steve-jansen / github-oauth-plugin Goto Github PK

The current version of the GitHub OAuth plugin for Jenkins caches the list of GitHub Orgs that the authenticate user belongs to. This could be much more granular if we also included the teams the user belongs to within each org.

For example, a user might belong to the "Acme" org, the "Acme/Owners" team, and the "Acme/SomeCoolProject" team. Including these teams in the Jenkins auth tokens list of "Authorities" (aka roles) would be quite helpful when applying project matrix security.

See
https://github.com/mckinsey/github-oauth-plugin/blob/master/src/main/java/org/jenkinsci/plugins/GithubAuthenticationToken.java#L137 for the code that caches the org names for the current user.

The Jenkins WebUI makes an Ajax call to the URL
/job/<job name>/descriptorByName/hudson.security.AuthorizationMatrixProperty/checkName?value=<URI escaped username or role name> to load the OK/Not OK status of a username/role name added to the permissions matrix table.

For example, a succesful user lookup returns:

 <img src='/static/8d261c2f/images/16x16/person.png' style='margin-right:0.2em'>Steve Jansen`, which looks like this:

An example of an unknown user/group returns:

<img src='/static/8d261c2f/images/16x16/error.png' style='margin-right:0.2em'>Unknown User

The GitHub OAuth plugin' security realm doesn't seem to properly support this feature. We need to add support for this realm check. Relevant lines of code that run the user/group check are found at https://github.com/jenkinsci/jenkins/blob/0d955259d8880e02452f23e422e5272e6ab26153/core/src/main/java/hudson/security/GlobalMatrixAuthorizationStrategy.java#L291