Extend security state
Implement management of:
- CSRF protection
- Content Security Policy
- Agent to Master security
Closes-PROD: https://mirantis.jira.com/browse/PROD-20183
Change-Id: I09439bbe534b84ad760091b7db471b5c07274a76
diff --git a/_states/jenkins_security.py b/_states/jenkins_security.py
index e8389ba..ae4a496 100644
--- a/_states/jenkins_security.py
+++ b/_states/jenkins_security.py
@@ -14,6 +14,66 @@
return True
+def agent2master(name, enabled, whitelisted, file_path_rules):
+ """
+ Jenkins Agent to Master Access Control state method
+
+ :param enabled
+ :param whitelisted: Whitelisted Commands
+ :param file_path_rules: File Access Rules
+ """
+
+ template = __salt__['jenkins_common.load_template'](
+ 'salt://jenkins/files/groovy/security.agent2master.template',
+ __env__)
+ return __salt__['jenkins_common.api_call'](name, template,
+ ["CHANGED", "EXISTS"],
+ {
+ 'enabled': enabled,
+ 'newWhitelistedContent': whitelisted,
+ 'newFilePathRulesContent': file_path_rules
+ },
+ 'Agent to Master Access Control')
+
+def csp(name, policy):
+ """
+ Jenkins Content Security Policy state method
+
+ :param policy
+ """
+ default_policy = """\
+ sandbox; default-src 'none'; img-src 'self'; style-src 'self';
+ """.strip()
+
+ template = __salt__['jenkins_common.load_template'](
+ 'salt://jenkins/files/groovy/security.csp.template',
+ __env__)
+ return __salt__['jenkins_common.api_call'](name, template,
+ ["CHANGED", "EXISTS"],
+ {
+ 'policy': policy if policy else default_policy,
+ },
+ 'Content Security Policy')
+
+def csrf(name, enabled, proxy_compat):
+ """
+ Jenkins CSRF protection state method
+
+ :param enabled
+ :param proxy_compat
+ """
+
+ template = __salt__['jenkins_common.load_template'](
+ 'salt://jenkins/files/groovy/security.csrf.template',
+ __env__)
+ return __salt__['jenkins_common.api_call'](name, template,
+ ["CHANGED", "EXISTS"],
+ {
+ 'csrfEnabled': enabled,
+ 'proxyCompat': proxy_compat
+ },
+ 'CSRF Protection')
+
def ldap(name, server, root_dn, user_search_base, manager_dn, manager_password,
user_search="", group_search_base="", inhibit_infer_root_dn=False):
"""
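Review bot: The docstrings of `csrf`, `agent2master` and `csp` leave `:param enabled`, `:param proxy_compat` and `:param policy` without any description, although each one decides whether a protection on the master is on, off or relaxed. I would spell that out, e.g. `:param enabled: True keeps CSRF protection on, False switches it off`, `:param proxy_compat: turn on the crumb issuer's proxy compatibility mode`, and `:param policy: CSP header value; an empty value falls back to default_policy`. The `name` argument is also undocumented in all three functions. Separately, `policy`, `whitelisted` and `file_path_rules` are free-form strings handed to `jenkins_common.api_call` together with a Groovy template. The template and the substitution code are outside this hunk, so it is worth confirming that the values are quoted there and not spliced into the script text as-is.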