[Security-771] Fixed and improved smoke test logic and implementation for About Jenkins page access.

[A1exKH]

In this PR was fixed and improved smoke test logic and implementation for About Jenkins page access for users with different permissions.

In this smoke test were covered all critical permission combinations:

1. Admin (ADMINISTER) -> Full access, should see About Jenkins page.
2. Manager (MANAGE) -> Management access, should see About Jenkins page.
3. Manager+SystemRead -> Combined elevated permissions, should see About Jenkins page.
4. Read+SystemRead -> Edge case, should see About Jenkins page.
5. Read-only -> Basic user, should not see About Jenkins page.
6. SystemRead-only -> Security boundary case, should not see About Jenkins page.
7. Anonymous -> Unauthenticated access, should not see About Jenkins page.

Key Details:
SECURITY-771 (CVE-2018-1000192) is a 2018 Jenkins vulnerability where the CLI and UI allowed non-administrator users to enumerate installed plugins, potentially exposing sensitive environment information. It was addressed in the May 9, 2018 Jenkins Security Advisory by restricting plugin information access.

Vulnerability Type: Information Exposure (Plugin Enumeration).
Impact: Non-authenticated or low-privilege users could list all installed plugins, helping attackers identify potential vulnerabilities in specific plugin versions.
Affected Components: Jenkins CLI and User Interface.

Before update:

After update:

Testing done

Local test run passed for updated test.
To run test you can use the next command:
mvn test -Dtest=AboutJenkinsTest

Screenshots:

Proposed changelog entries

• human-readable text

Proposed changelog category

/label tests, skip-changelog`

Proposed upgrade guidelines

N/A

Submitter checklist

• The Jira issue, if it exists, is well-described.
• The changelog entries and upgrade guidelines are appropriate for the audience affected by the change (users or developers, depending on the change) and are in the imperative mood (see examples). Fill in the Proposed upgrade guidelines section only if there are breaking changes or changes that may require extra steps from users during upgrade.
• There is automated testing or an explanation as to why this change has no tests.
• New public classes, fields, and methods are annotated with @Restricted or have @since TODO Javadocs, as appropriate.
• New deprecations are annotated with @Deprecated(since = "TODO") or @Deprecated(forRemoval = true, since = "TODO"), if applicable.
• New or substantially changed JavaScript is not defined inline and does not call eval to ease future introduction of Content Security Policy (CSP) directives (see documentation).
• For dependency updates, there are links to external changelogs and, if possible, full differentials.
• For new APIs and extension points, there is a link to at least one consumer.

Desired reviewers

@mention

Before the changes are marked as ready-for-merge:

Maintainer checklist

• There are at least two (2) approvals for the pull request and no outstanding requests for change.
• Conversations in the pull request are over, or it is explicit that a reviewer is not blocking the change.
• Changelog entries in the pull request title and/or Proposed changelog entries are accurate, human-readable, and in the imperative mood.
• Proper changelog labels are set so that the changelog can be generated automatically.
• If the change needs additional upgrade steps from users, the upgrade-guide-needed label is set and there is a Proposed upgrade guidelines section in the pull request title (see example).
• If it would make sense to backport the change to LTS, a Jira issue must exist, be a Bug or Improvement, and be labeled as lts-candidate to be considered (see query).

[welcome]

Yay, your first pull request towards Jenkins core was created successfully! Thank you so much!

A contributor will provide feedback soon. Meanwhile, you can join the chats and community forums to connect with other Jenkins users, developers, and maintainers.

[comment-ops-bot]

I wasn't able to add the following labels: test

Check that the label exists and is spelt right then try again.

[A1exKH]

@jglick , @timja , @NotMyFault
Could you review this PR, when you have a chance, please?

Thanks in advance for your feedback!

[NotMyFault]

I surely can take a look at the changes proposed, but I lack access to the names jira issue, therefore I'm unsure weather this meets the needed conditions.

[timja]

I surely can take a look at the changes proposed, but I lack access to the names jira issue, therefore I'm unsure weather this meets the needed conditions.

SECURITY-771 is about being able to see what plugins are installed and their versions with only overall read access.

As part of the change list-plugins cli command and about Jenkins page were made to require administer to use/view them rather than just overall/read.

