From c21918df7e9b783c12d1bdc775b45b9531da7032 Mon Sep 17 00:00:00 2001 From: Kohsuke Kawaguchi Date: Fri, 18 Mar 2011 22:18:06 -0700 Subject: [PATCH] [FIXED JENKINS-9094] "Remember me" doesn't work with PAM --- changelog.html | 3 ++ core/pom.xml | 2 +- .../hudson/security/PAMSecurityRealm.java | 26 ++++++++++----- .../hudson/security/PAMSecurityRealmTest.java | 32 +++++++++++++++++++ 4 files changed, 54 insertions(+), 9 deletions(-) create mode 100644 test/src/test/java/hudson/security/PAMSecurityRealmTest.java diff --git a/changelog.html b/changelog.html index 6477983581..52bf6516dc 100644 --- a/changelog.html +++ b/changelog.html @@ -59,6 +59,9 @@ Upcoming changes diff --git a/core/pom.xml b/core/pom.xml index 44f0e923ad..f8b3788390 100644 --- a/core/pom.xml +++ b/core/pom.xml @@ -763,7 +763,7 @@ THE SOFTWARE. org.jvnet.libpam4j libpam4j - 1.2 + 1.4 org.jvnet.libzfs diff --git a/core/src/main/java/hudson/security/PAMSecurityRealm.java b/core/src/main/java/hudson/security/PAMSecurityRealm.java index fb5c657c4f..6f8aad00d1 100644 --- a/core/src/main/java/hudson/security/PAMSecurityRealm.java +++ b/core/src/main/java/hudson/security/PAMSecurityRealm.java @@ -88,11 +88,7 @@ public class PAMSecurityRealm extends SecurityRealm { try { UnixUser u = new PAM(serviceName).authenticate(username, password); - Set grps = u.getGroups(); - GrantedAuthority[] groups = new GrantedAuthority[grps.size()]; - int i=0; - for (String g : grps) - groups[i++] = new GrantedAuthorityImpl(g); + GrantedAuthority[] groups = toAuthorities(u); // I never understood why Acegi insists on keeping the password... return new UsernamePasswordAuthenticationToken(username, password, groups); 
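Review bot: The switch to `toAuthorities(u)` in the authenticate path is not a pure refactor. The helper added later in this patch appends `AUTHENTICATED_AUTHORITY`, which the removed loop did not, so the `UsernamePasswordAuthenticationToken` built here now carries one more authority than before. That looks intended, since it keeps the login and remember-me paths consistent, but it should be stated at the call, e.g. `// Unix groups plus AUTHENTICATED_AUTHORITY, the same set loadUserByUsername returns`. The enclosing method starts and ends outside the hunk.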
@@ -119,14 +115,28 @@ public class PAMSecurityRealm extends SecurityRealm { public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException { if(!UnixUser.exists(username)) throw new UsernameNotFoundException("No such Unix user: "+username); - // return some dummy instance - return new User(username,"",true,true,true,true, - new GrantedAuthority[]{AUTHENTICATED_AUTHORITY}); + try { + UnixUser uu = new UnixUser(username); + // return some dummy instance + return new User(username,"",true,true,true,true, toAuthorities(uu)); + } catch (PAMException e) { + throw new UsernameNotFoundException("Failed to load information about Unix user "+username,e); + } } } ); } + private static GrantedAuthority[] toAuthorities(UnixUser u) { + Set grps = u.getGroups(); + GrantedAuthority[] groups = new GrantedAuthority[grps.size()+1]; + int i=0; + for (String g : grps) + groups[i++] = new GrantedAuthorityImpl(g); + groups[i++] = AUTHENTICATED_AUTHORITY; + return groups; + } + @Override public GroupDetails loadGroupByGroupname(final String groupname) throws UsernameNotFoundException, DataAccessException { if(CLibrary.libc.getgrnam(groupname)==null) diff --git a/test/src/test/java/hudson/security/PAMSecurityRealmTest.java b/test/src/test/java/hudson/security/PAMSecurityRealmTest.java new file mode 100644 index 0000000000..a55c37e4a5 --- /dev/null +++ b/test/src/test/java/hudson/security/PAMSecurityRealmTest.java 
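Review bot: In `loadUserByUsername` the comment `// return some dummy instance` is now stale, and the four hard-coded `true` flags need a caveat. The returned `User` carries the account's real group authorities but is always reported as enabled, non-expired and non-locked, and no PAM account check is visible on this path. If remember-me rebuilds the session from this object, as the commit subject suggests, a locked or expired Unix account would presumably keep its group-derived permissions until the cookie lapses. I would replace the comment with `// password is unknown here; authorities are the user's current Unix groups` and add `// NOTE: account lock/expiry state is not checked on this path`. `toAuthorities` also needs a short Javadoc saying that Unix group names become authority names verbatim and that `AUTHENTICATED_AUTHORITY` is always appended last.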
@@ -0,0 +1,32 @@ +package hudson.security; + +import hudson.Functions; +import hudson.security.SecurityRealm.SecurityComponents; +import org.acegisecurity.userdetails.UsernameNotFoundException; +import org.jvnet.hudson.test.HudsonTestCase; + +import java.util.Arrays; + +import static hudson.util.jna.GNUCLibrary.*; + +/** + * @author Kohsuke Kawaguchi + */ +public class PAMSecurityRealmTest extends HudsonTestCase { + public void testLoadUsers() { + if (Functions.isWindows()) return; // skip on Windows + + SecurityComponents sc = new PAMSecurityRealm("sshd").getSecurityComponents(); + + try { + sc.userDetails.loadUserByUsername("bogus-bogus-bogus"); + fail("no such user"); + } catch (UsernameNotFoundException e) { + // expected + } + + String name = LIBC.getpwuid(LIBC.geteuid()).pw_name; + + System.out.println(Arrays.asList(sc.userDetails.loadUserByUsername(name).getAuthorities())); + } +} -- GitLab
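Review bot: `testLoadUsers` asserts nothing about the authorities it loads; its last statement only prints them, so a regression that drops the groups or `AUTHENTICATED_AUTHORITY` from `loadUserByUsername` would still pass. Replace the `System.out.println` with a check such as `assertTrue(Arrays.asList(sc.userDetails.loadUserByUsername(name).getAuthorities()).contains(SecurityRealm.AUTHENTICATED_AUTHORITY));`, assuming `GrantedAuthorityImpl` compares by authority string. `LIBC.getpwuid(LIBC.geteuid())` may also return null when the effective uid has no passwd entry, which would fail the test with a NullPointerException instead of skipping it; a null guard before `.pw_name` would avoid that.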