From bfaadfbdef278846e593661ff6f3b0c17a596587 Mon Sep 17 00:00:00 2001
From: domi <domi@dev.java.net>
Date: Sun, 24 Oct 2010 16:02:29 +0000
Subject: [PATCH] initial fork of the script-fork plugin (of version
 1.1-SNAPSHOT)

---
 pom.xml                                       |  15 ++
 .../ExtendedScriptSecurityRealm.java          | 150 ++++++++++++++++++
 .../ExtendedScriptSecurityRealm/config.jelly  |  34 ++++
 .../ExtendedScriptSecurityRealm/help.html     |  13 ++
 src/main/resources/index.jelly                |   3 +
 src/main/webapp/help-groupsCommandLine.html   |  12 ++
 src/main/webapp/help-groupsDelimiter.html     |   3 +
 .../ExtendedScriptSecurityRealmTest.java      |  22 +++
 8 files changed, 252 insertions(+)
 create mode 100644 pom.xml
 create mode 100644 src/main/java/hudson/plugins/script_realm_extended/ExtendedScriptSecurityRealm.java
 create mode 100644 src/main/resources/hudson/plugins/script_realm_extended/ExtendedScriptSecurityRealm/config.jelly
 create mode 100644 src/main/resources/hudson/plugins/script_realm_extended/ExtendedScriptSecurityRealm/help.html
 create mode 100644 src/main/resources/index.jelly
 create mode 100644 src/main/webapp/help-groupsCommandLine.html
 create mode 100644 src/main/webapp/help-groupsDelimiter.html
 create mode 100644 src/test/java/hudson/plugins/script_realm/ExtendedScriptSecurityRealmTest.java

diff --git a/pom.xml b/pom.xml
new file mode 100644
index 0000000..645539e
--- /dev/null
+++ b/pom.xml
@@ -0,0 +1,15 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>org.jvnet.hudson.plugins</groupId>
+    <artifactId>plugin</artifactId>
+    <version>1.330</version>
+    <relativePath>../pom.xml</relativePath>
+  </parent>
+  
+  <artifactId>script-realm-extended</artifactId>
+  <version>1.0-SNAPSHOT</version>
+  <packaging>hpi</packaging>
+  <name>Security Realm by custom script with group support</name>
+  <url>http://wiki.hudson-ci.org/display/HUDSON/Script+Security+Realm+Extended</url>
+</project>
diff --git a/src/main/java/hudson/plugins/script_realm_extended/ExtendedScriptSecurityRealm.java b/src/main/java/hudson/plugins/script_realm_extended/ExtendedScriptSecurityRealm.java
new file mode 100644
index 0000000..70aa6b8
--- /dev/null
+++ b/src/main/java/hudson/plugins/script_realm_extended/ExtendedScriptSecurityRealm.java
@@ -0,0 +1,150 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2004-2009, Sun Microsystems, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package hudson.plugins.script_realm_extended;
+
+import hudson.Extension;
+import hudson.Launcher.LocalLauncher;
+import hudson.model.Descriptor;
+import hudson.model.TaskListener;
+import hudson.security.AbstractPasswordBasedSecurityRealm;
+import hudson.security.GroupDetails;
+import hudson.security.SecurityRealm;
+import hudson.util.QuotedStringTokenizer;
+import hudson.util.StreamTaskListener;
+import org.acegisecurity.AuthenticationException;
+import org.acegisecurity.AuthenticationServiceException;
+import org.acegisecurity.BadCredentialsException;
+import org.acegisecurity.GrantedAuthority;
+import org.acegisecurity.GrantedAuthorityImpl;
+import org.acegisecurity.userdetails.User;
+import org.acegisecurity.userdetails.UserDetails;
+import org.acegisecurity.userdetails.UsernameNotFoundException;
+import org.apache.commons.io.output.ByteArrayOutputStream;
+import org.apache.commons.io.output.NullOutputStream;
+import org.apache.commons.lang.StringUtils;
+import org.kohsuke.stapler.DataBoundConstructor;
+import org.springframework.dao.DataAccessException;
+
+import java.io.IOException;
+import java.io.OutputStream;
+import java.io.StringWriter;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.StringTokenizer;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+/**
+ * This realm is a fork of the original <code>ScriptSecurityRealm</code>, the
+ * extension would have fit in to the original class easily - but as I did not
+ * get any feedback if I can merge my changes, I just created a new plugin.
