Migrate from Acegi compatibility layer to Spring Security 6.x (#285)

Author: basil

src/main/java/org/jenkinsci/plugins/GithubAuthenticationToken.java

@@ -50,10 +50,6 @@ of this software and associated documentation files (the "Software"), to deal
 import java.util.logging.Logger;
 import jenkins.model.Jenkins;
 import okhttp3.OkHttpClient;
-import org.acegisecurity.GrantedAuthority;
-import org.acegisecurity.GrantedAuthorityImpl;
-import org.acegisecurity.providers.AbstractAuthenticationToken;
-import org.acegisecurity.userdetails.UsernameNotFoundException;
 import org.kohsuke.github.GHMyself;
 import org.kohsuke.github.GHOrganization;
 import org.kohsuke.github.GHRepository;
@@ -63,6 +59,10 @@ of this software and associated documentation files (the "Software"), to deal
 import org.kohsuke.github.GitHubBuilder;
 import org.kohsuke.github.RateLimitHandler;
 import org.kohsuke.github.extras.okhttp3.OkHttpGitHubConnector;
+import org.springframework.security.authentication.AbstractAuthenticationToken;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
 
 /**
  * @author mocleiri
@@ -190,7 +190,7 @@ public GithubAuthenticationToken(final String accessToken, final String githubSe
 
     @SuppressFBWarnings(value = "NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE")
     public GithubAuthenticationToken(final String accessToken, final String githubServer, final boolean clearUserCache) throws IOException {
-        super(new GrantedAuthority[] {});
+        super(List.of());
 
         this.accessToken = accessToken;
         this.githubServer = githubServer;
@@ -209,7 +209,7 @@ public GithubAuthenticationToken(final String accessToken, final String githubSe
             // may have changed due to SSO [JENKINS-60200].
             clearCacheForUser(this.userName);
         }
-        authorities.add(SecurityRealm.AUTHENTICATED_AUTHORITY);
+        authorities.add(SecurityRealm.AUTHENTICATED_AUTHORITY2);
 
         // This stuff only really seems useful if *not* using GithubAuthorizationStrategy
         // but instead using matrix so org/team can be granted rights
@@ -242,11 +242,11 @@ public GithubAuthenticationToken(final String accessToken, final String githubSe
                     for (Map.Entry<String, Set<GHTeam>> teamEntry : myTeams.entrySet()) {
                         String orgLogin = teamEntry.getKey();
                         LOGGER.log(Level.FINE, "Fetch teams for user " + userName + " in organization " + orgLogin);
-                        authorities.add(new GrantedAuthorityImpl(orgLogin));
+                        authorities.add(new SimpleGrantedAuthority(orgLogin));
                         for (GHTeam team : teamEntry.getValue()) {
                             String teamIdentifier = team.getSlug() == null ? team.getName() : team.getSlug();
 
-                            authorities.add(new GrantedAuthorityImpl(orgLogin + GithubOAuthGroupDetails.ORG_TEAM_SEPARATOR
+                            authorities.add(new SimpleGrantedAuthority(orgLogin + GithubOAuthGroupDetails.ORG_TEAM_SEPARATOR
                                     + teamIdentifier));
                         }
                     }
@@ -340,8 +340,8 @@ private static Proxy getProxy(@NonNull String host) {
     }
 
     @Override
-    public GrantedAuthority[] getAuthorities() {
-        return authorities.toArray(new GrantedAuthority[0]);
+    public Collection<GrantedAuthority> getAuthorities() {
+        return authorities;
     }
 
     @Override
@@ -572,7 +572,7 @@ GHTeam loadTeam(@NonNull String organization, @NonNull String team) {
     GithubOAuthUserDetails getUserDetails(@NonNull String username) throws IOException {
         GHUser user = loadUser(username);
         if (user != null) {
-            return new GithubOAuthUserDetails(user.getLogin(), this);
+            return new GithubOAuthUserDetails(user.getLogin(), getAuthorities());
         }
         return null;
     }

src/main/java/org/jenkinsci/plugins/GithubOAuthUserDetails.java

@@ -5,11 +5,10 @@
 
 import edu.umd.cs.findbugs.annotations.NonNull;
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
-import java.io.IOException;
-import org.acegisecurity.GrantedAuthority;
-import org.acegisecurity.userdetails.User;
-import org.acegisecurity.userdetails.UserDetails;
-import org.kohsuke.github.GHUser;
+import java.util.Collection;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
 
 /**
  * @author Mike
@@ -20,34 +19,8 @@ public class GithubOAuthUserDetails extends User implements UserDetails {
 
     private static final long serialVersionUID = 1L;
 
