Remove use of BeanBuilder; construct components in Java

Author: jglick

src/main/java/hudson/security/LDAPSecurityRealm.java

@@ -82,7 +82,6 @@
 import org.kohsuke.stapler.StaplerRequest;
 import org.kohsuke.stapler.interceptor.RequirePOST;
 import org.springframework.dao.DataAccessException;
-import org.springframework.web.context.WebApplicationContext;
 
 import javax.annotation.CheckForNull;
 import javax.annotation.Nonnull;
@@ -754,19 +753,19 @@ public SecurityComponents createSecurityComponents() {
             DelegateLDAPUserDetailsService details = new DelegateLDAPUserDetailsService();
             LDAPAuthenticationManager manager = new LDAPAuthenticationManager(details);
             for (LDAPConfiguration conf : configurations) {
-                WebApplicationContext appContext = conf.createApplicationContext(this, false);
-                manager.addDelegate(findBean(AuthenticationManager.class, appContext), conf.getId());
-                details.addDelegate(new LDAPUserDetailsService(appContext, conf.getGroupMembershipStrategy(), conf.getId()));
+                LDAPConfiguration.ApplicationContext appContext = conf.createApplicationContext(this);
+                manager.addDelegate(appContext.authenticationManager, conf.getId());
+                details.addDelegate(new LDAPUserDetailsService(appContext.ldapUserSearch, appContext.ldapAuthoritiesPopulator, conf.getGroupMembershipStrategy(), conf.getId()));
             }
             return new SecurityComponents(manager, details);
         } else {
             final LDAPConfiguration conf = configurations.get(0);
-            WebApplicationContext appContext = conf.createApplicationContext(this, true);
+            LDAPConfiguration.ApplicationContext appContext = conf.createApplicationContext(this);
             final LDAPAuthenticationManager manager = new LDAPAuthenticationManager();
-            manager.addDelegate(findBean(AuthenticationManager.class, appContext), "");
+            manager.addDelegate(appContext.authenticationManager, "");
             return new SecurityComponents(
                     manager,
-                    new LDAPUserDetailsService(appContext, conf.getGroupMembershipStrategy(), null)
+                    new LDAPUserDetailsService(appContext.ldapUserSearch, appContext.ldapAuthoritiesPopulator, conf.getGroupMembershipStrategy(), null)
             );
         }
     }
@@ -1283,11 +1282,6 @@ public static class LDAPUserDetailsService implements UserDetailsService {
          */
         private final LRUMap attributesCache = new LRUMap(32);
 
-        @Deprecated
-        LDAPUserDetailsService(WebApplicationContext appContext) {
-            this(appContext, null, null);
-        }
-
         @Deprecated
         LDAPUserDetailsService(LdapUserSearch ldapSearch, LdapAuthoritiesPopulator authoritiesPopulator) {
             this(ldapSearch, authoritiesPopulator, null, null);
@@ -1300,17 +1294,6 @@ public static class LDAPUserDetailsService implements UserDetailsService {
             this.configurationId = configurationId;
         }
 
-        @Deprecated
-        public LDAPUserDetailsService(WebApplicationContext appContext,
-                                      LDAPGroupMembershipStrategy groupMembershipStrategy) {
-            this(findBean(LdapUserSearch.class, appContext), findBean(LdapAuthoritiesPopulator.class, appContext), groupMembershipStrategy, null);
-        }
-
-        public LDAPUserDetailsService(WebApplicationContext appContext,
-                                      LDAPGroupMembershipStrategy groupMembershipStrategy, String configurationId) {
-            this(findBean(LdapUserSearch.class, appContext), findBean(LdapAuthoritiesPopulator.class, appContext), groupMembershipStrategy, configurationId);
-        }
-
         @SuppressFBWarnings(value = "RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE", justification = "Only on newer core versions") //TODO remove when core is bumped
         public LdapUserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
             username = fixUsername(username);
@@ -1598,10 +1581,6 @@ public SecurityRealm newInstance(StaplerRequest req, JSONObject formData) throws
             return super.newInstance(req, formData);
         }
 
