Merge pull request jenkinsci#115 from jenkinsci/bugfix-JENKINS-57154

samrocketman · web-flow · commit bb9d1ef0c1bc · 2019-08-05T23:42:40.000-04:00
[JENKINS-57154] Fix configureSecurity HTTP 403 err
diff --git a/src/main/java/org/jenkinsci/plugins/GithubAuthenticationToken.java b/src/main/java/org/jenkinsci/plugins/GithubAuthenticationToken.java
@@ -32,13 +32,14 @@ of this software and associated documentation files (the "Software"), to deal
 import com.squareup.okhttp.OkHttpClient;
 import com.squareup.okhttp.OkUrlFactory;
 
+import hudson.model.Item;
 import hudson.security.Permission;
 import hudson.security.SecurityRealm;
-import hudson.model.Item;
 import jenkins.model.Jenkins;
 import org.acegisecurity.GrantedAuthority;
 import org.acegisecurity.GrantedAuthorityImpl;
 import org.acegisecurity.providers.AbstractAuthenticationToken;
+import org.acegisecurity.userdetails.UsernameNotFoundException;
 import org.kohsuke.github.GHMyself;
 import org.kohsuke.github.GHOrganization;
 import org.kohsuke.github.GHPersonSet;
@@ -198,7 +199,9 @@ public GithubAuthenticationToken(final String accessToken, final String githubSe
 
         this.me = loadMyself(accessToken);
 
-        assert this.me!=null;
+        if(this.me == null) {
+            throw new UsernameNotFoundException("Token not valid");
+        }
 
         setAuthenticated(true);
 
diff --git a/src/main/java/org/jenkinsci/plugins/GithubSecretStorage.java b/src/main/java/org/jenkinsci/plugins/GithubSecretStorage.java
@@ -24,11 +24,12 @@
 package org.jenkinsci.plugins;
 
 import hudson.model.User;
-import org.jfree.util.Log;
 
+import java.io.IOException;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 import javax.annotation.CheckForNull;
 import javax.annotation.Nonnull;
-import java.io.IOException;
 
 public class GithubSecretStorage {
 
@@ -43,20 +44,25 @@ public static boolean contains(@Nonnull User user) {
     public static @CheckForNull String retrieve(@Nonnull User user) {
         GithubAccessTokenProperty property = user.getProperty(GithubAccessTokenProperty.class);
         if (property == null) {
-            Log.debug("Cache miss for username: " + user.getId());
+            LOGGER.log(Level.FINE, "Cache miss for username: " + user.getId());
             return null;
         } else {
-            Log.debug("Token retrieved using cache for username: " + user.getId());
+            LOGGER.log(Level.FINE, "Token retrieved using cache for username: " + user.getId());
             return property.getAccessToken().getPlainText();
         }
     }
 
     public static void put(@Nonnull User user, @Nonnull String accessToken) {
-        Log.debug("Populating the cache for username: " + user.getId());
+        LOGGER.log(Level.FINE, "Populating the cache for username: " + user.getId());
         try {
             user.addProperty(new GithubAccessTokenProperty(accessToken));
         } catch (IOException e) {
-            Log.warn("Received an exception when trying to add the GitHub access token to the user: " + user.getId(), e);
+            LOGGER.log(Level.WARNING, "Received an exception when trying to add the GitHub access token to the user: " + user.getId(), e);
         }
     }
+
+    /**
+     * Logger for debugging purposes.
+     */
+    private static final Logger LOGGER = Logger.getLogger(GithubSecretStorage.class.getName());
 }
diff --git a/src/main/java/org/jenkinsci/plugins/GithubSecurityRealm.java b/src/main/java/org/jenkinsci/plugins/GithubSecurityRealm.java
@@ -68,7 +68,6 @@ of this software and associated documentation files (the "Software"), to deal
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClients;
 import org.apache.http.util.EntityUtils;
-import org.jfree.util.Log;
 import org.kohsuke.args4j.Option;
 import org.kohsuke.github.GHEmail;
 import org.kohsuke.github.GHMyself;
@@ -92,6 +91,7 @@ of this software and associated documentation files (the "Software"), to deal
 import java.util.Arrays;
 import java.util.HashSet;
 import java.util.Set;
+import java.util.logging.Level;
 import java.util.logging.Logger;
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
@@ -382,18 +382,18 @@ public HttpResponse doFinishLogin(StaplerRequest request)
         String expectedState = (String)request.getSession().getAttribute(STATE_ATTRIBUTE);
 
