Merge pull request #623 from jglick/requesterAuthentication

Removing `requesterAuthentication`

Author: jglick

src/main/java/com/cloudbees/jenkins/support/SupportAction.java

@@ -34,8 +34,6 @@
 import hudson.model.Api;
 import hudson.model.Failure;
 import hudson.model.RootAction;
-import hudson.security.ACL;
-import hudson.security.ACLContext;
 import hudson.security.Permission;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.ServletOutputStream;
@@ -374,12 +372,7 @@ public HttpRedirect doGenerateBundleAsync(StaplerRequest2 req, StaplerResponse2
             }
             try (FileOutputStream fileOutputStream =
                     new FileOutputStream(new File(outputDir.toString(), SYNC_SUPPORT_BUNDLE))) {
-                SupportPlugin.setRequesterAuthentication(Jenkins.getAuthentication2());
-                try {
-                    SupportPlugin.writeBundleForSyncComponents(fileOutputStream, syncComponent);
-                } finally {
-                    SupportPlugin.clearRequesterAuthentication();
-                }
+                SupportPlugin.writeBundleForSyncComponents(fileOutputStream, syncComponent);
             } finally {
                 logger.fine("Processing support bundle sunc completed");
             }
@@ -472,18 +465,10 @@ private void prepareBundle(StaplerResponse2 rsp, List<Component> components) thr
         rsp.addHeader("Content-Disposition", "inline; filename=" + BundleFileName.generate() + ";");
         final ServletOutputStream servletOutputStream = rsp.getOutputStream();
         try {
-            SupportPlugin.setRequesterAuthentication(Jenkins.getAuthentication2());
-            try {
-                try (ACLContext ignored = ACL.as2(ACL.SYSTEM2)) {
-                    SupportPlugin.writeBundle(servletOutputStream, components);
-                } catch (IOException e) {
-                    logger.log(Level.FINE, e.getMessage(), e);
-                }
-            } finally {
-                SupportPlugin.clearRequesterAuthentication();
-            }
-        } finally {
+            SupportPlugin.writeBundle(servletOutputStream, components);
             logger.fine("Response completed");
+        } catch (IOException e) {
+            logger.log(Level.FINE, e.getMessage(), e);
         }
     }
 
@@ -554,12 +539,7 @@ protected void compute() throws Exception {
 
             try (FileOutputStream fileOutputStream =
                     new FileOutputStream(new File(outputDir.toString(), supportBundleName))) {
-                SupportPlugin.setRequesterAuthentication(Jenkins.getAuthentication2());
-                try {
-                    SupportPlugin.writeBundle(fileOutputStream, components, this::progress, outputDir);
-                } finally {
-                    SupportPlugin.clearRequesterAuthentication();
-                }
+                SupportPlugin.writeBundle(fileOutputStream, components, this::progress, outputDir);
             } finally {
                 logger.fine("Processing support bundle async completed");
             }

src/main/java/com/cloudbees/jenkins/support/SupportCommand.java

@@ -31,8 +31,6 @@
 import hudson.Extension;
 import hudson.cli.CLICommand;
 import hudson.remoting.RemoteOutputStream;
-import hudson.security.ACL;
-import hudson.security.ACLContext;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.OutputStream;
@@ -93,20 +91,13 @@ protected int run() throws Exception {
                 selected.add(c);
             }
         }
-        SupportPlugin.setRequesterAuthentication(Jenkins.getAuthentication2());
-        try {
-            try (ACLContext ignored = ACL.as2(ACL.SYSTEM2)) {
-                OutputStream os;
-                if (channel != null) { // Remoting mode
-                    os = channel.call(new SaveBundle(BundleFileName.generate()));
-                } else { // redirect output to a ZIP file yourself
-                    os = new CloseProofOutputStream(stdout);
-                }
-                SupportPlugin.writeBundle(os, new ArrayList<>(selected));
-            }
-        } finally {
-            SupportPlugin.clearRequesterAuthentication();
+        OutputStream os;
+        if (channel != null) { // Remoting mode
+            os = channel.call(new SaveBundle(BundleFileName.generate()));
+        } else { // redirect output to a ZIP file yourself
+            os = new CloseProofOutputStream(stdout);
         }
+        SupportPlugin.writeBundle(os, new ArrayList<>(selected));
         return 0;
     }
 

src/main/java/com/cloudbees/jenkins/support/SupportPlugin.java

@@ -163,7 +163,6 @@ public class SupportPlugin extends Plugin {
             Jenkins.ADMINISTER,
             PermissionScope.JENKINS);
 