-        public boolean hasCustomBindScript() {
-            return LDAPConfiguration.getLdapBindOverrideFile(Jenkins.getActiveInstance()).exists();
-        }
-
         /**
          * Used by config.jelly to determine whether we are running on a Jenkins with Enable Security checkbox or not.
          * It impacts the json structure to send when checking the ldap configuration in the filter attribute of the

src/main/java/jenkins/security/plugins/ldap/LDAPConfiguration.java

@@ -26,33 +26,34 @@
 package jenkins.security.plugins.ldap;
 
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
-import groovy.lang.Binding;
 import hudson.DescriptorExtensionList;
 import hudson.Extension;
 import hudson.Util;
 import hudson.model.AbstractDescribableImpl;
 import hudson.model.Descriptor;
 import hudson.security.LDAPSecurityRealm;
-import hudson.security.SecurityRealm;
 import hudson.util.FormValidation;
 import hudson.util.Secret;
-import hudson.util.spring.BeanBuilder;
 import jenkins.model.Jenkins;
-import org.acegisecurity.ldap.InitialDirContextFactory;
-import org.acegisecurity.ldap.LdapTemplate;
+import org.acegisecurity.AuthenticationManager;
+import org.acegisecurity.ldap.DefaultInitialDirContextFactory;
+import org.acegisecurity.ldap.LdapUserSearch;
 import org.acegisecurity.ldap.search.FilterBasedLdapUserSearch;
+import org.acegisecurity.providers.AuthenticationProvider;
+import org.acegisecurity.providers.ProviderManager;
+import org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider;
 import org.acegisecurity.providers.ldap.LdapAuthoritiesPopulator;
+import org.acegisecurity.providers.ldap.authenticator.BindAuthenticator2;
+import org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider;
 import org.apache.commons.codec.Charsets;
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.codec.digest.DigestUtils;
-import org.apache.commons.io.input.AutoCloseInputStream;
 import org.apache.commons.lang.StringUtils;
 import org.kohsuke.accmod.Restricted;
 import org.kohsuke.accmod.restrictions.NoExternalUse;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.DataBoundSetter;
 import org.kohsuke.stapler.QueryParameter;
-import org.springframework.web.context.WebApplicationContext;
 
 import javax.annotation.Nonnull;
 import javax.naming.Context;
@@ -62,9 +63,6 @@
 import javax.naming.directory.DirContext;
 import javax.naming.directory.InitialDirContext;
 
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.net.InetAddress;
 import java.net.Socket;
@@ -76,6 +74,7 @@
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.Hashtable;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.logging.Level;
@@ -95,8 +94,6 @@
 public class LDAPConfiguration extends AbstractDescribableImpl<LDAPConfiguration> {
 
     private static final Logger LOGGER = LDAPSecurityRealm.LOGGER;
-    @Restricted(NoExternalUse.class)
-    public static final String SECURITY_REALM_LDAPBIND_GROOVY = "LDAPBindSecurityRealm.groovy";
 
     /**
      * LDAP server name(s) separated by spaces, optionally with TCP port number, like "ldap.acme.org"
@@ -400,10 +397,6 @@ public String getDisplayName() {
             return "ldap";
         }
 
-        public boolean noCustomBindScript() {
-            return !getLdapBindOverrideFile(Jenkins.getActiveInstance()).exists();
-        }
-
         // note that this works better in 1.528+ (JENKINS-19124)
         @SuppressFBWarnings(value = "RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE", justification = "Only on newer core versions") //TODO remove when core is bumped
         public FormValidation doCheckServer(@QueryParameter String value, @QueryParameter String managerDN, @QueryParameter Secret managerPasswordSecret) {
@@ -572,50 +565,80 @@ static String normalizeServer(String server) { /*package scope for testing*/
         return StringUtils.join(normalised, ' ');
     }
 
