Migrate from Acegi to Spring Security (#253)

Author: basil

src/main/java/hudson/plugins/copyartifact/CopyArtifact.java

@@ -94,9 +94,9 @@
 import jenkins.model.Jenkins;
 
 import jenkins.tasks.SimpleBuildStep;
-import org.acegisecurity.Authentication;
-import org.acegisecurity.GrantedAuthority;
-import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.apache.commons.lang.StringUtils;
 import org.jenkinsci.Symbol;
 import org.kohsuke.stapler.AncestorInPath;
@@ -126,7 +126,7 @@ public class CopyArtifact extends Builder implements SimpleBuildStep {
     private static final Authentication AUTHENTICATED_ANONYMOUS = new UsernamePasswordAuthenticationToken(
         "authenticated",
         "",
-        new GrantedAuthority[]{ SecurityRealm.AUTHENTICATED_AUTHORITY }
+        List.of(SecurityRealm.AUTHENTICATED_AUTHORITY2)
     );
 
     @Deprecated private transient String projectName;
@@ -464,7 +464,7 @@ public void perform(@NonNull Run<?, ?> build, @NonNull FilePath workspace, @NonN
 
                     Date buildStartedAt = new Date(build.getStartTimeInMillis());
                     // will be System if there is no QueueItemAuthenticator
-                    String currentUserName = Jenkins.getAuthentication().getName();
+                    String currentUserName = Jenkins.getAuthentication2().getName();
                     LegacyJobConfigMigrationMonitor.get().addLegacyJob(build.getParent(), job, buildStartedAt, currentUserName);
 
                     // but let the process goes on 
@@ -581,8 +581,8 @@ private boolean canReadFrom(Job<?, ?> job, Run<?, ?> build) {
         Job<?, ?> fromJob = job;
         Job<?, ?> toJob = build.getParent();
 
-        Authentication a = Jenkins.getAuthentication();
-        if (!ACL.SYSTEM.equals(a)) {
+        Authentication a = Jenkins.getAuthentication2();
+        if (!ACL.SYSTEM2.equals(a)) {
             // if the build does not run on SYSTEM authorization,
             // Jenkins is configured to use QueueItemAuthenticator.
             // In this case, the permission is already checked by Jenkins
@@ -603,7 +603,7 @@ private boolean canReadFrom(Job<?, ?> job, Run<?, ?> build) {
         }
 
         // Test the permission as an anonymous authenticated user.
-        if (fromJob.getACL().hasPermission(
+        if (fromJob.getACL().hasPermission2(
                 AUTHENTICATED_ANONYMOUS,
                 Item.READ)) {
             LOGGER.log(Level.FINE, "The copy-artifact step (of {0}) was accepted because the target project {1}" +
@@ -631,11 +631,11 @@ private boolean canReadArtifact(Run<?, ?> srcBuild, Run<?, ?> destBuild) {
             return true;
         }
 
-        Authentication a = Jenkins.getAuthentication();
-        if (ACL.SYSTEM.equals(a)) {
+        Authentication a = Jenkins.getAuthentication2();
+        if (ACL.SYSTEM2.equals(a)) {
             a = AUTHENTICATED_ANONYMOUS;
         }
-        if (srcBuild.hasPermission(a, Run.ARTIFACTS)) {
+        if (srcBuild.hasPermission2(a, Run.ARTIFACTS)) {
             return true;
         }
 

src/main/java/hudson/plugins/copyartifact/monitor/LegacyJobConfigMigrationMonitor.java

@@ -298,7 +298,7 @@ public HttpResponse doMigrateAllSelected(@JsonBody MigrateAllSelectedModel conte
         }
         // to avoid issue when a project is not visible for the regular admin
         // like with early version of ProjectMatrix
-        try (ACLContext acl = ACL.as(ACL.SYSTEM)) {
+        try (ACLContext acl = ACL.as2(ACL.SYSTEM2)) {
             try (BulkChange bc = new BulkChange(this)) {
                 for (MigrateAllSelectedFromAndTo value : content.values) {
                     if (value.jobFrom == null || value.jobTo == null) {

src/main/java/hudson/plugins/copyartifact/monitor/LegacyMonitorData.java

@@ -236,7 +236,7 @@ private JobInfoModel retrieveOrBuildJobInfoForCurrentUser(
         Job<?, ?> job = jenkins.getItem(jobFullName, jenkins, Job.class);
         if (job == null) {
             hasAccessTo = false;
-            try (ACLContext acl = ACL.as(ACL.SYSTEM)) {
+            try (ACLContext acl = ACL.as2(ACL.SYSTEM2)) {
                 job = jenkins.getItem(jobFullName, jenkins, Job.class);
             }
         }

src/test/java/hudson/plugins/copyartifact/CopyArtifactPermissionPropertyTest.java

