public static final Sid ANONYMOUS = new PrincipalSid("anonymous");
+
+ /**
+ * {@link Sid} that represents the Hudson itself.
+ *

+ * This is used when Hudson is performing computation for itself, instead
+ * of acting on behalf of an user, such as doing builds.
+ *
+ *

+ * Technically speaking, this is probably a broken concept, because Hudson never
+ * does anything on its own; for example, it builds a project because someone
+ * configures it or someone triggers it, so ideally Hudson should be impersonating
+ * that user when executing things.
+ */
+ public static final Authentication SYSTEM = new UsernamePasswordAuthenticationToken("SYSTEM","SYSTEM");
 }
diff --git a/core/src/main/java/hudson/security/SidACL.java b/core/src/main/java/hudson/security/SidACL.java
index eb6a88d202..836142d0f5 100644
--- a/core/src/main/java/hudson/security/SidACL.java
+++ b/core/src/main/java/hudson/security/SidACL.java
@@ -16,6 +16,7 @@ public abstract class SidACL extends ACL {
 @Override
 public boolean hasPermission(Authentication a, Permission permission) {
+ if(a==SYSTEM) return true;
 Boolean b = _hasPermission(a,permission);
 if(b==null) b=false; // default to rejection
 return b;
diff --git a/core/src/main/java/hudson/security/SparseACL.java b/core/src/main/java/hudson/security/SparseACL.java
index 80f9217c35..52bc71057f 100644
--- a/core/src/main/java/hudson/security/SparseACL.java
+++ b/core/src/main/java/hudson/security/SparseACL.java
@@ -44,6 +44,7 @@ public class SparseACL extends SidACL {
 }
 public boolean hasPermission(Authentication a, Permission permission) {
+ if(a==SYSTEM) return true;
 Boolean b = _hasPermission(a,permission);
 if(b!=null) return b;
-- GitLab
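Review bot: The Javadoc on the new `SYSTEM` constant calls it a `{@link Sid}`, but the field is an `Authentication`, and it never says that callers must recognise it by object identity. The principal is the plain string "SYSTEM", so a security realm could hold a real account with that name, and any check written against `getName()` rather than `a==SYSTEM` would give that account the all-permissions treatment; I would add a sentence such as `Compare with ==; never grant rights based on the name "SYSTEM".` The two-argument `UsernamePasswordAuthenticationToken` constructor, as far as I know, leaves the token unauthenticated and the instance mutable, so it is worth confirming that nothing tests `isAuthenticated()` on it or calls setters on this shared singleton. The body of class `ACL` starts outside the hunk.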
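Review bot: The added `if(a==SYSTEM) return true;` in `SidACL.hasPermission` depends on reference identity, which is the right choice but is not explained, so a later change to `equals()` could let a look-alike token built with the same principal and credentials skip every ACL check. A comment on the line would pin that down, e.g. `// identity on purpose: only the ACL.SYSTEM singleton bypasses the ACL`. The same line is added to `SparseACL.hasPermission` in the next hunk, so the bypass now lives in two overrides, while the `ACL.hasPermission` Javadoc only says implementations "should probably" honour it. An `ACL` subclass outside `SidACL` that omits the line will deny SYSTEM, which fails closed but may surprise callers, so the contract deserves normative wording. Both method bodies continue outside their hunks.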