Merge PR jenkinsci#45 Allow limited oauth scopes

samrocketman · samrocketman · commit 674ec3a47a92 · 2015-07-23T21:39:46.000-04:00
diff --git a/src/main/java/org/jenkinsci/plugins/GithubAuthenticationToken.java b/src/main/java/org/jenkinsci/plugins/GithubAuthenticationToken.java
@@ -26,27 +26,27 @@ of this software and associated documentation files (the "Software"), to deal
  */
 package org.jenkinsci.plugins;
 
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import hudson.security.SecurityRealm;
 import java.io.IOException;
 import java.util.ArrayList;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
+import java.util.Arrays;
+import java.util.Collection;
 import java.util.concurrent.Callable;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.TimeUnit;
 import java.util.HashSet;
-import java.util.logging.Logger;
+import java.util.List;
 import java.util.logging.Level;
-
-import com.google.common.cache.Cache;
-import com.google.common.cache.CacheBuilder;
-import hudson.security.SecurityRealm;
-import java.util.Collection;
-
-import org.jenkinsci.plugins.GithubOAuthUserDetails;
+import java.util.logging.Logger;
+import java.util.Map;
+import java.util.Set;
+import jenkins.model.Jenkins;
 import org.acegisecurity.GrantedAuthority;
 import org.acegisecurity.GrantedAuthorityImpl;
 import org.acegisecurity.providers.AbstractAuthenticationToken;
+import org.jenkinsci.plugins.GithubOAuthUserDetails;
 import org.kohsuke.github.GHMyself;
 import org.kohsuke.github.GHOrganization;
 import org.kohsuke.github.GHPersonSet;
@@ -72,6 +72,7 @@ public class GithubAuthenticationToken extends AbstractAuthenticationToken {
     private final String userName;
     private final GitHub gh;
     private final GHMyself me;
+    private GithubSecurityRealm myRealm = null;
 
     /**
      * Cache for faster organization based security
@@ -103,13 +104,23 @@ public GithubAuthenticationToken(String accessToken, String githubServer) throws
 
         this.userName = this.me.getLogin();
         authorities.add(SecurityRealm.AUTHENTICATED_AUTHORITY);
-        Map<String, Set<GHTeam>> myTeams = gh.getMyTeams();
-        for (String orgLogin : myTeams.keySet()) {
-            LOGGER.log(Level.FINE, "Fetch teams for user " + userName + " in organization " + orgLogin);
-            authorities.add(new GrantedAuthorityImpl(orgLogin));
-            for (GHTeam team : myTeams.get(orgLogin)) {
-                authorities.add(new GrantedAuthorityImpl(orgLogin + GithubOAuthGroupDetails.ORG_TEAM_SEPARATOR
-                        + team.getName()));
+        if(Jenkins.getInstance().getSecurityRealm() instanceof GithubSecurityRealm) {
+            if(myRealm == null) {
+                myRealm = (GithubSecurityRealm) Jenkins.getInstance().getSecurityRealm();
+            }
+            //Search for scopes that allow fetching team membership.  This is documented online.
+            //https://developer.github.com/v3/orgs/#list-your-organizations
+            //https://developer.github.com/v3/orgs/teams/#list-user-teams
+            if(myRealm.hasScope("read:org") || myRealm.hasScope("admin:org") || myRealm.hasScope("user") || myRealm.hasScope("repo")) {
+                Map<String, Set<GHTeam>> myTeams = gh.getMyTeams();
+                for (String orgLogin : myTeams.keySet()) {
+                    LOGGER.log(Level.FINE, "Fetch teams for user " + userName + " in organization " + orgLogin);
+                    authorities.add(new GrantedAuthorityImpl(orgLogin));
+                    for (GHTeam team : myTeams.get(orgLogin)) {
+                        authorities.add(new GrantedAuthorityImpl(orgLogin + GithubOAuthGroupDetails.ORG_TEAM_SEPARATOR
+                                + team.getName()));
+                    }
+                }
             }
         }
     }
diff --git a/src/test/java/org/jenkinsci/plugins/GithubRequireOrganizationMembershipACLTest.java b/src/test/java/org/jenkinsci/plugins/GithubRequireOrganizationMembershipACLTest.java
@@ -34,6 +34,8 @@ of this software and associated documentation files (the "Software"), to deal
 import hudson.plugins.git.GitSCM;
 import hudson.plugins.git.UserRemoteConfig;
 import hudson.scm.NullSCM;
+import hudson.security.Permission;
+import hudson.security.PermissionScope;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -42,16 +44,15 @@ of this software and associated documentation files (the "Software"), to deal
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
-
-import hudson.security.Permission;
-import hudson.security.PermissionScope;
+import jenkins.model.Jenkins;
 import junit.framework.TestCase;
 import org.acegisecurity.Authentication;
 import org.acegisecurity.GrantedAuthority;
 import org.acegisecurity.GrantedAuthorityImpl;
 import org.acegisecurity.providers.anonymous.AnonymousAuthenticationToken;
-import org.junit.Test;
+import org.junit.Before;
 import org.junit.runner.RunWith;
+import org.junit.Test;
 import org.kohsuke.github.GHMyself;
 import org.kohsuke.github.GHOrganization;
 import org.kohsuke.github.GHPerson;
@@ -60,18 +61,35 @@ of this software and associated documentation files (the "Software"), to deal
 import org.kohsuke.github.GHUser;
 import org.kohsuke.github.GitHub;
 import org.kohsuke.github.PagedIterable;
+import org.mockito.Mock;
 import org.powermock.api.mockito.PowerMockito;
 import org.powermock.core.classloader.annotations.PrepareForTest;
 import org.powermock.modules.junit4.PowerMockRunner;
+import static org.mockito.Matchers.anyObject;
 
 /**
  *
  * @author alex
  */
 @RunWith(PowerMockRunner.class)
-@PrepareForTest( GitHub.class )
+@PrepareForTest({GitHub.class, Jenkins.class, GithubSecurityRealm.class})
 public class GithubRequireOrganizationMembershipACLTest extends TestCase {
 
+    @Mock
+    private Jenkins jenkins;
+
+    @Mock
+    private GithubSecurityRealm securityRealm;
+
+    @Before
+    public void setUp() throws Exception {
+        //GithubSecurityRealm myRealm = PowerMockito.mock(GithubSecurityRealm.class);
+        PowerMockito.mockStatic(Jenkins.class);
+        PowerMockito.when(Jenkins.getInstance()).thenReturn(jenkins);
+        PowerMockito.when(jenkins.getSecurityRealm()).thenReturn(securityRealm);
+        PowerMockito.when(securityRealm.getOauthScopes()).thenReturn("read:org");
+    }
+
     private final Permission VIEW_JOBSTATUS_PERMISSION = new Permission(Item.PERMISSIONS,
             "ViewStatus",
             Messages._Item_READ_description(),
