
ModelConverterAction should use CrumbExclusionFilter


Details

    Description

      https://github.com/jenkinsci/pipeline-model-definition-plugin/wiki/Validating-(or-linting)-a-Declarative-Jenkinsfile-from-the-command-line#how-to-use tells you to get a crumb from Jenkins, which makes REST-based access very awkward. This is only needed because we are accepting POST requests, which is only needed because we are sending content. But the action has no side effects so there is no actual need for a crumb. You should implement CrumbExclusionFilter to simplify usage.

      I would also suggest that doValidate should just stream from its body rather than require a form field, but I guess this would be an incompatible change.

          Activity

            bitwiseman Liam Newman added a comment -

            Bulk closing resolved issues.


            Code changed in jenkins
            User: Andrew Bayer
            Path:
            pipeline-model-definition/src/main/java/org/jenkinsci/plugins/pipeline/modeldefinition/endpoints/ModelConverterAction.java
            pipeline-model-definition/src/test/java/org/jenkinsci/plugins/pipeline/modeldefinition/WhenStageTest.java
            pipeline-model-definition/src/test/java/org/jenkinsci/plugins/pipeline/modeldefinition/endpoints/ErrorsEndpointOpsTest.java
            pipeline-model-definition/src/test/java/org/jenkinsci/plugins/pipeline/modeldefinition/endpoints/ModelConverterActionStepsTest.java
            pipeline-model-definition/src/test/java/org/jenkinsci/plugins/pipeline/modeldefinition/endpoints/ModelConverterActionTest.java
            pipeline-model-definition/src/test/java/org/jenkinsci/plugins/pipeline/modeldefinition/endpoints/SuccessfulEndpointOpsTest.java
            http://jenkins-ci.org/commit/pipeline-model-definition-plugin/3671e8dba6a7f12bdcb4f50440e3cd4b7a3fbab6
            Log:
            [FIXED JENKINS-42470] Use CrumbExclusion and Jenkins.READ perms

            abayer Andrew Bayer added a comment - PR up at https://github.com/jenkinsci/pipeline-model-definition-plugin/pull/129
            abayer Andrew Bayer added a comment -

            Ah, it's CrumbExclusion and I found one in github-plugin.

            abayer Andrew Bayer added a comment -

            Got an example of CrumbExclusionFilter I can look at?

            jglick Jesse Glick added a comment -

            Also it checks Permission.READ. That is wrong; you should not use these generic permissions, as they are not managed by authorization strategies. Rather use Jenkins.READ.
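
The two points raised in this issue (a crumb exemption for a side-effect-free POST endpoint, and checking Jenkins.READ rather than Permission.READ) can be sketched as follows; this is an added example, not code from the plugin or from anyone in this thread. The class names and the `example-linter` URL are hypothetical, and it assumes a Jenkins core that still uses the `javax.servlet` API and provides `Jenkins.get()`.

```java
import hudson.Extension;
import hudson.model.RootAction;
import hudson.security.csrf.CrumbExclusion;
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

/** Hypothetical read-only endpoint; names are illustrative, not the plugin's. */
@Extension
public class ExampleLinterAction implements RootAction {
    static final String URL_NAME = "example-linter"; // assumed URL segment

    @Override public String getIconFileName() { return null; } // hidden from the UI
    @Override public String getDisplayName() { return null; }
    @Override public String getUrlName() { return URL_NAME; }

    @RequirePOST
    public HttpResponse doValidate(@QueryParameter String jenkinsfile) {
        // Waiving the crumb does not waive authorization. Jenkins.READ is the
        // permission that authorization strategies actually manage.
        Jenkins.get().checkPermission(Jenkins.READ);
        if (jenkinsfile == null || jenkinsfile.isEmpty()) {
            return HttpResponses.error(400, "No content in the 'jenkinsfile' form field");
        }
        // Read-only handling: nothing is stored or changed on the controller.
        return HttpResponses.plainText("Received " + jenkinsfile.length() + " characters\n");
    }

    /** Exempts exactly one path from the CSRF crumb check. */
    @Extension
    public static class Exclusion extends CrumbExclusion {
        @Override
        public boolean process(HttpServletRequest req, HttpServletResponse rsp, FilterChain chain)
                throws IOException, ServletException {
            String path = req.getPathInfo();
            // Exact match only, so no other (state-changing) URL is exempted.
            if (path == null || !path.equals("/" + URL_NAME + "/validate")) {
                return false; // not ours: the normal crumb check still applies
            }
            chain.doFilter(req, rsp); // continue the request without a crumb
            return true;
        }
    }
}
```

The exemption is only appropriate because the handler has no side effects; an endpoint that changes state should keep the crumb requirement.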

            jglick Jesse Glick added a comment -

            BTW why is this documentation not on jenkins.io?


            People

              abayer Andrew Bayer
              jglick Jesse Glick