fix: Stapler: Missing permission check (#278)

jenkinsci · Oct 23, 2022 · 56110e6 · 56110e6
1 parent eddefb8
commit 56110e6
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 0 deletions.
diff --git a/src/main/java/org/jenkinsci/plugins/saml/IdpMetadataConfiguration.java b/src/main/java/org/jenkinsci/plugins/saml/IdpMetadataConfiguration.java
@@ -30,6 +30,8 @@
 import hudson.model.AbstractDescribableImpl;
 import hudson.model.Descriptor;
 import hudson.util.FormValidation;
+import jenkins.model.Jenkins;
+import jenkins.util.xml.XMLUtils;
 import static org.jenkinsci.plugins.saml.SamlSecurityRealm.ERROR_IDP_METADATA_EMPTY;
 import static org.jenkinsci.plugins.saml.SamlSecurityRealm.ERROR_MALFORMED_URL;
 import static org.jenkinsci.plugins.saml.SamlSecurityRealm.NOT_POSSIBLE_TO_GET_THE_METADATA;
@@ -195,6 +197,7 @@ public String getDisplayName() {
 
         @RequirePOST
         public FormValidation doTestIdpMetadata(@QueryParameter("xml") String xml) {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             if (StringUtils.isBlank(xml)) {
                 return FormValidation.error(ERROR_IDP_METADATA_EMPTY);
             }
@@ -204,11 +207,13 @@ public FormValidation doTestIdpMetadata(@QueryParameter("xml") String xml) {
 
         @RequirePOST
         public FormValidation doCheckPeriod(@QueryParameter("period") String period) {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             return SamlFormValidation.checkIntegerFormat(period);
         }
 
         @RequirePOST
         public FormValidation doCheckXml(@QueryParameter("xml") String xml, @QueryParameter("url") String url) {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             if (StringUtils.isBlank(xml) && StringUtils.isBlank(url)) {
                 return FormValidation.error(ERROR_IDP_METADATA_EMPTY);
             }
@@ -218,6 +223,7 @@ public FormValidation doCheckXml(@QueryParameter("xml") String xml, @QueryParame
 
         @RequirePOST
         public FormValidation doCheckUrl(@QueryParameter("url") String url) {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             if (StringUtils.isEmpty(url)) {
                 return FormValidation.ok();
             }
@@ -232,6 +238,7 @@ public FormValidation doCheckUrl(@QueryParameter("url") String url) {
         @RequirePOST
         public FormValidation doTestIdpMetadataURL(@QueryParameter("url") String url) {
             URLConnection urlConnection;
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             try {
                 urlConnection = ProxyConfiguration.open(new URL(url));
             } catch (IOException e) {

diff --git a/src/main/java/org/jenkinsci/plugins/saml/SamlAdvancedConfiguration.java b/src/main/java/org/jenkinsci/plugins/saml/SamlAdvancedConfiguration.java
@@ -27,6 +27,7 @@
 import hudson.model.AbstractDescribableImpl;
 import hudson.model.Descriptor;
 import hudson.util.FormValidation;
+import jenkins.model.Jenkins;
 import static org.jenkinsci.plugins.saml.SamlSecurityRealm.ERROR_NOT_VALID_NUMBER;
 
 /**
@@ -106,22 +107,26 @@ public String getDisplayName() {
 
         @RequirePOST
         public FormValidation doCheckAuthnContextClassRef(@org.kohsuke.stapler.QueryParameter String authnContextClassRef) {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return SamlFormValidation.checkStringFormat(authnContextClassRef);
         }
 
 
         @RequirePOST
         public FormValidation doCheckSpEntityId(@org.kohsuke.stapler.QueryParameter String spEntityId) {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             return SamlFormValidation.checkStringFormat(spEntityId);
         }
 
         @RequirePOST
         public FormValidation doCheckNameIdPolicyFormat(@org.kohsuke.stapler.QueryParameter String nameIdPolicyFormat) {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             return SamlFormValidation.checkStringFormat(nameIdPolicyFormat);
         }
 
         @RequirePOST
         public FormValidation doCheckMaximumSessionLifetime(@org.kohsuke.stapler.QueryParameter String maximumSessionLifetime) {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             if (StringUtils.isEmpty(maximumSessionLifetime)) {
                 return hudson.util.FormValidation.ok();
             }

diff --git a/src/main/java/org/jenkinsci/plugins/saml/SamlEncryptionData.java b/src/main/java/org/jenkinsci/plugins/saml/SamlEncryptionData.java
@@ -39,6 +39,7 @@
 import hudson.model.Descriptor;
 import hudson.util.FormValidation;
 import hudson.util.Secret;
+import jenkins.model.Jenkins;
 import static org.jenkinsci.plugins.saml.SamlSecurityRealm.ERROR_ALGORITHM_CANNOT_BE_FOUND;
 import static org.jenkinsci.plugins.saml.SamlSecurityRealm.ERROR_CERTIFICATES_COULD_NOT_BE_LOADED;
 import static org.jenkinsci.plugins.saml.SamlSecurityRealm.ERROR_INSUFFICIENT_OR_INVALID_INFO;
@@ -151,21 +152,25 @@ public String getDisplayName() {
 
