[JEP-227][JENKINS-39324] Replace Acegi Security with Spring Security APIs

[Vlatombe]

This is the implementation of
jenkinsci/jenkins#4848 for Credentials API.

cf. https://github.com/jenkinsci/jep/blob/31859bedd4594df528428ccc737117b44b786fce/jep/227/README.adoc

This will allow consumers of the credentials API to remove references to deprecated acegi APIs.

Some overloads methods were renamed in order to avoid the ambiguous signatures involving Item and ItemGroup.

For example, lookupCredentials become lookupCredentialsInItem and lookupCredentialsInItemGroup.

cc @jglick

Testing done

Submitter checklist

Edit tasklist title

Beta Give feedback Tasklist Submitter checklist, more options

• Rename
• Copy markdown
• Delete tasklist

Delete tasklist

Delete tasklist block?

Are you sure? All relationships in this tasklist will be removed.

Cancel Delete

1. Make sure you are opening from a **topic/feature/bugfix branch** (right side) and not your main branch!

   Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
   Options

   • Convert to issue
   • Toggle completion
   • Rename
   • Remove
2. Ensure that the pull request title represents the desired changelog entry

   Ensure that the pull request title represents the desired changelog entry
   Options

   • Convert to issue
   • Toggle completion
   • Rename
   • Remove
3. Please describe what you did

   Please describe what you did
   Options

   • Convert to issue
   • Toggle completion
   • Rename
   • Remove
4. Link to relevant issues in GitHub or Jira

   Link to relevant issues in GitHub or Jira
   Options

   • Convert to issue
   • Toggle completion
   • Rename
   • Remove
5. Link to relevant pull requests, esp. upstream and downstream changes

   Link to relevant pull requests, esp. upstream and downstream changes
   Options

   • Convert to issue
   • Toggle completion
   • Rename
   • Remove
6. Ensure you have provided tests - that demonstrates feature works or fixes the issue

   Ensure you have provided tests - that demonstrates feature works or fixes the issue
   Options

   • Convert to issue
   • Toggle completion
   • Rename
   • Remove

Add item to Submitter checklist Loading

[jglick]

Looks good overall, and long overdue.

Is there a reason this is still in draft—are you planning to create some sample downstream PRs?

Hard to verify from review that signatures remain compatible. siom79/japicmp#266 would be helpful.

[jglick]

Note that this will cause a change of behavior even without changing any clients. Not much we can do about that; one of the tricky aspects of JEP-222 was providing compatibility for exception types. I updated at least the standard handlers to accept either the Acegi or Spring Security versions, and automatically proxied from some other methods.

[rsandell]

checkPermission2(..)?

[rsandell]

Perhaps some unit tests could be left as is/duplicated to test that the backwards compatible code works?

[jglick]

Fine I think. Any downstream PRs showing the new APIs off in context?

[Vlatombe]

Any downstream PRs showing the new APIs off in context?

Filed a few including usage and implementation of CredentialsProvider

• jep-227 downstream usage credentials-binding-plugin#280
• jep-227 downstream usage kubernetes-plugin#1458
• jep-227 downstream usage ssh-agents-plugin#446
• jep-227 downstream usage cloudbees-folder-plugin#357
• Use Spring security API instead of Acegi security git-plugin#1520

[jtnord]

haven't really checked the code, but all the documentation needs to be updated too.

[jglick]

Nice, seems clearer and avoids the …2 naming pattern.

(The native English speaker in me wants lookup used as a verb to be replaced by lookUp but there is precedent in ExtensionList etc. Anyway I have to suppress my spelling emotions as a Java developer after Cloneable [sic]!)

[jglick]

Completely forgot I filed this seven years ago. @AncestorInPath ModelObject context would be convenient sometimes I guess, though having explicit methods for distinct types of context as you have here is probably clearer.

