Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[JEP-227][JENKINS-39324] Replace Acegi Security with Spring Security APIs #490

Merged
merged 13 commits into from
Oct 27, 2023

Conversation

Vlatombe
Copy link
Member

@Vlatombe Vlatombe commented Oct 23, 2023

This is the implementation of
jenkinsci/jenkins#4848 for Credentials API.

cf. https://github.com/jenkinsci/jep/blob/31859bedd4594df528428ccc737117b44b786fce/jep/227/README.adoc

This will allow consumers of the credentials API to remove references to deprecated acegi APIs.

Some overloads methods were renamed in order to avoid the ambiguous signatures involving Item and ItemGroup.

For example, lookupCredentials become lookupCredentialsInItem and lookupCredentialsInItemGroup.

cc @jglick

Testing done

Submitter checklist

Preview Give feedback

This is the implementation of
jenkinsci/jenkins#4848 for Credentials API. This
will allow consumers of the credentials API to remove references to
deprecated acegi APIs.
@Vlatombe Vlatombe requested a review from a team as a code owner October 23, 2023 08:24
@Vlatombe Vlatombe marked this pull request as draft October 23, 2023 09:10
Copy link
Member

@jglick jglick left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good overall, and long overdue.

Is there a reason this is still in draft—are you planning to create some sample downstream PRs?

Hard to verify from review that signatures remain compatible. siom79/japicmp#266 would be helpful.

Comment on lines -204 to +225
if (!hasPermission(a, p)) {
throw new AccessDeniedException2(a, p);
Authentication a = Jenkins.getAuthentication2();
if (!hasPermission2(a, p)) {
throw new AccessDeniedException3(a, p);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that this will cause a change of behavior even without changing any clients. Not much we can do about that; one of the tricky aspects of JEP-222 was providing compatibility for exception types. I updated at least the standard handlers to accept either the Acegi or Spring Security versions, and automatically proxied from some other methods.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

checkPermission2(..)?

@Vlatombe Vlatombe marked this pull request as ready for review October 24, 2023 07:48
Copy link
Member

@rsandell rsandell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps some unit tests could be left as is/duplicated to test that the backwards compatible code works?

Copy link
Member

@jglick jglick left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fine I think. Any downstream PRs showing the new APIs off in context?

@Vlatombe
Copy link
Member Author

Any downstream PRs showing the new APIs off in context?

Filed a few including usage and implementation of CredentialsProvider

@jtnord
Copy link
Member

jtnord commented Oct 26, 2023

haven't really checked the code, but all the documentation needs to be updated too.

@Vlatombe Vlatombe changed the title [JEP-227] Replace Acegi Security with Spring Security APIs [JEP-227][JENKINS-39324] Replace Acegi Security with Spring Security APIs Oct 26, 2023
Copy link
Member

@jglick jglick left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice, seems clearer and avoids the …2 naming pattern.

(The native English speaker in me wants lookup used as a verb to be replaced by lookUp but there is precedent in ExtensionList etc. Anyway I have to suppress my spelling emotions as a Java developer after Cloneable [sic]!)

====

There are currently two overloads, one taking `Item` as the context and the other taking `ItemGroup` as the context, the other parameters are otherwise identical.

NOTE: A current RFE https://issues.jenkins-ci.org/browse/JENKINS-39324[JENKINS-39324] is looking to replace overloaded methods with a single method taking the more generic `ModelObject`.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Completely forgot I filed this seven years ago. @AncestorInPath ModelObject context would be convenient sometimes I guess, though having explicit methods for distinct types of context as you have here is probably clearer.

@jglick jglick requested a review from jtnord October 27, 2023 12:10
@jglick jglick requested a review from rsandell October 27, 2023 12:17
@jglick jglick merged commit 04f5ec1 into jenkinsci:master Oct 27, 2023
13 checks passed
@michelzanini
Copy link

