jenkinsci / oic-auth-plugin

A Jenkins plugin which lets you login to Jenkins using your own, self-hosted or public openid connect server.
https://plugins.jenkins.io/oic-auth
MIT License

Latest release breaks build-user-vars-plugin #343

Closed LEDfan closed 2 months ago

LEDfan commented 2 months ago

Jenkins and plugins versions report

Environment

```text
Jenkins: 2.452.2
OS: Linux - 5.10.218-208.862.amzn2.x86_64
Java: 17.0.11 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)
---
build-user-vars-plugin:1.9
```

What Operating System are you using (both controller, and any agents involved in the problem)?

Docker: jenkins/jenkins:2.452.2-lts-jdk17

Reproduction steps

  1. install this plugin and configure it (it was already configured in my case, this had been working for a long time)
  2. it breaks when using the latest version of this plugin (version 4.284.v0cc21de03d37); the version before works fine
  3. install build-user-vars-plugin

Expected Results

During a Jenkins build, the BUILD_USER_GROUPS environment variable contains the groups of the user.

Actual Results

The variable is empty and a message is logged: `WARNING o.j.p.b.v.i.UserIdCauseDeterminant#setJenkinsUserBuildVars: Failed to get groups for user: myuser error: hudson.security.UserMayOrMayNotExistException2: Unable to query user information: myUser`

Anything else?

Thanks for maintaining this plugin!

Are you interested in contributing a fix?

No response

michael-doubez commented 2 months ago

This seems to be caused by this commit.

The loadUserByUsername function is no longer declared. It does make sense because OIDC has no way to identify if a user exists.

The only thing it could do is trying to get the LastGrantedAuthorities of the user. That should be handled by the build-user-vars-plugin as a fallback when UserMayOrMayNotExist is caught.

michael-doubez commented 2 months ago

At least one other realm maintains a cache: https://github.com/jenkinsci/jwt-auth-plugin/blob/9fccee33434b0255fb7dacde91713003303f3642/src/main/java/io/jenkins/plugins/jwt_auth/JwtAuthSecurityRealm.java#L132

@jglick is there any interest to do that or implement the logic of getting the user and populating a UserDetails with the last granted authorities?

jglick commented 2 months ago

AFAICT the oic-auth plugin is behaving correctly here: it throws UserMayOrMayNotExistException2 because at this point it does not, in fact, know for sure whether the user exists or not.

The fault lies in the build-user-vars-plugin for directly calling SecurityRealm.loadUserByUsername2 rather than going through User.getAuthorities, which is what would fall back to LastGrantedAuthoritiesProperty (via ImpersonatingUserDetailsService2).
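As an added illustration of the two comments above (not code from oic-auth-plugin, build-user-vars-plugin, or Jenkins core), the following Java sketch contrasts the failing pattern (calling `SecurityRealm.loadUserByUsername2` directly, which an OIDC realm answers with `UserMayOrMayNotExistException2` because it cannot confirm whether the user exists) with two working alternatives: going through `User.getAuthorities()`, which in core falls back to `LastGrantedAuthoritiesProperty` via `ImpersonatingUserDetailsService2`, and the explicit catch-and-fall-back suggested earlier in the thread. The class name `GroupLookupExample` and its method names are assumptions for this example; the Jenkins and Spring Security types and calls are the standard ones from Jenkins core 2.266 and later.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;

import hudson.model.User;
import hudson.security.SecurityRealm;
import hudson.security.UserMayOrMayNotExistException2;
import jenkins.model.Jenkins;
import jenkins.security.LastGrantedAuthoritiesProperty;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/** Illustrative helper (hypothetical name, not part of any of the plugins discussed). */
public final class GroupLookupExample {
    private static final Logger LOGGER = Logger.getLogger(GroupLookupExample.class.getName());

    private GroupLookupExample() {}

    /**
     * Failing pattern: asks the security realm directly. With oic-auth this throws
     * UserMayOrMayNotExistException2, because an OIDC realm has no user directory to query.
     */
    static List<String> groupsViaRealm(String userId) {
        SecurityRealm realm = Jenkins.get().getSecurityRealm();
        UserDetails details = realm.loadUserByUsername2(userId); // may throw
        List<String> groups = new ArrayList<>();
        for (GrantedAuthority a : details.getAuthorities()) {
            groups.add(a.getAuthority());
        }
        return groups;
    }

    /**
     * Recommended pattern: go through hudson.model.User. Core impersonates the user and,
     * when the realm cannot answer, falls back to the authorities recorded at last login.
     * Caveat: User.getAuthorities() is permission-gated and returns an empty list unless the
     * calling context holds Jenkins.ADMINISTER (ACL.SYSTEM does), so check the caller's context.
     */
    static List<String> groupsViaUser(String userId) {
        User user = User.getById(userId, false);
        if (user == null) {
            return Collections.emptyList();
        }
        return user.getAuthorities();
    }

    /**
     * Explicit fallback: keep the direct realm call but, on UserMayOrMayNotExistException2,
     * read LastGrantedAuthoritiesProperty ourselves. A plain UsernameNotFoundException means
     * the realm positively knows the user does not exist, so no fallback is attempted.
     */
    static List<String> groupsWithFallback(String userId) {
        try {
            return groupsViaRealm(userId);
        } catch (UserMayOrMayNotExistException2 e) {
            LOGGER.log(Level.FINE, "realm cannot confirm " + userId + "; using last granted authorities", e);
            User user = User.getById(userId, false);
            if (user == null) {
                return Collections.emptyList();
            }
            LastGrantedAuthoritiesProperty p = user.getProperty(LastGrantedAuthoritiesProperty.class);
            if (p == null) {
                return Collections.emptyList(); // user never logged in on this controller
            }
            List<String> groups = new ArrayList<>();
            String authenticated = SecurityRealm.AUTHENTICATED_AUTHORITY2.getAuthority();
            for (GrantedAuthority a : p.getAuthorities2()) {
                String name = a.getAuthority();
                // drop the implicit "authenticated" role and the user's own id, keep real groups
                if (name != null && !name.equals(authenticated) && !name.equals(userId)) {
                    groups.add(name);
                }
            }
            return groups;
        } catch (UsernameNotFoundException e) {
            return Collections.emptyList();
        }
    }
}
```

The subclass `UserMayOrMayNotExistException2` must be caught before its parent `UsernameNotFoundException`, otherwise the fallback branch is unreachable. Either working variant yields stale data by design: the groups are whatever the identity provider asserted at the user's last login, which is exactly what the thread proposes as acceptable for populating `BUILD_USER_GROUPS`.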

michael-doubez commented 2 months ago

I created a report in Jenkins Jira with a link to this issue.

https://issues.jenkins.io/browse/JENKINS-73420

LEDfan commented 2 months ago

Thank you both for looking into this and already creating the issue!