|
|
@@ -33,16 +33,21 @@ of this software and associated documentation files (the "Software"), to deal |
|
|
import com.thoughtworks.xstream.io.HierarchicalStreamReader; |
|
|
import com.thoughtworks.xstream.io.HierarchicalStreamWriter; |
|
|
import hudson.Extension; |
|
|
import hudson.FilePath; |
|
|
import hudson.ProxyConfiguration; |
|
|
import hudson.Util; |
|
|
import hudson.cli.CLICommand; |
|
|
import hudson.model.Descriptor; |
|
|
import hudson.model.User; |
|
|
import hudson.security.AbstractPasswordBasedSecurityRealm; |
|
|
import hudson.security.CliAuthenticator; |
|
|
import hudson.security.GroupDetails; |
|
|
import hudson.security.SecurityRealm; |
|
|
import hudson.security.UserMayOrMayNotExistException; |
|
|
import hudson.tasks.Mailer; |
|
|
import hudson.util.Secret; |
|
|
import jenkins.model.Jenkins; |
|
|
import jenkins.security.MasterToSlaveCallable; |
|
|
import jenkins.security.SecurityListener; |
|
|
import org.acegisecurity.Authentication; |
|
|
import org.acegisecurity.AuthenticationException; |
|
|
@@ -64,6 +69,7 @@ of this software and associated documentation files (the "Software"), to deal |
|
|
import org.apache.http.impl.client.HttpClients; |
|
|
import org.apache.http.util.EntityUtils; |
|
|
import org.jfree.util.Log; |
|
|
import org.kohsuke.args4j.Option; |
|
|
import org.kohsuke.github.GHEmail; |
|
|
import org.kohsuke.github.GHMyself; |
|
|
import org.kohsuke.github.GHOrganization; |
|
|
@@ -77,15 +83,16 @@ of this software and associated documentation files (the "Software"), to deal |
|
|
import org.springframework.dao.DataAccessException; |
|
|
import org.springframework.dao.DataRetrievalFailureException; |
|
|
|
|
|
import javax.annotation.Nonnull; |
|
|
import javax.annotation.Nullable; |
|
|
import java.io.Console; |
|
|
import java.io.IOException; |
|
|
import java.net.InetSocketAddress; |
|
|
import java.net.Proxy; |
|
|
import java.util.Arrays; |
|
|
import java.util.HashSet; |
|
|
import java.util.Set; |
|
|
import java.util.logging.Logger; |
|
|
import javax.annotation.Nonnull; |
|
|
import javax.annotation.Nullable; |
|
|
|
|
|
/** |
|
|
* |
|
|
@@ -95,7 +102,7 @@ of this software and associated documentation files (the "Software"), to deal |
|
|
* This is based on the MySQLSecurityRealm from the mysql-auth-plugin written by |
|
|
* Alex Ackerman. |
|
|
*/ |
|
|
public class GithubSecurityRealm extends SecurityRealm implements UserDetailsService { |
|
|
public class GithubSecurityRealm extends AbstractPasswordBasedSecurityRealm implements UserDetailsService { |
|
|
private static final String DEFAULT_WEB_URI = "https://github.com"; |
|
|
private static final String DEFAULT_API_URI = "https://api.github.com"; |
|
|
private static final String DEFAULT_ENTERPRISE_API_SUFFIX = "/api/v3"; |
|
|
@@ -485,6 +492,57 @@ public UserDetails loadUserByUsername(String username) |
|
|
}); |
|
|
} |
|
|
|
|
|
@Override |
|
|
protected GithubOAuthUserDetails authenticate(String username, String password) throws AuthenticationException { |
|
|
try { |
|
|
GithubAuthenticationToken github = new GithubAuthenticationToken(password, getGithubApiUri()); |
|
|
if(username.equals(github.getPrincipal())) { |
|
|
SecurityContextHolder.getContext().setAuthentication(github); |
|
|
return github.getUserDetails(username); |
|
|
} |
|
|
} catch (IOException e) { |
|
|
throw new RuntimeException(e); |
|
|
} |
|
|
throw new BadCredentialsException("Invalid GitHub username or personal access token: " + username); |
|
|
} |
|
|
|
|
|
@Override |
|
|
public CliAuthenticator createCliAuthenticator(final CLICommand command) { |
|
|
return new CliAuthenticator() { |
|
|
@Option(name="--username",usage="GitHub username to authenticate yourself to Jenkins.") |
|
|
public String userName; |
|
|
|
|
|
@Option(name="--password",usage="GitHub personal access token. Note that passing a password in arguments is insecure.") |
|
|
public String password; |
|
|
|
|
|
@Option(name="--password-file",usage="File that contains the personal access token.") |
|
|
public String passwordFile; |
|
|
|
|
|
public Authentication authenticate() throws AuthenticationException, IOException, InterruptedException { |
|
|
if(userName == null) { |
|
|
//return command.getTransportAuthentication(); // no authentication parameter. fallback to the transport |
|
|
return Jenkins.ANONYMOUS; |
|
|
} |
|
|
if(passwordFile != null) { |
|
|
try { |
|
|
password = new FilePath(command.channel, passwordFile).readToString().trim(); |
|
|
} catch (IOException e) { |
|
|
throw new BadCredentialsException("Failed to read " + passwordFile, e); |
|
|
} |
|
|
} |
|
|
if(password == null) { |
|
|
password = command.channel.call(new InteractivelyAskForPassword()); |
|
|
} |
|
|
|
|
|
if(password == null) { |
|
|
throw new BadCredentialsException("No GitHub personal access token specified."); |
|
|
} |
|
|
GithubSecurityRealm.this.authenticate(userName, password); |
|
|
return new GithubAuthenticationToken(password, getGithubApiUri()); |
|
|
} |
|
|
}; |
|
|
} |
|
|
|
|
|
@Override |
|
|
public String getLoginUrl() { |
|
|
return "securityRealm/commenceLogin"; |
|
|
@@ -686,4 +744,22 @@ static Jenkins getJenkins() { |
|
|
private static final Logger LOGGER = Logger.getLogger(GithubSecurityRealm.class.getName()); |
|
|
|
|
|
private static final String REFERER_ATTRIBUTE = GithubSecurityRealm.class.getName()+".referer"; |
|
|
|
|
|
/** |
|
|
* Asks for the password. |
|
|
*/ |
|
|
private static class InteractivelyAskForPassword extends MasterToSlaveCallable<String,IOException> { |
|
|
public String call() throws IOException { |
|
|
Console console = System.console(); |
|
|
if(console == null) { |
|
|
return null; // no terminal |
|
|
} |
|
|
char[] w = console.readPassword("GitHub Personal Access Token: "); |
|
|
if(w==null) { |
|
|
return null; |
|
|
} |
|
|
return new String(w); |
|
|
} |
|
|
private static final long serialVersionUID = 1L; |
|
|
} |
|
|
} |