-    private static final ThreadLocal<Authentication> requesterAuthentication = new InheritableThreadLocal<>();
     private static final AtomicLong nextBundleWrite = new AtomicLong(Long.MIN_VALUE);
     private static final Logger logger = Logger.getLogger(SupportPlugin.class.getName());
     public static final String SUPPORT_DIRECTORY_NAME = "support";
@@ -239,16 +238,12 @@ public static File getLogsDirectory() {
         return new File(SafeTimerTask.getLogsRoot(), SUPPORT_DIRECTORY_NAME);
     }
 
+    /**
+     * @deprecated Check permissions directly.
+     */
+    @Deprecated
     public static Authentication getRequesterAuthentication() {
-        return requesterAuthentication.get();
-    }
-
-    public static void setRequesterAuthentication(Authentication authentication) {
-        requesterAuthentication.set(authentication);
-    }
-
-    public static void clearRequesterAuthentication() {
-        requesterAuthentication.remove();
+        return Jenkins.getAuthentication2();
     }
 
     public void setSupportProvider(SupportProvider supportProvider) throws IOException {
@@ -1066,7 +1061,6 @@ protected synchronized void doRun() throws Exception {
                                 thread.setName(String.format(
                                         "%s periodic bundle generator: since %s",
                                         SupportPlugin.class.getSimpleName(), new Date()));
-                                clearRequesterAuthentication();
                                 try (ACLContext ignored = ACL.as2(ACL.SYSTEM2)) {
                                     File bundleDir = getRootDirectory();
                                     if (!bundleDir.exists()) {

src/main/java/com/cloudbees/jenkins/support/actions/SupportObjectAction.java

@@ -13,8 +13,6 @@
 import hudson.model.Action;
 import hudson.model.Descriptor;
 import hudson.model.Saveable;
-import hudson.security.ACL;
-import hudson.security.ACLContext;
 import hudson.util.DescribableList;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletResponse;
@@ -139,26 +137,20 @@ public final void doGenerateAndDownload(StaplerRequest2 req, StaplerResponse2 rs
                 "Content-Disposition", "inline; filename=" + BundleFileName.generate(getBundleNameQualifier()) + ";");
 
         try {
-            SupportPlugin.setRequesterAuthentication(Jenkins.getAuthentication2());
-            try (ACLContext old = ACL.as2(ACL.SYSTEM2)) {
-                SupportPlugin.writeBundle(
-                        rsp.getOutputStream(),
-                        components,
-                        new ComponentVisitor() {
-                            @Override
-                            public <C extends Component> void visit(Container container, C component) {
-                                ((ObjectComponent<T>) component).addContents(container, object);
-                            }
-                        },
-                        null,
-                        true);
-            } catch (IOException e) {
-                LOGGER.log(Level.WARNING, e.getMessage(), e);
-            } finally {
-                SupportPlugin.clearRequesterAuthentication();
-            }
-        } finally {
+            SupportPlugin.writeBundle(
+                    rsp.getOutputStream(),
+                    components,
+                    new ComponentVisitor() {
+                        @Override
+                        public <C extends Component> void visit(Container container, C component) {
+                            ((ObjectComponent<T>) component).addContents(container, object);
+                        }
+                    },
+                    null,
+                    true);
             LOGGER.fine("Response completed");
+        } catch (IOException e) {
+            LOGGER.log(Level.WARNING, e.getMessage(), e);
         }
     }
 

src/main/java/com/cloudbees/jenkins/support/impl/AboutUser.java

@@ -1,18 +1,19 @@
 package com.cloudbees.jenkins.support.impl;
 
-import com.cloudbees.jenkins.support.SupportPlugin;
 import com.cloudbees.jenkins.support.api.Component;
 import com.cloudbees.jenkins.support.api.Container;
 import com.cloudbees.jenkins.support.api.PrefilteredPrintedContent;
 import com.cloudbees.jenkins.support.filter.ContentFilter;
 import edu.umd.cs.findbugs.annotations.NonNull;
 import hudson.Extension;
+import hudson.security.ACL;
 import hudson.security.Permission;
 import java.io.IOException;
 import java.io.PrintWriter;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Set;
+import jenkins.model.Jenkins;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 
@@ -36,8 +37,8 @@ public Set<Permission> getRequiredPermissions() {
 
