-
Notifications
You must be signed in to change notification settings - Fork 245
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[JEP-227][JENKINS-39324] Replace Acegi Security with Spring Security APIs #490
Conversation
This is the implementation of jenkinsci/jenkins#4848 for Credentials API. This will allow consumers of the credentials API to remove references to deprecated acegi APIs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good overall, and long overdue.
Is there a reason this is still in draft—are you planning to create some sample downstream PRs?
Hard to verify from review that signatures remain compatible. siom79/japicmp#266 would be helpful.
src/main/java/com/cloudbees/plugins/credentials/CredentialsProvider.java
Outdated
Show resolved
Hide resolved
src/main/java/com/cloudbees/plugins/credentials/CredentialsProvider.java
Show resolved
Hide resolved
src/main/java/com/cloudbees/plugins/credentials/CredentialsProvider.java
Outdated
Show resolved
Hide resolved
src/main/java/com/cloudbees/plugins/credentials/CredentialsProvider.java
Outdated
Show resolved
Hide resolved
src/main/java/com/cloudbees/plugins/credentials/CredentialsProvider.java
Outdated
Show resolved
Hide resolved
src/main/java/com/cloudbees/plugins/credentials/CredentialsProvider.java
Outdated
Show resolved
Hide resolved
if (!hasPermission(a, p)) { | ||
throw new AccessDeniedException2(a, p); | ||
Authentication a = Jenkins.getAuthentication2(); | ||
if (!hasPermission2(a, p)) { | ||
throw new AccessDeniedException3(a, p); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note that this will cause a change of behavior even without changing any clients. Not much we can do about that; one of the tricky aspects of JEP-222 was providing compatibility for exception types. I updated at least the standard handlers to accept either the Acegi or Spring Security versions, and automatically proxied from some other methods.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
checkPermission2(..)
?
…cation) in favor of CredentialsProvider#getCredentials2(Class, ItemGroup, Authentication, List)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Perhaps some unit tests could be left as is/duplicated to test that the backwards compatible code works?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fine I think. Any downstream PRs showing the new APIs off in context?
Filed a few including usage and implementation of |
haven't really checked the code, but all the documentation needs to be updated too. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice, seems clearer and avoids the …2
naming pattern.
(The native English speaker in me wants lookup
used as a verb to be replaced by lookUp
but there is precedent in ExtensionList
etc. Anyway I have to suppress my spelling emotions as a Java developer after Cloneable
[sic]!)
==== | ||
|
||
There are currently two overloads, one taking `Item` as the context and the other taking `ItemGroup` as the context, the other parameters are otherwise identical. | ||
|
||
NOTE: A current RFE https://issues.jenkins-ci.org/browse/JENKINS-39324[JENKINS-39324] is looking to replace overloaded methods with a single method taking the more generic `ModelObject`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Completely forgot I filed this seven years ago. @AncestorInPath ModelObject context
would be convenient sometimes I guess, though having explicit methods for distinct types of context as you have here is probably clearer.
Just so you know after this PR was merged a new release was created
|
@michelzanini are you using a special credentials provider by any chance? (Vault, K8s |
Yes @jglick , Its actually the Github app credentials from Github Source Branch plugin. |
I meant the type of provider, not the type of credentials. I.e., was this App credentials item stored in global credentials, folder credentials, user credentials, Vault, etc. |
Strange, credentials-plugin/src/main/java/com/cloudbees/plugins/credentials/CredentialsProvider.java Lines 1186 to 1193 in 04f5ec1
credentials-plugin/src/main/java/com/cloudbees/plugins/credentials/SystemCredentialsProvider.java Lines 425 to 428 in 04f5ec1
|
The originally |
Can it be that method "isOverridden" is checking for "org.acegisecurity.Authentication.class" and the impl method is using "org.springframework.security.core.Authentication" for the Authentication argument?
|
I do not think so, the point is that the old deprecated method was using |
https://github.com/jenkinsci/credentials-plugin/releases/tag/1305.v04f5ec1f3743 notes that a regression is being investigated as reported in jenkinsci/credentials-plugin#490 (comment) jenkinsci/credentials-plugin#492 submitted to resolve the issue
…nsci#2617)" https://github.com/jenkinsci/credentials-plugin/releases/tag/1305.v04f5ec1f3743 notes that a regression is being investigated as reported in jenkinsci/credentials-plugin#490 (comment) jenkinsci/credentials-plugin#492 submitted to resolve the issue This reverts commit 2a4afc3.
@michelzanini can you retest against https://github.com/jenkinsci/credentials-plugin/releases/tag/1307.v3757c78f17c3 please? If it is not on the update center yet |
FWIW I ran 2.414.3, installed |
https://github.com/jenkinsci/credentials-plugin/releases/tag/1305.v04f5ec1f3743 notes that a regression is being investigated as reported in jenkinsci/credentials-plugin#490 (comment) jenkinsci/credentials-plugin#492 submitted to resolve the issue
https://github.com/jenkinsci/credentials-plugin/releases/tag/1305.v04f5ec1f3743 notes that a regression is being investigated as reported in jenkinsci/credentials-plugin#490 (comment) jenkinsci/credentials-plugin#492 submitted to resolve the issue This reverts commit 2a4afc3.
This is working now with |
This is the implementation of
jenkinsci/jenkins#4848 for Credentials API.
cf. https://github.com/jenkinsci/jep/blob/31859bedd4594df528428ccc737117b44b786fce/jep/227/README.adoc
This will allow consumers of the credentials API to remove references to deprecated acegi APIs.
Some overloads methods were renamed in order to avoid the ambiguous signatures involving
Item
andItemGroup
.For example,
lookupCredentials
becomelookupCredentialsInItem
andlookupCredentialsInItemGroup
.cc @jglick
Testing done
Submitter checklist