Migrate from Acegi compatibility layer to Spring Security 6.x (#169)

Author: basil

pom.xml

@@ -4,7 +4,7 @@
     <parent>
         <groupId>org.jenkins-ci.plugins</groupId>
         <artifactId>plugin</artifactId>
-        <version>4.88</version>
+        <version>5.6</version>
         <relativePath />
     </parent>
     <artifactId>gitlab-oauth</artifactId>
@@ -13,13 +13,11 @@
     <properties>
         <revision>1.20</revision>
         <changelist>-SNAPSHOT</changelist>
-        <jenkins.baseline>2.452</jenkins.baseline>
-        <jenkins.version>${jenkins.baseline}.4</jenkins.version>
+        <jenkins.baseline>2.479</jenkins.baseline>
+        <jenkins.version>${jenkins.baseline}.1</jenkins.version>
         <spotbugs.effort>Max</spotbugs.effort>
         <spotbugs.threshold>Low</spotbugs.threshold>
         <gitHubRepo>jenkinsci/${project.artifactId}-plugin</gitHubRepo>
-	<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
     </properties>
     <name>GitLab Authentication plugin</name>
     <description>A Jenkins authentication plugin that delegates to GitLab.  We also implement an Authorization Strategy that users the acquired OAuth token to interact with the GitLab API to determine a users level of access to Jenkins.</description>

src/main/java/org/jenkinsci/plugins/GitLabAuthenticationException.java

@@ -33,7 +33,7 @@ of this software and associated documentation files (the "Software"), to deal
 
 package org.jenkinsci.plugins;
 
-import org.acegisecurity.AuthenticationException;
+import org.springframework.security.core.AuthenticationException;
 
 /**
  *

src/main/java/org/jenkinsci/plugins/GitLabAuthenticationToken.java

@@ -41,9 +41,6 @@ of this software and associated documentation files (the "Software"), to deal
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import jenkins.model.Jenkins;
-import org.acegisecurity.GrantedAuthority;
-import org.acegisecurity.GrantedAuthorityImpl;
-import org.acegisecurity.providers.AbstractAuthenticationToken;
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang.StringUtils;
 import org.gitlab4j.api.Constants.TokenType;
@@ -52,6 +49,9 @@ of this software and associated documentation files (the "Software"), to deal
 import org.gitlab4j.api.models.Group;
 import org.gitlab4j.api.models.Project;
 import org.gitlab4j.api.models.User;
+import org.springframework.security.authentication.AbstractAuthenticationToken;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
 
 /**
  * @author mocleiri
@@ -93,7 +93,7 @@ public class GitLabAuthenticationToken extends AbstractAuthenticationToken {
     private final List<GrantedAuthority> authorities = new ArrayList<>();
 
     public GitLabAuthenticationToken(String accessToken, String gitlabServer, TokenType tokenType) throws GitLabApiException {
-        super(new GrantedAuthority[] {});
+        super(List.of());
 
         this.accessToken = accessToken;
         this.gitLabAPI = new GitLabApi(gitlabServer, tokenType, accessToken);
@@ -103,7 +103,7 @@ public GitLabAuthenticationToken(String accessToken, String gitlabServer, TokenT
         setAuthenticated(true);
 
         this.userName = this.me.getUsername();
-        authorities.add(SecurityRealm.AUTHENTICATED_AUTHORITY);
+        authorities.add(SecurityRealm.AUTHENTICATED_AUTHORITY2);
         Jenkins jenkins = Jenkins.getInstanceOrNull();
         if (jenkins != null && jenkins.getSecurityRealm() instanceof GitLabSecurityRealm) {
 
@@ -147,8 +147,8 @@ public GitLabApi getGitLabAPI() {
     }
 
     @Override
-    public GrantedAuthority[] getAuthorities() {
-        return authorities.toArray(new GrantedAuthority[0]);
+    public Collection<GrantedAuthority> getAuthorities() {
+        return authorities;
     }
 
     @Override
@@ -318,12 +318,12 @@ public GitLabOAuthUserDetails getUserDetails(String username) {
             try {
                 List<Group> gitLabGroups = gitLabAPI.getGroupApi().getGroups();
                 for (Group gitlabGroup : gitLabGroups) {
-                    groups.add(new GrantedAuthorityImpl(gitlabGroup.getName()));
+                    groups.add(new SimpleGrantedAuthority(gitlabGroup.getName()));
                 }
             } catch (GitLabApiException e) {
                 LOGGER.log(Level.FINE, e.getMessage(), e);
             }
-            return new GitLabOAuthUserDetails(user, groups.toArray(new GrantedAuthority[0]));
+            return new GitLabOAuthUserDetails(user, groups);
         }
         return null;
     }

src/main/java/org/jenkinsci/plugins/GitLabOAuthGroupDetails.java

@@ -5,9 +5,9 @@
 package org.jenkinsci.plugins;
 
 import hudson.security.GroupDetails;
-import org.acegisecurity.GrantedAuthority;
-import org.acegisecurity.GrantedAuthorityImpl;
 import org.gitlab4j.api.models.Group;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
 
