add group support

pom.xml

@@ -11,5 +11,6 @@
   <version>1.2-SNAPSHOT</version>
   <packaging>hpi</packaging>
   <name>Security Realm by custom script</name>
+  <description>Supports authentication by exeuting a custom script, to resolve groups for a user, a second script can be defined.</description>
   <url>http://wiki.hudson-ci.org/display/HUDSON/Script+Security+Realm</url>
 </project>

src/main/java/hudson/plugins/script_realm/ScriptSecurityRealm.java

@@ -26,66 +26,120 @@ package hudson.plugins.script_realm;
 import hudson.Extension;
 import hudson.Launcher.LocalLauncher;
 import hudson.model.Descriptor;
-import hudson.model.TaskListener;
 import hudson.security.AbstractPasswordBasedSecurityRealm;
 import hudson.security.GroupDetails;
 import hudson.security.SecurityRealm;
 import hudson.util.QuotedStringTokenizer;
 import hudson.util.StreamTaskListener;
+
+import java.io.IOException;
+import java.io.OutputStream;
+import java.io.StringWriter;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.StringTokenizer;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
 import org.acegisecurity.AuthenticationException;
 import org.acegisecurity.AuthenticationServiceException;
 import org.acegisecurity.BadCredentialsException;
 import org.acegisecurity.GrantedAuthority;
+import org.acegisecurity.GrantedAuthorityImpl;
 import org.acegisecurity.userdetails.User;
 import org.acegisecurity.userdetails.UserDetails;
 import org.acegisecurity.userdetails.UsernameNotFoundException;
+import org.apache.commons.io.output.ByteArrayOutputStream;
 import org.apache.commons.io.output.NullOutputStream;
+import org.apache.commons.lang.StringUtils;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.springframework.dao.DataAccessException;
 
-import java.io.IOException;
-import java.io.StringWriter;
-
 /**
  * @author Kohsuke Kawaguchi
  */
 public class ScriptSecurityRealm extends AbstractPasswordBasedSecurityRealm {
-    public final String commandLine;
+	private static final Logger LOGGER = Logger.getLogger(ScriptSecurityRealm.class.getName());
 
-    @DataBoundConstructor
-    public ScriptSecurityRealm(String commandLine) {
-        this.commandLine = commandLine;
-    }
+	public final String commandLine;
+	public final String groupsCommandLine;
+	public final String groupsDelimiter;
 
-    protected UserDetails authenticate(String username, String password) throws AuthenticationException {
-        try {
-            StringWriter out = new StringWriter();
-            LocalLauncher launcher = new LocalLauncher(new StreamTaskListener(out));
-            if (launcher.launch().cmds(QuotedStringTokenizer.tokenize(commandLine)).stdout(new NullOutputStream())
-                    .envs("U="+username,"P="+password).join()!=0)
-                throw new BadCredentialsException(out.toString());
+	@DataBoundConstructor
+	public ScriptSecurityRealm(String commandLine, String groupsCommandLine, String groupsDelimiter) {
+		this.commandLine = commandLine;
+		this.groupsCommandLine = groupsCommandLine;
+		if (StringUtils.isBlank(groupsDelimiter)) {
+			this.groupsDelimiter = ",";
+		} else {
+			this.groupsDelimiter = groupsDelimiter;
+		}
+	}
 
-            return new User(username,"",true,true,true,true,new GrantedAuthority[]{AUTHENTICATED_AUTHORITY});
-        } catch (InterruptedException e) {
-            throw new AuthenticationServiceException("Interrupted",e);
-        } catch (IOException e) {
-            throw new AuthenticationServiceException("Failed",e);
-        }
-    }
+	protected UserDetails authenticate(String username, String password) throws AuthenticationException {
+		try {
+			StringWriter out = new StringWriter();
+			LocalLauncher launcher = new LocalLauncher(new StreamTaskListener(out));
+			if (launcher.launch().cmds(QuotedStringTokenizer.tokenize(commandLine)).stdout(new NullOutputStream()).envs("U=" + username, "P=" + password)
+					.join() != 0) {
+				throw new BadCredentialsException(out.toString());
+			}
+			GrantedAuthority[] groups = loadGroups(username);
+			return new User(username, "", true, true, true, true, groups);
+		} catch (InterruptedException e) {
+			throw new AuthenticationServiceException("Interrupted", e);
+		} catch (IOException e) {
+			throw new AuthenticationServiceException("Failed", e);
+		}
+	}
 
-    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
-        return new User(username,"",true,true,true,true,new GrantedAuthority[]{AUTHENTICATED_AUTHORITY});
-    }
+	public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
+		GrantedAuthority[] groups = loadGroups(username);
+		return new User(username, "", true, true, true, true, groups);
+	}
 