+ * 
+ * @author Kohsuke Kawaguchi (origin)
+ * @author Dominik Bartholdi
+ */
+public class ExtendedScriptSecurityRealm extends AbstractPasswordBasedSecurityRealm {
+	private static final Logger LOGGER = Logger.getLogger(ExtendedScriptSecurityRealm.class.getName());
+
+	public final String commandLine;
+	public final String groupsCommandLine;
+	public final String groupsDelimiter;
+
+	@DataBoundConstructor
+	public ExtendedScriptSecurityRealm(String commandLine, String groupsCommandLine, String groupsDelimiter) {
+		this.commandLine = commandLine;
+		this.groupsCommandLine = groupsCommandLine;
+		if (StringUtils.isBlank(groupsDelimiter)) {
+			this.groupsDelimiter = ",";
+		} else {
+			this.groupsDelimiter = groupsDelimiter;
+		}
+	}
+
+	protected UserDetails authenticate(String username, String password) throws AuthenticationException {
+		try {
+			StringWriter out = new StringWriter();
+			LocalLauncher launcher = new LocalLauncher(new StreamTaskListener(out));
+			if (launcher.launch().cmds(QuotedStringTokenizer.tokenize(commandLine)).stdout(new NullOutputStream()).envs("U=" + username, "P=" + password)
+					.join() != 0) {
+				throw new BadCredentialsException(out.toString());
+			}
+			GrantedAuthority[] groups = loadGroups(username);
+			return new User(username, "", true, true, true, true, groups);
+		} catch (InterruptedException e) {
+			throw new AuthenticationServiceException("Interrupted", e);
+		} catch (IOException e) {
+			throw new AuthenticationServiceException("Failed", e);
+		}
+	}
+
+	public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
+		GrantedAuthority[] groups = loadGroups(username);
+		return new User(username, "", true, true, true, true, groups);
+	}
+
+	@Override
+	public GroupDetails loadGroupByGroupname(final String groupname) throws UsernameNotFoundException, DataAccessException {
+		return new GroupDetails() {
+			public String getName() {
+				return groupname;
+			}
+		};
+	}
+
+	@Extension
+	public static final class DescriptorImpl extends Descriptor<SecurityRealm> {
+		public String getDisplayName() {
+			return "Authenticate via custom script (supporting groups)";
+		}
+	}
+
+	protected GrantedAuthority[] loadGroups(String username) throws AuthenticationException {
+		try {
+			List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
+			authorities.add(AUTHENTICATED_AUTHORITY);
+			if (!StringUtils.isBlank(groupsCommandLine)) {
+				StringWriter out = new StringWriter();
+				LocalLauncher launcher = new LocalLauncher(new StreamTaskListener(out));
+				OutputStream scriptOut = new ByteArrayOutputStream();
+				if (launcher.launch().cmds(QuotedStringTokenizer.tokenize(groupsCommandLine)).stdout(scriptOut).envs("U=" + username).join() == 0) {
+					StringTokenizer tokenizer = new StringTokenizer(scriptOut.toString().trim(), groupsDelimiter);
+					while (tokenizer.hasMoreTokens()) {
+						final String token = tokenizer.nextToken().trim();
+						String[] args = new String[] { token, username };
+						LOGGER.log(Level.FINE, "granting: {0} to {1}", args);
+						authorities.add(new GrantedAuthorityImpl(token));
+					}
+
+				} else {
+					throw new BadCredentialsException(out.toString());
+				}
+			}
+			return authorities.toArray(new GrantedAuthority[0]);
+		} catch (InterruptedException e) {
+			throw new AuthenticationServiceException("Interrupted", e);
+		} catch (IOException e) {
+			throw new AuthenticationServiceException("Failed", e);
+		}
+	}
+}
diff --git a/src/main/resources/hudson/plugins/script_realm_extended/ExtendedScriptSecurityRealm/config.jelly b/src/main/resources/hudson/plugins/script_realm_extended/ExtendedScriptSecurityRealm/config.jelly
new file mode 100644
index 0000000..b002c8f
--- /dev/null
+++ b/src/main/resources/hudson/plugins/script_realm_extended/ExtendedScriptSecurityRealm/config.jelly
@@ -0,0 +1,34 @@
+<!--
+The MIT License
+
