[FIXED JENKINS-9094] "Remember me" doesn't work with PAM

changelog.html

@@ -59,6 +59,9 @@ Upcoming changes</a>
 <div id="trunk" style="display:none"><!--=TRUNK-BEGIN=-->
 <ul class=image>
   <li class=>
+  <li class=bug>
+    PAM authentication fails to restore group membership information on "remember me" tokens.
+    (<a href="http://issues.jenkins-ci.org/browse/JENKINS-9094">issue 9094</a>)
 </ul>
 </div><!--=TRUNK-END=-->
 

core/pom.xml

@@ -763,7 +763,7 @@ THE SOFTWARE.
     <dependency>
       <groupId>org.jvnet.libpam4j</groupId>
       <artifactId>libpam4j</artifactId>
-      <version>1.2</version>
+      <version>1.4</version>
     </dependency>
     <dependency>
       <groupId>org.jvnet.libzfs</groupId>

core/src/main/java/hudson/security/PAMSecurityRealm.java

@@ -88,11 +88,7 @@ public class PAMSecurityRealm extends SecurityRealm {
 
             try {
                 UnixUser u = new PAM(serviceName).authenticate(username, password);
-                Set<String> grps = u.getGroups();
-                GrantedAuthority[] groups = new GrantedAuthority[grps.size()];
-                int i=0;
-                for (String g : grps)
-                    groups[i++] = new GrantedAuthorityImpl(g);
+                GrantedAuthority[] groups = toAuthorities(u);
 
                 // I never understood why Acegi insists on keeping the password...
                 return new UsernamePasswordAuthenticationToken(username, password, groups);
@@ -119,14 +115,28 @@ public class PAMSecurityRealm extends SecurityRealm {
                 public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
                     if(!UnixUser.exists(username))
                         throw new UsernameNotFoundException("No such Unix user: "+username);
-                    // return some dummy instance
-                    return new User(username,"",true,true,true,true,
-                            new GrantedAuthority[]{AUTHENTICATED_AUTHORITY});
+                    try {
+                        UnixUser uu = new UnixUser(username);
+                        // return some dummy instance
+                        return new User(username,"",true,true,true,true, toAuthorities(uu));
+                    } catch (PAMException e) {
+                        throw new UsernameNotFoundException("Failed to load information about Unix user "+username,e);
+                    }
                 }
             }
         );
     }
 
+    private static GrantedAuthority[] toAuthorities(UnixUser u) {
+        Set<String> grps = u.getGroups();
+        GrantedAuthority[] groups = new GrantedAuthority[grps.size()+1];
+        int i=0;
+        for (String g : grps)
+            groups[i++] = new GrantedAuthorityImpl(g);
+        groups[i++] = AUTHENTICATED_AUTHORITY;
+        return groups;
+    }
+
     @Override
     public GroupDetails loadGroupByGroupname(final String groupname) throws UsernameNotFoundException, DataAccessException {
         if(CLibrary.libc.getgrnam(groupname)==null)

test/src/test/java/hudson/security/PAMSecurityRealmTest.java

+package hudson.security;
+
+import hudson.Functions;
+import hudson.security.SecurityRealm.SecurityComponents;
+import org.acegisecurity.userdetails.UsernameNotFoundException;
+import org.jvnet.hudson.test.HudsonTestCase;
+
+import java.util.Arrays;
+
+import static hudson.util.jna.GNUCLibrary.*;
+
+/**
+ * @author Kohsuke Kawaguchi
+ */
+public class PAMSecurityRealmTest extends HudsonTestCase {
+    public void testLoadUsers() {
+        if (Functions.isWindows())  return; // skip on Windows
+
+        SecurityComponents sc = new PAMSecurityRealm("sshd").getSecurityComponents();
+
+        try {
+            sc.userDetails.loadUserByUsername("bogus-bogus-bogus");
+            fail("no such user");
+        } catch (UsernameNotFoundException e) {
+            // expected
+        }
+
+        String name = LIBC.getpwuid(LIBC.geteuid()).pw_name;
+
+        System.out.println(Arrays.asList(sc.userDetails.loadUserByUsername(name).getAuthorities()));
+    }
+}