Just so you know after this PR was merged a new release was created 305.v04f5ec1f3743 my Jenkins updated and immediately no builds are working anymore. This is the error:

java.lang.AbstractMethodError: Implement getCredentialsInItemGroup
	at com.cloudbees.plugins.credentials.CredentialsProvider.getCredentialsInItemGroup(CredentialsProvider.java:1193)
	at com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentialsInItemGroup(CredentialsProvider.java:389)
	at com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentialsInItem(CredentialsProvider.java:544)
	at com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials(CredentialsProvider.java:517)
	at org.jenkinsci.plugins.github_branch_source.Connector.lookupScanCredentials(Connector.java:300)
	at org.jenkinsci.plugins.github_branch_source.GitHubSCMSource.retrieve(GitHubSCMSource.java:1636)
	at jenkins.scm.api.SCMSource.fetch(SCMSource.java:581)
	at org.jenkinsci.plugins.workflow.multibranch.SCMBinder.create(SCMBinder.java:99)
	at org.jenkinsci.plugins.workflow.job.WorkflowRun.run(WorkflowRun.java:311)
	at hudson.model.ResourceController.execute(ResourceController.java:101)
	at hudson.model.Executor.run(Executor.java:442)
Finished: FAILURE

@jglick
Copy link
Member

jglick commented Oct 27, 2023

@michelzanini are you using a special credentials provider by any chance? (Vault, K8s Secrets, etc.) At least the error message needs to mention the implementing class. Will probably just revert this as a hotfix while we study the cause.

@michelzanini
Copy link

Yes @jglick , Its actually the Github app credentials from Github Source Branch plugin.

@jglick
Copy link
Member

jglick commented Oct 27, 2023

I meant the type of provider, not the type of credentials. I.e., was this App credentials item stored in global credentials, folder credentials, user credentials, Vault, etc.

@michelzanini
Copy link

michelzanini commented Oct 27, 2023

Ah ok, its the default "System" global credentials (nothing special about it):
Screenshot 2023-10-27 at 11 16 12
The part where the problem happens is on a multi-branch pipeline with Github Source for Git and then this credentials select for branch discovery.

@jglick
Copy link
Member

jglick commented Oct 27, 2023

Strange,

public <C extends Credentials> List<C> getCredentialsInItemGroup(@NonNull Class<C> type,
@Nullable ItemGroup itemGroup,
@Nullable Authentication authentication,
@NonNull List<DomainRequirement> domainRequirements) {
if (Util.isOverridden(CredentialsProvider.class, getClass(), "getCredentials", Class.class, ItemGroup.class, org.acegisecurity.Authentication.class, List.class)) {
return getCredentials(type, itemGroup, authentication == null ? null : org.acegisecurity.Authentication.fromSpring(authentication), domainRequirements);
}
throw new AbstractMethodError("Implement getCredentialsInItemGroup");
is indeed overridden in
@Override
public <C extends Credentials> List<C> getCredentialsInItemGroup(@NonNull Class<C> type, @Nullable ItemGroup itemGroup,
@Nullable Authentication authentication,
@NonNull List<DomainRequirement> domainRequirements) {

@jglick
Copy link
Member

jglick commented Oct 27, 2023

The originally abstract method lacked the List parameter, so I can imagine some other provider throwing an error?

@michelzanini
Copy link

michelzanini commented Oct 27, 2023

org.acegisecurity.Authentication.class

Can it be that method "isOverridden" is checking for "org.acegisecurity.Authentication.class" and the impl method is using "org.springframework.security.core.Authentication" for the Authentication argument?

if (Util.isOverridden(CredentialsProvider.class, getClass(), "getCredentials", Class.class, ItemGroup.class, org.acegisecurity.Authentication.class, List.class)) { 

@jglick
Copy link
Member

jglick commented Oct 27, 2023

I do not think so, the point is that the old deprecated method was using org.acegisecurity.Authentication while the new method uses org.springframework.security.core.Authentication.

@jglick
Copy link
Member

jglick commented Oct 27, 2023

@michelzanini can you retest against https://github.com/jenkinsci/credentials-plugin/releases/tag/1307.v3757c78f17c3 please? If it is not on the update center yet (typically takes 20m or so), you can also just install https://repo.jenkins-ci.org/incrementals/org/jenkins-ci/plugins/credentials/1306.vfa_6a_01a_8028d/credentials-1306.vfa_6a_01a_8028d.hpi from the Advanced tab seems to be there.

@jglick
Copy link
Member

jglick commented Oct 27, 2023

FWIW I ran 2.414.3, installed github-branch-source and Pipeline plugins, created GH App credentials in the system store, created a multibranch project, and ran it, and it worked fine with both 1305 & 1307. So I have no hypothesis as to the trigger condition for that error.

MarkEWaite added a commit to jenkinsci/bom that referenced this pull request Oct 27, 2023
MarkEWaite added a commit to jenkinsci/bom that referenced this pull request Oct 27, 2023
@michelzanini
Copy link

This is working now with 1307.v3757c78f17c3. I didn't get the exception :) Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants