[JENKINS-37311] make the logout button works (#19)

[FIX JENKINS-37311] make the logout button works
jenkinsci · Mar 14, 2017 · d47d2c1 · d47d2c1
1 parent 0887ae3
commit d47d2c1
Show file tree

Hide file tree

Showing 3 changed files with 141 additions and 0 deletions.
diff --git a/src/main/java/org/jenkinsci/plugins/saml/SamlLogoutAction.java b/src/main/java/org/jenkinsci/plugins/saml/SamlLogoutAction.java
@@ -0,0 +1,71 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2016 CloudBees, Inc., James Nord
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package org.jenkinsci.plugins.saml;
+
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
+
+import hudson.Extension;
+import hudson.model.UnprotectedRootAction;
+import hudson.security.SecurityRealm;
+import jenkins.model.Jenkins;
+
+/**
+ * A page that shows a simple message when the user logs out.
+ * This prevents a logout - login loop when using this security realm and Anonymous does not have {@code Overall.READ} permission.
+ */
+@Extension
+public class SamlLogoutAction implements UnprotectedRootAction {
+
+    /** The URL of the action. */
+    static final String POST_LOGOUT_URL = "samlLogout";
+
+    @Override
+    public String getDisplayName() {
+        return "SAML Logout";
+    }
+
+    @Override
+    public String getIconFileName() {
+        // hide it
+        return null;
+    }
+
+    @Override
+    public String getUrlName() {
+        return POST_LOGOUT_URL;
+    }
+
+    @Restricted(NoExternalUse.class) // jelly only
+    public String getSamlURL() {
+        SecurityRealm r = Jenkins.getActiveInstance().getSecurityRealm();
+        if (r instanceof SamlSecurityRealm) {
+            SamlSecurityRealm smlsr = (SamlSecurityRealm) r;
+            return smlsr.getIdpMetadata();
+        }
+        // only called from the Jelly if the SamlSecurityRealm is set...
+        return "";
+    }
+
+}
diff --git a/src/main/java/org/jenkinsci/plugins/saml/SamlSecurityRealm.java b/src/main/java/org/jenkinsci/plugins/saml/SamlSecurityRealm.java
@@ -39,6 +39,7 @@
 import org.pac4j.saml.credentials.Saml2Credentials;
 import org.pac4j.saml.profile.Saml2Profile;
 
+import javax.annotation.Nonnull;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.List;
@@ -289,6 +290,29 @@ private Saml2Client newClient() {
     return client;
   }
 
+  /**
+   * @see SecurityRealm#getPostLogOutUrl
+   * Note: It does not call the logout service on SAML because the library does not implement it on this version,
+   * it will be done when we upgrade the library.
+   */
+  @Override
+  protected String getPostLogOutUrl(StaplerRequest req,@Nonnull Authentication auth) {
+    LOG.log(Level.FINE,"Doing Logout {}",auth.getPrincipal());
+    // if we just redirect to the root and anonymous does not have Overall read then we will start a login all over again.
+    // we are actually anonymous here as the security context has been cleared
+    if (Jenkins.getActiveInstance().hasPermission(Jenkins.READ)) {
+        return super.getPostLogOutUrl(req, auth);
+    }
+    return req.getContextPath()+ "/" + SamlLogoutAction.POST_LOGOUT_URL;
+  }
+
+  @Override
+  public void doLogout(StaplerRequest req, StaplerResponse rsp) throws IOException, javax.servlet.ServletException {
+    super.doLogout(req,rsp);
+      LOG.log(Level.FINEST,"Here we could do the SAML Single Logout");
+      //TODO JENKINS-42448
+  }
+
   private String baseUrl() {
     return Jenkins.getActiveInstance().getRootUrl();
   }

diff --git a/src/main/resources/org.jenkinsci.plugins.saml.SamlLogoutAction/index.jelly b/src/main/resources/org.jenkinsci.plugins.saml.SamlLogoutAction/index.jelly
@@ -0,0 +1,46 @@
+<!--
+         The MIT License
+
+         Copyright (c) 2016 CloudBees, Inc., James Nord
+
+         Permission is hereby granted, free of charge, to any person obtaining a copy
+         of this software and associated documentation files (the "Software"), to deal
+         in the Software without restriction, including without limitation the rights
+         to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+         copies of the Software, and to permit persons to whom the Software is
+         furnished to do so, subject to the following conditions:
+
+         The above copyright notice and this permission notice shall be included in
+         all copies or substantial portions of the Software.
+
+         THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+         IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+         FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+         AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+         LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+         OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+         THE SOFTWARE.
+         */
+        -->
+<?jelly escape-by-default='true'?>
+<j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout"
+         xmlns:t="/lib/hudson" xmlns:f="/lib/form" xmlns:i="jelly:fmt">
+    <l:layout norefresh="true">
+        <l:main-panel>
+            <j:choose>
+                <j:when test="${h.isAnonymous()}">
+                    <p>You are now logged out of Jenkins, however this has not logged you out of
+                        <a href="${it.getSamlURL}">SAML</a>
+                        .
+                    </p>
+                    <p>Have a nice day</p>
+                </j:when>
+                <j:otherwise>
+                    <h2>Woo There....</h2>
+                    <p>You are not logged out - don't run away!</p>
+                    <p>Whilst you should been logged out you are not actually logged out...</p>
+                </j:otherwise>
+            </j:choose>
+        </l:main-panel>
+    </l:layout>
+</j:jelly>