@@ -51,7 +51,7 @@
 import jenkins.model.Jenkins;
 import jenkins.security.QueueItemAuthenticatorConfiguration;
 
-import org.acegisecurity.Authentication;
+import org.springframework.security.core.Authentication;
 import org.apache.commons.lang.StringUtils;
 import org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition;
 import org.junit.After;
@@ -347,10 +347,8 @@ public void testNotWorkWithQueueItemAuthenticator() throws Exception {
         // if the permission is configured with QueueItemAuthenticator.
         {
             QueueItemAuthenticatorConfiguration.get().getAuthenticators().clear();
-            Map<String, Authentication> authMap = new HashMap<>();
-            authMap.put(downstream.getFullName(), User.getById("bob", true).impersonate());
             QueueItemAuthenticatorConfiguration.get().getAuthenticators().add(
-                new MockQueueItemAuthenticator(authMap)
+                new MockQueueItemAuthenticator().authenticate(downstream.getFullName(), User.getById("bob", true).impersonate2())
             );
             j.assertBuildStatus(Result.FAILURE, downstream.scheduleBuild2(0));
         }
@@ -360,10 +358,8 @@ public void testNotWorkWithQueueItemAuthenticator() throws Exception {
         // (actually, you don't need to configure copyArtifactPermission)
         {
             QueueItemAuthenticatorConfiguration.get().getAuthenticators().clear();
-            Map<String, Authentication> authMap = new HashMap<>();
-            authMap.put(downstream.getFullName(), User.getById("alice", true).impersonate());
             QueueItemAuthenticatorConfiguration.get().getAuthenticators().add(
-                new MockQueueItemAuthenticator(authMap)
+                new MockQueueItemAuthenticator().authenticate(downstream.getFullName(), User.getById("alice", true).impersonate2())
             );
             j.buildAndAssertSuccess(downstream);
         }

src/test/java/hudson/plugins/copyartifact/CopyArtifactTest.java

@@ -89,10 +89,10 @@
 import jenkins.model.Jenkins;
 import jenkins.security.QueueItemAuthenticatorConfiguration;
 
-import org.acegisecurity.Authentication;
-import org.acegisecurity.context.SecurityContext;
-import org.acegisecurity.context.SecurityContextHolder;
-import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.apache.commons.lang.StringUtils;
 import org.jenkinsci.plugins.workflow.DirectArtifactManagerFactory;
 import org.junit.After;
@@ -1026,11 +1026,9 @@ public void testPermission() throws Exception {
             assertEquals(src.getName(), ca.getProjectName());
 
             // Build should succeed when run as joe.
-            Map<String, Authentication> authMap = new HashMap<>();
-            authMap.put(dest.getFullName(), User.getById("joe", true).impersonate());
             QueueItemAuthenticatorConfiguration.get().getAuthenticators().clear();
             QueueItemAuthenticatorConfiguration.get().getAuthenticators().add(
-                new MockQueueItemAuthenticator(authMap)
+                new MockQueueItemAuthenticator().authenticate(dest.getFullName(), User.getById("joe", true).impersonate2())
             );
             rule.assertBuildStatusSuccess(dest.scheduleBuild2(0));
         }
@@ -1074,7 +1072,7 @@ public void testPermissionWhenParameterized() throws Exception {
         rule.assertBuildStatusSuccess(b);
         // Build step should fail for a job not accessible to all authenticated users,
         // even when accessible to the user starting the job, as in this case:
-        SecurityContext old = ACL.impersonate(
+        SecurityContext old = ACL.impersonate2(
                 new UsernamePasswordAuthenticationToken("joe","joe"));
         try {
         b = p.scheduleBuild2(0, new Cause.UserIdCause(),
@@ -1678,10 +1676,10 @@ public void testCopyArtifactPermissionProperty() throws Exception {
 
         // test permissions
         // not all user can access projects.
-        assertFalse(copiee.getACL().hasPermission(test1.impersonate(), Item.READ));
-        assertFalse(copier.getACL().hasPermission(test1.impersonate(), Item.READ));
-        assertFalse(matrixCopiee.getACL().hasPermission(test1.impersonate(), Item.READ));
-        assertFalse(matrixCopier.getACL().hasPermission(test1.impersonate(), Item.READ));
+        assertFalse(copiee.getACL().hasPermission2(test1.impersonate2(), Item.READ));
+        assertFalse(copier.getACL().hasPermission2(test1.impersonate2(), Item.READ));
+        assertFalse(matrixCopiee.getACL().hasPermission2(test1.impersonate2(), Item.READ));
+        assertFalse(matrixCopier.getACL().hasPermission2(test1.impersonate2(), Item.READ));
 