---

The change seems ok to me although not much benefit in refactoring old security tests imo.
Needs a security team approval though.

[A1exKH]

I surely can take a look at the changes proposed, but I lack access to the names jira issue, therefore I'm unsure weather this meets the needed conditions.

SECURITY-771 is about being able to see what plugins are installed and their versions with only overall read access.

As part of the change list-plugins cli command and about Jenkins page were made to require administer to use/view them rather than just overall/read.

The change seems ok to me although not much benefit in refactoring old security tests imo. Needs a security team approval though.

@timja thanks for taking a look at this PR!
I appreciate your feedback about the Security team approval - you're absolutely right that this needs their review given the security implications.

Regarding your point about refactoring the old security tests, let me explain the benefits this PR brings:

What this PR delivers:

1. Enhanced test coverage.
   Added 2 additional edge case scenarios that weren't covered in the original tests, making our security validation more robust.
2. Improved test maintainability.
   Separated positive and negative test logic, making the tests easier to understand and modify in the future.
3. Better resource management.
   Implemented try-with-resources for WebClient to prevent resource leaks.
4. Clear documentation.
   Added comprehensive Javadoc to explain the test scenarios.

Why these changes matter:

1. The additional edge cases help ensure we're thoroughly testing the SECURITY-771 requirements.
2. The refactoring makes the test code more readable and maintainable, which is especially important for security-related tests.
3. Proper resource cleanup prevents potential issues in test execution.

Could you help route this to the Security team for their review, please?
I believe these improvements will make the security testing more reliable and comprehensive.

[daniel-beck]

I lack access to the names jira issue, therefore I'm unsure weather this meets the needed conditions.

This is generally unnecessary for published issues except in weird edge cases. https://www.jenkins.io/security/issue/SECURITY-771 has everything in this case.

---

Security team does not object to this PR in principle.

Personally this PR looks unnecessary though. The newly added test configurations are unnecessary (without Overall/Read, you never get past Jenkins#getTarget anyway) and otherwise this does nothing. Initially this even silently removed an existing case.

[NotMyFault]

This is generally unnecessary for published issues except in weird edge cases. jenkins.io/security/issue/SECURITY-771 has everything in this case.

@daniel-beck til about this redirect 👀

But +1 with your and Tim's thoughts.

[A1exKH]

Hi team, thank you for the feedback so far!

To clarify the intent of this PR, the main improvements are:

1. Strengthened Test Validation:
   The original test's reliance on a 200 status code was insufficient, as it couldn't distinguish between a successful page load and an access-denied page. My changes strengthen the test by confirming that authorized users are not only served a 200 OK, but are actually granted access to the correct resource, as proven by the validated page title and content.
2. Fixed Resource Handling:
   The previous test used getPage without releasing the resources, which could lead to memory leaks. The new version uses a try-with-resources block to ensure proper cleanup.

Regarding the new test configurations, could you please help me understand why they are considered unnecessary?

I added them to explicitly test the access control path for users without Overall/Read permission, ensuring the redirect logic is triggered correctly.

I believe these changes significantly improve the code quality and reliability of this security test.
Could you please take another look with these points in mind?

cc @timja @daniel-beck @oleg-nenashev @NotMyFault @jglick

[Copilot]

Pull request overview

This PR fixes and improves the smoke test for About Jenkins page access control (SECURITY-771) by expanding test coverage to validate all critical permission combinations. The test was refactored from a single test method into two focused test methods with improved organization and clarity.

Changes:

• Refactored authorization setup into a dedicated setupTestAuthorization() method for better organization
• Extracted user access logic into reusable helper methods (accessAsUser() and accessAsAnonymous())
• Split the original test into two focused test methods: one for users with elevated permissions and one for users with basic permissions
• Added comprehensive test coverage for 7 permission scenarios including edge cases
• Introduced string constants for test data to improve maintainability

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[A1exKH]

@MarkEWaite thank you for your help with triggering Copilot code review!

All comments were addressed and resolved.
PR is ready for review.
All tests passed after code update:

cc @timja @oleg-nenashev

[timja]

Can you stop merging master into this, it notifies us each time.

This is low priority for us.