[JENKINS-55813] Consider the UserDetails attributes for validity#3866
[JENKINS-55813] Consider the UserDetails attributes for validity#3866Wadeck wants to merge 4 commits intojenkinsci:masterfrom
Conversation
Wadeck
added
the
work-in-progress
jvz
left a comment
jvz
left a comment
There was a problem hiding this comment.
Looks good overall, just want to make sure you're intentionally introducing new public APIs.
core/src/main/java/hudson/security/BasicAuthenticationFilter.java
Outdated
Show resolved
Hide resolved
core/src/main/java/hudson/security/BasicAuthenticationFilter.java
Outdated
Show resolved
Hide resolved
core/src/main/java/jenkins/security/BasicHeaderApiTokenAuthenticator.java
Outdated
Show resolved
Hide resolved
Co-Authored-By: Wadeck <Wadeck@users.noreply.github.com>
|
Waiting for @Wadeck to confirm this is actually not |
…icator.java Co-Authored-By: Wadeck <Wadeck@users.noreply.github.com>
|
@Wadeck gentle ping |
|
@batmat @oleg-nenashev As discussed with Baptiste internally, it's still work-in-progress, internal reference: FNDJEN-599 The remaining task is to determine other usage of the UserDetails that should require specific treatment like the one already present. |
jvz
left a comment
jvz
left a comment
There was a problem hiding this comment.
There are some more potential places to consider the validity of UserDetails before proceeding:
User.UserIDCanonicalIdResolver.resolveCanonicalIdmay or may not want to return here.AbstractPasswordBasedSecurityRealm.doAuthenticate()may wish to implement this same check.FederatedLoginService.FederatedIdentity.signin()should probably verify this as well.
|
@jvz made an assumption that the changes in LDAP and AD plugins are the root cause of instabilities in the recent weekly community ratings. e.g. https://issues.jenkins-ci.org/browse/JENKINS-57607 , https://issues.jenkins-ci.org/browse/JENKINS-57569 |
|
@oleg-nenashev AFAICT not possible for JENKINS-57569 because the related PR was not merged yet for this one. The other is more "interesting". |
|
@Wadeck would you have time to come back on this one? |
|
@alecharp not those days unfortunately, perhaps in 1-2 weeks or later... :( |
Wadeck
added
on-hold
daniel-beck
added
the
plugin-api-changes
|
Note: for regular login, Acegi is using |
|
@Wadeck taking into account it's been on hold for several months, what do you think about proposing it for close? It can always be reopened if you plan to work on it again in the future. |
timja
added
the
proposed-for-close
|
@Wadeck I'm closing this given you don't seem to have the capacity to work on this right now. Please feel free to reopen when you have the bandwith. |
| * | ||
| * @since TODO | ||
| */ | ||
| public static boolean isFullyActive(@Nonnull UserDetails ud){ |
There was a problem hiding this comment.
It seems like the appropriate API to use here would be UserDetailsChecker rather than reinventing that API here.
9 participants
See JENKINS-55813.
Required PR for #89 in active-directory-plugin and #34 in ldap-plugin.
Proposed changelog entries
Submitter checklist
* Use the
Internal:prefix if the change has no user-visible impact (API, test frameworks, etc.)