Class AclAwareWhitelist

  • All Implemented Interfaces:
    ExtensionPoint
    Direct Known Subclasses:
    AnnotatedWhitelist

    public class AclAwareWhitelist
    extends Whitelist
    Delegating whitelist which allows certain calls to be made only when a non-ACL.SYSTEM user is making them.

    First there is a list of unrestricted signatures; these can always be run.

    Then there is a (probably much smaller) list of restricted signatures. These can be run only when the current user is a real user or even Jenkins.ANONYMOUS, but not when the current user is ACL.SYSTEM. Restricted methods should be limited to those which actually perform a permissions check, typically using ACL.checkPermission(hudson.security.Permission). Allowing the system pseudo-user to run these would be dangerous, since we do not know “on whose behalf” a script is running, and this “user” is permitted to do anything.

    • Constructor Detail

      • AclAwareWhitelist

        public AclAwareWhitelist(Whitelist unrestricted,
                                 Whitelist restricted)
        Creates a delegating whitelist.
        Parameters:
        unrestricted - a general whitelist; anything permitted by this one will be permitted in any context
        restricted - a whitelist of method/constructor calls (field accesses never consulted) for which ACL checks are expected
    • Method Detail

      • permitsMethod

        public boolean permitsMethod(Method method,
                                     Object receiver,
                                     Object[] args)
        Description copied from class: Whitelist
        Checks whether a given virtual method may be invoked.

        Note that method should not be implementing or overriding a method in a supertype; in such a case the caller must pass that supertype method instead. In other words, call site selection is the responsibility of the caller (such as GroovySandbox), not the whitelist.

        Specified by:
        permitsMethod in class Whitelist
        Parameters:
        method - a method defined in the JVM
        receiver - this, the receiver of the method call
        args - zero or more arguments
        Returns:
        true to allow the method to be called, false to reject it
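
The two-tier decision from the class description, as an added JDK-only model that is not the plugin's source code. `MethodList`, `Item`, `listOf` and the `"SYSTEM"` string standing in for ACL.SYSTEM are assumptions made for the illustration; `delete()` represents a method that would check the caller's permission before acting.

```java
import java.lang.reflect.Method;
import java.util.Set;

// Added illustration using only the JDK; not the plugin's source code.
public class AclAwareDecisionDemo {
    // Hypothetical stand-in for Whitelist, reduced to the method check.
    interface MethodList { boolean permitsMethod(Method m, Object receiver, Object[] args); }

    // Constructed sample type: getName() is harmless, delete() stands for a
    // method that would check the caller's permission, wipe() is on no list.
    static class Item {
        public String getName() { return "job-1"; }
        public void delete() { }
        public void wipe() { }
    }

    // Assumption: the string "SYSTEM" models ACL.SYSTEM; any other value is a
    // real or anonymous user.
    static String currentUser = "SYSTEM";

    // Hypothetical helper: a list that matches "DeclaringClass.method" names.
    static MethodList listOf(String... names) {
        Set<String> allowed = Set.of(names);
        return (m, r, a) -> allowed.contains(m.getDeclaringClass().getSimpleName() + "." + m.getName());
    }

    static final MethodList UNRESTRICTED = listOf("Item.getName");
    static final MethodList RESTRICTED = listOf("Item.delete");

    // Unrestricted entries pass in any context; restricted entries pass only
    // when the caller is not the system pseudo-user; everything else is rejected.
    static boolean permitsMethod(Method m, Object receiver, Object[] args) {
        if (UNRESTRICTED.permitsMethod(m, receiver, args)) return true;
        boolean system = "SYSTEM".equals(currentUser);
        return !system && RESTRICTED.permitsMethod(m, receiver, args);
    }

    public static void main(String[] argv) throws Exception {
        Item item = new Item();
        for (String user : new String[] {"SYSTEM", "anonymous", "alice"}) {
            currentUser = user;
            for (String name : new String[] {"getName", "delete", "wipe"}) {
                Method m = Item.class.getMethod(name);
                System.out.printf("%-9s %-7s -> %s%n", user, name,
                        permitsMethod(m, item, new Object[0]));
            }
        }
    }
}
```

Because the model matches on the declaring class, it also shows why the caller has to pass the supertype method when the invoked method overrides one: a list entry written against the supertype would not match the subclass's `Method` object.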