mibexsoftware / bamboo-plan-dsl-plugin

Configuration as code with a Groovy-based DSL or YAML for Atlassian Bamboo.
https://marketplace.atlassian.com/plugins/ch.mibex.bamboo.plandsl/

Setting permissions in the DSL doesn't have any effect #97

Open twotired opened 4 years ago

twotired commented 4 years ago

When I define permissions in the DSL, the newly created plan doesn't reflect what is defined. Has this been tested recently?

EX:

    planPermissions {
        ['example.username'].each { u ->
            user(name: u) {
                permissionTypes PermissionType.VIEW, PermissionType.BUILD
            }
        }

        group(name: 'asdf-engineering') {
            permissionTypes PermissionType.VIEW
        }

        other(type: OtherUserType.LOGGED_IN_USERS) {
            permissionTypes PermissionType.VIEW
        }
    }

Does not get set.

mrueegg commented 4 years ago

Thanks for your feedback. Please note that planPermissions is under project and is used for plan permission inheritance, which is used to define the default permissions for newly created plans under that project. You can see this under Project settings -> Plan permissions inheritance.

If you try to configure the permissions of a specific plan, please use permissions under plan. Here's an example:

    project(key: 'PROJECTKEY', name: 'my project') {
      plan(key: 'MYPLAN', name: 'my plan') {
        permissions {
          ['bob'].each { u ->
            user(name: u) {
              permissionTypes PermissionType.VIEW, PermissionType.BUILD
            }
          }

          group(name: 'build-engineers') {
            permissionTypes PermissionType.VIEW
          }

          other(type: OtherUserType.LOGGED_IN_USERS) {
            permissionTypes PermissionType.VIEW
          }
        }
      }
    }

Does that help?

twotired commented 4 years ago

When I define custom permissions for a plan in the DSL, it just seems to be ignored.

mrueegg commented 4 years ago

@twotired Could you please provide me with a sample DSL so that I can reproduce it?

twotired commented 4 years ago

This creates a pipeline in which Logged in users and Anonymous have no checkboxes checked on the Permissions tab:

    import ch.mibex.bamboo.plandsl.dsl.*
    import ch.mibex.bamboo.plandsl.dsl.permissions.PermissionTypes

    project(key: 'DSL', name: 'DSL prototyping') {
      plan(key: 'PROTD', name: 'scratch deleteme D') {

        permissions {
          other(type: OtherUserType.LOGGED_IN_USERS) {
            permissionTypes PermissionType.VIEW, PermissionType.BUILD
          }

          other(type: OtherUserType.ANONYMOUS_USERS) {
            permissionTypes PermissionTypes.PermissionType.VIEW
          }
        }

        stage('coach') {
          job(key: 'ASDF', name: 'qwerty') {
          }

          job(key: 'ZXCV', name: 'hjkl') {
          }
        }
      }
    }

mrueegg commented 4 years ago

@twotired Thanks for the sample DSL. I've just tried to reproduce this, but with no luck. Could you please tell me your plug-in and your Bamboo version?

twotired commented 4 years ago

Bamboo version is 6.10.3, plugin version is 1.9.15.

mrueegg commented 4 years ago

@twotired Thanks for your feedback. I've just tried to reproduce this with your sample DSL, but in my test case the permissions are correctly set (used your Bamboo and plug-in version):

image

Just to be sure, could you please double-check that you are looking at the plan permission settings and not the project or the project plan inheritance settings?

Thanks!

twotired commented 4 years ago

Here's another example. In this example, it properly sets the user permission and ignores the 'other' permissions. This is the only plan in the project.

    project(key: 'JWP3', name: 'jwells prototyping 3') {
      plan(key: 'PROTO1', name: 'testing permissions') {
        permissions {
          user(name: 'jason.wells') {
            permissionTypes PermissionType.VIEW, PermissionType.BUILD, PermissionType.EDIT
          }

          other(type: OtherUserType.LOGGED_IN_USERS) {
            permissionTypes PermissionType.ADMIN, PermissionType.EDIT
          }
          other(type: OtherUserType.LOGGED_IN_USERS) {
            permissionTypes PermissionType.VIEW
          }
        }

        stage('first stage') {
          job(key: 'JONE', name: 'You had one job') {
            tasks {
              script() {
                description 'a task'
                inline {
                  scriptBody 'echo "Hello"'
                }
              }
            }
          }
        }
      }
    }

mrueegg commented 4 years ago

@twotired Thanks for your example. I've just tried it out and for me the plug-in correctly created a VIEW permission for logged-in users. The permissions for ADMIN/EDIT are correctly ignored because they are overridden by the following VIEW permissions. Does that make sense? What permissions were set in your testing for logged-in users?
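
Added example, not part of the thread and not the plug-in's code: a small Python lint that applies the last-entry-wins behaviour described in the reply above to a `permissions` block and reports which permission types an earlier duplicate entry loses. The regex parsing, the function names and the `broad-write` review policy are assumptions of this example.

```python
import re
from collections import defaultdict

# Sample input embedded for the example: the plan-level block from the JWP3 DSL above.
SAMPLE_DSL = """
permissions {
  user(name: 'jason.wells') {
    permissionTypes PermissionType.VIEW, PermissionType.BUILD, PermissionType.EDIT
  }
  other(type: OtherUserType.LOGGED_IN_USERS) {
    permissionTypes PermissionType.ADMIN, PermissionType.EDIT
  }
  other(type: OtherUserType.LOGGED_IN_USERS) {
    permissionTypes PermissionType.VIEW
  }
}
"""

# Matches entries with a literal principal; closure variables (user(name: u)) are not resolved.
ENTRY = re.compile(r"\b(user|group|other)\(\s*(?:name|type):\s*([^)]+?)\s*\)\s*\{\s*"
                   r"permissionTypes\s+([^}]*)\}")
BROAD_WRITE = {"ADMIN", "EDIT"}  # assumed review policy of this example, not a plug-in rule

def parse_entries(dsl):
    """Return [(kind, principal, {permission names})] in source order."""
    entries = []
    for kind, principal, perms in ENTRY.findall(dsl):
        principal = principal.strip("'\"")
        if kind == "other":
            principal = principal.rsplit(".", 1)[-1]  # drop the OtherUserType. prefix
        entries.append((kind, principal, set(re.findall(r"PermissionType\.(\w+)", perms))))
    return entries

def lint(dsl):
    """Flag repeated principals (last entry wins) and write access for `other` types."""
    seen = defaultdict(list)
    for kind, principal, perms in parse_entries(dsl):
        seen[(kind, principal)].append(perms)
    findings = []
    for (kind, principal), blocks in seen.items():
        effective = blocks[-1]  # the later entry overrides the earlier ones
        if len(blocks) > 1:
            dropped = set().union(*blocks[:-1]) - effective
            findings.append((kind, principal, "overridden", sorted(dropped)))
        if kind == "other" and effective & BROAD_WRITE:
            findings.append((kind, principal, "broad-write", sorted(effective & BROAD_WRITE)))
    return findings
```

`lint(SAMPLE_DSL)` returns a single `overridden` finding for `LOGGED_IN_USERS` listing ADMIN and EDIT; with the two `other` entries swapped it would also return a `broad-write` finding, because ADMIN and EDIT would then be the effective grant.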

twotired commented 4 years ago

Here's my latest (valid?) example:

    project(key: 'JWP', name: 'jwells prototyping') {
      projectPermissions {
        user(name: 'jason.wells') {
          permissionTypes PermissionType.VIEW
        }
        group(name: 'engineering') {
          permissionTypes PermissionType.VIEW
        }
        other(type: OtherUserType.LOGGED_IN_USERS) {
          permissionTypes PermissionType.VIEW
        }
      }

      planPermissions {
        user(name: 'jason.wells') {
          permissionTypes PermissionType.VIEW
        }
        group(name: 'engineering') {
          permissionTypes PermissionType.VIEW
        }
        other(type: OtherUserType.LOGGED_IN_USERS) {
          permissionTypes PermissionType.VIEW
        }
      }

      plan(key: 'PROTO1', name: 'testing permissions') {
        permissions {
          user(name: 'jason.wells') {
            permissionTypes PermissionType.VIEW, PermissionType.BUILD, PermissionType.EDIT
          }
          group(name: 'engineering') {
            permissionTypes PermissionType.VIEW
          }
          other(type: OtherUserType.LOGGED_IN_USERS) {
            permissionTypes PermissionType.VIEW
          }
        }

        stage('first stage') {
          job(key: 'JONE', name: 'You had one job') {
            tasks {
              script() {
                description 'a task'
                inline {
                  scriptBody 'echo "Hello"'
                }
              }
            }
          }
        }
      }
    }

Project Settings -> Project Permissions == correct

Project Settings -> Plan permissions == correct

The problem is that the plan-specific permissions are ignored and no boxes are checked. Navigate to Plan -> Actions -> Configure Plan -> Permissions

Group section has no rows

Other section has no boxes checked

User section:

It seems like all the boxes get checked for me since I'm an Admin. If I specify a lower user in the DSL, their settings are not applied here.

mrueegg commented 4 years ago

@twotired Thanks a lot for your detailed test case. When I run this DSL with admin permissions (configured user in the seed task), then all settings (even in the plan permissions) are correctly set.

But when I don't specify a user in the seed task, the plan permissions are not configured. When you configure an admin user in the seed task, does it work for you as well?

twotired commented 4 years ago

OK thanks. Yeah, leaving the user blank was the problem.