Merge pull request #5 from oleg-nenashev/casc-plugin

Create a demo for CasC Plugin
oleg-nenashev · Oct 25, 2018 · eec4334 · eec4334
2 parents 0503547 + e77e108
commit eec4334
Show file tree

Hide file tree

Showing 8 changed files with 134 additions and 162 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM jenkins/jenkins:2.107.3
+FROM jenkins/jenkins:2.138.2
 MAINTAINER Oleg Nenashev <[email protected]>
 LABEL Description="This demo shows how to setup Jenkins Config-as-Code with Docker, Pipeline, and Groovy Hook Scripts" Vendor="Oleg Nenashev" Version="0.2"
 
@@ -29,4 +29,6 @@ VOLUME /var/jenkins_home/pipeline-libs
 EXPOSE 5005
 
 COPY jenkins2.sh /usr/local/bin/jenkins2.sh
+ENV CASC_JENKINS_CONFIG=/var/jenkins_home/jenkins.yaml
+COPY jenkins.yaml /var/jenkins_home/jenkins.yaml
 ENTRYPOINT ["tini", "--", "/usr/local/bin/jenkins2.sh"]
diff --git a/Makefile b/Makefile
@@ -0,0 +1,8 @@
+build:
+	docker build -t onenashev/demo-jenkins-config-as-code .
+
+run:
+	docker run --rm --name ci-jenkins-io-dev -v maven-repo:/root/.m2 -v ${MY_PIPELINE_LIBRARY_DIR}:/var/jenkins_home/pipeline-library -v ${MY_OTHER_PIPELINE_LIBS_DIRS}:/var/jenkins_home/pipeline-libs -e DEV_HOST=${CURRENT_HOST} -p 8080:8080 -p 50000:50000  onenashev/demo-jenkins-config-as-code
+
+debug:
+	docker run --rm --name ci-jenkins-io-dev -e DEBUG=true -p 5005:5005 -v maven-repo:/root/.m2 -v ${MY_PIPELINE_LIBRARY_DIR}:/var/jenkins_home/pipeline-library -v ${MY_OTHER_PIPELINE_LIBS_DIRS}:/var/jenkins_home/pipeline-libs -e DEV_HOST=${CURRENT_HOST} -p 8080:8080 -p 50000:50000  onenashev/demo-jenkins-config-as-code
diff --git a/...ripts/src/main/groovy/io/jenkins/systemgroovy/plugins/OwnershipBasedSecurityHelper.groovy b/...ripts/src/main/groovy/io/jenkins/systemgroovy/plugins/OwnershipBasedSecurityHelper.groovy
diff --git a/init_scripts/src/main/groovy/scripts/Auth.groovy b/init_scripts/src/main/groovy/scripts/Auth.groovy
@@ -1,8 +1,3 @@
-import com.michelin.cio.hudson.plugins.rolestrategy.RoleBasedAuthorizationStrategy
-import com.michelin.cio.hudson.plugins.rolestrategy.RoleMap
-import com.synopsys.arc.jenkins.plugins.rolestrategy.RoleType
-import hudson.security.HudsonPrivateSecurityRealm
-import io.jenkins.systemgroovy.plugins.OwnershipBasedSecurityHelper
 import jenkins.model.Jenkins
 import jenkins.security.QueueItemAuthenticatorConfiguration
 import hudson.model.*
@@ -12,25 +7,14 @@ import org.jenkinsci.plugins.authorizeproject.strategy.TriggeringUsersAuthorizat
 
 boolean createAdmin = Boolean.getBoolean("io.jenkins.dev.security.createAdmin")
 
