[FIXED JENKINS-21374] Allow disabling ROLE_ creation

jenkinsci · Mar 28, 2017 · 3d556a3 · 3d556a3
1 parent 4e7237f
commit 3d556a3
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 0 deletions.
diff --git a/src/main/java/hudson/security/LDAPSecurityRealm.java b/src/main/java/hudson/security/LDAPSecurityRealm.java
@@ -102,6 +102,7 @@
 import org.apache.commons.io.input.AutoCloseInputStream;
 import org.apache.commons.lang.StringUtils;
 import org.kohsuke.stapler.DataBoundConstructor;
+import org.kohsuke.stapler.DataBoundSetter;
 import org.kohsuke.stapler.QueryParameter;
 import org.kohsuke.stapler.StaplerRequest;
 import org.kohsuke.stapler.interceptor.RequirePOST;
@@ -403,6 +404,8 @@ group target (CN is a reasonable default)
 
     private final IdStrategy groupIdStrategy;
 
+    private boolean disableRolePrefixing;
+
     /**
      * @deprecated retained for backwards binary compatibility.
      */
@@ -497,6 +500,15 @@ public LDAPSecurityRealm(String server, String rootDN, String userSearchBase, St
         this.groupIdStrategy = groupIdStrategy == null ? IdStrategy.CASE_INSENSITIVE : groupIdStrategy;
     }
 
+    public boolean isDisableRolePrefixing() {
+        return disableRolePrefixing;
+    }
+
+    @DataBoundSetter
+    public void setDisableRolePrefixing(boolean disableRolePrefixing) {
+        this.disableRolePrefixing = disableRolePrefixing;
+    }
+
     private Object readResolve() {
         if (managerPassword != null) {
             managerPasswordSecret = Secret.fromString(Scrambler.descramble(managerPassword));

diff --git a/src/main/resources/hudson/security/LDAPBindSecurityRealm.groovy b/src/main/resources/hudson/security/LDAPBindSecurityRealm.groovy
@@ -69,6 +69,10 @@ authoritiesPopulator(AuthoritiesPopulatorImpl, initialDirContextFactory, instanc
     // see DefaultLdapAuthoritiesPopulator for other possible configurations
     searchSubtree = true;
     groupSearchFilter = "(| (member={0}) (uniqueMember={0}) (memberUid={1}))";
+    if (instance.disableRolePrefixing) {
+        rolePrefix = "";
+        convertToUpperCase = false;
+    }
 }
 
 authenticationManager(ProviderManager) {

diff --git a/src/main/resources/hudson/security/LDAPSecurityRealm/config.jelly b/src/main/resources/hudson/security/LDAPSecurityRealm/config.jelly
@@ -80,6 +80,9 @@ THE SOFTWARE.
         <f:entry field="disableMailAddressResolver">
             <f:checkbox title="${%Disable Ldap Email Resolver}"/>
         </f:entry>
+        <f:entry field="disableRolePrefixing" help="/plugin/ldap/help-disableRolePrefixing.html">
+            <f:checkbox default="true" title="${%Disable Backward Compatibility for Roles}"/>
+        </f:entry>
         <f:optionalProperty field="cache" title="${%Enable cache}"/>
         <f:entry field="environmentProperties" title="${%Environment Properties}">
             <!-- TODO JENKINS-22910 must repeat the field attr: -->

diff --git a/src/main/resources/hudson/security/LDAPSecurityRealm/help-disableRolePrefixing.html b/src/main/resources/hudson/security/LDAPSecurityRealm/help-disableRolePrefixing.html
@@ -0,0 +1,6 @@
+<div>
+    For backwards compatibility reasons, the LDAP plugin will create a role <code>ROLE_FOO</code> for every role/group
+    <code>Foo</code> of a user by default.
+    If you're not using these <code>ROLE_*</code> roles in your security configuration and don't want this duplication
+    of roles, you can check this option so they'll no longer be created.
+</div>