Merge pull request #666 from akash-manna-sky/JENKINS-72544

Hide source code if user does not have access to workspace

Author: uhafner

plugin/pom.xml

@@ -149,6 +149,7 @@
     <dependency>
       <groupId>io.jenkins.plugins</groupId>
       <artifactId>prism-api</artifactId>
+      <version>1.30.0-703.v116fb_3b_5b_b_a_a_</version>
     </dependency>
 
     <!-- Test Dependencies -->

plugin/src/main/java/io/jenkins/plugins/coverage/metrics/steps/CoverageViewModel.java

@@ -40,6 +40,7 @@
 import hudson.model.Run;
 
 import io.jenkins.plugins.bootstrap5.MessagesViewModel;
+import io.jenkins.plugins.prism.SourceCodeViewModel;
 import io.jenkins.plugins.coverage.metrics.charts.TreeMapNodeConverter;
 import io.jenkins.plugins.coverage.metrics.color.ColorProvider;
 import io.jenkins.plugins.coverage.metrics.color.ColorProviderFactory;
@@ -401,6 +402,9 @@ public String getUrlForBuild(final String selectedBuildDisplayName, final String
      */
     @JavaScriptMethod
     public String getSourceCode(final String fileHash, final String tableId) {
+        if (!SourceCodeViewModel.hasPermissionToViewSourceCode(getOwner())) {
+            return Messages.Coverage_Permission_Denied();
+        }
         Optional<Node> targetResult
                 = getNode().findByHashCode(Metric.FILE, Integer.parseInt(fileHash));
         if (targetResult.isPresent()) {
@@ -519,7 +523,9 @@ public Object getDynamic(final String link, final StaplerRequest2 request, final
                 Optional<Node> targetResult
                         = getNode().findByHashCode(Metric.FILE, Integer.parseInt(link));
                 if (targetResult.isPresent() && targetResult.get() instanceof FileNode) {
-                    return new SourceViewModel(getOwner(), getId(), (FileNode) targetResult.get());
+                    var fileNode = (FileNode) targetResult.get();
+                    var view = new SourceViewModel(getOwner(), getId(), fileNode);
+                    return SourceCodeViewModel.protectedSourceCodeView(view, getOwner(), fileNode.getName());
                 }
             }
             catch (NumberFormatException exception) {

plugin/src/main/resources/io/jenkins/plugins/coverage/metrics/steps/Messages.properties

@@ -14,6 +14,7 @@ Parser.VectorCAST=VectorCAST Coverage Results
 Parser.Xunit=XUnit Test Results
 
 Coverage.Not.Available=N/A
+Coverage.Permission.Denied=You do not have Jenkins' WORKSPACE permission to view the source code
 Coverage.Link.Name=Coverage Report
 Coverage.Trend.Name={0} Trend
 Coverage.Trend.Default.Name=Code Coverage Trend

plugin/src/test/java/io/jenkins/plugins/coverage/metrics/steps/CoverageViewModelITest.java

@@ -0,0 +1,68 @@
+package io.jenkins.plugins.coverage.metrics.steps;
+
+import org.apache.commons.lang3.StringUtils;
+import org.junit.jupiter.api.Test;
+
+import edu.hm.hafner.coverage.Node;
+import edu.hm.hafner.coverage.parser.JacocoParser;
+import edu.hm.hafner.util.FilteredLog;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.nio.charset.StandardCharsets;
+import java.util.function.Function;
+
+import hudson.model.Run;
+
+import io.jenkins.plugins.coverage.metrics.AbstractCoverageITest;
+import io.jenkins.plugins.coverage.metrics.AbstractCoverageTest;
+import io.jenkins.plugins.util.QualityGateResult;
+
+import static io.jenkins.plugins.coverage.metrics.steps.CoverageViewModel.*;
+import static org.assertj.core.api.Assertions.*;
+import static org.mockito.Mockito.*;
+
+/**
+ * Integration tests for the class {@link CoverageViewModel} that require a running Jenkins instance.
+ * These tests verify permission-protected functionality like source code viewing.
+ *
+ * @author Akash Manna
+ */
+class CoverageViewModelITest extends AbstractCoverageITest {
+    @Test
+    void shouldReturnEmptySourceViewForExistingLinkButMissingSourceFile() {
+        var model = createModelFromCodingStyleReport();
+
+        String hash = String.valueOf("PathUtil.java".hashCode());
+        assertThat(model.getSourceCode(hash, ABSOLUTE_COVERAGE_TABLE_ID)).isEqualTo("N/A");
+        assertThat(model.getSourceCode(hash, MODIFIED_LINES_COVERAGE_TABLE_ID)).isEqualTo("N/A");
+        assertThat(model.getSourceCode(hash, INDIRECT_COVERAGE_TABLE_ID)).isEqualTo("N/A");
+    }
+
+    private CoverageViewModel createModelFromCodingStyleReport() {
+        return createModel(readJacocoResult("jacoco-codingstyle.xml"));
+    }
+
+    private Node readJacocoResult(final String fileName) {
+        FilteredLog log = new FilteredLog("Errors");
+        try (InputStream stream = CoverageViewModelITest.class.getResourceAsStream(fileName);
+                InputStreamReader reader = stream == null ? null : new InputStreamReader(stream, StandardCharsets.UTF_8)) {
+            if (reader == null) {
+                throw new AssertionError("Test resource not found: " + fileName);
+            }
+            var node = new JacocoParser().parse(reader, fileName, log);
+            node.splitPackages();
+            return node;
+        }
+        catch (IOException e) {
+            throw new AssertionError("Failed to read test resource: " + fileName, e);
+        }
+    }
+
+    private CoverageViewModel createModel(final Node node) {
+        return new CoverageViewModel(mock(Run.class), "id", StringUtils.EMPTY,
+                node, AbstractCoverageTest.createStatistics(), new QualityGateResult(), "-", new FilteredLog("Errors"),
+                Function.identity(), Function.identity());
+    }
+}

plugin/src/test/java/io/jenkins/plugins/coverage/metrics/steps/CoverageViewModelTest.java

@@ -30,16 +30,6 @@
  * @author Florian Orendi
  */
 class CoverageViewModelTest extends AbstractCoverageTest {
-    @Test
-    void shouldReturnEmptySourceViewForExistingLinkButMissingSourceFile() {
-        var model = createModelFromCodingStyleReport();
-
-        String hash = String.valueOf("PathUtil.java".hashCode());
-        assertThat(model.getSourceCode(hash, ABSOLUTE_COVERAGE_TABLE_ID)).isEqualTo("N/A");
-        assertThat(model.getSourceCode(hash, MODIFIED_LINES_COVERAGE_TABLE_ID)).isEqualTo("N/A");
-        assertThat(model.getSourceCode(hash, INDIRECT_COVERAGE_TABLE_ID)).isEqualTo("N/A");
-    }
-
     @Test
     void shouldReportOverview() {
         var model = createModelFromCodingStyleReport();