Removing requesterAuthentication

Author: jglick

src/main/java/com/cloudbees/jenkins/support/SupportAction.java

@@ -33,8 +33,6 @@
 import hudson.model.Api;
 import hudson.model.Failure;
 import hudson.model.RootAction;
-import hudson.security.ACL;
-import hudson.security.ACLContext;
 import hudson.security.Permission;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.ServletOutputStream;
@@ -397,18 +395,10 @@ private void prepareBundle(StaplerResponse2 rsp, List<Component> components) thr
         rsp.addHeader("Content-Disposition", "inline; filename=" + BundleFileName.generate() + ";");
         final ServletOutputStream servletOutputStream = rsp.getOutputStream();
         try {
-            SupportPlugin.setRequesterAuthentication(Jenkins.getAuthentication2());
-            try {
-                try (ACLContext ignored = ACL.as2(ACL.SYSTEM2)) {
-                    SupportPlugin.writeBundle(servletOutputStream, components);
-                } catch (IOException e) {
-                    logger.log(Level.FINE, e.getMessage(), e);
-                }
-            } finally {
-                SupportPlugin.clearRequesterAuthentication();
-            }
-        } finally {
+            SupportPlugin.writeBundle(servletOutputStream, components);
             logger.fine("Response completed");
+        } catch (IOException e) {
+            logger.log(Level.FINE, e.getMessage(), e);
         }
     }
 

src/main/java/com/cloudbees/jenkins/support/SupportCommand.java

@@ -31,8 +31,6 @@
 import hudson.Extension;
 import hudson.cli.CLICommand;
 import hudson.remoting.RemoteOutputStream;
-import hudson.security.ACL;
-import hudson.security.ACLContext;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.OutputStream;
@@ -93,20 +91,13 @@ protected int run() throws Exception {
                 selected.add(c);
             }
         }
-        SupportPlugin.setRequesterAuthentication(Jenkins.getAuthentication2());
-        try {
-            try (ACLContext ignored = ACL.as2(ACL.SYSTEM2)) {
-                OutputStream os;
-                if (channel != null) { // Remoting mode
-                    os = channel.call(new SaveBundle(BundleFileName.generate()));
-                } else { // redirect output to a ZIP file yourself
-                    os = new CloseProofOutputStream(stdout);
-                }
-                SupportPlugin.writeBundle(os, new ArrayList<>(selected));
-            }
-        } finally {
-            SupportPlugin.clearRequesterAuthentication();
+        OutputStream os;
+        if (channel != null) { // Remoting mode
+            os = channel.call(new SaveBundle(BundleFileName.generate()));
+        } else { // redirect output to a ZIP file yourself
+            os = new CloseProofOutputStream(stdout);
         }
+        SupportPlugin.writeBundle(os, new ArrayList<>(selected));
         return 0;
     }
 

src/main/java/com/cloudbees/jenkins/support/SupportPlugin.java

@@ -158,7 +158,6 @@ public class SupportPlugin extends Plugin {
             Jenkins.ADMINISTER,
             PermissionScope.JENKINS);
 
-    private static final ThreadLocal<Authentication> requesterAuthentication = new InheritableThreadLocal<>();
     private static final AtomicLong nextBundleWrite = new AtomicLong(Long.MIN_VALUE);
     private static final Logger logger = Logger.getLogger(SupportPlugin.class.getName());
     public static final String SUPPORT_DIRECTORY_NAME = "support";
@@ -234,16 +233,12 @@ public static File getLogsDirectory() {
         return new File(SafeTimerTask.getLogsRoot(), SUPPORT_DIRECTORY_NAME);
     }
 
+    /**
+     * @deprecated Check permissions directly.
+     */
+    @Deprecated
     public static Authentication getRequesterAuthentication() {
-        return requesterAuthentication.get();
-    }
-
-    public static void setRequesterAuthentication(Authentication authentication) {
-        requesterAuthentication.set(authentication);
-    }
-
-    public static void clearRequesterAuthentication() {
-        requesterAuthentication.remove();
+        return Jenkins.getAuthentication2();
     }
 
     public void setSupportProvider(SupportProvider supportProvider) throws IOException {
@@ -969,7 +964,6 @@ protected synchronized void doRun() throws Exception {
                                 thread.setName(String.format(
                                         "%s periodic bundle generator: since %s",
                                         SupportPlugin.class.getSimpleName(), new Date()));
-                                clearRequesterAuthentication();
                                 try (ACLContext ignored = ACL.as2(ACL.SYSTEM2)) {
                                     File bundleDir = getRootDirectory();
                                     if (!bundleDir.exists()) {