[michelzanini]

Just so you know after this PR was merged a new release was created 305.v04f5ec1f3743 my Jenkins updated and immediately no builds are working anymore. This is the error:

java.lang.AbstractMethodError: Implement getCredentialsInItemGroup
	at com.cloudbees.plugins.credentials.CredentialsProvider.getCredentialsInItemGroup(CredentialsProvider.java:1193)
	at com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentialsInItemGroup(CredentialsProvider.java:389)
	at com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentialsInItem(CredentialsProvider.java:544)
	at com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials(CredentialsProvider.java:517)
	at org.jenkinsci.plugins.github_branch_source.Connector.lookupScanCredentials(Connector.java:300)
	at org.jenkinsci.plugins.github_branch_source.GitHubSCMSource.retrieve(GitHubSCMSource.java:1636)
	at jenkins.scm.api.SCMSource.fetch(SCMSource.java:581)
	at org.jenkinsci.plugins.workflow.multibranch.SCMBinder.create(SCMBinder.java:99)
	at org.jenkinsci.plugins.workflow.job.WorkflowRun.run(WorkflowRun.java:311)
	at hudson.model.ResourceController.execute(ResourceController.java:101)
	at hudson.model.Executor.run(Executor.java:442)
Finished: FAILURE

[jglick]

@michelzanini are you using a special credentials provider by any chance? (Vault, K8s Secrets, etc.) At least the error message needs to mention the implementing class. Will probably just revert this as a hotfix while we study the cause.

[michelzanini]

Yes @jglick , Its actually the Github app credentials from Github Source Branch plugin.

[jglick]

I meant the type of provider, not the type of credentials. I.e., was this App credentials item stored in global credentials, folder credentials, user credentials, Vault, etc.

[michelzanini]

Ah ok, its the default "System" global credentials (nothing special about it):

The part where the problem happens is on a multi-branch pipeline with Github Source for Git and then this credentials select for branch discovery.

[jglick]

Strange,

credentials-plugin/src/main/java/com/cloudbees/plugins/credentials/CredentialsProvider.java

Lines 1186 to 1193 in 04f5ec1

	public <C extends Credentials> List<C> getCredentialsInItemGroup(@NonNull Class<C> type,
	@Nullable ItemGroup itemGroup,
	@Nullable Authentication authentication,
	@NonNull List<DomainRequirement> domainRequirements) {
	if (Util.isOverridden(CredentialsProvider.class, getClass(), "getCredentials", Class.class, ItemGroup.class, org.acegisecurity.Authentication.class, List.class)) {
	return getCredentials(type, itemGroup, authentication == null ? null : org.acegisecurity.Authentication.fromSpring(authentication), domainRequirements);
	}
	throw new AbstractMethodError("Implement getCredentialsInItemGroup");

is indeed overridden in

credentials-plugin/src/main/java/com/cloudbees/plugins/credentials/SystemCredentialsProvider.java

Lines 425 to 428 in 04f5ec1

	@Override
	public <C extends Credentials> List<C> getCredentialsInItemGroup(@NonNull Class<C> type, @Nullable ItemGroup itemGroup,
	@Nullable Authentication authentication,
	@NonNull List<DomainRequirement> domainRequirements) {

[jglick]

The originally abstract method lacked the List parameter, so I can imagine some other provider throwing an error?

[michelzanini]

org.acegisecurity.Authentication.class

Can it be that method "isOverridden" is checking for "org.acegisecurity.Authentication.class" and the impl method is using "org.springframework.security.core.Authentication" for the Authentication argument?

if (Util.isOverridden(CredentialsProvider.class, getClass(), "getCredentials", Class.class, ItemGroup.class, org.acegisecurity.Authentication.class, List.class)) { 

[jglick]

I do not think so, the point is that the old deprecated method was using org.acegisecurity.Authentication while the new method uses org.springframework.security.core.Authentication.

[jglick]

@michelzanini can you retest against https://github.com/jenkinsci/credentials-plugin/releases/tag/1307.v3757c78f17c3 please? If it is not on the update center yet (typically takes 20m or so), you can also just install https://repo.jenkins-ci.org/incrementals/org/jenkins-ci/plugins/credentials/1306.vfa_6a_01a_8028d/credentials-1306.vfa_6a_01a_8028d.hpi from the Advanced tab seems to be there.

[jglick]

FWIW I ran 2.414.3, installed github-branch-source and Pipeline plugins, created GH App credentials in the system store, created a multibranch project, and ran it, and it worked fine with both 1305 & 1307. So I have no hypothesis as to the trigger condition for that error.

[michelzanini]

This is working now with 1307.v3757c78f17c3. I didn't get the exception :) Thanks!