Maybe expose job status icon using an UnprotectedRootAction
      JENKINS/build-status-icon/{jobFullName}

      Then maybe have to consider impact on DISCOVER permission?

          [JENKINS-17798] build badge icon requires authentication

          Jesse Glick added a comment -

          Is this actually a bug? If the builds are not readable by anonymous, then the badge should not be visible either, because it would expose information about the build that you have asked to hide.


          Dominik Bartholdi added a comment -

          I also think this is a bug or at least a very annoying implementation, because this way one only sees the build status if there is SingleSignOn between Jenkins and the Embedder (e.g. a Wiki)

          Jesse Glick added a comment -

          But that is exactly the point: if the Jenkins instance is not anonymously viewable, then anonymous users would not normally be able to determine the status of any jobs—or even (without DISCOVER) their existence. So exposing this information via an UnprotectedRootAction without any additional access control, merely by installing this plugin, would constitute a security breach. If you want your build status to be seen by the world, why not make the job itself visible?

          SSO should be irrelevant since the image is loaded from Jenkins, so it should not matter what if any authentication is applied to the embedding page.

          If there is some use case for making selected build statuses anonymously obtainable without exposing other information about the job(s), then the plugin should define a new permission VIEW_STATUS and check that on the Job corresponding to a URL from the UnprotectedRootAction. (Returning a 404 if either there is no such job or that permission is denied, so as not to bypass DISCOVER.) That way an administrator could grant this permission to the anonymous user on all jobs, selected jobs, jobs in a certain folder, etc.

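The permission-gated UnprotectedRootAction Jesse describes, written out as an added illustration (this is not the plugin's own code and not taken from this thread). It assumes a plugin in package `org.jenkinsci.plugins.badge`, a `Messages._ViewStatus_Permission()` localizable generated from a Messages.properties entry, a Jenkins core that provides `ACL.as`/`ACLContext` (2.14 or later), the javax servlet API, and a query parameter `job` for the full job name; the `doIcon`, `lookupIfAllowed` and `svg` names are hypothetical.

```java
package org.jenkinsci.plugins.badge; // hypothetical package, mirrors the file paths in this thread

import hudson.Extension;
import hudson.model.Item;
import hudson.model.Job;
import hudson.model.Result;
import hudson.model.Run;
import hudson.model.UnprotectedRootAction;
import hudson.security.ACL;
import hudson.security.ACLContext;
import hudson.security.Permission;
import hudson.security.PermissionScope;
import java.io.IOException;
import javax.servlet.http.HttpServletResponse;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;

/**
 * Badge endpoint reachable without Overall/Read (UnprotectedRootAction), but
 * the job behind it is revealed only to callers holding a dedicated permission.
 */
@Extension
public class StatusBadgeAction implements UnprotectedRootAction {

    /**
     * Separately grantable permission in the Item group, scoped to jobs.
     * Messages._ViewStatus_Permission() is assumed to be generated from
     * Messages.properties. Implied by Item/Read, so whoever can already read
     * the job also gets the badge; an admin can additionally grant it to
     * anonymous on all jobs, selected jobs, or a folder.
     */
    public static final Permission VIEW_STATUS = new Permission(
            Item.PERMISSIONS, "ViewStatus", Messages._ViewStatus_Permission(),
            Item.READ, PermissionScope.ITEM);

    @Override public String getUrlName() { return "build-status-icon"; }
    @Override public String getIconFileName() { return null; } // keep it out of the side panel
    @Override public String getDisplayName() { return null; }

    /** GET /build-status-icon/icon?job=folder/jobname */
    public void doIcon(StaplerRequest req, StaplerResponse rsp,
                       @QueryParameter String job) throws IOException {
        Job<?, ?> j = lookupIfAllowed(job);
        if (j == null) {
            // Same answer for "no such job" and "not permitted": the caller
            // cannot tell the two apart, so Item/Discover is not bypassed.
            rsp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        Run<?, ?> last = j.getLastCompletedBuild();
        String status = last == null ? "unknown"
                : Result.SUCCESS.equals(last.getResult()) ? "passing" : "failing";
        rsp.setContentType("image/svg+xml");
        rsp.getWriter().write(svg(status));
    }

    /** Returns the job only if it exists and the requesting user holds VIEW_STATUS. */
    static Job<?, ?> lookupIfAllowed(String fullName) {
        if (fullName == null || fullName.isEmpty()) return null;
        Job<?, ?> j;
        // The lookup runs as SYSTEM: getItemByFullName filters by Item/Read,
        // so an anonymous caller would otherwise never find the job at all.
        try (ACLContext ctx = ACL.as(ACL.SYSTEM)) {
            j = Jenkins.get().getItemByFullName(fullName, Job.class);
        }
        // The ACLContext is closed here, so the check runs as the real caller.
        if (j == null || !j.hasPermission(VIEW_STATUS)) return null;
        return j;
    }

    private static String svg(String status) {
        return "<svg xmlns='http://www.w3.org/2000/svg' width='90' height='20'>"
             + "<text x='5' y='14' font-size='11'>build: " + status + "</text></svg>";
    }
}
```

Two details carry the security argument. The job lookup is impersonated as SYSTEM only for the lookup itself, and the permission check that decides whether anything is returned runs as the anonymous caller; and a denied permission produces exactly the same 404 as a missing job, so the endpoint leaks no more about job existence than Jenkins already does. Whether anonymous actually gets VIEW_STATUS then depends on the authorization strategy being able to grant it per permission (the matrix strategy can; a strategy with fixed roles may not).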

          Dominik Bartholdi added a comment -

          I don't really agree, if there is no SSO, the user will never see the icon embedded within the wiki without logging in to Jenkins.
          And that's exactly my point, authentication should take place when the user tries to access the job and not before, there is no point in opening a whole security session in Jenkins just to see the icon.

          But OK, I like the idea with the new permission which could then be assigned to anonymous.

          Dominik Bartholdi added a comment - placed a pull request: https://github.com/jenkinsci/embeddable-build-status-plugin/pull/4

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: imod
          Path:
          pom.xml
          src/main/java/org/jenkinsci/plugins/badge/BadgeActionFactory.java
          src/main/java/org/jenkinsci/plugins/badge/ImageResolver.java
          src/main/java/org/jenkinsci/plugins/badge/PluginImpl.java
          src/main/java/org/jenkinsci/plugins/badge/PublicBadgeAction.java
          src/main/resources/org/jenkinsci/plugins/badge/BadgeAction/index.groovy
          src/main/resources/org/jenkinsci/plugins/badge/BadgeAction/index.properties
          src/main/resources/org/jenkinsci/plugins/badge/Messages.properties
          src/test/java/org/jenkinsci/plugins/badge/PublicBadgeActionTest.java
          http://jenkins-ci.org/commit/embeddable-build-status-plugin/7d2b5945c5a279ab4545aa41dedcd453eb66b15f
          Log:
          [FIXED JENKINS-17798] expose build badge via unprotected URL, but with new Permission

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          pom.xml
          src/main/java/org/jenkinsci/plugins/badge/BadgeActionFactory.java
          src/main/java/org/jenkinsci/plugins/badge/ImageResolver.java
          src/main/java/org/jenkinsci/plugins/badge/PluginImpl.java
          src/main/java/org/jenkinsci/plugins/badge/PublicBadgeAction.java
          src/main/resources/org/jenkinsci/plugins/badge/BadgeAction/index.groovy
          src/main/resources/org/jenkinsci/plugins/badge/BadgeAction/index.properties
          src/main/resources/org/jenkinsci/plugins/badge/Messages.properties
          src/test/java/org/jenkinsci/plugins/badge/PublicBadgeActionTest.java
          http://jenkins-ci.org/commit/embeddable-build-status-plugin/3a6e78d3e0a4127e990b2cb39b2d9ab1faa2c71e
          Log:
          Merge pull request #4 from imod/unprotected-status

          [FIXED JENKINS-17798] expose build badge via unprotected URL, but with new Permission

          Compare: https://github.com/jenkinsci/embeddable-build-status-plugin/compare/11843c79f8e3...3a6e78d3e0a4

          Bob Rockers added a comment -

          Sorry to bug everyone on a successfully closed ticket, but where do I actually configure this setting? This is exactly the problem I need to overcome with github's camo image proxy but I cannot find the VIEW_STATUS setting anywhere.


          Mani Soundararajan added a comment -

          @aisystems I found "View Status" under Jenkins -> Global Security -> Authorization -> Matrix-based security.

          However I am trying to use the GitHub Committer auth strategy instead of Matrix. If you find a way of getting it to work with github oauth please post here.

          retronym added a comment -

          msound

          I think either:

          1) the `GitHub OAuth` plugin would need to be changed to allow anonymous access to the "ViewStatus" permission https://github.com/jenkinsci/embeddable-build-status-plugin/compare/11843c79f8e3...3a6e78d3e0a4#diff-25df045777dd8f7465c9cbac4dea6416R63, or
          2) this plugin would need to change to use the standard "hudson.model.Hudson.Read" / "hudson.model.Item.Read" permissions: https://github.com/jenkinsci/embeddable-build-status-plugin/compare/11843c79f8e3...3a6e78d3e0a4#diff-25df045777dd8f7465c9cbac4dea6416R103

          (Disclaimer: I'm not a Jenkins plugin expert, I just had a quick browse of the two code bases)


            kohsuke Kohsuke Kawaguchi
            ndeloof Nicolas De Loof