+Copyright (c) 2004-2009, Sun Microsystems, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+-->
+<j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
+  <f:entry title="${%Login Command}">
+    <f:textbox field="commandLine" />
+  </f:entry>
+  <f:entry title="${%Groups Command}" help="/plugin/script-realm-extended/help-groupsCommandLine.html">
+    <f:textbox field="groupsCommandLine" />
+  </f:entry>
+  <f:entry title="${%Groups Delimiter}" help="/plugin/script-realm-extended/help-groupsDelimiter.html">
+    <f:textbox field="groupsDelimiter" default="," />
+  </f:entry>
+</j:jelly>
\ No newline at end of file
diff --git a/src/main/resources/hudson/plugins/script_realm_extended/ExtendedScriptSecurityRealm/help.html b/src/main/resources/hudson/plugins/script_realm_extended/ExtendedScriptSecurityRealm/help.html
new file mode 100644
index 0000000..6e46eb2
--- /dev/null
+++ b/src/main/resources/hudson/plugins/script_realm_extended/ExtendedScriptSecurityRealm/help.html
@@ -0,0 +1,13 @@
+<div>
+  Delegates the authentication to a custom script. This is useful if you need to plug into
+  a custom authentication scheme, but don't want to write your own plugin.
+
+  <p>
+  Each time the authentication is attemped,
+  the specified script will be invoked with the username in the 'U' environment variable
+  and the password in the 'P' environment variable. If the script returns exit code 0,
+  the authentication is considered successful, and otherwise failure.
+
+  <p>
+  In case of the failure, the output from the process will be reported in the exception message.
+</div>
\ No newline at end of file
diff --git a/src/main/resources/index.jelly b/src/main/resources/index.jelly
new file mode 100644
index 0000000..01e653c
--- /dev/null
+++ b/src/main/resources/index.jelly
@@ -0,0 +1,3 @@
+<div>
+  This plugin adds authentication via user-defined script, in additon to the orignal script-realm, this one also supports groups.
+</div>
\ No newline at end of file
diff --git a/src/main/webapp/help-groupsCommandLine.html b/src/main/webapp/help-groupsCommandLine.html
new file mode 100644
index 0000000..905ebc0
--- /dev/null
+++ b/src/main/webapp/help-groupsCommandLine.html
@@ -0,0 +1,12 @@
+<div>
+  Delegates the groups resolution to a custom script.
+  
+  <p>
+  Each time the authentication is attemped,
+  the specified script will be invoked with the username in the 'U' environment variable.
+  If the script returns exit code 0, the output will be tokenized by the delimiter (default: ',')
+  to create a groups with each token.
+
+  <p>
+  In case of the failure, the output from the process will be reported in the exception message.
+</div>
\ No newline at end of file
diff --git a/src/main/webapp/help-groupsDelimiter.html b/src/main/webapp/help-groupsDelimiter.html
new file mode 100644
index 0000000..d3d073e
--- /dev/null
+++ b/src/main/webapp/help-groupsDelimiter.html
@@ -0,0 +1,3 @@
+<div>
+  Delimiter to split the groups within the returned output of the groups script.
+</div>
\ No newline at end of file
diff --git a/src/test/java/hudson/plugins/script_realm/ExtendedScriptSecurityRealmTest.java b/src/test/java/hudson/plugins/script_realm/ExtendedScriptSecurityRealmTest.java
new file mode 100644
index 0000000..ceb8717
--- /dev/null
+++ b/src/test/java/hudson/plugins/script_realm/ExtendedScriptSecurityRealmTest.java
@@ -0,0 +1,22 @@
+package hudson.plugins.script_realm;
+
+import org.acegisecurity.AuthenticationException;
+import org.jvnet.hudson.test.HudsonTestCase;
+
+/**
+ * @author Kohsuke Kawaguchi
+ */
+public class ExtendedScriptSecurityRealmTest extends HudsonTestCase {
+	public void test1() {
+//		new ScriptSecurityRealm("/bin/true", "", null).authenticate("test", "test");
+	}
+
+	public void test2() {
+//		try {
+//			new ScriptSecurityRealm("/bin/false", "", null).authenticate("test", "test");
+//			fail();
+//		} catch (AuthenticationException e) {
+//			// as expected
+//		}
+	}
+}