Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
[FIXED JENKINS-9094] "Remember me" doesn't work with PAM
  • Loading branch information
kohsuke committed Apr 7, 2011
1 parent c7febe6 commit 531b86f
Show file tree
Hide file tree
Showing 4 changed files with 64 additions and 9 deletions.
13 changes: 13 additions & 0 deletions changelog.html
Expand Up @@ -64,6 +64,19 @@
<li class=bug>
When both "block build when upstream/downstream is building" are checked, the upstream block check wasn't taking effect.
(<a href="http://issues.jenkins-ci.org/browse/JENKINS-8968">issue 8968</a>)
<li class=bug>
A project aggregating tests without any tests itself should now link properly
to latest aggregated results, rather than broken link to non-existent test
results.
<li class=bug>
Initial position of the "build time" timeline was off by one day
(<a href="http://issues.jenkins-ci.org/browse/JENKINS-8865">issue 8865</a>)
<li class=bug>
Build list tables had "Date" as column label, but actual content of the column was "Time Since".
(<a href="http://issues.jenkins-ci.org/browse/JENKINS-9102">issue 9102</a>)
<li class=bug>
PAM authentication fails to restore group membership information on "remember me" tokens.
(<a href="http://issues.jenkins-ci.org/browse/JENKINS-9094">issue 9094</a>)
<li class=rfe>
Added the <tt>--mimeTypes</tt> command line option to define additional MIME type mappings.
<li class=rfe>
Expand Down
2 changes: 1 addition & 1 deletion core/pom.xml
Expand Up @@ -763,7 +763,7 @@ THE SOFTWARE.
<dependency>
<groupId>org.jvnet.libpam4j</groupId>
<artifactId>libpam4j</artifactId>
<version>1.2</version>
<version>1.4</version>
</dependency>
<dependency>
<groupId>org.jvnet.libzfs</groupId>
Expand Down
26 changes: 18 additions & 8 deletions core/src/main/java/hudson/security/PAMSecurityRealm.java
Expand Up @@ -88,11 +88,7 @@ public Authentication authenticate(Authentication authentication) throws Authent

try {
UnixUser u = new PAM(serviceName).authenticate(username, password);
Set<String> grps = u.getGroups();
GrantedAuthority[] groups = new GrantedAuthority[grps.size()];
int i=0;
for (String g : grps)
groups[i++] = new GrantedAuthorityImpl(g);
GrantedAuthority[] groups = toAuthorities(u);

// I never understood why Acegi insists on keeping the password...
return new UsernamePasswordAuthenticationToken(username, password, groups);
Expand All @@ -119,14 +115,28 @@ public SecurityComponents createSecurityComponents() {
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
if(!UnixUser.exists(username))
throw new UsernameNotFoundException("No such Unix user: "+username);
// return some dummy instance
return new User(username,"",true,true,true,true,
new GrantedAuthority[]{AUTHENTICATED_AUTHORITY});
try {
UnixUser uu = new UnixUser(username);
// return some dummy instance
return new User(username,"",true,true,true,true, toAuthorities(uu));
} catch (PAMException e) {
throw new UsernameNotFoundException("Failed to load information about Unix user "+username,e);
}
}
}
);
}

private static GrantedAuthority[] toAuthorities(UnixUser u) {
Set<String> grps = u.getGroups();
GrantedAuthority[] groups = new GrantedAuthority[grps.size()+1];
int i=0;
for (String g : grps)
groups[i++] = new GrantedAuthorityImpl(g);
groups[i++] = AUTHENTICATED_AUTHORITY;
return groups;
}

@Override
public GroupDetails loadGroupByGroupname(final String groupname) throws UsernameNotFoundException, DataAccessException {
if(CLibrary.libc.getgrnam(groupname)==null)
Expand Down
32 changes: 32 additions & 0 deletions test/src/test/java/hudson/security/PAMSecurityRealmTest.java
@@ -0,0 +1,32 @@
package hudson.security;

import hudson.Functions;
import hudson.security.SecurityRealm.SecurityComponents;
import org.acegisecurity.userdetails.UsernameNotFoundException;
import org.jvnet.hudson.test.HudsonTestCase;

import java.util.Arrays;

import static hudson.util.jna.GNUCLibrary.*;

/**
* @author Kohsuke Kawaguchi
*/
public class PAMSecurityRealmTest extends HudsonTestCase {
public void testLoadUsers() {
if (Functions.isWindows()) return; // skip on Windows

SecurityComponents sc = new PAMSecurityRealm("sshd").getSecurityComponents();

try {
sc.userDetails.loadUserByUsername("bogus-bogus-bogus");
fail("no such user");
} catch (UsernameNotFoundException e) {
// expected
}

String name = LIBC.getpwuid(LIBC.geteuid()).pw_name;

System.out.println(Arrays.asList(sc.userDetails.loadUserByUsername(name).getAuthorities()));
}
}

0 comments on commit 531b86f

Please sign in to comment.