-    @Restricted(NoExternalUse.class)
-    public WebApplicationContext createApplicationContext(LDAPSecurityRealm realm, boolean usePotentialUserProvidedBinding) {
-        Binding binding = new Binding();
-        binding.setVariable("instance", this);
-        binding.setVariable("realmInstance", realm);
-
-        final Jenkins jenkins = Jenkins.getInstance();
-        if (jenkins == null) {
-            throw new IllegalStateException("Jenkins has not been started, or was already shut down");
+    public static final class ApplicationContext {
+        public final AuthenticationManager authenticationManager;
+        public final LdapUserSearch ldapUserSearch;
+        public final LdapAuthoritiesPopulator ldapAuthoritiesPopulator;
+        ApplicationContext(AuthenticationManager authenticationManager, LdapUserSearch ldapUserSearch, LdapAuthoritiesPopulator ldapAuthoritiesPopulator) {
+            this.authenticationManager = authenticationManager;
+            this.ldapUserSearch = ldapUserSearch;
+            this.ldapAuthoritiesPopulator = ldapAuthoritiesPopulator;
         }
+    }
 
-        BeanBuilder builder = new BeanBuilder(jenkins.pluginManager.uberClassLoader);
-        try {
-            File override = getLdapBindOverrideFile(jenkins);
-            if (usePotentialUserProvidedBinding && override.exists()) {
-                builder.parse(new AutoCloseInputStream(new FileInputStream(override)), binding);
-            } else {
-                if (override.exists()) {
-                    LOGGER.warning("Not loading custom " + SECURITY_REALM_LDAPBIND_GROOVY);
-                }
-                builder.parse(new AutoCloseInputStream(LDAPSecurityRealm.class.getResourceAsStream(SECURITY_REALM_LDAPBIND_GROOVY)), binding);
-            }
+    @Restricted(NoExternalUse.class)
+    public ApplicationContext createApplicationContext(LDAPSecurityRealm realm) {
+        DefaultInitialDirContextFactory initialDirContextFactory = new DefaultInitialDirContextFactory(getLDAPURL());
+        if (getManagerDN() != null) {
+            initialDirContextFactory.setManagerDn(getManagerDN());
+            initialDirContextFactory.setManagerPassword(getManagerPassword());
+        }
+        Map<String, String> vars = new HashMap<>();
+        vars.put(Context.REFERRAL, "follow");
+        vars.put("com.sun.jndi.ldap.connect.timeout", "30000"); // timeout if no connection after 30 seconds
+        vars.put("com.sun.jndi.ldap.read.timeout", "60000"); // timeout if no response after 60 seconds
+        vars.putAll(getExtraEnvVars());
+        initialDirContextFactory.setExtraEnvVars(vars);
+
+        FilterBasedLdapUserSearch ldapUserSearch = new FilterBasedLdapUserSearch(getUserSearchBase(), getUserSearch(), initialDirContextFactory);
+        ldapUserSearch.setSearchSubtree(true);
+
+        BindAuthenticator2 bindAuthenticator = new BindAuthenticator2(initialDirContextFactory);
+        // this is when you the user name can be translated into DN.
+        // bindAuthenticator.setUserDnPatterns(new String[] {"uid={0},ou=people"});
+        // this is when we need to find it.
+        bindAuthenticator.setUserSearch(ldapUserSearch);
+
+        LDAPSecurityRealm.AuthoritiesPopulatorImpl ldapAuthoritiesPopulator = new LDAPSecurityRealm.AuthoritiesPopulatorImpl(initialDirContextFactory, getGroupSearchBase());
+        ldapAuthoritiesPopulator.setSearchSubtree(true);
+        ldapAuthoritiesPopulator.setGroupSearchFilter("(| (member={0}) (uniqueMember={0}) (memberUid={1}))");
+        if (realm.isDisableRolePrefixing()) {
+            ldapAuthoritiesPopulator.setRolePrefix("");
+            ldapAuthoritiesPopulator.setConvertToUpperCase(false);
+        }
 