         if (code == null || code.trim().length() == 0) {
-            Log.info("doFinishLogin: missing code.");
+            LOGGER.info("doFinishLogin: missing code.");
             return HttpResponses.redirectToContextRoot();
         }
 
         if (state == null){
-            Log.info("doFinishLogin: missing state parameter from Github response.");
+            LOGGER.info("doFinishLogin: missing state parameter from Github response.");
             return HttpResponses.redirectToContextRoot();
         } else if (expectedState == null){
-            Log.info("doFinishLogin: missing state parameter from user's session.");
+            LOGGER.info("doFinishLogin: missing state parameter from user's session.");
             return HttpResponses.redirectToContextRoot();
         } else if (!state.equals(expectedState)){
-            Log.info("state parameter value ["+state+"] does not match the expected one ["+expectedState+"]");
+            LOGGER.info("state parameter value ["+state+"] does not match the expected one ["+expectedState+"]");
             return HttpResponses.redirectToContextRoot();
         }
 
@@ -445,7 +445,7 @@ public HttpResponse doFinishLogin(StaplerRequest request)
             // or modifications in organizations will be not reflected when using API Token, due to that caching
             // SecurityListener.fireLoggedIn(self.getLogin());
         } else {
-            Log.info("Github did not return an access token.");
+            LOGGER.info("Github did not return an access token.");
         }
 
         if (referer!=null)  return HttpResponses.redirectTo(referer);
@@ -458,7 +458,7 @@ private String getAccessToken(@Nonnull String code) throws IOException {
         try (CloseableHttpClient httpClient = HttpClients.createDefault()) {
             HttpPost httpost = new HttpPost(githubWebUri
                     + "/login/oauth/access_token?" + "client_id=" + clientID + "&"
-                    + "client_secret=" + clientSecret + "&" + "code=" + code);
+                    + "client_secret=" + clientSecret.getPlainText() + "&" + "code=" + code);
             HttpHost proxy = getProxy(httpost);
             if (proxy != null) {
                 RequestConfig requestConfig = RequestConfig.custom().setProxy(proxy).build();
@@ -693,17 +693,17 @@ public UserDetails loadUserByUsername(String username)
 
         Authentication token = SecurityContextHolder.getContext().getAuthentication();
 
-        if (token == null || !username.equals(token.getPrincipal())) {
-            if(localUser != null && GithubSecretStorage.contains(localUser)){
+        try {
+            if(localUser != null && GithubSecretStorage.contains(localUser)) {
                 String accessToken = GithubSecretStorage.retrieve(localUser);
-                try {
-                    token = new GithubAuthenticationToken(accessToken, getGithubApiUri());
-                } catch (IOException e) {
-                    throw new UserMayOrMayNotExistException("Could not connect to GitHub API server, target URL = " + getGithubApiUri(), e);
-                }
-                SecurityContextHolder.getContext().setAuthentication(token);
-            }else{
-                throw new UserMayOrMayNotExistException("Could not get auth token.");
+                token = new GithubAuthenticationToken(accessToken, getGithubApiUri());
+            }
+        } catch(IOException | UsernameNotFoundException e) {
+            if(e instanceof IOException) {
+                throw new UserMayOrMayNotExistException("Could not connect to GitHub API server, target URL = " + getGithubApiUri(), e);
+            } else {
+                // user not found so continuing normally re-using the current context holder
+                LOGGER.log(Level.FINE, "Attempted to impersonate " + username + " but token in user property was invalid.");
             }
         }
 
@@ -725,8 +725,9 @@ public UserDetails loadUserByUsername(String username)
 
         try {
             GithubOAuthUserDetails userDetails = authToken.getUserDetails(username);
-            if (userDetails == null)
+            if (userDetails == null) {
                 throw new UsernameNotFoundException("Unknown user: " + username);
+            }
 
             // Check the username is not an homonym of an organization
             GHOrganization ghOrg = authToken.loadOrganization(username);
