diff --git a/RBAC_Example.groovy b/RBAC_Example.groovy
new file mode 100644
index 0000000..17357a1
--- /dev/null
+++ b/RBAC_Example.groovy
@@ -0,0 +1,67 @@
+import jenkins.model.Jenkins;
+import nectar.plugins.rbac.strategy.*;
+import hudson.security.*;
+import nectar.plugins.rbac.groups.*;
+import nectar.plugins.rbac.roles.*;
+
+//Obtain security configuration
+RoleMatrixAuthorizationStrategyImpl strategy = RoleMatrixAuthorizationStrategyImpl.getInstance()
+RoleMatrixAuthorizationConfig config = RoleMatrixAuthorizationPlugin.getConfig()
+
+println 'Groups'
+config.getGroups().each{ g ->
+ println '\t' + g.name
+ println '\t\t Group Roles'
+ g.getAllRoles().each{rg -> println '\t\t\t' + rg}
+ println '\t\t Group Memberships'
+ g.getGroupMembership().each{mg -> println '\t\t\t' + mg}
+ println '\t\t Group Members'
+ g.getMembers().each{mg -> println '\t\t\t' + mg}
+ }
+
+println '*Roles*'
+config.getRoles().each{r ->
+ println '\t' + r
+ println '\t\t Role Permissions'
+ Role rc = new Role(r)
+ rc.getPermissionProxies().each{p -> println '\t\t' + p.id + " - " + p.name}
+ }
+
+println '*Permissions*'
+Permission.getAll().each{p -> println '\t' + p.id + " - " + p.name}
+
+println 'create a new Role'
+String roleName = "NewRole"
+strategy.addRole(roleName)
+
+println 'add all permission to NewRole'
+Role rc = new Role(roleName)
+for (Permission p: Permission.getAll()) {
+ if(p.getEnabled() && p.owner == null){
+ rc.doGrantPermissions(p.id)
+ }
+}
+
+println 'remove permission from role'
+rc.doRevokePermissions("hudson.model.Hudson.Read")
+
+println 'create a new groups at different container levels'
+
+// Get location for ClientMaster
+locationCM = Jenkins.instance.getAllItems().find{it.name.equals("ClientMaster")}
+// Get location for a FolderA/FolderB
+locationFolder = Jenkins.instance.getAllItems().find{it.fullName.equals("FolderA/FolderB")}
+// Get location at Root Level
+locationRoot = Jenkins.getInstance()
+
+// For the following example the group is created at root container (locationRoot)
+String groupName = "newGroup"
+GroupContainer container = GroupContainerLocator.locate(locationRoot)
+Group group = new Group(container, groupName)
+group.doAddMember('tesla')
+group.doAddMember('userToDelete')
+group.doRemoveMember('userToDelete')
+group.doGrantRole('roleToRevoke', 0, Boolean.TRUE)
+group.doRevokeRole('roleToRevoke')
+group.doGrantRole(roleName, 0, Boolean.TRUE)
+container.addGroup(group)
diff --git a/rbac-report.groovy b/rbac-report.groovy
new file mode 100644
index 0000000..71b119c
--- /dev/null
+++ b/rbac-report.groovy
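Review bot: The grant loop `if(p.getEnabled() && p.owner == null){ rc.doGrantPermissions(p.id) }` hands NewRole every enabled permission whose owner is null, and the closing lines grant that role to newGroup at the root container with propagation (`group.doGrantRole(roleName, 0, Boolean.TRUE)`), so running the example unmodified leaves a root-level group whose member 'tesla' holds that whole permission set with only hudson.model.Hudson.Read revoked. A comment at the top of the script such as `// Mutates live RBAC state: creates NewRole with every enabled, unowned permission and grants it at the root container` would make that visible before the file is pasted into a script console. `locationCM` and `locationFolder` are looked up but never used, and `find` yields null when no item named ClientMaster or FolderA/FolderB exists, which `GroupContainerLocator.locate` would receive if either were substituted for locationRoot; a null check or a comment stating they are placeholders to adapt would help.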
@@ -0,0 +1,43 @@
+import nectar.plugins.rbac.groups.*;
+import java.util.*;
+
+Map containers = new TreeMap();
+// Add the root container
+containers.put(Jenkins.instance.displayName, GroupContainerLocator.locate(Jenkins.instance));
+// Add all the items that are be containers
+for (i in Jenkins.instance.allItems) {
+ if (GroupContainerLocator.isGroupContainer(i.getClass())) {
+ GroupContainer g = GroupContainerLocator.locate(i);
+ if (g != null) containers.put(Jenkins.instance.displayName + "/" + i.fullDisplayName, g);
+ }
+}
+// Add all the nodes, as they are containers also (but be safe about it)
+for (i in Jenkins.instance.nodes) {
+ if (GroupContainerLocator.isGroupContainer(i.getClass())) {
+ GroupContainer g = GroupContainerLocator.locate(i);
+ if (g != null) containers.put(Jenkins.instance.displayName + "/" + i.displayName, g);
+ }
+}
+// There may be other group containers if somebody has written additional
+// extension points in additional plugins, but at this point in time this
+// is the full set of places where group containers can be hiding
+
+for (c in containers) {
+ println(c.key);
+ for (g in c.value.groups) {
+ println(" " + g.name);
+ println(" Roles:");
+ for (r in g.roles) {
+ println(" " + r + (g.doesPropagateToChildren(r) ? " (and children)" : " (pinned)"));
+
+ }
+ println(" Members:");
+ // g.members is the String names
+ // g.membership is the corresponding AbstractAssignee objects (so this may involve an LDAP lookup)
+ // but g.membership is the only way to determine what the String name corresponds to
+ // listing here so you can see what can be done, but up to you to judge the runtime cost
+ for (a in g.membership) {
+ println(" " + a.id + " <" + a.fullName + "> (" + a.description + " : " +a.getClass().getName() + ")");
+ }
+ }
+}
\ No newline at end of file
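Review bot: The nodes loop keys the map with `i.displayName` while the items loop uses `i.fullDisplayName`, and both use the same `Jenkins.instance.displayName + "/"` prefix, so a node and a top-level item sharing a display name produce the same key and the second `containers.put` silently replaces the first, dropping that container from the report; a kind-specific prefix such as `"/nodes/" + i.nodeName` keeps them distinct. The membership loop `for (a in g.membership)` is the most valuable part of the audit and, as the comment above it says, may involve an LDAP lookup; if that lookup throws for one group the script aborts with earlier groups already printed and later ones missing, which is easy to overlook when reading the output. Catching per group and printing the failure keeps the report complete:
```groovy
 println(" Members:");
 // … unchanged: comments on g.members vs g.membership …
 try {
     for (a in g.membership) {
         println(" " + a.id + " <" + a.fullName + "> (" + a.description + " : " +a.getClass().getName() + ")");
     }
 } catch (Exception e) {
     // one unresolvable group must not truncate the rest of the audit
     println(" (membership of " + g.name + " could not be resolved: " + e + ")");
 }
```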