From fcf8b7721a146e9adcc9d8bf68c88ddc5ed05e52 Mon Sep 17 00:00:00 2001 From: Sam Palmer Date: Sat, 27 Nov 2021 01:59:26 +0000 Subject: [PATCH] [JENKINS-34835] Authorities from team slug (#124) * [JENKINS-34835] Use team slug for authorities if set PR #116 loads the team based on the slug if it's available but the authorities list is still using the team name. This means that you can set the team in the matrix in global security but you will then be denied access because the authorities list uses the team name. You can see this if you go to /whoAmI The team name is shown against the user. * [JENKINS-34835] Add slug to teams The GithubAuthenticationToken constructor now uses the github team slug if it's set. I've updated the tests so the slug is set here as well. --- .../plugins/GithubAuthenticationToken.java | 4 ++- .../GithubAccessTokenPropertyTest.java | 25 +++++++++++++------ 2 files changed, 21 insertions(+), 8 deletions(-) diff --git a/src/main/java/org/jenkinsci/plugins/GithubAuthenticationToken.java b/src/main/java/org/jenkinsci/plugins/GithubAuthenticationToken.java index 8c955a16..24d13141 100644 --- a/src/main/java/org/jenkinsci/plugins/GithubAuthenticationToken.java +++ b/src/main/java/org/jenkinsci/plugins/GithubAuthenticationToken.java @@ -241,8 +241,10 @@ public GithubAuthenticationToken(final String accessToken, final String githubSe LOGGER.log(Level.FINE, "Fetch teams for user " + userName + " in organization " + orgLogin); authorities.add(new GrantedAuthorityImpl(orgLogin)); for (GHTeam team : teamEntry.getValue()) { + String teamIdentifier = team.getSlug() == null ? team.getName() : team.getSlug(); + authorities.add(new GrantedAuthorityImpl(orgLogin + GithubOAuthGroupDetails.ORG_TEAM_SEPARATOR - + team.getName())); + + teamIdentifier)); } } } diff --git a/src/test/java/org/jenkinsci/plugins/GithubAccessTokenPropertyTest.java b/src/test/java/org/jenkinsci/plugins/GithubAccessTokenPropertyTest.java index 894ff7f5..e43a1082 100644 
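Review bot: The `teamIdentifier` ternary falls back to the display name when `getSlug()` returns null, so slugs and names both feed the same `orgLogin + ORG_TEAM_SEPARATOR + …` authority string that the authorization matrix matches on. If a slug were ever missing, a team whose name equals another team's slug would receive that team's authority. Whether the API can omit the slug is not visible here, so the choice deserves a comment above the line, e.g. `// slug is the unique, URL-safe team id; name is only a fallback when no slug is returned`. The switch also means matrix entries written with the display name will presumably stop matching after upgrade, which is worth a changelog line so admins can re-check permissions via /whoAmI. The constructor starts and ends outside the hunk.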
--- a/src/test/java/org/jenkinsci/plugins/GithubAccessTokenPropertyTest.java +++ b/src/test/java/org/jenkinsci/plugins/GithubAccessTokenPropertyTest.java @@ -50,6 +50,7 @@ import java.net.URL; import java.util.ArrayList; import java.util.Arrays; +import java.util.Collections; import java.util.HashMap; import java.util.HashSet; import java.util.List; @@ -104,7 +105,7 @@ public void setupMockGithubServer() throws Exception { private static class MockGithubServlet extends DefaultServlet { private String currentLogin; private List organizations; - private List teams; + private List> teams; private JenkinsRule jenkinsRule; private URI serverUri; @@ -210,12 +211,14 @@ private void onTeamMember(HttpServletRequest req, HttpServletResponse resp, Stri private void onOrgsTeam(HttpServletRequest req, HttpServletResponse resp, final String orgName) throws IOException { List> responseBody = new ArrayList<>(); - for (String teamName : teams) { - final String teamName_ = teamName; + for (Map team : teams) { + final String teamName_ = team.get("name"); + final String slug = team.get("slug"); responseBody.add(new HashMap() {{ put("id", 7); put("login", teamName_ + "_login"); put("name", teamName_); + put("slug", slug); put("organization", new HashMap() {{ put("login", orgName); }}); @@ -227,11 +230,13 @@ private void onOrgsTeam(HttpServletRequest req, HttpServletResponse resp, final private void onUserTeams(HttpServletRequest req, HttpServletResponse resp) throws IOException { List> responseBody = new ArrayList<>(); - for (String teamName : teams) { - final String teamName_ = teamName; + for (Map team : teams) { + final String teamName_ = team.get("name"); + final String slug = team.get("slug"); responseBody.add(new HashMap() {{ put("login", teamName_ + "_login"); put("name", teamName_); + put("slug", slug); put("organization", new HashMap() {{ put("login", organizations.get(0)); }}); 
@@ -293,7 +298,10 @@ public void testUsingGithubToken() throws IOException { String aliceLogin = "alice"; servlet.currentLogin = aliceLogin; servlet.organizations = Collections.singletonList("org-a"); - servlet.teams = Collections.singletonList("team-b"); + Map team = new HashMap<>(); + team.put("slug", "team-b"); + team.put("name", "Team D"); + servlet.teams = Collections.singletonList(team); User aliceUser = User.getById(aliceLogin, true); String aliceApiRestToken = aliceUser.getProperty(ApiTokenProperty.class).getApiToken(); @@ -321,7 +329,10 @@ public void testUsingGithubLogin() throws IOException { String bobLogin = "bob"; servlet.currentLogin = bobLogin; servlet.organizations = Collections.singletonList("org-c"); - servlet.teams = Collections.singletonList("team-d"); + Map team = new HashMap<>(); + team.put("slug", "team-d"); + team.put("name", "Team D"); + servlet.teams = Collections.singletonList(team); User bobUser = User.getById(bobLogin, true); String bobApiRestToken = bobUser.getProperty(ApiTokenProperty.class).getApiToken();
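Review bot: The fixture in testUsingGithubToken pairs slug `team-b` with name `Team D`, which reads like a copy from testUsingGithubLogin. Changing it to `team.put("name", "Team B");` would keep the two fixtures distinct, so a failing assertion names the right team. The same map construction is repeated in the testUsingGithubLogin hunk, and a small private helper in the test class that takes slug and name and returns the map would remove the duplication. Both test methods continue outside their hunks.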
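Review bot: Neither fixture leaves out the slug, so the name fallback added in GithubAuthenticationToken has no test; both this hunk and the testUsingGithubToken hunk always call `team.put("slug", …)`. A third case that omits the key, so the mock servlet emits no slug value, and then asserts the authority built from the name would pin the fallback and catch a later change that drops it. The assertions of the existing tests lie outside the hunk, so it cannot be confirmed from here that they check the slug-based authority string rather than only the login.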