jenkinsci / jetbrains-space-plugin

JetBrains Space plugin for Jenkins
https://plugins.jenkins.io/jetbrains-space/
MIT License

Trigger job does not work when Jenkins uses Role Strategy plugin #18

Closed bereczkitamas closed 6 months ago

bereczkitamas commented 7 months ago

Jenkins and plugins versions report

Environment

```text
Jenkins: 2.450
OS: Linux - 5.4.0-172-generic
Java: 11.0.22 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)
---
Exclusion:0.15 ace-editor:1.1 ansicolor:1.0.4 ant:497.v94e7d9fffa_b_9 antisamy-markup-formatter:162.v0e6ec0fcfcf6 apache-httpcomponents-client-4-api:4.5.14-208.v438351942757 apache-httpcomponents-client-5-api:5.3.1-1.0 artifactory:4.0.6 asm-api:9.7-33.v4d23ef79fcc8 authentication-tokens:1.53.v1c90fd9191a_b_ basic-branch-build-strategies:81.v05e333931c7d bitbucket:241.v6d24a_57f9359 bitbucket-push-and-pull-request:3.0.2 bootstrap5-api:5.3.3-1 bouncycastle-api:2.30.1.77-225.v26ea_c9455fd9 branch-api:2.1152.v6f101e97dd77 caffeine-api:3.1.8-133.v17b_1ff2e0599 checks-api:2.2.0 cloud-stats:336.v788e4055508b_ cloudbees-bitbucket-branch-source:883.v041fa_695e9c2 cloudbees-folder:6.928.v7c780211d66e command-launcher:107.v773860566e2e commons-lang3-api:3.13.0-62.v7d18e55f51e2 commons-text-api:1.11.0-95.v22a_d30ee5d36 conditional-buildstep:1.4.3 config-file-provider:968.ve1ca_eb_913f8c configuration-as-code:1775.v810dc950b_514 configurationslicing:548.ve92d48e66b_f8 copyartifact:722.v0662a_9b_e22a_c credentials:1337.v60b_d7b_c7b_c9f credentials-binding:657.v2b_19db_7d6e6d cucumber-reports:5.8.1 cucumber-testresult-plugin:0.10.1 dark-theme:439.vdef09f81f85e data-tables-api:2.0.3-1 declarative-pipeline-migration-assistant:1.6.3 declarative-pipeline-migration-assistant-api:1.6.3 display-url-api:2.200.vb_9327d658781 docker-build-publish:1.4.0 docker-commons:439.va_3cb_0a_6a_fb_29 docker-custom-build-environment:1.7.3 docker-java-api:3.3.4-86.v39b_a_5ede342c docker-plugin:1.6 docker-workflow:572.v950f58993843 durable-task:550.v0930093c4b_a_6 echarts-api:5.5.0-1 email-ext:2.105 envinject:2.908.v66a_774b_31d93 envinject-api:1.199.v3ce31253ed13 extended-choice-parameter:381.v360a_25ea_017c external-monitor-job:215.v2e88e894db_f8 file-parameters:316.va_83a_1221db_a_7 font-awesome-api:6.5.1-3 generic-webhook-trigger:2.1.1 git:5.2.1 git-client:4.7.0
git-parameter:0.9.19 git-server:114.v068a_c7cc2574 gradle:2.10 greenballs:1.15.1 gson-api:2.10.1-15.v0d99f670e0a_7 h2-api:11.1.4.199-12.v9f4244395f7a_ handy-uri-templates-2-api:2.1.8-30.v7e777411b_148 http_request:1.18 instance-identity:185.v303dc7c645f9 ionicons-api:70.v2959a_b_74e3cf ivy:2.5 jackson2-api:2.17.0-379.v02de8ec9f64c jakarta-activation-api:2.1.3-1 jakarta-mail-api:2.1.3-1 javadoc:243.vb_b_503b_b_45537 javax-activation-api:1.2.0-6 javax-mail-api:1.6.2-9 jaxb:2.3.9-1 jdk-tool:73.vddf737284550 jersey2-api:2.42-147.va_28a_44603b_d5 jetbrains-space:1.999999-SNAPSHOT (private-9198d05d-bereczki) jnr-posix-api:3.1.19-2 job-dsl:1.87 joda-time-api:2.12.7-29.v5a_b_e3a_82269a_ jquery:1.12.4-1 jquery3-api:3.7.1-2 jsch:0.2.16-86.v42e010d9484b_ json-api:20240303-41.v94e11e6de726 json-path-api:2.9.0-58.v62e3e85b_a_655 junit:1265.v65b_14fa_f12f0 keycloak:2.3.2 kubernetes:4203.v1dd44f5b_1cf9 kubernetes-cli:1.12.1 kubernetes-client-api:6.10.0-240.v57880ce8b_0b_2 kubernetes-credentials:0.11 ldap:719.vcb_d039b_77d0d lockable-resources:1246.v28b_e4cc6fa_16 mailer:472.vf7c289a_4b_420 matrix-auth:3.2.2 matrix-project:822.824.v14451b_c0fd42 maven-plugin:3.23 mercurial:1260.vdfb_723cdcc81 metrics:4.2.21-449.v6960d7c54c69 mina-sshd-api-common:2.12.1-101.v85b_e08b_780dd mina-sshd-api-core:2.12.1-101.v85b_e08b_780dd multi-branch-project-plugin:0.7 multiple-scms:0.8 naginator:1.436.vb_e769dcb_cdf6 nodejs:1.6.1 okhttp-api:4.11.0-172.vda_da_1feeb_c6e pam-auth:1.10 parameterized-trigger:787.v665fcf2a_830b_ pipeline-build-step:540.vb_e8849e1a_b_d8 pipeline-graph-analysis:216.vfd8b_ece330ca_ pipeline-groovy-lib:704.vc58b_8890a_384 pipeline-input-step:491.vb_07d21da_1a_fb_ pipeline-maven:1396.veb_f07b_2fc1d8 pipeline-maven-api:1396.veb_f07b_2fc1d8 pipeline-milestone-step:119.vdfdc43fc3b_9a_ pipeline-model-api:2.2188.v26e255fd2984 pipeline-model-definition:2.2188.v26e255fd2984 pipeline-model-extensions:2.2188.v26e255fd2984 pipeline-npm:204.v4dc4c2202625 pipeline-rest-api:2.34
pipeline-stage-step:312.v8cd10304c27a_ pipeline-stage-tags-metadata:2.2188.v26e255fd2984 pipeline-stage-view:2.34 pipeline-utility-steps:2.16.2 plain-credentials:179.vc5cb_98f6db_38 plugin-util-api:4.1.0 prism-api:1.29.0-13 promoted-builds:945.v597f5c6a_d3fd role-strategy:713.vb_3837801b_8cc run-condition:1.7 saferestart:0.7 scm-api:689.v237b_6d3a_ef7f script-security:1335.vf07d9ce377a_e slack:684.v833089650554 snakeyaml-api:2.2-111.vc6598e30cc65 snyk-security-scanner:4.0.2 sonar:2.17.2 ssh-agent:346.vda_a_c4f2c8e50 ssh-credentials:337.v395d2403ccd4 ssh-slaves:2.948.vb_8050d697fec ssh-steps:2.0.68.va_d21a_12a_6476 sshd:3.322.v159e91f6a_550 structs:337.v1b_04ea_4df7c8 theme-manager:215.vc1ff18d67920 token-macro:400.v35420b_922dcb_ trilead-api:2.142.v748523a_76693 variant:60.v7290fc0eb_b_cd workflow-aggregator:596.v8c21c963d92d workflow-api:1291.v51fd2a_625da_7 workflow-basic-steps:1049.v257a_e6b_30fb_d workflow-cps:3894.vd0f0248b_a_fc4 workflow-cps-global-lib:612.v55f2f80781ef workflow-durable-task-step:1336.v768003e07199 workflow-job:1400.v7fd111b_ec82f workflow-multibranch:783.va_6eb_ef636fb_d workflow-scm-step:427.v4ca_6512e7df1 workflow-step-api:657.v03b_e8115821b_ workflow-support:896.v175a_a_9c5b_78f
```

What Operating System are you using (both controller, and any agents involved in the problem)?

Linux

Reproduction steps

We use the Keycloak plugin for Jenkins for authentication.

  1. Install Jenkins with the Role Strategy plugin.

  2. Role-based authorization is set (screenshot)

  3. Set up an application for webhooks to Jenkins

  4. Set up a job in Jenkins with a trigger from Space

  5. Trigger a webhook event

Expected Results

The Jenkins job is triggered and started.

Actual Results

Jenkins log contains: No registered trigger found for webhook id = qyHCs0h52xN

This is because this returns an empty list:

```kotlin
// Excerpt from the plugin's webhook handler as posted in the issue.
// Jenkins.getAllItems filters by the Item/Read permission of the thread's
// current authentication, which for an unauthenticated webhook is anonymous.
private suspend fun ProcessingScope.processWebhookCallback(payload: WebhookRequestPayload): SpaceHttpResponse {
    val allJobs = Jenkins.get().getAllItems(TriggeredItem::class.java)
```

Anything else?

getAllItems returns an empty list because the anonymous user and its role are applied when this code is executed, and it has no permission to read items.

I had a workaround after adding a user "space" and granting it permissions; however, it is not a proper solution:

```kotlin
import org.springframework.security.authentication.AnonymousAuthenticationToken
import org.springframework.security.core.authority.SimpleGrantedAuthority
import org.springframework.security.core.context.SecurityContextHolder
import org.springframework.security.core.context.SecurityContextImpl

// Reporter's workaround as posted: replaces the request thread's SecurityContext
// with an anonymous token carrying a "space" authority (a role that was granted
// Item/Read in Role Strategy). The previous context is not saved or restored.
private suspend fun ProcessingScope.processWebhookCallback(payload: WebhookRequestPayload): SpaceHttpResponse {
    SecurityContextHolder.setContext(
        SecurityContextImpl(AnonymousAuthenticationToken(
            "space",
            "space",
            setOf(SimpleGrantedAuthority("space"))
        ))
    )

    val allJobs = Jenkins.get().getAllItems(TriggeredItem::class.java)
```

Could you add a parameter to set up a user (for example a "space" user with a "space" role that has this permission) and use it, please?

Or if that cannot be done, then please add to the install guide that if the Role Strategy plugin is used, these roles must be given to anonymous: (screenshots)

Are you interested in contributing a fix?

No response

Kiryushin-Andrey commented 6 months ago

@bereczkitamas thank you for trying out the plugin early and for the detailed bug report! I've fixed the bug in the latest release https://github.com/jenkinsci/jetbrains-space-plugin/releases/tag/1.50.vc9c3d0b_5a_f40.

The approach I took is just to perform the jobs query impersonating the plugin code as the system security principal. The build triggering endpoint doesn't give out any information about the jobs in its response or send it anywhere, so I think it's fine from a security point of view. I also checked the Bitbucket and GitHub plugins for Jenkins, and they use the same approach.
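The pattern the fix describes, as an added example that is not the plugin's code and was not posted by either commenter: the item lookup runs as the SYSTEM principal through Jenkins core's `ACL.as2(ACL.SYSTEM2)`, whose returned `ACLContext` restores the caller's `SecurityContext` when closed, so the elevation is confined to one block instead of replacing the thread's context for the rest of the request as the workaround above does. Assumptions: a Jenkins core recent enough to expose the Spring Security based `ACL.as2`/`ACL.SYSTEM2` (the 2.450 in the report is), and `ParameterizedJobMixIn.ParameterizedJob` standing in for the plugin's `TriggeredItem` type, about which this example assumes nothing. The function names are invented for illustration.

```kotlin
import hudson.security.ACL
import jenkins.model.Jenkins
import jenkins.model.ParameterizedJobMixIn.ParameterizedJob
import org.springframework.security.core.context.SecurityContextHolder

// Added example, not the plugin's code. Runs inside a Jenkins plugin; ParameterizedJob
// is an assumed stand-in for the plugin's TriggeredItem type.

/**
 * All buildable jobs, independent of what the thread's current principal (the
 * anonymous webhook caller in this issue) is allowed to read.
 *
 * ACL.as2 swaps the thread's SecurityContext for SYSTEM2 and returns an
 * AutoCloseable ACLContext that puts the previous context back. Kotlin's
 * `use { }` closes it even when the body throws, so the elevated scope is
 * exactly this block and nothing after it.
 */
fun findJobsAsSystem(): List<ParameterizedJob<*, *>> =
    ACL.as2(ACL.SYSTEM2).use {
        Jenkins.get().getAllItems(ParameterizedJob::class.java).toList()
    }

/**
 * The same query filtered by the caller's own Item/Read permission. Under Role
 * Strategy with nothing granted to anonymous this is empty for a webhook
 * request, which is the empty list the issue reports.
 */
fun findJobsAsCaller(): List<ParameterizedJob<*, *>> =
    Jenkins.get().getAllItems(ParameterizedJob::class.java).toList()

/**
 * Webhook handling sketch. SYSTEM is used for the lookup only; the caller's
 * context is verified to be back in place before anything is scheduled, and
 * the return value is a single job name, never the list visible to SYSTEM.
 *
 * Because SYSTEM bypasses the Item/Build check that a job's own HTTP endpoint
 * would enforce, the endpoint must have authenticated the webhook itself
 * (webhook id, shared secret or signature, whatever the plugin verifies)
 * before calling this.
 */
fun scheduleForWebhook(jobFullName: String): String? {
    val callerAuth = SecurityContextHolder.getContext().authentication
    val target = findJobsAsSystem().firstOrNull { it.fullName == jobFullName }
    check(SecurityContextHolder.getContext().authentication === callerAuth) {
        "SecurityContext was not restored after impersonation"
    }
    if (target == null) {
        // Log only the requested identifier, not what SYSTEM could see.
        return null
    }
    target.scheduleBuild2(target.quietPeriod) ?: return null
    return target.fullName
}
```

Two checks worth keeping when adopting this in a plugin: the `===` comparison after the `use` block catches any refactoring that widens the elevated scope (the reporter's workaround would fail it, since it sets a new context and never restores the old one), and keeping `findJobsAsSystem` out of the HTTP response path preserves the property the maintainer relies on, that nothing learned under SYSTEM is sent back to an unauthenticated caller.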