-println("=== Installing the Security Realm")
-def securityRealm = new HudsonPrivateSecurityRealm(false)
+println("=== Configuring users")
+def securityRealm = Jenkins.instance.getSecurityRealm()
 User user = securityRealm.createAccount("user", "user")
 user.setFullName("User")
 if (createAdmin) {
     User admin = securityRealm.createAccount("admin", "admin")
     admin.setFullName("Admin")
 }
-Jenkins.instance.setSecurityRealm(securityRealm)
-
-println("=== Installing the Role-Based Authorization strategy")
-RoleBasedAuthorizationStrategy strategy = new RoleBasedAuthorizationStrategy()
-def grantedRoles = new HashMap<String, RoleMap>()
-grantedRoles.put(RoleType.Project.stringType, OwnershipBasedSecurityHelper.projectRoleMap)
-grantedRoles.put(RoleType.Slave.stringType, OwnershipBasedSecurityHelper.computerRoleMap)
-grantedRoles.put(RoleType.Global.stringType, OwnershipBasedSecurityHelper.globalAdminAndAnonymousRoles)
-
-strategy.@grantedRoles.putAll(grantedRoles)
-Jenkins.instance.authorizationStrategy = strategy
 
 println("=== Configure Authorize Project")
 GlobalQueueItemAuthenticator auth = new GlobalQueueItemAuthenticator(

diff --git a/init_scripts/src/main/groovy/scripts/MasterComputer.groovy b/init_scripts/src/main/groovy/scripts/MasterComputer.groovy
@@ -16,27 +16,3 @@ println("== Configuring Master computer")
 // Admin owns the node
 NodeOwnerHelper.setOwnership(Jenkins.instance, new OwnershipDescription(true, "admin"))
 
-// Job restrictions
-boolean allowRunsOnMaster = Boolean.getBoolean("io.jenkins.dev.security.allowRunsOnMaster")
-if (allowRunsOnMaster) {
-    // TODO: Due to the BuildAnythingOnNode hack, there is actually no protection
-    println("Runs on Master are enabled. It is a bad idea from the security standpoint")
-    return
-}
-
-// We allow running jobs in the SystemFolder owned by admin + whitelisted job types
-// TODO: Job Restrictions API polishing would be really useful
-OwnersListJobRestriction ownedByAdmin = new OwnersListJobRestriction([ new UserSelector("admin") ],false)
-RegexNameRestriction inSystemFolder = new RegexNameRestriction("^System/.+", false)
-
-ClassSelector workflowJob = new ClassSelector(WorkflowJob.class.name)
-JobClassNameRestriction whitelistedClasses = new JobClassNameRestriction([workflowJob])
-
-Jenkins.instance.getNodeProperties().add(
-    new JobRestrictionProperty(
-        new OrJobRestriction(
-            new MultipleAndJobRestriction([ownedByAdmin, inSystemFolder]),
-            whitelistedClasses
-        )
-    )
-)
diff --git a/init_scripts/src/main/groovy/scripts/System.groovy b/init_scripts/src/main/groovy/scripts/System.groovy
@@ -12,17 +12,10 @@ println("-- System configuration")
 // TODO: Configure Job Restrictions, Script Security, Authorize Project, etc., etc.
 println("--- Configuring Remoting (JNLP4 only, no Remoting CLI)")
 CLI.get().enabled = false
-Jenkins.instance.agentProtocols = new HashSet<String>(["JNLP4-connect"])
 Jenkins.instance.getExtensionList(StaplerProxy.class)
     .get(AdminWhitelistRule.class)
     .masterKillSwitch = false
 
-println("--- Checking the CSRF protection")
-if (Jenkins.instance.crumbIssuer == null) {
-    println "CSRF protection is disabled, Enabling the default Crumb Issuer"
-    Jenkins.instance.crumbIssuer = new DefaultCrumbIssuer(true)
-}
-
 println("--- Configuring Quiet Period")
 // We do not wait for anything
 Jenkins.instance.quietPeriod = 0

