Add support for CAS 3.0 protocol (JENKINS-37512)

jenkinsci · Oct 16, 2016 · 659e358 · 659e358
1 parent bbae739
commit 659e358
Show file tree

Hide file tree

Showing 10 changed files with 141 additions and 0 deletions.
diff --git a/src/main/java/org/jenkinsci/plugins/cas/protocols/Cas30Protocol.java b/src/main/java/org/jenkinsci/plugins/cas/protocols/Cas30Protocol.java
@@ -0,0 +1,64 @@
+package org.jenkinsci.plugins.cas.protocols;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.commons.lang.StringUtils;
+import org.jasig.cas.client.validation.Cas30ProxyTicketValidator;
+import org.jasig.cas.client.validation.Cas30ServiceTicketValidator;
+import org.jasig.cas.client.validation.ProxyList;
+import org.jasig.cas.client.validation.TicketValidator;
+import org.jenkinsci.plugins.cas.CasProtocol;
+import org.kohsuke.stapler.DataBoundConstructor;
+
+import hudson.Extension;
+import hudson.Util;
+import hudson.model.Descriptor;
+
+/**
+ * CAS 3.0 protocol support.
+ * 
+ * @author Fabien Crespel <fabien@crespel.net>
+ */
+public class Cas30Protocol extends CasProtocol {
+
+	public final Boolean proxyEnabled;
+	public final Boolean proxyAllowAny;
+	public final String proxyAllowList;
+
+	@DataBoundConstructor
+	public Cas30Protocol(String authoritiesAttribute, String fullNameAttribute, String emailAttribute, Boolean proxyEnabled, Boolean proxyAllowAny, String proxyAllowList) {
+		this.authoritiesAttribute = Util.fixEmptyAndTrim(authoritiesAttribute);
+		this.fullNameAttribute = Util.fixEmptyAndTrim(fullNameAttribute);
+		this.emailAttribute = Util.fixEmptyAndTrim(emailAttribute);
+		this.proxyEnabled = proxyEnabled;
+		this.proxyAllowAny = proxyAllowAny;
+		this.proxyAllowList = proxyAllowList;
+	}
+
+	@Override
+	public TicketValidator createTicketValidator(String casServerUrl) {
+		if (this.proxyEnabled != null && this.proxyEnabled) {
+			Cas30ProxyTicketValidator ptv = new Cas30ProxyTicketValidator(casServerUrl);
+			ptv.setAcceptAnyProxy(this.proxyAllowAny);
+			String[] proxyChain = StringUtils.split(this.proxyAllowList, '\n');
+			if (proxyChain != null && proxyChain.length > 0) {
+				List<String[]> proxyList = new ArrayList<String[]>(1);
+				proxyList.add(proxyChain);
+				ptv.setAllowedProxyChains(new ProxyList(proxyList));
+			}
+			return ptv;
+		} else {
+			return new Cas30ServiceTicketValidator(casServerUrl);
+		}
+	}
+
+	@Extension
+	public static final class DescriptorImpl extends Descriptor<CasProtocol> {
+		@Override
+		public String getDisplayName() {
+			return "CAS 3.0";
+		}
+	}
+
+}
diff --git a/src/main/resources/org/jenkinsci/plugins/cas/protocols/Cas30Protocol/config.jelly b/src/main/resources/org/jenkinsci/plugins/cas/protocols/Cas30Protocol/config.jelly
@@ -0,0 +1,32 @@
+<?jelly escape-by-default='true'?>
+<j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
+  <f:block>
+    <table>
+      <f:description>${%description("https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol-Specification.html", "https://apereo.github.io/cas/4.2.x/integration/Attribute-Release.html")}</f:description>
+    </table>
+  </f:block>
+  <f:advanced>
+    <f:entry title="${%authoritiesAttribute}" field="authoritiesAttribute">
+      <f:textbox default="groups,roles" />
+    </f:entry>
+    <f:entry title="${%fullNameAttribute}" field="fullNameAttribute">
+      <f:textbox default="cn" />
+    </f:entry>
+    <f:entry title="${%emailAttribute}" field="emailAttribute">
+      <f:textbox default="mail" />
+    </f:entry>
+    <f:entry title="${%proxySettings}">
+      <table>
+        <f:optionalBlock title="${%proxyEnabled}" field="proxyEnabled" inline="true">
+          <f:radioBlock title="${%proxyAllowAny}" name="proxyAllowAny" value="true" checked="${instance.proxyAllowAny}" inline="true" />
+          <f:radioBlock title="${%proxyAllowList}" name="proxyAllowAny" value="false" checked="${!instance.proxyAllowAny}" inline="true">
+            <f:description>${%proxyAllowListDescription}</f:description>
+            <f:entry field="proxyAllowList">
+              <f:textarea />