 /**
  * Represent a group from GitLab as a group in Jenkins terms.
@@ -60,6 +60,6 @@ public String toString() {
     }
 
     public GrantedAuthority getAuth() {
-        return new GrantedAuthorityImpl(getName());
+        return new SimpleGrantedAuthority(getName());
     }
 }

src/main/java/org/jenkinsci/plugins/GitLabOAuthUserDetails.java

@@ -1,7 +1,8 @@
 package org.jenkinsci.plugins;
 
-import org.acegisecurity.GrantedAuthority;
-import org.acegisecurity.userdetails.User;
+import java.util.Collection;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.userdetails.User;
 
 /**
  * @author Mike
@@ -11,7 +12,7 @@ public class GitLabOAuthUserDetails extends User {
 
     private static final long serialVersionUID = 1709511212188366292L;
 
-    public GitLabOAuthUserDetails(org.gitlab4j.api.models.User user, GrantedAuthority[] authorities) {
+    public GitLabOAuthUserDetails(org.gitlab4j.api.models.User user, Collection<? extends GrantedAuthority> authorities) {
         super(user.getUsername(), "", true, true, true, true, authorities);
     }
 

src/main/java/org/jenkinsci/plugins/GitLabRequireOrganizationMembershipACL.java

@@ -41,9 +41,9 @@ of this software and associated documentation files (the "Software"), to deal
 import java.util.List;
 import java.util.logging.Logger;
 import jenkins.model.Jenkins;
-import org.acegisecurity.Authentication;
 import org.kohsuke.stapler.Stapler;
-import org.kohsuke.stapler.StaplerRequest;
+import org.kohsuke.stapler.StaplerRequest2;
+import org.springframework.security.core.Authentication;
 
 /**
  * @author Mike
@@ -70,11 +70,11 @@ public class GitLabRequireOrganizationMembershipACL extends ACL {
     /*
      * (non-Javadoc)
      *
-     * @see hudson.security.ACL#hasPermission(org.acegisecurity.Authentication,
+     * @see hudson.security.ACL#hasPermission(org.springframework.security.core.Authentication,
      * hudson.security.Permission)
      */
     @Override
-    public boolean hasPermission(Authentication a, Permission permission) {
+    public boolean hasPermission2(Authentication a, Permission permission) {
         if (a != null && a instanceof GitLabAuthenticationToken) {
             if (!a.isAuthenticated()) {
                 return false;
@@ -154,7 +154,7 @@ public boolean hasPermission(Authentication a, Permission permission) {
         } else {
             String authenticatedUserName = a.getName();
 
-            if (authenticatedUserName.equals(SYSTEM.getPrincipal())) {
+            if (authenticatedUserName.equals(SYSTEM2.getPrincipal())) {
                 // give system user full access
                 log.finest("Granting Full rights to SYSTEM user.");
                 return true;
@@ -223,7 +223,7 @@ private boolean currentUriPathEquals(String specificPath) {
     }
 
     private String requestURI() {
-        StaplerRequest currentRequest = Stapler.getCurrentRequest();
+        StaplerRequest2 currentRequest = Stapler.getCurrentRequest2();
         return (currentRequest == null) ? null : currentRequest.getOriginalRequestURI();
     }
 

src/main/java/org/jenkinsci/plugins/GitLabSecurityRealm.java

@@ -41,9 +41,10 @@
 import hudson.model.User;
 import hudson.security.GroupDetails;
 import hudson.security.SecurityRealm;
-import hudson.security.UserMayOrMayNotExistException;
+import hudson.security.UserMayOrMayNotExistException2;
 import hudson.tasks.Mailer;
 import hudson.util.Secret;
+import jakarta.servlet.http.HttpSession;
 import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.net.MalformedURLException;
@@ -55,18 +56,8 @@
 import java.util.ArrayList;
 import java.util.List;
 import java.util.logging.Logger;
-import javax.servlet.http.HttpSession;
 import jenkins.model.Jenkins;
 import jenkins.security.SecurityListener;
-import org.acegisecurity.Authentication;
-import org.acegisecurity.AuthenticationException;
-import org.acegisecurity.AuthenticationManager;
-import org.acegisecurity.BadCredentialsException;
-import org.acegisecurity.context.SecurityContextHolder;
-import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
-import org.acegisecurity.userdetails.UserDetails;
-import org.acegisecurity.userdetails.UserDetailsService;
-import org.acegisecurity.userdetails.UsernameNotFoundException;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.lang.builder.HashCodeBuilder;
 import org.apache.http.HttpEntity;
@@ -91,9 +82,17 @@
 import org.kohsuke.stapler.HttpResponse;
 import org.kohsuke.stapler.HttpResponses;
 import org.kohsuke.stapler.QueryParameter;
-import org.kohsuke.stapler.StaplerRequest;
-import org.springframework.dao.DataAccessException;
-import org.springframework.dao.DataRetrievalFailureException;
+import org.kohsuke.stapler.StaplerRequest2;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.AuthenticationServiceException;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
 
