From 0646c4a0a962d1dd3f6a68349e643fbd70bea945 Mon Sep 17 00:00:00 2001
From: Wadeck Follonier
Date: Wed, 1 Nov 2023 17:42:28 +0100
Subject: [PATCH] [JENKINS-72268] Missing permission due to desync with cache (#256)
* [JENKINS-72268] Ensure "gh" is present In case of impersonation the gh variable and the usersByTokenCache could be de-sync, leading to token not able to connect. Could be related to JENKINS-72209 as well.
* Fix an exception when the authentication token is not exactly which is expected from the plugin
---
 .../jenkinsci/plugins/GithubAuthenticationToken.java | 3 +++
 .../org/jenkinsci/plugins/GithubSecurityRealm.java | 11 ++++++++---
 2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/main/java/org/jenkinsci/plugins/GithubAuthenticationToken.java b/src/main/java/org/jenkinsci/plugins/GithubAuthenticationToken.java
index 0a997f45..28462fe4 100644
--- a/src/main/java/org/jenkinsci/plugins/GithubAuthenticationToken.java
+++ b/src/main/java/org/jenkinsci/plugins/GithubAuthenticationToken.java
@@ -504,6 +504,9 @@ private GHMyself loadMyself(@NonNull String token) throws IOException {
 // Also stick into usersByIdCache (to have latest copy)
 String username = ghMyself.getLogin();
 usersByIdCache.put(username, new GithubUser(ghMyself));
+ } else {
+ // force creation of the gh variable, esp. in case of impersonation
+ getGitHub();
 }
 } catch (IOException e) {
 LOGGER.log(Level.INFO, e.getMessage(), e);
diff --git a/src/main/java/org/jenkinsci/plugins/GithubSecurityRealm.java b/src/main/java/org/jenkinsci/plugins/GithubSecurityRealm.java
index 803fd1c5..a55abed5 100644
--- a/src/main/java/org/jenkinsci/plugins/GithubSecurityRealm.java
+++ b/src/main/java/org/jenkinsci/plugins/GithubSecurityRealm.java
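Review bot: The new `else` branch in `loadMyself` calls `getGitHub()` only for its side effect and discards the result, and it sits inside the `try` whose `catch (IOException e)` logs just `e.getMessage()` at INFO. If building the client can fail with an IOException (not visible here), the impersonation case this commit targets would end with `gh` still unset and a log entry indistinguishable from a failed user lookup, so later permission checks would fail without a clear cause. Consider stating the invariant in the comment, for example `// ghMyself came from the cache, so gh may not exist yet on this token instance; getGitHub() creates it`. The `if` that this `else` pairs with lies outside the hunk, so which condition selects this path should be confirmed against the full method.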
@@ -753,10 +753,15 @@ public int hashCode() { @Override public GroupDetails loadGroupByGroupname(String groupName) throws UsernameNotFoundException, DataAccessException { - GithubAuthenticationToken authToken = (GithubAuthenticationToken) SecurityContextHolder.getContext().getAuthentication(); - - if(authToken == null) + Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); + if (authentication == null) { throw new UsernameNotFoundException("No known group: " + groupName); + } + if (!(authentication instanceof GithubAuthenticationToken)) { + throw new UserMayOrMayNotExistException("The received token is not a GitHub one"); + } + + GithubAuthenticationToken authToken = (GithubAuthenticationToken) authentication; try { int idx = groupName.indexOf(GithubOAuthGroupDetails.ORG_TEAM_SEPARATOR);
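Review bot: The new `UserMayOrMayNotExistException` message in `loadGroupByGroupname` names neither the group nor the kind of authentication that was rejected, whereas the `UsernameNotFoundException` just above it includes `groupName`. When group-based authorization fails for a non-GitHub session (the commit message mentions impersonation), that detail is what separates it from a misconfigured realm, and a non-secret class name is enough: `throw new UserMayOrMayNotExistException("Cannot resolve group " + groupName + ": " + authentication.getClass().getName() + " is not a GitHub token");`. The null branch still reports a definite "No known group" even though the realm cannot tell in that case either, so the two branches may deserve the same exception type. The method body continues past the end of the hunk.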