add group name attribute for FromGroupSearchLDAPGroupMembershipStrategy

jenkinsci · Nov 10, 2023 · cfc6a17 · cfc6a17
1 parent bd1a491
commit cfc6a17
Show file tree

Hide file tree

Showing 11 changed files with 94 additions and 15 deletions.
diff --git a/src/main/java/hudson/security/LDAPSecurityRealm.java b/src/main/java/hudson/security/LDAPSecurityRealm.java
@@ -1,20 +1,20 @@
 /*
  * The MIT License
- * 
+ *
  * Copyright (c) 2004-2010, Sun Microsystems, Inc., Kohsuke Kawaguchi, Seiji Sogabe,
  *    Olivier Lamy
  * Copyright (c) 2017 CloudBees, Inc.
- * 
+ *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
  * in the Software without restriction, including without limitation the rights
  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
  * copies of the Software, and to permit persons to whom the Software is
  * furnished to do so, subject to the following conditions:
- * 
+ *
  * The above copyright notice and this permission notice shall be included in
  * all copies or substantial portions of the Software.
- * 
+ *
  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
@@ -70,6 +70,9 @@
 import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
 import org.springframework.security.ldap.userdetails.LdapUserDetails;
 import org.springframework.security.ldap.userdetails.LdapUserDetailsImpl;
+
+import com.iwombat.util.StringUtil;
+
 import org.apache.commons.collections.map.LRUMap;
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang.StringUtils;
@@ -293,7 +296,7 @@ public class LDAPSecurityRealm extends AbstractPasswordBasedSecurityRealm {
         justification = "This public field is exposed to the plugin's API")
     @Deprecated @Restricted(NoExternalUse.class)
     public transient String userSearch;
-    
+
     /**
      * This defines the organizational unit that contains groups.
      *
@@ -326,7 +329,7 @@ public class LDAPSecurityRealm extends AbstractPasswordBasedSecurityRealm {
      * @deprecated use {@link #groupMembershipStrategy}
      */
     @Deprecated @Restricted(NoExternalUse.class)
-    @SuppressFBWarnings(value = "UUF_UNUSED_PUBLIC_OR_PROTECTED_FIELD", 
+    @SuppressFBWarnings(value = "UUF_UNUSED_PUBLIC_OR_PROTECTED_FIELD",
         justification = "This public field is exposed to the plugin's API")
     public transient String groupMembershipFilter;
 
@@ -363,7 +366,7 @@ group target (CN is a reasonable default)
     public transient String managerDN;
 
     @Deprecated @Restricted(NoExternalUse.class)
-    @SuppressFBWarnings(value = "UUF_UNUSED_PUBLIC_OR_PROTECTED_FIELD", 
+    @SuppressFBWarnings(value = "UUF_UNUSED_PUBLIC_OR_PROTECTED_FIELD",
         justification = "This public field is exposed to the plugin's API")
     private transient String managerPassword;
 
@@ -1391,10 +1394,15 @@ public static final class AuthoritiesPopulatorImpl extends DefaultLdapAuthoritie
         boolean convertToUpperCase = true;
         private GrantedAuthority defaultRole = null;
 
-        public AuthoritiesPopulatorImpl(ContextSource contextSource, String groupSearchBase) {
+        public AuthoritiesPopulatorImpl(ContextSource contextSource, String groupSearchBase, LDAPGroupMembershipStrategy ldapGroupMembershipStrategy) {
             super(contextSource, fixNull(groupSearchBase));
-
             super.setRolePrefix("");
+            if (ldapGroupMembershipStrategy instanceof FromGroupSearchLDAPGroupMembershipStrategy) {
+                FromGroupSearchLDAPGroupMembershipStrategy fromGroupSearchLDAPGroupMembershipStrategy = (FromGroupSearchLDAPGroupMembershipStrategy) ldapGroupMembershipStrategy;
+                if (StringUtils.isNotBlank(fromGroupSearchLDAPGroupMembershipStrategy.getAttribute())) {
+                    super.setGroupRoleAttribute(fromGroupSearchLDAPGroupMembershipStrategy.getAttribute());
+                }
+            }
             super.setConvertToUpperCase(false);
         }
 
@@ -1524,7 +1532,7 @@ public FormValidation doValidate(StaplerRequest req) throws Exception {
             String user = json.getString("testUser");
             String password = json.getString("testPassword");
             JSONObject realmCfg = json.getJSONObject("securityRealm");
-            
+
             // instantiate the realm
             LDAPSecurityRealm realm = req.bindJSON(LDAPSecurityRealm.class, realmCfg);
             return validate(realm, user, password);

diff --git a/src/main/java/jenkins/security/plugins/ldap/FromGroupSearchLDAPGroupMembershipStrategy.java b/src/main/java/jenkins/security/plugins/ldap/FromGroupSearchLDAPGroupMembershipStrategy.java
@@ -59,19 +59,39 @@ public class FromGroupSearchLDAPGroupMembershipStrategy extends LDAPGroupMembers
      */
     private final String filter;
 