 /**
  *
@@ -103,7 +102,7 @@
  * This is based on the GitLabSecurityRealm from the gitlab-auth-plugin written
  * by Alex Ackerman.
  */
-public class GitLabSecurityRealm extends SecurityRealm implements UserDetailsService {
+public class GitLabSecurityRealm extends SecurityRealm {
     private String gitlabWebUri;
     private String gitlabApiUri;
     private String clientID;
@@ -266,7 +265,7 @@ public Secret getClientSecret() {
 
     // "from" is coming from SecurityRealm/loginLink.jelly
     public HttpResponse doCommenceLogin(
-            StaplerRequest request, @QueryParameter String from, @Header("Referer") final String referer)
+            StaplerRequest2 request, @QueryParameter String from, @Header("Referer") final String referer)
             throws IOException {
         // 2. Requesting authorization :
         // http://doc.gitlab.com/ce/api/oauth2.html
@@ -298,7 +297,7 @@ public HttpResponse doCommenceLogin(
                 gitlabWebUri + "/oauth/authorize?" + URLEncodedUtils.format(parameters, StandardCharsets.UTF_8));
     }
 
-    private String buildRedirectUrl(StaplerRequest request) throws MalformedURLException {
+    private String buildRedirectUrl(StaplerRequest2 request) throws MalformedURLException {
         URL currentUrl = new URL(Jenkins.get().getRootUrl());
 
         URL redirect_uri = new URL(
@@ -313,7 +312,7 @@ private String buildRedirectUrl(StaplerRequest request) throws MalformedURLExcep
      * This is where the user comes back to at the end of the OpenID redirect
      * ping-pong.
      */
-    public HttpResponse doFinishLogin(StaplerRequest request) throws IOException {
+    public HttpResponse doFinishLogin(StaplerRequest2 request) throws IOException {
         String code = request.getParameter("code");
         String state = request.getParameter(STATE_ATTRIBUTE);
         String expectedState = (String) request.getSession().getAttribute(STATE_ATTRIBUTE);
@@ -394,7 +393,7 @@ public HttpResponse doFinishLogin(StaplerRequest request) throws IOException {
                                 new Mailer.UserProperty(auth.getMyself().getEmail()));
                     }
                 }
-                SecurityListener.fireAuthenticated(new GitLabOAuthUserDetails(self, auth.getAuthorities()));
+                SecurityListener.fireAuthenticated2(new GitLabOAuthUserDetails(self, auth.getAuthorities()));
             } catch (GitLabApiException e) {
                 throw new RuntimeException(e);
             }
@@ -489,8 +488,8 @@ public Authentication authenticate(Authentication authentication) throws Authent
                 new UserDetailsService() {
                     @Override
                     public UserDetails loadUserByUsername(String username)
-                            throws UsernameNotFoundException, DataAccessException {
-                        return GitLabSecurityRealm.this.loadUserByUsername(username);
+                            throws UsernameNotFoundException {
+                        return GitLabSecurityRealm.this.loadUserByUsername2(username);
                     }
                 });
     }
@@ -501,7 +500,7 @@ public String getLoginUrl() {
     }
 
     @Override
-    protected String getPostLogOutUrl(StaplerRequest req, Authentication auth) {
+    protected String getPostLogOutUrl2(StaplerRequest2 req, Authentication auth) {
         // if we just redirect to the root and anonymous does not have Overall read then we will start a login all over
         // again.
         // we are actually anonymous here as the security context has been cleared
@@ -546,16 +545,15 @@ public DescriptorImpl getDescriptor() {
     /**
      * @param username
      * @throws UsernameNotFoundException
-     * @throws DataAccessException
      */
     @Override
-    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
+    public UserDetails loadUserByUsername2(String username) throws UsernameNotFoundException {
         GitLabAuthenticationToken authToken;
         if (SecurityContextHolder.getContext().getAuthentication() instanceof GitLabAuthenticationToken) {
             authToken = (GitLabAuthenticationToken)
                     SecurityContextHolder.getContext().getAuthentication();
         } else {
-            throw new UserMayOrMayNotExistException("Could not get auth token.");
+            throw new UserMayOrMayNotExistException2("Could not get auth token.");
         }
 
         try {
@@ -572,7 +570,7 @@ public UserDetails loadUserByUsername(String username) throws UsernameNotFoundEx
 
             return userDetails;
         } catch (Error e) {
-            throw new DataRetrievalFailureException("loadUserByUsername (username=" + username + ")", e);
+            throw new AuthenticationServiceException("loadUserByUsername (username=" + username + ")", e);
         }
     }
 
@@ -604,10 +602,9 @@ public int hashCode() {
     /**
      * @param groupName
      * @throws UsernameNotFoundException
-     * @throws DataAccessException
      */
     @Override
-    public GroupDetails loadGroupByGroupname(String groupName) throws UsernameNotFoundException, DataAccessException {
+    public GroupDetails loadGroupByGroupname2(String groupName, boolean fetchMembers) throws UsernameNotFoundException {
 
         GitLabAuthenticationToken authToken =
                 (GitLabAuthenticationToken) SecurityContextHolder.getContext().getAuthentication();