SECURITY-1761

jenkinsci · Feb 13, 2020 · 86aebd3 · 86aebd3
1 parent 9f7e1db
commit 86aebd3
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 6 deletions.
diff --git a/src/main/java/fr/edf/jenkins/plugins/mac/MacHost.groovy b/src/main/java/fr/edf/jenkins/plugins/mac/MacHost.groovy
@@ -1,5 +1,6 @@
 package fr.edf.jenkins.plugins.mac
 
+import org.acegisecurity.AccessDeniedException
 import org.apache.commons.lang.StringUtils
 import org.kohsuke.stapler.AncestorInPath
 import org.kohsuke.stapler.DataBoundConstructor
@@ -224,12 +225,7 @@ class MacHost implements Describable<MacHost> {
          */
         @POST
         public FormValidation doCheckKey(@QueryParameter String key) {
-            try {
-                MacHostKeyVerifier.parseKey(key)
-                return FormValidation.ok()
-            } catch (MacHostKeyVerifierException|IllegalArgumentException ex) {
-                return FormValidation.error(ex.getMessage())
-            }
+            return FormUtils.verifyHostKey(key)
         }
     }
 }
diff --git a/src/main/java/fr/edf/jenkins/plugins/mac/util/FormUtils.groovy b/src/main/java/fr/edf/jenkins/plugins/mac/util/FormUtils.groovy
@@ -4,6 +4,7 @@ import static com.cloudbees.plugins.credentials.CredentialsMatchers.anyOf
 import static com.cloudbees.plugins.credentials.CredentialsMatchers.instanceOf
 import static com.cloudbees.plugins.credentials.domains.URIRequirementBuilder.fromUri
 
+import org.acegisecurity.AccessDeniedException
 import org.antlr.v4.runtime.misc.NotNull
 import org.jenkinsci.plugins.plaincredentials.FileCredentials
 import org.kohsuke.accmod.Restricted
@@ -18,6 +19,7 @@ import fr.edf.jenkins.plugins.mac.Messages
 import fr.edf.jenkins.plugins.mac.ssh.SSHCommand
 import fr.edf.jenkins.plugins.mac.ssh.connection.SSHGlobalConnectionConfiguration
 import fr.edf.jenkins.plugins.mac.ssh.key.verifiers.MacHostKeyVerifier
+import fr.edf.jenkins.plugins.mac.ssh.key.verifiers.MacHostKeyVerifierException
 import hudson.model.Item
 import hudson.model.ModelObject
 import hudson.security.ACL
@@ -94,6 +96,7 @@ class FormUtils {
     static FormValidation verifyConnection(final String host, final Integer port,
             final String credentialsId, final String key, final ModelObject context) {
         try {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER)
             MacHostKeyVerifier verifier = new MacHostKeyVerifier(key)
             String result = SSHCommand.checkConnection(new SSHGlobalConnectionConfiguration(credentialsId: credentialsId, port: port,
             context: context, host: host, connectionTimeout: 30,
@@ -160,4 +163,20 @@ class FormUtils {
                 fromUri(getUri(Jenkins.get().getRootUrl()).toString()).build(),
                 anyOf(instanceOf(FileCredentials)))
     }
+
+    /**
+     * Check the validity of the given key
+     * @param key
+     * @return ok if valid, error with exception message if not
+     */
+    @Restricted(NoExternalUse)
+    static FormValidation verifyHostKey(String key) {
+        try {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER)
+            MacHostKeyVerifier.parseKey(key)
+            return FormValidation.ok()
+        } catch (MacHostKeyVerifierException|IllegalArgumentException|AccessDeniedException ex) {
+            return FormValidation.error(ex.getMessage())
+        }
+    }
 }