Use ACL.as

blueocean-bitbucket-pipeline/src/main/java/io/jenkins/blueocean/blueocean_bitbucket_pipeline/server/BitbucketServerEndpointContainer.java

@@ -6,6 +6,7 @@
 import com.google.common.collect.Iterators;
 import com.google.common.collect.Lists;
 import hudson.security.ACL;
+import hudson.security.ACLContext;
 import io.jenkins.blueocean.blueocean_bitbucket_pipeline.Messages;
 import io.jenkins.blueocean.commons.ErrorMessage;
 import io.jenkins.blueocean.commons.ServiceException;
@@ -14,8 +15,6 @@
 import io.jenkins.blueocean.rest.impl.pipeline.scm.ScmServerEndpoint;
 import io.jenkins.blueocean.rest.impl.pipeline.scm.ScmServerEndpointContainer;
 import net.sf.json.JSONObject;
-import org.acegisecurity.context.SecurityContext;
-import org.acegisecurity.context.SecurityContextHolder;
 import org.apache.commons.codec.digest.DigestUtils;
 import org.apache.commons.lang.StringUtils;
 import org.slf4j.Logger;
@@ -80,16 +79,9 @@ public ScmServerEndpoint create(JSONObject request) {
             throw new ServiceException.BadRequestException(new ErrorMessage(400, "Failed to create Bitbucket server endpoint").addAll(errors));
         }
         final com.cloudbees.jenkins.plugins.bitbucket.endpoints.BitbucketServerEndpoint endpoint = new com.cloudbees.jenkins.plugins.bitbucket.endpoints.BitbucketServerEndpoint(name, url, false, null);
-        SecurityContext old=null;
-        try {
+        try (ACLContext ctx = ACL.as(ACL.SYSTEM)) {
             // We need to escalate privilege to add user defined endpoint to
-            old = ACL.impersonate(ACL.SYSTEM);
             endpointConfiguration.addEndpoint(endpoint);
-        }finally {
-            //reset back to original privilege level
-            if(old != null){
-                SecurityContextHolder.setContext(old);
-            }
         }
         return new BitbucketServerEndpoint(endpoint, this);
     }

blueocean-github-pipeline/src/main/java/io/jenkins/blueocean/blueocean_github_pipeline/GithubServerContainer.java

@@ -10,16 +10,14 @@
 import com.google.common.collect.Ordering;
 import com.google.common.hash.Hashing;
 import hudson.security.ACL;
+import hudson.security.ACLContext;
 import io.jenkins.blueocean.commons.ErrorMessage;
 import io.jenkins.blueocean.commons.ServiceException;
 import io.jenkins.blueocean.rest.hal.Link;
 import io.jenkins.blueocean.rest.impl.pipeline.scm.ScmServerEndpoint;
 import io.jenkins.blueocean.rest.impl.pipeline.scm.ScmServerEndpointContainer;
 import net.sf.json.JSONObject;
-import org.acegisecurity.context.SecurityContext;
-import org.acegisecurity.context.SecurityContextHolder;
 import org.apache.commons.collections.ComparatorUtils;
-import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.jenkinsci.plugins.github_branch_source.Endpoint;
 import org.jenkinsci.plugins.github_branch_source.GitHubConfiguration;
@@ -29,9 +27,7 @@
 import javax.annotation.Nullable;
 import java.io.IOException;
 import java.io.InputStream;
-import java.io.InputStreamReader;
 import java.net.HttpURLConnection;
-import java.nio.charset.Charset;
 import java.util.Comparator;
 import java.util.HashMap;
 import java.util.Iterator;
@@ -120,10 +116,8 @@ public class GithubServerContainer extends ScmServerEndpointContainer {
         }
 
         if (errors.isEmpty()) {
-            SecurityContext old = null;
-            try {
+            try (ACLContext ctx = ACL.as(ACL.SYSTEM)) {
                 // We need to escalate privilege to add user defined endpoint to
-                old = ACL.impersonate(ACL.SYSTEM);
                 GitHubConfiguration config = GitHubConfiguration.get();
                 String sanitizedUrl = discardQueryString(url);
                 Endpoint endpoint = new Endpoint(sanitizedUrl, name);
@@ -132,11 +126,6 @@ public class GithubServerContainer extends ScmServerEndpointContainer {
                 } else {
                     return new GithubServer(endpoint, getLink());
                 }
-            }finally {
-                //reset back to original privilege level
-                if(old != null){
-                    SecurityContextHolder.setContext(old);
-                }
             }
         }
         ErrorMessage message = new ErrorMessage(400, "Failed to create GitHub server");

blueocean-jwt/src/main/java/io/jenkins/blueocean/auth/jwt/impl/JwtAuthenticationFilter.java

