[JENKINS-22247] Provide an extension point to define user id case sen…

…sitivity contract * Fix up bad merge
jenkinsci · Apr 14, 2014 · 7459ac0 · 7459ac0
1 parent a018bba
commit 7459ac0
Showing 1 changed file with 18 additions and 6 deletions.
diff --git a/core/src/main/java/hudson/model/User.java b/core/src/main/java/hudson/model/User.java
@@ -253,19 +253,31 @@ public <T extends UserProperty> T getProperty(Class<T> clazz) {
 
     /**
      * Creates an {@link Authentication} object that represents this user.
-     * 
+     *
+     * This method checks with {@link SecurityRealm} if the user is a valid user that can login to the security realm.
+     * If {@link SecurityRealm} is a kind that does not support querying information about other users, this will
+     * use {@link LastGrantedAuthoritiesProperty} to pick up the granted authorities as of the last time the user has
+     * logged in.
+     *
+     * @throws UsernameNotFoundException
+     *      If this user is not a valid user in the backend {@link SecurityRealm}.
      * @since 1.419
      */
-    public Authentication impersonate() {
+    public Authentication impersonate() throws UsernameNotFoundException {
         try {
-            UserDetails u = Jenkins.getInstance().getSecurityRealm().loadUserByUsername(id);
+            UserDetails u = new ImpersonatingUserDetailsService(
+                    Jenkins.getInstance().getSecurityRealm().getSecurityComponents().userDetails).loadUserByUsername(id);
             return new UsernamePasswordAuthenticationToken(u.getUsername(), "", u.getAuthorities());
+        } catch (UserMayOrMayNotExistException e) {
+            // backend can't load information about other users. so use the stored information if available
         } catch (UsernameNotFoundException e) {
-            // ignore
+            // if the user no longer exists in the backend, we need to refuse impersonating this user
+            throw e;
         } catch (DataAccessException e) {
-            // ignore
+            // seems like it's in the same boat as UserMayOrMayNotExistException
         }
-        // TODO: use the stored GrantedAuthorities
+
+        // seems like a legitimate user we have no idea about. proceed with minimum access
         return new UsernamePasswordAuthenticationToken(id, "",
             new GrantedAuthority[]{SecurityRealm.AUTHENTICATED_AUTHORITY});
     }