[FIXED JENKINS-9792]

OpenID plugin shouldn'd require global read access for authenticating users
jenkinsci · Nov 27, 2013 · 64ec740 · 64ec740
1 parent 967c3fa
commit 64ec740
Show file tree

Hide file tree

Showing 4 changed files with 94 additions and 24 deletions.
diff --git a/src/main/java/hudson/plugins/openid/StaticResourceServer.java b/src/main/java/hudson/plugins/openid/StaticResourceServer.java
@@ -0,0 +1,35 @@
+package hudson.plugins.openid;
+
+import hudson.Extension;
+import hudson.model.UnprotectedRootAction;
+import jenkins.model.Jenkins;
+import org.kohsuke.stapler.StaplerRequest;
+import org.kohsuke.stapler.StaplerResponse;
+
+import javax.servlet.ServletException;
+import java.io.IOException;
+
+/**
+ * Serve static resources even when the user doesn't have read access, as in prior to the login.
+ *
+ * @author Kohsuke Kawaguchi
+ */
+@Extension
+public class StaticResourceServer implements UnprotectedRootAction {
+    public String getIconFileName() {
+        return null;
+    }
+
+    public String getDisplayName() {
+        return null;
+    }
+
+    public String getUrlName() {
+        return "openid-assets";
+    }
+
+    // serve static resources
+    public void doDynamic(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
+        Jenkins.getInstance().getPlugin("openid").doDynamic(req,rsp);
+    }
+}
diff --git a/src/main/resources/hudson/plugins/openid/OpenIdLoginService/_openid-form-body.jelly b/src/main/resources/hudson/plugins/openid/OpenIdLoginService/_openid-form-body.jelly
@@ -1,8 +1,8 @@
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
   <div>
-    <link type="text/css" rel="stylesheet" href="${rootURL}/plugin/openid/openid.css"/>
-    <script type="text/javascript" src="${rootURL}/plugin/openid//openid-prototype.js"/>
-    <script type="text/javascript" src="${rootURL}/plugin/openid//openid-en.js"/>
+    <link type="text/css" rel="stylesheet" href="${resURL}/openid-assets/openid.css"/>
+    <script type="text/javascript" src="${resURL}/openid-assets/openid-prototype.js"/>
+    <script type="text/javascript" src="${resURL}/openid-assets/openid-en.js"/>
 
     <div id="openid_choice">
       <p>Please click your account provider:</p>
@@ -14,7 +14,7 @@
     </div>
     <script>
       Behaviour.addLoadEvent(function() {
-        openid.img_path = '${rootURL}/plugin/openid/';
+        openid.img_path = '${resURL}/openid-assets/';
         openid.signin_text = "${%Login}";
         openid.init('openid');
         // makeButton($('openid_submit'),openid.submit);

diff --git a/src/main/resources/hudson/plugins/openid/OpenIdLoginService/loginFragment.jelly b/src/main/resources/hudson/plugins/openid/OpenIdLoginService/loginFragment.jelly
@@ -30,7 +30,7 @@ THE SOFTWARE.
       <style>
         #login-with-openid button {
           padding-left:26px;
-          background: url('${rootURL}/plugin/openid/openid.png') 5px center no-repeat;
+          background: url('${resURL}/openid-assets/openid.png') 5px center no-repeat;
         }
       </style>
     </form>

diff --git a/src/test/java/hudson/plugins/openid/OpenIdLoginServiceTest.java b/src/test/java/hudson/plugins/openid/OpenIdLoginServiceTest.java
@@ -29,7 +29,12 @@
 import com.google.common.collect.Lists;
 import com.google.common.collect.Sets;
 import hudson.model.User;
+import hudson.security.GlobalMatrixAuthorizationStrategy;
 import hudson.security.HudsonPrivateSecurityRealm;
+import jenkins.model.Jenkins;
+import org.jvnet.hudson.test.Bug;
+
+import java.io.IOException;
 import java.util.List;
 
 import static hudson.plugins.openid.OpenIdTestService.*;
@@ -38,41 +43,60 @@
  * @author Paul Sandoz
  */
 public class OpenIdLoginServiceTest extends OpenIdTestCase {
+    HudsonPrivateSecurityRealm realm;
 
