Hello, I would like to contribute a new *CAS SecurityRealm plugin* to Jenkins. Jasig CAS <http://www.jasig.org/cas> (Central Authentication Service) is a single sign-on (SSO) service implemented as a web application, and is commonly used in universities and enterprises to secure applications without having to login again and again.
While looking for a way to login with CAS from Jenkins, I found the CAS1 plugin <https://wiki.jenkins-ci.org/display/JENKINS/CAS1+Plugin> by J. David Beutel, but as the plugin name implies it only supports the legacy CAS 1.0 protocol with custom extensions for role parsing. The plugin I have developped currently supports the following features: - *CAS protocol version 1.0*, preserving role parsing features from the existing CAS1 plugin. - *CAS protocol version 2.0*, with limited attribute support (custom protocol extensions need to be added to the CAS webapp). - *SAML protocol version 1.1*, with full attribute support (groups/authorities, mail and full name sync). - *Authentication renewal* (if enabled, user will have to input credentials even if a session already exists at CAS side). - *Single sign-out* (if enabled, user will be logged out of Jenkins if he logs out of CAS or from other CAS-enabled applications). - Fully *configurable*, with inline *help *and *i18n *support (French translation included, except for help texts). There are at least a couple more features that I'd like to try implementing, when/if I have time: - CAS 2.0 proxy support (needs configuration and testing) - CAS gateway mode (if a CAS session exists, login immediately on first visit) A few implementation notes: - This plugin was developed from scratch, it is not a fork of the CAS1 plugin and works differently, but it uses some bits of code from it for CAS 1.0 role parsing. - CAS protocols are exposed and configured as *extension points*, making it easy to add more as CAS evolves (e.g. SAML 2.0 one day?) - CAS authentication filters are defined in a *CasSecurityRealm.groovy*script defining Spring beans, and are executed before the original filters configured by Jenkins. This means that *anonymous *access and *API Token auth* still work as expected. - CAS needs Jenkins' URL to be able to redirect back to it; this plugin simply uses Jenkins.getInstance().getRootUrl(), unlike the CAS1 plugin which included a specific configuration option. - Due to missing features in the Acegi Security CAS support, *Spring Security* 3.0.7 is used instead and up to successful authentication - at which point the Spring Security Authentication object is mapped to an Acegi one and stored in the Acegi SecurityContext. Unlike Acegi, the Spring Security CAS support relies more on the official CAS Client library, supports more protocols and can use attributes to fill authorities. Now, there are a few things I'd like to get feedback on and discuss: - Is the Spring Security dependency a potential issue? AFAIK Jenkins isn't going to move away from Acegi any time soon, and during testing I didn't find any negative side effect due to using this library. The resulting HPI file is only 3 MB big including dependencies. It's surely possible to backport Spring Security CAS code to Acegi if need be, but it doesn't feel right to me :-) - If this new plugin is accepted as an official plugin, what would happen with the existing CAS1 plugin? would they coexist or the new plugin be considered as a replacement, and the old one marked as deprecated? should automatic configuration migration between the two be considered and if so, how? (I guess J. David Beutel should weight in here, if possible, as the author and maintainer of the CAS1 plugin). - Considering this is my first Jenkins plugin, a code review would be most welcome. :-) And talking of *code *- here it is at GitHub (username is fcrespel): https://github.com/fcrespel/jenkins-cas-plugin Could you please consider it for forking into the official jenkisci repos? Note that I prefixed my repo with 'jenkins-' but that's really only for me, after forking I guess the repo should simply be named 'cas-plugin'. If accepted, I would of course work on a proper wiki page to describe how to configure the plugin. Please let me know what you think, comments and feedback will be appreciated :-) Best regards, - Fabien.