     @Override
     public void addContents(@NonNull Container result) {
-        final Authentication authentication = SupportPlugin.getRequesterAuthentication();
-        if (authentication != null) {
+        final Authentication authentication = Jenkins.getAuthentication2();
+        if (!authentication.equals(ACL.SYSTEM2)) {
             result.add(new PrefilteredPrintedContent("user.md") {
                 @Override
                 protected void printTo(PrintWriter out, ContentFilter filter) throws IOException {

src/test/java/com/cloudbees/jenkins/support/CheckFilterTest.java

@@ -1,5 +1,7 @@
 package com.cloudbees.jenkins.support;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.empty;
 import static org.junit.Assert.fail;
 
 import com.cloudbees.jenkins.support.api.Component;
@@ -21,11 +23,13 @@
 import com.cloudbees.jenkins.support.impl.UpdateCenter;
 import hudson.EnvVars;
 import hudson.ExtensionList;
+import hudson.Functions;
 import hudson.model.FreeStyleBuild;
 import hudson.model.FreeStyleProject;
 import hudson.model.User;
 import hudson.model.labels.LabelAtom;
 import hudson.model.queue.QueueTaskFuture;
+import hudson.security.ACL;
 import java.io.BufferedInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.File;
@@ -88,25 +92,31 @@ public void checkFilterTest() throws Exception {
         // Generate the filtered words
         checker.generateFilteredWords();
 
-        // Check the components are filtered correctly
-        assertComponent(
-                Arrays.asList(
-                        AboutJenkins.class,
-                        AboutUser.class,
-                        AgentsConfigFile.class,
-                        BuildQueue.class,
-                        ConfigFileComponent.class,
-                        DumpExportTable.class,
-                        EnvironmentVariables.class,
-                        JVMProcessSystemMetricsContents.Agents.class,
-                        JVMProcessSystemMetricsContents.Master.class,
-                        SystemConfiguration.class,
-                        NetworkInterfaces.class,
-                        NodeMonitors.class,
-                        UpdateCenter.class,
-                        SystemProperties.class,
-                        ThreadDumps.class),
-                checker);
+        j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
+        try (var ignored = ACL.as(User.getById("admin", true))) {
+            // Check the components are filtered correctly
+            assertComponent(
+                    Arrays.asList(
+                            AboutJenkins.class,
+                            AboutUser.class,
+                            AgentsConfigFile.class,
+                            BuildQueue.class,
+                            ConfigFileComponent.class,
+                            DumpExportTable.class,
+                            EnvironmentVariables.class,
+                            JVMProcessSystemMetricsContents.Agents.class,
+                            JVMProcessSystemMetricsContents.Master.class,
+                            SystemConfiguration.class,
+                            NetworkInterfaces.class,
+                            NodeMonitors.class,
+                            UpdateCenter.class,
+                            SystemProperties.class,
+                            ThreadDumps.class),
+                    checker);
+        }
+        if (!Functions.isWindows()) { // some entries for procfs skipped on Windows
+            assertThat(checker.unchecked.stream().map(f -> f.filePattern).toList(), empty());
+        }
 
         // Cancel the job running
         build.cancel(true);
@@ -219,24 +229,25 @@ private static String getFirstEnvVar() {
 
     private static class FileChecker {
         private Set<FileToCheck> fileSet = new HashSet<>();
+        private Set<FileToCheck> unchecked = new HashSet<>();
         private Set<String> words = new HashSet<>();
 
         private FileChecker(Jenkins jenkins) throws UnknownHostException {
             fileSet.add(of("manifest.md", "about", false));
             fileSet.add(of("about.md", "b", false));
-            fileSet.add(of("items.md", "jobs", false));
+            // fileSet.add(of("items.md", "jobs", false));
             // checksum.md5 is not generated in tests
 
             // AboutJenkins -> nodes.md
             // The agent node name should be filtered
             fileSet.add(of("nodes.md", AGENT_NAME, true));
             // AboutUser
-            fileSet.add(of("user.md", "anonymous", true));
+            fileSet.add(of("user.md", "admin", true));
 
