[JENKINS-58902] Non-user-scoped credentials are not shown when build …

…authentication is configured Fix CredentialProvider to gather system credentials when users have USE_ITEM permission.
jenkinsci · Jan 17, 2022 · 1310df1 · 1310df1
1 parent 60e6c29
commit 1310df1
Showing 1 changed file with 13 additions and 4 deletions.
diff --git a/src/main/java/com/cloudbees/plugins/credentials/CredentialsProvider.java b/src/main/java/com/cloudbees/plugins/credentials/CredentialsProvider.java
@@ -561,7 +561,13 @@ public static <C extends Credentials> List<C> lookupCredentials(@NonNull Class<C
         for (CredentialsProvider provider : all()) {
             if (provider.isEnabled(item) && provider.isApplicable(type)) {
                 try {
-                    for (C c: provider.getCredentials(type, item, authentication, domainRequirements)) {
+                    List<C> credentials = provider.getCredentials(type, item, authentication, domainRequirements);
+                    // also lookup credentials as SYSTEM if granted for this item
+                    if (authentication != ACL.SYSTEM && item.getACL().hasPermission(authentication, CredentialsProvider.USE_ITEM)) {
+                        credentials.addAll(provider.getCredentials(type, item, ACL.SYSTEM, domainRequirements));
+                    }
+
+                    for (C c: credentials) {
                         if (!(c instanceof IdCredentials) || ids.add(((IdCredentials) c).getId())) {
                             // if IdCredentials, only add if we haven't added already
                             // if not IdCredentials, always add
@@ -620,9 +626,12 @@ public static <C extends IdCredentials> ListBoxModel listCredentials(@NonNull Cl
         for (CredentialsProvider provider : all()) {
             if (provider.isEnabled(item) && provider.isApplicable(type)) {
                 try {
-                    for (ListBoxModel.Option option : provider.getCredentialIds(
-                            type, item, authentication, domainRequirements, matcher)
-                            ) {
+                    ListBoxModel credentialIds = provider.getCredentialIds(type, item, authentication, domainRequirements, matcher);
+                    // also lookup credentials with scope SYSTEM when user has grants for this item
+                    if (authentication != ACL.SYSTEM && item.getACL().hasPermission(authentication, CredentialsProvider.USE_ITEM)) {
+                        credentialIds.addAll(provider.getCredentialIds(type, item, ACL.SYSTEM, domainRequirements, matcher));
+                    }
+                    for (ListBoxModel.Option option : credentialIds) {
                         if (ids.add(option.value)) {
                             result.add(option);
                         }