diff --git a/jenkins.yaml b/jenkins.yaml
@@ -0,0 +1,101 @@
+jenkins:
+  mode: NORMAL
+  numExecutors: 2
+  agentProtocols:
+  - "JNLP4-connect"
+  - "Ping"
+  nodeProperties:
+  - jobRestrictionProperty:
+      jobRestriction:
+        or:
+          first:
+            multipleAnd:
+              restrictions:
+              - ownersList:
+                  usersList:
+                  - selectedUserId: "admin"
+                  acceptsCoOwners: false
+              - regexNameRestriction:
+                  checkShortName: false
+                  regexExpression: "^System/.+"
+          second:
+            jobClassNameRestriction:
+              jobClasses:
+              - selectedClass: "org.jenkinsci.plugins.workflow.job.WorkflowJob"
+  crumbIssuer:
+    standard:
+      excludeClientIPFromCrumb: true
+  disableRememberMe: false
+  scmCheckoutRetryCount: 0
+  projectNamingStrategy: "standard"
+  markupFormatter: "plainText"
+  slaveAgentPort: 50000
+  myViewsTabBar: "standard"
+  viewsTabBar: "standard"
+
+  securityRealm:
+    local:
+      allowsSignup: false
+      enableCaptcha: false
+  authorizationStrategy:
+    roleBased:
+      roles:
+        global:
+          - name: "admin"
+            description: "Jenkins administrators"
+            permissions:
+              - "Overall/Administer"
+            assignments:
+              - "admin"
+          - name: "readonly"
+            description: "Read-only users"
+            permissions:
+              - "Overall/Read"
+              - "Job/Read"
+              - "Agent/Build"
+            assignments:
+              - "authenticated"
+        items:
+          - name: "@OwnerNoSid"
+            description: "Primary Owners"
+            pattern: ".*"
+            permissions:
+              - "Job/Configure"
+              - "Job/Build"
+              - "Job/Delete"
+              - "Run/Delete"
+            assignments:
+              - "authenticated"
+          - name: "@CoOwnerNoSid"
+            description: "Secondary Owners"
+            pattern: ".*"
+            permissions:
+              - "Job/Configure"
+              - "Job/Build"
+            assignments:
+              - "authenticated"
+        agents:
+          - name: "@OwnerNoSid"
+            description: "Primary Owners"
+            pattern: ".*"
+            permissions:
+              - "Agent/Configure"
+              - "Agent/Build"
+              - "Agent/Delete"
+              - "Agent/Build"
+            assignments:
+              - "authenticated"
+          - name: "@CoOwnerNoSid"
+            description: "Secondary Owners"
+            pattern: ".*"
+            permissions:
+              - "Agent/Connect"
+              - "Agent/Build"
+            assignments:
+              - "authenticated"
+tool:
+  git:
+    installations:
+    - home: "git"
+      name: "Default"
+
diff --git a/plugins.txt b/plugins.txt
@@ -1,24 +1,27 @@
-matrix-auth:2.2
-cloudbees-folder:6.4
-workflow-aggregator:2.5
-workflow-cps:2.53
-git:3.9.0
+matrix-auth:2.3
+cloudbees-folder:6.6
+workflow-aggregator:2.6
+workflow-cps:2.59
+git:3.9.1
 timestamper:1.8.10
-yet-another-docker-plugin:0.1.0-rc47
+yet-another-docker-plugin:0.1.0-rc48
 ownership:0.12.1
-job-restrictions:0.7
-role-strategy:2.8.1
+job-restrictions:0.8
+role-strategy:2.9.0
 mailer:1.21
 authorize-project:1.3.0
-security-inspector:0.4
-monitoring:1.72.0
-locale:1.2
-blueocean:1.5.0
+security-inspector:0.5
+monitoring:1.74.0
+locale:1.3
+blueocean:1.9.0
 filesystem_scm:2.1
-junit:1.24
+junit:1.26.1
 checkstyle:3.50
 findbugs:4.72
-parallel-test-executor:1.10
-email-ext:2.62
-jacoco:2.2.1
-cobertura:1.12.1
+parallel-test-executor:1.11
+email-ext:2.63
+jacoco:3.0.3
+cobertura:1.13
+configuration-as-code:1.1
+configuration-as-code-support:1.1
+jdk-tool:1.1