Merge branch 'security-stable-2.138' into security-stable-2.150

core/src/main/java/hudson/cli/ClientAuthenticationCache.java

@@ -95,7 +95,8 @@ public class ClientAuthenticationCache implements Serializable {
         String verificationPart = val.substring(idx + 1);
         int indexOfSeparator = verificationPart.indexOf(VERIFICATION_FRAGMENT_SEPARATOR);
         if (indexOfSeparator == -1) {
-            return legacy(username, verificationPart, val);
+            LOGGER.log(Level.FINE, "The legacy method is no longer accepted: username={0}", username);
+            return Jenkins.ANONYMOUS;
         }
         
         /*
@@ -128,10 +129,6 @@ public class ClientAuthenticationCache implements Serializable {
 
         return getUserAuthIfValidMac(username, macFragment, val);
     }
-    
-    private Authentication legacy(String username, String mac, String fullValueStored){
-        return getUserAuthIfValidMac(username, mac, fullValueStored);
-    }
 
     /**
      * restOfFragments format: [userSeed]

test/src/test/java/hudson/cli/ClientAuthenticationCacheTest.java

@@ -28,6 +28,7 @@ import com.google.common.collect.Lists;
 
 import hudson.ExtensionList;
 import hudson.Launcher;
+import hudson.model.User;
 import hudson.security.FullControlOnceLoggedInAuthorizationStrategy;
 import hudson.util.Secret;
 import hudson.util.StreamTaskListener;
@@ -80,6 +81,9 @@ public class ClientAuthenticationCacheTest {
         r.jenkins.setSecurityRealm(r.createDummySecurityRealm());
         r.jenkins.setAuthorizationStrategy(new FullControlOnceLoggedInAuthorizationStrategy());
         assertCLI(0, "Authenticated as: anonymous", jar, "who-am-i");
+
+        // user must exist to use the new cli auth cache (which is the case in non-test context)
+        User.getById("dev", true);
         assertCLI(0, null, jar, "login", "--username", "dev", "--password", "dev");
         try {
             assertCLI(0, "Authenticated as: dev", jar, "who-am-i");

test/src/test/java/hudson/cli/ClientAuthenticationCacheWithUserSeedTest.java

@@ -84,8 +84,8 @@ public class ClientAuthenticationCacheWithUserSeedTest {
     }
 
     @Test
-    @Issue("SECURITY-1247")
-    public void legacyCache_smoothlyMigratedWithUserSeed() throws Exception {
+    @Issue("SECURITY-1289")
+    public void legacyCache_noLongerUsable() throws Exception {
         ClientAuthenticationCache cache = new ClientAuthenticationCache(null);
         assertThat(cache.get(), is(Jenkins.ANONYMOUS));
 
@@ -109,7 +109,8 @@ public class ClientAuthenticationCacheWithUserSeedTest {
             File jar = tmp.newFile("jenkins-cli.jar");
             FileUtils.copyURLToFile(r.jenkins.getJnlpJars("jenkins-cli.jar").getURL(), jar);
 
-            assertCLI(0, "Authenticated as: " + user.getId(), jar, "who-am-i");
+            // the legacy method is no longer usable
+            assertCLI(0, "Authenticated as: anonymous", jar, "who-am-i");
 
             cache = new ClientAuthenticationCache(null);
             String valueAfterUsage = cache.props.getProperty(cache.getPropertyKey());

test/src/test/java/hudson/security/CliAuthenticationTest.java

@@ -123,6 +123,8 @@ public class CliAuthenticationTest {
     public void login() throws Exception {
         j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
 
+        // user must exist to use the new cli auth cache (which is the case in non-test context)
+        hudson.model.User.getById("abc", true);
         successfulCommand("login","--username","abc","--password","abc");
         spySecurityListener.authenticatedCalls.assertLastEventIsAndThenRemoveIt(userDetails -> userDetails.getUsername().equals("abc"));
         spySecurityListener.loggedInCalls.assertLastEventIsAndThenRemoveIt("abc");