SONAR-8236 Return secured settings when not authenticated but with scan permission

server/sonar-server/src/main/java/org/sonar/server/setting/ws/SettingsPermissionPredicates.java

@@ -29,6 +29,7 @@ import org.sonar.server.user.UserSession;
 
 import static org.sonar.api.PropertyType.LICENSE;
 import static org.sonar.api.web.UserRole.ADMIN;
+import static org.sonar.core.permission.GlobalPermissions.SCAN_EXECUTION;
 
 public class SettingsPermissionPredicates {
 
@@ -52,7 +53,7 @@ public class SettingsPermissionPredicates {
   }
 
   boolean isVisible(String key, @Nullable PropertyDefinition definition, Optional<ComponentDto> component) {
-    return verifySecuredSetting(key, definition, component) && (verifyLicenseSetting(key, definition));
+    return userSession.hasPermission(SCAN_EXECUTION) || (verifySecuredSetting(key, definition, component) && (verifyLicenseSetting(key, definition)));
   }
 
   private boolean verifySecuredSetting(String key, @Nullable PropertyDefinition definition, Optional<ComponentDto> component) {

server/sonar-server/src/test/java/org/sonar/server/setting/ws/ListDefinitionsActionTest.java

@@ -54,6 +54,7 @@ import static org.sonar.api.resources.Qualifiers.PROJECT;
 import static org.sonar.api.web.UserRole.ADMIN;
 import static org.sonar.api.web.UserRole.CODEVIEWER;
 import static org.sonar.api.web.UserRole.USER;
+import static org.sonar.core.permission.GlobalPermissions.SCAN_EXECUTION;
 import static org.sonar.core.permission.GlobalPermissions.SYSTEM_ADMIN;
 import static org.sonar.db.component.ComponentTesting.newProjectDto;
 import static org.sonarqube.ws.MediaTypes.JSON;
@@ -341,6 +342,20 @@ public class ListDefinitionsActionTest {
     assertThat(result.getDefinitionsList()).extracting(Settings.Definition::getKey).containsOnly("foo", "plugin.license.secured", "commercial.plugin");
   }
 
+  @Test
+  public void return_secured_settings_when_not_authenticated_but_with_scan_permission() throws Exception {
+    userSession.setGlobalPermissions(SCAN_EXECUTION);
+    propertyDefinitions.addComponents(asList(
+      PropertyDefinition.builder("foo").build(),
+      PropertyDefinition.builder("secret.secured").build(),
+      PropertyDefinition.builder("plugin.license.secured").type(PropertyType.LICENSE).build(),
+      PropertyDefinition.builder("commercial.plugin").type(PropertyType.LICENSE).build()));
+
+    ListDefinitionsWsResponse result = executeRequest();
+
+    assertThat(result.getDefinitionsList()).extracting(Settings.Definition::getKey).containsOnly("foo", "secret.secured", "plugin.license.secured", "commercial.plugin");
+  }
+
   @Test
   public void return_secured_and_license_settings_when_system_admin() throws Exception {
     setUserAsSystemAdmin();

server/sonar-server/src/test/java/org/sonar/server/setting/ws/ValuesActionTest.java

@@ -56,6 +56,7 @@ import static org.sonar.api.PropertyType.LICENSE;
 import static org.sonar.api.web.UserRole.ADMIN;
 import static org.sonar.api.web.UserRole.CODEVIEWER;
 import static org.sonar.api.web.UserRole.USER;
+import static org.sonar.core.permission.GlobalPermissions.SCAN_EXECUTION;
 import static org.sonar.core.permission.GlobalPermissions.SYSTEM_ADMIN;
 import static org.sonar.db.component.ComponentTesting.newModuleDto;
 import static org.sonar.db.component.ComponentTesting.newProjectDto;
@@ -465,7 +466,7 @@ public class ValuesActionTest {
       newGlobalPropertyDto().setKey("commercial.plugin").setValue("ABCD"),
       newGlobalPropertyDto().setKey("plugin.license.secured").setValue("ABCD"));
 
-    ValuesWsResponse result = executeRequestForGlobalProperties("foo", "secret.secured", "commercial.plugin", "plugin.license.secured");
+    ValuesWsResponse result = executeRequestForGlobalProperties();
 
     assertThat(result.getSettingsList()).extracting(Settings.Setting::getKey).containsOnly("foo");
   }
@@ -482,7 +483,7 @@ public class ValuesActionTest {
       .build());
     propertyDb.insertPropertySet("foo", null, ImmutableMap.of("key", "key1", "plugin.license.secured", "ABCD", "secret.secured", "123456"));
 