-    private boolean hasGrantedAuthorities;
-
-    private final GithubAuthenticationToken authenticationToken;
-
-    public GithubOAuthUserDetails(@NonNull String login, @NonNull GrantedAuthority[] authorities) {
+    public GithubOAuthUserDetails(@NonNull String login, @NonNull Collection<? extends GrantedAuthority> authorities) {
         super(login, "", true, true, true, true, authorities);
-        this.authenticationToken = null;
-        this.hasGrantedAuthorities = true;
     }
 
-    public GithubOAuthUserDetails(@NonNull String login, @NonNull GithubAuthenticationToken authenticationToken) {
-        super(login, "", true, true, true, true, new GrantedAuthority[0]);
-        this.authenticationToken = authenticationToken;
-        this.hasGrantedAuthorities = false;
-    }
-
-    @Override
-    public GrantedAuthority[] getAuthorities() {
-        if (!hasGrantedAuthorities) {
-            try {
-                GHUser user = authenticationToken.loadUser(getUsername());
-                if(user != null) {
-                    setAuthorities(authenticationToken.getAuthorities());
-                }
-            } catch (IOException e) {
-                throw new RuntimeException(e);
-            }
-        }
-        return super.getAuthorities();
-    }
 }

src/main/java/org/jenkinsci/plugins/GithubRequireOrganizationMembershipACL.java

@@ -45,12 +45,12 @@ of this software and associated documentation files (the "Software"), to deal
 import jenkins.branch.MultiBranchProject;
 import jenkins.model.Jenkins;
 import jenkins.scm.api.SCMSource;
-import org.acegisecurity.Authentication;
 import org.jenkinsci.plugins.github_branch_source.GitHubSCMSource;
 import org.jenkinsci.plugins.workflow.job.WorkflowJob;
 import org.jenkinsci.plugins.workflow.multibranch.BranchJobProperty;
 import org.kohsuke.stapler.Stapler;
-import org.kohsuke.stapler.StaplerRequest;
+import org.kohsuke.stapler.StaplerRequest2;
+import org.springframework.security.core.Authentication;
 
 /**
  * @author Mike
@@ -76,11 +76,11 @@ public class GithubRequireOrganizationMembershipACL extends ACL {
     /*
      * (non-Javadoc)
      *
-     * @see hudson.security.ACL#hasPermission(org.acegisecurity.Authentication,
+     * @see hudson.security.ACL#hasPermission(org.springframework.security.core.Authentication,
      * hudson.security.Permission)
      */
     @Override
-    public boolean hasPermission(@NonNull Authentication a, @NonNull Permission permission) {
+    public boolean hasPermission2(@NonNull Authentication a, @NonNull Permission permission) {
         if (a instanceof GithubAuthenticationToken) {
             if (!a.isAuthenticated())
                 return false;
@@ -153,7 +153,7 @@ else if (testBuildPermission(permission) && isInWhitelistedOrgs(authenticationTo
                 throw new IllegalArgumentException("Authentication must have a valid name");
             }
 
-            if (authenticatedUserName.equals(SYSTEM.getPrincipal())) {
+            if (authenticatedUserName.equals(SYSTEM2.getPrincipal())) {
                 // give system user full access
                 log.finest("Granting Full rights to SYSTEM user.");
                 return true;
@@ -233,7 +233,7 @@ private boolean currentUriPathEndsWithSegment( String segment ) {
 
     @Nullable
     private String requestURI() {
-        StaplerRequest currentRequest = Stapler.getCurrentRequest();
+        StaplerRequest2 currentRequest = Stapler.getCurrentRequest2();
         return (currentRequest == null) ? null : currentRequest.getOriginalRequestURI();
     }
 

