From c4831a9dae22a7468d9d645902827422c399cb38 Mon Sep 17 00:00:00 2001
From: Nigel Magnay
Date: Sat, 28 May 2011 18:11:48 +0100
Subject: [PATCH 1/4] Stage 1 : Create hudson.model.Jenkins, make Hudson derive from Jenkins.
Signed-off-by: Nigel Magnay
Originally-Committed-As: 70c10658148c3eab3b4c4122705e1ed3a12e193d
---
 .../src/main/java/hudson/security/LDAPSecurityRealm.java | 9 ++++-----
 .../webapp/WEB-INF/security/LDAPBindSecurityRealm.groovy | 4 ++--
 2 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/core/src/main/java/hudson/security/LDAPSecurityRealm.java b/core/src/main/java/hudson/security/LDAPSecurityRealm.java
index 9b038eb..2eeb8fe 100644
--- a/core/src/main/java/hudson/security/LDAPSecurityRealm.java
+++ b/core/src/main/java/hudson/security/LDAPSecurityRealm.java
@@ -29,7 +29,7 @@ import static hudson.Util.fixNull;
 import static hudson.Util.fixEmptyAndTrim;
 import static hudson.Util.fixEmpty;
 import hudson.model.Descriptor;
-import hudson.model.Hudson;
+import hudson.model.Jenkins;
 import hudson.model.User;
 import hudson.tasks.MailAddressResolver;
 import hudson.util.FormValidation;
@@ -73,7 +73,6 @@ import java.net.UnknownHostException;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.Hashtable;
-import java.util.Iterator;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -350,7 +349,7 @@ public class LDAPSecurityRealm extends AbstractPasswordBasedSecurityRealm {
 binding.setVariable("instance", this);
 BeanBuilder builder = new BeanBuilder();
- builder.parse(Hudson.getInstance().servletContext.getResourceAsStream("/WEB-INF/security/LDAPBindSecurityRealm.groovy"),binding);
+ builder.parse(Jenkins.getInstance().servletContext.getResourceAsStream("/WEB-INF/security/LDAPBindSecurityRealm.groovy"),binding);
 WebApplicationContext appContext = builder.createApplicationContext();
 ldapTemplate = new LdapTemplate(findBean(InitialDirContextFactory.class, appContext));
@@ -453,7 +452,7 @@ public class LDAPSecurityRealm extends AbstractPasswordBasedSecurityRealm {
 public static final class MailAdressResolverImpl extends MailAddressResolver {
 public String findMailAddressFor(User u) {
 // LDAP not active
- SecurityRealm realm = Hudson.getInstance().getSecurityRealm();
+ SecurityRealm realm = Jenkins.getInstance().getSecurityRealm();
 if(!(realm instanceof LDAPSecurityRealm))
 return null;
 try {
@@ -547,7 +546,7 @@ public class LDAPSecurityRealm extends AbstractPasswordBasedSecurityRealm {
 @QueryParameter final String managerDN,
 @QueryParameter final String managerPassword) {
- if(!Hudson.getInstance().hasPermission(Hudson.ADMINISTER))
+ if(!Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER))
 return FormValidation.ok();
 try {
diff --git a/war/src/main/webapp/WEB-INF/security/LDAPBindSecurityRealm.groovy b/war/src/main/webapp/WEB-INF/security/LDAPBindSecurityRealm.groovy
index 4f0995c..613b00c 100644
--- a/war/src/main/webapp/WEB-INF/security/LDAPBindSecurityRealm.groovy
+++ b/war/src/main/webapp/WEB-INF/security/LDAPBindSecurityRealm.groovy
@@ -28,7 +28,7 @@ import org.acegisecurity.providers.ldap.authenticator.BindAuthenticator2
 import org.acegisecurity.ldap.DefaultInitialDirContextFactory
 import org.acegisecurity.ldap.search.FilterBasedLdapUserSearch
 import org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider
-import hudson.model.Hudson
+import hudson.model.Jenkins
 import hudson.security.LDAPSecurityRealm.AuthoritiesPopulatorImpl
 import hudson.Util
 import javax.naming.Context
@@ -74,7 +74,7 @@ authenticationManager(ProviderManager) {
 // these providers apply everywhere
 bean(RememberMeAuthenticationProvider) {
- key = Hudson.getInstance().getSecretKey();
+ key = Jenkins.getInstance().getSecretKey();
 },
 // this doesn't mean we allow anonymous access.
 // we just authenticate anonymous users as such,
From 57b0be36a8393976ee61c5aac184bd49c257b281 Mon Sep 17 00:00:00 2001
From: Nigel Magnay
Date: Sun, 29 May 2011 10:53:24 +0100
Subject: [PATCH 2/4] Move hudson.model.Jenkins to be jenkins.model.Jenkins - part II
Just import changes, from hudson.model.Jenkins -> jenkins.model.Jenkins, and Javadoc comments.
Signed-off-by: Nigel Magnay
Originally-Committed-As: 5679d019ec7c1be89d5ea2b2a964ac143695d474
---
 core/src/main/java/hudson/security/LDAPSecurityRealm.java | 2 +-
 .../main/webapp/WEB-INF/security/LDAPBindSecurityRealm.groovy | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/core/src/main/java/hudson/security/LDAPSecurityRealm.java b/core/src/main/java/hudson/security/LDAPSecurityRealm.java
index 2eeb8fe..e76f43c 100644
--- a/core/src/main/java/hudson/security/LDAPSecurityRealm.java
+++ b/core/src/main/java/hudson/security/LDAPSecurityRealm.java
@@ -29,7 +29,7 @@ import static hudson.Util.fixNull;
 import static hudson.Util.fixEmptyAndTrim;
 import static hudson.Util.fixEmpty;
 import hudson.model.Descriptor;
-import hudson.model.Jenkins;
+import jenkins.model.Jenkins;
 import hudson.model.User;
 import hudson.tasks.MailAddressResolver;
 import hudson.util.FormValidation;
diff --git a/war/src/main/webapp/WEB-INF/security/LDAPBindSecurityRealm.groovy b/war/src/main/webapp/WEB-INF/security/LDAPBindSecurityRealm.groovy
index 613b00c..db70277 100644
--- a/war/src/main/webapp/WEB-INF/security/LDAPBindSecurityRealm.groovy
+++ b/war/src/main/webapp/WEB-INF/security/LDAPBindSecurityRealm.groovy
@@ -28,7 +28,7 @@ import org.acegisecurity.providers.ldap.authenticator.BindAuthenticator2
 import org.acegisecurity.ldap.DefaultInitialDirContextFactory
 import org.acegisecurity.ldap.search.FilterBasedLdapUserSearch
 import org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider
-import hudson.model.Jenkins
+import jenkins.model.Jenkins
 import hudson.security.LDAPSecurityRealm.AuthoritiesPopulatorImpl
 import hudson.Util
 import javax.naming.Context
From 40f72a1b10f63d8c7a61ff32164ef25d115c6046 Mon Sep 17 00:00:00 2001
From: Kevin Connor
Date: Mon, 6 Jun 2011 23:05:24 -0700
Subject: [PATCH 3/4] change ldap group lookup when using memberUid to match using name according to rfc2307 which says the memberUid is a name (not a uid strangely enough) just going by http://manpages.ubuntu.com/manpages/natty/man5/sssd-ldap.5.html ldap_schema description and my broken install on ubuntu... I can't say what ldif I used except it was standard (I didn't write it) and ldapscripts and phpmyadmin all seem to want the field to be a name.
Originally-Committed-As: 8feb91bb2f6637783b9ffb051776e953b1c5e84c
---
 .../main/webapp/WEB-INF/security/LDAPBindSecurityRealm.groovy | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/war/src/main/webapp/WEB-INF/security/LDAPBindSecurityRealm.groovy b/war/src/main/webapp/WEB-INF/security/LDAPBindSecurityRealm.groovy
index 4f0995c..3bd5001 100644
--- a/war/src/main/webapp/WEB-INF/security/LDAPBindSecurityRealm.groovy
+++ b/war/src/main/webapp/WEB-INF/security/LDAPBindSecurityRealm.groovy
@@ -64,7 +64,7 @@ bindAuthenticator(BindAuthenticator2,initialDirContextFactory) {
 authoritiesPopulator(AuthoritiesPopulatorImpl, initialDirContextFactory, instance.groupSearchBase) {
 // see DefaultLdapAuthoritiesPopulator for other possible configurations
 searchSubtree = true;
- groupSearchFilter = "(| (member={0}) (uniqueMember={0}) (memberUid={1}))";
+ groupSearchFilter = "(| (member={0}) (uniqueMember={0}) (memberUid={0}))";
 }
 authenticationManager(ProviderManager) {
From bd334cff2df0c4a7ec5b2c0de507fdc0db8b4036 Mon Sep 17 00:00:00 2001
From: Kohsuke Kawaguchi
Date: Thu, 9 Jun 2011 15:40:20 -0700
Subject: [PATCH 4/4] LDAPBindSecurityRealm.groovy> can be now overridden in $JENKINS_HOME if it exists. See http://jenkins.361315.n4.nabble.com/LDAPBindSecurityRealm-groovy-td3584243.html
Originally-Committed-As: 77188bfccf1fbafad14a18a26a0175e54157383e
---
 .../java/hudson/security/LDAPSecurityRealm.java | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
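Review bot: The memberUid clause now substitutes `{0}` in place of `{1}`, and in Acegi's DefaultLdapAuthoritiesPopulator (the class the comment on the previous line points to) the filter arguments are, as far as I recall, the user's DN at `{0}` and the login name at `{1}`; unless AuthoritiesPopulatorImpl reorders them, this compares a full DN against an attribute that RFC 2307 defines as holding the bare uid, so posixGroup membership would stop matching rather than start. The commit message's evidence is a single broken install, so the placeholder order should be confirmed against the populator before this lands; group membership feeds authorization, and a filter that silently matches nothing drops permissions without any error in the log. Whatever the outcome, the line should carry a comment recording the mapping, e.g. `// {0} = user DN, {1} = login name — argument order of DefaultLdapAuthoritiesPopulator`, so the two indices are not confused again.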
diff --git a/core/src/main/java/hudson/security/LDAPSecurityRealm.java b/core/src/main/java/hudson/security/LDAPSecurityRealm.java
index e76f43c..fbe5188 100644
--- a/core/src/main/java/hudson/security/LDAPSecurityRealm.java
+++ b/core/src/main/java/hudson/security/LDAPSecurityRealm.java
@@ -54,6 +54,7 @@ import org.acegisecurity.userdetails.UsernameNotFoundException;
 import org.acegisecurity.userdetails.ldap.LdapUserDetails;
 import org.acegisecurity.userdetails.ldap.LdapUserDetailsImpl;
 import org.apache.commons.collections.map.LRUMap;
+import org.apache.commons.io.input.AutoCloseInputStream;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.QueryParameter;
 import org.springframework.dao.DataAccessException;
@@ -66,6 +67,9 @@ import javax.naming.directory.Attributes;
 import javax.naming.directory.BasicAttributes;
 import javax.naming.directory.DirContext;
 import javax.naming.directory.InitialDirContext;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.net.InetAddress;
 import java.net.Socket;
@@ -349,7 +353,15 @@ public class LDAPSecurityRealm extends AbstractPasswordBasedSecurityRealm {
 binding.setVariable("instance", this);
 BeanBuilder builder = new BeanBuilder();
- builder.parse(Jenkins.getInstance().servletContext.getResourceAsStream("/WEB-INF/security/LDAPBindSecurityRealm.groovy"),binding);
+ String fileName = "LDAPBindSecurityRealm.groovy";
+ try {
+ File override = new File(Jenkins.getInstance().getRootDir(), fileName);
+ builder.parse(
+ override.exists() ? new AutoCloseInputStream(new FileInputStream(override)) :
+ Jenkins.getInstance().servletContext.getResourceAsStream("/WEB-INF/security/"+ fileName),binding);
+ } catch (FileNotFoundException e) {
+ throw new Error("Failed to load "+fileName,e);
+ }
 WebApplicationContext appContext = builder.createApplicationContext();
 ldapTemplate = new LdapTemplate(findBean(InitialDirContextFactory.class, appContext));
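Review bot: `override.exists()` on the new File check is also true for a directory, and the file can disappear between that check and the `new FileInputStream` on the next line; both cases land in the `catch`, which rethrows as `java.lang.Error`, a type that `catch (Exception)` boundaries elsewhere will not handle — `override.isFile()` and an `IllegalStateException` are the conventional shape. This Groovy file is the realm's authentication wiring (bind authenticator, authorities populator, remember-me key), so an operator should be able to tell from the log that the bundled copy was replaced by one in `$JENKINS_HOME`; `java.util.logging.Logger` is already imported in this file per the first patch, so one info line in the override branch is enough. The `servletContext.getResourceAsStream` branch still passes an unclosed and possibly null stream to `parse`, but that is carried over from the removed line rather than introduced here. The enclosing method begins and ends outside this hunk.
```java
String fileName = "LDAPBindSecurityRealm.groovy";
File override = new File(Jenkins.getInstance().getRootDir(), fileName);
try {
    if (override.isFile()) {
        // Record that the bundled authentication wiring has been replaced, so the
        // override is visible in the log rather than discovered only by its effects.
        Logger.getLogger(LDAPSecurityRealm.class.getName()).info(
                "Loading LDAP bind configuration from " + override);
        builder.parse(new AutoCloseInputStream(new FileInputStream(override)), binding);
    } else {
        builder.parse(Jenkins.getInstance().servletContext.getResourceAsStream("/WEB-INF/security/" + fileName), binding);
    }
} catch (FileNotFoundException e) {
    throw new IllegalStateException("Failed to load " + override, e);
}
// … unchanged: createApplicationContext() and LdapTemplate construction …
```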