         // prepare an artifact
         rule.assertBuildStatusSuccess(copiee.scheduleBuild2(0));
@@ -2093,15 +2091,15 @@ public void testCliCannotBypassPermission() throws Exception {
     }
 
     private static class TestQueueItemAuthenticator extends jenkins.security.QueueItemAuthenticator {
-        private final transient org.acegisecurity.Authentication auth;
+        private final transient Authentication auth;
 
-        public TestQueueItemAuthenticator(org.acegisecurity.Authentication auth) {
+        public TestQueueItemAuthenticator(Authentication auth) {
             this.auth = auth;
         }
 
         @Override
         @edu.umd.cs.findbugs.annotations.CheckForNull
-        public org.acegisecurity.Authentication authenticate(Queue.Item item) {
+        public Authentication authenticate2(Queue.Item item) {
             return auth;
         }
 
@@ -2146,20 +2144,20 @@ public void testQueueItemAuthenticator() throws Exception {
         auth.grant(Item.READ).onItems(copier).to(test1,test2);
 
         // test permissions
-        assertTrue (copiee.getACL().hasPermission(admin.impersonate(), Item.READ));
-        assertTrue (copiee.getACL().hasPermission(test1.impersonate(), Item.READ));
-        assertFalse(copiee.getACL().hasPermission(test2.impersonate(), Item.READ));
+        assertTrue (copiee.getACL().hasPermission2(admin.impersonate2(), Item.READ));
+        assertTrue (copiee.getACL().hasPermission2(test1.impersonate2(), Item.READ));
+        assertFalse(copiee.getACL().hasPermission2(test2.impersonate2(), Item.READ));
 
-        assertTrue (copier.getACL().hasPermission(admin.impersonate(), Item.BUILD));
-        assertTrue (copier.getACL().hasPermission(test1.impersonate(), Item.BUILD));
-        assertTrue (copier.getACL().hasPermission(test2.impersonate(), Item.BUILD));
-        assertTrue (copier.getACL().hasPermission(Jenkins.ANONYMOUS, Item.BUILD));
+        assertTrue (copier.getACL().hasPermission2(admin.impersonate2(), Item.BUILD));
+        assertTrue (copier.getACL().hasPermission2(test1.impersonate2(), Item.BUILD));
+        assertTrue (copier.getACL().hasPermission2(test2.impersonate2(), Item.BUILD));
+        assertTrue (copier.getACL().hasPermission2(Jenkins.ANONYMOUS2, Item.BUILD));
 
         // Computer.BUILD is required since Jenkins 1.521.
-        assertTrue(rule.jenkins.getACL().hasPermission(admin.impersonate(), Computer.BUILD));
-        assertTrue(rule.jenkins.getACL().hasPermission(test1.impersonate(), Computer.BUILD));
-        assertTrue(rule.jenkins.getACL().hasPermission(test2.impersonate(), Computer.BUILD));
-        assertTrue(rule.jenkins.getACL().hasPermission(Jenkins.ANONYMOUS, Computer.BUILD));
+        assertTrue(rule.jenkins.getACL().hasPermission2(admin.impersonate2(), Computer.BUILD));
+        assertTrue(rule.jenkins.getACL().hasPermission2(test1.impersonate2(), Computer.BUILD));
+        assertTrue(rule.jenkins.getACL().hasPermission2(test2.impersonate2(), Computer.BUILD));
+        assertTrue(rule.jenkins.getACL().hasPermission2(Jenkins.ANONYMOUS2, Computer.BUILD));
 
         // prepare an artifact
         rule.assertBuildStatusSuccess(copiee.scheduleBuild2(0));
@@ -2174,7 +2172,7 @@ public void testQueueItemAuthenticator() throws Exception {
         {
             QueueItemAuthenticatorConfiguration.get().getAuthenticators().clear();
             QueueItemAuthenticatorConfiguration.get().getAuthenticators().add(
-                    new TestQueueItemAuthenticator(admin.impersonate())
+                    new TestQueueItemAuthenticator(admin.impersonate2())
             );
             rule.assertBuildStatus(Result.SUCCESS, copier.scheduleBuild2(0).get(TIMEOUT, TimeUnit.SECONDS));
         }
@@ -2184,7 +2182,7 @@ public void testQueueItemAuthenticator() throws Exception {
         {
             QueueItemAuthenticatorConfiguration.get().getAuthenticators().clear();
             QueueItemAuthenticatorConfiguration.get().getAuthenticators().add(
-                    new TestQueueItemAuthenticator(test1.impersonate())
+                    new TestQueueItemAuthenticator(test1.impersonate2())
             );
             rule.assertBuildStatus(Result.SUCCESS, copier.scheduleBuild2(0).get(TIMEOUT, TimeUnit.SECONDS));
         }
@@ -2194,7 +2192,7 @@ public void testQueueItemAuthenticator() throws Exception {
         {
             QueueItemAuthenticatorConfiguration.get().getAuthenticators().clear();
             QueueItemAuthenticatorConfiguration.get().getAuthenticators().add(
-                    new TestQueueItemAuthenticator(test2.impersonate())
+                    new TestQueueItemAuthenticator(test2.impersonate2())
             );
             rule.assertBuildStatus(Result.FAILURE, copier.scheduleBuild2(0).get(TIMEOUT, TimeUnit.SECONDS));
         }
@@ -2204,7 +2202,7 @@ public void testQueueItemAuthenticator() throws Exception {
         {
             QueueItemAuthenticatorConfiguration.get().getAuthenticators().clear();
             QueueItemAuthenticatorConfiguration.get().getAuthenticators().add(
-                    new TestQueueItemAuthenticator(Jenkins.ANONYMOUS)
+                    new TestQueueItemAuthenticator(Jenkins.ANONYMOUS2)
             );
             rule.assertBuildStatus(Result.FAILURE, copier.scheduleBuild2(0).get(TIMEOUT, TimeUnit.SECONDS));
         }
@@ -2482,11 +2480,9 @@ public void artifactsPermissionWithAuthSuccess() throws Exception {
                 true
         ));
 