src/main/java/org/jenkinsci/plugins/GithubSecurityRealm.java

@@ -42,30 +42,24 @@ of this software and associated documentation files (the "Software"), to deal
 import hudson.security.AbstractPasswordBasedSecurityRealm;
 import hudson.security.GroupDetails;
 import hudson.security.SecurityRealm;
-import hudson.security.UserMayOrMayNotExistException;
+import hudson.security.UserMayOrMayNotExistException2;
 import hudson.tasks.Mailer;
 import hudson.util.Secret;
+import jakarta.servlet.http.HttpSession;
 import java.io.IOException;
+import java.io.UncheckedIOException;
 import java.net.InetSocketAddress;
 import java.net.Proxy;
 import java.security.SecureRandom;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
-import javax.servlet.http.HttpSession;
 import jenkins.model.Jenkins;
 import jenkins.security.SecurityListener;
-import org.acegisecurity.Authentication;
-import org.acegisecurity.AuthenticationException;
-import org.acegisecurity.AuthenticationManager;
-import org.acegisecurity.BadCredentialsException;
-import org.acegisecurity.context.SecurityContextHolder;
-import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
-import org.acegisecurity.userdetails.UserDetails;
-import org.acegisecurity.userdetails.UserDetailsService;
-import org.acegisecurity.userdetails.UsernameNotFoundException;
 import org.apache.commons.lang.builder.HashCodeBuilder;
 import org.apache.http.HttpEntity;
 import org.apache.http.HttpHost;
@@ -83,15 +77,24 @@ of this software and associated documentation files (the "Software"), to deal
 import org.kohsuke.github.GHMyself;
 import org.kohsuke.github.GHOrganization;
 import org.kohsuke.github.GHTeam;
+import org.kohsuke.github.GHUser;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.Header;
 import org.kohsuke.stapler.HttpRedirect;
 import org.kohsuke.stapler.HttpResponse;
 import org.kohsuke.stapler.HttpResponses;
 import org.kohsuke.stapler.QueryParameter;
-import org.kohsuke.stapler.StaplerRequest;
-import org.springframework.dao.DataAccessException;
-import org.springframework.dao.DataRetrievalFailureException;
+import org.kohsuke.stapler.StaplerRequest2;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.AuthenticationServiceException;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
 
 /**
  *
@@ -101,7 +104,7 @@ of this software and associated documentation files (the "Software"), to deal
  * This is based on the MySQLSecurityRealm from the mysql-auth-plugin written by
  * Alex Ackerman.
  */
-public class GithubSecurityRealm extends AbstractPasswordBasedSecurityRealm implements UserDetailsService {
+public class GithubSecurityRealm extends AbstractPasswordBasedSecurityRealm {
     private static final String DEFAULT_WEB_URI = "https://github.com";
     private static final String DEFAULT_API_URI = "https://api.github.com";
     private static final String DEFAULT_ENTERPRISE_API_SUFFIX = "/api/v3";
@@ -332,7 +335,7 @@ public String getOauthScopes() {
         return oauthScopes;
     }
 
-    public HttpResponse doCommenceLogin(StaplerRequest request, @QueryParameter String from, @Header("Referer") final String referer)
+    public HttpResponse doCommenceLogin(StaplerRequest2 request, @QueryParameter String from, @Header("Referer") final String referer)
             throws IOException {
         // https://tools.ietf.org/html/rfc6749#section-10.10 dictates that probability that an attacker guesses the string
         // SHOULD be less than or equal to 2^(-160) and our Strings consist of 65 chars. (65^27 ~= 2^160)
@@ -355,7 +358,7 @@ public HttpResponse doCommenceLogin(StaplerRequest request, @QueryParameter Stri
         }
         String suffix="";
         if (!scopes.isEmpty()) {
-            suffix = "&scope="+Util.join(scopes,",")+"&state="+state;
+            suffix = "&scope=" + String.join(",", scopes) + "&state=" + state;
         } else {
             // We need repo scope in order to access private repos
             // See https://developer.github.com/v3/oauth/#scopes
@@ -370,7 +373,7 @@ public HttpResponse doCommenceLogin(StaplerRequest request, @QueryParameter Stri
      * This is where the user comes back to at the end of the OAuth redirect
      * ping-pong.
      */
-    public HttpResponse doFinishLogin(StaplerRequest request)
+    public HttpResponse doFinishLogin(StaplerRequest2 request)
             throws IOException {
         String code = request.getParameter("code");
         String state = request.getParameter(STATE_ATTRIBUTE);
@@ -435,7 +438,7 @@ public HttpResponse doFinishLogin(StaplerRequest request)
                 }
             }
 
-            SecurityListener.fireAuthenticated(new GithubOAuthUserDetails(self.getLogin(), auth.getAuthorities()));
+            SecurityListener.fireAuthenticated2(new GithubOAuthUserDetails(self.getLogin(), auth.getAuthorities()));
 
             // While LastGrantedAuthorities are triggered by that event, we cannot trigger it there
             // or modifications in organizations will be not reflected when using API Token, due to that caching
@@ -561,7 +564,7 @@ public Authentication authenticate(Authentication authentication)
                             GithubSecretStorage.put(user, token.getCredentials().toString());
                         }
 
-                        SecurityListener.fireAuthenticated(new GithubOAuthUserDetails(token.getName(), github.getAuthorities()));
+                        SecurityListener.fireAuthenticated2(new GithubOAuthUserDetails(token.getName(), github.getAuthorities()));
 
                         return github;
                     } catch (IOException e) {
@@ -570,11 +573,11 @@ public Authentication authenticate(Authentication authentication)
                 throw new BadCredentialsException(
                         "Unexpected authentication type: " + authentication);
             }
-        }, GithubSecurityRealm.this::loadUserByUsername);
+        }, GithubSecurityRealm.this::loadUserByUsername2);
     }
 
