From b565b18dd6e1efe34294857ff02a5f289744feb3 Mon Sep 17 00:00:00 2001
From: Crola1702
Date: Mon, 13 Jan 2025 10:16:08 -0500
Subject: [PATCH 1/4] Put authentication scripts and old resources in auth_strategy.groovy

Signed-off-by: Crola1702
---
 recipes/jenkins.rb | 87 +++++++++++++++++++++++++++++++++-------------
 1 file changed, 63 insertions(+), 24 deletions(-)

diff --git a/recipes/jenkins.rb b/recipes/jenkins.rb
index dd96834..70b9818 100644
--- a/recipes/jenkins.rb
+++ b/recipes/jenkins.rb
@@ -149,30 +149,49 @@
 # This method uses the Jenkins internal user database and manages permissions directly with chef.
 # * Groovy scripted:
 # This method can be used to enable more complex authentication / authorization strategies and security realms.
+
+# Create init.groovy.d directory to save important groovy files
+directory '/var/lib/jenkins/init.groovy.d' do
+ mode '0755'
+ owner 'jenkins'
+ group 'jenkins'
+end
+
 if node['ros_buildfarm']['jenkins']['auth_strategy'] == 'groovy'
 auth_strategy_script = data_bag_item('ros_buildfarm_jenkins_scripts', 'auth_strategy')[node.chef_environment]
 if auth_strategy_script.nil?
 Chef::Log.fatal("No auth strategy script for #{node.chef_environment} in ros_buildfarm_jenkins_scripts but auth_strategy is set to groovy.")
 raise
 end
- jenkins_script 'auth_strategy' do
- command auth_strategy_script['command']
+
+ file '/var/lib/jenkins/init.groovy.d/auth_strategy.groovy' do
+ content auth_strategy_script['command']
+ mode '0755'
+ owner 'jenkins'
+ group 'jenkins'
 end
+
 elsif node['ros_buildfarm']['jenkins']['auth_strategy'] == 'default'
- jenkins_script 'establish security realm' do
- command <<~GROOVY
- import hudson.model.*
- import jenkins.model.*
- import hudson.security.HudsonPrivateSecurityRealm
- import hudson.security.SecurityRealm
+ ## TODO: (Crola1702) CHANGEME: cli to run groovy scripts
+ default_auth_script = <<~GROOVY
+ import hudson.model.*
+ import jenkins.model.*
+ import hudson.security.HudsonPrivateSecurityRealm
+ import hudson.security.SecurityRealm
+
+ def jenkins = Jenkins.getInstance()
+ // Boolean `!` binds closer than instanceof so parenthesize the instanceof operation
+ if (!(jenkins.getSecurityRealm() instanceof HudsonPrivateSecurityRealm)) {
+ jenkins.setSecurityRealm(new HudsonPrivateSecurityRealm(false))
+ jenkins.save()
+ }
+ GROOVY
- def jenkins = Jenkins.getInstance()
- // Boolean `!` binds closer than instanceof so parenthesize the instanceof operation
- if (!(jenkins.getSecurityRealm() 
instanceof HudsonPrivateSecurityRealm)) {
- jenkins.setSecurityRealm(new HudsonPrivateSecurityRealm(false))
- jenkins.save()
- }
- GROOVY
+ file '/var/lib/jenkins/init.groovy.d/auth_strategy.groovy' do
+ content default_auth_script
+ mode '0755'
+ owner 'jenkins'
+ group 'jenkins'
 end
 # Restart jenkins after updating the security realm otherwise running without
@@ -182,6 +201,10 @@ def jenkins = Jenkins.getInstance()
 end
 # Aggregate permissions to assign to each user with a groovy script.
+ users_creation_scripts = [
+ default_auth_script
+ ]
+
 permissions = []
 data_bag('ros_buildfarm_jenkins_users').each do |id|
 user = data_bag_item('ros_buildfarm_jenkins_users', id)
@@ -197,16 +220,24 @@ def jenkins = Jenkins.getInstance()
 # not know what would happen if we tried to create a concrete user with the
 # username anonymous so let's just don't.
 next if user['username'] == 'anonymous'
- jenkins_user user['username'] do
- password user['password']
- public_keys user['public_keys']
- email user['email'] if user['email']
- end
+
+ user_creation_script <<~GROOVY
+ user = hudson.model.User.get("crolaTest")
+ user.setFullName(#{user['username']})
+ if (#{!user['email'].nil?}) {
+ email = new hudson.tasks.Mailer.UserProperty(#{user['email']})
+ user.addProperty(email)
+ }
+ password = hudson.security.HudsonPrivateSecurityRealm.Details.fromPlainPassword(#{user['password']})
+ user.addProperty(password)
+ keys = new org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl(#{user['public_keys'].join('\n')})
+ user.addProperty(keys)
+ GROOVY
+
+ users_creation_scripts << user_creation_script
 end
- jenkins_script 'matrix_authentication_permissions' do
- command <<~GROOVY
- import hudson.model.*
- import jenkins.model.*
+
+ matrix_auth_permissions_script = <<~GROOVY
 import hudson.security.ProjectMatrixAuthorizationStrategy
 def jenkins = Jenkins.getInstance()
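Review bot: `mode '0755'` on `auth_strategy.groovy` (both `file` resources in this hunk) makes a script that runs with full Jenkins privileges readable by every local account, and the execute bit is not needed because Jenkins loads `init.groovy.d` scripts itself; `mode '0600'` is sufficient for the file, with the `directory` kept at `0755`. Moving from `jenkins_script` to a file under `init.groovy.d` also changes when the code runs: it now executes at every Jenkins start instead of once per converge, so the data-bag script in the `groovy` branch has to be safe to re-run, which is worth stating above the `if`, e.g. `# Scripts in init.groovy.d run on every Jenkins startup; they must be idempotent.`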
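Review bot: `users_creation_scripts` starts with `default_auth_script`, which the `-149` hunk already writes to `/var/lib/jenkins/init.groovy.d/auth_strategy.groovy`, and the `-219` hunk declares the same path again with the joined content, so the `default` branch manages one file twice per converge and the first write (plus whatever the "Restart jenkins" block below it notifies — that block is outside the hunk) happens before the user and permission scripts exist. Dropping the first `file` resource, or giving the realm script its own file such as `00-security-realm.groovy`, leaves a single declaration per path.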
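Review bot: The heredoc splices `user['password']` and the other data-bag fields straight into Groovy source, so the file later installed under `init.groovy.d` holds every password in plain text, and a value containing `"`, `\` or `$` (a GString interpolation marker once the quotes from the `-222` hunk are added) changes the script rather than the value. `user['public_keys'].join('\n')` is also wrong on both sides: Ruby single quotes make it a literal backslash-n, and the result is never wrapped in a Groovy string, here and still in the `-222` and `-231` hunks, so a non-empty key list is a Groovy syntax error and a missing `public_keys` key raises `NoMethodError` in Chef. If the values must be embedded, render each one as a Groovy single-quoted literal through one helper (single-quoted Groovy strings do not interpolate `$`) and coerce the key list with `Array()`, as below.
```ruby
# Render value as a Groovy single-quoted string literal: only `\` and `'` are
# special there and `$` is not interpolated, so data-bag values cannot alter
# the generated script. Newlines become the `\n` escape.
groovy_str = lambda do |value|
  escaped = value.to_s.gsub(/[\\']/) { "\\#{Regexp.last_match(0)}" }
  "'#{escaped.gsub("\n") { '\\n' }}'"
end

user_creation_script = <<~GROOVY
  user = hudson.model.User.get(#{groovy_str.call(user['username'])})
  // … unchanged: email and password properties, each value passed through groovy_str …
  keys = new org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl(#{groovy_str.call(Array(user['public_keys']).join("\n"))})
  user.addProperty(keys)
GROOVY
```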
@@ -219,6 +250,14 @@ def jenkins = Jenkins.getInstance()
 jenkins.save()
 }
 GROOVY
+
+ users_creation_scripts << matrix_auth_permissions_script
+
+ file '/var/lib/jenkins/init.groovy.d/auth_strategy.groovy' do
+ content users_creation_scripts.join("\n")
+ mode '0755'
+ owner 'jenkins'
+ group 'jenkins'
 end
 else
 Chef::Log.warn("Jenkins auth_strategy attribute `#{node['ros_buildfarm']['jenkins']['auth_strategy']}` is unknown. No authentication will be configured.")

From db3e5f03318ae80c28186bd34e9026afdff3c2cd Mon Sep 17 00:00:00 2001
From: Crola1702
Date: Wed, 8 Jan 2025 09:05:40 -0500
Subject: [PATCH 2/4] Fix syntax error

Signed-off-by: Crola1702
---
 recipes/jenkins.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes/jenkins.rb b/recipes/jenkins.rb
index 70b9818..9b037ff 100644
--- a/recipes/jenkins.rb
+++ b/recipes/jenkins.rb
@@ -221,7 +221,7 @@ def jenkins = Jenkins.getInstance()
 # username anonymous so let's just don't.
 next if user['username'] == 'anonymous'
- user_creation_script <<~GROOVY
+ user_creation_script = <<~GROOVY
 user = hudson.model.User.get("crolaTest")
 user.setFullName(#{user['username']})
 if (#{!user['email'].nil?}) {

From 9dcf1fff3aaac4f70cb0ae37087a32fdef1ed254 Mon Sep 17 00:00:00 2001
From: Crola1702
Date: Wed, 8 Jan 2025 10:07:04 -0500
Subject: [PATCH 3/4] Fix user creation script

Signed-off-by: Crola1702
---
 recipes/jenkins.rb | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/recipes/jenkins.rb b/recipes/jenkins.rb
index 9b037ff..9e6646c 100644
--- a/recipes/jenkins.rb
+++ b/recipes/jenkins.rb
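Review bot: `users_creation_scripts.join("\n")` concatenates `default_auth_script` and `matrix_auth_permissions_script` into one Groovy script, and both declare `def jenkins = Jenkins.getInstance()` (the first in the `-149` hunk, the second in this hunk's own context), which Groovy rejects as a duplicate local in the same scope, so the combined file fails to compile at startup and no realm, user or permission is configured. The per-user scripts use undeclared binding variables (`user`, `email`, `keys`), which is why only the two `def` lines collide. The joined content also carries every user's plain-text password, so this `file` resource needs `sensitive true` to keep it out of Chef's diff and log output, and a tighter mode than `0755`. Writing each piece to its own numbered file in `init.groovy.d` (Jenkins runs them in name order) would avoid the join and the shared scope altogether.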
@@ -222,13 +222,12 @@ def jenkins = Jenkins.getInstance()
 next if user['username'] == 'anonymous'
 user_creation_script = <<~GROOVY
- user = hudson.model.User.get("crolaTest")
- user.setFullName(#{user['username']})
+ user = hudson.model.User.get("#{user['username']}")
 if (#{!user['email'].nil?}) {
- email = new hudson.tasks.Mailer.UserProperty(#{user['email']})
+ email = new hudson.tasks.Mailer.UserProperty("#{user['email']}")
 user.addProperty(email)
 }
- password = hudson.security.HudsonPrivateSecurityRealm.Details.fromPlainPassword(#{user['password']})
+ password = hudson.security.HudsonPrivateSecurityRealm.Details.fromPlainPassword("#{user['password']}")
 user.addProperty(password)
 keys = new org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl(#{user['public_keys'].join('\n')})
 user.addProperty(keys)

From 39a005873a4d71fc25a6e7bb9adbe9b569c34d57 Mon Sep 17 00:00:00 2001
From: Crola1702
Date: Mon, 13 Jan 2025 10:20:08 -0500
Subject: [PATCH 4/4] Use correct strategy in attributes and actually save the user

Signed-off-by: Crola1702
---
 recipes/jenkins.rb | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/recipes/jenkins.rb b/recipes/jenkins.rb
index 9e6646c..228edc8 100644
--- a/recipes/jenkins.rb
+++ b/recipes/jenkins.rb
@@ -157,7 +157,7 @@
 group 'jenkins'
 end
-if node['ros_buildfarm']['jenkins']['auth_strategy'] == 'groovy'
+if node.default['ros_buildfarm']['jenkins']['auth_strategy'] == 'groovy'
 auth_strategy_script = data_bag_item('ros_buildfarm_jenkins_scripts', 'auth_strategy')[node.chef_environment]
 if auth_strategy_script.nil?
 Chef::Log.fatal("No auth strategy script for #{node.chef_environment} in ros_buildfarm_jenkins_scripts but auth_strategy is set to groovy.")
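Review bot: `hudson.model.User.get("#{user['username']}")` resolves the argument as an id *or* a full name and creates the user when nothing matches, so a data-bag username that happens to equal another account's full name would attach this password and these SSH keys to that other account; `hudson.model.User.getById("#{user['username']}", true)` matches on id only, and `User.get(String)` is, as far as I know, deprecated in current Jenkins for exactly this ambiguity. Since the realm is the internal `HudsonPrivateSecurityRealm` set up earlier in this recipe, the id is the only identity that login checks, so it is the one to key on here.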
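Review bot: `node.default['ros_buildfarm']['jenkins']['auth_strategy']` reads only the default attribute level, so a value set in a role, an environment, a wrapper cookbook or via `node.override` is ignored, and a deployment that configures the strategy that way now falls through to the `else` branch, which only warns and leaves Jenkins with no authentication configured. `node['ros_buildfarm']['jenkins']['auth_strategy']` is the merged view and is what the warning in that `else` branch still prints; if the switch was made because a higher-precedence level held an unexpected value, that level is the thing to fix rather than bypass. The same change appears in the `-170` hunk.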
@@ -170,9 +170,7 @@
 owner 'jenkins'
 group 'jenkins'
 end
-
-elsif node['ros_buildfarm']['jenkins']['auth_strategy'] == 'default'
- ## TODO: (Crola1702) CHANGEME: cli to run groovy scripts
+elsif node.default['ros_buildfarm']['jenkins']['auth_strategy'] == 'default'
 default_auth_script = <<~GROOVY
 import hudson.model.*
 import jenkins.model.*
@@ -231,6 +229,7 @@ def jenkins = Jenkins.getInstance()
 user.addProperty(password)
 keys = new org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl(#{user['public_keys'].join('\n')})
 user.addProperty(keys)
+ user.save()
 GROOVY
 users_creation_scripts << user_creation_script