-
Bug
-
Resolution: Fixed
-
Major
-
None
I think this is related to JENKINS-15765 and JENKINS-35179 "IRC Bot does not take commands" : mine does not either, as of release ircbot-2.30 and instant-messaging-1.35
Digging in code, I see that both IRCPrivateChat.java and IRCChannel.java define `getNickName(String senderId)` and `getIMId(String senderId)` routines to implement the interface from https://github.com/jenkinsci/instant-messaging-plugin/blob/master/src/main/java/hudson/plugins/im/IMChat.java#L18 (which says that `senderId` is "the fully qualified IM id of the sender (e.g. for Jabber the user, the server domain and optional resource part)", and one "Translates the sender into a nickname which can be used to informally address the sender." while another "Translates the sender into a unique IM id.") and are used by https://github.com/jenkinsci/instant-messaging-plugin/blob/master/src/main/java/hudson/plugins/im/bot/Bot.java#L162 `getSender()`.
All of these implementations for IRCbot just return the passed `senderId` value, and do not make use of the configurable "IRC Nick" to map the Jenkins account name (which may be privileged to run commands like `build`) to the Nickname of this user on the IRC server, which are two independent accounts.
Actually, looking at the descriptions in the source, it is not evident to me that either `nick` or `id` in the `Sender` intend to mean the Jenkins user account name; but if in practice one does - it is not known to the messaging backend.
The configurable value in Jenkins user account settings ("Your IRC Nick") is only referenced in ircbot/IrcPublisher.java routine `getConfiguredIMId()` (and managed in IrcUserProperty.java), and in https://github.com/jenkinsci/instant-messaging-plugin/blob/master/src/main/java/hudson/plugins/im/IMPublisher.java#L635 `calculateIMTarget()` which seems only used for notifications (e.g. "hey you broke the build") but not for build and such permissions.
At https://github.com/jenkinsci/instant-messaging-plugin/blob/master/src/main/java/hudson/plugins/im/bot/BuildCommand.java#L195 it apparently checks whether the user who sent a command (sender) may build the project in question, but the check is for `project.hasPermission(Item.BUILD)` so no sender here. The docs are a bit vague for me, e.g. https://javadoc.jenkins-ci.org/hudson/security/AccessControlled.html#hasPermission-hudson.security.Permission- says that the command is a "Convenient short-cut for getACL().hasPermission(permission)" where it means probably getACL() for the `project`; whereas items like a similar(-looking) https://javadoc.jenkins-ci.org/hudson/model/AbstractProject.html#checkAbortPermission-- say that it "Checks the permission to see if the current user can abort this executable" but I have no idea how it determines the "current user" and what one is in the non-webgui context of an IM plugin per se.
[JENKINS-55760] IRC nick is configurable but does not map to Jenkins ID of sender in the "build" command
https://github.com/jenkinsci/instant-messaging-plugin/pull/21 currently should address one part of this issue, allowing at least the "build" command for an account whose Jenkins name is same as IRC ID or nickname.
Matching the nickname to an optionally configured mapping (as exists for IRCbot plugin) proved tricky to implement in an arbitrary solution, so help would be welcome.
Note to self: seems the AbortCommand.java could benefit from similar security considerations, but does not check any such permissions at all (only declares the required permission), or I'm missing something...
I've added a Jenkins user account literally named same as my IRC nick, and gave it all privileges listed in our "Matrix-based security" table, but still get "X: you're not allowed to build job Y!"