     @Override
-    protected GithubOAuthUserDetails authenticate(String username, String password) throws AuthenticationException {
+    protected GithubOAuthUserDetails authenticate2(String username, String password) throws AuthenticationException {
         try {
             GithubAuthenticationToken github = new GithubAuthenticationToken(password, getGithubApiUri());
             if(username.equals(github.getPrincipal())) {
@@ -593,12 +596,12 @@ public String getLoginUrl() {
     }
 
     @Override
-    protected String getPostLogOutUrl(StaplerRequest req, Authentication auth) {
+    protected String getPostLogOutUrl2(StaplerRequest2 req, Authentication auth) {
         // if we just redirect to the root and anonymous does not have Overall read then we will start a login all over again.
         // we are actually anonymous here as the security context has been cleared
         Jenkins j = Jenkins.get();
         if (j.hasPermission(Jenkins.READ)) {
-            return super.getPostLogOutUrl(req, auth);
+            return super.getPostLogOutUrl2(req, auth);
         }
         return req.getContextPath()+ "/" + GithubLogoutAction.POST_LOGOUT_URL;
     }
@@ -654,8 +657,8 @@ public DescriptorImpl getDescriptor() {
      * @return userDetails
      */
     @Override
-    public UserDetails loadUserByUsername(String username)
-            throws UsernameNotFoundException, DataAccessException {
+    public UserDetails loadUserByUsername2(String username)
+            throws UsernameNotFoundException {
         //username is in org*team format
         if(username.contains(GithubOAuthGroupDetails.ORG_TEAM_SEPARATOR)) {
             throw new UsernameNotFoundException("Using org*team format instead of username: " + username);
@@ -672,7 +675,7 @@ public UserDetails loadUserByUsername(String username)
             }
         } catch(IOException | UsernameNotFoundException e) {
             if(e instanceof IOException) {
-                throw new UserMayOrMayNotExistException("Could not connect to GitHub API server, target URL = " + getGithubApiUri(), e);
+                throw new UserMayOrMayNotExistException2("Could not connect to GitHub API server, target URL = " + getGithubApiUri(), e);
             } else {
                 // user not found so continuing normally re-using the current context holder
                 LOGGER.log(Level.FINE, "Attempted to impersonate " + username + " but token in user property was invalid.");
@@ -684,15 +687,27 @@ public UserDetails loadUserByUsername(String username)
         if (token instanceof GithubAuthenticationToken) {
             authToken = (GithubAuthenticationToken) token;
         } else {
-            throw new UserMayOrMayNotExistException("Unexpected authentication type: " + token);
+            throw new UserMayOrMayNotExistException2("Unexpected authentication type: " + token);
         }
 
         /**
          * Always lookup the local user first. If we can't resolve it then we can burn an API request to Github for this user
          * Taken from hudson.security.HudsonPrivateSecurityRealm#loadUserByUsername(java.lang.String)
          */
         if (localUser != null) {
-            return new GithubOAuthUserDetails(username, authToken);
+            GHUser user;
+            try {
+                user = authToken.loadUser(username);
+            } catch (IOException e) {
+                throw new UncheckedIOException(e);
+            }
+            Collection<GrantedAuthority> authorities;
+            if (user != null) {
+                authorities = authToken.getAuthorities();
+            } else {
+                authorities = List.of();
+            }
+            return new GithubOAuthUserDetails(username, authorities);
         }
 
         try {
@@ -709,7 +724,7 @@ public UserDetails loadUserByUsername(String username)
 
             return userDetails;
         } catch (IOException | Error e) {
-            throw new DataRetrievalFailureException("loadUserByUsername (username=" + username +")", e);
+            throw new AuthenticationServiceException("loadUserByUsername (username=" + username +")", e);
         }
     }
 
@@ -749,8 +764,8 @@ public int hashCode() {
      * @return groupDetails
      */
     @Override
-    public GroupDetails loadGroupByGroupname(String groupName)
-            throws UsernameNotFoundException, DataAccessException {
+    public GroupDetails loadGroupByGroupname2(String groupName, boolean fetchMembers)
+            throws UsernameNotFoundException {
         GithubAuthenticationToken authToken =  (GithubAuthenticationToken) SecurityContextHolder.getContext().getAuthentication();
 
         if(authToken == null)
@@ -776,7 +791,7 @@ public GroupDetails loadGroupByGroupname(String groupName)
                 return new GithubOAuthGroupDetails(ghOrg);
             }
         } catch (Error e) {
-            throw new DataRetrievalFailureException("loadGroupByGroupname (groupname=" + groupName + ")", e);
+            throw new AuthenticationServiceException("loadGroupByGroupname (groupname=" + groupName + ")", e);
         }
     }