jenkinsci / azure-ad-plugin

Authentication and Authorization with Azure AD
https://plugins.jenkins.io/azure-ad/
MIT License

Graph Search suggests Outlook mail accounts #433

Open meiswjn opened 1 year ago

meiswjn commented 1 year ago

Jenkins and plugins versions report

Environment

```text
Jenkins: 2.401.1
OS: Linux - 4.18.0-477.13.1.el8_8.x86_64
Java: 11.0.19 - Red Hat, Inc. (OpenJDK 64-Bit Server VM)
```

What Operating System are you using (both controller, and any agents involved in the problem)?

RHEL8

Reproduction steps

  1. Install the plugin
  2. Use AAD Matrix Auth
  3. Search for users: it will detect AAD users but also users that I once wrote mails to in Outlook (???)

Expected Results

No contacts from outlook

Actual Results

It parsed my outlook mail history and when searching for users, it gives me users that do not exist in the AAD. For example, I once got the notification from a GitHub repository via mail. Now, it finds the repository name in the Matrix Auth search. When examining the object, you see that the no-reply mail for the repository is behind it, everything else is null.

Anything else?

We updated to the latest version today from 313.v14b_f37ff114d

Likely introduced by https://github.com/jenkinsci/azure-ad-plugin/pull/405

iandrewt commented 1 year ago

Do you have any screenshots or other evidence of this happening? I cannot replicate this in Jenkins nor in the Microsoft Graph Explorer

meiswjn commented 1 year ago

Sure, here you go. I searched for "jenkinsci" in global security. We use the normal Azure AD integration.

[screenshot]

iandrewt commented 1 year ago

I don't actually know how that form works, but I'm fairly sure it uses a different query to the one I changed in #405

timja commented 1 year ago

It uses these web components: https://github.com/jenkinsci/azure-ad-plugin/blob/b89416d6dd4127715761e0b39a6936e871617f50/package.json#L31-L33

I guess there was a behaviour change in a dependency update.

t0rb3n commented 9 months ago

We have the same problem with "users" appearing that are in the logged-in users mailboxes.

I think changing the user-type of the mgt-people-picker would solve this problem.

https://github.com/jenkinsci/azure-ad-plugin/blob/067a533eab804528ade952bff4ab729e5b693568/src/main/resources/com/microsoft/jenkins/azuread/AzureAdMatrixAuthorizationStrategy/config.jelly#L209

Changing it from `any` to `user` should only show org users (see the `userType` property).

Unfortunately I failed to build a working plugin locally. Every time I built it, with or without any changes, the picker disappears when the Graph Integration checkmark is unchecked.

[screenshot]

So if anyone could build a version with `user-type="user"` and the picker not disappearing, I am more than happy to test this.

timja commented 9 months ago

Need to make sure it works with guest users, but if that works then changing to `user` makes sense.
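As an added example (not the plugin's own code), a client-side guard that complements t0rb3n's `user-type="user"` proposal and timja's guest-user concern: it accepts only picker entries that resolve to a directory object. It assumes the picker's `selectionChanged` event carries person-like objects with `id` and `userPrincipalName` fields; guest accounts keep both, so they pass, while mailbox contacts like the GitHub no-reply entry in the report carry only an email address.

```javascript
// Added example, not code from the azure-ad plugin. Assumption: the
// mgt-people-picker selectionChanged event delivers an array of Graph
// person-like objects with id, displayName, userPrincipalName and, for
// mailbox contacts, scoredEmailAddresses.

// Constructed sample: one member, one guest, and one Outlook contact shaped
// like the GitHub no-reply entry the issue describes (id/UPN null).
const constructedSelection = [
  { id: "11111111-2222-3333-4444-555555555555", displayName: "Jane Doe",
    userPrincipalName: "jane.doe@example.com", userType: "Member" },
  { id: "66666666-7777-8888-9999-000000000000", displayName: "Guest Partner",
    userPrincipalName: "partner_example.org#EXT#@tenant.onmicrosoft.com",
    userType: "Guest" },
  { id: null, displayName: "jenkinsci/azure-ad-plugin", userPrincipalName: null,
    scoredEmailAddresses: [{ address: "noreply@github.com" }] },
];

// A directory user (member or guest) has a non-empty object id and UPN;
// contacts surfaced from a mailbox have neither, only an email address.
function isDirectoryUser(person) {
  const nonEmpty = (v) => typeof v === "string" && v.length > 0;
  return nonEmpty(person.id) && nonEmpty(person.userPrincipalName);
}

// Split a selection into entries safe to add to the authorization matrix
// and entries to drop, so a contact can never be granted a permission row.
function directoryUsersOnly(selection) {
  const accepted = [];
  const rejected = [];
  for (const p of selection) (isDirectoryUser(p) ? accepted : rejected).push(p);
  return { accepted, rejected };
}

// Browser wiring (only meaningful where the web component is present):
// user-type="user" narrows the Graph query itself; this guard is a second
// check before an entry reaches the matrix.
function attachGuard(picker, onAccepted) {
  picker.addEventListener("selectionChanged", (e) => {
    const { accepted, rejected } = directoryUsersOnly(e.detail || []);
    for (const r of rejected) console.warn("ignored non-directory entry:", r.displayName);
    onAccepted(accepted);
  });
}
```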