         @RequirePOST
         public FormValidation doCheckKeystorePath(@QueryParameter String keystorePath) {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             return SamlFormValidation.checkStringAttributeFormat(keystorePath, WARN_KEYSTORE_NOT_SET, true);
         }
 
         @RequirePOST
         public FormValidation doCheckPrivateKeyAlias(@QueryParameter String privateKeyAlias) {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             return SamlFormValidation.checkStringAttributeFormat(privateKeyAlias, WARN_PRIVATE_KEY_ALIAS_NOT_SET, true);
         }
 
         @RequirePOST
         public FormValidation doCheckKeystorePassword(@QueryParameter String keystorePassword) {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             return SamlFormValidation.checkStringAttributeFormat(keystorePassword, WARN_PRIVATE_KEYSTORE_PASS_NOT_SET, true);
         }
 
         @RequirePOST
         public FormValidation doCheckPrivateKeyPassword(@QueryParameter String privateKeyPassword) {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             return SamlFormValidation.checkStringAttributeFormat(privateKeyPassword, WARN_PRIVATE_KEY_PASS_NOT_SET, true);
         }
 
@@ -174,6 +179,7 @@ public FormValidation doTestKeyStore(@QueryParameter("keystorePath") String keys
                                                          @QueryParameter("keystorePassword") Secret keystorePassword,
                                                          @QueryParameter("privateKeyPassword") Secret privateKeyPassword,
                                                          @QueryParameter("privateKeyAlias") String privateKeyAlias) {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             if (StringUtils.isBlank(keystorePath)) {
                 return FormValidation.warning(WARN_THERE_IS_NOT_KEY_STORE);
             }

diff --git a/src/main/java/org/jenkinsci/plugins/saml/SamlSecurityRealm.java b/src/main/java/org/jenkinsci/plugins/saml/SamlSecurityRealm.java
@@ -598,6 +598,7 @@ static String getSPMetadataFilePath() {
     @SuppressWarnings("unused")
     @RequirePOST
     public HttpResponse doMetadata(StaplerRequest request, StaplerResponse response) {
+        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
         return new SamlSPMetadataWrapper(getSamlPluginConfig(), request, response).get();
     }
 
@@ -621,6 +622,7 @@ protected String getPostLogOutUrl(StaplerRequest req, @Nonnull Authentication au
     @Override
     @RequirePOST
     public void doLogout(StaplerRequest req, StaplerResponse rsp) throws IOException, javax.servlet.ServletException {
+        Jenkins.get().checkPermission(Jenkins.READ);
         super.doLogout(req, rsp);
         LOG.log(Level.FINEST, "Here we could do the SAML Single Logout");
     }
@@ -684,31 +686,37 @@ public String getDisplayName() {
 
         @RequirePOST
         public FormValidation doCheckLogoutUrl(@QueryParameter String logoutUrl) {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             return SamlFormValidation.checkUrlFormat(logoutUrl);
         }
 
         @RequirePOST
         public FormValidation doCheckDisplayNameAttributeName(@QueryParameter String displayNameAttributeName) {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             return SamlFormValidation.checkStringFormat(displayNameAttributeName);
         }
 
         @RequirePOST
         public FormValidation doCheckGroupsAttributeName(@QueryParameter String groupsAttributeName) {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             return SamlFormValidation.checkStringAttributeFormat(groupsAttributeName, SamlSecurityRealm.WARN_RECOMMENDED_TO_SET_THE_GROUPS_ATTRIBUTE, true);
         }
 
         @RequirePOST
         public FormValidation doCheckUsernameAttributeName(@QueryParameter String usernameAttributeName) {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             return SamlFormValidation.checkStringAttributeFormat(usernameAttributeName, SamlSecurityRealm.WARN_RECOMMENDED_TO_SET_THE_USERNAME_ATTRIBUTE, true);
         }
 
         @RequirePOST
         public FormValidation doCheckEmailAttributeName(@QueryParameter String emailAttributeName) {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             return SamlFormValidation.checkStringAttributeFormat(emailAttributeName, SamlSecurityRealm.WARN_RECOMMENDED_TO_SET_THE_EMAIL_ATTRIBUTE, true);
         }
 
         @RequirePOST
         public FormValidation doCheckMaximumAuthenticationLifetime(@QueryParameter String maximumAuthenticationLifetime) {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             return SamlFormValidation.checkIntegerFormat(maximumAuthenticationLifetime);
         }
     }