+            </f:entry>
+          </f:radioBlock>
+        </f:optionalBlock>
+      </table>
+    </f:entry>
+  </f:advanced>
+</j:jelly>
diff --git a/src/main/resources/org/jenkinsci/plugins/cas/protocols/Cas30Protocol/config.properties b/src/main/resources/org/jenkinsci/plugins/cas/protocols/Cas30Protocol/config.properties
@@ -0,0 +1,9 @@
+description=<a href="{0}">CAS 3.0</a> is a XML-based protocol. It fully supports <a href="{1}">attributes</a> out-of-the-box, without requiring custom extensions.
+authoritiesAttribute=Roles Attribute(s)
+fullNameAttribute=Full Name Attribute
+emailAttribute=Email Attribute
+proxySettings=Proxy Settings
+proxyEnabled=Accept Proxy Tickets
+proxyAllowAny=Allow any proxy
+proxyAllowList=Allow a specific proxy chain
+proxyAllowListDescription=Enter one proxy URL per line, in the required traversal order
diff --git a/src/main/resources/org/jenkinsci/plugins/cas/protocols/Cas30Protocol/config_fr.properties b/src/main/resources/org/jenkinsci/plugins/cas/protocols/Cas30Protocol/config_fr.properties
@@ -0,0 +1,9 @@
+description=<a href="{0}">CAS 3.0</a> est un protocole basé sur XML. Il supporte directement les <a href="{1}">attributs</a> sans nécessiter d''extension spécifique.
+authoritiesAttribute=Attribut(s) des rôles
+fullNameAttribute=Attribut du nom complet
+emailAttribute=Attribut de l''adresse e-mail
+proxySettings=Paramètres de Proxy
+proxyEnabled=Accepter les Proxy Tickets
+proxyAllowAny=Autoriser n''importe quel proxy
+proxyAllowList=Autoriser une chaine de proxies spécifique
+proxyAllowListDescription=Entrez une URL de proxy par ligne, dans l''ordre de traversée requis
diff --git a/...esources/org/jenkinsci/plugins/cas/protocols/Cas30Protocol/help-authoritiesAttribute.html b/...esources/org/jenkinsci/plugins/cas/protocols/Cas30Protocol/help-authoritiesAttribute.html
@@ -0,0 +1,4 @@
+<div>
+    Attribute(s) holding the authorities (groups, roles, etc.) the user belongs to.
+    Multiple values should be separated with commas (e.g. 'groups,roles').
+</div>
diff --git a/...main/resources/org/jenkinsci/plugins/cas/protocols/Cas30Protocol/help-emailAttribute.html b/...main/resources/org/jenkinsci/plugins/cas/protocols/Cas30Protocol/help-emailAttribute.html
@@ -0,0 +1,3 @@
+<div>
+    Attribute holding the user's email address.
+</div>
diff --git a/...n/resources/org/jenkinsci/plugins/cas/protocols/Cas30Protocol/help-fullNameAttribute.html b/...n/resources/org/jenkinsci/plugins/cas/protocols/Cas30Protocol/help-fullNameAttribute.html
@@ -0,0 +1,3 @@
+<div>
+    Attribute holding the user's full name.
+</div>
diff --git a/src/main/resources/org/jenkinsci/plugins/cas/protocols/Cas30Protocol/help-proxyAllowAny.html b/src/main/resources/org/jenkinsci/plugins/cas/protocols/Cas30Protocol/help-proxyAllowAny.html
@@ -0,0 +1,3 @@
+<div>
+    When checked, the chain of proxy servers that eventually generated the Proxy Ticket will not be validated.
+</div>
diff --git a/...main/resources/org/jenkinsci/plugins/cas/protocols/Cas30Protocol/help-proxyAllowList.html b/...main/resources/org/jenkinsci/plugins/cas/protocols/Cas30Protocol/help-proxyAllowList.html
@@ -0,0 +1,7 @@
+<div>
+    Enter the exact proxy chain (one proxy URL per line) the Proxy Ticket must have gone through to be accepted.
+
+    <p>
+    Such validation can be necessary to ensure that only certain approved proxies may programmatically authenticate
+    on Jenkins on behalf of a user.
+</div>
diff --git a/src/main/resources/org/jenkinsci/plugins/cas/protocols/Cas30Protocol/help-proxyEnabled.html b/src/main/resources/org/jenkinsci/plugins/cas/protocols/Cas30Protocol/help-proxyEnabled.html
@@ -0,0 +1,7 @@
+<div>
+    When checked, Proxy Tickets will be validated in addition to standard Service Tickets.
+
+    <p>
+    Proxy Tickets can be thought of as a secure alternative to <a href="https://wiki.jenkins-ci.org/display/JENKINS/Authenticating+scripted+clients">
+    API Tokens</a> when external applications need to access Jenkins and already make use of CAS for their own authentication.
+</div>