
Commit a02ae27

authored
Merge pull request jenkinsci#104 from jenkinsci/release
Release 0.31
2 parents 715be7a + 9a2ed7b commit a02ae27


8 files changed

+436
-8
lines changed


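--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,27 @@
+# Version 0.31 (Released Dec 6, 2018)
+
+- Bugfix GitHub Committer Authorization Strategy bug introduced by 0.30 release.
+(pull request [#103][#103])
+- Enabled Cache for User Teams. (pull request [#100][#100])
+- Authenticated team members have read/build permissions when using GitHub
+Committer Authorization Strategy tracked by [JENKINS-42509][JENKINS-42509].
+(pull request [#91][#91])
+
+[#100]: https://github.com/jenkinsci/github-oauth-plugin/pull/100
+[#103]: https://github.com/jenkinsci/github-oauth-plugin/pull/103
+[#91]: https://github.com/jenkinsci/github-oauth-plugin/pull/91
+[JENKINS-42509]: https://issues.jenkins-ci.org/browse/JENKINS-42509
+
 # Version 0.30
 
-- Enabled Cache for User Teams. (pull request [#100])
+- [SECURITY-602] Mask client secret in UI - the round-trip is now done in
+encrypted format
+- [SECURITY-797] Prevent session fixation - by the invalidation of the session
+after a successful login
+- [SECURITY-798] Prevent open redirect. Use the "from" in priority as it is
+managed directly inside the main layout. Otherwise, fallback to the referer
+header value. In all cases, check the URL is either relative or inside
+Jenkins.
 
 # Version 0.29 (Released Jan 22, 2018)
 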
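--- a/pom.xml
+++ b/pom.xml
@@ -39,7 +39,7 @@
 
 <groupId>org.jenkins-ci.plugins</groupId>
 <artifactId>github-oauth</artifactId>
-<version>0.30-SNAPSHOT</version>
+<version>0.32-SNAPSHOT</version>
 <name>GitHub Authentication plugin</name>
 <description>A Jenkins authentication plugin that delegates to GitHub. We also implement an Authorization Strategy that uses the acquired OAuth token to interact with the GitHub API to determine a user's level of access to Jenkins.</description>
 <packaging>hpi</packaging>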

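--- a/src/main/java/org/jenkinsci/plugins/GithubAuthenticationToken.java
+++ b/src/main/java/org/jenkinsci/plugins/GithubAuthenticationToken.java
@@ -390,7 +390,10 @@ public boolean hasRepositoryPermission(String repositoryName, Permission permiss
 return true;
 }
 // WRITE or READ can Read/Build/View Workspace
-if (permission.equals(Item.READ) || permission.equals(Item.BUILD) || permission.equals(Item.WORKSPACE)) {
+if (permission.equals(Item.DISCOVER) ||
+permission.equals(Item.READ) ||
+permission.equals(Item.BUILD) ||
+permission.equals(Item.WORKSPACE)) {
 return repository.hasPullAccess() || repository.hasPushAccess();
 }
 // WRITE can cancel builds or view config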
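Review bot: The comment above the widened condition, `// WRITE or READ can Read/Build/View Workspace`, no longer matches the code, which now also grants Item.DISCOVER under the same pull-or-push check; update it to `// WRITE or READ can Discover/Read/Build/View Workspace`. Granting Discover wherever Read is granted appears consistent, since in Jenkins core Item.DISCOVER is implied by Item.READ, so this only makes the explicit check agree with the implication. The same permission list is duplicated in GithubRequireOrganizationMembershipACL, so a comment pointing there would help keep the two in step. hasRepositoryPermission starts and ends outside the hunk.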

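--- a/src/main/java/org/jenkinsci/plugins/GithubRequireOrganizationMembershipACL.java
+++ b/src/main/java/org/jenkinsci/plugins/GithubRequireOrganizationMembershipACL.java
@@ -241,6 +241,7 @@ private boolean testBuildPermission(Permission permission) {
 private boolean checkReadPermission(Permission permission) {
 if (permission.getId().equals("hudson.model.Hudson.Read")
 || permission.getId().equals("hudson.model.Item.Workspace")
+|| permission.getId().equals("hudson.model.Item.Discover")
 || permission.getId().equals("hudson.model.Item.Read")) {
 return true;
 } else {
@@ -257,7 +258,8 @@ public boolean hasRepositoryPermission(GithubAuthenticationToken authenticationT
 
 if (repositoryName == null) {
 if (authenticatedUserCreateJobPermission) {
-if (permission.equals(Item.READ) ||
+if (permission.equals(Item.DISCOVER) ||
+permission.equals(Item.READ) ||
 permission.equals(Item.CONFIGURE) ||
 permission.equals(Item.DELETE) ||
 permission.equals(Item.EXTENDED_READ) ||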
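Review bot: checkReadPermission in the first hunk compares permission ids as string literals (`"hudson.model.Item.Discover"`) while hasRepositoryPermission in the second hunk compares against the `Item.DISCOVER` constant, so the two lists that are meant to agree are written in forms the compiler cannot reconcile. Prefer `|| permission.equals(Item.DISCOVER)` here, or at least `|| permission.getId().equals(Item.DISCOVER.getId())`, so a typo or rename fails at compile time instead of silently denying access. If the string form is kept deliberately, a one-line comment saying why would stop the next reader from "fixing" it. Both enclosing methods continue outside their hunks.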

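--- a/src/main/java/org/jenkinsci/plugins/GithubSecurityRealm.java
+++ b/src/main/java/org/jenkinsci/plugins/GithubSecurityRealm.java
@@ -79,6 +79,7 @@ of this software and associated documentation files (the "Software"), to deal
 import org.kohsuke.stapler.HttpRedirect;
 import org.kohsuke.stapler.HttpResponse;
 import org.kohsuke.stapler.HttpResponses;
+import org.kohsuke.stapler.QueryParameter;
 import org.kohsuke.stapler.StaplerRequest;
 import org.springframework.dao.DataAccessException;
 import org.springframework.dao.DataRetrievalFailureException;
@@ -93,6 +94,7 @@ of this software and associated documentation files (the "Software"), to deal
 import java.util.logging.Logger;
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
+import javax.servlet.http.HttpSession;
 
 /**
 *
@@ -333,9 +335,18 @@ public String getOauthScopes() {
 return oauthScopes;
 }
 
-public HttpResponse doCommenceLogin(StaplerRequest request, @Header("Referer") final String referer)
+public HttpResponse doCommenceLogin(StaplerRequest request, @QueryParameter String from, @Header("Referer") final String referer)
 throws IOException {
-request.getSession().setAttribute(REFERER_ATTRIBUTE,referer);
+String redirectOnFinish;
+if (from != null && Util.isSafeToRedirectTo(from)) {
+redirectOnFinish = from;
+} else if (referer != null && (referer.startsWith(Jenkins.getInstance().getRootUrl()) || Util.isSafeToRedirectTo(referer))) {
+redirectOnFinish = referer;
+} else {
+redirectOnFinish = Jenkins.getInstance().getRootUrl();
+}
+
+request.getSession().setAttribute(REFERER_ATTRIBUTE, redirectOnFinish);
 
 Set<String> scopes = new HashSet<>();
 for (GitHubOAuthScope s : getJenkins().getExtensionList(GitHubOAuthScope.class)) {
@@ -361,6 +372,7 @@ public HttpResponse doCommenceLogin(StaplerRequest request, @Header("Referer") f
 public HttpResponse doFinishLogin(StaplerRequest request)
 throws IOException {
 String code = request.getParameter("code");
+String referer = (String)request.getSession().getAttribute(REFERER_ATTRIBUTE);
 
 if (code == null || code.trim().length() == 0) {
 Log.info("doFinishLogin: missing code.");
@@ -372,6 +384,14 @@ public HttpResponse doFinishLogin(StaplerRequest request)
 if (accessToken != null && accessToken.trim().length() > 0) {
 // only set the access token if it exists.
 GithubAuthenticationToken auth = new GithubAuthenticationToken(accessToken, getGithubApiUri());
+
+HttpSession session = request.getSession(false);
+if(session != null){
+// avoid session fixation
+session.invalidate();
+}
+request.getSession(true);
+
 SecurityContextHolder.getContext().setAuthentication(auth);
 
 GHMyself self = auth.getMyself();
@@ -409,7 +429,6 @@ public HttpResponse doFinishLogin(StaplerRequest request)
 Log.info("Github did not return an access token.");
 }
 
-String referer = (String)request.getSession().getAttribute(REFERER_ATTRIBUTE);
 if (referer!=null) return HttpResponses.redirectTo(referer);
 return HttpResponses.redirectToContextRoot(); // referer should be always there, but be defensive
 }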
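Review bot: The new `String referer = (String)request.getSession().getAttribute(REFERER_ATTRIBUTE);` at the top of doFinishLogin is load-bearing but undocumented: it must run before the `session.invalidate()` added further down, because the fresh session from `request.getSession(true)` does not carry the attribute, yet nothing at the read site says so. Add `// read before the session is invalidated below (session fixation fix); the new session will not carry this attribute` so a later tidy-up does not move it back next to the redirect. In doCommenceLogin, `referer.startsWith(Jenkins.getInstance().getRootUrl())` throws if `getRootUrl()` returns null, which as far as I know it can when no root URL is configured and none can be inferred for the request — worth confirming for this call path; hoisting the root URL into a local and treating null as "not safe" keeps the fallback branch reachable instead of failing the login. A short Javadoc on doCommenceLogin stating the precedence `from` → referer → root URL and that each candidate is vetted with `Util.isSafeToRedirectTo` would also record the open-redirect protection that the CHANGELOG describes but the code does not.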

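--- a/src/main/resources/org/jenkinsci/plugins/GithubSecurityRealm/config.jelly
+++ b/src/main/resources/org/jenkinsci/plugins/GithubSecurityRealm/config.jelly
@@ -17,7 +17,7 @@
 </f:entry>
 
 <f:entry title="Client Secret" field="clientSecret" help="/plugin/github-oauth/help/realm/client-secret-help.html">
-<f:textbox />
+<f:password />
 </f:entry>
 
 <f:entry title="OAuth Scope(s)" field="oauthScopes" help="/plugin/github-oauth/help/realm/oauth-scopes-help.html">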
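Review bot: Switching the client-secret entry to `<f:password />` masks the value in the rendered form, but whether the value is also encrypted on the round trip depends on the type of the bound `clientSecret` property, which this diff does not show; if the realm still exposes it as a plain String the page source may still carry the secret in clear. Confirm the property is a `Secret` (the SECURITY-602 CHANGELOG entry implies it is) and, if so, a brief note in the help file or a Jelly comment stating that the field round-trips encrypted would make the intent visible to the next maintainer.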