-    public void testAssociateThenLogoutThenLogInWithOpenID() throws Exception {
-        openid = new OpenIdTestService(
-                getServiceUrl(),
-                getProps(),
-                Sets.newHashSet("foo", "bar"),
-                Lists.newArrayList(SREG_EXTENSION, AX_EXTENSION, TEAM_EXTENSION));
+    @Override
+    public void setUp() throws Exception {
+        super.setUp();
+        realm = new HudsonPrivateSecurityRealm(false, false, null);
+    }
 
-        HudsonPrivateSecurityRealm realm = new HudsonPrivateSecurityRealm(false);
+    @Bug(9792)
+    public void testLoginWithoutReadAccess() throws Exception {
+        openid = createServer();
+
+        jenkins.setSecurityRealm(realm);
+        User u = realm.createAccount("aliceW", "aliceW");
+        associateUserWithOpenId(u);
+
+        // configure Jenkins to allow no access at all without login
+        GlobalMatrixAuthorizationStrategy s = new GlobalMatrixAuthorizationStrategy();
+        s.add(Jenkins.ADMINISTER,"authenticated");
+        jenkins.setAuthorizationStrategy(s);
+
+        // try to login
+        login(new WebClient());
+    }
+
+    public void testAssociateThenLogoutThenLogInWithOpenID() throws Exception {
+        openid = createServer();
         hudson.setSecurityRealm(realm);
         User u = realm.createAccount("aliceW", "aliceW");
+        associateUserWithOpenId(u);
+
+        // Re-login
+        login(new WebClient());
+    }
 
-        WebClient wc = new WebClient().login("aliceW", "aliceW");
+    /**
+     * Associates the OpenID identity of the user with {@link #realm}.
+     */
+    private void associateUserWithOpenId(User u) throws Exception {
+        WebClient wc = new WebClient().login(u.getId(), u.getId()/*assumes password==name*/);
 
         // Associate an OpenID with an existing user
         HtmlPage associated = wc.goTo("federatedLoginService/openid/startAssociate?openid=" + openid.url);
         assertTrue(associated.getDocumentURI().endsWith("federatedLoginService/openid/onAssociationSuccess"));
         OpenIdUserProperty p = u.getProperty(OpenIdUserProperty.class);
         assertEquals(1, p.getIdentifiers().size());
         assertEquals(openid.getUserIdentity(), p.getIdentifiers().iterator().next());
-
-        wc.goTo("logout");
-
-        // Re-login
-        login(wc);
     }
 
     public void testLogInWithOpenIDAndSignUp() throws Exception {
-        openid = new OpenIdTestService(
-                getServiceUrl(),
-                getProps(),
-                Sets.newHashSet("foo", "bar"),
-                Lists.newArrayList(SREG_EXTENSION, AX_EXTENSION, TEAM_EXTENSION));
+        openid = createServer();
 
-        hudson.setSecurityRealm(new HudsonPrivateSecurityRealm(true));
+        realm = new HudsonPrivateSecurityRealm(true);
+        hudson.setSecurityRealm(realm);
 
         WebClient wc = new WebClient();
         // Workaround failing ajax requests to build queue
@@ -100,6 +124,17 @@ public void testLogInWithOpenIDAndSignUp() throws Exception {
         login(wc);
     }
 
+    /**
+     * Creates a OpenID server.
+     */
+    private OpenIdTestService createServer() throws IOException {
+        return new OpenIdTestService(
+                getServiceUrl(),
+                getProps(),
+                Sets.newHashSet("foo", "bar"),
+                Lists.newArrayList(SREG_EXTENSION, AX_EXTENSION, TEAM_EXTENSION));
+    }
+
     private void login(WebClient wc) throws Exception {
         HtmlPage login = wc.goTo("federatedLoginService/openid/login?from=/");
         login.getDocumentElement().getOneHtmlElementByAttribute("a", "title", "log in with OpenID").click();