jenkinsci · rsandell · Nov 17, 2020 · Jul 31, 2020 · Jul 31, 2020 · Aug 24, 2020
@@ -25,7 +25,7 @@
 
   <properties>
     <apacheds.version>2.0.0.AM25</apacheds.version>
-    <jenkins.version>2.235.3</jenkins.version>
+    <jenkins.version>2.251-SNAPSHOT</jenkins.version> <!-- TODO https://github.com/jenkinsci/jenkins/pull/4848 -->
     <java.level>8</java.level>
     <configuration-as-code.version>1.36</configuration-as-code.version>
   </properties>
@@ -50,59 +50,9 @@
   </pluginRepositories>
 
   <dependencies>
-    <dependency> <!-- for compatibility with https://github.com/jenkinsci/jenkins/pull/4848 -->
-      <groupId>org.acegisecurity</groupId>
-      <artifactId>acegi-security</artifactId>
-      <version>1.0.7</version>
-      <exclusions>
-        <exclusion>
-          <groupId>commons-codec</groupId>
-          <artifactId>commons-codec</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>commons-collections</groupId>
-          <artifactId>commons-collections</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>commons-lang</groupId>
-          <artifactId>commons-lang</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>org.springframework</groupId>
-          <artifactId>spring-core</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>org.springframework</groupId>
-          <artifactId>spring-jdbc</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>org.springframework</groupId>
-          <artifactId>spring-remoting</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>org.springframework</groupId>
-          <artifactId>spring-support</artifactId>
-        </exclusion>
-      </exclusions>
-    </dependency>
     <dependency>
-      <groupId>org.springframework</groupId>
-      <artifactId>spring-dao</artifactId>
-      <version>1.2.9</version>
-      <exclusions>
-        <exclusion>
-          <groupId>org.springframework</groupId>
-          <artifactId>spring-beans</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>org.springframework</groupId>
-          <artifactId>spring-context</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>org.springframework</groupId>
-          <artifactId>spring-core</artifactId>
-        </exclusion>
-      </exclusions>
+      <groupId>org.springframework.security</groupId>
+      <artifactId>spring-security-ldap</artifactId>
     </dependency>
     <dependency>
       <groupId>org.jenkins-ci.plugins</groupId>

@@ -21,13 +21,14 @@
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
  * THE SOFTWARE.
  */
-package org.acegisecurity.providers.ldap.authenticator;
-
-import org.acegisecurity.ldap.InitialDirContextFactory;
-import org.acegisecurity.userdetails.ldap.LdapUserDetails;
+package jenkins.security.plugins.ldap;
 
 import java.util.logging.Logger;
 import java.util.logging.Level;
+import org.springframework.ldap.core.DirContextOperations;
+import org.springframework.ldap.core.support.BaseLdapPathContextSource;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.ldap.authentication.BindAuthenticator;
 
 /**
  * {@link BindAuthenticator} with improved diagnostics.
@@ -40,19 +41,19 @@ public class BindAuthenticator2 extends BindAuthenticator {
      */
     private boolean hadSuccessfulAuthentication;
 
-    public BindAuthenticator2(InitialDirContextFactory initialDirContextFactory) {
-        super(initialDirContextFactory);
+    public BindAuthenticator2(BaseLdapPathContextSource contextSource) {
+        super(contextSource);
     }
 
     @Override
-    public LdapUserDetails authenticate(String username, String password) {
-        LdapUserDetails user = super.authenticate(username, password);
+    public DirContextOperations authenticate(Authentication authentication) {
+        DirContextOperations operations = super.authenticate(authentication);
         hadSuccessfulAuthentication = true;
-        return user;
+        return operations;
     }
 
     @Override
-    void handleBindException(String userDn, String username, Throwable cause) {
+    protected void handleBindException(String userDn, String username, Throwable cause) {
         LOGGER.log(hadSuccessfulAuthentication? Level.FINE : Level.WARNING,
             "Failed to bind to LDAP: userDn"+userDn+"  username="+username,cause);
         super.handleBindException(userDn, username, cause);

@@ -25,6 +25,7 @@
 
 import hudson.Extension;
 import hudson.security.LDAPSecurityRealm;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.Set;
 import java.util.TreeSet;
@@ -35,13 +36,12 @@
 import javax.naming.NamingException;
 import javax.naming.directory.Attributes;
 import javax.naming.ldap.LdapName;
-import org.acegisecurity.GrantedAuthority;
-import org.acegisecurity.ldap.LdapEntryMapper;
-import org.acegisecurity.providers.ldap.LdapAuthoritiesPopulator;
-import org.acegisecurity.userdetails.ldap.LdapUserDetails;
 import org.apache.commons.lang.StringUtils;
 import org.kohsuke.stapler.DataBoundConstructor;
-import org.springframework.dao.DataAccessException;
+import org.springframework.ldap.core.DirContextOperations;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.ldap.LdapUtils;
+import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
 
 /**
  * Traditional strategy.
@@ -77,15 +77,15 @@ public void setAuthoritiesPopulator(LdapAuthoritiesPopulator authoritiesPopulato
     }
 
     @Override
-    public GrantedAuthority[] getGrantedAuthorities(LdapUserDetails ldapUser) {
-        return getAuthoritiesPopulator().getGrantedAuthorities(ldapUser);
+    public Collection<? extends GrantedAuthority> getGrantedAuthorities(DirContextOperations userData, String username) {
+        return getAuthoritiesPopulator().getGrantedAuthorities(userData, username);
     }
 