-    @DataBoundConstructor
+    /**
+     * The LDAP attribute name which contains the group name (default = "cn").
+     */
+    private final String attribute;
+
     public FromGroupSearchLDAPGroupMembershipStrategy(String filter) {
         this.filter = filter;
+        this.attribute = "";
+    }
+
+    @DataBoundConstructor
+    public FromGroupSearchLDAPGroupMembershipStrategy(String filter, String attribute) {
+        this.filter = filter;
+        this.attribute = attribute;
     }
 
     public String getFilter() {
         return filter;
     }
 
+    public String getAttribute() {
+        return attribute;
+    }
+
     @Override
     public void setAuthoritiesPopulator(LdapAuthoritiesPopulator authoritiesPopulator) {
-        if (authoritiesPopulator instanceof LDAPSecurityRealm.AuthoritiesPopulatorImpl && StringUtils.isNotBlank(filter)) {
-            ((LDAPSecurityRealm.AuthoritiesPopulatorImpl) authoritiesPopulator).setGroupSearchFilter(filter);
+        if (authoritiesPopulator instanceof LDAPSecurityRealm.AuthoritiesPopulatorImpl) {
+            if (StringUtils.isNotBlank(filter)) {
+                ((LDAPSecurityRealm.AuthoritiesPopulatorImpl) authoritiesPopulator).setGroupSearchFilter(filter);
+            }
+            if (StringUtils.isNotBlank(attribute)) {
+                ((LDAPSecurityRealm.AuthoritiesPopulatorImpl) authoritiesPopulator).setGroupRoleAttribute(attribute);
+            }
         }
         super.setAuthoritiesPopulator(authoritiesPopulator);
     }

diff --git a/src/main/java/jenkins/security/plugins/ldap/LDAPConfiguration.java b/src/main/java/jenkins/security/plugins/ldap/LDAPConfiguration.java
@@ -623,7 +623,7 @@ public ApplicationContext createApplicationContext(LDAPSecurityRealm realm) {
         // this is when we need to find it.
         bindAuthenticator.setUserSearch(ldapUserSearch);
 
-        LDAPSecurityRealm.AuthoritiesPopulatorImpl ldapAuthoritiesPopulator = new LDAPSecurityRealm.AuthoritiesPopulatorImpl(contextSource, getGroupSearchBase());
+        LDAPSecurityRealm.AuthoritiesPopulatorImpl ldapAuthoritiesPopulator = new LDAPSecurityRealm.AuthoritiesPopulatorImpl(contextSource, getGroupSearchBase(), getGroupMembershipStrategy());
         ldapAuthoritiesPopulator.setSearchSubtree(true);
         ldapAuthoritiesPopulator.setGroupSearchFilter("(| (member={0}) (uniqueMember={0}) (memberUid={1}))");
         if (realm.isDisableRolePrefixing()) {

diff --git a/...ces/jenkins/security/plugins/ldap/FromGroupSearchLDAPGroupMembershipStrategy/config.jelly b/...ces/jenkins/security/plugins/ldap/FromGroupSearchLDAPGroupMembershipStrategy/config.jelly
@@ -28,4 +28,7 @@ THE SOFTWARE.
     <f:entry field="filter" title="${%Group membership filter}">
       <f:textbox/>
     </f:entry>
+    <f:entry field="attribute" title="${%Group name attribute}">
+        <f:textbox/>
+    </f:entry>
 </j:jelly>
diff --git a/...kins/security/plugins/ldap/FromGroupSearchLDAPGroupMembershipStrategy/help-attribute.html b/...kins/security/plugins/ldap/FromGroupSearchLDAPGroupMembershipStrategy/help-attribute.html
@@ -0,0 +1,3 @@
+<div>
+    The LDAP attribute name which contains the group name (default = "cn").
+</div>
diff --git a/...s/security/plugins/ldap/FromGroupSearchLDAPGroupMembershipStrategy/help-attribute_fr.html b/...s/security/plugins/ldap/FromGroupSearchLDAPGroupMembershipStrategy/help-attribute_fr.html
@@ -0,0 +1,3 @@
+<div>
+    Le nom de l'attribut LDAP contenant le nom du groupe (valeur par défaut = "cn")
+</div>
diff --git a/src/main/resources/jenkins/security/plugins/ldap/LDAPConfiguration/config.jelly b/src/main/resources/jenkins/security/plugins/ldap/LDAPConfiguration/config.jelly
@@ -51,4 +51,4 @@
             <f:checkbox />
         </f:entry>
     </f:advanced>
-</j:jelly>
+</j:jelly>
diff --git a/src/test/java/hudson/security/LDAPEmbeddedTest.java b/src/test/java/hudson/security/LDAPEmbeddedTest.java
@@ -228,6 +228,43 @@ public void userLookup_rolesFromUserRecord_modern() throws Exception {
         assertThat(userGetAuthorities(details), containsInAnyOrder("HMS_Victory"));
     }
 
