JENKINS-17798: build badge icon requires authentication

Description

Maybe expose job status icon using an UnprotectedRootAction:

JENKINS/build-status-icon/{jobFullName}

Then maybe have to consider impact on DISCOVER permission?

            Activity

            ndeloof Nicolas De Loof created issue -
            jglick Jesse Glick added a comment -

            Is this actually a bug? If the builds are not readable by anonymous, then the badge should not be visible either, because it would expose information about the build that you have asked to hide.

            domi Dominik Bartholdi added a comment -

            I also think this is a bug or at least a very annoying implementation, because this way one only sees the build status if there is SingleSignOn between Jenkins and the Embedder (e.g. a Wiki)

            jglick Jesse Glick added a comment -

            But that is exactly the point: if the Jenkins instance is not anonymously viewable, then anonymous users would not normally be able to determine the status of any jobs—or even (without DISCOVER) their existence. So exposing this information via an UnprotectedRootAction without any additional access control, merely by installing this plugin, would constitute a security breach. If you want your build status to be seen by the world, why not make the job itself visible?

            SSO should be irrelevant since the image is loaded from Jenkins, so it should not matter what if any authentication is applied to the embedding page.

            If there is some use case for making selected build statuses anonymously obtainable without exposing other information about the job(s), then the plugin should define a new permission VIEW_STATUS and check that on the Job corresponding to a URL from the UnprotectedRootAction. (Returning a 404 if either there is no such job or that permission is denied, so as not to bypass DISCOVER.) That way an administrator could grant this permission to the anonymous user on all jobs, selected jobs, jobs in a certain folder, etc.

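The design Jesse sketches above (an UnprotectedRootAction that checks a new job-scoped permission and answers 404 for both "no such job" and "not permitted") can be written down concretely. The following is an added example for this thread, not the embeddable-build-status plugin's own PublicBadgeAction from the linked commit. The class name, package, URL segment and the "ViewStatus" permission name are assumptions, as is the target API level: it uses the Spring Security variants of the core ACL methods (Jenkins core 2.266 or later) and the javax servlet API (before the Jakarta migration).

```java
package org.example.badge; // hypothetical package; not the plugin's org.jenkinsci.plugins.badge

import hudson.Extension;
import hudson.model.Item;
import hudson.model.Job;
import hudson.model.Result;
import hudson.model.Run;
import hudson.model.UnprotectedRootAction;
import hudson.security.ACL;
import hudson.security.ACLContext;
import hudson.security.Permission;
import hudson.security.PermissionScope;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.servlet.http.HttpServletResponse;
import jenkins.model.Jenkins;
import org.jvnet.localizer.NonLocalizable;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.springframework.security.core.Authentication;

/**
 * Jenkins serves an UnprotectedRootAction without its usual overall READ check, so the
 * badge URL is reachable by anonymous embedders; each request is then gated by a
 * job-scoped permission instead. Example code, not the plugin's implementation.
 */
@Extension
public class StatusBadgeExampleAction implements UnprotectedRootAction {

    /**
     * Job-scoped permission (scope ITEM), so matrix-based authorization lets an admin grant
     * it to "anonymous" globally, per folder or per job. ADMINISTER implies it.
     */
    public static final Permission VIEW_STATUS = new Permission(
            Item.PERMISSIONS, "ViewStatus", // hypothetical name
            new NonLocalizable("View the build status badge of a job"),
            Jenkins.ADMINISTER, PermissionScope.ITEM);

    @Override public String getIconFileName() { return null; } // no sidebar entry
    @Override public String getDisplayName() { return null; }
    @Override public String getUrlName() { return "status-badge-example"; } // hypothetical path

    /** Bound by Stapler to GET /status-badge-example/icon?job=<full job name>. */
    public void doIcon(StaplerRequest req, StaplerResponse rsp, @QueryParameter String job)
            throws IOException {
        Job<?, ?> found = findAuthorizedJob(job);
        if (found == null) {
            // One answer for "no such job" and "not permitted": a caller without DISCOVER
            // must not be able to tell the two apart by probing badge URLs.
            rsp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        byte[] svg = renderBadge(statusOf(found)).getBytes(StandardCharsets.UTF_8);
        rsp.setContentType("image/svg+xml");
        rsp.setHeader("Cache-Control", "no-cache, private"); // keep shared caches out of the ACL decision
        rsp.setContentLength(svg.length);
        rsp.getOutputStream().write(svg);
    }

    /**
     * Looks the job up as SYSTEM (the caller usually lacks Item.READ, so a normal lookup
     * would yield null), then checks VIEW_STATUS against the caller's own authentication.
     */
    static Job<?, ?> findAuthorizedJob(String fullName) {
        if (fullName == null || fullName.isEmpty()) {
            return null;
        }
        Authentication caller = Jenkins.getAuthentication2(); // captured before impersonating SYSTEM
        Job<?, ?> job;
        try (ACLContext ignored = ACL.as2(ACL.SYSTEM2)) {
            job = Jenkins.get().getItemByFullName(fullName, Job.class);
        }
        if (job == null || !job.getACL().hasPermission2(caller, VIEW_STATUS)) {
            return null;
        }
        return job;
    }

    /** Reduces the last completed build to a fixed vocabulary; nothing else about the job leaks. */
    static String statusOf(Job<?, ?> job) {
        Run<?, ?> last = job.getLastCompletedBuild();
        Result result = last == null ? null : last.getResult();
        if (result == null) return "unknown";
        if (result.isBetterOrEqualTo(Result.SUCCESS)) return "passing";
        if (result.isBetterOrEqualTo(Result.UNSTABLE)) return "unstable";
        return "failing";
    }

    /** Minimal SVG badge; the text is only ever one of the words produced by statusOf(). */
    static String renderBadge(String status) {
        String color = "passing".equals(status) ? "#4c1" : "failing".equals(status) ? "#e05d44" : "#9f9f9f";
        return "<svg xmlns=\"http://www.w3.org/2000/svg\" width=\"90\" height=\"20\">"
                + "<rect width=\"90\" height=\"20\" fill=\"" + color + "\"/>"
                + "<text x=\"45\" y=\"14\" fill=\"#fff\" font-family=\"sans-serif\" font-size=\"11\""
                + " text-anchor=\"middle\">" + status + "</text></svg>";
    }
}
```

Two points in this design carry the security weight. The job lookup runs as SYSTEM only so that the item can be found at all; the authorization decision is made with the caller's original authentication, captured before impersonation, so a VIEW_STATUS grant on a job (or on the folder containing it) is the only thing that makes the badge visible. And because both the missing-job and the permission-denied paths return the same 404 with no body, an anonymous client cannot enumerate job names through the badge endpoint, which is what preserves the DISCOVER semantics Jesse refers to.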
            domi Dominik Bartholdi added a comment -

I don't really agree: if there is no SSO, the user will never see the icon embedded within the wiki without logging in to Jenkins.
And that's exactly my point: authentication should take place when the user tries to access the job and not before; there is no point in opening a whole security session in Jenkins just to see the icon.

            But OK, I like the idea with the new permission which could then be assigned to anonymous.

            domi Dominik Bartholdi added a comment - placed a pull request: https://github.com/jenkinsci/embeddable-build-status-plugin/pull/4
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: imod
            Path:
            pom.xml
            src/main/java/org/jenkinsci/plugins/badge/BadgeActionFactory.java
            src/main/java/org/jenkinsci/plugins/badge/ImageResolver.java
            src/main/java/org/jenkinsci/plugins/badge/PluginImpl.java
            src/main/java/org/jenkinsci/plugins/badge/PublicBadgeAction.java
            src/main/resources/org/jenkinsci/plugins/badge/BadgeAction/index.groovy
            src/main/resources/org/jenkinsci/plugins/badge/BadgeAction/index.properties
            src/main/resources/org/jenkinsci/plugins/badge/Messages.properties
            src/test/java/org/jenkinsci/plugins/badge/PublicBadgeActionTest.java
            http://jenkins-ci.org/commit/embeddable-build-status-plugin/7d2b5945c5a279ab4545aa41dedcd453eb66b15f
            Log:
            [FIXED JENKINS-17798] expose build badge via unprotected URL, but with new Permission

            scm_issue_link SCM/JIRA link daemon made changes -
            Field Original Value New Value
            Status Open [ 1 ] Resolved [ 5 ]
            Resolution Fixed [ 1 ]
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            pom.xml
            src/main/java/org/jenkinsci/plugins/badge/BadgeActionFactory.java
            src/main/java/org/jenkinsci/plugins/badge/ImageResolver.java
            src/main/java/org/jenkinsci/plugins/badge/PluginImpl.java
            src/main/java/org/jenkinsci/plugins/badge/PublicBadgeAction.java
            src/main/resources/org/jenkinsci/plugins/badge/BadgeAction/index.groovy
            src/main/resources/org/jenkinsci/plugins/badge/BadgeAction/index.properties
            src/main/resources/org/jenkinsci/plugins/badge/Messages.properties
            src/test/java/org/jenkinsci/plugins/badge/PublicBadgeActionTest.java
            http://jenkins-ci.org/commit/embeddable-build-status-plugin/3a6e78d3e0a4127e990b2cb39b2d9ab1faa2c71e
            Log:
            Merge pull request #4 from imod/unprotected-status

            [FIXED JENKINS-17798] expose build badge via unprotected URL, but with new Permission

            Compare: https://github.com/jenkinsci/embeddable-build-status-plugin/compare/11843c79f8e3...3a6e78d3e0a4

            mgedmin Marius Gedminas made changes -
            Link This issue is duplicated by JENKINS-15769 [ JENKINS-15769 ]
            aisystems Bob Rockers added a comment -

            Sorry to bug everyone on a successfully closed ticket, but where do I actually configure this setting? This is exactly the problem I need to overcome with github's camo image proxy but I cannot find the VIEW_STATUS setting anywhere.

            msound Mani Soundararajan added a comment -

            @aisystems I found "View Status" under Jenkins -> Global Security -> Authorization -> Matrix-based security.

            However I am trying to use the GitHub Committer auth strategy instead of Matrix. If you find a way of getting it to work with github oauth please post here.

            retronym retronym added a comment -

            Mani Soundararajan

            I think either:

1) the `GitHub OAuth` plugin would need to be changed to allow anonymous access to the "ViewStatus" permission https://github.com/jenkinsci/embeddable-build-status-plugin/compare/11843c79f8e3...3a6e78d3e0a4#diff-25df045777dd8f7465c9cbac4dea6416R63, or
            2) this plugin would need to change to use the standard "hudson.model.Hudson.Read" / "hudson.model.Item.Read" permissions: https://github.com/jenkinsci/embeddable-build-status-plugin/compare/11843c79f8e3...3a6e78d3e0a4#diff-25df045777dd8f7465c9cbac4dea6416R103

            (Disclaimer: I'm not a Jenkins plugin expert, I just had a quick browse of the two code bases)

            rtyler R. Tyler Croy made changes -
            Workflow JNJira [ 148978 ] JNJira + In-Review [ 192974 ]
            thomas_dee Thomas Döring made changes -
            Status Resolved [ 5 ] Closed [ 6 ]

People

Assignee: kohsuke Kohsuke Kawaguchi
Reporter: ndeloof Nicolas De Loof
Votes: 0
Watchers: 9