JUnit5JenkinsRule and JenkinsRule have different default permissions

[strangelookingnerd]

I noticed some very odd behavior in jenkinsci/jira-plugin#634 and jenkinsci/config-file-provider-plugin#347 where CredentialsStore#addCredentials would suddenly throw AccessDeniedException3 anonymous is missing the Credentials/Create permission when invoked in a JUnit5 test case whereas there is no issue when doing the same with JUnit4.

Reproduction steps

public class ReproducerTest {

    @Rule
    public JenkinsRule junit4rule = new JenkinsRule();

    @org.junit.Test
    public void junit4() {
        MockAuthorizationStrategy strategy = new MockAuthorizationStrategy();
        junit4rule.getInstance().setAuthorizationStrategy(strategy);

        Assert.assertTrue(junit4rule.getInstance().getACL().hasPermission(Permission.READ));
        Assert.assertTrue(junit4rule.getInstance().getACL().hasPermission(Permission.WRITE));
        Assert.assertTrue(junit4rule.getInstance().getACL().hasPermission(Permission.CREATE));
        Assert.assertTrue(junit4rule.getInstance().getACL().hasPermission(Permission.UPDATE));
        Assert.assertTrue(junit4rule.getInstance().getACL().hasPermission(Permission.DELETE));
        Assert.assertTrue(junit4rule.getInstance().getACL().hasPermission(Permission.CONFIGURE));

    }

    @org.junit.jupiter.api.Test
    @WithJenkins
    void junit5(JenkinsRule junit5rule) {
        MockAuthorizationStrategy strategy = new MockAuthorizationStrategy();
        junit5rule.getInstance().setAuthorizationStrategy(strategy);

        Assertions.assertTrue(junit5rule.getInstance().getACL().hasPermission(Permission.READ));
        Assertions.assertTrue(junit5rule.getInstance().getACL().hasPermission(Permission.WRITE));
        Assertions.assertTrue(junit5rule.getInstance().getACL().hasPermission(Permission.CREATE));
        Assertions.assertTrue(junit5rule.getInstance().getACL().hasPermission(Permission.UPDATE));
        Assertions.assertTrue(junit5rule.getInstance().getACL().hasPermission(Permission.DELETE));
        Assertions.assertTrue(junit5rule.getInstance().getACL().hasPermission(Permission.CONFIGURE));
    }
}

Expected Results

Permissions of JUnit4 JenkinsRule and JUnit5JenkinsRule should be identical.

Actual Results

Permissions are different.

Anything else?

I think I found a potential culprit in

jenkins-test-harness/src/main/java/org/jvnet/hudson/test/JenkinsRule.java

Line 657 in 446201c

ACL.impersonate(ACL.SYSTEM);

which does not seem to be applied in the JUnit5JenkinsRule as well.
However I will need some more time to investigate this further.

Are you interested in contributing a fix?

I would love to. However I'm unsure what the best solution would be:

Option 1

Remove permissions from JenkinsRule to align with JUnit5JenkinsRule -> Will likely cause a lot of tests to fail

Option 2

Add permissions to JUnit5JenkinsRule to align with JenkinsRule -> Will likely cause some tests to fail