-    ValuesWsResponse result = executeRequestForGlobalProperties("foo");
+    ValuesWsResponse result = executeRequestForGlobalProperties();
 
     assertFieldValues(result.getSettings(0), ImmutableMap.of("key", "key1"));
   }
@@ -502,11 +503,31 @@ public class ValuesActionTest {
       newGlobalPropertyDto().setKey("plugin.license.secured").setValue("ABCD"),
       newGlobalPropertyDto().setKey("plugin.licenseHash.secured").setValue("987654321"));
 
-    ValuesWsResponse result = executeRequestForGlobalProperties("foo", "secret.secured", "commercial.plugin", "plugin.license.secured", "plugin.licenseHash.secured");
+    ValuesWsResponse result = executeRequestForGlobalProperties();
 
     assertThat(result.getSettingsList()).extracting(Settings.Setting::getKey).containsOnly("foo", "commercial.plugin", "plugin.license.secured", "plugin.licenseHash.secured");
   }
 
+  @Test
+  public void return_secured_settings_when_not_authenticated_but_with_scan_permission() throws Exception {
+    userSession.setGlobalPermissions(SCAN_EXECUTION);
+    definitions.addComponents(asList(
+      PropertyDefinition.builder("foo").build(),
+      PropertyDefinition.builder("secret.secured").build(),
+      PropertyDefinition.builder("commercial.plugin").type(LICENSE).build(),
+      PropertyDefinition.builder("plugin.license.secured").type(LICENSE).build()));
+    propertyDb.insertProperties(
+      newGlobalPropertyDto().setKey("foo").setValue("one"),
+      newGlobalPropertyDto().setKey("secret.secured").setValue("password"),
+      newGlobalPropertyDto().setKey("commercial.plugin").setValue("ABCD"),
+      newGlobalPropertyDto().setKey("plugin.license.secured").setValue("ABCD"),
+      newGlobalPropertyDto().setKey("plugin.licenseHash.secured").setValue("987654321"));
+
+    ValuesWsResponse result = executeRequestForGlobalProperties();
+
+    assertThat(result.getSettingsList()).extracting(Settings.Setting::getKey).containsOnly("foo", "secret.secured", "commercial.plugin", "plugin.license.secured", "plugin.licenseHash.secured");
+  }
+
   @Test
   public void return_secured_and_license_settings_when_system_admin() throws Exception {
     setUserAsSystemAdmin();
@@ -520,7 +541,7 @@ public class ValuesActionTest {
       newGlobalPropertyDto().setKey("plugin.license.secured").setValue("ABCD"),
       newGlobalPropertyDto().setKey("plugin.licenseHash.secured").setValue("987654321"));
 
-    ValuesWsResponse result = executeRequestForGlobalProperties("foo", "secret.secured", "plugin.license.secured", "plugin.licenseHash.secured");
+    ValuesWsResponse result = executeRequestForGlobalProperties();
 
     assertThat(result.getSettingsList()).extracting(Settings.Setting::getKey).containsOnly("foo", "secret.secured", "plugin.license.secured", "plugin.licenseHash.secured");
   }
@@ -538,7 +559,7 @@ public class ValuesActionTest {
       newComponentPropertyDto(project).setKey("plugin.license.secured").setValue("ABCD"),
       newComponentPropertyDto(project).setKey("plugin.licenseHash.secured").setValue("987654321"));
 
-    ValuesWsResponse result = executeRequestForProjectProperties("foo", "secret.secured", "plugin.license.secured", "plugin.licenseHash.secured");
+    ValuesWsResponse result = executeRequestForProjectProperties();
 
     assertThat(result.getSettingsList()).extracting(Settings.Setting::getKey).containsOnly("foo", "secret.secured", "plugin.license.secured", "plugin.licenseHash.secured");
   }
@@ -556,7 +577,7 @@ public class ValuesActionTest {
       .build());
     propertyDb.insertPropertySet("foo", null, ImmutableMap.of("key", "key1", "plugin.license.secured", "ABCD", "secret.secured", "123456"));
 
-    ValuesWsResponse result = executeRequestForGlobalProperties("foo");
+    ValuesWsResponse result = executeRequestForGlobalProperties();
 
     assertFieldValues(result.getSettings(0), ImmutableMap.of("key", "key1", "plugin.license.secured", "ABCD", "secret.secured", "123456"));
   }