-            fileSet.add(of("node-monitors.md", AGENT_NAME, true));
+            // fileSet.add(of("node-monitors.md", AGENT_NAME, true));
 
-            fileSet.add(of("admin-monitors.md", "diagnostics", false));
-            fileSet.add(of("admin-monitors.md", "Family", false));
+            // fileSet.add(of("admin-monitors.md", "diagnostics", false));
+            // fileSet.add(of("admin-monitors.md", "Family", false));
 
             fileSet.add(of("nodes/slave/*/config.xml", AGENT_NAME, true));
 
@@ -293,23 +304,23 @@ private FileChecker(Jenkins jenkins) throws UnknownHostException {
             // system-uptime.txt
             // net/rpc/nfs.txt
             // net/rpc/nfsd.txt
-            fileSet.add(of("nodes/master/proc/swaps.txt", "cpu", false));
-            fileSet.add(of("nodes/slave/*/proc/swaps.txt", "cpu", false));
+            // fileSet.add(of("nodes/master/proc/swaps.txt", "cpu", false));
+            // fileSet.add(of("nodes/slave/*/proc/swaps.txt", "cpu", false));
 
-            fileSet.add(of("nodes/master/proc/cpuinfo.txt", "cpu", false));
-            fileSet.add(of("nodes/slave/*/proc/cpuinfo.txt", "cpu", false));
+            // fileSet.add(of("nodes/master/proc/cpuinfo.txt", "cpu", false));
+            // fileSet.add(of("nodes/slave/*/proc/cpuinfo.txt", "cpu", false));
 
-            fileSet.add(of("nodes/master/proc/mounts.txt", "cpu", false));
-            fileSet.add(of("nodes/slave/*/proc/mounts.txt", "cpu", false));
+            // fileSet.add(of("nodes/master/proc/mounts.txt", "cpu", false));
+            // fileSet.add(of("nodes/slave/*/proc/mounts.txt", "cpu", false));
 
-            fileSet.add(of("nodes/master/proc/system-uptime.txt", "cpu", false));
-            fileSet.add(of("nodes/slave/*/proc/system-uptime.txt", "cpu", false));
+            // fileSet.add(of("nodes/master/proc/system-uptime.txt", "cpu", false));
+            // fileSet.add(of("nodes/slave/*/proc/system-uptime.txt", "cpu", false));
 
-            fileSet.add(of("nodes/master/proc/net/rpc/nfs.txt", "cpu", false));
-            fileSet.add(of("nodes/slave/*/proc/net/rpc/nfs.txt", "cpu", false));
+            // fileSet.add(of("nodes/master/proc/net/rpc/nfs.txt", "cpu", false));
+            // fileSet.add(of("nodes/slave/*/proc/net/rpc/nfs.txt", "cpu", false));
 
-            fileSet.add(of("nodes/master/proc/net/rpc/nfsd.txt", "cpu", false));
-            fileSet.add(of("nodes/slave/*/proc/net/rpc/nfsd.txt", "cpu", false));
+            // fileSet.add(of("nodes/master/proc/net/rpc/nfsd.txt", "cpu", false));
+            // fileSet.add(of("nodes/slave/*/proc/net/rpc/nfsd.txt", "cpu", false));
 
             // NetworkInterfaces --> nodes/master/networkInterface.md, nodes/slave/*/networkInterface.md
             String anIP = getInetAddress();
@@ -333,6 +344,7 @@ private FileChecker(Jenkins jenkins) throws UnknownHostException {
             // ThreadDumps --> nodes/slave/*/thread-dump.txt, nodes/master/thread-dump.txt
             fileSet.add(of("nodes/master/thread-dump.txt", "runnable", true));
             fileSet.add(of("nodes/slave/*/thread-dump.txt", "runnable", true));
+            unchecked.addAll(fileSet);
         }
 
         private String getUpdateCenterURL(Jenkins jenkins) {
@@ -393,6 +405,7 @@ private void check(String file, String content) {
             for (FileToCheck value : fileSet) {
                 // If there is a filePattern to check that matches this entry of the bundle, we check
                 if (value.match(file)) {
+                    unchecked.remove(value);
                     if (content == null) {
                         fail(String.format("Error checking the file %s because its content was null", file));
                     } else {