@@ -2,12 +2,11 @@
 
 import hudson.Extension;
 import hudson.init.Initializer;
+import hudson.security.ACL;
+import hudson.security.ACLContext;
 import hudson.util.PluginServletFilter;
 import io.jenkins.blueocean.auth.jwt.JwtTokenVerifier;
 import org.acegisecurity.Authentication;
-import org.acegisecurity.context.SecurityContext;
-import org.acegisecurity.context.SecurityContextHolder;
-import org.acegisecurity.context.SecurityContextImpl;
 import org.apache.commons.lang.StringUtils;
 import org.kohsuke.stapler.Stapler;
 
@@ -75,19 +74,9 @@ public void doFilter(ServletRequest req, ServletResponse rsp, FilterChain chain)
 
         // run the rest of the request with the new identity
         // create a new context and set it to holder to not clobber existing context
-        SecurityContext sc = new SecurityContextImpl();
-        sc.setAuthentication(token);
-        SecurityContext previous = SecurityContextHolder.getContext();
-        SecurityContextHolder.setContext(sc);
-        request.setAttribute(JWT_TOKEN_VALIDATED,true);
-        try {
+        try (ACLContext ctx = ACL.as(token)) {
+            request.setAttribute(JWT_TOKEN_VALIDATED, true);
             chain.doFilter(req,rsp);
-        } finally {
-            if(previous != null){
-                SecurityContextHolder.setContext(previous);
-            }else {
-                SecurityContextHolder.clearContext();
-            }
         }
     }
 

blueocean-pipeline-api-impl/src/test/java/io/jenkins/blueocean/rest/impl/pipeline/PipelineBaseTest.java

@@ -18,8 +18,8 @@
 import hudson.tasks.Mailer;
 import io.jenkins.blueocean.commons.JsonConverter;
 import jenkins.model.Jenkins;
-import org.acegisecurity.adapters.PrincipalAcegiUserToken;
 import org.acegisecurity.context.SecurityContextHolder;
+import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
 import org.acegisecurity.userdetails.UserDetails;
 import org.jenkinsci.plugins.workflow.actions.ThreadNameAction;
 import org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition;
@@ -638,7 +638,7 @@ protected User login(String userId, String fullName, String email) throws IOExce
 
         UserDetails d = Jenkins.getInstance().getSecurityRealm().loadUserByUsername(bob.getId());
 
-        SecurityContextHolder.getContext().setAuthentication(new PrincipalAcegiUserToken(bob.getId(),bob.getId(),bob.getId(), d.getAuthorities(), bob.getId()));
+        SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(bob.getId(), bob.getId(), d.getAuthorities()));
         return bob;
     }
     protected User login() throws IOException {

blueocean-rest-impl/src/test/java/io/jenkins/blueocean/service/embedded/BaseTest.java

@@ -13,13 +13,12 @@
 import hudson.model.Run;
 import hudson.model.User;
 import hudson.security.csrf.CrumbIssuer;
-import hudson.security.csrf.DefaultCrumbIssuer;
 import hudson.tasks.Mailer;
 import io.jenkins.blueocean.commons.JsonConverter;
 import jenkins.model.Jenkins;
 import net.sf.json.JSONObject;
-import org.acegisecurity.adapters.PrincipalAcegiUserToken;
 import org.acegisecurity.context.SecurityContextHolder;
+import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
 import org.acegisecurity.userdetails.UserDetails;
 import org.junit.Assert;
 import org.junit.Before;
@@ -529,7 +528,7 @@ protected User login(String userId, String fullName, String email) throws IOExce
 
         UserDetails d = Jenkins.getInstance().getSecurityRealm().loadUserByUsername(bob.getId());
 
-        SecurityContextHolder.getContext().setAuthentication(new PrincipalAcegiUserToken(bob.getId(),bob.getId(),bob.getId(), d.getAuthorities(), bob.getId()));
+        SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(bob.getId(), bob.getId(), d.getAuthorities()));
         return bob;
     }
     protected User login() throws IOException {

blueocean-rest-impl/src/test/java/io/jenkins/blueocean/service/embedded/ProfileApiTest.java

@@ -15,8 +15,8 @@
 import io.jenkins.blueocean.rest.factory.organization.OrganizationFactory;
 import io.jenkins.blueocean.service.embedded.rest.UserImpl;
 import jenkins.model.Jenkins;
-import org.acegisecurity.adapters.PrincipalAcegiUserToken;
 import org.acegisecurity.context.SecurityContextHolder;
+import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
 import org.acegisecurity.userdetails.UserDetails;
 import org.junit.Assert;
 import org.junit.Ignore;
@@ -391,7 +391,7 @@ public void testPermissionOfOtherUser() throws IOException {
 
         UserDetails d = Jenkins.getInstance().getSecurityRealm().loadUserByUsername(bob.getId());
 
-        SecurityContextHolder.getContext().setAuthentication(new PrincipalAcegiUserToken(bob.getId(),bob.getId(),bob.getId(), d.getAuthorities(), bob.getId()));
+        SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(bob.getId(), bob.getId(), d.getAuthorities()));
 
         Assert.assertNull(new UserImpl(Iterables.getFirst(OrganizationFactory.getInstance().list(), null), alice).getPermission());
     }