-    @Override
-    public GroupDetails loadGroupByGroupname(String groupname) throws UsernameNotFoundException, DataAccessException {
-        throw new UsernameNotFoundException(groupname);
-    }
+	@Override
+	public GroupDetails loadGroupByGroupname(final String groupname) throws UsernameNotFoundException, DataAccessException {
+		return new GroupDetails() {
+			public String getName() {
+				return groupname;
+			}
+		};
+	}
 
-    @Extension
-    public static final class DescriptorImpl extends Descriptor<SecurityRealm> {
-        public String getDisplayName() {
-            return "Authenticate via custom script";
-        }
-    }
+	@Extension
+	public static final class DescriptorImpl extends Descriptor<SecurityRealm> {
+		public String getDisplayName() {
+			return "Authenticate via custom script";
+		}
+	}
+
+	protected GrantedAuthority[] loadGroups(String username) throws AuthenticationException {
+		try {
+			List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
+			authorities.add(AUTHENTICATED_AUTHORITY);
+			if (!StringUtils.isBlank(groupsCommandLine)) {
+				StringWriter out = new StringWriter();
+				LocalLauncher launcher = new LocalLauncher(new StreamTaskListener(out));
+				OutputStream scriptOut = new ByteArrayOutputStream();
+				if (launcher.launch().cmds(QuotedStringTokenizer.tokenize(groupsCommandLine)).stdout(scriptOut).envs("U=" + username).join() == 0) {
+					StringTokenizer tokenizer = new StringTokenizer(scriptOut.toString().trim(), groupsDelimiter);
+					while (tokenizer.hasMoreTokens()) {
+						final String token = tokenizer.nextToken().trim();
+						String[] args = new String[] { token, username };
+						LOGGER.log(Level.FINE, "granting: {0} to {1}", args);
+						authorities.add(new GrantedAuthorityImpl(token));
+					}
+
+				} else {
+					throw new BadCredentialsException(out.toString());
+				}
+			}
+			return authorities.toArray(new GrantedAuthority[0]);
+		} catch (InterruptedException e) {
+			throw new AuthenticationServiceException("Interrupted", e);
+		} catch (IOException e) {
+			throw new AuthenticationServiceException("Failed", e);
+		}
+	}
 }

src/main/resources/hudson/plugins/script_realm/ScriptSecurityRealm/config.jelly

@@ -22,7 +22,13 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
 -->
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
-  <f:entry title="${%Command}">
+  <f:entry title="${%Login Command}">
     <f:textbox field="commandLine" />
   </f:entry>
+  <f:entry title="${%Groups Command}" help="/plugin/script-realm/help-groupsCommandLine.html">
+    <f:textbox field="groupsCommandLine" />
+  </f:entry>
+  <f:entry title="${%Groups Delimiter}" help="/plugin/script-realm/help-groupsDelimiter.html">
+    <f:textbox field="groupsDelimiter" default="," />
+  </f:entry>
 </j:jelly>

src/main/resources/hudson/plugins/script_realm/ScriptSecurityRealm/help.html

@@ -3,7 +3,7 @@
   a custom authentication scheme, but don't want to write your own plugin.
 
   <p>
-  Each time the authentication is attemped,
+  Each time the authentication is attemped (which is once per session),
   the specified script will be invoked with the username in the 'U' environment variable
   and the password in the 'P' environment variable. If the script returns exit code 0,
   the authentication is considered successful, and otherwise failure.

src/main/resources/index.jelly

@@ -1,3 +1,3 @@
 <div>
-  This plugin adds authentication via user-defined script.
+  This plugin adds authentication via user-defined script, in additon to the orignal script-realm, this one also supports groups.
 </div>

src/main/webapp/help-groupsCommandLine.html

@@ -0,0 +1,12 @@
+<div>
+  Delegates the groups resolution to a custom script.
+  
+  <p>
+  Each time the authentication is attemped (which is once per session),
+  the specified script will be invoked with the username in the 'U' environment variable.
+  If the script returns exit code 0, the output will be tokenized by the delimiter (default: ',')
+  to create a groups with each token.
+
+  <p>
+  In case of the failure, the output from the process will be reported in the exception message.
+</div>

src/main/webapp/help-groupsDelimiter.html

@@ -0,0 +1,3 @@
+<div>
+  Delimiter to split the groups within the returned output of the groups script.
+</div>

src/test/java/hudson/plugins/script_realm/ScriptSecurityRealmTest.java

@@ -8,12 +8,12 @@ import org.jvnet.hudson.test.HudsonTestCase;
  */
 public class ScriptSecurityRealmTest extends HudsonTestCase {
     public void test1() {
-        new ScriptSecurityRealm("/bin/true").authenticate("test","test");
+        new ScriptSecurityRealm("/bin/true", null, null).authenticate("test","test");
     }
 
     public void test2() {
         try {
-            new ScriptSecurityRealm("/bin/false").authenticate("test","test");
+            new ScriptSecurityRealm("/bin/false", null, null).authenticate("test","test");
             fail();
         } catch (AuthenticationException e) {
             // as expected