/**
 * Reports whether an operate permission is defined on the authorization part.
 *
 * <p>When {@code getAuthorizationPartOrNull()} yields {@code null} there is nothing to
 * delegate to and the answer is {@code false}.
 *
 * @return {@code true} only if an authorization part exists and it reports an operate
 *     permission as defined
 */
@Override
public boolean hasOperationPermissionDefined() {
    final PipelineConfigs authorizationPart = this.getAuthorizationPartOrNull();
    return authorizationPart != null && authorizationPart.hasOperationPermissionDefined();
}
/**
 * Collects the names of the roles that may operate on stages of the given pipeline.
 *
 * <p>The outcome depends on the pipeline's group:
 * <ul>
 *   <li>no authorization defined on the group: every name from
 *       {@code allRoleNames(cruiseConfig)} is returned, i.e. the absence of an
 *       authorization section is treated as open access;</li>
 *   <li>authorization defined but no operate permission: the result is empty;</li>
 *   <li>operate permission defined: the group's operate role names are returned.</li>
 * </ul>
 *
 * @param cruiseConfig configuration used to locate the pipeline's group and the role names
 * @param pipelineConfig pipeline whose group is consulted
 * @return role names in natural (sorted) order, possibly empty
 */
public Set<String> rolesThatCanOperateOnStage(CruiseConfig cruiseConfig, PipelineConfig pipelineConfig) {
    final PipelineConfigs owningGroup = cruiseConfig.findGroupOfPipeline(pipelineConfig);
    final SortedSet<String> operatorRoles = new TreeSet<>();

    // An unsecured group falls back to the full role list rather than to an empty one.
    if (!owningGroup.hasAuthorizationDefined()) {
        operatorRoles.addAll(allRoleNames(cruiseConfig));
        return operatorRoles;
    }

    if (owningGroup.hasOperationPermissionDefined()) {
        operatorRoles.addAll(owningGroup.getOperateRoleNames());
    }
    return operatorRoles;
}
/**
 * Collects the names of the users that may operate on stages of the given pipeline.
 *
 * <p>The outcome depends on the pipeline's group:
 * <ul>
 *   <li>no authorization defined on the group: everything returned by
 *       {@code allUsernames()} is included, i.e. the absence of an authorization
 *       section is treated as open access;</li>
 *   <li>authorization defined but no operate permission: the result is empty;</li>
 *   <li>operate permission defined: the group's operate user names, plus the users of
 *       every server role whose name appears among the group's operate role names.</li>
 * </ul>
 *
 * @param cruiseConfig configuration used to locate the pipeline's group and the server roles
 * @param pipelineConfig pipeline whose group is consulted
 * @return user names in natural (sorted) order, possibly empty
 */
public Set<String> usersThatCanOperateOnStage(CruiseConfig cruiseConfig, PipelineConfig pipelineConfig) {
    final SortedSet<String> operators = new TreeSet<>();
    final PipelineConfigs owningGroup = cruiseConfig.findGroupOfPipeline(pipelineConfig);

    // An unsecured group falls back to the full user list rather than to an empty one.
    if (!owningGroup.hasAuthorizationDefined()) {
        operators.addAll(allUsernames());
        return operators;
    }
    if (!owningGroup.hasOperationPermissionDefined()) {
        return operators;
    }

    operators.addAll(owningGroup.getOperateUserNames());
    final List<String> operateRoleNames = owningGroup.getOperateRoleNames();
    for (Role definedRole : cruiseConfig.server().security().getRoles()) {
        // NOTE(review): List.contains compares Strings exactly, although role names are
        // CaseInsensitiveString values. If the operate role names can differ in case from
        // the role definition, that role's users would be missing from this result, which
        // would under-report who can operate. Confirm the names are normalized upstream.
        final String definedRoleName = CaseInsensitiveString.str(definedRole.getName());
        if (!operateRoleNames.contains(definedRoleName)) {
            continue;
        }
        operators.addAll(definedRole.usersOfRole());
    }
    return operators;
}
/**
 * Flags every approver in {@code authConfig} that is not allowed to operate the
 * enclosing pipeline group.
 *
 * <p>An approver passes when it is a server admin, an admin of the group, or listed in
 * the group's operation config (directly or through one of its member roles). Any other
 * approver gets a validation error attached to it.
 *
 * <p>No check is performed when the context is not within pipelines, or when the group
 * has no operate permission defined; in both cases no approver is flagged.
 *
 * @param validationContext supplies the pipeline group and the server security config
 */
private void validateOperatePermissions(ValidationContext validationContext) {
    if (!validationContext.isWithinPipelines()) {
        return;
    }
    final PipelineConfigs pipelineGroup = validationContext.getPipelineGroup();
    if (!pipelineGroup.hasOperationPermissionDefined()) {
        return;
    }

    final AdminsConfig operators = pipelineGroup.getAuthorization().getOperationConfig();
    final SecurityConfig security = validationContext.getServerSecurityConfig();
    final RolesConfig definedRoles = security.getRoles();

    for (Admin approver : authConfig) {
        // All three checks are evaluated up front, in this order, for every approver.
        final boolean superAdmin = security.isAdmin(approver);
        final boolean groupAdmin =
                pipelineGroup.isUserAnAdmin(approver.getName(), definedRoles.memberRoles(approver));
        final boolean groupOperator = operators.has(approver, definedRoles.memberRoles(approver));

        if (superAdmin || groupAdmin || groupOperator) {
            continue;
        }
        approver.addError(String.format(
                "%s \"%s\" who is not authorized to operate pipeline group `%s` can not be authorized to approve stage",
                approver.describe(), approver, pipelineGroup.getGroup()));
    }
}