+    @Test
+    @LDAPSchema(ldif = "sevenSeas", id = "sevenSeas", dn = "o=sevenSeas")
+    public void userLookup_rolesFromGroupSearchWithGroupAttribute() throws Exception {
+        LDAPSecurityRealm realm = new LDAPSecurityRealm(
+                ads.getUrl(),
+                null,
+                null,
+                null,
+                null,
+                null,
+                new FromGroupSearchLDAPGroupMembershipStrategy(null, "description"),
+                "uid=admin,ou=system",
+                Secret.fromString("pass"),
+                false,
+                false,
+                new LDAPSecurityRealm.CacheConfiguration(100, 1000),
+                new LDAPSecurityRealm.EnvironmentProperty[0],
+                "cn",
+                null,
+                IdStrategy.CASE_INSENSITIVE,
+                IdStrategy.CASE_INSENSITIVE);
+        r.jenkins.setSecurityRealm(realm);
+        User user = User.get("hhornblo", true, Collections.emptyMap());
+        List<String> authorities = user.getAuthorities();
+        assertThat(user.getAuthorities(), containsInAnyOrder("HMS_Lydia", "ROLE_HMS_LYDIA"));
+        assertThat(user.getDisplayName(), is("Horatio Hornblower"));
+        assertThat(user.getProperty(Mailer.UserProperty.class).getAddress(), is("[email protected]"));
+        UserDetails details = realm.authenticate2("hhornblo", "pass");
+        assertThat(userGetAuthorities(details), containsInAnyOrder("HMS_Lydia", "ROLE_HMS_LYDIA"));
+        user = User.get("hnelson", true, Collections.emptyMap());
+        assertThat(user.getAuthorities(), containsInAnyOrder("HMS_Victory", "ROLE_HMS_VICTORY"));
+        assertThat(user.getDisplayName(), is("Horatio Nelson"));
+        assertThat(user.getProperty(Mailer.UserProperty.class).getAddress(), is("[email protected]"));
+        details = realm.authenticate2("hnelson", "pass");
+        assertThat(userGetAuthorities(details), containsInAnyOrder("HMS_Victory", "ROLE_HMS_VICTORY"));
+    }
+
     private Set<String> userGetAuthorities(UserDetails details) {
         Set<String> authorities = new LinkedHashSet<>();
         for (GrantedAuthority a : details.getAuthorities()) {

diff --git a/src/test/java/jenkins/security/plugins/ldap/CasCTest.java b/src/test/java/jenkins/security/plugins/ldap/CasCTest.java
@@ -35,5 +35,6 @@ public void configure_ldap() {
         assertEquals("(&(cn={0})(objectclass=group))", configuration.getGroupSearchFilter());
         final FromGroupSearchLDAPGroupMembershipStrategy strategy = ((FromGroupSearchLDAPGroupMembershipStrategy) configuration.getGroupMembershipStrategy());
         assertEquals("(&(objectClass=group)(|(cn=GROUP_1)(cn=GROUP_2)))", strategy.getFilter());
+        assertEquals("description", strategy.getAttribute());
     }
 }
diff --git a/src/test/resources/hudson/security/sevenSeas.ldif b/src/test/resources/hudson/security/sevenSeas.ldif
@@ -168,6 +168,7 @@ dn: cn=HMS Lydia,ou=crews,ou=groups,o=sevenSeas
 objectclass: groupOfUniqueNames
 objectclass: top
 cn: HMS Lydia
+description: HMS_Lydia
 uniquemember: cn=Horatio Hornblower,ou=people,o=sevenSeas
 uniquemember: cn=William Bush,ou=people,o=sevenSeas
 uniquemember: cn=Thomas Quist,ou=people,o=sevenSeas
@@ -236,6 +237,7 @@ dn: cn=HMS Victory,ou=crews,ou=groups,o=sevenSeas
 objectclass: groupOfUniqueNames
 objectclass: top
 cn: HMS Victory
+description: HMS_Victory
 uniquemember: cn=Horatio Nelson,ou=people,o=sevenSeas
 uniquemember: cn=Thomas Masterman Hardy,ou=people,o=sevenSeas
 uniquemember: cn=Cornelius Buckley,ou=people,o=sevenSeas
@@ -320,6 +322,7 @@ dn: cn=HMS Bounty,ou=crews,ou=groups,o=sevenSeas
 objectclass: groupOfUniqueNames
 objectclass: top
 cn: HMS Bounty
+description: HMS_Bounty
 uniquemember: cn=William Bligh,ou=people,o=sevenSeas
 uniquemember: cn=Fletcher Christian,ou=people,o=sevenSeas
 uniquemember: cn=John Fryer,ou=people,o=sevenSeas

diff --git a/src/test/resources/jenkins/security/plugins/ldap/casc.yml b/src/test/resources/jenkins/security/plugins/ldap/casc.yml
@@ -11,6 +11,7 @@ jenkins:
           groupMembershipStrategy:
             fromGroupSearch:
               filter: "(&(objectClass=group)(|(cn=GROUP_1)(cn=GROUP_2)))"
+              attribute: "description"
       cache:
         size: 100
         ttl: 10