-        } catch (FileNotFoundException e) {
-            throw new IllegalStateException("Failed to load "+ SECURITY_REALM_LDAPBIND_GROOVY, e);
+        ProviderManager authenticationManager = new ProviderManager();
+        List<AuthenticationProvider> providers = new ArrayList<>();
+        // talk to LDAP
+        providers.add(new LDAPSecurityRealm.LdapAuthenticationProviderImpl(bindAuthenticator, ldapAuthoritiesPopulator, getGroupMembershipStrategy()));
+        // these providers apply everywhere
+        {
+            RememberMeAuthenticationProvider rememberMeAuthenticationProvider = new RememberMeAuthenticationProvider();
+            rememberMeAuthenticationProvider.setKey(Jenkins.getInstance().getSecretKey());
+            providers.add(rememberMeAuthenticationProvider);
         }
-        WebApplicationContext appContext = builder.createApplicationContext();
+        {
+            // this doesn't mean we allow anonymous access.
+            // we just authenticate anonymous users as such,
+            // so that later authorization can reject them if so configured
+            AnonymousAuthenticationProvider anonymousAuthenticationProvider = new AnonymousAuthenticationProvider();
+            anonymousAuthenticationProvider.setKey("anonymous");
+            providers.add(anonymousAuthenticationProvider);
+        }
+        authenticationManager.setProviders(providers);
 
-        ldapTemplate = new LDAPExtendedTemplate(SecurityRealm.findBean(InitialDirContextFactory.class, appContext));
+        ldapTemplate = new LDAPExtendedTemplate(initialDirContextFactory);
 
         if (groupMembershipStrategy != null) {
-            groupMembershipStrategy.setAuthoritiesPopulator(SecurityRealm.findBean(LdapAuthoritiesPopulator.class, appContext));
+            groupMembershipStrategy.setAuthoritiesPopulator(ldapAuthoritiesPopulator);
         }
 
-        return appContext;
+        return new ApplicationContext(authenticationManager, ldapUserSearch, ldapAuthoritiesPopulator);
     }
 
     @Restricted(NoExternalUse.class)
     public LDAPExtendedTemplate getLdapTemplate() {
         return ldapTemplate;
     }
 
-    @Restricted(NoExternalUse.class)
-    public static File getLdapBindOverrideFile(Jenkins jenkins) {
-        return new File(jenkins.getRootDir(), SECURITY_REALM_LDAPBIND_GROOVY);
-    }
 }

src/main/resources/hudson/security/LDAPBindSecurityRealm.groovy

@@ -25,22 +25,15 @@ THE SOFTWARE.
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form" xmlns:st="jelly:stapler" xmlns:l="/lib/layout"
          xmlns:v="/jenkins/security/plugins/ldap/validation">
-    <j:if test="${descriptor.hasCustomBindScript()}">
-        <f:description>
-            <j:out value="${%customBindingBlurb}"/>
-        </f:description>
-    </j:if>
     <f:entry>
-        <f:repeatable field="configurations" minimum="1" header="${%Server}" add="${%Add Server}" noAddButton="${descriptor.hasCustomBindScript()}">
+        <f:repeatable field="configurations" minimum="1" header="${%Server}" add="${%Add Server}">
             <table style="width:100%">
                 <st:include page="config.jelly" class="jenkins.security.plugins.ldap.LDAPConfiguration"/>
-                <j:if test="${descriptor.noCustomBindScript()}">
-                    <f:entry title="">
-                        <div align="right">
-                            <f:repeatableDeleteButton/>
-                        </div>
-                    </f:entry>
-                </j:if>
+                <f:entry title="">
+                    <div align="right">
+                        <f:repeatableDeleteButton/>
+                    </div>
+                </f:entry>
             </table>
         </f:repeatable>
     </f:entry>

src/main/resources/hudson/security/LDAPSecurityRealm/config.jelly

@@ -4,4 +4,3 @@ validationBlurb=<p>Use your LDAP username and password to test your LDAP setting
   password if you don't know their password to validate that user lookup is working.</p>\
   <p>If you are using LDAP groups, test a user account that is a member of at least one LDAP \
   group to validate reverse group lookup.</p>
-customBindingBlurb=<p>Ability to make multiple server configurations turned off due to the presence of custom <em>LDAPBindSecurityRealm.groovy<em></p>