[JENKINS-44489] fixed logout when the plugin is configured to allow R…

…EAD permission for Authenticated, but not Anonymous users.
jenkinsci · Dec 18, 2017 · 987608a · 987608a
1 parent 4bdd977
commit 987608a
Show file tree

Hide file tree

Showing 3 changed files with 138 additions and 0 deletions.
diff --git a/src/main/java/org/jenkinsci/plugins/GitLabLogoutAction.java b/src/main/java/org/jenkinsci/plugins/GitLabLogoutAction.java
@@ -0,0 +1,84 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2016 CloudBees, Inc., James Nord, Sam Gleske, Mohamed EL HABIB
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package org.jenkinsci.plugins;
+
+import hudson.Extension;
+import hudson.model.UnprotectedRootAction;
+import hudson.security.SecurityRealm;
+import jenkins.model.Jenkins;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
+
+/**
+ * A page that shows a simple message when the user logs out.
+ * This prevents a logout / login loop when using this security realm and Anonymous does not have {@code Overall.READ} permission.
+ */
+@Extension
+public class GitLabLogoutAction implements UnprotectedRootAction {
+
+    /** The URL of the action. */
+    static final String POST_LOGOUT_URL = "gitlabLogout";
+
+    @Override
+    public String getDisplayName() {
+        return "Gitlab Logout";
+    }
+
+    @Override
+    public String getIconFileName() {
+        // hide it
+        return null;
+    }
+
+    @Override
+    public String getUrlName() {
+        return POST_LOGOUT_URL;
+    }
+
+    @Restricted(NoExternalUse.class) // jelly only
+    public String getGitLabURL() {
+        Jenkins j = Jenkins.getInstance();
+        assert j != null;
+        SecurityRealm r = j.getSecurityRealm();
+        if (r instanceof GitLabSecurityRealm) {
+            GitLabSecurityRealm glsr = (GitLabSecurityRealm) r;
+            return glsr.getGitlabWebUri();
+        }
+        // only called from the Jelly if the GithubSecurityRealm is set...
+        return "";
+    }
+
+    @Restricted(NoExternalUse.class) // jelly only
+    public String getGitLabText() {
+        Jenkins j = Jenkins.getInstance();
+        assert j != null;
+        SecurityRealm r = j.getSecurityRealm();
+        if (r instanceof GitLabSecurityRealm) {
+            GitLabSecurityRealm glsr = (GitLabSecurityRealm) r;
+            return "GitLab";
+        }
+        // only called from the Jelly if the GitLabSecurityRealm is set...
+        return "";
+    }
+}
diff --git a/src/main/java/org/jenkinsci/plugins/GitLabSecurityRealm.java b/src/main/java/org/jenkinsci/plugins/GitLabSecurityRealm.java
@@ -435,6 +435,18 @@ public String getLoginUrl() {
 		return "securityRealm/commenceLogin";
 	}
 
+	@Override
+	protected String getPostLogOutUrl(StaplerRequest req, Authentication auth) {
+		// if we just redirect to the root and anonymous does not have Overall read then we will start a login all over again.
+		// we are actually anonymous here as the security context has been cleared
+		Jenkins jenkins = Jenkins.getInstance();
+		assert jenkins != null;
+		if (jenkins.hasPermission(Jenkins.READ)) {
+			return super.getPostLogOutUrl(req, auth);
+		}
+		return req.getContextPath()+ "/" + GitLabLogoutAction.POST_LOGOUT_URL;
+	}
+
 	@Extension
 	public static final class DescriptorImpl extends Descriptor<SecurityRealm> {
 

diff --git a/src/main/resources/org/jenkinsci/plugins/GitLabLogoutAction/index.jelly b/src/main/resources/org/jenkinsci/plugins/GitLabLogoutAction/index.jelly
@@ -0,0 +1,42 @@
+<!--
+ The MIT License
+
+ Copyright (c) 2016 CloudBees, Inc., James Nord, Sam Gleske
+
+ Permission is hereby granted, free of charge, to any person obtaining a copy
+ of this software and associated documentation files (the "Software"), to deal
+ in the Software without restriction, including without limitation the rights
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ copies of the Software, and to permit persons to whom the Software is
+ furnished to do so, subject to the following conditions:
+
+ The above copyright notice and this permission notice shall be included in
+ all copies or substantial portions of the Software.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ THE SOFTWARE.
+ */
+-->
+<?jelly escape-by-default='true'?>
+<j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form" xmlns:i="jelly:fmt">
+  <l:layout norefresh="true">
+    <l:main-panel>
+      <j:choose>
+        <j:when test="${h.isAnonymous()}">
+          <p>You are now logged out of Jenkins.  However, you have not been logged out of <a href="${it.gitLabURL}">${it.gitLabText}</a>.</p>
+          <p>Have a nice day!</p>
+        </j:when>
+        <j:otherwise>
+          <h2>Whoa there...</h2>
+          <p>You are not logged out - don't run away!</p>
+          <p>Whilst you should have been logged out, you are not actually logged out.  Press the logout button to try logging out again.</p>
+        </j:otherwise>
+      </j:choose>
+    </l:main-panel>
+  </l:layout>
+</j:jelly>