Include scope in /oauth/authorize URL (#26)

* Include scope in `/oauth/authorize` URL As described in Gitlab's guide[1], the parameter should be included, otherwise a default set of scopes will be granted, which seems to be just `read_user` and is not enough for Jenkins. According to the README, the plugin needs the `api` scope, so that's what we're explicitly requesting from Gitlab. [1] https://docs.gitlab.com/ee/api/oauth2.html#web-application-flow [JENKINS-63536] * Remove unneeded JavaDoc tags & document some return types
jenkinsci · Aug 28, 2020 · 4583875 · 4583875
1 parent 3dcc8d4
commit 4583875
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 14 deletions.
diff --git a/src/main/java/org/jenkinsci/plugins/GitLabAuthenticationToken.java b/src/main/java/org/jenkinsci/plugins/GitLabAuthenticationToken.java
@@ -187,7 +187,7 @@ public GitlabUser getMyself() {
 	 *
 	 * @param candidateName
 	 * @param organization
-	 * @return
+	 * @return whether given candidate belongs to a given organization
 	 */
 	public boolean hasOrganizationPermission(String candidateName, String organization) {
 		try {

diff --git a/src/main/java/org/jenkinsci/plugins/GitLabAuthorizationStrategy.java b/src/main/java/org/jenkinsci/plugins/GitLabAuthorizationStrategy.java
@@ -117,71 +117,65 @@ private Object readResolve() {
     }
 
     /**
-     * @return
+     * @return comma- and space-separated organization names
      * @see org.jenkinsci.plugins.GitLabRequireOrganizationMembershipACL#getOrganizationNameList()
      */
     public String getOrganizationNames() {
         return StringUtils.join(rootACL.getOrganizationNameList().iterator(), ", ");
     }
 
     /**
-     * @return
+     * @return comma- and space-separated admin organization names
      * @see org.jenkinsci.plugins.GitLabRequireOrganizationMembershipACL#getAdminOrganizationNameList()
      */
     public String getAdminOrganizationNames() {
         return StringUtils.join(rootACL.getAdminOrganizationNameList().iterator(), ", ");
     }
 
     /**
-     * @return
+     * @return comma- and space-separated admin usernames
      * @see org.jenkinsci.plugins.GitLabRequireOrganizationMembershipACL#getAdminUserNameList()
      */
     public String getAdminUserNames() {
         return StringUtils.join(rootACL.getAdminUserNameList().iterator(), ", ");
     }
 
     /**
-     * @return
      * @see org.jenkinsci.plugins.GitLabRequireOrganizationMembershipACL#isUseRepositoryPermissions()
      */
     public boolean isUseRepositoryPermissions() {
         return rootACL.isUseRepositoryPermissions();
     }
 
     /**
-     * @return
      * @see org.jenkinsci.plugins.GitLabRequireOrganizationMembershipACL#isAuthenticatedUserCreateJobPermission()
      */
     public boolean isAuthenticatedUserCreateJobPermission() {
         return rootACL.isAuthenticatedUserCreateJobPermission();
     }
 
     /**
-     * @return
      * @see org.jenkinsci.plugins.GitLabRequireOrganizationMembershipACL#isAuthenticatedUserStopBuildPermission()
      */
     public boolean isAuthenticatedUserStopBuildPermission() {
         return rootACL.isAuthenticatedUserStopBuildPermission();
     }
 
     /**
-     * @return
      * @see org.jenkinsci.plugins.GitLabRequireOrganizationMembershipACL#isAuthenticatedUserReadPermission()
      */
     public boolean isAuthenticatedUserReadPermission() {
         return rootACL.isAuthenticatedUserReadPermission();
     }
 
     /**
-     * @return
      * @see org.jenkinsci.plugins.GitLabRequireOrganizationMembershipACL#isAllowGitlabWebHookPermission()
      */
     public boolean isAllowGitlabWebHookPermission() {
         return rootACL.isAllowGitlabWebHookPermission();
     }
 
     /**
-     * @return
      * @see org.jenkinsci.plugins.GitLabRequireOrganizationMembershipACL#isAllowCcTrayPermission()
      */
     public boolean isAllowCcTrayPermission() {
@@ -190,7 +184,6 @@ public boolean isAllowCcTrayPermission() {
 
 
     /**
-     * @return
      * @see org.jenkinsci.plugins.GitLabRequireOrganizationMembershipACL#isAllowAnonymousReadPermission()
      */
     public boolean isAllowAnonymousReadPermission() {
@@ -199,7 +192,6 @@ public boolean isAllowAnonymousReadPermission() {
 
     /**
      * @see org.jenkinsci.plugins.GitLabRequireOrganizationMembershipACL#isAllowAnonymousJobStatusPermission()
-     * @return
      */
     public boolean isAllowAnonymousJobStatusPermission() {
         return rootACL.isAllowAnonymousJobStatusPermission();

diff --git a/src/main/java/org/jenkinsci/plugins/GitLabSecurityRealm.java b/src/main/java/org/jenkinsci/plugins/GitLabSecurityRealm.java
@@ -284,6 +284,7 @@ public HttpResponse doCommenceLogin(StaplerRequest request, @QueryParameter Stri
         parameters.add(new BasicNameValuePair("redirect_uri", buildRedirectUrl(request, redirectOnFinish)));
         parameters.add(new BasicNameValuePair("response_type", "code"));
         parameters.add(new BasicNameValuePair("client_id", clientID));
+        parameters.add(new BasicNameValuePair("scope", "api"));
 
         return new HttpRedirect(gitlabWebUri + "/oauth/authorize?" + URLEncodedUtils.format(parameters, StandardCharsets.UTF_8));
     }
@@ -504,7 +505,6 @@ public DescriptorImpl getDescriptor() {
     /**
      *
      * @param username
-     * @return
      * @throws UsernameNotFoundException
      * @throws DataAccessException
      */
@@ -561,7 +561,6 @@ public int hashCode() {
     /**
      *
      * @param groupName
-     * @return
      * @throws UsernameNotFoundException
      * @throws DataAccessException
      */