src/main/java/com/cloudbees/jenkins/support/actions/SupportObjectAction.java

@@ -13,8 +13,6 @@
 import hudson.model.Action;
 import hudson.model.Descriptor;
 import hudson.model.Saveable;
-import hudson.security.ACL;
-import hudson.security.ACLContext;
 import hudson.util.DescribableList;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletResponse;
@@ -139,21 +137,15 @@ public final void doGenerateAndDownload(StaplerRequest2 req, StaplerResponse2 rs
                 "Content-Disposition", "inline; filename=" + BundleFileName.generate(getBundleNameQualifier()) + ";");
 
         try {
-            SupportPlugin.setRequesterAuthentication(Jenkins.getAuthentication2());
-            try (ACLContext old = ACL.as2(ACL.SYSTEM2)) {
-                SupportPlugin.writeBundle(rsp.getOutputStream(), components, new ComponentVisitor() {
-                    @Override
-                    public <C extends Component> void visit(Container container, C component) {
-                        ((ObjectComponent<T>) component).addContents(container, object);
-                    }
-                });
-            } catch (IOException e) {
-                LOGGER.log(Level.WARNING, e.getMessage(), e);
-            } finally {
-                SupportPlugin.clearRequesterAuthentication();
-            }
-        } finally {
+            SupportPlugin.writeBundle(rsp.getOutputStream(), components, new ComponentVisitor() {
+                @Override
+                public <C extends Component> void visit(Container container, C component) {
+                    ((ObjectComponent<T>) component).addContents(container, object);
+                }
+            });
             LOGGER.fine("Response completed");
+        } catch (IOException e) {
+            LOGGER.log(Level.WARNING, e.getMessage(), e);
         }
     }
 

src/main/java/com/cloudbees/jenkins/support/impl/AboutUser.java

@@ -1,6 +1,5 @@
 package com.cloudbees.jenkins.support.impl;
 
-import com.cloudbees.jenkins.support.SupportPlugin;
 import com.cloudbees.jenkins.support.api.Component;
 import com.cloudbees.jenkins.support.api.Container;
 import com.cloudbees.jenkins.support.api.PrefilteredPrintedContent;
@@ -13,6 +12,7 @@
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Set;
+import jenkins.model.Jenkins;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 
@@ -36,33 +36,31 @@ public Set<Permission> getRequiredPermissions() {
 
     @Override
     public void addContents(@NonNull Container result) {
-        final Authentication authentication = SupportPlugin.getRequesterAuthentication();
-        if (authentication != null) {
-            result.add(new PrefilteredPrintedContent("user.md") {
-                @Override
-                protected void printTo(PrintWriter out, ContentFilter filter) throws IOException {
-                    out.println("User");
-                    out.println("====");
-                    out.println();
-                    out.println("Authentication");
-                    out.println("--------------");
-                    out.println();
-                    out.println("  * Authenticated: " + authentication.isAuthenticated());
-                    out.println("  * Name: " + ContentFilter.filter(filter, authentication.getName()));
-                    Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
-                    if (authorities != null) {
-                        out.println("  * Authorities ");
-                        for (GrantedAuthority authority : authorities) {
-                            out.println("      - "
-                                    + (authority == null
-                                            ? "null"
-                                            : "`" + authority.toString().replaceAll("`", "&#96;") + "`"));
-                        }
+        final Authentication authentication = Jenkins.getAuthentication2();
+        result.add(new PrefilteredPrintedContent("user.md") {
+            @Override
+            protected void printTo(PrintWriter out, ContentFilter filter) throws IOException {
+                out.println("User");
+                out.println("====");
+                out.println();
+                out.println("Authentication");
+                out.println("--------------");
+                out.println();
+                out.println("  * Authenticated: " + authentication.isAuthenticated());
+                out.println("  * Name: " + ContentFilter.filter(filter, authentication.getName()));
+                Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
+                if (authorities != null) {
+                    out.println("  * Authorities ");
+                    for (GrantedAuthority authority : authorities) {
+                        out.println("      - "
+                                + (authority == null
+                                        ? "null"
+                                        : "`" + authority.toString().replaceAll("`", "&#96;") + "`"));
                     }
-                    out.println();
                 }
-            });
-        }
+                out.println();
+            }
+        });
     }
 
     @NonNull