| #!groovy | |
| import jenkins.model.* | |
| import hudson.security.* | |
| import hudson.util.Secret | |
| import jenkins.model.IdStrategy | |
| import net.sf.json.JSONObject | |
| import jenkins.security.plugins.ldap.* | |
| import jenkins.security.plugins.ldap.FromGroupSearchLDAPGroupMembershipStrategy | |
| import java.util.logging.Logger | |
// Root logger: Jenkins init scripts report through java.util.logging, so these
// lines end up in the Jenkins system log.
def logger = Logger.getLogger("")
Map<String, String> env = System.getenv()
// Keep only the LDAP_MANAGER_* entries (the bind user / password used further
// down); the rest of the process environment is deliberately not copied.
Map<String, String> ldapManagerEnvVars = env.findAll { entry -> entry.key.contains('LDAP_MANAGER') }
// Optional second source of the same variables, located under JENKINS_HOME.
// NOTE(review): with JENKINS_HOME unset the path starts with "null/", which
// merely fails the exists() check later on rather than erroring here.
File buildEnvFile = new File("${env['JENKINS_HOME']}/init.groovy.d/properties/build.env")
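/**
 * Ensures the LDAP manager (bind) credentials are available before the realm is configured.
 *
 * Two sources are consulted: the LDAP_MANAGER_* entries already in {@code envVars}, and —
 * when it exists — {@code buildEnvFile}, a KEY=VALUE file whose LDAP_MANAGER_* lines
 * OVERRIDE the environment (so the file is the place to drop a rotated password).
 * {@code envVars} is updated in place; the caller in the try-block below relies on that
 * side effect and ignores the return value.
 *
 * @param envVars      mutable map holding the LDAP_MANAGER_* variables from the environment
 * @param buildEnvFile optional KEY=VALUE file with the same variables; need not exist
 * @return the same {@code envVars} instance, possibly extended from the file
 * @throws IllegalStateException if LDAP_MANAGER_USER / LDAP_MANAGER_PASSWORD are still
 *         missing or empty after both sources have been read
 */
def checkEnvVars(Map envVars, File buildEnvFile) {
    // The two keys the realm setup (managerDN / managerPasswordSecret) actually reads;
    // the old check only tested for "some LDAP_MANAGER entry" and let the caller NPE.
    List<String> required = ['LDAP_MANAGER_USER', 'LDAP_MANAGER_PASSWORD']
    Closure<Boolean> incomplete = { Map vars ->
        vars.isEmpty() || vars.containsKey('') || vars.containsValue('') ||
            !vars.keySet().containsAll(required)
    }

    if (incomplete(envVars) && !buildEnvFile.exists()) {
        throw new IllegalStateException("LDAP manager DN user and password does not exists in env vars! LDAP cannot be configured, please set LDAP_MANAGER variables")
    } else if (buildEnvFile.exists()) {
        buildEnvFile.readLines().each { String raw ->
            String line = raw.trim()
            // Blank lines, comments and lines not naming an LDAP_MANAGER variable are ignored.
            if (!line || line.startsWith('#') || !line.contains('LDAP_MANAGER')) {
                return
            }
            // Split on the FIRST '=' only: a password may itself contain '='. The old
            // split('=')[1] truncated such values and threw on "KEY=" (empty value).
            String[] kv = line.split('=', 2)
            if (kv.length != 2) {
                return // "KEY" with no '=' at all: nothing usable on this line
            }
            // Key is trimmed; the value is kept verbatim so a password with deliberate
            // leading/trailing whitespace is not altered.
            envVars.put(kv[0].trim(), kv[1])
        }
        if (incomplete(envVars)) {
            throw new IllegalStateException("LDAP manager DN user and password does not exists in env vars and ${buildEnvFile} does not contains LDAP_MANAGER type properties! LDAP cannot be configured, please set LDAP_MANAGER variables or check ${buildEnvFile} file!".toString())
        }
    }
    return envVars
}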
// ldapSettings may be pre-seeded through the script binding; default it to an
// empty map otherwise and reject anything that is not a Map. NOTE(review): the
// try-block below assigns a complete new map to ldapSettings, so a binding-supplied
// value only survives this type check, not the actual configuration.
ldapSettings = binding.hasVariable('ldapSettings') ? ldapSettings : [:]
if (!(ldapSettings in Map)) {
    throw new Exception('ldapSettings must be a Map.')
}
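// Configure the LDAP security realm on startup. Failures are logged and swallowed,
// so Jenkins continues booting with whatever realm it already had; the secret file
// build.env is removed in all cases.
try {
    logger.info('--> INFO: init.groovy.d:configure_ldap:configuring ldap... start')
    // Throws (caught below) unless LDAP_MANAGER_USER / LDAP_MANAGER_PASSWORD are present
    // in the environment or in build.env; the map is filled in place, the return is unused.
    checkEnvVars(ldapManagerEnvVars, buildEnvFile)
    // Quotes that leak in from a .env-style file ("value") are stripped once per value
    // (the earlier code repeated the replace on the already-stripped result). The OU/DC
    // suffix of the bind DN, like the server and search settings below, is hard-coded
    // for one directory.
    String managerDN = "CN=${ldapManagerEnvVars.get('LDAP_MANAGER_USER').replace('"', '')},OU=Service Accounts,DC=ad,DC=domain,DC=com".toString()
    String managerPasswordSecret = ldapManagerEnvVars.get('LDAP_MANAGER_PASSWORD').replace('"', '')
    // Settings for the LDAP plugin. SECURITY: the URL is plain ldap://, so the manager
    // bind (DN + password) and every user login cross the network unencrypted unless the
    // directory enforces StartTLS; use ldaps:// with a trusted CA where the directory
    // supports it. Whatever ldapSettings the script binding supplied is replaced
    // wholesale here — the binding check above only validates its type.
    ldapSettings = [
        server:                  "ldap://ad.domain.com",
        rootDN:                  "dc=ad,dc=domain,dc=com",
        managerDN:               managerDN,
        managerPasswordSecret:   managerPasswordSecret,
        userSearchBase:          "",
        userSearch:              "(&(sAMAccountName={0}) (objectclass=organizationalPerson))",
        groupSearchBase:         "OU=User Groups,OU=Groups",
        groupSearchFilter:       "(& (cn={0}) (objectclass=group) )",
        groupMembershipStrategy: "(member={0})"
    ]
    // JSONObject provides the opt*() accessors with defaults used below; keys not set
    // above (inhibitInferRootDN, disableMailAddressResolver, environmentProperties,
    // display/mail attribute names) therefore fall back to false / [:] / plugin defaults.
    ldapGeneralSettings = ldapSettings as JSONObject
    logger.info("---> Configuring LDAP as a Security Realm...")
    // Only a non-LDAP realm is replaced. An existing LDAP realm is left untouched, so a
    // rotated manager password or changed filter in this script is NOT applied to it.
    if (!(Jenkins.instance.securityRealm instanceof LDAPSecurityRealm)) {
        LDAPConfiguration conf = new LDAPConfiguration(
            ldapGeneralSettings.optString('server'),
            ldapGeneralSettings.optString('rootDN'),
            ldapGeneralSettings.optBoolean('inhibitInferRootDN'),
            ldapGeneralSettings.optString('managerDN'),
            // Wrapped as a Secret so the plugin persists it encrypted rather than as plain text.
            Secret.fromString(ldapGeneralSettings.optString('managerPasswordSecret')))
        conf.userSearchBase = ldapGeneralSettings.optString('userSearchBase')
        conf.userSearch = ldapGeneralSettings.optString('userSearch') // LDAPSecurityRealm.DescriptorImpl.DEFAULT_USER_SEARCH
        conf.groupSearchBase = ldapGeneralSettings.optString('groupSearchBase')
        conf.groupSearchFilter = ldapGeneralSettings.optString('groupSearchFilter')
        conf.groupMembershipStrategy = (new FromGroupSearchLDAPGroupMembershipStrategy(ldapGeneralSettings.optString('groupMembershipStrategy')))
        conf.environmentProperties = (ldapGeneralSettings.opt('environmentProperties') ?: [:]).collect { k, v ->
            new LDAPSecurityRealm.EnvironmentProperty(k.toString(), v.toString())
        } as LDAPSecurityRealm.EnvironmentProperty[]
        conf.displayNameAttributeName = ldapGeneralSettings.optString('displayNameAttributeName', LDAPSecurityRealm.DescriptorImpl.DEFAULT_DISPLAYNAME_ATTRIBUTE_NAME)
        conf.mailAddressAttributeName = ldapGeneralSettings.optString('mailAddressAttributeName', LDAPSecurityRealm.DescriptorImpl.DEFAULT_MAILADDRESS_ATTRIBUTE_NAME)
        List<LDAPConfiguration> configurations = [conf]
        Jenkins.instance.securityRealm = new LDAPSecurityRealm(
            configurations,
            ldapGeneralSettings.optBoolean('disableMailAddressResolver'),
            null,                        // cache configuration: none — presumably CacheConfiguration; verify against the plugin version in use
            IdStrategy.CASE_INSENSITIVE, // user id strategy
            IdStrategy.CASE_INSENSITIVE) // group id strategy
        Jenkins.instance.save()
        logger.info('---> Security realm set to LDAP')
    } else {
        logger.info('---> Nothing changed. LDAP security realm already configured.')
    }
} catch (Exception e) {
    // SEVERE instead of INFO, with the throwable attached so the stack trace lands in
    // the Jenkins log (printStackTrace() wrote to stderr and returned nothing to log).
    // The failure is still swallowed: Jenkins keeps starting with its previous realm,
    // so this line is the only sign that LDAP is not in effect. Never log
    // ldapManagerEnvVars or ldapSettings here — both carry the bind password.
    logger.log(java.util.logging.Level.SEVERE, '--> ERROR: init.groovy.d:configure_ldap:configuring ldap... failed', e)
} finally {
    // build.env carries the manager password in clear text; remove it once read (or once
    // we have given up). File.delete() returns false instead of throwing, so report that
    // case — otherwise a secret-bearing file would silently survive on disk.
    if (buildEnvFile.exists() && !buildEnvFile.delete()) {
        logger.warning('--> WARNING: init.groovy.d:configure_ldap: could not delete ' + buildEnvFile + '; it may still contain the LDAP manager password')
    }
}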