diff --git a/core/src/main/java/hudson/model/AbstractProject.java b/core/src/main/java/hudson/model/AbstractProject.java index 804b805129cfb3147e4b440a6bf2c53546eb927c..d05ef17d5e4cbd31b0a324d1b32b3cc8e476ee3c 100644 --- a/core/src/main/java/hudson/model/AbstractProject.java +++ b/core/src/main/java/hudson/model/AbstractProject.java @@ -39,7 +39,6 @@ import hudson.Launcher; import hudson.Util; import hudson.cli.declarative.CLIMethod; import hudson.cli.declarative.CLIResolver; -import hudson.matrix.MatrixConfiguration; import hudson.model.Cause.LegacyCodeCause; import hudson.model.Cause.RemoteCause; import hudson.model.Cause.UserIdCause; @@ -90,9 +89,6 @@ import jenkins.model.lazy.AbstractLazyLoadRunMap.Direction; import jenkins.scm.DefaultSCMCheckoutStrategyImpl; import jenkins.scm.SCMCheckoutStrategy; import jenkins.scm.SCMCheckoutStrategyDescriptor; -import jenkins.security.ProjectAuthenticator; -import jenkins.security.ProjectAuthenticatorConfiguration; -import jenkins.security.ProjectAuthenticatorConfiguration; import jenkins.util.TimeDuration; import net.sf.json.JSONObject; import org.acegisecurity.Authentication; @@ -113,6 +109,7 @@ import org.kohsuke.stapler.StaplerResponse; import org.kohsuke.stapler.export.Exported; import org.kohsuke.stapler.interceptor.RequirePOST; +import javax.annotation.Nonnull; import javax.servlet.ServletException; import java.io.File; import java.io.IOException; @@ -1178,13 +1175,10 @@ public abstract class AbstractProject

,R extends A return this; } - /** - * Let the identity determined by {@link ProjectAuthenticator}. - * - * @since 1.520 - */ - public Authentication getIdentity() { - return ProjectAuthenticatorConfiguration.get().authenticate(this); + @Nonnull + public Authentication getDefaultAuthentication() { + // backward compatible behaviour. + return ACL.SYSTEM; } /** diff --git a/core/src/main/java/hudson/model/Executor.java b/core/src/main/java/hudson/model/Executor.java index f2aaf341cde9759d84350669b9fe7e50aac3392f..2aa98d02197bc326b3f98e4bad977ab14ac3b200 100644 --- a/core/src/main/java/hudson/model/Executor.java +++ b/core/src/main/java/hudson/model/Executor.java @@ -239,7 +239,7 @@ public class Executor extends Thread implements ModelObject { } } - final SecurityContext savedContext = ACL.impersonate(Tasks.getIdentityOf(task)); + final SecurityContext savedContext = ACL.impersonate(workUnit.context.item.authenticate()); try { setName(threadName + " : executing " + executable.toString()); if (LOGGER.isLoggable(FINE)) diff --git a/core/src/main/java/hudson/model/Node.java b/core/src/main/java/hudson/model/Node.java index e8f7af4665461aa5d67053683b1206f2937ad8a1..c57d1c188ee721764abc57586f998ecf7c89193e 100644 --- a/core/src/main/java/hudson/model/Node.java +++ b/core/src/main/java/hudson/model/Node.java @@ -327,7 +327,7 @@ public abstract class Node extends AbstractModelObject implements Reconfigurable if(l==null && getMode()== Mode.EXCLUSIVE) return CauseOfBlockage.fromMessage(Messages._Node_BecauseNodeIsReserved(getNodeName())); // this node is reserved for tasks that are tied to it - Authentication identity = item.task.getIdentity(); + Authentication identity = item.authenticate(); if (!getACL().hasPermission(identity,AbstractProject.BUILD)) { // doesn't have a permission // TODO: does it make more sense to define a separate permission? 
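Review bot: The new public `getDefaultAuthentication()` in AbstractProject drops the Javadoc that the removed `getIdentity()` had, and its only comment, `// backward compatible behaviour.`, does not say that the returned value is the super-user identity. I would add a Javadoc along the lines of `Builds of this project run as {@link ACL#SYSTEM} unless a configured {@link QueueItemAuthenticator} assigns another identity.` with `@since 1.520`, so a reader of the API sees that the default bypasses access control. The enclosing class starts and ends outside the hunk.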
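Review bot: `workUnit.context.item.authenticate()` resolves the identity again at execution time, while the `Node` and `MappingWorksheet` hunks in this commit each resolve it separately when they check `AbstractProject.BUILD` on the node. Nothing visible here guarantees that the authenticator chain returns the same `Authentication` on every call (the configured list can change, or an implementation may depend on mutable state), so a build could run under an identity that was never checked against the node ACL. Consider resolving once when the item is scheduled and carrying that result to the executor, or state on `QueueItemAuthenticator#authenticate` that the result must be stable for a given item. The enclosing method lies outside the hunk, so whether `workUnit.context.item` can be null at this point is not visible.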
diff --git a/core/src/main/java/hudson/model/Queue.java b/core/src/main/java/hudson/model/Queue.java index a162856f59a4083b31498561e6ce7f55171fece0..03f73f882db9c43d0ab4f5edf684bbe1b425d1e9 100644 --- a/core/src/main/java/hudson/model/Queue.java +++ b/core/src/main/java/hudson/model/Queue.java @@ -62,6 +62,7 @@ import hudson.model.queue.CauseOfBlockage.BecauseNodeIsOffline; import hudson.model.queue.CauseOfBlockage.BecauseLabelIsOffline; import hudson.model.queue.CauseOfBlockage.BecauseNodeIsBusy; import hudson.model.queue.WorkUnitContext; +import hudson.security.ACL; import hudson.triggers.SafeTimerTask; import hudson.triggers.Trigger; import hudson.util.OneShotEvent; @@ -99,10 +100,14 @@ import java.util.concurrent.atomic.AtomicLong; import java.util.logging.Level; import java.util.logging.Logger; +import javax.annotation.Nonnull; import javax.servlet.ServletException; import jenkins.model.Jenkins; +import jenkins.security.QueueItemAuthenticator; +import jenkins.security.QueueItemAuthenticatorConfiguration; import org.acegisecurity.AccessDeniedException; +import org.acegisecurity.Authentication; import org.kohsuke.stapler.HttpResponse; import org.kohsuke.stapler.HttpResponses; import org.kohsuke.stapler.export.Exported; @@ -1282,6 +1287,28 @@ public class Queue extends ResourceController implements Saveable { * @since 1.377 */ Collection getSubTasks(); + + /** + * This method allows the task to provide the default fallback authentication object to be used + * when {@link QueueItemAuthenticator} fails to authenticate the build. + * + *

+ * When the task execution touches other objects inside Jenkins, the access control is performed + * based on whether this {@link Authentication} is allowed to use them. Implementers, if you are unsure, + * consider returning the identity of the user who created the task, or + * {@link ACL#SYSTEM} to bypass the access control and run as the super user, which has been + * the traditional behaviour.) + * + *

+ * This method was added to an interface after it was created, so plugins built against + * older versions of Jenkins may not have this method implemented. Called {@link Tasks#_getDefaultAuthenticationOf(Task)} + * to avoid {@link AbstractMethodError}. + * + * @since 1.520 + * @see QueueItemAuthenticator + * @see Tasks#getDefaultAuthenticationOf(Task) + */ + @Nonnull Authentication getDefaultAuthentication(); } /** @@ -1512,6 +1539,27 @@ public class Queue extends ResourceController implements Saveable { return HttpResponses.forwardToPreviousPage(); } + /** + * Returns the identity that this task carries when it runs, for the purpose of access control. + * + * When the task execution touches other objects inside Jenkins, the access control is performed + * based on whether this {@link Authentication} is allowed to use them. Implementers, if you are unsure, + * return the identity of the user who queued the task, or {@link ACL#SYSTEM} to bypass the access control + * and run as the super user. + * + * @since 1.520 + */ + @Nonnull + public Authentication authenticate() { + for (QueueItemAuthenticator auth : QueueItemAuthenticatorConfiguration.get().getAuthenticators()) { + Authentication a = auth.authenticate(this); + if (a!=null) + return a; + } + return Tasks.getDefaultAuthenticationOf(task); + } + + /** * Participates in the cancellation logic to set the {@link #future} accordingly. */ diff --git a/core/src/main/java/hudson/model/queue/AbstractQueueTask.java b/core/src/main/java/hudson/model/queue/AbstractQueueTask.java index 67d5a6229ac436d09376c1d89f7a9c6dd90dea05..6b1ebe1d1545d59d96b5b817764b65567f02ddf2 100644 --- a/core/src/main/java/hudson/model/queue/AbstractQueueTask.java +++ b/core/src/main/java/hudson/model/queue/AbstractQueueTask.java 
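Review bot: The Javadoc on `Task#getDefaultAuthentication()` directs callers to `{@link Tasks#_getDefaultAuthenticationOf(Task)}`, which is the private helper in `Tasks`; the public entry point that catches `AbstractMethodError` is `Tasks#getDefaultAuthenticationOf(Task)`. I would change the sentence to `Call {@link Tasks#getDefaultAuthenticationOf(Task)} to avoid {@link AbstractMethodError}.` and drop the unmatched `)` after `traditional behaviour.`. It is also worth stating in that paragraph that tasks from plugins built against older cores run as `ACL.SYSTEM`, since that is what the fallback in `Tasks` returns.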
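Review bot: The Javadoc on `Item#authenticate()` is the text of the removed `SubTask#getIdentity()` and still addresses "Implementers", although this is a concrete method with nothing to implement. It should describe the resolution order instead: each configured `QueueItemAuthenticator` is asked in list order, the first non-null result wins, and otherwise `Tasks.getDefaultAuthenticationOf(task)` is used, which yields `ACL.SYSTEM` for tasks that do not supply their own default. Separately, an exception thrown by one authenticator propagates out of the loop into the scheduling and executor call sites changed in this commit; whether to catch it, log it and refuse the item rather than let it escape is a decision worth making explicitly here.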
@@ -62,7 +62,7 @@ public abstract class AbstractQueueTask implements Queue.Task { /** * This default implementation is the historical behaviour, but this is no longer desirable. Please override. - * See {@link SubTask#getIdentity()} for the contract. + * See {@link Task#getIdentity()} for the contract. */ public Authentication getIdentity() { return ACL.SYSTEM; diff --git a/core/src/main/java/hudson/model/queue/AbstractSubTask.java b/core/src/main/java/hudson/model/queue/AbstractSubTask.java index d405326d0411bd2a26a433087ee07f274a613467..a031d9ef81f8beaa71dab99f9fa9600ceeaec09a 100644 --- a/core/src/main/java/hudson/model/queue/AbstractSubTask.java +++ b/core/src/main/java/hudson/model/queue/AbstractSubTask.java @@ -26,8 +26,6 @@ package hudson.model.queue; import hudson.model.Label; import hudson.model.Node; import hudson.model.ResourceList; -import hudson.security.ACL; -import org.acegisecurity.Authentication; /** * Partial default implementation of {@link SubTask} to avoid @@ -55,8 +53,4 @@ public abstract class AbstractSubTask implements SubTask { public ResourceList getResourceList() { return new ResourceList(); } - - public Authentication getIdentity() { - return getOwnerTask().getIdentity(); - } } diff --git a/core/src/main/java/hudson/model/queue/MappingWorksheet.java b/core/src/main/java/hudson/model/queue/MappingWorksheet.java index e081f51523cdbe4a00dbc526d2491da8cad76304..c073ee70bda72eaf06dc6195e5cd49bd0d9f29e4 100644 --- a/core/src/main/java/hudson/model/queue/MappingWorksheet.java +++ b/core/src/main/java/hudson/model/queue/MappingWorksheet.java @@ -67,9 +67,6 @@ import static java.lang.Math.*; * See {@link SubTask#getSameNodeConstraint()} *
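Review bot: The updated link `{@link Task#getIdentity()}` points at a method this commit does not define: `getIdentity()` is removed from `SubTask`, and the method added to `Queue.Task` is `getDefaultAuthentication()`. As far as the diff shows, `AbstractQueueTask.getIdentity()` stays under the old name, so subclasses inherit no implementation of the new interface method and would either fail to compile or, for binaries built earlier, fall through to the `AbstractMethodError` catch in `Tasks`. I would rename the method to `getDefaultAuthentication()` and point the comment at `{@link Task#getDefaultAuthentication()}`. The `QueueTaskFilter` hunk has the related gap: its delegating `getIdentity()` is deleted with no `getDefaultAuthentication()` returning `base.getDefaultAuthentication()`, so a filter would not carry the wrapped task's identity.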

  • * Label constraint. {@link SubTask}s can specify that it can be only run on nodes that has the label. - *
  • - * Permission constraint. {@link SubTask}s have {@linkplain SubTask#getIdentity() identities} that need to have - * permissions to build on the node. * * *

    @@ -137,10 +134,8 @@ public class MappingWorksheet { if (c.assignedLabel!=null && !c.assignedLabel.contains(node)) return false; // label mismatch - for (SubTask task : c) { - if (!nodeAcl.hasPermission(task.getIdentity(), AbstractProject.BUILD)) - return false; // tasks don't have a permission to run on this node - } + if (!nodeAcl.hasPermission(item.authenticate(), AbstractProject.BUILD)) + return false; // tasks don't have a permission to run on this node return true; } diff --git a/core/src/main/java/hudson/model/queue/QueueTaskFilter.java b/core/src/main/java/hudson/model/queue/QueueTaskFilter.java index 2399d103f9cd8b20ddd843c64a855bb3708931e0..b8b6e240c85ceb330ccc76c3d9a663936f92be3f 100644 --- a/core/src/main/java/hudson/model/queue/QueueTaskFilter.java +++ b/core/src/main/java/hudson/model/queue/QueueTaskFilter.java @@ -30,7 +30,6 @@ import hudson.model.Queue; import hudson.model.Queue.Executable; import hudson.model.Queue.Task; import hudson.model.ResourceList; -import org.acegisecurity.Authentication; import java.io.IOException; import java.util.Collection; @@ -119,8 +118,4 @@ public abstract class QueueTaskFilter implements Queue.Task { public Object getSameNodeConstraint() { return base.getSameNodeConstraint(); } - - public Authentication getIdentity() { - return base.getIdentity(); - } } diff --git a/core/src/main/java/hudson/model/queue/SubTask.java b/core/src/main/java/hudson/model/queue/SubTask.java index 6a31232625f2e31c3aa1b02392c264e74fea8d21..c5dc1391cd75e885dc6aec90a17bfe867145f6f5 100644 --- a/core/src/main/java/hudson/model/queue/SubTask.java +++ b/core/src/main/java/hudson/model/queue/SubTask.java 
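Review bot: The class Javadoc bullet for the permission constraint is deleted in the earlier hunk of this file, yet this hunk still rejects a node when `nodeAcl.hasPermission(item.authenticate(), AbstractProject.BUILD)` is false, so the documented list of constraints no longer matches what is enforced. I would keep the bullet and reword it, e.g. `Permission constraint. The identity from {@link Queue.Item#authenticate()} needs to have permission to build on the node.` Also, `item.authenticate()` walks the whole authenticator chain and this check appears to run once per candidate, so resolving the identity once per worksheet would avoid repeated calls and keep the answer consistent across nodes. The enclosing method starts outside the hunk.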
@@ -86,17 +86,4 @@ public interface SubTask extends ResourceActivity { * colocation constraint. */ Object getSameNodeConstraint(); - - /** - * Returns the identity that this task carries when it runs, for the purpose of access control. - * - * When the task execution touches other objects inside Jenkins, the access control is performed - * based on whether this {@link Authentication} is allowed to use them. Implementers, if you are unsure, - * return the identity of the user who queued the task, or {@link ACL#SYSTEM} to bypass the access control - * and run as the super user. - * - * @since 1.520 - * @see Tasks#getIdentityOf(SubTask) - */ - @Nonnull Authentication getIdentity(); } diff --git a/core/src/main/java/hudson/model/queue/Tasks.java b/core/src/main/java/hudson/model/queue/Tasks.java index f4a1987782a64c9b7d28f4a7075631a05d2501c3..f53c846da6809553bee668c16b2a1ce270e04ae4 100644 --- a/core/src/main/java/hudson/model/queue/Tasks.java +++ b/core/src/main/java/hudson/model/queue/Tasks.java @@ -90,13 +90,13 @@ public class Tasks { * A pointless function to work around what appears to be a HotSpot problem. See JENKINS-5756 and bug 6933067 * on BugParade for more details. */ - private static Authentication _getIdentityOf(SubTask t) { - return t.getIdentity(); + private static Authentication _getDefaultAuthenticationOf(Task t) { + return t.getDefaultAuthentication(); } - public static Authentication getIdentityOf(SubTask t) { + public static Authentication getDefaultAuthenticationOf(Task t) { try { - return _getIdentityOf(t); + return _getDefaultAuthenticationOf(t); } catch (AbstractMethodError e) { return ACL.SYSTEM; } diff --git a/core/src/main/java/jenkins/security/ProjectAuthenticator.java b/core/src/main/java/jenkins/security/ProjectAuthenticator.java deleted file mode 100644 index 03ca50431967b6752c0bb242121eae3c3101b9e5..0000000000000000000000000000000000000000 --- a/core/src/main/java/jenkins/security/ProjectAuthenticator.java +++ /dev/null 
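Review bot: `getDefaultAuthenticationOf` still turns `AbstractMethodError` into `ACL.SYSTEM` without any trace, so a task type from a plugin compiled against an older core runs as the super user and nothing tells an administrator which task types take this path. A log line in the catch block that names `t.getClass()` would make those tasks discoverable, and the method deserves a Javadoc stating this fallback, since it is now the public entry point referenced from `Queue.Task`. Renaming the public static `getIdentityOf(SubTask)` also removes it for any external caller; that may be acceptable if the old name never shipped in a release, but it should be a conscious choice. The end of the method lies outside the hunk.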
@@ -1,39 +0,0 @@
-package jenkins.security;
-
-import hudson.ExtensionPoint;
-import hudson.model.AbstractBuild;
-import hudson.model.AbstractDescribableImpl;
-import hudson.model.AbstractProject;
-import hudson.security.ACL;
-import org.acegisecurity.Authentication;
-
-import javax.annotation.CheckForNull;
-
-/**
- * Extension point to run {@link AbstractBuild}s under a specific identity for better access control.
- *
- * @author Kohsuke Kawaguchi
- * @since 1.520
- * @see ProjectAuthenticatorConfiguration
- * @see AbstractProject#getIdentity()
- */
-public abstract class ProjectAuthenticator extends AbstractDescribableImpl implements ExtensionPoint {
- /**
- * Determines the identity in which the build will run as.
- *
- * @param project
- * The project to be built.
- *
- * @return
- * returning non-null will determine the identity. If null is returned, the next
- * configured {@link ProjectAuthenticator} will be given a chance to authenticate
- * the executor. If everything fails, fall back to the historical behaviour of
- * {@link ACL#SYSTEM}.
- */
- public abstract @CheckForNull Authentication authenticate(AbstractProject project);
-
- @Override
- public ProjectAuthenticatorDescriptor getDescriptor() {
- return (ProjectAuthenticatorDescriptor)super.getDescriptor();
- }
-}
diff --git a/core/src/main/java/jenkins/security/ProjectAuthenticatorConfiguration.java b/core/src/main/java/jenkins/security/ProjectAuthenticatorConfiguration.java
deleted file mode 100644
index 03d21c995ec34835ae318178bf02fceb26ff8b64..0000000000000000000000000000000000000000
--- a/core/src/main/java/jenkins/security/ProjectAuthenticatorConfiguration.java
+++ /dev/null
@@ -1,62 +0,0 @@
-package jenkins.security;
-
-import hudson.Extension;
-import hudson.model.AbstractProject;
-import hudson.security.ACL;
-import hudson.util.DescribableList;
-import jenkins.model.GlobalConfiguration;
-import jenkins.model.GlobalConfigurationCategory;
-import jenkins.model.Jenkins;
-import net.sf.json.JSONObject;
-import org.acegisecurity.Authentication;
-import org.kohsuke.stapler.StaplerRequest;
-
-import java.io.IOException;
-
-/**
- * Show the {@link ProjectAuthenticator} configurations on the system config page.
- *
- * @author Kohsuke Kawaguchi
- * @since 1.520
- */
-@Extension
-public class ProjectAuthenticatorConfiguration extends GlobalConfiguration {
- private final DescribableList authenticators
- = new DescribableList(this);
-
- public ProjectAuthenticatorConfiguration() {
- load();
- }
-
- @Override
- public GlobalConfigurationCategory getCategory() {
- return GlobalConfigurationCategory.get(GlobalConfigurationCategory.Security.class);
- }
-
- public DescribableList getAuthenticators() {
- return authenticators;
- }
-
- @Override
- public boolean configure(StaplerRequest req, JSONObject json) throws FormException {
- try {
- authenticators.rebuildHetero(req,json, ProjectAuthenticatorDescriptor.all(),"authenticators");
- return true;
- } catch (IOException e) {
- throw new FormException(e,"authenticators");
- }
- }
-
- public Authentication authenticate(AbstractProject project) {
- for (ProjectAuthenticator auth : get().getAuthenticators()) {
- Authentication a = auth.authenticate(project);
- if (a!=null)
- return a;
- }
- return ACL.SYSTEM;
- }
-
- public static ProjectAuthenticatorConfiguration get() {
- return Jenkins.getInstance().getInjector().getInstance(ProjectAuthenticatorConfiguration.class);
- }
-}
diff --git a/core/src/main/java/jenkins/security/ProjectAuthenticatorDescriptor.java b/core/src/main/java/jenkins/security/ProjectAuthenticatorDescriptor.java
deleted file mode 100644
index 7177644db3da79f8700d837acd3f0879e38b0bb8..0000000000000000000000000000000000000000
--- a/core/src/main/java/jenkins/security/ProjectAuthenticatorDescriptor.java
+++ /dev/null
@@ -1,19 +0,0 @@
-package jenkins.security;
-
-import hudson.DescriptorExtensionList;
-import hudson.model.Descriptor;
-import jenkins.model.Jenkins;
-
-/**
- * {@link Descriptor} for {@link ProjectAuthenticator}.
- *
- * @author Kohsuke Kawaguchi
- * @since 1.520
- */
-public abstract class ProjectAuthenticatorDescriptor extends Descriptor {
- // nothing defined here yet
-
- public static DescriptorExtensionList all() {
- return Jenkins.getInstance().getDescriptorList(ProjectAuthenticator.class);
- }
-}
diff --git a/core/src/main/java/jenkins/security/QueueItemAuthenticator.java b/core/src/main/java/jenkins/security/QueueItemAuthenticator.java
new file mode 100644
index 0000000000000000000000000000000000000000..d73ebd42b2610a53c079b1a200808d8f102004cb
--- /dev/null
+++ b/core/src/main/java/jenkins/security/QueueItemAuthenticator.java
@@ -0,0 +1,45 @@
+package jenkins.security;
+
+import hudson.ExtensionPoint;
+import hudson.model.AbstractDescribableImpl;
+import hudson.model.AbstractProject;
+import hudson.model.Action;
+import hudson.model.CauseAction;
+import hudson.model.Queue;
+import hudson.model.Queue.Item;
+import hudson.model.Queue.Task;
+import hudson.security.ACL;
+import org.acegisecurity.Authentication;
+
+import javax.annotation.CheckForNull;
+
+/**
+ * Extension point to run {@link Queue.Executable}s under a specific identity for better access control.
+ *
+ * @author Kohsuke Kawaguchi
+ * @since 1.520
+ * @see QueueItemAuthenticatorConfiguration
+ * @see Item#authenticate()
+ * @see Task#getDefaultAuthentication()
+ */
+public abstract class QueueItemAuthenticator extends AbstractDescribableImpl implements ExtensionPoint {
+ /**
+ * Determines the identity in which the {@link Queue.Executable} will run as.
+ *
+ * @param item
+ * The contextual information to assist the authentication.
+ * The primary interest is likely {@link Queue.Item#task}, which is often {@link AbstractProject}.
+ * {@link Action}s associated with the item is also likely of interest, such as {@link CauseAction}.
+ *
+ * @return
+ * returning non-null will determine the identity. If null is returned, the next
+ * configured {@link QueueItemAuthenticator} will be given a chance to authenticate
+ * the executor. If everything fails, fall back to {@link Task#getDefaultAuthentication()}.
+ */
+ public abstract @CheckForNull Authentication authenticate(Queue.Item item);
+
+ @Override
+ public QueueItemAuthenticatorDescriptor getDescriptor() {
+ return (QueueItemAuthenticatorDescriptor)super.getDescriptor();
+ }
+}
diff --git a/core/src/main/java/jenkins/security/QueueItemAuthenticatorConfiguration.java b/core/src/main/java/jenkins/security/QueueItemAuthenticatorConfiguration.java
new file mode 100644
index 0000000000000000000000000000000000000000..63044c04916865a8812e73f7a39482ce88bd78c5
--- /dev/null
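Review bot: The Javadoc on `authenticate(Queue.Item)` does not tell implementers how the method is called: in this commit `Item#authenticate()` is invoked from the node permission checks and again from the executor, so an implementation is asked several times for the same item. I would add a sentence such as `This method may be called several times for the same item and must return a consistent result without blocking.` A short note that returning `ACL.SYSTEM` gives the build super-user access would help authors avoid using it as a catch-all. `hudson.security.ACL` is imported but not referenced anywhere in the file as shown.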
+++ b/core/src/main/java/jenkins/security/QueueItemAuthenticatorConfiguration.java
@@ -0,0 +1,53 @@
+package jenkins.security;
+
+import hudson.Extension;
+import hudson.model.AbstractProject;
+import hudson.security.ACL;
+import hudson.util.DescribableList;
+import jenkins.model.GlobalConfiguration;
+import jenkins.model.GlobalConfigurationCategory;
+import jenkins.model.Jenkins;
+import net.sf.json.JSONObject;
+import org.acegisecurity.Authentication;
+import org.kohsuke.stapler.StaplerRequest;
+
+import java.io.IOException;
+
+/**
+ * Show the {@link QueueItemAuthenticator} configurations on the system config page.
+ *
+ * @author Kohsuke Kawaguchi
+ * @since 1.520
+ */
+@Extension
+public class QueueItemAuthenticatorConfiguration extends GlobalConfiguration {
+ private final DescribableList authenticators
+ = new DescribableList(this);
+
+ public QueueItemAuthenticatorConfiguration() {
+ load();
+ }
+
+ @Override
+ public GlobalConfigurationCategory getCategory() {
+ return GlobalConfigurationCategory.get(GlobalConfigurationCategory.Security.class);
+ }
+
+ public DescribableList getAuthenticators() {
+ return authenticators;
+ }
+
+ @Override
+ public boolean configure(StaplerRequest req, JSONObject json) throws FormException {
+ try {
+ authenticators.rebuildHetero(req,json, QueueItemAuthenticatorDescriptor.all(),"authenticators");
+ return true;
+ } catch (IOException e) {
+ throw new FormException(e,"authenticators");
+ }
+ }
+
+ public static QueueItemAuthenticatorConfiguration get() {
+ return Jenkins.getInstance().getInjector().getInstance(QueueItemAuthenticatorConfiguration.class);
+ }
+}
diff --git a/core/src/main/java/jenkins/security/QueueItemAuthenticatorDescriptor.java b/core/src/main/java/jenkins/security/QueueItemAuthenticatorDescriptor.java
new file mode 100644
index 0000000000000000000000000000000000000000..5a404365cf5400577f3d24db7c6f2134358b2e71
--- /dev/null
+++ b/core/src/main/java/jenkins/security/QueueItemAuthenticatorDescriptor.java
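Review bot: The order of `authenticators` is now security relevant, because `Queue.Item#authenticate()` returns the first non-null result, but the class Javadoc only says the list is shown on the system config page. A sentence like `Authenticators are consulted in the configured order; the first one that returns a non-null identity decides.` would make that explicit. With the `authenticate(AbstractProject)` method gone from this copy, the imports of `hudson.model.AbstractProject`, `hudson.security.ACL` and `org.acegisecurity.Authentication` look unused.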
@@ -0,0 +1,19 @@
+package jenkins.security;
+
+import hudson.DescriptorExtensionList;
+import hudson.model.Descriptor;
+import jenkins.model.Jenkins;
+
+/**
+ * {@link Descriptor} for {@link QueueItemAuthenticator}.
+ *
+ * @author Kohsuke Kawaguchi
+ * @since 1.520
+ */
+public abstract class QueueItemAuthenticatorDescriptor extends Descriptor {
+ // nothing defined here yet
+
+ public static DescriptorExtensionList all() {
+ return Jenkins.getInstance().getDescriptorList(QueueItemAuthenticator.class);
+ }
+}
diff --git a/core/src/main/resources/jenkins/security/ProjectAuthenticator/config.groovy b/core/src/main/resources/jenkins/security/ProjectAuthenticator/config.groovy
deleted file mode 100644
index 41d8916d73481003237a1a0e27abda4f994263b9..0000000000000000000000000000000000000000
--- a/core/src/main/resources/jenkins/security/ProjectAuthenticator/config.groovy
+++ /dev/null
@@ -1,2 +0,0 @@
-package jenkins.security.ProjectAuthenticator;
-// the default is empty configuration
\ No newline at end of file
diff --git a/core/src/main/resources/jenkins/security/QueueItemAuthenticator/config.groovy b/core/src/main/resources/jenkins/security/QueueItemAuthenticator/config.groovy
new file mode 100644
index 0000000000000000000000000000000000000000..7c91e5fbe5fd23acb8bb219c7827e9b96075d17f
--- /dev/null
+++ b/core/src/main/resources/jenkins/security/QueueItemAuthenticator/config.groovy
@@ -0,0 +1,2 @@
+package jenkins.security.QueueItemAuthenticator;
+// the default is empty configuration
\ No newline at end of file
diff --git a/core/src/main/resources/jenkins/security/ProjectAuthenticatorConfiguration/config.groovy b/core/src/main/resources/jenkins/security/QueueItemAuthenticatorConfiguration/config.groovy similarity index 88% rename from core/src/main/resources/jenkins/security/ProjectAuthenticatorConfiguration/config.groovy rename to core/src/main/resources/jenkins/security/QueueItemAuthenticatorConfiguration/config.groovy index d1662c00caca2d4a49bd98fc4de1e88097d2489b..7bc4cb882b1f644c18f95e9b42f6f3db91c3153e 100644 --- a/core/src/main/resources/jenkins/security/ProjectAuthenticatorConfiguration/config.groovy +++ b/core/src/main/resources/jenkins/security/QueueItemAuthenticatorConfiguration/config.groovy @@ -21,13 +21,13 @@ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN * THE SOFTWARE. */ -package jenkins.security.ProjectAuthenticatorConfiguration +package jenkins.security.QueueItemAuthenticatorConfiguration -import jenkins.security.ProjectAuthenticatorDescriptor; +import jenkins.security.QueueItemAuthenticatorDescriptor; f=namespace(lib.FormTagLib) -if (!ProjectAuthenticatorDescriptor.all().isEmpty()) { +if (!QueueItemAuthenticatorDescriptor.all().isEmpty()) { f.section(title:_("Access Control for Builds")) { f.block() { f.repeatableHeteroProperty(field:"authenticators",hasHeader:true) diff --git a/test/src/test/java/hudson/model/QueueTest.java b/test/src/test/java/hudson/model/QueueTest.java index 2c7e1a4395c1d7ddba2f512b401170f1131369e2..a458d2be9d58ac9263595e2bbf90abab48973d5d 100644 --- a/test/src/test/java/hudson/model/QueueTest.java +++ b/test/src/test/java/hudson/model/QueueTest.java 
@@ -48,8 +48,8 @@ import hudson.matrix.MatrixRun; import hudson.slaves.DummyCloudImpl; import hudson.slaves.NodeProvisioner; import jenkins.model.Jenkins; -import jenkins.security.ProjectAuthenticator; -import jenkins.security.ProjectAuthenticatorConfiguration; +import jenkins.security.QueueItemAuthenticator; +import jenkins.security.QueueItemAuthenticatorConfiguration; import org.acegisecurity.Authentication; import org.acegisecurity.GrantedAuthority; import org.acegisecurity.acls.sid.PrincipalSid; @@ -369,14 +369,14 @@ public class QueueTest extends HudsonTestCase { } @Inject - ProjectAuthenticatorConfiguration pac; + QueueItemAuthenticatorConfiguration qac; /** * Make sure that the running build actually carries an credential. */ public void testAccessControl() throws Exception { configureUserRealm(); - pac.getAuthenticators().add(new ProjectAuthenticatorImpl()); + qac.getAuthenticators().add(new QueueItemAuthenticatorImpl()); FreeStyleProject p = createFreeStyleProject(); p.getBuildersList().add(new TestBuilder() { @Override @@ -389,10 +389,9 @@ public class QueueTest extends HudsonTestCase { } @TestExtension - public static class ProjectAuthenticatorImpl extends ProjectAuthenticator { - + public static class QueueItemAuthenticatorImpl extends QueueItemAuthenticator { @Override - public Authentication authenticate(AbstractProject project) { + public Authentication authenticate(Queue.Item item) { return alice; } } @@ -412,7 +411,7 @@ public class QueueTest extends HudsonTestCase { DumbSlave s2 = createSlave(); configureUserRealm(); - pac.getAuthenticators().add(new ProjectAuthenticatorImpl()); + qac.getAuthenticators().add(new QueueItemAuthenticatorImpl()); FreeStyleProject p = createFreeStyleProject(); p.getBuildersList().add(new TestBuilder() { @Override
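Review bot: `QueueItemAuthenticatorImpl.authenticate` always returns `alice`, so the tests touched here cover only the path where the first authenticator decides. The new fallback in `Queue.Item#authenticate()` (every authenticator returns null, then `Tasks.getDefaultAuthenticationOf(task)`) has no test in this diff, and neither does the ordering between two authenticators. I would add a case with an authenticator that returns null and assert that the build runs as `ACL.SYSTEM`, plus one where a null-returning authenticator precedes `QueueItemAuthenticatorImpl`. The test method bodies extend beyond the hunks.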