     @Override
-    public Set<String> getGroupMembers(String groupDn, LDAPConfiguration conf) throws DataAccessException {
+    public Set<String> getGroupMembers(String groupDn, LDAPConfiguration conf) {
         LDAPExtendedTemplate template = conf.getLdapTemplate();
         String[] memberAttributes = { "member", "uniqueMember", "memberUid" };
-        return (Set<String>) template.retrieveEntry(groupDn, new GroupMembersMapper(), memberAttributes);
+        return template.executeReadOnly(ctx -> new GroupMembersMapper().mapAttributes(groupDn, ctx.getAttributes(LdapUtils.getRelativeName(groupDn, ctx), memberAttributes)));
     }
 
     @Extension
@@ -100,7 +100,7 @@ public String getDisplayName() {
     /**
      * Maps member attributes in groups to a set of member names.
      */
-    private static class GroupMembersMapper implements LdapEntryMapper {
+    private static class GroupMembersMapper implements LdapEntryMapper<Set<String>> {
         @Override
         public Set<String> mapAttributes(String dn, Attributes attributes) throws NamingException {
             NamingEnumeration<?> enumeration;

@@ -26,26 +26,25 @@
 import hudson.Extension;
 import hudson.security.LDAPSecurityRealm;
 import java.util.Set;
-import org.acegisecurity.GrantedAuthority;
-import org.acegisecurity.GrantedAuthorityImpl;
-import org.acegisecurity.ldap.LdapEntryMapper;
-import org.acegisecurity.userdetails.ldap.LdapUserDetails;
 import org.apache.commons.lang.StringUtils;
 import org.kohsuke.stapler.DataBoundConstructor;
-import org.springframework.dao.DataAccessException;
 
 import javax.naming.InvalidNameException;
 import javax.naming.NamingException;
 import javax.naming.directory.Attribute;
 import javax.naming.directory.Attributes;
 import javax.naming.ldap.LdapName;
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
 import java.util.logging.Level;
 import java.util.logging.LogRecord;
 import java.util.logging.Logger;
+import org.springframework.ldap.core.DirContextOperations;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
 
 /**
  * This strategy is rumoured to work for Active Directory!
@@ -67,9 +66,9 @@ public String getAttributeName() {
     }
 
     @Override
-    public GrantedAuthority[] getGrantedAuthorities(LdapUserDetails ldapUser) {
+    public Collection<? extends GrantedAuthority> getGrantedAuthorities(DirContextOperations userData, String username) {
         List<GrantedAuthority> result = new ArrayList<GrantedAuthority>();
-        Attributes attributes = ldapUser.getAttributes();
+        Attributes attributes = userData.getAttributes();
         final String attributeName = getAttributeName();
         Attribute attribute = attributes == null ? null : attributes.get(attributeName);
         if (attribute != null) {
@@ -82,7 +81,7 @@ public GrantedAuthority[] getGrantedAuthorities(LdapUserDetails ldapUser) {
                     } catch (InvalidNameException e) {
                         LOGGER.log(Level.FINEST, "Expected a Group DN but found: {0}", groupName);
                     }
-                    result.add(new GrantedAuthorityImpl(groupName));
+                    result.add(new SimpleGrantedAuthority(groupName));
                 }
             } catch (NamingException e) {
                 LogRecord lr = new LogRecord(Level.FINE,
@@ -102,37 +101,37 @@ public GrantedAuthority[] getGrantedAuthorities(LdapUserDetails ldapUser) {
                     String role = ga.getAuthority();
 
                     // backward compatible name mangling
-                    if (authoritiesPopulatorImpl.isConvertToUpperCase()) {
+                    if (authoritiesPopulatorImpl._isConvertToUpperCase()) {
                         role = role.toUpperCase();
                     }
-                    GrantedAuthorityImpl extraAuthority = new GrantedAuthorityImpl(
-                            authoritiesPopulatorImpl.getRolePrefix() + role);
+                    GrantedAuthority extraAuthority = new SimpleGrantedAuthority(
+                            authoritiesPopulatorImpl._getRolePrefix() + role);
                     result.add(extraAuthority);
                 }
             }
-            result.addAll(authoritiesPopulatorImpl.getAdditionalRoles(ldapUser));
+            result.addAll(authoritiesPopulatorImpl.getAdditionalRoles(userData, /* TODO currently ignored anyway, but where does username come from? */null));
             GrantedAuthority defaultRole = authoritiesPopulatorImpl.getDefaultRole();
             if (defaultRole != null) {
                 result.add(defaultRole);
             }
         }
 
-        return result.toArray(new GrantedAuthority[result.size()]);
+        return result;
     }
 
     @Override
-    public Set<String> getGroupMembers(String groupDn, LDAPConfiguration conf) throws DataAccessException {
+    public Set<String> getGroupMembers(String groupDn, LDAPConfiguration conf) {
         LDAPExtendedTemplate template = conf.getLdapTemplate();
         String searchBase = conf.getUserSearchBase() != null ? conf.getUserSearchBase() : "";
         String[] filterArgs = { getAttributeName(), groupDn };
-        return new HashSet<>((List<String>)template.searchForAllEntries(searchBase, USER_SEARCH_FILTER,
+        return new HashSet<>(template.searchForAllEntries(searchBase, USER_SEARCH_FILTER,
                 filterArgs, new String[]{}, new UserRecordMapper()));
     }
 
     /**
      * Maps users records to names.
      */
-    private static class UserRecordMapper implements LdapEntryMapper {
+    private static class UserRecordMapper implements LdapEntryMapper<String> {
         @Override
         public String mapAttributes(String dn, Attributes attributes) throws NamingException {
             LdapName name = new LdapName(dn);