-        Map<String, Authentication> authMap = new HashMap<>();
-        authMap.put(dest.getFullName(), User.getById("joe", true).impersonate());
         QueueItemAuthenticatorConfiguration.get().getAuthenticators().clear();
         QueueItemAuthenticatorConfiguration.get().getAuthenticators().add(
-            new MockQueueItemAuthenticator(authMap)
+            new MockQueueItemAuthenticator().authenticate(dest.getFullName(), User.getById("joe", true).impersonate2())
         );
         rule.assertBuildStatusSuccess(dest.scheduleBuild2(0));
     }
@@ -2520,11 +2516,9 @@ public void artifactsPermissionWithAuthFailure() throws Exception {
                 true
         ));
 
-        Map<String, Authentication> authMap = new HashMap<>();
-        authMap.put(dest.getFullName(), User.getById("joe", true).impersonate());
         QueueItemAuthenticatorConfiguration.get().getAuthenticators().clear();
         QueueItemAuthenticatorConfiguration.get().getAuthenticators().add(
-            new MockQueueItemAuthenticator(authMap)
+            new MockQueueItemAuthenticator().authenticate(dest.getFullName(), User.getById("joe", true).impersonate2())
         );
         rule.assertBuildStatus(Result.FAILURE, dest.scheduleBuild2(0));
     }

src/test/java/hudson/plugins/copyartifact/DownstreamBuildSelectorTest.java

@@ -52,8 +52,8 @@
 import hudson.tasks.Fingerprinter;
 import hudson.util.FormValidation;
 
-import org.acegisecurity.Authentication;
-import org.acegisecurity.context.SecurityContextHolder;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
 import org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition;
 import org.jenkinsci.plugins.workflow.job.WorkflowJob;
 import org.jenkinsci.plugins.workflow.job.WorkflowRun;
@@ -554,9 +554,9 @@ public void testCheckUpstreamProjectName() throws Exception {
         assertEquals(FormValidation.Kind.OK, d.doCheckUpstreamProjectName(null, "folder1/project2").kind);
 
         // permission check
-        Authentication a = Jenkins.getAuthentication();
+        Authentication a = Jenkins.getAuthentication2();
         try {
-            SecurityContextHolder.getContext().setAuthentication(User.get("devel").impersonate());
+            SecurityContextHolder.getContext().setAuthentication(User.get("devel").impersonate2());
             assertEquals(FormValidation.Kind.OK, d.doCheckUpstreamProjectName(project2, "../project1").kind);
             assertEquals(FormValidation.Kind.ERROR, d.doCheckUpstreamProjectName(project2, "project3").kind);
             assertEquals(FormValidation.Kind.OK, d.doCheckUpstreamProjectName(null, "/project1").kind);
@@ -625,9 +625,9 @@ public void testCheckUpstreamBuildNumber() throws Exception {
         assertEquals(FormValidation.Kind.OK, d.doCheckUpstreamBuildNumber(null, "project2", "NosuchBuild").kind);
 
         // permission check
-        Authentication a = Jenkins.getAuthentication();
+        Authentication a = Jenkins.getAuthentication2();
         try {
-            SecurityContextHolder.getContext().setAuthentication(User.get("devel").impersonate());
+            SecurityContextHolder.getContext().setAuthentication(User.get("devel").impersonate2());
             assertEquals(FormValidation.Kind.OK, d.doCheckUpstreamBuildNumber(project1, "project3", "nosuchbuild").kind);  // limitation
             assertEquals(FormValidation.Kind.OK, d.doCheckUpstreamBuildNumber(null, "project3", "nosuchbuild").kind);
         } finally {